please help - hijacked by http://v73.us

  1. 19-02-2005  #1
    Frédéric
    Frédéric is offline Newbie

    please help - hijacked by http://v73.us

    Hello,

    I am writing from Belgium. A few days ago, I caught this spyware somewhere on the web and I desperately trw to get rid of it. None of my softwares can help (spybot, spyware doctor, ad-aware). I would really appreciate your advice as I have seen that you already helped some persons to solve the same problem. Here is my log file. Some lines are in French. If this is a problem, please advise.

    Thank you very much

    Frédéric


    Logfile of HijackThis v1.99.0
    Scan saved at 9:33:43, on 19/02/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe
    C:\Norman\NVC\BIN\Zanda.exe
    C:\WINDOWS\system32\slserv.exe
    C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
    C:\NORMAN\Nvc\BIN\nvcoas.exe
    C:\NORMAN\Nvc\BIN\NJEEVES.EXE
    C:\NORMAN\Nvc\BIN\nipsvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Fichiers communs\Microsoft Shared\Works Shared\WkUFind.exe
    C:\NORMAN\Nvc\BIN\ZLH.EXE
    C:\WINDOWS\System32\spools.exe
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    C:\NORMAN\Nvc\BIN\NYMSE.EXE
    C:\NORMAN\Nvc\BIN\NIP.EXE
    C:\NORMAN\Nvc\BIN\cclaw.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\spools.exe
    C:\Documents and Settings\Fred\Local Settings\Temp\Répertoire temporaire 1 pour hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://v73.us/search.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer,Start Page = http://v73.us
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://v73.us/search.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://v73.us
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://v73.us/search.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://v73.us/search.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://v73.us/search.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v73.us
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://v73.us/search.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://v73.us
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://v73.us/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://v73.us/search.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://v73.us/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://v73.us
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://v73.us/search.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://v73.us/search.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://v73.us/search.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://v73.us/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://v73.us/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://v73.us
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = http://v73.us
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://v73.us
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = localhost
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\tmpfile2.exe
    O1 - Hosts: 65.125.226.82 www.lycos.com
    O1 - Hosts: 65.125.226.82 www.altavista.com
    O1 - Hosts: 65.125.226.82 www.cnn.com
    O1 - Hosts: 65.125.226.82 www.infospace.com
    O1 - Hosts: 65.125.226.82 www.mail.com
    O1 - Hosts: 65.125.226.82 www.hotmail.com
    O1 - Hosts: 65.125.226.82 www.yahoo.com
    O1 - Hosts: 65.125.226.82 www.gg.com
    O1 - Hosts: 65.125.226.82 www.gmail.com
    O1 - Hosts: 65.125.226.82 www.google.com
    O1 - Hosts: 65.125.226.82 www.icq.com
    O1 - Hosts: 65.125.226.82 www.norton.com
    O1 - Hosts: 65.125.226.82 www.microsoft.com
    O1 - Hosts: 65.125.226.82 www.msn.com
    O1 - Hosts: 65.125.226.85 www.thehun.com
    O1 - Hosts: 65.125.226.85 www.thehun.net
    O1 - Hosts: 65.125.226.85 www.worldsex.com
