
Please help for hijack problem



Hello,

I use windows xp sp3 updated, IE8. I use the PC primarily for downloading games and movies, and streaming movies and games online.

Following the execution of a program, I no longer had access to my task manager and my homepage has been changed. When I go to my internet options, the "General" tab, which contains the home page and the option to delete history and cookies, has disappeared. The other tabs are still there: security, privacy, content, connection, programs.

USB fix allowed me to regain access to my task manager, but found no solution for the two other problems.

So far, I have scanned with more than 17 tools:

microsoft security key

avira premium internet security

USB Fix findy kill, Ad-remover

spybot search and destroy

FxBgleMO, FxBeagle, FixJFI, FixAdix of symantech

cw shredder

avg antivirus

CoolWebSearch miniremoval smartkiller

C cleaner

Tune up utilities

uniblue registry booster

HijackThis

But still no result

And finally, I found a hijack in the registry with Malwarebytes' Anti-Malware: HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel\Homepage

I removed it.

But still no box "general" internet options and no ability to change my homepage.

You will find below reports generated by hijackthis and Malwarebytes' Anti-Malware.

I certainly was wrong to delete the infected file.

So, could someone advise me?

Please kindly provide me with invaluable help

Thank you in advance and sorry for my english

PS: If anyone is interested in studying the application that caused me all this trouble, contact me.

PC configuration

PC: GenuineIntel

Processor: Intel Pentium E2140 1.6GHZ 2CPU 1GB of Ram

Model: x86 Family 6 Model 15 Stepping 3

Motherboard: ECS Socket 775 Intel 945GCT-M2

* Operating System + version:

o Windows XP PRO 2002 updated

o SP3 updated

* System security: two antivirus programs

avira premium security suite trial version: updated

Microsoft Security Essentials: updated

* System optimization settings: tune-up utilities trial, perfect disc trial

* Internet navigation

o Type of connection: ADSL 1M

o Browser: IE 8 and Firefox, updated

o Instant Messaging: NO

Other: internet download manager, vlc media player, windows media player, divxplus, nero lite, winrar, imgburn, incromedia website evolution v8

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 12:11:32, on 17/05/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

c:\Program Files\Microsoft Security Essentials\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Fichiers communs\Nero\Nero BackItUp 4\NBService.exe

C:\Program Files\Raxco\PerfectDisk\PDAgent.exe

C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe

C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\WINDOWS\sttray.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Avira\AntiVir Desktop\avmailc.exe

C:\Program Files\Microsoft Security Essentials\msseces.exe

C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Program Files\DivX\DivX Update\DivXUpdate.exe

C:\Program Files\Raxco\PerfectDisk\PDEngine.exe

C:\Program Files\Internet Download Manager\IDMan.exe

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe

C:\Program Files\Internet Download Manager\IEMonitor.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.microsoft.com/fwlink/?linkid=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://fr.msn.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://fr.msn.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens

O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: Programme d'aide de l'Assistant de connexion Windows Live ID - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [sigmatelSysTrayApp] sttray.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [iDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot

O4 - HKCU\..\RunOnce: [RegistryBooster] "C:\Program Files\Uniblue\RegistryBooster\launcher.exe" delay 20000

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE R


Hello toubib32! Welcome to MalwareBytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Stay with the topic until I tell you that your system is clean. The absence of symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something please ask.
  • Do not install or uninstall any software or hardware while we work on it.

Step 1:

  • Launch Malwarebytes' Anti-Malware
  • Go to "Update" tab and select "Check for Updates". If an update is found, it will download and install the latest version.
  • Go to "Scanner" tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Step 2:

Please download the following scanning tool: GMER

  • Open the zip file and copy the file gmer.exe to your Desktop.
  • Double click on gmer.exe and run it.
  • It may take a minute to load and become available.
  • Do not make any changes. Click on the SCAN button and DO NOT use the computer while it's scanning.
  • Once the scan is done click on the SAVE button and browse to your Desktop and save the file as GMER.LOG
  • Zip up the GMER.LOG file and save it as gmerlog.zip and attach it to your reply post.
  • DO NOT directly post this log into a reply. You MUST attach it as a .ZIP file.
  • Click OK and quit the GMER program.

Step 3:

Also, I would like you to generate an "Add/Remove Software list" log using the HijackThis application. Here is how you can do this:

To get an Uninstall List from HijackThis:

  • Open HijackThis, click Config, click Misc Tools
  • Click "Open Uninstall Manager"
  • Click "Save List" (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.

In your next reply, please include these log(s) in this sequence:

  1. MalwareBytes' Anti-Malware log
  2. GMER log
  3. Add or Remove Programs list
  4. a new fresh HiJackThis log


Step 1:

I see you are running Teatimer.

I suggest you disable it because it can interfere with the changes you'll make on your system.

When everything is done and your log is clean again, you can enable it again.

If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

How to disable TeaTimer <== click me for instructions.

After you disabled Teatimer, download ResetTeaTimer.exe to your desktop.

Then run ResetTeaTimer.exe.

This will only take a few seconds.

Step 2:

Please, uninstall the following applications:

  1. Uniblue RegistryBooster

You can read how to do this in:

Step 3:

Let's use an alternative to GMER:

Download RootRepeal Beta on your desktop.

  • Double click RootRepeal.exe to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the Scan button
  • In the Select Scan dialog, check:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan
    Note: The scan can take some time. DO NOT run any other programs while the scan is running
  • When the scan is complete, the Save Report button will become available
  • Click this and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program

If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.

Step 4:

If you do not impose any restrictions on your Internet Explorer, please do the following:

Please, open HiJackThis and select Do a system scan only.

Check the following entries:

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Then, close all open windows except that of HijackThis, and select Fix Checked.

In your next reply, please include these log(s) in this sequence:

  1. RootRepeal log
  2. a new fresh HiJackThis log


ROOTREPEAL © AD, 2007-2010

==================================================

Report Save Time: 2010/05/18 14:45

Program Version: Version 2.0.0.0

Windows Version: Windows XP SP3

==================================================

DRIVERS

-------------------

File Invisible dump_atapi.sys 0xaa389000 C:\WINDOWS\System32\Drivers\dump_atapi.sys, 98304 bytes

File Invisible dump_WMILIB.SYS 0xf7b1d000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS, 8192 bytes

File Invisible rootrepeal.sys 0xaa65e000 C:\WINDOWS\system32\drivers\rootrepeal.sys, 49152 bytes

PROCESSES

-------------------

4 - System

112 - C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

120 - C:\Program Files\Fichiers communs\Nero\Nero BackItUp 4\NBService.exe

188 - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe

244 - C:\Program Files\SigmaTel\C-Major Audio\WDM\stacsv.exe

312 - C:\WINDOWS\sttray.exe

320 - C:\WINDOWS\system32\igfxtray.exe

324 - C:\WINDOWS\system32\hkcmd.exe

400 - C:\WINDOWS\system32\igfxsrvc.exe

480 - C:\Program Files\DivX\DivX Update\DivXUpdate.exe

564 - C:\WINDOWS\system32\igfxpers.exe

640 - C:\Program Files\Microsoft Security Essentials\msseces.exe

752 - C:\WINDOWS\explorer.exe

764 - C:\WINDOWS\system32\ctfmon.exe

820 - C:\WINDOWS\system32\smss.exe

860 - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WLIDSVC.EXE

892 - C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe

924 - C:\WINDOWS\system32\csrss.exe

948 - C:\WINDOWS\system32\winlogon.exe

992 - C:\WINDOWS\system32\services.exe

1004 - C:\WINDOWS\system32\lsass.exe

1208 - C:\WINDOWS\system32\svchost.exe

1292 - C:\WINDOWS\system32\svchost.exe

1336 - C:\Program Files\Microsoft Security Essentials\MsMpEng.exe

1348 - C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe

1376 - C:\WINDOWS\system32\svchost.exe

1472 - C:\WINDOWS\system32\svchost.exe

1536 - C:\WINDOWS\system32\svchost.exe

1624 - C:\WINDOWS\system32\wbem\wmiapsrv.exe

1736 - C:\WINDOWS\system32\spoolsv.exe

1796 - C:\Program Files\Avira\AntiVir Desktop\sched.exe

1900 - C:\Program Files\Avira\AntiVir Desktop\avfwsvc.exe

1912 - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

1956 - C:\WINDOWS\system32\svchost.exe

2016 - C:\Program Files\Java\jre6\bin\jqs.exe

2348 - C:\Program Files\Avira\AntiVir Desktop\avmailc.exe

2360 - C:\Program Files\Avira\AntiVir Desktop\avwebgrd.exe

2480 - C:\Documents and Settings\SG\Bureau\RootRepeal.exe

2496 - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe

2508 - C:\WINDOWS\system32\wuauclt.exe

3020 - C:\Program Files\Internet Download Manager\IEMonitor.exe

3216 - C:\WINDOWS\system32\svchost.exe

3264 - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WLIDSVCM.EXE

3564 - C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe

3772 - C:\WINDOWS\system32\alg.exe

FILES

-------------------

Mismatch C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Security Essentials\Support\Application.etl, Size mismatch (API: 466944, Raw: 450560)

STEALTH CODE

-------------------

HIDDEN SERVICES

-------------------

SSDT

-------------------

SYSCALL OK, INT 0x2E OK, ServiceTable OK, Driver IAT OK

NtCreateKey <unknown> 0xf7c67c1e

NtCreateThread <unknown> 0xf7c67c14

NtDeleteKey <unknown> 0xf7c67c23

NtDeleteValueKey <unknown> 0xf7c67c2d

NtLoadKey <unknown> 0xf7c67c32

NtOpenProcess <unknown> 0xf7c67c00

NtOpenThread <unknown> 0xf7c67c05

NtReplaceKey <unknown> 0xf7c67c3c

NtRestoreKey <unknown> 0xf7c67c37

NtSetValueKey <unknown> 0xf7c67c28

NtTerminateProcess <unknown> 0xf7c67c0f

NtWriteVirtualMemory <unknown> 0xf7c67c0a

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 14:55:45, on 18/05/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

c:\Program Files\Microsoft Security Essentials\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Fichiers communs\Nero\Nero BackItUp 4\NBService.exe

C:\Program Files\Raxco\PerfectDisk\PDAgent.exe

C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe

C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\WINDOWS\sttray.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Microsoft Security Essentials\msseces.exe

C:\Program Files\DivX\DivX Update\DivXUpdate.exe

C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe

C:\Program Files\Avira\AntiVir Desktop\avmailc.exe

C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE

C:\Program Files\Raxco\PerfectDisk\PDEngine.exe

C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\Program Files\Internet Download Manager\IEMonitor.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.microsoft.com/fwlink/?linkid=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://fr.msn.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens

O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: Programme d'aide de l'Assistant de connexion Windows Live ID - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [sigmatelSysTrayApp] sttray.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [iDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot

O4 - HKCU\..\Run: [HiDownload] C:\Program Files\StreamingStar\HiDownload_Platinum\HiDownloadPlatinum.exe

O4 - HKCU\..\RunOnce: [RegistryBooster] "C:\Program Files\Uniblue\RegistryBooster\launcher.exe" delay 20000

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE R


Thank you Thank you Thank you Maniac,

It's working :P . Finally "general" and "advanced" tabs are present in internet options.

Still one problem: I can't change my homepage. I am always sent to this homepage: http://www.telecharger-sans-limite.com/

I still need your advice.

Have a great day


Thanks!

We're not ready, please be patient. Now:

**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer. **

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

Please download ComboFix from

Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  • If you are using Firefox, make sure that your download settings are as follows:
    • Open Tools -> Options -> Main tab
    • Set to Always ask me where to Save the files.
  • During the download, rename Combofix to Combo-Fix as follows:
    (screenshots: CF_download_FF.gif, CF_download_rename.gif)
  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

-----------------------------------------------------------

  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**


First of all, you should not have more than one anti-virus program installed as they will conflict and cause problems. You have two so you need to uninstall one of them. Of the two, I would recommend keeping Avira Premium Security Suite , so please uninstall Microsoft Security Essentials .

Let me know how things are now.


Open Notepad and copy and paste the text in the code box below into it:

KillAll::

DDS::
FF - prefs.js: browser.startup.homepage - hxxp://www.telechargementz.org

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

(screenshot: CFScriptB-4.gif)

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

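The two registry policy keys the helper asks to fix in Step 4 (the O6 entries under HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions and \Control Panel) and the Firefox prefs.js homepage line in the CFScript above are the two persistence points of this hijack. The script below is an added example, not code from this thread, HijackThis, Malwarebytes or ComboFix: it triages HijackThis-style R0/R1/O6 lines and prefs.js user_pref lines and flags start pages that point outside the hosts a stock IE8 install uses, and any IE policy key present at all (a home PC without domain policy has no business having one). The allowlist is taken from the R0/R1 lines in the logs posted here; the sample log lines and the host hijack-placeholder.example are constructed for the example.

```python
"""Triage HijackThis-style log lines and Firefox prefs.js for a homepage hijack.

Added example; not from the thread or any of the tools it mentions.
Sample inputs below are constructed; the hijack host is a placeholder.
"""
import re
from urllib.parse import urlparse

# Hosts a stock French Windows XP / IE8 install points its start and search
# pages at (taken from the R0/R1 lines in the logs posted in this thread).
ALLOWED_HOSTS = {
    "fr.msn.com", "www.msn.com", "search.msn.com",
    "www.microsoft.com", "go.microsoft.com",
}

# Policy keys HijackThis reports as O6 entries. "Control Panel" carries values
# such as HomePage, GeneralTab and AdvancedTab (lock the homepage, hide tabs);
# "Restrictions" carries values such as NoBrowserOptions. Presence alone is the
# signal on an unmanaged home PC.
IE_POLICY_KEYS = (r"Internet Explorer\Restrictions", r"Internet Explorer\Control Panel")

HJT_RE = re.compile(r"^(?P<sec>[RO]\d+)\s+-\s+(?P<body>.*)$")
PREF_RE = re.compile(r'user_pref\("(?P<name>[^"]+)",\s*"(?P<value>[^"]*)"\);')


def host_of(url):
    """Lowercase host of a URL (falls back to the scheme for about: URLs)."""
    u = urlparse(url.strip())
    return (u.netloc or u.scheme).lower()


def url_is_expected(url):
    """True for an empty value, about:blank, or a host on the allowlist."""
    if url.strip().lower() in ("", "about:blank"):
        return True
    return host_of(url) in ALLOWED_HOSTS


def triage_hjt(log_text):
    """Return (severity, message) findings for HijackThis R0/R1/O6 lines."""
    findings = []
    for line in log_text.splitlines():
        m = HJT_RE.match(line.strip())
        if not m:
            continue  # process list, headers, other sections
        sec, body = m.group("sec"), m.group("body")
        if sec in ("R0", "R1"):
            key, _, value = body.partition(" = ")  # empty values have no " = "
            if not url_is_expected(value):
                findings.append(("high", f"{sec} {key} points at {host_of(value)}"))
        elif sec == "O6" and any(k in body for k in IE_POLICY_KEYS):
            findings.append(("high", f"IE policy restriction present: {body}"))
    return findings


def triage_prefs_js(prefs_text):
    """Flag Firefox startup homepages outside the allowlist ('|' separates several)."""
    findings = []
    for m in PREF_RE.finditer(prefs_text):
        if m.group("name") != "browser.startup.homepage":
            continue
        for url in m.group("value").split("|"):
            if not url_is_expected(url):
                findings.append(("high", f"Firefox homepage points at {host_of(url)}"))
    return findings


# Constructed sample lines in the format HijackThis prints (hijack host is a placeholder).
SAMPLE_HJT = r"""Logfile of Trend Micro HijackThis v2.0.4
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hijack-placeholder.example/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
"""

# Constructed prefs.js excerpt (same placeholder host).
SAMPLE_PREFS = (
    'user_pref("browser.startup.homepage", "http://hijack-placeholder.example");\n'
    'user_pref("browser.startup.page", 1);\n'
)

if __name__ == "__main__":
    for sev, msg in triage_hjt(SAMPLE_HJT) + triage_prefs_js(SAMPLE_PREFS):
        print(f"[{sev}] {msg}")
```

On the sample input this reports the HKLM start page, both O6 policy keys and the Firefox homepage, and stays silent on about:blank, the MSN search bar and the empty SearchAssistant value. The allowlist approach is deliberate: a hijacker's domain changes from campaign to campaign, while the set of hosts a clean install points at is small and stable.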

ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You may, however, need to disable your currently installed Anti-Virus; how to do so can be read here.

  • Please go here then click on: EOLS1.gif
  • Select the option YES, I accept the Terms of Use then click on: EOLS2.gif
  • When prompted allow the Add-On/Active X to install.
  • Now click on Advanced Settings and select the following:
    • Remove found threats
    • Scan archives
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: EOLS3.gif
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on: EOLS4.gif
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!


Hello, I stopped the first scan at 43% and did a new full scan because it stalled, or I think it did. These are the results of the two scans.

Thank you for understanding

The First scan

ESETSmartInstaller@High as downloader log:

all ok

# version=7

# OnlineScannerApp.exe=1.0.0.1

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=0fb96d700abbe047b85970c042cc1404

# end=stopped

# remove_checked=true

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2010-05-19 04:24:55

# local_time=2010-05-19 05:24:55 (+0100, Afr. centrale Ouest)

# country="France"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=512 16777215 100 0 194281 194281 0 0

# compatibility_mode=768 16777215 100 0 0 0 0 0

# compatibility_mode=1024 16777215 100 0 0 0 0 0

# compatibility_mode=1798 16775141 100 95 16049 763718 0 0

# compatibility_mode=8192 67108863 100 0 428 428 0 0

# scanned=2223

# found=1

# cleaned=1

# scan_time=1278

C:\Documents and Settings\SG\Bureau\anwar\back up driver and\Driver_Genius_9_Professional_US_Full.EXE probably a variant of Win32/Agent trojan (deleted - quarantined) 00000000000000000000000000000000 C

ESETSmartInstaller@High as downloader log:

all ok

esets_scanner_update returned -1 esets_gle=53251

The second scan

C:\Documents and Settings\SG\Bureau\Microsoft office 2007 int


Good!

Please download to your Desktop: Dr.Web CureIt

  • After the file has downloaded, disable your current Anti-Virus and disconnect from the Internet
  • Doubleclick the drweb-cureit.exe file, then click the Start button, then the OK button to perform an Express Scan.
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click on the Complete scan radio button.
  • Then click on the Settings menu on top, then select Change Settings or press the F9 key. You can also change the Language
  • Choose the Scanning tab and I recommend leaving the Heuristic analysis enabled (this can lead to False Positives though)
  • On the File types tab ensure you select All files
  • Click on the Actions tab and set the following:
    • Objects: Infected objects = Cure, Incurable objects = Move, Suspicious objects = Report
    • Infected packages: Archive = Move, E-mails = Report, Containers = Move
    • Malware: Adware = Move, Dialers = Move, Jokes = Move, Riskware = Move, Hacktools = Move
    • Do not change the Rename extension - default is: #??
    • Leave the default save path for Moved files here: %USERPROFILE%\DoctorWeb\Quarantine\
    • Leave prompt on Action checked
  • On the Log file tab leave the Log to file checked.
  • Leave the log file path alone: %USERPROFILE%\DoctorWeb\CureIt.log
  • Log mode = Append
  • Encoding = ANSI
  • Details: Leave Names of file packers and Statistics checked.
  • Limit log file size = 2048 KB and leave the check mark on the Maximum log file size.
  • On the General tab leave the Scan Priority on High
  • Click the Apply button at the bottom, and then the OK button.
  • On the right side under the Dr Web Anti-Virus Logo you will see 3 little buttons. Click the left VCR style Start button.
  • In this mode it will scan Boot sectors of all disks, All removable media, and all local drives
  • The more files and folders you have the longer the scan will take. On large drives it can take hours to complete.
  • When the Cure option is selected, an additional context menu will open. Select the necessary action of the program, if the curing fails.
  • Click 'Yes to all' if it asks if you want to cure/move the files.
  • This will move it to the %USERPROFILE%\DoctorWeb\Quarantine\ folder if it can't be cured. (in this case we need samples)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your Desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously to your Desktop in your next reply with a new hijackthis log.

(screenshot: drweb.jpg)

Let me know how things are now.


Hello Borislav,

It's always the same thing with IE homepage.

RemoveWGA.exe C:\Documents and Settings\SG\Bureau\anw Tool.RemoveWGA Incurable.Deleted.

A0003064.reg C:\System Volume Information\_restore{0A5AFFF1-8DB3-49E5-B376-CB40644F3693}\RP1 Trojan.StartPage.1505 Deleted.

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 22:38:50, on 19/05/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Fichiers communs\Nero\Nero BackItUp 4\NBService.exe

C:\Program Files\Raxco\PerfectDisk\PDAgent.exe

C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe

C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe

C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\Avira\AntiVir Desktop\avmailc.exe

C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE

C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Program Files\Raxco\PerfectDisk\PDEngine.exe

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\sttray.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\DivX\DivX Update\DivXUpdate.exe

C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe

C:\Program Files\Internet Download Manager\IDMan.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Internet Download Manager\IEMonitor.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://fr.msn.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens

O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: Programme d'aide de l'Assistant de connexion Windows Live ID - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [sigmatelSysTrayApp] sttray.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe"

O4 - HKCU\..\Run: [iDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot

O4 - HKCU\..\Run: [HiDownload] C:\Program Files\StreamingStar\HiDownload_Platinum\HiDownloadPlatinum.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\FICHIE~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: T

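As an added example (not code from this thread or from HijackThis), here is a small Python triage script that parses HijackThis-style R0/R1, O2 and O4 lines like the ones in the log above and flags start/search pages outside an allowlist and autorun or BHO entries loaded from user-writable locations. The sample lines are constructed (most mirror entries in the posted log; the last two are invented hijack entries), and both allowlists are assumptions to be tuned per machine.

```python
import re

# Constructed sample in HijackThis log format: most lines mirror the log posted
# above, the last two are constructed to show what a hijacked entry looks like.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://fr.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.example.invalid/?q=
O4 - HKCU\..\Run: [Rapidshare] C:\Documents and Settings\SG\Bureau\anw\Rapidshare.exe
"""

# Assumed allowlist: URL prefixes a start/search page may legitimately point to on this machine.
TRUSTED_URL_PREFIXES = ("about:blank", "http://go.microsoft.com/", "http://www.microsoft.com/",
                        "http://ie.search.msn.com/", "http://fr.msn.com/")
# Assumed allowlist: directories an autorun/BHO binary is expected to live in; anything
# else (user profile, temp folders, bare filenames resolved via PATH) gets flagged.
TRUSTED_EXE_DIRS = ("c:\\windows\\", "c:\\program files\\")

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")
PATH_RE = re.compile(r'"?(?P<path>[a-z]:\\[^"]*?\.(?:exe|dll))', re.IGNORECASE)

def parse_entry(line):
    """Split one HijackThis line into (section code, body); None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    return (m.group("code"), m.group("body")) if m else None

def triage(log_text):
    """Return (code, reason, body) for every entry that deserves a closer look."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if not entry:
            continue
        code, body = entry
        if code in ("R0", "R1") and ("Start Page" in body or "Search Page" in body):
            value = body.split(" = ", 1)[-1]          # text after the registry value name
            if not value.lower().startswith(TRUSTED_URL_PREFIXES):
                findings.append((code, "IE start/search page outside allowlist", body))
        elif code in ("O2", "O4"):
            m = PATH_RE.search(body)
            path = m.group("path").lower() if m else ""  # "" when only a bare filename is given
            if not path.startswith(TRUSTED_EXE_DIRS):
                findings.append((code, "binary loaded from non-standard location", body))
    return findings

if __name__ == "__main__":
    for code, reason, body in triage(SAMPLE_LOG):
        print(f"[{code}] {reason}: {body}")
```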

Good Morning,

I note an acceleration of about 10% of the download speed with IDM.

I want to ask you if I could install this software:

1)ashampoo_internet_accelerator_3_3.20_sm trial version

2)SpeedBit Video Accelerator 3136.4455.0.0 trial version ( SpeedBit Ltd).

3) uninstall Avira security (end of trial version period in 2 days) and install AVG Internet Security 9.0 trial

I found in C:\System Volume Information\_restore{0A5AFFF1-8DB3-49E5-B376-CB40644F3693}\RP1 this application:

A0003678.exe (rapidshare generator)

I deleted it, and when I tried to empty the Recycle Bin the file disappeared. It's again in C:\System Volume Information\_restore{0A5AFFF1-8DB3-49E5-B376-CB40644F3693}\RP1

In fact, that is the application I suspect to be the cause of my homepage problem.

I wish this information was helpful.

Waiting for your advice.

Thank you


I note an acceleration of about 10% of the download speed with IDM.

Cool! :)

I want to ask you if I could install this software:

1)ashampoo_internet_accelerator_3_3.20_sm trial version

2)SpeedBit Video Accelerator 3136.4455.0.0 trial version ( SpeedBit Ltd).

3) uninstall Avira security (end of trial version period in 2 days) and install AVG Internet Security 9.0 trial

Only if you use the latest versions of your programs. :) :)

I found in C:\System Volume Information\_restore{0A5AFFF1-8DB3-49E5-B376-CB40644F3693}\RP1 this application:

A0003678.exe (rapidshare generator)

I deleted it, and when I tried to empty the Recycle Bin the file disappeared. It's again in C:\System Volume Information\_restore{0A5AFFF1-8DB3-49E5-B376-CB40644F3693}\RP1

In fact, that is the application I suspect to be the cause of my homepage problem.

One of the problems.


Results of the analysis of Rapidshare.exe by the Avira laboratory (Google translation)

Dear

Thank you for the email you sent to the Avira virus lab.

Number of task INC00515169.

The files and the results are displayed in a list in the following section:

No. File Name File Size (bytes) Result

25713921 Rapidshare.exe 297 KB MALWARE

You will find the detailed results for each file in the following section:

Filename Result

Rapidshare.exe MALWARE

The file 'Rapidshare.exe' has been classified as 'MALWARE'. Our analysts have given this threat the name TR/StartPage.304128. The designation "TR/" denotes a Trojan horse that is able to spy on your data, damage your privacy and may make unwanted changes on syst
