Java/Agent.DW removal help needed

[superb1000]

hi

yesterday after seeing a C++ compiler installed on a location where it should not be, i did a full scan on my system with nod32.

Nod 32 found:


C:\Documents and Settings\HP_Administrateur\Application Data\Sun\Java\Deployment\cache\6.0\10\2db2554a-465fab38 Java/Agent.DW

C:\Documents and Settings\HP_Administrateur\Application Data\Sun\Java\Deployment\cache\6.0\34\27cc5822-684aa012 variation of Java/Agent.DW

C:\Documents and Settings\HP_Administrateur\Application Data\Sun\Java\Deployment\cache\6.0\41\76f3af69-56e3630d variation of Java/Agent.DW

As nod 32 did not remove it itself, What i did is remove the Cache directory and all it's content.
but I would like to know if there is not something else left that nod 32 has not seen or maybe a rootkit installed.

Here is the DDS log, after looking at this log I found 2 items that looks suspicious:

S3 FR;FR;c:\docume~1\hp_adm~1\locals~1\temp\FR.exe [2011-11-20 453504]

S3 RNZF;RNZF;c:\docume~1\hp_adm~1\locals~1\temp\RNZF.exe [2011-11-20 416640]

I found this site that suggest that FR.exe is a trojan.
http://www.auditmypc.com/fr.asp

I have not done anything yet to remove this 2 files.

I have also run Gmer to look for a rootkit, but nothing looks suspicious to me in this log.

