Unable to get rid of some malwares / Smitfraud-c

Status
Not open for further replies.
E

Enezarz

New member
Hello,
Need more expertise to get rid of pretty resistant one(s) !
I'm using Win2k with Firefox (AV is Norman, firewall is ZoneLabs) and each time I reboot the PC / connect to the web things like wacky32.exe appear on C:. Also on the Windows Control panel Winantivirus 2006 icon can not be removed (!).
Ran ad-aware and AVG, also smitfraud (found nothing after a successful run) and VundoFix.exe until lists have been cleared, but still spybot is finding the same list of elements.

:rolleyes: Thanks for the help and I hope the thread is fine

----
Here's the spybot report :


--- Search result list ---
Command Service: Réglages Autorun (Valeur du registre, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\newname

Smitfraud-C.: Réglages Autorun (wma34987) (Valeur du registre, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wma34987

Smitfraud-C.: Fichier de programme (Fichier, fixed)
C:\WINNT\system32\RUNDLL32.EXE

Smitfraud-C.: Réglages Autorun (defender) (Valeur du registre, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\defender

Microsoft.WindowsSecurityCenter.AntiVirusDisableNotify: Réglages (Modification du registre, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify!=dword:0

Microsoft.WindowsSecurityCenter.AntiVirusOverride: Réglages (Modification du registre, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride!=dword:0

Microsoft.WindowsSecurityCenter.FirewallDisabled: Réglages (Modification du registre, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windowsfirewall\domainprofile\enablefirewall!=dword:1

Microsoft.WindowsSecurityCenter.FirewallDisabled: Réglages (Modification du registre, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windowsfirewall\standardprofile\enablefirewall!=dword:1

Microsoft.WindowsSecurityCenter.FirewallDisableNotify: Réglages (Modification du registre, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify!=dword:0

Microsoft.WindowsSecurityCenter.FirewallOverride: Réglages (Modification du registre, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride!=dword:0

Microsoft.WindowsSecurityCenter.SP2Update: Réglages (Modification du registre, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotAllowXPSP2!=dword:0

Microsoft.WindowsSecurityCenter.UpdateDisableNotify: Réglages (Modification du registre, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify!=dword:0

Microsoft.WindowsSecurityCenter_disabled: Réglages (Modification du registre, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start!=W=2


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2005-05-31 Update.exe (1.4.0.0)
2006-10-08 unins000.exe (51.41.0.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-02-20 Tools.dll (2.0.0.2)
2006-02-06 advcheck.dll (1.0.2.0)
2006-10-13 Includes\Spybots.sbi (*)
2006-10-13 Includes\Trojans.sbi (*)
2006-10-13 Includes\Dialer.sbi (*)
2006-10-13 Includes\Security.sbi (*)
2006-10-13 Includes\Malware.sbi (*)
2006-10-13 Includes\Hijackers.sbi (*)
2006-10-27 Includes\Keyloggers.sbi (*)
2006-10-20 Includes\PUPS.sbi (*)
2006-10-27 Includes\Cookies.sbi (*)
2006-10-27 Includes\Revision.sbi (*)
2005-02-17 Includes\Tracks.uti
2006-10-27 Includes\TrojansC.sbi (*)
2006-10-27 Includes\SpybotsC.sbi (*)
2006-10-27 Includes\SecurityC.sbi (*)
2006-10-27 Includes\PUPSC.sbi (*)
2006-10-27 Includes\MalwareC.sbi (*)
2006-10-27 Includes\KeyloggersC.sbi (*)
2006-10-27 Includes\HijackersC.sbi (*)
2006-10-27 Includes\DialerC.sbi (*)



--- System information ---
Windows 2000 (Build: 2195) Service Pack 4
/ DataAccess: Microsoft Data Access Components KB870669
/ DataAccess: Security Update for Microsoft Data Access Components
/ DirectX / DX8.1 / SP1: Correctif pour DirectX 8.1 - KB839643
/ DirectX: DirectX Update 819696
... (cut as too lon)

--- Startup entries list ---
Located: HK_LM:Run, !AVG Anti-Spyware
command: "C:\Program Files\Finders\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
file: C:\Program Files\Finders\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
size: 6266880
MD5: 01d90ae5dccbce0c7b52874fec35a608

Located: HK_LM:Run, Anti-Virus Update Scheduler V1.39.12R
command: C:\WINNT\sysdat.exe
file:

Located: HK_LM:Run, defender
command: C:\\dfndrff_e26.exe
file:

Located: HK_LM:Run, HPDJ Taskbar Utility
command: C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
file: C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
size: 196608
MD5: 7c6b5065e7326e3c91a62800df3a31fa

Located: HK_LM:Run, NeroCheck
command: C:\WINNT\system32\NeroCheck.exe
file: C:\WINNT\system32\NeroCheck.exe
size: 155648
MD5: 3e4c03cefad8de135263236b61a49c90

Located: HK_LM:Run, newname
command: C:\\nwnmff_e26.exe
file:

Located: HK_LM:Run, Norman ZANDA
command: C:\Program Files\Norman\bin\ZLH.EXE /LOAD /SPLASH
file:

Located: HK_LM:Run, NvCplDaemon
command: RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
file: C:\WINNT\system32\RUNDLL32.EXE
size: 10000
MD5: 61cf5b74a4b5fe430f87e9259b7e4f60

Located: HK_LM:Run, nwiz
command: nwiz.exe /install
file: C:\WINNT\system32\nwiz.exe
size: 741376
MD5: a4ae9ba1e10cb9f6c0949c4db91a1f72

Located: HK_LM:Run, QuickTime Task
command: "C:\Program Files\QuickTime\qttask.exe" -atboottime
file: C:\Program Files\QuickTime\qttask.exe
size: 98304
MD5: 76a3a30b58405c2c6d833895253a51a9

Located: HK_LM:Run, Share-to-Web Namespace Daemon
command: C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
file: C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
size: 69632
MD5: 2f2bc80803f0638f6738e37f769e4bd0

Located: HK_LM:Run, Synchronization Manager
command: mobsync.exe /logon
file: C:\WINNT\system32\mobsync.exe
size: 111888
MD5: 25927f36c86159f0d55288f4fed12d93