    O1 - Hosts: 65.125.226.85 www.al4a.com
    O1 - Hosts: 65.125.226.85 www.book-mark.net
    O1 - Hosts: 65.125.226.85 www.easypic.com
    O1 - Hosts: 65.125.226.85 www.call-kelly.com
    O1 - Hosts: 65.125.226.85 www.sleazydream.com
    O1 - Hosts: 65.125.226.85 www.amplandmovies.com
    O1 - Hosts: 65.125.226.85 www.mature-post.com
    O1 - Hosts: 65.125.226.82 lycos.com
    O1 - Hosts: 65.125.226.82 altavista.com
    O1 - Hosts: 65.125.226.82 cnn.com
    O1 - Hosts: 65.125.226.82 infospace.com
    O1 - Hosts: 65.125.226.82 mail.com
    O1 - Hosts: 65.125.226.82 hotmail.com
    O1 - Hosts: 65.125.226.82 yahoo.com
    O1 - Hosts: 65.125.226.82 gg.com
    O1 - Hosts: 65.125.226.82 gmail.com
    O1 - Hosts: 65.125.226.82 google.com
    O1 - Hosts: 65.125.226.82 icq.com
    O1 - Hosts: 65.125.226.82 norton.com
    O1 - Hosts: 65.125.226.82 microsoft.com
    O1 - Hosts: 65.125.226.82 msn.com
    O1 - Hosts: 65.125.226.85 thehun.com
    O1 - Hosts: 65.125.226.85 thehun.net
    O1 - Hosts: 65.125.226.85 worldsex.com
    O1 - Hosts: 65.125.226.85 al4a.com
    O1 - Hosts: 65.125.226.85 book-mark.net
    O1 - Hosts: 65.125.226.85 easypic.com
    O1 - Hosts: 65.125.226.85 call-kelly.com
    O1 - Hosts: 65.125.226.85 sleazydream.com
    O1 - Hosts: 65.125.226.85 amplandmovies.com
    O1 - Hosts: 65.125.226.85 mature-post.com
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Fichiers communs\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [Norman ZANDA] C:\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
    O4 - HKLM\..\Run: [Spoolsv32] spools.exe
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O21 - SSODL: eplrr9 - {DB5E343B-BAA0-4FF2-805A-545E12558625} - C:\WINDOWS\System32\mspdnx.dll
    O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: Service d'administration du Gestionnaire de disque logique - Unknown - C:\WINDOWS\System32\dmadmin.exe
    O23 - Service: Journal des événements - Unknown - C:\WINDOWS\system32\services.exe
    O23 - Service: Fax - Unknown - C:\WINDOWS\system32\fxssvc.exe
    O23 - Service: Service COM de gravage de CD IMAPI - Unknown - C:\WINDOWS\System32\imapi.exe
    O23 - Service: Partage de Bureau à distance NetMeeting - Unknown - C:\WINDOWS\System32\mnmsrvc.exe
    O23 - Service: DDE réseau - Unknown - C:\WINDOWS\system32\netdde.exe
    O23 - Service: DSDM DDE réseau - Unknown - C:\WINDOWS\system32\netdde.exe
    O23 - Service: Norman API-hooking helper - Unknown - C:\NORMAN\Nvc\BIN\nipsvc.exe
    O23 - Service: Norman NJeeves - Unknown - C:\NORMAN\Nvc\BIN\NJEEVES.EXE
    O23 - Service: Norman ZANDA - Unknown - C:\Norman\NVC\BIN\Zanda.exe
    O23 - Service: Norman Virus Control on-access component - Norman ASA - C:\NORMAN\Nvc\BIN\nvcoas.exe
    O23 - Service: Norman Virus Control Scheduler - Norman Data Defense Systems - C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
    O23 - Service: Plug-and-Play - Unknown - C:\WINDOWS\system32\services.exe
    O23 - Service: Gestionnaire de session d'aide sur le Bureau à distance - Unknown - C:\WINDOWS\system32\sessmgr.exe
    O23 - Service: Prise en charge des cartes à puces - Unknown - C:\WINDOWS\System32\SCardSvr.exe
    O23 - Service: Carte à puce - Unknown - C:\WINDOWS\System32\SCardSvr.exe
    O23 - Service: SmartLinkService - Unknown - slserv.exe (file missing)
    O23 - Service: Journaux et alertes de performance - Unknown - C:\WINDOWS\system32\smlogsvc.exe
    O23 - Service: Cliché instantané de volume - Unknown - C:\WINDOWS\System32\vssvc.exe
    O23 - Service: Carte de performance WMI - Unknown - C:\WINDOWS\System32\wbem\wmiapsrv.exe
  2. 19-02-2005  #2
    owen
    owen is offline D-A-L Team Member (UK)
