PDA

View Full Version : routercontrol C:\WINDOWS:rtrcntrl.exe



Jérémie
2008-09-15, 23:43
Hi,

I've got an issue for like a big week now. I executed a software I shouldn't have (having a cat hair under an optical mouse isn't recommended for precise clicking), and TeaTimer woke up. But I guess it missed something, or I'm just unlucky, because now I have various issues.

First, about 10 times per minutes, TeaTimer still block the routercontrol thingie:
Denied (based on user blacklist) value "routercontrol" (new data: "C:\WINDOWS:rtrcntrl.exe") added in System Startup global entry!

Only one (recent) note of that found by Google, and I also have the same symptom as him: some of my key doesn't work anymore, like the ^ accent on some character (I have a French keyboard), or the ` accent. I tried re-installing my keyboard driver, didn't change anything.

I also have some special key on my keyboard, like for sound volume, quick launch of emails, that kind of things. Worked fine before, now if I touch one of those, the input devices froze. I can still move the mouse cursor, ctrl-alt-del still work, but any other mouse buttons or keyboards input doesn't.

Windows has also turn slow, but it's difficult to explain. It's not cpu usage (seems fine, I have plenty), but some software (at launch mainly, but not only) freeze Windows for some time. Like launching an Adobe software, I used to be able to put it in the background and continue working on something else while it was launching, now I can't.

I also had several other minor issues I seems to have gotten rid of, like unwanted windows focus switching.

I did a Kaspersky online check (17 hours, ouch) and it didn't found anything big. Several malware or virus in archives (like old archives of my mails, that kind of things) but since a virus can't escape and activate itself out of a rar, bzip2 or 7z archive, I guess I'm fine. However it did found a Win32.gen trojan as test.dll in my Steam program directory, removed it fine. It has come back 2 or 3 times now, Avast got it each time. No idea how it got in however.

Here's my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:21:29, on 15/09/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\PROGRA~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\oodtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Fichiers communs\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: (no name) - {01a33d85-4706-452a-b71a-99510ada8c0c} - C:\WINDOWS\system32\jkkhHxuU.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: (no name) - {16FEF79E-4058-44FF-9BDD-386E2FAAD600} - C:\WINDOWS\system32\cbXrRhge.dll (file missing)
O2 - BHO: (no name) - {3482A825-D59E-4381-926B-63132A607A28} - (no file)
O2 - BHO: (no name) - {4C8C335A-B1F2-4AED-91FB-CAAD46E5763E} - C:\WINDOWS\system32\opnkjIxv.dll (file missing)
O2 - BHO: (no name) - {53384B1D-8BAB-4AFB-8358-F94E44C58D23} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [OODefragTray] C:\WINDOWS\system32\oodtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Realtek Configuration audio HD.lnk = C:\WINDOWS\system32\RTSndMgr.cpl
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk.disabled
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk.disabled
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Translate with &Babylon - res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190473207703
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: ?????????? ???????????
O20 - Winlogon Notify: jkkhhxuu - jkkhHxuU.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Fichiers communs\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Fichiers communs\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe (file missing)

--
End of file - 8968 bytes


If anyone can help me, I would appreciate it very much, thanks.

Jérémie
2008-09-15, 23:54
I forgot to add that of course I ran SpyBot, updated it, and it didn't found any issues after analysis. And my computer has all its latest vaccines :)

Shaba
2008-09-20, 12:03
Hi Jérémie

We will begin with ComboFix. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:


Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.


Click Yes to allow ComboFix to continue scanning for malware.


When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.

Jérémie
2008-09-22, 04:44
Thanks for the reply!

Here's the Combofix log:

ComboFix 08-09-20.05 - J‚r‚mie 2008-09-22 3:17:54.1 - NTFSx86
Microsoft Windows XP Professionnel 5.1.2600.3.1252.1.1036.18.1454 [GMT 2:00]
Lancé depuis: C:\Documents and Settings\J‚r‚mie\Bureau\ComboFix.exe
.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Helper
C:\WINDOWS\BMa773751f.txt
C:\WINDOWS\BMa773751f.xml
C:\WINDOWS\system32\bio2.exe
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\zeqbqwp.sys

.
((((((((((((((((((((((((((((((((((((((( Pilotes/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IPRIP
-------\Legacy_lptrdcsrv
-------\Legacy_ZEQBQWP
-------\Service_Iprip
-------\Service_zeqbqwp


((((((((((((((((((((((((((((( Fichiers créés du 2008-08-22 au 2008-09-22 ))))))))))))))))))))))))))))))))))))
.