Located: HK_LM:Run, wma34987
command: RUNDLL32.EXE w0181c50.dll,n 005349820000000a0181c50
file: C:\WINNT\system32\RUNDLL32.EXE
size: 10000
MD5: 61cf5b74a4b5fe430f87e9259b7e4f60

Located: HK_LM:Run, Zone Labs Client
command: C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
file: C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
size: 755480
MD5: b4e843ded6daf99aec3fbfe395e643c7

Located: HK_LM:RunServices, tetriz3
command: C:\WINNT\system32\tetriz3.exe
file:

Located: HK_CU:Run, internat.exe
command: internat.exe
file: C:\WINNT\system32\internat.exe
size: 20752
MD5: 406b12788886496bd299c3f9e5e310d0

Located: HK_CU:Run, Shell
command: "C:\Program Files\Fichiers communs\Microsoft Shared\Web Folders\ibm00005.exe"
file:

Located: HK_CU:Run, SpybotSD TeaTimer
command: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
file: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
size: 1415824
MD5: 70496eee0ddbe485f658693826f44d38

Located: HK_CU:Run, tetriz3
command: C:\WINNT\system32\tetriz3.exe
file:

Located: Démarrage (tous utilisateurs), Acrobat Assistant.lnk
command: C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
file: C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
size: 49254
MD5: 0e6e43d31ac16bcf682eb5f63178c492

Located: Démarrage (tous utilisateurs), hp psc 2000 Series.lnk
command: C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
file: C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
size: 323646
MD5: 1fd676dceec0288701445bc9acc61329

Located: Démarrage (tous utilisateurs), Nielsen NetRatings.lnk
command: C:\Program Files\NielsenNetratings\bin\insight.exe
file: C:\Program Files\NielsenNetratings\bin\insight.exe
size: 20480
MD5: b613f98929f988c8103463742272b72e

Located: System.ini, crypt32chain
command: crypt32.dll
file: crypt32.dll

Located: System.ini, cryptnet
command: cryptnet.dll
file: cryptnet.dll

Located: System.ini, cscdll
command: cscdll.dll
file: cscdll.dll

Located: System.ini, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll

Located: System.ini, SensLogn
command: WlNotify.dll
file: WlNotify.dll

Located: System.ini, wzcnotif
command: wzcdlg.dll
file: wzcdlg.dll
 
Hi Enezarz and welcome to Safer Networking Forums :)

You have some infections there...

Post a HijackThis log to here:
  • Please download HijackThis to your desktop -> HijackThis 1.99.1
  • Create a new folder named HijackThis to your desktop. Move Hijackthis.exe into that folder.
  • Run HijackThis.exe
  • Click on Do a system scan and save a logfile
  • Wait for the scan to end, a logfile will popup in a notepad document
  • Please copy that log and paste it to you thread
 
Thx for the quick answer but I forgot to tell HIJACK had been ran several times already... :lip:
Here it is :

Logfile of HijackThis v1.99.1
Scan saved at 20:55:53, on 27/10/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norman\Bin\Zanda.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\tcpsvcs.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Norman\bin\NJEEVES.EXE
C:\Program Files\Norman\Nvc\bin\nvcoas.exe
C:\Program Files\Norman\Nvc\BIN\NVCSCHED.EXE
C:\Program Files\Norman\Nvc\BIN\nipsvc.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Norman\bin\ZLH.EXE
C:\WINNT\System32\mdm.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINNT\system32\internat.exe
C:\Program Files\NielsenNetratings\bin\insight.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Norman\Nvc\BIN\NIP.EXE
C:\Program Files\Norman\Nvc\bin\cclaw.exe
C:\WINNT\system32\cidaemon.exe
C:\WINNT\system32\cidaemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\akascanner\Scanner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.free.fr/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8010
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = setup.msn.com;memberservices.msn.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (C:\Documents and Settings\Administrateur\Application Data\Mozilla\Profiles\default\b0hivv32.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Administrateur\Application Data\Mozilla\Profiles\default\b0hivv32.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\Program Files\Norman\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Finders\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Anti-Virus Update Scheduler V1.39.12R] C:\WINNT\sysdat.exe
O4 - HKLM\..\Run: [newname] C:\\nwnmff_e26.exe
O4 - HKLM\..\Run: [wma34987] RUNDLL32.EXE w0181c50.dll,n 005349820000000a0181c50
O4 - HKLM\..\Run: [defender] C:\\dfndrff_e26.exe
O4 - HKLM\..\RunServices: [tetriz3] C:\WINNT\system32\tetriz3.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Fichiers communs\Microsoft Shared\Web Folders\ibm00005.exe"
O4 - HKCU\..\Run: [tetriz3] C:\WINNT\system32\tetriz3.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Nielsen NetRatings.lnk = C:\Program Files\NielsenNetratings\bin\insight.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O14 - IERESET.INF: START_PAGE_URL=http://home.free.fr/
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Service d'administration du Gestionnaire de disque logique (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Windows Windows Sheduler (Microsoft Windows Scheduled Tasker) - Unknown owner - C:\WINNT\eiRecvr.exe (file missing)
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Program Files\Norman\Nvc\BIN\nipsvc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Program Files\Norman\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Program Files\Norman\Bin\Zanda.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Program Files\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\Program Files\Norman\Nvc\BIN\NVCSCHED.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: Microsoft SSL (ssl) - Unknown owner - C:\WINNT\system32\ssl.exe (file missing)
O23 - Service: Microsoft Windows TCPIP Protocol Driver (TCP IP Protocol Driver) - Unknown owner - C:\WINNT\tcpsvcs.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe
O23 - Service: wins(WINS) (wins) - Unknown owner - C:\WINNT\system32\winscntrl.exe (file missing)
 
Hi again, you got a nice collection infections there...

One or more of the identified infections is a backdoor trojan.
You also have a keystroke logger infection.

This allows hackers to remotely control your computer, steal critical system information and Download and Execute files

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

However, if you do not have the resources to reinstall your computer and would like me to attempt to clean it, I will be happy to do so.
Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post :bigthumb:
 
Enezarz said:
Thi PC has never been used for any financial or banking txns. So please go ahead for the clean-up. Thanks :cool:
Click to expand...

