View Full Version : smitfraud-C.toolbar888 related problem
Hi!
For the past few weeks my PC (windows XP) has a popup problem when using Internet Explorer (v6.0, SP2). I scanned my PC using Spybot S&D which detected and removed the file removalfile.bat (recognised as smitfraud-C.toolbar888). I did a couple scans after that and Spybot always detected the registry entry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Juan as smitfraud-C.toolbar888. Note that for each scan, I did not remove manually .dll files using Process Explorer as suggested by Spybot since I was not able to identify which files to kill.
I also used Ad-Aware (build 1.05) to scan my PC but it was not able to complete the scan because the PC shut down by itself. As recommended elsewhere to solve that problem, I performed a scan using VundoFix 6.2.8 which detected and removed the file lmhapi.dll. Now, when scanning my PC with Ad-Aware (build 1.06), only cookies get detected.
My popup problem is not getting any better. Can you help?
I'll wait for your reply before posting a HijackThis log (if necessary).
I did as recommanded in the "before you post" post. As always, Spybot only detected the registry entry recognised as Smitfraud-C.Toolbar888. Find below the HJT log. The Panda Online Scan log will follow in the next post.
Here is the HJT log
Logfile of HijackThis v1.99.1
Scan saved at 09:11:01, on 2006-11-09
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\UnivLaval\cvpnd.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\nsr\bin\nsrexecd.exe
C:\Program Files\nsr\bin\nsrpm.exe
C:\Program Files\Fichiers communs\Panda Software\PavShld\pavprsrv.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Fichiers communs\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Atomic Clock Sync\Atomic.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MétéoMédia\MétéoIMédia\WeatherEye.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Palm\AlarmApp.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://agora.ulaval.ca/courriel/login.php?url=%2Flogin.php%3Fnocache%3D4qo3euq4xri8&reason=logout
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = C:\Program Files\Copernic 2001 Basic\Search Bar.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: (no name) - {0676CC61-CDC5-447e-AAFC-9D886EC820EB} - C:\WINDOWS\system32\tmp18.tmp.dll
O2 - BHO: (no name) - {4924923B-AB0C-4670-98A3-405C42B122D5} - C:\WINDOWS\system32\lmhapi.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: FDA Bar - {9595C62C-76C6-49A6-9BDA-3253DD7A34FF} - C:\Program Files\Free Downloads Accelerator\fdabar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Atomic.exe] C:\Program Files\Atomic Clock Sync\Atomic.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MétéoIMédia] C:\Program Files\MétéoMédia\MétéoIMédia\WeatherEye
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Alarm Manager.LNK = C:\Program Files\Palm\AlarmApp.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Universite Laval Client VPN ULaval.lnk = C:\Program Files\UnivLaval\vpngui.exe
O8 - Extra context menu item: Chercher avec Copernic 2001 - C:\Program Files\Copernic 2001 Basic\Search Extension.htm
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {2A465934-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2001 Basic\Copernic.exe
O9 - Extra 'Tools' menuitem: Lancer Copernic 2001 - {2A465934-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2001 Basic\Copernic.exe
O9 - Extra button: Copernic 2001 - {2A465936-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2001 Basic\Copernic.exe
O9 - Extra button: Traduire - {99EFB53C-C965-43CF-9F45-52242D134187} - file://C:\Program Files\Copernic 2001 Basic\Translate.htm
O9 - Extra 'Tools' menuitem: &Traduire avec Gist-In-Time - {99EFB53C-C965-43CF-9F45-52242D134187} - file://C:\Program Files\Copernic 2001 Basic\Translate.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .tga: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20020124/qtinstall.info.apple.com/qt505/fr/win/QuickTimeInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8F1E2F2D-8D3E-47F5-9864-FD0BBC9ECFCE}: NameServer = 132.203.250.13,132.203.250.10
