View Full Version : win32.murlo.ff.rtk
Greetings,
OK I've tried to get rid of this thing without bothering anybody but it looks like I have no other option ... I can't get rid of win32.murlo.ff.rtk. The machine is extremely slow and it can't get Internet acces so I unforutnetly can't supply a Kaspersky log report. If it is of any help - "Fichier Communs" is "Common Files" and Bell or Sympatico are ISPs. Ran Spybot several times and the only thing that remains is murlo. Spyboy points to a registry key that I followed and never found. The other points to C:\Windows\Temp\startdrv.drv, that I've deleted and seen re-appear on many occasions....:sad:
HJT Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:11:36, on 2007-12-05
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Bell\Gestionnaire de securite\Fws.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe
C:\Program Files\Bell\Gestionnaire de securite\RPS.exe
C:\Program Files\WIDCOMM\Logiciel Bluetooth\bin\btwdins.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\spoolc.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Fichiers communs\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Bell\Gestionnaire de securite\rpsupdaterR.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.ca/0SEENCA/SAOS01
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://fr.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://fr.search.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Bell\Gestionnaire de securite\pkR.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Fichiers communs\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SSA.exe] "C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe" /AUTORUN
O4 - HKLM\..\Run: [Gestionnaire de sécurité Sympatico] C:\Program Files\Bell\Gestionnaire de securite\RPS.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Bell\Gestionnaire de securite\ZkRunOnceR.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [dumprep] C:\WINDOWS\system32\spoolc.exe
O4 - HKLM\..\RunOnce: [IndexCleaner] "C:\Program Files\Bell\Gestionnaire de securite\IdxClnR.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Envoyer à &Bluetooth - C:\Program Files\WIDCOMM\Logiciel Bluetooth\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: Bowling by pogo - http://game1.pogo.com/applet-6.6.3.34/bowling/bowling-en_US.cab
O16 - DPF: Pinochle by pogo - http://game1.pogo.com/applet-6.6.3.34/pinochle/pinochle-en_US.cab
O16 - DPF: Texas Hold'em Poker by pogo - http://game1.pogo.com/applet-6.6.3.34/holdem/holdem-en_US.cab
O16 - DPF: The Sims Pinball by pogo - http://game1.pogo.com/applet-6.6.3.34/simball/simball-en_US.cab
O16 - DPF: TruePass EPF 7,0,100,717 - https://blrscr3.egs-seg.gc.ca/applets/entrusttruepassapplet-epf.cab
O16 - DPF: Word Whomp Whackdown by pogo - http://game1.pogo.com/applet-6.6.3.34/whackdown/whackdown-en_US.cab
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.pogo.com/online2/pogo/chuzzle/popcaploader_v6.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\sol709.txt
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Logiciel Bluetooth\bin\btwdins.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Fichiers communs\Authentium\AntiVirus\dvpapi.exe
O23 - Service: Service de sécurité matérielle (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Service de mise-à-jour pour le Gestionnaire de sécurité Sympatico (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Bell\Gestionnaire de securite\rpsupdaterR.exe
O23 - Service: Gestionnaire de sécurité Sympatico Coupe-feu (RP_FWS) - Bell Sympatico - C:\Program Files\Bell\Gestionnaire de securite\Fws.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
--
End of file - 9571 bytes
GREAT! (I guess), I got to Kasperskys' and ran the scan...results:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, December 05, 2007 10:37:09 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 6/12/2007
Kaspersky Anti-Virus database records: 473458
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
Scan Statistics:
Total number of scanned objects: 90682
Number of viruses found: 7
Number of infected objects: 14
Number of suspicious objects: 16
Duration of the scan process: 03:48:44
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Bell\Gestionnaire de securite\Logs\Coupe-feu - Paquets bloqués - 12-05-2007--17-20-48.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Bell\Gestionnaire de securite\Logs\FirewallService12-05-2007--17-10-51.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Bell\Gestionnaire de securite\Logs\Fw_Session.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Bell\Gestionnaire de securite\Logs\SafetyConsoleLog12-05-2007--17-13-03.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Bell\Gestionnaire de securite\Logs\ServiceModel12-05-2007--17-12-47.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinMurloffrtk.zip/startdrv.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinMurloffrtk.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinMurloffrtk10.zip/startdrv.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinMurloffrtk10.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinMurloffrtk12.zip/startdrv.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinMurloffrtk12.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinMurloffrtk14.zip/startdrv.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinMurloffrtk14.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinMurloffrtk2.zip/startdrv.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinMurloffrtk2.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinMurloffrtk5.zip/startdrv.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinMurloffrtk5.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinMurloffrtk6.zip/startdrv.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinMurloffrtk6.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinMurloffrtk8.zip/startdrv.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinMurloffrtk8.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\enduser\Application Data\Bell\Sympatico Security Advisor\client_gateway.log Object is locked skipped
C:\Documents and Settings\enduser\Bureau\games jeux\Chainz2_Setup-dm.exe Infected: not-a-virus:AdWare.Win32.Trymedia.b skipped
C:\Documents and Settings\enduser\Bureau\games jeux\InternetGameBox_setup.exe/EXE-file/stream/data0006 Infected: not-a-virus:AdWare.Win32.NaviPromo.bw skipped
C:\Documents and Settings\enduser\Bureau\games jeux\InternetGameBox_setup.exe/EXE-file/stream Infected: not-a-virus:AdWare.Win32.NaviPromo.bw skipped
C:\Documents and Settings\enduser\Bureau\games jeux\InternetGameBox_setup.exe/EXE-file Infected: not-a-virus:AdWare.Win32.NaviPromo.bw skipped
C:\Documents and Settings\enduser\Bureau\games jeux\InternetGameBox_setup.exe Embedded EXE: infected - 3 skipped
C:\Documents and Settings\enduser\Bureau\games jeux\InternetGameBox_setup.exe UPX: infected - 3 skipped
C:\Documents and Settings\enduser\Bureau\games jeux\InternetGameBox_setup.exe PE_Patch.UPX: infected - 3 skipped
C:\Documents and Settings\enduser\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\enduser\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\enduser\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\enduser\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\enduser\Local Settings\Historique\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\enduser\Local Settings\Historique\History.IE5\MSHist012007120520071206\index.dat Object is locked skipped
C:\Documents and Settings\enduser\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\enduser\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\enduser\Mes documents\Ma musique\SHIT A ELYZE\Incomplete\Erik\07 Track 7.wma Infected: Trojan-Downloader.WMA.Wimad.k skipped
C:\Documents and Settings\enduser\Mes documents\Ma musique\SHIT A ELYZE\Incomplete\Erik\Rare Recording (daftpunk).wma Infected: Trojan-Downloader.WMA.Wimad.k skipped
C:\Documents and Settings\enduser\ntuser.dat Object is locked skipped
C:\Documents and Settings\enduser\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Historique\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{6DF58C5F-2D5B-41AE-B9F4-5C71AB4BEBAD}\RP351\A0212181.sys Object is locked skipped
C:\System Volume Information\_restore{6DF58C5F-2D5B-41AE-B9F4-5C71AB4BEBAD}\RP351\A0212185.exe Object is locked skipped
C:\System Volume Information\_restore{6DF58C5F-2D5B-41AE-B9F4-5C71AB4BEBAD}\RP351\A0212186.exe Object is locked skipped
C:\System Volume Information\_restore{6DF58C5F-2D5B-41AE-B9F4-5C71AB4BEBAD}\RP351\A0213185.exe Object is locked skipped
C:\System Volume Information\_restore{6DF58C5F-2D5B-41AE-B9F4-5C71AB4BEBAD}\RP351\A0214185.exe Object is locked skipped
C:\System Volume Information\_restore{6DF58C5F-2D5B-41AE-B9F4-5C71AB4BEBAD}\RP351\A0215185.exe Object is locked skipped
C:\System Volume Information\_restore{6DF58C5F-2D5B-41AE-B9F4-5C71AB4BEBAD}\RP351\A0216185.exe Object is locked skipped
C:\System Volume Information\_restore{6DF58C5F-2D5B-41AE-B9F4-5C71AB4BEBAD}\RP351\A0217185.exe Object is locked skipped
C:\System Volume Information\_restore{6DF58C5F-2D5B-41AE-B9F4-5C71AB4BEBAD}\RP351\A0217186.exe Infected: Backdoor.Win32.Agent.cxf skipped
C:\System Volume Information\_restore{6DF58C5F-2D5B-41AE-B9F4-5C71AB4BEBAD}\RP351\A0218185.exe Object is locked skipped
C:\System Volume Information\_restore{6DF58C5F-2D5B-41AE-B9F4-5C71AB4BEBAD}\RP351\A0218186.exe Infected: Backdoor.Win32.Agent.cxf skipped
C:\System Volume Information\_restore{6DF58C5F-2D5B-41AE-B9F4-5C71AB4BEBAD}\RP351\A0219185.exe Object is locked skipped
C:\System Volume Information\_restore{6DF58C5F-2D5B-41AE-B9F4-5C71AB4BEBAD}\RP351\A0220185.exe Object is locked skipped
C:\System Volume Information\_restore{6DF58C5F-2D5B-41AE-B9F4-5C71AB4BEBAD}\RP352\A0228197.exe Object is locked skipped
C:\System Volume Information\_restore{6DF58C5F-2D5B-41AE-B9F4-5C71AB4BEBAD}\RP352\A0229229.exe Object is locked skipped
C:\System Volume Information\_restore{6DF58C5F-2D5B-41AE-B9F4-5C71AB4BEBAD}\RP352\A0229230.exe Object is locked skipped
C:\System Volume Information\_restore{6DF58C5F-2D5B-41AE-B9F4-5C71AB4BEBAD}\RP352\A0230216.exe Object is locked skipped
C:\System Volume Information\_restore{6DF58C5F-2D5B-41AE-B9F4-5C71AB4BEBAD}\RP352\A0230217.sys Object is locked skipped
C:\System Volume Information\_restore{6DF58C5F-2D5B-41AE-B9F4-5C71AB4BEBAD}\RP352\change.log Object is locked skipped
C:\WINDOWS\dcxxygx.exe Infected: Trojan-Downloader.Win32.Wixud.m skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\ip6fw.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\sol709.txt Infected: Trojan.Win32.Qhost.zs skipped
C:\WINDOWS\system32\spoolc.exe Infected: Backdoor.Win32.Agent.cxf skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
little eagle
2007-12-10, 21:18
Lets try running combofix.exe
Download it from one of the links below:
Note:
It is important that it is saved directly to your desktop
http://download.bleepingcomputer.com/sUBs/combofix.exe
http://www.techsupportforum.com/sectools/combofix.exe
Double click combofix.exe & follow the prompts.
When finished, it will produce a log for you. Post that log in your next reply.
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall
THANKS! It took 3.5 hrs to run...but well worth it I'm sure. The boot up after combofix was the fastest I've seen it in a long time. I'm keeping the machine isolated so as not to take any steps backwards. It seems to have used either Windows or the machines default language which is French (Canadian), let me know if you need anything translated or if you want me to switch the language to English and rerun. Here's the log, looking forward to the next step, thanks again.:bigthumb:
ComboFix 07-12-09.1 - enduser 2007-12-10 17:34:19.1 - NTFSx86
Running from: C:\Documents and Settings\enduser\Bureau\ComboFix.exe
.