This PC has no sensitive information nor has been used for any financial txn. Thanks to help tring to eradicate the malwares. :red:
 
Hi again, I respect your decision to continue :)

You should print these instructions or save these to a text file. Follow these instructions carefully.

Open AVG Anti-Spyware
  • On the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update succesfull message.
  • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

Download ATF Cleaner by Atribune to your desktop.
Do NOT run yet.

Then, make your hidden files visible:
  • Go to My Computer
  • Select the Tools menu and click Folder Options
  • Click the View tab.
  • Checkmark the "Display the contents of system folders"
  • Under the Hidden files and folders select "Show hidden files and folders"
  • Uncheck "Hide protected operating system files"
  • Click Apply and then the OK and close My Computer.

Please download Brute Force Uninstaller to your desktop.
  • Right click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C: ) or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

Do not do anything with these yet!

Disable Spybot S&D Teatimer.
  • Run Spybot-S&D in Advanced Mode
  • If it is not already set to do this, go to the Mode menu select "Advanced Mode"
  • On the left hand side, click on Tools
  • Then click on the Resident icon in the list
  • Uncheck "Resident TeaTimer" and OK any prompts.
  • Restart your computer
==================

Download SDFix and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
  • In Safe Mode, right click the SDFix.zip folder and choose Extract All,
  • Open the extracted folder and double click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • Your system will take longer that normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Stop the following processes using Task Manager (press ctrl+alt+del, select the Processes tab, highlight the first process in the list and click End Process). Continue through the list (one at a time) until all processes have been ended. If something isn't found, please continue with the next process in the list.

tcpsvcs.exe

Disable bad services
  • Start
  • Run
  • Type services.msc to the field and press enter.
  • A window opens, scroll down to Microsoft Windows TCPIP Protocol Driver (TCP IP Protocol Driver)
  • Rightclick it and choose Stop
  • Then choose Properties
  • Set Startup to Disabled
  • Click Apply and OK.
  • Scroll down to Windows Windows Sheduler (Microsoft Windows Scheduled Tasker)
  • Rightclick it and choose Stop
  • Then choose Properties
  • Set Startup to Disabled
  • Click Apply and OK.
Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [Anti-Virus Update Scheduler V1.39.12R] C:\WINNT\sysdat.exe
O4 - HKLM\..\Run: [newname] C:\\nwnmff_e26.exe
O4 - HKLM\..\Run: [wma34987] RUNDLL32.EXE w0181c50.dll,n 005349820000000a0181c50
O4 - HKLM\..\Run: [defender] C:\\dfndrff_e26.exe
O4 - HKLM\..\RunServices: [tetriz3] C:\WINNT\system32\tetriz3.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Fichiers communs\Microsoft Shared\Web Folders\ibm00005.exe"
O4 - HKCU\..\Run: [tetriz3] C:\WINNT\system32\tetriz3.exe

Continue with HijackThis:
  • Config
  • Delete an NT service
  • Copy the following line to the box and press OK; TCP IP Protocol Driver
  • Answer Yes
  • Delete an NT service
  • Copy the following line to the box and press OK; Microsoft Windows Scheduled Tasker
  • Answer Yes
Restart your computer to the safe mode:
  • Restart your computer
  • Start tapping the F8 key when the computer restarts.
  • When the start menu opens, choose Safe mode
  • Press Enter. The computer then begins to start in Safe mode.

Go to the My Computer and delete the following files (if present): Be careful with the paths and names!
C:\WINNT\eiRecvr.exe
C:\WINNT\tcpsvcs.exe
C:\WINNT\sysdat.exe
C:\WINNT\system32\winscntrl.exe
C:\WINNT\system32\ssl.exe
C:\WINNT\system32\tetriz3.exe
C:\Program Files\Fichiers communs\Microsoft Shared\Web Folders\ibm00005.exe

Use the Windows search
  • Start
  • Search
  • All files and folders
  • More advanced options
Checkmark these options:
  • "Search system folders"
  • "Search hidden files and folders"
  • "Search subfolders"
  • Search for this and delete if found: w0181c50.dll
Then, please go to Start > My Computer and navigate to the C:\BFU folder.
  • Start the Brute Force Uninstaller by doubleclicking BFU.exe
  • Behind the scriptline to execute field click the folder icon
    foldericon.png
    and select alcanshorty.bfu
  • Press Execute and let the program do it’s job. (You ought to see a progress bar if you did this correctly.)
  • Wait for the complete script execution box to pop up and press OK.
  • Press exit to terminate the BFU program.
Run ATF Cleaner
  • Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
      scanavgjk2.jpg
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.

================

When you're ready, post the following logs to here:
- AVG's report
- a fresh HijackThis log
- Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt
 
Last edited:
Hi again,

I followed the whole process but bad news was unable to find the files of this section :
"Go to the My Computer and delete the following files (if present): Be careful with the paths and names!
C:\WINNT\eiRecvr.exe
C:\WINNT\tcpsvcs.exe
C:\WINNT\sysdat.exe
C:\WINNT\system32\winscntrl.exe
C:\WINNT\system32\ssl.exe
C:\WINNT\system32\tetriz3.exe
C:\Program Files\Fichiers communs\Microsoft Shared\Web Folders\ibm00005.exe"

And still I can see them on the HijackThis report :sick:
Please let me know any other steps to follow, or retry the same if needed.