    Close all browser windows, restart Hijack This and put a checkmark next to the following entries:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://v73.us/search.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer,Start Page = http://v73.us
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://v73.us/search.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://v73.us
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://v73.us/search.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://v73.us/search.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://v73.us/search.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v73.us
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://v73.us/search.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://v73.us
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://v73.us/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://v73.us/search.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://v73.us/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://v73.us
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://v73.us/search.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://v73.us/search.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://v73.us/search.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://v73.us/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://v73.us/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://v73.us
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = http://v73.us
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://v73.us
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\tmpfile2.exe
    O1 - Hosts: 65.125.226.82 www.lycos.com
    O1 - Hosts: 65.125.226.82 www.altavista.com
    O1 - Hosts: 65.125.226.82 www.cnn.com
    O1 - Hosts: 65.125.226.82 www.infospace.com
    O1 - Hosts: 65.125.226.82 www.mail.com
    O1 - Hosts: 65.125.226.82 www.hotmail.com
    O1 - Hosts: 65.125.226.82 www.yahoo.com
    O1 - Hosts: 65.125.226.82 www.gg.com
    O1 - Hosts: 65.125.226.82 www.gmail.com
    O1 - Hosts: 65.125.226.82 www.google.com
    O1 - Hosts: 65.125.226.82 www.icq.com
    O1 - Hosts: 65.125.226.82 www.norton.com
    O1 - Hosts: 65.125.226.82 www.microsoft.com
    O1 - Hosts: 65.125.226.82 www.msn.com
    O1 - Hosts: 65.125.226.85 www.thehun.com
    O1 - Hosts: 65.125.226.85 www.thehun.net
    O1 - Hosts: 65.125.226.85 www.worldsex.com
    O1 - Hosts: 65.125.226.85 www.al4a.com
    O1 - Hosts: 65.125.226.85 www.book-mark.net
    O1 - Hosts: 65.125.226.85 www.easypic.com
    O1 - Hosts: 65.125.226.85 www.call-kelly.com
    O1 - Hosts: 65.125.226.85 www.sleazydream.com
    O1 - Hosts: 65.125.226.85 www.amplandmovies.com
    O1 - Hosts: 65.125.226.85 www.mature-post.com
    O1 - Hosts: 65.125.226.82 lycos.com
    O1 - Hosts: 65.125.226.82 altavista.com
    O1 - Hosts: 65.125.226.82 cnn.com
    O1 - Hosts: 65.125.226.82 infospace.com
    O1 - Hosts: 65.125.226.82 mail.com
    O1 - Hosts: 65.125.226.82 hotmail.com
    O1 - Hosts: 65.125.226.82 yahoo.com
    O1 - Hosts: 65.125.226.82 gg.com
    O1 - Hosts: 65.125.226.82 gmail.com
    O1 - Hosts: 65.125.226.82 google.com
    O1 - Hosts: 65.125.226.82 icq.com
    O1 - Hosts: 65.125.226.82 norton.com
    O1 - Hosts: 65.125.226.82 microsoft.com
    O1 - Hosts: 65.125.226.82 msn.com
    O1 - Hosts: 65.125.226.85 thehun.com
    O1 - Hosts: 65.125.226.85 thehun.net
    O1 - Hosts: 65.125.226.85 worldsex.com
    O1 - Hosts: 65.125.226.85 al4a.com
    O1 - Hosts: 65.125.226.85 book-mark.net
    O1 - Hosts: 65.125.226.85 easypic.com
    O1 - Hosts: 65.125.226.85 call-kelly.com
    O1 - Hosts: 65.125.226.85 sleazydream.com
    O1 - Hosts: 65.125.226.85 amplandmovies.com
    O1 - Hosts: 65.125.226.85 mature-post.com
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O4 - HKLM\..\Run: [Spoolsv32] spools.exe
    O23 - Service: SmartLinkService - Unknown - slserv.exe (file missing)

