
HijackThis NOTEPAD MEDIALOAD TIBS


Name: jimbart
Date: January 30, 2004 at 02:57:07 Pacific
OS: WinXP SP1
CPU/Ram: ATHLON1,44 512
Comment:


Hello, thanks for helping a southwestern French (near Bordeaux) XP user.
Sorry, my English is not really the best you could read…

So, since my Norton update was out of order (end of the 1st year; OK, I've got to do something about this problem), and especially since early January, I saw some "parasite" links coming into my Internet favourite links (2 porn links) and onto my "desktop" ("bureau" in French; in that case it's "only" 2 links that lead to mortgage or credit sites).
Another problem was the fact that NOTEPAD changed its icon and is called "Mediaload" (from Microsoft (R) Mediaload). So with that new Notepad I was no longer able to edit a txt file; nothing was happening…
My IE6 default page changed to aboutblank.biz.
Spybot didn't see anything at that time. It was just telling me of "aboutblank.biz", and I tried to restore my www google fr favourite link.

3 days ago, I saw a certain number of new phenomena:
- an Internet connection came into my settings, called TIBS41
- a "live cams" link came onto my "desktop"
- some files were found by Spybot (TIBS, ifr.txt, livecams also; I threw out these files)
- I also saw something called "websiteviewer" (I don't remember where)


Well, I searched around the Internet community and found examples of the problems I encounter, and it seems that I've got at least two problems: a virus and a trojan.
I saw that you could help me…
NOTICE: before restarting my PC, I set all the about-blank.biz entries to www google fr in order to see what is modified at the start.

Logfile of HijackThis v1.97.7
Scan saved at 11:24:14, on 30/01/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ahfp.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.exe
C:\Applis.BRT\Applis_Utilitaires\Utilitaires Internet\Suivi_conso-\Netcom\Netcom.exe
C:\Applis.BRT\Applis_Utilitaires\Utilitaires.winXP\EffaceHistorique\EffaceHistorique.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Applis.BRT\Applis_Utilitaires\Utilitaires CPU\DTemp(mesure-temp-DD_alertes-possibles)\DTemp.exe
C:\Documents and Settings\ADMIN\Menu Démarrer\Programmes\Démarrage\PureText.exe
C:\Applis.BRT\Applis_Utilitaires\Utilitaires CPU\VCool_17\VCool.exe
C:\Documents and Settings\ADMIN\Mes documents\HijackThis\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.google.fr/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.fr/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.fr/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.google.fr/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.fr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.libertysurf.fr
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.fr/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer - Liberty Surf -
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.google.fr/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.google.fr/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.fr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.fr/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O1 - Hosts: 69.56.223.196 t.rack.cc
O1 - Hosts: 69.56.223.196 www.alfa-search.com
O1 - Hosts: 69.56.223.196 webcoolsearch.com
O1 - Hosts: 69.56.223.196 in.webcounter.cc
O1 - Hosts: 69.56.223.196 i-lookup.com
O1 - Hosts: 69.56.223.196 www.hand-book.com
O1 - Hosts: 69.56.223.196 www.maxxxhosters.com
O1 - Hosts: 69.56.223.196 allneedsearch.com
O1 - Hosts: 69.56.223.196 nativehardcore.com
O1 - Hosts: 69.56.223.196 teen-biz.com
O1 - Hosts: 69.56.223.196 tits.hardcore4ever.net
O1 - Hosts: 69.56.223.196 best.royalsearch.net
O1 - Hosts: 69.56.223.196 default-homepage-network.com
O1 - Hosts: 69.56.223.196 xwebsearch.biz
O1 - Hosts: 69.56.223.196 www.rightfinder.net
O1 - Hosts: 69.56.223.196 www.search-1.net
O1 - Hosts: 69.56.223.196 www.searchv.com
O1 - Hosts: 69.56.223.196 www.websearch.com
O1 - Hosts: 69.56.223.196 mysearchnow.com
O1 - Hosts: 69.56.223.196 www.therealsearch.com
O1 - Hosts: 69.56.223.196 www.find-itnow.com
O1 - Hosts: 69.56.223.196 find.microgirls.com
O1 - Hosts: 69.56.223.196 super-spider.com
O1 - Hosts: 69.56.223.196 www.searching-the-net.com
O1 - Hosts: 69.56.223.196 www.firstbookmark.com
O1 - Hosts: 69.56.223.196 just.find-itnow.com
O1 - Hosts: 69.56.223.196 www.find-itnow.com
O1 - Hosts: 69.56.223.196 qwertysearch123.biz
O1 - Hosts: 69.56.223.196 www.search-space.com
O1 - Hosts: 69.56.223.196 www.windowws.cc
O1 - Hosts: 69.56.223.196 aifind.info
O1 - Hosts: 69.56.223.196 www.find4u.net
O1 - Hosts: 69.56.223.196 find4u.net
O1 - Hosts: 69.56.223.196 www.lookfor.cc
O1 - Hosts: 69.56.223.196 www.008i.com
O1 - Hosts: 69.56.223.196 www.viewpornkey.com
O1 - Hosts: 69.56.223.196 www.hugesearch.net
O1 - Hosts: 69.56.223.196 www.novaf---.com
O1 - Hosts: 69.56.223.196 www.seznam.cz
O1 - Hosts: 69.56.223.196 aifind.cc
O1 - Hosts: 69.56.223.196 www.onet.pl
O1 - Hosts: 69.56.223.196 teenhqpics.com
O1 - Hosts: 69.56.223.196 www.ttjj.com
O1 - Hosts: 69.56.223.196 www.search-dot.com
O1 - Hosts: 69.56.223.196 www.search-and-go.com
O1 - Hosts: 69.56.223.196 www.slotch.com
O1 - Hosts: 69.56.223.196 www.2fastsearch.net
O1 - Hosts: 69.56.223.196 awebfind.biz
O1 - Hosts: 69.56.223.196 www.power-search.info
O1 - Hosts: 69.56.223.196 www.naver.com
O1 - Hosts: 69.56.223.196 www.daum.net
O1 - Hosts: 69.56.223.196 www.ohcorea.com
O1 - Hosts: 69.56.223.196 www.hao123.com
O1 - Hosts: 69.56.223.196 58q.com
O1 - Hosts: 69.56.223.196 www.hotwebsearch.com
O1 - Hosts: 69.56.223.196 www.startium.com
O1 - Hosts: 69.56.223.196 www.gajai.com
O1 - Hosts: 69.56.223.196 www.wazzupnet.com
O1 - Hosts: 69.56.223.196 freshvideogals.com
O1 - Hosts: 69.56.223.196 www.xgmm.com
O1 - Hosts: 69.56.223.196 searchmyrequest.com
O1 - Hosts: 69.56.223.196 yourbookmarks.ws
O1 - Hosts: 69.56.223.196 wmmse.com
O1 - Hosts: 69.56.223.196 link.startmake.com
O1 - Hosts: 69.56.223.196 www.boredlife.com
O1 - Hosts: 69.56.223.196 approvedlinks.com
O1 - Hosts: 69.56.223.196 www.nkvd.us
O1 - Hosts: 69.56.223.196 www.8095.com
O1 - Hosts: 69.56.223.196 www.dreamwiz.com
O1 - Hosts: 69.56.223.196 ie-search.com
O1 - Hosts: 69.56.223.196 auto.ie.searchforge.com
O1 - Hosts: 69.56.223.196 search.psn.cn
O1 - Hosts: 69.56.223.196 www.couldnotfind.com
O1 - Hosts: 69.56.223.196 www.iquicksearch.com
O1 - Hosts: 69.56.223.196 1-se.com
O1 - Hosts: 69.56.223.196 www.spidersearch.com
O1 - Hosts: 69.56.223.196 search.ieplugin.com
O1 - Hosts: 69.56.223.196 itseasy.us
O1 - Hosts: 69.56.223.196 searchbar.findthewebsiteyouneed.com
O1 - Hosts: 69.56.223.196 www.searchxl.com
O1 - Hosts: 69.56.223.196 www.hotsearchbox.com
O1 - Hosts: 69.56.223.196 www.searchforge.com
O1 - Hosts: 69.56.223.196 www.omega-search.com
O1 - Hosts: 69.56.223.196 searchcentrix.com
O2 - BHO: Microsoft Excel - {17DA0C9E-4A27-4ac5-BB75-5D24B8CDB972} - C:\DOCUME~1\ADMIN\APPLIC~1\MICROS~1\Office\Excel10.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Applis.BRT\APPLIS~1\UTILIT~4\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Netcom] "C:\Applis.BRT\Applis_Utilitaires\Utilitaires Internet\Suivi_conso-\Netcom\Netcom.exe"
O4 - HKLM\..\Run: [Efface Historique 2.0] C:\Applis.BRT\Applis_Utilitaires\Utilitaires.winXP\EffaceHistorique\EffaceHistorique.exe -s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: DTemp.lnk = C:\Applis.BRT\Applis_Utilitaires\Utilitaires CPU\DTemp(mesure-temp-DD_alertes-possibles)\DTemp.exe
O4 - Startup: PureText.exe
O4 - Startup: VCool.lnk = C:\Applis.BRT\Applis_Utilitaires\Utilitaires CPU\VCool_17\VCool.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Ouvrir le cadre dans une nouvelle fenêtre - file://C:\WINDOWS\web\nvcadre.html
O8 - Extra context menu item: Télécharger en utilisant Download &Express - file://C:\WINDOWS\System32\MetaProducts\Add_Url.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.libertysurf.fr
O15 - Trusted Zone: *.offshoreclicks.com
O15 - Trusted Zone: *.teensguru.com
O15 - Trusted Zone: *.xxxtoolbar.com
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37622.5975115741
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Response Number 1
Name: Tom41
Date: January 30, 2004 at 03:12:39 Pacific
Reply:

Hi jimbart,
You have a CoolWebSearch hijacker, Download and run CWShredder to remove it. After running CWShredder, run HijackThis again and post the new log.


CWShredder



Response Number 2
Name: jimbart
Date: January 30, 2004 at 06:18:50 Pacific
Reply:

CWS said:
Done!
Removed from your system:
- CWS.Googlems

This is the new log:

Logfile of HijackThis v1.97.7
Scan saved at 15:19:10, on 30/01/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ahfp.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Applis.BRT\Applis_Utilitaires\Utilitaires Internet\Suivi_conso-\Netcom\Netcom.exe
C:\Applis.BRT\Applis_Utilitaires\Utilitaires.winXP\EffaceHistorique\EffaceHistorique.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Applis.BRT\Applis_Utilitaires\Utilitaires CPU\DTemp(mesure-temp-DD_alertes-possibles)\DTemp.exe
C:\Documents and Settings\ADMIN\Menu Démarrer\Programmes\Démarrage\PureText.exe
C:\Applis.BRT\Applis_Utilitaires\Utilitaires CPU\VCool_17\VCool.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\ADMIN\Mes documents\HijackThis\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.google.fr/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.fr/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.fr/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.google.fr/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.fr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.libertysurf.fr
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.fr/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer - Liberty Surf -
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.google.fr/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.google.fr/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.fr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.fr/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Applis.BRT\APPLIS~1\UTILIT~4\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Netcom] "C:\Applis.BRT\Applis_Utilitaires\Utilitaires Internet\Suivi_conso-\Netcom\Netcom.exe"
O4 - HKLM\..\Run: [Efface Historique 2.0] C:\Applis.BRT\Applis_Utilitaires\Utilitaires.winXP\EffaceHistorique\EffaceHistorique.exe -s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: DTemp.lnk = C:\Applis.BRT\Applis_Utilitaires\Utilitaires CPU\DTemp(mesure-temp-DD_alertes-possibles)\DTemp.exe
O4 - Startup: PureText.exe
O4 - Startup: VCool.lnk = C:\Applis.BRT\Applis_Utilitaires\Utilitaires CPU\VCool_17\VCool.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Ouvrir le cadre dans une nouvelle fenêtre - file://C:\WINDOWS\web\nvcadre.html
O8 - Extra context menu item: Télécharger en utilisant Download &Express - file://C:\WINDOWS\System32\MetaProducts\Add_Url.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.libertysurf.fr
O15 - Trusted Zone: *.offshoreclicks.com
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37622.5975115741
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B087D901-B6AF-4B82-B310-C22CD4118EEC}: NameServer = 213.36.80.1 213.36.80.1


Hope it tells you something!!!



Response Number 3
Name: Tom41
Date: January 30, 2004 at 08:36:30 Pacific
Reply:

Run HijackThis again and fix the following entry:
O15 - Trusted Zone: *.offshoreclicks.com


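Tom41's diagnosis in Response 1 rests on reading the log above (dozens of O1 hosts entries redirected to one IP, search settings reset to about:blank), and Response 3 adds the O15 Trusted Zone entry. The triage below is an added example, not code from this thread or from HijackThis; the sample lines are constructed from the entry formats shown above, and the hosts-redirect threshold is an assumption.

```python
"""Triage of HijackThis v1.97-style log lines (added example, not HijackThis code)."""
import re
from collections import defaultdict

LINE_RE = re.compile(r"^([RO]\d+) - (.*)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")

# Assumption: this many distinct hostnames mapped to one IP in the hosts
# file is treated as a hijack rather than a hand-made block list.
HOSTS_THRESHOLD = 3

# Constructed sample in the same format as the logs posted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O1 - Hosts: 69.56.223.196 t.rack.cc
O1 - Hosts: 69.56.223.196 www.alfa-search.com
O1 - Hosts: 69.56.223.196 webcoolsearch.com
O1 - Hosts: 69.56.223.196 www.seznam.cz
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Applis.BRT\APPLIS~1\UTILIT~4\SPYBOT~1\SDHelper.dll
O15 - Trusted Zone: *.offshoreclicks.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B087D901-B6AF-4B82-B310-C22CD4118EEC}: NameServer = 213.36.80.1 213.36.80.1
"""


def parse_entries(log_text):
    """Yield (section, body) for every R0/R1/Oxx line; other lines are skipped."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2)


def triage(log_text):
    """Return a list of (severity, section, message) findings.

    severity is "fix" for entries a helper would tell the user to fix in
    HijackThis, "review" for entries that must be checked against known-good
    values (for example the ISP's DNS servers) before acting.
    """
    findings = []
    hosts_by_ip = defaultdict(set)
    for section, body in parse_entries(log_text):
        if section == "O1":
            m = HOSTS_RE.match(body)
            if m:
                hosts_by_ip[m.group(1)].add(m.group(2))
        elif section in ("R0", "R1"):
            key, _, value = body.partition(" = ")
            # Search Bar / SearchAssistant set to about:blank is the symptom
            # Spybot and CWShredder attribute to CoolWebSearch in this thread.
            # A Start Page of about:blank alone is a legitimate user choice.
            if value.strip().lower() == "about:blank" and "search" in key.lower():
                findings.append(("fix", section, f"{key} reset to about:blank"))
        elif section == "O15":
            # Trusted Zone entries lower IE security for that domain.
            findings.append(("fix", section, body))
        elif section == "O17":
            # Name servers are only suspicious if they are not the ISP's.
            findings.append(("review", section, body))
    for ip, names in hosts_by_ip.items():
        if len(names) >= HOSTS_THRESHOLD:
            findings.append(("fix", "O1", f"{len(names)} hostnames redirected to {ip}"))
    return findings


if __name__ == "__main__":
    for severity, section, message in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {section}: {message}")
```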

Response Number 4
Name: jimbart
Date: January 30, 2004 at 12:02:44 Pacific
Reply:

Thanks Tom,
here's the result of the HijackThis jury:

Logfile of HijackThis v1.97.7
Scan saved at 20:52:24, on 30/01/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ahfp.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Applis.BRT\Applis_Utilitaires\Utilitaires Internet\Suivi_conso-\Netcom\Netcom.exe
C:\Applis.BRT\Applis_Utilitaires\Utilitaires.winXP\EffaceHistorique\EffaceHistorique.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Applis.BRT\Applis_Utilitaires\Utilitaires CPU\DTemp(mesure-temp-DD_alertes-possibles)\DTemp.exe
C:\Documents and Settings\ADMIN\Menu Démarrer\Programmes\Démarrage\PureText.exe
C:\Applis.BRT\Applis_Utilitaires\Utilitaires CPU\VCool_17\VCool.exe
C:\WINDOWS\system32\appsys.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\ADMIN\Mes documents\HijackThis\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.google.fr/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.fr/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.fr/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.google.fr/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.fr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.libertysurf.fr
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.fr/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer - Liberty Surf -
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.google.fr/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.google.fr/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.fr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.fr/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Applis.BRT\APPLIS~1\UTILIT~4\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Netcom] "C:\Applis.BRT\Applis_Utilitaires\Utilitaires Internet\Suivi_conso-\Netcom\Netcom.exe"
O4 - HKLM\..\Run: [Efface Historique 2.0] C:\Applis.BRT\Applis_Utilitaires\Utilitaires.winXP\EffaceHistorique\EffaceHistorique.exe -s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: DTemp.lnk = C:\Applis.BRT\Applis_Utilitaires\Utilitaires CPU\DTemp(mesure-temp-DD_alertes-possibles)\DTemp.exe
O4 - Startup: PureText.exe
O4 - Startup: VCool.lnk = C:\Applis.BRT\Applis_Utilitaires\Utilitaires CPU\VCool_17\VCool.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Ouvrir le cadre dans une nouvelle fenêtre - file://C:\WINDOWS\web\nvcadre.html
O8 - Extra context menu item: Télécharger en utilisant Download &Express - file://C:\WINDOWS\System32\MetaProducts\Add_Url.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.libertysurf.fr
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37622.5975115741
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B087D901-B6AF-4B82-B310-C22CD4118EEC}: NameServer = 213.36.80.1 213.36.80.1


Note:
MEDIALOAD (it installed itself on my computer on 040116) disappeared, but I didn't really do anything... Notepad (66 KB, 28/1/2001) is back in windows/system32.
I heard about viruses disappearing....

In fact there's a trace of Mediaload.... its icon has become the icon of Notepad...
This doesn't bother me but, when looking at small icons, I cannot see any icon... txt and inf files have an invisible icon....



Response Number 5
Name: Tom41
Date: January 30, 2004 at 12:24:17 Pacific
Reply:

Hi Jim,
Locate the following file and right click on it and choose properties. Is there any copyright info listed?

C:\WINDOWS\system32\appsys.exe



Response Number 6
Name: jimbart
Date: January 31, 2004 at 02:32:00 Pacific
Reply:

Thanks Tom for helping me..

appsys.exe appears to have a creation date of the 19th of January.
It's an application without any copyright...

I'm sure this isn't surprising you...



Response Number 7
Name: jimbart
Date: January 31, 2004 at 07:52:19 Pacific
Reply:

Another piece of information:
I've been searching for all modifications made on the 19th of January and found: appsys.exe and teen.exe...

May I simply delete these files?

This black Monday (the 19th Jan 2004), I ran Spybot and it detected CoolWWWSearch.
Hereafter is its log file:
===================================
--- Search result list ---
CoolWWWSearch: IE Search assistent (Modification du registre, fixed)
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Search\SearchAssistant=about:blank

CoolWWWSearch: IE Search assistent (Modification du registre, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search\SearchAssistant=about:blank

CoolWWWSearch: IE Search bar (Modification du registre, fixed)
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Search Bar=about:blank

CoolWWWSearch: IE Search bar (Modification du registre, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Search Bar=about:blank

--- Spybot-S&D version: 1.2 ---
2003-11-05 Includes\Cookies.sbi
2003-11-05 Includes\Dialer.sbi
2003-11-24 Includes\Hijackers.sbi
2003-11-11 Includes\Keyloggers.sbi
2003-11-20 Includes\Malware.sbi
2003-04-28 Includes\plugin-ignore.ini
2003-11-05 Includes\Security.sbi
2003-11-24 Includes\Spybots.sbi
2003-03-16 Includes\Temporary.sbi
2003-11-05 Includes\Tracks.uti
2003-11-21 Includes\Trojans.sbi

--- System information ---
Windows XP (Build: 2600) Service Pack 1
/ Windows Media Player: Windows Media Update 320920
/ Windows XP / SP1: Service Pack 1 pour Windows XP

==================================
And NORTON doesn't see anything...



Response Number 8
Name: Tom41
Date: January 31, 2004 at 10:35:37 Pacific
Reply:

Hi Jim,
Yes, you need to get rid of appsys.exe and teen.exe.
Open the task manager and end process on appsys.exe. Then delete both files.

**Before deleting them, could you email me zipped copies to analyze? Click my name for the email addy..



Response Number 9
Name: jimbart
Date: January 31, 2004 at 10:44:52 Pacific
Reply:

OK, I will follow your recommendations and send the files.



Response Number 10
Name: mls
Date: February 2, 2004 at 20:33:17 Pacific
Reply:

Tom41…
hello…
I’m new to Computing.Net and have also encountered the TIBS41 problem [http://computing.net/security/wwwboard/forum/9288.html] that you have been helping jimbart with… I ran CWShredder and it has modified the Notepad application… also, wasn’t quite sure what you meant regarding running HijackThis again… wondering if you might be of assistance… I’m willing to provide compensation… thanks much…
mark.
mark@zcap.net