(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\Fichiers communs\download
C:\Program Files\winupdates
C:\Program Files\winupdates\a.zip
C:\WINDOWS\pack.epk
C:\WINDOWS\system32\1_exception.nls
C:\WINDOWS\system32\bronto.dll
C:\WINDOWS\system32\drivers\ctl_w32.sys
C:\WINDOWS\system32\drivers\symavc32.sys
C:\WINDOWS\system32\drivers\YOBX46.sys
C:\WINDOWS\system32\tubyoquh.dat
C:\WINDOWS\system32\tubyoquh.exe
C:\WINDOWS\system32\tubyoquh_nav.dat
C:\WINDOWS\system32\tubyoquh_navps.dat
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_CTL_W32
-------\LEGACY_RUNTIME
-------\LEGACY_YOBX46
-------\runtime
((((((((((((((((((((((((((((( Fichiers cr‚‚s 2007-11-11 to 2007-12-11 ))))))))))))))))))))))))))))))))))))
.
2007-12-30 09:26 . 2007-12-30 09:26 <REP> d-------- C:\WINDOWS\SWImport Xtra Cache
2007-12-30 09:26 . 2007-12-30 09:26 24 --a------ C:\WINDOWS\SWImport Xtra.PRF
2007-12-29 18:16 . 2007-11-28 15:16 <REP> d-------- C:\Documents and Settings\enduser\Contacts
2007-12-29 18:14 . 2007-12-29 18:14 <REP> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-12-09 16:24 . 2007-12-09 16:24 <REP> d-------- C:\RegSeeker
2007-12-09 16:21 . 2007-12-09 16:12 450,114 --a------ C:\RegSeeker.zip
2007-12-05 17:52 . 2007-12-05 17:52 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-05 17:48 . 2007-12-05 17:48 <REP> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-04 23:58 . 2007-12-04 23:27 812,344 --a------ C:\Program Files\HJTInstall.exe
2007-12-04 23:51 . 2007-12-04 23:51 <REP> d-------- C:\Program Files\Trend Micro
2007-12-04 09:51 . 2007-12-04 09:51 <REP> d-------- C:\Documents and Settings\Administrateur.ENDUSER-XTHRM7S\Application Data\AVG7
2007-12-03 22:41 . 2007-12-03 22:41 29 --a------ C:\WINDOWS\system32\prrwrpps.tmp
2007-12-03 22:21 . 2007-12-03 22:21 87,552 --a------ C:\WINDOWS\system32\spoolc.exe
2007-12-03 19:12 . 2007-12-03 19:12 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-03 08:48 . 2007-12-03 17:36 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-02 15:42 . 2007-12-02 15:44 841 --a------ C:\WINDOWS\system32\5619.lps
2007-11-30 22:57 . 2007-12-03 22:21 291,328 --a------ C:\WINDOWS\system32\libcurl.dll
2007-11-30 22:57 . 2007-11-30 22:57 16,384 --a------ C:\WINDOWS\dcxxygx.exe
2007-11-17 12:27 . 2007-11-17 12:27 244 --ah----- C:\sqmnoopt05.sqm
2007-11-17 12:27 . 2007-11-17 12:27 232 --ah----- C:\sqmdata06.sqm
2007-11-17 12:27 . 2007-11-17 12:27 232 --ah----- C:\sqmdata05.sqm
2007-11-16 09:34 . 2007-11-16 09:34 244 --ah----- C:\sqmnoopt04.sqm
2007-11-16 09:34 . 2007-11-16 09:34 244 --ah----- C:\sqmnoopt03.sqm
2007-11-16 09:34 . 2007-11-16 09:34 244 --ah----- C:\sqmnoopt02.sqm
2007-11-16 09:34 . 2007-11-16 09:34 232 --ah----- C:\sqmdata04.sqm
2007-11-16 09:34 . 2007-11-16 09:34 232 --ah----- C:\sqmdata03.sqm
2007-11-16 09:34 . 2007-11-16 09:34 232 --ah----- C:\sqmdata02.sqm
.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-30 23:22 --------- d-----w C:\Program Files\Simulateur de conduite 3D Demo
2007-12-29 23:15 --------- d-----w C:\Program Files\MSN Messenger
2007-12-04 18:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2007-12-04 03:49 --------- d-----w C:\Documents and Settings\enduser\Application Data\AVG7
2007-11-26 15:52 --------- d-----w C:\Program Files\MP3Rocket
2007-11-26 15:52 --------- d-----w C:\Program Files\LimeWire
2007-10-20 00:40 --------- d-----w C:\Program Files\Fichiers communs\Scanner
2007-10-20 00:19 --------- d-----w C:\Program Files\Fichiers communs\Authentium
2007-10-20 00:18 --------- d-----w C:\Program Files\Raxco
2007-10-20 00:18 --------- d-----w C:\Program Files\CA
2007-10-20 00:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Raxco
2007-10-20 00:17 --------- d-----w C:\Program Files\Bell
2007-10-20 00:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Bell
2007-10-20 00:16 --------- d-----w C:\Documents and Settings\enduser\Application Data\Bell
2007-10-20 00:14 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-20 00:14 --------- d-----w C:\Documents and Settings\enduser\Application Data\InstallShield
2007-10-20 00:13 36,139,752 ----a-w C:\Program Files\Sympatico_GS60_setup.exe
2007-10-13 14:50 --------- d-----w C:\Program Files\Norton Security Scan
2007-10-13 14:50 --------- d-----w C:\Program Files\Fichiers communs\Symantec Shared
2007-09-20 17:40 785 ----a-w C:\Program Files\INSTALL.LOG
2007-09-17 15:34 12,373,255 ------w C:\AVG7QT.DAT
2007-03-18 13:18 179,200 ----a-w C:\Documents and Settings\enduser\Application Data\internaldb4827.dat
2007-03-18 13:18 151 ----a-w C:\Documents and Settings\enduser\Application Data\internaldb1860.dat
2007-03-18 13:18 13,046 ----a-w C:\Documents and Settings\enduser\Application Data\internaldb5436.dat
2007-03-18 13:18 0 ----a-w C:\Documents and Settings\enduser\Application Data\internaldb4604.dat
2006-11-25 22:21 0 ----a-w C:\Documents and Settings\enduser\Application Data\internaldb8253.dat
2006-11-25 22:21 0 ----a-w C:\Documents and Settings\enduser\Application Data\internaldb3902.dat
2006-11-25 22:21 0 ----a-w C:\Documents and Settings\enduser\Application Data\internaldb2391.dat
2006-11-25 22:21 0 ----a-w C:\Documents and Settings\enduser\Application Data\internaldb153.dat
2006-11-04 13:51 6,144 ----a-w C:\Documents and Settings\enduser\Application Data\internaldb2936.dat
2006-10-28 15:30 6,144 ----a-w C:\Documents and Settings\enduser\Application Data\internaldb630.dat
2006-10-22 12:47 6,144 ----a-w C:\Documents and Settings\enduser\Application Data\internaldb2488.dat
2006-10-21 14:22 49 ----a-w C:\Documents and Settings\enduser\Application Data\internaldb41.dat
2006-10-14 12:30 9,216 ----a-w C:\Documents and Settings\enduser\Application Data\internaldb8467.dat
2006-10-14 12:30 0 ----a-w C:\Documents and Settings\enduser\Application Data\internaldb6334.dat
2006-05-23 21:33 32 ----a-r C:\Documents and Settings\All Users\hash.dat
2006-03-26 19:08 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2006-03-04 16:39 4,096 ----a-w C:\Documents and Settings\enduser\log.dat
2005-11-30 01:15 9,346,664 ----a-w C:\Program Files\zlsSetup_60_667_000.exe
2005-11-17 12:27 9,352,392 ----a-w C:\Program Files\Install_MSN_Messenger.exe
.
((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* les ‚l‚ments vides & les ‚l‚ments initiaux l‚gitimes ne sont pas list‚s
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 18:09]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"IndexCleaner"="C:\Program Files\Bell\Gestionnaire de securite\IdxClnR.exe" [2007-08-27 16:04]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdateManager"="C:\Program Files\Fichiers communs\Sonic\Update Manager\sgtray.exe" [2003-08-18 18:01]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2005-06-20 07:21]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-06-20 07:17]
"nwiz"="nwiz.exe" [2003-12-19 03:17 C:\WINDOWS\system32\nwiz.exe]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-19 18:10 C:\WINDOWS\system32\rundll32.exe]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2004-01-27 09:52]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-01-13 02:21]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2003-10-17 07:51]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-03-25 14:00]
"ATIModeChange"="Ati2mdxx.exe" [2004-04-02 03:16 C:\WINDOWS\system32\Ati2mdxx.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-07 23:40]
"AGRSMMSG"="AGRSMMSG.exe" [2003-10-30 08:40 C:\WINDOWS\AGRSMMSG.exe]
"SSA.exe"="C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe" [2007-03-27 09:33]
"Gestionnaire de sécurité Sympatico"="C:\Program Files\Bell\Gestionnaire de securite\RPS.exe" [2007-08-27 16:05]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-19 18:09]
"-FreedomNeedsReboot"="C:\Program Files\Bell\Gestionnaire de securite\ZkRunOnceR.exe" [2007-08-27 16:05]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-12-03 22:37]
"dumprep"="C:\WINDOWS\system32\spoolc.exe" [2007-12-03 22:21]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"IndexCleaner"="C:\Program Files\Bell\Gestionnaire de securite\IdxClnR.exe" [2007-08-27 16:04]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-19 18:09]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-12-03 22:37]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FAT Defragmentation]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^Lancement rapide d'Adobe Reader.lnk]
path=C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage\Lancement rapide d'Adobe Reader.lnk
backup=C:\WINDOWS\pss\Lancement rapide d'Adobe Reader.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\clkhost]
2007-11-30 22:57 16384 --a------ C:\WINDOWS\dcxxygx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotTVPlayer]
C:\WINDOWS\temp\HotTVPlayer.exe -start
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecordNow!]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sonytest]
jswTss.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Symantec Core LC"=2 (0x2)
"usnjsvc"=3 (0x3)
"ITMRTSVC"=2 (0x2)
"iPodService"=3 (0x3)
"PDEngine"=2 (0x2)
"PDAgent"=2 (0x2)
"dvpapi"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"dumprep"=C:\WINDOWS\system32\spoolc.exe
"tubyoquh"=c:\windows\system32\tubyoquh.exe tubyoquh
"vcs4diamond"=C:\Program Files\AV Vcs 4.0 DIAMOND\Vcs4Core.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"msmsgr"=msmsgss.exe
"Service"=real.exe
"Sonytest"=jswTss.exe
S1 ctl_w32;ctl_w32;C:\WINDOWS\system32\drivers\ctl_w32.sys
S3 cpqeth;Pilote de carte réseau Ethernet Compaq PCMCIA;C:\WINDOWS\system32\DRIVERS\cpqndis5.sys
S3 Radialpoint Security Services;Gestionnaire de sécurité Sympatico;C:\WINDOWS\system32\dllhost.exe /Processid:{80098F68-1220-4F43-80A8-15C7395B8874}
S3 usbscan;Pilote de scanneur USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys
S3 USBSTOR;Pilote de stockage de masse USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\DOCUME~1\enduser\LOCALS~1\Temp\tdpkylft.dll
.
**************************************************************************
catchme 0.3.1331 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-10 20:26:49
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????6?1?5?8??????? ?(?B???????????????B? ??????
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-12-10 20:30:25 - machine was rebooted
.