2008-09-09 02:19 . 2008-09-12 01:34 1,159,168 --a------ C:\upx_save2file.exe
2008-09-08 05:36 . 2008-05-01 16:36 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-09-08 05:35 . 2008-07-22 16:59 1,214,526 -----c--- C:\WINDOWS\system32\dllcache\sysmain.sdb
2008-09-08 05:35 . 2008-07-22 16:59 790,846 -----c--- C:\WINDOWS\system32\dllcache\apph_sp.sdb
2008-09-08 05:35 . 2008-04-11 21:05 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-09-08 05:35 . 2008-07-22 16:59 9,696 -----c--- C:\WINDOWS\system32\dllcache\drvmain.sdb
2008-09-01 16:15 . 2008-09-01 16:15 <REP> d-------- C:\Program Files\Telltale
2008-08-28 15:56 . 2008-08-28 16:04 <REP> d-------- C:\ovhrev
2008-08-26 04:50 . 2008-08-26 04:50 <REP> d-------- C:\Program Files\Freelancer Mod Manager
2008-08-26 04:30 . 2008-08-29 16:43 <REP> d-------- C:\Program Files\Freelancer

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-22 01:09 --------- d-----w C:\Documents and Settings\Jérémie\Application Data\FileZilla
2008-09-22 00:32 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-09-20 16:09 --------- d-----w C:\Program Files\Steam
2008-09-20 12:33 --------- d-----w C:\Program Files\Opera
2008-09-19 13:35 --------- d-----w C:\Documents and Settings\Jérémie\Application Data\uTorrent
2008-09-14 21:01 --------- d-----w C:\Documents and Settings\Jérémie\Application Data\gtk-2.0
2008-09-13 13:23 --------- d-----w C:\Documents and Settings\Jérémie\Application Data\Real
2008-09-13 12:33 --------- d-----w C:\Program Files\Winamp
2008-09-13 12:33 --------- d-----w C:\Documents and Settings\Jérémie\Application Data\Winamp
2008-09-12 18:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Babylon
2008-09-08 22:48 361,600 ----a-w C:\WINDOWS\system32\drivers\TCPIP.SYS.ORIGINAL
2008-09-08 22:48 361,600 ----a-w C:\WINDOWS\system32\drivers\TCPIP.SYS
2008-09-08 03:08 --------- d-----w C:\Documents and Settings\Jérémie\Application Data\OpenOffice.org2
2008-09-08 00:02 --------- d-----w C:\Program Files\Medieval II Total War
2008-09-07 21:05 --------- d-----w C:\Program Files\Avast4
2008-09-07 19:20 --------- d-----w C:\Documents and Settings\Jérémie\Application Data\HLSW
2008-09-07 19:12 --------- d-s---w C:\Program Files\HLSW
2008-09-07 06:27 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-07 06:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-07 06:09 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-30 21:25 --------- d-----w C:\Documents and Settings\Jérémie\Application Data\Babylon
2008-08-27 09:14 --------- d-----w C:\Program Files\Lavasoft
2008-08-27 09:13 --------- d-----w C:\Program Files\Fichiers communs\Wise Installation Wizard
2008-08-27 09:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-20 01:28 --------- d-----w C:\Program Files\Valve
2008-08-18 19:45 --------- d-----w C:\Program Files\Inkscape
2008-08-18 19:25 --------- d-----w C:\Documents and Settings\Jérémie\Application Data\Inkscape
2008-08-17 18:03 --------- d-----w C:\Program Files\Sid Meier's Civilization 4
2008-08-12 16:51 --------- d-----w C:\Program Files\FileZilla Client
2008-08-10 09:08 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-08-08 09:48 --------- d-----w C:\Program Files\Real Alternative
2008-08-04 23:29 --------- d-----w C:\Documents and Settings\Jérémie\Application Data\teamspeak2
2008-07-13 20:01 42 ----a-w C:\Documents and Settings\Jérémie\checkdisk.bat
2007-10-06 07:15 22,328 ----a-w C:\Documents and Settings\Jérémie\Application Data\PnkBstrK.sys
2006-03-20 14:37 5,689,344 ----a-w C:\Program Files\mplayerc.exe
2008-04-14 07:25 201,212 --sha-w C:\WINDOWS\system32\eghRrXbc.ini2
2008-04-11 22:36 8,105 --sha-w C:\WINDOWS\system32\vxIjknpo.ini2
2008-06-12 00:28 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Historique\History.IE5\MSHist012008061220080613\index.dat
.

