epfl.ch is my university.
Here is the ComboFix log:
ComboFix 08-04-17.1 - Mike Town 2008-04-18 12:14:47.1 - NTFSx86
Microsoft® Windows Vista™ Édition Familiale Premium 6.0.6000.0.1252.1.1036.18.1002 [GMT 2:00]
Endroit: C:\Users\Mike Town\Desktop\ComboFix.exe
* Création d'un nouveau point de restauration
.
(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Windows\system32\KBL.LOG
.
((((((((((((((((((((((((((((( Fichiers créés 2008-03-18 to 2008-04-18 ))))))))))))))))))))))))))))))))))))
.
2008-04-18 12:12 . 2008-04-18 12:13 <REP> d-------- C:\327882R2FWJFW
2008-04-17 20:00 . 2008-04-17 20:00 <REP> d-------- C:\Users\Mike Town\AppData\Roaming\dvdcss
2008-04-17 08:24 . 2008-04-17 08:24 <REP> d-------- C:\Program Files\Trend Micro
2008-04-15 10:07 . 2008-04-16 20:03 <REP> d-------- C:\Users\All Users\vkqtuiyd
2008-04-15 10:07 . 2008-04-16 20:03 <REP> d-------- C:\ProgramData\vkqtuiyd
2008-04-15 09:57 . 2008-04-15 09:57 54,156 --ah----- C:\Windows\QTFont.qfn
2008-04-15 09:57 . 2008-04-15 09:57 1,409 --a------ C:\Windows\QTFont.for
2008-04-15 09:56 . 2008-04-15 09:56 <REP> d-------- C:\Program Files\iTunes
2008-04-15 09:56 . 2008-04-15 09:56 <REP> d-------- C:\Program Files\iPod
2008-04-15 09:53 . 2008-04-15 09:53 <REP> d-------- C:\Windows\System32\Kaspersky Lab
2008-04-15 09:51 . 2008-04-15 09:52 <REP> d-------- C:\Program Files\QuickTime
2008-04-15 08:52 . 2008-04-15 05:06 <REP> d-------- C:\SDFix
2008-04-14 20:55 . 2008-04-14 20:55 <REP> d-------- C:\Users\All Users\qaolmqxy
2008-04-14 20:55 . 2008-04-14 20:55 <REP> d-------- C:\ProgramData\qaolmqxy
2008-04-14 14:05 . 2008-04-14 14:05 <REP> d-------- C:\Users\All Users\eaqvzrue
2008-04-14 14:05 . 2008-04-14 14:05 <REP> d-------- C:\ProgramData\eaqvzrue
2008-04-14 12:19 . 2008-04-15 11:22 <REP> d-------- C:\Users\All Users\vsmgcsjz
2008-04-14 12:19 . 2008-04-15 11:22 <REP> d-------- C:\ProgramData\vsmgcsjz
2008-04-13 16:01 . 2008-04-13 16:01 <REP> d-------- C:\Users\All Users\vlohyeqs
2008-04-13 16:01 . 2008-04-13 16:01 <REP> d-------- C:\ProgramData\vlohyeqs
2008-04-13 06:49 . 2008-04-13 07:21 <REP> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-04-13 06:49 . 2008-04-13 07:21 <REP> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-04-13 06:49 . 2008-04-13 06:49 <REP> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-10 18:46 . 2008-04-10 18:48 <REP> d-------- C:\Users\All Users\Lavasoft
2008-04-10 18:46 . 2008-04-10 18:48 <REP> d-------- C:\ProgramData\Lavasoft
2008-04-10 18:46 . 2008-04-10 18:46 <REP> d-------- C:\Program Files\Lavasoft
2008-04-10 17:03 . 2008-04-16 20:03 <REP> d-------- C:\Users\All Users\taxcnodc
2008-04-10 17:03 . 2008-04-11 20:29 <REP> d-------- C:\Users\All Users\cwtxnqsc
2008-04-10 17:03 . 2008-04-16 20:03 <REP> d-------- C:\ProgramData\taxcnodc
2008-04-10 17:03 . 2008-04-11 20:29 <REP> d-------- C:\ProgramData\cwtxnqsc
2008-04-09 15:52 . 2008-02-15 01:19 944,184 --a------ C:\Windows\System32\winload.exe
2008-04-09 15:52 . 2008-02-19 07:10 620,088 --a------ C:\Windows\System32\ci.dll
2008-04-09 15:52 . 2008-02-29 08:39 371,712 --a------ C:\Windows\System32\srcore.dll
2008-04-09 15:52 . 2008-02-29 08:38 313,856 --a------ C:\Windows\System32\rstrui.exe
2008-04-09 15:52 . 2008-02-29 08:39 40,960 --a------ C:\Windows\System32\srclient.dll
2008-04-09 15:52 . 2008-02-29 08:51 19,000 --a------ C:\Windows\System32\kd1394.dll
2008-04-09 15:52 . 2008-02-29 08:38 16,384 --a------ C:\Windows\System32\srdelayed.exe
2008-04-09 15:52 . 2008-02-29 08:34 7,168 --a------ C:\Windows\System32\f3ahvoas.dll
2008-04-09 15:52 . 2008-02-29 08:35 6,656 --a------ C:\Windows\System32\kbd106n.dll
