Unable to delete Win32.Autorun.tmp



tintin30
2010-09-13, 19:39
Hi,

I have recently observed abnormal behavior on my PC and, after performing a SpyBot scan, I found that Win32.Autorun.tmp is on it. As is probably usual in my situation, I have run SpyBot several times in an attempt to eliminate it, but without results. I have tried to follow the procedure described on this forum, but have not found the file 5kstzaw.exe.

As a last attempt (before formatting the OS partition), I put my DDS log below. Thanks in advance to any of you who will find time to take a look at this problem.

P.S. I have a French version of Windows, but have not found an equivalent forum in French. It should not be a problem while reading the DDS file, but if you find that I should go to a more appropriate forum, please point me to one.

P.P.S. As advised on certain forums, I have tried to perform a scan with GMER, but the virus was either completely slowing down the system or generating an error followed by an exit from the OS (a blue screen for a second, followed by shutdown).

Thanks again

-------------------------------------------------------------------------
DDS (Ver_10-03-17.01) - NTFSx86
Run by Artem at 15:38:04,06 on lun. 13/09/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professionnel 5.1.2600.3.1252.33.1036.18.2047.1372 [GMT 2:00]

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Fichiers communs\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\mfevtps.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\Program Files\TOSHIBA\TOSHIBA e-STUDIO Client\GLDocMon.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Documents and Settings\Artem\Bureau\dds.scr

============== Pseudo HJT Report ===============

uWindow Title =
mWinlogon: Taskman=c:\documents and settings\artem\application data\sjlp.exe
uWinlogon: Shell=explorer.exe,c:\documents and settings\artem\application data\sjlp.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\fichiers communs\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptsn.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ToshibaGLDocMon] "c:\program files\toshiba\toshiba e-studio client\GLDocMon.exe"
mRun: [SunJavaUpdateSched] "c:\program files\fichiers communs\java\java update\jusched.exe"
mRun: [SMSERIAL] c:\program files\motorola\smserial\sm56hlpr.exe
mRun: [SkyTel] SkyTel.EXE
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NeroFilterCheck] c:\program files\fichiers communs\ahead\lib\NeroCheck.exe
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [HControl] c:\windows\atk0100\HControl.exe
mRun: [Alcmtr] ALCMTR.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\fichiers communs\adobe\arm\1.0\AdobeARM.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\artem\menudm~1\progra~1\dmarra~1\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\artem\menudm~1\progra~1\dmarra~1\skype.lnk - c:\windows\installer\{d103c4ba-f905-437a-8049-db24763bbe36}\SkypeIcon.exe
StartupFolder: c:\docume~1\alluse~1.win\menudm~1\progra~1\dmarra~1\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng1.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1222447142812
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: {DC6EA748-82AF-4331-A1EE-0B19E2A69E1A} = 164.15.59.200
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\artem\applic~1\mozilla\firefox\profiles\mniywwju.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://wwwdev.ulb.ac.be/webmail2/webmail2.php
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&type=971163&p=
FF - component: c:\program files\mozilla firefox\components\Scriptff.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-1-4 343920]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\mcafee\virusscan enterprise\EngineServer.exe [2010-1-6 22816]
R2 McAfeeFramework;Service McAfee Framework;c:\program files\mcafee\common framework\FrameworkService.exe [2009-9-22 103744]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2010-1-6 147472]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2010-1-6 66896]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2010-4-19 70728]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-1-4 91832]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-1-4 43288]
R3 SynMini;Syntek USB2.0 2M WebCam;c:\windows\system32\drivers\SynMini.sys [2008-9-26 1208064]
R3 SynScan;Syntek USB2.0 2M WebCam Still Image;c:\windows\system32\drivers\SynScan.sys [2008-9-26 8064]
S1 mferkdk;VSCore mferkdk;\??\c:\program files\mcafee\virusscan enterprise\mferkdk.sys --> c:\program files\mcafee\virusscan enterprise\mferkdk.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-9-11 38224]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-4-19 66600]

=============== Created Last 30 ================

2010-09-12 21:18:31 0 d-----w- c:\windows\pss
2010-09-11 19:37:39 0 d-sha-r- C:\Autorun.inf
2010-09-11 18:49:16 0 d-----w- c:\docume~1\artem\applic~1\Malwarebytes
2010-09-11 18:49:08 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-11 18:49:06 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2010-09-11 18:49:02 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-11 18:49:01 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-11 17:35:22 744 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-09-11 17:11:34 2941 ----a-w- C:\UsbFix_Upload_Me_ULB-614A9323631.zip
2010-09-11 15:59:05 32768 ---ha-w- C:\SZKGFS.dat
2010-09-11 15:54:15 0 d-----w- C:\UsbFix
2010-09-11 15:53:54 0 d-----w- c:\docume~1\alluse~1.win\applic~1\SITEguard
2010-09-11 15:52:47 0 d-----w- c:\program files\fichiers communs\iS3
2010-09-11 15:52:46 0 d-----w- c:\docume~1\alluse~1.win\applic~1\STOPzilla!
2010-09-10 01:47:23 0 d-----w- c:\program files\GnuChess
2010-09-01 13:00:45 91136 --sh--r- c:\docume~1\artem\applic~1\sjlp.exe

==================== Find3M ====================

2010-09-10 01:34:19 49898 ----a-w- c:\windows\system32\perfc00C.dat
2010-09-10 01:34:19 371218 ----a-w- c:\windows\system32\perfh00C.dat
2010-07-17 03:00:04 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-30 12:32:14 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:25:24 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 09:02:32 1852032 ----a-w- c:\windows\system32\win32k.sys
2010-06-17 14:03:10 80384 ----a-w- c:\windows\system32\iccvid.dll
2006-06-23 06:48:54 32768 ----a-r- c:\windows\inf\UpdateUSB.exe
2009-09-04 07:30:47 16384 --sha-w- c:\windows\temp\cookies\index.dat
2009-09-04 07:30:47 32768 --sha-w- c:\windows\temp\fichiers internet temporaires\content.ie5\index.dat
2009-09-04 07:30:47 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat

============= FINISH: 15:39:24,78 ===============
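As an added illustration (not part of this thread or of the DDS tool), here is a small Python check that reads DDS "Winlogon:" lines like the ones in the Pseudo HJT report above and flags the Shell and Taskman entries that point at sjlp.exe, the same two values Malwarebytes later reports. The sample lines are constructed in the DDS format; the expected-value table is an assumption based on Windows XP defaults.

```python
import re

# Constructed sample lines in the DDS "Pseudo HJT Report" style
# (modelled on the log in this thread, not copied from a real machine).
SAMPLE_DDS_LINES = [
    "uWindow Title =",
    "mWinlogon: Taskman=c:\\documents and settings\\artem\\application data\\sjlp.exe",
    "uWinlogon: Shell=explorer.exe,c:\\documents and settings\\artem\\application data\\sjlp.exe",
    "uWinlogon: Shell=explorer.exe",
    "mWinlogon: Userinit=c:\\windows\\system32\\userinit.exe,",
    "uRun: [ctfmon.exe] c:\\windows\\system32\\ctfmon.exe",
]

# DDS prefixes: u = current user (HKCU), m = machine (HKLM), d = default user.
HIVES = {"u": "HKCU", "m": "HKLM", "d": "HKU\\.DEFAULT"}

# Assumed Windows XP defaults: Shell is "explorer.exe" alone, Userinit is
# "c:\windows\system32\userinit.exe," and Taskman is normally absent.
EXPECTED = {
    "shell": {"explorer.exe"},
    "userinit": {"c:\\windows\\system32\\userinit.exe"},
}

WINLOGON_RE = re.compile(r"^(?P<hive>[umd])Winlogon:\s*(?P<name>\w+)=(?P<value>.*)$", re.I)


def parse_winlogon(line):
    """Return (hive, value name, [comma-separated entries]) for a DDS Winlogon line, else None."""
    m = WINLOGON_RE.match(line.strip())
    if not m:
        return None
    hive = HIVES[m.group("hive").lower()]
    # Shell/Userinit are comma-separated lists; a trailing comma yields an empty entry we drop.
    values = [v.strip().lower() for v in m.group("value").split(",") if v.strip()]
    return hive, m.group("name").lower(), values


def find_winlogon_hijacks(lines):
    """Flag Winlogon entries that add a program to Shell/Userinit or set Taskman at all."""
    findings = []
    for line in lines:
        parsed = parse_winlogon(line)
        if parsed is None:
            continue
        hive, name, values = parsed
        if name == "taskman":
            findings.append({"hive": hive, "name": name, "values": values,
                             "reason": "Taskman is set (absent on a default XP install)"})
            continue
        expected = EXPECTED.get(name)
        if expected is None:
            continue
        extra = [v for v in values if v not in expected]
        if extra:
            findings.append({"hive": hive, "name": name, "values": extra,
                             "reason": "unexpected program appended to " + name})
    return findings


if __name__ == "__main__":
    for f in find_winlogon_hijacks(SAMPLE_DDS_LINES):
        print(f["hive"], f["name"], f["values"], "-", f["reason"])
```

The two flagged entries correspond to the HKLM Winlogon\taskman and HKCU Winlogon\shell values that the Malwarebytes log in this thread lists as Worm.Palevo.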

ken545
2010-09-16, 03:02


Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.




Download TFC (http://oldtimer.geekstogo.com/TFC.exe) to your desktop

Close any open windows.
Double click the TFC icon to run the program
TFC will close all open programs itself in order to run,
Click the Start button to begin the process.
Allow TFC to run uninterrupted.
The program should not take long to finish its job.
Once it's finished it should automatically reboot your machine;
if it doesn't, manually reboot to ensure a complete clean.






Please download Malwarebytes from Here (http://www.malwarebytes.org/mbam-download.php) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)


Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
http://i24.photobucket.com/albums/c30/ken545/MBAMCapture.jpg
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report, please.

tintin30
2010-09-16, 16:47
Hi ken545,

First of all, thanks a lot for your reply. I have followed your instructions and got the following log from Malwarebytes:

---------------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4628

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

16/09/2010 15:31:54
mbam-log-2010-09-16 (15-31-54).txt

Scan type: Quick scan
Objects scanned: 148149
Time elapsed: 8 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell (Worm.Palevo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman (Worm.Palevo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Artem\Application Data\sjlp.exe (Worm.Palevo) -> Delete on reboot.
C:\Documents and Settings\Administrateur\Application Data\sjlp.exe (Worm.Palevo) -> Quarantined and deleted successfully.
-------------------------------------------------------------------------

ken545
2010-09-16, 17:29
Great, let's check a bit deeper.


Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your desktop.
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Check the boxes beside LOP Check and Purity Check.
Under the Custom Scan box paste this in



netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
mv61xx.sys
/md5stop
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav



Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
Note: These logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply. You may need two posts to fit them both in.

tintin30
2010-09-16, 19:09
Hi ken545,

Thanks for the quick reply and for your suggestions. Please find the OTL logs below. Just to mention that SpyBot no longer detects Win32.Autorun.tmp and that its apparent activity (browser page redirection, connections to unknown IP addresses, etc.) has decreased, if not disappeared.

Here is the OTL.txt file; Extras.txt will follow.

Thanks again for your time.
--------------------------------------------------------------------------
OTL logfile created on: 16/09/2010 17:20:15 - Run 1
OTL by OldTimer - Version 3.2.12.1 Folder = C:\Documents and Settings\Artem\Bureau
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 0000080C | Country: Belgique | Language: FRB | Date Format: d/MM/yyyy

2,00 Gb Total Physical Memory | 1,00 Gb Available Physical Memory | 66,00% Memory free
4,00 Gb Paging File | 3,00 Gb Available in Paging File | 87,00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 24,50 Gb Total Space | 5,33 Gb Free Space | 21,74% Space Free | Partition Type: NTFS
Drive D: | 9,77 Gb Total Space | 1,44 Gb Free Space | 14,79% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ULB-614A9323631
Current User Name: Artem
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Artem\Bureau\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe (McAfee, Inc.)
PRC - C:\WINDOWS\system32\mfevtps.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\Common Framework\naPrdMgr.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\Common Framework\UdaterUI.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\Common Framework\FrameworkService.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\Common Framework\McTray.exe (McAfee, Inc.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe (Intel Corporation)
PRC - C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe (Intel Corporation)
PRC - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe (Intel Corporation )
PRC - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe (Intel Corporation)
PRC - C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe (Motorola Inc.)
PRC - C:\Program Files\Fichiers communs\LightScribe\LSSrvc.exe (Hewlett-Packard Company)
PRC - C:\WINDOWS\ATK0100\HControl.exe ()
PRC - C:\WINDOWS\ATK0100\ATKOSD.exe ()
PRC - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe (TOSHIBA CORPORATION.)
PRC - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtProc.exe (TOSHIBA CORPORATION.)
PRC - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe (TOSHIBA CORPORATION.)
PRC - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosOBEX.exe (TOSHIBA CORPORATION.)
PRC - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe (TOSHIBA CORPORATION.)
PRC - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe (TOSHIBA CORPORATION.)
PRC - C:\Program Files\Toshiba\TOSHIBA e-STUDIO Client\GLDocMon.exe ()
PRC - C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE (Microsoft Corporation)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Artem\Bureau\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\system32\msi.dll (Microsoft Corporation)
MOD - C:\WINDOWS\system32\msscript.ocx (Microsoft Corporation)
MOD - C:\Program Files\Fichiers communs\Microsoft Shared\INK\SKCHUI.DLL (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (wampmysqld) -- c:\wamp\bin\mysql\mysql5.0.51b\bin\mysqld-nt.exe File not found
SRV - (wampapache) -- c:\wamp\bin\apache\apache2.2.8\bin\httpd.exe File not found
SRV - (McShield) -- C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe (McAfee, Inc.)
SRV - (mfevtp) -- C:\WINDOWS\system32\mfevtps.exe (McAfee, Inc.)
SRV - (McTaskManager) -- C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe (McAfee, Inc.)
SRV - (McAfeeEngineService) -- C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe (McAfee, Inc.)
SRV - (McAfeeFramework) -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe (McAfee, Inc.)
SRV - (NMIndexingService) -- C:\Program Files\Fichiers communs\Ahead\Lib\NMIndexingService.exe (Nero AG)
SRV - (EvtEng) Intel(R) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe (Intel Corporation)
SRV - (S24EventMonitor) Intel(R) -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe (Intel Corporation )
SRV - (RegSrvc) Intel(R) -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe (Intel Corporation)
SRV - (LightScribeService) -- C:\Program Files\Fichiers communs\LightScribe\LSSrvc.exe (Hewlett-Packard Company)
SRV - (ose) -- C:\Program Files\Fichiers communs\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)
SRV - (MDM) -- C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE (Microsoft Corporation)


========== Driver Services (SafeList) ==========

DRV - (mferkdk) -- C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys File not found
DRV - (mfehidk) -- C:\WINDOWS\system32\drivers\mfehidk.sys (McAfee, Inc.)
DRV - (mfeavfk) -- C:\WINDOWS\system32\drivers\mfeavfk.sys (McAfee, Inc.)
DRV - (mfeapfk) -- C:\WINDOWS\system32\drivers\mfeapfk.sys (McAfee, Inc.)
DRV - (mferkdet) -- C:\WINDOWS\system32\drivers\mferkdet.sys (McAfee, Inc.)
DRV - (mfetdik) -- C:\WINDOWS\system32\drivers\mfetdik.sys (McAfee, Inc.)
DRV - (mfebopk) -- C:\WINDOWS\system32\drivers\mfebopk.sys (McAfee, Inc.)
DRV - (eeCtrl) -- C:\Program Files\Fichiers communs\Symantec Shared\EENGINE\eeCtrl.sys (Symantec Corporation)
DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\hdaudbus.sys (Windows (R) Server 2003 DDK provider)
DRV - (nv) -- C:\WINDOWS\system32\drivers\nv4_mini.sys (NVIDIA Corporation)
DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)
DRV - (NETw4x32) Pilote de carte Intel(R) -- C:\WINDOWS\system32\drivers\NETw4x32.sys (Intel Corporation)
DRV - (s24trans) -- C:\WINDOWS\system32\drivers\s24trans.sys (Intel Corporation)
DRV - (smserial) -- C:\WINDOWS\system32\drivers\smserial.sys (Motorola Inc.)
DRV - (RTL8023xp) -- C:\WINDOWS\system32\drivers\Rtnicxp.sys (Realtek Semiconductor Corporation )
DRV - (SynMini) -- C:\WINDOWS\system32\drivers\SynMini.sys ()
DRV - (SynScan) -- C:\WINDOWS\system32\drivers\SynScan.sys ()
DRV - (Tosrfbd) -- C:\WINDOWS\system32\drivers\tosrfbd.sys (TOSHIBA CORPORATION)
DRV - (Tosrfusb) -- C:\WINDOWS\system32\drivers\tosrfusb.sys (TOSHIBA CORPORATION)
DRV - (Tosrfhid) -- C:\WINDOWS\system32\drivers\tosrfhid.sys (TOSHIBA Corporation.)
DRV - (tosporte) -- C:\WINDOWS\system32\drivers\tosporte.sys (TOSHIBA Corporation)
DRV - (Tosrfbnp) -- C:\WINDOWS\system32\drivers\tosrfbnp.sys (TOSHIBA Corporation)
DRV - (TosRfSnd) Bluetooth Audio Device (WDM) -- C:\WINDOWS\system32\drivers\tosrfsnd.sys (TOSHIBA Corporation)
DRV - (rismxdp) -- C:\WINDOWS\system32\drivers\rixdptsk.sys (REDC)
DRV - (rimmptsk) -- C:\WINDOWS\system32\drivers\rimmptsk.sys (REDC)
DRV - (rimsptsk) -- C:\WINDOWS\system32\drivers\rimsptsk.sys (REDC)
DRV - (Tosrfcom) -- C:\WINDOWS\system32\drivers\tosrfcom.sys (TOSHIBA Corporation)
DRV - (toshidpt) -- C:\WINDOWS\system32\drivers\toshidpt.sys (TOSHIBA Corporation.)
DRV - (MTsensor) -- C:\WINDOWS\system32\drivers\ATKACPI.sys ()
DRV - (tosrfnds) -- C:\WINDOWS\system32\drivers\tosrfnds.sys (TOSHIBA Corporation.)
DRV - (MODEMCSA) -- C:\WINDOWS\system32\drivers\MODEMCSA.sys (Microsoft Corporation)
DRV - (PQNTDrv) -- C:\WINDOWS\System32\drivers\PQNTDRV.SYS ()


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://fr.msn.com/

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://fr.msn.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Yahoo"
FF - prefs.js..browser.search.param.yahoo-fr: "chr-greentree_ff&type=971163"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.startup.homepage: "http://wwwdev.ulb.ac.be/webmail2/webmail2.php"
FF - prefs.js..extensions.enabledItems: {dd3d7613-0246-469d-bc65-2a3cc1668adc}:0.7.1.1
FF - prefs.js..extensions.enabledItems: en-GB@dictionaries.addons.mozilla.org:1.19
FF - prefs.js..extensions.enabledItems: fr@dictionaries.addons.mozilla.org:3.5
FF - prefs.js..extensions.enabledItems: {3d7eb24f-2740-49df-8937-200b1cc08f8a}:1.5.13
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: ru@dictionaries.addons.mozilla.org:0.4.4
FF - prefs.js..extensions.enabledItems: uk-ua@dictionaries.addons.mozilla.org:1.6.0
FF - prefs.js..extensions.enabledItems: nl-NL@dictionaries.addons.mozilla.org:2.2.0
FF - prefs.js..keyword.URL: "http://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&type=971163&p="

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.12\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/09/11 22:31:14 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.12\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/09/15 11:47:11 | 000,000,000 | ---D | M]

[2008/09/26 16:26:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Artem\Application Data\Mozilla\Extensions
[2010/09/16 12:49:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Artem\Application Data\Mozilla\Firefox\Profiles\mniywwju.default\extensions
[2009/10/15 14:03:11 | 000,000,000 | ---D | M] (PDF Download) -- C:\Documents and Settings\Artem\Application Data\Mozilla\Firefox\Profiles\mniywwju.default\extensions\{37E4D8EA-8BDA-4831-8EA1-89053939A250}
[2010/03/17 17:29:39 | 000,000,000 | ---D | M] (Flashblock) -- C:\Documents and Settings\Artem\Application Data\Mozilla\Firefox\Profiles\mniywwju.default\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}
[2010/09/11 22:57:33 | 000,000,000 | ---D | M] (BlockSite) -- C:\Documents and Settings\Artem\Application Data\Mozilla\Firefox\Profiles\mniywwju.default\extensions\{dd3d7613-0246-469d-bc65-2a3cc1668adc}
[2008/09/28 15:48:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Artem\Application Data\Mozilla\Firefox\Profiles\mniywwju.default\extensions\en-GB@dictionaries.addons.mozilla.org
[2010/02/07 11:06:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Artem\Application Data\Mozilla\Firefox\Profiles\mniywwju.default\extensions\fr@dictionaries.addons.mozilla.org
[2009/08/28 21:14:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Artem\Application Data\Mozilla\Firefox\Profiles\mniywwju.default\extensions\LogMeInClient@logmein.com
[2009/08/12 12:08:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Artem\Application Data\Mozilla\Firefox\Profiles\mniywwju.default\extensions\nl-NL@dictionaries.addons.mozilla.org
[2010/09/16 12:49:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Artem\Application Data\Mozilla\Firefox\Profiles\mniywwju.default\extensions\ru@dictionaries.addons.mozilla.org
[2009/08/20 12:30:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Artem\Application Data\Mozilla\Firefox\Profiles\mniywwju.default\extensions\uk-ua@dictionaries.addons.mozilla.org
[2010/09/16 10:17:15 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/07/12 13:05:59 | 000,000,000 | ---D | M] (Skype extension for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
[2010/05/02 12:32:42 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/09/01 17:13:09 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2009/10/22 20:07:00 | 000,023,864 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Mozilla Firefox\components\Scriptff.dll
[2010/07/17 05:00:04 | 000,423,656 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2009/12/18 11:10:44 | 000,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
[2009/12/18 11:10:44 | 000,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
[2009/12/18 11:10:44 | 000,000,769 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
[2009/12/18 11:10:45 | 000,000,831 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2010/09/16 15:59:19 | 000,419,461 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.123topsearch.com
O1 - Hosts: 127.0.0.1 123topsearch.com
O1 - Hosts: 127.0.0.1 www.132.com
O1 - Hosts: 127.0.0.1 132.com
O1 - Hosts: 127.0.0.1 www.136136.net
O1 - Hosts: 127.0.0.1 136136.net
O1 - Hosts: 14474 more lines...
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptsn.dll (McAfee, Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Fichiers communs\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe ()
O4 - HKLM..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe (Intel Corporation)
O4 - HKLM..\Run: [LanguageShortcut] C:\Program Files\CyberLink\PowerDVD\Language\Language.exe ()
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Fichiers communs\Ahead\Lib\NeroCheck.exe (Nero AG)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [SkyTel] C:\WINDOWS\SkyTel.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe (Motorola Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)
O4 - HKCU..\Run: [ToshibaGLDocMon] C:\Program Files\TOSHIBA\TOSHIBA e-STUDIO Client\GLDocMon.exe ()
O4 - Startup: C:\Documents and Settings\All Users.WINDOWS\Menu Démarrer\Programmes\Démarrage\Bluetooth Manager.lnk = C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe ()
O4 - Startup: C:\Documents and Settings\Artem\Menu Démarrer\Programmes\Démarrage\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
O4 - Startup: C:\Documents and Settings\Artem\Menu Démarrer\Programmes\Démarrage\Skype.lnk = C:\WINDOWS\Installer\{D103C4BA-F905-437A-8049-DB24763BBE36}\SkypeIcon.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 3
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab (Symantec Script Runner Class)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1222447142812 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Fichiers communs\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Fichiers communs\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Fichiers communs\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Fichiers communs\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Fichiers communs\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Fichiers communs\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Fichiers communs\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Fichiers communs\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Fichiers communs\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Fichiers communs\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Fichiers communs\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop Components:0 (Ma page d'accueil) - About:Home
O24 - Desktop WallPaper: C:\Documents and Settings\Artem\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Artem\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/09/26 14:44:30 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2010/09/11 21:37:39 | 000,000,000 | RHSD | M] - C:\Autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2010/09/11 21:37:39 | 000,000,000 | RHSD | M] - D:\Autorun.inf -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKCU\...exe [@ = exefile] -- Reg Error: Key error. File not found

NetSvcs: 6to4 - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

========== Files/Folders - Created Within 30 Days ==========

[2010/09/16 17:14:06 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Artem\Bureau\OTL.exe
[2010/09/16 15:20:56 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/09/16 15:20:50 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/09/16 15:19:46 | 006,153,352 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Artem\Bureau\mbam-setup-1.46.exe
[2010/09/16 14:38:58 | 000,446,464 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Artem\Bureau\TFC.exe
[2010/09/16 14:14:13 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2010/09/15 13:32:28 | 000,000,000 | ---D | C] -- C:\Program Files\MiKTeX 2.7
[2010/09/13 15:04:11 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/09/13 14:51:29 | 000,000,000 | ---D | C] -- C:\ERDNT
[2010/09/13 14:50:21 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/09/12 23:18:31 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2010/09/12 12:32:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Artem\Bureau\PAPARS
[2010/09/11 22:28:51 | 000,000,000 | ---D | C] -- C:\WINDOWS\CSC
[2010/09/11 21:37:39 | 000,000,000 | RHSD | C] -- C:\Autorun.inf
[2010/09/11 20:49:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Artem\Application Data\Malwarebytes
[2010/09/11 20:49:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
[2010/09/11 20:49:01 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/09/11 17:54:15 | 000,000,000 | ---D | C] -- C:\UsbFix
[2010/09/11 17:54:01 | 001,211,906 | ---- | C] (C_XX & El Desaparecido) -- C:\Documents and Settings\Artem\Bureau\UsbFix.exe
[2010/09/11 17:53:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\SITEguard
[2010/09/11 17:52:47 | 000,000,000 | ---D | C] -- C:\Program Files\Fichiers communs\iS3
[2010/09/11 17:52:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\STOPzilla!
[2010/09/10 03:53:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Artem\Bureau\Caniiso
[2010/09/10 03:47:23 | 000,000,000 | ---D | C] -- C:\Program Files\GnuChess
[2010/09/04 17:51:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Artem\Bureau\tempo
[2010/09/01 17:13:06 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/09/01 17:13:06 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/09/01 17:13:06 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe

========== Files - Modified Within 30 Days ==========

[2010/09/16 17:15:59 | 000,000,432 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{D7B34122-7D38-4DB9-BA5B-FA6966AD0A11}.job
[2010/09/16 17:14:18 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Artem\Bureau\OTL.exe
[2010/09/16 15:59:19 | 000,419,461 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/09/16 15:34:50 | 000,002,277 | ---- | M] () -- C:\Documents and Settings\Artem\Menu Démarrer\Programmes\Démarrage\Skype.lnk
[2010/09/16 15:34:40 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/09/16 15:34:13 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/09/16 15:34:11 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/09/16 15:33:10 | 013,631,488 | -H-- | M] () -- C:\Documents and Settings\Artem\NTUSER.DAT
[2010/09/16 15:20:59 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Bureau\Malwarebytes' Anti-Malware.lnk
[2010/09/16 15:19:48 | 006,153,352 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Artem\Bureau\mbam-setup-1.46.exe
[2010/09/16 14:40:36 | 000,000,600 | ---- | M] () -- C:\Documents and Settings\Artem\Application Data\winscp.rnd
[2010/09/16 14:38:58 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Artem\Bureau\TFC.exe
[2010/09/16 14:17:29 | 000,267,008 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/09/16 12:04:15 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/09/15 23:33:53 | 000,000,120 | ---- | M] () -- C:\WINDOWS\rcwin.ini
[2010/09/15 20:27:48 | 000,000,364 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/09/14 19:42:59 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\Artem\Bureau\dds.scr
[2010/09/14 19:25:02 | 000,419,283 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100916-155919.backup
[2010/09/14 18:26:47 | 000,000,284 | -HS- | M] () -- C:\Documents and Settings\Artem\ntuser.ini
[2010/09/14 17:59:48 | 000,000,212 | -HS- | M] () -- C:\boot.ini
[2010/09/14 17:59:47 | 000,000,000 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/09/14 10:10:40 | 000,070,488 | ---- | M] () -- C:\Documents and Settings\Artem\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/09/14 09:57:18 | 000,001,320 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Bureau\Cygwin.lnk
[2010/09/13 15:41:33 | 000,002,912 | ---- | M] () -- C:\Documents and Settings\Artem\Bureau\Attach.zip
[2010/09/13 14:50:26 | 000,000,767 | ---- | M] () -- C:\Documents and Settings\Artem\Menu Démarrer\Programmes\Démarrage\ERUNT AutoBackup.lnk
[2010/09/13 14:50:23 | 000,000,610 | ---- | M] () -- C:\Documents and Settings\Artem\Application Data\Microsoft\Internet Explorer\Quick Launch\ERUNT.lnk
[2010/09/13 14:50:23 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\Artem\Bureau\ERUNT.lnk
[2010/09/12 13:40:46 | 000,419,283 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100914-192502.backup
[2010/09/12 13:32:52 | 000,419,283 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100912-134046.backup
[2010/09/12 12:48:44 | 000,419,283 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100912-133252.backup
[2010/09/11 21:37:39 | 000,002,941 | ---- | M] () -- C:\UsbFix_Upload_Me_ULB-614A9323631.zip
[2010/09/11 19:35:39 | 000,000,744 | ---- | M] () -- C:\WINDOWS\System32\drivers\kgpcpy.cfg
[2010/09/11 19:19:22 | 000,000,796 | ---- | M] () -- C:\WINDOWS\gnuchess.ini
[2010/09/11 17:59:36 | 000,418,771 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100912-124843.backup
[2010/09/11 17:59:05 | 000,032,768 | -H-- | M] () -- C:\SZKGFS.dat
[2010/09/11 17:54:09 | 001,211,906 | ---- | M] (C_XX & El Desaparecido) -- C:\Documents and Settings\Artem\Bureau\UsbFix.exe
[2010/09/10 05:10:06 | 000,011,374 | ---- | M] () -- C:\Documents and Settings\Artem\gsview32.ini
[2010/09/10 03:48:06 | 000,000,622 | ---- | M] () -- C:\Documents and Settings\Artem\Bureau\GNUCHESS.EXE.lnk
[2010/09/10 03:34:19 | 000,782,488 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/09/10 03:34:19 | 000,371,218 | ---- | M] () -- C:\WINDOWS\System32\perfh00C.dat
[2010/09/10 03:34:19 | 000,314,842 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/09/10 03:34:19 | 000,049,898 | ---- | M] () -- C:\WINDOWS\System32\perfc00C.dat
[2010/09/10 03:34:19 | 000,041,170 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/09/05 15:40:41 | 000,417,012 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100911-170209.backup
[2010/09/04 22:59:57 | 000,000,754 | ---- | M] () -- C:\WINDOWS\WORDPAD.INI
[2010/09/01 23:42:02 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/08/28 22:43:07 | 001,172,672 | ---- | M] () -- C:\Documents and Settings\Artem\Bureau\SPARSKIT2.tar.gz
[2010/08/27 10:48:22 | 000,058,368 | ---- | M] () -- C:\Documents and Settings\Artem\Bureau\12.5.10.doc
[2010/08/25 20:01:46 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Bureau\Adobe Reader 9.lnk
[2010/08/25 13:39:18 | 000,066,450 | ---- | M] () -- C:\Documents and Settings\Artem\Mes documents\dnew.f90
[2010/08/25 13:39:14 | 000,071,301 | ---- | M] () -- C:\Documents and Settings\Artem\Mes documents\dagmg.f90
[2010/08/24 16:06:42 | 000,046,814 | ---- | M] () -- C:\Documents and Settings\Artem\Bureau\inter_element.cc.htm
[2010/08/23 10:55:11 | 000,000,642 | -H-- | M] () -- C:\Documents and Settings\Artem\Mes documents\SWWATER.INI

========== Files Created - No Company Name ==========

[2010/09/16 15:20:59 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Bureau\Malwarebytes' Anti-Malware.lnk
[2010/09/14 19:42:35 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\Artem\Bureau\dds.scr
[2010/09/14 17:59:56 | 000,002,277 | ---- | C] () -- C:\Documents and Settings\Artem\Menu Démarrer\Programmes\Démarrage\Skype.lnk
[2010/09/14 17:59:56 | 000,000,767 | ---- | C] () -- C:\Documents and Settings\Artem\Menu Démarrer\Programmes\Démarrage\ERUNT AutoBackup.lnk
[2010/09/14 17:59:56 | 000,000,719 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Menu Démarrer\Programmes\Démarrage\Bluetooth Manager.lnk
[2010/09/13 15:41:33 | 000,002,912 | ---- | C] () -- C:\Documents and Settings\Artem\Bureau\Attach.zip
[2010/09/13 14:50:23 | 000,000,610 | ---- | C] () -- C:\Documents and Settings\Artem\Application Data\Microsoft\Internet Explorer\Quick Launch\ERUNT.lnk
[2010/09/13 14:50:23 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\Artem\Bureau\ERUNT.lnk
[2010/09/11 23:26:56 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Artem\Bureau\prof.exe
[2010/09/11 19:35:22 | 000,000,744 | ---- | C] () -- C:\WINDOWS\System32\drivers\kgpcpy.cfg
[2010/09/11 19:11:34 | 000,002,941 | ---- | C] () -- C:\UsbFix_Upload_Me_ULB-614A9323631.zip
[2010/09/11 17:59:05 | 000,032,768 | -H-- | C] () -- C:\SZKGFS.dat
[2010/09/10 03:48:06 | 000,000,622 | ---- | C] () -- C:\Documents and Settings\Artem\Bureau\GNUCHESS.EXE.lnk
[2010/08/28 22:43:01 | 001,172,672 | ---- | C] () -- C:\Documents and Settings\Artem\Bureau\SPARSKIT2.tar.gz
[2010/08/26 22:15:14 | 000,058,368 | ---- | C] () -- C:\Documents and Settings\Artem\Bureau\12.5.10.doc
[2010/08/25 13:39:17 | 000,066,450 | ---- | C] () -- C:\Documents and Settings\Artem\Mes documents\dnew.f90
[2010/08/25 13:39:13 | 000,071,301 | ---- | C] () -- C:\Documents and Settings\Artem\Mes documents\dagmg.f90
[2010/08/24 16:06:41 | 000,046,814 | ---- | C] () -- C:\Documents and Settings\Artem\Bureau\inter_element.cc.htm
[2010/08/23 10:55:11 | 000,000,642 | -H-- | C] () -- C:\Documents and Settings\Artem\Mes documents\SWWATER.INI
[2010/03/31 14:01:12 | 000,116,224 | ---- | C] () -- C:\WINDOWS\System32\pdfcmnnt.dll
[2010/03/28 14:37:40 | 000,246,784 | ---- | C] () -- C:\WINDOWS\System32\sqlite3.dll
[2010/03/08 23:00:29 | 000,000,186 | ---- | C] () -- C:\WINDOWS\WinCom.INI
[2009/09/08 14:54:25 | 000,540,776 | ---- | C] () -- C:\WINDOWS\ES1mi.dll
[2009/09/08 14:54:25 | 000,503,908 | ---- | C] () -- C:\WINDOWS\ES1Disc.dll
[2009/09/08 14:54:25 | 000,376,832 | ---- | C] () -- C:\WINDOWS\ES1Snmpp.dll
[2009/09/08 14:54:25 | 000,204,800 | ---- | C] () -- C:\WINDOWS\eSDMLD.dll
[2009/09/08 14:54:15 | 000,274,432 | ---- | C] () -- C:\WINDOWS\System32\eSTsnmp.dll
[2009/09/08 14:54:15 | 000,274,432 | ---- | C] () -- C:\WINDOWS\eSTsnmp.dll
[2009/09/08 14:54:05 | 000,016,597 | ---- | C] () -- C:\WINDOWS\RIO1_40c.ini
[2009/08/28 15:03:20 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\Artem\Application Data\winscp.rnd
[2009/08/15 13:05:47 | 000,176,235 | ---- | C] () -- C:\WINDOWS\System32\Primomonnt.dll
[2009/07/08 23:45:07 | 000,037,376 | ---- | C] () -- C:\Documents and Settings\Artem\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/06/19 10:51:29 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\Artem\Application Data\PUTTY.RND
[2009/04/27 06:13:36 | 000,000,314 | ---- | C] () -- C:\WINDOWS\primopdf.ini
[2009/04/14 19:03:18 | 000,000,071 | ---- | C] () -- C:\WINDOWS\sex-oneclick-repertoire.ini
[2009/02/26 22:56:16 | 000,000,028 | ---- | C] () -- C:\WINDOWS\album.ini
[2009/02/26 22:56:16 | 000,000,021 | ---- | C] () -- C:\WINDOWS\Ps_setup.ini
[2008/12/12 12:38:46 | 000,000,072 | ---- | C] () -- C:\WINDOWS\MSYS.INI
[2008/12/03 16:18:29 | 000,000,796 | ---- | C] () -- C:\WINDOWS\gnuchess.ini
[2008/11/07 11:26:54 | 000,003,252 | ---- | C] () -- C:\WINDOWS\System32\drivers\PQNTDRV.SYS
[2008/10/31 14:19:14 | 000,000,043 | ---- | C] () -- C:\WINDOWS\gswin32.ini
[2008/10/15 23:38:02 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008/10/10 23:49:54 | 000,233,525 | ---- | C] () -- C:\WINDOWS\System32\isutil.dll
[2008/10/10 23:49:53 | 000,000,271 | ---- | C] () -- C:\WINDOWS\apptune.ini
[2008/10/07 12:00:18 | 000,000,120 | ---- | C] () -- C:\WINDOWS\rcwin.ini
[2008/10/05 20:48:06 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2008/09/27 23:44:38 | 000,058,880 | ---- | C] () -- C:\Documents and Settings\Artem\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/09/26 20:06:55 | 000,007,168 | ---- | C] () -- C:\WINDOWS\System32\Dtctrace.dll
[2008/09/26 19:06:56 | 000,000,379 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/09/26 16:03:54 | 000,028,143 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2008/09/26 15:51:43 | 000,000,000 | ---- | C] () -- C:\WINDOWS\tosOBEX.INI
[2008/09/26 15:19:04 | 000,014,848 | R--- | C] () -- C:\WINDOWS\System32\drivers\SynSam.sys
[2008/09/26 15:19:04 | 000,008,064 | R--- | C] () -- C:\WINDOWS\System32\drivers\SynScan.sys
[2008/09/26 15:18:59 | 000,498,688 | R--- | C] () -- C:\WINDOWS\System32\drivers\SynPin.sys
[2008/09/26 15:18:59 | 000,030,848 | R--- | C] () -- C:\WINDOWS\System32\drivers\SynCamd.sys
[2008/09/26 15:18:58 | 001,208,064 | R--- | C] () -- C:\WINDOWS\System32\drivers\SynMini.sys
[2008/09/26 15:10:43 | 000,016,480 | ---- | C] () -- C:\WINDOWS\System32\rixdicon.dll
[2008/09/26 14:57:57 | 000,028,822 | ---- | C] () -- C:\WINDOWS\Ascd_log.ini
[2008/09/26 14:57:47 | 000,005,632 | R--- | C] () -- C:\WINDOWS\System32\drivers\ATKACPI.sys
[2008/09/26 14:57:30 | 000,010,288 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2007/04/28 13:05:00 | 001,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2007/04/28 13:05:00 | 001,474,560 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2007/04/28 13:05:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2007/04/28 13:05:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2007/04/17 10:35:49 | 000,286,208 | ---- | C] () -- C:\WINDOWS\System32\cncs232.dll
[2005/09/02 14:44:08 | 000,110,592 | ---- | C] () -- C:\WINDOWS\System32\TosBtAcc.dll
[2005/07/22 21:30:20 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\TosCommAPI.dll
[2004/07/20 17:04:02 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\TosBtHcrpAPI.dll
[2004/01/15 14:43:28 | 000,114,688 | ---- | C] () -- C:\WINDOWS\System32\TBTMonUI.dll
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2001/07/31 05:17:12 | 000,094,274 | ---- | C] () -- C:\WINDOWS\System32\HPBHEALR.DLL

========== LOP Check ==========

[2008/09/30 11:14:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\LightScribe
[2010/09/11 17:53:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\SITEguard
[2010/04/13 11:39:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\STDUConverter
[2010/09/11 19:39:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\STOPzilla!
[2010/02/19 10:56:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Tarma Installer
[2010/03/28 15:20:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
[2009/06/08 10:23:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Viewpoint
[2010/05/29 14:42:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\WinZip
[2009/04/14 09:59:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Artem\Application Data\DisplayTune
[2010/03/08 21:37:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Artem\Application Data\FileZilla
[2008/11/22 11:42:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Artem\Application Data\IcoFX
[2009/06/11 14:31:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Artem\Application Data\KDE
[2010/06/29 13:02:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Artem\Application Data\Publish or Perish
[2009/07/08 23:43:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Artem\Application Data\Toshiba
[2010/09/16 17:12:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Artem\Application Data\WinEdt
[2010/06/06 12:25:17 | 000,000,364 | ---- | M] () -- C:\WINDOWS\Tasks\Install_NSS.job
[2010/09/16 17:15:59 | 000,000,432 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{D7B34122-7D38-4DB9-BA5B-FA6966AD0A11}.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2004/08/05 14:00:00 | 018,779,217 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008/09/26 19:09:52 | 023,892,017 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2008/09/26 19:09:52 | 023,892,017 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 20:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 20:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2004/08/05 14:00:00 | 018,779,217 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/09/26 19:09:52 | 023,892,017 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/09/26 19:09:52 | 023,892,017 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 20:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 20:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2004/08/05 14:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\drivers\system32\DRIVERS\atapi.sys
[2004/08/05 14:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\i386\atapi.sys
[2004/08/03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0007\DriverFiles\i386\atapi.sys

< MD5 for: EVENTLOG.DLL >
[1999/10/02 10:24:46 | 000,017,408 | ---- | M] () MD5=1363337A5301619F00F8033835EF30E9 -- C:\MATLAB\R2007b\sys\perl\win32\site\lib\auto\Win32\EventLog\EventLog.dll
[2004/08/05 14:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=21E83876A6287F15538EF187D286FE11 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll
[2008/04/14 04:33:24 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=4EC800BDF80521B0207BD2301DFC7D14 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/14 04:33:24 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=4EC800BDF80521B0207BD2301DFC7D14 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/14 04:33:34 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=04821179C3171554C1BD1F9888A113E2 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/14 04:33:34 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=04821179C3171554C1BD1F9888A113E2 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/05 14:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=FAF07FDCDE76000621A28D19F8E2E8EB -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2008/04/14 04:33:40 | 000,187,392 | ---- | M] (Microsoft Corporation) MD5=973B36634C544948C663E8269AA1B3A3 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/14 04:33:40 | 000,187,392 | ---- | M] (Microsoft Corporation) MD5=973B36634C544948C663E8269AA1B3A3 -- C:\WINDOWS\system32\scecli.dll
[2004/08/05 14:00:00 | 000,186,368 | ---- | M] (Microsoft Corporation) MD5=DEC0397F35D027874804EC72979D03CC -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2008/09/26 15:40:27 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2008/09/26 15:40:27 | 000,663,552 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2008/09/26 15:40:27 | 000,458,752 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav
< End of report >
---------------------------------------------------------------------
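The autorun-related lines in the OTL log above (the O6/O7 policy values, the O32 Autorun.inf entries and the O1 hosts entries) are the ones that matter most for a Win32.Autorun case, and OTL prints them without interpreting them. The following Python script is an added example, not part of the original post and not OTL's own code: it parses those line types and decodes them. The bit meanings of NoDriveTypeAutoRun and NoDriveAutoRun are Microsoft's documented values; the "vaccination folder" classification (a 0-byte entry with the D attribute) and the hosts-hijack check are heuristics of my own. The sample input is constructed from lines of the log above plus one made-up hosts entry (10.0.0.1 / www.example.test) so that the hijack check has something to flag.

```python
import re

# Constructed sample: autorun-related lines copied from the OTL log above, plus
# one made-up hosts entry (the 10.0.0.1 line) to exercise the hijack check.
SAMPLE_LOG = r"""
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 10.0.0.1 www.example.test
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 3
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/09/26 14:44:30 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2010/09/11 21:37:39 | 000,000,000 | RHSD | M] - C:\Autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2010/09/11 21:37:39 | 000,000,000 | RHSD | M] - D:\Autorun.inf -- [ NTFS ]
"""

# NoDriveTypeAutoRun: a set bit DISABLES AutoRun for that drive type.
# 0x95 is the Windows XP default; 0xFF disables AutoRun everywhere.
NO_DRIVE_TYPE_BITS = {
    0x01: "unknown (DRIVE_UNKNOWN)",
    0x04: "removable (USB stick, floppy)",
    0x08: "fixed (hard disk)",
    0x10: "network",
    0x20: "CD-ROM",
    0x40: "RAM disk",
    0x80: "reserved/unknown",
}

POLICY_RE = re.compile(r"^O[67] - (HKLM|HKCU)\\[^:]*\\Explorer: (\w+) = (\d+)\s*$")
HOSTS_RE = re.compile(r"^O1 - Hosts: (\S+) (\S+)\s*$")
AUTORUN_FILE_RE = re.compile(
    r"^O32 - AutoRun File - \[[^|]*\| ([\d,]+) \| (\S{4}) \| \w\] (?:\(\) )?- ([A-Za-z]:\\Autorun\.inf)",
    re.I,
)


def decode_no_drive_type(value):
    """Drive types on which AutoRun is disabled by a NoDriveTypeAutoRun bitmask."""
    return [name for bit, name in NO_DRIVE_TYPE_BITS.items() if value & bit]


def decode_no_drive(value):
    """NoDriveAutoRun is a bitmask by drive letter: bit 0 = A:, bit 1 = B:, ..."""
    return [chr(ord("A") + i) + ":" for i in range(26) if value & (1 << i)]


def classify_autorun_inf(size, attrs):
    """Heuristic: a 0-byte entry carrying the D (directory) attribute is the
    'vaccination' folder that tools such as UsbFix create so malware cannot drop
    a file of that name; anything else is a real Autorun.inf worth reading."""
    if "D" in attrs.upper() and size == 0:
        return "vaccination folder"
    return "real file - inspect"


def suspicious_hosts(lines):
    """Hosts entries not pointing at loopback/null are hijack indicators; the
    127.0.0.1 blocklist entries written by Spybot's Immunize are expected."""
    bad = []
    for line in lines:
        m = HOSTS_RE.match(line)
        if m and m.group(1) not in ("127.0.0.1", "0.0.0.0", "::1"):
            bad.append((m.group(1), m.group(2)))
    return bad


def analyse(log_text):
    """Parse the O1/O6/O7/O32 lines of an OTL log and return a decoded summary."""
    policies = {"HKLM": {}, "HKCU": {}}
    autorun_inf = {}
    hosts_lines = []
    for line in log_text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            policies[m.group(1)][m.group(2)] = int(m.group(3))
            continue
        m = AUTORUN_FILE_RE.match(line)
        if m:
            size = int(m.group(1).replace(",", ""))
            autorun_inf[m.group(3)[:2].upper()] = classify_autorun_inf(size, m.group(2))
            continue
        if line.startswith("O1 - Hosts:"):
            hosts_lines.append(line)
    # The HKLM policy key takes precedence over HKCU when both are present.
    eff = policies["HKLM"] if "NoDriveTypeAutoRun" in policies["HKLM"] else policies["HKCU"]
    ndt = eff.get("NoDriveTypeAutoRun", 0x95)  # XP default if the value is absent
    return {
        # HonorAutoRunSetting = 1 is written by the KB967715 AutoRun fix and
        # means NoDriveTypeAutoRun is actually honoured for removable drives.
        "honor_autorun_setting": policies["HKLM"].get("HonorAutoRunSetting", 0) == 1,
        "autorun_disabled_on": decode_no_drive_type(ndt),
        "autorun_enabled_on_removable": not (ndt & 0x04),
        "drive_letters_blocked": decode_no_drive(eff.get("NoDriveAutoRun", 0)),
        "autorun_inf": autorun_inf,
        "suspicious_hosts": suspicious_hosts(hosts_lines),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the lines from this log, the script reports that the KB967715 fix is present (HonorAutoRunSetting = 1) but that NoDriveTypeAutoRun = 0 disables AutoRun on no drive type at all, so a USB stick carrying a real Autorun.inf would still be run; NoDriveAutoRun = 3 only covers A: and B:, the XP default. The two 0-byte RHSD Autorun.inf entries on C: and D: are classified as vaccination folders, which is consistent with their timestamp matching the UsbFix upload archive in the log rather than with an infection.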

tintin30
2010-09-16, 19:23
and here is the Extras.txt log. As mentioned in my first log, my Windows version is French. To ease the reading of the last section of this log, I include a few (homemade) translations:

Service s'est terminé de façon inattendue pour la 1ème fois. = Service unexpectedly interrupted for the first time.
Application bloquée = blocked application
Application défaillante = failing application

I should also mention that, in an attempt to understand whether these are regular tasks that suddenly start using a lot of CPU/memory resources, or whether it is trojan activity, I have intentionally killed the tasks that were "consuming" the most. This probably explains the number of interrupted services.

Thanks again for your help. :thanks:

--------------------------------------------------------------------------
OTL Extras logfile created on: 16/09/2010 17:20:15 - Run 1
OTL by OldTimer - Version 3.2.12.1 Folder = C:\Documents and Settings\Artem\Bureau
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 0000080C | Country: Belgique | Language: FRB | Date Format: d/MM/yyyy

2,00 Gb Total Physical Memory | 1,00 Gb Available Physical Memory | 66,00% Memory free
4,00 Gb Paging File | 3,00 Gb Available in Paging File | 87,00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 24,50 Gb Total Space | 5,33 Gb Free Space | 21,74% Space Free | Partition Type: NTFS
Drive D: | 9,77 Gb Total Space | 1,44 Gb Free Space | 14,79% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ULB-614A9323631
Current User Name: Artem
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.exe [@ = exefile] -- Reg Error: Key error. File not found
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== Firewall Settings ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"3306:TCP" = 3306:TCP:*:Enabled:MySQL Server
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\cygwin\usr\X11R6\bin\XWin.exe" = C:\cygwin\usr\X11R6\bin\XWin.exe:*:Enabled:XWin -- File not found
"C:\MATLAB\R2007b\bin\win32\MATLAB.exe" = C:\MATLAB\R2007b\bin\win32\MATLAB.exe:*:Enabled:MATLAB -- (The MathWorks Inc.)
"C:\WINDOWS\system32\ftp.exe" = C:\WINDOWS\system32\ftp.exe:*:Enabled:Logiciel de transfert de fichiers -- (Microsoft Corporation)
"C:\cygwin\bin\XWin.exe" = C:\cygwin\bin\XWin.exe:*:Enabled:XWin -- ()
"C:\Program Files\McAfee\Common Framework\FrameworkService.exe" = C:\Program Files\McAfee\Common Framework\FrameworkService.exe:*:Enabled:McAfee Framework Service -- (McAfee, Inc.)
"C:\GMSH\gmsh.exe" = C:\GMSH\gmsh.exe:*:Enabled:gmsh -- ()
"C:\Program Files\WinSCP\WinSCP.exe" = C:\Program Files\WinSCP\WinSCP.exe:*:Enabled:WinSCP: SFTP, FTP and SCP client -- (Martin Prikryl)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}" = PDFCreator
"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
"{02D7C83F-FCCB-4EEC-9E4B-C6FF8AADC015}" = Power4 Gear
"{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}" = mLogView
"{13F3917B56CD4C25848BDC69916971BB}" = DivX Converter
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{147BCE03-C0F1-4C9F-8157-6A89B6D2D973}" = McAfee VirusScan Enterprise
"{1E5007FA-DA5E-4EDD-BDE5-14D128D66887}" = PowerQuest PartitionMagic 7.0
"{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = DVD Suite
"{23FB368F-1399-4EAC-817C-4B83ECBE3D83}" = mProSafe
"{26A24AE4-039D-4CA4-87B4-2F83216010FF}" = Java(TM) 6 Update 21
"{296B2D8E-CE82-92AF-B2E8-A646E7CB78A2}_is1" = RegAlyzer
"{29D3773E-54F4-23C2-D523-236A4453B844}_is1" = FileAlyzer
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java(TM) 6 Update 7
"{350C940c-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3E9D596A-61D4-4239-BD19-2DB984D2A16F}" = mIWA
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{7B63B2922B174135AFC0E1377DD81EC2}" =
"{829CD169-E692-48E8-9BDE-A3E8D8B65538}" = mSCfg
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}" = mPfMgr
"{8C6BB412-D3A8-4AAE-A01B-35B681789D68}" = mHelp
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-040C-0000-0000000FF1CE}" = Module de compatibilité pour Microsoft Office System 2007
"{901E040C-6000-11D3-8CFE-0150048383C9}" = Microsoft Office 2003 French User Interface Pack
"{90B0D222-8C21-4B35-9262-53B042F18AF9}" = mPfWiz
"{94658027-9F16-4509-BBD7-A59FE57C3023}" = mZConfig
"{94ECA004-8B62-45E8-B83D-A85F61A1F0B9}" = eWebEditPro 4 Client
"{975C8028-51D8-44A9-9585-82E9810FE96A}" = hp LaserJet 1000
"{97F32DF8-D66E-446A-A425-C1D7B45C1036}" = Nero 7 Essentials
"{981029E0-7FC9-4CF3-AB39-6F133621921A}" = Skype Toolbars
"{985556E5-353F-4AA9-9E75-29AB8A5E4E14}" = Harzing's Publish or Perish 2.8.3644
"{A0F925BF-5C55-44C2-A4E7-5A4C59791C29}" = mDriver
"{A5181519-9F3D-4372-ABC6-C333C2F3A816}_is1" = RunAlyzer
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.4
"{ACCA20B0-C4D1-4BF5-BF21-0A0EB5EF9730}" = REALTEK GbE & FE Ethernet PCI NIC Driver
"{AEB9948B-4FF2-47C9-990E-47014492A0FE}" = MSXML 6.0 Parser
"{AFA9D219-A7FD-4240-8793-E5C7C9D715F4}" = IKEA Home Planner
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{C3BDF1C8-66EF-4A0F-B427-A99E39706F45}_is1" = RMVB Converter 1.8
"{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = PowerDirector
"{CE386A4E-D0DA-4208-8235-BCE43275C694}" = LightScribe 1.4.142.1
"{CEBB6BFB-D708-4F99-A633-BC2600E01EF6}" = Bluetooth Stack for Windows
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.2
"{D5A9B7C0-8751-11D8-9D75-000129760D75}" = MediaShow 3.0
"{E008BEB1-AB63-46C1-BD3D-08D3A1F8E26D}" = McAfee Agent
"{E4A41F8D-5DFD-422F-8C7A-D77D56116A56}" = Le Grand Robert & Collins
"{E81667C6-2856-46D6-ABEA-6A2F42166779}" = mCore
"{EC3D786A-C56F-427B-9B7A-9AC0CA7DB140}" = TOSHIBA e-STUDIO850 Series Client
"{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}" = mMHouse
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F6090A17-0967-4A8A-B3C3-422A1B514D49}" = mDrWiFi
"{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}" = mWlsSafe
"Active Ports" = Active Ports
"Adobe AIR" = Adobe AIR
"Adobe Atmosphere Player" = Adobe Atmosphere Player for Acrobat and Adobe Reader
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"ArcSoft PhotoStudio 2000" = ArcSoft PhotoStudio 2000
"CamStudio" = CamStudio
"DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters
"DivX Setup.divx.com" = DivX Setup
"ERUNT_is1" = ERUNT 1.1j
"FileZilla Client" = FileZilla Client 3.1.4.1
"GPL Ghostscript 8.63" = GPL Ghostscript 8.63
"GSview 4.9" = GSview 4.9
"HControl" = ATK0100 ACPI UTILITY
"IcoFX_is1" = IcoFX 1.6.4
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"Imagicon" = Imagicon
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"MatlabR2007b" = MATLAB R2007b
"McAfee Anti-Spyware Enterprise Module" = McAfee AntiSpyware Enterprise Module
"MiKTeX 2.7" = MiKTeX 2.7
"MinGW" = MinGW 5.1.4
"Mozilla Firefox (3.5.12)" = Mozilla Firefox (3.5.12)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSFortranPowerStation" = Microsoft Fortran PowerStation 4.0
"MSYS-1.0_is1" = "Minimal SYStem 1.0.10"
"MSYS-DTK_is1" = "MSYS Developer Tool Kit 1.0.1"
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"PrimoPDF" = PrimoPDF -- brought to you by Nitro PDF Software
"ProInst" = Intel(R) PROSet/Wireless Software
"Services Off-line de Home'Bank_is1" = Services Off-line de Home'Bank 4.04
"SMSERIAL" = Motorola SM56 Speakerphone Modem
"USB2.0 2M WebCam" = USB2.0 2M WebCam
"Usbfix" = Usbfix By C_XX & El Desaparecido
"WinDjView" = WinDjView 1.0.3
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Lecteur Windows Media 11
"Windows XP Service" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR archiver
"winscp3_is1" = WinSCP 4.2.3 beta
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 8/08/2010 13:29:14 | Computer Name = ULB-614A9323631 | Source = Application Hang | ID = 1002
Description = Application bloquée MATLAB.exe, version 1.0.0.1, module bloqué hungapp,
version 0.0.0.0, adresse de blocage 0x00000000.

Error - 8/08/2010 14:26:12 | Computer Name = ULB-614A9323631 | Source = Application Hang | ID = 1002
Description = Application bloquée gmsh.exe, version 0.0.0.0, module bloqué hungapp,
version 0.0.0.0, adresse de blocage 0x00000000.

Error - 8/08/2010 14:27:16 | Computer Name = ULB-614A9323631 | Source = Application Hang | ID = 1002
Description = Application bloquée gmsh.exe, version 0.0.0.0, module bloqué hungapp,
version 0.0.0.0, adresse de blocage 0x00000000.

Error - 14/08/2010 16:52:54 | Computer Name = ULB-614A9323631 | Source = Application Hang | ID = 1002
Description = Application bloquée MATLAB.exe, version 1.0.0.1, module bloqué hungapp,
version 0.0.0.0, adresse de blocage 0x00000000.

Error - 16/08/2010 16:38:58 | Computer Name = ULB-614A9323631 | Source = Application Error | ID = 1000
Description = Application défaillante divxupdate.exe, version 1.0.1.10, module défaillant
msvcp80.dll, version 8.0.50727.4053, adresse de défaillance 0x000100b5.

Error - 27/08/2010 17:17:22 | Computer Name = ULB-614A9323631 | Source = Application Hang | ID = 1002
Description = Application bloquée firefox.exe, version 1.9.1.3834, module bloqué
hungapp, version 0.0.0.0, adresse de blocage 0x00000000.

Error - 6/09/2010 15:25:05 | Computer Name = ULB-614A9323631 | Source = Application Error | ID = 1000
Description = Application défaillante explorer.exe, version 6.0.2900.5512, module
défaillant kernel32.dll, version 5.1.2600.5781, adresse de défaillance 0x00012afb.

Error - 8/09/2010 20:05:16 | Computer Name = ULB-614A9323631 | Source = Application Error | ID = 1000
Description = Application défaillante divxupdate.exe, version 1.0.1.10, module défaillant
msvcp80.dll, version 8.0.50727.4053, adresse de défaillance 0x000100b5.

Error - 9/09/2010 21:29:37 | Computer Name = ULB-614A9323631 | Source = Application Hang | ID = 1002
Description = Application bloquée msimn.exe, version 6.0.2900.5512, module bloqué
hungapp, version 0.0.0.0, adresse de blocage 0x00000000.

Error - 11/09/2010 13:08:08 | Computer Name = ULB-614A9323631 | Source = Application Hang | ID = 1002
Description = Application bloquée iFrmewrk.exe, version 11.1.0.2, module bloqué
hungapp, version 0.0.0.0, adresse de blocage 0x00000000.

[ System Events ]
Error - 16/09/2010 8:40:48 | Computer Name = ULB-614A9323631 | Source = Service Control Manager | ID = 7034
Description = Le service Intel(R) PROSet/Wireless Service s'est terminé de façon
inattendue pour la 1ème fois.

Error - 16/09/2010 8:40:48 | Computer Name = ULB-614A9323631 | Source = Service Control Manager | ID = 7034
Description = Le service LightScribeService Direct Disc Labeling Service s'est terminé
de façon inattendue pour la 1ème fois.

Error - 16/09/2010 8:40:49 | Computer Name = ULB-614A9323631 | Source = Service Control Manager | ID = 7034
Description = Le service McAfee Engine Service s'est terminé de façon inattendue
pour la 1ème fois.

Error - 16/09/2010 8:40:49 | Computer Name = ULB-614A9323631 | Source = Service Control Manager | ID = 7034
Description = Le service Java Quick Starter s'est terminé de façon inattendue pour
la 1ème fois.

Error - 16/09/2010 8:40:49 | Computer Name = ULB-614A9323631 | Source = Service Control Manager | ID = 7034
Description = Le service Service McAfee Framework s'est terminé de façon inattendue
pour la 1ème fois.

Error - 16/09/2010 8:40:49 | Computer Name = ULB-614A9323631 | Source = Service Control Manager | ID = 7034
Description = Le service Machine Debug Manager s'est terminé de façon inattendue
pour la 1ème fois.

Error - 16/09/2010 8:40:49 | Computer Name = ULB-614A9323631 | Source = Service Control Manager | ID = 7034
Description = Le service McAfee Task Manager s'est terminé de façon inattendue pour
la 1ème fois.

Error - 16/09/2010 8:40:49 | Computer Name = ULB-614A9323631 | Source = Service Control Manager | ID = 7034
Description = Le service NVIDIA Display Driver Service s'est terminé de façon inattendue
pour la 1ème fois.

Error - 16/09/2010 8:40:49 | Computer Name = ULB-614A9323631 | Source = Service Control Manager | ID = 7034
Description = Le service Intel(R) PROSet/Wireless Registry Service s'est terminé
de façon inattendue pour la 1ème fois.

Error - 16/09/2010 8:40:49 | Computer Name = ULB-614A9323631 | Source = Service Control Manager | ID = 7034
Description = Le service Cyberlink RichVideo Service(CRVS) s'est terminé de façon
inattendue pour la 1ème fois.


< End of report >

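A note on reading the Extras.txt sections above. The parts a helper scans first are "File Associations", "Shell Spawning", the firewall "GloballyOpenPorts" list and the "Authorized Applications List", because those are where launch hijacks and unintended network exposure show up. In this log the items worth a second look are the per-user `.exe` association under HKEY_CURRENT_USER (a key XP does not create on its own, and one rogue software has used to hook executable launches; OTL reports it as broken, "Key error", which is a cleanup item rather than proof of infection), the MySQL port 3306 open to any source, the stale XWin.exe rule whose binary no longer exists, and ftp.exe, a Windows built-in, allowed through the firewall. The script below is an added example written for this page, not OTL's code or output: it reads a log in this format and flags exactly those patterns. The sample input is a constructed excerpt of the log above, and the `comfile` line with `C:\constructed-example\hook.exe` is deliberately fabricated so the shell-spawning check has a hijack to catch.

```python
"""Triage checks over an OTL Extras.txt log (added example, not OTL's code)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    section: str
    item: str
    reason: str


# Constructed excerpt in the Extras.txt format above. The comfile line is a
# fabricated hijack (path C:\constructed-example\hook.exe) for the demo only.
SAMPLE = r"""
========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.exe [@ = exefile] -- Reg Error: Key error. File not found
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
comfile [open] -- "C:\constructed-example\hook.exe" "%1" %*
exefile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [open] -- "%1" /S

========== Firewall Settings ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"3306:TCP" = 3306:TCP:*:Enabled:MySQL Server
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\cygwin\usr\X11R6\bin\XWin.exe" = C:\cygwin\usr\X11R6\bin\XWin.exe:*:Enabled:XWin -- File not found
"C:\WINDOWS\system32\ftp.exe" = C:\WINDOWS\system32\ftp.exe:*:Enabled:Logiciel de transfert de fichiers -- (Microsoft Corporation)
"C:\Program Files\WinSCP\WinSCP.exe" = C:\Program Files\WinSCP\WinSCP.exe:*:Enabled:WinSCP: SFTP, FTP and SCP client -- (Martin Prikryl)
"""

HEADER_RE = re.compile(r"^=+ (.+?) =+$")
KEY_RE = re.compile(r"^\[(.+)\]$")
ASSOC_RE = re.compile(r"^(\.\w+) \[@ = (.*?)\] -- (.*)$")
SPAWN_RE = re.compile(r"^(\w+) \[(\w+)\] -- (.*)$")
PORT_RE = re.compile(r'^"[^"]+" = (\d+):(TCP|UDP):([^:]+):(Enabled|Disabled):(.*)$')
APP_RE = re.compile(r'^"[^"]+" = (.+?):([^:]+):(Enabled|Disabled):(.*?)(?: -- (.*))?$')

# XP defaults for the launch verbs that malware rewrites to intercept launches.
EXPECTED_SPAWN = {
    ("batfile", "open"): '"%1" %*',
    ("cmdfile", "open"): '"%1" %*',
    ("comfile", "open"): '"%1" %*',
    ("exefile", "open"): '"%1" %*',
    ("piffile", "open"): '"%1" %*',
    ("scrfile", "open"): '"%1" /S',
}
EXEC_EXTS = {".exe", ".com", ".bat", ".cmd", ".pif", ".scr"}


def triage(log_text):
    """Walk the sections of an Extras.txt log and return the items to review."""
    findings, section, key = [], "", ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            section, key = m.group(1), ""
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        if section == "File Associations":
            m = ASSOC_RE.match(line)
            # A per-user mapping for an executable type shadows the HKLM one.
            if m and "HKEY_CURRENT_USER" in key and m.group(1).lower() in EXEC_EXTS:
                findings.append(Finding(section, m.group(1),
                                        "per-user association for an executable type "
                                        "overrides HKLM; target: " + m.group(3)))
        elif section == "Shell Spawning":
            m = SPAWN_RE.match(line)
            if m:
                expected = EXPECTED_SPAWN.get((m.group(1), m.group(2)))
                if expected and m.group(3) != expected:
                    findings.append(Finding(section, f"{m.group(1)} [{m.group(2)}]",
                                            f"command {m.group(3)!r} differs from XP default {expected!r}"))
        elif section == "Firewall Settings":
            m = PORT_RE.match(line)
            # Scope "*" means any source address, not just the local subnet.
            if m and m.group(3) == "*" and m.group(4) == "Enabled":
                findings.append(Finding(section, f"{m.group(1)}/{m.group(2)}",
                                        f"inbound port open from any source for {m.group(5)!r}"))
        elif section == "Authorized Applications List":
            m = APP_RE.match(line)
            if not m or m.group(3) != "Enabled":
                continue
            path, scope, trailer = m.group(1), m.group(2), m.group(5) or ""
            if "File not found" in trailer:
                findings.append(Finding(section, path, "stale rule: allowed binary no longer exists"))
            elif "\\windows\\system32\\" in path.lower() and scope == "*":
                findings.append(Finding(section, path, "built-in Windows tool allowed inbound from any source"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"[{f.section}] {f.item}: {f.reason}")
```

On a real log, feed the whole Extras.txt to `triage()`; anything it does not flag is left alone, and a flagged item still needs the usual judgement (a developer's MySQL server is a legitimate reason for port 3306, but not with scope `*` on a laptop that roams between networks).
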
ken545
2010-09-16, 23:45
Hi,

You still have a few things going on that need to be fixed, run this tool please

Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)


* IMPORTANT !!! Save ComboFix.exe to your Desktop


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.


As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



http://img.photobucket.com/albums/v706/ried7/RC1.png


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

tintin30
2010-09-17, 01:48
Hi ken545,

Thanks for your rapid response. ComboFix has detected the OS language and generated the report in French (again...). Based on some other posts on the forum, I've translated it. You will find the "translated version" below. I did my best, but if some things are still unclear, I am at your complete disposal.

Another (probably) important point: I had some problems disabling McAfee and I simply renamed the containing folder (before starting Windows). That is why it is treated as orphan.

Thanks again for your time.

-------------------------------------------------------------------------
ComboFix 10-09-16.04 - Artem 16/09/2010 23:41:04.1.2 - x86
Microsoft Windows XP Professionnel 5.1.2600.3.1252.33.1036.18.2047.1397 [GMT 2:00]
Running from: c:\documents and settings\Artem\Bureau\ComboFix.exe
.

(((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\spool\prtprocs\w32x86\pcldll6l.dll
c:\windows\system32\spool\prtprocs\w32x86\zpp.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF


((((((((((((((((((((((((((((( Files Created from 2010-08-16 to 2010-09-16 ))))))))))))))))))))))))))))))))))))
.

2010-09-16 13:20 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-16 13:20 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-15 11:32 . 2010-09-15 11:56 -------- d-----w- c:\program files\MiKTeX 2.7
2010-09-13 12:51 . 2010-09-13 12:51 -------- d-----w- C:\ERDNT
2010-09-13 12:50 . 2010-09-13 12:50 -------- d-----w- c:\program files\ERUNT
2010-09-11 20:31 . 2010-09-11 20:31 -------- d-----w- c:\documents and settings\Administrateur\Local Settings\Application Data\Mozilla
2010-09-11 20:29 . 2010-09-11 20:29 -------- d-sh--w- c:\documents and settings\Administrateur\IETldCache
2010-09-11 18:49 . 2010-09-11 18:49 -------- d-----w- c:\documents and settings\Artem\Application Data\Malwarebytes
2010-09-11 18:49 . 2010-09-11 18:49 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2010-09-11 18:49 . 2010-09-16 13:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-11 17:11 . 2010-09-11 19:37 2941 ----a-w- C:\UsbFix_Upload_Me_ULB-614A9323631.zip
2010-09-11 15:59 . 2010-09-11 15:59 32768 ---ha-w- C:\SZKGFS.dat
2010-09-11 15:54 . 2010-09-11 19:37 -------- d-----w- C:\UsbFix
2010-09-11 15:53 . 2010-09-11 15:53 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\SITEguard
2010-09-11 15:52 . 2010-09-11 15:52 -------- d-----w- c:\program files\Fichiers communs\iS3
2010-09-11 15:52 . 2010-09-11 17:39 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\STOPzilla!
2010-09-10 01:47 . 2010-09-10 01:48 -------- d-----w- c:\program files\GnuChess

.
(((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-16 21:49 . 2009-04-11 22:02 -------- d-----w- c:\documents and settings\Artem\Application Data\Skype
2010-09-16 21:21 . 2010-09-16 21:21 50 ----a-w- c:\program files\.directory
2010-09-16 21:16 . 2008-11-13 14:43 -------- d-----w- c:\documents and settings\Artem\Application Data\WinEdt
2010-09-16 12:14 . 2008-09-26 14:04 -------- d-----w- c:\program files\Fichiers communs\Adobe
2010-09-16 09:07 . 2008-09-27 15:40 -------- d-----w- c:\documents and settings\Artem\Application Data\AdobeUM
2010-09-14 08:10 . 2009-07-08 21:46 70488 ----a-w- c:\documents and settings\Artem\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-09-12 15:25 . 2010-06-23 12:00 -------- d-----w- c:\program files\yapakit-release-2008.10.27.21.28.26-win32-ix86
2010-09-11 17:35 . 2010-09-11 17:35 744 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-09-10 01:34 . 2004-08-05 12:00 49898 ----a-w- c:\windows\system32\perfc00C.dat
2010-09-10 01:34 . 2004-08-05 12:00 371218 ----a-w- c:\windows\system32\perfh00C.dat
2010-09-01 21:42 . 2010-06-03 06:04 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-09-01 15:13 . 2008-09-28 11:10 -------- d-----w- c:\program files\Fichiers communs\Java
2010-09-01 15:13 . 2008-09-28 11:28 -------- d-----w- c:\program files\Java
2010-09-01 13:20 . 2009-02-28 22:29 -------- d-----w- c:\documents and settings\Artem\Application Data\U3
2010-08-20 22:10 . 2010-08-20 22:10 503808 ----a-w- c:\documents and settings\Artem\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-7c8ec525-n\msvcp71.dll
2010-08-20 22:10 . 2010-08-20 22:10 499712 ----a-w- c:\documents and settings\Artem\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-7c8ec525-n\jmc.dll
2010-08-20 22:10 . 2010-08-20 22:10 348160 ----a-w- c:\documents and settings\Artem\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-7c8ec525-n\msvcr71.dll
2010-08-20 22:09 . 2010-08-20 22:09 61440 ----a-w- c:\documents and settings\Artem\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-4bedf1a5-n\decora-sse.dll
2010-08-20 22:09 . 2010-08-20 22:09 12800 ----a-w- c:\documents and settings\Artem\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-4bedf1a5-n\decora-d3d.dll
2010-08-17 13:17 . 2004-08-05 12:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-11 08:53 . 2010-05-18 18:54 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\DivX
2010-07-22 15:48 . 2004-08-05 12:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 06:19 . 2008-05-05 05:25 5632 ----a-w- c:\windows\system32\xpsp4res.dll
2010-07-17 03:00 . 2010-05-02 10:32 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-30 12:32 . 2004-08-05 12:00 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:25 . 2004-08-05 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 09:02 . 2004-08-05 12:00 1852032 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2004-08-05 12:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2009-10-22 18:07 . 2010-04-19 15:00 23864 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.

((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ToshibaGLDocMon"="c:\program files\TOSHIBA\TOSHIBA e-STUDIO Client\GLDocMon.exe" [2005-09-12 835584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Fichiers communs\Java\Java Update\jusched.exe" [2010-05-14 248552]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2007-01-29 638976]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"RTHDCPL"="RTHDCPL.EXE" [2007-03-08 16125952]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 56928]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-28 8429568]
"NeroFilterCheck"="c:\program files\Fichiers communs\Ahead\Lib\NeroCheck.exe" [2007-03-26 161328]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 54832]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"HControl"="c:\windows\ATK0100\HControl.exe" [2006-10-14 110592]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Fichiers communs\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Artem\Menu Démarrer\Programmes\Démarrage\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
Skype.lnk - c:\windows\Installer\{D103C4BA-F905-437A-8049-DB24763BBE36}\SkypeIcon.exe [2010-7-12 371272]

c:\documents and settings\All Users.WINDOWS\Menu Démarrer\Programmes\Démarrage\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [2006-5-24 49152]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\MATLAB\\R2007b\\bin\\win32\\MATLAB.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\cygwin\\bin\\XWin.exe"=
"c:\\GMSH\\gmsh.exe"=
"c:\\Program Files\\WinSCP\\WinSCP.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3306:TCP"= 3306:TCP:MySQL Server

R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [19/04/2010 17:00 70728]
R3 SynMini;Syntek USB2.0 2M WebCam;c:\windows\system32\drivers\SynMini.sys [26/09/2008 15:18 1208064]
R3 SynScan;Syntek USB2.0 2M WebCam Still Image;c:\windows\system32\drivers\SynScan.sys [26/09/2008 15:19 8064]
S2 McAfeeEngineService;McAfee Engine Service;"c:\program files\McAfee\VirusScan Enterprise\EngineServer.exe" --> c:\program files\McAfee\VirusScan Enterprise\EngineServer.exe [?]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [19/04/2010 17:00 66600]
.
Contents of the 'Scheduled Tasks' folder

2010-08-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 10:34]

2010-06-06 c:\windows\Tasks\Install_NSS.job
- c:\program files\DivX\Symantec\scstubinstaller.exe [2010-03-08 18:00]

2010-09-16 c:\windows\Tasks\User_Feed_Synchronization-{D7B34122-7D38-4DB9-BA5B-FA6966AD0A11}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 02:31]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {DC6EA748-82AF-4331-A1EE-0B19E2A69E1A} = 164.15.59.200
FF - ProfilePath - c:\documents and settings\Artem\Application Data\Mozilla\Firefox\Profiles\mniywwju.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://wwwdev.ulb.ac.be/webmail2/webmail2.php
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&type=971163&p=
FF - component: c:\program files\Mozilla Firefox\components\Scriptff.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-McAfee Anti-Spyware Enterprise Module - c:\program files\McAfee\VirusScan Enterprise\scan32.exe
AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files\DivX\DivXCodecUninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-16 23:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2960)
c:\program files\Fichiers communs\Microsoft Shared\INK\SKCHUI.DLL
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\WinSCP\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\eappprxy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Fichiers communs\LightScribe\LSSrvc.exe
c:\program files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\RTHDCPL.EXE
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
c:\program files\Skype\Phone\Skype.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
c:\windows\ATK0100\ATKOSD.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
.
**************************************************************************
.
Completion time: 2010-09-16 23:53:30 - computer rebooted
ComboFix-quarantined-files.txt 2010-09-16 21:53

Pre-Run: 5.624.242.176 octets libres
Post-Run: 5.478.584.320 octets libres

WindowsXP-KB310994-SP2-Pro-BootDisk-FRA.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professionnel" /noexecute=optin /fastdetect

- - End Of File - - 7D4B8E52A98E5289BE8ACAFCA2DDA036

ken545
2010-09-17, 02:54
France, ahhhh. I have family in Italy and go to visit every few years. I have never been to France but have always wanted to visit, maybe on my next trip.

Run OTL

Under the Custom Scans/Fixes box at the bottom, paste in the following


:OTL
PRC - C:\Windows\Explorer.EXE (Microsoft Corporation)
[2010/09/14 19:25:02 | 000,419,283 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100916-155919.backup
[2010/09/12 13:40:46 | 000,419,283 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100914-192502.backup
[2010/09/12 13:32:52 | 000,419,283 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100912-134046.backup
[2010/09/12 12:48:44 | 000,419,283 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100912-133252.backup
[2010/09/11 17:59:36 | 000,418,771 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100912-124843.backup
[2010/09/11 19:35:39 | 000,000,744 | ---- | M] () -- C:\WINDOWS\System32\drivers\kgpcpy.cfg
[2010/09/11 17:59:05 | 000,032,768 | -H-- | M] () -- C:\SZKGFS.dat



:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
Then click the Run Fix button at the top
Let the program run unhindered, reboot when it is done
Then post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
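
The file lines in the fix above follow OTL's listing format: a bracketed timestamp, size, attribute flags and an M (modified) or C (created) marker, then the signer in parentheses and the path. When triaging such logs it helps to pull those fields apart programmatically. The following is an added example, not OTL's or OldTimer's own code; the meaning of the four attribute columns (read-only, hidden, system, directory) is an assumption, and the sample block is constructed from the lines quoted in this thread.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# One OTL file-listing line looks like:
#   [2010/09/14 19:25:02 | 000,419,283 | R--- | M] () -- C:\path\file
# The attribute column is assumed (not documented on this page) to mean
# R=read-only, H=hidden, S=system, D=directory, each shown as its letter or '-'.
OTL_FILE_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| "
    r"(?P<attrs>[RHSD-]{4}) \| "
    r"(?P<kind>[MC])\] "
    r"\((?P<company>[^)]*)\) -- "
    r"(?P<path>\S.*)$"
)

# Constructed sample: the fix script posted above (non-file lines are skipped).
SAMPLE_OTL_FIX = r"""
:OTL
PRC - C:\Windows\Explorer.EXE (Microsoft Corporation)
[2010/09/14 19:25:02 | 000,419,283 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100916-155919.backup
[2010/09/12 13:40:46 | 000,419,283 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100914-192502.backup
[2010/09/12 13:32:52 | 000,419,283 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100912-134046.backup
[2010/09/12 12:48:44 | 000,419,283 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100912-133252.backup
[2010/09/11 17:59:36 | 000,418,771 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100912-124843.backup
[2010/09/11 19:35:39 | 000,000,744 | ---- | M] () -- C:\WINDOWS\System32\drivers\kgpcpy.cfg
[2010/09/11 17:59:05 | 000,032,768 | -H-- | M] () -- C:\SZKGFS.dat
:Commands
[purity]
[emptytemp]
"""


@dataclass
class OtlEntry:
    timestamp: datetime
    size: int        # bytes, with the thousands separators removed
    attrs: str       # raw four-character attribute column, e.g. "-H--"
    kind: str        # "M" = listed by modified time, "C" = by created time
    company: str     # signer/company shown in parentheses, often empty
    path: str

    @property
    def hidden(self) -> bool:
        return "H" in self.attrs

    @property
    def read_only(self) -> bool:
        return "R" in self.attrs


def parse_otl_line(line: str) -> Optional[OtlEntry]:
    """Return an OtlEntry for a file-listing line, or None for any other line."""
    m = OTL_FILE_LINE.match(line.strip())
    if not m:
        return None
    return OtlEntry(
        timestamp=datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S"),
        size=int(m.group("size").replace(",", "")),
        attrs=m.group("attrs"),
        kind=m.group("kind"),
        company=m.group("company"),
        path=m.group("path"),
    )


def parse_otl_block(text: str) -> List[OtlEntry]:
    """Parse every file-listing line in an OTL log or fix script."""
    return [e for e in (parse_otl_line(l) for l in text.splitlines()) if e is not None]


def hidden_paths(entries: List[OtlEntry]) -> List[str]:
    """Paths carrying the hidden attribute; worth a second look in a fix script."""
    return [e.path for e in entries if e.hidden]


def total_bytes(entries: List[OtlEntry]) -> int:
    return sum(e.size for e in entries)


def paths_under(entries: List[OtlEntry], prefix: str) -> List[str]:
    """Case-insensitive prefix match, since Windows paths are case-insensitive."""
    p = prefix.lower()
    return [e.path for e in entries if e.path.lower().startswith(p)]


if __name__ == "__main__":
    found = parse_otl_block(SAMPLE_OTL_FIX)
    for e in found:
        print(f"{e.timestamp:%Y-%m-%d %H:%M:%S}  {e.size:>9}  {e.attrs}  {e.path}")
    print("hidden:", hidden_paths(found))
    print("total bytes:", total_bytes(found))
```

Run on the fix above it shows five hosts backups of roughly 419 KB each, all read-only, under the drivers\etc folder, plus one hidden file in the root of C:. The parser only describes what the listing says; deciding whether an entry is malicious still requires the analyst's judgement, as in this thread.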

tintin30
2010-09-17, 10:20
Hi ken545,

if you live or work in the south of France (or in Italy), it should be like vacation all year :) I am from Belgium, and the climate there is close to the one in the south of the UK (it rains most of the time). The same actually holds for northern France as well.

Thanks again for a quick answer. I have run OTL and got the log below. As an additional observation, I've run gmer (renamed) to see whether the system tasks are still reacting to this program by dramatically increasing their activity (100% CPU usage, slowing down of the PC), and it is still the case. Once I kill the most active tasks, the others start doing the same...

Thanks for being so kind and reacting so quickly! I could hardly guess that my PC is infected to that point...
--------------------------------------------------------------------
All processes killed
========== OTL ==========
No active process named Explorer.EXE was found!
C:\WINDOWS\system32\drivers\etc\hosts.20100916-155919.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20100914-192502.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20100912-134046.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20100912-133252.backup moved successfully.
C:\WINDOWS\system32\drivers\etc\hosts.20100912-124843.backup moved successfully.
C:\WINDOWS\system32\drivers\kgpcpy.cfg moved successfully.
C:\SZKGFS.dat moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrateur
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: All Users

User: All Users.WINDOWS

User: Artem
->Temp folder emptied: 590464 bytes
->Temporary Internet Files folder emptied: 5275893 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 58485281 bytes
->Flash cache emptied: 689 bytes

User: Default User

User: Default User.WINDOWS
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 16867 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 61,00 mb


OTL by OldTimer - Version 3.2.12.1 log created on 09172010_083820

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...
-----------------------------------------------------------------------

ken545
2010-09-17, 13:28
Hello,

Try running GMER in Safemode

To Enter Safemode

Go to Start> Shut off your Computer> Restart
As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
this will bring up a menu.
Use the Up and Down Arrow Keys to scroll up to Safemode
Then press the Enter Key on your Keyboard

Tutorial if you need it How to boot into Safemode (http://www.bleepingcomputer.com/tutorials/tutorial61.html)




If it still won't run then try this one.

Please download Rooter Rootkit Detector (http://eric.71.mespages.googlepages.com/Rooter.exe) to your Desktop

Doubleclick it to start the tool.
A Notepad file containing the report will open, also found at %systemdrive% (usually C:\Rooter.txt).
Post the report for me to see.

tintin30
2010-09-17, 21:46
Hi,

Thanks for your reply. I have tried what you suggest: gmer runs without problem when started in safe mode. I have waited till it has finished, and the generated log is void (nothing has been found). Outside safe mode, it behaves like before: it slows down (while other processes rapidly occupy 100% CPU) and, if I change its priority, quits the OS with an error message (blue screen, message visible 1 second, then reboot).

Regarding Rooter Rootkit Detector, I have followed indicated steps (with the one in addition, namely "press on Scan button to run the program"). You can find the resulting log below.

Thanks for your comments and help! :thanks:

--------------------------------------------------------------------------
Rooter.exe (v1.0.2) by Eric_71
.
SeDebugPrivilege granted successfully ...
.
Windows XP . (5.1.2600) Service Pack 3
[32_bits] - x86 Family 6 Model 15 Stepping 13, GenuineIntel
.
[wscsvc] (Security Center) RUNNING (state:4)
[SharedAccess] RUNNING (state:4)
Windows Firewall -> Enabled
.
Internet Explorer 8.0.6001.18702
Mozilla Firefox 3.5.13 (en-GB)
.
C:\ [Fixed-NTFS] .. ( Total:24 Go - Free:5 Go )
D:\ [Fixed-NTFS] .. ( Total:9 Go - Free:1 Go )
E:\ [CD_Rom]
.
Scan : 20:37.33
Path : C:\Documents and Settings\Artem\Bureau\Rooter.exe
User : Artem ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [System Process] (0)
______ System (4)
______ \SystemRoot\System32\smss.exe (920)
______ \??\C:\WINDOWS\system32\csrss.exe (1288)
______ \??\C:\WINDOWS\system32\winlogon.exe (1324)
______ C:\WINDOWS\system32\services.exe (1368)
______ C:\WINDOWS\system32\lsass.exe (1388)
______ C:\WINDOWS\system32\svchost.exe (1552)
______ C:\WINDOWS\system32\svchost.exe (1600)
______ C:\WINDOWS\System32\svchost.exe (1640)
______ C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe (1696)
______ C:\WINDOWS\system32\svchost.exe (1752)
______ C:\WINDOWS\system32\svchost.exe (1876)
______ C:\WINDOWS\system32\spoolsv.exe (276)
______ C:\WINDOWS\system32\svchost.exe (460)
______ C:\Program Files\Intel\Wireless\Bin\EvtEng.exe (752)
______ C:\Program Files\Java\jre6\bin\jqs.exe (796)
______ C:\WINDOWS\Explorer.EXE (880)
______ C:\Program Files\Fichiers communs\LightScribe\LSSrvc.exe (492)
______ C:\WINDOWS\system32\ctfmon.exe (1100)
______ C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe (1112)
______ C:\Program Files\McAfee\Common Framework\FrameworkService.exe (1140)
______ C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe (1240)
______ C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE (1516)
______ C:\WINDOWS\system32\mfevtps.exe (1800)
______ C:\WINDOWS\system32\nvsvc32.exe (1824)
______ C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe (1976)
______ C:\Program Files\CyberLink\Shared Files\RichVideo.exe (528)
______ C:\WINDOWS\system32\svchost.exe (620)
______ C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe (748)
______ C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe (228)
______ C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe (2164)
______ C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe (2172)
______ C:\WINDOWS\RTHDCPL.EXE (2196)
______ C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe (2208)
______ C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe (2272)
______ C:\WINDOWS\ATK0100\HControl.exe (2288)
______ C:\Program Files\McAfee\Common Framework\udaterui.exe (2428)
______ C:\Program Files\TOSHIBA\TOSHIBA e-STUDIO Client\GLDocMon.exe (2460)
______ C:\Program Files\McAfee\Common Framework\McTray.exe (2516)
______ C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe (2588)
______ C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe (2676)
______ C:\Program Files\Skype\Phone\Skype.exe (2692)
______ C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe (2744)
______ C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe (2800)
______ C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe (2976)
______ C:\WINDOWS\ATK0100\ATKOSD.exe (3068)
______ C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe (3200)
______ C:\WINDOWS\system32\wbem\wmiapsrv.exe (1504)
______ C:\WINDOWS\System32\alg.exe (1136)
______ C:\Program Files\McAfee\VirusScan Enterprise\ShStat.exe (3584)
______ C:\Program Files\Mozilla Firefox\firefox.exe (2780)
______ C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe (1904)
______ C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe (3752)
______ C:\Documents and Settings\Artem\Bureau\Rooter.exe (1244)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
.
----------------------\\ Scheduled Tasks
.
C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
C:\WINDOWS\Tasks\desktop.ini
C:\WINDOWS\Tasks\SA.DAT
C:\WINDOWS\Tasks\User_Feed_Synchronization-{D7B34122-7D38-4DB9-BA5B-FA6966AD0A11}.job
.
----------------------\\ Registry
.
.
----------------------\\ Files & Folders
.
----------------------\\ Scan completed at 20:37.48
.
C:\Rooter$\Rooter_3.txt - (17/09/2010 | 20:37.49)

ken545
2010-09-17, 22:37
Looks fine. GMER for some reason won't run on some systems, why I don't know.

How are things running now ?

tintin30
2010-09-17, 23:39
Hi ken,

All the symptoms of trojan activity have disappeared. Thank you for all your help: you did a really great job! :bigthumb: I wonder if there is something I can do to thank you for your help? If yes, just let me know ;)

Anyway, it was a pleasure to follow your advice. :2thumb:

ken545
2010-09-18, 01:21
You're very welcome, glad things are back to normal. :) If you look up at the top right you will see a donate button; any donation, big or small, is used for malware research and to help keep us online, but it's not mandatory.


Malwarebytes <-- Yours to keep also, check for updates and run a scan now and then.

Combofix <---Is not a general cleaning tool, just run it with supervision or you can damage your system


Click START then RUN
Now type Combofix /uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.


http://i526.photobucket.com/albums/cc345/MPKwings/CF-Uninstall.png


When shown the disclaimer, Select "2"

The above procedure will:

Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.

Now to remove most of the tools that we have used in fixing your machine:
Make sure you have an Internet Connection.
Download OTC (http://oldtimer.geekstogo.com/OTC.exe) to your desktop and run it
A list of tool components used in the cleanup of malware will be downloaded.
If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
Click Yes to begin the cleanup process and remove these components, including this application.
You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine choose Yes.

How did I get infected in the first place ?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)

Keep in mind, if you install some of these programs: only ONE Anti Virus and only ONE Firewall is recommended, more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster and Spyware Guard, they will conflict with the TeaTimer in Spybot; you can still install Spybot Search and Destroy but do not enable the TeaTimer.


Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community

Spybot Search and Destroy 1.6 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.

WinPatrol (www.winpatrol.com/download.html) Keep this fine program activated to block a lot of threats

Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.

Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.

IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.

Firefox 3 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, you can use them both.



Safe Surfn
Ken