Here's the AVG report :
---------------------------------------------------------
AVG Anti-Spyware - Rapport d'analyse
---------------------------------------------------------

+ Créé à: 19:29:26 28/10/2006

+ Résultat de l'analyse:



C:\akascanner\SDFix\backups\backups.zip/backups/loader[1].exe -> Downloader.VB.afl : Nettoyé et sauvegardé (mise en quarantaine).
:mozilla.12:C:\Documents and Settings\Administrateur\Application Data\Mozilla\Firefox\Profiles\6bt3wbkg.default\cookies-18.txt -> TrackingCookie.Com : Nettoyé.
:mozilla.12:C:\Documents and Settings\Administrateur\Application Data\Mozilla\Firefox\Profiles\6bt3wbkg.default\cookies-19.txt -> TrackingCookie.Com : Nettoyé.
:mozilla.12:C:\Documents and Settings\Administrateur\Application Data\Mozilla\Firefox\Profiles\6bt3wbkg.default\cookies-20.txt -> TrackingCookie.Com : Nettoyé.
:mozilla.12:C:\Documents and Settings\Administrateur\Application Data\Mozilla\Firefox\Profiles\6bt3wbkg.default\cookies-21.txt -> TrackingCookie.Com : Nettoyé.
:mozilla.12:C:\Documents and Settings\Administrateur\Application Data\Mozilla\Firefox\Profiles\6bt3wbkg.default\cookies-22.txt -> TrackingCookie.Com : Nettoyé.
:mozilla.24:C:\Documents and Settings\Administrateur\Application Data\Mozilla\Firefox\Profiles\6bt3wbkg.default\cookies-15.txt -> TrackingCookie.Com : Nettoyé.
:mozilla.24:C:\Documents and Settings\Administrateur\Application Data\Mozilla\Firefox\Profiles\6bt3wbkg.default\cookies-17.txt -> TrackingCookie.Com : Nettoyé.


Fin du rapport

The Hijackthis one :
Logfile of HijackThis v1.99.1
Scan saved at 19:34:49, on 28/10/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norman\Bin\Zanda.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Norman\bin\NJEEVES.EXE
C:\Program Files\Norman\Nvc\bin\nvcoas.exe
C:\Program Files\Norman\Nvc\BIN\NVCSCHED.EXE
C:\Program Files\Norman\Nvc\BIN\nipsvc.exe
C:\WINNT\System32\mdm.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Norman\bin\ZLH.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\NielsenNetratings\bin\insight.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Norman\Nvc\BIN\NIP.EXE
C:\Program Files\Norman\Nvc\bin\cclaw.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\akascanner\Scanner.exe
C:\Program Files\Norman\bin\niu.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.free.fr/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8010
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = setup.msn.com;memberservices.msn.com
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (C:\Documents and Settings\Administrateur\Application Data\Mozilla\Profiles\default\b0hivv32.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Administrateur\Application Data\Mozilla\Profiles\default\b0hivv32.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\Program Files\Norman\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Anti-Virus Update Scheduler V1.39.12R] C:\WINNT\sysdat.exe
O4 - HKLM\..\Run: [newname] C:\\nwnmff_e26.exe
O4 - HKLM\..\Run: [wma34987] RUNDLL32.EXE w0181c50.dll,n 005349820000000a0181c50
O4 - HKLM\..\Run: [defender] C:\\dfndrff_e26.exe
O4 - HKLM\..\RunServices: [tetriz3] C:\WINNT\system32\tetriz3.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Fichiers communs\Microsoft Shared\Web Folders\ibm00005.exe"
O4 - HKCU\..\Run: [tetriz3] C:\WINNT\system32\tetriz3.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Nielsen NetRatings.lnk = C:\Program Files\NielsenNetratings\bin\insight.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O14 - IERESET.INF: START_PAGE_URL=http://home.free.fr/
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Service d'administration du Gestionnaire de disque logique (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Program Files\Norman\Nvc\BIN\nipsvc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Program Files\Norman\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Program Files\Norman\Bin\Zanda.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Program Files\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\Program Files\Norman\Nvc\BIN\NVCSCHED.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe

And finally the SDFix report :
SDFix: Version 1.32
-------------------

Scan run on:
sam. 28/10/2006

Time:
14:34


Microsoft Windows 2000 [Version 5.00.2195]

Running from: C:\akascanner\SDFix

Stage One...

Checking Services...

Name:
-----

ssl
wins

Path:
----

C:\WINNT\system32\ssl.exe
"C:\WINNT\system32\winscntrl.exe"


ssl Deleted...
wins Deleted...

Repairing Registry...


Restoring Default Hosts File...

Stage One Complete

Rebooting...

Stage Two...

Checking For Malware:
--------------------

C:\DOCUME~1\DEFAUL~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\SH67K9CV\LOADER~1.EXE

Backing Up and Removing any Files Found...

Final Check:

Services:
---------


Files:
------


Any files removed are saved to the SDFix\backups Folder

FINISHED
 
Hi again, we'll continue :)

You should print these instructions or save these to a text file. Follow these instructions carefully.

Please download the Killbox.
Unzip it to the desktop but do NOT run it yet.

Download Dr.Web CureIt to the desktop -> ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
NOT run it yet.

==================

Restart your computer to the safe mode:
  • Restart your computer
  • Start tapping the F8 key when the computer restarts.
  • When the start menu opens, choose Safe mode
  • Press Enter. The computer then begins to start in Safe mode.
Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O4 - HKLM\..\Run: [Anti-Virus Update Scheduler V1.39.12R] C:\WINNT\sysdat.exe
O4 - HKLM\..\Run: [newname] C:\\nwnmff_e26.exe
O4 - HKLM\..\Run: [wma34987] RUNDLL32.EXE w0181c50.dll,n 005349820000000a0181c50
O4 - HKLM\..\Run: [defender] C:\\dfndrff_e26.exe
O4 - HKLM\..\RunServices: [tetriz3] C:\WINNT\system32\tetriz3.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Fichiers communs\Microsoft Shared\Web Folders\ibm00005.exe"
O4 - HKCU\..\Run: [tetriz3] C:\WINNT\system32\tetriz3.exe


Use the Windows search
  • Start
  • Search
  • All files and folders
  • More advanced options
Checkmark these options:
  • "Search system folders"
  • "Search hidden files and folders"
  • "Search subfolders"
  • Search for this and delete if found: w0181c50.dll
Please run Killbox.

Select "Delete on Reboot".
Select "All Files".

Copy the file names below to the clipboard by highlighting them and pressing Control-C:
C:\WINNT\eiRecvr.exe
C:\WINNT\tcpsvcs.exe
C:\WINNT\sysdat.exe
C:\WINNT\system32\tetriz3.exe
C:\Program Files\Fichiers communs\Microsoft Shared\Web Folders\ibm00005.exe
Click to expand...
Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

Restart to the safe mode again.