2008-04-09 15:51 . 2008-02-29 06:16 2,027,008 --a------ C:\Windows\System32\win32k.sys
2008-04-09 15:51 . 2008-02-21 06:43 296,448 --a------ C:\Windows\System32\gdi32.dll
2008-04-09 15:51 . 2007-12-16 13:42 83,968 --a------ C:\Windows\System32\dnsrslvr.dll
2008-04-09 15:51 . 2007-12-16 13:41 24,576 --a------ C:\Windows\System32\dnscacheugc.exe
2008-04-01 20:30 . 2008-03-29 19:23 95,608 --a------ C:\Windows\System32\AvastSS.scr
2008-04-01 20:30 . 2008-03-29 19:31 75,856 --a------ C:\Windows\System32\drivers\aswSP.sys
2008-04-01 20:30 . 2008-03-29 19:27 42,912 --a------ C:\Windows\System32\drivers\aswTdi.sys
2008-04-01 20:30 . 2008-03-29 19:29 23,152 --a------ C:\Windows\System32\drivers\aswRdr.sys
2008-04-01 20:30 . 2008-03-29 19:35 20,560 --a------ C:\Windows\System32\drivers\aswFsBlk.sys
2008-04-01 20:29 . 2008-04-01 20:29 <REP> d-------- C:\Program Files\Alwil Software
2008-04-01 20:29 . 2008-03-29 19:45 1,146,232 --a------ C:\Windows\System32\aswBoot.exe
2008-04-01 20:29 . 2004-01-09 10:13 380,928 --a------ C:\Windows\System32\actskin4.ocx
2008-04-01 20:29 . 2008-03-29 19:32 50,768 --a------ C:\Windows\System32\drivers\aswMonFlt.sys
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\Windows\System32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\Windows\System32\QuickTime.qts
.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-18 10:18 --------- d-----w C:\Users\Mike Town\AppData\Roaming\uTorrent
2008-04-18 02:20 --------- d-----w C:\ProgramData\Symantec
2008-04-17 17:58 --------- d-----w C:\Users\Mike Town\AppData\Roaming\LimeWire
2008-04-17 08:20 --------- d-----w C:\Users\Mike Town\AppData\Roaming\teamspeak2
2008-04-10 16:45 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-10 01:12 --------- d-----w C:\Program Files\Windows Mail
2008-04-02 06:52 28,219 ----a-w C:\Users\Mike Town\AppData\Roaming\nvModes.dat
2008-04-02 06:51 --------- d-----w C:\Program Files\World of Warcraft
2008-03-24 23:19 --------- d-----w C:\ProgramData\CyberLink
2008-03-16 12:11 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-13 08:19 --------- d-----w C:\Program Files\uTorrent
2008-03-06 20:32 706 ----a-w C:\Windows\system32\drivers\COH_Mon.inf
2008-03-06 20:32 23,904 ----a-w C:\Windows\system32\drivers\COH_Mon.sys
2008-03-06 20:32 10,537 ----a-w C:\Windows\system32\drivers\coh_mon.cat
2008-03-06 20:27 --------- d-----w C:\Program Files\Teamspeak2_RC2
2008-03-03 15:14 --------- d-----w C:\Users\Mike Town\AppData\Roaming\Apple Computer
2008-03-02 14:33 --------- d-----w C:\Program Files\Windows Live
2008-03-02 14:31 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-02 14:30 --------- d-----w C:\ProgramData\WLInstaller
2008-03-02 00:33 --------- d-----w C:\Users\Mike Town\AppData\Roaming\vlc
2008-03-02 00:33 --------- d-----w C:\Program Files\VideoLAN
2008-03-01 20:53 --------- d-----w C:\Program Files\Orange
2008-03-01 20:53 --------- d-----w C:\Program Files\Common Files\GtFlashSwitch
2008-03-01 11:55 --------- d-----w C:\Users\Mike Town\AppData\Roaming\CyberLink
2008-03-01 11:42 --------- d-----w C:\Users\Mike Town\AppData\Roaming\Nero
2008-03-01 11:42 --------- d-----w C:\ProgramData\LightScribe
2008-02-29 17:43 --------- d-----w C:\ProgramData\Apple Computer
2008-02-29 17:42 --------- d-----w C:\Program Files\Bonjour
2008-02-29 17:40 --------- d-----w C:\Program Files\Apple Software Update
2008-02-29 17:39 --------- d-----w C:\ProgramData\Apple
2008-02-29 17:39 --------- d-----w C:\Program Files\Common Files\Apple
2008-02-29 17:20 --------- d-----w C:\Users\Mike Town\AppData\Roaming\Azureus
2008-02-29 16:00 --------- d-----w C:\Users\Mike Town\AppData\Roaming\HP
