
Help with stubborn Trojan

Discussion in 'Virus & Other Malware Removal' started by charaaz, Feb 13, 2005.

Thread Status:
Not open for further replies.
  1. charaaz

    charaaz Thread Starter

    Joined:
    Feb 13, 2005
    Messages:
    3
    Hi,

    Got a Trojan for several days now that AVG identifies as: Trojan horse Dropper.Small.9.AQ
    Path is C:\SYSTEM\wowdbe.exe (filename is wowdbe.exe)
    Status: infected (not identified as embedded)

    Even though AVG tells me it quarantined it/deleted it, that bugger comes back every time.

    Done so far (and several times each day, for 3 days):
    -Ran AVG scans, Ad-Aware SE, Spybot S&D and SpySubtract (including CWShredder), both in normal mode and safe mode.
    -Disabled the automatic System Restore in Windows.
    -Ran HD searches for wowdbe.exe (never found)
    -Performed other online scans which don't find anything.

    After all that, the new scans I run with AVG or the spyware removal programs all come out clean, but then after a while the Resident Shield warns me it has found that same Trojan again (even though my computer is just "on" and I'm not doing anything on it).

    Here's my last HijackThis log:

    Logfile of HijackThis v1.99.0
    Scan saved at 15:11:35, on 02/13/2005
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\ZIPMAGIC\ZM32.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
    C:\COMPAQ\CPQINET\CPQINET.EXE
    C:\PROGRAM FILES\COMPAQ\DIGITAL DASHBOARD\DEVGULP.EXE
    C:\UTILITAIRES\RAM IDLE\RAMIDLE.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\GSICON.EXE
    C:\WINDOWS\SYSTEM\DSLAGENT.EXE
    C:\WINDOWS\SYSTEM\ICSMGR.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
    C:\PROGRAM FILES\FICHIERS COMMUNS\ADAPTEC SHARED\CREATECD\CREATECD50.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
    C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZAPRO.EXE
    C:\PROGRAM FILES\INTERMUTE\SPYSUBTRACT\SPYSUB.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\HJT\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://216.194.90.249/search.php
    R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://clearsurfing.net/srch.php?qq=%s
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.skynet.be/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Fichiers communs\Symantec Shared\AdBlocking\NISShExt.dll (file missing)
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll (file missing)
    O2 - BHO: Name - {D7BD30EF-BC71-4615-9052-7CD9252DDA51} - C:\WINDOWS\SYSTEM\MSMIC.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Fichiers communs\Symantec Shared\AdBlocking\NISShExt.dll (file missing)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll (file missing)
    O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\SYSTEM\IESP2.DLL
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
    O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
    O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe
    O4 - HKLM\..\Run: [Digital Dashboard] C:\Program Files\Compaq\Digital Dashboard\DevGulp.exe
    O4 - HKLM\..\Run: [RealTray] c:\sounds&more\Realplayer8\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [RAM Idle] C:\utilitaires\RAM Idle\RAMIdle.exe
    O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
    O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
    O4 - HKLM\..\Run: [ICSMGR] ICSMGR.EXE
    O4 - HKLM\..\Run: [ZipMagic] C:\Program Files\ZipMagic\zm32.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Fichiers communs\Adaptec Shared\CreateCD\CreateCD50.exe" -r
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
    O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL 1.0\outpost.exe /waitservice
    O4 - HKLM\..\Run: [Windows ControlAd] C:\PROGRAM FILES\WINDOWS CONTROLAD\WINCTLAD.EXE
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
    O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [RNBOStart] C:\WINDOWS\SYSTEM\RNBOSENT\SENTSTRT.EXE
    O4 - HKLM\..\RunServices: [ZipMagic] C:\Program Files\ZipMagic\zm32.exe
    O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\RunServices: [Outpost Firewall] C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL 1.0\outpost.exe /service
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - Startup: Rappels du Calendrier Microsoft Works.lnk = C:\Program Files\Fichiers communs\Microsoft Shared\Works Shared\wkcalrem.exe
    O4 - Startup: GetRight Monitor.lnk = C:\Program Files\GetRight\getright.exe
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
    O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
    O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O15 - Trusted Zone: *.dexia.be
    O15 - Trusted IP range: http://127.0.0.1
    O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://www.ubi.com/NR/Ubisoft/US/UBI_cab/GSManager.cab
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/adobe/MTSInstallers/MetaStream3.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/region/fr/techsupp/activedata/ActiveData.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {23B7A816-3647-49D2-9756-6F41CE8F9201} (ddm_download.ddm_control) - http://bins.dynamicdesktopmedia.com/cab/dlaccell.CAB
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
    O16 - DPF: Dexia netbanking - http://netbanking.dexia.be/PC//Dynamic/Shared/Applet//DexiaIIA.cab
    O16 - DPF: {D57521FC-5C2C-42D1-AFFF-C7F9261C0613} (VacPro.belgio_win98) - http://www9.advnt01.com/dialer/belgio_win98.CAB
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.188.180,195.225.176.31
     
  2. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,346
    First Name:
    Karen
    Hi and welcome to TSG,

    I will post back with instructions shortly.
     
  3. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,346
    First Name:
    Karen
    I see a lot of missing files for Norton A/V, so I assume that you uninstalled it and are now running AVG.

    Go to Control Panel - Add/Remove programs and remove:

    Windows ControlAd

    Rescan with Hijack This, close all browser windows except Hijack This, put a check mark beside these entries and click “fix checked”.

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://216.194.90.249/search.php

    R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://clearsurfing.net/srch.php?qq=%s

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens

    R3 - Default URLSearchHook is missing

    O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Fichiers communs\Symantec Shared\AdBlocking\NISShExt.dll (file missing)

    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll (file missing)

    O2 - BHO: Name - {D7BD30EF-BC71-4615-9052-7CD9252DDA51} - C:\WINDOWS\SYSTEM\MSMIC.DLL

    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Fichiers communs\Symantec Shared\AdBlocking\NISShExt.dll (file missing)

    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll (file missing)

    O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\SYSTEM\IESP2.DLL

    O4 - HKLM\..\Run: [Windows ControlAd] C:\PROGRAM FILES\WINDOWS CONTROLAD\WINCTLAD.EXE

    O4 - Startup: PowerReg Scheduler.exe

    If you didn't place this restriction intentionally, include this entry as well:
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    If you set these up intentionally then leave them:
    O15 - Trusted Zone: *.dexia.be
    O15 - Trusted IP range: http://127.0.0.1

    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/ad...MetaStream3.cab

    O16 - DPF: {23B7A816-3647-49D2-9756-6F41CE8F9201} (ddm_download.ddm_control) - http://bins.dynamicdesktopmedia.com/cab/dlaccell.CAB

    O16 - DPF: {D57521FC-5C2C-42D1-AFFF-C7F9261C0613} (VacPro.belgio_win98) - http://www9.advnt01.com/dialer/belgio_win98.CAB

    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.188.180,195.225.176.31


    Then boot to safe mode (see how below), locate and delete these files and/or folders:

    C:\PROGRAM FILES\WINDOWS CONTROLAD - folder

    How to restart to safe mode:
    http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam

    Because XP will not always show you hidden files and folders by default, go to Start - Search and, under "More advanced search options", make sure there is a check by "Search System Folders", "Search hidden files and folders" and "Search system subfolders".

    Next click on My Computer. Go to Tools - Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders"
    Click "Apply" then "OK"

    Reboot and post another Hijack This log please.
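    The fix list in the post above boils down to a handful of checks on the HijackThis log: IE search settings blanked to about:blank or pointed at a bare IP, a missing URLSearchHook, BHO/toolbar entries whose file is gone or whose CLSID is not recognised, an autostart for known adware, an ActiveX control pulled from a dialer URL, and an O17 entry that hard-codes the DNS servers (with that set, every lookup the machine makes goes to those two addresses, so it stays "high" until they are confirmed to be the ISP's). The script below is an added example, not code from this thread or from the HijackThis project; it applies those checks to lines copied from the first log above. The CLSID allowlist, the trusted-host list, the known-bad autostart names and the severity labels are assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample: lines copied from the first HijackThis log in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://216.194.90.249/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://clearsurfing.net/srch.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.skynet.be/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll (file missing)
O2 - BHO: Name - {D7BD30EF-BC71-4615-9052-7CD9252DDA51} - C:\WINDOWS\SYSTEM\MSMIC.DLL
O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\SYSTEM\IESP2.DLL
O4 - HKLM\..\Run: [Windows ControlAd] C:\PROGRAM FILES\WINDOWS CONTROLAD\WINCTLAD.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {D57521FC-5C2C-42D1-AFFF-C7F9261C0613} (VacPro.belgio_win98) - http://www9.advnt01.com/dialer/belgio_win98.CAB
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.188.180,195.225.176.31
"""

# Assumed allowlist: CLSIDs in the log that belong to known software
# (Adobe Reader helper, Spybot SDHelper, Windows Media "&Radio" toolbar).
KNOWN_GOOD_CLSIDS = {
    "{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}",
    "{53707962-6F74-2D53-2644-206D7942484F}",
    "{8E718888-423F-11D2-876E-00A0C9082467}",
}
# Assumed trusted publishers: hosts whose ActiveX controls the helper left in place.
TRUSTED_O16_HOSTS = ("symantec.com", "dexia.be", "ubi.com", "installengine.com")
# Autostart names the helper told the poster to remove.
KNOWN_BAD_RUN_NAMES = ("windows controlad", "powerreg scheduler")

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def _host(url):
    return urlparse(url).hostname or ""


def classify(line):
    """Return (severity, reason) for one HijackThis entry, or None if it looks benign."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    if kind in ("R0", "R1"):  # IE start/search settings
        value = body.split(" = ", 1)[1] if " = " in body else ""
        if value.lower() == "about:blank":
            return ("high", "IE search setting blanked; classic hijack residue")
        if value.startswith("http") and IPV4_RE.fullmatch(_host(value)):
            return ("high", "IE search URL points at a bare IP address")
        if "SearchURL" in body or "(Default)" in body:
            return ("review", "non-default IE search provider")
        return None
    if kind == "R3":  # URLSearchHook tampered with or removed
        return ("review", body)
    if kind in ("O2", "O3"):  # browser helper objects and toolbars
        if "(file missing)" in body:
            return ("low", "orphaned BHO/toolbar entry, file missing")
        clsid = CLSID_RE.search(body)
        if clsid and clsid.group(0).upper() in KNOWN_GOOD_CLSIDS:
            return None
        return ("review", "BHO/toolbar CLSID not on the allowlist")
    if kind == "O4":  # autostart entries
        if any(name in body.lower() for name in KNOWN_BAD_RUN_NAMES):
            return ("high", "autostart entry for known adware")
        return None
    if kind == "O16":  # downloaded ActiveX controls
        url = body.rsplit(" - ", 1)[-1]
        host = _host(url)
        if "dialer" in url.lower():
            return ("high", "ActiveX control fetched from a dialer URL")
        if not any(host == t or host.endswith("." + t) for t in TRUSTED_O16_HOSTS):
            return ("review", "ActiveX control from unlisted host " + host)
        return None
    if kind == "O17":  # hard-coded DNS servers: every lookup goes to these addresses
        return ("high", "DNS NameServer overridden; confirm the addresses are your ISP's")
    return None


def triage(log_text):
    """Run classify() over a whole log; returns findings, most severe first."""
    order = {"high": 0, "review": 1, "low": 2}
    findings = []
    for line in log_text.splitlines():
        verdict = classify(line)
        if verdict:
            findings.append({"severity": verdict[0], "reason": verdict[1], "line": line.strip()})
    return sorted(findings, key=lambda f: order[f["severity"]])


def severity_of(findings, needle):
    # Severity of the first finding whose line contains needle, else None.
    for f in findings:
        if needle in f["line"]:
            return f["severity"]
    return None


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['reason']}\n         {f['line']}")
```

    Run against the sample it reports ten findings and leaves the Start Page, the Adobe BHO, the AVG autostart and the Symantec scanner control alone. The allowlists are the weak point of any such script: a CLSID or host you have not seen before is only "review", never "clean", which is why the helper in the thread still read the whole log by hand.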
     
  4. charaaz

    charaaz Thread Starter

    Joined:
    Feb 13, 2005
    Messages:
    3
    Thanks a bunch for helping, I really appreciate it.

    Yes, I've uninstalled NAV at some point and now run AVG instead.

    Windows ControlAd didn't appear in the list of Add/Remove programs. I could find the Windows ControlAd folder in Program Files and deleted it though (in Safe mode).

    I've re-run my spyware removal programs to check; they came out clean (some suspicious cookies only), except for SpySubtract, which found a suspicious item in the Windows Registry:
    from Effective-i Inc: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1\
    and deleted it.

    new HJT log:

    Logfile of HijackThis v1.99.0
    Scan saved at 23:54:45, on 02/13/2005
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\ZIPMAGIC\ZM32.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
    C:\COMPAQ\CPQINET\CPQINET.EXE
    C:\PROGRAM FILES\COMPAQ\DIGITAL DASHBOARD\DEVGULP.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\UTILITAIRES\RAM IDLE\RAMIDLE.EXE
    C:\WINDOWS\SYSTEM\GSICON.EXE
    C:\WINDOWS\SYSTEM\DSLAGENT.EXE
    C:\WINDOWS\SYSTEM\ICSMGR.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
    C:\PROGRAM FILES\FICHIERS COMMUNS\ADAPTEC SHARED\CREATECD\CREATECD50.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
    C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZAPRO.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\INTERMUTE\SPYSUBTRACT\SPYSUB.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\HJT\HIJACKTHIS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.skynet.be/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
    O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
    O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe
    O4 - HKLM\..\Run: [Digital Dashboard] C:\Program Files\Compaq\Digital Dashboard\DevGulp.exe
    O4 - HKLM\..\Run: [RealTray] c:\sounds&more\Realplayer8\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [RAM Idle] C:\utilitaires\RAM Idle\RAMIdle.exe
    O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
    O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
    O4 - HKLM\..\Run: [ICSMGR] ICSMGR.EXE
    O4 - HKLM\..\Run: [ZipMagic] C:\Program Files\ZipMagic\zm32.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Fichiers communs\Adaptec Shared\CreateCD\CreateCD50.exe" -r
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
    O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL 1.0\outpost.exe /waitservice
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
    O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [RNBOStart] C:\WINDOWS\SYSTEM\RNBOSENT\SENTSTRT.EXE
    O4 - HKLM\..\RunServices: [ZipMagic] C:\Program Files\ZipMagic\zm32.exe
    O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\RunServices: [Outpost Firewall] C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL 1.0\outpost.exe /service
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - Startup: Rappels du Calendrier Microsoft Works.lnk = C:\Program Files\Fichiers communs\Microsoft Shared\Works Shared\wkcalrem.exe
    O4 - Startup: GetRight Monitor.lnk = C:\Program Files\GetRight\getright.exe
    O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
    O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
    O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O15 - Trusted Zone: *.dexia.be
    O15 - Trusted IP range: http://127.0.0.1
    O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://www.ubi.com/NR/Ubisoft/US/UBI_cab/GSManager.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/region/fr/techsupp/activedata/ActiveData.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
    O16 - DPF: Dexia netbanking - http://netbanking.dexia.be/PC//Dynamic/Shared/Applet//DexiaIIA.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
     
  5. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,346
    First Name:
    Karen
    It looks like you're running two firewalls, which isn't a good idea. You should pick one and get rid of the other.

    Everything else looks good in the log.

    Is everything all right now? (I live in Quebec) ;)
     
  6. charaaz

    charaaz Thread Starter

    Joined:
    Feb 13, 2005
    Messages:
    3
    Uh, two firewalls? No, I'm only running ZoneAlarm :confused:
    I had the Norton firewall at some point, but when my license expired I didn't renew it and uninstalled it. After that, I tried Outpost Firewall, but it was causing conflicts/problems for my LAN, so I also uninstalled it... is something telling you they didn't uninstall properly?

    Otherwise, everything seems OK now :) But I'm wary: yesterday everything seemed OK too, and then the Resident Shield detected the Trojan again a few hours later.
    I'll post again in this thread if it ever happens again. A super giga thanks for your help (y) (I'm a French-speaking Belgian ;) )
     
  7. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,346
    First Name:
    Karen
    OK, this entry indicates Outpost firewall is still there so you can fix it with Hijack This:

    O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL 1.0\outpost.exe /waitservice

    Then locate and remove the folder:

    C:\PROGRAM FILES\AGNITUM


    Now you should turn system restore off to flush out all previous restore points and then turn it back on and create a new restore point:

    http://service1.symantec.com/SUPPOR...2001012513122239?OpenDocument&src=sec_doc_nam

    I also recommend downloading SPYWAREBLASTER & SPYWAREGUARD, for added protection.

    http://www.javacoolsoftware.com/spywareblaster.html

    Read here to see how to tighten your security:

    http://forums.techguy.org/t208517.html

    I knew it ;)

    Good luck!
     
Short URL to this thread: https://techguy.org/330024