August 7th, 2011 00:00

All files hidden and something is blocking me from running Malwarebytes to fix it

All files are hidden, including the desktop. The virus seems to have infected Avast, which I tried to delete but it's blocked. I tried to run Malwarebytes but it says "access denied". Here's my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 08:36:53, on 07/08/2011
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.19088)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\WLTRAY.EXE
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\System32\WTClient.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\DivX\DivX Plus Web Player\DDMService.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files\Acronis\TrueImageHome\OnlineBackupStandalone\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
C:\Program Files\Samsung\Kies\KiesTrayAgent.exe
C:\Windows\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.fr/0SEFRFR/SAOS02
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer avec Club-Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {05eeb91a-aef7-4f8a-978f-fb83e7b03f8e} - (no file)
O1 - Hosts: ::1 localhost
O1 - Hosts: 173.192.170.88 drghwaweg45j4i6u3q32fg2h.com
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: Increase performance and video formats for your HTML5


August 7th, 2011 01:00

Hi

I'm kevinf80 and I will be helping with any issues you may have. Please be aware that some of the logs I may ask for can be very complex and can take a long time to decipher. I am a volunteer here with a job and family so I ask that you be patient when waiting for replies.
Please DO NOT run any scans/tools/fixes on your own as this will conflict with the tools we are going to use.
Please Print or Save to Notepad all instructions and please follow them carefully and if there's something you don't understand or that will not work please let me know and we will go through it together.
Malware is often buggy and can be very unstable, with that in mind it is advisable to backup any important data before we begin.
If you do not reply within 72 hours the thread will be closed, if you need more time let me know. Likewise if I do not respond within 48 hours feel free to PM me.

* If you are using any cracked software, please remove it. In addition to being illegal, when you install cracked software, you are running executable files from dubious, unknown sources. You are giving these sources access to information on your hard disk, and potential control over operation of your computer. Definition of cracked software HERE

** If you are using any P2P (file sharing) programs, please remove them before we clean your computer. The nature of such software and the high incidence of malware in files downloaded with them is counter productive to restoring your PC to a healthy state. That includes BitTorrent and similar programs. There is a partial list HERE

Please proceed as follows :-

Step 1

Please re-open HiJackThis and scan only. Check the boxes next to all the entries listed below.

O1 - Hosts: 173.192.170.88 drghwaweg45j4i6u3q32fg2h.com
O4 - HKCU\..\Run: [mIDuMjVairisaH] C:\ProgramData\mIDuMjVairisaH.exe


Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis. Reboot.

Step 2

Please download Rkill and save to your Desktop.
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use Link 1 from the following list, and so on in sequential order until one runs successfully.

Link 1

Link 2

Link 3

Link 4

Link 5

Link 6


  • A log pops up at the end of the run. This log file is also located at C:\rkill.log. Please post this log in your reply.
  • If you get an alert from your own security program, accept it and allow Rkill to run; it is very safe and will not harm your system. If the alert is from the infection's malware program (you'll know by the name), leave the alert open and run the same Rkill version again. You may have to run it several times; it may take up to 9 to work.
  • If the tool does not run from any of the links provided, please let me know.


Step 3

Delete any versions of Combofix that you may have on your Desktop, download a fresh copy from either of the following links :-

Link 1
Link 2

  • Ensure that Combofix is saved directly to the Desktop <--- Very important
    Before saving Combofix to the Desktop re-name to Gotcha.exe as below:

    user posted image
  • Disable all security programs as they will have a negative effect on Combofix, instructions available Here if required. Be aware the list may not have all programs listed, if you need more help please ask.
  • Close any open browsers and any other programs you might have running
  • Double click the user posted image icon to run the tool (Vista or Windows 7 users right click and select "Run as Administrator")
  • Instructions for running Combofix available Here if required.
  • If you are using Windows XP it might display a pop up saying that "Recovery console is not installed, do you want to install?" Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
  • When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review


**** Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read Here why disabling autoruns is recommended.

*EXTRA NOTES*
  • If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
  • If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot; this is normal
  • If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (those items will not be deleted)


Post the logs from RKill and Combofix in next reply please...

Kevin
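The two entries Kevin singled out above (a Hosts line that maps a domain to something other than loopback, and a Run value launching a machine-named executable straight out of C:\ProgramData) are exactly the kind of thing a quick triage pass can pull out of a HijackThis log before a human reads it. The following is an added example for this thread, not code from the original posts or from HijackThis. The sample lines are constructed from entries shown in the log above, and `looks_random` is a coarse heuristic introduced here: a name it flags only raises review priority and proves nothing on its own (it will also flag a few legitimate vendor names with odd capitalisation).

```python
"""Flag the HijackThis entries that matter most in a hijacked-system log.

Added example for this thread; it is not HijackThis code. SAMPLE_LOG is
constructed from entries that appear in the log posted above.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in HijackThis 2.0.4 line format.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R3 - URLSearchHook: (no name) - {05eeb91a-aef7-4f8a-978f-fb83e7b03f8e} - (no file)
O1 - Hosts: ::1 localhost
O1 - Hosts: 173.192.170.88 drghwaweg45j4i6u3q32fg2h.com
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKCU\..\Run: [mIDuMjVairisaH] C:\ProgramData\mIDuMjVairisaH.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
"""

LOOPBACK = {"127.0.0.1", "::1"}

# Autorun locations a normal installer does not use: a file sitting directly in
# C:\ProgramData, anything under AppData, or anything in a Temp directory.
USER_WRITABLE = (
    r"\\programdata\\[^\\]+$",
    r"\\appdata\\(local|roaming)\\",
    r"\\temp\\",
)
LOC_REASON = "autorun executable lives in a user-writable location"
NAME_REASON = "value name looks machine-generated"

HOSTS_RE = re.compile(r"^O1 - Hosts: (\S+) (\S+)")
RUN_RE = re.compile(r"^O4 - (\S+): \[([^\]]*)\] (.*)$")
ORPHAN_RE = re.compile(r"^(R3|O2) - .*\(no file\)\s*$")


@dataclass
class Finding:
    severity: str  # "high", "medium", "low" or "info"
    line: str
    reason: str


def looks_random(name: str) -> bool:
    """Heuristic introduced here (not a HijackThis rule): a letters-only name of
    8+ letters with no vowels at all, or whose case flips on at least half of
    its letter boundaries, as in 'mIDuMjVairisaH' or 'aoChCgeHApgo'."""
    letters = [c for c in name if c.isalpha()]
    if len(letters) < 8:
        return False
    if not any(c.lower() in "aeiouy" for c in letters):
        return True
    flips = sum(a.isupper() != b.isupper() for a, b in zip(letters, letters[1:]))
    return flips / (len(letters) - 1) >= 0.5


def in_user_writable(command: str) -> bool:
    target = command.strip().strip('"').lower()
    return any(re.search(pat, target) for pat in USER_WRITABLE)


def triage(log_text: str) -> list[Finding]:
    """Return findings for Hosts overrides, suspicious Run values and orphans."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := HOSTS_RE.match(line):
            ip, host = m.groups()
            if ip not in LOOPBACK or host.lower() != "localhost":
                findings.append(Finding("high", line,
                    f"hosts file maps {host} to {ip}; anything but loopback/localhost is a redirect"))
        elif m := RUN_RE.match(line):
            hive, name, command = m.groups()
            reasons = []
            if in_user_writable(command):
                reasons.append(LOC_REASON)
            if looks_random(name):
                reasons.append(NAME_REASON)
            if reasons:
                severity = ("high" if len(reasons) == 2
                            else "medium" if reasons[0] == LOC_REASON else "low")
                findings.append(Finding(severity, line, f"{hive} value '{name}': " + "; ".join(reasons)))
        elif ORPHAN_RE.match(line):
            findings.append(Finding("info", line, "hook/BHO pointing at a missing file; safe to remove"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
```

The Hosts rule is the one to trust blindly: on a home machine nothing but `127.0.0.1`/`::1` → `localhost` belongs there, and the page's entry points a random-looking domain at an outside address. The Run-value rules only rank entries for a human; the combination of a user-writable path and a machine-generated name is what makes the page's `mIDuMjVairisaH` entry score high.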

August 7th, 2011 13:00

Just rebooted and the little fuzzy-looking thing is still on the bottom of the toolbar. It's called "services media manager". It went away but is back now.


August 7th, 2011 13:00

Hi Kevin,

Thanks so much for your help. Files are starting to show up but some are still hiding.

Linda

Here's my Rkill report:

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 07/08/2011 at 19:49:21.
Operating System: Windows Vista (TM) Home Premium

Processes terminated by Rkill or while it was running:

C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Users\utilisateur\Downloads\iExplore.exe
C:\Users\utilisateur\Downloads\iExplore.exe

Rkill completed on 07/08/2011 at 19:49:37.

Here's my ComboFix report. Unfortunately, I wasn't given a language option and my computer automatically put parts of it in French. I hope it's not the parts that you need!

ComboFix 11-08-07.03 - utilisateur 07/08/2011  20:43:18.2.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.33.1036.18.2037.803 [GMT 2:00]
Running from: c:\users\utilisateur\Desktop\gotcha.exe.exe
.
.
((((((((((((((((((((((((((((((((((((   Other Deletions   ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\program files\PAV\pav.exe.tmp1
c:\users\utilisateur\AppData\Roaming\Local\Temp\DDM\Settings\.ddr
c:\users\utilisateur\AppData\Roaming\Local\Temp\DDM\Settings\0.ddi
c:\users\utilisateur\AppData\Roaming\Local\Temp\DDM\Settings\10150092283854586_8846.mp4.ddr
c:\users\utilisateur\AppData\Roaming\Local\Temp\DDM\Settings\208274895862743_12115.mp4.ddr
c:\users\utilisateur\AppData\Roaming\Local\Temp\DDM\Settings\489427224895_4614.mp4.ddr
c:\users\utilisateur\AppData\Roaming\Local\Temp\DDM\Settings\52349854895_55865.mp4.ddr
c:\users\utilisateur\AppData\Roaming\Local\Temp\DDM\Settings\75251154895_35415.mp4.ddr
c:\users\utilisateur\AppData\Roaming\Local\Temp\DDM\Settings\8rnznyd7xeddg.avi.ddr
c:\users\utilisateur\AppData\Roaming\Local\Temp\DDM\Settings\settings.ddi
c:\users\utilisateur\AppData\Roaming\Local\Temp\DDM\Settings\Temporary Downloaded Files\.ddp
c:\users\utilisateur\AppData\Roaming\Local\Temp\DDM\Settings\Temporary Downloaded Files\10150092283854586_8846.mp4
c:\users\utilisateur\AppData\Roaming\Local\Temp\DDM\Settings\Temporary Downloaded Files\208274895862743_12115.mp4
c:\users\utilisateur\AppData\Roaming\Local\Temp\DDM\Settings\Temporary Downloaded Files\489427224895_4614.mp4
c:\users\utilisateur\AppData\Roaming\Local\Temp\DDM\Settings\Temporary Downloaded Files\52349854895_55865.mp4
c:\users\utilisateur\AppData\Roaming\Local\Temp\DDM\Settings\Temporary Downloaded Files\75251154895_35415.mp4
c:\users\utilisateur\AppData\Roaming\Local\Temp\DDM\Settings\Temporary Downloaded Files\8rnznyd7xeddg.avi
c:\users\utilisateur\AppData\Roaming\Local\Temp\DDM\Settings\Temporary Downloaded Files\x7wg5.mp4.ddp
c:\users\utilisateur\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Vista Repair\Uninstall Windows Vista Repair.lnk
c:\users\utilisateur\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Vista Repair\Windows Vista Repair.lnk
c:\users\utilisateur\AppData\Roaming\OfferBox\config.dat
c:\users\utilisateur\AppData\Roaming\OfferBox\config.xml
c:\windows\security\Database\tmp.edb
.
.
(((((((((((((((((((((((((((((   Files Created from 2011-07-07 to 2011-08-07  ))))))))))))))))))))))))))))))))))))
.
.
2011-08-07 18:53 . 2011-08-07 18:53 -------- d-----w- c:\users\utilisateur\AppData\Local\temp
2011-08-07 18:53 . 2011-08-07 18:53 -------- d-----w- c:\users\Invité.PC-de-utilisate\AppData\Local\temp
2011-08-07 18:53 . 2011-08-07 18:53 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-08-07 18:17 . 2011-08-07 18:17 9310 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXTBOX.JS
2011-08-07 18:17 . 2011-08-07 18:17 8646 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TILEBOX.JS
2011-08-07 18:17 . 2011-08-07 18:17 6429 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UICORE.JS
2011-08-07 18:17 . 2011-08-07 18:17 63115 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\USERTILE.JS
2011-08-07 18:17 . 2011-08-07 18:17 5927 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXT.JS
2011-08-07 18:17 . 2011-08-07 18:17 4599 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UIRESOURCE.JS
2011-08-07 18:17 . 2011-08-07 18:17 8613 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\SAVEDUSER.JS
2011-08-07 18:17 . 2011-08-07 18:17 1651 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\QUERYSTRING.JS
2011-08-07 18:16 . 2011-08-07 18:16 6910 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\NEWUSERCOMM.JS
2011-08-07 18:16 . 2011-08-07 18:16 8288 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\IMAGE.JS
2011-08-07 18:16 . 2011-08-07 18:16 6208 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LINK.JS
2011-08-07 18:16 . 2011-08-07 18:16 18541 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LOCALIZATION.JS
2011-08-07 18:16 . 2011-08-07 18:16 51852 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\EXTERNALWRAPPER.JS
2011-08-07 18:16 . 2011-08-07 18:16 20719 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\DIVWRAPPER.JS
2011-08-07 18:16 . 2011-08-07 18:16 8782 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\BUTTON.JS
2011-08-07 18:16 . 2011-08-07 18:16 7271 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\CHECKBOX.JS
2011-08-07 18:16 . 2011-08-07 18:16 23327 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\COMBOBOX.JS
2011-08-07 06:30 . 2011-08-07 06:30 388096 ----a-r- c:\users\utilisateur\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-08-06 17:30 . 2011-07-13 03:39 6881616 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{C906DA64-C8B1-481A-B5C7-835730CD124F}\mpengine.dll
2011-08-02 17:34 . 2011-08-02 17:34 -------- d-----w- c:\users\utilisateur\AppData\Roaming\PeerNetworking
2011-07-27 13:59 . 2011-07-27 14:00 -------- d-----w- c:\users\Invité.PC-de-utilisate\AppData\Local\Adobe
2011-07-11 15:41 . 2011-07-27 13:59 -------- d-----w- c:\users\Invité.PC-de-utilisate\AppData\Roaming\Adobe
2011-07-11 15:41 . 2011-07-12 07:26 -------- d-----w- c:\users\Invité.PC-de-utilisate\AppData\Local\Google
.
.
.
((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-06 17:52 . 2011-04-11 10:01 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-03 20:28 . 2011-06-03 20:28 0 ---ha-w- c:\windows\system32\ConduitEngine.tmp
2011-05-28 06:08 . 2011-06-17 11:16 916480 ----a-w- c:\windows\system32\wininet.dll
2011-05-28 06:04 . 2011-06-17 11:16 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-05-28 06:04 . 2011-06-17 11:16 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-05-28 06:04 . 2011-06-17 11:16 71680 ----a-w- c:\windows\system32\iesetup.dll
2011-05-28 06:04 . 2011-06-17 11:16 109056 ----a-w- c:\windows\system32\iesysprep.dll
2011-05-28 05:10 . 2011-06-17 11:16 385024 ----a-w- c:\windows\system32\html.iec
2011-05-28 04:33 . 2011-06-17 11:16 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2011-05-28 04:31 . 2011-06-17 11:16 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-05-24 17:14 . 2009-10-06 13:04 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-05-19 12:13 . 2011-05-19 12:13 0 ----a-w- c:\users\utilisateur\AppData\Local\BITF650.tmp
2011-05-18 18:39 . 2011-05-18 18:39 0 ----a-w- c:\users\utilisateur\AppData\Local\BIT34C6.tmp
.
.
(((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [BU]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2009-08-20 2000120]
"RegistryBooster"="c:\program files\Uniblue\RegistryBooster\launcher.exe" [BU]
"KiesTrayAgent"="c:\program files\Samsung\Kies\KiesTrayAgent.exe" [2011-01-29 3372856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-12-08 3444736]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-13 137752]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-13 154136]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-13 133656]
"WTClient"="WTClient.exe" [2007-04-11 40960]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
"OPSE reminder"="c:\program files\ScanSoft\OmniPageSE2.0\EregFre\Ereg.exe" [BU]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-05-16 202256]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-01-12 49208]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-12-08 1226608]
"DivX Download Manager"="c:\program files\DivX\DivX Plus Web Player\DDmService.exe" [2010-12-08 63360]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"SAOB Monitor"="c:\program files\Acronis\TrueImageHome\OnlineBackupStandalone\TrueImageMonitor.exe" [2010-11-16 2536448]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2011-02-01 5546376]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2011-02-01 390720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-26 421160]
.
c:\users\utilisateur\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-12-15 384000]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\aoChCgeHApgo]
c:\programdata\aoChCgeHApgo.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bfepitaqunuhogaj]
c:\users\utilisateur\AppData\Local\svertfs.dll [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-19 07:33 125952 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OEM02Mon.exe]
2007-05-09 16:01 36864 ----a-w- c:\windows\OEM02Mon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TQ566808]
D:\Setup.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-04-04 136176]
R2 SFR.DashBoard.Service;SFR.DashBoard.Service;c:\program files\SFR\Gestionnaire de Connexion\SFR.DashBoard.Service.exe [2010-05-31 18272]
R3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [2011-02-28 183560]
R3 GT72NDISIPXP;GT 72 IP NDIS;c:\windows\system32\DRIVERS\Gt51Ip.sys [2008-02-18 106624]
R3 GT72UBUS;GT 72 U BUS;c:\windows\system32\DRIVERS\gt72ubus.sys [2008-02-08 59648]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-04-04 136176]
R3 massfilter;Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2010-04-14 9216]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-07-06 41272]
R3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe [2008-01-19 21504]
R3 PTSimHid;PenTablet Simulated HID MiniDriver;c:\windows\system32\DRIVERS\PTSimHid.sys [2007-04-23 10752]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R3 ZTEusbnet;ZTE USB-NDIS miniport;c:\windows\system32\DRIVERS\ZTEusbnet.sys [2009-07-21 114688]
R3 ZTEusbvoice;ZTE VoUSB Port;c:\windows\system32\DRIVERS\ZTEusbvoice.sys [2009-07-21 105088]
S0 tdrpman273;Acronis Try&Decide and Restore Points filter (build 273);c:\windows\system32\DRIVERS\tdrpm273.sys [2011-04-11 752128]
S2 afcdpsrv;Acronis Nonstop Backup Service;c:\program files\Common Files\Acronis\CDP\afcdpsrv.exe [2011-04-11 3246040]
S2 GtDetectSc;GtDetectSc;c:\program files\Option\GlobeTrotter Connect\GtDetectSc.exe [2008-04-30 200704]
S2 nlsX86cc;Nalpeiron Licensing Service;c:\windows\system32\NlsSrv32.exe [2009-06-07 61440]
S3 afcdp;afcdp;c:\windows\system32\DRIVERS\afcdp.sys [2011-04-11 167968]
S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2007-03-26 111104]
S3 PTSimBus;PenTablet Bus Enumerator;c:\windows\system32\DRIVERS\PTSimBus.sys [2007-06-07 18944]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ   Pml Driver HPZ12 Net Driver HPZ12
LocalServiceAndNoImpersonation REG_MULTI_SZ   FontCache
getPlusHelper REG_MULTI_SZ   getPlusHelper
hpdevmgmt REG_MULTI_SZ   hpqcxs08 hpqddsvc
nosGetPlusHelper REG_MULTI_SZ   nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-04 12:01]
.
2011-08-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-04 12:01]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.hotmail.com/
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\utilisateur\AppData\Roaming\Mozilla\Firefox\Profiles\z1te0y7n.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IPGTDF&PC=IPGTDF&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.hotmail.com
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Skype extension: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} - c:\program files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
FF - Ext: Veoh Video Compass: searchrecs@veoh.com - %profile%\extensions\searchrecs@veoh.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com
FF - Ext: uTorrentBar_FR Community Toolbar: {05eeb91a-aef7-4f8a-978f-fb83e7b03f8e} - %profile%\extensions\{05eeb91a-aef7-4f8a-978f-fb83e7b03f8e}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF - Ext: DivX Plus Web Player HTML5
FF - Ext: DivX HiQ: {6904342A-8307-11DF-A508-4AE2DFD72085} - c:\program files\DivX\DivX Plus Web Player\firefox\wpa
FF - Ext: Veoh Web Player Video Finder: web@veoh.com - c:\program files\Veoh Networks\VeohWebPlayer\FFVideoFinder
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{05eeb91a-aef7-4f8a-978f-fb83e7b03f8e} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
WebBrowser-{05EEB91A-AEF7-4F8A-978F-FB83E7B03F8E} - (no file)
WebBrowser-{30F9B915-B755-4826-820B-08FBA6BD249D} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-07 20:53
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-08-07  20:59:50
ComboFix-quarantined-files.txt  2011-08-07 18:59
.
Pre-Run: 29,376,385,024 bytes free
Post-Run: 29,031,546,880 bytes free
.
- - End Of File - - C02347041467A15607606733D82A3B90


August 7th, 2011 14:00

Continue as follows please :-

Step 1

Download the following program to your desktop:

Unhidetool

Once the program has been downloaded, double-click on the Unhide.exe icon on your desktop and allow the program to run. This program will remove the +H, or hidden, attribute from all the files on your hard drives. If there are any files that were purposely hidden by you, you will need to hide them again after this tool is run.
Please be patient as this may take several minutes to run, it will scan and fix all Hard drives on your system. You will see a new window with the drive being processed, typically C:\ as below:

user posted image

Changing as the next drive is processed as below:

user posted image

You will get a success alert at the end.

user posted image

Re-boot and see if your files are present.

Step 2

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in between the dotted lines below into it:

-----------------------------------------------------------------------------------------------------------------------------------------

KillAll::

File::
c:\windows\system32\ConduitEngine.tmp
c:\users\utilisateur\AppData\Local\BITF650.tmp
c:\users\utilisateur\AppData\Local\BIT34C6.tmp
c:\programdata\aoChCgeHApgo.exe
c:\users\utilisateur\AppData\Local\svertfs.dll
D:\Setup.exe
Firefox::
FF - ProfilePath - c:\users\utilisateur\AppData\Roaming\Mozilla\Firefox\Profiles\z1te0y7n.default\
FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com
FF - Ext: uTorrentBar_FR Community Toolbar: {05eeb91a-aef7-4f8a-978f-fb83e7b03f8e} - %profile%\extensions\{05eeb91a-aef7-4f8a-978f-fb83e7b03f8e}
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\aoChCgeHApgo]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bfepitaqunuhogaj]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TQ566808]
RegLock::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
-----------------------------------------------------------------------------------------------------------------------------------------

Save this as CFScript.txt with Type: All Files (*.*), in the same location as ComboFix.exe.

user posted image

user posted image

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Step 3

Run ESET Online Scan

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window: ESET OnlineScan
  • Click the user posted image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

 

  • Click on user posted image to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the user posted image icon on your desktop.

 

  • Check user posted image
  • Click the user posted image button.
  • Accept any security warnings from your browser.
  • Check user posted image
  • Leave the tick out of remove found threats
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push user posted image
  • Push user posted image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the user posted image button.
  • Push user posted image


You can refer to this animation by neomage if needed.
Frequently asked questions are available Here. Please read them before running the scan.

Also be aware this scan can take between one and several hours to complete depending on the size of your system.

The ESET log can be found here: "C:\Program Files\ESET\EsetOnlineScanner\log.txt".

Step 4

Download Security Check by screen317 from HERE or HERE.
Save it to your Desktop.
Double click SecurityCheck.exe (Vista or Windows 7 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me see the following in your next reply:

  • Log from Combofix
  • Log from ESET
  • Log from Security Check
  • Update on current issues



Kevin

20 Posts

August 8th, 2011 01:00

thanks, kevin. it looks good and all my files are back. that fuzzy icon with a red X on it is still showing up when i turn on the computer (services media manager). i've only seen it one other time and that was when the computer had a virus.

also, all the desktop icons are underlined and i can't rename them by clicking on them twice slowly. i have to right-click and rename from the menu. no big deal but i'm wondering if it's a sign of a continuing problem.

here's the combofix log:

ComboFix 11-08-07.03 - utilisateur 07/08/2011  23:14:24.3.2 - x86

Microsoft® Windows Vista™ Édition Familiale Premium   6.0.6002.2.1252.33.1036.18.2037.1064 [GMT 2:00]

Lancé depuis: c:\users\utilisateur\Desktop\gotcha.exe.exe

Commutateurs utilisés :: c:\users\utilisateur\Desktop\CFScript.txt

.

FILE ::

"c:\programdata\aoChCgeHApgo.exe"

"c:\users\utilisateur\AppData\Local\BIT34C6.tmp"

"c:\users\utilisateur\AppData\Local\BITF650.tmp"

"c:\users\utilisateur\AppData\Local\svertfs.dll"

"c:\windows\system32\ConduitEngine.tmp"

"D:\Setup.exe"

.

ADS - Windows: deleted 128 bytes in 1 streams.

.

((((((((((((((((((((((((((((((((((((   Autres suppressions   ))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\users\utilisateur\AppData\Roaming\Mozilla\Firefox\Profiles\z1te0y7n.default\extensions\{05eeb91a-aef7-4f8a-978f-fb83e7b03f8e}

c:\users\utilisateur\AppData\Roaming\Mozilla\Firefox\Profiles\z1te0y7n.default\extensions\{05eeb91a-aef7-4f8a-978f-fb83e7b03f8e}\chrome.manifest

c:\users\utilisateur\AppData\Roaming\Mozilla\Firefox\Profiles\z1te0y7n.default\extensions\{05eeb91a-aef7-4f8a-978f-fb83e7b03f8e}\chrome\utorrentbar_fr.jar

c:\users\utilisateur\AppData\Roaming\Mozilla\Firefox\Profiles\z1te0y7n.default\extensions\{05eeb91a-aef7-4f8a-978f-fb83e7b03f8e}\components\ConduitAutoCompleteSearch.js

c:\users\utilisateur\AppData\Roaming\Mozilla\Firefox\Profiles\z1te0y7n.default\extensions\{05eeb91a-aef7-4f8a-978f-fb83e7b03f8e}\components\ConduitAutoCompleteSearch.xpt

c:\users\utilisateur\AppData\Roaming\Mozilla\Firefox\Profiles\z1te0y7n.default\extensions\{05eeb91a-aef7-4f8a-978f-fb83e7b03f8e}\components\ConduitToolbar.idl

c:\users\utilisateur\AppData\Roaming\Mozilla\Firefox\Profiles\z1te0y7n.default\extensions\{05eeb91a-aef7-4f8a-978f-fb83e7b03f8e}\components\ConduitToolbar.js

c:\users\utilisateur\AppData\Roaming\Mozilla\Firefox\Profiles\z1te0y7n.default\extensions\{05eeb91a-aef7-4f8a-978f-fb83e7b03f8e}\components\ConduitToolbar.xpt

c:\users\utilisateur\AppData\Roaming\Mozilla\Firefox\Profiles\z1te0y7n.default\extensions\{05eeb91a-aef7-4f8a-978f-fb83e7b03f8e}\components\RadioWMPCore.dll

c:\users\utilisateur\AppData\Roaming\Mozilla\Firefox\Profiles\z1te0y7n.default\extensions\{05eeb91a-aef7-4f8a-978f-fb83e7b03f8e}\components\RadioWMPCore.xpt

c:\users\utilisateur\AppData\Roaming\Mozilla\Firefox\Profiles\z1te0y7n.default\extensions\{05eeb91a-aef7-4f8a-978f-fb83e7b03f8e}\components\RadioWMPCoreGecko19.dll

c:\users\utilisateur\AppData\Roaming\Mozilla\Firefox\Profiles\z1te0y7n.default\extensions\{05eeb91a-aef7-4f8a-978f-fb83e7b03f8e}\defaults\alertSettingsComponent.xml

c:\users\utilisateur\AppData\Roaming\Mozilla\Firefox\Profiles\z1te0y7n.default\extensions\{05eeb91a-aef7-4f8a-978f-fb83e7b03f8e}\defaults\appContextMenu.xml

c:\users\utilisateur\AppData\Roaming\Mozilla\Firefox\Profiles\z1te0y7n.default\extensions\{05eeb91a-aef7-4f8a-978f-fb83e7b03f8e}\defaults\engineContextMenu.xml

c:\users\utilisateur\AppData\Roaming\Mozilla\Firefox\Profiles\z1te0y7n.default\extensions\{05eeb91a-aef7-4f8a-978f-fb83e7b03f8e}\defaults\engineSettings.json

c:\users\utilisateur\AppData\Roaming\Mozilla\Firefox\Profiles\z1te0y7n.default\extensions\{05eeb91a-aef7-4f8a-978f-fb83e7b03f8e}\defaults\fbAlert.js

c:\users\utilisateur\AppData\Roaming\Mozilla\Firefox\Profiles\z1te0y7n.default\extensions\{05eeb91a-aef7-4f8a-978f-fb83e7b03f8e}\defaults\getAppsContextMenu.xml

c:\users\utilisateur\AppData\Roaming\Mozilla\Firefox\Profiles\z1te0y7n.default\extensions\{05eeb91a-aef7-4f8a-978f-fb83e7b03f8e}\defaults\postAppsContextMenu.xml

c:\users\utilisateur\AppData\Roaming\Mozilla\Firefox\Profiles\z1te0y7n.default\extensions\{05eeb91a-aef7-4f8a-978f-fb83e7b03f8e}\defaults\toolbarContextMenu.xml

c:\users\utilisateur\AppData\Roaming\Mozilla\Firefox\Profiles\z1te0y7n.default\extensions\{05eeb91a-aef7-4f8a-978f-fb83e7b03f8e}\defaults\unsharedAppsContextMenu.xml

c:\users\utilisateur\AppData\Roaming\Mozilla\Firefox\Profiles\z1te0y7n.default\extensions\{05eeb91a-aef7-4f8a-978f-fb83e7b03f8e}\install.rdf

c:\users\utilisateur\AppData\Roaming\Mozilla\Firefox\Profiles\z1te0y7n.default\extensions\{05eeb91a-aef7-4f8a-978f-fb83e7b03f8e}\lib\xpcom.js

c:\users\utilisateur\AppData\Roaming\Mozilla\Firefox\Profiles\z1te0y7n.default\extensions\{05eeb91a-aef7-4f8a-978f-fb83e7b03f8e}\META-INF\manifest.mf

c:\users\utilisateur\AppData\Roaming\Mozilla\Firefox\Profiles\z1te0y7n.default\extensions\{05eeb91a-aef7-4f8a-978f-fb83e7b03f8e}\META-INF\zigbert.rsa

c:\users\utilisateur\AppData\Roaming\Mozilla\Firefox\Profiles\z1te0y7n.default\extensions\{05eeb91a-aef7-4f8a-978f-fb83e7b03f8e}\META-INF\zigbert.sf

c:\users\utilisateur\AppData\Roaming\Mozilla\Firefox\Profiles\z1te0y7n.default\extensions\{05eeb91a-aef7-4f8a-978f-fb83e7b03f8e}\searchplugin\conduit.gif

c:\users\utilisateur\AppData\Roaming\Mozilla\Firefox\Profiles\z1te0y7n.default\extensions\{05eeb91a-aef7-4f8a-978f-fb83e7b03f8e}\searchplugin\conduit.ico

c:\users\utilisateur\AppData\Roaming\Mozilla\Firefox\Profiles\z1te0y7n.default\extensions\{05eeb91a-aef7-4f8a-978f-fb83e7b03f8e}\searchplugin\conduit.PNG

c:\users\utilisateur\AppData\Roaming\Mozilla\Firefox\Profiles\z1te0y7n.default\extensions\{05eeb91a-aef7-4f8a-978f-fb83e7b03f8e}\searchplugin\conduit.src

c:\users\utilisateur\AppData\Roaming\Mozilla\Firefox\Profiles\z1te0y7n.default\extensions\{05eeb91a-aef7-4f8a-978f-fb83e7b03f8e}\searchplugin\conduit.xml

c:\users\utilisateur\AppData\Roaming\Mozilla\Firefox\Profiles\z1te0y7n.default\extensions\{05eeb91a-aef7-4f8a-978f-fb83e7b03f8e}\setup.ini

c:\users\utilisateur\AppData\Roaming\Mozilla\Firefox\Profiles\z1te0y7n.default\extensions\{05eeb91a-aef7-4f8a-978f-fb83e7b03f8e}\version.txt

c:\users\utilisateur\AppData\Roaming\Mozilla\Firefox\Profiles\z1te0y7n.default\extensions\engine@conduit.com

c:\users\utilisateur\AppData\Roaming\Mozilla\Firefox\Profiles\z1te0y7n.default\extensions\engine@conduit.com\chrome.manifest

c:\users\utilisateur\AppData\Roaming\Mozilla\Firefox\Profiles\z1te0y7n.default\extensions\engine@conduit.com\chrome\conduitengine.jar

c:\users\utilisateur\AppData\Roaming\Mozilla\Firefox\Profiles\z1te0y7n.default\extensions\engine@conduit.com\components\ConduitAutoCompleteSearch.js

c:\users\utilisateur\AppData\Roaming\Mozilla\Firefox\Profiles\z1te0y7n.default\extensions\engine@conduit.com\components\ConduitAutoCompleteSearch.xpt

c:\users\utilisateur\AppData\Roaming\Mozilla\Firefox\Profiles\z1te0y7n.default\extensions\engine@conduit.com\components\ConduitToolbar.idl

c:\users\utilisateur\AppData\Roaming\Mozilla\Firefox\Profiles\z1te0y7n.default\extensions\engine@conduit.com\components\ConduitToolbar.js

c:\users\utilisateur\AppData\Roaming\Mozilla\Firefox\Profiles\z1te0y7n.default\extensions\engine@conduit.com\components\ConduitToolbar.xpt

c:\users\utilisateur\AppData\Roaming\Mozilla\Firefox\Profiles\z1te0y7n.default\extensions\engine@conduit.com\components\RadioWMPCore.dll

c:\users\utilisateur\AppData\Roaming\Mozilla\Firefox\Profiles\z1te0y7n.default\extensions\engine@conduit.com\components\RadioWMPCore.xpt

c:\users\utilisateur\AppData\Roaming\Mozilla\Firefox\Profiles\z1te0y7n.default\extensions\engine@conduit.com\components\RadioWMPCoreGecko19.dll

c:\users\utilisateur\AppData\Roaming\Mozilla\Firefox\Profiles\z1te0y7n.default\extensions\engine@conduit.com\defaults\alertSettingsComponent.xml

c:\users\utilisateur\AppData\Roaming\Mozilla\Firefox\Profiles\z1te0y7n.default\extensions\engine@conduit.com\defaults\appContextMenu.xml

c:\users\utilisateur\AppData\Roaming\Mozilla\Firefox\Profiles\z1te0y7n.default\extensions\engine@conduit.com\defaults\engineContextMenu.xml

c:\users\utilisateur\AppData\Roaming\Mozilla\Firefox\Profiles\z1te0y7n.default\extensions\engine@conduit.com\defaults\engineSettings.json

c:\users\utilisateur\AppData\Roaming\Mozilla\Firefox\Profiles\z1te0y7n.default\extensions\engine@conduit.com\defaults\fbAlert.js

c:\users\utilisateur\AppData\Roaming\Mozilla\Firefox\Profiles\z1te0y7n.default\extensions\engine@conduit.com\defaults\getAppsContextMenu.xml

c:\users\utilisateur\AppData\Roaming\Mozilla\Firefox\Profiles\z1te0y7n.default\extensions\engine@conduit.com\defaults\postAppsContextMenu.xml

c:\users\utilisateur\AppData\Roaming\Mozilla\Firefox\Profiles\z1te0y7n.default\extensions\engine@conduit.com\defaults\toolbarContextMenu.xml

c:\users\utilisateur\AppData\Roaming\Mozilla\Firefox\Profiles\z1te0y7n.default\extensions\engine@conduit.com\defaults\unsharedAppsContextMenu.xml

c:\users\utilisateur\AppData\Roaming\Mozilla\Firefox\Profiles\z1te0y7n.default\extensions\engine@conduit.com\DualPackage\install.rdf

c:\users\utilisateur\AppData\Roaming\Mozilla\Firefox\Profiles\z1te0y7n.default\extensions\engine@conduit.com\install.rdf

c:\users\utilisateur\AppData\Roaming\Mozilla\Firefox\Profiles\z1te0y7n.default\extensions\engine@conduit.com\lib\xpcom.js

c:\users\utilisateur\AppData\Roaming\Mozilla\Firefox\Profiles\z1te0y7n.default\extensions\engine@conduit.com\META-INF\manifest.mf

c:\users\utilisateur\AppData\Roaming\Mozilla\Firefox\Profiles\z1te0y7n.default\extensions\engine@conduit.com\META-INF\zigbert.rsa

c:\users\utilisateur\AppData\Roaming\Mozilla\Firefox\Profiles\z1te0y7n.default\extensions\engine@conduit.com\META-INF\zigbert.sf

c:\users\utilisateur\AppData\Roaming\Mozilla\Firefox\Profiles\z1te0y7n.default\extensions\engine@conduit.com\searchplugin\conduit.gif

c:\users\utilisateur\AppData\Roaming\Mozilla\Firefox\Profiles\z1te0y7n.default\extensions\engine@conduit.com\searchplugin\conduit.ico

c:\users\utilisateur\AppData\Roaming\Mozilla\Firefox\Profiles\z1te0y7n.default\extensions\engine@conduit.com\searchplugin\conduit.PNG

c:\users\utilisateur\AppData\Roaming\Mozilla\Firefox\Profiles\z1te0y7n.default\extensions\engine@conduit.com\searchplugin\conduit.src

c:\users\utilisateur\AppData\Roaming\Mozilla\Firefox\Profiles\z1te0y7n.default\extensions\engine@conduit.com\searchplugin\conduit.xml

c:\users\utilisateur\AppData\Roaming\Mozilla\Firefox\Profiles\z1te0y7n.default\extensions\engine@conduit.com\setup.ini

c:\users\utilisateur\AppData\Roaming\Mozilla\Firefox\Profiles\z1te0y7n.default\extensions\engine@conduit.com\version.txt

c:\windows\system32\muzapp.exe

.

.

(((((((((((((((((((((((((((((   Fichiers créés du 2011-07-07 au 2011-08-07  ))))))))))))))))))))))))))))))))))))

.

.

2011-08-07 21:24 . 2011-08-07 21:28 -------- d-----w- c:\users\utilisateur\AppData\Local\temp

2011-08-07 21:24 . 2011-08-07 21:24 -------- d-----w- c:\users\Invité\AppData\Local\temp

2011-08-07 21:24 . 2011-08-07 21:24 -------- d-----w- c:\users\Invité.PC-de-utilisate\AppData\Local\temp

2011-08-07 21:24 . 2011-08-07 21:24 -------- d-----w- c:\users\Default\AppData\Local\temp

2011-08-07 18:40 . 2011-08-07 18:59 -------- d-----w- C:\gotcha.exe

2011-08-07 06:30 . 2011-08-07 06:30 388096 ----a-r- c:\users\utilisateur\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2011-08-06 17:30 . 2011-07-13 03:39 6881616 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{C906DA64-C8B1-481A-B5C7-835730CD124F}\mpengine.dll

2011-08-02 17:34 . 2011-08-02 17:34 -------- d-----w- c:\users\utilisateur\AppData\Roaming\PeerNetworking

2011-07-27 13:59 . 2011-07-27 14:00 -------- d-----w- c:\users\Invité.PC-de-utilisate\AppData\Local\Adobe

2011-07-11 15:41 . 2011-07-27 13:59 -------- d-----w- c:\users\Invité.PC-de-utilisate\AppData\Roaming\Adobe

2011-07-11 15:41 . 2011-07-12 07:26 -------- d-----w- c:\users\Invité.PC-de-utilisate\AppData\Local\Google

.

.

.

((((((((((((((((((((((((((((((((((   Compte-rendu de Find3M   ))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-07-06 17:52 . 2011-04-11 10:01 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-06-03 20:28 . 2011-06-03 20:28 0 ----a-w- c:\windows\system32\ConduitEngine.tmp

2011-05-28 06:08 . 2011-06-17 11:16 916480 ----a-w- c:\windows\system32\wininet.dll

2011-05-28 06:04 . 2011-06-17 11:16 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-05-28 06:04 . 2011-06-17 11:16 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2011-05-28 06:04 . 2011-06-17 11:16 71680 ----a-w- c:\windows\system32\iesetup.dll

2011-05-28 06:04 . 2011-06-17 11:16 109056 ----a-w- c:\windows\system32\iesysprep.dll

2011-05-28 05:10 . 2011-06-17 11:16 385024 ----a-w- c:\windows\system32\html.iec

2011-05-28 04:33 . 2011-06-17 11:16 133632 ----a-w- c:\windows\system32\ieUnatt.exe

2011-05-28 04:31 . 2011-06-17 11:16 1638912 ----a-w- c:\windows\system32\mshtml.tlb

2011-05-24 17:14 . 2009-10-06 13:04 222080 ------w- c:\windows\system32\MpSigStub.exe

2011-05-19 12:13 . 2011-05-19 12:13 0 ----a-w- c:\users\utilisateur\AppData\Local\BITF650.tmp

2011-05-18 18:39 . 2011-05-18 18:39 0 ----a-w- c:\users\utilisateur\AppData\Local\BIT34C6.tmp

.

.

(((((((((((((((((((((((((((((((((   Points de chargement Reg   ))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [BU]

"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2009-08-20 2000120]

"RegistryBooster"="c:\program files\Uniblue\RegistryBooster\launcher.exe" [BU]

"KiesTrayAgent"="c:\program files\Samsung\Kies\KiesTrayAgent.exe" [2011-01-29 3372856]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-12-08 3444736]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-13 137752]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-13 154136]

"Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-13 133656]

"WTClient"="WTClient.exe" [2007-04-11 40960]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]

"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]

"OPSE reminder"="c:\program files\ScanSoft\OmniPageSE2.0\EregFre\Ereg.exe" [BU]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-05-16 202256]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-01-12 49208]

"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-12-08 1226608]

"DivX Download Manager"="c:\program files\DivX\DivX Plus Web Player\DDmService.exe" [2010-12-08 63360]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]

"SAOB Monitor"="c:\program files\Acronis\TrueImageHome\OnlineBackupStandalone\TrueImageMonitor.exe" [2010-11-16 2536448]

"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2011-02-01 5546376]

"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2011-02-01 390720]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-26 421160]

.

c:\users\utilisateur\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-12-15 384000]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

"EnableLinkedConnections"= 1 (0x1)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux1"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]

2008-01-19 07:33 125952 ----a-w- c:\windows\ehome\ehtray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OEM02Mon.exe]

2007-05-09 16:01 36864 ----a-w- c:\windows\OEM02Mon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]

"AntiVirusOverride"=dword:00000001

.

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 gupdate;Service Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-04-04 136176]

R3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [2011-02-28 183560]

R3 GT72NDISIPXP;GT 72 IP NDIS;c:\windows\system32\DRIVERS\Gt51Ip.sys [2008-02-18 106624]

R3 GT72UBUS;GT 72 U BUS;c:\windows\system32\DRIVERS\gt72ubus.sys [2008-02-08 59648]

R3 gupdatem;Service Google Update (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-04-04 136176]

R3 massfilter;Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2010-04-14 9216]

R3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe [2008-01-19 21504]

R3 PTSimHid;PenTablet Simulated HID MiniDriver;c:\windows\system32\DRIVERS\PTSimHid.sys [2007-04-23 10752]

R3 WPFFontCache_v0400;Cache de police de Windows Presentation Foundation 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]

R3 ZTEusbnet;ZTE USB-NDIS miniport;c:\windows\system32\DRIVERS\ZTEusbnet.sys [2009-07-21 114688]

R3 ZTEusbvoice;ZTE VoUSB Port;c:\windows\system32\DRIVERS\ZTEusbvoice.sys [2009-07-21 105088]

S0 tdrpman273;Acronis Try&Decide and Restore Points filter (build 273);c:\windows\system32\DRIVERS\tdrpm273.sys [2011-04-11 752128]

S2 afcdpsrv;Service Acronis Nonstop Backup;c:\program files\Common Files\Acronis\CDP\afcdpsrv.exe [2011-04-11 3246040]

S2 GtDetectSc;GtDetectSc;c:\program files\Option\GlobeTrotter Connect\GtDetectSc.exe [2008-04-30 200704]

S2 nlsX86cc;Nalpeiron Licensing Service;c:\windows\system32\NlsSrv32.exe [2009-06-07 61440]

S2 SFR.DashBoard.Service;SFR.DashBoard.Service;c:\program files\SFR\Gestionnaire de Connexion\SFR.DashBoard.Service.exe [2010-05-31 18272]

S3 afcdp;afcdp;c:\windows\system32\DRIVERS\afcdp.sys [2011-04-11 167968]

S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2007-03-26 111104]

S3 PTSimBus;PenTablet Bus Enumerator;c:\windows\system32\DRIVERS\PTSimBus.sys [2007-06-07 18944]

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ   Pml Driver HPZ12 Net Driver HPZ12

LocalServiceAndNoImpersonation REG_MULTI_SZ   FontCache

getPlusHelper REG_MULTI_SZ   getPlusHelper

hpdevmgmt REG_MULTI_SZ   hpqcxs08 hpqddsvc

nosGetPlusHelper REG_MULTI_SZ   nosGetPlusHelper

.

Contenu du dossier 'Tâches planifiées'

.

2011-08-07 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-18 15:34]

.

2011-08-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-04 12:01]

.

2011-08-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-04 12:01]

.

.

------- Examen supplémentaire -------

.

uStart Page = hxxp://www.hotmail.com/

uInternet Settings,ProxyOverride = *.local

IE: Ajouter la cible du lien à un fichier PDF existant - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Ajouter à un fichier PDF existant - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convertir au format Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

IE: Convertir la cible du lien au format Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: E&xporter vers Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

TCP: DhcpNameServer = 192.168.1.1

FF - ProfilePath - c:\users\utilisateur\AppData\Roaming\Mozilla\Firefox\Profiles\z1te0y7n.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IPGTDF&PC=IPGTDF&q=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - www.hotmail.com

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

FF - Ext: Skype extension: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} - c:\program files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}

FF - Ext: Veoh Video Compass: searchrecs@veoh.com - %profile%\extensions\searchrecs@veoh.com

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext

FF - Ext: DivX Plus Web Player HTML5

FF - Ext: DivX HiQ: {6904342A-8307-11DF-A508-4AE2DFD72085} - c:\program files\DivX\DivX Plus Web Player\firefox\wpa

FF - Ext: Veoh Web Player Video Finder: web@veoh.com - c:\program files\Veoh Networks\VeohWebPlayer\FFVideoFinder

FF - user.js: yahoo.homepage.dontask - true

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-08-07 23:27

Windows 6.0.6002 Service Pack 2 NTFS

.

Recherche de processus cachés ...

.

Recherche d'éléments en démarrage automatique cachés ...

.

Recherche de fichiers cachés ...

.

Scan terminé avec succès

Fichiers cachés: 0

.

**************************************************************************

.

--------------------- DLLs chargées dans les processus actifs ---------------------

.

- - - - - - - > 'Explorer.exe'(2892)

c:\program files\Roxio\Drag-to-Disc\Shellex.dll

c:\windows\system32\DLAAPI_W.DLL

c:\program files\Roxio\Drag-to-Disc\ShellRes.dll

.

------------------------ Autres processus actifs ------------------------

.

c:\windows\System32\WLTRYSVC.EXE

c:\windows\System32\bcmwltry.exe

c:\windows\system32\WLANExt.exe

c:\program files\Common Files\Acronis\Schedule2\schedul2.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

c:\program files\Microsoft\BingBar\SeaPort.EXE

c:\windows\system32\conime.exe

c:\windows\System32\Drivers\WTSRV.EXE

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

c:\windows\System32\WTClient.exe

c:\windows\system32\igfxsrvc.exe

c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe

c:\program files\Windows Media Player\wmpnscfg.exe

c:\program files\Windows Media Player\wmpnetwk.exe

c:\program files\OpenOffice.org 3\program\soffice.exe

c:\program files\OpenOffice.org 3\program\soffice.bin

c:\program files\iPod\bin\iPodService.exe

c:\program files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe

.

**************************************************************************

.

Heure de fin: 2011-08-07  23:38:40 - La machine a redémarré

ComboFix-quarantined-files.txt  2011-08-07 21:38

ComboFix2.txt  2011-08-07 18:59

.

Avant-CF: 28 942 831 616 octets libres

Après-CF: 28 887 965 696 octets libres

.

- - End Of File - - 406012EC88FE08810B880F9482990633

the ESET scan said no viruses and didn't give me an option to print a log.

SECURITY CHECKLIST log

Results of screen317's Security Check version 0.99.18  

Windows Vista Service Pack 2 (UAC is disabled!)

Internet Explorer 8  

``````````````````````````````

Antivirus/Firewall Check:

ESET Online Scanner v3  

WMI entry may not exist for antivirus; attempting automatic update.

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware    

Java(TM) 6 Update 21  

Out of date Java installed!

Flash Player Out of Date!

Adobe Flash Player 10.2.152.32  

Mozilla Firefox (3.6.18) Firefox Out of Date!  

````````````````````````````````

Process Check:  

objlist.exe by Laurent

Acronis TrueImageHome OnlineBackupStandalone TrueImageMonitor.exe

``````````End of Log````````````

1.1K Posts

August 8th, 2011 03:00

The icon you mention that shows up on boot is related to Roxio; it monitors changes to your system. It shows in HJT:

O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"

It is not malicious but does not need to run at startup.


You can stop that in MSConfig or you can do it with HJT as follows:

Please re-open HiJackThis and scan only.  Check the boxes next to all the entries listed below.


O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"


Now close all windows other than HiJackThis, then click Fix Checked.  Close HiJackThis.  Reboot.

Next,

You have UAC (User Access Control) turned off; you should have that turned on at all times.

Next,

You will have several programs installed; these may be outdated and vulnerable to exploits also. To be certain, please run the free online scan by Secunia, available Here. Before clicking the Start scan button, please check the box for the option Enable thorough system inspection. Just below the "Scan Options:" section, you'll see the status of what's currently processing.... user posted image
...when the scan completes, the message "Detection completed successfully" will appear in the Programs/Result section. For each problem detected, Secunia will offer a "Solution" option. Please follow those instructions to download updated versions of the programs as recommended by Secunia.
Let me know how you get on with the above, tell me what issues remain; if none, we'll clean up the tools we've used on your system.....
Kevin
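As an added example (not code from this thread, from ComboFix's authors, or from the helper), here is a small Python script that reads the "Points de chargement Reg" section of a ComboFix log like the one posted above, lists the Run autostart entries, and flags the two policy values that the Security Check output and the helper's reply point at: EnableLUA=0 (UAC switched off) and AntiVirusOverride=1 in the Security Center key. The sample text is a handful of lines copied from the log above; the meaning given to the bracketed tags and the list of checked values are my assumptions, not ComboFix documentation.

```python
"""Pull Run autostarts and weak policy values out of a ComboFix log.

Added example for review of a posted log; not part of the thread or of
ComboFix itself.  Feed parse_reg_section() the whole log text; lines that
are not a [KEY] header or a "name"=value pair are ignored.
"""
import re

# Constructed sample: a few lines copied from the log posted in the thread.
SAMPLE_LOG = r'''
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [BU]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2009-08-20 2000120]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
.
'''

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<raw>.*)$')
# ComboFix prints Run values as "path" followed by a bracketed annotation
# (a date and size when it could stat the file, or a short tag such as [BU]).
RUN_RE = re.compile(r'^"(?P<path>[^"]*)"\s*\[(?P<tag>[^\]]*)\]\s*$')

# (key suffix, value name, value that is a finding, explanation) -- my list,
# based on what the Security Check output and the helper's reply call out.
POLICY_CHECKS = [
    ('\\policies\\system', 'EnableLUA', 0,
     'UAC is disabled (EnableLUA=0)'),
    ('\\security center\\svc', 'AntiVirusOverride', 1,
     'Security Center antivirus status monitoring is overridden '
     '(AntiVirusOverride=1)'),
]


def parse_reg_section(text):
    """Return {key (lower-cased): {value name: raw value text}}."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group('key').lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group('name')] = m.group('raw').strip()
    return keys


def reg_int(raw):
    """Turn '0 (0x0)' or 'dword:00000001' into an int; None if not numeric."""
    if raw.lower().startswith('dword:'):
        return int(raw[6:], 16)
    m = re.match(r'^-?\d+', raw)
    return int(m.group(0)) if m else None


def run_entries(keys):
    """List autostart values under any ...\\Run key as (key, name, path, tag)."""
    out = []
    for key, values in keys.items():
        if not key.endswith('\\run'):
            continue
        for name, raw in values.items():
            m = RUN_RE.match(raw)
            if m:
                out.append((key, name, m.group('path'), m.group('tag')))
    return out


def weak_settings(keys):
    """Return the explanations from POLICY_CHECKS whose bad value is present."""
    findings = []
    for suffix, name, bad, why in POLICY_CHECKS:
        for key, values in keys.items():
            if key.endswith(suffix) and name in values:
                if reg_int(values[name]) == bad:
                    findings.append(why)
    return findings


if __name__ == '__main__':
    parsed = parse_reg_section(SAMPLE_LOG)
    for key, name, path, tag in run_entries(parsed):
        print(f'{name:20} {path}  [{tag}]')
    for finding in weak_settings(parsed):
        print('FINDING:', finding)
```

Run against the full log rather than the sample, the same two findings come out, plus every Run entry from both hives, which is a quicker way to review a posted log than reading the section by hand.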

1.1K Posts

August 10th, 2011 13:00

Due to unforeseen circumstances I will be away from this Forum for approximately two weeks. If another helper wishes to take over your log please follow their instructions.

If you receive no responses within 48 hours of this reply please start a new thread. In your new thread list your current issues and also give a link to this thread so any new helper can see what has been done.

Apologies,

Kevin

20 Posts

August 22nd, 2011 02:00

hi kevin

i've been away too so i'm hoping all's well with you and you are back online.

my files are back and there seem to be no viruses but there are small bugs. all my desktop icons are still underlined. i can't select many files at once (to download photos for example) and in my accessories/system tools, all have disappeared: no defrag, no cleanup, no info. also, i still have all the logs and programs you had me download. what next?