    Click Fix Checked

    Then boot into Safe Mode and ensure that you are showing Hidden Files and Folders.

    Delete the following files and folders:
    C:\WINDOWS\System32\spools.exe
    C:\WINDOWS\System32\tmpfile2.exe

    Reboot and post a fresh log
  3. 20-02-2005  #3
    Frédéric
    Frédéric is offline Newbie
    Dear Owen,

    here is the new logfile.

    Thank you
    Frédéric

    Logfile of HijackThis v1.99.0
    Scan saved at 11:49:11, on 20/02/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\Documents and Settings\Fred\Local Settings\Temp\Répertoire temporaire 2 pour hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://v73.us
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://v73.us
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://v73.us
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v73.us
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://v73.us
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://v73.us/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://v73.us/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://v73.us
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://v73.us/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://v73.us/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://v73.us
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = http://v73.us
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://v73.us
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = localhost
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Fichiers communs\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [Norman ZANDA] C:\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
    O4 - HKLM\..\Run: [Spoolsv32] spools.exe
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O21 - SSODL: eplrr9 - {13D458C8-635B-4FD8-B149-9D357BDAB99D} - C:\WINDOWS\System32\mspdnx.dll
    O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: Service d'administration du Gestionnaire de disque logique - Unknown - C:\WINDOWS\System32\dmadmin.exe
    O23 - Service: Journal des événements - Unknown - C:\WINDOWS\system32\services.exe
    O23 - Service: Fax - Unknown - C:\WINDOWS\system32\fxssvc.exe
    O23 - Service: Service COM de gravage de CD IMAPI - Unknown - C:\WINDOWS\System32\imapi.exe
    O23 - Service: Partage de Bureau à distance NetMeeting - Unknown - C:\WINDOWS\System32\mnmsrvc.exe
    O23 - Service: DDE réseau - Unknown - C:\WINDOWS\system32\netdde.exe
    O23 - Service: DSDM DDE réseau - Unknown - C:\WINDOWS\system32\netdde.exe
    O23 - Service: Norman API-hooking helper - Unknown - C:\NORMAN\Nvc\BIN\nipsvc.exe
    O23 - Service: Norman NJeeves - Unknown - C:\NORMAN\Nvc\BIN\NJEEVES.EXE
    O23 - Service: Norman ZANDA - Unknown - C:\Norman\NVC\BIN\Zanda.exe
    O23 - Service: Norman Virus Control on-access component - Norman ASA - C:\NORMAN\Nvc\BIN\nvcoas.exe
    O23 - Service: Norman Virus Control Scheduler - Norman Data Defense Systems - C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
    O23 - Service: Plug-and-Play - Unknown - C:\WINDOWS\system32\services.exe
    O23 - Service: Gestionnaire de session d'aide sur le Bureau à distance - Unknown - C:\WINDOWS\system32\sessmgr.exe
    O23 - Service: Prise en charge des cartes à puces - Unknown - C:\WINDOWS\System32\SCardSvr.exe
    O23 - Service: Carte à puce - Unknown - C:\WINDOWS\System32\SCardSvr.exe
    O23 - Service: Journaux et alertes de performance - Unknown - C:\WINDOWS\system32\smlogsvc.exe
    O23 - Service: Cliché instantané de volume - Unknown - C:\WINDOWS\System32\vssvc.exe
    O23 - Service: Carte de performance WMI - Unknown - C:\WINDOWS\System32\wbem\wmiapsrv.exe
  4. 22-02-2005  #4
    Frédéric
    Frédéric is offline Newbie
    Owen,