--- E O F ---
little eagle
2007-12-11, 04:23
Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\WINDOWS\dcxxygx.exe
Save this as Save this as "CFScript"
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif
Refering to the picture above, drag CFScript.txt into ComboFix.exe
Then post the results log.
ComboFix 07-12-09.1 - enduser 2007-12-10 21:35:34.2 - NTFSx86
Microsoft Windows XP Édition familiale 5.1.2600.2.1252.33.1036.18.92 [GMT -5:00]Running from: C:\Documents and Settings\enduser\Bureau\ComboFix.exe
Command switches used :: C:\Documents and Settings\enduser\Bureau\CFScript.txt
* Created a new restore point
FILE
C:\WINDOWS\dcxxygx.exe
.
(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\dcxxygx.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\ctl_w32
((((((((((((((((((((((((((((( Fichiers cr‚‚s 2007-11-11 to 2007-12-11 ))))))))))))))))))))))))))))))))))))
.
2007-12-30 09:26 . 2007-12-30 09:26 <REP> d-------- C:\WINDOWS\SWImport Xtra Cache
2007-12-30 09:26 . 2007-12-30 09:26 24 --a------ C:\WINDOWS\SWImport Xtra.PRF
2007-12-29 18:16 . 2007-11-28 15:16 <REP> d-------- C:\Documents and Settings\enduser\Contacts
2007-12-29 18:14 . 2007-12-29 18:14 <REP> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-12-09 16:24 . 2007-12-09 16:24 <REP> d-------- C:\RegSeeker
2007-12-09 16:21 . 2007-12-09 16:12 450,114 --a------ C:\RegSeeker.zip
2007-12-05 17:52 . 2007-12-05 17:52 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-05 17:48 . 2007-12-05 17:48 <REP> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-04 23:58 . 2007-12-04 23:27 812,344 --a------ C:\Program Files\HJTInstall.exe
2007-12-04 23:51 . 2007-12-04 23:51 <REP> d-------- C:\Program Files\Trend Micro
2007-12-04 09:51 . 2007-12-04 09:51 <REP> d-------- C:\Documents and Settings\Administrateur.ENDUSER-XTHRM7S\Application Data\AVG7
2007-12-03 22:41 . 2007-12-03 22:41 29 --a------ C:\WINDOWS\system32\prrwrpps.tmp
2007-12-03 22:21 . 2007-12-03 22:21 87,552 --a------ C:\WINDOWS\system32\spoolc.exe
2007-12-03 19:12 . 2007-12-03 19:12 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-03 08:48 . 2007-12-03 17:36 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-02 15:42 . 2007-12-02 15:44 841 --a------ C:\WINDOWS\system32\5619.lps
2007-11-30 22:57 . 2007-12-03 22:21 291,328 --a------ C:\WINDOWS\system32\libcurl.dll
2007-11-17 12:27 . 2007-11-17 12:27 244 --ah----- C:\sqmnoopt05.sqm
2007-11-17 12:27 . 2007-11-17 12:27 232 --ah----- C:\sqmdata06.sqm
2007-11-17 12:27 . 2007-11-17 12:27 232 --ah----- C:\sqmdata05.sqm
2007-11-16 09:34 . 2007-11-16 09:34 244 --ah----- C:\sqmnoopt04.sqm
2007-11-16 09:34 . 2007-11-16 09:34 244 --ah----- C:\sqmnoopt03.sqm
2007-11-16 09:34 . 2007-11-16 09:34 244 --ah----- C:\sqmnoopt02.sqm
2007-11-16 09:34 . 2007-11-16 09:34 232 --ah----- C:\sqmdata04.sqm
2007-11-16 09:34 . 2007-11-16 09:34 232 --ah----- C:\sqmdata03.sqm
2007-11-16 09:34 . 2007-11-16 09:34 232 --ah----- C:\sqmdata02.sqm
.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-30 23:22 --------- d-----w C:\Program Files\Simulateur de conduite 3D Demo
2007-12-29 23:15 --------- d-----w C:\Program Files\MSN Messenger
2007-12-04 18:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2007-12-04 03:49 --------- d-----w C:\Documents and Settings\enduser\Application Data\AVG7
2007-11-26 15:52 --------- d-----w C:\Program Files\MP3Rocket
2007-11-26 15:52 --------- d-----w C:\Program Files\LimeWire
2007-10-20 00:40 --------- d-----w C:\Program Files\Fichiers communs\Scanner
2007-10-20 00:19 --------- d-----w C:\Program Files\Fichiers communs\Authentium
2007-10-20 00:18 --------- d-----w C:\Program Files\Raxco
2007-10-20 00:18 --------- d-----w C:\Program Files\CA
2007-10-20 00:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Raxco
2007-10-20 00:17 --------- d-----w C:\Program Files\Bell
2007-10-20 00:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Bell
2007-10-20 00:16 --------- d-----w C:\Documents and Settings\enduser\Application Data\Bell
2007-10-20 00:14 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-20 00:14 --------- d-----w C:\Documents and Settings\enduser\Application Data\InstallShield
2007-10-20 00:13 36,139,752 ----a-w C:\Program Files\Sympatico_GS60_setup.exe
2007-10-13 14:50 --------- d-----w C:\Program Files\Norton Security Scan
2007-10-13 14:50 --------- d-----w C:\Program Files\Fichiers communs\Symantec Shared
2007-09-20 17:40 785 ----a-w C:\Program Files\INSTALL.LOG
2007-09-17 15:34 12,373,255 ------w C:\AVG7QT.DAT
2007-03-18 13:18 179,200 ----a-w C:\Documents and Settings\enduser\Application Data\internaldb4827.dat
2007-03-18 13:18 151 ----a-w C:\Documents and Settings\enduser\Application Data\internaldb1860.dat
2007-03-18 13:18 13,046 ----a-w C:\Documents and Settings\enduser\Application Data\internaldb5436.dat
2007-03-18 13:18 0 ----a-w C:\Documents and Settings\enduser\Application Data\internaldb4604.dat
2006-11-25 22:21 0 ----a-w C:\Documents and Settings\enduser\Application Data\internaldb8253.dat
2006-11-25 22:21 0 ----a-w C:\Documents and Settings\enduser\Application Data\internaldb3902.dat
2006-11-25 22:21 0 ----a-w C:\Documents and Settings\enduser\Application Data\internaldb2391.dat
2006-11-25 22:21 0 ----a-w C:\Documents and Settings\enduser\Application Data\internaldb153.dat
2006-11-04 13:51 6,144 ----a-w C:\Documents and Settings\enduser\Application Data\internaldb2936.dat
2006-10-28 15:30 6,144 ----a-w C:\Documents and Settings\enduser\Application Data\internaldb630.dat
2006-10-22 12:47 6,144 ----a-w C:\Documents and Settings\enduser\Application Data\internaldb2488.dat
2006-10-21 14:22 49 ----a-w C:\Documents and Settings\enduser\Application Data\internaldb41.dat
2006-10-14 12:30 9,216 ----a-w C:\Documents and Settings\enduser\Application Data\internaldb8467.dat
2006-10-14 12:30 0 ----a-w C:\Documents and Settings\enduser\Application Data\internaldb6334.dat
2006-05-23 21:33 32 ----a-r C:\Documents and Settings\All Users\hash.dat
2006-03-26 19:08 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2006-03-04 16:39 4,096 ----a-w C:\Documents and Settings\enduser\log.dat
2005-11-30 01:15 9,346,664 ----a-w C:\Program Files\zlsSetup_60_667_000.exe
2005-11-17 12:27 9,352,392 ----a-w C:\Program Files\Install_MSN_Messenger.exe
.
((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* les ‚l‚ments vides & les ‚l‚ments initiaux l‚gitimes ne sont pas list‚s
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 18:09]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdateManager"="C:\Program Files\Fichiers communs\Sonic\Update Manager\sgtray.exe" [2003-08-18 18:01]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2005-06-20 07:21]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-06-20 07:17]
"nwiz"="nwiz.exe" [2003-12-19 03:17 C:\WINDOWS\system32\nwiz.exe]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-19 18:10 C:\WINDOWS\system32\rundll32.exe]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2004-01-27 09:52]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-01-13 02:21]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2003-10-17 07:51]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-03-25 14:00]
"ATIModeChange"="Ati2mdxx.exe" [2004-04-02 03:16 C:\WINDOWS\system32\Ati2mdxx.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-07 23:40]
"AGRSMMSG"="AGRSMMSG.exe" [2003-10-30 08:40 C:\WINDOWS\AGRSMMSG.exe]
"SSA.exe"="C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe" [2007-03-27 09:33]
"Gestionnaire de sécurité Sympatico"="C:\Program Files\Bell\Gestionnaire de securite\RPS.exe" [2007-08-27 16:05]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-19 18:09]
"-FreedomNeedsReboot"="C:\Program Files\Bell\Gestionnaire de securite\ZkRunOnceR.exe" [2007-08-27 16:05]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-12-03 22:37]
"dumprep"="C:\WINDOWS\system32\spoolc.exe" [2007-12-03 22:21]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-19 18:09]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-12-03 22:37]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FAT Defragmentation]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^Lancement rapide d'Adobe Reader.lnk]
path=C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage\Lancement rapide d'Adobe Reader.lnk
backup=C:\WINDOWS\pss\Lancement rapide d'Adobe Reader.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\clkhost]
C:\WINDOWS\dcxxygx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotTVPlayer]
C:\WINDOWS\temp\HotTVPlayer.exe -start
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecordNow!]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sonytest]
jswTss.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Symantec Core LC"=2 (0x2)
"usnjsvc"=3 (0x3)
"ITMRTSVC"=2 (0x2)
"iPodService"=3 (0x3)
"PDEngine"=2 (0x2)
"PDAgent"=2 (0x2)
"dvpapi"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"dumprep"=C:\WINDOWS\system32\spoolc.exe
"tubyoquh"=c:\windows\system32\tubyoquh.exe tubyoquh
"vcs4diamond"=C:\Program Files\AV Vcs 4.0 DIAMOND\Vcs4Core.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"msmsgr"=msmsgss.exe
"Service"=real.exe
"Sonytest"=jswTss.exe
S3 cpqeth;Pilote de carte réseau Ethernet Compaq PCMCIA;C:\WINDOWS\system32\DRIVERS\cpqndis5.sys
S3 Radialpoint Security Services;Gestionnaire de sécurité Sympatico;C:\WINDOWS\system32\dllhost.exe /Processid:{80098F68-1220-4F43-80A8-15C7395B8874}
S3 usbscan;Pilote de scanneur USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys
S3 USBSTOR;Pilote de stockage de masse USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\DOCUME~1\enduser\LOCALS~1\Temp\tdpkylft.dll
.
**************************************************************************
catchme 0.3.1331 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-10 21:48:00
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe???????????????|?p???? ?(?B???????????????B? ??????
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-12-10 21:51:20 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-10 20:30
.
--- E O F ---
little eagle
2007-12-11, 14:05
Download and run - ATF Cleaner instructions here. (http://forums.security-central.us/showthread.php?t=1925)
Please go HERE (http://www.pandasoftware.com/products/activescan.htm) to run Panda's ActiveScan
* You need to use IE to run this scan
* Once you are on the Panda site click the Scan your PC button
* A new window will open...click the Check Now button
* Enter your Country
* Enter your State/Province
* Enter your e-mail address and click send
* Select either Home User or Company
* Click the big Scan Now button
* If it wants to install an ActiveX component allow it
* It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
* When download is complete, click on My Computer to start the scan
* When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report, You do not need to pay to remove anything just post the log. :lip:
Incident Status Location
Adware:adware/dyfuca Not disinfected Windows Registry
Adware:adware/ist.istbar Not disinfected Windows Registry
Adware:adware/powerscan Not disinfected Windows Registry
Adware:adware/surfaccuracy Not disinfected Windows Registry
Adware:adware/ist.sidefind Not disinfected Windows Registry
Adware:adware/ist.yoursitebar Not disinfected Windows Registry
Virus:Generic Malware Disinfected C:\Documents and Settings\enduser\Application Data\Macromedia\Shockwave Player\xtras\download\TheGrooveAlliance\3DGrooveXtrav181\Groove.x32
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\enduser\Application Data\Mozilla\Firefox\Profiles\9pfdzl0o.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\enduser\Application Data\Mozilla\Firefox\Profiles\9pfdzl0o.default\cookies.txt[.adultfriendfinder.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\enduser\Application Data\Mozilla\Firefox\Profiles\9pfdzl0o.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\enduser\Application Data\Mozilla\Firefox\Profiles\9pfdzl0o.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\enduser\Application Data\Mozilla\Firefox\Profiles\9pfdzl0o.default\cookies.txt[.atwola.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\enduser\Application Data\Mozilla\Firefox\Profiles\9pfdzl0o.default\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\enduser\Application Data\Mozilla\Firefox\Profiles\9pfdzl0o.default\cookies.txt[.overture.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\enduser\Application Data\Mozilla\Firefox\Profiles\9pfdzl0o.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\enduser\Application Data\Mozilla\Firefox\Profiles\9pfdzl0o.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Smartadserver Not disinfected C:\Documents and Settings\enduser\Application Data\Mozilla\Firefox\Profiles\9pfdzl0o.default\cookies.txt[.smartadserver.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\enduser\Application Data\Mozilla\Firefox\Profiles\9pfdzl0o.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\enduser\Application Data\Mozilla\Firefox\Profiles\9pfdzl0o.default\cookies.txt[.xiti.com/]
Spyware:Cookie/Comclick Not disinfected C:\Documents and Settings\enduser\Application Data\Mozilla\Firefox\Profiles\9pfdzl0o.default\cookies.txt[fl01.ct2.comclick.com/]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\enduser\Bureau\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\enduser\Bureau\ComboFix.exe[nircmd.cfexe]
Adware:Adware/Trymedia Not disinfected C:\Documents and Settings\enduser\Bureau\games jeux\Chainz2_Setup-dm.exe
Virus:Trj/Downloader.RLF Disinfected C:\qoobox\Quarantine\C\WINDOWS\dcxxygx.exe.vir
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\NirCmd.exe
Adware:Adware/Beginto Not disinfected C:\WINDOWS\system32\SmartShopper\uninstallSE.exe
little eagle
2007-12-11, 21:00
Run a complete scan with spybot and then download and install AVG Anti-Spyware (ewido). Then scan and post the report here.
Instructions and download link can be found here (http://forums.security-central.us/showthread.php?t=3165).
The Sybot log is REALLY long, I also ran the AVG Anti-Spyware with all the settings as instructed, however it did not produce a report (even though Automatically generate report after every scan is selected). I can tell you that it found and deleted 14 tracking cookies and two adwares (42 traces). Where to now ?
Thanks
Beginning of Spybot log:
--- Search result list ---
Congratulations!: No immediate threats were found. ()
I don't mean to over info you but I had AVG advise me of a virus as I was starting up Spybot as per your instructions in post #9, I allowed AVG to send it to the vault. I created a log file of the vault and the virus notice is the last one on the list at 11/12/2007 16:40:39. If it helps. Here's the log:
Trojan horse Downloader.Generic6.WKH C:\WINDOWS\ddubbv.exe 03/12/2007 23:52:47 ddubbv.exe 374.5 KB
Trojan horse Downloader.Generic6.WKH C:\WINDOWS\ddubbv.exe 04/12/2007 06:39:14 ddubbv.exe 374.5 KB
Trojan horse SHeur.AECU C:\WINDOWS\xnnnav.exe 05/12/2007 17:13:53 xnnnav.exe 135 KB
Trojan horse Downloader.Generic6.WKH C:\WINDOWS\ddubbv.exe 05/12/2007 17:14:10 ddubbv.exe 374.5 KB
Trojan horse Dropper.Generic.ILS C:\WINDOWS\ksacre.exe 05/12/2007 17:14:43 ksacre.exe 40 KB
Virus found BackDoor.Ntrootkit C:\DOCUME~1\enduser\LOCALS~1\Temp\104156.exe 05/12/2007 17:17:32 104156.exe 40.5 KB
Virus found BackDoor.Ntrootkit C:\DOCUME~1\enduser\LOCALS~1\Temp\112718.exe 03/12/2007 23:58:10 112718.exe 40 KB
Trojan horse Downloader.Generic6.WKH C:\WINDOWS\ddubbv.exe 03/12/2007 23:15:34 ddubbv.exe 374.5 KB
Virus found BackDoor.Ntrootkit C:\DOCUME~1\enduser\LOCALS~1\Temp\495421.exe 03/12/2007 23:16:30 495421.exe 40 KB
Trojan horse Downloader.Generic6.WKH C:\WINDOWS\ddubbv.exe 03/12/2007 23:17:54 ddubbv.exe 374.5 KB
Trojan horse SHeur.AECU C:\WINDOWS\xnnnav.exe 04/12/2007 08:14:49 xnnnav.exe 135 KB
Trojan horse Dropper.Generic.ILS C:\WINDOWS\ksacre.exe 04/12/2007 08:19:54 ksacre.exe 40 KB
Virus found BackDoor.Ntrootkit C:\Documents and Settings\enduser\Local Settings\Temp\103078.exe 04/12/2007 11:19:53 103078.exe 40 KB
Trojan horse Downloader.Agent.14.C C:\WINDOWS\daverx.exe 04/12/2007 11:19:53 daverx.exe 20.5 KB
Trojan horse Generic9.ZMG C:\WINDOWS\system32\sol709.txt 04/12/2007 11:19:53 sol709.txt 7.93 KB
Trojan horse BackDoor.Generic9.EFP C:\WINDOWS\system32\drivers\ip6fw.sys 04/12/2007 11:19:53 ip6fw.sys 28.38 KB
Trojan horse Downloader.Agent.OFN C:\System Volume Information\_restore{6DF58C5F-2D5B-41AE-B9F4-5C71AB4BEBAD}\RP351\A0212181.sys 05/12/2007 20:29:02 A0212181.sys 28.38 KB
Trojan horse Downloader.Generic6.WKH C:\System Volume Information\_restore{6DF58C5F-2D5B-41AE-B9F4-5C71AB4BEBAD}\RP351\A0214185.exe 05/12/2007 20:29:24 A0214185.exe 374.5 KB
Trojan horse Downloader.Generic6.WKH C:\System Volume Information\_restore{6DF58C5F-2D5B-41AE-B9F4-5C71AB4BEBAD}\RP351\A0215185.exe 05/12/2007 20:29:51 A0215185.exe 374.5 KB
Trojan horse Downloader.Generic6.WKH C:\System Volume Information\_restore{6DF58C5F-2D5B-41AE-B9F4-5C71AB4BEBAD}\RP351\A0216185.exe 05/12/2007 20:30:17 A0216185.exe 374.5 KB
Trojan horse Downloader.Generic6.WKH C:\System Volume Information\_restore{6DF58C5F-2D5B-41AE-B9F4-5C71AB4BEBAD}\RP351\A0217185.exe 05/12/2007 20:30:52 A0217185.exe 374.5 KB
Trojan horse Downloader.Generic6.WKH C:\System Volume Information\_restore{6DF58C5F-2D5B-41AE-B9F4-5C71AB4BEBAD}\RP351\A0218185.exe 05/12/2007 20:31:20 A0218185.exe 374.5 KB
Trojan horse Downloader.Generic6.WKH C:\System Volume Information\_restore{6DF58C5F-2D5B-41AE-B9F4-5C71AB4BEBAD}\RP351\A0219185.exe 05/12/2007 20:31:51 A0219185.exe 374.5 KB
Trojan horse Downloader.Generic6.WKH C:\System Volume Information\_restore{6DF58C5F-2D5B-41AE-B9F4-5C71AB4BEBAD}\RP351\A0220185.exe 05/12/2007 20:32:25 A0220185.exe 374.5 KB
Trojan horse Downloader.Generic6.WKH C:\System Volume Information\_restore{6DF58C5F-2D5B-41AE-B9F4-5C71AB4BEBAD}\RP352\A0228197.exe 05/12/2007 20:33:06 A0228197.exe 374.5 KB
Trojan horse SHeur.AECU C:\System Volume Information\_restore{6DF58C5F-2D5B-41AE-B9F4-5C71AB4BEBAD}\RP352\A0229229.exe 05/12/2007 20:33:34 A0229229.exe 135 KB
Trojan horse Dropper.Generic.ILS C:\System Volume Information\_restore{6DF58C5F-2D5B-41AE-B9F4-5C71AB4BEBAD}\RP352\A0229230.exe 05/12/2007 20:34:07 A0229230.exe 40 KB
Trojan horse Downloader.Agent.14.C C:\System Volume Information\_restore{6DF58C5F-2D5B-41AE-B9F4-5C71AB4BEBAD}\RP352\A0230216.exe 05/12/2007 20:34:30 A0230216.exe 20.5 KB
Trojan horse BackDoor.Generic9.EFP C:\System Volume Information\_restore{6DF58C5F-2D5B-41AE-B9F4-5C71AB4BEBAD}\RP352\A0230217.sys 05/12/2007 20:35:00 A0230217.sys 28.38 KB
Trojan horse Generic9.ZMG C:\WINDOWS\system32\sol709.txt 04/12/2007 13:31:23 sol709.txt 7.93 KB
Trojan horse Generic9.ZMG C:\WINDOWS\system32\sol709.txt 04/12/2007 15:18:51 sol709.txt 7.93 KB
Trojan horse BackDoor.Generic9.EFP C:\WINDOWS\system32\drivers\ip6fw.sys 11/12/2007 16:40:39 ip6fw.sys 28.38 KB
THANKS
little eagle
2007-12-12, 05:10
Lets run an F-Secure online scan.
Click HERE (http://support.f-secure.com/enu/home/ols.shtml)
Scroll to the bottom of the page and click the Start scanning button. A window will pop up.
Allow the Active X control to be installed on your computer, then click the Accept button
Click Full System Scan and allow the components to download and the scan to complete.
If malware is found, check Submit samples to F-Secure then select Automatic cleaning
When cleaning has finitished, click Show report (this will open an Internet Explorer window containing the report)
Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post
If Automatic cleaning with Submit samples hangs, click Cancel, then New Scan
When the cleaning option is presented, Uncheck Submit samples to F-Secure
Click Automatic cleaning
When cleaning has finitished, click Show report (this will open an Internet Explorer window containing the report)
Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post
Note: This scan will only work with Internet Explorer.
You must be logged on a administrator rights to run this scan.
The scan may take a few hours.
