VBS:Small-AV [Trj]

Hi,

I’ve got a problem with a trojan horse called VBS:Small-AV [trj], version 080526-0.

Avast finds it in C:\1.vbs and aks me what to do. It can’t repair but puts this trojan in quarantine.
In spite of this, the trojan seems to be active, avast finds it again and again.

How can I do?

Thanks

Hi oedipe,

Try a boot time scan with avast! Right click the scanner screen, select ‘schedule a boot time scan’ and reboot when requested.

If still having problems, post a HijackThis! log.

Hi,

The bootscan found 3 times the trojan horse and put it in quarantine. But there is always alerts about it :frowning:

This is my Hijack This! log file

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:54:57, on 31/05/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
D:\PC Tools Firewall Plus\FWService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\htpatch.exe
C:\WINDOWS\System32\RunDll32.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
D:\PC Tools Firewall Plus\FirewallGUI.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
E:\world community grid BOINC\boincmgr.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
E:\world community grid BOINC\boinc.exe
E:\world community grid BOINC\projects\www.worldcommunitygrid.org\wcg_faah_autodock_6.05_windows_intelx86
E:\HiJack This\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Aide pour le lien d’Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: EoRezoBHO - {64F56FC1-1272-44CD-BA6E-39723696E350} - D:\sudoku\EoAdv\EOREZO~1.DLL (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM..\Run: [POINTER] point32.exe
O4 - HKLM..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] “C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe”
O4 - HKLM..\Run: [00PCTFW] “D:\PC Tools Firewall Plus\FirewallGUI.exe” -s
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
O4 - HKLM..\RunServices: [MS Windows Executor Process] MSEXECP32.exe
O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘SERVICE LOCAL’)
O4 - HKUS\S-1-5-20..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘SERVICE RÉSEAU’)
O4 - HKUS\S-1-5-18..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘Default user’)
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Outil de mise à jour Google.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: World Community Grid - BOINC Manager.lnk = E:\world community grid BOINC\boincmgr.exe
O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Moi\Menu Démarrer\Programmes\Jeux\IMVU\Run IMVU.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .fpx: C:\Program Files\Internet Explorer\PLUGINS\NPRVRT32.dll
O12 - Plugin for .ivr: C:\Program Files\Internet Explorer\PLUGINS\NPRVRT32.dll
O16 - DPF: {0000ED9A-DFFC-11D4-8D7A-B396C6A4A836} (ToolBar NetCourrier) - http://img.medianet-technologies.com/netc/toolbar/mttoolbar.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab30149.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} (CMediaMix Object) - http://musicmix.messenger.msn.com/Medialogic.CAB
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {45E83043-1F6F-4D22-A5E7-0138EA171B49} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/fr/filesharingctrl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/12e0f5e1276a4a035622/netzip/RdxIE601.cab
O16 - DPF: {5CE7A7AF-8C5E-48CF-AE30-8FC6F01C27E3} (Yahoo! Photos - Outil de publication Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_3fr.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/FR-FR/a-UNO1/GAME_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab57176.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O20 - Winlogon Notify: dosplay - C:\WINDOWS\Cursors\dosplay.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Print Spooler Service (iziysnuxu) - Unknown owner - C:\z.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - D:\PC Tools Firewall Plus\FWService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Microsoft sdk core (sdk) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)
O23 - Service: Blue Coat K9 Web Protection (WebFilter) - Unknown owner - C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe


End of file - 9972 bytes

Thanks for your help :slight_smile:

This is a nasty:

O4 - HKLM..\RunServices: [MS Windows Executor Process] MSEXECP32.exe

Please disable ‘Hide protected operating system files’ and enable ‘View Hidden Files and Folders’, search for and upload the above file to VirusTotal for analysis- this will allow all AV’s to add the signature for this file.

EDIT: Just noticed this file’s reported as missing, so avast! has probably deleted it already.