    here is a new logfile after having followed your instructions. Thank you

    Logfile of HijackThis v1.99.0
    Scan saved at 13:11:13, on 22/02/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe
    C:\Norman\NVC\BIN\Zanda.exe
    C:\NORMAN\Nvc\BIN\nipsvc.exe
    C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
    C:\NORMAN\Nvc\BIN\NJEEVES.EXE
    C:\NORMAN\Nvc\BIN\nvcoas.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Fichiers communs\Microsoft Shared\Works Shared\WkUFind.exe
    C:\NORMAN\Nvc\BIN\ZLH.EXE
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    C:\Program Files\Spyware Doctor\swdoctor.exe
    C:\NORMAN\Nvc\BIN\NYMSE.EXE
    C:\NORMAN\Nvc\BIN\NIP.EXE
    C:\NORMAN\Nvc\BIN\cclaw.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Fred\Local Settings\Temp\Répertoire temporaire 2 pour hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://v73.us
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://v73.us
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://v73.us
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v73.us
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://v73.us
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://v73.us/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://v73.us/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://v73.us
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://v73.us/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://v73.us/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://v73.us
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = http://v73.us
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://v73.us
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = localhost
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Fichiers communs\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [Norman ZANDA] C:\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
    O4 - HKLM\..\Run: [Spoolsv32] spools.exe
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O21 - SSODL: eplrr9 - {13D458C8-635B-4FD8-B149-9D357BDAB99D} - C:\WINDOWS\System32\mspdnx.dll
    O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: Service d'administration du Gestionnaire de disque logique - Unknown - C:\WINDOWS\System32\dmadmin.exe
    O23 - Service: Journal des événements - Unknown - C:\WINDOWS\system32\services.exe
    O23 - Service: Fax - Unknown - C:\WINDOWS\system32\fxssvc.exe
    O23 - Service: Service COM de gravage de CD IMAPI - Unknown - C:\WINDOWS\System32\imapi.exe
    O23 - Service: Partage de Bureau à distance NetMeeting - Unknown - C:\WINDOWS\System32\mnmsrvc.exe
    O23 - Service: DDE réseau - Unknown - C:\WINDOWS\system32\netdde.exe
    O23 - Service: DSDM DDE réseau - Unknown - C:\WINDOWS\system32\netdde.exe
    O23 - Service: Norman API-hooking helper - Unknown - C:\NORMAN\Nvc\BIN\nipsvc.exe
    O23 - Service: Norman NJeeves - Unknown - C:\NORMAN\Nvc\BIN\NJEEVES.EXE
    O23 - Service: Norman ZANDA - Unknown - C:\Norman\NVC\BIN\Zanda.exe
    O23 - Service: Norman Virus Control on-access component - Norman ASA - C:\NORMAN\Nvc\BIN\nvcoas.exe
    O23 - Service: Norman Virus Control Scheduler - Norman Data Defense Systems - C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
    O23 - Service: Plug-and-Play - Unknown - C:\WINDOWS\system32\services.exe
    O23 - Service: Gestionnaire de session d'aide sur le Bureau à distance - Unknown - C:\WINDOWS\system32\sessmgr.exe
    O23 - Service: Prise en charge des cartes à puces - Unknown - C:\WINDOWS\System32\SCardSvr.exe
    O23 - Service: Carte à puce - Unknown - C:\WINDOWS\System32\SCardSvr.exe
    O23 - Service: Journaux et alertes de performance - Unknown - C:\WINDOWS\system32\smlogsvc.exe
    O23 - Service: Cliché instantané de volume - Unknown - C:\WINDOWS\System32\vssvc.exe
    O23 - Service: Carte de performance WMI - Unknown - C:\WINDOWS\System32\wbem\wmiapsrv.exe
  5. 24-02-2005  #5
    owen
    owen is offline D-A-L Team Member (UK)
    Sorry about the response time.

    Close all browser windows, restart Hijack This and put a checkmark next to the following entries:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://v73.us
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://v73.us
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://v73.us
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v73.us
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://v73.us
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://v73.us/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://v73.us/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://v73.us
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://v73.us/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://v73.us/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://v73.us
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = http://v73.us
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://v73.us
    O4 - HKLM\..\Run: [Spoolsv32] spools.exe
    O21 - SSODL: eplrr9 - {13D458C8-635B-4FD8-B149-9D357BDAB99D} - C:\WINDOWS\System32\mspdnx.dll

    Click Fix Checked

    Then boot into Safe Mode and ensure that you are showing Hidden Files and Folders.