Run ATF Cleaner
  • Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Run a can with Dr.Web CureIt
  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, you should now mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click next icon next to the files found
    check.gif
  • If so, click it and then click the next icon right below and select Move incurable
  • After the scan, in the menu, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot the computer in Normal Mode,
  • Post the Cure-it report and a fresh HijackThis log
 
Hi,
In the meantime I followed once again the same process and found only one exe file : tcpsvcs.exe - then deleted it.
Will process as per your new instructions.
Thanks.
 
Hi again,

Sounds better from the last logs. :rolleyes:
Here's the Dr.Web report :
eraseme_38141.exe;C:\WINNT;Win32.HLLW.MyBot;Supprimé.;
ecRecvr.exe;C:\WINNT;Win32.HLLW.MyBot;Supprimé.;
atapi32.exe;C:\WINNT;Win32.HLLW.MyBot;Supprimé.;
pbifmvhk.exe;C:\WINNT\system32;Adware.SearchColours;Quarantaine.;

And the HijackThis one :
Logfile of HijackThis v1.99.1
Scan saved at 19:23:11, on 29/10/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norman\Bin\Zanda.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Norman\bin\NJEEVES.EXE
C:\Program Files\Norman\Nvc\bin\nvcoas.exe
C:\Program Files\Norman\Nvc\BIN\NVCSCHED.EXE
C:\Program Files\Norman\Nvc\BIN\nipsvc.exe
C:\WINNT\System32\mdm.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Norman\bin\ZLH.EXE
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Norman\Nvc\BIN\NIP.EXE
C:\Program Files\Norman\Nvc\bin\cclaw.exe
C:\Program Files\NielsenNetratings\bin\insight.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\akascanner\Scanner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.free.fr/search/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8010
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = setup.msn.com;memberservices.msn.com
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (C:\Documents and Settings\Administrateur\Application Data\Mozilla\Profiles\default\b0hivv32.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Administrateur\Application Data\Mozilla\Profiles\default\b0hivv32.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\Program Files\Norman\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Nielsen NetRatings.lnk = C:\Program Files\NielsenNetratings\bin\insight.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O14 - IERESET.INF: START_PAGE_URL=http://home.free.fr/
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Service d'administration du Gestionnaire de disque logique (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Program Files\Norman\Nvc\BIN\nipsvc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Program Files\Norman\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Program Files\Norman\Bin\Zanda.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Program Files\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\Program Files\Norman\Nvc\BIN\NVCSCHED.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe

All known for me excepted the nvsvc32.exe... Any next action to suggest ?
Thx and regards
 
Hi again, it is looking good from here :)
How is the pc running ?

You mentioned that you had a winantivirus icon in your Control Panel. I assume that it is still there. We'll remove it...

Please run a scan with WinPFind 1.4.1, instructions -> here

Post the WinPFind log to here when you're ready :bigthumb:
 
Hello,
Sorry for the delay. As said the PC looks fine, but I also removed manually a wack32.exe file remaining on root C: (not sure why any of the tools did not remove it) and it has not reappeared this time. All the scans are fine (spybot & Co.).
And you bet, the winantivirus icon is still there.
Will process as per your instructions.
C U :bigthumb:
 
:rolleyes: Here's the report :

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows sometimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Logfile created on: 31/10/2006 10:58:05
WinPFind v1.5.0 Folder = C:\WinPFfind\WinPFind\
Microsoft Windows 2000 Service Pack 4 (Version = 5.0.2195)
Internet Explorer (Version = 6.0.2800.1106)

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
UPX! 11/10/2006 11:07:58 88576 C:\VundoFix.exe (Atribune.org)

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
UPX! 19/02/2002 12:38:18 168960 C:\WINNT\SYSTEM32\dvdaudio.ax ()
winsync 02/08/2002 1309184 C:\WINNT\SYSTEM32\wbdbase.deu ()
UPX! 17/06/1998 01:00:00 138752 C:\WINNT\SYSTEM32\MSVCRTD.DLL (Microsoft Corporation)
PECompact2 11/09/2006 19:37:22 8960936 C:\WINNT\SYSTEM32\MRT.exe (Microsoft Corporation)
aspack 11/09/2006 19:37:22 8960936 C:\WINNT\SYSTEM32\MRT.exe (Microsoft Corporation)
Umonitor 03/06/2005 12:30:56 555792 C:\WINNT\SYSTEM32\RASDLG.DLL (Microsoft Corporation)
WSUD 19/06/2003 21:05:04 1011764 C:\WINNT\SYSTEM32\mfc42u.dll (Microsoft Corporation)
UPX! 24/11/2001 19:31:48 65536 C:\WINNT\SYSTEM32\FraunhoferAudio.ax (Fraunhofer)
UPX! 24/11/2001 19:28:14 86528 C:\WINNT\SYSTEM32\FraunhoferVideo.ax (Fraunhofer)

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINNT\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
30/10/2006 00:15:24 H 554984 C:\WINNT\ShellIconCache ()
24/10/2006 23:35:10 H 4212 C:\WINNT\system32\zllictbl.dat ()
22/10/2006 23:58:14 HS 423708 C:\WINNT\system32\rsvyb.ini2 ()
31/10/2006 10:43:08 H 6 C:\WINNT\Tasks\SA.DAT ()
31/10/2006 10:43:22 S 64 C:\WINNT\CSC\00000001 ()
28/10/2006 09:00:26 S 64 C:\WINNT\CSC\csc1.tmp ()
29/10/2006 10:19:50 S 64 C:\WINNT\CSC\00000002 ()

