
Thread: Unable to delete Win32.Autorun.tmp

  1. #1
    Junior Member
    Join Date
    Sep 2010
    Posts
    8

    Default Unable to delete Win32.Autorun.tmp

    Hi,

    I have recently observed abnormal behaviour on my PC and, after performing a SpyBot scan, found that Win32.Autorun.tmp is on it. As is probably usual in my situation, I have run SpyBot several times in an attempt to eliminate it, but without results. I have tried to follow the procedure described on this forum, but have not found the file 5kstzaw.exe.

    As a last attempt (before formatting the OS partition), I put my DDS log below. Thanks in advance to any of you who find time to take a look at this problem.

    P.S. I have a French version of Windows, but have not found an equivalent forum in French. It should not be a problem when reading the DDS file, but if you think I should go to a more appropriate forum, please point me to one.

    P.P.S. As advised on certain forums, I have tried to perform a scan with GMER, but the virus was either completely slowing down the system or generating an error followed by an exit from the OS (a blue screen for a second, followed by shutdown).

    Thanks again

    -------------------------------------------------------------------------
    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Artem at 15:38:04,06 on lun. 13/09/2010
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
    Microsoft Windows XP Professionnel 5.1.2600.3.1252.33.1036.18.2047.1372 [GMT 2:00]

    AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
    FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Fichiers communs\LightScribe\LSSrvc.exe
    C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\mfevtps.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\wbem\wmiapsrv.exe
    C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe
    C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    C:\WINDOWS\ATK0100\HControl.exe
    C:\Program Files\TOSHIBA\TOSHIBA e-STUDIO Client\GLDocMon.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
    C:\WINDOWS\ATK0100\ATKOSD.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
    C:\Program Files\McAfee\Common Framework\UdaterUI.exe
    C:\Program Files\McAfee\Common Framework\McTray.exe
    C:\Documents and Settings\Artem\Bureau\dds.scr

    ============== Pseudo HJT Report ===============

    uWindow Title =
    mWinlogon: Taskman=c:\documents and settings\artem\application data\sjlp.exe
    uWinlogon: Shell=explorer.exe,c:\documents and settings\artem\application data\sjlp.exe
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\fichiers communs\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptsn.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
    TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [ToshibaGLDocMon] "c:\program files\toshiba\toshiba e-studio client\GLDocMon.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\fichiers communs\java\java update\jusched.exe"
    mRun: [SMSERIAL] c:\program files\motorola\smserial\sm56hlpr.exe
    mRun: [SkyTel] SkyTel.EXE
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [NeroFilterCheck] c:\program files\fichiers communs\ahead\lib\NeroCheck.exe
    mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
    mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
    mRun: [HControl] c:\windows\atk0100\HControl.exe
    mRun: [Alcmtr] ALCMTR.EXE
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\fichiers communs\adobe\arm\1.0\AdobeARM.exe"
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    StartupFolder: c:\docume~1\artem\menudm~1\progra~1\dmarra~1\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
    StartupFolder: c:\docume~1\artem\menudm~1\progra~1\dmarra~1\skype.lnk - c:\windows\installer\{d103c4ba-f905-437a-8049-db24763bbe36}\SkypeIcon.exe
    StartupFolder: c:\docume~1\alluse~1.win\menudm~1\progra~1\dmarra~1\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng1.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1222447142812
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    TCP: {DC6EA748-82AF-4331-A1EE-0B19E2A69E1A} = 164.15.59.200
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    Hosts: 127.0.0.1 www.spywareinfo.com

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\artem\applic~1\mozilla\firefox\profiles\mniywwju.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://wwwdev.ulb.ac.be/webmail2/webmail2.php
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&type=971163&p=
    FF - component: c:\program files\mozilla firefox\components\Scriptff.dll
    FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

    ============= SERVICES / DRIVERS ===============

    R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-1-4 343920]
    R2 McAfeeEngineService;McAfee Engine Service;c:\program files\mcafee\virusscan enterprise\EngineServer.exe [2010-1-6 22816]
    R2 McAfeeFramework;Service McAfee Framework;c:\program files\mcafee\common framework\FrameworkService.exe [2009-9-22 103744]
    R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2010-1-6 147472]
    R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2010-1-6 66896]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2010-4-19 70728]
    R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-1-4 91832]
    R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-1-4 43288]
    R3 SynMini;Syntek USB2.0 2M WebCam;c:\windows\system32\drivers\SynMini.sys [2008-9-26 1208064]
    R3 SynScan;Syntek USB2.0 2M WebCam Still Image;c:\windows\system32\drivers\SynScan.sys [2008-9-26 8064]
    S1 mferkdk;VSCore mferkdk;\??\c:\program files\mcafee\virusscan enterprise\mferkdk.sys --> c:\program files\mcafee\virusscan enterprise\mferkdk.sys [?]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-9-11 38224]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-4-19 66600]

    =============== Created Last 30 ================

    2010-09-12 21:18:31 0 d-----w- c:\windows\pss
    2010-09-11 19:37:39 0 d-sha-r- C:\Autorun.inf
    2010-09-11 18:49:16 0 d-----w- c:\docume~1\artem\applic~1\Malwarebytes
    2010-09-11 18:49:08 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-09-11 18:49:06 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
    2010-09-11 18:49:02 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-09-11 18:49:01 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-09-11 17:35:22 744 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
    2010-09-11 17:11:34 2941 ----a-w- C:\UsbFix_Upload_Me_ULB-614A9323631.zip
    2010-09-11 15:59:05 32768 ---ha-w- C:\SZKGFS.dat
    2010-09-11 15:54:15 0 d-----w- C:\UsbFix
    2010-09-11 15:53:54 0 d-----w- c:\docume~1\alluse~1.win\applic~1\SITEguard
    2010-09-11 15:52:47 0 d-----w- c:\program files\fichiers communs\iS3
    2010-09-11 15:52:46 0 d-----w- c:\docume~1\alluse~1.win\applic~1\STOPzilla!
    2010-09-10 01:47:23 0 d-----w- c:\program files\GnuChess
    2010-09-01 13:00:45 91136 --sh--r- c:\docume~1\artem\applic~1\sjlp.exe

    ==================== Find3M ====================

    2010-09-10 01:34:19 49898 ----a-w- c:\windows\system32\perfc00C.dat
    2010-09-10 01:34:19 371218 ----a-w- c:\windows\system32\perfh00C.dat
    2010-07-17 03:00:04 423656 ----a-w- c:\windows\system32\deployJava1.dll
    2010-06-30 12:32:14 149504 ----a-w- c:\windows\system32\schannel.dll
    2010-06-24 12:25:24 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-06-24 09:02:32 1852032 ----a-w- c:\windows\system32\win32k.sys
    2010-06-17 14:03:10 80384 ----a-w- c:\windows\system32\iccvid.dll
    2006-06-23 06:48:54 32768 ----a-r- c:\windows\inf\UpdateUSB.exe
    2009-09-04 07:30:47 16384 --sha-w- c:\windows\temp\cookies\index.dat
    2009-09-04 07:30:47 32768 --sha-w- c:\windows\temp\fichiers internet temporaires\content.ie5\index.dat
    2009-09-04 07:30:47 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat

    ============= FINISH: 15:39:24,78 ===============

  2. #2
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Please read Before You Post
    While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

    Download TFC to your desktop
    • Close any open windows.
    • Double click the TFC icon to run the program.
    • TFC will close all open programs itself in order to run.
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish its job.
    • Once it is finished it should automatically reboot your machine;
    • if it doesn't, manually reboot to ensure a complete clean.

    Please download Malwarebytes from Here or Here

    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform quick scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected .
    • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
    • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
    Post the report please
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  3. #3
    Junior Member
    Join Date
    Sep 2010
    Posts
    8

    Post

    Hi ken545,

    First of all, thanks a lot for your reply. I have followed your instructions and got the following log from Malwarebytes:

    ---------------------------------------------------------------------------

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4628

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    16/09/2010 15:31:54
    mbam-log-2010-09-16 (15-31-54).txt

    Scan type: Quick scan
    Objects scanned: 148149
    Time elapsed: 8 minute(s), 33 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 2
    Registry Data Items Infected: 2
    Folders Infected: 0
    Files Infected: 2

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell (Worm.Palevo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman (Worm.Palevo) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Documents and Settings\Artem\Application Data\sjlp.exe (Worm.Palevo) -> Delete on reboot.
    C:\Documents and Settings\Administrateur\Application Data\sjlp.exe (Worm.Palevo) -> Quarantined and deleted successfully.
    -------------------------------------------------------------------------
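
The DDS "Pseudo HJT Report" in the first post and the Malwarebytes result above point at the same persistence mechanism: the Winlogon Shell and Taskman values redirected to sjlp.exe under the user's Application Data, with the dropper itself carrying system+hidden attributes. The Python below is an added example for this thread, not code from DDS, Malwarebytes or the forum; it parses DDS-style log lines and flags that pattern, together with hidden or system executables, objects sitting directly at a drive root, Autorun.inf entries from the "Created Last 30" section, and Hosts overrides. The rule names, heuristics and function names are this example's own choices, and the sample input is constructed from lines condensed out of the log in this thread.

```python
"""Triage DDS-style log lines for Winlogon hijacks and hidden droppers.

Added example for this thread, not code from DDS, Malwarebytes or the forum.
The rule names, thresholds and function names are this example's own choices.
"""
import re

# On a default XP install Winlogon\Shell is exactly "explorer.exe" and the
# Taskman value does not exist; the Malwarebytes log above shows Worm.Palevo
# setting both to its dropper.
EXPECTED_SHELL = "explorer.exe"

# DDS prefixes the registry hive with m (HKLM), u (HKCU) or d (Default user).
WINLOGON_RE = re.compile(r"^[mud]Winlogon:\s*(?P<name>\w+)=(?P<value>.*)$", re.I)
# "Created Last 30" / "Find3M" rows: date time size attrflags path
FILE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<size>\d+)\s+(?P<attr>[-dshawr]{8})\s+(?P<path>.+)$", re.I)
# Hosts: lines as DDS prints them; flag them all and let the analyst decide.
HOSTS_RE = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)$", re.I)

EXEC_SUFFIXES = (".exe", ".dll", ".scr", ".sys")
ROOT_OBJECT_RE = re.compile(r"^[a-z]:\\[^\\]+$")


def check_winlogon(line):
    """Flag Shell values that are not plain explorer.exe and any Taskman value."""
    m = WINLOGON_RE.match(line.strip())
    if not m:
        return None
    name, value = m.group("name").lower(), m.group("value").strip()
    if name == "shell" and value.lower() != EXPECTED_SHELL:
        # Malware keeps Explorer working by appending itself: "explorer.exe,<dropper>"
        return ("winlogon-shell", value)
    if name == "taskman":
        return ("winlogon-taskman", value)
    return None


def check_file_entry(line):
    """Flag autorun.inf objects, and hidden/system executables or drive-root objects."""
    m = FILE_RE.match(line.strip())
    if not m:
        return None
    attr, path = m.group("attr").lower(), m.group("path").strip()
    lower = path.lower()
    if lower.rsplit("\\", 1)[-1] == "autorun.inf":
        # A d-sha-r- Autorun.inf *folder* at a drive root is also the shape of a
        # deliberate USB "vaccination", so this is a review item, not a verdict.
        return ("autorun-inf", path)
    hidden_or_system = "h" in attr or "s" in attr
    if hidden_or_system and (lower.endswith(EXEC_SUFFIXES) or ROOT_OBJECT_RE.match(lower)):
        return ("hidden-object", path)
    return None


def check_hosts(line):
    """Flag every Hosts entry; a security site pinned to 127.0.0.1 is a classic AV block."""
    m = HOSTS_RE.match(line.strip())
    if not m:
        return None
    return ("hosts-override", f"{m.group('ip')} {m.group('host')}")


CHECKS = (check_winlogon, check_file_entry, check_hosts)


def triage(log_text):
    """Return (rule, detail) tuples in log order; a line matches at most one rule."""
    findings = []
    for line in log_text.splitlines():
        for check in CHECKS:
            hit = check(line)
            if hit:
                findings.append(hit)
                break
    return findings


# Constructed sample: a handful of lines condensed from the DDS log in this thread.
SAMPLE_LOG = r"""
uWindow Title =
mWinlogon: Taskman=c:\documents and settings\artem\application data\sjlp.exe
uWinlogon: Shell=explorer.exe,c:\documents and settings\artem\application data\sjlp.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
Hosts: 127.0.0.1 www.spywareinfo.com
2010-09-11 19:37:39 0 d-sha-r- C:\Autorun.inf
2010-09-11 15:59:05 32768 ---ha-w- C:\SZKGFS.dat
2010-09-01 13:00:45 91136 --sh--r- c:\docume~1\artem\applic~1\sjlp.exe
2010-09-11 18:49:08 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-04 07:30:47 16384 --sha-w- c:\windows\temp\cookies\index.dat
"""

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"{rule:17} {detail}")
```

Run against the sample, the two Winlogon lines, the Hosts override, the root Autorun.inf, the hidden root SZKGFS.dat and the system+hidden sjlp.exe are reported, while the plain mbamswissarmy.sys driver and the stock IE index.dat (hidden, but neither executable nor at a drive root) are not. The point of the Shell rule is that the value is not emptied but extended, so Explorer keeps starting and the user sees nothing wrong.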

  4. #4
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Great, let's check a bit deeper.

    • Download OTL to your desktop.
    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • When the window appears, underneath Output at the top change it to Minimal Output.
    • Check the boxes beside LOP Check and Purity Check.
    • Under the Custom Scan box paste this in
      Code:
      
      netsvcs
      %SYSTEMDRIVE%\*.exe
      /md5start
      eventlog.dll
      scecli.dll
      netlogon.dll
      cngaudit.dll
      sceclt.dll
      ntelogon.dll
      logevent.dll
      iaStor.sys
      nvstor.sys
      atapi.sys
      IdeChnDr.sys
      viasraid.sys
      AGP440.sys
      vaxscsi.sys
      nvatabus.sys
      viamraid.sys
      nvata.sys
      nvgts.sys
      iastorv.sys
      ViPrt.sys
      eNetHook.dll
      ahcix86.sys
      KR10N.sys
      nvstor32.sys
      ahcix86s.sys
      nvrd32.sys
      symmpi.sys
      adp3132.sys
      mv61xx.sys
      /md5stop
      %systemroot%\*. /mp /s
      %systemroot%\system32\*.dll /lockedfiles
      %systemroot%\Tasks\*.job /lockedfiles
      %systemroot%\system32\drivers\*.sys /lockedfiles
      %systemroot%\System32\config\*.sav 
      
    • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
      • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
        Note: These logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.
      • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them both in.

  5. #5
    Junior Member
    Join Date
    Sep 2010
    Posts
    8

    Default

    Hi ken545,

    thanks for a quick reply and for your suggestions. Please find the logs of OTL below. Just to mention that SpyBot no longer detects win32.Autorun.tmp and that its apparent activity (browser page redirection, connections to unknown ip addresses, etc.) has decreased, if not disappeared.

    Here is the OTL.txt file; the Extra.txt will follow.

    Thanks again for your time.
    --------------------------------------------------------------------------
    OTL logfile created on: 16/09/2010 17:20:15 - Run 1
    OTL by OldTimer - Version 3.2.12.1 Folder = C:\Documents and Settings\Artem\Bureau
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 0000080C | Country: Belgique | Language: FRB | Date Format: d/MM/yyyy

    2,00 Gb Total Physical Memory | 1,00 Gb Available Physical Memory | 66,00% Memory free
    4,00 Gb Paging File | 3,00 Gb Available in Paging File | 87,00% Paging File free
    Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 24,50 Gb Total Space | 5,33 Gb Free Space | 21,74% Space Free | Partition Type: NTFS
    Drive D: | 9,77 Gb Total Space | 1,44 Gb Free Space | 14,79% Space Free | Partition Type: NTFS
    E: Drive not present or media not loaded
    F: Drive not present or media not loaded
    G: Drive not present or media not loaded
    H: Drive not present or media not loaded
    I: Drive not present or media not loaded

    Computer Name: ULB-614A9323631
    Current User Name: Artem
    Logged in as Administrator.

    Current Boot Mode: Normal
    Scan Mode: Current user
    Company Name Whitelist: Off
    Skip Microsoft Files: Off
    File Age = 30 Days
    Output = Minimal

    ========== Processes (SafeList) ==========

    PRC - C:\Documents and Settings\Artem\Bureau\OTL.exe (OldTimer Tools)
    PRC - C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)
    PRC - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe (McAfee, Inc.)
    PRC - C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe (McAfee, Inc.)
    PRC - C:\WINDOWS\system32\mfevtps.exe (McAfee, Inc.)
    PRC - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe (McAfee, Inc.)
    PRC - C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe (McAfee, Inc.)
    PRC - C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe (McAfee, Inc.)
    PRC - C:\Program Files\McAfee\Common Framework\naPrdMgr.exe (McAfee, Inc.)
    PRC - C:\Program Files\McAfee\Common Framework\UdaterUI.exe (McAfee, Inc.)
    PRC - C:\Program Files\McAfee\Common Framework\FrameworkService.exe (McAfee, Inc.)
    PRC - C:\Program Files\McAfee\Common Framework\McTray.exe (McAfee, Inc.)
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    PRC - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe (Intel Corporation)
    PRC - C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe (Intel Corporation)
    PRC - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe (Intel Corporation )
    PRC - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe (Intel Corporation)
    PRC - C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe (Motorola Inc.)
    PRC - C:\Program Files\Fichiers communs\LightScribe\LSSrvc.exe (Hewlett-Packard Company)
    PRC - C:\WINDOWS\ATK0100\HControl.exe ()
    PRC - C:\WINDOWS\ATK0100\ATKOSD.exe ()
    PRC - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe (TOSHIBA CORPORATION.)
    PRC - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtProc.exe (TOSHIBA CORPORATION.)
    PRC - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe (TOSHIBA CORPORATION.)
    PRC - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosOBEX.exe (TOSHIBA CORPORATION.)
    PRC - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe (TOSHIBA CORPORATION.)
    PRC - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe (TOSHIBA CORPORATION.)
    PRC - C:\Program Files\Toshiba\TOSHIBA e-STUDIO Client\GLDocMon.exe ()
    PRC - C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE (Microsoft Corporation)


    ========== Modules (SafeList) ==========

    MOD - C:\Documents and Settings\Artem\Bureau\OTL.exe (OldTimer Tools)
    MOD - C:\WINDOWS\system32\msi.dll (Microsoft Corporation)
    MOD - C:\WINDOWS\system32\msscript.ocx (Microsoft Corporation)
    MOD - C:\Program Files\Fichiers communs\Microsoft Shared\INK\SKCHUI.DLL (Microsoft Corporation)


    ========== Win32 Services (SafeList) ==========

    SRV - (wampmysqld) -- c:\wamp\bin\mysql\mysql5.0.51b\bin\mysqld-nt.exe File not found
    SRV - (wampapache) -- c:\wamp\bin\apache\apache2.2.8\bin\httpd.exe File not found
    SRV - (McShield) -- C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe (McAfee, Inc.)
    SRV - (mfevtp) -- C:\WINDOWS\system32\mfevtps.exe (McAfee, Inc.)
    SRV - (McTaskManager) -- C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe (McAfee, Inc.)
    SRV - (McAfeeEngineService) -- C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe (McAfee, Inc.)
    SRV - (McAfeeFramework) -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe (McAfee, Inc.)
    SRV - (NMIndexingService) -- C:\Program Files\Fichiers communs\Ahead\Lib\NMIndexingService.exe (Nero AG)
    SRV - (EvtEng) Intel(R) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe (Intel Corporation)
    SRV - (S24EventMonitor) Intel(R) -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe (Intel Corporation )
    SRV - (RegSrvc) Intel(R) -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe (Intel Corporation)
    SRV - (LightScribeService) -- C:\Program Files\Fichiers communs\LightScribe\LSSrvc.exe (Hewlett-Packard Company)
    SRV - (ose) -- C:\Program Files\Fichiers communs\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)
    SRV - (MDM) -- C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE (Microsoft Corporation)


    ========== Driver Services (SafeList) ==========

    DRV - (mferkdk) -- C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys File not found
    DRV - (mfehidk) -- C:\WINDOWS\system32\drivers\mfehidk.sys (McAfee, Inc.)
    DRV - (mfeavfk) -- C:\WINDOWS\system32\drivers\mfeavfk.sys (McAfee, Inc.)
    DRV - (mfeapfk) -- C:\WINDOWS\system32\drivers\mfeapfk.sys (McAfee, Inc.)
    DRV - (mferkdet) -- C:\WINDOWS\system32\drivers\mferkdet.sys (McAfee, Inc.)
    DRV - (mfetdik) -- C:\WINDOWS\system32\drivers\mfetdik.sys (McAfee, Inc.)
    DRV - (mfebopk) -- C:\WINDOWS\system32\drivers\mfebopk.sys (McAfee, Inc.)
    DRV - (eeCtrl) -- C:\Program Files\Fichiers communs\Symantec Shared\EENGINE\eeCtrl.sys (Symantec Corporation)
    DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\hdaudbus.sys (Windows (R) Server 2003 DDK provider)
    DRV - (nv) -- C:\WINDOWS\system32\drivers\nv4_mini.sys (NVIDIA Corporation)
    DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)
    DRV - (NETw4x32) Pilote de carte Intel(R) -- C:\WINDOWS\system32\drivers\NETw4x32.sys (Intel Corporation)
    DRV - (s24trans) -- C:\WINDOWS\system32\drivers\s24trans.sys (Intel Corporation)
    DRV - (smserial) -- C:\WINDOWS\system32\drivers\smserial.sys (Motorola Inc.)
    DRV - (RTL8023xp) -- C:\WINDOWS\system32\drivers\Rtnicxp.sys (Realtek Semiconductor Corporation )
    DRV - (SynMini) -- C:\WINDOWS\system32\drivers\SynMini.sys ()
    DRV - (SynScan) -- C:\WINDOWS\system32\drivers\SynScan.sys ()
    DRV - (Tosrfbd) -- C:\WINDOWS\system32\drivers\tosrfbd.sys (TOSHIBA CORPORATION)
    DRV - (Tosrfusb) -- C:\WINDOWS\system32\drivers\tosrfusb.sys (TOSHIBA CORPORATION)
    DRV - (Tosrfhid) -- C:\WINDOWS\system32\drivers\tosrfhid.sys (TOSHIBA Corporation.)
    DRV - (tosporte) -- C:\WINDOWS\system32\drivers\tosporte.sys (TOSHIBA Corporation)
    DRV - (Tosrfbnp) -- C:\WINDOWS\system32\drivers\tosrfbnp.sys (TOSHIBA Corporation)
    DRV - (TosRfSnd) Bluetooth Audio Device (WDM) -- C:\WINDOWS\system32\drivers\tosrfsnd.sys (TOSHIBA Corporation)
    DRV - (rismxdp) -- C:\WINDOWS\system32\drivers\rixdptsk.sys (REDC)
    DRV - (rimmptsk) -- C:\WINDOWS\system32\drivers\rimmptsk.sys (REDC)
    DRV - (rimsptsk) -- C:\WINDOWS\system32\drivers\rimsptsk.sys (REDC)
    DRV - (Tosrfcom) -- C:\WINDOWS\system32\drivers\tosrfcom.sys (TOSHIBA Corporation)
    DRV - (toshidpt) -- C:\WINDOWS\system32\drivers\toshidpt.sys (TOSHIBA Corporation.)
    DRV - (MTsensor) -- C:\WINDOWS\system32\drivers\ATKACPI.sys ()
    DRV - (tosrfnds) -- C:\WINDOWS\system32\drivers\tosrfnds.sys (TOSHIBA Corporation.)
    DRV - (MODEMCSA) -- C:\WINDOWS\system32\drivers\MODEMCSA.sys (Microsoft Corporation)
    DRV - (PQNTDrv) -- C:\WINDOWS\System32\drivers\PQNTDRV.SYS ()


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://fr.msn.com/

    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://fr.msn.com/
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    ========== FireFox ==========

    FF - prefs.js..browser.search.defaultenginename: "Yahoo"
    FF - prefs.js..browser.search.param.yahoo-fr: "chr-greentree_ff&type=971163"
    FF - prefs.js..browser.search.selectedEngine: "Google"
    FF - prefs.js..browser.startup.homepage: "http://wwwdev.ulb.ac.be/webmail2/webmail2.php"
    FF - prefs.js..extensions.enabledItems: {dd3d7613-0246-469d-bc65-2a3cc1668adc}:0.7.1.1
    FF - prefs.js..extensions.enabledItems: en-GB@dictionaries.addons.mozilla.org:1.19
    FF - prefs.js..extensions.enabledItems: fr@dictionaries.addons.mozilla.org:3.5
    FF - prefs.js..extensions.enabledItems: {3d7eb24f-2740-49df-8937-200b1cc08f8a}:1.5.13
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
    FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
    FF - prefs.js..extensions.enabledItems: ru@dictionaries.addons.mozilla.org:0.4.4
    FF - prefs.js..extensions.enabledItems: uk-ua@dictionaries.addons.mozilla.org:1.6.0
    FF - prefs.js..extensions.enabledItems: nl-NL@dictionaries.addons.mozilla.org:2.2.0
    FF - prefs.js..keyword.URL: "http://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&type=971163&p="

    FF - HKLM\software\mozilla\Mozilla Firefox 3.5.12\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/09/11 22:31:14 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.5.12\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/09/15 11:47:11 | 000,000,000 | ---D | M]

    [2008/09/26 16:26:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Artem\Application Data\Mozilla\Extensions
    [2010/09/16 12:49:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Artem\Application Data\Mozilla\Firefox\Profiles\mniywwju.default\extensions
    [2009/10/15 14:03:11 | 000,000,000 | ---D | M] (PDF Download) -- C:\Documents and Settings\Artem\Application Data\Mozilla\Firefox\Profiles\mniywwju.default\extensions\{37E4D8EA-8BDA-4831-8EA1-89053939A250}
    [2010/03/17 17:29:39 | 000,000,000 | ---D | M] (Flashblock) -- C:\Documents and Settings\Artem\Application Data\Mozilla\Firefox\Profiles\mniywwju.default\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}
    [2010/09/11 22:57:33 | 000,000,000 | ---D | M] (BlockSite) -- C:\Documents and Settings\Artem\Application Data\Mozilla\Firefox\Profiles\mniywwju.default\extensions\{dd3d7613-0246-469d-bc65-2a3cc1668adc}
    [2008/09/28 15:48:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Artem\Application Data\Mozilla\Firefox\Profiles\mniywwju.default\extensions\en-GB@dictionaries.addons.mozilla.org
    [2010/02/07 11:06:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Artem\Application Data\Mozilla\Firefox\Profiles\mniywwju.default\extensions\fr@dictionaries.addons.mozilla.org
    [2009/08/28 21:14:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Artem\Application Data\Mozilla\Firefox\Profiles\mniywwju.default\extensions\LogMeInClient@logmein.com
    [2009/08/12 12:08:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Artem\Application Data\Mozilla\Firefox\Profiles\mniywwju.default\extensions\nl-NL@dictionaries.addons.mozilla.org
    [2010/09/16 12:49:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Artem\Application Data\Mozilla\Firefox\Profiles\mniywwju.default\extensions\ru@dictionaries.addons.mozilla.org
    [2009/08/20 12:30:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Artem\Application Data\Mozilla\Firefox\Profiles\mniywwju.default\extensions\uk-ua@dictionaries.addons.mozilla.org
    [2010/09/16 10:17:15 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
    [2010/07/12 13:05:59 | 000,000,000 | ---D | M] (Skype extension for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
    [2010/05/02 12:32:42 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    [2010/09/01 17:13:09 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    [2009/10/22 20:07:00 | 000,023,864 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Mozilla Firefox\components\Scriptff.dll
    [2010/07/17 05:00:04 | 000,423,656 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
    [2009/12/18 11:10:44 | 000,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
    [2009/12/18 11:10:44 | 000,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
    [2009/12/18 11:10:44 | 000,000,769 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
    [2009/12/18 11:10:45 | 000,000,831 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

    O1 HOSTS File: ([2010/09/16 15:59:19 | 000,419,461 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O1 - Hosts: 127.0.0.1 www.007guard.com
    O1 - Hosts: 127.0.0.1 007guard.com
    O1 - Hosts: 127.0.0.1 008i.com
    O1 - Hosts: 127.0.0.1 www.008k.com
    O1 - Hosts: 127.0.0.1 008k.com
    O1 - Hosts: 127.0.0.1 www.00hq.com
    O1 - Hosts: 127.0.0.1 00hq.com
    O1 - Hosts: 127.0.0.1 010402.com
    O1 - Hosts: 127.0.0.1 www.032439.com
    O1 - Hosts: 127.0.0.1 032439.com
    O1 - Hosts: 127.0.0.1 www.0scan.com
    O1 - Hosts: 127.0.0.1 0scan.com
    O1 - Hosts: 127.0.0.1 www.100888290cs.com
    O1 - Hosts: 127.0.0.1 100888290cs.com
    O1 - Hosts: 127.0.0.1 www.100sexlinks.com
    O1 - Hosts: 127.0.0.1 100sexlinks.com
    O1 - Hosts: 127.0.0.1 www.10sek.com
    O1 - Hosts: 127.0.0.1 10sek.com
    O1 - Hosts: 127.0.0.1 www.123topsearch.com
    O1 - Hosts: 127.0.0.1 123topsearch.com
    O1 - Hosts: 127.0.0.1 www.132.com
    O1 - Hosts: 127.0.0.1 132.com
    O1 - Hosts: 127.0.0.1 www.136136.net
    O1 - Hosts: 127.0.0.1 136136.net
    O1 - Hosts: 14474 more lines...
    O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
    O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
    O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptsn.dll (McAfee, Inc.)
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
    O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Fichiers communs\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
    O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
    O4 - HKLM..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe ()
    O4 - HKLM..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe (Intel Corporation)
    O4 - HKLM..\Run: [LanguageShortcut] C:\Program Files\CyberLink\PowerDVD\Language\Language.exe ()
    O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Fichiers communs\Ahead\Lib\NeroCheck.exe (Nero AG)
    O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
    O4 - HKLM..\Run: [SkyTel] C:\WINDOWS\SkyTel.exe (Realtek Semiconductor Corp.)
    O4 - HKLM..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe (Motorola Inc.)
    O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)
    O4 - HKCU..\Run: [ToshibaGLDocMon] C:\Program Files\TOSHIBA\TOSHIBA e-STUDIO Client\GLDocMon.exe ()
    O4 - Startup: C:\Documents and Settings\All Users.WINDOWS\Menu Démarrer\Programmes\Démarrage\Bluetooth Manager.lnk = C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe ()
    O4 - Startup: C:\Documents and Settings\Artem\Menu Démarrer\Programmes\Démarrage\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
    O4 - Startup: C:\Documents and Settings\Artem\Menu Démarrer\Programmes\Démarrage\Skype.lnk = C:\WINDOWS\Installer\{D103C4BA-F905-437A-8049-DB24763BBE36}\SkypeIcon.exe ()
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 3
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 0
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\control panel present
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\restrictions present
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 0
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 3
    O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
    O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} https://www-secure.symantec.com/tech...bs/tgctlsr.cab (Symantec Script Runner Class)
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/wind...?1222447142812 (WUWebControl Class)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_21)
    O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_21)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_21)
    O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} Reg Error: Value error. (Reg Error: Key error.)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/ge...sh/swflash.cab (Shockwave Flash Object)
    O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Fichiers communs\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
    O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Fichiers communs\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
    O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Fichiers communs\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
    O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Fichiers communs\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
    O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Fichiers communs\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
    O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Fichiers communs\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
    O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Fichiers communs\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
    O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Fichiers communs\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)
    O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Fichiers communs\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
    O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Fichiers communs\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
    O18 - Protocol\Filter\text/xml {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Fichiers communs\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O24 - Desktop Components:0 (Ma page d'accueil) - About:Home
    O24 - Desktop WallPaper: C:\Documents and Settings\Artem\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O24 - Desktop BackupWallPaper: C:\Documents and Settings\Artem\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2008/09/26 14:44:30 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O32 - AutoRun File - [2010/09/11 21:37:39 | 000,000,000 | RHSD | M] - C:\Autorun.inf -- [ NTFS ]
    O32 - AutoRun File - [2010/09/11 21:37:39 | 000,000,000 | RHSD | M] - D:\Autorun.inf -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*
    O37 - HKCU\...exe [@ = exefile] -- Reg Error: Key error. File not found

    NetSvcs: 6to4 - File not found
    NetSvcs: Ias - File not found
    NetSvcs: Iprip - File not found
    NetSvcs: Irmon - File not found
    NetSvcs: NWCWorkstation - File not found
    NetSvcs: Nwsapagent - File not found
    NetSvcs: WmdmPmSp - File not found

    ========== Files/Folders - Created Within 30 Days ==========

    [2010/09/16 17:14:06 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Artem\Bureau\OTL.exe
    [2010/09/16 15:20:56 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
    [2010/09/16 15:20:50 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
    [2010/09/16 15:19:46 | 006,153,352 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Artem\Bureau\mbam-setup-1.46.exe
    [2010/09/16 14:38:58 | 000,446,464 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Artem\Bureau\TFC.exe
    [2010/09/16 14:14:13 | 000,000,000 | -HSD | C] -- C:\Config.Msi
    [2010/09/15 13:32:28 | 000,000,000 | ---D | C] -- C:\Program Files\MiKTeX 2.7
    [2010/09/13 15:04:11 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
    [2010/09/13 14:51:29 | 000,000,000 | ---D | C] -- C:\ERDNT
    [2010/09/13 14:50:21 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
    [2010/09/12 23:18:31 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
    [2010/09/12 12:32:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Artem\Bureau\PAPARS
    [2010/09/11 22:28:51 | 000,000,000 | ---D | C] -- C:\WINDOWS\CSC
    [2010/09/11 21:37:39 | 000,000,000 | RHSD | C] -- C:\Autorun.inf
    [2010/09/11 20:49:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Artem\Application Data\Malwarebytes
    [2010/09/11 20:49:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
    [2010/09/11 20:49:01 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2010/09/11 17:54:15 | 000,000,000 | ---D | C] -- C:\UsbFix
    [2010/09/11 17:54:01 | 001,211,906 | ---- | C] (C_XX & El Desaparecido) -- C:\Documents and Settings\Artem\Bureau\UsbFix.exe
    [2010/09/11 17:53:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\SITEguard
    [2010/09/11 17:52:47 | 000,000,000 | ---D | C] -- C:\Program Files\Fichiers communs\iS3
    [2010/09/11 17:52:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\STOPzilla!
    [2010/09/10 03:53:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Artem\Bureau\Caniiso
    [2010/09/10 03:47:23 | 000,000,000 | ---D | C] -- C:\Program Files\GnuChess
    [2010/09/04 17:51:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Artem\Bureau\tempo
    [2010/09/01 17:13:06 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
    [2010/09/01 17:13:06 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
    [2010/09/01 17:13:06 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe

    ========== Files - Modified Within 30 Days ==========

    [2010/09/16 17:15:59 | 000,000,432 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{D7B34122-7D38-4DB9-BA5B-FA6966AD0A11}.job
    [2010/09/16 17:14:18 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Artem\Bureau\OTL.exe
    [2010/09/16 15:59:19 | 000,419,461 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
    [2010/09/16 15:34:50 | 000,002,277 | ---- | M] () -- C:\Documents and Settings\Artem\Menu Démarrer\Programmes\Démarrage\Skype.lnk
    [2010/09/16 15:34:40 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2010/09/16 15:34:13 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
    [2010/09/16 15:34:11 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2010/09/16 15:33:10 | 013,631,488 | -H-- | M] () -- C:\Documents and Settings\Artem\NTUSER.DAT
    [2010/09/16 15:20:59 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Bureau\Malwarebytes' Anti-Malware.lnk
    [2010/09/16 15:19:48 | 006,153,352 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Artem\Bureau\mbam-setup-1.46.exe
    [2010/09/16 14:40:36 | 000,000,600 | ---- | M] () -- C:\Documents and Settings\Artem\Application Data\winscp.rnd
    [2010/09/16 14:38:58 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Artem\Bureau\TFC.exe
    [2010/09/16 14:17:29 | 000,267,008 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2010/09/16 12:04:15 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
    [2010/09/15 23:33:53 | 000,000,120 | ---- | M] () -- C:\WINDOWS\rcwin.ini
    [2010/09/15 20:27:48 | 000,000,364 | ---- | M] () -- C:\WINDOWS\win.ini
    [2010/09/14 19:42:59 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\Artem\Bureau\dds.scr
    [2010/09/14 19:25:02 | 000,419,283 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100916-155919.backup
    [2010/09/14 18:26:47 | 000,000,284 | -HS- | M] () -- C:\Documents and Settings\Artem\ntuser.ini
    [2010/09/14 17:59:48 | 000,000,212 | -HS- | M] () -- C:\boot.ini
    [2010/09/14 17:59:47 | 000,000,000 | ---- | M] () -- C:\WINDOWS\system.ini
    [2010/09/14 10:10:40 | 000,070,488 | ---- | M] () -- C:\Documents and Settings\Artem\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    [2010/09/14 09:57:18 | 000,001,320 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Bureau\Cygwin.lnk
    [2010/09/13 15:41:33 | 000,002,912 | ---- | M] () -- C:\Documents and Settings\Artem\Bureau\Attach.zip
    [2010/09/13 14:50:26 | 000,000,767 | ---- | M] () -- C:\Documents and Settings\Artem\Menu Démarrer\Programmes\Démarrage\ERUNT AutoBackup.lnk
    [2010/09/13 14:50:23 | 000,000,610 | ---- | M] () -- C:\Documents and Settings\Artem\Application Data\Microsoft\Internet Explorer\Quick Launch\ERUNT.lnk
    [2010/09/13 14:50:23 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\Artem\Bureau\ERUNT.lnk
    [2010/09/12 13:40:46 | 000,419,283 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100914-192502.backup
    [2010/09/12 13:32:52 | 000,419,283 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100912-134046.backup
    [2010/09/12 12:48:44 | 000,419,283 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100912-133252.backup
    [2010/09/11 21:37:39 | 000,002,941 | ---- | M] () -- C:\UsbFix_Upload_Me_ULB-614A9323631.zip
    [2010/09/11 19:35:39 | 000,000,744 | ---- | M] () -- C:\WINDOWS\System32\drivers\kgpcpy.cfg
    [2010/09/11 19:19:22 | 000,000,796 | ---- | M] () -- C:\WINDOWS\gnuchess.ini
    [2010/09/11 17:59:36 | 000,418,771 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100912-124843.backup
    [2010/09/11 17:59:05 | 000,032,768 | -H-- | M] () -- C:\SZKGFS.dat
    [2010/09/11 17:54:09 | 001,211,906 | ---- | M] (C_XX & El Desaparecido) -- C:\Documents and Settings\Artem\Bureau\UsbFix.exe
    [2010/09/10 05:10:06 | 000,011,374 | ---- | M] () -- C:\Documents and Settings\Artem\gsview32.ini
    [2010/09/10 03:48:06 | 000,000,622 | ---- | M] () -- C:\Documents and Settings\Artem\Bureau\GNUCHESS.EXE.lnk
    [2010/09/10 03:34:19 | 000,782,488 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
    [2010/09/10 03:34:19 | 000,371,218 | ---- | M] () -- C:\WINDOWS\System32\perfh00C.dat
    [2010/09/10 03:34:19 | 000,314,842 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2010/09/10 03:34:19 | 000,049,898 | ---- | M] () -- C:\WINDOWS\System32\perfc00C.dat
    [2010/09/10 03:34:19 | 000,041,170 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
    [2010/09/05 15:40:41 | 000,417,012 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100911-170209.backup
    [2010/09/04 22:59:57 | 000,000,754 | ---- | M] () -- C:\WINDOWS\WORDPAD.INI
    [2010/09/01 23:42:02 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2010/08/28 22:43:07 | 001,172,672 | ---- | M] () -- C:\Documents and Settings\Artem\Bureau\SPARSKIT2.tar.gz
    [2010/08/27 10:48:22 | 000,058,368 | ---- | M] () -- C:\Documents and Settings\Artem\Bureau\12.5.10.doc
    [2010/08/25 20:01:46 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Bureau\Adobe Reader 9.lnk
    [2010/08/25 13:39:18 | 000,066,450 | ---- | M] () -- C:\Documents and Settings\Artem\Mes documents\dnew.f90
    [2010/08/25 13:39:14 | 000,071,301 | ---- | M] () -- C:\Documents and Settings\Artem\Mes documents\dagmg.f90
    [2010/08/24 16:06:42 | 000,046,814 | ---- | M] () -- C:\Documents and Settings\Artem\Bureau\inter_element.cc.htm
    [2010/08/23 10:55:11 | 000,000,642 | -H-- | M] () -- C:\Documents and Settings\Artem\Mes documents\SWWATER.INI

    ========== Files Created - No Company Name ==========

    [2010/09/16 15:20:59 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Bureau\Malwarebytes' Anti-Malware.lnk
    [2010/09/14 19:42:35 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\Artem\Bureau\dds.scr
    [2010/09/14 17:59:56 | 000,002,277 | ---- | C] () -- C:\Documents and Settings\Artem\Menu Démarrer\Programmes\Démarrage\Skype.lnk
    [2010/09/14 17:59:56 | 000,000,767 | ---- | C] () -- C:\Documents and Settings\Artem\Menu Démarrer\Programmes\Démarrage\ERUNT AutoBackup.lnk
    [2010/09/14 17:59:56 | 000,000,719 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Menu Démarrer\Programmes\Démarrage\Bluetooth Manager.lnk
    [2010/09/13 15:41:33 | 000,002,912 | ---- | C] () -- C:\Documents and Settings\Artem\Bureau\Attach.zip
    [2010/09/13 14:50:23 | 000,000,610 | ---- | C] () -- C:\Documents and Settings\Artem\Application Data\Microsoft\Internet Explorer\Quick Launch\ERUNT.lnk
    [2010/09/13 14:50:23 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\Artem\Bureau\ERUNT.lnk
    [2010/09/11 23:26:56 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Artem\Bureau\prof.exe
    [2010/09/11 19:35:22 | 000,000,744 | ---- | C] () -- C:\WINDOWS\System32\drivers\kgpcpy.cfg
    [2010/09/11 19:11:34 | 000,002,941 | ---- | C] () -- C:\UsbFix_Upload_Me_ULB-614A9323631.zip
    [2010/09/11 17:59:05 | 000,032,768 | -H-- | C] () -- C:\SZKGFS.dat
    [2010/09/10 03:48:06 | 000,000,622 | ---- | C] () -- C:\Documents and Settings\Artem\Bureau\GNUCHESS.EXE.lnk
    [2010/08/28 22:43:01 | 001,172,672 | ---- | C] () -- C:\Documents and Settings\Artem\Bureau\SPARSKIT2.tar.gz
    [2010/08/26 22:15:14 | 000,058,368 | ---- | C] () -- C:\Documents and Settings\Artem\Bureau\12.5.10.doc
    [2010/08/25 13:39:17 | 000,066,450 | ---- | C] () -- C:\Documents and Settings\Artem\Mes documents\dnew.f90
    [2010/08/25 13:39:13 | 000,071,301 | ---- | C] () -- C:\Documents and Settings\Artem\Mes documents\dagmg.f90
    [2010/08/24 16:06:41 | 000,046,814 | ---- | C] () -- C:\Documents and Settings\Artem\Bureau\inter_element.cc.htm
    [2010/08/23 10:55:11 | 000,000,642 | -H-- | C] () -- C:\Documents and Settings\Artem\Mes documents\SWWATER.INI
    [2010/03/31 14:01:12 | 000,116,224 | ---- | C] () -- C:\WINDOWS\System32\pdfcmnnt.dll
    [2010/03/28 14:37:40 | 000,246,784 | ---- | C] () -- C:\WINDOWS\System32\sqlite3.dll
    [2010/03/08 23:00:29 | 000,000,186 | ---- | C] () -- C:\WINDOWS\WinCom.INI
    [2009/09/08 14:54:25 | 000,540,776 | ---- | C] () -- C:\WINDOWS\ES1mi.dll
    [2009/09/08 14:54:25 | 000,503,908 | ---- | C] () -- C:\WINDOWS\ES1Disc.dll
    [2009/09/08 14:54:25 | 000,376,832 | ---- | C] () -- C:\WINDOWS\ES1Snmpp.dll
    [2009/09/08 14:54:25 | 000,204,800 | ---- | C] () -- C:\WINDOWS\eSDMLD.dll
    [2009/09/08 14:54:15 | 000,274,432 | ---- | C] () -- C:\WINDOWS\System32\eSTsnmp.dll
    [2009/09/08 14:54:15 | 000,274,432 | ---- | C] () -- C:\WINDOWS\eSTsnmp.dll
    [2009/09/08 14:54:05 | 000,016,597 | ---- | C] () -- C:\WINDOWS\RIO1_40c.ini
    [2009/08/28 15:03:20 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\Artem\Application Data\winscp.rnd
    [2009/08/15 13:05:47 | 000,176,235 | ---- | C] () -- C:\WINDOWS\System32\Primomonnt.dll
    [2009/07/08 23:45:07 | 000,037,376 | ---- | C] () -- C:\Documents and Settings\Artem\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2009/06/19 10:51:29 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\Artem\Application Data\PUTTY.RND
    [2009/04/27 06:13:36 | 000,000,314 | ---- | C] () -- C:\WINDOWS\primopdf.ini
    [2009/04/14 19:03:18 | 000,000,071 | ---- | C] () -- C:\WINDOWS\sex-oneclick-repertoire.ini
    [2009/02/26 22:56:16 | 000,000,028 | ---- | C] () -- C:\WINDOWS\album.ini
    [2009/02/26 22:56:16 | 000,000,021 | ---- | C] () -- C:\WINDOWS\Ps_setup.ini
    [2008/12/12 12:38:46 | 000,000,072 | ---- | C] () -- C:\WINDOWS\MSYS.INI
    [2008/12/03 16:18:29 | 000,000,796 | ---- | C] () -- C:\WINDOWS\gnuchess.ini
    [2008/11/07 11:26:54 | 000,003,252 | ---- | C] () -- C:\WINDOWS\System32\drivers\PQNTDRV.SYS
    [2008/10/31 14:19:14 | 000,000,043 | ---- | C] () -- C:\WINDOWS\gswin32.ini
    [2008/10/15 23:38:02 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
    [2008/10/10 23:49:54 | 000,233,525 | ---- | C] () -- C:\WINDOWS\System32\isutil.dll
    [2008/10/10 23:49:53 | 000,000,271 | ---- | C] () -- C:\WINDOWS\apptune.ini
    [2008/10/07 12:00:18 | 000,000,120 | ---- | C] () -- C:\WINDOWS\rcwin.ini
    [2008/10/05 20:48:06 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
    [2008/09/27 23:44:38 | 000,058,880 | ---- | C] () -- C:\Documents and Settings\Artem\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2008/09/26 20:06:55 | 000,007,168 | ---- | C] () -- C:\WINDOWS\System32\Dtctrace.dll
    [2008/09/26 19:06:56 | 000,000,379 | ---- | C] () -- C:\WINDOWS\ODBC.INI
    [2008/09/26 16:03:54 | 000,028,143 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
    [2008/09/26 15:51:43 | 000,000,000 | ---- | C] () -- C:\WINDOWS\tosOBEX.INI
    [2008/09/26 15:19:04 | 000,014,848 | R--- | C] () -- C:\WINDOWS\System32\drivers\SynSam.sys
    [2008/09/26 15:19:04 | 000,008,064 | R--- | C] () -- C:\WINDOWS\System32\drivers\SynScan.sys
    [2008/09/26 15:18:59 | 000,498,688 | R--- | C] () -- C:\WINDOWS\System32\drivers\SynPin.sys
    [2008/09/26 15:18:59 | 000,030,848 | R--- | C] () -- C:\WINDOWS\System32\drivers\SynCamd.sys
    [2008/09/26 15:18:58 | 001,208,064 | R--- | C] () -- C:\WINDOWS\System32\drivers\SynMini.sys
    [2008/09/26 15:10:43 | 000,016,480 | ---- | C] () -- C:\WINDOWS\System32\rixdicon.dll
    [2008/09/26 14:57:57 | 000,028,822 | ---- | C] () -- C:\WINDOWS\Ascd_log.ini
    [2008/09/26 14:57:47 | 000,005,632 | R--- | C] () -- C:\WINDOWS\System32\drivers\ATKACPI.sys
    [2008/09/26 14:57:30 | 000,010,288 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
    [2007/04/28 13:05:00 | 001,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
    [2007/04/28 13:05:00 | 001,474,560 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
    [2007/04/28 13:05:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
    [2007/04/28 13:05:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
    [2007/04/17 10:35:49 | 000,286,208 | ---- | C] () -- C:\WINDOWS\System32\cncs232.dll
    [2005/09/02 14:44:08 | 000,110,592 | ---- | C] () -- C:\WINDOWS\System32\TosBtAcc.dll
    [2005/07/22 21:30:20 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\TosCommAPI.dll
    [2004/07/20 17:04:02 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\TosBtHcrpAPI.dll
    [2004/01/15 14:43:28 | 000,114,688 | ---- | C] () -- C:\WINDOWS\System32\TBTMonUI.dll
    [2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
    [2001/07/31 05:17:12 | 000,094,274 | ---- | C] () -- C:\WINDOWS\System32\HPBHEALR.DLL

    ========== LOP Check ==========

    [2008/09/30 11:14:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\LightScribe
    [2010/09/11 17:53:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\SITEguard
    [2010/04/13 11:39:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\STDUConverter
    [2010/09/11 19:39:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\STOPzilla!
    [2010/02/19 10:56:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Tarma Installer
    [2010/03/28 15:20:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
    [2009/06/08 10:23:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Viewpoint
    [2010/05/29 14:42:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\WinZip
    [2009/04/14 09:59:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Artem\Application Data\DisplayTune
    [2010/03/08 21:37:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Artem\Application Data\FileZilla
    [2008/11/22 11:42:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Artem\Application Data\IcoFX
    [2009/06/11 14:31:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Artem\Application Data\KDE
    [2010/06/29 13:02:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Artem\Application Data\Publish or Perish
    [2009/07/08 23:43:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Artem\Application Data\Toshiba
    [2010/09/16 17:12:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Artem\Application Data\WinEdt
    [2010/06/06 12:25:17 | 000,000,364 | ---- | M] () -- C:\WINDOWS\Tasks\Install_NSS.job
    [2010/09/16 17:15:59 | 000,000,432 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{D7B34122-7D38-4DB9-BA5B-FA6966AD0A11}.job

    ========== Purity Check ==========



    ========== Custom Scans ==========


    < %SYSTEMDRIVE%\*.exe >


    < MD5 for: AGP440.SYS >
    [2004/08/05 14:00:00 | 018,779,217 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
    [2008/09/26 19:09:52 | 023,892,017 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
    [2008/09/26 19:09:52 | 023,892,017 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
    [2008/04/13 20:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
    [2008/04/13 20:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

    < MD5 for: ATAPI.SYS >
    [2004/08/05 14:00:00 | 018,779,217 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
    [2008/09/26 19:09:52 | 023,892,017 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
    [2008/09/26 19:09:52 | 023,892,017 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
    [2008/04/13 20:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
    [2008/04/13 20:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
    [2004/08/03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
    [2004/08/05 14:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\drivers\system32\DRIVERS\atapi.sys
    [2004/08/05 14:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\i386\atapi.sys
    [2004/08/03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0007\DriverFiles\i386\atapi.sys

    < MD5 for: EVENTLOG.DLL >
    [1999/10/02 10:24:46 | 000,017,408 | ---- | M] () MD5=1363337A5301619F00F8033835EF30E9 -- C:\MATLAB\R2007b\sys\perl\win32\site\lib\auto\Win32\EventLog\EventLog.dll
    [2004/08/05 14:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=21E83876A6287F15538EF187D286FE11 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll
    [2008/04/14 04:33:24 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=4EC800BDF80521B0207BD2301DFC7D14 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
    [2008/04/14 04:33:24 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=4EC800BDF80521B0207BD2301DFC7D14 -- C:\WINDOWS\system32\eventlog.dll

    < MD5 for: NETLOGON.DLL >
    [2008/04/14 04:33:34 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=04821179C3171554C1BD1F9888A113E2 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
    [2008/04/14 04:33:34 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=04821179C3171554C1BD1F9888A113E2 -- C:\WINDOWS\system32\netlogon.dll
    [2004/08/05 14:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=FAF07FDCDE76000621A28D19F8E2E8EB -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

    < MD5 for: SCECLI.DLL >
    [2008/04/14 04:33:40 | 000,187,392 | ---- | M] (Microsoft Corporation) MD5=973B36634C544948C663E8269AA1B3A3 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
    [2008/04/14 04:33:40 | 000,187,392 | ---- | M] (Microsoft Corporation) MD5=973B36634C544948C663E8269AA1B3A3 -- C:\WINDOWS\system32\scecli.dll
    [2004/08/05 14:00:00 | 000,186,368 | ---- | M] (Microsoft Corporation) MD5=DEC0397F35D027874804EC72979D03CC -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll

    < %systemroot%\*. /mp /s >

    < %systemroot%\system32\*.dll /lockedfiles >

    < %systemroot%\Tasks\*.job /lockedfiles >

    < %systemroot%\system32\drivers\*.sys /lockedfiles >

    < %systemroot%\System32\config\*.sav >
    [2008/09/26 15:40:27 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
    [2008/09/26 15:40:27 | 000,663,552 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
    [2008/09/26 15:40:27 | 000,458,752 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav
    < End of report >
    ---------------------------------------------------------------------

  6. #6
    Junior Member
    Join Date
    Sep 2010
    Posts
    8

    and here is the Extras.txt log. As mentioned in my first log, my Windows version is French. To ease the reading of the last section of this log, I include a few (homemade) translations:

    Service s'est terminé de façon inattendue pour la 1ème fois. = Service unexpectedly interrupted for the first time.
    Application bloquée = blocked application
    Application défaillante = failing application

    I should also mention that, in the attempt to understand whether these are regular tasks that suddenly start using a lot of CPU/memory resources, or whether it is trojan activity, I have intentionally killed the tasks that were "consuming" the most. This probably explains the number of interrupted services.

    Thanks again for your help.

    --------------------------------------------------------------------------
    OTL Extras logfile created on: 16/09/2010 17:20:15 - Run 1
    OTL by OldTimer - Version 3.2.12.1 Folder = C:\Documents and Settings\Artem\Bureau
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 0000080C | Country: Belgique | Language: FRB | Date Format: d/MM/yyyy

    2,00 Gb Total Physical Memory | 1,00 Gb Available Physical Memory | 66,00% Memory free
    4,00 Gb Paging File | 3,00 Gb Available in Paging File | 87,00% Paging File free
    Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 24,50 Gb Total Space | 5,33 Gb Free Space | 21,74% Space Free | Partition Type: NTFS
    Drive D: | 9,77 Gb Total Space | 1,44 Gb Free Space | 14,79% Space Free | Partition Type: NTFS
    E: Drive not present or media not loaded
    F: Drive not present or media not loaded
    G: Drive not present or media not loaded
    H: Drive not present or media not loaded
    I: Drive not present or media not loaded

    Computer Name: ULB-614A9323631
    Current User Name: Artem
    Logged in as Administrator.

    Current Boot Mode: Normal
    Scan Mode: Current user
    Company Name Whitelist: Off
    Skip Microsoft Files: Off
    File Age = 30 Days
    Output = Minimal

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

    [HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
    .exe [@ = exefile] -- Reg Error: Key error. File not found
    .html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    exefile [open] -- "%1" %*
    htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
    htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
    http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
    https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirstRunDisabled" = 1
    "UpdatesDisableNotify" = 0
    "AntiVirusOverride" = 0
    "FirewallOverride" = 0
    "AntiVirusDisableNotify" = 0
    "FirewallDisableNotify" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
    "DisableMonitoring" = 1

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

    ========== Firewall Settings ==========
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall" = 1
    "DoNotAllowExceptions" = 0
    "DisableNotifications" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
    "3306:TCP" = 3306:TCP:*:Enabled:MySQL Server
    "1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
    "2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "C:\cygwin\usr\X11R6\bin\XWin.exe" = C:\cygwin\usr\X11R6\bin\XWin.exe:*:Enabled:XWin -- File not found
    "C:\MATLAB\R2007b\bin\win32\MATLAB.exe" = C:\MATLAB\R2007b\bin\win32\MATLAB.exe:*:Enabled:MATLAB -- (The MathWorks Inc.)
    "C:\WINDOWS\system32\ftp.exe" = C:\WINDOWS\system32\ftp.exe:*:Enabled:Logiciel de transfert de fichiers -- (Microsoft Corporation)
    "C:\cygwin\bin\XWin.exe" = C:\cygwin\bin\XWin.exe:*:Enabled:XWin -- ()
    "C:\Program Files\McAfee\Common Framework\FrameworkService.exe" = C:\Program Files\McAfee\Common Framework\FrameworkService.exe:*:Enabled:McAfee Framework Service -- (McAfee, Inc.)
    "C:\GMSH\gmsh.exe" = C:\GMSH\gmsh.exe:*:Enabled:gmsh -- ()
    "C:\Program Files\WinSCP\WinSCP.exe" = C:\Program Files\WinSCP\WinSCP.exe:*:Enabled:WinSCP: SFTP, FTP and SCP client -- (Martin Prikryl)


    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}" = PDFCreator
    "{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
    "{02D7C83F-FCCB-4EEC-9E4B-C6FF8AADC015}" = Power4 Gear
    "{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}" = mLogView
    "{13F3917B56CD4C25848BDC69916971BB}" = DivX Converter
    "{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
    "{147BCE03-C0F1-4C9F-8157-6A89B6D2D973}" = McAfee VirusScan Enterprise
    "{1E5007FA-DA5E-4EDD-BDE5-14D128D66887}" = PowerQuest PartitionMagic 7.0
    "{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = DVD Suite
    "{23FB368F-1399-4EAC-817C-4B83ECBE3D83}" = mProSafe
    "{26A24AE4-039D-4CA4-87B4-2F83216010FF}" = Java(TM) 6 Update 21
    "{296B2D8E-CE82-92AF-B2E8-A646E7CB78A2}_is1" = RegAlyzer
    "{29D3773E-54F4-23C2-D523-236A4453B844}_is1" = FileAlyzer
    "{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java(TM) 6 Update 7
    "{350C940c-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
    "{3E9D596A-61D4-4239-BD19-2DB984D2A16F}" = mIWA
    "{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
    "{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker
    "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
    "{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
    "{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
    "{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
    "{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
    "{7B63B2922B174135AFC0E1377DD81EC2}" =
    "{829CD169-E692-48E8-9BDE-A3E8D8B65538}" = mSCfg
    "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
    "{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}" = mPfMgr
    "{8C6BB412-D3A8-4AAE-A01B-35B681789D68}" = mHelp
    "{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
    "{90120000-0020-040C-0000-0000000FF1CE}" = Module de compatibilité pour Microsoft Office System 2007
    "{901E040C-6000-11D3-8CFE-0150048383C9}" = Microsoft Office 2003 French User Interface Pack
    "{90B0D222-8C21-4B35-9262-53B042F18AF9}" = mPfWiz
    "{94658027-9F16-4509-BBD7-A59FE57C3023}" = mZConfig
    "{94ECA004-8B62-45E8-B83D-A85F61A1F0B9}" = eWebEditPro 4 Client
    "{975C8028-51D8-44A9-9585-82E9810FE96A}" = hp LaserJet 1000
    "{97F32DF8-D66E-446A-A425-C1D7B45C1036}" = Nero 7 Essentials
    "{981029E0-7FC9-4CF3-AB39-6F133621921A}" = Skype Toolbars
    "{985556E5-353F-4AA9-9E75-29AB8A5E4E14}" = Harzing's Publish or Perish 2.8.3644
    "{A0F925BF-5C55-44C2-A4E7-5A4C59791C29}" = mDriver
    "{A5181519-9F3D-4372-ABC6-C333C2F3A816}_is1" = RunAlyzer
    "{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.4
    "{ACCA20B0-C4D1-4BF5-BF21-0A0EB5EF9730}" = REALTEK GbE & FE Ethernet PCI NIC Driver
    "{AEB9948B-4FF2-47C9-990E-47014492A0FE}" = MSXML 6.0 Parser
    "{AFA9D219-A7FD-4240-8793-E5C7C9D715F4}" = IKEA Home Planner
    "{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
    "{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
    "{C3BDF1C8-66EF-4A0F-B427-A99E39706F45}_is1" = RMVB Converter 1.8
    "{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = PowerDirector
    "{CE386A4E-D0DA-4208-8235-BCE43275C694}" = LightScribe 1.4.142.1
    "{CEBB6BFB-D708-4F99-A633-BC2600E01EF6}" = Bluetooth Stack for Windows
    "{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.2
    "{D5A9B7C0-8751-11D8-9D75-000129760D75}" = MediaShow 3.0
    "{E008BEB1-AB63-46C1-BD3D-08D3A1F8E26D}" = McAfee Agent
    "{E4A41F8D-5DFD-422F-8C7A-D77D56116A56}" = Le Grand Robert & Collins
    "{E81667C6-2856-46D6-ABEA-6A2F42166779}" = mCore
    "{EC3D786A-C56F-427B-9B7A-9AC0CA7DB140}" = TOSHIBA e-STUDIO850 Series Client
    "{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}" = mMHouse
    "{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
    "{F6090A17-0967-4A8A-B3C3-422A1B514D49}" = mDrWiFi
    "{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}" = mWlsSafe
    "Active Ports" = Active Ports
    "Adobe AIR" = Adobe AIR
    "Adobe Atmosphere Player" = Adobe Atmosphere Player for Acrobat and Adobe Reader
    "Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
    "Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
    "ArcSoft PhotoStudio 2000" = ArcSoft PhotoStudio 2000
    "CamStudio" = CamStudio
    "DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters
    "DivX Setup.divx.com" = DivX Setup
    "ERUNT_is1" = ERUNT 1.1j
    "FileZilla Client" = FileZilla Client 3.1.4.1
    "GPL Ghostscript 8.63" = GPL Ghostscript 8.63
    "GSview 4.9" = GSview 4.9
    "HControl" = ATK0100 ACPI UTILITY
    "IcoFX_is1" = IcoFX 1.6.4
    "IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
    "ie7" = Windows Internet Explorer 7
    "ie8" = Windows Internet Explorer 8
    "Imagicon" = Imagicon
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
    "MatlabR2007b" = MATLAB R2007b
    "McAfee Anti-Spyware Enterprise Module" = McAfee AntiSpyware Enterprise Module
    "MiKTeX 2.7" = MiKTeX 2.7
    "MinGW" = MinGW 5.1.4
    "Mozilla Firefox (3.5.12)" = Mozilla Firefox (3.5.12)
    "MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
    "MSFortranPowerStation" = Microsoft Fortran PowerStation 4.0
    "MSYS-1.0_is1" = "Minimal SYStem 1.0.10"
    "MSYS-DTK_is1" = "MSYS Developer Tool Kit 1.0.1"
    "NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
    "NVIDIA Drivers" = NVIDIA Drivers
    "PrimoPDF" = PrimoPDF -- brought to you by Nitro PDF Software
    "ProInst" = Intel(R) PROSet/Wireless Software
    "Services Off-line de Home'Bank_is1" = Services Off-line de Home'Bank 4.04
    "SMSERIAL" = Motorola SM56 Speakerphone Modem
    "USB2.0 2M WebCam" = USB2.0 2M WebCam
    "Usbfix" = Usbfix By C_XX & El Desaparecido
    "WinDjView" = WinDjView 1.0.3
    "Windows Media Format Runtime" = Windows Media Format 11 runtime
    "Windows Media Player" = Lecteur Windows Media*11
    "Windows XP Service" = Windows XP Service Pack*3
    "WinRAR archiver" = WinRAR archiver
    "winscp3_is1" = WinSCP 4.2.3 beta
    "WMFDist11" = Windows Media Format 11 runtime
    "wmp11" = Windows Media Player 11
    "Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

    ========== Last 10 Event Log Errors ==========

    [ Application Events ]
    Error - 8/08/2010 13:29:14 | Computer Name = ULB-614A9323631 | Source = Application Hang | ID = 1002
    Description = Application bloquée MATLAB.exe, version 1.0.0.1, module bloqué hungapp,
    version 0.0.0.0, adresse de blocage 0x00000000.

    Error - 8/08/2010 14:26:12 | Computer Name = ULB-614A9323631 | Source = Application Hang | ID = 1002
    Description = Application bloquée gmsh.exe, version 0.0.0.0, module bloqué hungapp,
    version 0.0.0.0, adresse de blocage 0x00000000.

    Error - 8/08/2010 14:27:16 | Computer Name = ULB-614A9323631 | Source = Application Hang | ID = 1002
    Description = Application bloquée gmsh.exe, version 0.0.0.0, module bloqué hungapp,
    version 0.0.0.0, adresse de blocage 0x00000000.

    Error - 14/08/2010 16:52:54 | Computer Name = ULB-614A9323631 | Source = Application Hang | ID = 1002
    Description = Application bloquée MATLAB.exe, version 1.0.0.1, module bloqué hungapp,
    version 0.0.0.0, adresse de blocage 0x00000000.

    Error - 16/08/2010 16:38:58 | Computer Name = ULB-614A9323631 | Source = Application Error | ID = 1000
    Description = Application défaillante divxupdate.exe, version 1.0.1.10, module défaillant
    msvcp80.dll, version 8.0.50727.4053, adresse de défaillance 0x000100b5.

    Error - 27/08/2010 17:17:22 | Computer Name = ULB-614A9323631 | Source = Application Hang | ID = 1002
    Description = Application bloquée firefox.exe, version 1.9.1.3834, module bloqué
    hungapp, version 0.0.0.0, adresse de blocage 0x00000000.

    Error - 6/09/2010 15:25:05 | Computer Name = ULB-614A9323631 | Source = Application Error | ID = 1000
    Description = Application défaillante explorer.exe, version 6.0.2900.5512, module
    défaillant kernel32.dll, version 5.1.2600.5781, adresse de défaillance 0x00012afb.

    Error - 8/09/2010 20:05:16 | Computer Name = ULB-614A9323631 | Source = Application Error | ID = 1000
    Description = Application défaillante divxupdate.exe, version 1.0.1.10, module défaillant
    msvcp80.dll, version 8.0.50727.4053, adresse de défaillance 0x000100b5.

    Error - 9/09/2010 21:29:37 | Computer Name = ULB-614A9323631 | Source = Application Hang | ID = 1002
    Description = Application bloquée msimn.exe, version 6.0.2900.5512, module bloqué
    hungapp, version 0.0.0.0, adresse de blocage 0x00000000.

    Error - 11/09/2010 13:08:08 | Computer Name = ULB-614A9323631 | Source = Application Hang | ID = 1002
    Description = Application bloquée iFrmewrk.exe, version 11.1.0.2, module bloqué
    hungapp, version 0.0.0.0, adresse de blocage 0x00000000.

    [ System Events ]
    Error - 16/09/2010 8:40:48 | Computer Name = ULB-614A9323631 | Source = Service Control Manager | ID = 7034
    Description = Le service Intel(R) PROSet/Wireless Service s'est terminé de façon
    inattendue pour la 1ème fois.

    Error - 16/09/2010 8:40:48 | Computer Name = ULB-614A9323631 | Source = Service Control Manager | ID = 7034
    Description = Le service LightScribeService Direct Disc Labeling Service s'est terminé
    de façon inattendue pour la 1ème fois.

    Error - 16/09/2010 8:40:49 | Computer Name = ULB-614A9323631 | Source = Service Control Manager | ID = 7034
    Description = Le service McAfee Engine Service s'est terminé de façon inattendue
    pour la 1ème fois.

    Error - 16/09/2010 8:40:49 | Computer Name = ULB-614A9323631 | Source = Service Control Manager | ID = 7034
    Description = Le service Java Quick Starter s'est terminé de façon inattendue pour
    la 1ème fois.

    Error - 16/09/2010 8:40:49 | Computer Name = ULB-614A9323631 | Source = Service Control Manager | ID = 7034
    Description = Le service Service McAfee Framework s'est terminé de façon inattendue
    pour la 1ème fois.

    Error - 16/09/2010 8:40:49 | Computer Name = ULB-614A9323631 | Source = Service Control Manager | ID = 7034
    Description = Le service Machine Debug Manager s'est terminé de façon inattendue
    pour la 1ème fois.

    Error - 16/09/2010 8:40:49 | Computer Name = ULB-614A9323631 | Source = Service Control Manager | ID = 7034
    Description = Le service McAfee Task Manager s'est terminé de façon inattendue pour
    la 1ème fois.

    Error - 16/09/2010 8:40:49 | Computer Name = ULB-614A9323631 | Source = Service Control Manager | ID = 7034
    Description = Le service NVIDIA Display Driver Service s'est terminé de façon inattendue
    pour la 1ème fois.

    Error - 16/09/2010 8:40:49 | Computer Name = ULB-614A9323631 | Source = Service Control Manager | ID = 7034
    Description = Le service Intel(R) PROSet/Wireless Registry Service s'est terminé
    de façon inattendue pour la 1ème fois.

    Error - 16/09/2010 8:40:49 | Computer Name = ULB-614A9323631 | Source = Service Control Manager | ID = 7034
    Description = Le service Cyberlink RichVideo Service(CRVS) s'est terminé de façon
    inattendue pour la 1ème fois.


    < End of report >

  7. #7
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Hi,

    You still have a few things going on that need to be fixed, run this tool please

    Download ComboFix from one of these locations:

    Link 1
    Link 2


    * IMPORTANT !!! Save ComboFix.exe to your Desktop


    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    • See this Link for programs that need to be disabled and instruction on how to disable them.
    • Remember to re-enable them when we're done.

    • Double click on ComboFix.exe & follow the prompts.

    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

    *If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  8. #8
    Junior Member
    Join Date
    Sep 2010
    Posts
    8

    Hi ken545,

    thanks for your rapid response. ComboFix has detected the OS language and generated the report in French (again...). Based on some other posts on the forum, I've translated it. You will find the "translated version" below. I did my best, but if some things are still unclear, I am at your complete disposal.

    Another (probably) important point: I had some problems disabling McAfee and I simply renamed the containing folder (before starting Windows). That is why it is treated as orphan.

    Thanks again for your time

    -------------------------------------------------------------------------
    ComboFix 10-09-16.04 - Artem 16/09/2010 23:41:04.1.2 - x86
    Microsoft Windows XP Professionnel 5.1.2600.3.1252.33.1036.18.2047.1397 [GMT 2:00]
    Running from: c:\documents and settings\Artem\Bureau\ComboFix.exe
    .

    (((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\spool\prtprocs\w32x86\pcldll6l.dll
    c:\windows\system32\spool\prtprocs\w32x86\zpp.dll

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_NPF


    ((((((((((((((((((((((((((((( Files Created from 2010-08-16 to 2010-09-16 ))))))))))))))))))))))))))))))))))))
    .

    2010-09-16 13:20 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-09-16 13:20 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-09-15 11:32 . 2010-09-15 11:56 -------- d-----w- c:\program files\MiKTeX 2.7
    2010-09-13 12:51 . 2010-09-13 12:51 -------- d-----w- C:\ERDNT
    2010-09-13 12:50 . 2010-09-13 12:50 -------- d-----w- c:\program files\ERUNT
    2010-09-11 20:31 . 2010-09-11 20:31 -------- d-----w- c:\documents and settings\Administrateur\Local Settings\Application Data\Mozilla
    2010-09-11 20:29 . 2010-09-11 20:29 -------- d-sh--w- c:\documents and settings\Administrateur\IETldCache
    2010-09-11 18:49 . 2010-09-11 18:49 -------- d-----w- c:\documents and settings\Artem\Application Data\Malwarebytes
    2010-09-11 18:49 . 2010-09-11 18:49 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
    2010-09-11 18:49 . 2010-09-16 13:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-09-11 17:11 . 2010-09-11 19:37 2941 ----a-w- C:\UsbFix_Upload_Me_ULB-614A9323631.zip
    2010-09-11 15:59 . 2010-09-11 15:59 32768 ---ha-w- C:\SZKGFS.dat
    2010-09-11 15:54 . 2010-09-11 19:37 -------- d-----w- C:\UsbFix
    2010-09-11 15:53 . 2010-09-11 15:53 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\SITEguard
    2010-09-11 15:52 . 2010-09-11 15:52 -------- d-----w- c:\program files\Fichiers communs\iS3
    2010-09-11 15:52 . 2010-09-11 17:39 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\STOPzilla!
    2010-09-10 01:47 . 2010-09-10 01:48 -------- d-----w- c:\program files\GnuChess

    .
    (((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-16 21:49 . 2009-04-11 22:02 -------- d-----w- c:\documents and settings\Artem\Application Data\Skype
    2010-09-16 21:21 . 2010-09-16 21:21 50 ----a-w- c:\program files\.directory
    2010-09-16 21:16 . 2008-11-13 14:43 -------- d-----w- c:\documents and settings\Artem\Application Data\WinEdt
    2010-09-16 12:14 . 2008-09-26 14:04 -------- d-----w- c:\program files\Fichiers communs\Adobe
    2010-09-16 09:07 . 2008-09-27 15:40 -------- d-----w- c:\documents and settings\Artem\Application Data\AdobeUM
    2010-09-14 08:10 . 2009-07-08 21:46 70488 ----a-w- c:\documents and settings\Artem\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-09-12 15:25 . 2010-06-23 12:00 -------- d-----w- c:\program files\yapakit-release-2008.10.27.21.28.26-win32-ix86
    2010-09-11 17:35 . 2010-09-11 17:35 744 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
    2010-09-10 01:34 . 2004-08-05 12:00 49898 ----a-w- c:\windows\system32\perfc00C.dat
    2010-09-10 01:34 . 2004-08-05 12:00 371218 ----a-w- c:\windows\system32\perfh00C.dat
    2010-09-01 21:42 . 2010-06-03 06:04 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-09-01 15:13 . 2008-09-28 11:10 -------- d-----w- c:\program files\Fichiers communs\Java
    2010-09-01 15:13 . 2008-09-28 11:28 -------- d-----w- c:\program files\Java
    2010-09-01 13:20 . 2009-02-28 22:29 -------- d-----w- c:\documents and settings\Artem\Application Data\U3
    2010-08-20 22:10 . 2010-08-20 22:10 503808 ----a-w- c:\documents and settings\Artem\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-7c8ec525-n\msvcp71.dll
    2010-08-20 22:10 . 2010-08-20 22:10 499712 ----a-w- c:\documents and settings\Artem\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-7c8ec525-n\jmc.dll
    2010-08-20 22:10 . 2010-08-20 22:10 348160 ----a-w- c:\documents and settings\Artem\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-7c8ec525-n\msvcr71.dll
    2010-08-20 22:09 . 2010-08-20 22:09 61440 ----a-w- c:\documents and settings\Artem\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-4bedf1a5-n\decora-sse.dll
    2010-08-20 22:09 . 2010-08-20 22:09 12800 ----a-w- c:\documents and settings\Artem\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-4bedf1a5-n\decora-d3d.dll
    2010-08-17 13:17 . 2004-08-05 12:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
    2010-08-11 08:53 . 2010-05-18 18:54 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\DivX
    2010-07-22 15:48 . 2004-08-05 12:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
    2010-07-22 06:19 . 2008-05-05 05:25 5632 ----a-w- c:\windows\system32\xpsp4res.dll
    2010-07-17 03:00 . 2010-05-02 10:32 423656 ----a-w- c:\windows\system32\deployJava1.dll
    2010-06-30 12:32 . 2004-08-05 12:00 149504 ----a-w- c:\windows\system32\schannel.dll
    2010-06-24 12:25 . 2004-08-05 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-06-24 09:02 . 2004-08-05 12:00 1852032 ----a-w- c:\windows\system32\win32k.sys
    2010-06-21 15:27 . 2004-08-05 12:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
    2009-10-22 18:07 . 2010-04-19 15:00 23864 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
    .

    ((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ToshibaGLDocMon"="c:\program files\TOSHIBA\TOSHIBA e-STUDIO Client\GLDocMon.exe" [2005-09-12 835584]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="c:\program files\Fichiers communs\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2007-01-29 638976]
    "SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
    "RTHDCPL"="RTHDCPL.EXE" [2007-03-08 16125952]
    "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 56928]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-28 8429568]
    "NeroFilterCheck"="c:\program files\Fichiers communs\Ahead\Lib\NeroCheck.exe" [2007-03-26 161328]
    "LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 54832]
    "IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
    "HControl"="c:\windows\ATK0100\HControl.exe" [2006-10-14 110592]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
    "Adobe ARM"="c:\program files\Fichiers communs\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

    c:\documents and settings\Artem\Menu Démarrer\Programmes\Démarrage\
    ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
    Skype.lnk - c:\windows\Installer\{D103C4BA-F905-437A-8049-DB24763BBE36}\SkypeIcon.exe [2010-7-12 371272]

    c:\documents and settings\Artem\Menu Démarrer\Programmes\Démarrage\
    ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
    Skype.lnk - c:\windows\Installer\{D103C4BA-F905-437A-8049-DB24763BBE36}\SkypeIcon.exe [2010-7-12 371272]

    c:\documents and settings\Artem\Menu Démarrer\Programmes\Démarrage\
    ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
    Skype.lnk - c:\windows\Installer\{D103C4BA-F905-437A-8049-DB24763BBE36}\SkypeIcon.exe [2010-7-12 371272]

    c:\documents and settings\All Users.WINDOWS\Menu Démarrer\Programmes\Démarrage\
    Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [2006-5-24 49152]

    c:\documents and settings\Artem\Menu Démarrer\Programmes\Démarrage\
    ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
    Skype.lnk - c:\windows\Installer\{D103C4BA-F905-437A-8049-DB24763BBE36}\SkypeIcon.exe [2010-7-12 371272]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\MATLAB\\R2007b\\bin\\win32\\MATLAB.exe"=
    "c:\\WINDOWS\\system32\\ftp.exe"=
    "c:\\cygwin\\bin\\XWin.exe"=
    "c:\\GMSH\\gmsh.exe"=
    "c:\\Program Files\\WinSCP\\WinSCP.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3306:TCP"= 3306:TCP:MySQL Server

    R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [19/04/2010 17:00 70728]
    R3 SynMini;Syntek USB2.0 2M WebCam;c:\windows\system32\drivers\SynMini.sys [26/09/2008 15:18 1208064]
    R3 SynScan;Syntek USB2.0 2M WebCam Still Image;c:\windows\system32\drivers\SynScan.sys [26/09/2008 15:19 8064]
    S2 McAfeeEngineService;McAfee Engine Service;"c:\program files\McAfee\VirusScan Enterprise\EngineServer.exe" --> c:\program files\McAfee\VirusScan Enterprise\EngineServer.exe [?]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [19/04/2010 17:00 66600]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-08-03 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 10:34]

    2010-06-06 c:\windows\Tasks\Install_NSS.job
    - c:\program files\DivX\Symantec\scstubinstaller.exe [2010-03-08 18:00]

    2010-09-16 c:\windows\Tasks\User_Feed_Synchronization-{D7B34122-7D38-4DB9-BA5B-FA6966AD0A11}.job
    - c:\windows\system32\msfeedssync.exe [2007-08-13 02:31]
    .
    .
    ------- Supplementary Scan -------
    .
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    TCP: {DC6EA748-82AF-4331-A1EE-0B19E2A69E1A} = 164.15.59.200
    FF - ProfilePath - c:\documents and settings\Artem\Application Data\Mozilla\Firefox\Profiles\mniywwju.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://wwwdev.ulb.ac.be/webmail2/webmail2.php
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&type=971163&p=
    FF - component: c:\program files\Mozilla Firefox\components\Scriptff.dll
    FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
    FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    .
    - - - - ORPHANS REMOVED - - - -

    AddRemove-McAfee Anti-Spyware Enterprise Module - c:\program files\McAfee\VirusScan Enterprise\scan32.exe
    AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files\DivX\DivXCodecUninstall.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-09-16 23:53
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(2960)
    c:\program files\Fichiers communs\Microsoft Shared\INK\SKCHUI.DLL
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\program files\WinSCP\DragExt.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    c:\windows\system32\eappprxy.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Intel\Wireless\Bin\S24EvMon.exe
    c:\program files\Intel\Wireless\Bin\EvtEng.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Fichiers communs\LightScribe\LSSrvc.exe
    c:\program files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\windows\system32\nvsvc32.exe
    c:\program files\Intel\Wireless\Bin\RegSrvc.exe
    c:\program files\CyberLink\Shared Files\RichVideo.exe
    c:\windows\system32\wbem\wmiapsrv.exe
    c:\windows\RTHDCPL.EXE
    c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
    c:\program files\Skype\Phone\Skype.exe
    c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
    c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
    c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
    c:\program files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
    c:\windows\ATK0100\ATKOSD.exe
    c:\program files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
    .
    **************************************************************************
    .
    Completion time: 2010-09-16 23:53:30 - computer rebooted
    ComboFix-quarantined-files.txt 2010-09-16 21:53

    Pre-Run: 5.624.242.176 octets libres
    Post-Run: 5.478.584.320 octets libres

    WindowsXP-KB310994-SP2-Pro-BootDisk-FRA.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professionnel" /noexecute=optin /fastdetect

    - - End Of File - - 7D4B8E52A98E5289BE8ACAFCA2DDA036

  9. #9
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    France, ahhhh. I have family in Italy and go to visit every few years. I have never been to France but have always wanted to visit, maybe on my next trip.

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following
      Code:
      :OTL
      PRC - C:\Windows\Explorer.EXE (Microsoft Corporation)
      [2010/09/14 19:25:02 | 000,419,283 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100916-155919.backup
      [2010/09/12 13:40:46 | 000,419,283 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100914-192502.backup
      [2010/09/12 13:32:52 | 000,419,283 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100912-134046.backup
      [2010/09/12 12:48:44 | 000,419,283 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100912-133252.backup
      [2010/09/11 17:59:36 | 000,418,771 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100912-124843.backup
      [2010/09/11 19:35:39 | 000,000,744 | ---- | M] () -- C:\WINDOWS\System32\drivers\kgpcpy.cfg
      [2010/09/11 17:59:05 | 000,032,768 | -H-- | M] () -- C:\SZKGFS.dat
      
      
      
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot when it is done
    • Then post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.
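The OTL fix script above lists files in OTL's own line format (`[date time | size | attrs | M] (company) -- path`). The following parser is an added example for readers triaging such listings; it is not part of this post, not OTL's code, and not ken545's method. It takes the lines quoted in the fix as constructed sample input (plus one made-up, normal-sized hosts line for contrast) and flags the properties a helper looks at when choosing what to move: the hidden attribute, an unlabelled file sitting at the drive root, and a hosts file far larger than a stock one. The attribute-flag convention (`H` in the four-character field meaning hidden) and the 10 KB hosts-size limit are assumptions of the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample lines in the OTL file-listing format used in the fix
# script above ([date time | size | attrs | M] (company) -- path). The last
# line is a made-up, normal-sized hosts file included for contrast.
SAMPLE_OTL_LINES = [
    r"[2010/09/14 19:25:02 | 000,419,283 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100916-155919.backup",
    r"[2010/09/11 19:35:39 | 000,000,744 | ---- | M] () -- C:\WINDOWS\System32\drivers\kgpcpy.cfg",
    r"[2010/09/11 17:59:05 | 000,032,768 | -H-- | M] () -- C:\SZKGFS.dat",
    r"[2010/09/10 08:00:00 | 000,000,734 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts",
]

# Hosts files larger than this are reported. The threshold is an assumption
# made for this example: a stock Windows hosts file is well under 1 KB.
HOSTS_SIZE_LIMIT = 10 * 1024

OTL_LINE = re.compile(
    r"^\[(?P<date>\d{4}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>\S{4}) \| (?P<kind>[A-Z])\] "
    r"\((?P<company>[^)]*)\) -- (?P<path>.+)$"
)


@dataclass
class OtlEntry:
    date: str
    time: str
    size: int
    attrs: str      # four attribute flags; 'H' read as "hidden" (assumed OTL convention)
    company: str    # version-info company name as OTL prints it; empty when none
    path: str

    @property
    def hidden(self) -> bool:
        return "H" in self.attrs

    @property
    def at_drive_root(self) -> bool:
        # e.g. C:\SZKGFS.dat: exactly one path component after the drive letter
        return re.fullmatch(r"[A-Za-z]:\\[^\\]+", self.path) is not None

    @property
    def is_hosts_file(self) -> bool:
        name = self.path.rsplit("\\", 1)[-1].lower()
        return name == "hosts" or name.startswith("hosts.")


def parse_otl_lines(lines: List[str]) -> List[OtlEntry]:
    """Parse OTL file-listing lines; lines that do not match the format are skipped."""
    entries: List[OtlEntry] = []
    for line in lines:
        m = OTL_LINE.match(line.strip())
        if not m:
            continue
        entries.append(OtlEntry(
            date=m["date"], time=m["time"],
            size=int(m["size"].replace(",", "")),   # "000,419,283" -> 419283
            attrs=m["attrs"], company=m["company"], path=m["path"],
        ))
    return entries


def triage(entries: List[OtlEntry]) -> Dict[str, List[str]]:
    """Return {path: [reasons]} for entries that deserve a closer look."""
    findings: Dict[str, List[str]] = {}
    for e in entries:
        reasons = []
        if e.hidden:
            reasons.append("hidden attribute set")
        if e.at_drive_root and not e.company:
            reasons.append("file with no company info at drive root")
        if e.is_hosts_file and e.size > HOSTS_SIZE_LIMIT:
            reasons.append(f"hosts file is {e.size} bytes (limit {HOSTS_SIZE_LIMIT})")
        if reasons:
            findings[e.path] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in triage(parse_otl_lines(SAMPLE_OTL_LINES)).items():
        print(path, "->", "; ".join(reasons))
```

Run as-is it reports the hidden root-level `C:\SZKGFS.dat` and the oversized hosts backup, while the 744-byte `kgpcpy.cfg` and the normal-sized hosts file pass; the reasons are hints for a human reviewer, not a verdict, which is why the function returns them rather than deciding anything.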

  10. #10
    Junior Member
    Join Date
    Sep 2010
    Posts
    8

    Default

    Hi ken545,

    If you live or work in the south of France (or in Italy), it should be like vacation all year. I am from Belgium, and the climate there is close to the one in the south of the UK (it rains most of the time). The same actually holds for northern France as well.

    Thanks again for a quick answer. I have run OTL and got the log below. As an additional observation, I've run gmer (renamed) to see whether the system tasks are still reacting to this program by dramatically increasing their activity (100% CPU usage, slowing down of the PC), and it is still the case. Once I kill the most active tasks, the others start doing the same...

    Thanks for being so kind and reacting so quickly! I could hardly guess that my PC is infected to that point...
    --------------------------------------------------------------------
    All processes killed
    ========== OTL ==========
    No active process named Explorer.EXE was found!
    C:\WINDOWS\system32\drivers\etc\hosts.20100916-155919.backup moved successfully.
    C:\WINDOWS\system32\drivers\etc\hosts.20100914-192502.backup moved successfully.
    C:\WINDOWS\system32\drivers\etc\hosts.20100912-134046.backup moved successfully.
    C:\WINDOWS\system32\drivers\etc\hosts.20100912-133252.backup moved successfully.
    C:\WINDOWS\system32\drivers\etc\hosts.20100912-124843.backup moved successfully.
    C:\WINDOWS\system32\drivers\kgpcpy.cfg moved successfully.
    C:\SZKGFS.dat moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrateur
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: All Users

    User: All Users.WINDOWS

    User: Artem
    ->Temp folder emptied: 590464 bytes
    ->Temporary Internet Files folder emptied: 5275893 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 58485281 bytes
    ->Flash cache emptied: 689 bytes

    User: Default User

    User: Default User.WINDOWS
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 16867 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 61,00 mb


    OTL by OldTimer - Version 3.2.12.1 log created on 09172010_083820

    Files\Folders moved on Reboot...

    Registry entries deleted on Reboot...
    -----------------------------------------------------------------------