------- Sigcheck -------

2006-04-20 14:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 18:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 13:59 361600 ad978a1b783b5719720cff204b666c8e C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2007-10-30 19:20 360064 ecf02439fd31bbd0dbc2ec05600cf08a C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2004-08-05 14:00 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2007-10-11 21:03 359808 de891ad282e856acfd40990094a63b6f C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2008-04-13 21:20 361344 93ea8d04ec73a85db02eb8805988f733 C:\WINDOWS\$NtUninstallKB951748$\tcpip.sys
2008-04-13 21:20 361344 93ea8d04ec73a85db02eb8805988f733 C:\WINDOWS\ServicePackFiles\i386\TCPIP.SYS
2008-09-09 00:48 361600 cbeebeb899e31ef52b962cb31fc8ca5c C:\WINDOWS\system32\dllcache\TCPIP.SYS
2008-09-09 00:48 361600 cbeebeb899e31ef52b962cb31fc8ca5c C:\WINDOWS\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseSVN]
@="{30351346-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{30351346-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 12:35 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseSVN]
@="{30351347-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{30351347-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 12:35 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseSVN]
@="{30351348-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{30351348-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 12:35 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseSVN]
@="{3035134B-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{3035134B-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 12:35 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseSVN]
@="{3035134C-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{3035134C-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 12:35 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseSVN]
@="{3035134D-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{3035134D-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 12:35 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseSVN]
@="{3035134E-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{3035134E-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 12:35 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-07-12 178712]
"36X Raid Configurer"="C:\WINDOWS\system32\xRaidSetup.exe" [2007-05-25 1953792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"OODefragTray"="C:\WINDOWS\system32\oodtray.exe" [2007-05-11 2512392]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-02 13529088]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-02 86016]
"nwiz"="nwiz.exe" [2008-05-02 C:\WINDOWS\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vae84.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
"Adobe_ID0EYTHM"=C:\PROGRA~1\FICHIE~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Steam\\steamapps\\jeremiedorem\\team fortress 2\\hl2.exe"=
"C:\\cygwin\\bin\\rsync.exe"=
"C:\\Program Files\\Crysis\\Bin32\\Crysis.exe"=
"C:\\Program Files\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"C:\\Program Files\\VideoLAN VLC\\vlc.exe"=
"C:\\Program Files\\Freeplayer\\vlc\\vlc.exe"=
"C:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"C:\\Program Files\\Sid Meier's Civilization 4\\Civilization4.exe"=
"C:\\Program Files\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"C:\\Program Files\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"C:\\Program Files\\HLSW\\hlsw.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Steam\\steamapps\\jeremiedorem\\the ship\\ship.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=
"C:\\Program Files\\Steam\\Steam.exe"=
"C:\\WINDOWS\\system32\\ftp.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Mass Effect\\Binaries\\MassEffect.exe"=
"C:\\Program Files\\Mass Effect\\MassEffectLauncher.exe"=
"C:\\Program Files\\Assassin's Creed\\AssassinsCreed_Dx10.exe"=
"C:\\Program Files\\Assassin's Creed\\AssassinsCreed_Dx9.exe"=
"C:\\Program Files\\Assassin's Creed\\AssassinsCreed_Launcher.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\XR_3DA.exe"=
"C:\\Program Files\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\dedicated\\XR_3DA.exe"=
"C:\\Program Files\\Steam\\steamapps\\jeremiedorem\\source sdk base\\hl2.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:*:Disabled:Groupement homologue Windows
"3540:UDP"= 3540:UDP:Protocole PNRP (Peer Name Resolution Protocol)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]
S0 vae84;vae84;C:\WINDOWS\system32\Drivers\Vae84.sys [ ]
S3 p2pgasvc;Authentification de groupe réseau homologue;C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S3 p2pimsvc;Gestionnaire d'identité réseau homologue;C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S3 p2psvc;Réseau homologue;C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S3 PNRPSvc;Protocole de résolution de noms d'homologues;C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5f4c366d-6938-11dc-8f6d-806d6172696f}]
\Shell\AutoRun\command - F:\setup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{F277B357-CF8F-0B76-A44E-BA96F46162F6}]
C:\WINDOWS:rtrcntrl.exe
.
- - - - ORPHELINS SUPPRIMES - - - -

BHO-{16FEF79E-4058-44FF-9BDD-386E2FAAD600} - C:\WINDOWS\system32\cbXrRhge.dll
BHO-{3482A825-D59E-4381-926B-63132A607A28} - (no file)
BHO-{4C8C335A-B1F2-4AED-91FB-CAAD46E5763E} - C:\WINDOWS\system32\opnkjIxv.dll
BHO-{53384B1D-8BAB-4AFB-8358-F94E44C58D23} - (no file)
HKLM-Run-routercontrol - C:\WINDOWS:rtrcntrl.exe
Notify-jkkhhxuu - jkkhHxuU.dll


.
------- Examen supplémentaire -------
.
R0 -: HKCU-Main,Start Page = about:blank
R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore
O8 -: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 -: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 -: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: Translate with &Babylon - C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-22 03:23:26
Windows 5.1.2600 Service Pack 3 NTFS

Recherche de processus cachés ...

Recherche d'éléments en démarrage automatique cachés ...

