Old 07-19-2007, 03:15 PM   #1 (permalink)
Registered User
 
Join Date: Jan 2007
Location: Paris, France
Posts: 298
OS: Win XP SP3, OS X 10.6


about:blank issue in Internet Explorer 6

Hi,
I am running a Dell Dimension 4500 under Windows XP Home SP2. When starting up Internet Explorer 6, I get an empty startup page, with 'about:blank' in the address bar. In the Internet Options dialog in the Tools menu, I managed to change the startup page to www.yahoo.com. But when I restart IE, the Yahoo page takes a very long time to show up and all image links are broken. Clicking on a link or typing another URL just gets me to a blank page, or a notification that the page is inaccessible. When I use Firefox, Internet access works fine and refresh rates are normal.
I ran the five steps. All went OK, except step 4 (Panda) for lack of Internet access with IE 6.
Any idea what is going wrong?

Here is the Deckard log:

Deckard's System Scanner v20070711.54
Run by Matthieu on 2007-07-19 at 22:52:42
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
6: 2007-07-19 20:52:51 UTC - RP1353 - Deckard's System Scanner Restore Point
5: 2007-07-19 20:41:53 UTC - RP1352 - Software Distribution Service 3.0
4: 2007-07-19 18:30:58 UTC - RP1351 - Point de vérification système
3: 2007-07-17 15:30:41 UTC - RP1350 - Supprimé ADI USB ADSL Interface
2: 2007-07-17 15:28:01 UTC - RP1349 - Configured NETGEAR WG111v2 wireless USB 2.0 adapter


-- First Restore Point --
1: 2007-07-17 13:55:29 UTC - RP1348 - Point de vérification système


Backed up registry hives.

Performed disk cleanup.


-- HijackThis (run as Matthieu.exe) --------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 22:59:35, on 19/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SYSTEM32\bgsvcgen.exe
C:\Program Files\Fichiers communs\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Works\WksSb.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe
C:\Documents and Settings\Matthieu\Mes documents\Thibaud Perso\MsgPlus.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
C:\Program Files\MarkAny\ContentSafer\MAAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\Program Files\Fichiers communs\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Matthieu\Bureau\dss.exe
C:\DOCUME~1\Matthieu\MESDOC~1\DIGITA~1\HIJACK~1.0\Matthieu.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/f...en/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pandasoftware.com/products/activescan.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.fr
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.de/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=SECURITOO:8080;
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\fr\msntb.dll
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\fr\msntb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [RjLyraInstaller] E:\setup.exe E:\
O4 - HKLM\..\Run: [CloneCDTray] C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe
O4 - HKLM\..\Run: [ElbyCheckElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Documents and Settings\Matthieu\Mes documents\Thibaud Perso\MsgPlus.exe"
O4 - HKLM\..\Run: [winshost.exe] C:\WINDOWS\System32\winshost.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LacKZMOTx] C:\WINDOWS\txpjpotb.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SMSTray] C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
O4 - HKLM\..\Run: [MAAgent] C:\Program Files\MarkAny\ContentSafer\MAAgent.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\Msmsgs.exe" /background
O4 - HKCU\..\Run: [winshost.exe] C:\WINDOWS\System32\winshost.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Documents and Settings\Matthieu\Mes documents\Thibaud Perso\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Exif Launcher 2.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Rappels du Calendrier Microsoft Works.lnk = ?
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet7_22.dll' missing
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.fr
O16 - DPF: Interface Chat Wanadoo - http://chat4.x-echo.com/version6/Applet/wchatsign.cab
O16 - DPF: teleir_cert - https://static.ir.dgi.minefi.gouv.fr...eleir_cert.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1156503289484
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...tatsClient.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\SYSTEM32\bgsvcgen.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Fichiers communs\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 prohlp02 (StarForce Protection Helper Driver v2) - c:\windows\system32\drivers\prohlp02.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 prosync1 (StarForce Protection Synchronization Driver v1) - c:\windows\system32\drivers\prosync1.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfhlp01 (StarForce Protection Helper Driver) - c:\windows\system32\drivers\sfhlp01.sys <Not Verified; Protection Technology; StarForce Protection System>
R1 prodrv06 (StarForce Protection Environment Driver v6) - c:\windows\system32\drivers\prodrv06.sys <Not Verified; Protection Technology; StarForce Protection System>
R1 stltrack - c:\windows\system32\drivers\stltrack.sys <Not Verified; Shuttle Technology; Shuttle Devices Tracking Driver>
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.4.5.0) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.4.5.0>
R2 ElbyCDIO (ElbyCDIO Driver) - c:\windows\system32\drivers\elbycdio.sys <Not Verified; Elaborate Bytes; CDRTools>
R2 enodpl - c:\windows\system32\drivers\enodpl.sys
R2 tandpl - c:\windows\system32\drivers\tandpl.sys
R3 ElbyCDFL - c:\windows\system32\drivers\elbycdfl.sys <Not Verified; Elaborate Bytes; CloneCD>

S2 ADILOADER (General Purpose USB Driver (adildr.sys)) - c:\windows\system32\drivers\adildr.sys (file missing)
S3 adiusbaw (USB ADSL WAN Adapter) - c:\windows\system32\drivers\adiusbaw.sys (file missing)
S3 musbehco - c:\docume~1\matthieu\locals~1\temp\musbehco.sys (file missing)
S3 RTLWUSB (NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver) - c:\windows\system32\drivers\wg111v2.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 bgsvcgen (B's Recorder GOLD Library General Service) - c:\windows\system32\bgsvcgen.exe <Not Verified; B.H.A Corporation; B's Recorder GOLD8>
R2 EPSONStatusAgent2 (EPSON Printer Status Agent2) - c:\program files\fichiers communs\epson\ebapi\sagent2.exe <Not Verified; SEIKO EPSON CORPORATION; EPSON Bidirectional Printer>


-- Files created between 2007-06-19 and 2007-07-19 -----------------------------

2007-07-19 22:35:39 0 d-------- C:\Program Files\SpywareBlaster
2007-07-19 22:34:01 1156 --a------ C:\WINDOWS\mozver.dat
2007-07-19 22:32:31 0 --a------ C:\WINDOWS\nsreg.dat
2007-07-19 22:32:26 0 d------c- C:\Documents and Settings\Matthieu\Application Data\Mozilla
2007-07-19 19:50:34 0 d-------- C:\Program Files\Registrar Registry Manager
2007-07-17 18:11:31 0 d-------- C:\WINDOWS\system32\SoftwareDistribution


-- Find3M Report ---------------------------------------------------------------

2007-07-19 22:47:26 0 d-------- C:\Program Files\Symantec
2007-07-19 22:42:59 0 d-------- C:\Program Files\Fichiers communs\System
2007-07-19 22:22:18 0 d-------- C:\Program Files\Fichiers communs\Symantec Shared
2007-07-19 22:03:49 0 d------c- C:\Documents and Settings\Matthieu\Application Data\Symantec
2007-07-19 21:57:39 0 d-------- C:\Program Files\Fichiers communs
2007-07-17 18:28:51 0 d------c- C:\Documents and Settings\Matthieu\Application Data\MSN6
2007-07-17 18:09:10 0 d-------- C:\Program Files\FinePixViewer
2007-07-17 17:31:29 0 d-------- C:\Program Files\Wanadoo
2007-07-17 17:29:20 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-07-15 16:21:32 66376282 --a------ C:\Program Files\Man U.sav
2007-07-15 16:21:32 324009 --a------ C:\Program Files\hall_of_fame.bin
2007-07-15 16:20:42 535 --a------ C:\Program Files\game.cfg
2007-06-11 11:53:32 0 d-------- C:\Program Files\LimeWire
2007-06-11 11:53:22 0 d-------- C:\Program Files\Incomplete
2007-06-10 19:12:01 0 d-------- C:\Program Files\NETGEAR
2007-06-10 10:15:11 445434 --a------ C:\WINDOWS\system32\perfh00C.dat
2007-06-10 10:15:11 63854 --a------ C:\WINDOWS\system32\perfc00C.dat
2007-05-13 22:37:53 65024 --a------ C:\WINDOWS\IFinst26.exe
2007-05-06 00:26:03 50976881 --a------ C:\Program Files\benfica.sav


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{04079851-5845-4dea-848C-3ECD647AA554} C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL
{0494D0D1-F8E0-41ad-92A3-14154ECE70AC} C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
{9394EDE7-C8B5-483E-8773-474BF36AF6E4} C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\fr\msntb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"AdaptecDirectCD"="\"C:\\Program Files\\Adaptec\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"WorksFUD"="C:\\Program Files\\Microsoft Works\\wkfud.exe"
"Microsoft Works Portfolio"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers"
"Microsoft Works Update Detection"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"
"EPSON Stylus C42 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S10IC2.EXE /P23 \"EPSON Stylus C42 Series\" /O6 \"USB001\" /M \"Stylus C42\""
"RjLyraInstaller"="E:\\setup.exe E:\\"
"CloneCDTray"="C:\\Program Files\\Elaborate Bytes\\CloneCD\\CloneCDTray.exe"
"ElbyCheckElbyCDFL"="\"C:\\Program Files\\Elaborate Bytes\\CloneCD\\ElbyCheck.exe\" /L ElbyCDFL"
"windows auto update"=""
"Microsoft Inet Xp.."=""
"nwiz"="nwiz.exe /install"
"MessengerPlus3"="\"C:\\Documents and Settings\\Matthieu\\Mes documents\\Thibaud Perso\\MsgPlus.exe\""
"winshost.exe"="C:\\WINDOWS\\System32\\winshost.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"LacKZMOTx"="C:\\WINDOWS\\txpjpotb.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_08\\bin\\jusched.exe\""
"REGSHAVE"="C:\\Program Files\\REGSHAVE\\REGSHAVE.EXE /AUTORUN"
"BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SMSTray"="C:\\Program Files\\Samsung\\Samsung Media Studio 5\\SMSTray.exe"
"MAAgent"="C:\\Program Files\\MarkAny\\ContentSafer\\MAAgent.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Yahoo! Pager"="C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"
"MSMSGS"="\"C:\\Program Files\\Messenger\\Msmsgs.exe\" /background"
"winshost.exe"="C:\\WINDOWS\\System32\\winshost.exe"
"MessengerPlus3"="\"C:\\Documents and Settings\\Matthieu\\Mes documents\\Thibaud Perso\\MsgPlus.exe\" /WinStart"
"BitTorrent"="\"C:\\Program Files\\BitTorrent\\bittorrent.exe\" --force_start_minimized"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source REG_SZ file:///C:/Documents%20and%20Settings/Matthieu/Local%20Settings/Temp/Fond0304_24_1280.jpg

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source REG_SZ file:///C:/Documents%20and%20Settings/Matthieu/Mes%20documents/Mes%20images/53.jpg

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
bthsvcs REG_MULTI_SZ BthServ\0\0



-- Hosts -----------------------------------------------------------------------

127.0.0.1 updates1.kaspersky-labs.com
127.0.0.1 ad.doubleclick.net
127.0.0.1 ad.fastclick.net
127.0.0.1 ads.fastclick.net
127.0.0.1 ar.atwola.com
127.0.0.1 atdmt.com
127.0.0.1 avp.ch
127.0.0.1 avp.com
127.0.0.1 avp.ru
127.0.0.1 awaps.net

100 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2007-07-19 at 23:01:04 ---------
Attached Files
File Type: txt extra.txt (21.2 KB, 0 views)
kouye is offline  

Old 07-19-2007, 03:30 PM   #2 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,452
OS: N/A


Re: about:blank issue in Internet Explorer 6

Do a HijackThis scan & place a check next to these items and select "Fix checked":

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=SECURITOO:8080;
O4 - HKLM\..\Run: [RjLyraInstaller] E:\setup.exe E:\
O4 - HKLM\..\Run: [winshost.exe] C:\WINDOWS\System32\winshost.exe
O4 - HKLM\..\Run: [LacKZMOTx] C:\WINDOWS\txpjpotb.exe
O4 - HKCU\..\Run: [winshost.exe] C:\WINDOWS\System32\winshost.exe
O4 - Startup: PowerReg Scheduler.exe



---------------


1. Download & Save this file to Desktop -> http://download.bleepingcomputer.com...a/ComboFix.exe

2. Double click on combofix.exe & follow the prompts.

3. When finished, it shall produce a log for you. Post that log & a fresh HJT log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
__________________

Question - what have you done for the community today?
sUBs is offline  
Old 07-19-2007, 04:35 PM   #3 (permalink)
Registered User
 
Join Date: Jan 2007
Location: Paris, France
Posts: 298
OS: Win XP SP3, OS X 10.6


Re: about:blank issue in Internet Explorer 6

Hi,
Here are the requested logs:


"Matthieu" - 2007-07-20 0:23:10 - ComboFix 07-07-20.5 - Service Pack 2 NTFS


((((((((((((((((((((((((( Files Created from 2007-06-19 to 2007-07-19 )))))))))))))))))))))))))))))))


2007-07-20 00:21 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-19 22:52 <REP> d----c--- C:\Deckard
2007-07-19 22:35 <REP> d-------- C:\Program Files\SpywareBlaster
2007-07-19 22:34 1,156 --a------ C:\WINDOWS\mozver.dat
2007-07-19 22:32 0 --a------ C:\WINDOWS\nsreg.dat
2007-07-19 19:51 31,024 --a------ C:\WINDOWS\SYSTEM32\rrMon.sys
2007-07-19 19:50 <REP> d-------- C:\Program Files\Registrar Registry Manager
2007-07-17 18:11 <REP> d-------- C:\WINDOWS\SYSTEM32\SoftwareDistribution
2007-07-17 18:07 20,992 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\RTL8139.sys


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-19 20:47:26 -------- d-----w C:\Program Files\Symantec
2007-07-19 20:22:18 -------- d-----w C:\Program Files\Fichiers communs\Symantec Shared
2007-07-19 20:03:49 -------- dc----w C:\DOCUME~1\Matthieu\APPLIC~1\Symantec
2007-07-17 16:28:51 -------- dc----w C:\DOCUME~1\Matthieu\APPLIC~1\MSN6
2007-07-17 16:09:10 -------- d-----w C:\Program Files\FinePixViewer
2007-07-17 15:31:29 -------- d-----w C:\Program Files\Wanadoo
2007-07-17 15:29:20 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-07-15 14:21:32 66,376,282 ----a-w C:\Program Files\Man U.sav
2007-07-15 14:21:32 324,009 ----a-w C:\Program Files\hall_of_fame.bin
2007-07-15 14:20:42 535 ----a-w C:\Program Files\game.cfg
2007-06-11 09:53:32 -------- d-----w C:\Program Files\LimeWire
2007-06-11 09:53:22 -------- d-----w C:\Program Files\Incomplete
2007-06-10 17:12:56 21,035 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2007-06-10 17:12:01 -------- d-----w C:\Program Files\NETGEAR
2007-06-10 08:15:11 63,854 ----a-w C:\WINDOWS\system32\perfc00C.dat
2007-06-10 08:15:11 445,434 ----a-w C:\WINDOWS\system32\perfh00C.dat
2007-05-16 15:13:53 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-13 20:37:53 65,024 ----a-w C:\WINDOWS\IFinst26.exe
2007-05-05 22:26:03 50,976,881 ----a-w C:\Program Files\benfica.sav
2007-04-25 14:22:35 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-02-24 19:11:39 98,785,632 ----a-w C:\Program Files\Anderlecht.sav
2006-05-28 12:53:16 301 ----a-w C:\Program Files\~net.out
2006-03-07 16:36:25 67,915,362 ----a-w C:\Program Files\Barça.sav
2005-07-30 14:26:45 26,448,111 ----a-w C:\Program Files\NAV05FRA.exe
2005-07-30 14:03:00 110,592 ----a-w C:\Program Files\setup.exe
2004-10-08 17:46:33 72,194,951 ----a-w C:\Program Files\Porto.sav
2004-03-23 18:46:32 2,592,062 ----a-w C:\Program Files\diamondminesetup.exe
2003-07-27 20:41:22 235 ----a-w C:\Program Files\msg.out
2003-07-27 20:41:22 108,048 ----a-w C:\Program Files\~MB.MBR
2003-07-27 20:41:21 960,048 ----a-w C:\Program Files\~BG.RGN
2003-07-27 20:40:02 73 ----a-w C:\Program Files\sip.ini
2003-07-27 20:40:02 58 ----a-w C:\Program Files\manager.ini
2003-07-27 20:40:02 123 ----a-w C:\Program Files\sound.ini
2002-11-17 14:58:32 272,060 ----a-w C:\Program Files\Uninst.isu
2002-09-21 15:27:57 60,981,981 ----a-w C:\Program Files\EUROLEAGUEFOOTBALL.exe
2001-10-02 14:45:08 7,024,640 ----a-w C:\Program Files\cm0102.exe
2001-10-02 13:36:16 7,024,640 ------w C:\Program Files\cm0102_GDI.exe
2001-09-26 15:04:44 9,958 ----a-w C:\Program Files\readme.txt
2001-09-23 19:16:28 610,304 ----a-r C:\Program Files\piced.exe
2001-09-17 11:10:24 598,016 ----a-r C:\Program Files\langtool.exe
2001-06-20 14:44:44 327 ----a-r C:\Program Files\piced.his
2001-06-20 14:44:44 322 ----a-r C:\Program Files\piced.elp
2001-06-20 14:44:42 65,123 ----a-r C:\Program Files\piccfg.exe
2001-06-20 14:44:42 54,784 ----a-r C:\Program Files\ip.exe
2000-03-16 17:28:32 3,919,872 ----a-w C:\Program Files\ELF.exe
2000-03-16 11:18:38 69,632 ----a-w C:\Program Files\DCSFX.dll
2000-03-16 11:18:38 319,488 ----a-w C:\Program Files\d2s2.dll
2000-03-16 11:18:38 1,036,288 ----a-w C:\Program Files\gfxwin.dll
2000-03-13 15:56:38 287,752 ----a-w C:\Program Files\DAT.pak
2000-03-13 14:13:22 50,555,424 ----a-w C:\Program Files\Graficos.pak
2000-03-13 13:54:54 20,480 ----a-w C:\Program Files\UninstELF.dll
2000-02-23 16:23:52 130,811 ----a-w C:\Program Files\aviso030.030
2000-02-11 17:56:20 194,795 ----a-w C:\Program Files\SFX.dat
1999-11-29 16:03:06 258,048 ----a-w C:\Program Files\Utils.dll
1999-11-24 14:26:08 635,652 ----a-w C:\Program Files\Winfonts.pak
1999-11-15 21:54:16 595,764 ----a-w C:\Program Files\img.pak


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2001-09-04 16:31]
"WorksFUD"="C:\Program Files\Microsoft Works\wkfud.exe" [2000-07-12 11:59]
"Microsoft Works Portfolio"="C:\Program Files\Microsoft Works\WksSb.exe" [2000-07-12 13:14]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [2000-08-04 02:01]
"CloneCDTray"="C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe" [2001-12-19 13:59]
"ElbyCheckElbyCDFL"="C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" [2001-12-06 14:09]
"windows auto update"="" []
"Microsoft Inet Xp.."="" []
"nwiz"="nwiz.exe" [2003-10-06 14:16 C:\WINDOWS\SYSTEM32\nwiz.exe]
"MessengerPlus3"="C:\Documents and Settings\Matthieu\Mes documents\Thibaud Perso\MsgPlus.exe" [2006-06-10 16:31]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-09-16 09:43]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe" [2006-07-26 03:03]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 23:32]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-20 01:10 C:\WINDOWS\SYSTEM32\bthprops.cpl]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54]
"SMSTray"="C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe" [2006-07-21 08:32]
"MAAgent"="C:\Program Files\MarkAny\ContentSafer\MAAgent.exe" [2006-06-02 14:39]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-20 01:09]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [2004-08-06 15:33]
"MSMSGS"="C:\Program Files\Messenger\Msmsgs.exe" [2004-10-13 18:24]
"MessengerPlus3"="C:\Documents and Settings\Matthieu\Mes documents\Thibaud Perso\MsgPlus.exe" [2006-06-10 16:31]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" []
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2006-01-24 21:24]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" /background

C:\Documents and Settings\Matthieu\Menu Démarrer\Programmes\Démarrage\
DESKTOP.INI [2001-09-19 07:29:48]

C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage\
DESKTOP.INI [2001-09-19 07:29:48]
Exif Launcher 2.lnk - C:\Program Files\FinePixViewer\QuickDCF2.exe [2007-02-25 1342]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 23:05:56]
Rappels du Calendrier Microsoft Works.lnk - C:\Program Files\Fichiers communs\Microsoft Shared\Works Shared\wkcalrem.exe [2000-07-12 13:14:38]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-20 00:27:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-20 0:29:14

--- E O F ---



Logfile of HijackThis v1.99.1
Scan saved at 00:31:37, on 20/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\bgsvcgen.exe
C:\Program Files\Fichiers communs\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Microsoft Works\WksSb.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe
C:\Documents and Settings\Matthieu\Mes documents\Thibaud Perso\MsgPlus.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
C:\Program Files\MarkAny\ContentSafer\MAAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\Program Files\Fichiers communs\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Java\jre1.5.0_08\bin\jucheck.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Matthieu\Mes documents\Digital Angels\HijackThis 2.0\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pandasoftware.com/products/activescan.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.fr
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\fr\msntb.dll
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\fr\msntb.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [CloneCDTray] C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe
O4 - HKLM\..\Run: [ElbyCheckElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Documents and Settings\Matthieu\Mes documents\Thibaud Perso\MsgPlus.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SMSTray] C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
O4 - HKLM\..\Run: [MAAgent] C:\Program Files\MarkAny\ContentSafer\MAAgent.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\Msmsgs.exe" /background
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Documents and Settings\Matthieu\Mes documents\Thibaud Perso\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Exif Launcher 2.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Rappels du Calendrier Microsoft Works.lnk = ?
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.fr
O16 - DPF: Interface Chat Wanadoo - http://chat4.x-echo.com/version6/Applet/wchatsign.cab
O16 - DPF: teleir_cert - https://static.ir.dgi.minefi.gouv.fr...eleir_cert.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1156503289484
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...tatsClient.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\SYSTEM32\bgsvcgen.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Fichiers communs\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
kouye is offline  
Old 07-19-2007, 11:22 PM   #4 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,452
OS: N/A


Re: about:blank issue in Internet Explorer 6

Log appears clean but let's do a perfunctory scan

Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan
__________________

Question - what have you done for the community today?
sUBs is offline  
Old 07-20-2007, 06:42 AM   #5 (permalink)
Registered User
 
Join Date: Jan 2007
Location: Paris, France
Posts: 298
OS: Win XP SP3, OS X 10.6


Re: about:blank issue in Internet Explorer 6

Hi,
Here is the Kaspersky online scanner report. The scan has found 19 viruses and 45 infected objects. The report is in French, but I assume all will make sense to you. Just in case :
'L'objet est verrouillé' means 'The object is locked'
'Infecté' means 'Infected'
'Ignoré' means 'Ignored'
'Etendu' means 'Extended'
'Analyse terminée' means 'Scan completed'
Sorry for the inconvenience.

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Friday, July 20, 2007 2:31:50 PM
Système d'exploitation : Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version : 5.0.83.0
Dernière mise à jour de la base antivirus Kaspersky : 20/07/2007
Enregistrements dans la base antivirus Kaspersky : 365729
-------------------------------------------------------------------------------

Paramètres d'analyse:
Analyser avec la base antivirus suivante: étendue
Analyser les archives: vrai
Analyser les bases de messagerie: vrai

Cible de l'analyse - Poste de travail:
A:\
C:\
D:\
E:\

Statistiques de l'analyse:
Total d'objets analysés: 74662
Nombre de virus trouvés: 19
Nombre d'objets infectés: 45 / 0
Nombre d'objets suspects: 0
Durée de l'analyse: 01:47:38

Nom de l'objet infecté / Nom du virus / Dernière action
C:\Deckard\System Scanner\backup\DOCUME~1\Matthieu\LOCALS~1\Temp\PerfectNavUninstall.exe/data0003 Infecté : Trojan-Downloader.Win32.Keenval.f ignoré
C:\Deckard\System Scanner\backup\DOCUME~1\Matthieu\LOCALS~1\Temp\PerfectNavUninstall.exe NSIS: infecté - 1 ignoré
C:\Deckard\System Scanner\backup\DOCUME~1\Matthieu\LOCALS~1\Temp\temp.fr899E\Downloads\51.dat/data0189 Infecté : not-a-virus:AdWare.Win32.DownloadWare.a ignoré
C:\Deckard\System Scanner\backup\DOCUME~1\Matthieu\LOCALS~1\Temp\temp.fr899E\Downloads\51.dat/data0192 Infecté : not-a-virus:AdWare.Win32.DownloadWare ignoré
C:\Deckard\System Scanner\backup\DOCUME~1\Matthieu\LOCALS~1\Temp\temp.fr899E\Downloads\51.dat NSIS: infecté - 2 ignoré
C:\Deckard\System Scanner\backup\DOCUME~1\Matthieu\LOCALS~1\Temp\temp.fr899E\Downloads\90.dat/data0002 Infecté : not-a-virus:AdWare.Win32.MediaPops.a ignoré
C:\Deckard\System Scanner\backup\DOCUME~1\Matthieu\LOCALS~1\Temp\temp.fr899E\Downloads\90.dat NSIS: infecté - 1 ignoré
C:\Deckard\System Scanner\backup\DOCUME~1\Matthieu\LOCALS~1\Temp\temp.fr899E\Temp\me.exe/data0002 Infecté : not-a-virus:AdWare.Win32.MediaPops.a ignoré
C:\Deckard\System Scanner\backup\DOCUME~1\Matthieu\LOCALS~1\Temp\temp.fr899E\Temp\me.exe NSIS: infecté - 1 ignoré
C:\Deckard\System Scanner\backup\DOCUME~1\Matthieu\LOCALS~1\Temp\temp.fr899E\Temp\ml.exe/data0189 Infecté : not-a-virus:AdWare.Win32.DownloadWare.a ignoré
C:\Deckard\System Scanner\backup\DOCUME~1\Matthieu\LOCALS~1\Temp\temp.fr899E\Temp\ml.exe/data0192 Infecté : not-a-virus:AdWare.Win32.DownloadWare ignoré
C:\Deckard\System Scanner\backup\DOCUME~1\Matthieu\LOCALS~1\Temp\temp.fr899E\Temp\ml.exe NSIS: infecté - 2 ignoré
C:\Deckard\System Scanner\backup\DOCUME~1\Matthieu\LOCALS~1\Temp\UpdatedUpdaterInstall.exe/data0002/data0003 Infecté : Trojan-Downloader.Win32.Keenval ignoré
C:\Deckard\System Scanner\backup\DOCUME~1\Matthieu\LOCALS~1\Temp\UpdatedUpdaterInstall.exe/data0002/data0004 Infecté : Trojan-Downloader.Win32.Keenval ignoré
C:\Deckard\System Scanner\backup\DOCUME~1\Matthieu\LOCALS~1\Temp\UpdatedUpdaterInstall.exe/data0002/data0005 Infecté : Trojan-Downloader.Win32.Keenval ignoré
C:\Deckard\System Scanner\backup\DOCUME~1\Matthieu\LOCALS~1\Temp\UpdatedUpdaterInstall.exe/data0002 Infecté : Trojan-Downloader.Win32.Keenval ignoré
C:\Deckard\System Scanner\backup\DOCUME~1\Matthieu\LOCALS~1\Temp\UpdatedUpdaterInstall.exe/data0008 Infecté : Trojan-Downloader.Win32.Small.alx ignoré
C:\Deckard\System Scanner\backup\DOCUME~1\Matthieu\LOCALS~1\Temp\UpdatedUpdaterInstall.exe/data0009/data0003 Infecté : Trojan-Downloader.Win32.Keenval.f ignoré
C:\Deckard\System Scanner\backup\DOCUME~1\Matthieu\LOCALS~1\Temp\UpdatedUpdaterInstall.exe/data0009 Infecté : Trojan-Downloader.Win32.Keenval.f ignoré
C:\Deckard\System Scanner\backup\DOCUME~1\Matthieu\LOCALS~1\Temp\UpdatedUpdaterInstall.exe/data0005 Infecté : Trojan.Win32.Keenval.b ignoré
C:\Deckard\System Scanner\backup\DOCUME~1\Matthieu\LOCALS~1\Temp\UpdatedUpdaterInstall.exe NSIS: infecté - 8 ignoré
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat L'objet est verrouillé ignoré
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat L'objet est verrouillé ignoré
C:\Documents and Settings\All Users\Application Data\Microsoft\Works\Portfolio\Exemple.wsb L'objet est verrouillé ignoré
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7D1C3050.exe Infecté : not-a-virus:Downloader.Win32.WinFixer.o ignoré
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT L'objet est verrouillé ignoré
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat L'objet est verrouillé ignoré
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG L'objet est verrouillé ignoré
C:\Documents and Settings\LocalService\Local Settings\Historique\History.IE5\INDEX.DAT L'objet est verrouillé ignoré
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT L'objet est verrouillé ignoré
C:\Documents and Settings\LocalService\NTUSER.DAT L'objet est verrouillé ignoré
C:\Documents and Settings\LocalService\ntuser.dat.LOG L'objet est verrouillé ignoré
C:\Documents and Settings\Matthieu\Cookies\INDEX.DAT L'objet est verrouillé ignoré
C:\Documents and Settings\Matthieu\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat L'objet est verrouillé ignoré
C:\Documents and Settings\Matthieu\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG L'objet est verrouillé ignoré
C:\Documents and Settings\Matthieu\Local Settings\Historique\History.IE5\INDEX.DAT L'objet est verrouillé ignoré
C:\Documents and Settings\Matthieu\Local Settings\Temporary Internet Files\Content.IE5\index.dat L'objet est verrouillé ignoré
C:\Documents and Settings\Matthieu\Mes documents\Matthieu Perso\SetupOneMX.exe/file4 Infecté : not-a-virus:AdWare.Win32.MyWay.c ignoré
C:\Documents and Settings\Matthieu\Mes documents\Matthieu Perso\SetupOneMX.exe Inno: infecté - 1 ignoré
C:\Documents and Settings\Matthieu\ntuser.dat L'objet est verrouillé ignoré
C:\Documents and Settings\Matthieu\ntuser.dat.LOG L'objet est verrouillé ignoré
C:\Documents and Settings\NetworkService\Cookies\index.dat L'objet est verrouillé ignoré
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat L'objet est verrouillé ignoré
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG L'objet est verrouillé ignoré
C:\Documents and Settings\NetworkService\Local Settings\Historique\History.IE5\index.dat L'objet est verrouillé ignoré
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat L'objet est verrouillé ignoré
C:\Documents and Settings\NetworkService\NTUSER.DAT L'objet est verrouillé ignoré
C:\Documents and Settings\NetworkService\ntuser.dat.LOG L'objet est verrouillé ignoré
C:\Program Files\KaZaA\My Shared Folder\kmd171_fr.exe/data0003/cd_clint.dll Infecté : not-a-virus:AdWare.Win32.Cydoor ignoré
C:\Program Files\KaZaA\My Shared Folder\kmd171_fr.exe/data0003/cd_htm.dll Infecté : not-a-virus:AdWare.Win32.Cydoor ignoré
C:\Program Files\KaZaA\My Shared Folder\kmd171_fr.exe/data0003 Infecté : not-a-virus:AdWare.Win32.Cydoor ignoré
C:\Program Files\KaZaA\My Shared Folder\kmd171_fr.exe/data0012 Infecté : not-a-virus:AdWare.Win32.NewDotNet ignoré
C:\Program Files\KaZaA\My Shared Folder\kmd171_fr.exe/data0013 Infecté : not-a-virus:AdWare.Win32.DownloadWare.a ignoré
C:\Program Files\KaZaA\My Shared Folder\kmd171_fr.exe/data0017 Infecté : not-a-virus:AdWare.Win32.BrilliantDigital.1007 ignoré
C:\Program Files\KaZaA\My Shared Folder\kmd171_fr.exe/data0021/bdedetect1.dll Infecté : not-a-virus:AdWare.Win32.BrilliantDigital.1007 ignoré
C:\Program Files\KaZaA\My Shared Folder\kmd171_fr.exe/data0021/bdeclean.exe Infecté : not-a-virus:AdWare.Win32.BrilliantDigital.30170 ignoré
C:\Program Files\KaZaA\My Shared Folder\kmd171_fr.exe/data0021 Infecté : not-a-virus:AdWare.Win32.BrilliantDigital.30170 ignoré
C:\Program Files\KaZaA\My Shared Folder\kmd171_fr.exe/data0022 Infecté : not-a-virus:AdWare.Win32.BrilliantDigital.1100 ignoré
C:\Program Files\KaZaA\My Shared Folder\kmd171_fr.exe/data0023 Infecté : not-a-virus:AdWare.Win32.Altnet.a ignoré
C:\Program Files\KaZaA\My Shared Folder\kmd171_fr.exe Inno: infecté - 11 ignoré
C:\Program Files\KaZaA\PerfectNavUninstall.exe/data0003 Infecté : Trojan-Downloader.Win32.Keenval.f ignoré
C:\Program Files\KaZaA\PerfectNavUninstall.exe NSIS: infecté - 1 ignoré
C:\Program Files\MediaLoads\v1\ML.exe Infecté : not-a-virus:AdWare.Win32.DownloadWare ignoré
C:\Program Files\MyWay\myBar\1.bin\MY2NS.EXE Infecté : not-a-virus:AdWare.Win32.MyWay.b ignoré
C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL Infecté : not-a-virus:AdWare.Win32.MyWay.m ignoré
C:\Program Files\MyWay\myBar\1.bin\NPMYWAY.DLL Infecté : not-a-virus:AdWare.Win32.MyWay.f ignoré
C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL Infecté : not-a-virus:AdWare.Win32.MyWay.c ignoré
C:\System Volume Information\_restore{E76E0855-6E35-4275-83F4-FA20D9EFDF4F}\RP1353\change.log L'objet est verrouillé ignoré
C:\WINDOWS\Debug\PASSWD.LOG L'objet est verrouillé ignoré
C:\WINDOWS\SchedLgU.Txt L'objet est verrouillé ignoré
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log L'objet est verrouillé ignoré
C:\WINDOWS\Sti_Trace.log L'objet est verrouillé ignoré
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log L'objet est verrouillé ignoré
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb L'objet est verrouillé ignoré
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt L'objet est verrouillé ignoré
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT L'objet est verrouillé ignoré
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG L'objet est verrouillé ignoré
C:\WINDOWS\SYSTEM32\CONFIG\SAM L'objet est verrouillé ignoré
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG L'objet est verrouillé ignoré
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt L'objet est verrouillé ignoré
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY L'objet est verrouillé ignoré
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG L'objet est verrouillé ignoré
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE L'objet est verrouillé ignoré
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG L'objet est verrouillé ignoré
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt L'objet est verrouillé ignoré
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM L'objet est verrouillé ignoré
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG L'objet est verrouillé ignoré
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS Infecté : Email-Worm.Win32.Bagle.pac ignoré
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.msn Infecté : Email-Worm.Win32.Bagle.pac ignoré
C:\WINDOWS\SYSTEM32\H323LOG.TXT L'objet est verrouillé ignoré
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR L'objet est verrouillé ignoré
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP L'objet est verrouillé ignoré
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER L'objet est verrouillé ignoré
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP L'objet est verrouillé ignoré
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP L'objet est verrouillé ignoré
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA L'objet est verrouillé ignoré
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP L'objet est verrouillé ignoré
C:\WINDOWS\WIADEBUG.LOG L'objet est verrouillé ignoré
C:\WINDOWS\WIASERVC.LOG L'objet est verrouillé ignoré
C:\WINDOWS\WindowsUpdate.log L'objet est verrouillé ignoré

Analyse terminée.
kouye is offline  
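Cross-referencing the two logs posted above, as an added example that is not part of any post in this thread: it parses the French Kaspersky report format, drops the "L'objet est verrouillé" (locked) lines, collapses archive members to the file on disk, and lists the HijackThis O2/O3 Internet Explorer add-on entries whose DLL the scan flagged. The function names are this example's own, and the sample lines are excerpts of the logs quoted in the thread.

```python
import re
from collections import defaultdict

# Excerpt of the Kaspersky On-line Scanner report posted in this thread.
KAV_REPORT = r"""
C:\Program Files\KaZaA\My Shared Folder\kmd171_fr.exe/data0003/cd_clint.dll Infecté : not-a-virus:AdWare.Win32.Cydoor ignoré
C:\Program Files\KaZaA\My Shared Folder\kmd171_fr.exe/data0012 Infecté : not-a-virus:AdWare.Win32.NewDotNet ignoré
C:\Program Files\KaZaA\My Shared Folder\kmd171_fr.exe Inno: infecté - 11 ignoré
C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL Infecté : not-a-virus:AdWare.Win32.MyWay.m ignoré
C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL Infecté : not-a-virus:AdWare.Win32.MyWay.c ignoré
C:\WINDOWS\SYSTEM32\CONFIG\SAM L'objet est verrouillé ignoré
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS Infecté : Email-Worm.Win32.Bagle.pac ignoré
"""

# Excerpt of the HijackThis log posted in this thread.
HJT_LOG = r"""
O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
"""

# "<object> Infecté : <detection> ignoré" is a real detection.
INFECTED = re.compile(r"^(?P<obj>.+?)\s+Infecté : (?P<name>\S+) ignoré$")
# "<object> L'objet est verrouillé ignoré" only means the file was in use.
LOCKED = re.compile(r"^(?P<obj>.+?)\s+L'objet est verrouillé ignoré$")
# HijackThis O2 (BHO) and O3 (toolbar) entries: label, CLSID, DLL path.
IE_ADDON = re.compile(
    r"^(?P<kind>O2|O3) - (?:BHO|Toolbar): (?P<label>.+?) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$"
)


def parse_kaspersky(report):
    """Return ({file_on_disk: [detections]}, [locked_objects])."""
    infected = defaultdict(set)
    locked = []
    for line in report.splitlines():
        line = line.strip()
        m = INFECTED.match(line)
        if m:
            # Archive members are written as "<file>/data0003/inner.dll";
            # Windows paths never contain "/", so cut at the first one.
            disk_file = m["obj"].split("/", 1)[0]
            infected[disk_file].add(m["name"])
            continue
        m = LOCKED.match(line)
        if m:
            locked.append(m["obj"])
        # Per-archive summaries ("NSIS: infecté - 1", "Inno: infecté - 11")
        # match neither pattern and are skipped: their members are counted.
    return {f: sorted(names) for f, names in infected.items()}, locked


def flagged_ie_addons(hjt_log, infected):
    """List O2/O3 entries whose DLL appears among the infected files."""
    by_path = {path.lower(): names for path, names in infected.items()}
    hits = []
    for line in hjt_log.splitlines():
        m = IE_ADDON.match(line.strip())
        if m and m["path"].lower() in by_path:
            hits.append((m["kind"], m["clsid"], m["path"],
                         by_path[m["path"].lower()]))
    return hits


if __name__ == "__main__":
    infected, locked = parse_kaspersky(KAV_REPORT)
    print(f"{len(infected)} flagged files on disk, {len(locked)} locked objects skipped")
    for kind, clsid, path, names in flagged_ie_addons(HJT_LOG, infected):
        print(f"{kind} {clsid} loads flagged file {path}: {', '.join(names)}")
```
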
Old 07-20-2007, 07:31 AM   #6 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,452
OS: N/A


Re: about:blank issue in Internet Explorer 6

Open notepad and copy/paste the text in the quotebox below into it:

Code:
@echo off
rem Start with a fresh log of anything that could not be removed
if exist "%temp%\log.txt" del "%temp%\log.txt"

rem Files flagged in the Kaspersky report: force-delete each, log any that survive
for %%g in (
"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7D1C3050.exe"
"C:\Documents and Settings\Matthieu\Mes documents\Matthieu Perso\SetupOneMX.exe"
"C:\Program Files\KaZaA\My Shared Folder\kmd171_fr.exe"
"C:\Program Files\KaZaA\PerfectNavUninstall.exe"
"C:\Program Files\MediaLoads\v1\ML.exe"
"C:\Program Files\MyWay\myBar\1.bin\MY2NS.EXE"
"C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL"
"C:\Program Files\MyWay\myBar\1.bin\NPMYWAY.DLL"
"C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL"
"C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS"
"C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.msn"
) do (
del /a/f %%g >nul 2>&1
if exist %%g echo.%%g>>"%temp%\log.txt"
)

rem Tool working folders: remove each whole tree, log any that survive
for %%g in (
C:\Deckard
%systemdrive%\Qoobox
) do (
rd /s/q %%g >nul 2>&1
if exist %%g echo.%%g>>"%temp%\log.txt"
)
rem Show the leftovers in Notepad, or report success
if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!
rem Wait 7 seconds (nircmd.exe must be on the PATH)
nircmd wait 7000
rem Remove this batch file once done
del %0
Save this as fix.bat. Choose to "Save type as - All Files".
It should look like this:
Double click on fix.bat & allow it to run

Post back to tell me what it says
sUBs is offline  
Old 07-20-2007, 01:59 PM   #7 (permalink)
Registered User
 
Join Date: Jan 2007
Location: Paris, France
Posts: 298
OS: Win XP SP3, OS X 10.6


Re: about:blank issue in Internet Explorer 6

Hi,
The batch file runs OK and quits after a while. A Notepad window shows up and says :
"C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL"
"C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL"
kouye is offline  
Old 07-20-2007, 03:05 PM   #8 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,452
OS: N/A


Re: about:blank issue in Internet Explorer 6

Open notepad and copy/paste the text in the quotebox below into it:

Code:
Folder::
C:\Program Files\MyWay
Save this as "CFScript"




Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
sUBs is offline  
Old 07-20-2007, 11:56 PM   #9 (permalink)
Registered User
 
Join Date: Jan 2007
Location: Paris, France
Posts: 298
OS: Win XP SP3, OS X 10.6


Re: about:blank issue in Internet Explorer 6

Here it is :

"Matthieu" - 2007-07-21 7:43:38 - ComboFix 07-07-20.5 - Service Pack 2 NTFS
Command switches used :: C:\Documents and Settings\Matthieu\Mes documents\Digital Angels\Batch files\CFScript.txt


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\MyWay
C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
C:\Program Files\MyWay\myBar\1.bin\MYWAYPLUGINPROXY.CLASS
C:\Program Files\MyWay\myBar\1.bin\PARTNER.BMP
C:\Program Files\MyWay\myBar\1.bin\PARTNER.DAT
C:\Program Files\MyWay\myBar\1.bin\PARTNER2.DAT
C:\Program Files\MyWay\myBar\1.bin\PARTNER3.DAT
C:\Program Files\MyWay\myBar\1.bin\PARTNER4.DAT
C:\Program Files\MyWay\myBar\1.bin\PARTNER5.DAT
C:\Program Files\MyWay\myBar\1.bin\PARTNER6.DAT
C:\Program Files\MyWay\myBar\1.bin\UNINSTALL.INF
C:\Program Files\MyWay\myBar\Cache\0001DD0D
C:\Program Files\MyWay\myBar\Cache\003A6C9A.bmp
C:\Program Files\MyWay\myBar\Cache\003A6E50.bmp
C:\Program Files\MyWay\myBar\Cache\003A6FF6.bmp
C:\Program Files\MyWay\myBar\Cache\0061ACE2
C:\Program Files\MyWay\myBar\Cache\008BEAB9
C:\Program Files\MyWay\myBar\Cache\0096F6CA
C:\Program Files\MyWay\myBar\Cache\00DFC6ED
C:\Program Files\MyWay\myBar\Cache\01058518.bin
C:\Program Files\MyWay\myBar\Cache\0105870C.bin
C:\Program Files\MyWay\myBar\Cache\01058910.bin
C:\Program Files\MyWay\myBar\Cache\01809C15
C:\Program Files\MyWay\myBar\Cache\01C2B48D
C:\Program Files\MyWay\myBar\Cache\04567FF6
C:\Program Files\MyWay\myBar\Cache\05391EEA
C:\Program Files\MyWay\myBar\Cache\files.ini
C:\Program Files\MyWay\myBar\History\search
C:\Program Files\MyWay\myBar\Settings\prevcfg.htm
C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL
C:\Program Files\MyWay\SrchAstt\1.bin\PARTNER.DAT
C:\Program Files\MyWay\SrchAstt\1.bin\PARTNER2.DAT
C:\Program Files\MyWay\SrchAstt\Cache\0001DDA9
C:\Program Files\MyWay\SrchAstt\Cache\0061C06A
C:\Program Files\MyWay\SrchAstt\Cache\008BEC7E
C:\Program Files\MyWay\SrchAstt\Cache\0096F718
C:\Program Files\MyWay\SrchAstt\Cache\01809C73
C:\Program Files\MyWay\SrchAstt\Cache\05391EEA
C:\Program Files\MyWay\SrchAstt\Cache\files.ini


((((((((((((((((((((((((( Files Created from 2007-06-21 to 2007-07-21 )))))))))))))))))))))))))))))))


2007-07-20 12:34 <REP> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-07-20 00:21 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-19 22:35 <REP> d-------- C:\Program Files\SpywareBlaster
2007-07-19 22:34 1,156 --a------ C:\WINDOWS\mozver.dat
2007-07-19 22:32 0 --a------ C:\WINDOWS\nsreg.dat
2007-07-19 19:51 31,024 --a------ C:\WINDOWS\SYSTEM32\rrMon.sys
2007-07-19 19:50 <REP> d-------- C:\Program Files\Registrar Registry Manager
2007-07-17 18:11 <REP> d-------- C:\WINDOWS\SYSTEM32\SoftwareDistribution
2007-07-17 18:07 20,992 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\RTL8139.sys


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))


sUBs, I'll be away and logged out for the rest of the weekend. I'll be back online on Sunday evening (GMT+1:00). Have a great WE and speak to you soon.
kouye is offline  
Old 07-21-2007, 03:50 AM   #10 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,452
OS: N/A


Re: about:blank issue in Internet Explorer 6

Matthieu, the ComboFix log that was posted is incomplete.
sUBs is offline  
Old 07-22-2007, 04:53 AM   #11 (permalink)
Registered User
 
Join Date: Jan 2007
Location: Paris, France
Posts: 298
OS: Win XP SP3, OS X 10.6


Re: about:blank issue in Internet Explorer 6

OK, sorry. I'll be back at my desk tonight and will re-post.
kouye is offline  
Old 07-22-2007, 01:17 PM   #12 (permalink)
Registered User
 
Join Date: Jan 2007
Location: Paris, France
Posts: 298
OS: Win XP SP3, OS X 10.6


Re: about:blank issue in Internet Explorer 6

Here's the full log :


"Matthieu" - 2007-07-21 7:43:38 - ComboFix 07-07-20.5 - Service Pack 2 NTFS
Command switches used :: C:\Documents and Settings\Matthieu\Mes documents\Digital Angels\Batch files\CFScript.txt


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\MyWay
C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
C:\Program Files\MyWay\myBar\1.bin\MYWAYPLUGINPROXY.CLASS
C:\Program Files\MyWay\myBar\1.bin\PARTNER.BMP
C:\Program Files\MyWay\myBar\1.bin\PARTNER.DAT
C:\Program Files\MyWay\myBar\1.bin\PARTNER2.DAT
C:\Program Files\MyWay\myBar\1.bin\PARTNER3.DAT
C:\Program Files\MyWay\myBar\1.bin\PARTNER4.DAT
C:\Program Files\MyWay\myBar\1.bin\PARTNER5.DAT
C:\Program Files\MyWay\myBar\1.bin\PARTNER6.DAT
C:\Program Files\MyWay\myBar\1.bin\UNINSTALL.INF
C:\Program Files\MyWay\myBar\Cache\0001DD0D
C:\Program Files\MyWay\myBar\Cache\003A6C9A.bmp
C:\Program Files\MyWay\myBar\Cache\003A6E50.bmp
C:\Program Files\MyWay\myBar\Cache\003A6FF6.bmp
C:\Program Files\MyWay\myBar\Cache\0061ACE2
C:\Program Files\MyWay\myBar\Cache\008BEAB9
C:\Program Files\MyWay\myBar\Cache\0096F6CA
C:\Program Files\MyWay\myBar\Cache\00DFC6ED
C:\Program Files\MyWay\myBar\Cache\01058518.bin
C:\Program Files\MyWay\myBar\Cache\0105870C.bin
C:\Program Files\MyWay\myBar\Cache\01058910.bin
C:\Program Files\MyWay\myBar\Cache\01809C15
C:\Program Files\MyWay\myBar\Cache\01C2B48D
C:\Program Files\MyWay\myBar\Cache\04567FF6
C:\Program Files\MyWay\myBar\Cache\05391EEA
C:\Program Files\MyWay\myBar\Cache\files.ini
C:\Program Files\MyWay\myBar\History\search
C:\Program Files\MyWay\myBar\Settings\prevcfg.htm
C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL
C:\Program Files\MyWay\SrchAstt\1.bin\PARTNER.DAT
C:\Program Files\MyWay\SrchAstt\1.bin\PARTNER2.DAT
C:\Program Files\MyWay\SrchAstt\Cache\0001DDA9
C:\Program Files\MyWay\SrchAstt\Cache\0061C06A
C:\Program Files\MyWay\SrchAstt\Cache\008BEC7E
C:\Program Files\MyWay\SrchAstt\Cache\0096F718
C:\Program Files\MyWay\SrchAstt\Cache\01809C73
C:\Program Files\MyWay\SrchAstt\Cache\05391EEA
C:\Program Files\MyWay\SrchAstt\Cache\files.ini


((((((((((((((((((((((((( Files Created from 2007-06-21 to 2007-07-21 )))))))))))))))))))))))))))))))


2007-07-20 12:34 <REP> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-07-20 00:21 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-19 22:35 <REP> d-------- C:\Program Files\SpywareBlaster
2007-07-19 22:34 1,156 --a------ C:\WINDOWS\mozver.dat
2007-07-19 22:32 0 --a------ C:\WINDOWS\nsreg.dat
2007-07-19 19:51 31,024 --a------ C:\WINDOWS\SYSTEM32\rrMon.sys
2007-07-19 19:50 <REP> d-------- C:\Program Files\Registrar Registry Manager
2007-07-17 18:11 <REP> d-------- C:\WINDOWS\SYSTEM32\SoftwareDistribution
2007-07-17 18:07 20,992 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\RTL8139.sys


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-20 17:43:16 -------- d-----w C:\Program Files\KaZaA
2007-07-19 20:47:26 -------- d-----w C:\Program Files\Symantec
2007-07-19 20:22:18 -------- d-----w C:\Program Files\Fichiers communs\Symantec Shared
2007-07-19 20:03:49 -------- dc----w C:\DOCUME~1\Matthieu\APPLIC~1\Symantec
2007-07-17 16:28:51 -------- dc----w C:\DOCUME~1\Matthieu\APPLIC~1\MSN6
2007-07-17 16:09:10 -------- d-----w C:\Program Files\FinePixViewer
2007-07-17 15:31:29 -------- d-----w C:\Program Files\Wanadoo
2007-07-17 15:29:20 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-07-15 14:21:32 66,376,282 ----a-w C:\Program Files\Man U.sav
2007-07-15 14:21:32 324,009 ----a-w C:\Program Files\hall_of_fame.bin
2007-07-15 14:20:42 535 ----a-w C:\Program Files\game.cfg
2007-06-11 09:53:32 -------- d-----w C:\Program Files\LimeWire
2007-06-11 09:53:22 -------- d-----w C:\Program Files\Incomplete
2007-06-10 17:12:56 21,035 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2007-06-10 17:12:01 -------- d-----w C:\Program Files\NETGEAR
2007-06-10 08:15:11 63,854 ----a-w C:\WINDOWS\system32\perfc00C.dat
2007-06-10 08:15:11 445,434 ----a-w C:\WINDOWS\system32\perfh00C.dat
2007-05-16 15:13:53 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-13 20:37:53 65,024 ----a-w C:\WINDOWS\IFinst26.exe
2007-05-05 22:26:03 50,976,881 ----a-w C:\Program Files\benfica.sav
2007-04-25 14:22:35 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-02-24 19:11:39 98,785,632 ----a-w C:\Program Files\Anderlecht.sav
2006-05-28 12:53:16 301 ----a-w C:\Program Files\~net.out
2006-03-07 16:36:25 67,915,362 ----a-w C:\Program Files\Barça.sav
2005-07-30 14:26:45 26,448,111 ----a-w C:\Program Files\NAV05FRA.exe
2005-07-30 14:03:00 110,592 ----a-w C:\Program Files\setup.exe
2004-10-08 17:46:33 72,194,951 ----a-w C:\Program Files\Porto.sav
2004-03-23 18:46:32 2,592,062 ----a-w C:\Program Files\diamondminesetup.exe
2003-07-27 20:41:22 235 ----a-w C:\Program Files\msg.out
2003-07-27 20:41:22 108,048 ----a-w C:\Program Files\~MB.MBR
2003-07-27 20:41:21 960,048 ----a-w C:\Program Files\~BG.RGN
2003-07-27 20:40:02 73 ----a-w C:\Program Files\sip.ini
2003-07-27 20:40:02 58 ----a-w C:\Program Files\manager.ini
2003-07-27 20:40:02 123 ----a-w C:\Program Files\sound.ini
2002-11-17 14:58:32 272,060 ----a-w C:\Program Files\Uninst.isu
2002-09-21 15:27:57 60,981,981 ----a-w C:\Program Files\EUROLEAGUEFOOTBALL.exe
2001-10-02 14:45:08 7,024,640 ----a-w C:\Program Files\cm0102.exe
2001-10-02 13:36:16 7,024,640 ------w C:\Program Files\cm0102_GDI.exe
2001-09-26 15:04:44 9,958 ----a-w C:\Program Files\readme.txt
2001-09-23 19:16:28 610,304 ----a-r C:\Program Files\piced.exe
2001-09-17 11:10:24 598,016 ----a-r C:\Program Files\langtool.exe
2001-06-20 14:44:44 327 ----a-r C:\Program Files\piced.his
2001-06-20 14:44:44 322 ----a-r C:\Program Files\piced.elp
2001-06-20 14:44:42 65,123 ----a-r C:\Program Files\piccfg.exe
2001-06-20 14:44:42 54,784 ----a-r C:\Program Files\ip.exe
2000-03-16 17:28:32 3,919,872 ----a-w C:\Program Files\ELF.exe
2000-03-16 11:18:38 69,632 ----a-w C:\Program Files\DCSFX.dll
2000-03-16 11:18:38 319,488 ----a-w C:\Program Files\d2s2.dll
2000-03-16 11:18:38 1,036,288 ----a-w C:\Program Files\gfxwin.dll
2000-03-13 15:56:38 287,752 ----a-w C:\Program Files\DAT.pak
2000-03-13 14:13:22 50,555,424 ----a-w C:\Program Files\Graficos.pak
2000-03-13 13:54:54 20,480 ----a-w C:\Program Files\UninstELF.dll
2000-02-23 16:23:52 130,811 ----a-w C:\Program Files\aviso030.030
2000-02-11 17:56:20 194,795 ----a-w C:\Program Files\SFX.dat
1999-11-29 16:03:06 258,048 ----a-w C:\Program Files\Utils.dll
1999-11-24 14:26:08 635,652 ----a-w C:\Program Files\Winfonts.pak
1999-11-15 21:54:16 595,764 ----a-w C:\Program Files\img.pak


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2001-09-04 16:31]
"WorksFUD"="C:\Program Files\Microsoft Works\wkfud.exe" [2000-07-12 11:59]
"Microsoft Works Portfolio"="C:\Program Files\Microsoft Works\WksSb.exe" [2000-07-12 13:14]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [2000-08-04 02:01]
"CloneCDTray"="C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe" [2001-12-19 13:59]
"ElbyCheckElbyCDFL"="C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" [2001-12-06 14:09]
"windows auto update"="" []
"Microsoft Inet Xp.."="" []
"nwiz"="nwiz.exe" [2003-10-06 14:16 C:\WINDOWS\SYSTEM32\nwiz.exe]
"MessengerPlus3"="C:\Documents and Settings\Matthieu\Mes documents\Thibaud Perso\MsgPlus.exe" [2006-06-10 16:31]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-09-16 09:43]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe" [2006-07-26 03:03]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 23:32]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-20 01:10 C:\WINDOWS\SYSTEM32\bthprops.cpl]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54]
"SMSTray"="C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe" [2006-07-21 08:32]
"MAAgent"="C:\Program Files\MarkAny\ContentSafer\MAAgent.exe" [2006-06-02 14:39]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-20 01:09]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [2004-08-06 15:33]
"MSMSGS"="C:\Program Files\Messenger\Msmsgs.exe" [2004-10-13 18:24]
"MessengerPlus3"="C:\Documents and Settings\Matthieu\Mes documents\Thibaud Perso\MsgPlus.exe" [2006-06-10 16:31]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" []
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2006-01-24 21:24]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" /background

C:\Documents and Settings\Matthieu\Menu D‚marrer\Programmes\D‚marrage\
DESKTOP.INI [2001-09-19 07:29:48]

C:\Documents and Settings\All Users\Menu D‚marrer\Programmes\D‚marrage\
DESKTOP.INI [2001-09-19 07:29:48]
Exif Launcher 2.lnk - C:\Program Files\FinePixViewer\QuickDCF2.exe [2007-02-25 1342]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 23:05:56]
Rappels du Calendrier Microsoft Works.lnk - C:\Program Files\Fichiers communs\Microsoft Shared\Works Shared\wkcalrem.exe [2000-07-12 13:14:38]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-21 07:47:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-21 7:49:14
C:\ComboFix-quarantined-files.txt ... 2007-07-21 07:48
C:\ComboFix2.txt ... 2007-07-20 00:29

--- E O F ---
kouye is offline  
Old 07-22-2007, 01:22 PM   #13 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,452
OS: N/A


Re: about:blank issue in Internet Explorer 6

Open notepad and copy/paste the text in the quotebox below:
(don't forget to copy and paste REGEDIT4)

Quote:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"windows auto update"=-
"Microsoft Inet Xp.."=-
Save this as fix.reg. Choose to "Save type as - All Files".
It should look like this:
Double click on fix.reg & allow it to merge into the registry

How's the machine behaving now?
__________________

Question - what have you done for the community today?
sUBs is offline  
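
The check behind the fix.reg above, as an added example that is not part of the original post and not ComboFix's own code: it scans a "Reg Loading Points" section for Run values whose data is empty and renders the matching REGEDIT4 deletion file. The function names and the abridged sample (copied from the log earlier in this thread) are constructed for illustration.

```python
import re

# Constructed sample: Run sections abridged from the ComboFix log in this thread.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CloneCDTray"="C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe" [2001-12-19 13:59]
"windows auto update"="" []
"Microsoft Inet Xp.."="" []
"nwiz"="nwiz.exe" [2003-10-06 14:16 C:\WINDOWS\SYSTEM32\nwiz.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" []
'''

KEY_RE = re.compile(r'^\[(HK[^\]]+)\]\s*$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>[^"]*)"(?P<rest>.*)$')

def find_empty_run_values(log_text):
    """Return {key: [value names]} for autorun values whose data is empty."""
    hits, key = {}, None
    for line in log_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        # Only an empty command is flagged; an entry such as BitTorrent, which
        # has a command but an empty [] stamp, is left for manual review.
        if m and key and m.group('data') == '':
            hits.setdefault(key, []).append(m.group('name'))
    return hits

def build_fix_reg(hits):
    """Render a REGEDIT4 file that deletes each flagged value ("name"=-)."""
    out = ['REGEDIT4', '']
    for key, names in hits.items():
        out.append('[%s]' % key)
        out.extend('"%s"=-' % n for n in names)
        out.append('')
    return '\r\n'.join(out)

if __name__ == '__main__':
    print(build_fix_reg(find_empty_run_values(SAMPLE_LOG)))
```
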
Old 07-22-2007, 03:29 PM   #14 (permalink)
Registered User
 
Join Date: Jan 2007
Location: Paris, France
Posts: 298
OS: Win XP SP3, OS X 10.6


Re: about:blank issue in Internet Explorer 6

OK, I ran the fix.reg file. The PC seems to behave fine. Internet access is functional and speed is normal. Do you believe it's clean ?
kouye is offline  
Old 07-22-2007, 03:34 PM   #15 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,452
OS: N/A


Re: about:blank issue in Internet Explorer 6

Yes, it's clean. The reg file merely deleted some orphaned entries.

C:\QooBox\ is ComboFix's quarantine folder. You can safely delete it


Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:

  1. CLEAR & RESET SYSTEM RESTORE'S CACHE - (System Volume Information folder)
    Go to Start → Run → type control sysdm.cpl,,4 & press Enter
    • Tick on the checkbox - Turn off System Restore on all drives
    • Click Apply
    Turn it back 'On' by unticking the same checkbox & click OK


  2. DISABLE THE VIEWING OF SYSTEM FILES
    From Windows Explorer, go to Tools>Folder Options> View tab.
    • Untick - Show hidden files and folder
    • Tick - Hide file extensions for known types
    • Tick - Hide protected operating system files
    Click Yes to confirm & then click OK


  3. SECURING INTERNET EXPLORER
    From within Internet Explorer click on the Tools menu and then click on Internet Options.
    • Select the Security tab
      • Click once on the Internet icon so it becomes highlighted.
      • Select Custom Level.
        • Change 'Download signed ActiveX controls' to Prompt
        • Change 'Download unsigned ActiveX controls' to Disable
        • Change 'Initialize and script ActiveX controls not marked as safe' to Disable
        • Change 'Installation of desktop items' to Prompt
        • Change 'Launching programs and files in an IFRAME' to Prompt
        • Change 'Navigate sub-frames across different domains' to Prompt
        • When all these changes have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Select OK to exit the Internet Properties page.


  4. ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources → http://www.bleepingcomputer.com/forums/topict405.html

    It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


  5. FIREWALL
    Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here → http://www.bleepingcomputer.com/forums/tutorial60.html


  6. Microsoft Windows Update → http://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


  7. SPYBOT - SEARCH & DESTROY
    Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here → http://www.bleepingcomputer.com/forums/tutorial43.html

  8. AD-AWARE
    Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here → http://www.bleepingcomputer.com/forums/tutorial48.html


  9. SPYWAREBLASTER
    SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites.

    Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here → http://www.bleepingcomputer.com/forums/tutorial49.html


  10. IE-SPYAD
    IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here → http://www.spywarewarrior.com/uiuc/resource.htm

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.
  • http://www.trillian.cc → Trillian or http://www.miranda-im.com → Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

  • http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.

  • http://toolbar.google.com/ - Google Toolbar - Get the free google toolbar to help stop pop up windows.

  • http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein - http://computercops.biz/postlite7736-.html

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

Please respond to this thread one more time so we can mark this thread as resolved.
__________________

Question - what have you done for the community today?
sUBs is offline  
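
A way to verify step 3 of the checklist above (SECURING INTERNET EXPLORER) from a registry export instead of the dialog, as an added example that is not part of the original post. The mapping of the six settings to Internet-zone value names, the function name and the sample export are assumptions made for this sketch, not taken from the thread.

```python
import re

# Assumption (not from the thread): value names Internet Explorer uses for the
# six step-3 settings in zone 3. Data: 0 = Enable, 1 = Prompt, 3 = Disable.
RECOMMENDED = {
    '1001': (1, 'Download signed ActiveX controls'),
    '1004': (3, 'Download unsigned ActiveX controls'),
    '1201': (3, 'Initialize and script ActiveX controls not marked as safe'),
    '1800': (1, 'Installation of desktop items'),
    '1804': (1, 'Launching programs and files in an IFRAME'),
    '1607': (1, 'Navigate sub-frames across different domains'),
}
LABEL = {0: 'Enable', 1: 'Prompt', 3: 'Disable'}

# Constructed sample: a REGEDIT4-style export of the current user's zone 3 key.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000001
"1004"=dword:00000000
"1201"=dword:00000003
"1800"=dword:00000001
"1804"=dword:00000000
'''

DWORD_RE = re.compile(r'^"(\d{4})"=dword:([0-9a-fA-F]{8})\s*$')

def audit_internet_zone(reg_text):
    """Return [(value name, setting, found, wanted)] for each deviation."""
    in_zone3, current = False, {}
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith('['):
            in_zone3 = line.rstrip(']').lower().endswith(r'internet settings\zones\3')
            continue
        m = DWORD_RE.match(line)
        if in_zone3 and m:
            current[m.group(1)] = int(m.group(2), 16)
    findings = []
    for action, (wanted, setting) in RECOMMENDED.items():
        found = current.get(action)  # None: value missing from the export
        if found != wanted:
            shown = LABEL.get(found, 'not set' if found is None else hex(found))
            findings.append((action, setting, shown, LABEL[wanted]))
    return findings
```
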
Old 07-23-2007, 12:40 AM   #16 (permalink)
Registered User
 
Join Date: Jan 2007
Location: Paris, France
Posts: 298
OS: Win XP SP3, OS X 10.6


Re: about:blank issue in Internet Explorer 6

Great ! Thanks for your help, sUBs. You guys really stand out.
kouye is offline  
All times are GMT -7. The time now is 04:16 PM.



Copyright 2001 - 2009, Tech Support Forum