thanks for your help !!
bye
philippe

DDS log & Gmer logs bellow:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_29
Run by HP_Administrateur at 20:31:16 on 2011-11-21
Microsoft Windows XP Professionnel 5.1.2600.3.1252.33.1036.18.1022.204 [GMT 1:00]
.
AV: ESET Smart Security 4.2 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: Pare-feu personnel d'ESET *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Fichiers communs\LightScribe\LSSrvc.exe
c:\progra~1\modsec~1\modsec~1.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Program Files\Serveur Media\twonkymediaserverwatchdog.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
C:\Program Files\Serveur Media\TwonkyMediaServer.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Fichiers communs\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\LaCie\Network Assistant\LaCie Network Assistant.exe
C:\Program Files\Serveur Media\twonkymediaserverconfig.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\HP\KBD\KBD.EXE
c:\windows\system\hpsysdrv.exe
C:\Documents and Settings\HP_Administrateur\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\HP_Administrateur\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\HP_Administrateur\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\HP_Administrateur\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\HP_Administrateur\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.fr/
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=FR_FR&c=64&bd=PAVILION&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=FR_FR&c=64&bd=PAVILION&pf=desktop
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=FR_FR&c=64&bd=PAVILION&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=FR_FR&c=64&bd=PAVILION&pf=desktop
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\fichiers communs\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SandboxieControl] "c:\program files\sandboxie\SbieCtrl.exe"
uRun: [Google Update] "c:\documents and settings\hp_administrateur\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [LaCie Ethernet Agent Startup] "c:\program files\lacie\network assistant\LaCie Network Assistant.exe" silent
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
mRun: [DMAScheduler] "c:\program files\hp digitalmedia archive\DMAScheduler.exe"
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [PCDrProfiler]
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [SbUsb AudCtrl] RunDll32 sbusbdll.dll,RCMonitor
mRun: [OpwareSE2] "c:\program files\scansoft\omnipagese2.0\OpwareSE2.exe"
mRun: [OPSE reminder] "c:\program files\scansoft\omnipagese2.0\eregfre\ereg.exe" -r "c:\program files\scansoft\omnipagese2.0\eregfre\ereg.ini"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [WinampAgent] c:\program files\winamp\winampa.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\fichiers communs\adobe\arm\1.0\AdobeARM.exe"
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [SunJavaUpdateSched] "c:\program files\fichiers communs\java\java update\jusched.exe"
dRun: [DWQueuedReporting] "c:\progra~1\fichie~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\hp_adm~1\menudm~1\progra~1\dmarra~1\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\menudé~1\progra~1\démarr~1\adobeg~1.lnk - c:\program files\fichiers communs\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\menudé~1\progra~1\démarr~1\agents~1.lnk - c:\program files\serveur media\twonkymediaserverconfig.exe
StartupFolder: c:\docume~1\alluse~1\menudé~1\progra~1\démarr~1\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\menudé~1\progra~1\démarr~1\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: Easy-WebPrint Ajouter à la liste d'impressions - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint Impression rapide - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Imprimer - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: Easy-WebPrint Prévisualiser - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {FB858B22-55E2-413f-87F5-30ADC5552151} - c:\program files\plotsoft\pdfill\DownloadPDF.exe
IE: {36ECAF82-3300-8F84-092E-AFF36D6C7040} - {86529161-034E-4F8A-88D2-3C625E612E04} - c:\program files\winhttrack\WinHTTrackIEBar.dll
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://www.photoweb.fr/telechargement/telechargement-photoweb.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 89.2.0.1 89.2.0.2
TCP: Interfaces\{1CEDAE29-FA41-4AE6-BD3D-D3CBBA6A701C} : DhcpNameServer = 16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
TCP: Interfaces\{8DB0263C-FA1D-4003-B095-14543902067D} : DhcpNameServer = 89.2.0.1 89.2.0.2
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
Hosts: 85.17.174.182 voyagesinterieurs.com www.voyagesinterieurs.com
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\hp_administrateur\application data\mozilla\firefox\profiles\ubl5jbee.default\
FF - prefs.js: network.proxy.socks - 127.0.0.1
FF - prefs.js: network.proxy.socks_port - 8080
FF - prefs.js: network.proxy.type - 1
FF - component: c:\documents and settings\hp_administrateur\application data\mozilla\firefox\profiles\ubl5jbee.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\documents and settings\hp_administrateur\application data\mozilla\firefox\profiles\ubl5jbee.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\documents and settings\hp_administrateur\local settings\application data\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npaudio.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npavi32.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\NPBeatnk.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npnul32.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin2.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin3.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin4.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin5.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin6.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin7.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npswf32.dll
FF - plugin: c:\program files\videoegg\loader\2663\npvideoegg-loader.dll
FF - Ext: Cooliris: - %profile%\extensions\piclens@cooliris.com
FF - Ext: Firesizer: {04426594-bce6-4705-b811-bcdba2fd9c7b} - %profile%\extensions\{04426594-bce6-4705-b811-bcdba2fd9c7b}
FF - Ext: Firebug: - %profile%\extensions\firebug@software.joehewitt.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Petitscailloux: - %profile%\extensions\contact@petitscailloux.com
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: - c:\program files\java\jre6\lib\deploy\jqs\ff
.
============= SERVICES / DRIVERS ===============
.
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2010-12-21 115008]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [2008-3-14 8576]
R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2011-1-12 810144]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 modsecurity-console;modsecurity-console;c:\progra~1\modsec~1\modsec~1.exe [2008-1-1 138752]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-6-25 35088]
R2 Serveur Média;Serveur Média;c:\program files\serveur media\twonkymediaserverwatchdog.exe -serviceversion 0 --> c:\program files\serveur media\twonkymediaserverwatchdog.exe -serviceversion 0 [?]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2008-11-15 102912]
S2 gupdate;Service Google Update (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-2 135664]
S3 FR;FR;c:\docume~1\hp_adm~1\locals~1\temp\FR.exe [2011-11-20 453504]
S3 gupdatem;Service Google Update (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-3-2 135664]
S3 RNZF;RNZF;c:\docume~1\hp_adm~1\locals~1\temp\RNZF.exe [2011-11-20 416640]
S3 sbusb;Sound Blaster USB Audio Driver;c:\windows\system32\drivers\sbusb.sys [2006-12-2 1694592]
S3 wimmount;wimmount;c:\windows\system32\drivers\wimmount.sys [2009-7-13 19024]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-10 14336]
.
=============== Created Last 30 ================
.
2011-11-21 17:35:01 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\{a0d185ae-c8dc-4681-bc8e-34476ddce69b}\offreg.dll
2011-11-20 08:18:02 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-11-18 06:53:15 6668624 ----a-w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\{a0d185ae-c8dc-4681-bc8e-34476ddce69b}\mpengine.dll
2011-11-15 21:15:04 -------- d-----w- c:\documents and settings\hp_administrateur\local settings\application data\LaCie
2011-11-15 21:12:41 -------- d-----w- c:\program files\Bonjour
2011-11-15 21:12:11 -------- d-----w- c:\program files\LaCie
.
==================== Find3M ====================
.
2011-10-10 14:23:00 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-03 04:06:03 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-09-28 15:15:50 1409 ----a-w- c:\windows\QTFont.for
2011-09-28 07:06:46 606208 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 09:41:40 614400 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 09:41:40 22528 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-26 09:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-06 14:10:01 1859072 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 20:32:55,20 ===============




GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2011-11-21 21:59:23
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 WDC_WD25 rev.10.0
Running: gmer.exe; Driver: C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\axlcafod.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \FileSystem\Fastfat \Fat bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Ip epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\Udp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\RawIp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 Elkbd.sys (Intel Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 Elkbd.sys (Intel Corporation)

---- EOF - GMER 1.0.15 ----

[shelf life]

hi superb1000,

We will get a download to use, its called combofix. There is a guide to read first, read through the guide then apply the directions on your own machine. Post the combofix log in your reply.

Guide to using Combofix

[superb1000]

hi shelf life

thanks for helping me... here is the log of combofix run.

Combofix saw that this is a french OS, and generated a french speaking report, if you need help for some translations do ask.


bye
philippe

ComboFix 11-11-23.01 - HP_Administrateur 23/11/2011 21:47:14.1.2 - x86
Microsoft Windows XP Professionnel 5.1.2600.3.1252.33.1036.18.1022.458 [GMT 1:00]
Lancé depuis: c:\data\security\ComboFix.exe
AV: ESET Smart Security 4.2 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: Pare-feu personnel d'ESET *Disabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
.
.
(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrateur\WINDOWS
c:\documents and settings\All Users\Application Data\VideoEgg
c:\documents and settings\All Users\Application Data\VideoEgg\user.dat
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\eMule_Secure\WINDOWS
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\avcodec.dll
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\crashRpt.dll
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\dataCollection.tmp
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\FLVEncoder.dll
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\lame_enc.dll
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\LevelMeter.ax
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\libcurlve.dll
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\libpng.dll
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\npvideoegg-publisher.dll
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\remoteblacklist
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\report.log
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\aol_watermark.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\audio_combo.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\audio_source.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\big_gray_logo.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\big_logo_cropped.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\blank_slide.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\button_browse_down.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\button_browse_over.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\button_browse_up.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\camcorder_btn_highlighted.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\camcorder_slide.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\camcorders_title.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\corners_bottom_left.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\corners_bottom_left_curve.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\corners_bottom_right.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\corners_top_right.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\done.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\done_capture.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\done_capture_down.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\done_capture_over.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\done_down.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\done_over.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\dropshadow_bottom_left.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\dropshadow_horiz.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\dropshadow_vertical.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\dropzone.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\dv_fast_forward.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\dv_pause.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\dv_play.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\dv_rewind.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\dv_stop.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\email_instructions.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\email_sent.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\email_sent_down.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\email_sent_over.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\eraser.CUR
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\eraser_cursor.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\file_btn_highlighted.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\file_slide.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\help.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\icon_camcorder.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\icon_camcorder_dark.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\icon_camcorder_light.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\icon_camcorders.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\icon_ff.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\icon_file_dark.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\icon_file_light.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\icon_pause.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\icon_phone_dark.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\icon_phone_light.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\icon_play.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\icon_rewind.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\icon_stop.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\icon_webcam.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\icon_webcam_dark.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\icon_webcam_light.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\icon_webcams.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\loading.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\loading_movie.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\locating.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\logo.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\logo_bottom.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\logo_middle.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\logo_top.