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\UnivLaval\cvpnd.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Fichiers communs\Network Associates\McShield\Mcshield.exe
O23 - Service: NetWorker Remote Exec Service (nsrexecd) - Legato Systems, Inc. - C:\Program Files\nsr\bin\nsrexecd.exe
O23 - Service: NetWorker Power Monitor (nsrpm) - Legato Systems, Inc. - C:\Program Files\nsr\bin\nsrpm.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Fichiers communs\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
Here is the Panda Online Scan log
Incident Status Location
Spyware:Cookie/LinkExchange Not disinfected C:\Documents and Settings\Administrateur\Cookies\administrateur@linkexchange[1].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\bergerono\Cookies\bergerono@server.iad.liveperson[2].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\bergerono\Cookies\bergerono@xiti[1].txt
Possible Virus. Not disinfected C:\Documents and Settings\bergerono\Local Settings\Temp\tmp18.tmp.exe
Possible Virus. Not disinfected C:\Documents and Settings\bergerono\Local Settings\Temp\tmp35.tmp.exe
Possible Virus. Not disinfected C:\Documents and Settings\bergerono\Local Settings\Temp\tmp5F7.tmp.exe
Spyware:Cookie/LinkExchange Not disinfected C:\Documents and Settings\christiansend\Cookies\administrateur@linkexchange[1].txt
Spyware:Cookie/LinkExchange Not disinfected C:\Documents and Settings\coursollec\Cookies\administrateur@linkexchange[1].txt
Spyware:Cookie/LinkExchange Not disinfected C:\Documents and Settings\Default User\Cookies\administrateur@linkexchange[1].txt
Spyware:Cookie/LinkExchange Not disinfected C:\Documents and Settings\droletg\Cookies\administrateur@linkexchange[1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\droletg\Cookies\droletg@xiti[1].txt
Spyware:Cookie/LinkExchange Not disinfected C:\Documents and Settings\foleyf\Cookies\administrateur@linkexchange[1].txt
Spyware:Cookie/LinkExchange Not disinfected C:\Documents and Settings\gagnonc\Cookies\administrateur@linkexchange[1].txt
Spyware:Cookie/LinkExchange Not disinfected C:\Documents and Settings\giassonma\Cookies\administrateur@linkexchange[1].txt
Spyware:Cookie/LinkExchange Not disinfected C:\Documents and Settings\guimonds\Cookies\administrateur@linkexchange[1].txt
Spyware:Cookie/64.62.232 Not disinfected C:\Documents and Settings\guimonds\Cookies\guimonds@64.62.232[2].txt
Spyware:Cookie/Servlet Not disinfected C:\Documents and Settings\larchera\Local Settings\Temp\Cookies\larchera@servlet[1].txt
Spyware:Cookie/LinkExchange Not disinfected C:\Documents and Settings\lheureuxm\Cookies\administrateur@linkexchange[1].txt
Spyware:Cookie/LinkExchange Not disinfected C:\Documents and Settings\martelmc\Cookies\administrateur@linkexchange[1].txt
Spyware:Cookie/LinkExchange Not disinfected C:\Documents and Settings\parisv\Cookies\administrateur@linkexchange[1].txt
Spyware:Cookie/LinkExchange Not disinfected C:\Documents and Settings\quoreshia\Cookies\administrateur@linkexchange[1].txt
Spyware:Cookie/LinkExchange Not disinfected C:\Documents and Settings\vigerc\Cookies\administrateur@linkexchange[1].txt
Spyware:Cookie/Rightmedia Not disinfected C:\Documents and Settings\vigerc\Cookies\vigerc@rightmedia[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq36.tmp
Spyware:Cookie/2o7 Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq37.tmp
Spyware:Cookie/YieldManager Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq38.tmp
Spyware:Cookie/Atlas DMT Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq39.tmp
Spyware:Cookie/Bfast Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3A.tmp
Spyware:Cookie/Bluestreak Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3B.tmp
Spyware:Cookie/Casalemedia Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3C.tmp
Spyware:Cookie/Clickbank Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3D.tmp
Spyware:Cookie/Com.com Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3E.tmp