Checking for CPL files...
19/06/2003 21:05:04 304912 C:\WINNT\SYSTEM32\appwiz.cpl (Microsoft Corporation)
15/04/2004 16:28:56 324608 C:\WINNT\SYSTEM32\QuickTime.cpl (Apple Computer, Inc.)
02/08/2002 32528 C:\WINNT\SYSTEM32\fax.cpl (Microsoft Corporation)
02/08/2002 131856 C:\WINNT\SYSTEM32\hdwwiz.cpl (Microsoft Corporation)
02/08/2002 122128 C:\WINNT\SYSTEM32\intl.cpl (Microsoft Corporation)
02/08/2002 36624 C:\WINNT\SYSTEM32\irprops.cpl (Microsoft Corporation)
02/08/2002 123664 C:\WINNT\SYSTEM32\main.cpl (Microsoft Corporation)
02/08/2002 310032 C:\WINNT\SYSTEM32\mmsys.cpl (Microsoft Corporation)
02/08/2002 17168 C:\WINNT\SYSTEM32\ncpa.cpl (Microsoft Corporation)
02/08/2002 42256 C:\WINNT\SYSTEM32\nwc.cpl (Microsoft Corporation)
02/08/2002 6416 C:\WINNT\SYSTEM32\telephon.cpl (Microsoft Corporation)
02/08/2002 61200 C:\WINNT\SYSTEM32\timedate.cpl (Microsoft Corporation)
03/06/2005 12:31:08 66832 C:\WINNT\SYSTEM32\msmq.cpl (Microsoft Corporation)
19/06/2003 21:05:04 245008 C:\WINNT\SYSTEM32\DESK.CPL (Microsoft Corporation)
30/08/2002 18:24:06 293376 C:\WINNT\SYSTEM32\inetcpl.cpl (Microsoft Corporation)
19/06/2003 21:05:04 41232 C:\WINNT\SYSTEM32\odbccp32.cpl (Microsoft Corporation)
19/06/2003 21:05:04 94480 C:\WINNT\SYSTEM32\powercfg.cpl (Microsoft Corporation)
06/10/2003 14:16:00 73728 C:\WINNT\SYSTEM32\nvtuicpl.cpl (NVIDIA Corporation)
19/06/2003 21:05:04 131344 C:\WINNT\SYSTEM32\SYSDM.CPL (Microsoft Corporation)
02/08/2002 02:00:00 70416 C:\WINNT\SYSTEM32\access.cpl (Microsoft Corporation)
01/05/2002 18:51:36 77824 C:\WINNT\SYSTEM32\joy.cpl (Microsoft Corporation)
16/12/2005 16:45:44 69632 C:\WINNT\SYSTEM32\av.cpl ()
26/05/2005 04:16:32 175896 C:\WINNT\SYSTEM32\wuaucpl.cpl (Microsoft Corporation)
19/06/2003 21:05:04 84240 C:\WINNT\SYSTEM32\sticpl.cpl (Microsoft Corporation)
26/05/2005 04:16:32 175896 C:\WINNT\SYSTEM32\dllcache\wuaucpl.cpl (Microsoft Corporation)
03/06/2005 12:31:08 66832 C:\WINNT\SYSTEM32\dllcache\msmq.cpl (Microsoft Corporation)
02/08/2002 42256 C:\WINNT\SYSTEM32\dllcache\nwc.cpl (Microsoft Corporation)
07/10/1999 00:46:10 94208 C:\WINNT\SYSTEM32\dllcache\mwcpa32.cpl (IBM Corporation)
30/08/2002 18:24:06 293376 C:\WINNT\SYSTEM32\dllcache\inetcpl.cpl (Microsoft Corporation)
20/03/2003 20:13:00 139264 C:\WINNT\SYSTEM32\ReinstallBackups\PCI#VEN_10DE&DEV_0110&SUBSYS_00000000&REV_A1#4&9AEDED5&0&0008\0000\DriverFiles\nvtuicpl.cpl (NVIDIA Corporation)

Checking for Downloaded Program Files...
{166B1BCA-3F9C-11CF-8075-444553540000} - Shockwave ActiveX Control - CodeBase = http://fpdownload.macromedia.com/pub/shockwave/cabs/director/swdir.cab
{9F1C11AA-197B-4942-BA54-47A8489BB47F} - - CodeBase = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38089.4947569444
{D27CDB6E-AE6D-11CF-96B8-444553540000} - Shockwave Flash Object - CodeBase = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DirectAnimation Java Classes - - CodeBase = file://C:\WINNT\Java\classes\dajava.cab
Microsoft XML Parser for Java - - CodeBase = file://C:\WINNT\Java\classes\xmldso.cab

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
29/10/2006 10:20:14 646 C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage\Acrobat Assistant.lnk ()
29/10/2006 10:20:12 575 C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage\hp psc 2000 Series.lnk ()
29/10/2006 10:20:14 542 C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage\Nielsen NetRatings.lnk ()

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...

Checking files in %USERPROFILE%\Application Data folder...
05/10/2006 21:49:46 706 C:\Documents and Settings\Administrateur\Application Data\update.log ()

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

>>> Internet Explorer Settings <<<


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
\\Start Page - http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
\\Search Page - http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
\\Default_Page_URL - http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
\\Default_Search_URL - http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
\\Local Page - C:\WINNT\SYSTEM32\blank.htm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
\\Start Page - http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
\\Search Bar - http://www.free.fr/search/
\\Search Page - http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
\\Default_Search_URL - http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
\\Local Page - C:\WINNT\SYSTEM32\blank.htm

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
\\CustomizeSearch - http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
\\SearchAssistant - http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm


[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
\\{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Microsoft Url Search Hook = %SystemRoot%\system32\shdocvw.dll (Microsoft Corporation)

>>> BHO's <<<
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx ()
\{53707962-6F74-2D53-2644-206D7942484F} - = C:\PROGRA~1\SPYBOT~1\SDHelper.dll (Safer Networking Limited)

>>> Internet Explorer Bars, Toolbars and Extensions <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
\{4D5C8C25-D075-11d0-B416-00C04FB90376} - &Astuce du jour = %SystemRoot%\system32\shdocvw.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
\{32683183-48a0-441b-a342-7c2a440a9478} - Media Band = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1} - Contrôle ActiveX File and Folders Search = C:\WINNT\system32\shell32.dll (Microsoft Corporation)
\{EFA24E61-B078-11D0-89E4-00C04FC9E26E} - Favorites Band = %SystemRoot%\system32\shdocvw.dll (Microsoft Corporation)
\{EFA24E62-B078-11D0-89E4-00C04FC9E26E} - History Band = %SystemRoot%\system32\shdocvw.dll (Microsoft Corporation)
\{EFA24E64-B078-11D0-89E4-00C04FC9E26E} - Explorer Band = %SystemRoot%\system32\shdocvw.dll (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
\\{8E718888-423F-11D2-876E-00A0C9082467} - &Radio = C:\WINNT\system32\msdxm.ocx (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
\ShellBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Adresse = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
\WebBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Adresse = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
\WebBrowser\\{0E5CBF21-D15F-11D0-8301-00AA005B4383} - &Liens = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\CmdMapping]
\\NEXTID - 8193