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\mobile_btn_highlighted.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\mobile_slide.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\mobile_slide_disabled.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\movie_placeholder.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\ok.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\ok_down.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\ok_over.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\player_fast_forward.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\player_fast_forward_disabled.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\player_fill.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\player_pause.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\player_play.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\player_rewind.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\player_rewind_disabled.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\player_rewind_to_start.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\playhead.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\powered_by.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\progress.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\refresh_list_down.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\refresh_list_over.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\refresh_list_up.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\restart.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\restart_over.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\start_capture.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\start_capture_disabled.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\start_capture_down.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\start_capture_over.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\start_over.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\start_over_highlight.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\start_slider.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\stop_capture.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\stop_capture_disabled.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\stop_capture_down.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\stop_capture_over.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\stop_slider.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\tab_slide_deselected.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\tape_control.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\text_camcorder.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\text_camcorder_highlight.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\text_file.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\text_file_highlight.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\text_phone.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\text_phone_highlight.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\text_webcam.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\text_webcam_highlight.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\title.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\upload.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\upload_down.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\upload_from.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\upload_over.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\uploading.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\uploading_fill.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\uploading_high.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\uploading_low.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\uploading_medium.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\uploading_thumbnail.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\volume_gray.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\volume_green.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\volume_high.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\volume_low.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\volume_orange.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\volume_red.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\volume_slider.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\waiting_for_email.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\webcam_btn_highlighted.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\webcam_slide.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\webcams_title.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\messages\messages.en-US.bundle
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\VideoEgg_FLVWriter.ax
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\zlib.dll
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\publisher.ver
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Updater\2663\libcurlve.dll
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Updater\2663\updater.dll
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Updater\updater.ver
c:\documents and settings\HP_Administrateur\WINDOWS
c:\windows\kb913800.exe
c:\windows\system32\config\systemprofile\WINDOWS
D:\Autorun.inf
G:\install.exe
.
.
((((((((((((((((((((((((((((( Fichiers créés du 2011-10-23 au 2011-11-23 ))))))))))))))))))))))))))))))))))))
.
.
2011-11-21 19:29 . 2011-11-21 19:29 -------- d-----w- c:\program files\ERUNT
2011-11-20 08:18 . 2011-10-03 01:37 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-11-15 21:15 . 2011-11-15 21:15 -------- d-----w- c:\documents and settings\HP_Administrateur\Local Settings\Application Data\LaCie
2011-11-15 21:12 . 2011-11-15 21:12 -------- d-----w- c:\program files\Bonjour
2011-11-15 21:12 . 2011-11-15 21:12 -------- d-----w- c:\program files\LaCie
.
.
.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-10 14:23 . 2004-08-10 11:00 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-07 03:48 . 2007-03-31 07:27 6668624 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2011-10-03 04:06 . 2011-06-08 05:37 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-09-28 15:15 . 2011-09-28 15:15 1409 ----a-w- c:\windows\QTFont.for
2011-09-28 07:06 . 2004-08-10 11:00 606208 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 09:41 . 2007-10-09 11:03 614400 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 09:41 . 2004-08-10 04:00 22528 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-26 09:41 . 2004-08-10 04:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-06 14:10 . 2004-08-10 11:00 1859072 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-19 68856]
"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2008-11-15 313856]
