CWS continuously comes back after cleaning

Discussion in 'adware, spyware & hijack cleaning' started by tyfris, Apr 28, 2004.

  1. tyfris

    tyfris Guest

    hello !

    I have the following problems, can someone help me ?
    (1) I am regularly under CWS attack. SG blocks them, but I have to click on "remove BHO" etc. I tried Adaware, Spybot and PestPatrol without success. They remove items, but they come back later (even if I don't visit "suspect" websites). I tried CWShredder today, same results.
    (2) Someone suggested it may be related (?): after I download the new SpywareBlaster 3.1, I get a message: "This program has been damaged, possibly by a bad sector of the hard drive or a virus. Please reinstall it." I cannot get it right, even after deleting the old version and files.
    Here is my log, after Adaware and CWShredder cleaning.
    Thank you for helping! (English is not my mother language, so please take it into account.)

    Logfile of HijackThis v1.97.7
    Scan saved at 17:11:05, on 28/04/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
    C:\PROGRA~1\NavNT\vptray.exe
    C:\WINNT\system32\pong.exe
    C:\PROGRA~1\PESTPA~1\PPControl.exe
    C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    C:\WINNT\system32\internat.exe
    C:\docume~1\(my name)\applic~1\services.exe
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\MRU-Blaster\scheduler.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Documents and Settings\(My Name)\Bureau\VDL\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.int-evry.fr/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.int-evry.fr/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
    N1 - Netscape 4: user_pref("browser.startup.homepage", "www.int-evry.fr"); (C:\Program Files\Netscape\Users\default\prefs.js)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
    O4 - HKLM\..\Run: [JQXE] C:\WINNT\JQXE.exe
    O4 - HKLM\..\Run: [DKR] C:\WINNT\DKR.exe
    O4 - HKLM\..\Run: [Online Special] C:\WINNT\swchost.exe
    O4 - HKLM\..\Run: [pong.exe] pong.exe
    O4 - HKLM\..\Run: [Systems Restart] C:\WINNT\slchost.exe
    O4 - HKLM\..\Run: [System Restore] C:\WINNT\svahost.exe
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
    O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKLM\..\Run: [GNUBIP] C:\WINNT\GNUBIP.exe
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [lwtmdcz] C:\WINNT\lwtmdcz.exe
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [ieupdate] C:\WINNT\system32\dvx.exe
    O4 - HKCU\..\Run: [DivXupDaTe.exe] C:\WINNT\system32\winagent32.exe
    O4 - HKCU\..\Run: [System Update] c:\docume~1\(my name)\applic~1\services.exe
    O4 - HKLM\..\RunOnce: [MRUBlaster] C:\Program Files\MRU-Blaster\indexcleaner.exe -CC
    O4 - Startup: MRU-Blaster Scheduler.lnk = C:\Program Files\MRU-Blaster\scheduler.exe
    O4 - Startup: MRU-Blaster Silent Clean.lnk = C:\Program Files\MRU-Blaster\mrublaster.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Démarrage d'Office.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: Microsoft Recherche accélérée.lnk = C:\Program Files\Microsoft Office\Office\Findfast.exe
    O4 - Global Startup: MS Office - Démarrage accéléré.lnk = C:\MSOffice\Office\FASTBOOT.EXE
    O12 - Plugin for .int/comm/eurostat/Public/datashop/print-product/EN?catalogue=Eurostat&product=KS-NP-02-012-__-N-EN&mode=download: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O12 - Plugin for .mid: C:\PROGRA~1\Netscape\COMMUN~1\Program\PLUGINS\npaudio.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {638AF6A2-81A1-4655-9FFA-9FC09CDE22CF} (CScanner Object) - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {768D513A-C75B-4FAA-8452-E906CDAB6545} (FVLiteLoad Class) - http://flipviewer.com/exe//fvlite/fvliteY.cab
    O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.euro.dell.com/global/apps/systemprofiler/PROFILER.CAB
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37830.2910532407
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = int-evry.fr
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = int-evry.fr
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = int-evry.fr
     
  2. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    To see if we can prevent the CWS hijackers reinfecting you, try this:
    A workaround seems to be to install a good firewall (lists here http://www.wilders.org/firewalls.htm) if you haven't already got one, and block these ranges of ports, both incoming and outgoing: 209.66.114.0-209.66.115.255 and 81.211.105.0-81.211.105.255.
    That stops the known CWS servers responding or the hidden files on your computer updating. This works sometimes but not always, but it's a help. The problem with this approach is that some good sites might also be blocked.
    Then when we have a guaranteed working cure for it we can advise how to fully remove it.

    Now copy all these files and zip them and send to submit@thespykiller.co.uk

    Please include a short note referring to this post.

    First download CWshredder from https://www.wilderssecurity.com/showthread.php?t=14086

    Boot into safe mode by following the instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
    Then, as some of the files or folders you need to delete may be hidden, do this:
    Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"

    Run HijackThis, tick the entries listed below and ONLY these entries, double-check to make sure, then make sure all browser & email windows are closed and press "Fix checked".


    O4 - HKLM\..\Run: [JQXE] C:\WINNT\JQXE.exe
    O4 - HKLM\..\Run: [DKR] C:\WINNT\DKR.exe
    O4 - HKLM\..\Run: [Online Special] C:\WINNT\swchost.exe
    O4 - HKLM\..\Run: [pong.exe] pong.exe
    O4 - HKLM\..\Run: [Systems Restart] C:\WINNT\slchost.exe
    O4 - HKLM\..\Run: [System Restore] C:\WINNT\svahost.exe
    O4 - HKLM\..\Run: [GNUBIP] C:\WINNT\GNUBIP.exe
    O4 - HKLM\..\Run: [lwtmdcz] C:\WINNT\lwtmdcz.exe
    O4 - HKCU\..\Run: [ieupdate] C:\WINNT\system32\dvx.exe
    O4 - HKCU\..\Run: [DivXupDaTe.exe] C:\WINNT\system32\winagent32.exe
    O4 - HKCU\..\Run: [System Update] c:\docume~1\(my name)\applic~1\services.exe

    Delete these files

    C:\WINNT\system32\pong.exe
    C:\WINNT\JQXE.exe
    C:\WINNT\DKR.exe
    C:\WINNT\swchost.exe
    C:\WINNT\slchost.exe
    C:\WINNT\svahost.exe
    C:\WINNT\GNUBIP.exe
    C:\WINNT\lwtmdcz.exe
    C:\WINNT\system32\dvx.exe
    c:\document and settings\(my name)\application data\services.exe
    C:\WINNT\system32\winagent32.exe


    Now run CWShredder
    Close all browser windows, click on cwshredder.exe, then click "FIX" (not "Scan only") and let it do its thing.


    Reboot after running CWShredder and as soon as possible follow this advice:
    Now as CWS hijacks are normally installed via the byte verifier exploit in M$ JavaVM, just surfing a page with an infected applet can install it with no user participation. So once you've run the above, it is vital that you go here, click "Scan for updates" in the main frame, and download and install all CRITICAL updates recommended.

    then
    Reboot normally & post a new hijackthis log where the O4 entry for jushed32.exe will appear so we can remove it



    Download and unzip or install these programs/applications if you haven't already got them. If you have them, then make sure they are updated and configured as described

    Spybot - Search & Destroy from http://security.kolla.de
    AdAware 6 from http://www.lavasoft.de/support/download


    Run Spybot S&D

    After installing, first press Online, press search for updates, then tick the updates it finds, then press download updates. Beside the download button is a little down pointed arrow, select one of the servers listed. If it doesn't work or you get an error message then try a different server

    Next, close all Internet Explorer and OE windows, press 'Check for Problems', and have SpyBot remove all it finds that is marked in RED.

    then reboot &

    Run ADAWARE

    Before you scan with AdAware, check for updates of the reference file by using the "webupdate".
    The current ref file should read at least 01R300 28.04.2004 or a higher number/later date.

    Then ........

    Make sure the following settings are made and on -------"ON=GREEN"
    From main window :Click "Start" then " Activate in-depth scan"

    then......

    click "Use custom scanning options>Customize" and have these options on: "Scan within archives" ,"Scan active processes","Scan registry", "Deep scan registry" ,"Scan my IE Favorites for banned URL" and "Scan my host-files"

    then.........

    go to settings(the gear on top of AdAware)>Tweak>Scanning engine and tick "Unload recognized processes during scanning" ...........then........"Cleaning engine" and "Let windows remove files in use at next reboot"

    then...... click "proceed" to save your settings.

    Now to scan it's just to click the "Scan" button.

    When the scan is finished, mark everything for removal and get rid of it (right-click the window and choose "select all" from the drop-down menu), then press next and say yes to the prompt "do you want to remove all these entries".

    reboot again

    then post a new hijackthis log to check what is left
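An added example, not code from the thread or from HijackThis, that does in a few lines what this procedure does by eye: it parses the R/N/O entries of a HijackThis v1.97 log, flags O4 autostart entries with the traits the loaders above share (dropped in the C:\WINNT root, svchost look-alike names, started from the profile's Application Data folder, consonant-only junk names), and diffs two logs so that entries which return after a clean-up stand out. The two log excerpts are constructed from the logs posted in this thread; the CORE_NAMES list and the heuristics are my own assumptions.

```python
"""Reading HijackThis v1.97 logs like the ones posted in this thread.

Added example, not code from the thread or from HijackThis. The log excerpts
below are constructed from the thread's logs; CORE_NAMES is an assumed list.
"""
import re
from difflib import SequenceMatcher

# Constructed excerpt of the first log posted in the thread (before the fix).
LOG_BEFORE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.int-evry.fr/
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [JQXE] C:\WINNT\JQXE.exe
O4 - HKLM\..\Run: [Online Special] C:\WINNT\swchost.exe
O4 - HKLM\..\Run: [pong.exe] pong.exe
O4 - HKLM\..\Run: [System Restore] C:\WINNT\svahost.exe
O4 - HKCU\..\Run: [System Update] c:\docume~1\(my name)\applic~1\services.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
"""

# Constructed excerpt of the third log (after clean-up, once the hijack returned).
LOG_AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.int-evry.fr/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\mjbn.dll/sp.html (obfuscated)
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r"^(?P<key>HK\w+\\\.\.\\\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
LNK_RE = re.compile(r"^(?P<key>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.+)$")
# Core Windows process names that hijacker loaders imitate (assumed list).
CORE_NAMES = ("svchost", "services", "lsass", "winlogon", "csrss", "explorer")


def parse_log(text):
    """Return the log's R/N/O lines as (section, body) tuples, in file order."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def parse_o4(body):
    """Split an O4 body into (key, label, command); None if its shape is unknown."""
    m = RUN_RE.match(body) or LNK_RE.match(body)
    return (m.group("key"), m.group("name"), m.group("cmd")) if m else None


def exe_path(cmd):
    """Executable part of an autostart command, quotes and arguments stripped."""
    m = re.match(r'^"?(?P<exe>.*?\.exe)', cmd, re.IGNORECASE)
    return m.group("exe") if m else cmd.strip()


def suspicious_reasons(cmd):
    """Traits shared by the loaders in this thread; an empty list means none seen."""
    lower = exe_path(cmd).lower()
    base = re.sub(r"\.exe$", "", lower.rsplit("\\", 1)[-1])
    reasons = []
    # Dropped straight into C:\WINNT (or C:\Windows) rather than a subfolder.
    if re.fullmatch(r"[a-z]:\\win(nt|dows)\\[^\\]+", lower):
        reasons.append("executable sits in the Windows directory root")
    # A near-miss of a core process name, or the real name run from the wrong place.
    for core in CORE_NAMES:
        if base != core and SequenceMatcher(None, base, core).ratio() >= 0.8:
            reasons.append(f"name imitates {core}.exe")
        elif base == core and "\\system32\\" not in lower:
            reasons.append(f"{core}.exe outside system32")
    # Autostart from the user's profile data folder (short or long path form).
    if "applic~1" in lower or "application data" in lower:
        reasons.append("runs from the user profile Application Data folder")
    # Consonant-only junk names such as DKR, lwtmdcz and dvx.
    if base.isalpha() and not any(c in "aeiouy" for c in base):
        reasons.append("random-looking file name")
    return reasons


def audit(text):
    """Map each O4 label to the reasons its command looks like a hijacker loader."""
    findings = {}
    for section, body in parse_log(text):
        parsed = parse_o4(body) if section == "O4" else None
        if parsed:
            _key, label, cmd = parsed
            reasons = suspicious_reasons(cmd)
            if reasons:
                findings[label] = reasons
    return findings


def diff_logs(old_text, new_text):
    """Entries gone and entries new between two logs, as sets of (section, body)."""
    old, new = set(parse_log(old_text)), set(parse_log(new_text))
    return old - new, new - old


if __name__ == "__main__":
    for label, reasons in audit(LOG_BEFORE).items():
        print(f"[{label}]: " + "; ".join(reasons))
    gone, new = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("Gone after clean-up:", *sorted(f"{s} - {b}" for s, b in gone), sep="\n  ")
    print("New since clean-up:", *sorted(f"{s} - {b}" for s, b in new), sep="\n  ")
```

pong.exe is caught by none of these rules, which is why the helper's line-by-line review still matters: the heuristics narrow the list, they do not replace it.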
     
  3. dvk01

    dvk01 Global Moderator

    also

    Run an online antivirus check from at least one and preferably 2 of the following sites
    http://security.symantec.com/default.asp?
    http://housecall.trendmicro.com/
    http://www.pandasoftware.com/activescan/
    http://www.ravantivirus.com/scan/
    http://www3.ca.com/virusinfo/

    Now I don't see any running antivirus; that is a bit like standing in downtown Baghdad stark naked with a bull's eye on your chest waving an American flag. Definitely not recommended.

    Download and install & run an antivirus immediately

    lists here
    http://www.wilders.org/anti_viruses.htm

    one free one that many users of this forum use successfully is
    AVG from http://www.grisoft.com/us/us_dwnl_free.php
     
  4. tyfris

    tyfris Guest

    thank you dvk01

    I will try that and post results
     
  5. tyfris

    tyfris Guest

    hi

    Here is the log after fixing the checked items (O4...) and CWShredder. You wrote "delete these files"; I only found and deleted these files:
    C:\WINNT\system32\pong.exe
    c:\document and settings\(my name)\application data\services.exe
    I don't know if it was normal or not (HijackThis fixed them?).
    Thank you again !

    Logfile of HijackThis v1.97.7
    Scan saved at 15:30:09, on 29/04/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
    C:\PROGRA~1\NavNT\vptray.exe
    C:\PROGRA~1\PESTPA~1\PPControl.exe
    C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    C:\WINNT\system32\internat.exe
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\MRU-Blaster\scheduler.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Documents and Settings\(my name)\Bureau\VDL\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.int-evry.fr/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.int-evry.fr/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
    N1 - Netscape 4: user_pref("browser.startup.homepage", "www.int-evry.fr"); (C:\Program Files\Netscape\Users\default\prefs.js)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
    O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKLM\..\RunOnce: [MRUBlaster] C:\Program Files\MRU-Blaster\indexcleaner.exe -CC
    O4 - Startup: MRU-Blaster Scheduler.lnk = C:\Program Files\MRU-Blaster\scheduler.exe
    O4 - Startup: MRU-Blaster Silent Clean.lnk = C:\Program Files\MRU-Blaster\mrublaster.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Démarrage d'Office.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: Microsoft Recherche accélérée.lnk = C:\Program Files\Microsoft Office\Office\Findfast.exe
    O4 - Global Startup: MS Office - Démarrage accéléré.lnk = C:\MSOffice\Office\FASTBOOT.EXE
    O12 - Plugin for .int/comm/eurostat/Public/datashop/print-product/EN?catalogue=Eurostat&product=KS-NP-02-012-__-N-EN&mode=download: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O12 - Plugin for .mid: C:\PROGRA~1\Netscape\COMMUN~1\Program\PLUGINS\npaudio.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {638AF6A2-81A1-4655-9FFA-9FC09CDE22CF} (CScanner Object) - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {768D513A-C75B-4FAA-8452-E906CDAB6545} (FVLiteLoad Class) - http://flipviewer.com/exe//fvlite/fvliteY.cab
    O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.euro.dell.com/global/apps/systemprofiler/PROFILER.CAB
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37830.2910532407
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = int-evry.fr
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = int-evry.fr
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = int-evry.fr
     
  6. tyfris

    tyfris Guest

    After the whole procedure, it came back. Here is the log after running Spybot and Adaware, and after the attack (I had already fixed the obfuscated items in the first log; I left them this time):
    thanks

    Logfile of HijackThis v1.97.7
    Scan saved at 16:18:25, on 29/04/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
    C:\PROGRA~1\NavNT\vptray.exe
    C:\PROGRA~1\PESTPA~1\PPControl.exe
    C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    C:\WINNT\system32\internat.exe
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\MRU-Blaster\scheduler.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Microsoft Office\Office\winword.exe
    C:\Documents and Settings\(my name)\Bureau\VDL\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.int-evry.fr/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\mjbn.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\mjbn.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.int-evry.fr/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
    N1 - Netscape 4: user_pref("browser.startup.homepage", "www.int-evry.fr"); (C:\Program Files\Netscape\Users\default\prefs.js)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
    O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKLM\..\RunOnce: [MRUBlaster] C:\Program Files\MRU-Blaster\indexcleaner.exe -CC
    O4 - Startup: MRU-Blaster Scheduler.lnk = C:\Program Files\MRU-Blaster\scheduler.exe
    O4 - Startup: MRU-Blaster Silent Clean.lnk = C:\Program Files\MRU-Blaster\mrublaster.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Démarrage d'Office.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: Microsoft Recherche accélérée.lnk = C:\Program Files\Microsoft Office\Office\Findfast.exe
    O4 - Global Startup: MS Office - Démarrage accéléré.lnk = C:\MSOffice\Office\FASTBOOT.EXE
    O12 - Plugin for .int/comm/eurostat/Public/datashop/print-product/EN?catalogue=Eurostat&product=KS-NP-02-012-__-N-EN&mode=download: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O12 - Plugin for .mid: C:\PROGRA~1\Netscape\COMMUN~1\Program\PLUGINS\npaudio.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {638AF6A2-81A1-4655-9FFA-9FC09CDE22CF} (CScanner Object) - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {768D513A-C75B-4FAA-8452-E906CDAB6545} (FVLiteLoad Class) - http://flipviewer.com/exe//fvlite/fvliteY.cab
    O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.euro.dell.com/global/apps/systemprofiler/PROFILER.CAB
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37830.2910532407
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = int-evry.fr
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = int-evry.fr
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = int-evry.fr
     
  7. dvk01

    dvk01 Global Moderator

    OK try this
    Download this zip: http://tools.zerosrealm.com/pv.zip unzip it to the desktop.
    Be sure to have at least 1 Internet Explorer open, then double click on the runme.bat.

    select option 2 internet explorer dll and press return
    Notepad will open with a log in it

    copy & paste the contents of that log back here in a reply

    then repeat with option 1 and post that log

    Before posting, after you press "post reply" please tick "disable smilies in this post", otherwise the logs will not post.
     
  8. tyfris

    tyfris Guest

    Module information for 'iexplore.exe'
    MODULE BASE SIZE PATH
    iexplore.exe 400000 102400 C:\Program Files\Internet Explorer\iexplore.exe 6.00.2800.1106 Internet Explorer
    ntdll.dll 78460000 536576 C:\WINNT\system32\ntdll.dll 5.00.2195.6899 DLL Couche NT
    msvcrt.dll 78000000 282624 C:\WINNT\system32\msvcrt.dll 6.10.9844.0 Microsoft (R) C Runtime Library
    KERNEL32.dll 77e70000 798720 C:\WINNT\system32\KERNEL32.dll 5.00.2195.6897 DLL du client API BASE Windows NT
    USER32.dll 77e00000 413696 C:\WINNT\system32\USER32.dll 5.00.2195.6897 DLL client de l'API Utilisateur de Windows 2000
    GDI32.DLL 77f40000 253952 C:\WINNT\system32\GDI32.DLL 5.00.2195.6898 GDI Client DLL
    SHLWAPI.dll 70a70000 413696 C:\WINNT\system32\SHLWAPI.dll 6.00.2800.1400 Bibliothèque d'utilitaires légers du Shell
    ADVAPI32.dll 78ed0000 401408 C:\WINNT\system32\ADVAPI32.dll 5.00.2195.6876 API avancées Windows 32
    RPCRT4.DLL 770c0000 462848 C:\WINNT\system32\RPCRT4.DLL 5.00.2195.6904 Remote Procedure Call Runtime
    SHDOCVW.dll 71700000 1347584 C:\WINNT\system32\SHDOCVW.dll 6.00.2800.1400 Bibliothèque d'objets et de contrôles de documents de l'environnement
    WS2_32.DLL 74fb0000 81920 C:\WINNT\system32\WS2_32.DLL 5.00.2195.6601 Windows Socket 2.0 32-Bit DLL
    WS2HELP.DLL 74fa0000 32768 C:\WINNT\system32\WS2HELP.DLL 5.00.2134.1 Application d'assistance de Windows Socket 2.0 pour Windows NT
    comctl32.dll 950000 540672 C:\WINNT\system32\comctl32.dll 5.81 Common Controls Library
    SHELL32.dll 77580000 2420736 C:\WINNT\system32\SHELL32.dll 5.00.3700.6705 DLL commune du shell Windows
    ole32.dll 77a40000 978944 C:\WINNT\system32\ole32.dll 5.00.2195.6906 Microsoft OLE pour Windows
    INDICDLL.dll 6e350000 24576 C:\WINNT\system32\INDICDLL.dll 5.00.2920.0000 Keyboard Language Indicator Shell Hook Extension
    IMM32.dll 75e00000 106496 C:\WINNT\system32\IMM32.dll 5.00.2195.6655 Windows 2000 IMM32 API Client DLL
    BROWSEUI.dll 71500000 1036288 C:\WINNT\system32\BROWSEUI.dll 6.00.2800.1400 Bibliothèque de l'interface utilisateur du navigateur
    browselc.dll 71960000 77824 C:\WINNT\system32\browselc.dll 6.00.2800.1106 Bibliothèque de l'interface utilisateur du navigateur Shell
    CLBCATQ.DLL 72c60000 589824 C:\WINNT\system32\CLBCATQ.DLL 2000.2.3511.0
    OLEAUT32.dll 779a0000 634880 C:\WINNT\system32\OLEAUT32.dll 2.40.4522
    cscui.dll 77840000 262144 C:\WINNT\system32\cscui.dll 5.00.2195.6705 IU de cache côté client
    CSCDLL.DLL 77090000 143360 C:\WINNT\system32\CSCDLL.DLL 5.00.2195.6713 Agent Réseau hors-connexion
    shdoclc.dll 718c0000 569344 C:\WINNT\system32\shdoclc.dll 6.00.2800.1106 Bibliothèque d'objets et de contrôles de documents de l'environnement
    WININET.dll 63000000 618496 C:\WINNT\system32\WININET.dll 6.00.2800.1405 Extensions Internet pour Win32
    CRYPT32.dll 79570000 557056 C:\WINNT\system32\CRYPT32.dll 5.131.2195.6824 Crypto API32
    MSASN1.DLL 77400000 65536 C:\WINNT\system32\MSASN1.DLL 5.00.2195.6905 ASN.1 Runtime APIs
    AcroIEHelper.ocx 10000000 32768 C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx 1, 0, 0, 1 AcroIEHelper Module
    dlprotect.dll 11000000 192512 C:\Program Files\SpywareGuard\dlprotect.dll 2.02 SpywareGuard Download Protection
    MSVBVM60.DLL 6a7d0000 1392640 C:\WINNT\system32\MSVBVM60.DLL 6.00.9690 Visual Basic Virtual Machine
    urlmon.dll 1a400000 499712 C:\WINNT\system32\urlmon.dll 6.00.2800.1400 Extensions OLE32 pour Win32
    VERSION.dll 77810000 28672 C:\WINNT\system32\VERSION.dll 5.00.2195.6623 Version Checking and File Installation Libraries
    LZ32.DLL 75950000 24576 C:\WINNT\system32\LZ32.DLL 5.00.2195.6611 LZ Expand/Compress API DLL
    mlang.dll 70440000 585728 C:\WINNT\system32\mlang.dll 6.00.2800.1106 Multi Language Support DLL
    RASAPI32.dll 774b0000 208896 C:\WINNT\system32\RASAPI32.dll 5.00.2195.6625 Remote Access API
    RASMAN.DLL 77490000 69632 C:\WINNT\system32\RASMAN.DLL 5.00.2195.6604 Remote Access Connection Manager
    TAPI32.DLL 77500000 139264 C:\WINNT\system32\TAPI32.DLL 5.00.2195.6664 DLL Client de l'API Microsoft® Windows(TM) Téléphonie
    RTUTILS.DLL 77820000 57344 C:\WINNT\system32\RTUTILS.DLL 5.00.2168.1 Routing Utilities
    wsock32.dll 74fd0000 36864 C:\WINNT\system32\wsock32.dll 5.00.2195.6603 DLL Socket 32-bits Windows
    msafd.dll 74f50000 122880 C:\WINNT\system32\msafd.dll 5.00.2195.6602 Microsoft Windows Sockets 2.0 Service Provider
    wshtcpip.dll 74f90000 28672 C:\WINNT\System32\wshtcpip.dll 5.00.2195.6601 Windows Sockets Helper DLL
    sensapi.dll 75a50000 20480 C:\WINNT\system32\sensapi.dll 5.00.2195.6627 SENS Connectivity API DLL
    USERENV.DLL 78d20000 401408 C:\WINNT\system32\USERENV.DLL 5.00.2195.6794 Userenv
    netapi32.dll 750f0000 323584 C:\WINNT\system32\netapi32.dll 5.00.2195.6897 Net Win32 API DLL
    SECUR32.DLL 78fb0000 61440 C:\WINNT\system32\SECUR32.DLL 5.00.2195.6695 Security Support Provider Interface
    NETRAP.DLL 75140000 24576 C:\WINNT\system32\NETRAP.DLL 5.00.2134.1 Net Remote Admin Protocol DLL
    SAMLIB.DLL 750d0000 61440 C:\WINNT\system32\SAMLIB.DLL 5.00.2195.6897 SAM Library DLL
    WLDAP32.DLL 77940000 176128 C:\WINNT\system32\WLDAP32.DLL 5.00.2195.6666 DLL API LDAP Win32
    DNSAPI.DLL 77970000 147456 C:\WINNT\system32\DNSAPI.DLL 5.00.2195.6824 DNS Client API DLL
    rnr20.dll 77830000 49152 C:\WINNT\System32\rnr20.dll 5.00.2195.6603 Windows Socket2 NameSpace DLL
    iphlpapi.dll 77310000 77824 C:\WINNT\system32\iphlpapi.dll 5.00.2195.6602 API de l'application d'assistance IP
    ICMP.DLL 774f0000 20480 C:\WINNT\system32\ICMP.DLL 5.00.2134.1 ICMP DLL
    MPRAPI.DLL 772f0000 94208 C:\WINNT\system32\MPRAPI.DLL 5.00.2181.1 Windows NT MP Router Administration DLL
    ACTIVEDS.DLL 77380000 196608 C:\WINNT\system32\ACTIVEDS.DLL 5.00.2195.6601 DLL de la couche de routage AD
    ADSLDPC.DLL 77350000 143360 C:\WINNT\system32\ADSLDPC.DLL 5.00.2195.6701 DLL C du fournisseur LDAP AD
    SETUPAPI.DLL 783c0000 593920 C:\WINNT\system32\SETUPAPI.DLL 5.00.2195.6622 Windows Setup API
    DHCPCSVC.DLL 77330000 102400 C:\WINNT\system32\DHCPCSVC.DLL 5.00.2195.6685 Service client DHCP
    winrnr.dll 777d0000 32768 C:\WINNT\System32\winrnr.dll 5.00.2160.1 LDAP RnR Provider DLL
    rasadhlp.dll 777e0000 20480 C:\WINNT\system32\rasadhlp.dll 5.00.2168.1 Remote Access AutoDial Helper
    mshtml.dll 63580000 2818048 C:\WINNT\system32\mshtml.dll 6.00.2800.1400 Visionneuse HTML Microsoft (R)
    jscript.dll 6b700000 589824 C:\WINNT\system32\jscript.dll 5.6.0.8513 Microsoft (r) JScript
    docprop2.dll 71e40000 315392 C:\WINNT\System32\docprop2.dll 5.00.2178.1 DocProp2
    WINMM.DLL 77540000 200704 C:\WINNT\System32\WINMM.DLL 5.00.2161.1 MCI API DLL
    MSVFW32.DLL 6a6f0000 131072 C:\WINNT\System32\MSVFW32.DLL 5.00.2195.6612 DLL Microsoft Video for Windows
    AVIFIL32.DLL 747f0000 90112 C:\WINNT\System32\AVIFIL32.DLL 5.00.2195.6612 Bibliothèque d'assistance des fichiers AVI Microsoft
    MSACM32.dll 773e0000 77824 C:\WINNT\System32\MSACM32.dll 5.00.2134.1 Filtre audio ACM Microsoft
    faxshell.dll 6ff60000 20480 C:\WINNT\system32\faxshell.dll 5.00.2134.1 Fournisseur de colonne de données Tiff de télécopie
    MSLS31.DLL 75a60000 163840 C:\WINNT\system32\MSLS31.DLL 3.10.337.0 Microsoft Line Services library file
    wdmaud.drv 77530000 32768 C:\WINNT\system32\wdmaud.drv 5.00.2195.6673 WDM Audio driver mapper
    msacm32.drv 773d0000 32768 C:\WINNT\system32\msacm32.drv 5.00.2134.1 Mappeur de sons Microsoft
    msadp32.acm 75ce0000 24576 C:\WINNT\system32\msadp32.acm 5.00.2134.1 Codec Microsoft ADPCM pour MSACM
    mshtmled.dll 70f30000 450560 C:\WINNT\system32\mshtmled.dll 6.00.2800.1106 Composant d'édition HTML Microsoft (R)
    webcheck.dll 70340000 274432 C:\WINNT\system32\webcheck.dll 6.00.2800.1106 Contrôleur de site Web
    rsaenh.dll 7ca00000 143360 C:\WINNT\system32\rsaenh.dll 5.00.2195.6611 Microsoft Enhanced Cryptographic Provider (US/Canada Only, Not for Export)
    actxprxy.dll 703d0000 110592 C:\WINNT\system32\actxprxy.dll 6.00.2800.1106 ActiveX Interface Marshaling Library
    WINSPOOL.DRV 777f0000 122880 C:\WINNT\system32\WINSPOOL.DRV 5.00.2195.6659 Pilote de spouleur Windows
    MPR.DLL 79450000 65536 C:\WINNT\system32\MPR.DLL 5.00.2195.6824 DLL de routeur de fournisseurs multiples
    msratelc.dll 30000000 73728 C:\WINNT\system32\msratelc.dll 6.00.2800.1106 DLL de gestion d'utilisateur local et de contrôle d'accès à Internet
    PS5UI.DLL 78610000 143360 C:\WINNT\system32\spool\DRIVERS\W32X86\3\PS5UI.DLL 5.1.2600.1106 (xpsp1.020828-1920) Interface utilisateur du pilote PostScript
    PSCRIPT5.DLL 77cb0000 471040 C:\WINNT\system32\spool\DRIVERS\W32X86\3\PSCRIPT5.DLL 5.1.2600.1106 (xpsp1.020828-1920) Pilote d'imprimante PostScript
    mscms.dll 6b5b0000 77824 C:\WINNT\system32\mscms.dll 5.00.2180.1 Microsoft Color Matching System DLL
    dispex.dll 6990000 45056 C:\WINNT\System32\dispex.dll 5.6.0.6626 Microsoft (r) DispEx
    imgutil.dll 70510000 40960 C:\WINNT\system32\imgutil.dll 6.00.2800.1106 IE plugin image decoder support DLL
    comdlg32.dll 76b00000 253952 C:\WINNT\system32\comdlg32.dll 5.00.3700.6693 DLL commune de boîtes de dialogues
    printui.dll 752e0000 409600 C:\WINNT\system32\printui.dll 5.00.2195.6702 DLL de l'IU d'impression
    CFGMGR32.dll 77080000 28672 C:\WINNT\system32\CFGMGR32.dll 5.00.2134.1 Configuration Manager Forwarder DLL
    plugin.ocx 82c0000 98304 C:\WINNT\system32\plugin.ocx 6.00.2800.1106 Plugin
    ntshrui.dll 76f70000 61440 C:\WINNT\system32\ntshrui.dll 5.00.2134.1 Extensions de l'interpréteur de commandes pour le partage
    ATL.DLL 773b0000 86016 C:\WINNT\system32\ATL.DLL 3.00.9435 ATL Module for Windows NT (Unicode)
    Module information for 'iexplore.exe'
    MODULE BASE SIZE PATH
    iexplore.exe 400000 102400 C:\Program Files\Internet Explorer\iexplore.exe 6.00.2800.1106 Internet Explorer
    ntdll.dll 78460000 536576 C:\WINNT\system32\ntdll.dll 5.00.2195.6899 DLL Couche NT
    msvcrt.dll 78000000 282624 C:\WINNT\system32\msvcrt.dll 6.10.9844.0 Microsoft (R) C Runtime Library
    KERNEL32.dll 77e70000 798720 C:\WINNT\system32\KERNEL32.dll 5.00.2195.6897 DLL du client API BASE Windows NT
    USER32.dll 77e00000 413696 C:\WINNT\system32\USER32.dll 5.00.2195.6897 DLL client de l'API Utilisateur de Windows 2000
    GDI32.DLL 77f40000 253952 C:\WINNT\system32\GDI32.DLL 5.00.2195.6898 GDI Client DLL
    SHLWAPI.dll 70a70000 413696 C:\WINNT\system32\SHLWAPI.dll 6.00.2800.1400 Bibliothèque d'utilitaires légers du Shell
    ADVAPI32.dll 78ed0000 401408 C:\WINNT\system32\ADVAPI32.dll 5.00.2195.6876 API avancées Windows 32
    RPCRT4.DLL 770c0000 462848 C:\WINNT\system32\RPCRT4.DLL 5.00.2195.6904 Remote Procedure Call Runtime
    SHDOCVW.dll 71700000 1347584 C:\WINNT\system32\SHDOCVW.dll 6.00.2800.1400 Bibliothèque d'objets et de contrôles de documents de l'environnement
    WS2_32.DLL 74fb0000 81920 C:\WINNT\system32\WS2_32.DLL 5.00.2195.6601 Windows Socket 2.0 32-Bit DLL
    WS2HELP.DLL 74fa0000 32768 C:\WINNT\system32\WS2HELP.DLL 5.00.2134.1 Application d'assistance de Windows Socket 2.0 pour Windows NT
    comctl32.dll 950000 540672 C:\WINNT\system32\comctl32.dll 5.81 Common Controls Library
    SHELL32.dll 77580000 2420736 C:\WINNT\system32\SHELL32.dll 5.00.3700.6705 DLL commune du shell Windows
    ole32.dll 77a40000 978944 C:\WINNT\system32\ole32.dll 5.00.2195.6906 Microsoft OLE pour Windows
    INDICDLL.dll 6e350000 24576 C:\WINNT\system32\INDICDLL.dll 5.00.2920.0000 Keyboard Language Indicator Shell Hook Extension
    IMM32.dll 75e00000 106496 C:\WINNT\system32\IMM32.dll 5.00.2195.6655 Windows 2000 IMM32 API Client DLL
    BROWSEUI.dll 71500000 1036288 C:\WINNT\system32\BROWSEUI.dll 6.00.2800.1400 Bibliothèque de l'interface utilisateur du navigateur
    browselc.dll 71960000 77824 C:\WINNT\system32\browselc.dll 6.00.2800.1106 Bibliothèque de l'interface utilisateur du navigateur Shell
    CLBCATQ.DLL 72c60000 589824 C:\WINNT\system32\CLBCATQ.DLL 2000.2.3511.0
    OLEAUT32.dll 779a0000 634880 C:\WINNT\system32\OLEAUT32.dll 2.40.4522
    WININET.dll 63000000 618496 C:\WINNT\system32\WININET.dll 6.00.2800.1405 Extensions Internet pour Win32
    CRYPT32.dll 79570000 557056 C:\WINNT\system32\CRYPT32.dll 5.131.2195.6824 Crypto API32
    MSASN1.DLL 77400000 65536 C:\WINNT\system32\MSASN1.DLL 5.00.2195.6905 ASN.1 Runtime APIs
    cscui.dll 77840000 262144 C:\WINNT\system32\cscui.dll 5.00.2195.6705 IU de cache côté client
    CSCDLL.DLL 77090000 143360 C:\WINNT\system32\CSCDLL.DLL 5.00.2195.6713 Agent Réseau hors-connexion
    shdoclc.dll 718c0000 569344 C:\WINNT\system32\shdoclc.dll 6.00.2800.1106 Bibliothèque d'objets et de contrôles de documents de l'environnement
    AcroIEHelper.ocx 10000000 32768 C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx 1, 0, 0, 1 AcroIEHelper Module
    dlprotect.dll 11000000 192512 C:\Program Files\SpywareGuard\dlprotect.dll 2.02 SpywareGuard Download Protection
    MSVBVM60.DLL 6a7d0000 1392640 C:\WINNT\system32\MSVBVM60.DLL 6.00.9690 Visual Basic Virtual Machine
    urlmon.dll 1a400000 499712 C:\WINNT\system32\urlmon.dll 6.00.2800.1400 Extensions OLE32 pour Win32
    VERSION.dll 77810000 28672 C:\WINNT\system32\VERSION.dll 5.00.2195.6623 Version Checking and File Installation Libraries
    LZ32.DLL 75950000 24576 C:\WINNT\system32\LZ32.DLL 5.00.2195.6611 LZ Expand/Compress API DLL
    mlang.dll 70440000 585728 C:\WINNT\system32\mlang.dll 6.00.2800.1106 Multi Language Support DLL
    RASAPI32.dll 774b0000 208896 C:\WINNT\system32\RASAPI32.dll 5.00.2195.6625 Remote Access API
    RASMAN.DLL 77490000 69632 C:\WINNT\system32\RASMAN.DLL 5.00.2195.6604 Remote Access Connection Manager
    TAPI32.DLL 77500000 139264 C:\WINNT\system32\TAPI32.DLL 5.00.2195.6664 DLL Client de l'API Microsoft® Windows(TM) Téléphonie
    RTUTILS.DLL 77820000 57344 C:\WINNT\system32\RTUTILS.DLL 5.00.2168.1 Routing Utilities
    wsock32.dll 74fd0000 36864 C:\WINNT\system32\wsock32.dll 5.00.2195.6603 DLL Socket 32-bits Windows
    msafd.dll 74f50000 122880 C:\WINNT\system32\msafd.dll 5.00.2195.6602 Microsoft Windows Sockets 2.0 Service Provider
    wshtcpip.dll 74f90000 28672 C:\WINNT\System32\wshtcpip.dll 5.00.2195.6601 Windows Sockets Helper DLL
    sensapi.dll 75a50000 20480 C:\WINNT\system32\sensapi.dll 5.00.2195.6627 SENS Connectivity API DLL
    USERENV.DLL 78d20000 401408 C:\WINNT\system32\USERENV.DLL 5.00.2195.6794 Userenv
    netapi32.dll 750f0000 323584 C:\WINNT\system32\netapi32.dll 5.00.2195.6897 Net Win32 API DLL
    SECUR32.DLL 78fb0000 61440 C:\WINNT\system32\SECUR32.DLL 5.00.2195.6695 Security Support Provider Interface
    NETRAP.DLL 75140000 24576 C:\WINNT\system32\NETRAP.DLL 5.00.2134.1 Net Remote Admin Protocol DLL
    SAMLIB.DLL 750d0000 61440 C:\WINNT\system32\SAMLIB.DLL 5.00.2195.6897 SAM Library DLL
    WLDAP32.DLL 77940000 176128 C:\WINNT\system32\WLDAP32.DLL 5.00.2195.6666 DLL API LDAP Win32
    DNSAPI.DLL 77970000 147456 C:\WINNT\system32\DNSAPI.DLL 5.00.2195.6824 DNS Client API DLL
    rnr20.dll 77830000 49152 C:\WINNT\System32\rnr20.dll 5.00.2195.6603 Windows Socket2 NameSpace DLL
    iphlpapi.dll 77310000 77824 C:\WINNT\system32\iphlpapi.dll 5.00.2195.6602 API de l'application d'assistance IP
    ICMP.DLL 774f0000 20480 C:\WINNT\system32\ICMP.DLL 5.00.2134.1 ICMP DLL
    MPRAPI.DLL 772f0000 94208 C:\WINNT\system32\MPRAPI.DLL 5.00.2181.1 Windows NT MP Router Administration DLL
    ACTIVEDS.DLL 77380000 196608 C:\WINNT\system32\ACTIVEDS.DLL 5.00.2195.6601 DLL de la couche de routage AD
    ADSLDPC.DLL 77350000 143360 C:\WINNT\system32\ADSLDPC.DLL 5.00.2195.6701 DLL C du fournisseur LDAP AD
    SETUPAPI.DLL 783c0000 593920 C:\WINNT\system32\SETUPAPI.DLL 5.00.2195.6622 Windows Setup API
    DHCPCSVC.DLL 77330000 102400 C:\WINNT\system32\DHCPCSVC.DLL 5.00.2195.6685 Service client DHCP
    winrnr.dll 777d0000 32768 C:\WINNT\System32\winrnr.dll 5.00.2160.1 LDAP RnR Provider DLL
    rasadhlp.dll 777e0000 20480 C:\WINNT\system32\rasadhlp.dll 5.00.2168.1 Remote Access AutoDial Helper
    mshtml.dll 63580000 2818048 C:\WINNT\system32\mshtml.dll 6.00.2800.1400 Visionneuse HTML Microsoft (R)
    jscript.dll 6b700000 589824 C:\WINNT\system32\jscript.dll 5.6.0.8513 Microsoft (r) JScript
    MSLS31.DLL 75a60000 163840 C:\WINNT\system32\MSLS31.DLL 3.10.337.0 Microsoft Line Services library file
    actxprxy.dll 703d0000 110592 C:\WINNT\system32\actxprxy.dll 6.00.2800.1106 ActiveX Interface Marshaling Library
     
  9. tyfris

    tyfris Guest

    and now option 1
    Module information for 'Explorer.EXE'
    MODULE BASE SIZE PATH
    Explorer.EXE 400000 253952 C:\WINNT\Explorer.EXE 5.00.3700.6690 Explorateur Windows
    ntdll.dll 78460000 536576 C:\WINNT\system32\ntdll.dll 5.00.2195.6899 DLL Couche NT
    ADVAPI32.DLL 78ed0000 401408 C:\WINNT\system32\ADVAPI32.DLL 5.00.2195.6876 API avancées Windows 32
    KERNEL32.DLL 77e70000 798720 C:\WINNT\system32\KERNEL32.DLL 5.00.2195.6897 DLL du client API BASE Windows NT
    RPCRT4.DLL 770c0000 462848 C:\WINNT\system32\RPCRT4.DLL 5.00.2195.6904 Remote Procedure Call Runtime
    GDI32.DLL 77f40000 253952 C:\WINNT\system32\GDI32.DLL 5.00.2195.6898 GDI Client DLL
    USER32.DLL 77e00000 413696 C:\WINNT\system32\USER32.DLL 5.00.2195.6897 DLL client de l'API Utilisateur de Windows 2000
    SHLWAPI.DLL 70a70000 413696 C:\WINNT\system32\SHLWAPI.DLL 6.00.2800.1400 Bibliothèque d'utilitaires légers du Shell
    msvcrt.dll 78000000 282624 C:\WINNT\system32\msvcrt.dll 6.10.9844.0 Microsoft (R) C Runtime Library
    COMCTL32.DLL 71710000 540672 C:\WINNT\system32\COMCTL32.DLL 5.81 Common Controls Library
    shim.dll 77880000 151552 C:\WINNT\system32\shim.dll 5.00.2195.6717 Shim Engine DLL
    AcLayers.DLL 23000000 352256 C:\WINNT\AppPatch\AcLayers.DLL 5.00.2195.6717 Windows 2000 Shim Accessory DLL
    WS2_32.DLL 74fb0000 81920 C:\WINNT\system32\WS2_32.DLL 5.00.2195.6601 Windows Socket 2.0 32-Bit DLL
    WS2HELP.DLL 74fa0000 32768 C:\WINNT\system32\WS2HELP.DLL 5.00.2134.1 Application d'assistance de Windows Socket 2.0 pour Windows NT
    OLE32.DLL 77a40000 978944 C:\WINNT\system32\OLE32.DLL 5.00.2195.6906 Microsoft OLE pour Windows
    SHELL32.dll 77580000 2420736 C:\WINNT\system32\SHELL32.dll 5.00.3700.6705 DLL commune du shell Windows
    CLBCATQ.DLL 72c60000 589824 C:\WINNT\system32\CLBCATQ.DLL 2000.2.3511.0
    OLEAUT32.dll 779a0000 634880 C:\WINNT\system32\OLEAUT32.dll 2.40.4522
    cscui.dll 77840000 262144 C:\WINNT\system32\cscui.dll 5.00.2195.6705 IU de cache côté client
    CSCDLL.DLL 77090000 143360 C:\WINNT\system32\CSCDLL.DLL 5.00.2195.6713 Agent Réseau hors-connexion
    MSI.DLL 13c0000 2113536 C:\WINNT\system32\MSI.DLL 2.0.2600.1183 Windows Installer
    RASAPI32.dll 774b0000 208896 C:\WINNT\system32\RASAPI32.dll 5.00.2195.6625 Remote Access API
    RASMAN.DLL 77490000 69632 C:\WINNT\system32\RASMAN.DLL 5.00.2195.6604 Remote Access Connection Manager
    TAPI32.DLL 77500000 139264 C:\WINNT\system32\TAPI32.DLL 5.00.2195.6664 DLL Client de l'API Microsoft® Windows(TM) Téléphonie
    RTUTILS.DLL 77820000 57344 C:\WINNT\system32\RTUTILS.DLL 5.00.2168.1 Routing Utilities
    wininet.dll 63000000 618496 C:\WINNT\system32\wininet.dll 6.00.2800.1405 Extensions Internet pour Win32
    CRYPT32.dll 79570000 557056 C:\WINNT\system32\CRYPT32.dll 5.131.2195.6824 Crypto API32
    MSASN1.DLL 77400000 65536 C:\WINNT\system32\MSASN1.DLL 5.00.2195.6905 ASN.1 Runtime APIs
    SHDOCVW.DLL 1730000 1347584 C:\WINNT\system32\SHDOCVW.DLL 6.00.2800.1400 Bibliothèque d'objets et de contrôles de documents de l'environnement
    browseui.dll 71500000 1036288 C:\WINNT\system32\browseui.dll 6.00.2800.1400 Bibliothèque de l'interface utilisateur du navigateur
    MPR.DLL 79450000 65536 C:\WINNT\system32\MPR.DLL 5.00.2195.6824 DLL de routeur de fournisseurs multiples
    USERENV.DLL 78d20000 401408 C:\WINNT\system32\USERENV.DLL 5.00.2195.6794 Userenv
    ntshrui.dll 76f70000 61440 C:\WINNT\system32\ntshrui.dll 5.00.2134.1 Extensions de l'interpréteur de commandes pour le partage
    ATL.DLL 773b0000 86016 C:\WINNT\system32\ATL.DLL 3.00.9435 ATL Module for Windows NT (Unicode)
    NETAPI32.DLL 750f0000 323584 C:\WINNT\system32\NETAPI32.DLL 5.00.2195.6897 Net Win32 API DLL
    SECUR32.DLL 78fb0000 61440 C:\WINNT\system32\SECUR32.DLL 5.00.2195.6695 Security Support Provider Interface
    NETRAP.DLL 75140000 24576 C:\WINNT\system32\NETRAP.DLL 5.00.2134.1 Net Remote Admin Protocol DLL
    SAMLIB.DLL 750d0000 61440 C:\WINNT\system32\SAMLIB.DLL 5.00.2195.6897 SAM Library DLL
    WLDAP32.DLL 77940000 176128 C:\WINNT\system32\WLDAP32.DLL 5.00.2195.6666 DLL API LDAP Win32
    DNSAPI.DLL 77970000 147456 C:\WINNT\system32\DNSAPI.DLL 5.00.2195.6824 DNS Client API DLL
    WSOCK32.DLL 74fd0000 36864 C:\WINNT\system32\WSOCK32.DLL 5.00.2195.6603 DLL Socket 32-bits Windows
    mydocs.dll 76dc0000 73728 C:\WINNT\system32\mydocs.dll 5.00.3502.6601 Interface utilisateur du dossier Mes documents
    ntlanman.dll 750e0000 49152 C:\WINNT\System32\ntlanman.dll 5.00.2195.6601 Gestionnaire de réseau local Microsoft®
    NETUI0.DLL 75190000 86016 C:\WINNT\System32\NETUI0.DLL 5.00.2195.6601 Code commun NT LM UI - Classes GUI
    NETUI1.DLL 75150000 229376 C:\WINNT\System32\NETUI1.DLL 5.00.2134.1 NT LM UI Common Code - Networking classes
    NETSHELL.dll 76ef0000 495616 C:\WINNT\system32\NETSHELL.dll 5.00.2195.6604 Noyau des Connexions réseau
    webcheck.dll 70340000 274432 C:\WINNT\system32\webcheck.dll 6.00.2800.1106 Contrôleur de site Web
    stobject.dll 76670000 98304 C:\WINNT\system32\stobject.dll 5.00.2195.6601 Objet du service d'environnement Systray
    BATMETER.DLL 766e0000 32768 C:\WINNT\system32\BATMETER.DLL 5.00.3502.6601 DLL d'application d'assistance de Jauge de batterie
    SETUPAPI.DLL 783c0000 593920 C:\WINNT\system32\SETUPAPI.DLL 5.00.2195.6622 Windows Setup API
    POWRPROF.DLL 76690000 28672 C:\WINNT\system32\POWRPROF.DLL 5.00.3502.6601 Power Profile Helper DLL
    WINMM.DLL 77540000 200704 C:\WINNT\system32\WINMM.DLL 5.00.2161.1 MCI API DLL
    wdmaud.drv 77530000 32768 C:\WINNT\system32\wdmaud.drv 5.00.2195.6673 WDM Audio driver mapper
    msacm32.drv 773d0000 32768 C:\WINNT\system32\msacm32.drv 5.00.2134.1 Mappeur de sons Microsoft
    MSACM32.dll 773e0000 77824 C:\WINNT\system32\MSACM32.dll 5.00.2134.1 Filtre audio ACM Microsoft
    INDICDLL.dll 6e350000 24576 C:\WINNT\system32\INDICDLL.dll 5.00.2920.0000 Keyboard Language Indicator Shell Hook Extension
    IMM32.dll 75e00000 106496 C:\WINNT\system32\IMM32.dll 5.00.2195.6655 Windows 2000 IMM32 API Client DLL
    spywareguard.dll 22200000 126976 C:\Program Files\SpywareGuard\spywareguard.dll 2.02 SpywareGuard Protection
    MSVBVM60.DLL 6a7d0000 1392640 C:\WINNT\system32\MSVBVM60.DLL 6.00.9690 Visual Basic Virtual Machine
    browselc.dll 71960000 77824 C:\WINNT\system32\browselc.dll 6.00.2800.1106 Bibliothèque de l'interface utilisateur du navigateur Shell
    urlmon.dll 1a400000 499712 C:\WINNT\system32\urlmon.dll 6.00.2800.1400 Extensions OLE32 pour Win32
    VERSION.dll 77810000 28672 C:\WINNT\system32\VERSION.dll 5.00.2195.6623 Version Checking and File Installation Libraries
    LZ32.DLL 75950000 24576 C:\WINNT\system32\LZ32.DLL 5.00.2195.6611 LZ Expand/Compress API DLL
    LINKINFO.DLL 766b0000 36864 C:\WINNT\system32\LINKINFO.DLL 5.00.2134.1 Windows Volume Tracking
    docprop2.dll 71e40000 315392 C:\WINNT\System32\docprop2.dll 5.00.2178.1 DocProp2
    MSVFW32.DLL 6a6f0000 131072 C:\WINNT\System32\MSVFW32.DLL 5.00.2195.6612 DLL Microsoft Video for Windows
    AVIFIL32.DLL 747f0000 90112 C:\WINNT\System32\AVIFIL32.DLL 5.00.2195.6612 Bibliothèque d'assistance des fichiers AVI Microsoft
    faxshell.dll 6ff60000 20480 C:\WINNT\system32\faxshell.dll 5.00.2134.1 Fournisseur de colonne de données Tiff de télécopie
    CfgMgr32.dll 77080000 28672 C:\WINNT\system32\CfgMgr32.dll 5.00.2134.1 Configuration Manager Forwarder DLL
    WINTRUST.dll 768e0000 176128 C:\WINNT\system32\WINTRUST.dll 5.131.2195.6824 API Microsoft de vérification de la confiance
    IMAGEHLP.dll 77910000 143360 C:\WINNT\system32\IMAGEHLP.dll 5.00.2195.6613 Windows NT Image Helper
    FINDFAST.CPL 30000000 45056 C:\WINNT\system32\FINDFAST.CPL 8.0 Panneau de configuration de Microsoft Recherche accélérée
    comdlg32.dll 76b00000 253952 C:\WINNT\system32\comdlg32.dll 5.00.3700.6693 DLL commune de boîtes de dialogues
    powercfg.cpl 64dd0000 114688 C:\WINNT\system32\powercfg.cpl 5.00.3502.6601 Panneau de configuration - Gestion de l'alimentation
    PASHLEXT.DLL 4cb0000 520192 C:\Program Files\PowerArchiver\PASHLEXT.DLL 2.5.0.1 PowerArchiver Shell Extensions
    vpshell2.dll 10000000 40960 C:\Program Files\Fichiers communs\Symantec Shared\SSC\vpshell2.dll 7.60.00.926 Norton AntiVirus
    msxml3.dll 69b10000 1134592 C:\WINNT\system32\msxml3.dll 8.30.9926.0 MSXML 3.0 SP 3
    mstask.dll 6aa20000 229376 C:\WINNT\System32\mstask.dll 4.71.2195.6704 Fichier DLL d'interface du Planificateur de tâches
    soa800.dll 6e0b0000 208896 C:\Program Files\Microsoft Office\Office\soa800.dll 8.000.3720 MSAPP Export Support for Microsoft Access
    query.dll 78680000 1462272 C:\WINNT\system32\query.dll 5.00.2195.6664 Bibliothèque de requête et d'indexation de Index Server
    shdoclc.dll 718c0000 569344 C:\WINNT\system32\shdoclc.dll 6.00.2800.1106 Bibliothèque d'objets et de contrôles de documents de l'environnement
    AcroIEHelper.ocx 69c0000 32768 C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx 1, 0, 0, 1 AcroIEHelper Module
    dlprotect.dll 11000000 192512 C:\Program Files\SpywareGuard\dlprotect.dll 2.02 SpywareGuard Download Protection
     
  10. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Nothing showing in those logs.

    Please do this now:

    Go here:
    http://www10.brinkster.com/expl0iter/freeatlast/PVtool.htm
    And download "Xfind.zip" from there.
    Unzip, run the 'find.bat' inside.
    Wait till it terminates and find 'log.txt' inside which
    you'd need to attach into your next reply.
     
  11. tyfris

    tyfris Guest

    All I get is a file.txt with "C:\WINNT\System32\HLPBODC.DLL +++ File read error".
     
  12. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Please download TheKillbox from here: http://download.broadbandmedic.com/VbStuff/KillBox.zip

    Unzip the files to a folder, then double-click on Killbox.exe to run it. In the "Paste Full Path of File to Delete" box, copy and paste the following:

    C:\WINDOWS\System32\HLPBODC.DLL

    Don't click any of the buttons though, instead please click on the Action menu and choose "Delete on Reboot". On the next screen, click on the File menu and choose "Add File". The filename and path should show up in the window.
    Repeat those actions for:

    C:\WINDOWS\System32\mjbn.dll

    So you will have two filenames showing in that window.
    If that's successful, choose the Action menu and select "Process and Reboot". You'll be prompted to reboot, do so.

    When you're back in windows, please run the latest version of cwshredder. Post a new hijackthis log.
     
  13. tyfris

    tyfris Guest

    Here it is!

    Logfile of HijackThis v1.97.7
    Scan saved at 18:15:24, on 29/04/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
    C:\PROGRA~1\NavNT\vptray.exe
    C:\PROGRA~1\PESTPA~1\PPControl.exe
    C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    C:\WINNT\system32\internat.exe
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\MRU-Blaster\scheduler.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Documents and Settings\(my name)\Bureau\VDL\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.int-evry.fr/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.int-evry.fr/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
    N1 - Netscape 4: user_pref("browser.startup.homepage", "www.int-evry.fr"); (C:\Program Files\Netscape\Users\default\prefs.js)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
    O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKLM\..\RunOnce: [MRUBlaster] C:\Program Files\MRU-Blaster\indexcleaner.exe -CC
    O4 - Startup: MRU-Blaster Scheduler.lnk = C:\Program Files\MRU-Blaster\scheduler.exe
    O4 - Startup: MRU-Blaster Silent Clean.lnk = C:\Program Files\MRU-Blaster\mrublaster.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Démarrage d'Office.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: Microsoft Recherche accélérée.lnk = C:\Program Files\Microsoft Office\Office\Findfast.exe
    O4 - Global Startup: MS Office - Démarrage accéléré.lnk = C:\MSOffice\Office\FASTBOOT.EXE
    O12 - Plugin for .int/comm/eurostat/Public/datashop/print-product/EN?catalogue=Eurostat&product=KS-NP-02-012-__-N-EN&mode=download: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O12 - Plugin for .mid: C:\PROGRA~1\Netscape\COMMUN~1\Program\PLUGINS\npaudio.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {638AF6A2-81A1-4655-9FFA-9FC09CDE22CF} (CScanner Object) - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {768D513A-C75B-4FAA-8452-E906CDAB6545} (FVLiteLoad Class) - http://flipviewer.com/exe//fvlite/fvliteY.cab
    O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.euro.dell.com/global/apps/systemprofiler/PROFILER.CAB
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37830.2910532407
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = int-evry.fr
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = int-evry.fr
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = int-evry.fr
     
  14. tyfris

    tyfris Guest

    CWS came back.

    Here's the log after, if it can help:

    Logfile of HijackThis v1.97.7
    Scan saved at 18:34:08, on 29/04/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
    C:\PROGRA~1\NavNT\vptray.exe
    C:\PROGRA~1\PESTPA~1\PPControl.exe
    C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    C:\WINNT\system32\internat.exe
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\MRU-Blaster\scheduler.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Microsoft Office\Office\winword.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\(my name)\Bureau\VDL\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.int-evry.fr/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\lcpdcb.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\lcpdcb.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.int-evry.fr/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
    N1 - Netscape 4: user_pref("browser.startup.homepage", "www.int-evry.fr"); (C:\Program Files\Netscape\Users\default\prefs.js)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
    O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKLM\..\RunOnce: [MRUBlaster] C:\Program Files\MRU-Blaster\indexcleaner.exe -CC
    O4 - Startup: MRU-Blaster Scheduler.lnk = C:\Program Files\MRU-Blaster\scheduler.exe
    O4 - Startup: MRU-Blaster Silent Clean.lnk = C:\Program Files\MRU-Blaster\mrublaster.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Démarrage d'Office.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: Microsoft Recherche accélérée.lnk = C:\Program Files\Microsoft Office\Office\Findfast.exe
    O4 - Global Startup: MS Office - Démarrage accéléré.lnk = C:\MSOffice\Office\FASTBOOT.EXE
    O12 - Plugin for .int/comm/eurostat/Public/datashop/print-product/EN?catalogue=Eurostat&product=KS-NP-02-012-__-N-EN&mode=download: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O12 - Plugin for .mid: C:\PROGRA~1\Netscape\COMMUN~1\Program\PLUGINS\npaudio.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {638AF6A2-81A1-4655-9FFA-9FC09CDE22CF} (CScanner Object) - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {768D513A-C75B-4FAA-8452-E906CDAB6545} (FVLiteLoad Class) - http://flipviewer.com/exe//fvlite/fvliteY.cab
    O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.euro.dell.com/global/apps/systemprofiler/PROFILER.CAB
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37830.2910532407
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = int-evry.fr
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = int-evry.fr
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = int-evry.fr
     
  15. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    I'll get someone else to have a look at this and see what else they can suggest, but these CWS hijackers are proving very difficult to fix at the moment, even though many experts are working full time on fixes.

    Have you tried using a firewall to block the servers as I suggested in my first post? I can't see any signs of one in the logs.
     
  16. tyfris

    tyfris Guest

    My computer is on a company LAN, so I don't know if I am allowed to have my own firewall. Anyway, thank you for helping !
     
  17. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    OK, that's one avenue blocked, but if you were infected on a LAN, I'm pretty sure that many others on the same LAN must have been as well.

    I've sent out a message to a few of the people who are actually developing the fixes for these hijackers to look at this thread and see what I've missed.
     
  18. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Can you repeat this part:

    Regards,

    Pieter
     
  19. tyfris

    tyfris Guest

    Hi,

    Same result: C:\WINNT\System32\HLPBODC.DLL +++ File read error

    Regards
     
  20. tyfris

    tyfris Guest

    Am I lucky? I have done the killbox procedure indicated before again, with two changes compared to the first time, and for 2 hours CWS has not come back. The changes were:
    (1) After using CWShredder, I also ran Ad-Aware, which found 1 CWS registry key and one CWS file. It seems that CWShredder didn't clean them (or did they install before I ran Ad-Aware?).
    (2) I avoided some recently discovered websites.
    This poses the problem of identifying the right causality. If there is no more message from me, it means it's OK now.
    Still, I have the same problem with SpywareBlaster 3.1: "This program has been damaged, possibly by a bad sector of the hard drive or a virus. Please reinstall it."

    Thank you again !
     
  21. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi tyfris,

    Let's hope it stays away.

    Read this thread: https://www.wilderssecurity.com/showthread.php?t=27971
    on how to prevent future infections.

    Javacool is looking into what this CWS does to damage his program.
    Keep an eye out for any news on his forum.

    Regards,

    Pieter
     
  22. tyfris

    tyfris Guest

    Thank you! It seems to be very useful!
     
  23. tyfris

    tyfris Guest

    Unfortunately, it came back this morning. I had just started up my PC, and only Outlook Express was open, not even IE. It's the same searchx that other users have encountered. I have tried to clean it again (CWShredder first, then Ad-Aware, which found 1 registry key and one file).
    Should I post my HijackThis log again? After it comes back again, or now?
    Thanks
     
  24. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Post a log now please, so we can see what it finds.
     
  25. tyfris

    tyfris Guest

    That's it! Thanks again!

    Logfile of HijackThis v1.97.7
    Scan saved at 15:03:30, on 03/05/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
    C:\PROGRA~1\NavNT\vptray.exe
    C:\PROGRA~1\PESTPA~1\PPControl.exe
    C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    C:\WINNT\system32\internat.exe
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\MRU-Blaster\scheduler.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
    C:\Documents and Settings\(my name)\Bureau\VDL\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.int-evry.fr/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.int-evry.fr/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
    N1 - Netscape 4: user_pref("browser.startup.homepage", "www.int-evry.fr"); (C:\Program Files\Netscape\Users\default\prefs.js)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
    O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKLM\..\RunOnce: [MRUBlaster] C:\Program Files\MRU-Blaster\indexcleaner.exe -CC
    O4 - Startup: MRU-Blaster Scheduler.lnk = C:\Program Files\MRU-Blaster\scheduler.exe
    O4 - Startup: MRU-Blaster Silent Clean.lnk = C:\Program Files\MRU-Blaster\mrublaster.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Démarrage d'Office.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: Microsoft Recherche accélérée.lnk = C:\Program Files\Microsoft Office\Office\Findfast.exe
    O4 - Global Startup: MS Office - Démarrage accéléré.lnk = C:\MSOffice\Office\FASTBOOT.EXE
    O12 - Plugin for .int/comm/eurostat/Public/datashop/print-product/EN?catalogue=Eurostat&product=KS-NP-02-012-__-N-EN&mode=download: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O12 - Plugin for .mid: C:\PROGRA~1\Netscape\COMMUN~1\Program\PLUGINS\npaudio.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {638AF6A2-81A1-4655-9FFA-9FC09CDE22CF} (CScanner Object) - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {768D513A-C75B-4FAA-8452-E906CDAB6545} (FVLiteLoad Class) - http://flipviewer.com/exe//fvlite/fvliteY.cab
    O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.euro.dell.com/global/apps/systemprofiler/PROFILER.CAB
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37830.2910532407
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = int-evry.fr
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = int-evry.fr
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = int-evry.fr
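    The thread compares several HijackThis logs by eye to see what the hijacker re-creates after each cleaning. The following Python script, added here as an example and not part of the thread or of HijackThis itself, parses two logs in the format posted above and reports which R0/O2/O4/O16 entries appeared or disappeared between scans; the two sample logs are constructed, and the CLSID on the HLPBODC.DLL line is a placeholder.

```python
import re
from typing import Dict, List, Set, Tuple

# Matches one HijackThis item line: a section tag (R0, O2, O4, O16, ...) and the rest.
# Header lines ("Logfile of...", "Platform:") and the process list do not match.
HJT_LINE = re.compile(r"^\s*([RFNO]\d+)\s+-\s+(.*\S)\s*$")

# Constructed sample scans modelled on the log format in this thread (not real captures).
SCAN_BEFORE = r"""
Logfile of HijackThis v1.97.7
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.int-evry.fr/
"""
SCAN_AFTER = r"""
Logfile of HijackThis v1.97.7
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {CLSID-PLACEHOLDER} - C:\WINNT\System32\HLPBODC.DLL
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
"""


def parse_hjt(text: str) -> Set[Tuple[str, str]]:
    """Return the set of (section, entry) pairs found in a HijackThis log."""
    entries: Set[Tuple[str, str]] = set()
    for line in text.splitlines():
        m = HJT_LINE.match(line)
        if m:
            entries.add((m.group(1), m.group(2)))
    return entries


def diff_hjt(before: str, after: str) -> Dict[str, List[Tuple[str, str]]]:
    """Compare two scans; 'added' is what a returning hijacker re-created,
    'removed' is what the cleaning tools took out. Sorted by section so the
    O2 (BHO) and O4 (autostart) entries read together."""
    old, new = parse_hjt(before), parse_hjt(after)
    return {"added": sorted(new - old), "removed": sorted(old - new)}


if __name__ == "__main__":
    for kind, items in diff_hjt(SCAN_BEFORE, SCAN_AFTER).items():
        print(kind.upper())
        for section, entry in items:
            print(f"  {section} - {entry}")
```

    Running it on a log saved before cleaning and one saved when the hijacker returns narrows the "what came back" question to the exact entries, which is what the moderators above are asking for.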
     