[s]Also send this file for analysis:

C:\WINDOWS\lsass.exe

(Note: that’s a different file to the legitimate lsass.exe in the System32 folder.)[/s]

Please post the results here out of interest.

Now run HijackThis! again, tick these entries, close all other windows and click fix.

O4 - HKLM..\RunServices: [MS Windows Executor Process] MSEXECP32.exe
O20 - Winlogon Notify: dosplay - C:\WINDOWS\Cursors\dosplay.dll (file missing)
O23 - Service: Print Spooler Service (iziysnuxu) - Unknown owner - C:\z.exe (file missing)
O23 - Service: Microsoft sdk core (sdk) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)

You’ll need to delete the services

Follow the instructions here:

http://www.theeldergeek.com/add_a_service_in_windows_xp.htm

sc delete iziysnuxu
sc delete sdk

Then reboot into Safe Mode and find and delete the file MSEXECP32.exe.

Hi,

I disabled and enabled what you told about. I found the file “MSEXECP32.exe” in C:\Documents and settings\All users\Application Data\Spybot-Search & Destroy\Recovery\Spambotbxz.zip. It was protected by a password (?), so I tried to send the Spambotbxz.zip to VirusTotal, which conclued :
Antivirus Version Dernière mise à jour Résultat
AhnLab-V3 2008.5.30.1 2008.06.02 -
AntiVir 7.8.0.26 2008.06.02 -
Authentium 5.1.0.4 2008.06.01 -
Avast 4.8.1195.0 2008.06.02 -
AVG 7.5.0.516 2008.06.02 -
BitDefender 7.2 2008.06.02 -
CAT-QuickHeal 9.50 2008.06.02 -
ClamAV 0.92.1 2008.06.02 -
DrWeb 4.44.0.09170 2008.06.02 -
eSafe 7.0.15.0 2008.06.02 -
eTrust-Vet 31.4.5842 2008.06.02 -
Ewido 4.0 2008.06.02 -
F-Prot 4.4.4.56 2008.06.01 -
F-Secure 6.70.13260.0 2008.06.02 -
Fortinet 3.14.0.0 2008.06.02 -
GData 2.0.7306.1023 2008.06.02 -
Ikarus T3.1.1.26.0 2008.06.02 -
Kaspersky 7.0.0.125 2008.06.02 -
McAfee 5308 2008.06.02 -
Microsoft 1.3520 2008.06.02 -
NOD32v2 3152 2008.06.02 error - password-protected file
Norman 5.80.02 2008.06.02 -
Panda 9.0.0.4 2008.06.02 -
Prevx1 V2 2008.06.02 -
Rising 20.47.02.00 2008.06.02 -
Sophos 4.29.0 2008.06.02 -
Sunbelt 3.0.1139.1 2008.05.29
Symantec 10 2008.06.02 -
TheHacker 6.2.92.331 2008.06.02 -
VBA32 3.12.6.6 2008.06.01 -
VirusBuster 4.3.26:9 2008.06.02 -
Webwasher-Gateway 6.6.2 2008.06.02 -
Information additionnelle
File size: 947 bytes
MD5…: 2b194b4b3f2e7c011fb9c1c91f5f139f
SHA1…: 93d3e523fd110613fe16d06d28261fa5e84a59c0
SHA256: 6a2785f5fbb71cd963051462e527d0216ddccad092780ac395fdb7592e609a3c
SHA512: 9671bc9a74967d942dc3f7f5355dfc0b889cecd625a89bf65e455d9b43709a19
9dc0d15dfda56d076f99d13040b13936372eb982d892c6508d750ab14a721e11
PEiD…: -
PEInfo: -

I run Hijack, clicked fix and deleted the entries. But for sc delete iziysnuxu and sc delete sdk, the message “Open service failed 1060. The specified service doesn’t exists as an installed service”.

When I reboot in safe mode, I search for MSEXECP32.exe. The only result is in C:\Documents and settings\All users\Application Data\Spybot-Search & Destroy\Recovery\Spambotbxz.zip

Can you post a fresh Hijack This! log please?