"LaCie Ethernet Agent Startup"="c:\program files\LaCie\Network Assistant\LaCie Network Assistant.exe" [2011-08-26 9803264]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"ftutil2"="ftutil2.dll" [2004-06-07 106496]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-21 16261632]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-02-22 143360]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-21 7622656]
"nwiz"="nwiz.exe" [2006-06-21 1519616]
"DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-04-13 90112]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 249856]
"SbUsb AudCtrl"="sbusbdll.dll" [2005-05-26 128000]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
"OPSE reminder"="c:\program files\ScanSoft\OmniPageSE2.0\EregFre\Ereg.exe" [2003-07-07 729088]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2007-05-14 35328]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-28 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2011-01-12 49208]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Fichiers communs\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2011-01-12 2219184]
"SunJavaUpdateSched"="c:\program files\Fichiers communs\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\FICHIE~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
.
c:\documents and settings\eMule_Secure\Menu Démarrer\Programmes\Démarrage\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-1-3 27136]
PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-1-3 27136]
.
c:\documents and settings\HP_Administrateur\Menu Démarrer\Programmes\Démarrage\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
c:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\
Adobe Gamma Loader.exe.lnk - c:\program files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe [2006-12-2 113664]
Agent Serveur Média.lnk - c:\program files\Serveur Media\twonkymediaserverconfig.exe [2010-12-14 603736]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2001-6-28 65588]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
c:\documents and settings\Default User\Menu Démarrer\Programmes\Démarrage\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-1-3 27136]
PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-1-3 27136]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Serveur Media\\twonkymediaserverwatchdog.exe"=
"c:\\Program Files\\Serveur Media\\twonkymediaserver.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Gestion à distance de Windows
.
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [21/12/2010 14:04 115008]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [14/03/2008 22:47 8576]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [12/01/2011 15:41 810144]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [25/06/2010 18:07 35088]
R2 Serveur Média;Serveur Média;c:\program files\Serveur Media\twonkymediaserverwatchdog.exe -serviceversion 0 --> c:\program files\Serveur Media\twonkymediaserverwatchdog.exe -serviceversion 0 [?]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 17:19 13592]
S2 gupdate;Service Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [02/03/2010 18:55 135664]
S2 modsecurity-console;modsecurity-console;c:\progra~1\modsec~1\modsec~1.exe [01/01/2008 15:29 138752]
S3 FR;FR;c:\docume~1\HP_ADM~1\LOCALS~1\Temp\FR.exe --> c:\docume~1\HP_ADM~1\LOCALS~1\Temp\FR.exe [?]
S3 gupdatem;Service Google Update (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [02/03/2010 18:55 135664]
S3 RNZF;RNZF;c:\docume~1\HP_ADM~1\LOCALS~1\Temp\RNZF.exe --> c:\docume~1\HP_ADM~1\LOCALS~1\Temp\RNZF.exe [?]
S3 sbusb;Sound Blaster USB Audio Driver;c:\windows\system32\drivers\sbusb.sys [02/12/2006 08:56 1694592]
S3 wimmount;wimmount;c:\windows\system32\drivers\wimmount.sys [13/07/2009 17:20 19024]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [10/08/2004 12:00 14336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contenu du dossier 'Tâches planifiées'
.
2011-11-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 15:57]
.
2011-11-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-02 17:55]
.
2011-11-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-02 17:55]
.
2011-11-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1826305023-3480081972-1771391958-1007Core.job
- c:\documents and settings\HP_Administrateur\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-02 16:36]
.
2011-11-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1826305023-3480081972-1771391958-1007UA.job
- c:\documents and settings\HP_Administrateur\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-02 16:36]
.
2011-11-23 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 16:20]
.
.
------- Examen supplémentaire -------
.
uStart Page = hxxp://www.google.fr/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=FR_FR&c=64&bd=PAVILION&pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=FR_FR&c=64&bd=PAVILION&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=FR_FR&c=64&bd=PAVILION&pf=desktop
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Easy-WebPrint Ajouter à la liste d'impressions - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint Impression rapide - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Imprimer - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
IE: Easy-WebPrint Prévisualiser - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
TCP: DhcpNameServer = 89.2.0.1 89.2.0.2
FF - ProfilePath - c:\documents and settings\HP_Administrateur\Application Data\Mozilla\Firefox\Profiles\ubl5jbee.default\
FF - prefs.js: network.proxy.socks - 127.0.0.1
FF - prefs.js: network.proxy.socks_port - 8080
FF - prefs.js: network.proxy.type - 1
FF - Ext: Cooliris: piclens@cooliris.com - %profile%\extensions\piclens@cooliris.com
FF - Ext: Firesizer: {04426594-bce6-4705-b811-bcdba2fd9c7b} - %profile%\extensions\{04426594-bce6-4705-b811-bcdba2fd9c7b}
FF - Ext: Firebug: firebug@software.joehewitt.com - %profile%\extensions\firebug@software.joehewitt.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Petitscailloux: contact@petitscailloux.com - %profile%\extensions\contact@petitscailloux.com
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.
- - - - ORPHELINS SUPPRIMES - - - -
.
HKLM-Run-PCDrProfiler - (no file)
AddRemove-CloneDVD - c:\program files\Elaborate Bytes\CloneDVD\CloneDVD-uninst.exe
AddRemove-FileZilla - c:\program files\FileZilla\uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-23 22:09
Windows 5.1.2600 Service Pack 3 NTFS
.
Recherche de processus cachés ...
.
Recherche d'éléments en démarrage automatique cachés ...
.
Recherche de fichiers cachés ...
.
Scan terminé avec succès
Fichiers cachés: 0
.
**************************************************************************
.
Heure de fin: 2011-11-23 22:14:43
ComboFix-quarantined-files.txt 2011-11-23 21:14
.
Avant-CF: 10*745*180*160 octets libres
Après-CF: 18*706*194*432 octets libres
.
WindowsXP-KB310994-SP2-Pro-BootDisk-FRA.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
.
- - End Of File - - C4510EA29F04B1B1067FF1309886B6D4