Scanning Report
Tuesday, December 11, 2007 23:05:21 - 00:25:42
Computer name: ELYSE
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\
--------------------------------------------------------------------------------
Result: 3 malware found
Skintrim.gen1 (virus)
C:\DOCUMENTS AND SETTINGS\ENDUSER\BUREAU\GAMES JEUX\INTERNETGAMEBOX_SETUP.EXE (Submitted)
W32/Agent.DMMS (virus)
C:\WINDOWS\SYSTEM32\LIBCURL.DLL (Submitted)
Zango (spyware)
System (Disinfected)
--------------------------------------------------------------------------------
Statistics
Scanned:
Files: 33391
System: 4152
Not scanned: 5
Actions:
Disinfected: 1
Renamed: 0
Deleted: 0
None: 2
Submitted: 2
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\PREFETCH\LAYOUT.INI
C:\WINDOWS\$NTUNINSTALLKB835732$\CALLCONT.DLL
C:\WINDOWS\$NTUNINSTALLKB835732$\RTCDLL.DLL
--------------------------------------------------------------------------------
Options
Scanning engines:
F-Secure AVP: 7.0.171, 2007-12-12
F-Secure Blacklight: 1.0.64
F-Secure Draco: 1.0.35, 0597-150-72
F-Secure Libra: 2.4.2, 2007-12-10
F-Secure Orion: 1.2.37, 2007-12-12
F-Secure Pegasus: 1.19.0, 2007-11-10
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB BAT LNK ANI AVB CEO CMD LSP MAP MHT MIF PDF PHP POT WMF NWS TAR TGZ WSF ZL? {* ZIP JAR ARJ LZH TAR TGZ GZ CAB RAR BZ2 HQX
Use Advanced heuristics
--------------------------------------------------------------------------------
Copyright © 1998-2006 Product support |Send virus sample to F-Secure
F-Secure assumes no responsibility for material created or published by third parties that F-Secure World Wide Web pages have a link to. Unless you have clearly stated otherwise, by submitting material to any of our servers, for example by E-mail or via our F-Secure's CGI E-mail, you agree that the material you make available may be published in the F-Secure World Wide Pages or hard-copy publications. You will reach F-Secure public web site by clicking on underlined links. While doing this, your access will be logged to our private access statistics with your domain name.This information will not be given to any third party. You agree not to take action against us in relation to material that you submit. Unless you have clearly stated otherwise, by submitting material you warrant that F-Secure may incorporate any concepts described in it in the F-Secure products/publications without liability.
little eagle
2007-12-12, 13:39
Double click combofix.exe & follow the prompts.
Post that log in your next reply.
ComboFix 07-12-09.1 - enduser 2007-12-12 17:17:43.3 - NTFSx86
Running from: C:\Documents and Settings\enduser\Bureau\ComboFix.exe
.
((((((((((((((((((((((((((((( Fichiers créés 2007-11-12 to 2007-12-12 ))))))))))))))))))))))))))))))))))))
.
2007-12-30 09:26 . 2007-12-30 09:26 <REP> d-------- C:\WINDOWS\SWImport Xtra Cache
2007-12-30 09:26 . 2007-12-30 09:26 24 --a------ C:\WINDOWS\SWImport Xtra.PRF
2007-12-29 18:16 . 2007-11-28 15:16 <REP> d-------- C:\Documents and Settings\enduser\Contacts
2007-12-29 18:14 . 2007-12-29 18:14 <REP> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-12-11 16:44 . 2007-12-11 16:44 <REP> d-------- C:\Documents and Settings\enduser\Application Data\Grisoft
2007-12-11 16:44 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-12-11 07:59 . 2007-12-11 09:39 <REP> d-------- C:\WINDOWS\system32\ActiveScan
2007-12-11 07:59 . 2007-12-11 07:59 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-12-11 07:59 . 2007-12-11 07:59 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-12-11 07:59 . 2007-12-11 07:59 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-12-09 16:24 . 2007-12-09 16:24 <REP> d-------- C:\RegSeeker
2007-12-09 16:21 . 2007-12-09 16:12 450,114 --a------ C:\RegSeeker.zip
2007-12-05 17:52 . 2007-12-05 17:52 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-05 17:48 . 2007-12-05 17:48 <REP> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-04 23:58 . 2007-12-04 23:27 812,344 --a------ C:\Program Files\HJTInstall.exe
2007-12-04 23:51 . 2007-12-04 23:51 <REP> d-------- C:\Program Files\Trend Micro
2007-12-04 09:51 . 2007-12-04 09:51 <REP> d-------- C:\Documents and Settings\Administrateur.ENDUSER-XTHRM7S\Application Data\AVG7
2007-12-03 22:41 . 2007-12-03 22:41 29 --a------ C:\WINDOWS\system32\prrwrpps.tmp
2007-12-03 19:12 . 2007-12-11 16:44 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-03 08:48 . 2007-12-03 17:36 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-02 15:42 . 2007-12-02 15:44 841 --a------ C:\WINDOWS\system32\5619.lps
2007-11-30 22:57 . 2007-12-03 22:21 291,328 --a------ C:\WINDOWS\system32\libcurl.dll
2007-11-17 12:27 . 2007-11-17 12:27 244 --ah----- C:\sqmnoopt05.sqm
2007-11-17 12:27 . 2007-11-17 12:27 232 --ah----- C:\sqmdata06.sqm
2007-11-17 12:27 . 2007-11-17 12:27 232 --ah----- C:\sqmdata05.sqm
2007-11-16 09:34 . 2007-11-16 09:34 244 --ah----- C:\sqmnoopt04.sqm
2007-11-16 09:34 . 2007-11-16 09:34 244 --ah----- C:\sqmnoopt03.sqm
2007-11-16 09:34 . 2007-11-16 09:34 244 --ah----- C:\sqmnoopt02.sqm
2007-11-16 09:34 . 2007-11-16 09:34 232 --ah----- C:\sqmdata04.sqm
2007-11-16 09:34 . 2007-11-16 09:34 232 --ah----- C:\sqmdata03.sqm
2007-11-16 09:34 . 2007-11-16 09:34 232 --ah----- C:\sqmdata02.sqm
.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-30 23:22 --------- d-----w C:\Program Files\Simulateur de conduite 3D Demo
2007-12-29 23:15 --------- d-----w C:\Program Files\MSN Messenger
2007-12-11 14:14 --------- d-----w C:\Program Files\QuickTime
2007-12-11 14:02 --------- d-----w C:\Program Files\Fichiers communs\Scanner
2007-12-11 13:57 --------- d-----w C:\Program Files\Apoint2K
2007-12-11 04:12 --------- d-----w C:\Documents and Settings\enduser\Application Data\AVG7
2007-12-04 18:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2007-11-26 15:52 --------- d-----w C:\Program Files\MP3Rocket
2007-11-26 15:52 --------- d-----w C:\Program Files\LimeWire
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-29 22:43 1,293,824 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-25 14:28 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-20 00:19 --------- d-----w C:\Program Files\Fichiers communs\Authentium
2007-10-20 00:18 --------- d-----w C:\Program Files\Raxco
2007-10-20 00:18 --------- d-----w C:\Program Files\CA
2007-10-20 00:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Raxco
2007-10-20 00:17 --------- d-----w C:\Program Files\Bell
2007-10-20 00:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Bell
2007-10-20 00:16 --------- d-----w C:\Documents and Settings\enduser\Application Data\Bell
2007-10-20 00:14 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-20 00:14 --------- d-----w C:\Documents and Settings\enduser\Application Data\InstallShield
2007-10-20 00:13 36,139,752 ----a-w C:\Program Files\Sympatico_GS60_setup.exe
2007-10-13 14:50 --------- d-----w C:\Program Files\Norton Security Scan
2007-10-13 14:50 --------- d-----w C:\Program Files\Fichiers communs\Symantec Shared
2007-10-12 22:45 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2007-09-20 17:40 785 ----a-w C:\Program Files\INSTALL.LOG
2007-09-17 15:34 12,373,255 ------w C:\AVG7QT.DAT
2007-03-18 13:18 179,200 ----a-w C:\Documents and Settings\enduser\Application Data\internaldb4827.dat
2007-03-18 13:18 151 ----a-w C:\Documents and Settings\enduser\Application Data\internaldb1860.dat
2007-03-18 13:18 13,046 ----a-w C:\Documents and Settings\enduser\Application Data\internaldb5436.dat
2007-03-18 13:18 0 ----a-w C:\Documents and Settings\enduser\Application Data\internaldb4604.dat
2006-11-25 22:21 0 ----a-w C:\Documents and Settings\enduser\Application Data\internaldb8253.dat
2006-11-25 22:21 0 ----a-w C:\Documents and Settings\enduser\Application Data\internaldb3902.dat
2006-11-25 22:21 0 ----a-w C:\Documents and Settings\enduser\Application Data\internaldb2391.dat
2006-11-25 22:21 0 ----a-w C:\Documents and Settings\enduser\Application Data\internaldb153.dat
2006-11-04 13:51 6,144 ----a-w C:\Documents and Settings\enduser\Application Data\internaldb2936.dat
2006-10-28 15:30 6,144 ----a-w C:\Documents and Settings\enduser\Application Data\internaldb630.dat
2006-10-22 12:47 6,144 ----a-w C:\Documents and Settings\enduser\Application Data\internaldb2488.dat
2006-10-21 14:22 49 ----a-w C:\Documents and Settings\enduser\Application Data\internaldb41.dat
2006-10-14 12:30 9,216 ----a-w C:\Documents and Settings\enduser\Application Data\internaldb8467.dat
2006-10-14 12:30 0 ----a-w C:\Documents and Settings\enduser\Application Data\internaldb6334.dat
2006-05-23 21:33 32 ----a-r C:\Documents and Settings\All Users\hash.dat
2006-03-26 19:08 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2006-03-15 20:57 83,233 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2006_03_15_15_56_22_small.dmp.zip
2006-03-04 16:39 4,096 ----a-w C:\Documents and Settings\enduser\log.dat
2006-02-21 12:53 104,859 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2006_02_20_13_14_23_small.dmp.zip
2006-02-10 21:22 129,086 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2006_02_09_16_36_13_small.dmp.zip
2006-01-27 00:48 107,015 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2006_01_26_18_06_36_small.dmp.zip
2006-01-23 23:58 116,839 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2006_01_23_18_47_28_small.dmp.zip
2005-11-30 01:15 9,346,664 ----a-w C:\Program Files\zlsSetup_60_667_000.exe
2005-11-17 12:27 9,352,392 ----a-w C:\Program Files\Install_MSN_Messenger.exe
2003-01-31 17:08 65,536 ------w C:\WINDOWS\inf\setup\bcr.exe
2003-01-31 17:08 50,934 ------w C:\WINDOWS\inf\ssdsl3x\drivers\vvpciusb.sys
2003-01-31 17:08 50,911 ------w C:\WINDOWS\inf\ssdsl3x\drivers\vvbususb.sys
2003-01-31 17:08 49,296 ------w C:\WINDOWS\inf\setup\efnt16.dll
2003-01-31 17:08 49,152 ------w C:\WINDOWS\inf\enclss32.dll
2003-01-31 17:08 32,768 ------w C:\WINDOWS\inf\setup\efnt32.dll
2003-01-31 17:08 3,690,496 ------w C:\WINDOWS\inf\setup.exe
2003-01-31 17:08 28,005 ------w C:\WINDOWS\inf\ssdsl3x\drivers\enethusb.sys
2003-01-31 17:08 241,664 ------w C:\WINDOWS\inf\setup\bohica.dll
2003-01-31 17:08 23,560 ------w C:\WINDOWS\inf\enclss16.dll
2003-01-31 17:08 163,840 ------w C:\WINDOWS\inf\setup\enisnmp.dll
2003-01-31 17:08 163,840 ------w C:\WINDOWS\inf\setup\efntsw.dll
2003-01-31 17:08 159,744 ------w C:\WINDOWS\inf\setup\l2xpdrv.dll
2003-01-31 17:08 159,744 ------w C:\WINDOWS\inf\setup\csshim.dll
2003-01-31 17:08 155,648 ------w C:\WINDOWS\inf\setup\prox.dll
2003-01-31 17:08 155,648 ------w C:\WINDOWS\inf\setup\efntos2k.dll
2003-01-31 17:08 155,648 ------w C:\WINDOWS\inf\setup\ClearMB.exe
2003-01-31 17:08 15,332 ------w C:\WINDOWS\inf\ssdsl3x\drivers\vvbeth.sys
2003-01-31 17:08 15,309 ------w C:\WINDOWS\inf\ssdsl3x\drivers\vvbetht.sys
2003-01-31 17:08 147,456 ------w C:\WINDOWS\inf\setup\efntos9x.dll
2003-01-31 17:08 139,264 ------w C:\WINDOWS\inf\setup\enicommon.dll
2003-01-31 17:08 135,168 ------w C:\WINDOWS\inf\setup\EnCmnSvr.exe
2003-01-31 17:08 122,880 ------w C:\WINDOWS\inf\setup\efntos.dll
2003-01-31 17:08 122,880 ------w C:\WINDOWS\inf\setup\efntnio.dll
2003-01-31 17:08 118,784 ------w C:\WINDOWS\inf\setup\defdel.exe
2002-06-04 10:06 65,536 ------w C:\WINDOWS\inf\copyinf.exe
.
