
Help Removing Trojan-clicker-delft


as requested I created a new topic about help removing Trojan-Clicker-Delft

I tried to upload the files as you mentioned

but it doesn't let me

"Upload failed. You are not permitted to upload this type of file"

I will send them to your mail

I downloaded the BDAspy but launched it too fast and closed it

Now it doesn't allow me another scan!

Comments

  • Hi rdupuis,

    The reason you could not upload the files is that you did not zip/archive them password protected. I suppose you didn't get a clear instruction on how to do that. I am not sure if kyron has already got the files from others. If you still want to send the sample you may read more on this here: http://forum.bitdefender.com/index.php?showtopic=84

    Since you have waited too long, let's start the removal.

    • Download ComboFix.exe using either of these links:

      bleepingcomputer

      Geekstogo

    • Close any open browsers.
    • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. After ComboFix is finished, turn on/enable your anti-virus again.
    • Double click on combofix.exe to run the programme & then follow the prompts.

      When finished, it will produce a report for you. Please post the content of this log ("C:\ComboFix.txt") along with a new HijackThis log into your next post.

    • ComboFix may need to reboot to finish its work. Let it.

    Note:

    * Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    * ComboFix should never take more than 20 minutes if malware is detected. If it does, open Task Manager (press Ctrl+Alt+Del), select and end any processes of findstr.exe, find.exe, sed.exe or swreg.exe, then ComboFix should continue.


  • here are the files from ComboFix and HijackThis

    PS I pasted the HijackThis text file here because I cannot upload it... (promise I'll check how to upload properly later!)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 15:44, on 2008-01-24
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Fichiers communs\Symantec Shared\ccProxy.exe
    C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\a-squared Free\a2service.exe
    C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
    C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
    C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
    c:\APPS\HIDSERVICE\HIDSERVICE.exe
    C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Fichiers communs\Softwin\BitDefender Communicator\xcommsvr.exe
    C:\Program Files\Fichiers communs\Softwin\BitDefender Scan Server\bdss.exe
    c:\APPS\Powercinema\Kernel\TV\CLSched.exe
    C:\Program Files\Fichiers communs\Softwin\BitDefender Update Service\livesrv.exe
    C:\Program Files\Softwin\BitDefender10\vsserv.exe
    C:\WINDOWS\system32\drivers\RMC.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    C:\Apps\Powercinema\PCMService.exe
    C:\Program Files\Fichiers communs\Symantec Shared\Security Center\UsrPrmpt.exe
    C:\Program Files\Softwin\BitDefender10\bdmcon.exe
    C:\Program Files\Softwin\BitDefender10\bdagent.exe
    C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Hewlett-Packard\hp deskjet 9600 series\Toolbox\HPWITBX.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {32175A08-7A43-4E28-810E-D2128E0E5072} - c:\windows\system32\dsauthw.dll
    O2 - BHO: PBBEFRV2 - {4E7BD74F-2B8D-469E-A0E8-ED6AB197B82D} - C:\WINDOWS\system32\pbbefrv2.dll
    O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Fichiers communs\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Fichiers communs\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: PBBEFRV2 - {4E7BD74F-2B8D-469E-A0E8-ED6AB197B82D} - C:\WINDOWS\system32\pbbefrv2.dll
    O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [RMC] C:\WINDOWS\system32\drivers\RMC.exe
    O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [Raccourci vers la page des propriétés de High Definition Audio] HDAShCut.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    O4 - HKLM\..\Run: [PCMService] "c:\Apps\Powercinema\PCMService.exe"
    O4 - HKLM\..\Run: [ccApp] -
    O4 - HKLM\..\Run: [iS CfgWiz] C:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT"
    O4 - HKLM\..\Run: [sSC_UserPrompt] C:\Program Files\Fichiers communs\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [bDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
    O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
    O4 - HKLM\..\Run: [speedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [HPWITOOLBOX] C:\Program Files\Hewlett-Packard\hp deskjet 9600 series\Toolbox\HPWITBX.exe "-i"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: Outil de détection de support de Cyber-shot Viewer.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
    O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\befr.htm
    O20 - Winlogon Notify: ezulsfij - C:\WINDOWS\SYSTEM32\dsauthw.dll
    O20 - Winlogon Notify: tt - C:\WINDOWS\
    O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Fichiers communs\Softwin\BitDefender Scan Server\bdss.exe
    O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
    O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
    O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
    O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
    O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe
    O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Fichiers communs\Softwin\BitDefender Update Service\livesrv.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Fichiers communs\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Service Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
    O23 - Service: BitDefender Communicator (XCOMM) - Softwin - C:\Program Files\Fichiers communs\Softwin\BitDefender Communicator\xcommsvr.exe

    --
    End of file - 10578 bytes

    (attachment: ComboFix.txt)
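As an added example (my code, not anything posted in this thread and not HijackThis's own logic), here is a small Python triage of the HijackThis log format pasted above: it parses the O2/O3/O4/O20 lines and flags what a helper reads for in such a log, namely a BHO with no display name, browser-extension DLLs sitting directly in system32, a Winlogon Notify entry that names a directory instead of a DLL, and one DLL registered under two load points (dsauthw.dll above). The sample lines are constructed from the log above and the flagging rules are my own assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample in the shape of the HijackThis v2.0.2 log pasted above
# (paths and CLSIDs as they appear in the thread's log).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {32175A08-7A43-4E28-810E-D2128E0E5072} - c:\windows\system32\dsauthw.dll
O2 - BHO: PBBEFRV2 - {4E7BD74F-2B8D-469E-A0E8-ED6AB197B82D} - C:\WINDOWS\system32\pbbefrv2.dll
O3 - Toolbar: PBBEFRV2 - {4E7BD74F-2B8D-469E-A0E8-ED6AB197B82D} - C:\WINDOWS\system32\pbbefrv2.dll
O20 - Winlogon Notify: ezulsfij - C:\WINDOWS\SYSTEM32\dsauthw.dll
O20 - Winlogon Notify: tt - C:\WINDOWS\
O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [ccApp] -
"""

@dataclass
class Entry:
    kind: str   # HijackThis section code, e.g. "O2", "O20"
    name: str   # display name as printed, e.g. "(no name)"
    path: str   # file or command named on the line

@dataclass
class Finding:
    severity: str   # "high" or "info"
    reason: str
    entry: Entry

LINE = re.compile(r"^(?P<kind>[RO]\d{1,2}) - (?P<body>.*)$")
# Display names may themselves contain " - ", so the CLSID or the "[name]"
# token anchors the split instead of a plain split on the separator.
BODY = {
    "O2": re.compile(r"^BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]{36}\} - (?P<path>.*)$"),
    "O3": re.compile(r"^Toolbar: (?P<name>.*?) - \{[0-9A-Fa-f-]{36}\} - (?P<path>.*)$"),
    "O4": re.compile(r"^.*\\Run: \[(?P<name>[^\]]*)\] (?P<path>.*)$"),
    "O20": re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$"),
}
SYSTEM32_DLL = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+\.dll$", re.I)

def parse(log: str) -> list[Entry]:
    """Return the O2/O3/O4/O20 entries; every other line is ignored."""
    entries = []
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        pat = BODY.get(m.group("kind")) if m else None
        pm = pat.match(m.group("body")) if pat else None
        if pm:
            entries.append(Entry(m.group("kind"), pm["name"], pm["path"]))
    return entries

def dll_name(path: str) -> str:
    """Lower-cased file name at the end of a Windows path ("" for a directory)."""
    return path.strip('"').lower().rsplit("\\", 1)[-1]

def triage(entries: list[Entry]) -> list[Finding]:
    """Flagging rules are assumptions of mine, not HijackThis's own logic."""
    # Which load points reference the same DLL? In the log above dsauthw.dll
    # is both a BHO (O2) and a Winlogon Notify package (O20).
    hooks = defaultdict(set)
    for e in entries:
        if dll_name(e.path).endswith(".dll"):
            hooks[dll_name(e.path)].add(e.kind)
    out = []
    for e in entries:
        if e.kind == "O2" and e.name == "(no name)":
            out.append(Finding("high", "BHO registered without a display name", e))
        if e.kind in ("O2", "O3") and SYSTEM32_DLL.match(e.path):
            out.append(Finding("high", "browser extension DLL sitting directly in system32", e))
        if e.kind == "O20":
            kinds = hooks.get(dll_name(e.path), set())
            if not dll_name(e.path).endswith(".dll"):
                out.append(Finding("high", "Winlogon Notify entry names a directory, not a DLL", e))
            elif len(kinds) > 1:
                out.append(Finding("high", f"same DLL hooked via {sorted(kinds)}", e))
        if e.kind == "O4" and e.path.strip() == "-":
            out.append(Finding("info", "Run entry with empty command (disabled/removed)", e))
    return out

if __name__ == "__main__":
    for f in triage(parse(SAMPLE_LOG)):
        print(f"[{f.severity}] {f.entry.kind} {f.entry.name!r}: {f.reason} -> {f.entry.path}")
```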

  • Thanks for attaching the BDAsys log. With that you don't need to attach anything anymore on this topic. The attachments are to be securely downloaded by the BD virus researchers and mods for the purpose of detection and removal tool development. The members (like me) can't download the attachments.

    So I am waiting for the content of the ComboFix log. Please copy and paste the content into your reply.

  • OK then

    thanks again for taking time on this

    Hope you get along with the French...

    but I guess the parts that mean something to you are in another language anyway (which I totally misunderstand)


    ComboFix 08-01-23.2 - violette 2008-01-24 15:33:27.1 - NTFSx86
    Microsoft Windows XP Édition familiale 5.1.2600.2.1252.1.1036.18.263 [GMT 1:00]
    Endroit: C:\Documents and Settings\violette\Local Settings\Temporary Internet Files\Content.IE5\6PKJOVS3\ComboFix[1].exe
    * Création d'un nouveau point de restauration
    .
    The following files were disabled during the run:
    C:\WINDOWS\system32\sockspy.dll

    (((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
    .
    C:\WINDOWS\system32\dsauthw.dll . . . . Echec de suppression
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    -------\LEGACY_LZCHKVCD
    -------\lzchkvcd

    ((((((((((((((((((((((((((((( Fichiers créés 2007-12-24 to 2008-01-24 ))))))))))))))))))))))))))))))))))))
    .
    2008-01-24 15:31 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
    2008-01-21 12:14 . 2008-01-21 12:14 <REP> d-------- C:\Program Files\Trend Micro
    2008-01-21 11:07 . 2008-01-21 11:07 <REP> d-------- C:\Program Files\Dynamic Toolbar
    2008-01-19 18:00 . 2008-01-19 19:13 <REP> d-------- C:\Program Files\a-squared Free
    2008-01-17 11:29 . 2007-08-13 18:54 33,792 --a------ C:\WINDOWS\system32\dllcache\custsat.dll
    2008-01-11 22:59 . 2008-01-12 00:41 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2008-01-11 22:59 . 2008-01-11 22:59 1,409 --a------ C:\WINDOWS\QTFont.for
    .
    (((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-01-24 14:37 81,984 ----a-w C:\WINDOWS\system32\bdod.bin
    2008-01-24 14:36 84,992 ----a-w C:\WINDOWS\system32\dsauthw.dll
    2008-01-22 10:13 19,584 ----a-w C:\WINDOWS\system32\drivers\ppiobrpi.dat
    2007-11-12 14:01 246,545 ----a-w C:\WINDOWS\system32\libssl32.dll
    2007-11-12 14:01 1,188,375 ----a-w C:\WINDOWS\system32\libeay32.dll
    2007-11-07 09:28 728,576 ----a-w C:\WINDOWS\system32\lsasrv.dll
    2007-11-07 09:28 728,576 ------w C:\WINDOWS\system32\dllcache\lsasrv.dll
    2007-10-31 03:53 3,590,656 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
    2007-10-30 17:20 360,064 ------w C:\WINDOWS\system32\dllcache\tcpip.sys
    2007-10-29 22:43 1,293,824 ----a-w C:\WINDOWS\system32\quartz.dll
    2007-10-29 22:43 1,293,824 ------w C:\WINDOWS\system32\dllcache\quartz.dll
    2007-10-25 16:43 8,516,608 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
    2007-10-25 09:01 2,109,440 ------w C:\WINDOWS\system32\dllcache\wmvcore.dll
    2007-10-25 09:00 230,912 ----a-w C:\WINDOWS\system32\wmasf.dll
    2007-10-25 09:00 230,912 ------w C:\WINDOWS\system32\dllcache\wmasf.dll
    .
    ((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    REGEDIT4
    *Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{32175A08-7A43-4E28-810E-D2128E0E5072}]
    2008-01-24 15:36 84992 --a------ c:\windows\system32\dsauthw.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4E7BD74F-2B8D-469E-A0E8-ED6AB197B82D}]
    2004-03-17 10:24 820736 --a------ C:\WINDOWS\system32\pbbefrv2.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}
    {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}
    {4E7BD74F-2B8D-469E-A0E8-ED6AB197B82D}
    [HKEY_CLASSES_ROOT\clsid\{4e7bd74f-2b8d-469e-a0e8-ed6ab197b82d}]
    [HKEY_CLASSES_ROOT\pbbefrv2.PBBEFRV2]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
    "{4E7BD74F-2B8D-469E-A0E8-ED6AB197B82D}"= C:\WINDOWS\system32\pbbefrv2.dll [2004-03-17 10:24 820736]
    [HKEY_CLASSES_ROOT\clsid\{4e7bd74f-2b8d-469e-a0e8-ed6ab197b82d}]
    [HKEY_CLASSES_ROOT\pbbefrv2.PBBEFRV2]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-05 13:00 15360]
    "updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-05 13:00 208952]
    "PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-05 13:00 455168]
    "PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-05 13:00 455168]
    "RMC"="C:\WINDOWS\system32\drivers\RMC.exe" [2005-03-28 16:55 24576]
    "SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-03-04 10:13 102490]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-03-04 10:12 708698]
    "Raccourci vers la page des propriétés de High Definition Audio"="HDAShCut.exe" [2005-01-07 16:07 61952 C:\WINDOWS\system32\HdAShCut.exe]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-22 20:05 339968]
    "SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe" [2004-06-03 21:05 32881]
    "PCMService"="c:\Apps\Powercinema\PCMService.exe" [2005-05-11 12:48 127118]
    "ccApp"="-" []
    "IS CfgWiz"="C:\Program Files\Norton Internet Security\cfgwiz.exe" [2004-09-21 10:35 132248]
    "SSC_UserPrompt"="C:\Program Files\Fichiers communs\Symantec Shared\Security Center\UsrPrmpt.exe" [2004-10-07 08:25 218240]
    "BDMCon"="C:\Program Files\Softwin\BitDefender10\bdmcon.exe" [2007-09-17 17:41 290816]
    "BDAgent"="C:\Program Files\Softwin\BitDefender10\bdagent.exe" [2007-09-17 17:40 69632]
    "SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 10:38 866816]
    "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 22:12 49152]
    "HPWITOOLBOX"="C:\Program Files\Hewlett-Packard\hp deskjet 9600 series\Toolbox\HPWITBX.exe" [2003-08-01 00:35 290816]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-05 13:00 15360]

    C:\Documents and Settings\violette\Menu Démarrer\Programmes\Démarrage\
    Outil de détection de support de Cyber-shot Viewer.lnk - C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-09-25 14:50:54 155648]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tt]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=sockspy.dll

    R0 ncekexre;ncekexre;C:\WINDOWS\system32\drivers\ppiobrpi.dat []
    R2 MTC0001_RMC;Remove Control Device;C:\WINDOWS\system32\drivers\RMC.sys [2005-04-22 14:24]
    R3 Slazldrv;SmartLink AMR_PCI Driver;C:\WINDOWS\system32\DRIVERS\SLDRV\slazldrv.sys [2005-01-05 01:48]
    R3 ULI5261;ULi Based Ethernet NT Driver;C:\WINDOWS\system32\DRIVERS\ULILAN.SYS [2004-12-31 14:24]
    .
    Contenu du dossier 'Scheduled Tasks/Tâches planifiées'
    "2008-01-23 20:00:00 C:\WINDOWS\Tasks\HDReg.job"
    - c:\Apps\HDReg\HDRegRem.exe
    "2007-09-15 10:32:37 C:\WINDOWS\Tasks\Rappel d'enregistrement 1.job"
    - C:\WINDOWS\system32\OOBE\oobebaln.exe
    "2007-09-15 10:32:37 C:\WINDOWS\Tasks\Rappel d'enregistrement 2.job"
    - C:\WINDOWS\system32\OOBE\oobebaln.exe
    "2007-09-15 10:32:37 C:\WINDOWS\Tasks\Rappel d'enregistrement 3.job"
    - C:\WINDOWS\system32\OOBE\oobebaln.exe
    "2007-09-15 09:21:04 C:\WINDOWS\Tasks\Symantec NetDetect.job"
    - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
    .
    **************************************************************************
    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-24 15:39:19
    Windows 5.1.2600 Service Pack 2 NTFS

    Balayage processus cachés ...
    Balayage caché autostart entries ...
    Balayage des fichiers cachés ...
    Scan terminé avec succès
    Les fichiers cachés: 0
    **************************************************************************
    .
    --------------------- DLLs a chargé sous des processus courants ---------------------
    PROCESS: C:\WINDOWS\system32\winlogon.exe
    -> C:\WINDOWS\system32\sockspy.dll
    PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
    -> C:\WINDOWS\system32\sockspy.dll
    PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
    -> C:\WINDOWS\system32\sockspy.dll
    .

  • Certainly French makes it not easier for me, but it will do. If you want to know if anything happened yet I should say 1 infection out of three is gone. You have already had a couple of things on your computer which were there undetected (by Norton? I see you have two AVs on your system, which is not a good idea) for quite some time. BitDefender could find it though. The last one which has hijacked your browser is recent and yet to be detected and named.

    I will prepare and post the next step tomorrow.

  • farbar
    edited January 2008

    Step 1.

    Remove old Java versions due to a serious security vulnerability:

    • Go to http://java.sun.com/javase/downloads/index.jsp
    • Download the latest version of JRE (Java Runtime Environment (JRE) 6 Update 4) but don't install it yet.
    • Go to Control Panel > Add/Remove Programs and uninstall/remove all the old versions of Java, or any item with Java (JRE or J2SE) in the name.

    Step 2.

    • Download SDFix and save it to your Desktop.
    • Double click SDFix.exe and it will extract the files to %systemdrive% (the drive that contains the Windows directory, typically C:\SDFix).

    Please then reboot your computer in Safe Mode by doing the following:

    • Restart your computer.
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account and log in. If a popup window appears, confirm that you want to enter Safe Mode.

    While in Safe Mode:

    • Open the extracted SDFix folder and double click RunThis.bat to start the ******.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan services and registry entries that it finds, then prompt you to press any key to reboot.
    • Press any key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process, then display Finished; press any key to end the ****** and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt (Report.txt will also be copied to the clipboard ready for posting back on the forum). Paste the contents of Report.txt back on the forum.

    Step 3.

    Install JRE.

    Step 4.

    Please make a fresh HijackThis log and paste it along with the SDFix log.

  • farbar
    edited January 2008

    Hi rdupuis,

    I notice you have run ComboFix from Internet temporary files. Please make sure you save SDFix to your Desktop this time. To do that, when you click the download link a window pops up asking you if you want to save or run the download. Click save and give the path to the Desktop, close the window after the download has finished, close Internet, and you see the downloaded file on your screen.

    I realize you do your best and this is all new to you and you are trying to translate English to French, which is your OS language. Let me know if doing step 2 is too much to ask from you. Then I will come with an easier one so that you don't need to go to Safe Mode.

    You may skip step 4; just the SDFix log is enough for now.

  • I am having a similar problem with this type of virus; mine is C:\WINDOWS\system32\dmserver.dll. I can't do anything because it keeps closing everything I click on!!!!!!! I can't even type 5 freaking words without it closing and it is really starting to ###### me off royally!!!!! I have tried the BDAspy stuff with no luck! Please help, I can email you the log but I cannot open and cut/paste the contents because my web browser won't stay open long enough for me to get the blasted thing open!!!! It's like my desktop keeps refreshing and closing my browser!!!!

  • farbar
    edited January 2008

    I am having a similar problem with this type of virus mine is C:\WINDOWS\system32\dmserver.dll ....

    I am sorry I can't assist you right now. I suggest you find a way to initiate your own topic. It catches the eye earlier than in the middle of somebody else's topic. The virus researchers may want to take a look at the dll and the mods and others may give you some advice.

  • Hi farbar

    Since our last contact I had to reinstall all Windows programs

    since the ComboFix blocked everything...

    I will be more careful now...

    Sorry not to answer earlier but with the time needed for installation and holidays in between...

  • Since our last contact I had to reinstall all Windows programs since the ComboFix blocked everything ....

    I had the feeling something had happened. Thank you for letting me know.

    So take care.