Spyware:Cookie/Coremetrics Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3F.tmp
Spyware:Cookie/Doubleclick Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq42.tmp
Spyware:Cookie/Enhance Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq43.tmp
Spyware:Cookie/Falkag Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq45.tmp
Spyware:Cookie/Falkag Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq46.tmp
Spyware:Cookie/FastClick Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq47.tmp
Spyware:Cookie/Hitbox Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq48.tmp
Spyware:Cookie/LinkExchange Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq49.tmp
Spyware:Cookie/Mediaplex Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4A.tmp
Spyware:Cookie/PointRoll Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4C.tmp
Spyware:Cookie/QkSrv Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4D.tmp
Spyware:Cookie/RealMedia Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4E.tmp
Spyware:Cookie/Mammamediasolutions Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq50.tmp
Spyware:Cookie/888 Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq51.tmp
Spyware:Cookie/888 Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq52.tmp
Spyware:Cookie/Tribalfusion Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq53.tmp
Spyware:Cookie/Zedo Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq55.tmp
Spyware:Cookie/YieldManager Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5DB.tmp
Spyware:Cookie/Enhance Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5DC.tmp
Spyware:Cookie/Findwhat Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5DD.tmp
Spyware:Cookie/WebtrendsLive Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5DF.tmp
Spyware:Cookie/FastClick Not disinfected C:\RECYCLER\S-1-5-21-694882400-1956205806-930774774-3753\Dc10.txt
Spyware:Cookie/Mediaplex Not disinfected C:\RECYCLER\S-1-5-21-694882400-1956205806-930774774-3753\Dc14.txt
Spyware:Cookie/Rightmedia Not disinfected C:\RECYCLER\S-1-5-21-694882400-1956205806-930774774-3753\Dc17.txt
Spyware:Cookie/Advertising Not disinfected C:\RECYCLER\S-1-5-21-694882400-1956205806-930774774-3753\Dc19.txt
Spyware:Cookie/Tribalfusion Not disinfected C:\RECYCLER\S-1-5-21-694882400-1956205806-930774774-3753\Dc20.txt
Spyware:Cookie/Valueclick Not disinfected C:\RECYCLER\S-1-5-21-694882400-1956205806-930774774-3753\Dc22.txt
Spyware:Cookie/Advertising Not disinfected C:\RECYCLER\S-1-5-21-694882400-1956205806-930774774-3753\Dc5.txt
Spyware:Cookie/Falkag Not disinfected C:\RECYCLER\S-1-5-21-694882400-1956205806-930774774-3753\Dc7.txt
Spyware:Cookie/Atlas DMT Not disinfected C:\RECYCLER\S-1-5-21-694882400-1956205806-930774774-3753\Dc8.txt
Spyware:Cookie/Doubleclick Not disinfected C:\RECYCLER\S-1-5-21-694882400-1956205806-930774774-3753\Dc9.txt
Possible Virus. Not disinfected C:\VundoFix Backups\lmhapi.dll.bad
Possible Virus. Not disinfected C:\WINDOWS\system32\ssttr.exe
Possible Virus. Not disinfected C:\WINDOWS\system32\tmp18.tmp.dll
Possible Virus. Not disinfected C:\WINDOWS\system32\tmp35.tmp.dll
Possible Virus. Not disinfected C:\WINDOWS\system32\tmp5F7.tmp.dll
I hope the logs get posted correctly...
steamwiz
2006-11-10, 01:27
Hi
The smitfraud-C.toolbar888 is a false positive .. ignore it
Disconnect from the internet Close ALL browser windows (including this one) - run hijackthis and tick to fix (check the box next to) the list below.........when all are ticked (checked) click the Fix Checked button at the bottom. :-
O2 - BHO: (no name) - {0676CC61-CDC5-447e-AAFC-9D886EC820EB} - C:\WINDOWS\system32\tmp18.tmp.dll
O2 - BHO: (no name) - {4924923B-AB0C-4670-98A3-405C42B122D5} - C:\WINDOWS\system32\lmhapi.dll (file missing)
Reboot
have the popups stopped ?
steam
Since I did what you recommanded, popups have stopped. As far as I can tell, my problem appears to be solved. Thanks. :bigthumb:
Should I call it Victory or is there anything else I should do to clean/secure my PC?
steamwiz
2006-11-10, 23:52
Going on that Panda log ... you have a fair bit of cleaning still to do...