[shelf life]

Ok thanks for the log. To help show all files you can do this:

For XP: on the desktop double click my computer,at the top click on> tools>folder options>view> then select "show hidden files and folders", then UNcheck "hide protected operating system files " also UNcheck "hide extensions for known file types" click apply to all folders, apply then ok.

Next take a look here:
c:\docume~1\hp_adm~1\locals~1\temp

C:\documents and settings\HP admin\local settings\Temp
Delete everything you can from the Temp directory.

Next download and run malwarebytes;

Please download the free version of Malwarebytes to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.

Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, select Perform FULL SCAN, then click Scan.

When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click *Remove Selected.*

*A restart of your computer may be required to remove some items. If prompted please restart your computer to complete the fix.*

When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

Post the log in your reply.

NOTE: The free version must be updated manually and a scan started manually

[superb1000]

hi shelf life,

thanks for the analysis.

Except from this,
>c:\docume~1\hp_adm~1\locals~1\temp
>C:\documents and settings\HP admin\local settings\Temp

did you saw something suspicious in the log ?

I will do Malwarebytes scan tonight. Is Malwarebytes complementeray to Nod32 ? and should I get the Pro version ?

Also I did run into malware problems on an external multimedia HDD a couple of months ago, I did ask support to Nod32 and to the EXternal drive company but did not get anywere. I ended up reformating & upgrading the firmware of the external multimedia HDD. (It was like if the malware had infetced the operating system of the external multimedia HHD).

But when I got this trojan problems on my main computer recently I also got a warning from NOD32 about the old malware on the Exeternal HDD.

Should I post here the initial issues I had with the external multimedia HDD ?
Should I do a DDS scan on this drive as well ?

Also I have a laptop running Windows 7, I did a full scan search with Nod32 and It did not found anything, can I use DDS to do a scan on this as well ? or another utility that is windows7 compatible ?

Last entry: My wife has a Mac Ipad, should I have a look there, if yes with what utility ?


bye
philippe

[shelf life]

malwarebytes will be ok with NOD32. The pro version of offers a real time protection component that runs in the background. Its worth the money.
Log looks ok other than the processes running out of a temp directory.

If the external drive is connected then combofix would have scanned it. It looks like two drives (other than C) were connected at the time it ran:
D:\Autorun.inf
G:\install.exe
DDS will run on W7, you can post a log.

Any malware on a Ipad will not run on the Windows OS and Windows malware will not run on a Ipad. They are two completly different operating systems.

[superb1000]

hi shelf life,

here is the log of malwarebytes:

Database version: 8234

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

25/11/2011 06:40:32
mbam-log-2011-11-25 (06-40-32).txt

Scan type: Full scan (C:\|D:\|E:\|G:\|)
Objects scanned: 771266
Time elapsed: 7 hour(s), 1 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\VideoEgg.ActiveXLoader (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@videoegg.com/Publisher,version=0.2.0 (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@videoegg.com/Updater,version=0.2.0 (Adware.VideoEgg) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\program files\VideoEgg\Loader\2663\npvideoegg-loader.dll (Adware.VideoEgg) -> Quarantined and deleted successfully.

[superb1000]

hi shelf life,

Before running malwarebytes I did as you suggested, removed everything in:

>C:\documents and settings\HP admin\local settings\Temp

However I was not able to remove 2 files that where used by another application (I don't know wich one).
and also to my surprise I did not find the very suspicious RNZF.exe & FR.exe....

Did Combofix removed then when I run it ? if not can they still be hidden somewhere else.


>If the external drive is connected then combofix would have scanned it. It >looks like two drives (other than C) were connected at the time it ran:

Now that things looks ok on the main PC, Whould it be a good idea to re-run combofix with the external multimedia drive connected to the PC ?

bye
philippe

[shelf life]

hi,

Those files in the temp may not exsist and have aleady been removed:
try this script like you did before:

Code:

Driver:
FR
RNZF

Go ahead and connect your external drive then rerun combofix and malwarebytes, i think with malwarebytes you will have to chose the external drive with a check mark for it to scan it

[superb1000]

hi shelf life,

>try this script like you did before:

I did not use any scripts form you yet.

>Go ahead and connect your external drive then rerun combofix and >malwarebytes, i think with malwarebytes you will have to chose the external >drive with a check mark for it to scan it

Will do and post the logs.

thanks again.


bye
philippe