Recherche de fichiers cachés ...


C:\WINDOWS:rtrcntrl.exe 18944 bytes executable

Scan terminé avec succès
Fichiers cachés: 1

**************************************************************************
.
------------------------ Autres processus actifs ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\snmp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Fichiers communs\Logitech\KhalShared\KHALMNPR.exe
C:\WINDOWS\RTHDCPL.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\ComboFix\pv.cfexe
.
**************************************************************************
.
Heure de fin: 2008-09-22 3:28:00 - La machine a redémarré [J‚r‚mie]
ComboFix-quarantined-files.txt 2008-09-22 01:27:57

Avant-CF: 249ÿ547ÿ366ÿ400 octets libres
Après-CF: 249,846,853,632 octets libres

248

Sorry it was produced by the dos text routines, I can't get the charset right :( It also uses my default Windows language (French)... I think you know enough Combifix log by heart not to be bothered by it, but if necessary I can translate any sentence you might need.

Notes: it may be pefectly normal, but still:


I think the first Combofix use disabled TeaTimer, and now the windows:rtrctrnl.exe was in my windows startup. I did not use SpyBot to remove it, to not interfere with what you're doing
Combofix did remove my Avast startup routine, I let him for the same reason.
There's a number of things changed after Combofix (Avast not back up, no more Windows wallpaper, etc.) which are no problem, I just wanted to point it out.


Hijackthis log afterward:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 03:31:47, on 22/09/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\oodtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Fichiers communs\Logitech\KhalShared\KHALMNPR.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [OODefragTray] C:\WINDOWS\system32\oodtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Realtek Configuration audio HD.lnk = C:\WINDOWS\system32\RTSndMgr.cpl
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk.disabled
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk.disabled
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Translate with &Babylon - res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190473207703
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Fichiers communs\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Fichiers communs\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe (file missing)

--
End of file - 7827 bytes

Shaba
2008-09-22, 11:46
Do you recognize this folder?

C:\ovhrev

Also please do this:

To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.

You will now be presented with a screen similar to the one below:

http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg

5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here on your next reply.

Jérémie
2008-09-22, 13:21
Do you recognize this folder?
C:\ovhrev
Yup I do. It's a simple webpage backup I did with wget some time ago.


To access the Uninstall Manager you would do the following:

