tibs3 again

Discussion in 'malware problems & news' started by PATRICE PRIVAT, Dec 8, 2004.

Thread Status:
Not open for further replies.
  1. PATRICE PRIVAT

    PATRICE PRIVAT Registered Member

    Joined:
    Dec 8, 2004
    Posts:
    1
    Hi

    I have read some posts about how to delete the _t.exe trojan horse but none of the solutions mentionned seems to work for me.
    I have AVG 6 updated,Highjack and AD aware : AD aware detects the 2 guilty files and says they are deleted permanently but if I do a research on c:/ they are always here in windows/system32
    even if I eventually manage to put them in the dustbin (which they are prone to refuse adamantly), they'll come back at each web connection after 2 to 8 minutes.
    Here's what Highjack says, please can you help in some ways ?
    I'm on XP and broadband connection;
    thanks
    Logfile of HijackThis v1.98.2
    Scan saved at 16:55:21, on 08/12/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\system32\HPConfig.exe
    C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\carpserv.exe
    C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\windows\system\hpsysdrv.exe
    C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Fichiers communs\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\PROGRA~1\Wanadoo\CnxMon.exe
    C:\WINDOWS\svchost.exe
    C:\Program Files\Microsoft Money\System\mnyexpr.exe
    C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
    C:\Program Files\FotoStation Easy\FotoStation Easy AutoLaunch.exe
    C:\Program Files\Nikon\NkView5\NkvMon.exe
    C:\PROGRA~1\Wanadoo\EspaceWanadoo.exe
    C:\PROGRA~1\Wanadoo\ComComp.exe
    C:\PROGRA~1\Wanadoo\Watch.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\t.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Propriétaire\Bureau\hijackthis1982.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wanadoo.fr/go/page_recherche/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.makemesearch.com/?said=204
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.makemesearch.com/?said=204
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Wanadoo
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
    R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\Wanadoo\SEARCH~1.DLL
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Tubby - {9EAC0102-5E61-2312-BC2D-4D54434D5443} - C:\WINDOWS\System32\MTC.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: Search Toolbar - {9EAC0102-5E61-2312-BC2D-4D54434D5443} - C:\WINDOWS\System32\MTC.dll
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Desktop Zoom] C:\Program Files\HPQ\Desktop Zoom\hpwinadj.exe -s
    O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
    O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
    O4 - HKLM\..\Run: [TV Now] C:\Program Files\HPQ\Notebook Utilities\TvNow.exe /RK
    O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
    O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe
    O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Fichiers communs\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\Wanadoo\CnxMon.exe
    O4 - HKLM\..\Run: [Setup experation] C:\WINDOWS\svchost.exe
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
    O4 - Global Startup: FotoStation Easy AutoLaunch.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView5\NkvMon.exe
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O9 - Extra button: Wanadoo - {1462651F-F4BA-4C76-A001-C4284D0FE16E} - http://www.wanadoo.fr (file missing) (HKCU)
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F08AC368-BE3C-43F1-9652-2D83DE9DFAD3}: NameServer = 80.10.246.130 80.10.246.3
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,140
    Location:
    New England
    I'm sorry, but I'm afraid we have discontinued the general HijackThis log analysis service here at Wilders. See this announcement for a list of other sites that still perform this function (the image link to A-SAP.ORG):

    https://www.wilderssecurity.com/showthread.php?t=42148

    I'm afraid you'll need to go to one of those sites to get a log review done.
     
Loading...
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.