((((((((((((((((((((((((((((( snapshot@2007-12-10_20.29.13.42 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-10-29 22:36:31 1,293,824 ----a-w C:\WINDOWS\$hf_mig$\KB941568\SP2QFE\quartz.dll
+ 2007-03-06 01:34:33 15,072 ----a-w C:\WINDOWS\$hf_mig$\KB941568\spmsg.dll
+ 2007-03-06 01:34:38 216,800 ----a-w C:\WINDOWS\$hf_mig$\KB941568\spuninst.exe
+ 2007-03-06 01:34:31 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB941568\update\spcustom.dll
+ 2007-03-06 01:34:56 727,776 ----a-w C:\WINDOWS\$hf_mig$\KB941568\update\update.exe
+ 2007-03-06 01:35:48 394,976 ----a-w C:\WINDOWS\$hf_mig$\KB941568\update\updspapi.dll
+ 2007-10-10 23:22:14 124,928 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\advpack.dll
+ 2007-10-10 23:22:14 214,528 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\dxtrans.dll
+ 2007-10-10 23:22:14 132,608 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\extmgr.dll
+ 2007-10-10 23:22:14 63,488 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\icardie.dll
+ 2007-10-10 08:16:47 70,656 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\ie4uinit.exe
+ 2007-10-10 23:22:14 153,088 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\ieakeng.dll
+ 2007-10-10 23:22:14 230,400 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\ieaksie.dll
+ 2007-10-10 05:47:20 161,792 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\ieakui.dll
+ 2007-04-17 09:32:38 2,455,488 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\ieapfltr.dat
+ 2007-10-10 23:22:14 383,488 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\ieapfltr.dll
+ 2007-10-10 23:22:15 388,096 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\iedkcs32.dll
+ 2007-10-10 23:22:16 6,067,200 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\ieframe.dll
+ 2007-10-10 23:22:16 44,544 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\iernonce.dll
+ 2007-10-10 23:22:16 267,776 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\iertutil.dll
+ 2007-10-10 08:16:47 13,824 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\ieudinit.exe
+ 2007-10-10 08:16:56 625,664 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\iexplore.exe
+ 2007-10-10 23:22:16 27,648 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\jsproxy.dll
+ 2007-10-10 23:22:16 459,264 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\msfeeds.dll
+ 2007-10-10 23:22:16 52,224 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\msfeedsbs.dll
+ 2007-10-30 23:40:57 3,593,216 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\mshtml.dll
+ 2007-10-10 23:22:18 478,208 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\mshtmled.dll
+ 2007-10-10 23:22:18 193,024 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\msrating.dll
+ 2007-10-10 23:22:18 671,232 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\mstime.dll
+ 2007-10-10 23:22:18 102,912 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\occache.dll
+ 2007-10-10 23:22:18 105,984 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\url.dll
+ 2007-10-10 23:22:19 1,162,240 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\urlmon.dll
+ 2007-10-10 23:22:19 233,472 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\webcheck.dll
+ 2007-10-10 23:22:19 825,344 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\wininet.dll
+ 2007-03-06 01:34:33 15,072 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\spmsg.dll
+ 2007-03-06 01:34:38 216,800 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\spuninst.exe
+ 2007-03-06 01:34:31 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\update\spcustom.dll
+ 2007-03-06 01:34:56 727,776 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\update\update.exe
+ 2007-03-06 01:35:48 394,976 ----a-w C:\WINDOWS\$hf_mig$\KB942615-IE7\update\updspapi.dll
+ 2007-11-13 11:02:46 60,416 ----a-w C:\WINDOWS\$hf_mig$\KB942763\SP2QFE\tzchange.exe
+ 2007-03-06 01:34:33 15,072 ----a-w C:\WINDOWS\$hf_mig$\KB942763\spmsg.dll
+ 2007-03-06 01:34:38 216,800 ----a-w C:\WINDOWS\$hf_mig$\KB942763\spuninst.exe
+ 2007-03-06 01:34:31 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB942763\update\spcustom.dll
+ 2007-03-06 01:34:56 727,776 ----a-w C:\WINDOWS\$hf_mig$\KB942763\update\update.exe
+ 2007-03-06 01:35:48 394,976 ----a-w C:\WINDOWS\$hf_mig$\KB942763\update\updspapi.dll
+ 2007-11-13 08:47:45 20,480 ----a-w C:\WINDOWS\$hf_mig$\KB944653\SP2QFE\secdrv.sys
+ 2007-03-06 01:34:33 15,072 ----a-w C:\WINDOWS\$hf_mig$\KB944653\spmsg.dll
+ 2007-03-06 01:34:38 216,800 ----a-w C:\WINDOWS\$hf_mig$\KB944653\spuninst.exe
+ 2007-03-06 01:34:31 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB944653\update\spcustom.dll
+ 2007-03-06 01:34:56 727,776 ----a-w C:\WINDOWS\$hf_mig$\KB944653\update\update.exe
+ 2007-03-06 01:35:48 394,976 ----a-w C:\WINDOWS\$hf_mig$\KB944653\update\updspapi.dll
+ 2006-08-24 13:28:54 141,424 ----a-w C:\WINDOWS\Downloaded Program Files\asinst.dll
+ 2007-05-07 21:38:46 500,120 ----a-w C:\WINDOWS\Downloaded Program Files\daas_s.dll
+ 2007-05-07 21:39:00 192,920 ----a-w C:\WINDOWS\Downloaded Program Files\fsauc.dll
+ 2007-05-07 21:39:24 254,360 ----a-w C:\WINDOWS\Downloaded Program Files\fscax.dll
+ 2007-08-20 09:59:29 124,928 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\advpack.dll
+ 2007-08-20 09:59:29 214,528 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\dxtrans.dll
+ 2007-08-20 09:59:29 132,608 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\extmgr.dll
+ 2007-08-20 09:59:29 63,488 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\icardie.dll
+ 2007-08-17 10:22:11 63,488 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\ie4uinit.exe
+ 2007-08-20 09:59:29 153,088 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\ieakeng.dll
+ 2007-08-20 09:59:29 230,400 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\ieaksie.dll
+ 2007-08-17 07:34:25 161,792 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\ieakui.dll
+ 2007-08-20 09:59:29 383,488 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\ieapfltr.dll
+ 2007-08-20 09:59:29 384,512 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\iedkcs32.dll
+ 2007-08-20 09:59:29 6,058,496 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\ieframe.dll
+ 2007-08-20 09:59:29 44,544 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\iernonce.dll
+ 2007-08-20 09:59:30 267,776 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\iertutil.dll
+ 2007-08-17 10:22:11 13,824 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\ieudinit.exe
+ 2007-08-17 10:22:32 625,152 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\iexplore.exe
+ 2007-08-20 09:59:30 27,648 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\jsproxy.dll
+ 2007-08-20 09:59:30 459,264 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\msfeeds.dll
+ 2007-08-20 09:59:30 52,224 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\msfeedsbs.dll
+ 2007-08-20 09:59:30 3,584,512 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\mshtml.dll
+ 2007-08-20 09:59:30 477,696 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\mshtmled.dll
+ 2007-08-20 09:59:30 193,024 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\msrating.dll
+ 2007-08-20 09:59:30 671,232 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\mstime.dll
+ 2007-08-20 09:59:31 102,400 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\occache.dll
+ 2007-03-06 01:34:38 216,800 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:35:48 394,976 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\updspapi.dll
+ 2007-08-20 09:59:31 105,984 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\url.dll
+ 2007-08-20 09:59:31 1,152,000 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\urlmon.dll
+ 2007-08-20 09:59:31 232,960 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\webcheck.dll
+ 2007-08-20 09:59:31 824,832 -c----w C:\WINDOWS\ie7updates\KB942615-IE7\wininet.dll
+ 2007-03-29 14:20:50 110,592 ----a-w C:\WINDOWS\system32\ActiveScan\as.dll
+ 2006-10-05 21:15:26 233,472 ----a-w C:\WINDOWS\system32\ActiveScan\ascontrol.dll
+ 2005-06-03 19:03:18 96,256 ----a-w C:\WINDOWS\system32\ActiveScan\asmdat.dll
+ 2003-08-01 16:00:16 36,864 ----a-w C:\WINDOWS\system32\ActiveScan\certdll.dll
+ 2005-05-20 18:42:44 86,016 ----a-w C:\WINDOWS\system32\ActiveScan\instlsp.dll
+ 2006-02-16 23:20:20 4,608 ----a-w C:\WINDOWS\system32\ActiveScan\memvfile.dll
+ 2005-10-25 23:08:32 348,160 ----a-w C:\WINDOWS\system32\ActiveScan\msvcr71.dll
+ 2004-05-04 20:01:02 139,264 ----a-w C:\WINDOWS\system32\ActiveScan\pavaleas.dll
+ 2006-07-14 18:04:10 45,056 ----a-w C:\WINDOWS\system32\ActiveScan\pavdr.exe
+ 2006-04-10 15:50:02 159,832 ----a-w C:\WINDOWS\system32\ActiveScan\pavexcom.dll
+ 2006-02-14 18:05:38 94,208 ----a-w C:\WINDOWS\system32\ActiveScan\pavinas.dll
+ 2006-02-16 23:35:38 180,224 ----a-w C:\WINDOWS\system32\ActiveScan\pavoe.dll
+ 2006-10-05 21:15:38 122,880 ----a-w C:\WINDOWS\system32\ActiveScan\pavpz.dll
+ 2006-06-30 19:13:38 8,704 ----a-w C:\WINDOWS\system32\ActiveScan\pfdnnt.exe
+ 2004-02-04 19:08:42 49,152 ----a-w C:\WINDOWS\system32\ActiveScan\port32.dll
+ 2006-08-01 18:23:10 69,632 ----a-w C:\WINDOWS\system32\ActiveScan\pscpu.dll
+ 2006-08-23 18:06:08 1,388,544 ----a-w C:\WINDOWS\system32\ActiveScan\pskahk.dll
+ 2006-08-17 16:38:14 10,752 ----a-w C:\WINDOWS\system32\ActiveScan\pskalloc.dll
+ 2006-09-04 16:49:54 61,440 ----a-w C:\WINDOWS\system32\ActiveScan\pskas.dll
+ 2006-08-18 13:46:18 779,264 ----a-w C:\WINDOWS\system32\ActiveScan\pskavs.dll
+ 2007-03-26 19:25:34 417,792 ----a-w C:\WINDOWS\system32\ActiveScan\pskcmp.dll
+ 2006-08-09 15:42:24 90,112 ----a-w C:\WINDOWS\system32\ActiveScan\pskfss.dll
+ 2006-07-19 15:55:58 208,896 ----a-w C:\WINDOWS\system32\ActiveScan\pskhtml.dll
+ 2006-01-20 21:57:00 9,728 ----a-w C:\WINDOWS\system32\ActiveScan\pskmas.dll