7-Zip 4.42
AAA Logo 2008 2.10
Ad-Aware
Add or Remove Adobe Creative Suite 3 Web Premium
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe BridgeTalk Plugin CS3
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Contribute CS3
Adobe Creative Suite 3 Web Premium
Adobe Default Language CS3
Adobe Device Central CS3
Adobe Dreamweaver CS3
Adobe ExtendScript Toolkit 2
Adobe Extension Manager CS3
Adobe Fireworks CS3
Adobe Flash CS3
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Flash Video Encoder
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Illustrator CS3
Adobe InDesign CS3
Adobe Linguistics CS3
Adobe MotionPicture Color Files
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Setup
Adobe Setup
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe Version Cue CS3 Server
Adobe WAS CS3
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
AGEIA PhysX v7.09.13
AHV content for Acrobat and Flash
Aspell English Dictionary-0.50-2
Aspell French Dictionary-0.50-3
Assassin's Creed
Audacity 1.2.6
Audiosurf
Auto Gordian Knot 2.48b
AV Voice Changer Software DIAMOND 6.0
avast! Antivirus
AviSynth 2.5
Babylon
Bibliothèques GTK+ 2.12.8 rev a (supprimer uniquement)
Calendes Version 4.1
Canon MP500
CDDRV_Installer
CDisplay 1.8
ClearType Tuning Control Panel Applet
Correctif pour Windows Internet Explorer 7 (KB947864)
Correctif pour Windows XP (KB952287)
Crysis(R)
Deus Ex
Deus Ex - HDTP
DirectVobSub (remove only)
DivX Codec
Easy Video Splitter 1.28
Exact Audio Copy 0.99pb4
Fallout2
FileZilla Client 3.1.1.1
FO2 Expansion Pack 1.1
Freelancer
Freeplayer
Garry's Mod
Gigabyte Raid Configurer
GNU Aspell 0.50-3
Google Earth
Google SketchUp 6
Google SketchUp 6
GRID
GTA San Andreas
Half-Life 2
Half-Life 2: Episode One
Half-Life 2: Episode Two
Half-Life 2: Lost Coast
Half-Life Dedicated Server Update Tool
High Definition Audio Driver Package - KB835221
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
HLSW v1.2.1
Hotfix for Microsoft .NET Framework 3.0 (KB932471)
ImageMagick 6.3.5-10 Q16 (09/15/07)
Inkscape 0.46
Insurgency: Modern Infantry Combat
Intel(R) Matrix Storage Manager
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 4
Java(TM) 6 Update 5
Java(TM) 6 Update 7
KhalInstallWrapper
Logitech SetPoint
Mass Effect
MediaInfo 0.7.5.5
Medieval II Total War
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 French Language Pack
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 2.0 Service Pack 1 Language Pack - FRA
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1 Language Pack - FRA
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual J# .NET Redistributable Package 1.1
Mise à jour de sécurité pour Windows Internet Explorer 7 (KB938127)
Mise à jour de sécurité pour Windows Internet Explorer 7 (KB944533)
Mise à jour de sécurité pour Windows Internet Explorer 7 (KB950759)
Mise à jour de sécurité pour Windows Internet Explorer 7 (KB953838)
Mise à jour de sécurité pour Windows XP (KB923789)
Mise à jour de sécurité pour Windows XP (KB941569)
Mise à jour de sécurité pour Windows XP (KB946648)
Mise à jour de sécurité pour Windows XP (KB950760)
Mise à jour de sécurité pour Windows XP (KB950762)
Mise à jour de sécurité pour Windows XP (KB950974)
Mise à jour de sécurité pour Windows XP (KB951066)
Mise à jour de sécurité pour Windows XP (KB951376)
Mise à jour de sécurité pour Windows XP (KB951376-v2)
Mise à jour de sécurité pour Windows XP (KB951698)
Mise à jour de sécurité pour Windows XP (KB951748)
Mise à jour de sécurité pour Windows XP (KB952954)
Mise à jour de sécurité pour Windows XP (KB953839)
Mise à jour pour Windows XP (KB951072-v2)
Mise à jour pour Windows XP (KB951618-v2)
Mise à jour pour Windows XP (KB951978)
Movica
Mozilla Firefox (3.0.1)
Mozilla Thunderbird (2.0.0.16)
MPEG Video Wizard DVD
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
MultipleIEs
MySQL Connector/ODBC 3.51
Notepad++
NVIDIA Drivers
O&O Defrag Professional Edition
Oblivion
Oddworld: Abe's Exoddus
Oddworld: Abe's Oddysee
OpenAL
OpenOffice.org 2.4
Opera 9.52
Package de base Microsoft de service de chiffrement pour cartes à puce
PDF Settings
Peggle Extreme
Pidgin
Pilote de clavier français enrichi
Portal
PuTTY version 0.60
QT Lite 2.3.0
Real Alternative 1.8.2 Lite
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
Red Orchestra
S.T.A.L.K.E.R. - Shadow of Chernobyl [v1.0005]
Sam & Max Season 1
Sins of a Solar Empire
Sins of a Solar Empire
Source SDK
Source SDK Base
Source SDK Base - Orange Box
SprayR 1.0 RC7
Spybot - Search & Destroy
Spybot - Search & Destroy 1.5.2.20
Stardock Central
Steam
Team Fortress 2
TeamSpeak 2 RC2
The Ship
The Witcher
TortoiseSVN 1.4.8.12137 (32 bit)
Unlocker 1.8.6
Unreal Tournament 2004
VideoLAN VLC media player 0.8.6d
VTFEdit 1.2.4
Winamp
Windows Imaging Component
Windows Installer Clean Up
Windows Media Format Runtime
Windows Media Format SDK Hotfix - KB891122
Windows Presentation Foundation
Windows XP Service Pack*3
WinMerge 2.6.8.0
WinRAR archiver
XML Paper Specification Shared Components Language Pack 1.0
Xvid 1.1.3 final uninstall
XviD MPEG4 Video Codec (remove only)

Shaba
2008-09-22, 15:16
Thank you for information.

Open notepad and copy/paste the text in the codebox below into it:


Rootkit::
C:\WINDOWS:rtrcntrl.exe

File::
C:\upx_save2file.exe
C:\WINDOWS\system32\eghRrXbc.ini2
C:\WINDOWS\system32\vxIjknpo.ini2

Driver::
vae84

Folder::
C:\Program Files\uTorrent

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\uTorrent\\uTorrent.exe"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{F277B357-CF8F-0B76-A44E-BA96F46162F6}]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vae84.sys]


Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

Jérémie
2008-09-22, 22:42
After Combofix rebooted my computer, I had a Windows alert: "system settings protector" has crashed. Otherwise, it went fine.