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]

>>> Approved Shell Extensions (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
\\{42071714-76d4-11d1-8b24-00a0c9068ff3} - Extension Affichage Panorama du Panneau de configuration = deskpan.dll ()
\\{764BF0E1-F219-11ce-972D-00AA00A14F56} - Extensions de l'interpréteur de commandes pour la compression de fichiers = ()
\\{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} - Menu contextuel de cryptage = ()
\\{88895560-9AA2-1069-930E-00AA0030EBC8} - HyperTerminal Icon Ext = C:\WINNT\System32\hticons.dll (Hilgraeve, Inc.)
\\{1CDB2949-8F65-4355-8456-263E7C208A5D} - Desktop Explorer = C:\WINNT\System32\nvshell.dll (NVIDIA Corporation)
\\{1E9B04FB-F9E5-4718-997B-B8DA88302A47} - Desktop Explorer Menu = C:\WINNT\System32\nvshell.dll (NVIDIA Corporation)
\\{A4DF5659-0801-4A60-9607-1C48695EFDA9} - Dossier de téléchargement Share-to-Web = C:\Program Files\Hewlett-Packard\HP Share-to-Web\HPGS2WNS.DLL (Hewlett-Packard)
\\{5a61f7a0-cde1-11cf-9113-00aa00425c62} - IIS Shell Extention = ()

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
\\{BDEADF00-C265-11d0-BCED-00A0C90AB50F} - = C:\PROGRA~1\FICHIE~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL ()


>>> Context Menu Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers]
\AVG Anti-Spyware - {8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll (Anti-Malware Development a.s.)
\NVC - {D5507020-DB45-11d1-A5F0-00600872F78D} = C:\Program Files\Norman\Nvc\BIN\NVCSE.DLL (Norman Data Defense Systems)
\PowerArchiver - {d03d3e68-0c44-3d45-b15f-bcfd8a8b4c7e} = C:\Program Files\PowerArchiver\PASHLEXT.DLL (eFront Media, Inc.)
\ShellExtension - = ()

[HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers]

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\shellex\ContextMenuHandlers]
\AVG Anti-Spyware - {8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll (Anti-Malware Development a.s.)
\NVC - {D5507020-DB45-11d1-A5F0-00600872F78D} = C:\Program Files\Norman\Nvc\BIN\NVCSE.DLL (Norman Data Defense Systems)
\ShellExtension - = ()

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\BackGround\shellex\ContextMenuHandlers]

[HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers]
\NVC - {D5507020-DB45-11d1-A5F0-00600872F78D} = C:\Program Files\Norman\Nvc\BIN\NVCSE.DLL (Norman Data Defense Systems)
\PowerArchiver - {d03d3e68-0c44-3d45-b15f-bcfd8a8b4c7e} = C:\Program Files\PowerArchiver\PASHLEXT.DLL (eFront Media, Inc.)

>>> Column Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]

>>> Registry Run Keys <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Synchronization Manager - C:\WINNT\SYSTEM32\mobsync.exe (Microsoft Corporation)
NeroCheck - C:\WINNT\system32\NeroCheck.exe (Ahead Software Gmbh)
NvCplDaemon - RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll ()
nwiz - C:\WINNT\SYSTEM32\nwiz.exe (NVIDIA Corporation)
Share-to-Web Namespace Daemon - C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe (Hewlett-Packard)
Norman ZANDA - C:\Program Files\Norman\bin\ZLH.EXE ()
HPDJ Taskbar Utility - C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe (HP)
Zone Labs Client - C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe (Zone Labs, LLC)
QuickTime Task - C:\Program Files\QuickTime\qttask.exe (Apple Computer, Inc.)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
internat.exe - C:\WINNT\SYSTEM32\internat.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

>>> Startup Links <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\Common Startup]
C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage\Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe (Adobe Systems Inc.)
C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage\hp psc 2000 Series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe (Hewlett-Packard Co.)
C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage\Nielsen NetRatings.lnk - C:\Program Files\NielsenNetratings\bin\insight.exe (NetRatings, Inc.)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\Startup]

>>> MSConfig Disabled Items <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[All Users Startup Folder Disabled Items]

[Current User Startup Folder Disabled Items]

>>> User Agent Post Platform <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

>>> AppInit Dll's <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs]

>>> Image File Execution Options <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
\Your Image File Name Here without a path - Debugger = ntsd -d

>>> Shell Service Object Delay Load <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
\\Network.ConnectionTray - {7007ACCF-3202-11D1-AAD2-00805FC1270E} = C:\WINNT\system32\NETSHELL.dll (Microsoft Corporation)
\\WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = WebCheck.dll (Microsoft Corporation)
\\SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} = stobject.dll (Microsoft Corporation)

>>> Shell Execute Hooks <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} - URL Exec Hook = shell32.dll (Microsoft Corporation)
\\{57B86673-276A-48B2-BAE7-C6DBB3020EB8} - CShellExecuteHookImpl Object = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll (Anti-Malware Development a.s.)
\\{7D00738B-6974-4794-98D4-DE79A07ECD81} - = ()

>>> Shared Task Scheduler <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
\\{438755C2-A8BA-11D1-B96B-00A0C90312E1} - Pré-chargeur Browseui = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
\\{8C7461EF-2B13-11d2-BE35-3078302C2030} - Démon de cache des catégories de composant = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)

>>> Winlogon <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
\\UserInit = C:\WINNT\system32\userinit.exe,
\\Shell = Explorer.exe
\\System =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
\crypt32chain - crypt32.dll = (Microsoft Corporation)
\cryptnet - cryptnet.dll = (Microsoft Corporation)
\cscdll - cscdll.dll = (Microsoft Corporation)
\sclgntfy - sclgntfy.dll = (Microsoft Corporation)
\SensLogn - WlNotify.dll = (Microsoft Corporation)
\wzcnotif - wzcdlg.dll = (Microsoft Corporation)


>>> DNS Name Servers <<<
{2DC3DB85-9B76-4CD3-91C4-0928958B564A} - ()

...
 