+ 2006-05-17 14:50:12 14,336 ----a-w C:\WINDOWS\system32\ActiveScan\pskmdfs.dll
+ 2006-08-16 15:58:12 33,280 ----a-w C:\WINDOWS\system32\ActiveScan\pskpack.dll
+ 2006-06-30 19:42:36 266,240 ----a-w C:\WINDOWS\system32\ActiveScan\pskscs.dll
+ 2006-08-17 19:33:14 62,976 ----a-w C:\WINDOWS\system32\ActiveScan\pskutil.dll
+ 2006-08-08 18:13:10 13,312 ----a-w C:\WINDOWS\system32\ActiveScan\pskvfile.dll
+ 2006-08-18 13:53:08 69,632 ----a-w C:\WINDOWS\system32\ActiveScan\pskvfs.dll
+ 2006-08-18 13:49:50 167,936 ----a-w C:\WINDOWS\system32\ActiveScan\pskvm.dll
+ 2007-04-18 22:16:04 353,840 ----a-w C:\WINDOWS\system32\ActiveScan\psscan.dll
+ 2007-01-22 19:42:48 35,328 ----a-w C:\WINDOWS\system32\ActiveScan\rawvfile.dll
+ 1997-09-18 11:12:32 9,488 ----a-w C:\WINDOWS\system32\ActiveScan\sporder.dll
+ 2006-02-28 22:23:40 69,632 ----a-w C:\WINDOWS\system32\ActiveScan\tcpvfile.dll
- 2007-08-20 09:59:29 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
+ 2007-10-10 23:49:42 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
+ 2006-08-02 17:39:06 73,728 ----a-w C:\WINDOWS\system32\asuninst.exe
- 2007-08-20 09:59:29 124,928 -c----w C:\WINDOWS\system32\dllcache\advpack.dll
+ 2007-10-10 23:49:42 124,928 -c----w C:\WINDOWS\system32\dllcache\advpack.dll
- 2007-08-20 09:59:29 214,528 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
+ 2007-10-10 23:49:42 214,528 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
- 2007-08-20 09:59:29 132,608 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll
+ 2007-10-10 23:49:42 132,608 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll
- 2007-08-20 09:59:29 63,488 -c----w C:\WINDOWS\system32\dllcache\icardie.dll
+ 2007-10-10 23:49:42 63,488 -c----w C:\WINDOWS\system32\dllcache\icardie.dll
- 2007-08-17 10:22:11 63,488 -c----w C:\WINDOWS\system32\dllcache\ie4uinit.exe
+ 2007-10-10 11:00:41 70,656 -c----w C:\WINDOWS\system32\dllcache\ie4uinit.exe
- 2007-08-20 09:59:29 153,088 -c----w C:\WINDOWS\system32\dllcache\ieakeng.dll
+ 2007-10-10 23:49:42 153,088 -c----w C:\WINDOWS\system32\dllcache\ieakeng.dll
- 2007-08-20 09:59:29 230,400 -c----w C:\WINDOWS\system32\dllcache\ieaksie.dll
+ 2007-10-10 23:49:42 230,400 -c----w C:\WINDOWS\system32\dllcache\ieaksie.dll
- 2007-08-17 07:34:25 161,792 -c--a-w C:\WINDOWS\system32\dllcache\ieakui.dll
+ 2007-10-10 05:46:55 161,792 -c--a-w C:\WINDOWS\system32\dllcache\ieakui.dll
- 2007-08-20 09:59:29 383,488 -c----w C:\WINDOWS\system32\dllcache\ieapfltr.dll
+ 2007-10-10 23:49:42 383,488 -c----w C:\WINDOWS\system32\dllcache\ieapfltr.dll
- 2007-08-20 09:59:29 384,512 -c----w C:\WINDOWS\system32\dllcache\iedkcs32.dll
+ 2007-10-10 23:49:42 384,512 -c----w C:\WINDOWS\system32\dllcache\iedkcs32.dll
- 2007-08-20 09:59:29 6,058,496 -c----w C:\WINDOWS\system32\dllcache\ieframe.dll
+ 2007-10-10 23:49:43 6,065,664 -c----w C:\WINDOWS\system32\dllcache\ieframe.dll
- 2007-08-20 09:59:29 44,544 -c----w C:\WINDOWS\system32\dllcache\iernonce.dll
+ 2007-10-10 23:49:43 44,544 -c----w C:\WINDOWS\system32\dllcache\iernonce.dll
- 2007-08-20 09:59:30 267,776 -c----w C:\WINDOWS\system32\dllcache\iertutil.dll
+ 2007-10-10 23:49:43 267,776 -c----w C:\WINDOWS\system32\dllcache\iertutil.dll
- 2007-08-17 10:22:11 13,824 -c----w C:\WINDOWS\system32\dllcache\ieudinit.exe
+ 2007-10-10 10:59:40 13,824 -c----w C:\WINDOWS\system32\dllcache\ieudinit.exe
- 2007-08-17 10:22:32 625,152 -c----w C:\WINDOWS\system32\dllcache\iexplore.exe
+ 2007-10-10 11:00:59 625,152 -c----w C:\WINDOWS\system32\dllcache\iexplore.exe
- 2007-08-20 09:59:30 27,648 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
+ 2007-10-10 23:49:44 27,648 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
- 2007-08-20 09:59:30 459,264 -c----w C:\WINDOWS\system32\dllcache\msfeeds.dll
+ 2007-10-10 23:49:44 459,264 -c----w C:\WINDOWS\system32\dllcache\msfeeds.dll
- 2007-08-20 09:59:30 52,224 -c----w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
+ 2007-10-10 23:49:44 52,224 -c----w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
- 2007-08-20 09:59:30 3,584,512 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll
+ 2007-10-30 23:23:48 3,590,656 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll
- 2007-08-20 09:59:30 477,696 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
+ 2007-10-10 23:49:44 478,208 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
- 2007-08-20 09:59:30 193,024 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll
+ 2007-10-10 23:49:44 193,024 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll
- 2007-08-20 09:59:30 671,232 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll
+ 2007-10-10 23:49:45 671,232 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll
- 2007-08-20 09:59:31 102,400 -c----w C:\WINDOWS\system32\dllcache\occache.dll
+ 2007-10-10 23:49:45 102,400 -c----w C:\WINDOWS\system32\dllcache\occache.dll
+ 2007-10-29 22:43:32 1,293,824 -c----w C:\WINDOWS\system32\dllcache\quartz.dll
- 2007-08-20 09:59:31 105,984 -c----w C:\WINDOWS\system32\dllcache\url.dll
+ 2007-10-10 23:49:45 105,984 -c----w C:\WINDOWS\system32\dllcache\url.dll
- 2007-08-20 09:59:31 1,152,000 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll
+ 2007-10-10 23:49:45 1,159,680 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll
- 2007-08-20 09:59:31 232,960 -c----w C:\WINDOWS\system32\dllcache\webcheck.dll
+ 2007-10-10 23:49:45 232,960 -c----w C:\WINDOWS\system32\dllcache\webcheck.dll
- 2007-08-20 09:59:31 824,832 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll
+ 2007-10-10 23:49:45 824,832 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll
- 2006-10-19 02:47:18 222,208 -c--a-w C:\WINDOWS\system32\dllcache\WMASF.dll
+ 2007-10-25 14:28:30 222,720 -c--a-w C:\WINDOWS\system32\dllcache\wmasf.dll
- 2007-08-20 09:59:29 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll
+ 2007-10-10 23:49:42 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll
- 2007-08-20 09:59:29 132,608 ----a-w C:\WINDOWS\system32\extmgr.dll
+ 2007-10-10 23:49:42 132,608 ----a-w C:\WINDOWS\system32\extmgr.dll
- 2007-08-20 09:59:29 63,488 ----a-w C:\WINDOWS\system32\icardie.dll
+ 2007-10-10 23:49:42 63,488 ----a-w C:\WINDOWS\system32\icardie.dll
- 2007-08-17 10:22:11 63,488 ----a-w C:\WINDOWS\system32\ie4uinit.exe
+ 2007-10-10 11:00:41 70,656 ----a-w C:\WINDOWS\system32\ie4uinit.exe
- 2007-08-20 09:59:29 153,088 ----a-w C:\WINDOWS\system32\ieakeng.dll
+ 2007-10-10 23:49:42 153,088 ----a-w C:\WINDOWS\system32\ieakeng.dll
- 2007-08-20 09:59:29 230,400 ----a-w C:\WINDOWS\system32\ieaksie.dll
+ 2007-10-10 23:49:42 230,400 ----a-w C:\WINDOWS\system32\ieaksie.dll
- 2007-08-17 07:34:25 161,792 ----a-w C:\WINDOWS\system32\ieakui.dll
+ 2007-10-10 05:46:55 161,792 ----a-w C:\WINDOWS\system32\ieakui.dll
- 2007-08-20 09:59:29 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
+ 2007-10-10 23:49:42 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll
- 2007-08-20 09:59:29 384,512 ----a-w C:\WINDOWS\system32\iedkcs32.dll
+ 2007-10-10 23:49:42 384,512 ----a-w C:\WINDOWS\system32\iedkcs32.dll
- 2007-08-20 09:59:29 6,058,496 ----a-w C:\WINDOWS\system32\ieframe.dll
+ 2007-10-10 23:49:43 6,065,664 ----a-w C:\WINDOWS\system32\ieframe.dll
- 2007-08-20 09:59:29 44,544 ----a-w C:\WINDOWS\system32\iernonce.dll
+ 2007-10-10 23:49:43 44,544 ----a-w C:\WINDOWS\system32\iernonce.dll
- 2007-08-20 09:59:30 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll
+ 2007-10-10 23:49:43 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll
- 2007-08-17 10:22:11 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe
+ 2007-10-10 10:59:40 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe
- 2007-08-20 09:59:30 27,648 ----a-w C:\WINDOWS\system32\jsproxy.dll
+ 2007-10-10 23:49:44 27,648 ----a-w C:\WINDOWS\system32\jsproxy.dll
- 2007-11-02 07:12:57 18,238,072 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2007-12-02 23:00:05 18,684,536 ----a-w C:\WINDOWS\system32\MRT.exe
- 2007-08-20 09:59:30 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll
+ 2007-10-10 23:49:44 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll
- 2007-08-20 09:59:30 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll
+ 2007-10-10 23:49:44 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll
- 2007-08-20 09:59:30 3,584,512 ----a-w C:\WINDOWS\system32\mshtml.dll
+ 2007-10-30 23:23:48 3,590,656 ----a-w C:\WINDOWS\system32\mshtml.dll
- 2007-08-20 09:59:30 477,696 ----a-w C:\WINDOWS\system32\mshtmled.dll
+ 2007-10-10 23:49:44 478,208 ----a-w C:\WINDOWS\system32\mshtmled.dll
- 2007-08-20 09:59:30 193,024 ----a-w C:\WINDOWS\system32\msrating.dll
+ 2007-10-10 23:49:44 193,024 ----a-w C:\WINDOWS\system32\msrating.dll
- 2007-08-20 09:59:30 671,232 ----a-w C:\WINDOWS\system32\mstime.dll
+ 2007-10-10 23:49:45 671,232 ----a-w C:\WINDOWS\system32\mstime.dll
- 2007-08-20 09:59:31 102,400 ----a-w C:\WINDOWS\system32\occache.dll
+ 2007-10-10 23:49:45 102,400 ----a-w C:\WINDOWS\system32\occache.dll
- 2007-07-18 12:42:22 60,416 ------w C:\WINDOWS\system32\tzchange.exe
+ 2007-11-13 11:31:11 60,416 ------w C:\WINDOWS\system32\tzchange.exe
- 2007-08-20 09:59:31 105,984 ----a-w C:\WINDOWS\system32\url.dll
+ 2007-10-10 23:49:45 105,984 ----a-w C:\WINDOWS\system32\url.dll
- 2007-08-20 09:59:31 1,152,000 ----a-w C:\WINDOWS\system32\urlmon.dll
+ 2007-10-10 23:49:45 1,159,680 ----a-w C:\WINDOWS\system32\urlmon.dll
- 2007-08-20 09:59:31 232,960 ----a-w C:\WINDOWS\system32\webcheck.dll
+ 2007-10-10 23:49:45 232,960 ----a-w C:\WINDOWS\system32\webcheck.dll
- 2007-08-20 09:59:31 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
+ 2007-10-10 23:49:45 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