ComboFix.txt:

ComboFix 08-09-20.05 - J‚r‚mie 2008-09-22 21:24:41.2 - NTFSx86
Microsoft Windows XP Professionnel 5.1.2600.3.1252.1.1036.18.1421 [GMT 2:00]
Lancé depuis: C:\Documents and Settings\J‚r‚mie\Bureau\ComboFix.exe
Commutateurs utilisés :: C:\Documents and Settings\J‚r‚mie\Bureau\CFScript.txt

FILE ::
C:\upx_save2file.exe
C:\WINDOWS\system32\eghRrXbc.ini2
C:\WINDOWS\system32\vxIjknpo.ini2
.
ADS - WINDOWS: deleted 18944 bytes in 1 streams.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\uTorrent
C:\Program Files\uTorrent\uTorrent.exe
C:\upx_save2file.exe
C:\WINDOWS\system32\eghRrXbc.ini2
C:\WINDOWS\system32\vxIjknpo.ini2

.
((((((((((((((((((((((((((((((((((((((( Pilotes/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_vae84
-------\Service_vae84


((((((((((((((((((((((((((((( Fichiers créés du 2008-08-22 au 2008-09-22 ))))))))))))))))))))))))))))))))))))
.

2008-09-08 05:36 . 2008-05-01 16:36 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-09-08 05:35 . 2008-07-22 16:59 1,214,526 -----c--- C:\WINDOWS\system32\dllcache\sysmain.sdb
2008-09-08 05:35 . 2008-07-22 16:59 790,846 -----c--- C:\WINDOWS\system32\dllcache\apph_sp.sdb
2008-09-08 05:35 . 2008-04-11 21:05 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-09-08 05:35 . 2008-07-22 16:59 9,696 -----c--- C:\WINDOWS\system32\dllcache\drvmain.sdb
2008-09-01 16:15 . 2008-09-01 16:15 <REP> d-------- C:\Program Files\Telltale
2008-08-28 15:56 . 2008-08-28 16:04 <REP> d-------- C:\ovhrev
2008-08-26 04:50 . 2008-08-26 04:50 <REP> d-------- C:\Program Files\Freelancer Mod Manager
2008-08-26 04:30 . 2008-08-29 16:43 <REP> d-------- C:\Program Files\Freelancer

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-22 19:22 --------- d-----w C:\Documents and Settings\Jérémie\Application Data\uTorrent
2008-09-22 19:20 --------- d-----w C:\Documents and Settings\Jérémie\Application Data\FileZilla
2008-09-22 16:21 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-09-20 16:09 --------- d-----w C:\Program Files\Steam
2008-09-20 12:33 --------- d-----w C:\Program Files\Opera
2008-09-14 21:01 --------- d-----w C:\Documents and Settings\Jérémie\Application Data\gtk-2.0
2008-09-13 13:23 --------- d-----w C:\Documents and Settings\Jérémie\Application Data\Real
2008-09-13 12:33 --------- d-----w C:\Program Files\Winamp
2008-09-13 12:33 --------- d-----w C:\Documents and Settings\Jérémie\Application Data\Winamp
2008-09-12 18:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Babylon
2008-09-08 22:48 361,600 ----a-w C:\WINDOWS\system32\drivers\TCPIP.SYS.ORIGINAL
2008-09-08 22:48 361,600 ----a-w C:\WINDOWS\system32\drivers\TCPIP.SYS
2008-09-08 03:08 --------- d-----w C:\Documents and Settings\Jérémie\Application Data\OpenOffice.org2
2008-09-08 00:02 --------- d-----w C:\Program Files\Medieval II Total War
2008-09-07 21:05 --------- d-----w C:\Program Files\Avast4
2008-09-07 19:20 --------- d-----w C:\Documents and Settings\Jérémie\Application Data\HLSW
2008-09-07 19:12 --------- d-s---w C:\Program Files\HLSW
2008-09-07 06:27 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-07 06:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-07 06:09 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-30 21:25 --------- d-----w C:\Documents and Settings\Jérémie\Application Data\Babylon
2008-08-27 09:14 --------- d-----w C:\Program Files\Lavasoft
2008-08-27 09:13 --------- d-----w C:\Program Files\Fichiers communs\Wise Installation Wizard
2008-08-27 09:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-20 01:28 --------- d-----w C:\Program Files\Valve
2008-08-18 19:45 --------- d-----w C:\Program Files\Inkscape
2008-08-18 19:25 --------- d-----w C:\Documents and Settings\Jérémie\Application Data\Inkscape
2008-08-17 18:03 --------- d-----w C:\Program Files\Sid Meier's Civilization 4
2008-08-12 16:51 --------- d-----w C:\Program Files\FileZilla Client
2008-08-10 09:08 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-08-08 09:48 --------- d-----w C:\Program Files\Real Alternative
2008-08-04 23:29 --------- d-----w C:\Documents and Settings\Jérémie\Application Data\teamspeak2
2008-07-13 20:01 42 ----a-w C:\Documents and Settings\Jérémie\checkdisk.bat
2007-10-06 07:15 22,328 ----a-w C:\Documents and Settings\Jérémie\Application Data\PnkBstrK.sys
2006-03-20 14:37 5,689,344 ----a-w C:\Program Files\mplayerc.exe
2008-06-12 00:28 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Historique\History.IE5\MSHist012008061220080613\index.dat
.