2008-02-29 16:00 --------- d-----w C:\ProgramData\HP
2008-02-29 15:16 --------- d-----w C:\ProgramData\Azureus
2008-02-29 13:26 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-29 11:20 --------- d-----w C:\Program Files\LimeWire
2008-02-28 08:53 --------- d-----w C:\Users\Mike Town\AppData\Roaming\DivX
2008-02-28 08:42 --------- d-----w C:\ProgramData\Adobe Systems
2008-02-28 08:37 --------- d-----w C:\Program Files\Common Files\Adobe Systems Shared
2008-02-28 07:34 106 ----a-w C:\Users\Mike Town\AppData\Roaming\wklnhst.dat
2008-02-28 07:34 --------- d-----w C:\Users\Mike Town\AppData\Roaming\Template
2008-02-23 09:55 --------- d-----w C:\Program Files\Java
2008-02-21 04:43 826,368 ----a-w C:\Windows\System32\wininet.dll
2008-02-21 04:43 56,320 ----a-w C:\Windows\System32\iesetup.dll
2008-02-21 04:43 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-02-21 04:43 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2008-02-20 18:39 --------- d-----w C:\Users\Mike Town\AppData\Roaming\Ventrilo
2008-02-20 18:37 --------- d-----w C:\Program Files\Ventrilo
2008-02-20 17:44 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2008-02-20 12:10 --------- d-----w C:\Program Files\DivX
2008-02-20 12:10 --------- d-----w C:\Program Files\Common Files\PX Storage Engine
2008-02-20 10:15 --------- d-----w C:\Program Files\Common Files\Deterministic Networks
2008-02-20 10:14 --------- d-----w C:\Program Files\Cisco Systems
2008-02-20 09:35 --------- d-----w C:\Program Files\CONEXANT
2008-02-20 09:34 --------- d-----w C:\ProgramData\NVIDIA
2008-02-20 05:04 --------- d-----w C:\Program Files\Norton Internet Security
2008-02-19 22:51 805 ----a-w C:\Windows\system32\drivers\SYMEVENT.INF
2008-02-19 22:51 123,952 ----a-w C:\Windows\system32\drivers\SYMEVENT.SYS
2008-02-19 22:51 10,740 ----a-w C:\Windows\system32\drivers\SYMEVENT.CAT
2008-02-19 22:51 --------- d-----w C:\Program Files\Symantec
2008-02-19 22:32 --------- d-----w C:\Program Files\Windows Sidebar
2008-02-19 21:53 194,560 ----a-w C:\Windows\System32\WebClnt.dll
2008-02-19 21:53 110,080 ----a-w C:\Windows\system32\drivers\mrxdav.sys
2008-02-19 21:47 8,147,968 ----a-w C:\Windows\System32\wmploc.DLL
2008-02-19 21:47 7,680 ----a-w C:\Windows\System32\spwmp.dll
2008-02-19 21:47 45,112 ----a-w C:\Windows\system32\drivers\pciidex.sys
2008-02-19 21:47 4,096 ----a-w C:\Windows\System32\dxmasf.dll
2008-02-19 21:47 356,864 ----a-w C:\Windows\System32\MediaMetadataHandler.dll
2008-02-19 21:47 3,504,696 ----a-w C:\Windows\System32\ntkrnlpa.exe
2008-02-19 21:47 3,470,392 ----a-w C:\Windows\System32\ntoskrnl.exe
2008-02-19 21:47 211,000 ----a-w C:\Windows\system32\drivers\volsnap.sys
2008-02-19 21:47 21,560 ----a-w C:\Windows\system32\drivers\atapi.sys
2008-02-19 21:47 154,624 ----a-w C:\Windows\system32\drivers\nwifi.sys
2008-02-19 21:47 15,928 ----a-w C:\Windows\system32\drivers\pciide.sys
2008-02-19 21:47 109,624 ----a-w C:\Windows\system32\drivers\ataport.sys
2008-02-19 21:45 9,728 ----a-w C:\Windows\System32\LAPRXY.DLL
2008-02-19 21:45 223,232 ----a-w C:\Windows\System32\WMASF.DLL
2008-02-19 21:45 2,048 ----a-w C:\Windows\System32\asferror.dll
2008-02-19 21:45 1,327,104 ----a-w C:\Windows\System32\quartz.dll
2008-02-19 21:44 84,480 ----a-w C:\Windows\System32\INETRES.dll
2008-02-19 21:44 737,792 ----a-w C:\Windows\System32\inetcomm.dll
2008-02-19 21:44 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-02-19 21:44 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-02-19 21:44 4,247,552 ----a-w C:\Windows\System32\GameUXLegacyGDFs.dll
2008-02-19 21:44 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