    Delete the following files and folders:
    C:\WINDOWS\System32\mspdnx.dll

    Reboot and post a fresh log
  6. 24-02-2005  #6
    Frédéric
    Frédéric is offline Newbie
    Owen

    here is the new logfile. There is some progress. It does not set http://v73.us as homepage any longer, and I can better access all web pages. But it seems that for the time being it runs very slowly. I had also to close IE and make a second attempt to be able to access d-a-l web page.

    Thanks again for your help.

    Frédéric




    Logfile of HijackThis v1.99.0
    Scan saved at 21:16:02, on 24/02/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe
    C:\Norman\NVC\BIN\Zanda.exe
    C:\NORMAN\Nvc\BIN\NJEEVES.EXE
    C:\NORMAN\Nvc\BIN\nipsvc.exe
    C:\NORMAN\Nvc\BIN\nvcoas.exe
    C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\NORMAN\Nvc\BIN\ZLH.EXE
    C:\Program Files\Fichiers communs\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Spyware Doctor\swdoctor.exe
    C:\NORMAN\Nvc\BIN\NYMSE.EXE
    C:\NORMAN\Nvc\BIN\NIP.EXE
    C:\NORMAN\Nvc\BIN\cclaw.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Documents and Settings\Fred\Local Settings\Temp\Répertoire temporaire 2 pour hijackthis.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.belgacom.net/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = localhost
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
    O1 - Hosts: 65.125.226.82 http://yahoo.com
    O1 - Hosts: 65.125.226.82 http://google.com
    O1 - Hosts: 65.125.226.82 http://lycos.com
    O1 - Hosts: 65.125.226.82 http://altavista.com
    O1 - Hosts: 65.125.226.82 http://msn.com
    O1 - Hosts: 65.125.226.82 http://search.msn.com
    O1 - Hosts: 65.125.226.82 http://cnn.com
    O1 - Hosts: 65.125.226.82 http://excite.com
    O1 - Hosts: 65.125.226.82 http://alltheweb.com
    O1 - Hosts: 65.125.226.82 http://looksmart.com
    O1 - Hosts: 65.125.226.82 http://northernlight.com
    O1 - Hosts: 65.125.226.82 http://alexa.com
    O1 - Hosts: 65.125.226.82 http://search.aol.com
    O1 - Hosts: 65.125.226.82 http://epilot.com
    O1 - Hosts: 65.125.226.82 http://hotbot.com
    O1 - Hosts: 65.125.226.82 http://search.netscape.com
    O1 - Hosts: 65.125.226.82 http://infospace.com
    O1 - Hosts: 65.125.226.82 http://www.epilot.com
    O1 - Hosts: 65.125.226.82 http://www.hotbot.com
    O1 - Hosts: 65.125.226.82 http://www.infospace.com
    O1 - Hosts: 65.125.226.82 http://www.cnn.com
    O1 - Hosts: 65.125.226.82 http://www.msn.com
    O1 - Hosts: 65.125.226.82 http://www.altavista.com
    O1 - Hosts: 65.125.226.82 http://www.lycos.com
    O1 - Hosts: 65.125.226.82 http://www.google.com
    O1 - Hosts: 65.125.226.82 http://www.yahoo.com
    O1 - Hosts: 65.125.226.82 http://www.alexa.com
    O1 - Hosts: 65.125.226.82 http://www.excite.com
    O1 - Hosts: 65.125.226.82 http://www.alltheweb.com
    O1 - Hosts: 65.125.226.82 http://www.looksmart.com
    O1 - Hosts: 65.125.226.82 http://www.northernlight.com
    O1 - Hosts: 65.125.226.85 http://thehun.com
    O1 - Hosts: 65.125.226.85 http://thehun.net
    O1 - Hosts: 65.125.226.85 http://worldsex.com
