Unable to get rid of some malwares / Smitfraud-c



Enezarz
2006-10-27, 18:32
Hello,
I need more expertise to get rid of a pretty resistant one (or ones)!
I'm using Win2k with Firefox (AV is Norman, firewall is ZoneLabs), and each time I reboot the PC / connect to the web, things like wacky32.exe appear on C:. Also, on the Windows Control Panel the Winantivirus 2006 icon cannot be removed (!).
I ran Ad-Aware and AVG, also smitfraud (found nothing after a successful run) and VundoFix.exe until the lists had been cleared, but Spybot is still finding the same list of elements.

:rolleyes: Thanks for the help and I hope the thread is fine

----
Here's the Spybot report:


--- Search result list ---
Command Service: Réglages Autorun (Valeur du registre, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\newname

Smitfraud-C.: Réglages Autorun (wma34987) (Valeur du registre, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wma34987

Smitfraud-C.: Fichier de programme (Fichier, fixed)
C:\WINNT\system32\RUNDLL32.EXE

Smitfraud-C.: Réglages Autorun (defender) (Valeur du registre, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\defender

Microsoft.WindowsSecurityCenter.AntiVirusDisableNotify: Réglages (Modification du registre, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify!=dword:0

Microsoft.WindowsSecurityCenter.AntiVirusOverride: Réglages (Modification du registre, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride!=dword:0

Microsoft.WindowsSecurityCenter.FirewallDisabled: Réglages (Modification du registre, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windowsfirewall\domainprofile\enablefirewall!=dword:1

Microsoft.WindowsSecurityCenter.FirewallDisabled: Réglages (Modification du registre, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windowsfirewall\standardprofile\enablefirewall!=dword:1

Microsoft.WindowsSecurityCenter.FirewallDisableNotify: Réglages (Modification du registre, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify!=dword:0

Microsoft.WindowsSecurityCenter.FirewallOverride: Réglages (Modification du registre, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride!=dword:0

Microsoft.WindowsSecurityCenter.SP2Update: Réglages (Modification du registre, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotAllowXPSP2!=dword:0

Microsoft.WindowsSecurityCenter.UpdateDisableNotify: Réglages (Modification du registre, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify!=dword:0

Microsoft.WindowsSecurityCenter_disabled: Réglages (Modification du registre, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start!=W=2


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2005-05-31 Update.exe (1.4.0.0)
2006-10-08 unins000.exe (51.41.0.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-02-20 Tools.dll (2.0.0.2)
2006-02-06 advcheck.dll (1.0.2.0)
2006-10-13 Includes\Spybots.sbi (*)
2006-10-13 Includes\Trojans.sbi (*)
2006-10-13 Includes\Dialer.sbi (*)
2006-10-13 Includes\Security.sbi (*)
2006-10-13 Includes\Malware.sbi (*)
2006-10-13 Includes\Hijackers.sbi (*)
2006-10-27 Includes\Keyloggers.sbi (*)
2006-10-20 Includes\PUPS.sbi (*)
2006-10-27 Includes\Cookies.sbi (*)
2006-10-27 Includes\Revision.sbi (*)
2005-02-17 Includes\Tracks.uti
2006-10-27 Includes\TrojansC.sbi (*)
2006-10-27 Includes\SpybotsC.sbi (*)
2006-10-27 Includes\SecurityC.sbi (*)
2006-10-27 Includes\PUPSC.sbi (*)
2006-10-27 Includes\MalwareC.sbi (*)
2006-10-27 Includes\KeyloggersC.sbi (*)
2006-10-27 Includes\HijackersC.sbi (*)
2006-10-27 Includes\DialerC.sbi (*)



--- System information ---
Windows 2000 (Build: 2195) Service Pack 4
/ DataAccess: Microsoft Data Access Components KB870669
/ DataAccess: Security Update for Microsoft Data Access Components
/ DirectX / DX8.1 / SP1: Correctif pour DirectX 8.1 - KB839643
/ DirectX: DirectX Update 819696
... (cut as too long)

--- Startup entries list ---
Located: HK_LM:Run, !AVG Anti-Spyware
command: "C:\Program Files\Finders\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
file: C:\Program Files\Finders\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
size: 6266880
MD5: 01d90ae5dccbce0c7b52874fec35a608

Located: HK_LM:Run, Anti-Virus Update Scheduler V1.39.12R
command: C:\WINNT\sysdat.exe
file:

Located: HK_LM:Run, defender
command: C:\\dfndrff_e26.exe
file:

Located: HK_LM:Run, HPDJ Taskbar Utility
command: C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
file: C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
size: 196608
MD5: 7c6b5065e7326e3c91a62800df3a31fa

Located: HK_LM:Run, NeroCheck
command: C:\WINNT\system32\NeroCheck.exe
file: C:\WINNT\system32\NeroCheck.exe
size: 155648
MD5: 3e4c03cefad8de135263236b61a49c90

Located: HK_LM:Run, newname
command: C:\\nwnmff_e26.exe
file:

Located: HK_LM:Run, Norman ZANDA
command: C:\Program Files\Norman\bin\ZLH.EXE /LOAD /SPLASH
file:

Located: HK_LM:Run, NvCplDaemon
command: RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
file: C:\WINNT\system32\RUNDLL32.EXE
size: 10000
MD5: 61cf5b74a4b5fe430f87e9259b7e4f60

Located: HK_LM:Run, nwiz
command: nwiz.exe /install
file: C:\WINNT\system32\nwiz.exe
size: 741376
MD5: a4ae9ba1e10cb9f6c0949c4db91a1f72

Located: HK_LM:Run, QuickTime Task
command: "C:\Program Files\QuickTime\qttask.exe" -atboottime
file: C:\Program Files\QuickTime\qttask.exe
size: 98304
MD5: 76a3a30b58405c2c6d833895253a51a9

Located: HK_LM:Run, Share-to-Web Namespace Daemon
command: C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
file: C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
size: 69632
MD5: 2f2bc80803f0638f6738e37f769e4bd0

Located: HK_LM:Run, Synchronization Manager
command: mobsync.exe /logon
file: C:\WINNT\system32\mobsync.exe
size: 111888
MD5: 25927f36c86159f0d55288f4fed12d93

Located: HK_LM:Run, wma34987
command: RUNDLL32.EXE w0181c50.dll,n 005349820000000a0181c50
file: C:\WINNT\system32\RUNDLL32.EXE
size: 10000
MD5: 61cf5b74a4b5fe430f87e9259b7e4f60

Located: HK_LM:Run, Zone Labs Client
command: C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
file: C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
size: 755480
MD5: b4e843ded6daf99aec3fbfe395e643c7

Located: HK_LM:RunServices, tetriz3
command: C:\WINNT\system32\tetriz3.exe
file:

Located: HK_CU:Run, internat.exe
command: internat.exe
file: C:\WINNT\system32\internat.exe
size: 20752
MD5: 406b12788886496bd299c3f9e5e310d0

Located: HK_CU:Run, Shell
command: "C:\Program Files\Fichiers communs\Microsoft Shared\Web Folders\ibm00005.exe"
file:

Located: HK_CU:Run, SpybotSD TeaTimer
command: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
file: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
size: 1415824
MD5: 70496eee0ddbe485f658693826f44d38

Located: HK_CU:Run, tetriz3
command: C:\WINNT\system32\tetriz3.exe
file:

Located: Démarrage (tous utilisateurs), Acrobat Assistant.lnk
command: C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
file: C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
size: 49254
MD5: 0e6e43d31ac16bcf682eb5f63178c492

Located: Démarrage (tous utilisateurs), hp psc 2000 Series.lnk
command: C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
file: C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
size: 323646
MD5: 1fd676dceec0288701445bc9acc61329

Located: Démarrage (tous utilisateurs), Nielsen NetRatings.lnk
command: C:\Program Files\NielsenNetratings\bin\insight.exe
file: C:\Program Files\NielsenNetratings\bin\insight.exe
size: 20480
MD5: b613f98929f988c8103463742272b72e

Located: System.ini, crypt32chain
command: crypt32.dll
file: crypt32.dll

Located: System.ini, cryptnet
command: cryptnet.dll
file: cryptnet.dll

Located: System.ini, cscdll
command: cscdll.dll
file: cscdll.dll

Located: System.ini, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll

Located: System.ini, SensLogn
command: WlNotify.dll
file: WlNotify.dll

Located: System.ini, wzcnotif
command: wzcdlg.dll
file: wzcdlg.dll

Mr_JAk3
2006-10-27, 20:44
Hi Enezarz and welcome to Safer Networking Forums :)

You have some infections there...

Post a HijackThis log to here:
Please download HijackThis to your desktop -> HijackThis 1.99.1 (http://downloads.malwareremoval.com/HijackThis.exe)
Create a new folder named HijackThis to your desktop. Move Hijackthis.exe into that folder.
Run HijackThis.exe
Click on Do a system scan and save a logfile
Wait for the scan to end, a logfile will popup in a notepad document
Please copy that log and paste it to your thread

Enezarz
2006-10-27, 20:53
Thx for the quick answer, but I forgot to tell you HIJACK had already been run several times... :lip:
Here it is:

Logfile of HijackThis v1.99.1
Scan saved at 20:55:53, on 27/10/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norman\Bin\Zanda.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\tcpsvcs.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Norman\bin\NJEEVES.EXE
C:\Program Files\Norman\Nvc\bin\nvcoas.exe
C:\Program Files\Norman\Nvc\BIN\NVCSCHED.EXE
C:\Program Files\Norman\Nvc\BIN\nipsvc.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Norman\bin\ZLH.EXE
C:\WINNT\System32\mdm.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINNT\system32\internat.exe
C:\Program Files\NielsenNetratings\bin\insight.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Norman\Nvc\BIN\NIP.EXE
C:\Program Files\Norman\Nvc\bin\cclaw.exe
C:\WINNT\system32\cidaemon.exe
C:\WINNT\system32\cidaemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\akascanner\Scanner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.free.fr/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8010
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = setup.msn.com;memberservices.msn.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (C:\Documents and Settings\Administrateur\Application Data\Mozilla\Profiles\default\b0hivv32.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Administrateur\Application Data\Mozilla\Profiles\default\b0hivv32.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\Program Files\Norman\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Finders\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Anti-Virus Update Scheduler V1.39.12R] C:\WINNT\sysdat.exe
O4 - HKLM\..\Run: [newname] C:\\nwnmff_e26.exe
O4 - HKLM\..\Run: [wma34987] RUNDLL32.EXE w0181c50.dll,n 005349820000000a0181c50
O4 - HKLM\..\Run: [defender] C:\\dfndrff_e26.exe
O4 - HKLM\..\RunServices: [tetriz3] C:\WINNT\system32\tetriz3.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Fichiers communs\Microsoft Shared\Web Folders\ibm00005.exe"
O4 - HKCU\..\Run: [tetriz3] C:\WINNT\system32\tetriz3.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Nielsen NetRatings.lnk = C:\Program Files\NielsenNetratings\bin\insight.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O14 - IERESET.INF: START_PAGE_URL=http://home.free.fr/
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Service d'administration du Gestionnaire de disque logique (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Windows Windows Sheduler (Microsoft Windows Scheduled Tasker) - Unknown owner - C:\WINNT\eiRecvr.exe (file missing)
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Program Files\Norman\Nvc\BIN\nipsvc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Program Files\Norman\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Program Files\Norman\Bin\Zanda.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Program Files\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\Program Files\Norman\Nvc\BIN\NVCSCHED.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: Microsoft SSL (ssl) - Unknown owner - C:\WINNT\system32\ssl.exe (file missing)
O23 - Service: Microsoft Windows TCPIP Protocol Driver (TCP IP Protocol Driver) - Unknown owner - C:\WINNT\tcpsvcs.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe
O23 - Service: wins(WINS) (wins) - Unknown owner - C:\WINNT\system32\winscntrl.exe (file missing)

Enezarz
2006-10-27, 20:54
HijackThis has been renamed to scanner.exe :bigthumb:

Mr_JAk3
2006-10-27, 21:05
Hi again, you've got a nice collection of infections there...

One or more of the identified infections is a backdoor trojan.
You also have a keystroke logger infection.

This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451)
When Should I Format, How Should I Reinstall (http://www.dslreports.com/faq/10063)

However, if you do not have the resources to reinstall your computer and would like me to attempt to clean it, I will be happy to do so.
Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post :bigthumb:

Enezarz
2006-10-27, 21:37
This PC has never been used for any financial or banking txns. So please go ahead with the clean-up. Thanks :cool:

Enezarz
2006-10-28, 09:35
This PC has never been used for any financial or banking txns. So please go ahead with the clean-up. Thanks :cool:

This PC has no sensitive information, nor has it been used for any financial txn. Thanks for helping to try to eradicate the malware. :red:

Mr_JAk3
2006-10-28, 11:49
Hi again, I respect your decision to continue :)

You should print these instructions or save these to a text file. Follow these instructions carefully.

Open AVG Anti-Spyware
On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update successful message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Do NOT run yet.

Then, make your hidden files visible:
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Uncheck "Hide protected operating system files"
Click Apply and then the OK and close My Computer.

Please download Brute Force Uninstaller (http://www.merijn.org/files/bfu.zip) to your desktop.
Right click the BFU folder on your desktop, and choose Extract All
Click "Next"
In the box to choose where to extract the files to,
Click "Browse"
Click on the + sign next to "My Computer"
Click on "Local Disk (C:)" or whatever your primary drive is
Click "Make New Folder"
Type in BFU
Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".

RIGHT-CLICK HERE (http://metallica.geekstogo.com/alcanshorty.bfu) and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

Do not do anything with these yet!

Disable Spybot S&D Teatimer.
Run Spybot-S&D in Advanced Mode
If it is not already set to do this, go to the Mode menu select "Advanced Mode"
On the left hand side, click on Tools
Then click on the Resident icon in the list
Uncheck "Resident TeaTimer" and OK any prompts.
Restart your computer
==================

Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.zip) and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

In Safe Mode, right click the SDFix.zip folder and choose Extract All,
Open the extracted folder and double click RunThis.bat to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.

Stop the following processes using Task Manager (press ctrl+alt+del, select the Processes tab, highlight the first process in the list and click End Process). Continue through the list (one at a time) until all processes have been ended. If something isn't found, please continue with the next process in the list.

tcpsvcs.exe

Disable bad services
Start
Run
Type services.msc to the field and press enter.
A window opens, scroll down to Microsoft Windows TCPIP Protocol Driver (TCP IP Protocol Driver)
Rightclick it and choose Stop
Then choose Properties
Set Startup to Disabled
Click Apply and OK.
Scroll down to Windows Windows Sheduler (Microsoft Windows Scheduled Tasker)
Rightclick it and choose Stop
Then choose Properties
Set Startup to Disabled
Click Apply and OK.

Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [Anti-Virus Update Scheduler V1.39.12R] C:\WINNT\sysdat.exe
O4 - HKLM\..\Run: [newname] C:\\nwnmff_e26.exe
O4 - HKLM\..\Run: [wma34987] RUNDLL32.EXE w0181c50.dll,n 005349820000000a0181c50
O4 - HKLM\..\Run: [defender] C:\\dfndrff_e26.exe
O4 - HKLM\..\RunServices: [tetriz3] C:\WINNT\system32\tetriz3.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Fichiers communs\Microsoft Shared\Web Folders\ibm00005.exe"
O4 - HKCU\..\Run: [tetriz3] C:\WINNT\system32\tetriz3.exe

Continue with HijackThis:
Config
Delete an NT service
Copy the following line to the box and press OK; TCP IP Protocol Driver
Answer Yes
Delete an NT service
Copy the following line to the box and press OK; Microsoft Windows Scheduled Tasker
Answer Yes

Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.

Go to the My Computer and delete the following files (if present): Be careful with the paths and names!
C:\WINNT\eiRecvr.exe
C:\WINNT\tcpsvcs.exe
C:\WINNT\sysdat.exe
C:\WINNT\system32\winscntrl.exe
C:\WINNT\system32\ssl.exe
C:\WINNT\system32\tetriz3.exe
C:\Program Files\Fichiers communs\Microsoft Shared\Web Folders\ibm00005.exe

Use the Windows search: Start
Search
All files and folders
Under More advanced options, checkmark these options:
"Search system folders"
"Search hidden files and folders"
"Search subfolders"
Search for this and delete if found: w0181c50.dll

Then, please go to Start > My Computer and navigate to the C:\BFU folder.
Start the Brute Force Uninstaller by doubleclicking BFU.exe
Behind the "scriptline to execute" field, click the folder icon and select alcanshorty.bfu
Press Execute and let the program do its job. (You ought to see a progress bar if you did this correctly.)
Wait for the complete script execution box to pop up and press OK.
Press exit to terminate the BFU program.

Run ATF Cleaner. Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
Click on Scanner on the toolbar.
Click on the Settings tab.
Under How to act?
Click on Recommended Action and choose Quarantine from the popup menu.
Under How to scan?
All checkboxes should be ticked.
Under Possibly unwanted software:
All checkboxes should be ticked.
Under Reports:
Select Automatically generate report after every scan and uncheck Only if threats were found.
Under What to scan?
Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT: Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.
Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button. (3)
http://img509.imageshack.us/img509/4851/scanavgjk2.jpg
When done, click the Save Scan Report button. (4)
Click the Save Report as button.
Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.

================

When you're ready, post the following logs to here:
- AVG's report
- a fresh HijackThis log
- Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt
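
The entries the helper picks out of the HijackThis log share a few clues that can be read straight off the O4 and O23 lines: executables dropped at the drive root or directly in C:\WINNT, a Windows 9x-era RunServices key, rundll32 loading an unpathed DLL with a random-looking name, and services that call themselves Microsoft or Windows yet report no vendor or whose binary is gone. The Python below is an added example (it is not from the thread and not part of HijackThis) that encodes those clues as heuristics and runs them over O4/O23 lines copied from the log; the heuristic names and thresholds are my own, and the result is a review list rather than a verdict, as the orphaned AVG guard service shows.

```python
"""Heuristic triage of HijackThis O4 (Run keys) and O23 (service) lines."""
import re

# Constructed sample: O4/O23 lines copied from the log posted in this thread, plus
# clean entries (NvCplDaemon, Zone Labs Client, vsmon) as controls and the
# orphaned AVG guard service, which should only be flagged for review.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [Anti-Virus Update Scheduler V1.39.12R] C:\WINNT\sysdat.exe
O4 - HKLM\..\Run: [newname] C:\\nwnmff_e26.exe
O4 - HKLM\..\Run: [wma34987] RUNDLL32.EXE w0181c50.dll,n 005349820000000a0181c50
O4 - HKLM\..\Run: [defender] C:\\dfndrff_e26.exe
O4 - HKLM\..\RunServices: [tetriz3] C:\WINNT\system32\tetriz3.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Fichiers communs\Microsoft Shared\Web Folders\ibm00005.exe"
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)
O23 - Service: Windows Windows Sheduler (Microsoft Windows Scheduled Tasker) - Unknown owner - C:\WINNT\eiRecvr.exe (file missing)
O23 - Service: Microsoft SSL (ssl) - Unknown owner - C:\WINNT\system32\ssl.exe (file missing)
O23 - Service: Microsoft Windows TCPIP Protocol Driver (TCP IP Protocol Driver) - Unknown owner - C:\WINNT\tcpsvcs.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): "
                   r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# A display name containing " - " would mis-split here; none in this log does.
O23_RE = re.compile(r"^O23 - Service: (?P<display>.*?) - (?P<owner>.*?) - "
                    r"(?P<path>.*?)(?P<missing> \(file missing\))?$")
WINDIR_NAMES = {"winnt", "windows"}

def split_path(path):
    """Split a Windows path, collapsing doubled backslashes (C:\\name.exe)."""
    return [p for p in re.split(r"\\+", path.strip().strip('"')) if p]

def unusual_location(path):
    """True for an executable at the drive root or directly in the Windows dir."""
    parts = split_path(path)
    if len(parts) < 2 or not re.fullmatch(r"[A-Za-z]:", parts[0]):
        return False
    return len(parts) == 2 or (len(parts) == 3 and parts[1].lower() in WINDIR_NAMES)

def digit_run_name(path):
    """Weak, name-only clue: file stem with 4+ consecutive digits (ibm00005)."""
    parts = split_path(path)
    return bool(parts) and re.search(r"\d{4}", parts[-1].rsplit(".", 1)[0]) is not None

def executable_of(cmd):
    """Return (exe, dll): the launched program and, for rundll32, its DLL argument."""
    cmd = cmd.strip()
    m = re.match(r'^"?(?P<exe>[^"]*?\.exe)"?', cmd, re.IGNORECASE)
    if not m:
        return cmd, None
    exe, dll = m.group("exe"), None
    if split_path(exe)[-1].lower() == "rundll32.exe":
        dll = cmd[m.end():].split(",", 1)[0].strip() or None
    return exe, dll

def triage_o4(m):
    exe, dll = executable_of(m.group("cmd"))
    subject = dll or exe                 # judge the DLL, not rundll32 itself
    reasons = []
    if m.group("key").lower() == "runservices":
        reasons.append("runservices-key")        # Win9x-era key, rare for NT software
    if unusual_location(subject):
        reasons.append("unusual-location")
    if dll is not None and "\\" not in dll:
        reasons.append("unpathed-rundll32-dll")  # resolved via search path, origin hidden
    if digit_run_name(subject):
        reasons.append("digit-run-name")
    return m.group("name"), reasons

def triage_o23(m):
    reasons = []
    if m.group("missing"):
        reasons.append("file-missing")           # orphaned service: review, not verdict
    if m.group("owner") == "Unknown owner" and re.search(
            r"\b(microsoft|windows)\b", m.group("display"), re.IGNORECASE):
        reasons.append("unknown-owner-ms-name")  # claims Microsoft, has no vendor string
    if unusual_location(m.group("path")):
        reasons.append("unusual-location")
    if digit_run_name(m.group("path")):
        reasons.append("digit-run-name")
    return m.group("display"), reasons

def triage(log_text):
    """Map each recognised O4/O23 entry to the heuristics it trips ([] = clean)."""
    findings = {}
    for line in log_text.splitlines():
        m, handler = O4_RE.match(line.strip()), triage_o4
        if not m:
            m, handler = O23_RE.match(line.strip()), triage_o23
        if m:
            name, reasons = handler(m)
            findings[name] = reasons
    return findings

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LOG).items():
        print(f"{'FLAG' if reasons else 'ok  '} {name}: {', '.join(reasons)}")
```

Every entry the helper lists for Fix checked or service deletion trips at least one heuristic, the three controls trip none, and the AVG guard service is flagged only as file-missing, which is exactly the kind of hit that needs a human to decide.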

Enezarz
2006-10-28, 19:37
Hi again,

I followed the whole process, but the bad news is that I was unable to find the files from this section:
"Go to the My Computer and delete the following files (if present): Be careful with the paths and names!
C:\WINNT\eiRecvr.exe
C:\WINNT\tcpsvcs.exe
C:\WINNT\sysdat.exe
C:\WINNT\system32\winscntrl.exe
C:\WINNT\system32\ssl.exe
C:\WINNT\system32\tetriz3.exe
C:\Program Files\Fichiers communs\Microsoft Shared\Web Folders\ibm00005.exe"

And still I can see them on the HijackThis report :sick:
Please let me know any other steps to follow, or retry the same if needed.

Here's the AVG report:
---------------------------------------------------------
AVG Anti-Spyware - Rapport d'analyse
---------------------------------------------------------

+ Créé à: 19:29:26 28/10/2006

+ Résultat de l'analyse:



C:\akascanner\SDFix\backups\backups.zip/backups/loader[1].exe -> Downloader.VB.afl : Nettoyé et sauvegardé (mise en quarantaine).
:mozilla.12:C:\Documents and Settings\Administrateur\Application Data\Mozilla\Firefox\Profiles\6bt3wbkg.default\cookies-18.txt -> TrackingCookie.Com : Nettoyé.
:mozilla.12:C:\Documents and Settings\Administrateur\Application Data\Mozilla\Firefox\Profiles\6bt3wbkg.default\cookies-19.txt -> TrackingCookie.Com : Nettoyé.
:mozilla.12:C:\Documents and Settings\Administrateur\Application Data\Mozilla\Firefox\Profiles\6bt3wbkg.default\cookies-20.txt -> TrackingCookie.Com : Nettoyé.
:mozilla.12:C:\Documents and Settings\Administrateur\Application Data\Mozilla\Firefox\Profiles\6bt3wbkg.default\cookies-21.txt -> TrackingCookie.Com : Nettoyé.
:mozilla.12:C:\Documents and Settings\Administrateur\Application Data\Mozilla\Firefox\Profiles\6bt3wbkg.default\cookies-22.txt -> TrackingCookie.Com : Nettoyé.
:mozilla.24:C:\Documents and Settings\Administrateur\Application Data\Mozilla\Firefox\Profiles\6bt3wbkg.default\cookies-15.txt -> TrackingCookie.Com : Nettoyé.
:mozilla.24:C:\Documents and Settings\Administrateur\Application Data\Mozilla\Firefox\Profiles\6bt3wbkg.default\cookies-17.txt -> TrackingCookie.Com : Nettoyé.


Fin du rapport

The HijackThis one:
Logfile of HijackThis v1.99.1
Scan saved at 19:34:49, on 28/10/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norman\Bin\Zanda.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Norman\bin\NJEEVES.EXE
C:\Program Files\Norman\Nvc\bin\nvcoas.exe
C:\Program Files\Norman\Nvc\BIN\NVCSCHED.EXE
C:\Program Files\Norman\Nvc\BIN\nipsvc.exe
C:\WINNT\System32\mdm.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Norman\bin\ZLH.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\NielsenNetratings\bin\insight.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Norman\Nvc\BIN\NIP.EXE
C:\Program Files\Norman\Nvc\bin\cclaw.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\akascanner\Scanner.exe
C:\Program Files\Norman\bin\niu.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.free.fr/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8010
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = setup.msn.com;memberservices.msn.com
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (C:\Documents and Settings\Administrateur\Application Data\Mozilla\Profiles\default\b0hivv32.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Administrateur\Application Data\Mozilla\Profiles\default\b0hivv32.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\Program Files\Norman\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Anti-Virus Update Scheduler V1.39.12R] C:\WINNT\sysdat.exe
O4 - HKLM\..\Run: [newname] C:\\nwnmff_e26.exe
O4 - HKLM\..\Run: [wma34987] RUNDLL32.EXE w0181c50.dll,n 005349820000000a0181c50
O4 - HKLM\..\Run: [defender] C:\\dfndrff_e26.exe
O4 - HKLM\..\RunServices: [tetriz3] C:\WINNT\system32\tetriz3.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Fichiers communs\Microsoft Shared\Web Folders\ibm00005.exe"
O4 - HKCU\..\Run: [tetriz3] C:\WINNT\system32\tetriz3.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Nielsen NetRatings.lnk = C:\Program Files\NielsenNetratings\bin\insight.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O14 - IERESET.INF: START_PAGE_URL=http://home.free.fr/
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Service d'administration du Gestionnaire de disque logique (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Program Files\Norman\Nvc\BIN\nipsvc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Program Files\Norman\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Program Files\Norman\Bin\Zanda.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Program Files\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\Program Files\Norman\Nvc\BIN\NVCSCHED.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe

And finally the SDFix report :
SDFix: Version 1.32
-------------------

Scan run on:
sam. 28/10/2006

Time:
14:34


Microsoft Windows 2000 [Version 5.00.2195]

Running from: C:\akascanner\SDFix

Stage One...

Checking Services...

Name:
-----

ssl
wins

Path:
----

C:\WINNT\system32\ssl.exe
"C:\WINNT\system32\winscntrl.exe"


ssl Deleted...
wins Deleted...

Repairing Registry...


Restoring Default Hosts File...

Stage One Complete

Rebooting...

Stage Two...

Checking For Malware:
--------------------

C:\DOCUME~1\DEFAUL~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\SH67K9CV\LOADER~1.EXE

Backing Up and Removing any Files Found...

Final Check:

Services:
---------


Files:
------


Any files removed are saved to the SDFix\backups Folder

FINISHED

Mr_JAk3
2006-10-28, 20:42
Hi again, we'll continue :)

You should print these instructions or save these to a text file. Follow these instructions carefully.

Please download the Killbox (http://www.downloads.subratam.org/KillBox.zip).
Unzip it to the desktop but do NOT run it yet.

Download Dr.Web CureIt to the desktop -> ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Do NOT run it yet.

==================

Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.
Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O4 - HKLM\..\Run: [Anti-Virus Update Scheduler V1.39.12R] C:\WINNT\sysdat.exe
O4 - HKLM\..\Run: [newname] C:\\nwnmff_e26.exe
O4 - HKLM\..\Run: [wma34987] RUNDLL32.EXE w0181c50.dll,n 005349820000000a0181c50
O4 - HKLM\..\Run: [defender] C:\\dfndrff_e26.exe
O4 - HKLM\..\RunServices: [tetriz3] C:\WINNT\system32\tetriz3.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Fichiers communs\Microsoft Shared\Web Folders\ibm00005.exe"
O4 - HKCU\..\Run: [tetriz3] C:\WINNT\system32\tetriz3.exe


Use the Windows search: Start > Search > All files and folders > More advanced options. Checkmark these options:
"Search system folders"
"Search hidden files and folders"
"Search subfolders"
Search for this and delete if found: w0181c50.dll

Please run Killbox.

Select "Delete on Reboot".
Select "All Files".

Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINNT\eiRecvr.exe
C:\WINNT\tcpsvcs.exe
C:\WINNT\sysdat.exe
C:\WINNT\system32\tetriz3.exe
C:\Program Files\Fichiers communs\Microsoft Shared\Web Folders\ibm00005.exe
Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

Restart to the safe mode again.

Run ATF Cleaner. Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser: click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser: click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Run a scan with Dr.Web CureIt: double-click the drweb-cureit.exe file and allow it to run the express scan.
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, you should now mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.

When the scan has finished, look if you can click the next icon next to the files found: http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif
If so, click it and then click the next icon right below and select Move incurable.
After the scan, in the menu, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot the computer in Normal Mode,
Post the Cure-it report and a fresh HijackThis log
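
The fix list above is the helper's reading of the O4 (autorun) lines in the log. As an added example, not code from the thread or from HijackThis, the Python below turns that reading into explicit checks and runs them over a subset of the same O4 lines: rundll32 loading a DLL given with no path (wma34987), executables sitting at the drive root (newname, defender) or directly in %WinDir% (sysdat.exe), a RunServices key that Windows NT/2000 never processes, a value named Shell under a Run key, and one image registered under two autorun keys (tetriz3). The rules, the allow-list and the way unquoted paths with spaces are split are the editor's assumptions, not HijackThis logic, and they are heuristics: an unusual path is a reason to look, not proof.

```python
"""Triage of HijackThis O4 (autorun) lines with a few path heuristics.
Editor's added example: not a tool used in the thread and not HijackThis logic.
The rules are assumptions chosen to show why the O4 entries the helper listed
for fixing stand out from the legitimate ones around them.  SAMPLE_LOG is a
subset of the HijackThis log posted earlier in the thread."""
import re
from collections import Counter

SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Anti-Virus Update Scheduler V1.39.12R] C:\WINNT\sysdat.exe
O4 - HKLM\..\Run: [newname] C:\\nwnmff_e26.exe
O4 - HKLM\..\Run: [wma34987] RUNDLL32.EXE w0181c50.dll,n 005349820000000a0181c50
O4 - HKLM\..\Run: [defender] C:\\dfndrff_e26.exe
O4 - HKLM\..\RunServices: [tetriz3] C:\WINNT\system32\tetriz3.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Fichiers communs\Microsoft Shared\Web Folders\ibm00005.exe"
O4 - HKCU\..\Run: [tetriz3] C:\WINNT\system32\tetriz3.exe
""".strip().splitlines()

# "O4 - HKLM\..\Run: [value name] command"
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.*?)\] (.*)$")
# program = shortest prefix ending in an executable extension, then arguments;
# this copes with unquoted paths that contain spaces
EXE_RE = re.compile(r"^(.*?\.(?:exe|dll|scr|com|bat|cmd|pif))(?:\s+(.*))?$", re.I)

WIN9X_ONLY_KEYS = {"runservices", "runservicesonce"}  # NT/2000 never process these
WINLOGON_NAMES = {"shell", "userinit", "system"}      # the real ones live under Winlogon
ALLOWED_IN_WINDIR = {"explorer.exe"}                  # legitimately sits in %WinDir% itself

def parse_o4(line):
    """(hive, key, value name, command) for a registry O4 line, else None."""
    m = O4_RE.match(line)
    return m.groups() if m else None

def split_command(cmd):
    """Separate the program from its arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    m = EXE_RE.match(cmd)
    if m:
        return m.group(1), m.group(2) or ""
    exe, _, args = cmd.partition(" ")
    return exe, args

def loaded_image(cmd):
    """The file really executed: the DLL for rundll32, otherwise the program."""
    # HijackThis prints drive-root files as C:\\name.exe (doubled backslash),
    # so runs of backslashes are collapsed to one.
    exe, args = split_command(cmd)
    via_rundll32 = exe.lower() in ("rundll32.exe", "rundll32")
    image = args.split(",", 1)[0] if via_rundll32 else exe
    return re.sub(r"\\+", r"\\", image.strip()), via_rundll32

def triage(lines):
    """Return (hive, key, name, image, reasons) for every entry a rule fires on."""
    entries = [e for e in map(parse_o4, lines) if e]
    images = [loaded_image(cmd) for _, _, _, cmd in entries]
    seen = Counter(img.lower() for img, _ in images)
    findings = []
    for (hive, key, name, _), (image, via_rundll32) in zip(entries, images):
        low = image.lower()
        reasons = []
        if via_rundll32 and "\\" not in image:
            reasons.append("rundll32 loads a DLL given without any path")
        if re.match(r"^[a-z]:\\[^\\]+$", low):
            reasons.append("executable sits in the drive root")
        if (re.match(r"^[a-z]:\\(winnt|windows)\\[^\\]+$", low)
                and low.rsplit("\\", 1)[1] not in ALLOWED_IN_WINDIR):
            reasons.append("executable dropped straight into %WinDir%")
        if key.lower() in WIN9X_ONLY_KEYS:
            reasons.append(key + " is a Windows 9x key; nothing legitimate on NT needs it")
        if name.lower() in WINLOGON_NAMES:
            reasons.append("value name '%s' under Run mimics a Winlogon value" % name)
        if seen[low] > 1:
            reasons.append("same image registered under more than one autorun key")
        if reasons:
            findings.append((hive, key, name, image, reasons))
    return findings

if __name__ == "__main__":
    for hive, key, name, image, reasons in triage(SAMPLE_LOG):
        print(hive + "\\" + key, "[" + name + "]", image, "->", "; ".join(reasons))
```

Run stand-alone it prints the seven entries the helper asked to have fixed and nothing else from the sample. The legitimate entries whose unquoted paths contain spaces (the HP and Spybot ones) pass because the program is split off at the first executable extension rather than at the first space; the NVIDIA rundll32 entry passes because its DLL carries a full path.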

Enezarz
2006-10-28, 23:41
Hi,
In the meantime I followed once again the same process and found only one exe file : tcpsvcs.exe - then deleted it.
Will process as per your new instructions.
Thanks.

Enezarz
2006-10-29, 19:25
Hi again,

Sounds better from the last logs. :rolleyes:
Here's the Dr.Web report :
eraseme_38141.exe;C:\WINNT;Win32.HLLW.MyBot;Deleted.;
ecRecvr.exe;C:\WINNT;Win32.HLLW.MyBot;Deleted.;
atapi32.exe;C:\WINNT;Win32.HLLW.MyBot;Deleted.;
pbifmvhk.exe;C:\WINNT\system32;Adware.SearchColours;Quarantined.;

And the HijackThis one :
Logfile of HijackThis v1.99.1
Scan saved at 19:23:11, on 29/10/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norman\Bin\Zanda.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Norman\bin\NJEEVES.EXE
C:\Program Files\Norman\Nvc\bin\nvcoas.exe
C:\Program Files\Norman\Nvc\BIN\NVCSCHED.EXE
C:\Program Files\Norman\Nvc\BIN\nipsvc.exe
C:\WINNT\System32\mdm.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Norman\bin\ZLH.EXE
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Norman\Nvc\BIN\NIP.EXE
C:\Program Files\Norman\Nvc\bin\cclaw.exe
C:\Program Files\NielsenNetratings\bin\insight.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\akascanner\Scanner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.free.fr/search/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8010
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = setup.msn.com;memberservices.msn.com
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (C:\Documents and Settings\Administrateur\Application Data\Mozilla\Profiles\default\b0hivv32.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Administrateur\Application Data\Mozilla\Profiles\default\b0hivv32.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\Program Files\Norman\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Nielsen NetRatings.lnk = C:\Program Files\NielsenNetratings\bin\insight.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O14 - IERESET.INF: START_PAGE_URL=http://home.free.fr/
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Service d'administration du Gestionnaire de disque logique (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Program Files\Norman\Nvc\BIN\nipsvc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Program Files\Norman\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Program Files\Norman\Bin\Zanda.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Program Files\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\Program Files\Norman\Nvc\BIN\NVCSCHED.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe

All known to me except nvsvc32.exe... Any next action to suggest?
Thx and regards

Enezarz
2006-10-29, 19:27
Ok, nvsvc32.exe seems part of the nVidia graphic card...

Mr_JAk3
2006-10-30, 06:14
Hi again, it is looking good from here :)
How is the pc running ?

You mentioned that you had a winantivirus icon in your Control Panel. I assume that it is still there. We'll remove it...

Please run a scan with WinPFind 1.4.1, instructions -> here (http://www.bleepingcomputer.com/files/winpfind.php)

Post the WinPFind log to here when you're ready :bigthumb:

Enezarz
2006-10-31, 10:46
Hello,
Sorry for the delay. As said, the PC looks fine, but I also manually removed a wack32.exe file remaining on root C: (not sure why none of the tools removed it) and it has not reappeared this time. All the scans are fine (spybot & Co.).
And you bet, the winantivirus icon is still there.
Will process as per your instructions.
C U :bigthumb:

Enezarz
2006-10-31, 11:13
:rolleyes: Here's the report :

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows sometimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Logfile created on: 31/10/2006 10:58:05
WinPFind v1.5.0 Folder = C:\WinPFfind\WinPFind\
Microsoft Windows 2000 Service Pack 4 (Version = 5.0.2195)
Internet Explorer (Version = 6.0.2800.1106)

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
UPX! 11/10/2006 11:07:58 88576 C:\VundoFix.exe (Atribune.org)

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
UPX! 19/02/2002 12:38:18 168960 C:\WINNT\SYSTEM32\dvdaudio.ax ()
winsync 02/08/2002 1309184 C:\WINNT\SYSTEM32\wbdbase.deu ()
UPX! 17/06/1998 01:00:00 138752 C:\WINNT\SYSTEM32\MSVCRTD.DLL (Microsoft Corporation)
PECompact2 11/09/2006 19:37:22 8960936 C:\WINNT\SYSTEM32\MRT.exe (Microsoft Corporation)
aspack 11/09/2006 19:37:22 8960936 C:\WINNT\SYSTEM32\MRT.exe (Microsoft Corporation)
Umonitor 03/06/2005 12:30:56 555792 C:\WINNT\SYSTEM32\RASDLG.DLL (Microsoft Corporation)
WSUD 19/06/2003 21:05:04 1011764 C:\WINNT\SYSTEM32\mfc42u.dll (Microsoft Corporation)
UPX! 24/11/2001 19:31:48 65536 C:\WINNT\SYSTEM32\FraunhoferAudio.ax (Fraunhofer)
UPX! 24/11/2001 19:28:14 86528 C:\WINNT\SYSTEM32\FraunhoferVideo.ax (Fraunhofer)

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINNT\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
30/10/2006 00:15:24 H 554984 C:\WINNT\ShellIconCache ()
24/10/2006 23:35:10 H 4212 C:\WINNT\system32\zllictbl.dat ()
22/10/2006 23:58:14 HS 423708 C:\WINNT\system32\rsvyb.ini2 ()
31/10/2006 10:43:08 H 6 C:\WINNT\Tasks\SA.DAT ()
31/10/2006 10:43:22 S 64 C:\WINNT\CSC\00000001 ()
28/10/2006 09:00:26 S 64 C:\WINNT\CSC\csc1.tmp ()
29/10/2006 10:19:50 S 64 C:\WINNT\CSC\00000002 ()

Checking for CPL files...
19/06/2003 21:05:04 304912 C:\WINNT\SYSTEM32\appwiz.cpl (Microsoft Corporation)
15/04/2004 16:28:56 324608 C:\WINNT\SYSTEM32\QuickTime.cpl (Apple Computer, Inc.)
02/08/2002 32528 C:\WINNT\SYSTEM32\fax.cpl (Microsoft Corporation)
02/08/2002 131856 C:\WINNT\SYSTEM32\hdwwiz.cpl (Microsoft Corporation)
02/08/2002 122128 C:\WINNT\SYSTEM32\intl.cpl (Microsoft Corporation)
02/08/2002 36624 C:\WINNT\SYSTEM32\irprops.cpl (Microsoft Corporation)
02/08/2002 123664 C:\WINNT\SYSTEM32\main.cpl (Microsoft Corporation)
02/08/2002 310032 C:\WINNT\SYSTEM32\mmsys.cpl (Microsoft Corporation)
02/08/2002 17168 C:\WINNT\SYSTEM32\ncpa.cpl (Microsoft Corporation)
02/08/2002 42256 C:\WINNT\SYSTEM32\nwc.cpl (Microsoft Corporation)
02/08/2002 6416 C:\WINNT\SYSTEM32\telephon.cpl (Microsoft Corporation)
02/08/2002 61200 C:\WINNT\SYSTEM32\timedate.cpl (Microsoft Corporation)
03/06/2005 12:31:08 66832 C:\WINNT\SYSTEM32\msmq.cpl (Microsoft Corporation)
19/06/2003 21:05:04 245008 C:\WINNT\SYSTEM32\DESK.CPL (Microsoft Corporation)
30/08/2002 18:24:06 293376 C:\WINNT\SYSTEM32\inetcpl.cpl (Microsoft Corporation)
19/06/2003 21:05:04 41232 C:\WINNT\SYSTEM32\odbccp32.cpl (Microsoft Corporation)
19/06/2003 21:05:04 94480 C:\WINNT\SYSTEM32\powercfg.cpl (Microsoft Corporation)
06/10/2003 14:16:00 73728 C:\WINNT\SYSTEM32\nvtuicpl.cpl (NVIDIA Corporation)
19/06/2003 21:05:04 131344 C:\WINNT\SYSTEM32\SYSDM.CPL (Microsoft Corporation)
02/08/2002 02:00:00 70416 C:\WINNT\SYSTEM32\access.cpl (Microsoft Corporation)
01/05/2002 18:51:36 77824 C:\WINNT\SYSTEM32\joy.cpl (Microsoft Corporation)
16/12/2005 16:45:44 69632 C:\WINNT\SYSTEM32\av.cpl ()
26/05/2005 04:16:32 175896 C:\WINNT\SYSTEM32\wuaucpl.cpl (Microsoft Corporation)
19/06/2003 21:05:04 84240 C:\WINNT\SYSTEM32\sticpl.cpl (Microsoft Corporation)
26/05/2005 04:16:32 175896 C:\WINNT\SYSTEM32\dllcache\wuaucpl.cpl (Microsoft Corporation)
03/06/2005 12:31:08 66832 C:\WINNT\SYSTEM32\dllcache\msmq.cpl (Microsoft Corporation)
02/08/2002 42256 C:\WINNT\SYSTEM32\dllcache\nwc.cpl (Microsoft Corporation)
07/10/1999 00:46:10 94208 C:\WINNT\SYSTEM32\dllcache\mwcpa32.cpl (IBM Corporation)
30/08/2002 18:24:06 293376 C:\WINNT\SYSTEM32\dllcache\inetcpl.cpl (Microsoft Corporation)
20/03/2003 20:13:00 139264 C:\WINNT\SYSTEM32\ReinstallBackups\PCI#VEN_10DE&DEV_0110&SUBSYS_00000000&REV_A1#4&9AEDED5&0&0008\0000\DriverFiles\nvtuicpl.cpl (NVIDIA Corporation)

Checking for Downloaded Program Files...
{166B1BCA-3F9C-11CF-8075-444553540000} - Shockwave ActiveX Control - CodeBase = http://fpdownload.macromedia.com/pub/shockwave/cabs/director/swdir.cab
{9F1C11AA-197B-4942-BA54-47A8489BB47F} - - CodeBase = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38089.4947569444
{D27CDB6E-AE6D-11CF-96B8-444553540000} - Shockwave Flash Object - CodeBase = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DirectAnimation Java Classes - - CodeBase = file://C:\WINNT\Java\classes\dajava.cab
Microsoft XML Parser for Java - - CodeBase = file://C:\WINNT\Java\classes\xmldso.cab

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
29/10/2006 10:20:14 646 C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage\Acrobat Assistant.lnk ()
29/10/2006 10:20:12 575 C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage\hp psc 2000 Series.lnk ()
29/10/2006 10:20:14 542 C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage\Nielsen NetRatings.lnk ()

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...

Checking files in %USERPROFILE%\Application Data folder...
05/10/2006 21:49:46 706 C:\Documents and Settings\Administrateur\Application Data\update.log ()

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

>>> Internet Explorer Settings <<<


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
\\Start Page - http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
\\Search Page - http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
\\Default_Page_URL - http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
\\Default_Search_URL - http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
\\Local Page - C:\WINNT\SYSTEM32\blank.htm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
\\Start Page - http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
\\Search Bar - http://www.free.fr/search/
\\Search Page - http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
\\Default_Search_URL - http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
\\Local Page - C:\WINNT\SYSTEM32\blank.htm

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
\\CustomizeSearch - http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
\\SearchAssistant - http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm


[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
\\{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Microsoft Url Search Hook = %SystemRoot%\system32\shdocvw.dll (Microsoft Corporation)

>>> BHO's <<<
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx ()
\{53707962-6F74-2D53-2644-206D7942484F} - = C:\PROGRA~1\SPYBOT~1\SDHelper.dll (Safer Networking Limited)

>>> Internet Explorer Bars, Toolbars and Extensions <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
\{4D5C8C25-D075-11d0-B416-00C04FB90376} - &Astuce du jour = %SystemRoot%\system32\shdocvw.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
\{32683183-48a0-441b-a342-7c2a440a9478} - Media Band = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1} - Contrôle ActiveX File and Folders Search = C:\WINNT\system32\shell32.dll (Microsoft Corporation)
\{EFA24E61-B078-11D0-89E4-00C04FC9E26E} - Favorites Band = %SystemRoot%\system32\shdocvw.dll (Microsoft Corporation)
\{EFA24E62-B078-11D0-89E4-00C04FC9E26E} - History Band = %SystemRoot%\system32\shdocvw.dll (Microsoft Corporation)
\{EFA24E64-B078-11D0-89E4-00C04FC9E26E} - Explorer Band = %SystemRoot%\system32\shdocvw.dll (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
\\{8E718888-423F-11D2-876E-00A0C9082467} - &Radio = C:\WINNT\system32\msdxm.ocx (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
\ShellBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Adresse = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
\WebBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Adresse = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
\WebBrowser\\{0E5CBF21-D15F-11D0-8301-00AA005B4383} - &Liens = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\CmdMapping]
\\NEXTID - 8193

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]

>>> Approved Shell Extensions (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
\\{42071714-76d4-11d1-8b24-00a0c9068ff3} - Extension Affichage Panorama du Panneau de configuration = deskpan.dll ()
\\{764BF0E1-F219-11ce-972D-00AA00A14F56} - Extensions de l'interpréteur de commandes pour la compression de fichiers = ()
\\{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} - Menu contextuel de cryptage = ()
\\{88895560-9AA2-1069-930E-00AA0030EBC8} - HyperTerminal Icon Ext = C:\WINNT\System32\hticons.dll (Hilgraeve, Inc.)
\\{1CDB2949-8F65-4355-8456-263E7C208A5D} - Desktop Explorer = C:\WINNT\System32\nvshell.dll (NVIDIA Corporation)
\\{1E9B04FB-F9E5-4718-997B-B8DA88302A47} - Desktop Explorer Menu = C:\WINNT\System32\nvshell.dll (NVIDIA Corporation)
\\{A4DF5659-0801-4A60-9607-1C48695EFDA9} - Dossier de téléchargement Share-to-Web = C:\Program Files\Hewlett-Packard\HP Share-to-Web\HPGS2WNS.DLL (Hewlett-Packard)
\\{5a61f7a0-cde1-11cf-9113-00aa00425c62} - IIS Shell Extention = ()

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
\\{BDEADF00-C265-11d0-BCED-00A0C90AB50F} - = C:\PROGRA~1\FICHIE~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL ()


>>> Context Menu Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers]
\AVG Anti-Spyware - {8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll (Anti-Malware Development a.s.)
\NVC - {D5507020-DB45-11d1-A5F0-00600872F78D} = C:\Program Files\Norman\Nvc\BIN\NVCSE.DLL (Norman Data Defense Systems)
\PowerArchiver - {d03d3e68-0c44-3d45-b15f-bcfd8a8b4c7e} = C:\Program Files\PowerArchiver\PASHLEXT.DLL (eFront Media, Inc.)
\ShellExtension - = ()

[HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers]

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\shellex\ContextMenuHandlers]
\AVG Anti-Spyware - {8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll (Anti-Malware Development a.s.)
\NVC - {D5507020-DB45-11d1-A5F0-00600872F78D} = C:\Program Files\Norman\Nvc\BIN\NVCSE.DLL (Norman Data Defense Systems)
\ShellExtension - = ()

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\BackGround\shellex\ContextMenuHandlers]

[HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers]
\NVC - {D5507020-DB45-11d1-A5F0-00600872F78D} = C:\Program Files\Norman\Nvc\BIN\NVCSE.DLL (Norman Data Defense Systems)
\PowerArchiver - {d03d3e68-0c44-3d45-b15f-bcfd8a8b4c7e} = C:\Program Files\PowerArchiver\PASHLEXT.DLL (eFront Media, Inc.)

>>> Column Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]

>>> Registry Run Keys <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Synchronization Manager - C:\WINNT\SYSTEM32\mobsync.exe (Microsoft Corporation)
NeroCheck - C:\WINNT\system32\NeroCheck.exe (Ahead Software Gmbh)
NvCplDaemon - RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll ()
nwiz - C:\WINNT\SYSTEM32\nwiz.exe (NVIDIA Corporation)
Share-to-Web Namespace Daemon - C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe (Hewlett-Packard)
Norman ZANDA - C:\Program Files\Norman\bin\ZLH.EXE ()
HPDJ Taskbar Utility - C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe (HP)
Zone Labs Client - C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe (Zone Labs, LLC)
QuickTime Task - C:\Program Files\QuickTime\qttask.exe (Apple Computer, Inc.)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
internat.exe - C:\WINNT\SYSTEM32\internat.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

>>> Startup Links <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\Common Startup]
C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage\Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe (Adobe Systems Inc.)
C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage\hp psc 2000 Series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe (Hewlett-Packard Co.)
C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage\Nielsen NetRatings.lnk - C:\Program Files\NielsenNetratings\bin\insight.exe (NetRatings, Inc.)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\Startup]

>>> MSConfig Disabled Items <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[All Users Startup Folder Disabled Items]

[Current User Startup Folder Disabled Items]

>>> User Agent Post Platform <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

>>> AppInit Dll's <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs]

>>> Image File Execution Options <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
\Your Image File Name Here without a path - Debugger = ntsd -d

>>> Shell Service Object Delay Load <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
\\Network.ConnectionTray - {7007ACCF-3202-11D1-AAD2-00805FC1270E} = C:\WINNT\system32\NETSHELL.dll (Microsoft Corporation)
\\WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = WebCheck.dll (Microsoft Corporation)
\\SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} = stobject.dll (Microsoft Corporation)

>>> Shell Execute Hooks <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} - URL Exec Hook = shell32.dll (Microsoft Corporation)
\\{57B86673-276A-48B2-BAE7-C6DBB3020EB8} - CShellExecuteHookImpl Object = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll (Anti-Malware Development a.s.)
\\{7D00738B-6974-4794-98D4-DE79A07ECD81} - = ()

>>> Shared Task Scheduler <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
\\{438755C2-A8BA-11D1-B96B-00A0C90312E1} - Pré-chargeur Browseui = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
\\{8C7461EF-2B13-11d2-BE35-3078302C2030} - Démon de cache des catégories de composant = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)

>>> Winlogon <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
\\UserInit = C:\WINNT\system32\userinit.exe,
\\Shell = Explorer.exe
\\System =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
\crypt32chain - crypt32.dll = (Microsoft Corporation)
\cryptnet - cryptnet.dll = (Microsoft Corporation)
\cscdll - cscdll.dll = (Microsoft Corporation)
\sclgntfy - sclgntfy.dll = (Microsoft Corporation)
\SensLogn - WlNotify.dll = (Microsoft Corporation)
\wzcnotif - wzcdlg.dll = (Microsoft Corporation)


>>> DNS Name Servers <<<
{2DC3DB85-9B76-4CD3-91C4-0928958B564A} - ()

...

Enezarz
2006-10-31, 11:14
>>> All Winsock2 Catalogs <<<
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries]
\000000000001\\LibraryPath - %SystemRoot%\System32\rnr20.dll (Microsoft Corporation)
\000000000002\\LibraryPath - %SystemRoot%\System32\winrnr.dll (Microsoft Corporation)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries]
\000000000001\\PackedCatalogItem - %SystemRoot%\system32\msafd.dll (Microsoft Corporation)
\000000000002\\PackedCatalogItem - %SystemRoot%\system32\msafd.dll (Microsoft Corporation)
\000000000003\\PackedCatalogItem - %SystemRoot%\system32\msafd.dll (Microsoft Corporation)
\000000000004\\PackedCatalogItem - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation)
\000000000005\\PackedCatalogItem - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation)
\000000000006\\PackedCatalogItem - %SystemRoot%\system32\msafd.dll (Microsoft Corporation)
\000000000007\\PackedCatalogItem - %SystemRoot%\system32\msafd.dll (Microsoft Corporation)
\000000000008\\PackedCatalogItem - %SystemRoot%\system32\msafd.dll (Microsoft Corporation)
\000000000009\\PackedCatalogItem - %SystemRoot%\system32\msafd.dll (Microsoft Corporation)
\000000000010\\PackedCatalogItem - %SystemRoot%\system32\msafd.dll (Microsoft Corporation)
\000000000011\\PackedCatalogItem - %SystemRoot%\system32\msafd.dll (Microsoft Corporation)
\000000000012\\PackedCatalogItem - %SystemRoot%\system32\msafd.dll (Microsoft Corporation)
\000000000013\\PackedCatalogItem - %SystemRoot%\system32\msafd.dll (Microsoft Corporation)
\000000000014\\PackedCatalogItem - %SystemRoot%\system32\msafd.dll (Microsoft Corporation)
\000000000015\\PackedCatalogItem - %SystemRoot%\system32\msafd.dll (Microsoft Corporation)

>>> Protocol Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler]
\ipp - ()
\msdaipp - ()

>>> Protocol Filters (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter]

>>> Selected AddOn's <<<


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Mr_JAk3
2006-10-31, 13:50
Hi again :)

You should print these instructions or save these to a text file. Follow these instructions carefully.

Open HijackThis.
Open the Misc Tools section
Delete a file on Reboot
Copy the following line to the "Filename" box and press Open; C:\WINNT\system32\rsvyb.ini2
Answer NO to the Reboot prompt.
Press Delete a file on Reboot again.
Copy the following line to the "Filename" box and press Open; C:\WINNT\SYSTEM32\av.cpl
Answer YES to the Reboot prompt.
The computer will reboot; if not, reboot it yourself.

When the computer has restarted, check the Control Panel. The winantivirus entry should be gone.
Post one more HijackThis log :bigthumb:

Enezarz
2006-10-31, 17:08
Hi again,
Sounds good, as the icon is no longer shown on the control panel :present:
Here's the HiJackThis report :

Logfile of HijackThis v1.99.1
Scan saved at 17:09:19, on 31/10/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norman\Bin\Zanda.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Norman\Nvc\bin\nvcoas.exe
C:\Program Files\Norman\Nvc\BIN\NVCSCHED.EXE
C:\Program Files\Norman\bin\NJEEVES.EXE
C:\Program Files\Norman\Nvc\BIN\nipsvc.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINNT\System32\mdm.exe
C:\Program Files\Norman\bin\ZLH.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\internat.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\NielsenNetratings\bin\insight.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Norman\Nvc\BIN\NIP.EXE
C:\Program Files\Norman\Nvc\bin\cclaw.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\akascanner\Scanner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.free.fr/search/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8010
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = setup.msn.com;memberservices.msn.com
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (C:\Documents and Settings\Administrateur\Application Data\Mozilla\Profiles\default\b0hivv32.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Administrateur\Application Data\Mozilla\Profiles\default\b0hivv32.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\Program Files\Norman\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Nielsen NetRatings.lnk = C:\Program Files\NielsenNetratings\bin\insight.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O14 - IERESET.INF: START_PAGE_URL=http://home.free.fr/
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Service d'administration du Gestionnaire de disque logique (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Program Files\Norman\Nvc\BIN\nipsvc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Program Files\Norman\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Program Files\Norman\Bin\Zanda.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Program Files\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\Program Files\Norman\Nvc\BIN\NVCSCHED.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe
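
The HijackThis log above is read by section code (R1 proxy settings, O4 autoruns, O23 services). As an added triage example that is not part of the original thread, the parser below takes lines in that format and flags the kinds of entries an analyst would review first: a service whose binary is reported "(file missing)", a proxy pointing at 127.0.0.1, and Run entries that name a bare executable rather than a full path. The sample lines are constructed in the shape of the log; the flags are review hints, not removal decisions.

```python
import re

# Constructed sample in the shape of a HijackThis v1.99.1 log.
SAMPLE_LOG = "\n".join([
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8010",
    r"O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe",
    r"O4 - HKLM\..\Run: [nwiz] nwiz.exe /install",
    r"O4 - HKCU\..\Run: [internat.exe] internat.exe",
    r"O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)",
    r"O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe",
])

# Every entry line starts with a section code such as R1, O4 or O23.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_hjt(text):
    """Return (code, body) tuples for each entry line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def triage(entries):
    """Flag entries worth a closer look. Heuristics only: each hit still
    needs a human decision (the bare 'nwiz.exe' below is legitimate)."""
    findings = []
    for code, body in entries:
        if code == "O23" and body.endswith("(file missing)"):
            # Service registered but its binary is gone: leftover or tampering
            findings.append(("orphan-service", body))
        elif code == "R1" and "ProxyServer" in body and "127.0.0.1" in body:
            # Browser traffic routed through a local proxy process
            findings.append(("local-proxy", body))
        elif code == "O4":
            # The command follows the '[name] ' prefix; a bare executable
            # name is resolved through the PATH search order at logon
            cmd = body.split("] ", 1)[1] if "] " in body else body
            exe = cmd.split()[0].strip('"')
            if not ABS_PATH_RE.match(exe):
                findings.append(("unqualified-autorun", body))
    return findings


if __name__ == "__main__":
    for kind, body in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{kind:20} {body}")
```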

Mr_JAk3
2006-10-31, 19:48
Hi again, it is looking clean now :)

Now you can clean AVG's Quarantine:
Open AVG Anti-Spyware
Click Infections
Click Quarantine tab
Click Select all
Click Remove finally
Close the program
You can remove VundoFix.

Now you can make your hidden files hidden again.
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Check "Hide protected operating system files"
Click Apply, then OK, and close My Computer.

=============

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
Clear your system restore (http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx)
This will clear the system restore folders from possible malware that was left behind during the cleaning process.

Use ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1)
Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.

Use Ad-Aware (http://www.bleepingcomputer.com/forums/?showtutorial=48)
Download and install Ad-Aware. Update it and scan your computer regularly with it.

Use AVG Anti-Spyware (http://www.ewido.net/en/)
Update it and scan your computer regularly with it.

Use Spybot S&D (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Download and install Spybot S&D. Update it and scan your computer regularly with it.

Install SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html)
SpywareBlaster will prevent spyware from being installed.

Install MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm)
This prevents your computer from connecting to harmful sites.

Use Firefox browser (http://www.mozilla.org)
Firefox is a faster, safer and better browser than Internet Explorer.

Keep your system up-to-date (http://windowsupdate.microsoft.com)
Visit Windows Update regularly.

Keep your antivirus and firewall up-to-date
Scan your computer regularly with your antivirus.

Read this article by TonyKlein (http://castlecops.com/postlite7736-.html)
So how did I get infected in the first place?

Stand Up and Be Counted ! (http://www.malwarecomplaints.info/index.php)
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.


Stay clean and be safe ;)

Enezarz
2006-10-31, 20:37
Hi Mr_JAk3 :crowned:,
And many thanks for the help !
Best regards. :)

Mr_JAk3
2006-10-31, 20:40
As the problem appears to be resolved this topic has been archived.

If you need it re-opened please send a private message (pm) to a forum staff member and provide a link to the thread; this applies only to the original topic starter.

Glad we could help :2thumb: