'System Alert' message

[kouye]

Hi,
I am running XP Home SP2 and for the past few days, I have been having a message poping up very regularly on the notification area of the system tray (bottom right) that says :
"System Alert !
System has detected a number of active spyware applications that may impact the performance of your computer"
The message is located on a flashing red shield icon. When I click on the message, Internet Explorer starts up on the Virus Protect Pro web site (www.virusprotectpro.com/?aff=1003) and suggests I acquire and download the product.
The online Symantec vulnerability/virus detection reveals no spyware/adware/virus. Neither does BitDefender Online. Windows Defender, A Squared, Spyware S&D, AdAware SE are equally unsuccessful in detecting anything unusual.
I have run the 5 steps and here are the results.
Thanks for your kind help,
Edward

Panda ActiveScan report :


Incident Status Location

Virus:Trj/Lowzones.TQ Disinfected Operating system
Virus:W32/Moonlight.K.worm Disinfected Operating system
Adware:Adware/Spylocked Not disinfected C:\WINDOWS\system32\zpeolvh.dll
Virus:Trj/Lowzones.TQ Disinfected Operating system
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\gaby\Cookies\gaby@888[2].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\gaby\Cookies\gaby@xiti[1].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Michele\Cookies\michele@advertising[1].txt
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Michele\Cookies\michele@bluestreak[2].txt
Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\Michele\Cookies\michele@clickbank[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Michele\Cookies\michele@doubleclick[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Michele\Cookies\michele@overture[2].txt
Spyware:Cookie/Weborama Not disinfected C:\Documents and Settings\Michele\Cookies\michele@weborama[2].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Michele\Cookies\michele@xiti[1].txt
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\rafio\Cookies\rafio@ccbill[2].txt
Spyware:Cookie/Malwarewipe Not disinfected C:\Documents and Settings\rafio\Cookies\rafio@malwarewiped[2].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\rafio\Cookies\rafio@xiti[1].txt
Adware:Adware/2Search Not disinfected C:\Documents and Settings\rafio\Local Settings\Temp\a.exe
Virus:W32/Moonlight.K.worm Disinfected C:\Documents and Settings\rafio\Local Settings\Temp\juan.dll
Adware:Adware/WebSearch Not disinfected C:\Documents and Settings\rafio\Local Settings\Temp\laf38.tmp
Adware:Adware/2Search Not disinfected C:\Program Files\PopsMedia Site Adviser\vm5_killer.exe
Potentially unwanted tool:Application/SpyCrush Not disinfected C:\Program Files\VirusProtectPro 3.3\VirusProtectPro 3.3.exe
Virus:Trj/Lowzones.TQ Disinfected C:\WINDOWS\system32\ughavil.dll



HijackThis log :

Deckard's System Scanner v20070611.50
Run by Michele on 2007-07-05 at 00:02:23
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
58: 2007-07-04 22:02:27 UTC - RP58 - Deckard's System Scanner Restore Point
57: 2007-07-04 21:47:24 UTC - RP57 - Software Distribution Service 3.0
56: 2007-07-04 16:51:40 UTC - RP56 - Software Distribution Service 3.0
55: 2007-07-04 16:49:00 UTC - RP55 - Installed Windows Defender
54: 2007-07-04 13:24:18 UTC - RP54 - Removed Windows Live Sign-in Assistant


-- First Restore Point --
1: 2007-05-25 08:11:21 UTC - RP1 - Point de vérification système


Backed up registry hives.

Performed disk cleanup.


-- HijackThis (run as Michele.exe) ---------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 00:03:59, on 05/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccSvcHst.exe
C:\Program Files\Fichiers communs\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\a-squared free\a2service.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccSvcHst.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\FICHIE~1\LIBRES~1\gescw.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\fond-ecran-wallpaper\few-oneclick.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Documents and Settings\Michele\Local Settings\Temporary Internet Files\Content.IE5\Z6W4D3XZ\dss[1].exe
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\PROGRA~1\HIJACK~1\Michele.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {184746EC-9E9D-4C7D-B9E7-9039EBD801A9} - C:\Program Files\Video ActiveX Access\iesplg.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\DOCUME~1\rafio\LOCALS~1\Temp\juan.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Protection Bar - {29C5A3B6-9A8D-4FA0-B5AD-3E20F4AA5C00} - C:\Program Files\Video ActiveX Access\iesbpl.dll (file missing)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Fichiers communs\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Fichiers communs\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [gescw] "C:\PROGRA~1\FICHIE~1\LIBRES~1\gescw.exe" -start
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SecurityUpdate] rundll32.exe C:\WINDOWS\system32\ughavil.dll,TurnOn2
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Fond Ecran OneClick.lnk = C:\Program Files\fond-ecran-wallpaper\few-oneclick.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Ouvrir dans un nouvel onglet d'arrière-plan - res://C:\Program Files\Windows Live Toolbar\Components\fr-fr\msntabres.dll.mui/229?917e05e77b6848b6b69ae8fca894030c
O8 - Extra context menu item: Ouvrir dans un nouvel onglet de premier plan - res://C:\Program Files\Windows Live Toolbar\Components\fr-fr\msntabres.dll.mui/230?917e05e77b6848b6b69ae8fca894030c
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1180081533796
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {88764F69-3831-4EC1-B40B-FF21D8381345} (AdVerifierADPCtrl Class) - https://static.impots.gouv.fr/tdir/s...nerADP-1.0.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - c:\program files\a-squared free\a2service.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Fichiers communs\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Fichiers communs\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Fichiers communs\Symantec Shared\ccSvcHst.exe" /h cltCommon (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Fichiers communs\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Fichiers communs\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Fichiers communs\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Planificateur LiveUpdate automatique - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\AppCore\AppSvc32.exe


-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 AFS2K - c:\windows\system32\drivers\afs2k.sys <Not Verified; Oak Technology Inc.; AFS>

S3 CO_Mon - c:\windows\system32\drivers\co_mon.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Scheduled Tasks -------------------------------------------------------------

2007-07-05 00:00:22 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2007-07-04 23:57:47 436 --a------ C:\WINDOWS\Tasks\XoftSpySE 2.job
2007-07-04 23:41:01 252 --a------ C:\WINDOWS\Tasks\Vérifier les mises à jour de Windows Live Toolbar.job
2007-07-04 18:38:39 366 --a------ C:\WINDOWS\Tasks\XoftSpySE.job
2007-07-04 09:31:00 394 --a------ C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2100 series#1180510256.job
2007-07-02 20:00:00 596 --a------ C:\WINDOWS\Tasks\Norton AntiVirus - Analyse système complète - Donnard.job


-- Files created between 2007-06-05 and 2007-07-05 -----------------------------

2007-07-04 23:52:37 0 d-------- C:\WINDOWS\system32\fr-fr
2007-07-04 23:49:24 0 d-------- C:\WINDOWS\network diagnostic
2007-07-04 23:25:56 0 d-------- C:\Program Files\SpywareBlaster
2007-07-04 22:05:10 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-07-04 18:49:02 0 d-------- C:\Program Files\Windows Defender
2007-07-04 18:38:36 0 d-------- C:\Program Files\XoftSpySE
2007-07-04 17:50:21 0 d-------- C:\WINDOWS\BDOSCAN8
2007-07-04 17:22:02 28672 --a------ C:\WINDOWS\system32\drivers\CO_Mon.sys
2007-07-04 15:56:53 0 d-------- C:\Program Files\a-squared Free
2007-07-04 15:28:29 0 d-------- C:\Documents and Settings\Michele\Application Data\Lavasoft
2007-07-04 15:28:20 0 d-------- C:\Program Files\Lavasoft
2007-07-04 15:23:53 0 d-------- C:\WINDOWS\system32\appmgmt
2007-07-04 11:24:12 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-07-04 11:15:52 88527 --a------ C:\Documents and Settings\Michele\scan.dat
2007-07-03 21:35:41 0 d-------- C:\Documents and Settings\Donnard\Application Data\libresystem
2007-07-03 14:42:18 0 d-------- C:\Documents and Settings\rafio\Application Data\libresystem
2007-07-03 07:17:07 0 d-------- C:\Documents and Settings\Michele\Application Data\libresystem
2007-07-03 07:12:02 0 d-------- C:\Program Files\Fichiers communs\LibreSystem
2007-07-03 07:05:08 0 dr------- C:\Documents and Settings\All Users\Application Data\libresystem
2007-07-03 07:05:03 0 d-------- C:\Program Files\LibreSystem
2007-07-02 13:42:51 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-07-02 13:42:49 0 d-------- C:\Program Files\VirusProtectPro 3.3
2007-07-02 13:42:25 0 d-------- C:\Program Files\PopsMedia Site Adviser
2007-06-30 21:19:00 0 d---s---- C:\Documents and Settings\rafio\UserData
2007-06-29 14:54:58 0 d-------- C:\Documents and Settings\rafio\Application Data\AdobeUM
2007-06-29 14:54:31 0 d-------- C:\Documents and Settings\rafio\Application Data\Adobe
2007-06-27 21:47:42 0 d-------- C:\Program Files\Windows Media Connect 2
2007-06-27 21:45:00 0 d-------- C:\WINDOWS\system32\LogFiles
2007-06-27 21:45:00 0 d-------- C:\WINDOWS\system32\drivers\UMDF
2007-06-25 21:33:33 0 d-------- C:\Documents and Settings\Donnard\Application Data\Dossier de téléchargement Share-to-Web
2007-06-25 21:33:33 0 d-------- C:\Documents and Settings\Donnard\Application Data\Dossier de téléchargement Share-to-Web
2007-06-24 11:11:08 0 d-------- C:\Documents and Settings\Michele\Contacts
2007-06-12 00:03:10 0 d-------- C:\Documents and Settings\Donnard\Application Data\Help
2007-06-11 00:01:03 0 d-------- C:\Documents and Settings\Donnard\Application Data\Macromedia
2007-06-10 23:59:01 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2007-06-10 16:43:06 0 d-------- C:\Documents and Settings\Donnard\Application Data\AdobeUM
2007-06-10 16:42:42 0 d-------- C:\Documents and Settings\Donnard\Application Data\Adobe
2007-06-10 16:39:08 0 d-------- C:\Documents and Settings\Donnard\Application Data\Google
2007-06-05 20:12:44 0 d-------- C:\Program Files\fond-ecran-wallpaper
2007-06-05 20:12:39 75541 --a------ C:\WINDOWS\system32\un_coucherdesoleil_ev.exe
2007-06-05 20:12:39 885318 --a------ C:\WINDOWS\system32\sunset.scr <Not Verified; ecran-de-veille.org; >


-- Find3M Report ---------------------------------------------------------------

2007-07-04 23:57:19 0 d-------- C:\Program Files\Fichiers communs\Symantec Shared
2007-07-04 22:40:32 0 d-------- C:\Program Files\Windows Live Toolbar
2007-07-04 22:40:14 0 d-------- C:\Program Files\Norton AntiVirus
2007-07-04 22:38:03 0 d-------- C:\Program Files\Google
2007-07-04 18:49:04 0 d-------- C:\Program Files\Fichiers communs\Microsoft Shared
2007-07-03 07:12:02 0 d-------- C:\Program Files\Fichiers communs
2007-06-28 08:34:01 8704 --a-s---- C:\WINDOWS\system32\zpeolvh.dll
2007-06-14 01:12:46 0 d-------- C:\Program Files\Fichiers communs\System
2007-06-09 16:37:24 0 d-------- C:\Documents and Settings\Michele\Application Data\Google
2007-06-04 10:07:46 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-06-03 17:57:57 0 d-------- C:\Program Files\Windows Live Favorites
2007-06-01 22:42:59 0 d-------- C:\Documents and Settings\Michele\Application Data\AdobeUM
2007-06-01 18:37:05 0 d-------- C:\Documents and Settings\Michele\Application Data\Adobe
2007-06-01 18:35:20 0 d-------- C:\Program Files\Fichiers communs\Adobe
2007-06-01 18:08:07 0 d-------- C:\Documents and Settings\Michele\Application Data\Macromedia
2007-05-30 17:38:24 0 d-------- C:\Program Files\MSXML 4.0
2007-05-30 10:07:09 0 d-------- C:\Documents and Settings\Michele\Application Data\ArcSoft
2007-05-30 09:37:08 0 d-------- C:\Documents and Settings\Michele\Application Data\Dossier de téléchargement Share-to-Web
2007-05-30 09:37:08 0 d-------- C:\Documents and Settings\Michele\Application Data\Dossier de téléchargement Share-to-Web
2007-05-30 09:34:38 0 d-------- C:\Program Files\Fichiers communs\Nikon
2007-05-30 09:34:21 0 d-------- C:\Program Files\Nikon
2007-05-30 09:34:21 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-05-30 09:34:06 0 d-------- C:\Program Files\QuickTime
2007-05-30 09:33:56 28672 --a------ C:\WINDOWS\system32\qttask.exe
2007-05-30 09:33:26 0 d-------- C:\Program Files\ArcSoft
2007-05-30 09:30:47 0 d-------- C:\Program Files\ReadIris
2007-05-30 09:26:52 0 d-------- C:\Program Files\Fichiers communs\Hewlett-Packard
2007-05-30 09:25:14 0 d-------- C:\Program Files\Hewlett-Packard
2007-05-30 09:19:11 0 d-------- C:\Program Files\Logitech
2007-05-30 09:19:11 0 d-------- C:\Program Files\Fichiers communs\FotoWire
2007-05-30 09:17:10 0 d-------- C:\Program Files\Fichiers communs\Logitech
2007-05-30 07:01:22 367658 --a------ C:\WINDOWS\system32\perfh00C.dat
2007-05-30 07:01:22 48616 --a------ C:\WINDOWS\system32\perfc00C.dat
2007-05-25 13:42:02 0 d-------- C:\Program Files\Messenger
2007-05-25 11:51:50 0 d-------- C:\Program Files\Fichiers communs\ODBC
2007-05-25 11:51:46 0 d-------- C:\Program Files\Fichiers communs\SpeechEngines
2007-05-25 11:51:19 62 --ahs---- C:\Documents and Settings\Michele\Application Data\desktop.ini
2007-05-25 11:44:42 0 d-------- C:\Documents and Settings\Michele\Application Data\Identities
2007-05-25 11:21:51 0 d-------- C:\Program Files\Fichiers communs\Designer
2007-05-25 11:20:30 0 d-------- C:\Program Files\microsoft frontpage
2007-05-25 10:42:26 0 d-------- C:\Program Files\Symantec
2007-05-25 10:20:31 0 d-------- C:\Program Files\Fichiers communs\InstallShield
2007-05-25 10:05:35 0 -rahs---- C:\MSDOS.SYS
2007-05-25 10:05:35 0 -rahs---- C:\IO.SYS
2007-05-25 10:05:35 0 --a------ C:\CONFIG.SYS
2007-05-25 10:05:35 0 --a------ C:\AUTOEXEC.BAT
2007-05-25 10:04:02 0 d--h----- C:\Program Files\WindowsUpdate
2007-05-25 10:03:58 0 d-------- C:\Program Files\Services en ligne
2007-05-25 10:03:11 0 d-------- C:\Program Files\Fichiers communs\Services
2007-05-25 10:03:07 0 d-------- C:\Program Files\Fichiers communs\MSSoap
2007-05-25 10:02:57 0 d-------- C:\Program Files\Movie Maker
2007-05-25 10:02:00 21892 --a------ C:\WINDOWS\system32\emptyregdb.dat
2007-05-25 10:01:36 0 d-------- C:\Program Files\Online Services
2007-05-25 10:01:26 0 d-------- C:\Program Files\MSN Gaming Zone
2007-05-25 10:01:17 0 d-------- C:\Program Files\Windows NT


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{184746EC-9E9D-4C7D-B9E7-9039EBD801A9} C:\Program Files\Video ActiveX Access\iesplg.dll [x]
{53707962-6F74-2D53-2644-206D7942484F} C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
{AA58ED58-01DD-4d91-8333-CF10577473F7} c:\program files\google\googletoolbar1.dll
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} C:\Program Files\Windows Live Toolbar\msntb.dll
{E12BFF69-38A7-406e-A8EF-2738107A7831} C:\DOCUME~1\rafio\LOCALS~1\Temp\juan.dll [x]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"AlcxMonitor"="ALCXMNTR.EXE"
"ccApp"="\"C:\\Program Files\\Fichiers communs\\Symantec Shared\\ccApp.exe\""
"osCheck"="\"C:\\Program Files\\Norton AntiVirus\\osCheck.exe\""
"Symantec PIF AlertEng"="\"C:\\Program Files\\Fichiers communs\\Symantec Shared\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\PIFSvc.exe\" /a /m \"C:\\Program Files\\Fichiers communs\\Symantec Shared\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\AlertEng.dll\""
"LVCOMSX"="C:\\WINDOWS\\system32\\LVCOMSX.EXE"
"LogitechVideoRepair"="C:\\Program Files\\Logitech\\Video\\ISStart.exe"
"LogitechVideoTray"="C:\\Program Files\\Logitech\\Video\\LogiTray.exe"
"Share-to-Web Namespace Daemon"="C:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"gescw"="\"C:\\PROGRA~1\\FICHIE~1\\LIBRES~1\\gescw.exe\" -start"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"SecurityUpdate"="rundll32.exe C:\\WINDOWS\\system32\\ughavil.dll,TurnOn2"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"LogitechSoftwareUpdate"="\"C:\\Program Files\\Logitech\\Video\\ManifestEngine.exe\" boot"
"updateMgr"="C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe AcRdB7_0_9"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{4688f900-0d0c-4788-b297-59cc10e70ccc}"="amberoids"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



-- End of Deckard's System Scanner: finished at 2007-07-05 at 00:04:44 ---------

[alba]

Hi kouye

Please read this post completely before begining the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Please ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.


IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.

We also suggest that you Subscribe to this thread to be notified of fixes as soon as they are posted by our Team. You can do this simply by clicking the "Thread Tools" button located in the original thread line and selecting "Subscribe to this Thread".

===============================================

Additional Downloads

Please download these additional files/programs. Do not run them until instructed to do so.
Unless otherwise stated, they should be stored in same directory as the HiJackThis program.

=================

Please download SmitfraudFix (by S!Ri) to your Desktop. Do not run it yet.

=======================================================

Please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login with your usual account. Make sure to close any open browsers.

=================

Double-click on SmitfraudFix.exe to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : " Registry cleaning - Do you want to clean the registry?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question " Replace infected file?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually--into Normal Mode.


The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: (C:\rapport.txt) or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

=================

Next go to Control Panel click Display>Desktop>Customize Desktop>Web> Now, Uncheck Everything and delete if present:
· "Security Info"
· "Warning Message"
· "Security Desktop"
· "Warning Homepage"
· "Desktop Uninstall"

Also make sure the 'Lock desktop items' box is unticked. Click OK, and then Click Apply, then OK.

=======================

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.

=======================

Double-click on SmitfraudFix.exe to start the tool.
Select option #3 - Delete Trusted zone by typing 3 and press Enter
Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hit Enter.

Notes

1. If you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

2. As many of the variants of Smitfraud have begun invading the Hosts file, this tool will reset your Hosts file as a necessary precaution. You will also have to reset any specific modifications you may require such as Hosts MVPS.

======================================================

Also please run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run it's full course:

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.

• The program will then begin downloading the latest definition files.
• Once the files have been downloaded click on NEXT
• Locate the Scan Settings button & configure to:
  • Scan using the following Anti-Virus database:
    • Extended
  • Scan Options:
    • Scan Archives
    • Scan Mail Bases
• Click OK & have it scan My Computer
• Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
• Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

**Note for Internet Explorer 7 users**

If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

==================================================

Then post the following logs in your next reply...

c:\rapport.txt
Kaspersky results
Hijackthis log

Then post the following logs in your next reply...

[kouye]

Hi alba,
Thank you for taking care of this issue. I followed your instructions exactly. Here are the SmitFraudFix and HiJackThis logs you requested. The Kaspersky log is too long to fit here and is included as an attachement.
Please le me know what you think.


SmitFraudFix v2.200

Scan done at 22:03:12,48, 05/07/2007
Run from C:\Documents and Settings\Michele\Bureau\SmitfraudFix
OS: Microsoft Windows XP [version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{BCEB1AD5-AA48-4006-A017-0B74DA62B0DB}: DhcpNameServer=80.10.246.1 80.10.26.132 192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{BCEB1AD5-AA48-4006-A017-0B74DA62B0DB}: DhcpNameServer=80.10.246.1 80.10.26.132 192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{BCEB1AD5-AA48-4006-A017-0B74DA62B0DB}: DhcpNameServer=80.10.246.1 80.10.26.132 192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=80.10.246.1 80.10.26.132 192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=80.10.246.1 80.10.26.132 192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=80.10.246.1 80.10.26.132 192.168.1.1