2008-02-19 21:44 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-02-19 21:44 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-02-19 21:44 1,686,528 ----a-w C:\Windows\System32\gameux.dll
2008-02-19 21:43 11,776 ----a-w C:\Windows\System32\sbunattend.exe
2008-02-19 21:42 84,992 ----a-w C:\Windows\system32\drivers\srvnet.sys
2008-02-19 21:42 788,992 ----a-w C:\Windows\System32\rpcrt4.dll
2008-02-19 21:42 58,368 ----a-w C:\Windows\system32\drivers\mrxsmb20.sys
2008-02-19 21:42 130,048 ----a-w C:\Windows\system32\drivers\srv2.sys
2008-02-19 21:42 101,888 ----a-w C:\Windows\system32\drivers\mrxsmb.sys
2008-02-19 21:41 --------- d-----w C:\Program Files\MSXML 4.0
2008-02-19 21:40 2,048 ----a-w C:\Windows\System32\tzres.dll
2008-02-19 21:37 1,244,672 ----a-w C:\Windows\System32\mcmde.dll
2008-02-19 21:15 53,080 ----a-w C:\Windows\System32\wuauclt.exe
2008-02-19 21:15 43,352 ----a-w C:\Windows\System32\wups2.dll
.
((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
2007-08-25 03:51 316784 --a------ c:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2008-02-20 00:50 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= "c:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll" [2007-08-25 03:51 316784]
[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-02-19 23:43 1232896]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"LightScribe Control Panel"="C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-08-23 18:36 455968]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 14:35 125440]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"i8qKN45FXc"="C:\ProgramData\taxcnodc\vsfihqty.exe" [ ]
"vkqtuiyd"="C:\ProgramData\vkqtuiyd\dczmlwhc.exe" [ ]
"MSServer"="C:\Users\MIKETO~1\AppData\Local\Temp\fccdcCRj.dll" [ ]
"cmds"="C:\Users\MIKETO~1\AppData\Local\Temp\ddcBRhhI.dll" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 10:29 102400]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2007-09-30 20:34 181544]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-09-19 15:31 202032]
"OnScreenDisplay"="C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe" [2007-09-04 14:54 554320]
"UCam_Menu"="C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-08-17 00:13 218408]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-11-21 07:33 1006264]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-14 12:01 51048]
"HP Health Check Scheduler"="[ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [ ]
"hpWirelessAssistant"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-09-13 09:47 480560]
"WAWifiMessage"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-08 16:53 311296]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 05:00 132496]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 00:11 49152]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-11-07 09:05 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-11-07 09:05 8534560]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-11-07 09:05 81920]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-29 19:37 79224]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
GlobeTrotter Connect.lnk - C:\Program Files\Orange\GlobeTrotter Connect\GlobeTrotter Connect.exe [2007-07-13 16:07:14 729088]
VPN Client.lnk - C:\Windows\Installer\{CCBAA1F7-E5E1-48B2-9ED9-A79C6A37CE78}\Icon3E5562ED7.ico [2008-02-20 12:17:43 6144]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{4AF0322B-AAD7-402A-B8CB-99A58770B302}"= C:\Program Files\Cyberlink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{934729F5-EC09-4FC2-815F-F7AFA561463F}"= C:\Program Files\HP\QuickPlay\QP.exe:Quick Play
"{7F6B03D3-3A77-4F9E-89AB-88E8A19DC1AC}"= C:\Program Files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"TCP Query User{27D14592-093B-4F92-A8ED-A16C674A195A}C:\\users\\mike town\\desktop\\wow-frfr-installer-downloader.exe"= UDP:C:\users\mike town\desktop\wow-frfr-installer-downloader.exe:wow-frfr-installer-downloader.exe
"UDP Query User{3AAB78BB-290E-4D42-B5A1-3F3916E9043A}C:\\users\\mike town\\desktop\\wow-frfr-installer-downloader.exe"= TCP:C:\users\mike town\desktop\wow-frfr-installer-downloader.exe:wow-frfr-installer-downloader.exe
"{AF3D0C53-786B-4AE1-ADD9-59D72E112C52}"= UDP:3724:Blizzard Downloader
"{65BF55F4-CCDC-4892-88B5-8551CB3C8C90}"= UDP:6112:Blizzard Downloader
"TCP Query User{E157C0D7-0DEE-4E19-BF56-29B2FC42F06A}C:\\program files\\azureus\\azureus.exe"= UDP:C:\program files\azureus\azureus.exe:Azureus
"UDP Query User{E7667D67-7549-44D2-81F9-6ADA72189B7C}C:\\program files\\azureus\\azureus.exe"= TCP:C:\program files\azureus\azureus.exe:Azureus
"{01AD6BE6-95F8-4780-8FEC-97F22439EB6E}"= TCP:46423:Azerues
"TCP Query User{C1464651-8F33-4BC4-A5CD-49E54E24F911}C:\\program files\\limewire\\limewire.exe"= UDP:C:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{24CA4F46-94C7-4EDF-8DCD-05D270871F23}C:\\program files\\limewire\\limewire.exe"= TCP:C:\program files\limewire\limewire.exe:LimeWire
"{903D4C0E-159E-4A82-A16E-120B5C76D97F}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{CA3419C2-3D0C-47EC-A2A7-E486A604895B}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{7FC187B0-350C-409F-8BD0-4C6C00356DBC}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{B508A06D-F522-4A0C-B2B5-3B6C057D423F}C:\\program files\\utorrent\\utorrent.exe"= UDP:C:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{FB207074-181F-4B12-B40B-D108C53337C3}C:\\program files\\utorrent\\utorrent.exe"= TCP:C:\program files\utorrent\utorrent.exe:uTorrent
"{3AB0732F-D645-4EA7-89EF-28478B92A547}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{14F5D33E-3647-494E-8B6E-5CF3B6C1F2BA}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|
R1 aswSP;avast! Self Protection;C:\Windows\system32\drivers\aswSP.sys [2008-03-29 19:31]
R1 IDSvix86;Symantec Intrusion Prevention Driver;C:\PROGRA~2\Symantec\DEFINI~1\SymcData\ipsdefs\20080415.001\IDSvix86.sys [2008-02-13 18:18]
R2 aswFsBlk;aswFsBlk;C:\Windows\system32\DRIVERS\aswFsBlk.sys [2008-03-29 19:35]
R2 aswMonFlt;aswMonFlt;C:\Windows\system32\DRIVERS\aswMonFlt.sys [2008-03-29 19:32]
R2 GtFlashSwitch;GtFlashSwitch;"C:\Program Files\Common Files\GtFlashSwitch\GtFlashSwitch.exe" [2007-02-09 15:48]
R2 LiveUpdate Notice;LiveUpdate Notice;"c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon []
R2 QPCapSvc;QuickPlay Background Capture Service (QBCS);"C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe" [2007-09-30 20:34]
R2 QPSched;QuickPlay Task Scheduler (QTS);"C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe" [2007-09-30 20:34]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-01-28 11:43]
R2 XAudio;XAudio;C:\Windows\system32\DRIVERS\xaudio.sys [2007-08-07 07:26]
R3 athr;Atheros Extensible Wireless LAN device driver;C:\Windows\system32\DRIVERS\athr.sys [2007-05-30 16:40]
R3 COH_Mon;COH_Mon;C:\Windows\system32\Drivers\COH_Mon.sys [2008-03-06 22:32]
R3 HpqRemHid;HP Remote Control HID Device;C:\Windows\system32\DRIVERS\HpqRemHid.sys [2007-07-11 11:30]
R3 nvsmu;nvsmu;C:\Windows\system32\DRIVERS\nvsmu.sys [2007-02-16 23:50]
R3 SYMNDISV;SYMNDISV;C:\Windows\system32\Drivers\SYMNDISV.SYS [2007-08-13 20:50]
S3 BCM43XV;Broadcom Extensible 802.11 Network Adapter Driver;C:\Windows\system32\DRIVERS\bcmwl6.sys [2006-11-02 09:30]