Download and install the 30 day trial of Ewido Anti-Spyware from HERE :-
Ewido is now called - AVG Anti-Spyware 7.5
http://www.ewido.net/en/download/
1. Download it to your desktop
2. Doubleclick the ewido icon to start the ewido setup process...
3. update the definition files....
Click the Update icon then select the Update now link...
Select the Start Update button, the update will start and a progress bar will show the updates being installed.
4. select the Scanner icon at the top of the screen, then select the Settings tab
click on Recommended actions and then select Quarantine
5. Under Reports...
Select Automatically generate report after every scan
Un-Select Only if threats were found
6. Close Ewido > Do not run the scan yet.
Boot your computer into Safemode
1. Go to Start> Shut Off your Computer> Restart
2. As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly, this will bring up a menu.
3. Use the Up and Down Arrow Keys to scroll up to SAFEMODE
4. Then press the Enter on your Keyboard
IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning process
1. Launch Ewido-Anti-Spyware by double-clicking the icon on your desktop.
2. Select the Scanner icon at the top and then the Scan tab then click on Complete System Scan.
3. Ewido will now begin the scanning process, be patient this may take a little time.
4. Once the scan is complete do the following:
5. If you have any infections you will prompted, then select Apply all actions
6. Next select the Reports icon at the top.
7. Select the Save report as button in the lower left hand of the screen and save it to a text file on your system
8. make sure to remember where you saved that file, this is important
9. Close Ewido
10. Copy & paste the ewido report in your next post
& a new hijackthis log... run from normal mode...
steam
I overwrote the AVG Anti-Spyware log by mistake, so I can not post it. However, AVG only found tracking cookies for which it did not take any action (according to the log) even if I clicked "Apply all actions". I ran AVG a second time and it found nothing.
Here is the HJT log
Logfile of HijackThis v1.99.1
Scan saved at 09:35:56, on 2006-11-14
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\UnivLaval\cvpnd.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\nsr\bin\nsrexecd.exe
C:\Program Files\nsr\bin\nsrpm.exe
C:\Program Files\Fichiers communs\Panda Software\PavShld\pavprsrv.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Palm\Palm.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Palm\Hotsync.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MétéoMédia\MétéoIMédia\WeatherEye.exe
C:\Program Files\Palm\AlarmApp.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Qualcomm\Eudora\Eudora.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://agora.ulaval.ca/courriel/login.php?url=%2Flogin.php%3Fnocache%3D4qo3euq4xri8&reason=logout
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = C:\Program Files\Copernic 2001 Basic\Search Bar.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: FDA Bar - {9595C62C-76C6-49A6-9BDA-3253DD7A34FF} - C:\Program Files\Free Downloads Accelerator\fdabar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MétéoIMédia] C:\Program Files\MétéoMédia\MétéoIMédia\WeatherEye
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Alarm Manager.LNK = C:\Program Files\Palm\AlarmApp.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Universite Laval Client VPN ULaval.lnk = C:\Program Files\UnivLaval\vpngui.exe
O8 - Extra context menu item: Chercher avec Copernic 2001 - C:\Program Files\Copernic 2001 Basic\Search Extension.htm
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {2A465934-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2001 Basic\Copernic.exe
O9 - Extra 'Tools' menuitem: Lancer Copernic 2001 - {2A465934-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2001 Basic\Copernic.exe
O9 - Extra button: Copernic 2001 - {2A465936-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2001 Basic\Copernic.exe
O9 - Extra button: Traduire - {99EFB53C-C965-43CF-9F45-52242D134187} - file://C:\Program Files\Copernic 2001 Basic\Translate.htm
O9 - Extra 'Tools' menuitem: &Traduire avec Gist-In-Time - {99EFB53C-C965-43CF-9F45-52242D134187} - file://C:\Program Files\Copernic 2001 Basic\Translate.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .tga: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20020124/qtinstall.info.apple.com/qt505/fr/win/QuickTimeInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8F1E2F2D-8D3E-47F5-9864-FD0BBC9ECFCE}: NameServer = 132.203.250.13,132.203.250.10
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\UnivLaval\cvpnd.exe
O23 - Service: NetWorker Remote Exec Service (nsrexecd) - Legato Systems, Inc. - C:\Program Files\nsr\bin\nsrexecd.exe
O23 - Service: NetWorker Power Monitor (nsrpm) - Legato Systems, Inc. - C:\Program Files\nsr\bin\nsrpm.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Fichiers communs\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
steamwiz
2006-11-14, 22:57
HI
Your hijackthis log is clean, but it was the Pandascan log I was concerned about...