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End



Logfile of HijackThis v1.99.1
Scan saved at 00:04:05, on 06/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccSvcHst.exe
C:\Program Files\Fichiers communs\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\FICHIE~1\LIBRES~1\gescw.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
c:\program files\a-squared free\a2service.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccSvcHst.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {184746EC-9E9D-4C7D-B9E7-9039EBD801A9} - C:\Program Files\Video ActiveX Access\iesplg.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\DOCUME~1\rafio\LOCALS~1\Temp\juan.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Fichiers communs\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Fichiers communs\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [gescw] "C:\PROGRA~1\FICHIE~1\LIBRES~1\gescw.exe" -start
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SecurityUpdate] rundll32.exe C:\WINDOWS\system32\ughavil.dll,TurnOn2
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Ouvrir dans un nouvel onglet d'arrière-plan - res://C:\Program Files\Windows Live Toolbar\Components\fr-fr\msntabres.dll.mui/229?917e05e77b6848b6b69ae8fca894030c
O8 - Extra context menu item: Ouvrir dans un nouvel onglet de premier plan - res://C:\Program Files\Windows Live Toolbar\Components\fr-fr\msntabres.dll.mui/230?917e05e77b6848b6b69ae8fca894030c
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1180081533796
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {88764F69-3831-4EC1-B40B-FF21D8381345} (AdVerifierADPCtrl Class) - https://static.impots.gouv.fr/tdir/s...nerADP-1.0.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - c:\program files\a-squared free\a2service.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Fichiers communs\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Fichiers communs\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Fichiers communs\Symantec Shared\ccSvcHst.exe" /h cltCommon (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Fichiers communs\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Fichiers communs\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Fichiers communs\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Planificateur LiveUpdate automatique - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\AppCore\AppSvc32.exe

[kouye]

Alba,
After doing what you suggested, the System Alert pop-up doesn't show anymore and the red shield icon in the system tray has disappeared.
But I get an error message that says :
C:\WINDOWS\system32\ughavil.dll is missing
This happens whenever I open a user session.
Google has not been very helpful on 'ughavil.dll'
Any ideas ?

[alba]

Hi kouye

Quote:

But I get an error message that says :
C:\WINDOWS\system32\ughavil.dll is missing
This happens whenever I open a user session.

This is because there is still a reg entry for it we will fix that in this pass

================================

Please read this post completely before begining the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Please ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.


IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.

===============================================

Additional Downloads

Please download these additional files/programs. Do not run them until instructed to do so.
Unless otherwise stated, they should be stored in same directory as the HiJackThis program.

=================

Please download ATF Cleaner - Here

===============================================

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers.

===============================================

Run a scan with HiJackThis & select/tick the following & click "Fix checked" :

O2 - BHO: (no name) - {184746EC-9E9D-4C7D-B9E7-9039EBD801A9} - C:\Program Files\Video ActiveX Access\iesplg.dll (file missing)
O4 - HKLM\..\Run: [gescw] "C:\PROGRA~1\FICHIE~1\LIBRES~1\gescw.exe" -start
O4 - HKLM\..\Run: [SecurityUpdate] rundll32.exe C:\WINDOWS\system32\ughavil.dll,TurnOn2



Please remember to close all other windows, including browsers then click Fix checked.

===============================================

If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools>Folder Options> View tab.

• Tick - Show hidden files and folder
• Untick - Hide file extensions for known types
• Untick - Hide protected operating system files

Click Yes to confirm & then click OK

Locate and delete the following folders, if present:

• C:\Program Files\PopsMedia Site Adviser
  

=================

ATF Cleaner

• Double-click ATF-Cleaner.exe to run the program.
• Click Select All found at the bottom of the list.
• Click the Empty Selected button.

If you use Firefox browser, do this also:

• Click Firefox at the top and choose Select All from the list.
• Click the Empty Selected button.
• NOTE : If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:

• Click Opera at the top and choose Select All from the list.
• Click the Empty Selected button.
• NOTE : If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

===============================================

REBOOT TO NORMAL MODE

=================


Go here and do the BitDefender online virus scan.

• Click "I Agree" to agree to the EULA.
• Allow the ActiveX control to install when prompted.
• Leave the scanning options at default and press "Click here to scan" to begin the scan.
• Please refrain from using the computer until the scan is finished.
• When the scan is finished, click on "Click here to export the scan results"
• Save the report to your desktop then come back here and post it in your next reply

==================

Please Run a scan with Hijackthis and save the log

===============================================

In your next post, please include fresh logs from:

• Online scan
• Hijackthis log

Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now

[kouye]

Hi alba,
Did what you suggested. The "C:\WINDOWS\system32\ughavil.dll is missing" message doesn't happen any more.
Here are the logs. Looking forward to your input.
Thanks again for your time


BitDefender Online Scanner

Scan report generated at: Fri, Jul 06, 2007 - 18:31:19

Scan path: A:\;C:\;D:\;

Statistics

Time
00:21:03

Files
64920

Folders
2872

Boot Sectors
2

Archives
814

Packed Files
4330

Results

Identified Viruses
1

Infected Files
1

Suspect Files
0

Warnings
0

Disinfected
0

Deleted Files
1

Engines Info

Virus Definitions
637344

Engine build
AVCORE v1.0 (build 2410) (i386) (Jun 12 2007 21:08:27)

Scan plugins
14

Archive plugins
38

Unpack plugins
6

E-mail plugins
6

System plugins
1

Scan Settings

First Action
Disinfect

Second Action
Delete

Heuristics
Yes

Enable Warnings
Yes

Scanned Extensions
*;

Exclude Extensions

Scan Emails
Yes

Scan Archives
Yes

Scan Packed
Yes

Scan Files
Yes

Scan Boot
Yes

Scanned File
Status

C:\System Volume Information\_restore{741EEBA3-3214-4CF8-BD3D-D8492B2BA2F5}\RP52\A0008202.exe=>(NSIS o)=>lzma_solid_nsis0000
Infected with: Trojan.Downloader.Zlob.AAAB

C:\System Volume Information\_restore{741EEBA3-3214-4CF8-BD3D-D8492B2BA2F5}\RP52\A0008202.exe=>(NSIS o)=>lzma_solid_nsis0000
Disinfection failed

C:\System Volume Information\_restore{741EEBA3-3214-4CF8-BD3D-D8492B2BA2F5}\RP52\A0008202.exe=>(NSIS o)=>lzma_solid_nsis0000
Deleted

C:\System Volume Information\_restore{741EEBA3-3214-4CF8-BD3D-D8492B2BA2F5}\RP52\A0008202.exe=>(NSIS o)
Update failed



Logfile of HijackThis v1.99.1
Scan saved at 18:04:34, on 06/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Fichiers communs\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\a-squared free\a2service.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccSvcHst.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\DOCUME~1\rafio\LOCALS~1\Temp\juan.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Fichiers communs\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Fichiers communs\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Ouvrir dans un nouvel onglet d'arrière-plan - res://C:\Program Files\Windows Live Toolbar\Components\fr-fr\msntabres.dll.mui/229?917e05e77b6848b6b69ae8fca894030c
O8 - Extra context menu item: Ouvrir dans un nouvel onglet de premier plan - res://C:\Program Files\Windows Live Toolbar\Components\fr-fr\msntabres.dll.mui/230?917e05e77b6848b6b69ae8fca894030c
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1180081533796
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {88764F69-3831-4EC1-B40B-FF21D8381345} (AdVerifierADPCtrl Class) - https://static.impots.gouv.fr/tdir/s...nerADP-1.0.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - c:\program files\a-squared free\a2service.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Fichiers communs\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Fichiers communs\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Fichiers communs\Symantec Shared\ccSvcHst.exe" /h cltCommon (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Fichiers communs\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Fichiers communs\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Fichiers communs\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Planificateur LiveUpdate automatique - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\AppCore\AppSvc32.exe

[alba]

Hi kouye

French lessons start next week :embarrassed:

Do you no what this folder is C:\Program Files\Fichiers communs\LibreSystem ? Is it something that you installed yourself and can you tell me more about it

[kouye]

No problem...
LibreSystem is supposedly an anti-spyware program, but I have a strong feeling it's probably a rogue. It was installed by the owner of the PC (friend of mine).
There's more on it here :
http://secubox.aldria.com/topic-1229.html

French again, sorry... In a nutshell, it says that libresystem.com is one of many domains that are associated with an IP address that is targeted by a malware designed to lure unsuspecting users into buying rogue anti-spywares. Apparently, this was designed last year by a group called SSHijacker.

Before I came to TSF for help, I started by uninstalling LibreSystem (or I thought I did...), among other actions. From what you see, is it still active ?

[alba]

Hi ya

Quote:

I started by uninstalling LibreSystem

No worries we will remove the residue folders and that will be gone

=================

Run a scan with HiJackThis & select/tick the following & click "Fix checked" :

O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\DOCUME~1\rafio\LOCALS~1\Temp\juan.dll (file missing)



Please remember to close all other windows, including browsers then click Fix checked.

===============================================

If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools>Folder Options> View tab.

• Tick - Show hidden files and folder
• Untick - Hide file extensions for known types
• Untick - Hide protected operating system files

Click Yes to confirm & then click OK

Locate and delete the following folders, if present:

• C:\Documents and Settings\Donnard\Application Data\libresystem
  C:\Documents and Settings\rafio\Application Data\libresystem
  C:\Documents and Settings\Michele\Application Data\libresystem
  C:\Program Files\Fichiers communs\LibreSystem

If you have any problems deleting the folders boot into safe mode and delete them from there

You can also delete smitfraudfix


Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:

1. CLEAR & RESET SYSTEM RESTORE'S CACHE - (System Volume Information folder)
   Go to Start → Run → type control sysdm.cpl,,4 & press Enter
   • Tick on the checkbox - Turn off System Restore on all drives
   • Click Apply
   Turn it back 'On' by unticking the same checkbox & click OK
   
   
   
2. DISABLE THE VIEWING OF SYSTEM FILES
   From Windows Explorer, go to Tools>Folder Options> View tab.
   • Untick - Show hidden files and folder
   • Tick - Hide file extensions for known types
   • Tick - Hide protected operating system files
   Click Yes to confirm & then click OK
   
   
   
3. SECURING INTERNET EXPLORER
   From within Internet Explorer click on the Tools menu and then click on Internet Options.
   • Select the Security tab
     • Click once on the Internet icon so it becomes highlighted.
     • Select Custom Level .
       • Change 'Download signed ActiveX controls' to Prompt
       • Change 'Download unsigned ActiveX controls' to Disable
       • Change 'Initialize and script ActiveX controls not marked as safe' to Disable
       • Change 'Installation of desktop items' to Prompt
       • Change 'Launching programs and files in an IFRAME' to Prompt
       • Change 'Navigate sub-frames across different domains' to Prompt
       • When all these changes have been made, click on the OK button.
     • If it prompts you as to whether or not you want to save the settings, press the Yes button.
   • Select OK to exit the Internet Properties page.
   
   
   
4. ANTIVIRUS SOFTWARE
   It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.
   
   See this link for a listing of some online & their stand-alone antivirus programs:
   
   Virus, Spyware, and Malware Protection and Removal Resources → http://www.bleepingcomputer.com/forums/topict405.html
   
   It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
   
   
   
5. FIREWALL
   Without a firewall your computer is succeptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here → http://www.bleepingcomputer.com/forums/tutorial60.html
   
   
   
6. Microsoft Windows Update → http://www.windowsupdate.com
   Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
   
   
   
7. SPYBOT - SEARCH & DESTROY
   Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here → http://www.bleepingcomputer.com/forums/tutorial43.html
   
   
8. AD-AWARE
   Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here → http://www.bleepingcomputer.com/forums/tutorial48.html
   
   
   
9. SPYWAREBLASTER
   SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites.
   
   Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here → http://www.bleepingcomputer.com/forums/tutorial49.html
   
   
   
10. IE-SPYAD
    IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here http://www.spywarewarrior.com/uiuc/resource.htm

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.

• http://www.trillian.cc → Trillian or http://www.miranda-im.com → Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  
  
• http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.
  
  
• http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.
  
  
• http://toolbar.google.com/ - Google Toolbar - Get the free google toolbar to help stop pop up windows.
  
  
• http://cleanup.stevengould.org/ - CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  
  
• http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.
  
  ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.
  
  NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.
  
  
• http://www.winpatrol.com/ -Winpatrol - Download and install the free version of Winpatrol.
  A tutorial for this product is located here: http://www.winpatrol.com/features.html

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein - http://computercops.biz/postlite7736-.html

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

Please respond to this thread one more time so we can mark this thread as resolved.

[kouye]

OK, perfect. The PC works like a charm.
Thanks for your help, alba.
Have a good day too.