S3 GTMNDISIRPXP;GT M 3G+ IRP NDIS;C:\Windows\system32\DRIVERS\Gtm51Irp.sys [2007-04-14 06:05]
S3 GTPTSER;GT PT SER;C:\Windows\system32\DRIVERS\gtptser.sys [2007-04-14 06:05]
S3 GTUQBUS;GT UQ BUS;C:\Windows\system32\DRIVERS\gtuqbus.sys [2007-04-14 06:06]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\shell\AutoRun\command - wd_windows_tools\setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3afce11c-e7d1-11dc-a7e1-ab2386be6749}]
\shell\AutoRun\command - F:\.\setup.exe AUTORUN=1
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4cdcbf04-df71-11dc-899a-001e68052d06}]
\shell\AutoRun\command - wd_windows_tools\setup.exe
*Newly Created Service* - CATCHME
*Newly Created Service* - COMHOST
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
Contenu du dossier 'Scheduled Tasks/Tâches planifiées'
"2008-04-07 18:55:29 C:\Windows\Tasks\Norton Internet Security - Effectuer une analyse complète du système - Mike Town.job"
- c:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeB/TASK:
"2008-04-17 10:20:34 C:\Windows\Tasks\User_Feed_Synchronization-{DF0924FD-7C7F-4E27-875E-F9FA2153C953}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-04-18 12:19:33
Windows 6.0.6000 NTFS
Balayage processus cachés ...
Balayage caché autostart entries ...
Balayage des fichiers cachés ...
C:\Users\Mike Town\AppData\Local\Microsoft\Messenger\riessmickael@hotmail.com\SharingMetadata\Working\database_7FCF_504D_71D7_B368\$db_clean$ 0 bytes
Scan terminé avec succès
Les fichiers cachés: 5
**************************************************************************
.
Temps d'accomplissement: 2008-04-18 12:20:50
ComboFix-quarantined-files.txt 2008-04-18 10:20:40
Pre-Run: 40,608,026,624 octets libres
Post-Run: 40,760,610,816 octets libres
.
2008-04-16 08:41:32 --- E O F ---
And here is the fresh HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:40:15, on 18.04.2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Orange\GlobeTrotter Connect\GlobeTrotter Connect.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=fr_ch&c=81&bd=Pavilion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=fr_ch&c=81&bd=Pavilion&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Aide pour le lien d'Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Programme d'aide de l'Assistant de connexion Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [OnScreenDisplay] C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\YouCam" update "Software\CyberLink\YouCam\1.0"
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [i8qKN45FXc] C:\ProgramData\taxcnodc\vsfihqty.exe
O4 - HKCU\..\Run: [vkqtuiyd] C:\ProgramData\vkqtuiyd\dczmlwhc.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: GlobeTrotter Connect.lnk = C:\Program Files\Orange\GlobeTrotter Connect\GlobeTrotter Connect.exe
O4 - Global Startup: VPN Client.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Planificateur LiveUpdate automatique (Automatic LiveUpdate Scheduler) - Symantec Corporation - c:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Service Bonjour (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: GtFlashSwitch - OptionNV - C:\Program Files\Common Files\GtFlashSwitch\GtFlashSwitch.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Service de l'iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - c:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: QuickPlay Background Capture Service (QBCS) (QPCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
O23 - Service: QuickPlay Task Scheduler (QTS) (QPSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 10357 bytes