please run this cleaner program ... then run the Pandascan again & post the new Pandalog
Download CCleaner from :-
http://www.filehippo.com/download_ccleaner/ (click the download tab)
During the installation be sure to UN-check the box for "Ccleaner Yahoo Toolbar" unless you want it.
doubleclick the ccsetup.exe file and install the program...
After installing, go to Start > programs > CCleaner > Options > Advanced > UNCHECK "Only delete files in Windows Temp folder older than 48 hours"
Make sure the "windows" tab is selected
Under "internet explorer" tick...
Temporary internet files
Cookies* > see Note below
History
Recently typed URL's (leave this unticked if you DON'T want to clear the drop down list in the address window of IE)
Delete index.dat files
Last download location
Autocomplete form history
under "Windows explorer" these are optional, but you can safely tick them all if you wish, they are only "most recently used lists"
Other explorer MRU's (leave this unticked if you DON'T want to clear lists such as the start\run list)
under "System"
Tick ALL these ...
under "Advanced"
no need to tick any of these (but you can if you want, and realise what they do)
Applications tab...
These will mostly clean out old log files for these applications...
Clean:- (if you use them)
Firefox/Mozilla (optional - leave the cookies - see note)
Opera
Sun Java
ZoneAlarm
...
Personally I clean everything in the applications tab... but you tick what you want...
Note: *If there are any cookies you want to keep (if you remove the cookie for a site you require a password for, you will need to re-enter your password when you next visit that site) ... click options > cookies > then keep the cookies you want.
click "analyse" if you want to see a list of what is going to be removed, before it is removed.
Or
click "run cleaner" to let it get on with it's work... clicking this will result in the following pop-up
"This process will permanently delete files from your system. Are you sure you wish to proceed?"
click OK.
cheers
steam
Here is the Pandalog
Incident Status Location
Spyware:Cookie/LinkExchange Not disinfected C:\Documents and Settings\Administrateur\Cookies\administrateur@linkexchange[1].txt
Spyware:Cookie/LinkExchange Not disinfected C:\Documents and Settings\christiansend\Cookies\administrateur@linkexchange[1].txt
Spyware:Cookie/LinkExchange Not disinfected C:\Documents and Settings\coursollec\Cookies\administrateur@linkexchange[1].txt
Spyware:Cookie/LinkExchange Not disinfected C:\Documents and Settings\Default User\Cookies\administrateur@linkexchange[1].txt
Spyware:Cookie/LinkExchange Not disinfected C:\Documents and Settings\droletg\Cookies\administrateur@linkexchange[1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\droletg\Cookies\droletg@xiti[1].txt
Spyware:Cookie/LinkExchange Not disinfected C:\Documents and Settings\foleyf\Cookies\administrateur@linkexchange[1].txt
Spyware:Cookie/LinkExchange Not disinfected C:\Documents and Settings\gagnonc\Cookies\administrateur@linkexchange[1].txt
Spyware:Cookie/LinkExchange Not disinfected C:\Documents and Settings\giassonma\Cookies\administrateur@linkexchange[1].txt
Spyware:Cookie/LinkExchange Not disinfected C:\Documents and Settings\guimonds\Cookies\administrateur@linkexchange[1].txt
Spyware:Cookie/64.62.232 Not disinfected C:\Documents and Settings\guimonds\Cookies\guimonds@64.62.232[2].txt
Spyware:Cookie/Servlet Not disinfected C:\Documents and Settings\larchera\Local Settings\Temp\Cookies\larchera@servlet[1].txt
Spyware:Cookie/LinkExchange Not disinfected C:\Documents and Settings\lheureuxm\Cookies\administrateur@linkexchange[1].txt