------- Sigcheck -------

2006-04-20 14:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 18:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 13:59 361600 ad978a1b783b5719720cff204b666c8e C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2007-10-30 19:20 360064 ecf02439fd31bbd0dbc2ec05600cf08a C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2004-08-05 14:00 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2007-10-11 21:03 359808 de891ad282e856acfd40990094a63b6f C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2008-04-13 21:20 361344 93ea8d04ec73a85db02eb8805988f733 C:\WINDOWS\$NtUninstallKB951748$\tcpip.sys
2008-04-13 21:20 361344 93ea8d04ec73a85db02eb8805988f733 C:\WINDOWS\ServicePackFiles\i386\TCPIP.SYS
2008-09-09 00:48 361600 cbeebeb899e31ef52b962cb31fc8ca5c C:\WINDOWS\system32\dllcache\TCPIP.SYS
2008-09-09 00:48 361600 cbeebeb899e31ef52b962cb31fc8ca5c C:\WINDOWS\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((( snapshot@2008-09-22_ 3.27.44.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-09-22 19:29:43 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_284.dat
+ 2008-09-22 19:29:22 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_64c.dat
.
((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseSVN]
@="{30351346-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{30351346-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 12:35 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseSVN]
@="{30351347-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{30351347-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 12:35 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseSVN]
@="{30351348-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{30351348-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 12:35 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseSVN]
@="{3035134B-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{3035134B-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 12:35 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseSVN]
@="{3035134C-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{3035134C-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 12:35 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseSVN]
@="{3035134D-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{3035134D-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 12:35 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseSVN]
@="{3035134E-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{3035134E-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 12:35 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-07-12 178712]
"36X Raid Configurer"="C:\WINDOWS\system32\xRaidSetup.exe" [2007-05-25 1953792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"OODefragTray"="C:\WINDOWS\system32\oodtray.exe" [2007-05-11 2512392]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-02 13529088]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-02 86016]
"nwiz"="nwiz.exe" [2008-05-02 C:\WINDOWS\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vae84.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
"Adobe_ID0EYTHM"=C:\PROGRA~1\FICHIE~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Steam\\steamapps\\jeremiedorem\\team fortress 2\\hl2.exe"=
"C:\\cygwin\\bin\\rsync.exe"=
"C:\\Program Files\\Crysis\\Bin32\\Crysis.exe"=
"C:\\Program Files\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"C:\\Program Files\\VideoLAN VLC\\vlc.exe"=
"C:\\Program Files\\Freeplayer\\vlc\\vlc.exe"=
"C:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"C:\\Program Files\\Sid Meier's Civilization 4\\Civilization4.exe"=
"C:\\Program Files\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"C:\\Program Files\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"C:\\Program Files\\HLSW\\hlsw.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Steam\\steamapps\\jeremiedorem\\the ship\\ship.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=
"C:\\Program Files\\Steam\\Steam.exe"=
"C:\\WINDOWS\\system32\\ftp.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Mass Effect\\Binaries\\MassEffect.exe"=
"C:\\Program Files\\Mass Effect\\MassEffectLauncher.exe"=
"C:\\Program Files\\Assassin's Creed\\AssassinsCreed_Dx10.exe"=
"C:\\Program Files\\Assassin's Creed\\AssassinsCreed_Dx9.exe"=
"C:\\Program Files\\Assassin's Creed\\AssassinsCreed_Launcher.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\XR_3DA.exe"=
"C:\\Program Files\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\dedicated\\XR_3DA.exe"=
"C:\\Program Files\\Steam\\steamapps\\jeremiedorem\\source sdk base\\hl2.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:*:Disabled:Groupement homologue Windows
"3540:UDP"= 3540:UDP:Protocole PNRP (Peer Name Resolution Protocol)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]
S3 p2pgasvc;Authentification de groupe réseau homologue;C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S3 p2pimsvc;Gestionnaire d'identité réseau homologue;C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S3 p2psvc;Réseau homologue;C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S3 PNRPSvc;Protocole de résolution de noms d'homologues;C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5f4c366d-6938-11dc-8f6d-806d6172696f}]
\Shell\AutoRun\command - F:\setup.exe
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-22 21:29:48
Windows 5.1.2600 Service Pack 3 NTFS

Recherche de processus cachés ...

Recherche d'éléments en démarrage automatique cachés ...

Recherche de fichiers cachés ...