+ 2003-03-25 23:53:50 11,776 ----a-w C:\WINDOWS\system32\ZPORT4AS.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 18:09]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"IndexCleaner"="C:\Program Files\Bell\Gestionnaire de securite\IdxClnR.exe" [2007-08-27 16:04]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdateManager"="C:\Program Files\Fichiers communs\Sonic\Update Manager\sgtray.exe" [2003-08-18 18:01]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2005-06-20 07:21]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-06-20 07:17]
"nwiz"="nwiz.exe" [2003-12-19 03:17 C:\WINDOWS\system32\nwiz.exe]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-19 18:10 C:\WINDOWS\system32\rundll32.exe]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2004-01-27 09:52]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-01-13 02:21]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2003-10-17 07:51]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-03-25 14:00]
"ATIModeChange"="Ati2mdxx.exe" [2004-04-02 03:16 C:\WINDOWS\system32\Ati2mdxx.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-07 23:40]
"AGRSMMSG"="AGRSMMSG.exe" [2003-10-30 08:40 C:\WINDOWS\AGRSMMSG.exe]
"SSA.exe"="C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe" [2007-03-27 09:33]
"Gestionnaire de sécurité Sympatico"="C:\Program Files\Bell\Gestionnaire de securite\RPS.exe" [2007-08-27 16:05]
"-FreedomNeedsReboot"="C:\Program Files\Bell\Gestionnaire de securite\ZkRunOnceR.exe" [2007-08-27 16:05]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-12-03 22:37]
"dumprep"="C:\WINDOWS\system32\spoolc.exe" []
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"IndexCleaner"="C:\Program Files\Bell\Gestionnaire de securite\IdxClnR.exe" [2007-08-27 16:04]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-19 18:09]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-12-03 22:37]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FAT Defragmentation]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^Lancement rapide d'Adobe Reader.lnk]
path=C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage\Lancement rapide d'Adobe Reader.lnk
backup=C:\WINDOWS\pss\Lancement rapide d'Adobe Reader.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\clkhost]
C:\WINDOWS\dcxxygx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotTVPlayer]
C:\WINDOWS\temp\HotTVPlayer.exe -start
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecordNow!]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sonytest]
jswTss.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Symantec Core LC"=2 (0x2)
"usnjsvc"=3 (0x3)
"ITMRTSVC"=2 (0x2)
"iPodService"=3 (0x3)
"PDEngine"=2 (0x2)
"PDAgent"=2 (0x2)
"dvpapi"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"dumprep"=C:\WINDOWS\system32\spoolc.exe
"tubyoquh"=c:\windows\system32\tubyoquh.exe tubyoquh
"vcs4diamond"=C:\Program Files\AV Vcs 4.0 DIAMOND\Vcs4Core.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"msmsgr"=msmsgss.exe
"Service"=real.exe
"Sonytest"=jswTss.exe
S3 cpqeth;Pilote de carte réseau Ethernet Compaq PCMCIA;C:\WINDOWS\system32\DRIVERS\cpqndis5.sys
S3 Radialpoint Security Services;Gestionnaire de sécurité Sympatico;C:\WINDOWS\system32\dllhost.exe /Processid:{80098F68-1220-4F43-80A8-15C7395B8874}
S3 usbscan;Pilote de scanneur USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys
S3 USBSTOR;Pilote de stockage de masse USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\DOCUME~1\enduser\LOCALS~1\Temp\tdpkylft.dll
.
**************************************************************************
catchme 0.3.1331 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-12 17:26:46
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????6?1?5?8??????? ?(?B???????????????B? ??????
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-12-12 17:29:12
C:\ComboFix2.txt ... 2007-12-10 21:51
C:\ComboFix3.txt ... 2007-12-10 20:30
.
--- E O F ---
little eagle
2007-12-13, 05:42
Download The Avenger (http://swandog46.geekstogo.com/avenger.zip) Copyright © Swandog46
You must extract avenger.exe to your desktop, before you run it.
The Avenger must be run from a user account with administrator privileges,
and ONLY works on Windows 2000 and XP, and only on 32-bit versions!
Copy all the text contained in the code box below to your Clipboard.
Files to delete:
C:\WINDOWS\system32\spoolc.exe
c:\windows\system32\tubyoquh.exe
C:\WINDOWS\dcxxygx.exe
The above script is for this user only, if you need help please start your own thread.
Start the Avenger.
Under "Script file to execute" choose "Input Script Manually".
Click on the Magnifying Glass icon which will open a new window titled "View/edit script".
Paste the entire text in into this window.
Click done, now click on the Green Light
Answer "Yes" twice when prompted.
Your computer shoud reboot, and briefly open a black command window on your desktop, this is normal.
After the restart, it will create a log file that should open.
This log file will be located at C:\avenger.txt
Paste the contents of the file into your reply along with a fresh HJT log.
Also: Avenger has made backups of all the files, etc., that you asked it to delete, located at C:\avenger\backup.zip.
Avenger:
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\cxvyvrdb
*******************
Script file located at: \??\C:\WINDOWS\akjlgxfe.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
File C:\WINDOWS\system32\spoolc.exe not found!
Deletion of file C:\WINDOWS\system32\spoolc.exe failed!
Could not process line:
C:\WINDOWS\system32\spoolc.exe
Status: 0xc0000034
File c:\windows\system32\tubyoquh.exe not found!
Deletion of file c:\windows\system32\tubyoquh.exe failed!
Could not process line:
c:\windows\system32\tubyoquh.exe
Status: 0xc0000034
File C:\WINDOWS\dcxxygx.exe not found!
Deletion of file C:\WINDOWS\dcxxygx.exe failed!
Could not process line:
C:\WINDOWS\dcxxygx.exe
Status: 0xc0000034
Completed script processing.
*******************
Finished! Terminate.
HijackThis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:10:38, on 2007-12-12
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Bell\Gestionnaire de securite\Fws.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\WIDCOMM\Logiciel Bluetooth\bin\btwdins.exe
C:\Program Files\Fichiers communs\Authentium\AntiVirus\dvpapi.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe
C:\Program Files\Bell\Gestionnaire de securite\RPS.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Bell\Gestionnaire de securite\rpsupdaterR.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://fr.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://fr.search.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Bell\Gestionnaire de securite\pkR.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Fichiers communs\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SSA.exe] "C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe" /AUTORUN
O4 - HKLM\..\Run: [Gestionnaire de sécurité Sympatico] C:\Program Files\Bell\Gestionnaire de securite\RPS.exe
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Bell\Gestionnaire de securite\ZkRunOnceR.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [dumprep] C:\WINDOWS\system32\spoolc.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\RunOnce: [IndexCleaner] "C:\Program Files\Bell\Gestionnaire de securite\IdxClnR.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [IndexCleaner] "C:\Program Files\Bell\Gestionnaire de securite\IdxClnR.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Envoyer à &Bluetooth - C:\Program Files\WIDCOMM\Logiciel Bluetooth\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: Bowling by pogo - http://game1.pogo.com/applet-6.6.3.34/bowling/bowling-en_US.cab
O16 - DPF: Pinochle by pogo - http://game1.pogo.com/applet-6.6.3.34/pinochle/pinochle-en_US.cab
O16 - DPF: Texas Hold'em Poker by pogo - http://game1.pogo.com/applet-6.6.3.34/holdem/holdem-en_US.cab
O16 - DPF: The Sims Pinball by pogo - http://game1.pogo.com/applet-6.6.3.34/simball/simball-en_US.cab
O16 - DPF: TruePass EPF 7,0,100,717 - https://blrscr3.egs-seg.gc.ca/applets/entrusttruepassapplet-epf.cab
O16 - DPF: Word Whomp Whackdown by pogo - http://game1.pogo.com/applet-6.6.3.34/whackdown/whackdown-en_US.cab
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.pogo.com/online2/pogo/chuzzle/popcaploader_v6.cab
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Logiciel Bluetooth\bin\btwdins.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Fichiers communs\Authentium\AntiVirus\dvpapi.exe
O23 - Service: Service de sécurité matérielle (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Service de mise-à-jour pour le Gestionnaire de sécurité Sympatico (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Bell\Gestionnaire de securite\rpsupdaterR.exe
O23 - Service: Gestionnaire de sécurité Sympatico Coupe-feu (RP_FWS) - Bell Sympatico - C:\Program Files\Bell\Gestionnaire de securite\Fws.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
--
End of file - 10331 bytes
little eagle
2007-12-13, 13:12
Well looks good.
Close all programs leaving only HijackThis running. Place a check against each of the following,
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/amp...1.11_en_dl.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.pogo.com/online2/pogo/c...ploader_v6.cab
Click on Fix Checked when finished and exit HijackThis.
Done.
Thank-you very much. :bigthumb:
little eagle
2007-12-13, 20:02
Reset your restore points, please note that you will need to log into your computer with an account
which has full administrator access. You will know if the account has administrator access because
you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Reboot.
3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
I'll keep this thread open for a few days post back if you need anything.
Done - all went well. I appreciate your help and thank-you very much.
Sailor
little eagle
2007-12-15, 01:30
Your welcome. :)