Hi,
I’ve the same issue… here’s my hijack

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:16:22, on 07.12.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
D:\Program Files\Intel\WiFi\bin\S24EvMon.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Program Files\Research In Motion\BlackBerry Unite\AttachServer\BBAttachServer.exe
D:\Program Files\Research In Motion\BlackBerry Unite\MDS\bin\bmds.exe
D:\Program Files\Research In Motion\BlackBerry Unite\Controller\ControllerService.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\Program Files\Intel\WiFi\bin\EvtEng.exe
D:\Program Files\FileZilla Server\FileZilla Server.exe
D:\WINDOWS\system32\inetsrv\inetinfo.exe
D:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
D:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
D:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
D:\WINDOWS\System32\snmp.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
D:\WINDOWS\system32\SearchIndexer.exe
D:\Program Files\Research In Motion\BlackBerry Unite\BypassRouter\BlackberryRouter.exe
D:\Program Files\Research In Motion\BlackBerry Unite\BlackBerryDispatcher.exe
D:\Program Files\Research In Motion\BlackBerry Unite\SyncServer\BlackBerrySyncServer.exe
D:\Program Files\Research In Motion\BlackBerry Unite\ITAdminServer.exe
D:\Program Files\Research In Motion\BlackBerry Unite\BlackBerryAgent.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\hkcmd.exe
D:\WINDOWS\system32\igfxpers.exe
D:\Program Files\Apoint\Apoint.exe
D:\WINDOWS\system32\igfxsrvc.exe
D:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
D:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
D:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
D:\Program Files\Unlocker\UnlockerAssistant.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
D:\Program Files\Apoint\Apntex.exe
D:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
D:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\TrueCrypt\TrueCrypt.exe
D:\Program Files\Windows Live\Messenger\msnmsgr.exe
D:\Program Files\Skype\Phone\Skype.exe
D:\WINDOWS\system32\wbem\unsecapp.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\TomTom HOME 2\HOMERunner.exe
D:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
D:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
D:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
D:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
D:\Program Files\Windows Desktop Search\WindowsSearch.exe
D:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Skype\Plugin Manager\skypePM.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Windows Live\Messenger\usnsvc.exe
D:\Documents and Settings\fabski\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
D:\WINDOWS\system32\dllhost.exe
D:\Program Files\FileZilla Server\FileZilla Server Interface.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Research In Motion\BlackBerry Unite\AttachServer\BBConvert.exe
D:\WINDOWS\system32\cmd.exe
D:\Program Files\Research In Motion\BlackBerry Unite\AttachServer\BBConvert.exe
D:\Program Files\Research In Motion\BlackBerry Unite\AttachServer\BBConvert.exe
D:\Program Files\Research In Motion\BlackBerry Unite\AttachServer\BBConvert.exe
S:\HiJackThis.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