    O1 - Hosts: 65.125.226.85 http://al4a.com
    O1 - Hosts: 65.125.226.85 http://book-mark.net
    O1 - Hosts: 65.125.226.85 http://easypic.com
    O1 - Hosts: 65.125.226.85 http://call-kelly.com
    O1 - Hosts: 65.125.226.85 http://sleazydream.com
    O1 - Hosts: 65.125.226.85 http://amplandmovies.com
    O1 - Hosts: 65.125.226.85 http://mature-post.com
    O1 - Hosts: 65.125.226.85 http://www.thehun.com
    O1 - Hosts: 65.125.226.85 http://www.thehun.net
    O1 - Hosts: 65.125.226.85 http://www.worldsex.com
    O1 - Hosts: 65.125.226.85 http://www.al4a.com
    O1 - Hosts: 65.125.226.85 http://www.book-mark.net
    O1 - Hosts: 65.125.226.85 http://www.easypic.com
    O1 - Hosts: 65.125.226.85 http://www.call-kelly.com
    O1 - Hosts: 65.125.226.85 http://www.sleazydream.com
    O1 - Hosts: 65.125.226.85 http://www.amplandmovies.com
    O1 - Hosts: 65.125.226.85 http://www.mature-post.com
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Norman ZANDA] C:\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Fichiers communs\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: Service d'administration du Gestionnaire de disque logique - Unknown - C:\WINDOWS\System32\dmadmin.exe
    O23 - Service: Journal des événements - Unknown - C:\WINDOWS\system32\services.exe
    O23 - Service: Fax - Unknown - C:\WINDOWS\system32\fxssvc.exe
    O23 - Service: Service COM de gravage de CD IMAPI - Unknown - C:\WINDOWS\System32\imapi.exe
    O23 - Service: Partage de Bureau à distance NetMeeting - Unknown - C:\WINDOWS\System32\mnmsrvc.exe
    O23 - Service: DDE réseau - Unknown - C:\WINDOWS\system32\netdde.exe
    O23 - Service: DSDM DDE réseau - Unknown - C:\WINDOWS\system32\netdde.exe
    O23 - Service: Norman API-hooking helper - Unknown - C:\NORMAN\Nvc\BIN\nipsvc.exe
    O23 - Service: Norman NJeeves - Unknown - C:\NORMAN\Nvc\BIN\NJEEVES.EXE
    O23 - Service: Norman ZANDA - Unknown - C:\Norman\NVC\BIN\Zanda.exe
    O23 - Service: Norman Virus Control on-access component - Norman ASA - C:\NORMAN\Nvc\BIN\nvcoas.exe
    O23 - Service: Norman Virus Control Scheduler - Norman Data Defense Systems - C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
    O23 - Service: Plug-and-Play - Unknown - C:\WINDOWS\system32\services.exe
    O23 - Service: Gestionnaire de session d'aide sur le Bureau à distance - Unknown - C:\WINDOWS\system32\sessmgr.exe
    O23 - Service: Prise en charge des cartes à puces - Unknown - C:\WINDOWS\System32\SCardSvr.exe
    O23 - Service: Carte à puce - Unknown - C:\WINDOWS\System32\SCardSvr.exe
    O23 - Service: Journaux et alertes de performance - Unknown - C:\WINDOWS\system32\smlogsvc.exe
    O23 - Service: Cliché instantané de volume - Unknown - C:\WINDOWS\System32\vssvc.exe
    O23 - Service: Carte de performance WMI - Unknown - C:\WINDOWS\System32\wbem\wmiapsrv.exe
  7. 24-02-2005  #7
    owen
    owen is offline D-A-L Team Member (UK)
    Download the Hoster. Press "Restore Original Hosts" and press "OK". Exit Program. Note: if you were using a custom Hosts file you will need to replace any of those entries yourself.