Scan terminé avec succès
Fichiers cachés: 0

**************************************************************************
.
--------------------- DLLs chargées dans les processus actifs ---------------------

PROCESSUS: C:\WINDOWS\explorer.exe
-> C:\Program Files\TortoiseSVN\iconv\_tbl_simple.so
-> C:\Program Files\TortoiseSVN\iconv\windows-1252.so
-> C:\Program Files\TortoiseSVN\iconv\utf-8.so
.
------------------------ Autres processus actifs ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\snmp.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Fichiers communs\Logitech\KhalShared\KHALMNPR.exe
C:\WINDOWS\RTHDCPL.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\ComboFix\pv.cfexe
.
**************************************************************************
.
Heure de fin: 2008-09-22 21:34:20 - La machine a redémarré
ComboFix-quarantined-files.txt 2008-09-22 19:34:17
ComboFix2.txt 2008-09-22 01:28:01

Avant-CF: 249ÿ852ÿ637ÿ184 octets libres
Après-CF: 249,837,424,640 octets libres

231


New Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:40:53, on 22/09/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\oodtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Fichiers communs\Logitech\KhalShared\KHALMNPR.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [OODefragTray] C:\WINDOWS\system32\oodtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Realtek Configuration audio HD.lnk = C:\WINDOWS\system32\RTSndMgr.cpl
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk.disabled
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk.disabled
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Translate with &Babylon - res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190473207703
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Fichiers communs\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Fichiers communs\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe (file missing)

--
End of file - 7827 bytes

Shaba
2008-09-22, 22:51
Much better :)

Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button: Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply along with a fresh HijackThis log.

If you need a tutorial, see here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif)

Jérémie
2008-09-22, 23:25
Ok I'll run it, see you in–at least–17 hours ;)

By the way, the last Combofix log didn't say anything about rtrcntrl.exe being deleted while it was asked to do it; is that normal? Is that pest really gone, so I can start dancing naked on my balcony? :)

Jérémie
2008-09-23, 14:55
Here's the Kaspersky report:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, September 23, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, September 22, 2008 20:57:34
Records in database: 1249052
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: no

Scan area - My Computer:
C:\
D:\
E:\
G:\
P:\
X:\

Scan statistics:
Files scanned: 879027
Threat name: 4
Infected objects: 3
Suspicious objects: 1
Duration of the scan: 14:57:45


File name / Threat name / Threats count
C:\QooBox\Quarantine\C\upx_save2file.exe.vir Infected: Trojan.Win32.Agent.aeep 1
G:\Documents de Jérémie\Fichiers de logiciels\Thunderbird 2008-08-07.rar Infected: Trojan-Downloader.HTML.Agent.km 1
P:\piassou.exe Infected: Backdoor.Win32.Ciadoor.gn 1
P:\Bordel des disques 07-2007\D\Disque H\Backup\Email Attachments.rar Suspicious: Exploit.HTML.Iframe.FileDownload 1

The selected area was scanned.

Note: P:\piassou.exe was deleted by Avast as soon as I put him back on after the Kaspersky scan and went to look at what was that infected file.


And the new Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:52:44, on 23/09/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Fichiers communs\Logitech\KhalShared\KHALMNPR.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [OODefragTray] C:\WINDOWS\system32\oodtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Realtek Configuration audio HD.lnk = C:\WINDOWS\system32\RTSndMgr.cpl
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk.disabled
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk.disabled
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Translate with &Babylon - res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190473207703
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Fichiers communs\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Fichiers communs\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe (file missing)

--
End of file - 7794 bytes

Shaba
2008-09-23, 15:42
Delete these unless you need them:

G:\Documents de Jérémie\Fichiers de logiciels\Thunderbird 2008-08-07.rar
P:\Bordel des disques 07-2007\D\Disque H\Backup\Email Attachments.rar

Empty this folder:

C:\QooBox\Quarantine

Empty Recycle Bin.

Still problems?

Jérémie
2008-09-24, 18:49
I can't seem to reproduce any of the previous symptoms. Thank you very, very much!!

Apart from the System Settings Protector crash at each Windows startup (which I guess is Tea Timer, and a new reinstall of SPybot should take care of this) I have one strange problem that appeared after the ComboFix use.

My microphone isn't handled by Windows anymore, the audio control panel grayed every audio input option there is. I still got back some very basic control through my audio chip drivers, but it's messing with it more than it's helpful.

Do you have any idea about what ComboFix did that could have affected my drivers or my Windows audio stack? I spent several hours googling it, there's no easy (as far as I can tell, neither hard ones) way to get back my microphone directly under Win XP care; which is a big problem for me.

Shaba
2008-09-24, 18:52
You can try this:

Go to start - run

Type combofix /u and click ok.

And tell me if it helped.

Jérémie
2008-09-24, 19:56
I did it, even rebooted, it didn't change anything.

Shaba
2008-09-24, 19:59
Please try this (http://forums.majorgeeks.com/showthread.php?t=147786) next.

Shaba
2008-09-29, 12:01
Due to the lack of feedback this Topic is closed.

If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.