step 2

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ch/ig?hl=fr&source=iglk
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://localhost:8080/unite/%20"D:/Documents%20and%20Settings/All%20Users/Desktop/Mozilla%20Firefox.lnk"
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Programme d’aide de l’Assistant de connexion Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM..\Run: [IgfxTray] D:\WINDOWS\system32\igfxtray.exe
O4 - HKLM..\Run: [HotKeysCmds] D:\WINDOWS\system32\hkcmd.exe
O4 - HKLM..\Run: [Persistence] D:\WINDOWS\system32\igfxpers.exe
O4 - HKLM..\Run: [Apoint] D:\Program Files\Apoint\Apoint.exe
O4 - HKLM..\Run: [trueImageMonitor.exe] D:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM..\Run: [AcronisTimounterMonitor] D:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM..\Run: [Acronis Scheduler2 Service] “D:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe”
O4 - HKLM..\Run: [ZoneAlarm Client] “D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe”
O4 - HKLM..\Run: [GrooveMonitor] “D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe”
O4 - HKLM..\Run: [UnlockerAssistant] “D:\Program Files\Unlocker\UnlockerAssistant.exe”
O4 - HKLM..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] “D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe”
O4 - HKLM..\Run: [UniteFileSync] “D:\Program Files\Research In Motion\BlackBerry Unite\File Sync\BlackBerrySync.exe”
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] “D:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe”
O4 - HKLM..\Run: [CloneCDTray] “D:\Program Files\SlySoft\CloneCD\CloneCDTray.exe” /s
O4 - HKLM..\Run: [AppleSyncNotifier] D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM..\Run: [IntelZeroConfig] “D:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe”
O4 - HKLM..\Run: [IntelWireless] “D:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe” /tf Intel Wireless Tray
O4 - HKLM..\Run: [QuickTime Task] “D:\Program Files\QuickTime\QTTask.exe” -atboottime
O4 - HKLM..\Run: [iTunesHelper] “D:\Program Files\iTunes\iTunesHelper.exe”
O4 - HKCU..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [trueCrypt] “D:\Program Files\TrueCrypt\TrueCrypt.exe” /q preferences /a favorites
O4 - HKCU..\Run: [msnmsgr] “D:\Program Files\Windows Live\Messenger\msnmsgr.exe” /background
O4 - HKCU..\Run: [Skype] “D:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized
O4 - HKCU..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU..\Run: [TomTomHOME.exe] “D:\Program Files\TomTom HOME 2\HOMERunner.exe”
O4 - HKCU..\Run: [FileZilla Server Interface] “D:\Program Files\FileZilla Server\FileZilla Server Interface.exe”
O4 - HKCU..\Run: [Google Update] “D:\Documents and Settings\fabski\Local Settings\Application Data\Google\Update\GoogleUpdate.exe” /c
O4 - HKUS\S-1-5-19..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User ‘LOCAL SERVICE’)
O4 - HKUS\S-1-5-20..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User ‘NETWORK SERVICE’)
O4 - HKUS\S-1-5-18..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User ‘Default user’)
O4 - Startup: Bluetooth.lnk = ?
O4 - Startup: Google Calendar Sync.lnk = D:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
O4 - Startup: Logitech Desktop Messenger.lnk = D:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Startup: Service Manager.lnk = D:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Startup: Windows Search.lnk = D:\Program Files\Windows Desktop Search\WindowsSearch.exe

3rd part

O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device… - D:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send To Bluetooth - D:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra ‘Tools’ menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - D:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra ‘Tools’ menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - D:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra ‘Tools’ menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1218843497390
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - D:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - D:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Apple Mobile Device - Apple Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: BlackBerry Attachment Service (BBAttachServer) - Research In Motion Limited - D:\Program Files\Research In Motion\BlackBerry Unite\AttachServer\BBAttachServer.exe
O23 - Service: BlackBerry MDS Connection Service - Research In Motion - D:\Program Files\Research In Motion\BlackBerry Unite\MDS\bin\bmds.exe
O23 - Service: BlackBerry Unite! Service - Research In Motion Limited - D:\Program Files\Research In Motion\BlackBerry Unite\Controller\ControllerService.exe
O23 - Service: Service Bonjour (Bonjour Service) - Apple Inc. - D:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - D:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel(R) Corporation - D:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - D:\Program Files\FileZilla Server\FileZilla Server.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - D:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - D:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Service de l’iPod (iPod Service) - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel(R) Corporation - D:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless WiFi Service (S24EventMonitor) - Intel(R) Corporation - D:\Program Files\Intel\WiFi\bin\S24EvMon.exe
O23 - Service: SlingAgent Service (SlingAgentService) - Sling Media Inc. - D:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - D:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe


End of file - 14501 bytes

any help ?

What’s the name and location of the file detected?

I can’t see anything obvious in the log.

same, C:\1.vbs

You could try some different spyware scanners:

SUPERAntiSpyware Free
a-Squared Free
Malwarebytes’ Anti-Malware

EDIT: Your main drive is D:. what’s C:?

ok, I will another try one to see…

c is my Vista partition, d is my XP partition