Mischel Internet Security Forum
rb3-rb4.tmp in recycle bin.... ....again!!!
tittuq
« on: Oct 16th, 2007, 10:48pm »

I'm new to this forum and I've been searching for answers about my recurring rb3-rb4.tmp that always shows up in my recycle bin, and I found out I had to scan with HijackThis and post the results here!
 
So here it goes! Now what do I do?
 
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:31:16, on 2007-10-16
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Bell\Gestionnaire de securite\Fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Fichiers communs\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe
C:\Program Files\Bell\Gestionnaire de securite\Rps.exe
C:\WINDOWS\system32\ugmqex.exe
C:\WINDOWS\system32\wscsvc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\Program Files\Initio\AcomData PushButton Manager v1.10\inihid_xp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\Bell\Sympatico Security Advisor\SSAComHandler.exe
C:\Program Files\Bell\Gestionnaire de securite\rpsupdaterR.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.bearshare.com/sidebar.html?src=ssb
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.ca/0SEENCA/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: {1A03F196-9617-4CA0-842B-A83CEECB022B} -  - (no file)
R3 - URLSearchHook: (no name) - {1BB22D38-A411-4B13-A746-C2A4F4EC7344} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Bell\Gestionnaire de securite\pkR.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [eMusicClient] C:\Program Files\Winamp\eMusic\eMusicClient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [yozemruA] C:\WINDOWS\yozemruA.exe
O4 - HKLM\..\Run: [win32085114836881] C:\WINDOWS\win32085114836881.exe
O4 - HKLM\..\Run: [sys014836881511] C:\WINDOWS\sys014836881511.exe
O4 - HKLM\..\Run: [ms068151148368] C:\WINDOWS\ms068151148368.exe
O4 - HKLM\..\Run: [MotiveReportAgent] "C:\Program Files\Fichiers communs\Motive\McciBootStrapper.exe" /url="-url=file://C:\Program Files\Fichiers communs\Motive\ReportAgent.html" /browsertype=CustomMSIE /browserpath="C:\Program Files\Common Files\Motive\motivebrowser.exe" /hidden
O4 - HKLM\..\Run: [Windows Security Center] wscsvc.exe
O4 - HKLM\..\Run: [ddluevkqr] C:\WINDOWS\system32\ddluevkqr.exe
O4 - HKLM\..\Run: [SSA.exe] "C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe" /AUTORUN
O4 - HKLM\..\Run: [Gestionnaire de sécurité Sympatico] "C:\Program Files\Bell\Gestionnaire de securite\Rps.exe"
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Bell\Gestionnaire de securite\ZkRunOnceR.exe"
O4 - HKLM\..\Run: [vguiayywhwgl] C:\WINDOWS\system32\vguiayywhwgl.exe
O4 - HKLM\..\Run: [ugmqex] C:\WINDOWS\system32\ugmqex.exe
O4 - HKLM\..\Run: [myyhu] C:\WINDOWS\system32\myyhu.exe
O4 - HKLM\..\Run: [gakkkajsld] C:\WINDOWS\system32\gakkkajsld.exe
O4 - HKLM\..\Run: [kvifqrl] C:\WINDOWS\system32\kvifqrl.exe
O4 - HKLM\..\RunServices: [ddluevkqr] C:\WINDOWS\system32\ddluevkqr.exe
O4 - HKLM\..\RunServices: [vguiayywhwgl] C:\WINDOWS\system32\vguiayywhwgl.exe
O4 - HKLM\..\RunServices: [ugmqex] C:\WINDOWS\system32\ugmqex.exe
O4 - HKLM\..\RunServices: [myyhu] C:\WINDOWS\system32\myyhu.exe
O4 - HKLM\..\RunServices: [gakkkajsld] C:\WINDOWS\system32\gakkkajsld.exe
O4 - HKLM\..\RunServices: [kvifqrl] C:\WINDOWS\system32\kvifqrl.exe
O4 - HKLM\..\RunOnce: [IndexCleaner] "C:\Program Files\Bell\Gestionnaire de securite\IdxClnR.exe"
O4 - HKCU\..\Run: [Ahsc] "C:\DOCUME~1\DAVIDL~1\APPLIC~1\CROSOF~1\services.exe" -vt ndrv
O4 - HKCU\..\Run: [Xsovk] C:\WINDOWS\system32\?racle\m?iexec.exe
O4 - HKCU\..\Run: [Ad Arrest] C:\Program Files\Ad Arrest IE Popup Killer\adarrest.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\RunOnce: [IndexCleaner] "C:\Program Files\Bell\Gestionnaire de securite\IdxClnR.exe"
O4 - HKCU\..\Policies\Explorer\Run: [WinUpdate.exe] C:\Program Files\Windows\WinUpdate.exe
O4 - HKUS\S-1-5-18\..\Run: [Ahsc] "C:\PROGRA~1\SMBOLS~1\winspool.exe" -vt ndrv (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [] C:\WINDOWS\system32\RACLE~1\MIEXEC~1.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Ndsnu] C:\WINDOWS\system32\?ssembly\r?gedit.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Ahsc] "C:\PROGRA~1\SMBOLS~1\winspool.exe" -vt ndrv (User 'Default user')
O4 - Global Startup: AcomData PushButton Manager.lnk = ?
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZNxmk762CJCA
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ca\msntabres.dll.mui/229?1b74c3f2b9f04640ae443be02cb6bf34
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ca\msntabres.dll.mui/230?1b74c3f2b9f04640ae443be02cb6bf34
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.15.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1096553206578
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1149456744727
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
O20 - Winlogon Notify: App Paths - C:\WINDOWS\
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Fichiers communs\Authentium\AntiVirus\dvpapi.exe
O23 - Service: Print Spooler Service (ey0ztun6ieniaozu) - Unknown owner - C:\WINDOWS\system32\gakkkajsld.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\rthlpsvc.exe
O23 - Service: Service de mise-à-jour pour le Gestionnaire de sécurité Sympatico (RPSUpdaterR) - Bell Sympatico - C:\Program Files\Bell\Gestionnaire de securite\rpsupdaterR.exe
O23 - Service: Gestionnaire de sécurité Sympatico Coupe-feu (RP_FWS) - Bell Sympatico - C:\Program Files\Bell\Gestionnaire de securite\Fws.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
 
--
End of file - 10998 bytes
siliconman01
« Reply #1 on: Oct 17th, 2007, 12:42am »

Welcome to the forum, tittuq.
 
According to your Hijackthis log, your computer appears to be significantly infected.
 
Please start the cleanup by following the procedure in the link below.  Once you have completed the initial cleanup, please post the logs that are requested at the end of the procedure back here so that we can see what other cleanup needs to be done.
 
http://www.misec.net/forum/board/FAQ/1170863449

______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
tittuq
« Reply #2 on: Oct 17th, 2007, 5:34pm »

Hey siliconman, I'm back!
 
I did everything you said, even though I had a little hard time trying to translate all the steps (I'm French Canadian!), but I think it went really well. So do I post the results (CCleaner, TrojanHunter & SUPERAntiSpyware) right in this thread or do I put them in another one?
 
Thanks!
siliconman01
« Reply #3 on: Oct 18th, 2007, 1:01am »

Please post the TrojanHunter, SUPERAntiSpyware, BitDefender and a NEW HijackThis log right here in this thread.
tittuq
« Reply #4 on: Oct 18th, 2007, 10:42am »

Here it goes:
 
TrojanHunter Scan Report - Saved 2007-10-17 15:51
 
Suspicious registry entry: HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\IndexCleaner
Suspicious registry entry: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\IndexCleaner
Suspicious registry entry: HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\ddluevkqr
Suspicious registry entry: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ddluevkqr
Suspicious registry entry: HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\vguiayywhwgl
Suspicious registry entry: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\vguiayywhwgl
Suspicious registry entry: HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\ugmqex
Suspicious registry entry: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ugmqex
Suspicious registry entry: HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\myyhu
Suspicious registry entry: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\myyhu
Suspicious registry entry: HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\gakkkajsld
Suspicious registry entry: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\gakkkajsld
Suspicious registry entry: HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\kvifqrl
Suspicious registry entry: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\kvifqrl
Suspicious registry entry: HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\wqgkqoreffrp
Suspicious registry entry: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\wqgkqoreffrp
Suspicious registry entry: HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\ke
Suspicious registry entry: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ke
Registry key exists: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Paths (matches Adware.LookToMe.100)
Registry key exists: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Paths (matches Adware.LookToMe.100)
Registry value exists: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\WinUpdate.exe (matches Adware.Agent.122)
Registry value exists: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\WinUpdate.exe (matches Adware.Agent.122)
Error: Directory not found: C:\Documents and Settings\David Lessard\Application Data\?icrosoft
Error: Directory not found: C:\Documents and Settings\David Lessard\Application Data\?icrosoft
Error: Directory not found: C:\Documents and Settings\David Lessard\Application Data\??crosoft
Error: Directory not found: C:\Documents and Settings\David Lessard\Application Data\??crosoft
Error: Directory not found: C:\Program Files\Common Files\?ppPatch
Error: Directory not found: C:\Program Files\Common Files\?ppPatch
Error: Directory not found: C:\Program Files\Common Files\?asks
Error: Directory not found: C:\Program Files\Common Files\?asks
Error: Directory not found: C:\WINDOWS\system32\??pPatch
Error: Directory not found: C:\WINDOWS\system32\??pPatch
Error: Directory not found: C:\WINDOWS\system32\?racle
Error: Directory not found: C:\WINDOWS\system32\?racle
Error: Directory not found: C:\WINDOWS\system32\?ssembly
Error: Directory not found: C:\WINDOWS\system32\?ssembly
Error: Directory not found: C:\WINDOWS\W?nSxS
Error: Directory not found: C:\WINDOWS\W?nSxS
Error: Directory not found: C:\WINDOWS\?dobe
Error: Directory not found: C:\WINDOWS\?dobe
Error: Directory not found: C:\WINDOWS\?ystem
Error: Directory not found: C:\WINDOWS\?ystem
Removed registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\IndexCleaner
Removed registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\IndexCleaner
Removed registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\ddluevkqr
Removed registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ddluevkqr
Removed registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\vguiayywhwgl
Removed registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\vguiayywhwgl
Removed registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\ugmqex
Removed registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ugmqex
Removed registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\myyhu
Removed registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\myyhu
Removed registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\gakkkajsld
Removed registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\gakkkajsld
Removed registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\kvifqrl
Removed registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\kvifqrl
Removed registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\wqgkqoreffrp
Removed registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\wqgkqoreffrp
Removed registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\ke
Removed registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ke
Removed registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Paths
Removed registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\WinUpdate.exe
tittuq
« Reply #5 on: Oct 18th, 2007, 11:01am »

SUPERAntiSpyware Scan Log
http://www.superantispyware.com
 
Generated 10/17/2007 at 04:59 PM
 
Application Version : 3.9.1008
 
Core Rules Database Version : 3326
Trace Rules Database Version: 1327
 
Scan type  : Complete Scan
Total Scan Time : 00:48:46
 
Memory items scanned : 90
Memory threats detected   : 0
Registry items scanned    : 5232
Registry threats detected : 18
File items scanned   : 38004
File threats detected     : 40
 
Trojan.NetMon/DNSChange
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor#Type
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor#Start
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor#DisplayName
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor#ObjectName
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor\Security
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor\Security#Security
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#DeviceDesc
 
Adware.Starware
C:\Documents and Settings\All Users\Application Data\Starware\buttons\cursorcafe.bmp
C:\Documents and Settings\All Users\Application Data\Starware\buttons\cursorcafeA.bmp
C:\Documents and Settings\All Users\Application Data\Starware\buttons\FindIt.bmp
C:\Documents and Settings\All Users\Application Data\Starware\buttons\FindItHot.bmp
C:\Documents and Settings\All Users\Application Data\Starware\buttons\findithotxp.png
C:\Documents and Settings\All Users\Application Data\Starware\buttons\finditxp.png
C:\Documents and Settings\All Users\Application Data\Starware\buttons\games.bmp
C:\Documents and Settings\All Users\Application Data\Starware\buttons\gamesA.bmp
C:\Documents and Settings\All Users\Application Data\Starware\buttons\Highlight.bmp
C:\Documents and Settings\All Users\Application Data\Starware\buttons\HighlightHot.bmp
C:\Documents and Settings\All Users\Application Data\Starware\buttons\highlighthotxp.png
C:\Documents and Settings\All Users\Application Data\Starware\buttons\highlightxp.png
C:\Documents and Settings\All Users\Application Data\Starware\buttons\jokesearch.bmp
C:\Documents and Settings\All Users\Application Data\Starware\buttons\logo.bmp
C:\Documents and Settings\All Users\Application Data\Starware\buttons\logoxp.bmp
C:\Documents and Settings\All Users\Application Data\Starware\buttons\moviesA.bmp
C:\Documents and Settings\All Users\Application Data\Starware\buttons\pranks.bmp
C:\Documents and Settings\All Users\Application Data\Starware\buttons\smiley.bmp
C:\Documents and Settings\All Users\Application Data\Starware\buttons\smileyxp.png
C:\Documents and Settings\All Users\Application Data\Starware\buttons
C:\Documents and Settings\All Users\Application Data\Starware\contexts\error.xml
C:\Documents and Settings\All Users\Application Data\Starware\contexts\related.xml
C:\Documents and Settings\All Users\Application Data\Starware\contexts\travel.xml
C:\Documents and Settings\All Users\Application Data\Starware\contexts
C:\Documents and Settings\All Users\Application Data\Starware\SimpleUpdate\ProductMessagingConfig.xml
C:\Documents and Settings\All Users\Application Data\Starware\SimpleUpdate\ProductMessagingConfig.xml.backup
C:\Documents and Settings\All Users\Application Data\Starware\SimpleUpdate\SimpleUpdateConfig.xml
C:\Documents and Settings\All Users\Application Data\Starware\SimpleUpdate\SimpleUpdateConfig.xml.backup
C:\Documents and Settings\All Users\Application Data\Starware\SimpleUpdate\TimerManagerConfig.xml
C:\Documents and Settings\All Users\Application Data\Starware\SimpleUpdate\TimerManagerConfig.xml.backup
C:\Documents and Settings\All Users\Application Data\Starware\SimpleUpdate
C:\Documents and Settings\All Users\Application Data\Starware
 
Trojan.DollarRevenue
C:\WINDOWS\keyboard1.dat
 
Trojan.DNSChanger-Codec
C:\DOCUMENTS AND SETTINGS\DAVID LESSARD\BUREAU\DOWNLOADS FIREFOX\NET-CODEC1331.EXE
 
Trojan.Unknown Origin
C:\WINDOWS\SYSTEM32\WAPISVCC.EXE
 
Adware.Tracking Cookie
C:\WINDOWS\Temp\Cookies\david lessard@ad.yieldmanager[2].txt
C:\WINDOWS\Temp\Cookies\david lessard@cassava[1].txt
C:\WINDOWS\Temp\Cookies\david lessard@cpvfeed[1].txt
C:\WINDOWS\Temp\Cookies\david lessard@kmpads[2].txt
C:\WINDOWS\Temp\Cookies\david lessard@msnportal.112.2o7[1].txt
siliconman01
« Reply #6 on: Oct 18th, 2007, 11:56am »

Okay, looks like TH and SAS found a treasure trove of malicious files.  
 
Did you run a remote scan with BitDefender?
 
Would you please post a new HijackThis scan log?
tittuq
« Reply #7 on: Oct 18th, 2007, 12:17pm »

[General]
App= "BitDefender Online Scanner v8"
Date= 18:10:2007
Time= 13:04:24
Scan Path= A:\;C:\;D:\;E:\;
 
[Engines Info]
Virus Definitions= 827162
Engine build= "AVCORE v1.0 (build 2422) (i386) (Sep 25 2007 08:26:36)"
Scan plugins= 14
Archive plugins= 38
Unpack plugins= 7
E-mail plugins= 6
System plugins= 1
 
[Scan Statistics]
Folders= 5163
Files= 225696
Archives= 1203
Packed files= 6071
Identified viruses= 5
Infected files= 6
Warnings= 0
Suspect files= 0
Disinfected files= 0
Deleted files= 5
Copied files= 0
Moved files= 0
Renamed files= 0
I/O Errors= 30
 
[Scan Settings]
SecondAction= Delete
FirstAction= Disinfect
Heuristics= 1
Enable Warnings= 1
Exclude Ext=  
Extensions= *;
Scan Emails= 1
Scan Archives= 1
Scan Packed= 1
Scan Files= 1
Scan Boot= 1
Verify Memory= 0
 
[Scan Results]
Line00000015= "C:\Documents and Settings\David Lessard\Bureau\Downloads FireFox\setup.exe Infected with: Trojan.Downloader.Zlob.AARX"
Line00000014= "C:\Documents and Settings\David Lessard\Bureau\Downloads FireFox\setup.exe Deleted"
Line00000013= "C:\System Volume Information\_restore{3D13997A-678B-4E5E-9041-409CBC7B2CBC}\RP805\A0146750.exe Infected with: DeepScan:Generic.Zlob.7.06B0FD20"
Line00000012= "C:\System Volume Information\_restore{3D13997A-678B-4E5E-9041-409CBC7B2CBC}\RP805\A0146750.exe Disinfection failed"
Line00000011= "C:\System Volume Information\_restore{3D13997A-678B-4E5E-9041-409CBC7B2CBC}\RP805\A0146750.exe Deleted"
Line00000010= "C:\System Volume Information\_restore{3D13997A-678B-4E5E-9041-409CBC7B2CBC}\RP816\A0150456.exe Detected with:  Adware.PartyPoker.A"
Line00000009= "C:\System Volume Information\_restore{3D13997A-678B-4E5E-9041-409CBC7B2CBC}\RP816\A0150456.exe Disinfection failed"
Line00000008= "C:\System Volume Information\_restore{3D13997A-678B-4E5E-9041-409CBC7B2CBC}\RP816\A0150456.exe Deleted"
Line00000007= "C:\System Volume Information\_restore{3D13997A-678B-4E5E-9041-409CBC7B2CBC}\RP828\A0153891.exe Infected with: DeepScan:Generic.Zlob.7.1FED44BB"
Line00000006= "C:\System Volume Information\_restore{3D13997A-678B-4E5E-9041-409CBC7B2CBC}\RP828\A0153891.exe Disinfection failed"
Line00000005= "C:\System Volume Information\_restore{3D13997A-678B-4E5E-9041-409CBC7B2CBC}\RP828\A0153891.exe Deleted"
Line00000004= "C:\System Volume Information\_restore{3D13997A-678B-4E5E-9041-409CBC7B2CBC}\RP834\A0154218.exe Infected with: Trojan.Downloader.Zlob.AARX"
Line00000003= "C:\System Volume Information\_restore{3D13997A-678B-4E5E-9041-409CBC7B2CBC}\RP834\A0154218.exe Deleted"
Line00000002= "C:\WINDOWS\system32\wscsvc.exe Infected with: Trojan.Downloader.Agent.YOV"
Line00000001= "C:\WINDOWS\system32\wscsvc.exe Disinfection failed"
Line00000000= "C:\WINDOWS\system32\wscsvc.exe Delete failed"
tittuq
« Reply #8 on: Oct 18th, 2007, 12:18pm »

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:18:02, on 2007-10-18
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Bell\Gestionnaire de securite\Fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe
C:\Program Files\Bell\Gestionnaire de securite\Rps.exe
C:\WINDOWS\system32\wscsvc.exe
C:\Program Files\TrojanHunter 5.0\THGuard.exe
C:\WINDOWS\system32\gakkkajsld.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Initio\AcomData PushButton Manager v1.10\inihid_xp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Bell\Sympatico Security Advisor\SSAComHandler.exe
C:\Program Files\Bell\Gestionnaire de securite\rpsupdaterR.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Fichiers communs\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.ca/0SEENCA/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: {1A03F196-9617-4CA0-842B-A83CEECB022B} -  - (no file)
R3 - URLSearchHook: (no name) - {1BB22D38-A411-4B13-A746-C2A4F4EC7344} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Bell\Gestionnaire de securite\pkR.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [eMusicClient] C:\Program Files\Winamp\eMusic\eMusicClient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [yozemruA] C:\WINDOWS\yozemruA.exe
O4 - HKLM\..\Run: [win32085114836881] C:\WINDOWS\win32085114836881.exe
O4 - HKLM\..\Run: [sys014836881511] C:\WINDOWS\sys014836881511.exe
O4 - HKLM\..\Run: [ms068151148368] C:\WINDOWS\ms068151148368.exe
O4 - HKLM\..\Run: [MotiveReportAgent] "C:\Program Files\Fichiers communs\Motive\McciBootStrapper.exe" /url="-url=file://C:\Program Files\Fichiers communs\Motive\ReportAgent.html" /browsertype=CustomMSIE /browserpath="C:\Program Files\Common Files\Motive\motivebrowser.exe" /hidden
O4 - HKLM\..\Run: [Windows Security Center] wscsvc.exe
O4 - HKLM\..\Run: [SSA.exe] "C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe" /AUTORUN
O4 - HKLM\..\Run: [Gestionnaire de sécurité Sympatico] "C:\Program Files\Bell\Gestionnaire de securite\Rps.exe"
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Bell\Gestionnaire de securite\ZkRunOnceR.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\Run: [gakkkajsld] C:\WINDOWS\system32\gakkkajsld.exe
O4 - HKLM\..\Run: [bwtsgwos] C:\WINDOWS\system32\bwtsgwos.exe
O4 - HKLM\..\Run: [f] C:\WINDOWS\system32\f.exe
O4 - HKLM\..\Run: [jl] C:\WINDOWS\system32\jl.exe
O4 - HKLM\..\RunServices: [gakkkajsld] C:\WINDOWS\system32\gakkkajsld.exe
O4 - HKLM\..\RunServices: [bwtsgwos] C:\WINDOWS\system32\bwtsgwos.exe
O4 - HKLM\..\RunServices: [f] C:\WINDOWS\system32\f.exe
O4 - HKLM\..\RunServices: [jl] C:\WINDOWS\system32\jl.exe
O4 - HKLM\..\RunOnce: [IndexCleaner] "C:\Program Files\Bell\Gestionnaire de securite\IdxClnR.exe"
O4 - HKCU\..\Run: [Ahsc] "C:\DOCUME~1\DAVIDL~1\APPLIC~1\CROSOF~1\services.exe" -vt ndrv
O4 - HKCU\..\Run: [Xsovk] C:\WINDOWS\system32\?racle\m?iexec.exe
O4 - HKCU\..\Run: [Ad Arrest] C:\Program Files\Ad Arrest IE Popup Killer\adarrest.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [IndexCleaner] "C:\Program Files\Bell\Gestionnaire de securite\IdxClnR.exe"
O4 - HKUS\S-1-5-18\..\Run: [Ahsc] "C:\PROGRA~1\SMBOLS~1\winspool.exe" -vt ndrv (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [] C:\WINDOWS\system32\RACLE~1\MIEXEC~1.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Ndsnu] C:\WINDOWS\system32\?ssembly\r?gedit.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Ahsc] "C:\PROGRA~1\SMBOLS~1\winspool.exe" -vt ndrv (User 'Default user')
O4 - Global Startup: AcomData PushButton Manager.lnk = ?
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZNxmk762CJCA
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ca\msntabres.dll.mui/229?1b74c3f2b9f04640ae443be02cb6bf34
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ca\msntabres.dll.mui/230?1b74c3f2b9f04640ae443be02cb6bf34
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.15.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1096553206578
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1149456744727
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Fichiers communs\Authentium\AntiVirus\dvpapi.exe
O23 - Service: Print Spooler Service (ey0ztun6ieniaozu) - Unknown owner - C:\WINDOWS\system32\f.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\rthlpsvc.exe
O23 - Service: Service de mise-à-jour pour le Gestionnaire de sécurité Sympatico (RPSUpdaterR) - Bell Sympatico - C:\Program Files\Bell\Gestionnaire de securite\rpsupdaterR.exe
O23 - Service: Gestionnaire de sécurité Sympatico Coupe-feu (RP_FWS) - Bell Sympatico - C:\Program Files\Bell\Gestionnaire de securite\Fws.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
 
--
End of file - 11945 bytes
siliconman01
Global Moderator
Re: rb3-rb4.tmp in recycle bin.... ....again!!!
« Reply #9 on: Oct 18th, 2007, 1:16pm »
Okay, there are still several infections present.  Please go to the link below and download Combofix.exe.  Save it on your desktop.
 
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
 
-  Double click combofix.exe & follow the prompts.  
 
-  A window will open with a warning. Type "1" (and Enter) to start the fix.  
 
-  When the scan completes it will open a text window.
 
-  Please attach the combofix log back here.
 
-  Run HJT again and post a NEW HJT log back here.  
 
(Combofix will automatically save the log file to C:\combofix.txt)
 
 
Caution - do not touch your mouse/keyboard until the Combofix scan has completed. The Combofix scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
« Last Edit: Oct 18th, 2007, 1:23pm by siliconman01 »

______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
tittuq
Newbie
Re: rb3-rb4.tmp in recycle bin.... ....again!!!
« Reply #10 on: Oct 18th, 2007, 1:33pm »
ComboFix 07-10-18.6 - David Lessard 2007-10-18 14:27:10.1 - NTFSx86  
Microsoft Windows XP Édition familiale 5.1.2600.2.1252.1.1036.18.165 [GMT -4:00]
Running from: C:\Documents and Settings\David Lessard\Bureau\ComboFix.exe
 * Created a new restore point
.
 
((((((((((((((((((((((((((((((((((((   Autres suppressions   ))))))))))))))))))))))))))))))))))))))))))))))))
.
 
C:\Documents and Settings\David Lessard\Application Data\CROSOF~1
C:\Documents and Settings\David Lessard\Application Data\ICROSO~1
C:\Program Files\Fichiers communs\inetget
C:\Program Files\outlook
C:\Program Files\windows
C:\WINDOWS\dobe~1
C:\WINDOWS\system32\f.exe
C:\WINDOWS\system32\ppatch~1
C:\WINDOWS\system32\racle~1
C:\WINDOWS\system32\ssembl~1
C:\WINDOWS\wnsxs~1
C:\WINDOWS\ystem~1
 
.
(((((((((((((((((((((((((((((   Fichiers créés 2007-09-18 to 2007-10-18  ))))))))))))))))))))))))))))))))))))
.
 
2007-10-18 14:26  51,200  --a------  C:\WINDOWS\NirCmd.exe
2007-10-18 13:51  225,509  --a------  C:\WINDOWS\system32\bftm.exe
2007-10-18 12:08  <REP>  d--------  C:\WINDOWS\BDOSCAN8
2007-10-18 11:38  225,509  --a------  C:\WINDOWS\system32\jl.exe
2007-10-17 18:03  <REP>  d--------  C:\WINDOWS\system32\fr-fr
2007-10-17 18:01  225,509  --a------  C:\WINDOWS\system32\bwtsgwos.exe
2007-10-17 17:54  6,058,496  -----c---  C:\WINDOWS\system32\dllcache\ieframe.dll
2007-10-17 17:54  2,455,488  -----c---  C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-10-17 17:54  459,264  -----c---  C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-10-17 17:54  383,488  -----c---  C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-10-17 17:54  267,776  -----c---  C:\WINDOWS\system32\dllcache\iertutil.dll
2007-10-17 17:54  63,488  -----c---  C:\WINDOWS\system32\dllcache\icardie.dll
2007-10-17 17:54  52,224  -----c---  C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-10-17 17:54  13,824  -----c---  C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-10-17 15:58  <REP>  d--------  C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-10-17 14:19  <REP>  d--------  C:\Documents and Settings\David Lessard\Application Data\TrojanHunter
2007-10-17 13:30  <REP>  d--------  C:\Program Files\SUPERAntiSpyware
2007-10-17 13:30  <REP>  d--------  C:\Program Files\Fichiers communs\Wise Installation Wizard
2007-10-17 13:30  <REP>  d--------  C:\Documents and Settings\David Lessard\Application Data\SUPERAntiSpyware.com
2007-10-17 13:27  <REP>  d--------  C:\Program Files\TrojanHunter 5.0
2007-10-17 13:27  <REP>  d--------  C:\Program Files\CCleaner
2007-10-17 13:07  225,509  --a------  C:\WINDOWS\system32\ke.exe
2007-10-17 01:08  225,509  --a------  C:\WINDOWS\system32\wqgkqoreffrp.exe
2007-10-16 23:28  <REP>  d--------  C:\Program Files\Trend Micro
2007-10-16 16:25  225,509  --a------  C:\WINDOWS\system32\kvifqrl.exe
2007-10-15 19:04  225,509  --a------  C:\WINDOWS\system32\gakkkajsld.exe
2007-10-15 12:55  225,509  --a------  C:\WINDOWS\system32\lhhtjee.exe
2007-10-14 20:26  225,509  --a------  C:\WINDOWS\system32\myyhu.exe
2007-10-12 15:35  224,655  --a------  C:\WINDOWS\system32\ugmqex.exe
2007-10-11 11:43  226,914  --a------  C:\WINDOWS\system32\vguiayywhwgl.exe
2007-10-09 13:57  584,192  -----c---  C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-07 17:26  <REP>  d--------  C:\Program Files\LimeWire
2007-10-06 21:38  <REP>  d--------  C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-10-03 15:12  <REP>  dr-------  C:\Documents and Settings\LocalService\Mes documents
2007-10-03 14:52  55,296  --a------  C:\WINDOWS\system32\drivers\rp_skt32.sys
2007-10-03 14:51  <REP>  d--------  C:\Program Files\Raxco
2007-10-03 14:51  <REP>  d--------  C:\Program Files\Fichiers communs\Scanner
2007-10-03 14:51  <REP>  d--------  C:\Program Files\Fichiers communs\Authentium
2007-10-03 14:51  <REP>  d--------  C:\Program Files\CA
2007-10-03 14:51  <REP>  d--------  C:\Documents and Settings\All Users\Application Data\Raxco
2007-10-03 14:51  48,384  --a------  C:\WINDOWS\system32\drivers\rp_pkt32.sys
2007-10-03 14:50  <REP>  d--------  C:\Program Files\Bell
2007-10-03 14:50  <REP>  d--------  C:\Documents and Settings\David Lessard\Application Data\Bell
2007-10-03 14:50  <REP>  d--------  C:\Documents and Settings\All Users\Application Data\Bell
2007-10-03 14:49  <REP>  d--------  C:\Documents and Settings\David Lessard\Application Data\InstallShield
2007-10-02 23:13  60,928  ---hs----  C:\WINDOWS\system32\wscsvc.exe
2007-09-25 13:13  129,784  ---------  C:\WINDOWS\system32\pxafs.dll
2007-09-19 19:45  81,920  -ra------  C:\WINDOWS\system32\drivers\InfReg.exe
2007-09-19 19:45  28,005  -ra------  C:\WINDOWS\system32\drivers\enethusb.sys
2007-09-19 19:39  <REP>  d--------  C:\WINDOWS\system32\CodeBaby
2007-09-19 19:38  <REP>  d--------  C:\Program Files\Fichiers communs\Motive
2007-09-19 19:38  <REP>  d--------  C:\Documents and Settings\All Users\Application Data\Motive
2007-09-19 19:38  69,632  --a------  C:\WINDOWS\system32\MCCDevice.dll
2007-09-19 19:38  6,048  --a------  C:\WINDOWS\system32\MCC16.dll
 
.
((((((((((((((((((((((((((((((((((   Compte-rendu de Find3M   ))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-17 05:27  ---------  d-----w  C:\Documents and Settings\David Lessard\Application Data\Lavasoft
2007-10-14 00:19  ---------  d-----w  C:\Documents and Settings\David Lessard\Application Data\Azureus
2007-10-11 04:12  ---------  d-----w  C:\Program Files\Winamp
2007-10-07 22:25  ---------  d-----w  C:\Program Files\DivX
2007-10-03 18:50  ---------  d--h--w  C:\Program Files\InstallShield Installation Information
2007-09-23 18:00  ---------  d-----w  C:\Program Files\Azureus
2007-09-21 20:28  1,882  ----a-w  C:\Program Files\INSTALL.LOG
2007-09-19 23:38  ---------  d-----w  C:\Program Files\Common Files
2007-08-21 06:17  683,520  ----a-w  C:\WINDOWS\system32\inetcomm.dll
2007-08-13 22:54  413,696  ----a-w  C:\WINDOWS\system32\vbscript.dll
2007-08-13 22:54  156,160  ----a-w  C:\WINDOWS\system32\msls31.dll
2007-08-13 22:45  78,336  ----a-w  C:\WINDOWS\system32\ieencode.dll
2007-08-13 22:44  40,960  ----a-w  C:\WINDOWS\system32\licmgr10.dll
2007-08-13 22:39  71,680  ----a-w  C:\WINDOWS\system32\admparse.dll
2007-08-13 22:39  55,296  ----a-w  C:\WINDOWS\system32\iesetup.dll
2007-08-13 22:36  36,352  ----a-w  C:\WINDOWS\system32\imgutil.dll
2007-08-13 22:32  45,568  ----a-w  C:\WINDOWS\system32\mshta.exe
2007-08-13 22:01  48,128  ----a-w  C:\WINDOWS\system32\mshtmler.dll
2007-07-30 23:19  92,504  ----a-w  C:\WINDOWS\system32\cdm.dll
2007-07-30 23:19  549,720  ----a-w  C:\WINDOWS\system32\wuapi.dll
2007-07-30 23:19  53,080  ----a-w  C:\WINDOWS\system32\wuauclt.exe
2007-07-30 23:19  43,352  ----a-w  C:\WINDOWS\system32\wups2.dll
2007-07-30 23:19  325,976  ----a-w  C:\WINDOWS\system32\wucltui.dll
2007-07-30 23:19  271,224  ----a-w  C:\WINDOWS\system32\mucltui.dll
2007-07-30 23:19  207,736  ----a-w  C:\WINDOWS\system32\muweb.dll
2007-07-30 23:19  203,096  ----a-w  C:\WINDOWS\system32\wuweb.dll
2007-07-30 23:19  1,712,984  ----a-w  C:\WINDOWS\system32\wuaueng.dll
2007-07-30 23:18  33,624  ----a-w  C:\WINDOWS\system32\wups.dll
2007-07-26 23:06  200,704  ----a-w  C:\WINDOWS\system32\ssldivx.dll
2007-07-26 23:06  1,044,480  ----a-w  C:\WINDOWS\system32\libdivx.dll
.
 
(((((((((((((((((((((((((((((((((   Point de chargement Reg   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2003-03-11 09:24]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2003-03-11 09:11]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-03-20 15:05]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2003-03-20 13:13]
"NeroCheck"="C:\WINDOWS\system32\\NeroCheck.exe" [2001-07-09 06:50]
"eMusicClient"="C:\Program Files\Winamp\eMusic\eMusicClient.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 14:03]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 16:57]
"yozemruA"="C:\WINDOWS\yozemruA.exe" []
"win32085114836881"="C:\WINDOWS\win32085114836881.exe" []
"sys014836881511"="C:\WINDOWS\sys014836881511.exe" []
"ms068151148368"="C:\WINDOWS\ms068151148368.exe" []
"MotiveReportAgent"="C:\Program Files\Fichiers communs\Motive\McciBootStrapper.exe" []
"Windows Security Center"="wscsvc.exe" [2007-10-03 03:03 C:\WINDOWS\system32\wscsvc.exe]
"SSA.exe"="C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe" [2007-03-27 10:33]
"Gestionnaire de sécurité Sympatico"="C:\Program Files\Bell\Gestionnaire de securite\Rps.exe" [2007-05-09 12:35]
"-FreedomNeedsReboot"="C:\Program Files\Bell\Gestionnaire de securite\ZkRunOnceR.exe" [2007-05-09 12:35]
"THGuard"="C:\Program Files\TrojanHunter 5.0\THGuard.exe" [2007-09-09 09:31]
"gakkkajsld"="C:\WINDOWS\system32\gakkkajsld.exe" [2007-10-15 19:04]
"bwtsgwos"="C:\WINDOWS\system32\bwtsgwos.exe" [2007-10-17 18:01]
"jl"="C:\WINDOWS\system32\jl.exe" [2007-10-18 11:38]
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ahsc"="C:\DOCUME~1\DAVIDL~1\APPLIC~1\CROSOF~1\services.exe" []
"Xsovk"="C:\WINDOWS\system32\?racle\m?iexec.exe" []
"Ad Arrest"="C:\Program Files\Ad Arrest IE Popup Killer\adarrest.exe" []
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 19:09]
 
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"IndexCleaner"="C:\Program Files\Bell\Gestionnaire de securite\IdxClnR.exe"
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"IndexCleaner"="C:\Program Files\Bell\Gestionnaire de securite\IdxClnR.exe"
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"gakkkajsld"=C:\WINDOWS\system32\gakkkajsld.exe
"bwtsgwos"=C:\WINDOWS\system32\bwtsgwos.exe
"f"=C:\WINDOWS\system32\f.exe
"jl"=C:\WINDOWS\system32\jl.exe
 
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Ahsc"="C:\PROGRA~1\SMBOLS~1\winspool.exe" -vt ndrv
"Ndsnu"=C:\WINDOWS\system32\?ssembly\r?gedit.exe
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]  
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
 
S2 ey0ztun6ieniaozu;Print Spooler Service;C:\WINDOWS\system32\bftm.exe /service
S3 Radialpoint Security Services;Gestionnaire de sécurité Sympatico;C:\WINDOWS\system32\dllhost.exe /Processid:{80098F68-1220-4F43-80A8-15C7395B8874}
 
*Newly Created Service* - CATCHME
.
Contenu du dossier 'Scheduled Tasks/Tâches planifiées'
"2007-09-23 14:42:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2007-10-18 18:02:05 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
.
**************************************************************************
 
catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-18 14:29:15
Windows 5.1.2600 Service Pack 2 NTFS
 
scanning hidden processes ...
 
scanning hidden autostart entries ...
 
scanning hidden files ...
 
scan completed successfully  
hidden files: 0  
 
**************************************************************************
.
Completion time: 2007-10-18 14:30:12
.
--- E O F ---
tittuq
Newbie
Re: rb3-rb4.tmp in recycle bin.... ....again!!!
« Reply #11 on: Oct 18th, 2007, 1:36pm »
Hope it's the last time..... Hope it's the last time..... Hope it's the last time..... Hope it's the last time..... Hope it's the last time..... Hope it's the last time..... Hope it's the last time..... Hope it's the last time..... Hope it's the last time..... Hope it's the last time..... Hope it's the last time..... Hope it's the last time..... Hope it's the last time..... Hope it's the last time.....
;)
 
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:34:17, on 2007-10-18
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Bell\Gestionnaire de securite\Fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe
C:\Program Files\Bell\Gestionnaire de securite\Rps.exe
C:\WINDOWS\system32\wscsvc.exe
C:\WINDOWS\system32\gakkkajsld.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Initio\AcomData PushButton Manager v1.10\inihid_xp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Bell\Sympatico Security Advisor\SSAComHandler.exe
C:\Program Files\Bell\Gestionnaire de securite\rpsupdaterR.exe
C:\Program Files\Fichiers communs\Authentium\AntiVirus\dvpapi.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.ca/0SEENCA/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: {1A03F196-9617-4CA0-842B-A83CEECB022B} -  - (no file)
R3 - URLSearchHook: (no name) - {1BB22D38-A411-4B13-A746-C2A4F4EC7344} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Bell\Gestionnaire de securite\pkR.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [eMusicClient] C:\Program Files\Winamp\eMusic\eMusicClient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [yozemruA] C:\WINDOWS\yozemruA.exe
O4 - HKLM\..\Run: [win32085114836881] C:\WINDOWS\win32085114836881.exe
O4 - HKLM\..\Run: [sys014836881511] C:\WINDOWS\sys014836881511.exe
O4 - HKLM\..\Run: [ms068151148368] C:\WINDOWS\ms068151148368.exe
O4 - HKLM\..\Run: [MotiveReportAgent] "C:\Program Files\Fichiers communs\Motive\McciBootStrapper.exe" /url="-url=file://C:\Program Files\Fichiers communs\Motive\ReportAgent.html" /browsertype=CustomMSIE /browserpath="C:\Program Files\Common Files\Motive\motivebrowser.exe" /hidden
O4 - HKLM\..\Run: [Windows Security Center] wscsvc.exe
O4 - HKLM\..\Run: [SSA.exe] "C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe" /AUTORUN
O4 - HKLM\..\Run: [Gestionnaire de sécurité Sympatico] "C:\Program Files\Bell\Gestionnaire de securite\Rps.exe"
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Bell\Gestionnaire de securite\ZkRunOnceR.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\Run: [gakkkajsld] C:\WINDOWS\system32\gakkkajsld.exe
O4 - HKLM\..\Run: [bwtsgwos] C:\WINDOWS\system32\bwtsgwos.exe
O4 - HKLM\..\Run: [jl] C:\WINDOWS\system32\jl.exe
O4 - HKLM\..\RunServices: [gakkkajsld] C:\WINDOWS\system32\gakkkajsld.exe
O4 - HKLM\..\RunServices: [bwtsgwos] C:\WINDOWS\system32\bwtsgwos.exe
O4 - HKLM\..\RunServices: [f] C:\WINDOWS\system32\f.exe
O4 - HKLM\..\RunServices: [jl] C:\WINDOWS\system32\jl.exe
O4 - HKLM\..\RunOnce: [IndexCleaner] "C:\Program Files\Bell\Gestionnaire de securite\IdxClnR.exe"
O4 - HKCU\..\Run: [Ahsc] "C:\DOCUME~1\DAVIDL~1\APPLIC~1\CROSOF~1\services.exe" -vt ndrv
O4 - HKCU\..\Run: [Xsovk] C:\WINDOWS\system32\?racle\m?iexec.exe
O4 - HKCU\..\Run: [Ad Arrest] C:\Program Files\Ad Arrest IE Popup Killer\adarrest.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Ahsc] "C:\PROGRA~1\SMBOLS~1\winspool.exe" -vt ndrv (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Ndsnu] C:\WINDOWS\system32\?ssembly\r?gedit.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Ahsc] "C:\PROGRA~1\SMBOLS~1\winspool.exe" -vt ndrv (User 'Default user')
O4 - Global Startup: AcomData PushButton Manager.lnk = ?
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZNxmk762CJCA
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ca\msntabres.dll.mui/229?1b74c3f2b9f04640ae443be02cb6bf34
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ca\msntabres.dll.mui/230?1b74c3f2b9f04640ae443be02cb6bf34
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.15.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1096553206578
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1149456744727
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Fichiers communs\Authentium\AntiVirus\dvpapi.exe
O23 - Service: Print Spooler Service (ey0ztun6ieniaozu) - Unknown owner - C:\WINDOWS\system32\bftm.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\rthlpsvc.exe
O23 - Service: Service de mise-à-jour pour le Gestionnaire de sécurité Sympatico (RPSUpdaterR) - Bell Sympatico - C:\Program Files\Bell\Gestionnaire de securite\rpsupdaterR.exe
O23 - Service: Gestionnaire de sécurité Sympatico Coupe-feu (RP_FWS) - Bell Sympatico - C:\Program Files\Bell\Gestionnaire de securite\Fws.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
 
--
End of file - 11128 bytes
siliconman01
Global Moderator
Re: rb3-rb4.tmp in recycle bin.... ....again!!!
« Reply #12 on: Oct 18th, 2007, 2:10pm »
No, it's not the last time. ;) Your system is really infected. You have some very strange looking files on your system.
 
Please do the following:
 
A.  Make all your files and folders visible:
 
Follow the procedure in the link below to make all your files and folders visible.
 
http://www.misec.net/forum/board/FAQ/1139610900
 
B.  Submit the following files to Mischel Internet Security for Analysis.
 
-  The link below explains how to submit files for analysis
 
http://www.misec.net/forum/board/FAQ/1139308293
 
-  Submit the following files:
 

yozemruA.exe
win32085114836881.exe
sys014836881511.exe
ms068151148368.exe
wscsvc.exe
gakkkajsld.exe
bwtsgwos.exe
jl.exe
f.exe

 
C.  Run each one of the above files through VirusTotal:
 
After you have submitted the above files, please go to the link below and run each one of the above files through VirusTotal.
 
http://www.virustotal.com/en/indexf.html
 
Please post back here what VirusTotal reports about each one of the above files.  
 
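Added example, not code from HijackThis, ComboFix or the forum helpers: a small Python triage script that parses O4 and O23 lines like the ones in the logs above and flags the patterns a helper looks for before asking for files (a value under the Windows 9x RunServices key, a '?' look-alike folder name, a bare file name, a one-letter or digit-run name in a Windows directory, a service with no registered owner, a core Windows binary name outside the Windows directory). The rules are this example's own heuristics and give leads rather than verdicts; the sample lines are copied from the log posted above.

```python
"""Triage HijackThis O4/O23 autostart lines the way a forum helper reads them.

Added example for this thread; it is not code from HijackThis, ComboFix or
the forum helpers. The rules below are this example's own heuristics for
turning a pasted log into a short list of files to submit for analysis.
They give leads, not verdicts: yozemruA.exe and winspool.exe from the
thread, for instance, match none of them and still need a human eye.
"""
import re

O4_RE = re.compile(r'^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
IMAGE_RE = re.compile(r'^"?(?P<image>[^"]*?\.exe)', re.IGNORECASE)
O23_PREFIX = 'O23 - Service: '

# Core Windows binaries that only load from the Windows directory or system32;
# the same names anywhere else are a classic masquerade.
CORE_BINARIES = {'services.exe', 'lsass.exe', 'winlogon.exe', 'svchost.exe',
                 'csrss.exe', 'explorer.exe', 'regedit.exe', 'msiexec.exe'}
WINDOWS_DIRS = ('c:\\windows', 'c:\\windows\\system32')

# Constructed sample: lines copied from the HijackThis log posted in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [win32085114836881] C:\WINDOWS\win32085114836881.exe
O4 - HKLM\..\Run: [Windows Security Center] wscsvc.exe
O4 - HKLM\..\Run: [f] C:\WINDOWS\system32\f.exe
O4 - HKLM\..\RunServices: [gakkkajsld] C:\WINDOWS\system32\gakkkajsld.exe
O4 - HKCU\..\Run: [Ahsc] "C:\DOCUME~1\DAVIDL~1\APPLIC~1\CROSOF~1\services.exe" -vt ndrv
O4 - HKCU\..\Run: [Xsovk] C:\WINDOWS\system32\?racle\m?iexec.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: AcomData PushButton Manager.lnk = ?
O23 - Service: Print Spooler Service (ey0ztun6ieniaozu) - Unknown owner - C:\WINDOWS\system32\f.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
""".strip().splitlines()


def image_path(cmd):
    """Return the executable part of a Run value, minus quotes and arguments."""
    m = IMAGE_RE.match(cmd.strip())
    return m.group('image') if m else cmd.strip()


def check_image(image, key=''):
    """Return the reasons an autostart image deserves a closer look (may be empty)."""
    reasons = []
    low = image.lower()
    directory, _, filename = low.rpartition('\\')
    stem = filename[:-4] if filename.endswith('.exe') else filename
    if '?' in image:
        # HijackThis prints '?' for a character it cannot render: here a folder
        # named with a look-alike character to pass as 'oracle' or 'assembly'.
        reasons.append('non-ASCII look-alike character in path')
    if not directory:
        reasons.append('bare file name, resolved through the search path')
    if 'runservices' in key.lower():
        # RunServices is a Windows 9x autostart key that XP does not process;
        # software written for NT-class Windows has no reason to use it.
        reasons.append('registered under RunServices')
    if directory in WINDOWS_DIRS:
        if len(stem) <= 2:
            reasons.append('one- or two-letter name in a Windows directory')
        if re.search(r'\d{6,}', stem):
            reasons.append('long digit run in name')
    elif filename in CORE_BINARIES:
        reasons.append('core Windows binary name outside the Windows directory')
    return reasons


def triage(log_lines):
    """Map each flagged executable name to the list of reasons it was flagged."""
    flagged = {}
    for line in log_lines:
        m = O4_RE.match(line)
        if m:
            image = image_path(m.group('cmd'))
            reasons = check_image(image, m.group('key'))
        elif line.startswith(O23_PREFIX):
            parts = line[len(O23_PREFIX):].rsplit(' - ', 2)
            if len(parts) != 3:
                continue
            _display, owner, image = parts
            reasons = check_image(image)
            if owner == 'Unknown owner':
                reasons.append('service with no registered owner')
        else:
            continue  # Global Startup shortcuts and other sections are not handled
        if reasons:
            name = image.rpartition('\\')[2]
            merged = flagged.setdefault(name, [])
            merged.extend(r for r in reasons if r not in merged)
    return flagged


if __name__ == '__main__':
    for name, reasons in triage(SAMPLE_LOG).items():
        print(f'{name}: ' + '; '.join(reasons))
```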
siliconman01
Global Moderator
Re: rb3-rb4.tmp in recycle bin.... ....again!!!
« Reply #13 on: Oct 18th, 2007, 2:58pm »
There is one more file that I would like you to submit for analysis and also run through VirusTotal:
 
winspool.exe
tittuq
Newbie
Re: rb3-rb4.tmp in recycle bin.... ....again!!!
« Reply #14 on: Oct 23rd, 2007, 1:14pm »