Spyware:Cookie/LinkExchange Not disinfected C:\Documents and Settings\martelmc\Cookies\administrateur@linkexchange[1].txt
Spyware:Cookie/LinkExchange Not disinfected C:\Documents and Settings\parisv\Cookies\administrateur@linkexchange[1].txt
Spyware:Cookie/LinkExchange Not disinfected C:\Documents and Settings\quoreshia\Cookies\administrateur@linkexchange[1].txt
Spyware:Cookie/LinkExchange Not disinfected C:\Documents and Settings\vigerc\Cookies\administrateur@linkexchange[1].txt
Spyware:Cookie/Rightmedia Not disinfected C:\Documents and Settings\vigerc\Cookies\vigerc@rightmedia[2].txt
Adware:Adware/WebSearch Not disinfected C:\hijackthis\backups\backup-20061110-083838-115.dll
Spyware:Cookie/LinkExchange Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq49.tmp
Spyware:Cookie/RealMedia Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4E.tmp
Spyware:Cookie/888 Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq51.tmp
Spyware:Cookie/888 Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq52.tmp
Spyware:Cookie/Rightmedia Not disinfected C:\RECYCLER\S-1-5-21-694882400-1956205806-930774774-3753\Dc17.txt
Possible Virus. Not disinfected C:\WINDOWS\system32\ssttr.exe
Adware:Adware/WebSearch Not disinfected C:\WINDOWS\system32\tmp35.tmp.dll
Adware:Adware/WebSearch Not disinfected C:\WINDOWS\system32\tmp5F7.tmp.dll
steamwiz
2006-11-16, 21:38
HI
How many user accounts are on the computer ? I count at least 16
Find all the cookie folders below, delete the cookies (do NOT delete the cookies folder)
C:\Documents and Settings\Administrateur\Cookies\
C:\Documents and Settings\bergerono\Cookies\
C:\Documents and Settings\christiansend\Cookies\
C:\Documents and Settings\coursollec\Cookies\
C:\Documents and Settings\Default User\Cookies\
C:\Documents and Settings\droletg\Cookies\
C:\Documents and Settings\foleyf\Cookies\
C:\Documents and Settings\gagnonc\Cookies\
C:\Documents and Settings\giassonma\Cookies\
C:\Documents and Settings\guimonds\Cookies\
C:\Documents and Settings\larchera\Local Settings\Temp\Cookies\
C:\Documents and Settings\lheureuxm\Cookies\
C:\Documents and Settings\martelmc\Cookies\
C:\Documents and Settings\parisv\Cookies\
C:\Documents and Settings\quoreshia\Cookies\
C:\Documents and Settings\vigerc\Cookies\
Then...Start hijackthis
Click "open the misc tools section"
Click "backups"
Click "delete all"
then...empty your yahoo quarantine folder
C:\Program Files\Yahoo!\YPSR\Quarantine
then...find and delete these files :-
C:\WINDOWS\system32\ssttr.exe ... file
C:\WINDOWS\system32\tmp35.tmp.dll ... file
C:\WINDOWS\system32\tmp5F7.tmp.dll ... file
finaly ... empty your RECYCLE bin
Run a new Pandascan and post the log if it finds anything...
steam
Hi. Actually, there are 17 user accounts on my PC!
Here is the (much better) Pandalog
Incident Status Location
Spyware:Cookie/Servlet Not disinfected C:\Documents and Settings\larchera\Local Settings\Temp\Cookies\larchera@servlet[1].txt
Spyware:Cookie/Rightmedia Not disinfected C:\RECYCLER\S-1-5-21-694882400-1956205806-930774774-3753\Dc17.txt
Thanks
steamwiz
2006-11-17, 02:28
HI
Those 2 were in the list I gave you to delete...
either you missed them, or you had trouble deleting them...
The first should have been found in the cookie folder...
The other should have gone when you emptied your recycle bin..
But they are only a couple of minor cookies ... if you can't remove them, don't worry about them...
steam
LonnyRJones
2006-11-26, 00:58
Im Glad we could help
Since the problems are solved Im going to close the topic now, this keeps others with similar problems from posting there logs/question here, they should start a new topic.
If you should need to post another log for the same PC let one of us know via a PM (personal message).