    Reboot and post a fresh log.
  8. 26-02-2005  #8
    Frédéric
    Frédéric is offline Newbie
    Owen,

    I did what you said. Here is the new logfile.

    Frédéric

    Logfile of HijackThis v1.99.0
    Scan saved at 8:51:35, on 26/02/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe
    C:\Norman\NVC\BIN\Zanda.exe
    C:\NORMAN\Nvc\BIN\NJEEVES.EXE
    C:\NORMAN\Nvc\BIN\nvcoas.exe
    C:\NORMAN\Nvc\BIN\nipsvc.exe
    C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\NORMAN\Nvc\BIN\ZLH.EXE
    C:\Program Files\Fichiers communs\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Spyware Doctor\swdoctor.exe
    C:\NORMAN\Nvc\BIN\NYMSE.EXE
    C:\NORMAN\Nvc\BIN\NIP.EXE
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\NORMAN\Nvc\BIN\cclaw.exe
    C:\Documents and Settings\Fred\Local Settings\Temp\Répertoire temporaire 2 pour hijackthis.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.belgacom.net/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = localhost
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Norman ZANDA] C:\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Fichiers communs\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: Service d'administration du Gestionnaire de disque logique - Unknown - C:\WINDOWS\System32\dmadmin.exe
    O23 - Service: Journal des événements - Unknown - C:\WINDOWS\system32\services.exe
    O23 - Service: Fax - Unknown - C:\WINDOWS\system32\fxssvc.exe
    O23 - Service: Service COM de gravage de CD IMAPI - Unknown - C:\WINDOWS\System32\imapi.exe
    O23 - Service: Partage de Bureau à distance NetMeeting - Unknown - C:\WINDOWS\System32\mnmsrvc.exe
    O23 - Service: DDE réseau - Unknown - C:\WINDOWS\system32\netdde.exe
    O23 - Service: DSDM DDE réseau - Unknown - C:\WINDOWS\system32\netdde.exe
    O23 - Service: Norman API-hooking helper - Unknown - C:\NORMAN\Nvc\BIN\nipsvc.exe
    O23 - Service: Norman NJeeves - Unknown - C:\NORMAN\Nvc\BIN\NJEEVES.EXE
    O23 - Service: Norman ZANDA - Unknown - C:\Norman\NVC\BIN\Zanda.exe
    O23 - Service: Norman Virus Control on-access component - Norman ASA - C:\NORMAN\Nvc\BIN\nvcoas.exe
    O23 - Service: Norman Virus Control Scheduler - Norman Data Defense Systems - C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
    O23 - Service: Plug-and-Play - Unknown - C:\WINDOWS\system32\services.exe
    O23 - Service: Gestionnaire de session d'aide sur le Bureau à distance - Unknown - C:\WINDOWS\system32\sessmgr.exe
    O23 - Service: Prise en charge des cartes à puces - Unknown - C:\WINDOWS\System32\SCardSvr.exe
    O23 - Service: Carte à puce - Unknown - C:\WINDOWS\System32\SCardSvr.exe
    O23 - Service: Journaux et alertes de performance - Unknown - C:\WINDOWS\system32\smlogsvc.exe
    O23 - Service: Cliché instantané de volume - Unknown - C:\WINDOWS\System32\vssvc.exe
    O23 - Service: Carte de performance WMI - Unknown - C:\WINDOWS\System32\wbem\wmiapsrv.exe
  9. 26-02-2005  #9
    owen
    owen is offline D-A-L Team Member (UK)
    Thats a clean log, how are things running?
  10. 27-02-2005  #10
    Frédéric
    Frédéric is offline Newbie
    Save 20% on AVG Internet Security 2012 Suite!
    HI Owen,

    things are running well again. Seems this time I could get rid of it, thanks to you.

    frédéric
+ Reply to Thread
Page 1 of 2 1 2 LastLast
« Hijack This Log - need help with DNS error | Pop Up Virus? »