Yes I'm Virtumonde victim too...



Altaic
2008-06-27, 02:50
Hi, I've been infected by Virtumonde for 2 days and I'm fed up, so if someone can help me with that, it would be great!

Here are the logs (I hope I did it the right way...):

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:31:04, on 27/06/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16386)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\conime.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Creative\SBAudigy\Volume Panel\VolPanlu.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Windows\Explorer.exe
C:\Windows\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\DllHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemon-search.com/startpage

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {018B27FF-E05F-4CB5-8763-540CB3FD457A} - C:\Windows\system32\mlJCRKcy.dll
O2 - BHO: (no name) - {01abaca7-523a-4d73-9678-b15290f2349f} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Programme d'aide de l'Assistant de connexion Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: {09484a1f-bb0a-10f8-0a54-93a9b137301a} - {a103731b-9a39-45a0-8f01-a0bbf1a48490} - C:\Windows\system32\llfkbkva.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\Windows\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\SBAudigy\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [P17RunE] RunDll32 P17RunE.dll,RunDLLEntry
O4 - HKLM\..\Run: [UpdReg] C:\Windows\UpdReg.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BMb33a57f5] Rundll32.exe "C:\Windows\system32\qirqqakg.dll",s
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\mlJCRKcy.dll,#1
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe"
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVICE RÉSEAU')
O4 - Startup: OneNote 2007 - Capture d'écran et lancement.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: &Télécharger avec NetTransport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Tout t&élécharger avec NetTransport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O9 - Extra button: Envoyer à OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: &Envoyer à OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = alta.home
O17 - HKLM\Software\..\Telephony: DomainName = alta.home
O17 - HKLM\System\CCS\Services\Tcpip\..\{46F53741-6F7A-40C8-B383-D850DB83FAD9}: NameServer = 192.168.0.1,212.27.53.252,212.27.54.252
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = alta.home
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = alta.home
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\Windows\system32\PnkBstrB.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\apache2\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe

--
End of file - 7749 bytes


And here is the ComboFix one:



ComboFix 08-06-20.4 - Kam 2008-06-27 1:17:06.1 - NTFSx86
Microsoft® Windows Vista™ Édition Intégrale 6.0.6000.0.1252.1.1036.18.1048 [GMT 2:00]
Endroit: C:\Users\Kam\Desktop\ComboFix.exe
.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\System32\AdMllnnn.ini
C:\Windows\System32\AdMllnnn.ini2
C:\Windows\System32\AHikmUvw.ini
C:\Windows\System32\AHikmUvw.ini2
C:\Windows\system32\byXPHwVn.dll
C:\Windows\system32\dxdlxpgk.ini
C:\Windows\system32\fyhamrcy.ini
C:\Windows\System32\iOooWvut.ini
C:\Windows\System32\iOooWvut.ini2
C:\Windows\system32\iryhhxho.ini
C:\Windows\system32\mcrh.tmp
C:\Windows\system32\nimiseuh.ini
C:\Windows\System32\nVwHPXyb.ini
C:\Windows\System32\nVwHPXyb.ini2
C:\Windows\system32\pxpsudpj.ini
C:\Windows\System32\QBcLRqru.ini
C:\Windows\System32\QBcLRqru.ini2
C:\Windows\system32\tuvWooOi.dll
C:\Windows\system32\vmaukgjf.ini

.
((((((((((((((((((((((((((((( Fichiers créés 2008-05-26 to 2008-06-26 ))))))))))))))))))))))))))))))))))))
.

2008-06-27 01:15 . 2008-06-27 01:15 91,648 --a------ C:\Windows\System32\qirqqakg.dll
2008-06-27 01:14 . 2008-06-27 01:14 <REP> d-------- C:\Program Files\Trend Micro
2008-06-26 23:21 . 2008-06-26 23:21 106,496 --a------ C:\Windows\System32\llfkbkva.dll
2008-06-26 23:18 . 2008-06-26 23:18 91,648 --a------ C:\Windows\System32\ynjrjnrk.dll
2008-06-26 23:12 . 2008-06-26 02:39 26,112 --a------ C:\Windows\System32\mlJCRKcy.dll
2008-06-26 21:34 . 2008-06-26 21:34 106,496 --a------ C:\Windows\System32\fvrmiutj.dll
2008-06-26 21:31 . 2008-06-26 21:31 91,648 --a------ C:\Windows\System32\svudmptv.dll
2008-06-26 15:06 . 2008-06-26 15:06 106,496 --a------ C:\Windows\System32\gmyilytm.dll
2008-06-26 15:06 . 2008-06-26 15:06 80,896 --a------ C:\Windows\System32\jpduspxp.dll
2008-06-26 15:03 . 2008-06-26 15:03 91,648 --a------ C:\Windows\System32\hefhtxib.dll
2008-06-26 02:52 . 2008-06-26 02:52 26,112 --a------ C:\Windows\System32\mlJYstTk.dll
2008-06-26 02:52 . 2008-06-26 02:52 26,112 --a------ C:\Windows\System32\mlJYroMG.dll
2008-06-26 02:52 . 2008-06-26 02:52 26,112 --a------ C:\Windows\System32\ljJYRLFw.dll
2008-06-26 02:52 . 2008-06-26 02:52 26,112 --a------ C:\Windows\System32\ljJDTjHw.dll
2008-06-26 02:50 . 2008-06-26 02:50 81,920 --------- C:\Windows\System32\ohxhhyri.dll
2008-06-26 02:45 . 2008-06-26 02:45 81,920 --------- C:\Windows\System32\kgpxldxd.dll
2008-06-26 02:40 . 2008-06-26 02:40 26,112 --a------ C:\Windows\System32\yaywwuSL.dll
2008-06-26 02:40 . 2008-06-26 02:40 26,112 --a------ C:\Windows\System32\wvUmkiHb.dll
2008-06-23 21:19 . 2008-06-23 21:19 <REP> dr------- C:\Users\Alta\Searches
2008-06-23 21:18 . 2008-06-23 21:18 <REP> dr------- C:\Users\Alta\Contacts
2008-06-23 21:17 . 2008-06-23 21:19 <REP> dr------- C:\Users\Alta\Videos
2008-06-23 21:17 . 2008-06-23 21:19 <REP> dr------- C:\Users\Alta\Saved Games
2008-06-23 21:17 . 2008-06-23 21:19 <REP> dr------- C:\Users\Alta\Pictures
2008-06-23 21:17 . 2008-06-23 21:19 <REP> dr------- C:\Users\Alta\Music
2008-06-23 21:17 . 2008-06-23 21:19 <REP> dr------- C:\Users\Alta\Links
2008-06-23 21:17 . 2008-06-23 21:19 <REP> dr------- C:\Users\Alta\Downloads
2008-06-23 21:17 . 2008-06-23 21:19 <REP> dr------- C:\Users\Alta\Documents
2008-06-23 21:17 . 2006-11-02 14:35 <REP> d-------- C:\Users\Alta\AppData\Roaming\Media Center Programs
2008-06-23 21:17 . 2008-06-23 21:19 <REP> d--h----- C:\Users\Alta\AppData
2008-06-23 21:17 . 2008-06-23 21:19 <REP> d-------- C:\Users\Alta
2008-06-23 19:47 . 2008-06-23 19:47 <REP> d-------- C:\Program Files\RealVNC
2008-06-19 19:35 . 2008-06-19 19:35 <REP> d-------- C:\inetpub
2008-06-19 18:59 . 2008-06-19 18:59 <REP> d-------- C:\Users\Kam\AppData\Roaming\PeerNetworking
2008-06-17 20:52 . 2008-06-17 21:09 <REP> d-------- C:\Program Files\SopCast
2008-06-17 20:28 . 2008-06-17 20:28 <REP> d-------- C:\Program Files\FreePCvcR-0.5
2008-06-16 18:10 . 2008-06-16 18:10 <REP> d-------- C:\Users\All Users\Adobe
2008-06-16 14:30 . 2008-06-16 14:30 <REP> d-------- C:\Users\All Users\Codemasters
2008-06-16 14:30 . 2008-06-16 14:30 <REP> d-------- C:\ProgramData\Codemasters
2008-06-16 14:24 . 2008-06-16 14:24 <REP> d-------- C:\Program Files\OpenAL
2008-06-16 14:24 . 2008-04-28 15:53 805,400 -ra------ C:\Windows\System32\tmpCA3A.tmp
2008-06-16 14:24 . 2008-04-28 15:53 805,400 -ra------ C:\Windows\System32\tmpC96E.tmp
2008-06-13 08:44 . 2008-06-13 08:44 <REP> d-------- C:\Temp\SQL Server 2005 Developer Edition - 32-bit - CD2 (Francais)
2008-06-13 08:01 . 2008-06-13 08:01 <REP> d-------- C:\Temp\SQL Server 2005 Developer Edition - 32-bit - CD1 (Francais)
2008-06-13 07:28 . 2008-06-13 08:44 <REP> d-------- C:\Temp
2008-06-12 19:00 . 2008-06-15 21:21 6,144 --a------ C:\Windows\System32\BReWErS.dll
2008-06-11 19:41 . 2008-06-11 19:44 <REP> d-------- C:\Program Files\ControlMK
2008-06-11 19:29 . 2008-06-11 19:29 98,304 --a------ C:\Windows\System32\CmdLineExt.dll
2008-06-06 20:18 . 2008-06-06 20:18 <REP> d-------- C:\Windows\nvidia icons
2008-06-05 22:06 . 2008-06-05 22:06 <REP> d-------- C:\Program Files\Alwil Software
2008-06-05 22:06 . 2008-05-16 01:18 50,768 --a------ C:\Windows\System32\drivers\aswMonFlt.sys
2008-06-05 21:13 . 2008-03-05 15:56 3,786,760 --a------ C:\Windows\System32\D3DX9_37.dll
2008-06-05 21:13 . 2008-03-05 15:56 1,420,824 --a------ C:\Windows\System32\D3DCompiler_37.dll
2008-06-05 21:13 . 2008-03-05 16:03 479,752 --a------ C:\Windows\System32\XAudio2_0.dll
2008-06-05 21:13 . 2008-02-05 23:07 462,864 --a------ C:\Windows\System32\d3dx10_37.dll
2008-06-05 21:13 . 2008-03-05 16:03 238,088 --a------ C:\Windows\System32\xactengine3_0.dll
2008-06-05 21:13 . 2008-03-05 16:00 25,608 --a------ C:\Windows\System32\X3DAudio1_3.dll
2008-06-05 00:14 . 2008-06-27 00:00 54,156 --ah----- C:\Windows\QTFont.qfn
2008-06-05 00:14 . 2008-06-05 00:14 1,409 --a------ C:\Windows\QTFont.for
2008-06-04 20:20 . 2008-06-04 20:20 <REP> d-------- C:\Program Files\Native Instruments
2008-06-01 23:38 . 2008-06-01 23:38 80 --a------ C:\plug_in.ini
2008-05-30 22:54 . 2008-05-30 22:54 <REP> d-------- C:\Program Files\Common Files\BioWare
2008-05-28 23:28 . 2008-05-28 23:28 <REP> d-------- C:\Program Files\Common Files\INCA Shared
2008-05-28 23:26 . 2003-07-19 17:17 5,174 --a------ C:\Windows\System32\nppt9x.vxd
2008-05-28 23:26 . 2005-01-03 08:43 4,682 --a------ C:\Windows\System32\npptNT2.sys
2008-05-28 19:28 . 2008-06-25 00:03 <REP> d-------- C:\Program Files\Neffy

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-26 23:06 --------- d-----w C:\Users\Kam\AppData\Roaming\uTorrent
2008-06-26 21:29 --------- d-----w C:\Users\Kam\AppData\Roaming\Hamachi
2008-06-26 18:24 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
2008-06-26 01:06 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-24 22:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-24 22:24 --------- d-----w C:\ProgramData\Media Center Programs
2008-06-24 22:04 --------- d-----w C:\Program Files\MixVibesPro6DEMO
2008-06-20 17:47 --------- d-----w C:\Program Files\Steam
2008-06-20 17:47 --------- d-----w C:\Program Files\Common Files\Steam
2008-06-16 16:10 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-07 11:04 --------- d-----w C:\ProgramData\NVIDIA
2008-05-28 21:22 --------- d-----w C:\Users\Kam\AppData\Roaming\skypePM
2008-05-28 21:22 --------- d-----w C:\Users\Kam\AppData\Roaming\Skype
2008-05-25 00:01 --------- d-----w C:\Program Files\MixVibesDVS
2008-05-24 23:41 --------- d-----w C:\Users\Kam\AppData\Roaming\invibes
2008-05-22 21:30 --------- d-----w C:\Users\Kam\AppData\Roaming\Media Player Classic
2008-05-19 21:19 --------- d-----w C:\Program Files\AGEIA Technologies
2008-05-19 21:17 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-18 16:49 --------- d-----w C:\Program Files\VirtualDJ
2008-05-16 05:39 --------- d-----w C:\Users\Kam\AppData\Roaming\Ableton
2008-05-16 05:37 --------- d-----w C:\Program Files\Ableton
2008-05-12 22:26 --------- d-----w C:\Users\Kam\AppData\Roaming\Winamp
2008-05-11 14:59 --------- d-----w C:\Program Files\Stardock
2008-05-09 23:51 --------- d-----w C:\ProgramData\Syncrosoft
2008-05-09 08:15 --------- d-----w C:\ProgramData\Ubisoft
2008-05-09 08:14 22,328 ----a-w C:\Windows\system32\drivers\PnkBstrK.sys
2008-05-09 08:14 22,328 ----a-w C:\Users\Kam\AppData\Roaming\PnkBstrK.sys
2008-05-08 16:46 53,248 ----a-w C:\Windows\ipuninst.exe
2008-05-05 17:16 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-05-03 03:46 7,460,320 ----a-w C:\Windows\system32\drivers\nvlddmkm.sys
2008-04-29 13:21 --------- d-----w C:\ProgramData\TrackMania
2008-04-27 23:55 --------- d-----w C:\Users\Kam\AppData\Roaming\Auslogics
2008-04-27 23:49 --------- d-----w C:\Users\Kam\AppData\Roaming\Thunderbird
2008-04-26 20:59 --------- d-----w C:\Program Files\Image-Line
2008-03-13 20:27 32 ----a-w C:\Users\All Users\ezsid.dat
2008-03-13 20:27 32 ----a-w C:\ProgramData\ezsid.dat
2006-11-02 12:49 174 --sha-w C:\Program Files\desktop.ini
2006-03-20 13:37 5,689,344 ----a-w C:\Program Files\mplayerc.exe
.

((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{018B27FF-E05F-4CB5-8763-540CB3FD457A}]
2008-06-26 02:39 26112 --a------ C:\Windows\system32\mlJCRKcy.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{01abaca7-523a-4d73-9678-b15290f2349f}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3bace666-60e7-4698-a132-f9ac2d7be543}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{56E9F31E-4BC0-4D0F-B9A0-FD95E734507B}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a103731b-9a39-45a0-8f01-a0bbf1a48490}]
2008-06-26 23:21 106496 --a------ C:\Windows\system32\llfkbkva.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E5BE1D14-ABDD-42C7-B40E-0413BEECF5CD}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2006-11-02 14:33 1196032]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 12:34 5724184]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2007-12-15 12:02 482760]
"PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" [2005-09-18 19:40 1421824]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-10-23 14:18 202024]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 14:33 201728]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2006-12-12 15:33 4186112 C:\Windows\RtHDVCpl.exe]
"JMB36X IDE Setup"="C:\Windows\JM\JMInsIDE.exe" [2006-10-31 06:44 36864]
"VolPanel"="C:\Program Files\Creative\SBAudigy\Volume Panel\VolPanlu.exe" [2007-02-28 18:50 180224]
"P17RunE"="P17RunE.dll" [2007-04-09 03:40 14848 C:\Windows\System32\P17RunE.dll]
"UpdReg"="C:\Windows\UpdReg.EXE" [2000-05-11 02:00 90112]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-02-01 00:13 385024]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 01:47 31016]
"NWEReboot"="" []
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 14:57 153136]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2008-05-03 05:46 13535776]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2008-05-03 05:46 92704]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048]
"b0096469"="C:\Windows\system32\huesimin.dll" [ ]
"BMb33a57f5"="C:\Windows\system32\qirqqakg.dll" [2008-06-27 01:15 91648]

C:\Users\Kam\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 - Capture d'écran et lancement.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 21:24:54 98632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{018B27FF-E05F-4CB5-8763-540CB3FD457A}"= C:\Windows\system32\mlJCRKcy.dll [2008-06-26 02:39 26112]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2006-11-02 14:32 1004136 C:\Program Files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1476174540-626848999-1512591551-1000]
"EnableNotificationsRef"=dword:00000002

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{8A28646F-4E01-46F6-B38A-A9D73CC81B74}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{CBE757CB-616D-4F62-A70C-4704AB617B21}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{CD40172F-5D40-4F62-A740-AB74A724C4D8}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{D79D67DF-9AFB-432F-A447-5D5B430F0A85}"= UDP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{A2FC97D3-E7B1-4105-A32D-D45440330076}"= TCP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{C4E1BCEF-9151-401E-96CA-9209D3422393}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{58EAED03-21AB-474D-8822-690CA2897AE0}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{09159C6A-5FDC-4F0C-BFAA-C48539B688DB}"= UDP:C:\Program Files\Winamp Remote\bin\Orb.exe:Orb
"{053F3181-993A-49E1-A8C6-855CBC9E2471}"= TCP:C:\Program Files\Winamp Remote\bin\Orb.exe:Orb
"{E42A7C96-5641-49D5-8CD0-3349857C16D4}"= UDP:C:\Program Files\Winamp Remote\bin\OrbTray.exe:OrbTray
"{D1464063-E27B-4407-9466-3231094A313E}"= TCP:C:\Program Files\Winamp Remote\bin\OrbTray.exe:OrbTray
"{EAFA3CE9-3D1D-43FE-A493-2713D2E9B7FF}"= UDP:C:\Program Files\Winamp Remote\bin\OrbIR.exe:OrbIR
"{5425AABB-79CD-449E-9106-4E718670C3EA}"= TCP:C:\Program Files\Winamp Remote\bin\OrbIR.exe:OrbIR
"{3E47DFFB-6098-437F-8433-7618BCAFA257}"= UDP:C:\Program Files\Winamp Remote\bin\OrbStreamerClient.exe:Orb Stream Client
"{1214C92C-99BE-445C-9957-6785F4C61311}"= TCP:C:\Program Files\Winamp Remote\bin\OrbStreamerClient.exe:Orb Stream Client
"{C6308C97-D149-4488-BBAC-DDC1DD994BE1}"= UDP:E:\Jeux\Assassin's Creed\AssassinsCreed_Dx9.exe:Assassin's Creed Dx9
"{A8F75539-7A81-4E31-A72A-3F404BFD8CDD}"= TCP:E:\Jeux\Assassin's Creed\AssassinsCreed_Dx9.exe:Assassin's Creed Dx9
"{A0106710-7D9D-4D84-8166-62BDF74952FE}"= UDP:E:\Jeux\Assassin's Creed\AssassinsCreed_Dx10.exe:Assassin's Creed Dx10
"{94C957DC-0E4D-496E-B624-715B5AE3AE4A}"= TCP:E:\Jeux\Assassin's Creed\AssassinsCreed_Dx10.exe:Assassin's Creed Dx10
"{9A64EC00-6C8D-4A21-8215-84136EFBED9F}"= UDP:E:\Jeux\Assassin's Creed\AssassinsCreed_Launcher.exe:Assassin's Creed Update
"{4DEF7AF2-91B6-4706-AF17-7C09F0B9042E}"= TCP:E:\Jeux\Assassin's Creed\AssassinsCreed_Launcher.exe:Assassin's Creed Update
"{1BE71697-242F-48D1-82E7-DA86319FE2EA}"= UDP:C:\Windows\System32\PnkBstrA.exe:PnkBstrA
"{BB628748-B55E-4F53-BEB9-44F2237344D2}"= TCP:C:\Windows\System32\PnkBstrA.exe:PnkBstrA
"{7DFA6FBB-82BB-402C-8B3E-D53188593827}"= UDP:C:\Windows\System32\PnkBstrB.exe:PnkBstrB
"{EF887A4E-97B3-4AC4-BB8A-2DD8D358B89A}"= TCP:C:\Windows\System32\PnkBstrB.exe:PnkBstrB
"{C699F350-3612-4202-9B55-78232E6427A6}"= UDP:E:\Jeux\Tom Clancy's Rainbow Six Vegas 2\Binaries\R6Vegas2_Game.exe:Tom Clancy's Rainbow Six Vegas 2
"{D7FA8B37-A0D3-4D18-9A07-04E30A5FC6F6}"= TCP:E:\Jeux\Tom Clancy's Rainbow Six Vegas 2\Binaries\R6Vegas2_Game.exe:Tom Clancy's Rainbow Six Vegas 2
"{196C909A-775D-4CB9-B54D-8D146B928D34}"= UDP:E:\Jeux\Tom Clancy's Rainbow Six Vegas 2\Binaries\R6Vegas2_Launcher.exe:Tom Clancy's Rainbow Six Vegas 2 Update
"{DD5E673E-7606-4CB7-9663-35FB16917F2B}"= TCP:E:\Jeux\Tom Clancy's Rainbow Six Vegas 2\Binaries\R6Vegas2_Launcher.exe:Tom Clancy's Rainbow Six Vegas 2 Update
"{D0D19E01-F14D-493B-9970-4E95000C3A21}"= Disabled:UDP:C:\Program Files\Skype\Phone\Skype.exe:Skype
"{EEDB13F6-13F1-4994-9A86-2D8E2D4C7A19}"= Disabled:TCP:C:\Program Files\Skype\Phone\Skype.exe:Skype

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R1 aswSP;avast! Self Protection;C:\Windows\system32\drivers\aswSP.sys [2008-05-16 01:20]
R2 aswFsBlk;aswFsBlk;C:\Windows\system32\DRIVERS\aswFsBlk.sys [2008-05-16 01:16]
R2 aswMonFlt;aswMonFlt;C:\Windows\system32\DRIVERS\aswMonFlt.sys [2008-05-16 01:18]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-01-28 12:43]
R3 yukonwlh;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk60x86.sys [2006-11-22 09:12]
S0 OemBiosDevice;Royalty OEM Bios Extension;C:\Windows\system32\drivers\royal.sys [2008-02-26 19:43]
S3 Steam Client Service;Steam Client Service;C:\Program Files\Common Files\Steam\SteamService.exe [2008-06-20 19:47]
S3 wampapache;wampapache;"c:\wamp\apache2\bin\httpd.exe" -k runservice []
S3 wampmysqld;wampmysqld;c:\wamp\mysql\bin\mysqld-nt.exe [2007-05-04 11:00]
S4 msvsmon80;Débogueur distant Visual Studio 2005;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 []

.
Contenu du dossier 'Scheduled Tasks/Tâches planifiées'
"2008-06-26 15:04:23 C:\Windows\Tasks\User_Feed_Synchronization-{B7CEC17B-CBA9-45EB-9DF9-EDE0881783FD}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-27 01:23:39
Windows 6.0.6000 NTFS

Balayage processus cachés ...

Balayage caché autostart entries ...

Balayage des fichiers cachés ...

Scan terminé avec succès
Les fichiers cachés: 0

**************************************************************************
.
--------------------- DLLs a chargé sous des processus courants ---------------------

PROCESS: C:\Windows\Explorer.exe
-> C:\Windows\system32\qirqqakg.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\System32\nvvsvc.exe
C:\Windows\System32\audiodg.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Windows\System32\conime.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\PnkBstrA.exe
C:\Windows\System32\PnkBstrB.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Windows\System32\dllhost.exe
.
**************************************************************************
.
Temps d'accomplissement: 2008-06-27 1:26:46 - machine was rebooted [Kam]
ComboFix-quarantined-files.txt 2008-06-26 23:26:42

Pre-Run: 11,930,591,232 octets libres
Post-Run: 11,655,880,704 octets libres





Thanks for helping me!

Anyone? I know the threads are all the same, but please tell me what to do :red:

tashi
2008-06-27, 08:41
Hello,

Anyone? I know the threads are all the same, but please tell me what to do :red:

I realize an infected computer is frustrating, however this topic was started today, and our forum helpers are volunteers. Please read this forum's stickies.

"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)

Do NOT run 'fixes' before helpers have analyzed the HJT log (http://forums.spybot.info/showthread.php?t=16806)

The Waiting Room: Post here if waiting for help longer than four days (http://forums.spybot.info/showthread.php?t=1137)

Regards.

Altaic
2008-06-27, 20:05
OK, that's right... I will read this and I'm going to be patient xD

So, I think I did my logs wrong (with regard to the stickies); maybe someone can tell me what I can do as a first step in removing that junk?
Awaiting an answer to fix this... :scratch:

Blade81
2008-06-29, 19:54
Hi

Uninstall Spybot for now to make sure TeaTimer won't interfere with the fix. You may reinstall it after the system is clean (I'll let you know when :)).


Open notepad and copy/paste the text in the quotebox below into it:



File::
C:\Windows\System32\qirqqakg.dll
C:\Windows\System32\llfkbkva.dll
C:\Windows\System32\ynjrjnrk.dll
C:\Windows\System32\mlJCRKcy.dll
C:\Windows\System32\fvrmiutj.dll
C:\Windows\System32\svudmptv.dll
C:\Windows\System32\gmyilytm.dll
C:\Windows\System32\jpduspxp.dll
C:\Windows\System32\hefhtxib.dll
C:\Windows\System32\mlJYstTk.dll
C:\Windows\System32\mlJYroMG.dll
C:\Windows\System32\ljJYRLFw.dll
C:\Windows\System32\ljJDTjHw.dll
C:\Windows\System32\ohxhhyri.dll
C:\Windows\System32\kgpxldxd.dll
C:\Windows\System32\yaywwuSL.dll
C:\Windows\System32\wvUmkiHb.dll
C:\Windows\System32\BReWErS.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{018B27FF-E05F-4CB5-8763-540CB3FD457A}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{01abaca7-523a-4d73-9678-b15290f2349f}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3bace666-60e7-4698-a132-f9ac2d7be543}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{56E9F31E-4BC0-4D0F-B9A0-FD95E734507B}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a103731b-9a39-45a0-8f01-a0bbf1a48490}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E5BE1D14-ABDD-42C7-B40E-0413BEECF5CD}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"b0096469"=-
"BMb33a57f5"=-

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{018B27FF-E05F-4CB5-8763-540CB3FD457A}"=-



Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe.
Then post the resultant log.


ComboFix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time), and end any processes of findstr, find, sed or swreg; then ComboFix should continue.
If that happens we want to know, and also which process you had to end.


Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.nl/scanforvirus-en/kavwebscan.html). You will be prompted to install an ActiveX component from Kaspersky, click Yes.
The program will launch and start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings and select the following:
Scan using the following Anti-Virus database:
Extended (If available, otherwise Standard)
Scan Options:
Scan Archives
Scan Mail Bases
Click OK.
Under select a target to scan, select My Computer.
The scan will take a while so be patient and let it run. As it scans your machine very deeply it could take hours to complete, Kaspersky suggests running it during a time of low activity. Once the scan is complete:
Click on the Save as Text button.
Save the file to your desktop.
Copy and paste that information into your next post if the AV content will fit into one post only. Post a fresh hjt log (without forgetting the above mentioned ComboFix resultant log) too.


Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.

If having a problem doing the above

Make sure that your Internet security settings are set to default values.

To set default security settings for Internet Explorer:

* Open Internet Explorer.
* Go to the Tools menu, then choose Internet Options.
* Click on the Security tab.
* Make sure that all four items (Internet, Local intranet, Trusted sites, and Restricted sites) are set to their default settings.
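
A small triage script, added here as an example (it is not ComboFix's code and not the helper's script), that reads a CFScript in the format given above and the "Point de chargement Reg" block ComboFix prints in its resultant log, then reports which of the script's targets still appear in that log and which policy settings the log shows turned off. Both inputs are constructed samples in the thread's formats; the leftover Run value in the sample log is deliberate, to show what a partial cleanup looks like.

```python
"""ComboFix follow-up triage for a CFScript run (added example, not ComboFix's or the helper's code).

Reads a CFScript in the format used above (File:: paths, then a Registry:: block with
"name"=- value deletions and [-key] key deletions) plus the log ComboFix writes afterwards,
and reports which targets still appear in that log and which policy settings the log shows
turned off (UAC, Windows Firewall). Both inputs are constructed samples, not the real files.
"""
import re

# Constructed CFScript: two of the thread's file targets plus its Registry block.
SAMPLE_CFSCRIPT = r"""File::
C:\Windows\System32\fvrmiutj.dll
C:\Windows\System32\BReWErS.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E5BE1D14-ABDD-42C7-B40E-0413BEECF5CD}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"b0096469"=-
"BMb33a57f5"=-

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{018B27FF-E05F-4CB5-8763-540CB3FD457A}"=-
"""

# Constructed post-run log excerpt in ComboFix's "Reg loading points" format; one Run
# value is deliberately left behind to show what a partial cleanup looks like.
SAMPLE_LOG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VolPanel"="C:\Program Files\Creative\SBAudigy\Volume Panel\VolPanlu.exe" [2007-02-28 18:50 180224]
"BMb33a57f5"="C:\Windows\System32\BReWErS.dll" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)
"""

GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
DEL_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=-$')                # "name"=-  deletes a value
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")                      # [HKEY_...] opens a key
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"\s*=\s*(?P<data>.*)$')  # "name"=data [meta]
# (lower-cased key suffix, value name, report text): flagged when the log shows the value at 0.
POLICY_CHECKS = [
    ("policies\\system", "EnableLUA", "UAC is disabled"),
    ("firewallpolicy\\domainprofile", "EnableFirewall", "Windows Firewall off (domain profile)"),
]

def cfscript_targets(script):
    """What the script asked ComboFix to remove: file paths, value names, and [-key] CLSIDs."""
    targets = {"files": [], "values": [], "clsids": []}
    section = None
    for line in (raw.strip() for raw in script.splitlines() if raw.strip()):
        if line.endswith("::"):            # section header such as File:: or Registry::
            section = line[:-2].lower()
        elif section == "file":
            targets["files"].append(line)
        elif section == "registry":
            m = DEL_VALUE_RE.match(line)
            if m:
                targets["values"].append(m.group("name"))
            elif line.startswith("[-"):
                targets["clsids"].extend(GUID_RE.findall(line))
    return targets

def parse_reg_block(log):
    """{key: {value_name: raw_data}} from the REGEDIT4 block of a ComboFix log."""
    entries, key = {}, None
    for line in (raw.strip() for raw in log.splitlines()):
        key_match, value_match = KEY_RE.match(line), VALUE_RE.match(line)
        if key_match:
            key = key_match.group("key")
            entries.setdefault(key, {})
        elif key is not None and value_match:
            entries[key][value_match.group("name")] = value_match.group("data").strip()
    return entries

def leftovers(targets, log):
    """Script targets still present in the post-run log, plus policy settings shown as off."""
    entries = parse_reg_block(log)
    present_values = {name for vals in entries.values() for name in vals}
    lowered = log.lower()
    weak = [msg for key, vals in entries.items() for suffix, name, msg in POLICY_CHECKS
            if key.lower().endswith(suffix) and name in vals
            and vals[name].split(" ")[0] in ("0", "dword:00000000")]  # ComboFix prints "0 (0x0)"
    return {
        "files": [f for f in targets["files"] if f.lower() in lowered],
        "values": [v for v in targets["values"] if v in present_values],
        "clsids": [c for c in targets["clsids"] if c.lower() in lowered],
        "weak_settings": weak,
    }

if __name__ == "__main__":
    for kind, items in leftovers(cfscript_targets(SAMPLE_CFSCRIPT), SAMPLE_LOG).items():
        print(f"{kind}: {items or 'nothing left'}")
```

Anything reported under files, values or clsids means the script did not take for that item and the entry deserves another look; weak_settings lists what the user should turn back on once the machine is clean.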

Altaic
2008-06-30, 16:03
Hi Blade81, thanks for your help, I really appreciate it =)

So here are the logs needed...


The ComboFix log with the script modifications


ComboFix 08-06-20.4 - Kam 2008-06-30 12:10:13.3 - NTFSx86
Microsoft® Windows Vista™ Édition Intégrale 6.0.6000.0.1252.1.1036.18.1366 [GMT 2:00]
Endroit: C:\Users\Kam\Desktop\ComboFix.exe
Command switches used :: C:\Users\Kam\Desktop\CFScript.txt
* Création d'un nouveau point de restauration

FILE ::
C:\Windows\System32\BReWErS.dll
C:\Windows\System32\fvrmiutj.dll
C:\Windows\System32\gmyilytm.dll
C:\Windows\System32\hefhtxib.dll
C:\Windows\System32\jpduspxp.dll
C:\Windows\System32\kgpxldxd.dll
C:\Windows\System32\ljJDTjHw.dll
C:\Windows\System32\ljJYRLFw.dll
C:\Windows\System32\llfkbkva.dll
C:\Windows\System32\mlJCRKcy.dll
C:\Windows\System32\mlJYroMG.dll
C:\Windows\System32\mlJYstTk.dll
C:\Windows\System32\ohxhhyri.dll
C:\Windows\System32\qirqqakg.dll
C:\Windows\System32\svudmptv.dll
C:\Windows\System32\wvUmkiHb.dll
C:\Windows\System32\yaywwuSL.dll
C:\Windows\System32\ynjrjnrk.dll
.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\System32\BReWErS.dll

.
((((((((((((((((((((((((((((( Fichiers créés 2008-05-28 to 2008-06-30 ))))))))))))))))))))))))))))))))))))
.

2008-06-30 12:07 . 2008-06-30 12:08 <REP> d-------- C:\327882R2FWJFW
2008-06-29 17:01 . 2008-06-29 17:02 46,634,384 --a------ C:\Users\Public\zaSUITE_Setup_fr.exe
2008-06-29 16:47 . 2007-07-21 15:24 68,096 --a------ C:\Users\Public\keygen.exe
2008-06-29 16:40 . 2008-06-29 16:40 <REP> d-------- C:\Users\Alta\AppData\Roaming\MailFrontier
2008-06-29 14:51 . 2008-06-29 14:51 <REP> d-------- C:\Users\All Users\MailFrontier
2008-06-29 14:51 . 2008-06-29 14:51 <REP> d-------- C:\ProgramData\MailFrontier
2008-06-29 14:04 . 2008-06-29 14:04 <REP> d-------- C:\Users\Kam\AppData\Roaming\MailFrontier
2008-06-28 02:24 . 2008-06-30 10:26 1,113 --a------ C:\rollback.ini
2008-06-28 01:24 . 2008-06-28 01:24 <REP> d-------- C:\Windows\System32\Adobe
2008-06-27 21:15 . 2008-06-30 11:55 4,838,432 --ahs---- C:\Windows\System32\drivers\fidbox.dat
2008-06-27 21:15 . 2008-06-29 14:48 67,292 --ahs---- C:\Windows\System32\drivers\fidbox.idx
2008-06-27 20:55 . 2008-03-03 15:05 75,248 --a------ C:\Windows\zllsputility.exe
2008-06-27 20:55 . 2008-03-03 15:05 54,672 --a------ C:\Windows\System32\vsutil_loc040c.dll
2008-06-27 20:55 . 2008-03-03 15:05 42,384 --a------ C:\Windows\zllsputility_loc040c.dll
2008-06-27 20:55 . 2008-03-03 15:05 21,904 --a------ C:\Windows\System32\imsinstall_loc040c.dll
2008-06-27 20:55 . 2008-03-03 15:05 17,808 --a------ C:\Windows\System32\imslsp_install_loc040c.dll
2008-06-27 20:55 . 2008-06-27 20:55 5,571 --a------ C:\Windows\System32\vsconfig.xml
2008-06-27 20:54 . 2008-06-27 20:54 <REP> d-------- C:\Users\All Users\CheckPoint
2008-06-27 20:54 . 2008-06-27 20:54 <REP> d-------- C:\ProgramData\CheckPoint
2008-06-27 20:54 . 2008-06-27 20:54 <REP> d-------- C:\Program Files\Zone Labs
2008-06-27 20:54 . 2008-03-03 15:05 1,086,952 --a------ C:\Windows\System32\zpeng24.dll
2008-06-27 20:54 . 2008-03-03 15:06 279,440 --a------ C:\Windows\System32\drivers\~GLH0014.TMP
2008-06-27 20:53 . 2008-06-29 11:42 <REP> d-------- C:\Windows\System32\ZoneLabs
2008-06-27 20:53 . 2008-06-27 20:53 803,840 --a------ C:\Windows\System32\drivers\tcpip.sys
2008-06-27 20:53 . 2008-06-30 12:02 354,388 --ah----- C:\Windows\System32\drivers\vsconfig.xml
2008-06-27 20:53 . 2008-03-03 15:06 279,440 --------- C:\Windows\System32\drivers\vsdatant.sys
2008-06-27 20:53 . 2008-06-27 20:53 217,272 --a------ C:\Windows\System32\drivers\netio.sys
2008-06-27 20:53 . 2008-06-27 20:53 167,424 --a------ C:\Windows\System32\tcpipcfg.dll
2008-06-27 20:53 . 2008-06-27 20:53 22,016 --a------ C:\Windows\System32\netiougc.exe
2008-06-27 20:52 . 2008-06-30 11:56 <REP> d-------- C:\Windows\Internet Logs
2008-06-27 20:22 . 2008-06-27 20:22 <REP> d-------- C:\VundoFix Backups
2008-06-27 01:14 . 2008-06-27 01:14 <REP> d-------- C:\Program Files\Trend Micro
2008-06-23 21:19 . 2008-06-23 21:19 <REP> dr------- C:\Users\Alta\Searches
2008-06-23 21:18 . 2008-06-23 21:18 <REP> dr------- C:\Users\Alta\Contacts
2008-06-23 21:17 . 2008-06-23 21:19 <REP> dr------- C:\Users\Alta\Videos
2008-06-23 21:17 . 2008-06-23 21:19 <REP> dr------- C:\Users\Alta\Saved Games
2008-06-23 21:17 . 2008-06-23 21:19 <REP> dr------- C:\Users\Alta\Pictures
2008-06-23 21:17 . 2008-06-23 21:19 <REP> dr------- C:\Users\Alta\Music
2008-06-23 21:17 . 2008-06-23 21:19 <REP> dr------- C:\Users\Alta\Links
2008-06-23 21:17 . 2008-06-23 21:19 <REP> dr------- C:\Users\Alta\Downloads
2008-06-23 21:17 . 2008-06-23 21:19 <REP> dr------- C:\Users\Alta\Documents
2008-06-23 21:17 . 2006-11-02 14:35 <REP> d-------- C:\Users\Alta\AppData\Roaming\Media Center Programs
2008-06-23 21:17 . 2008-06-23 21:19 <REP> d--h----- C:\Users\Alta\AppData
2008-06-23 21:17 . 2008-06-23 21:19 <REP> d-------- C:\Users\Alta
2008-06-23 19:47 . 2008-06-23 19:47 <REP> d-------- C:\Program Files\RealVNC
2008-06-19 19:35 . 2008-06-19 19:35 <REP> d-------- C:\inetpub
2008-06-19 18:59 . 2008-06-19 18:59 <REP> d-------- C:\Users\Kam\AppData\Roaming\PeerNetworking
2008-06-17 20:52 . 2008-06-17 21:09 <REP> d-------- C:\Program Files\SopCast
2008-06-17 20:28 . 2008-06-17 20:28 <REP> d-------- C:\Program Files\FreePCvcR-0.5
2008-06-16 18:10 . 2008-06-16 18:10 <REP> d-------- C:\Users\All Users\Adobe
2008-06-16 14:30 . 2008-06-16 14:30 <REP> d-------- C:\Users\All Users\Codemasters
2008-06-16 14:30 . 2008-06-16 14:30 <REP> d-------- C:\ProgramData\Codemasters
2008-06-16 14:24 . 2008-06-16 14:24 <REP> d-------- C:\Program Files\OpenAL
2008-06-16 14:24 . 2008-04-28 15:53 805,400 -ra------ C:\Windows\System32\tmpCA3A.tmp
2008-06-16 14:24 . 2008-04-28 15:53 805,400 -ra------ C:\Windows\System32\tmpC96E.tmp
2008-06-13 08:44 . 2008-06-13 08:44 <REP> d-------- C:\Temp\SQL Server 2005 Developer Edition - 32-bit - CD2 (Francais)
2008-06-13 08:01 . 2008-06-13 08:01 <REP> d-------- C:\Temp\SQL Server 2005 Developer Edition - 32-bit - CD1 (Francais)
2008-06-13 07:28 . 2008-06-13 08:44 <REP> d-------- C:\Temp
2008-06-11 19:41 . 2008-06-11 19:44 <REP> d-------- C:\Program Files\ControlMK
2008-06-11 19:29 . 2008-06-11 19:29 98,304 --a------ C:\Windows\System32\CmdLineExt.dll
2008-06-06 20:18 . 2008-06-06 20:18 <REP> d-------- C:\Windows\nvidia icons
2008-06-05 22:06 . 2008-06-05 22:06 <REP> d-------- C:\Program Files\Alwil Software
2008-06-05 21:13 . 2008-03-05 15:56 3,786,760 --a------ C:\Windows\System32\D3DX9_37.dll
2008-06-05 21:13 . 2008-03-05 15:56 1,420,824 --a------ C:\Windows\System32\D3DCompiler_37.dll
2008-06-05 21:13 . 2008-03-05 16:03 479,752 --a------ C:\Windows\System32\XAudio2_0.dll
2008-06-05 21:13 . 2008-02-05 23:07 462,864 --a------ C:\Windows\System32\d3dx10_37.dll
2008-06-05 21:13 . 2008-03-05 16:03 238,088 --a------ C:\Windows\System32\xactengine3_0.dll
2008-06-05 21:13 . 2008-03-05 16:00 25,608 --a------ C:\Windows\System32\X3DAudio1_3.dll
2008-06-05 00:14 . 2008-06-27 00:00 54,156 --ah----- C:\Windows\QTFont.qfn
2008-06-05 00:14 . 2008-06-05 00:14 1,409 --a------ C:\Windows\QTFont.for
2008-06-04 20:20 . 2008-06-04 20:20 <REP> d-------- C:\Program Files\Native Instruments
2008-06-01 23:38 . 2008-06-01 23:38 80 --a------ C:\plug_in.ini
2008-05-30 22:54 . 2008-05-30 22:54 <REP> d-------- C:\Program Files\Common Files\BioWare
2008-05-28 23:28 . 2008-05-28 23:28 <REP> d-------- C:\Program Files\Common Files\INCA Shared
2008-05-28 23:26 . 2003-07-19 17:17 5,174 --a------ C:\Windows\System32\nppt9x.vxd
2008-05-28 23:26 . 2005-01-03 08:43 4,682 --a------ C:\Windows\System32\npptNT2.sys
2008-05-28 19:28 . 2008-06-25 00:03 <REP> d-------- C:\Program Files\Neffy
2008-05-25 02:59 . 2008-06-25 00:04 <REP> d-------- C:\Program Files\MixVibesPro6DEMO
2008-05-25 01:41 . 2008-05-25 01:41 <REP> d-------- C:\Users\Kam\AppData\Roaming\invibes
2008-05-25 01:41 . 2008-05-25 02:01 <REP> d-------- C:\Program Files\MixVibesDVS
2008-05-22 23:30 . 2008-05-22 23:30 <REP> d-------- C:\Users\Kam\AppData\Roaming\Media Player Classic
2008-05-22 23:30 . 2006-03-20 15:37 5,689,344 --a------ C:\Program Files\mplayerc.exe
2008-05-19 23:19 . 2008-05-19 23:19 <REP> d-------- C:\Windows\System32\AGEIA
2008-05-19 23:17 . 2008-05-19 23:17 <REP> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-18 18:49 . 2008-05-18 18:49 <REP> d-------- C:\Program Files\VirtualDJ
2008-05-16 07:37 . 2008-05-16 07:39 <REP> d-------- C:\Users\Kam\AppData\Roaming\Ableton
2008-05-16 07:37 . 2008-05-16 07:37 <REP> d-------- C:\Program Files\Ableton
2008-05-16 07:37 . 2008-03-14 13:22 1,060,864 --a------ C:\Windows\System32\MFC71.dll
2008-05-16 07:37 . 2008-03-14 13:22 499,712 --a------ C:\Windows\System32\msvcp71.dll
2008-05-16 07:37 . 2008-03-14 13:22 233,472 --a------ C:\Windows\System32\REX Shared Library.dll
2008-05-11 17:01 . 2008-05-11 17:01 0 --------- C:\Windows\WB.ini
2008-05-11 17:00 . 2008-05-11 17:00 29 --a------ C:\Windows\.wb4
2008-05-11 16:59 . 2008-05-11 16:59 <REP> d-------- C:\Program Files\Stardock
2008-05-11 16:59 . 2007-09-12 17:58 58,792 --------- C:\Windows\System32\wbload.dll
2008-05-11 16:59 . 2007-07-11 14:06 42,672 --------- C:\Windows\System32\wbsys.dll
2008-05-10 02:48 . 2008-05-19 19:22 917 --a------ C:\Windows\GTA-SA_Trn_Settings.ini
2008-05-10 01:51 . 2008-05-10 01:51 <REP> d-------- C:\Users\All Users\Syncrosoft
2008-05-10 01:51 . 2008-05-10 01:51 <REP> d-------- C:\ProgramData\Syncrosoft
2008-05-10 01:46 . 2007-08-01 15:58 765,952 --a------ C:\Windows\System32\SYNSOACC.dll
2008-05-10 01:46 . 2006-01-29 12:48 401,462 --a------ C:\Windows\System32\temp.000
2008-05-09 10:14 . 2008-05-09 10:14 2,337,865 --a------ C:\Windows\System32\pbsvc.exe
2008-05-09 10:14 . 2008-05-09 10:14 107,832 --a------ C:\Windows\System32\PnkBstrB.exe
2008-05-09 10:14 . 2008-05-09 10:14 66,872 --a------ C:\Windows\System32\PnkBstrA.exe
2008-05-09 10:14 . 2008-05-09 10:14 22,328 --a------ C:\Windows\System32\drivers\PnkBstrK.sys
2008-05-09 10:14 . 2008-05-09 10:14 22,328 --a------ C:\Users\Kam\AppData\Roaming\PnkBstrK.sys
2008-05-08 18:46 . 2008-05-08 18:46 53,248 --a------ C:\Windows\ipuninst.exe
2008-05-05 19:16 . 2008-05-05 19:16 <REP> d-------- C:\Program Files\Microsoft Silverlight

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-30 10:01 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-30 09:54 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
2008-06-30 09:53 --------- d-----w C:\Users\Kam\AppData\Roaming\uTorrent
2008-06-29 09:40 2,881,024 ----a-w C:\Windows\Internet Logs\xDB7242.tmp
2008-06-28 09:11 1,997,312 ----a-w C:\Windows\Internet Logs\xDBA295.tmp
2008-06-28 09:07 --------- d-----w C:\Program Files\PKR
2008-06-26 21:29 --------- d-----w C:\Users\Kam\AppData\Roaming\Hamachi
2008-06-24 22:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-24 22:24 --------- d-----w C:\ProgramData\Media Center Programs
2008-06-20 17:47 --------- d-----w C:\Program Files\Steam
2008-06-20 17:47 --------- d-----w C:\Program Files\Common Files\Steam
2008-06-16 16:10 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-16 12:24 444,952 ----a-w C:\Windows\System32\wrap_oal.dll
2008-06-16 12:24 109,080 ----a-w C:\Windows\System32\OpenAL32.dll
2008-06-07 11:04 --------- d-----w C:\ProgramData\NVIDIA
2008-05-28 21:22 --------- d-----w C:\Users\Kam\AppData\Roaming\skypePM
2008-05-28 21:22 --------- d-----w C:\Users\Kam\AppData\Roaming\Skype
2008-05-19 21:19 --------- d-----w C:\Program Files\AGEIA Technologies
2008-05-12 22:26 --------- d-----w C:\Users\Kam\AppData\Roaming\Winamp
2008-05-09 08:15 --------- d-----w C:\ProgramData\Ubisoft
2008-04-30 15:27 442,368 ----a-w C:\Windows\System32\NVUNINST.EXE
2008-04-29 13:21 --------- d-----w C:\ProgramData\TrackMania
2008-03-14 11:22 368,640 ----a-w C:\Windows\System32\rewire.dll
2008-03-13 20:27 32 ----a-w C:\Users\All Users\ezsid.dat
2008-03-13 20:27 32 ----a-w C:\ProgramData\ezsid.dat
2008-03-04 10:33 7,680 ----a-w C:\Windows\System32\ff_vfw.dll
2006-11-02 12:49 174 --sha-w C:\Program Files\desktop.ini
.

((((((((((((((((((((((((((((( snapshot@2008-06-27_ 1.26.16.50 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-26 23:23:01 67,584 --s-a-w C:\Windows\bootstat.dat
+ 2008-06-30 10:01:58 67,584 --s-a-w C:\Windows\bootstat.dat
- 2008-06-06 18:17:15 51,200 ----a-w C:\Windows\inf\infpub.dat
+ 2008-06-27 18:54:18 51,200 ----a-w C:\Windows\inf\infpub.dat
- 2008-06-06 18:17:09 86,016 ----a-w C:\Windows\inf\infstor.dat
+ 2008-06-27 18:54:17 86,016 ----a-w C:\Windows\inf\infstor.dat
- 2008-06-06 18:17:15 86,016 ----a-w C:\Windows\inf\infstrng.dat
+ 2008-06-27 18:54:18 86,016 ----a-w C:\Windows\inf\infstrng.dat
+ 2008-06-30 10:01:59 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-06-30 10:01:59 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-06-26 23:23:18 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-06-30 10:03:56 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-06-30 10:03:56 262,144 ---ha-w C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1
- 2008-06-26 23:23:18 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-06-30 10:03:51 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-06-30 10:03:51 262,144 ---ha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
+ 2008-06-17 14:12:42 114,688 ----a-w C:\Windows\System32\Adobe\Director\np32dsw.dll
+ 2008-06-17 14:23:02 202,168 ----a-w C:\Windows\System32\Adobe\Director\SwDir.dll
+ 2008-06-17 14:13:22 487,424 ----a-w C:\Windows\System32\Adobe\Shockwave 11\Control.dll
+ 2008-06-17 13:36:00 1,798,144 ----a-w C:\Windows\System32\Adobe\Shockwave 11\dirapi.dll
+ 2008-06-17 14:13:26 9,216 ----a-w C:\Windows\System32\Adobe\Shockwave 11\DynaPlayer.dll
+ 2008-06-17 13:25:58 697,344 ----a-w C:\Windows\System32\Adobe\Shockwave 11\gi.dll
+ 2008-06-17 13:26:00 1,145,896 ----a-w C:\Windows\System32\Adobe\Shockwave 11\gt.exe
+ 2008-06-17 13:25:58 52,288 ----a-w C:\Windows\System32\Adobe\Shockwave 11\gtapi.dll
+ 2008-06-17 13:32:18 892,928 ----a-w C:\Windows\System32\Adobe\Shockwave 11\iml32.dll
+ 2008-06-17 14:11:56 253,952 ----a-w C:\Windows\System32\Adobe\Shockwave 11\Plugin.dll
+ 2008-06-17 14:15:00 446,464 ----a-w C:\Windows\System32\Adobe\Shockwave 11\Proj.dll
+ 2008-06-17 14:22:46 439,736 ----a-w C:\Windows\System32\Adobe\Shockwave 11\SwHelper_1100458.exe
+ 2008-06-17 14:15:44 114,688 ----a-w C:\Windows\System32\Adobe\Shockwave 11\SwInit.exe
+ 2008-06-17 14:11:44 94,208 ----a-w C:\Windows\System32\Adobe\Shockwave 11\SwMenu.dll
+ 2008-06-17 13:25:58 50,808 ----a-w C:\Windows\System32\Adobe\Shockwave 11\SYMCCHECKER.DLL
+ 1999-06-25 08:55:30 149,504 ----a-w C:\Windows\System32\Adobe\Shockwave 11\UNWISE.EXE
- 2008-06-26 23:03:49 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-06-30 10:02:05 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-06-26 23:03:49 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-06-30 10:02:05 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-06-26 23:03:49 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-06-30 10:02:05 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-06-26 23:17:01 262,144 ----a-w C:\Windows\System32\config\systemprofile\ntuser.dat
+ 2008-06-27 19:14:05 262,144 ----a-w C:\Windows\System32\config\systemprofile\ntuser.dat
+ 2008-06-27 19:14:05 262,144 ---ha-w C:\Windows\System32\config\systemprofile\ntuser.dat.LOG1
+ 2007-07-20 19:10:32 127,768 ----a-w C:\Windows\System32\drivers\klif.sys
+ 2008-03-03 13:06:04 279,440 ----a-w C:\Windows\System32\DriverStore\FileRepository\vsdatant.inf_52bc6cc9\vsdatant.sys
- 2006-11-02 09:46:11 49,152 ----a-w C:\Windows\System32\migration\netiomig.dll
+ 2008-06-27 18:53:53 49,152 ----a-w C:\Windows\System32\migration\netiomig.dll
- 2008-06-26 21:14:35 111,384 ----a-w C:\Windows\System32\perfc009.dat
+ 2008-06-30 10:06:59 111,384 ----a-w C:\Windows\System32\perfc009.dat
- 2008-06-26 21:14:35 127,210 ----a-w C:\Windows\System32\perfc00C.dat
+ 2008-06-30 10:06:59 127,210 ----a-w C:\Windows\System32\perfc00C.dat
- 2008-06-26 21:14:35 639,836 ----a-w C:\Windows\System32\perfh009.dat
+ 2008-06-30 10:06:59 639,836 ----a-w C:\Windows\System32\perfh009.dat
- 2008-06-26 21:14:35 725,342 ----a-w C:\Windows\System32\perfh00C.dat
+ 2008-06-30 10:06:59 725,342 ----a-w C:\Windows\System32\perfh00C.dat
- 2008-06-23 17:52:58 5,767,168 ----a-w C:\Windows\System32\SMI\Store\Machine\SCHEMA.DAT
+ 2008-06-27 19:16:36 5,767,168 ----a-w C:\Windows\System32\SMI\Store\Machine\SCHEMA.DAT
+ 2008-03-03 13:04:54 95,720 ----a-w C:\Windows\System32\vsdata.dll
+ 2008-03-03 13:04:54 165,352 ----a-w C:\Windows\System32\vsinit.dll
+ 2008-03-03 13:04:54 103,912 ----a-w C:\Windows\System32\vsmonapi.dll
+ 2008-03-03 13:04:54 275,944 ----a-w C:\Windows\System32\vspubapi.dll
+ 2008-03-03 13:04:54 71,144 ----a-w C:\Windows\System32\vsregexp.dll
+ 2008-03-03 13:04:56 493,032 ----a-w C:\Windows\System32\vsutil.dll
+ 2008-03-03 13:04:56 46,568 ----a-w C:\Windows\System32\vswmi.dll
+ 2008-03-03 13:04:56 99,816 ----a-w C:\Windows\System32\vsxml.dll
- 2008-06-26 21:12:08 6,652 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1476174540-626848999-1512591551-1000_UserData.bin
+ 2008-06-30 10:04:14 7,240 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1476174540-626848999-1512591551-1000_UserData.bin
- 2008-06-26 21:12:07 54,042 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-06-30 10:04:14 57,490 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-06-26 23:21:35 4,118 ----a-w C:\Windows\System32\WDI\ERCQueuedResolutions.dat
+ 2008-06-29 12:48:06 4,282 ----a-w C:\Windows\System32\WDI\ERCQueuedResolutions.dat
- 2008-06-26 21:12:06 26,854 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-06-29 12:52:02 28,774 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-03-03 13:04:56 83,432 ----a-w C:\Windows\System32\zlcomm.dll
+ 2008-03-03 13:04:56 71,144 ----a-w C:\Windows\System32\zlcommdb.dll
+ 2008-03-03 13:04:50 398,888 ----a-w C:\Windows\System32\ZoneLabs\av.dll
+ 2008-03-03 13:05:26 26,000 ----a-w C:\Windows\System32\ZoneLabs\av_loc040c.dll
+ 2007-04-17 22:58:26 65,248 ----a-w C:\Windows\System32\ZoneLabs\avsys\bases\aphish.dat
+ 2006-06-30 13:47:36 21,568 ----a-w C:\Windows\System32\ZoneLabs\avsys\bases\avcmhk4.dll
+ 2007-04-17 22:58:26 1,628 ----a-w C:\Windows\System32\ZoneLabs\avsys\bases\pdmkl.dat
+ 2008-06-30 10:09:05 346,840 ----a-w C:\Windows\System32\ZoneLabs\avsys\bases\sfdb.dat
+ 2007-04-17 22:58:18 77,824 ----a-w C:\Windows\System32\ZoneLabs\avsys\CKAHComm.dll
+ 2007-04-17 22:58:18 110,592 ----a-w C:\Windows\System32\ZoneLabs\avsys\CKAHrule.dll
+ 2007-04-17 22:58:18 331,776 ----a-w C:\Windows\System32\ZoneLabs\avsys\CKAHUM.dll
+ 2007-07-20 19:10:28 38,400 ----a-w C:\Windows\System32\ZoneLabs\avsys\FSSync.dll
+ 2006-09-19 22:12:14 208,960 ----a-w C:\Windows\System32\ZoneLabs\avsys\inv.dll
+ 2007-12-03 13:04:52 282,624 ----a-w C:\Windows\System32\ZoneLabs\avsys\kave.dll
+ 2007-02-03 16:08:28 1,093,632 ----a-w C:\Windows\System32\ZoneLabs\avsys\libeay32.dll
+ 2007-04-17 22:58:20 548,864 ----a-w C:\Windows\System32\ZoneLabs\avsys\msvcp80.dll
+ 2007-04-17 22:58:20 626,688 ----a-w C:\Windows\System32\ZoneLabs\avsys\msvcr80.dll
+ 2007-04-17 22:58:18 184,320 ----a-w C:\Windows\System32\ZoneLabs\avsys\prloader.dll
+ 2007-04-17 22:58:20 90,112 ----a-w C:\Windows\System32\ZoneLabs\avsys\prremote.dll
+ 2007-12-03 13:04:52 139,264 ----a-w C:\Windows\System32\ZoneLabs\avsys\ScanningProcess.exe
+ 2007-02-03 16:08:28 200,704 ----a-w C:\Windows\System32\ZoneLabs\avsys\ssleay32.dll
+ 2008-03-03 13:04:52 99,816 ----a-w C:\Windows\System32\ZoneLabs\camupd.dll
+ 2004-01-30 11:35:08 813,568 ----a-w C:\Windows\System32\ZoneLabs\dbghelp.dll
+ 2008-03-03 13:04:52 136,680 ----a-w C:\Windows\System32\ZoneLabs\fbl.dll
+ 2008-03-03 13:04:52 50,672 ----a-w C:\Windows\System32\ZoneLabs\featuremap.dll
+ 2008-03-03 13:05:28 26,000 ----a-w C:\Windows\System32\ZoneLabs\imsecure_loc040c.dll
+ 2008-03-03 13:05:28 288,144 ----a-w C:\Windows\System32\ZoneLabs\lib\ConfigWizard_loc040c.zip.dll
+ 2008-03-03 13:05:28 152,976 ----a-w C:\Windows\System32\ZoneLabs\lib\LicenseUI_loc040c.zip.dll
+ 2008-03-03 13:05:30 54,672 ----a-w C:\Windows\System32\ZoneLabs\lib\WelcomeUI_loc040c.zip.dll
+ 2008-03-03 13:05:08 26,000 ----a-w C:\Windows\System32\ZoneLabs\lib\zlsvc.zip.dll
+ 2008-03-03 13:05:08 1,361,296 ----a-w C:\Windows\System32\ZoneLabs\lib\zpy.zip.dll
+ 2008-03-03 13:05:08 71,056 ----a-w C:\Windows\System32\ZoneLabs\lib\zui.zip.dll
+ 2008-03-03 13:06:06 30,192 ----a-w C:\Windows\System32\ZoneLabs\plugins\rpc_server\rpc_server.dll
+ 2008-03-03 13:06:06 30,216 ----a-w C:\Windows\System32\ZoneLabs\plugins\vsmon_plugin\vsmon_plugin.dll
+ 2007-12-11 18:58:04 714,208 ----a-w C:\Windows\System32\ZoneLabs\qrbase.dll
+ 2007-12-11 18:58:04 792,032 ----a-w C:\Windows\System32\ZoneLabs\qrsrecl.dll
+ 2008-03-03 13:04:52 173,544 ----a-w C:\Windows\System32\ZoneLabs\scheduler.dll
+ 2008-03-03 13:05:30 17,808 ----a-w C:\Windows\System32\ZoneLabs\scheduler_loc040c.dll
+ 2008-06-28 14:24:22 9,676,234 ----a-w C:\Windows\System32\ZoneLabs\spyware.dat
+ 2008-06-28 00:25:46 9,472,739 ----a-w C:\Windows\System32\ZoneLabs\spyware0.dat
+ 2007-12-11 18:58:06 1,504,736 ----a-w C:\Windows\System32\ZoneLabs\srescan.dll
+ 2008-03-03 13:04:54 456,168 ----a-w C:\Windows\System32\ZoneLabs\ssleay32.dll
+ 2008-03-03 13:05:28 26,000 ----a-w C:\Windows\System32\ZoneLabs\streamapi\imslsp\imslsp_loc040c.dll
+ 2006-09-04 19:59:14 503,875 ----a-w C:\Windows\System32\ZoneLabs\upd_core.dll
+ 2007-04-20 03:44:28 833,248 ----a-w C:\Windows\System32\ZoneLabs\updating.dll
+ 2008-03-03 13:05:02 169,512 ----a-w C:\Windows\System32\ZoneLabs\updclient.exe
+ 2008-03-03 13:05:30 99,728 ----a-w C:\Windows\System32\ZoneLabs\updClient_loc040c.dll
+ 2007-02-03 16:08:40 286,787 ----a-w C:\Windows\System32\ZoneLabs\updtrsdk.dll
+ 2008-03-03 13:04:54 112,104 ----a-w C:\Windows\System32\ZoneLabs\vsavpro.dll
+ 2008-03-03 13:06:04 279,440 ----a-w C:\Windows\System32\ZoneLabs\vsdatant.sys
+ 2008-03-03 13:04:54 75,240 ----a-w C:\Windows\System32\ZoneLabs\vsdb.dll
+ 2008-03-03 13:05:30 17,808 ----a-w C:\Windows\System32\ZoneLabs\vsdb_loc040c.dll
+ 2008-03-03 13:05:02 64,912 ----a-w C:\Windows\System32\ZoneLabs\vsdrinst.exe
+ 2008-03-03 13:05:02 79,400 ----a-w C:\Windows\System32\ZoneLabs\vsmon.exe
+ 2008-03-03 13:05:30 50,576 ----a-w C:\Windows\System32\ZoneLabs\vsmon_loc040c.dll
+ 2008-03-03 13:04:54 2,086,376 ----a-w C:\Windows\System32\ZoneLabs\vsmondll.dll
+ 2008-03-03 13:04:56 1,361,384 ----a-w C:\Windows\System32\ZoneLabs\vsruledb.dll
+ 2008-03-03 13:05:30 198,032 ----a-w C:\Windows\System32\ZoneLabs\vsruledb_loc040c.dll
+ 2008-03-03 13:04:56 243,176 ----a-w C:\Windows\System32\ZoneLabs\vsvault.dll
+ 2008-03-03 13:05:30 17,808 ----a-w C:\Windows\System32\ZoneLabs\vsvault_loc040c.dll
+ 2008-01-21 07:25:00 7,603,688 ----a-w C:\Windows\System32\ZoneLabs\zlasdbup.dat
+ 2008-03-03 13:04:56 177,640 ----a-w C:\Windows\System32\ZoneLabs\zlparser.dll
+ 2008-06-28 13:11:19 3,676,672 ----a-w C:\Windows\System32\ZoneLabs\zlqrtdb.dat
+ 2008-03-03 13:04:56 79,344 ----a-w C:\Windows\System32\ZoneLabs\zlquarantine.dll
+ 2008-03-03 13:05:30 17,808 ----a-w C:\Windows\System32\ZoneLabs\zlquarantine_loc040c.dll
+ 2008-03-03 13:04:58 398,824 ----a-w C:\Windows\System32\ZoneLabs\zlsre.dll
+ 2008-03-03 13:05:30 21,904 ----a-w C:\Windows\System32\ZoneLabs\zlsre_loc040c.dll
+ 2008-03-03 13:04:58 120,296 ----a-w C:\Windows\System32\ZoneLabs\zlupdate.dll
+ 2008-06-27 18:53:53 217,272 ----a-w C:\Windows\winsxs\x86_microsoft-windows-netio-infrastructure_31bf3856ad364e35_6.0.6000.20582_none_54ea4862d183ae20\netio.sys
+ 2008-06-27 18:53:53 49,152 ----a-w C:\Windows\winsxs\x86_microsoft-windows-tcpip_31bf3856ad364e35_6.0.6000.20582_none_5fd47169ab8fd179\netiomig.dll
+ 2008-06-27 18:53:53 22,016 ----a-w C:\Windows\winsxs\x86_microsoft-windows-tcpip_31bf3856ad364e35_6.0.6000.20582_none_5fd47169ab8fd179\netiougc.exe
+ 2008-06-27 18:53:53 803,840 ----a-w C:\Windows\winsxs\x86_microsoft-windows-tcpip_31bf3856ad364e35_6.0.6000.20582_none_5fd47169ab8fd179\tcpip.sys
+ 2008-06-27 18:53:53 167,424 ----a-w C:\Windows\winsxs\x86_microsoft-windows-tcpip_31bf3856ad364e35_6.0.6000.20582_none_5fd47169ab8fd179\tcpipcfg.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2006-11-02 14:33 1196032]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 12:34 5724184]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2007-12-15 12:02 482760]
"PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" [2005-09-18 19:40 1421824]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-10-23 14:18 202024]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 14:33 201728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VolPanel"="C:\Program Files\Creative\SBAudigy\Volume Panel\VolPanlu.exe" [2007-02-28 18:50 180224]
"UpdReg"="C:\Windows\UpdReg.EXE" [2000-05-11 02:00 90112]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-02-01 00:13 385024]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 01:47 31016]
"NWEReboot"="" []
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 14:57 153136]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2008-05-03 05:46 13535776]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2008-05-03 05:46 92704]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-03 15:05 959976]

C:\Users\Kam\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 - Capture d'écran et lancement.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 21:24:54 98632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2006-11-02 14:32 1004136 C:\Program Files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1476174540-626848999-1512591551-1000]
"EnableNotificationsRef"=dword:00000002

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{8A28646F-4E01-46F6-B38A-A9D73CC81B74}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{5898347B-BAC4-4FCD-8D18-CA17597C9581}"= UDP:C:\Users\Kam\Program Files\uTorrent\uTorrent.exe:µTorrent
"{820C6E9B-D402-40F6-B4AF-50B71F9CC680}"= TCP:C:\Users\Kam\Program Files\uTorrent\uTorrent.exe:µTorrent
"{CBE757CB-616D-4F62-A70C-4704AB617B21}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{CD40172F-5D40-4F62-A740-AB74A724C4D8}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{D79D67DF-9AFB-432F-A447-5D5B430F0A85}"= UDP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{A2FC97D3-E7B1-4105-A32D-D45440330076}"= TCP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{C4E1BCEF-9151-401E-96CA-9209D3422393}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{58EAED03-21AB-474D-8822-690CA2897AE0}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{09159C6A-5FDC-4F0C-BFAA-C48539B688DB}"= UDP:C:\Program Files\Winamp Remote\bin\Orb.exe:Orb
"{053F3181-993A-49E1-A8C6-855CBC9E2471}"= TCP:C:\Program Files\Winamp Remote\bin\Orb.exe:Orb
"{E42A7C96-5641-49D5-8CD0-3349857C16D4}"= UDP:C:\Program Files\Winamp Remote\bin\OrbTray.exe:OrbTray
"{D1464063-E27B-4407-9466-3231094A313E}"= TCP:C:\Program Files\Winamp Remote\bin\OrbTray.exe:OrbTray
"{EAFA3CE9-3D1D-43FE-A493-2713D2E9B7FF}"= UDP:C:\Program Files\Winamp Remote\bin\OrbIR.exe:OrbIR
"{5425AABB-79CD-449E-9106-4E718670C3EA}"= TCP:C:\Program Files\Winamp Remote\bin\OrbIR.exe:OrbIR
"{3E47DFFB-6098-437F-8433-7618BCAFA257}"= UDP:C:\Program Files\Winamp Remote\bin\OrbStreamerClient.exe:Orb Stream Client
"{1214C92C-99BE-445C-9957-6785F4C61311}"= TCP:C:\Program Files\Winamp Remote\bin\OrbStreamerClient.exe:Orb Stream Client
"{C6308C97-D149-4488-BBAC-DDC1DD994BE1}"= UDP:E:\Jeux\Assassin's Creed\AssassinsCreed_Dx9.exe:Assassin's Creed Dx9
"{A8F75539-7A81-4E31-A72A-3F404BFD8CDD}"= TCP:E:\Jeux\Assassin's Creed\AssassinsCreed_Dx9.exe:Assassin's Creed Dx9
"{A0106710-7D9D-4D84-8166-62BDF74952FE}"= UDP:E:\Jeux\Assassin's Creed\AssassinsCreed_Dx10.exe:Assassin's Creed Dx10
"{94C957DC-0E4D-496E-B624-715B5AE3AE4A}"= TCP:E:\Jeux\Assassin's Creed\AssassinsCreed_Dx10.exe:Assassin's Creed Dx10
"{9A64EC00-6C8D-4A21-8215-84136EFBED9F}"= UDP:E:\Jeux\Assassin's Creed\AssassinsCreed_Launcher.exe:Assassin's Creed Update
"{4DEF7AF2-91B6-4706-AF17-7C09F0B9042E}"= TCP:E:\Jeux\Assassin's Creed\AssassinsCreed_Launcher.exe:Assassin's Creed Update
"{1BE71697-242F-48D1-82E7-DA86319FE2EA}"= UDP:C:\Windows\System32\PnkBstrA.exe:PnkBstrA
"{BB628748-B55E-4F53-BEB9-44F2237344D2}"= TCP:C:\Windows\System32\PnkBstrA.exe:PnkBstrA
"{7DFA6FBB-82BB-402C-8B3E-D53188593827}"= UDP:C:\Windows\System32\PnkBstrB.exe:PnkBstrB
"{EF887A4E-97B3-4AC4-BB8A-2DD8D358B89A}"= TCP:C:\Windows\System32\PnkBstrB.exe:PnkBstrB
"{C699F350-3612-4202-9B55-78232E6427A6}"= UDP:E:\Jeux\Tom Clancy's Rainbow Six Vegas 2\Binaries\R6Vegas2_Game.exe:Tom Clancy's Rainbow Six Vegas 2
"{D7FA8B37-A0D3-4D18-9A07-04E30A5FC6F6}"= TCP:E:\Jeux\Tom Clancy's Rainbow Six Vegas 2\Binaries\R6Vegas2_Game.exe:Tom Clancy's Rainbow Six Vegas 2
"{196C909A-775D-4CB9-B54D-8D146B928D34}"= UDP:E:\Jeux\Tom Clancy's Rainbow Six Vegas 2\Binaries\R6Vegas2_Launcher.exe:Tom Clancy's Rainbow Six Vegas 2 Update
"{DD5E673E-7606-4CB7-9663-35FB16917F2B}"= TCP:E:\Jeux\Tom Clancy's Rainbow Six Vegas 2\Binaries\R6Vegas2_Launcher.exe:Tom Clancy's Rainbow Six Vegas 2 Update
"{D0D19E01-F14D-493B-9970-4E95000C3A21}"= Disabled:UDP:C:\Program Files\Skype\Phone\Skype.exe:Skype
"{EEDB13F6-13F1-4994-9A86-2D8E2D4C7A19}"= Disabled:TCP:C:\Program Files\Skype\Phone\Skype.exe:Skype
"{403AA6F0-2460-4ABB-B730-8A9427A57AB1}"= UDP:E:\Jeux\Mass Effect\Binaries\MassEffect.exe:Mass Effect Game
"{BC273D03-53FB-4A43-97A2-76FD6FC03661}"= TCP:E:\Jeux\Mass Effect\Binaries\MassEffect.exe:Mass Effect Game
"{AFC30DDC-8259-4F6F-BBE6-590A58575486}"= UDP:E:\Jeux\Mass Effect\MassEffectLauncher.exe:Mass Effect Launcher
"{985AB388-02AF-4038-AF38-A0285AB8BB20}"= TCP:E:\Jeux\Mass Effect\MassEffectLauncher.exe:Mass Effect Launcher
"{6225606B-80AD-4DCF-86F4-4A67A812AE9B}"= UDP:E:\Jeux\GRID\GRID.exe:GRID
"{2D6A54B6-112D-46FD-B44D-4AE4952B8A7E}"= TCP:E:\Jeux\GRID\GRID.exe:GRID
"{94B98E1E-003E-4EFA-AC78-9BF8DFC6E469}"= UDP:C:\Users\Kam\Program Files\uTorrent\uTorrent.exe:µTorrent
"{68DDD87B-2E97-4F54-8E31-E92978EF261E}"= TCP:C:\Users\Kam\Program Files\uTorrent\uTorrent.exe:µTorrent
"{92CF4D8E-22A0-4E0B-BA30-2B2D7D996926}"= UDP:C:\Users\Kam\Program Files\uTorrent\uTorrent.exe:µTorrent
"{9EAF064F-9D86-45DB-BAC2-DA73CF863C3C}"= TCP:C:\Users\Kam\Program Files\uTorrent\uTorrent.exe:µTorrent

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R3 yukonwlh;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk60x86.sys [2006-11-22 09:12]
S0 OemBiosDevice;Royalty OEM Bios Extension;C:\Windows\system32\drivers\royal.sys [2008-02-26 19:43]
S3 Steam Client Service;Steam Client Service;C:\Program Files\Common Files\Steam\SteamService.exe [2008-06-20 19:47]
S3 wampapache;wampapache;"c:\wamp\apache2\bin\httpd.exe" -k runservice []
S3 wampmysqld;wampmysqld;c:\wamp\mysql\bin\mysqld-nt.exe [2007-05-04 11:00]
S4 msvsmon80;Débogueur distant Visual Studio 2005;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 []

.
Contenu du dossier 'Scheduled Tasks/Tâches planifiées'
"2008-06-29 20:35:16 C:\Windows\Tasks\User_Feed_Synchronization-{B7CEC17B-CBA9-45EB-9DF9-EDE0881783FD}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-30 12:13:51
Windows 6.0.6000 NTFS

Balayage processus cachés ...

Balayage caché autostart entries ...

Balayage des fichiers cachés ...

Scan terminé avec succès
Les fichiers cachés: 0

**************************************************************************
.
Temps d'accomplissement: 2008-06-30 12:15:13
ComboFix-quarantined-files.txt 2008-06-30 10:15:10
ComboFix2.txt 2008-06-27 17:37:38
ComboFix3.txt 2008-06-26 23:26:47

Pre-Run: 9,898,708,992 octets libres
Post-Run: 9,784,975,360 octets libres

433



I'm doing the Kaspersky scan, so I'll post it when it's done, with a fresh HijackThis scan. Thank you for your advice :)

Altaic
2008-06-30, 21:08
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, June 30, 2008 8:05:57 PM
Operating System: Microsoft Windows Vista Professional, (Build 6000)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 30/06/2008
Kaspersky Anti-Virus database records: 898413
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\


Scan Statistics:
Total number of scanned objects: 197941
Number of viruses found: 3
Number of infected objects: 10
Number of suspicious objects: 0
Duration of the scan process: 02:32:19

Infected Object Name / Virus Name / Last Action
C:\Boot\BCD Object is locked skipped
C:\Boot\BCD.LOG Object is locked skipped
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\45ed61ed476512599e4f9c655cbe59ba_7dc9ace2-4bf5-4dd5-aa54-2fa3a5285d73 Object is locked skipped
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\b32c9f941b295fcd472ede6296898b37_7dc9ace2-4bf5-4dd5-aa54-2fa3a5285d73 Object is locked skipped
C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.124.Crwl Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.124.gthr Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSStmp.log Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010001.ci Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010001.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010001.wsb Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010002.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010003.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010004.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010005.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010006.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010007.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000A.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000B.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000E.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010012.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010016.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010017.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010018.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010019.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001001A.wid Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\INDEX.000 Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.000 Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\Used0000.000 Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.000 Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.chk1.gthr Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.chk2.gthr Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.Ntfy2060.gthr Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\tmp.edb Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc\Ntf5C04.tmp Object is locked skipped
C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc\Ntf5C05.tmp Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\Users\Kam\AppData\Local\Ahead\Nero Home\bl.db Object is locked skipped
C:\Users\Kam\AppData\Local\Ahead\Nero Home\is2.db Object is locked skipped
C:\Users\Kam\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT Object is locked skipped
C:\Users\Kam\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db Object is locked skipped
C:\Users\Kam\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat Object is locked skipped
C:\Users\Kam\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008063020080701\index.dat Object is locked skipped
C:\Users\Kam\AppData\Local\Microsoft\Windows\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Users\Kam\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Users\Kam\AppData\Local\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Users\Kam\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1 Object is locked skipped
C:\Users\Kam\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2 Object is locked skipped
C:\Users\Kam\AppData\Local\Microsoft\Windows\UsrClass.dat{89b105c8-e224-11dc-aafd-001a4d74dd77}.TM.blf Object is locked skipped
C:\Users\Kam\AppData\Local\Microsoft\Windows\UsrClass.dat{89b105c8-e224-11dc-aafd-001a4d74dd77}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Users\Kam\AppData\Local\Microsoft\Windows\UsrClass.dat{89b105c8-e224-11dc-aafd-001a4d74dd77}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Users\Kam\AppData\Local\Microsoft\Windows Sidebar\Settings.ini Object is locked skipped
C:\Users\Kam\AppData\Local\Mozilla\Firefox\Profiles\w72y1i4a.default\Cache\_CACHE_001_ Object is locked skipped
C:\Users\Kam\AppData\Local\Mozilla\Firefox\Profiles\w72y1i4a.default\Cache\_CACHE_002_ Object is locked skipped
C:\Users\Kam\AppData\Local\Mozilla\Firefox\Profiles\w72y1i4a.default\Cache\_CACHE_003_ Object is locked skipped
C:\Users\Kam\AppData\Local\Mozilla\Firefox\Profiles\w72y1i4a.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Users\Kam\AppData\Local\Mozilla\Firefox\Profiles\w72y1i4a.default\urlclassifier3.sqlite Object is locked skipped
C:\Users\Kam\AppData\Local\Temp\FXSAPIDebugLogFile.txt Object is locked skipped
C:\Users\Kam\AppData\Local\Temp\~DF7817.tmp Object is locked skipped
C:\Users\Kam\AppData\Roaming\MailFrontier\ASD.log Object is locked skipped
C:\Users\Kam\AppData\Roaming\Microsoft\Windows\Cookies\index.dat Object is locked skipped
C:\Users\Kam\AppData\Roaming\Mozilla\Firefox\Profiles\w72y1i4a.default\cert8.db Object is locked skipped
C:\Users\Kam\AppData\Roaming\Mozilla\Firefox\Profiles\w72y1i4a.default\content-prefs.sqlite Object is locked skipped
C:\Users\Kam\AppData\Roaming\Mozilla\Firefox\Profiles\w72y1i4a.default\cookies.sqlite Object is locked skipped
C:\Users\Kam\AppData\Roaming\Mozilla\Firefox\Profiles\w72y1i4a.default\downloads.sqlite Object is locked skipped
C:\Users\Kam\AppData\Roaming\Mozilla\Firefox\Profiles\w72y1i4a.default\formhistory.sqlite Object is locked skipped
C:\Users\Kam\AppData\Roaming\Mozilla\Firefox\Profiles\w72y1i4a.default\key3.db Object is locked skipped
C:\Users\Kam\AppData\Roaming\Mozilla\Firefox\Profiles\w72y1i4a.default\parent.lock Object is locked skipped
C:\Users\Kam\AppData\Roaming\Mozilla\Firefox\Profiles\w72y1i4a.default\permissions.sqlite Object is locked skipped
C:\Users\Kam\AppData\Roaming\Mozilla\Firefox\Profiles\w72y1i4a.default\places.sqlite Object is locked skipped
C:\Users\Kam\AppData\Roaming\Mozilla\Firefox\Profiles\w72y1i4a.default\places.sqlite-journal Object is locked skipped
C:\Users\Kam\AppData\Roaming\Mozilla\Firefox\Profiles\w72y1i4a.default\places.sqlite-stmtjrnl Object is locked skipped
C:\Users\Kam\AppData\Roaming\Mozilla\Firefox\Profiles\w72y1i4a.default\search.sqlite Object is locked skipped
C:\Users\Kam\NTUSER.DAT Object is locked skipped
C:\Users\Kam\ntuser.dat.LOG1 Object is locked skipped
C:\Users\Kam\ntuser.dat.LOG2 Object is locked skipped
C:\Users\Kam\NTUSER.DAT{0f69446d-6a70-11db-8eb3-985e31beb686}.TM.blf Object is locked skipped
C:\Users\Kam\NTUSER.DAT{0f69446d-6a70-11db-8eb3-985e31beb686}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Users\Kam\NTUSER.DAT{0f69446d-6a70-11db-8eb3-985e31beb686}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\CSC\v2.0.6\pq Object is locked skipped
C:\Windows\Debug\netlogon.log Object is locked skipped
C:\Windows\Debug\PASSWD.LOG Object is locked skipped
C:\Windows\Debug\sam.log Object is locked skipped
C:\Windows\Debug\WIA\wiatrace.log Object is locked skipped
C:\Windows\Internet Logs\AKIRA.ldb Object is locked skipped
C:\Windows\Internet Logs\fwdbglog.txt Object is locked skipped
C:\Windows\Internet Logs\fwpktlog.txt Object is locked skipped
C:\Windows\Internet Logs\IAMDB.RDB Object is locked skipped
C:\Windows\Internet Logs\tvDebug.log Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1 Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG2 Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{0f694465-6a70-11db-8eb3-985e31beb686}.TM.blf Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{0f694465-6a70-11db-8eb3-985e31beb686}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{0f694465-6a70-11db-8eb3-985e31beb686}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1 Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG2 Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{0f694461-6a70-11db-8eb3-985e31beb686}.TM.blf Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{0f694461-6a70-11db-8eb3-985e31beb686}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{0f694461-6a70-11db-8eb3-985e31beb686}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 Object is locked skipped
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 Object is locked skipped
C:\Windows\System32\catroot2\edb.log Object is locked skipped
C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb Object is locked skipped
C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb Object is locked skipped
C:\Windows\System32\config\COMPONENTS Object is locked skipped
C:\Windows\System32\config\COMPONENTS.LOG1 Object is locked skipped
C:\Windows\System32\config\COMPONENTS.LOG2 Object is locked skipped
C:\Windows\System32\config\DEFAULT Object is locked skipped
C:\Windows\System32\config\DEFAULT.LOG1 Object is locked skipped
C:\Windows\System32\config\DEFAULT.LOG2 Object is locked skipped
C:\Windows\System32\config\RegBack\COMPONENTS Object is locked skipped
C:\Windows\System32\config\RegBack\DEFAULT Object is locked skipped
C:\Windows\System32\config\RegBack\SAM Object is locked skipped
C:\Windows\System32\config\RegBack\SECURITY Object is locked skipped
C:\Windows\System32\config\RegBack\SOFTWARE Object is locked skipped
C:\Windows\System32\config\RegBack\SYSTEM Object is locked skipped
C:\Windows\System32\config\SAM Object is locked skipped
C:\Windows\System32\config\SAM.LOG1 Object is locked skipped
C:\Windows\System32\config\SAM.LOG2 Object is locked skipped
C:\Windows\System32\config\SECURITY Object is locked skipped
C:\Windows\System32\config\SECURITY.LOG1 Object is locked skipped
C:\Windows\System32\config\SECURITY.LOG2 Object is locked skipped
C:\Windows\System32\config\SOFTWARE Object is locked skipped
C:\Windows\System32\config\SOFTWARE.LOG1 Object is locked skipped
C:\Windows\System32\config\SOFTWARE.LOG2 Object is locked skipped
C:\Windows\System32\config\SYSTEM Object is locked skipped
C:\Windows\System32\config\SYSTEM.LOG1 Object is locked skipped
C:\Windows\System32\config\SYSTEM.LOG2 Object is locked skipped
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat Object is locked skipped
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TM.blf Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\System32\drivers\fidbox.dat Object is locked skipped
C:\Windows\System32\drivers\fidbox.idx Object is locked skipped
C:\Windows\System32\drivers\sptd.sys Object is locked skipped
C:\Windows\System32\LogFiles\Scm\SCM.EVM Object is locked skipped
C:\Windows\System32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\Windows\System32\Msdtc\KtmRmTm.blf Object is locked skipped
C:\Windows\System32\Msdtc\KtmRmTmContainer00000000000000000001 Object is locked skipped
C:\Windows\System32\Msdtc\KtmRmTmContainer00000000000000000002 Object is locked skipped
C:\Windows\System32\spool\SpoolerETW.etl Object is locked skipped
C:\Windows\System32\wbem\Logs\WMITracing.log Object is locked skipped
C:\Windows\System32\wbem\Repository\INDEX.BTR Object is locked skipped
C:\Windows\System32\wbem\Repository\MAPPING1.MAP Object is locked skipped
C:\Windows\System32\wbem\Repository\MAPPING2.MAP Object is locked skipped
C:\Windows\System32\wbem\Repository\OBJECTS.DATA Object is locked skipped
C:\Windows\System32\WDI\LogFiles\WdiContextLog.etl.001 Object is locked skipped
C:\Windows\System32\wfp\wfpdiag.etl Object is locked skipped
C:\Windows\System32\winevt\Logs\Application.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\DFS Replication.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\HardwareEvents.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Internet Explorer.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Key Management Service.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Media Center.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-International%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-LanguagePackSetup%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkAccessProtection%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReadyBoost%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReliabilityAnalysisComponent%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\ODiag.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\OSession.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Security.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Setup.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\System.evtx Object is locked skipped
C:\Windows\Tasks\SCHEDLGU.TXT Object is locked skipped
C:\Windows\TEMP\ZLT014ee.TMP Object is locked skipped
C:\Windows\TEMP\ZLT0188b.TMP Object is locked skipped
C:\Windows\WindowsUpdate.log Object is locked skipped
E:\Cours\Linux crack Windows.zip/Linux crack Windows/ophcrack-win32-installer-2.2.exe/file36 Infected: not-a-virus:PSWTool.Win32.PWDump.2 skipped
E:\Cours\Linux crack Windows.zip/Linux crack Windows/ophcrack-win32-installer-2.2.exe/file37 Infected: not-a-virus:PSWTool.Win32.PWDump.2 skipped
E:\Cours\Linux crack Windows.zip/Linux crack Windows/ophcrack-win32-installer-2.2.exe/file55 Infected: not-a-virus:PSWTool.Win32.PWDump.4 skipped
E:\Cours\Linux crack Windows.zip/Linux crack Windows/ophcrack-win32-installer-2.2.exe/file56 Infected: not-a-virus:PSWTool.Win32.PWDump.4 skipped
E:\Cours\Linux crack Windows.zip/Linux crack Windows/ophcrack-win32-installer-2.2.exe Infected: not-a-virus:PSWTool.Win32.PWDump.4 skipped
E:\Cours\Linux crack Windows.zip ZIP: infected - 5 skipped
E:\Download\Atomix Virtual DJ Pro 5.0 R6. + Plugin Pack + Skin Pack + Serial.rar/Atomix Virtual DJ Pro 5.0 R6. + Plugin Pack + Skin Pack + Serial/install_virtualdj_v5.0.rev6.exe/data0000.cab/is202010.exe Infected: Trojan.Win32.Monder.gen skipped
E:\Download\Atomix Virtual DJ Pro 5.0 R6. + Plugin Pack + Skin Pack + Serial.rar/Atomix Virtual DJ Pro 5.0 R6. + Plugin Pack + Skin Pack + Serial/install_virtualdj_v5.0.rev6.exe/data0000.cab Infected: Trojan.Win32.Monder.gen skipped
E:\Download\Atomix Virtual DJ Pro 5.0 R6. + Plugin Pack + Skin Pack + Serial.rar/Atomix Virtual DJ Pro 5.0 R6. + Plugin Pack + Skin Pack + Serial/install_virtualdj_v5.0.rev6.exe Infected: Trojan.Win32.Monder.gen skipped
E:\Download\Atomix Virtual DJ Pro 5.0 R6. + Plugin Pack + Skin Pack + Serial.rar RAR: infected - 3 skipped
E:\LiberKey\Apps\DShutdown\DShutdown.exe Object is locked skipped
E:\LiberKey\Apps\Etoolz\eToolz.exe Object is locked skipped
E:\LiberKey\Apps\OpenedFilesView\OpenedFilesView.exe Object is locked skipped
E:\LiberKey\Apps\RegScanner\RegScanner.exe Object is locked skipped

Scan process completed.

Altaic
2008-06-30, 21:12
Sorry for the multiple posts, but I think it's clearer like this :s

Here is the fresh HijackThis scan after ComboFix and Kaspersky...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:11:36, on 30/06/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16386)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Creative\SBAudigy\Volume Panel\VolPanlu.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = "http://www.daemon-search.com/startpage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Programme d'aide de l'Assistant de connexion Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\SBAudigy\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [UpdReg] C:\Windows\UpdReg.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe"
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVICE RÉSEAU')
O4 - Startup: OneNote 2007 - Capture d'écran et lancement.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: &Télécharger avec NetTransport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Tout t&élécharger avec NetTransport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O9 - Extra button: Envoyer à OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: &Envoyer à OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.nl/scanforvirus-en/kavwebscan_unicode.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = alta.home
O17 - HKLM\Software\..\Telephony: DomainName = alta.home
O17 - HKLM\System\CCS\Services\Tcpip\..\{46F53741-6F7A-40C8-B383-D850DB83FAD9}: NameServer = 192.168.0.1,212.27.53.252,212.27.54.252
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = alta.home
O17 - HKLM\System\CS1\Services\Tcpip\..\{46F53741-6F7A-40C8-B383-D850DB83FAD9}: NameServer = 192.168.0.1,212.27.53.252,212.27.54.252
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\Windows\system32\PnkBstrB.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\apache2\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe

--
End of file - 6192 bytes


So if you see something weird, tell me. Thx =)

Blade81
2008-06-30, 21:25
Hi


Open notepad and copy/paste the text in the quotebox below into it:



File::
C:\Users\Public\keygen.exe
E:\Cours\Linux crack Windows.zip
E:\Download\Atomix Virtual DJ Pro 5.0 R6. + Plugin Pack + Skin Pack + Serial.rar

Folder::
C:\VundoFix Backups



Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log & a fresh hjt log.


Combofix should never take more than 20 minutes, including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

Altaic
2008-06-30, 21:44
Woah, already answered? =)
So as usual I did what you said, and here are the logs


ComboFix 08-06-20.4 - Kam 2008-06-30 20:33:48.4 - NTFSx86
Microsoft® Windows Vista™ Édition Intégrale 6.0.6000.0.1252.1.1036.18.872 [GMT 2:00]
Endroit: C:\Users\Kam\Desktop\ComboFix.exe
Command switches used :: C:\Users\Kam\Desktop\CFScript.txt
* Création d'un nouveau point de restauration
* Resident AV is active


FILE ::
C:\Users\Public\keygen.exe
E:\Cours\Linux crack Windows.zip
E:\Download\Atomix Virtual DJ Pro 5.0 R6. + Plugin Pack + Skin Pack + Serial.rar
.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Users\Public\keygen.exe
E:\Cours\Linux crack Windows.zip
E:\Download\Atomix Virtual DJ Pro 5.0 R6. + Plugin Pack + Skin Pack + Serial.rar

.
((((((((((((((((((((((((((((( Fichiers créés 2008-05-28 to 2008-06-30 ))))))))))))))))))))))))))))))))))))
.

2008-06-30 12:25 . 2008-06-30 12:26 210,642,717 --a------ C:\Windows\MEMORY.DMP
2008-06-30 12:23 . 2008-06-30 12:23 <REP> d-------- C:\Windows\System32\Kaspersky Lab
2008-06-30 12:23 . 2008-06-30 12:23 <REP> d-------- C:\Users\All Users\Kaspersky Lab
2008-06-30 12:23 . 2008-06-30 12:23 <REP> d-------- C:\ProgramData\Kaspersky Lab
2008-06-29 17:01 . 2008-06-29 17:02 46,634,384 --a------ C:\Users\Public\zaSUITE_Setup_fr.exe
2008-06-29 16:40 . 2008-06-29 16:40 <REP> d-------- C:\Users\Alta\AppData\Roaming\MailFrontier
2008-06-29 14:51 . 2008-06-29 14:51 <REP> d-------- C:\Users\All Users\MailFrontier
2008-06-29 14:51 . 2008-06-29 14:51 <REP> d-------- C:\ProgramData\MailFrontier
2008-06-29 14:04 . 2008-06-29 14:04 <REP> d-------- C:\Users\Kam\AppData\Roaming\MailFrontier
2008-06-28 02:24 . 2008-06-30 16:24 805 --a------ C:\rollback.ini
2008-06-28 01:24 . 2008-06-28 01:24 <REP> d-------- C:\Windows\System32\Adobe
2008-06-27 21:15 . 2008-06-30 20:38 8,472,608 --ahs---- C:\Windows\System32\drivers\fidbox.dat
2008-06-27 21:15 . 2008-06-29 14:48 67,292 --ahs---- C:\Windows\System32\drivers\fidbox.idx
2008-06-27 20:55 . 2008-03-03 15:05 75,248 --a------ C:\Windows\zllsputility.exe
2008-06-27 20:55 . 2008-03-03 15:05 54,672 --a------ C:\Windows\System32\vsutil_loc040c.dll
2008-06-27 20:55 . 2008-03-03 15:05 42,384 --a------ C:\Windows\zllsputility_loc040c.dll
2008-06-27 20:55 . 2008-03-03 15:05 21,904 --a------ C:\Windows\System32\imsinstall_loc040c.dll
2008-06-27 20:55 . 2008-03-03 15:05 17,808 --a------ C:\Windows\System32\imslsp_install_loc040c.dll
2008-06-27 20:55 . 2008-06-27 20:55 5,571 --a------ C:\Windows\System32\vsconfig.xml
2008-06-27 20:54 . 2008-06-27 20:54 <REP> d-------- C:\Users\All Users\CheckPoint
2008-06-27 20:54 . 2008-06-27 20:54 <REP> d-------- C:\ProgramData\CheckPoint
2008-06-27 20:54 . 2008-06-27 20:54 <REP> d-------- C:\Program Files\Zone Labs
2008-06-27 20:54 . 2008-03-03 15:05 1,086,952 --a------ C:\Windows\System32\zpeng24.dll
2008-06-27 20:54 . 2008-03-03 15:06 279,440 --a------ C:\Windows\System32\drivers\~GLH0014.TMP
2008-06-27 20:53 . 2008-06-29 11:42 <REP> d-------- C:\Windows\System32\ZoneLabs
2008-06-27 20:53 . 2008-06-27 20:53 803,840 --a------ C:\Windows\System32\drivers\tcpip.sys
2008-06-27 20:53 . 2008-06-30 12:26 354,388 --ah----- C:\Windows\System32\drivers\vsconfig.xml
2008-06-27 20:53 . 2008-03-03 15:06 279,440 --------- C:\Windows\System32\drivers\vsdatant.sys
2008-06-27 20:53 . 2008-06-27 20:53 217,272 --a------ C:\Windows\System32\drivers\netio.sys
2008-06-27 20:53 . 2008-06-27 20:53 167,424 --a------ C:\Windows\System32\tcpipcfg.dll
2008-06-27 20:53 . 2008-06-27 20:53 22,016 --a------ C:\Windows\System32\netiougc.exe
2008-06-27 20:52 . 2008-06-30 20:37 <REP> d-------- C:\Windows\Internet Logs
2008-06-27 01:14 . 2008-06-27 01:14 <REP> d-------- C:\Program Files\Trend Micro
2008-06-23 21:19 . 2008-06-23 21:19 <REP> dr------- C:\Users\Alta\Searches
2008-06-23 21:18 . 2008-06-23 21:18 <REP> dr------- C:\Users\Alta\Contacts
2008-06-23 21:17 . 2008-06-23 21:19 <REP> dr------- C:\Users\Alta\Videos
2008-06-23 21:17 . 2008-06-23 21:19 <REP> dr------- C:\Users\Alta\Saved Games
2008-06-23 21:17 . 2008-06-23 21:19 <REP> dr------- C:\Users\Alta\Pictures
2008-06-23 21:17 . 2008-06-23 21:19 <REP> dr------- C:\Users\Alta\Music
2008-06-23 21:17 . 2008-06-23 21:19 <REP> dr------- C:\Users\Alta\Links
2008-06-23 21:17 . 2008-06-23 21:19 <REP> dr------- C:\Users\Alta\Downloads
2008-06-23 21:17 . 2008-06-23 21:19 <REP> dr------- C:\Users\Alta\Documents
2008-06-23 21:17 . 2006-11-02 14:35 <REP> d-------- C:\Users\Alta\AppData\Roaming\Media Center Programs
2008-06-23 21:17 . 2008-06-23 21:19 <REP> d--h----- C:\Users\Alta\AppData
2008-06-23 21:17 . 2008-06-23 21:19 <REP> d-------- C:\Users\Alta
2008-06-23 19:47 . 2008-06-23 19:47 <REP> d-------- C:\Program Files\RealVNC
2008-06-19 19:35 . 2008-06-19 19:35 <REP> d-------- C:\inetpub
2008-06-19 18:59 . 2008-06-19 18:59 <REP> d-------- C:\Users\Kam\AppData\Roaming\PeerNetworking
2008-06-17 20:52 . 2008-06-17 21:09 <REP> d-------- C:\Program Files\SopCast
2008-06-17 20:28 . 2008-06-17 20:28 <REP> d-------- C:\Program Files\FreePCvcR-0.5
2008-06-16 18:10 . 2008-06-16 18:10 <REP> d-------- C:\Users\All Users\Adobe
2008-06-16 14:30 . 2008-06-16 14:30 <REP> d-------- C:\Users\All Users\Codemasters
2008-06-16 14:30 . 2008-06-16 14:30 <REP> d-------- C:\ProgramData\Codemasters
2008-06-16 14:24 . 2008-06-16 14:24 <REP> d-------- C:\Program Files\OpenAL
2008-06-16 14:24 . 2008-04-28 15:53 805,400 -ra------ C:\Windows\System32\tmpCA3A.tmp
2008-06-16 14:24 . 2008-04-28 15:53 805,400 -ra------ C:\Windows\System32\tmpC96E.tmp
2008-06-13 08:44 . 2008-06-13 08:44 <REP> d-------- C:\Temp\SQL Server 2005 Developer Edition - 32-bit - CD2 (Francais)
2008-06-13 08:01 . 2008-06-13 08:01 <REP> d-------- C:\Temp\SQL Server 2005 Developer Edition - 32-bit - CD1 (Francais)
2008-06-13 07:28 . 2008-06-13 08:44 <REP> d-------- C:\Temp
2008-06-11 19:41 . 2008-06-11 19:44 <REP> d-------- C:\Program Files\ControlMK
2008-06-11 19:29 . 2008-06-11 19:29 98,304 --a------ C:\Windows\System32\CmdLineExt.dll
2008-06-06 20:18 . 2008-06-06 20:18 <REP> d-------- C:\Windows\nvidia icons
2008-06-05 22:06 . 2008-06-05 22:06 <REP> d-------- C:\Program Files\Alwil Software
2008-06-05 21:13 . 2008-03-05 15:56 3,786,760 --a------ C:\Windows\System32\D3DX9_37.dll
2008-06-05 21:13 . 2008-03-05 15:56 1,420,824 --a------ C:\Windows\System32\D3DCompiler_37.dll
2008-06-05 21:13 . 2008-03-05 16:03 479,752 --a------ C:\Windows\System32\XAudio2_0.dll
2008-06-05 21:13 . 2008-02-05 23:07 462,864 --a------ C:\Windows\System32\d3dx10_37.dll
2008-06-05 21:13 . 2008-03-05 16:03 238,088 --a------ C:\Windows\System32\xactengine3_0.dll
2008-06-05 21:13 . 2008-03-05 16:00 25,608 --a------ C:\Windows\System32\X3DAudio1_3.dll
2008-06-05 00:14 . 2008-06-27 00:00 54,156 --ah----- C:\Windows\QTFont.qfn
2008-06-05 00:14 . 2008-06-05 00:14 1,409 --a------ C:\Windows\QTFont.for
2008-06-04 20:20 . 2008-06-04 20:20 <REP> d-------- C:\Program Files\Native Instruments
2008-06-01 23:38 . 2008-06-01 23:38 80 --a------ C:\plug_in.ini
2008-05-30 22:54 . 2008-05-30 22:54 <REP> d-------- C:\Program Files\Common Files\BioWare
2008-05-28 23:28 . 2008-05-28 23:28 <REP> d-------- C:\Program Files\Common Files\INCA Shared
2008-05-28 23:26 . 2003-07-19 17:17 5,174 --a------ C:\Windows\System32\nppt9x.vxd
2008-05-28 23:26 . 2005-01-03 08:43 4,682 --a------ C:\Windows\System32\npptNT2.sys
2008-05-28 19:28 . 2008-06-25 00:03 <REP> d-------- C:\Program Files\Neffy
2008-05-25 02:59 . 2008-06-25 00:04 <REP> d-------- C:\Program Files\MixVibesPro6DEMO
2008-05-25 01:41 . 2008-05-25 01:41 <REP> d-------- C:\Users\Kam\AppData\Roaming\invibes
2008-05-25 01:41 . 2008-05-25 02:01 <REP> d-------- C:\Program Files\MixVibesDVS
2008-05-22 23:30 . 2008-05-22 23:30 <REP> d-------- C:\Users\Kam\AppData\Roaming\Media Player Classic
2008-05-22 23:30 . 2006-03-20 15:37 5,689,344 --a------ C:\Program Files\mplayerc.exe
2008-05-19 23:19 . 2008-05-19 23:19 <REP> d-------- C:\Windows\System32\AGEIA
2008-05-19 23:17 . 2008-05-19 23:17 <REP> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-18 18:49 . 2008-05-18 18:49 <REP> d-------- C:\Program Files\VirtualDJ
2008-05-16 07:37 . 2008-05-16 07:39 <REP> d-------- C:\Users\Kam\AppData\Roaming\Ableton
2008-05-16 07:37 . 2008-05-16 07:37 <REP> d-------- C:\Program Files\Ableton
2008-05-16 07:37 . 2008-03-14 13:22 1,060,864 --a------ C:\Windows\System32\MFC71.dll
2008-05-16 07:37 . 2008-03-14 13:22 499,712 --a------ C:\Windows\System32\msvcp71.dll
2008-05-16 07:37 . 2008-03-14 13:22 233,472 --a------ C:\Windows\System32\REX Shared Library.dll
2008-05-11 17:01 . 2008-05-11 17:01 0 --------- C:\Windows\WB.ini
2008-05-11 17:00 . 2008-05-11 17:00 29 --a------ C:\Windows\.wb4
2008-05-11 16:59 . 2008-05-11 16:59 <REP> d-------- C:\Program Files\Stardock
2008-05-11 16:59 . 2007-09-12 17:58 58,792 --------- C:\Windows\System32\wbload.dll
2008-05-11 16:59 . 2007-07-11 14:06 42,672 --------- C:\Windows\System32\wbsys.dll
2008-05-10 02:48 . 2008-05-19 19:22 917 --a------ C:\Windows\GTA-SA_Trn_Settings.ini
2008-05-10 01:51 . 2008-05-10 01:51 <REP> d-------- C:\Users\All Users\Syncrosoft
2008-05-10 01:51 . 2008-05-10 01:51 <REP> d-------- C:\ProgramData\Syncrosoft
2008-05-10 01:46 . 2007-08-01 15:58 765,952 --a------ C:\Windows\System32\SYNSOACC.dll
2008-05-10 01:46 . 2006-01-29 12:48 401,462 --a------ C:\Windows\System32\temp.000
2008-05-09 10:14 . 2008-05-09 10:14 2,337,865 --a------ C:\Windows\System32\pbsvc.exe
2008-05-09 10:14 . 2008-05-09 10:14 107,832 --a------ C:\Windows\System32\PnkBstrB.exe
2008-05-09 10:14 . 2008-05-09 10:14 66,872 --a------ C:\Windows\System32\PnkBstrA.exe
2008-05-09 10:14 . 2008-05-09 10:14 22,328 --a------ C:\Windows\System32\drivers\PnkBstrK.sys
2008-05-09 10:14 . 2008-05-09 10:14 22,328 --a------ C:\Users\Kam\AppData\Roaming\PnkBstrK.sys
2008-05-08 18:46 . 2008-05-08 18:46 53,248 --a------ C:\Windows\ipuninst.exe
2008-05-05 19:16 . 2008-05-05 19:16 <REP> d-------- C:\Program Files\Microsoft Silverlight

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-30 10:01 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-30 09:54 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
2008-06-30 09:53 --------- d-----w C:\Users\Kam\AppData\Roaming\uTorrent
2008-06-29 09:40 2,881,024 ----a-w C:\Windows\Internet Logs\xDB7242.tmp
2008-06-28 09:11 1,997,312 ----a-w C:\Windows\Internet Logs\xDBA295.tmp
2008-06-28 09:07 --------- d-----w C:\Program Files\PKR
2008-06-26 21:29 --------- d-----w C:\Users\Kam\AppData\Roaming\Hamachi
2008-06-24 22:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-24 22:24 --------- d-----w C:\ProgramData\Media Center Programs
2008-06-20 17:47 --------- d-----w C:\Program Files\Steam
2008-06-20 17:47 --------- d-----w C:\Program Files\Common Files\Steam
2008-06-16 16:10 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-16 12:24 444,952 ----a-w C:\Windows\System32\wrap_oal.dll
2008-06-16 12:24 109,080 ----a-w C:\Windows\System32\OpenAL32.dll
2008-06-07 11:04 --------- d-----w C:\ProgramData\NVIDIA
2008-05-28 21:22 --------- d-----w C:\Users\Kam\AppData\Roaming\skypePM
2008-05-28 21:22 --------- d-----w C:\Users\Kam\AppData\Roaming\Skype
2008-05-19 21:19 --------- d-----w C:\Program Files\AGEIA Technologies
2008-05-12 22:26 --------- d-----w C:\Users\Kam\AppData\Roaming\Winamp
2008-05-09 08:15 --------- d-----w C:\ProgramData\Ubisoft
2008-04-30 15:27 442,368 ----a-w C:\Windows\System32\NVUNINST.EXE
2008-04-29 13:21 --------- d-----w C:\ProgramData\TrackMania
2008-03-14 11:22 368,640 ----a-w C:\Windows\System32\rewire.dll
2008-03-13 20:27 32 ----a-w C:\Users\All Users\ezsid.dat
2008-03-13 20:27 32 ----a-w C:\ProgramData\ezsid.dat
2008-03-04 10:33 7,680 ----a-w C:\Windows\System32\ff_vfw.dll
2006-11-02 12:49 174 --sha-w C:\Program Files\desktop.ini
.

((((((((((((((((((((((((((((( snapshot_2008-06-30_12.14.31,49 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-30 10:01:58 67,584 --s-a-w C:\Windows\bootstat.dat
+ 2008-06-30 10:25:45 67,584 --s-a-w C:\Windows\bootstat.dat
- 2008-06-30 10:01:59 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-06-30 10:25:46 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2008-06-30 10:01:59 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2008-06-30 10:25:46 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-06-30 10:03:56 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-06-30 10:28:05 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-06-30 10:03:51 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-06-30 10:27:59 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-06-30 10:27:59 262,144 ---ha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
- 2008-06-30 10:02:05 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-06-30 10:26:10 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-06-30 10:02:05 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-06-30 10:26:10 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-06-30 10:02:05 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-06-30 10:26:15 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2005-05-24 10:27:16 213,048 ----a-w C:\Windows\System32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 13:47:20 94,208 ----a-w C:\Windows\System32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 13:49:54 950,272 ----a-w C:\Windows\System32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
- 2008-06-30 10:06:59 111,384 ----a-w C:\Windows\System32\perfc009.dat
+ 2008-06-30 10:32:00 111,384 ----a-w C:\Windows\System32\perfc009.dat
- 2008-06-30 10:06:59 127,210 ----a-w C:\Windows\System32\perfc00C.dat
+ 2008-06-30 10:32:00 127,210 ----a-w C:\Windows\System32\perfc00C.dat
- 2008-06-30 10:06:59 639,836 ----a-w C:\Windows\System32\perfh009.dat
+ 2008-06-30 10:32:00 639,836 ----a-w C:\Windows\System32\perfh009.dat
- 2008-06-30 10:06:59 725,342 ----a-w C:\Windows\System32\perfh00C.dat
+ 2008-06-30 10:32:00 725,342 ----a-w C:\Windows\System32\perfh00C.dat
- 2008-06-30 10:04:14 7,240 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1476174540-626848999-1512591551-1000_UserData.bin
+ 2008-06-30 10:28:20 7,296 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1476174540-626848999-1512591551-1000_UserData.bin
- 2008-06-30 10:04:14 57,490 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-06-30 10:28:20 57,840 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-06-30 10:09:05 346,840 ----a-w C:\Windows\System32\ZoneLabs\avsys\bases\sfdb.dat
+ 2008-06-30 14:24:38 514,344 ----a-w C:\Windows\System32\ZoneLabs\avsys\bases\sfdb.dat
- 2008-06-28 13:11:19 3,676,672 ----a-w C:\Windows\System32\ZoneLabs\zlqrtdb.dat
+ 2008-06-30 18:33:51 4,204,544 ----a-w C:\Windows\System32\ZoneLabs\zlqrtdb.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2006-11-02 14:33 1196032]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 12:34 5724184]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2007-12-15 12:02 482760]
"PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" [2005-09-18 19:40 1421824]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-10-23 14:18 202024]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 14:33 201728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VolPanel"="C:\Program Files\Creative\SBAudigy\Volume Panel\VolPanlu.exe" [2007-02-28 18:50 180224]
"UpdReg"="C:\Windows\UpdReg.EXE" [2000-05-11 02:00 90112]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-02-01 00:13 385024]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 01:47 31016]
"NWEReboot"="" []
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 14:57 153136]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2008-05-03 05:46 13535776]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2008-05-03 05:46 92704]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-03 15:05 959976]

C:\Users\Kam\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 - Capture d'‚cran et lancement.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 21:24:54 98632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2006-11-02 14:32 1004136 C:\Program Files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1476174540-626848999-1512591551-1000]
"EnableNotificationsRef"=dword:00000002

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{8A28646F-4E01-46F6-B38A-A9D73CC81B74}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{5898347B-BAC4-4FCD-8D18-CA17597C9581}"= UDP:C:\Users\Kam\Program Files\uTorrent\uTorrent.exe:µTorrent
"{820C6E9B-D402-40F6-B4AF-50B71F9CC680}"= TCP:C:\Users\Kam\Program Files\uTorrent\uTorrent.exe:µTorrent
"{CBE757CB-616D-4F62-A70C-4704AB617B21}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{CD40172F-5D40-4F62-A740-AB74A724C4D8}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{D79D67DF-9AFB-432F-A447-5D5B430F0A85}"= UDP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{A2FC97D3-E7B1-4105-A32D-D45440330076}"= TCP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{C4E1BCEF-9151-401E-96CA-9209D3422393}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{58EAED03-21AB-474D-8822-690CA2897AE0}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{09159C6A-5FDC-4F0C-BFAA-C48539B688DB}"= UDP:C:\Program Files\Winamp Remote\bin\Orb.exe:Orb
"{053F3181-993A-49E1-A8C6-855CBC9E2471}"= TCP:C:\Program Files\Winamp Remote\bin\Orb.exe:Orb
"{E42A7C96-5641-49D5-8CD0-3349857C16D4}"= UDP:C:\Program Files\Winamp Remote\bin\OrbTray.exe:OrbTray
"{D1464063-E27B-4407-9466-3231094A313E}"= TCP:C:\Program Files\Winamp Remote\bin\OrbTray.exe:OrbTray
"{EAFA3CE9-3D1D-43FE-A493-2713D2E9B7FF}"= UDP:C:\Program Files\Winamp Remote\bin\OrbIR.exe:OrbIR
"{5425AABB-79CD-449E-9106-4E718670C3EA}"= TCP:C:\Program Files\Winamp Remote\bin\OrbIR.exe:OrbIR
"{3E47DFFB-6098-437F-8433-7618BCAFA257}"= UDP:C:\Program Files\Winamp Remote\bin\OrbStreamerClient.exe:Orb Stream Client
"{1214C92C-99BE-445C-9957-6785F4C61311}"= TCP:C:\Program Files\Winamp Remote\bin\OrbStreamerClient.exe:Orb Stream Client
"{C6308C97-D149-4488-BBAC-DDC1DD994BE1}"= UDP:E:\Jeux\Assassin's Creed\AssassinsCreed_Dx9.exe:Assassin's Creed Dx9
"{A8F75539-7A81-4E31-A72A-3F404BFD8CDD}"= TCP:E:\Jeux\Assassin's Creed\AssassinsCreed_Dx9.exe:Assassin's Creed Dx9
"{A0106710-7D9D-4D84-8166-62BDF74952FE}"= UDP:E:\Jeux\Assassin's Creed\AssassinsCreed_Dx10.exe:Assassin's Creed Dx10
"{94C957DC-0E4D-496E-B624-715B5AE3AE4A}"= TCP:E:\Jeux\Assassin's Creed\AssassinsCreed_Dx10.exe:Assassin's Creed Dx10
"{9A64EC00-6C8D-4A21-8215-84136EFBED9F}"= UDP:E:\Jeux\Assassin's Creed\AssassinsCreed_Launcher.exe:Assassin's Creed Update
"{4DEF7AF2-91B6-4706-AF17-7C09F0B9042E}"= TCP:E:\Jeux\Assassin's Creed\AssassinsCreed_Launcher.exe:Assassin's Creed Update
"{1BE71697-242F-48D1-82E7-DA86319FE2EA}"= UDP:C:\Windows\System32\PnkBstrA.exe:PnkBstrA
"{BB628748-B55E-4F53-BEB9-44F2237344D2}"= TCP:C:\Windows\System32\PnkBstrA.exe:PnkBstrA
"{7DFA6FBB-82BB-402C-8B3E-D53188593827}"= UDP:C:\Windows\System32\PnkBstrB.exe:PnkBstrB
"{EF887A4E-97B3-4AC4-BB8A-2DD8D358B89A}"= TCP:C:\Windows\System32\PnkBstrB.exe:PnkBstrB
"{C699F350-3612-4202-9B55-78232E6427A6}"= UDP:E:\Jeux\Tom Clancy's Rainbow Six Vegas 2\Binaries\R6Vegas2_Game.exe:Tom Clancy's Rainbow Six Vegas 2
"{D7FA8B37-A0D3-4D18-9A07-04E30A5FC6F6}"= TCP:E:\Jeux\Tom Clancy's Rainbow Six Vegas 2\Binaries\R6Vegas2_Game.exe:Tom Clancy's Rainbow Six Vegas 2
"{196C909A-775D-4CB9-B54D-8D146B928D34}"= UDP:E:\Jeux\Tom Clancy's Rainbow Six Vegas 2\Binaries\R6Vegas2_Launcher.exe:Tom Clancy's Rainbow Six Vegas 2 Update
"{DD5E673E-7606-4CB7-9663-35FB16917F2B}"= TCP:E:\Jeux\Tom Clancy's Rainbow Six Vegas 2\Binaries\R6Vegas2_Launcher.exe:Tom Clancy's Rainbow Six Vegas 2 Update
"{D0D19E01-F14D-493B-9970-4E95000C3A21}"= Disabled:UDP:C:\Program Files\Skype\Phone\Skype.exe:Skype
"{EEDB13F6-13F1-4994-9A86-2D8E2D4C7A19}"= Disabled:TCP:C:\Program Files\Skype\Phone\Skype.exe:Skype
"{403AA6F0-2460-4ABB-B730-8A9427A57AB1}"= UDP:E:\Jeux\Mass Effect\Binaries\MassEffect.exe:Mass Effect Game
"{BC273D03-53FB-4A43-97A2-76FD6FC03661}"= TCP:E:\Jeux\Mass Effect\Binaries\MassEffect.exe:Mass Effect Game
"{AFC30DDC-8259-4F6F-BBE6-590A58575486}"= UDP:E:\Jeux\Mass Effect\MassEffectLauncher.exe:Mass Effect Launcher
"{985AB388-02AF-4038-AF38-A0285AB8BB20}"= TCP:E:\Jeux\Mass Effect\MassEffectLauncher.exe:Mass Effect Launcher
"{6225606B-80AD-4DCF-86F4-4A67A812AE9B}"= UDP:E:\Jeux\GRID\GRID.exe:GRID
"{2D6A54B6-112D-46FD-B44D-4AE4952B8A7E}"= TCP:E:\Jeux\GRID\GRID.exe:GRID
"{94B98E1E-003E-4EFA-AC78-9BF8DFC6E469}"= UDP:C:\Users\Kam\Program Files\uTorrent\uTorrent.exe:µTorrent
"{68DDD87B-2E97-4F54-8E31-E92978EF261E}"= TCP:C:\Users\Kam\Program Files\uTorrent\uTorrent.exe:µTorrent
"{92CF4D8E-22A0-4E0B-BA30-2B2D7D996926}"= UDP:C:\Users\Kam\Program Files\uTorrent\uTorrent.exe:µTorrent
"{9EAF064F-9D86-45DB-BAC2-DA73CF863C3C}"= TCP:C:\Users\Kam\Program Files\uTorrent\uTorrent.exe:µTorrent

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R3 yukonwlh;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk60x86.sys [2006-11-22 09:12]
S0 OemBiosDevice;Royalty OEM Bios Extension;C:\Windows\system32\drivers\royal.sys [2008-02-26 19:43]
S3 Steam Client Service;Steam Client Service;C:\Program Files\Common Files\Steam\SteamService.exe [2008-06-20 19:47]
S3 wampapache;wampapache;"c:\wamp\apache2\bin\httpd.exe" -k runservice []
S3 wampmysqld;wampmysqld;c:\wamp\mysql\bin\mysqld-nt.exe [2007-05-04 11:00]
S4 msvsmon80;Débogueur distant Visual Studio 2005;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 []

.
Contenu du dossier 'Scheduled Tasks/Tâches planifiées'
"2008-06-29 20:35:16 C:\Windows\Tasks\User_Feed_Synchronization-{B7CEC17B-CBA9-45EB-9DF9-EDE0881783FD}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-30 20:39:16
Windows 6.0.6000 NTFS

Balayage processus cachés ...

Balayage caché autostart entries ...

Balayage des fichiers cachés ...

Scan terminé avec succès
Les fichiers cachés: 0

**************************************************************************
.
Temps d'accomplissement: 2008-06-30 20:41:36
ComboFix-quarantined-files.txt 2008-06-30 18:40:32
ComboFix2.txt 2008-06-30 10:15:14
ComboFix3.txt 2008-06-27 17:37:38
ComboFix4.txt 2008-06-26 23:26:47

Pre-Run: 9,778,831,360 octets libres
Post-Run: 8,774,938,624 octets libres

315



And a new HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:43:53, on 30/06/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16386)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Creative\SBAudigy\Volume Panel\VolPanlu.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\system32\conime.exe
C:\Windows\System32\rundll32.exe
C:\Windows\Explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = "http://www.daemon-search.com/startpage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Programme d'aide de l'Assistant de connexion Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\SBAudigy\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [UpdReg] C:\Windows\UpdReg.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe"
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVICE RÉSEAU')
O4 - Startup: OneNote 2007 - Capture d'écran et lancement.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: &Télécharger avec NetTransport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Tout t&élécharger avec NetTransport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O9 - Extra button: Envoyer à OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: &Envoyer à OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.nl/scanforvirus-en/kavwebscan_unicode.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = alta.home
O17 - HKLM\Software\..\Telephony: DomainName = alta.home
O17 - HKLM\System\CCS\Services\Tcpip\..\{46F53741-6F7A-40C8-B383-D850DB83FAD9}: NameServer = 192.168.0.1,212.27.53.252,212.27.54.252
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = alta.home
O17 - HKLM\System\CS1\Services\Tcpip\..\{46F53741-6F7A-40C8-B383-D850DB83FAD9}: NameServer = 192.168.0.1,212.27.53.252,212.27.54.252
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\Windows\system32\PnkBstrB.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\apache2\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe

--
End of file - 6277 bytes


So is it clear Doctor ? xD
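The two logs above are plain text with a fixed shape per line type, so the first pass a helper does on them (which services have no publisher, which start page was changed, which self-protection settings are switched off) can be scripted. The following is an added example written for this thread; it is not code from the thread, from HijackThis or from ComboFix. It parses only the line shapes visible above (HijackThis R0/O4/O23 entries and the REGEDIT4 section of the ComboFix log). The names `triage`, `report` and `Findings` are my own, the stock start page URL is the one the HKLM R0 line shows, and the sample log is constructed from lines of the thread.

```python
"""Triage helper for HijackThis and ComboFix text logs (added example)."""
import re
from dataclasses import dataclass, field

# HijackThis O23 entries: "O23 - Service: <name> - <owner> - <path>"
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# HijackThis O4 Run-key entries: "O4 - <hive>\..\Run: [<label>] <command>"
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+(?:\\S-[\d-]+)?)\\\.\.\\Run: \[(?P<label>[^\]]+)\] (?P<cmd>.+)$")
# HijackThis R0 start-page entries; a stray leading quote (as in the log) is tolerated
R0_RE = re.compile(r'^R0 - (?P<key>.+?),Start Page = "?(?P<url>\S+)')
# ComboFix REGEDIT4 dump: "[key]" headers, then "Name"= 0 (0x0) or "Name"=dword:00000001
REG_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
REG_VAL_RE = re.compile(
    r'^"(?P<name>[^"]+)"=\s*(?:dword:(?P<hex>[0-9a-fA-F]{8})|(?P<dec>\d+)\s*\(0x[0-9a-fA-F]+\))'
)

# Internet Explorer 7's stock start page, as shown in the HKLM R0 line of the log.
MICROSOFT_DEFAULT_HOME = "http://go.microsoft.com/fwlink/?LinkId=69157"


@dataclass
class Findings:
    unknown_owner_services: list = field(default_factory=list)  # (name, path)
    startpage_overrides: list = field(default_factory=list)     # (key, url)
    autostarts: list = field(default_factory=list)              # (hive, label, command)
    weak_settings: list = field(default_factory=list)           # (key, name, value, note)


def _check_setting(findings, key, name, value):
    """Flag registry values that switch off the machine's own defences."""
    k = key.lower()
    if name == "EnableLUA" and value == 0 and k.endswith("policies\\system"):
        findings.weak_settings.append((key, name, value, "UAC is off; expected 1"))
    elif name == "EnableFirewall" and value == 0 and "firewallpolicy" in k:
        profile = key.rsplit("\\", 1)[-1]
        note = f"Windows Firewall off for {profile}; fine only if a third-party firewall covers it"
        findings.weak_settings.append((key, name, value, note))


def triage(log_text):
    """Walk the log once and collect the items worth a second look."""
    findings = Findings()
    current_key = None  # most recent [key] header in the REGEDIT4 section
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := O23_RE.match(line):
            if m["owner"].strip().lower() == "unknown owner":
                findings.unknown_owner_services.append((m["name"], m["path"]))
        elif m := O4_RE.match(line):
            findings.autostarts.append((m["hive"], m["label"], m["cmd"]))
        elif m := R0_RE.match(line):
            if m["url"] != MICROSOFT_DEFAULT_HOME:
                findings.startpage_overrides.append((m["key"], m["url"]))
        elif m := REG_KEY_RE.match(line):
            current_key = m["key"]
        elif (m := REG_VAL_RE.match(line)) and current_key:
            value = int(m["hex"], 16) if m["hex"] is not None else int(m["dec"])
            _check_setting(findings, current_key, m["name"], value)
    return findings


def report(findings):
    """Render findings as plain lines, ready to paste into a reply."""
    lines = []
    for name, path in findings.unknown_owner_services:
        lines.append(f"service without publisher: {name} -> {path}")
    for key, url in findings.startpage_overrides:
        lines.append(f"start page changed under {key}: {url}")
    for key, name, value, note in findings.weak_settings:
        lines.append(f"{key}\\{name} = {value}: {note}")
    lines.append(f"{len(findings.autostarts)} Run-key autostart entries parsed")
    return lines


# Constructed sample: a handful of lines copied from the logs in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = "http://www.daemon-search.com/startpage
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVICE LOCAL')
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)
"""

if __name__ == "__main__":
    for entry in report(triage(SAMPLE_LOG)):
        print(entry)
```

On the sample it reports the PnkBstrA service (no publisher string), the HKCU start page pointing at daemon-search.com, UAC disabled, and the Windows Firewall domain profile disabled; the ZoneLabs `DisableMonitoring` value is a Security Center bookkeeping entry and is deliberately not flagged. An "Unknown owner" service is a prompt to check the file, not a verdict: it only means the binary carries no company name in its version resource.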

Blade81
2008-06-30, 22:17
Hi

Yes, looks good :) You may reinstall Spybot now.


Well congrats, it appears your system is all clean. Are you still noticing any problems? If not, it's time to secure your system to prevent against further intrusions.


THESE STEPS ARE VERY IMPORTANT

Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to clean the restore points.

A. To disable the System Restore feature:

1. Click on the Start button.
2. Hover over the Computer option, right click on it and then click Properties.
3. On the left hand side, click Advanced Settings.
4. If asked to permit the action, click on Allow.
5. Click on the System Protection tab.
6. Uncheck any checkboxes listed for your hard drives.
7. Press OK.


B. Reboot.

C. Turn ON System Restore.
Follow the steps like you did when disabling System Restore, but on step 6 check any checkboxes listed for your hard drives.


Now let's uninstall ComboFix:

Click START then RUN
Now type Combofix /u in the run box and click OK



UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You need to update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the Windows Update site (http://windowsupdate.microsoft.com/) to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site and make sure you have at least all the critical updates installed (free): Microsoft Office Update.

Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.



The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.

Download SpywareBlaster
SpywareBlaster is a program that stops known malicious ActiveX controls from installing on your computer. It works by changing settings in your registry. It sets kill bits in the registry, so that certain ActiveX controls can't install.
If you don't know what ActiveX controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)
You can download SpywareBlaster here (http://majorgeeks.com/downloadget.php?id=2859&file=11&evp=61b0e8ad41924a03c37615f4682b4cef)
SpywareBlaster tutorial (http://www.bleepingcomputer.com/forums/tutorial49.html)

Hosts file:
Every version of Windows has a hosts file as part of it. In a very basic sense, it is used to locate webpages. We can customize a hosts file so that it blocks certain webpages. However, it can slow down certain computers. This is why using a hosts file is optional!!
Download it here (http://www.mvps.org/winhelp2002/hosts.htm). Make sure you read the instructions on how to install the hosts file. There is a good tutorial here (http://www.bleepingcomputer.com/forums/tutorial51.html)
If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
1. Click the Start button (at the lower left hand corner of your screen).
2. Click Run. In the dialog box, type services.msc and hit Enter.
3. Locate DNS Client, highlight it, then double-click it.
4. In the dropdown box, change the setting from Automatic to Manual.
5. Click OK.



Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Run Spybot and Ad-Aware regularly. (Once or twice a week minimum.)
Visit Microsoft's Windows Update site frequently - it is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade :cool:
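As an added example, not part of the thread and not code from SpywareBlaster, the MVPS hosts project or any other tool named above, here is a PowerShell audit of the two protections Blade81 describes: the ActiveX kill bit that SpywareBlaster sets in the registry, and a hosts file that sinks unwanted names to a non-routable address, plus the DNS Client start mode from the slowdown fix. The kill-bit location and the 0x400 flag value are Microsoft-documented; the CLSID passed to Test-KillBit is a placeholder you replace with the control you want to check; it assumes PowerShell 3 or later run in an elevated session.

```powershell
# Added example: audit post-cleanup hardening described in the thread.
# Assumptions: run elevated; PowerShell 3+; the CLSID you pass is your own.

function Test-KillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    # Kill bits live under this key, one subkey per CLSID. A control is
    # blocked when the 0x400 bit of the "Compatibility Flags" DWORD is set.
    $key = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    if (-not (Test-Path -Path $key)) { return $false }
    $item  = Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    $flags = $item.'Compatibility Flags'
    if ($null -eq $flags) { return $false }
    return (($flags -band 0x400) -ne 0)
}

function Get-HostsBlockList {
    # Read the hosts file the way the resolver does: drop comments, split on
    # whitespace, keep names mapped to 0.0.0.0 or 127.0.0.1 (i.e. blocked),
    # and skip the localhost entry that belongs there anyway.
    $path = Join-Path -Path $env:SystemRoot -ChildPath 'System32\drivers\etc\hosts'
    Get-Content -Path $path | ForEach-Object {
        $line = ($_ -split '#')[0].Trim()
        if ($line) {
            $parts = $line -split '\s+'
            if ($parts.Count -ge 2 -and ($parts[0] -in '0.0.0.0', '127.0.0.1')) {
                $parts[1..($parts.Count - 1)] | Where-Object { $_ -ne 'localhost' }
            }
        }
    }
}

function Get-DnsClientStartMode {
    # The post suggests setting DNS Client (service name Dnscache) to Manual
    # when a large hosts file slows the machine down; report what it is now.
    (Get-CimInstance -ClassName Win32_Service -Filter "Name='Dnscache'").StartMode
}

# Usage (placeholder CLSID; substitute the control you are checking):
$placeholderClsid = '{00000000-0000-0000-0000-000000000000}'
"Kill bit set for $placeholderClsid : $(Test-KillBit -Clsid $placeholderClsid)"
"Names blocked by hosts file      : $((Get-HostsBlockList | Measure-Object).Count)"
"DNS Client start mode           : $(Get-DnsClientStartMode)"
```

Test-KillBit returns $false both when the CLSID has no entry at all and when an entry exists without the 0x400 bit, which is the distinction a reader checking SpywareBlaster's work actually needs; a large block list with DNS Client still on Automatic is the combination the post's slowdown note is about.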

Altaic
2008-06-30, 23:04
I did everything you suggest.
So I installed Spybot and SpywareBlaster, up to date; everything seems good after scans (Virtumonde seems to be gone).
My IE rules/options are good like yours.

But each time I reboot my system my Internet connection is down; I have to re-type my personal gateway in my connection properties to have access to the net... it's weird, no?
I don't really use IE but I can also see a shortcut on my desktop on reboot (I delete it each time)...
I think something is still here but my system is actually more stable and faster than 2 days ago. (thx you for that :) )

Maybe you've got ideas on my assumption... but except for that it's OK, thx a lot for your work and advice. I will update my OS for further security. :red:

Altaic
2008-07-01, 01:22
I'm back with good news: after Vista updates and some scans/reboots, the things mentioned above don't come back (the IE "self-shortcut" and restricted Internet access). I can say my system is clean and working well right now.

Thanks a lot again for your attention and help Blade81.
You can close this thread and add a success in your stats ;)
I hope I'll never come back here, but I know if it's needed people here are very helpful.
Have a good day. :cool:

Alta

Blade81
2008-07-01, 08:04
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)

Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.