>>> All Winsock2 Catalogs <<<
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries]
\000000000001\\LibraryPath - %SystemRoot%\System32\rnr20.dll (Microsoft Corporation)
\000000000002\\LibraryPath - %SystemRoot%\System32\winrnr.dll (Microsoft Corporation)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries]
\000000000001\\PackedCatalogItem - %SystemRoot%\system32\msafd.dll (Microsoft Corporation)
\000000000002\\PackedCatalogItem - %SystemRoot%\system32\msafd.dll (Microsoft Corporation)
\000000000003\\PackedCatalogItem - %SystemRoot%\system32\msafd.dll (Microsoft Corporation)
\000000000004\\PackedCatalogItem - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation)
\000000000005\\PackedCatalogItem - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation)
\000000000006\\PackedCatalogItem - %SystemRoot%\system32\msafd.dll (Microsoft Corporation)
\000000000007\\PackedCatalogItem - %SystemRoot%\system32\msafd.dll (Microsoft Corporation)
\000000000008\\PackedCatalogItem - %SystemRoot%\system32\msafd.dll (Microsoft Corporation)
\000000000009\\PackedCatalogItem - %SystemRoot%\system32\msafd.dll (Microsoft Corporation)
\000000000010\\PackedCatalogItem - %SystemRoot%\system32\msafd.dll (Microsoft Corporation)
\000000000011\\PackedCatalogItem - %SystemRoot%\system32\msafd.dll (Microsoft Corporation)
\000000000012\\PackedCatalogItem - %SystemRoot%\system32\msafd.dll (Microsoft Corporation)
\000000000013\\PackedCatalogItem - %SystemRoot%\system32\msafd.dll (Microsoft Corporation)
\000000000014\\PackedCatalogItem - %SystemRoot%\system32\msafd.dll (Microsoft Corporation)
\000000000015\\PackedCatalogItem - %SystemRoot%\system32\msafd.dll (Microsoft Corporation)

>>> Protocol Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler]
\ipp - ()
\msdaipp - ()

>>> Protocol Filters (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter]

>>> Selected AddOn's <<<


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
 
Hi again :)

You should print these instructions or save these to a text file. Follow these instructions carefully.

Open HijackThis.
  • Open the Misc Tools section
  • Delete a file on Reboot
  • Copy the following line to the "Filename" box and press Open; C:\WINNT\system32\rsvyb.ini2
  • Answer NO to the Reboot prompt.
  • Press Delete a file on Reboot again.
  • Copy the following line to the "Filename" box and press Open; C:\WINNT\SYSTEM32\av.cpl
  • Answer YES to the Reboot prompt.
  • The computer will reboot, if not , reboot it yourself

When the computer has restarted, check the Control Panel. The winantivirus entry should be gone.
¨
Post a one more HijackThis log :bigthumb:
 
Hi again,
Sounds good as the icon is no more shown on the control panel :present:
Here's the HiJackThis report :

Logfile of HijackThis v1.99.1
Scan saved at 17:09:19, on 31/10/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norman\Bin\Zanda.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Norman\Nvc\bin\nvcoas.exe
C:\Program Files\Norman\Nvc\BIN\NVCSCHED.EXE
C:\Program Files\Norman\bin\NJEEVES.EXE
C:\Program Files\Norman\Nvc\BIN\nipsvc.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINNT\System32\mdm.exe
C:\Program Files\Norman\bin\ZLH.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\internat.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\NielsenNetratings\bin\insight.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Norman\Nvc\BIN\NIP.EXE
C:\Program Files\Norman\Nvc\bin\cclaw.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\akascanner\Scanner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.free.fr/search/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8010
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = setup.msn.com;memberservices.msn.com
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (C:\Documents and Settings\Administrateur\Application Data\Mozilla\Profiles\default\b0hivv32.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Administrateur\Application Data\Mozilla\Profiles\default\b0hivv32.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\Program Files\Norman\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Nielsen NetRatings.lnk = C:\Program Files\NielsenNetratings\bin\insight.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O14 - IERESET.INF: START_PAGE_URL=http://home.free.fr/
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Service d'administration du Gestionnaire de disque logique (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Program Files\Norman\Nvc\BIN\nipsvc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Program Files\Norman\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Program Files\Norman\Bin\Zanda.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Program Files\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\Program Files\Norman\Nvc\BIN\NVCSCHED.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe
 
Hi again, it is looking clean now :)

Now you can clean AVG's Quarantine:
  • Open AVG Anti-Spyware
  • Click Infections
  • Click Quarantine tab
  • Click Select all
  • Click Remove finally
  • Close the program
You can remove VundoFix.

Now you can make your hidden files hidden again.
  • Go to My Computer
  • Select the Tools menu and click Folder Options
  • Click the View tab.
  • Checkmark the "Display the contents of system folders"
  • Under the Hidden files and folders select "Show hidden files and folders"
  • Check "Hide protected operating system files"
  • Click Apply and then the OK and close My Computer.

=============

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Clear your system restore
    This will clear the system restore folders from possible malware that was left behind during the cleaning process.
  • Use ATF Cleaner
    Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.
  • Use Ad-Aware
    Download and install Ad-Aware. Update it and scan your computer regularly with it.
  • Use AVG Anti-Spyware
    Update it and scan your computer regularly with it.
  • Use Spybot S&D
    Download and install Spybot S&D. Update it and scan your computer regularly with it.
  • Install SpywareBlaster
    SpywareBlaster will prevent spyware from being installed.
  • Install MVPS Hosts file
    This prevents your computer from connecting to harmful sites.
  • Use Firefox browser
    Firefox is faster, safer and better browser than Internet Explorer.
  • Keep your systen up-to-date
    Visit Windows Update regularly.
  • Keep your antivirus and firewall up-to-date
    Scan your computer regularly with your antivirus.
  • Read this article by TonyKlein
    So how did I get infected in the first place?
  • Stand Up and Be Counted !
    The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Stay clean and be safe ;)
 
Status
Not open for further replies.
Back
Top