Java/Agent.DW removal help needed

superb1000

New member
hi

Yesterday, after seeing a C++ compiler installed in a location where it should not be, I did a full scan of my system with NOD32.

NOD32 found:


C:\Documents and Settings\HP_Administrateur\Application Data\Sun\Java\Deployment\cache\6.0\10\2db2554a-465fab38 Java/Agent.DW

C:\Documents and Settings\HP_Administrateur\Application Data\Sun\Java\Deployment\cache\6.0\34\27cc5822-684aa012 variation of Java/Agent.DW

C:\Documents and Settings\HP_Administrateur\Application Data\Sun\Java\Deployment\cache\6.0\41\76f3af69-56e3630d variation of Java/Agent.DW

As NOD32 did not remove it itself, what I did was remove the cache directory and all its content.
But I would like to know whether there is something else left that NOD32 has not seen, or maybe a rootkit installed.

Here is the DDS log; after looking at this log I found 2 items that look suspicious:

S3 FR;FR;c:\docume~1\hp_adm~1\locals~1\temp\FR.exe [2011-11-20 453504]

S3 RNZF;RNZF;c:\docume~1\hp_adm~1\locals~1\temp\RNZF.exe [2011-11-20 416640]

I found this site that suggests that FR.exe is a trojan.
http://www.auditmypc.com/fr.asp

I have not done anything yet to remove these 2 files.

I have also run GMER to look for a rootkit, but nothing looks suspicious to me in this log.

Thanks for your help!!
Bye
philippe

DDS log & GMER logs below:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_29
Run by HP_Administrateur at 20:31:16 on 2011-11-21
Microsoft Windows XP Professionnel 5.1.2600.3.1252.33.1036.18.1022.204 [GMT 1:00]
.
AV: ESET Smart Security 4.2 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: Pare-feu personnel d'ESET *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Fichiers communs\LightScribe\LSSrvc.exe
c:\progra~1\modsec~1\modsec~1.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Program Files\Serveur Media\twonkymediaserverwatchdog.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
C:\Program Files\Serveur Media\TwonkyMediaServer.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Fichiers communs\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\LaCie\Network Assistant\LaCie Network Assistant.exe
C:\Program Files\Serveur Media\twonkymediaserverconfig.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\HP\KBD\KBD.EXE
c:\windows\system\hpsysdrv.exe
C:\Documents and Settings\HP_Administrateur\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\HP_Administrateur\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\HP_Administrateur\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\HP_Administrateur\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\HP_Administrateur\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.fr/
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=FR_FR&c=64&bd=PAVILION&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=FR_FR&c=64&bd=PAVILION&pf=desktop
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=FR_FR&c=64&bd=PAVILION&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=FR_FR&c=64&bd=PAVILION&pf=desktop
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\fichiers communs\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SandboxieControl] "c:\program files\sandboxie\SbieCtrl.exe"
uRun: [Google Update] "c:\documents and settings\hp_administrateur\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [LaCie Ethernet Agent Startup] "c:\program files\lacie\network assistant\LaCie Network Assistant.exe" silent
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
mRun: [DMAScheduler] "c:\program files\hp digitalmedia archive\DMAScheduler.exe"
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [PCDrProfiler]
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [SbUsb AudCtrl] RunDll32 sbusbdll.dll,RCMonitor
mRun: [OpwareSE2] "c:\program files\scansoft\omnipagese2.0\OpwareSE2.exe"
mRun: [OPSE reminder] "c:\program files\scansoft\omnipagese2.0\eregfre\ereg.exe" -r "c:\program files\scansoft\omnipagese2.0\eregfre\ereg.ini"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [WinampAgent] c:\program files\winamp\winampa.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\fichiers communs\adobe\arm\1.0\AdobeARM.exe"
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [SunJavaUpdateSched] "c:\program files\fichiers communs\java\java update\jusched.exe"
dRun: [DWQueuedReporting] "c:\progra~1\fichie~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\hp_adm~1\menudm~1\progra~1\dmarra~1\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\menudé~1\progra~1\démarr~1\adobeg~1.lnk - c:\program files\fichiers communs\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\menudé~1\progra~1\démarr~1\agents~1.lnk - c:\program files\serveur media\twonkymediaserverconfig.exe
StartupFolder: c:\docume~1\alluse~1\menudé~1\progra~1\démarr~1\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\menudé~1\progra~1\démarr~1\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: Easy-WebPrint Ajouter à la liste d'impressions - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint Impression rapide - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Imprimer - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: Easy-WebPrint Prévisualiser - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {FB858B22-55E2-413f-87F5-30ADC5552151} - c:\program files\plotsoft\pdfill\DownloadPDF.exe
IE: {36ECAF82-3300-8F84-092E-AFF36D6C7040} - {86529161-034E-4F8A-88D2-3C625E612E04} - c:\program files\winhttrack\WinHTTrackIEBar.dll
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://www.photoweb.fr/telechargement/telechargement-photoweb.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 89.2.0.1 89.2.0.2
TCP: Interfaces\{1CEDAE29-FA41-4AE6-BD3D-D3CBBA6A701C} : DhcpNameServer = 16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
TCP: Interfaces\{8DB0263C-FA1D-4003-B095-14543902067D} : DhcpNameServer = 89.2.0.1 89.2.0.2
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
Hosts: 85.17.174.182 voyagesinterieurs.com www.voyagesinterieurs.com
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\hp_administrateur\application data\mozilla\firefox\profiles\ubl5jbee.default\
FF - prefs.js: network.proxy.socks - 127.0.0.1
FF - prefs.js: network.proxy.socks_port - 8080
FF - prefs.js: network.proxy.type - 1
FF - component: c:\documents and settings\hp_administrateur\application data\mozilla\firefox\profiles\ubl5jbee.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\documents and settings\hp_administrateur\application data\mozilla\firefox\profiles\ubl5jbee.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\documents and settings\hp_administrateur\local settings\application data\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npaudio.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npavi32.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\NPBeatnk.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npnul32.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin2.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin3.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin4.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin5.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin6.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin7.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npswf32.dll
FF - plugin: c:\program files\videoegg\loader\2663\npvideoegg-loader.dll
FF - Ext: Cooliris: - %profile%\extensions\piclens@cooliris.com
FF - Ext: Firesizer: {04426594-bce6-4705-b811-bcdba2fd9c7b} - %profile%\extensions\{04426594-bce6-4705-b811-bcdba2fd9c7b}
FF - Ext: Firebug: - %profile%\extensions\firebug@software.joehewitt.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Petitscailloux: - %profile%\extensions\contact@petitscailloux.com
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: - c:\program files\java\jre6\lib\deploy\jqs\ff
.
============= SERVICES / DRIVERS ===============
.
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2010-12-21 115008]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [2008-3-14 8576]
R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2011-1-12 810144]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 modsecurity-console;modsecurity-console;c:\progra~1\modsec~1\modsec~1.exe [2008-1-1 138752]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-6-25 35088]
R2 Serveur Média;Serveur Média;c:\program files\serveur media\twonkymediaserverwatchdog.exe -serviceversion 0 --> c:\program files\serveur media\twonkymediaserverwatchdog.exe -serviceversion 0 [?]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2008-11-15 102912]
S2 gupdate;Service Google Update (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-2 135664]
S3 FR;FR;c:\docume~1\hp_adm~1\locals~1\temp\FR.exe [2011-11-20 453504]
S3 gupdatem;Service Google Update (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-3-2 135664]
S3 RNZF;RNZF;c:\docume~1\hp_adm~1\locals~1\temp\RNZF.exe [2011-11-20 416640]
S3 sbusb;Sound Blaster USB Audio Driver;c:\windows\system32\drivers\sbusb.sys [2006-12-2 1694592]
S3 wimmount;wimmount;c:\windows\system32\drivers\wimmount.sys [2009-7-13 19024]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-10 14336]
.
=============== Created Last 30 ================
.
2011-11-21 17:35:01 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\{a0d185ae-c8dc-4681-bc8e-34476ddce69b}\offreg.dll
2011-11-20 08:18:02 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-11-18 06:53:15 6668624 ----a-w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\{a0d185ae-c8dc-4681-bc8e-34476ddce69b}\mpengine.dll
2011-11-15 21:15:04 -------- d-----w- c:\documents and settings\hp_administrateur\local settings\application data\LaCie
2011-11-15 21:12:41 -------- d-----w- c:\program files\Bonjour
2011-11-15 21:12:11 -------- d-----w- c:\program files\LaCie
.
==================== Find3M ====================
.
2011-10-10 14:23:00 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-03 04:06:03 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-09-28 15:15:50 1409 ----a-w- c:\windows\QTFont.for
2011-09-28 07:06:46 606208 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 09:41:40 614400 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 09:41:40 22528 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-26 09:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-06 14:10:01 1859072 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 20:32:55,20 ===============




GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2011-11-21 21:59:23
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 WDC_WD25 rev.10.0
Running: gmer.exe; Driver: C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\axlcafod.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \FileSystem\Fastfat \Fat bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Ip epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\Udp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\RawIp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 Elkbd.sys (Intel Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 Elkbd.sys (Intel Corporation)

---- EOF - GMER 1.0.15 ----
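The two service entries singled out in the post above (FR and RNZF, both registered from a user's Temp directory on the same day as the Java cache detections), the Firefox SOCKS proxy pointed at 127.0.0.1:8080, and the hosts-file override for voyagesinterieurs.com are exactly the kind of lines a responder pulls out of a DDS log by hand. The script below automates that first pass. It is an added example, not code from the thread or from the DDS tool; the suspicious-directory list, the loopback-proxy heuristic and the treatment of 127.0.0.1/0.0.0.0 hosts entries as benign ad-blocking are assumptions of the example, and the sample log is constructed from lines quoted in the post plus one known-good ESET service line.

```python
"""Triage helper for DDS-style logs (added example; not the DDS tool's code).

Three checks a responder makes first when reading a DDS log:
  1. services/drivers whose binary lives in a temp or cache directory,
  2. Firefox prefs.js proxy settings that send traffic to a local listener,
  3. hosts-file overrides that pin a name to a non-loopback address.
Directory patterns and the loopback heuristic are assumptions of this
example, not rules documented by DDS.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# DDS prints 8.3 short names (locals~1) as well as long ones; match both.
SUSPICIOUS_DIRS = re.compile(
    r"\\(?:locals~1|local settings)\\temp\\"          # per-user %TEMP%
    r"|\\windows\\temp\\"                             # system temp
    r"|\\sun\\java\\deployment\\cache\\"              # Java deployment cache
    r"|\\recycler\\",
    re.IGNORECASE,
)

# e.g. "S3 FR;FR;c:\docume~1\hp_adm~1\locals~1\temp\FR.exe [2011-11-20 453504]"
SERVICE_LINE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)(?:\s+\[(?P<stamp>[^\]]*)\])?$"
)
PREF_LINE = re.compile(
    r"^FF - prefs\.js:\s*(?P<key>network\.proxy\.\S+)\s*-\s*(?P<value>.+?)\s*$"
)
HOSTS_LINE = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<names>.+?)\s*$")

LOOPBACK = {"127.0.0.1", "localhost", "::1"}
# Hosts entries pointing here are the usual ad-block style and are skipped
# (assumption of this example).
BLOCKLIST_TARGETS = {"127.0.0.1", "0.0.0.0", "::1"}


@dataclass(frozen=True)
class Finding:
    kind: str      # "service_in_temp", "local_proxy" or "hosts_override"
    detail: str    # human-readable evidence taken from the log line


def triage_dds(log_text: str) -> List[Finding]:
    """Return findings in log order; the proxy check is evaluated last
    because it needs several prefs.js lines combined."""
    findings: List[Finding] = []
    prefs: Dict[str, str] = {}

    for raw in log_text.splitlines():
        line = raw.strip()

        m = SERVICE_LINE.match(line)
        if m and SUSPICIOUS_DIRS.search(m["path"]):
            stamp = m["stamp"] or "no timestamp"
            findings.append(Finding(
                "service_in_temp",
                f"{m['state']} {m['name']} -> {m['path']} [{stamp}]",
            ))
            continue

        m = PREF_LINE.match(line)
        if m:
            prefs[m["key"]] = m["value"]
            continue

        m = HOSTS_LINE.match(line)
        if m and m["ip"] not in BLOCKLIST_TARGETS:
            names = ", ".join(m["names"].split())
            findings.append(Finding("hosts_override", f"{m['ip']} -> {names}"))

    # network.proxy.type 1 means "manual proxy configuration" in Firefox.
    if prefs.get("network.proxy.type") == "1":
        for proto in ("socks", "http", "ssl", "ftp"):
            host = prefs.get(f"network.proxy.{proto}")
            if host in LOOPBACK:
                port = prefs.get(f"network.proxy.{proto}_port", "?")
                findings.append(Finding("local_proxy", f"{proto} proxy at {host}:{port}"))
    return findings


# Constructed sample: lines copied from the DDS log in the thread, plus one
# known-good ESET service line to show the filter does not fire on it.
SAMPLE_LOG = r"""
R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2011-1-12 810144]
S3 FR;FR;c:\docume~1\hp_adm~1\locals~1\temp\FR.exe [2011-11-20 453504]
S3 RNZF;RNZF;c:\docume~1\hp_adm~1\locals~1\temp\RNZF.exe [2011-11-20 416640]
FF - prefs.js: network.proxy.socks - 127.0.0.1
FF - prefs.js: network.proxy.socks_port - 8080
FF - prefs.js: network.proxy.type - 1
Hosts: 85.17.174.182 voyagesinterieurs.com www.voyagesinterieurs.com
"""

if __name__ == "__main__":
    for f in triage_dds(SAMPLE_LOG):
        print(f"{f.kind:16} {f.detail}")
```

A hit means "look at this", not "malicious": a loopback SOCKS proxy is normal if the user runs a local proxy or tunnelling tool, and a hosts override may be a deliberate pin. What makes the FR and RNZF lines stand out is the combination of a Temp path, a throwaway service name and a creation date matching the other detections, so the next step is to hash or submit those binaries rather than rely on location alone.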
 
Hi superb1000,

We will get a download to use; it's called ComboFix. There is a guide to read first; read through the guide, then apply the directions on your own machine. Post the ComboFix log in your reply.

Guide to using Combofix
 
Hi shelf life,

Thanks for helping me... here is the log of the ComboFix run.

ComboFix saw that this is a French OS and generated a French-language report; if you need help with some translations, do ask.


Bye
philippe

ComboFix 11-11-23.01 - HP_Administrateur 23/11/2011 21:47:14.1.2 - x86
Microsoft Windows XP Professionnel 5.1.2600.3.1252.33.1036.18.1022.458 [GMT 1:00]
Launched from: c:\data\security\ComboFix.exe
AV: ESET Smart Security 4.2 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: Pare-feu personnel d'ESET *Disabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
.
.
(((((((((((((((((((((((((((((((((((( Other deletions ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrateur\WINDOWS
c:\documents and settings\All Users\Application Data\VideoEgg
c:\documents and settings\All Users\Application Data\VideoEgg\user.dat
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\eMule_Secure\WINDOWS
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\avcodec.dll
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\crashRpt.dll
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\dataCollection.tmp
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\FLVEncoder.dll
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\lame_enc.dll
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\LevelMeter.ax
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\libcurlve.dll
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\libpng.dll
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\npvideoegg-publisher.dll
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\remoteblacklist
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\report.log
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\aol_watermark.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\audio_combo.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\audio_source.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\big_gray_logo.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\big_logo_cropped.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\blank_slide.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\button_browse_down.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\button_browse_over.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\button_browse_up.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\camcorder_btn_highlighted.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\camcorder_slide.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\camcorders_title.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\corners_bottom_left.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\corners_bottom_left_curve.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\corners_bottom_right.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\corners_top_right.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\done.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\done_capture.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\done_capture_down.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\done_capture_over.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\done_down.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\done_over.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\dropshadow_bottom_left.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\dropshadow_horiz.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\dropshadow_vertical.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\dropzone.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\dv_fast_forward.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\dv_pause.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\dv_play.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\dv_rewind.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\dv_stop.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\email_instructions.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\email_sent.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\email_sent_down.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\email_sent_over.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\eraser.CUR
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\eraser_cursor.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\file_btn_highlighted.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\file_slide.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\help.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\icon_camcorder.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\icon_camcorder_dark.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\icon_camcorder_light.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\icon_camcorders.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\icon_ff.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\icon_file_dark.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\icon_file_light.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\icon_pause.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\icon_phone_dark.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\icon_phone_light.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\icon_play.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\icon_rewind.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\icon_stop.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\icon_webcam.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\icon_webcam_dark.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\icon_webcam_light.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\icon_webcams.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\loading.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\loading_movie.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\locating.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\logo.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\logo_bottom.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\logo_middle.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\logo_top.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\mobile_btn_highlighted.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\mobile_slide.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\mobile_slide_disabled.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\movie_placeholder.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\ok.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\ok_down.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\ok_over.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\player_fast_forward.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\player_fast_forward_disabled.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\player_fill.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\player_pause.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\player_play.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\player_rewind.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\player_rewind_disabled.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\player_rewind_to_start.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\playhead.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\powered_by.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\progress.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\refresh_list_down.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\refresh_list_over.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\refresh_list_up.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\restart.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\restart_over.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\start_capture.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\start_capture_disabled.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\start_capture_down.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\start_capture_over.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\start_over.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\start_over_highlight.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\start_slider.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\stop_capture.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\stop_capture_disabled.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\stop_capture_down.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\stop_capture_over.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\stop_slider.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\tab_slide_deselected.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\tape_control.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\text_camcorder.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\text_camcorder_highlight.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\text_file.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\text_file_highlight.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\text_phone.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\text_phone_highlight.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\text_webcam.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\text_webcam_highlight.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\title.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\upload.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\upload_down.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\upload_from.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\upload_over.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\uploading.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\uploading_fill.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\uploading_high.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\uploading_low.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\uploading_medium.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\uploading_thumbnail.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\volume_gray.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\volume_green.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\volume_high.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\volume_low.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\volume_orange.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\volume_red.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\volume_slider.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\waiting_for_email.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\webcam_btn_highlighted.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\webcam_slide.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\images\webcams_title.png
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\resources\VideoEgg\messages\messages.en-US.bundle
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\VideoEgg_FLVWriter.ax
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\3461\zlib.dll
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Publisher\publisher.ver
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Updater\2663\libcurlve.dll
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Updater\2663\updater.dll
c:\documents and settings\HP_Administrateur\Application Data\VideoEgg\Updater\updater.ver
c:\documents and settings\HP_Administrateur\WINDOWS
c:\windows\kb913800.exe
c:\windows\system32\config\systemprofile\WINDOWS
D:\Autorun.inf
G:\install.exe
.
.
((((((((((((((((((((((((((((( Fichiers créés du 2011-10-23 au 2011-11-23 ))))))))))))))))))))))))))))))))))))
.
.
2011-11-21 19:29 . 2011-11-21 19:29 -------- d-----w- c:\program files\ERUNT
2011-11-20 08:18 . 2011-10-03 01:37 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-11-15 21:15 . 2011-11-15 21:15 -------- d-----w- c:\documents and settings\HP_Administrateur\Local Settings\Application Data\LaCie
2011-11-15 21:12 . 2011-11-15 21:12 -------- d-----w- c:\program files\Bonjour
2011-11-15 21:12 . 2011-11-15 21:12 -------- d-----w- c:\program files\LaCie
.
.
.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-10 14:23 . 2004-08-10 11:00 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-07 03:48 . 2007-03-31 07:27 6668624 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2011-10-03 04:06 . 2011-06-08 05:37 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-09-28 15:15 . 2011-09-28 15:15 1409 ----a-w- c:\windows\QTFont.for
2011-09-28 07:06 . 2004-08-10 11:00 606208 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 09:41 . 2007-10-09 11:03 614400 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 09:41 . 2004-08-10 04:00 22528 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-26 09:41 . 2004-08-10 04:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-06 14:10 . 2004-08-10 11:00 1859072 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-19 68856]
"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2008-11-15 313856]
"LaCie Ethernet Agent Startup"="c:\program files\LaCie\Network Assistant\LaCie Network Assistant.exe" [2011-08-26 9803264]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"ftutil2"="ftutil2.dll" [2004-06-07 106496]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-21 16261632]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-02-22 143360]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-21 7622656]
"nwiz"="nwiz.exe" [2006-06-21 1519616]
"DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-04-13 90112]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 249856]
"SbUsb AudCtrl"="sbusbdll.dll" [2005-05-26 128000]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
"OPSE reminder"="c:\program files\ScanSoft\OmniPageSE2.0\EregFre\Ereg.exe" [2003-07-07 729088]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2007-05-14 35328]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-28 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2011-01-12 49208]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Fichiers communs\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2011-01-12 2219184]
"SunJavaUpdateSched"="c:\program files\Fichiers communs\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\FICHIE~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
.
c:\documents and settings\eMule_Secure\Menu Démarrer\Programmes\Démarrage\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-1-3 27136]
PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-1-3 27136]
.
c:\documents and settings\HP_Administrateur\Menu Démarrer\Programmes\Démarrage\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
c:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\
Adobe Gamma Loader.exe.lnk - c:\program files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe [2006-12-2 113664]
Agent Serveur Média.lnk - c:\program files\Serveur Media\twonkymediaserverconfig.exe [2010-12-14 603736]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2001-6-28 65588]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
c:\documents and settings\Default User\Menu Démarrer\Programmes\Démarrage\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-1-3 27136]
PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-1-3 27136]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Serveur Media\\twonkymediaserverwatchdog.exe"=
"c:\\Program Files\\Serveur Media\\twonkymediaserver.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Gestion à distance de Windows
.
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [21/12/2010 14:04 115008]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [14/03/2008 22:47 8576]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [12/01/2011 15:41 810144]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [25/06/2010 18:07 35088]
R2 Serveur Média;Serveur Média;c:\program files\Serveur Media\twonkymediaserverwatchdog.exe -serviceversion 0 --> c:\program files\Serveur Media\twonkymediaserverwatchdog.exe -serviceversion 0 [?]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 17:19 13592]
S2 gupdate;Service Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [02/03/2010 18:55 135664]
S2 modsecurity-console;modsecurity-console;c:\progra~1\modsec~1\modsec~1.exe [01/01/2008 15:29 138752]
S3 FR;FR;c:\docume~1\HP_ADM~1\LOCALS~1\Temp\FR.exe --> c:\docume~1\HP_ADM~1\LOCALS~1\Temp\FR.exe [?]
S3 gupdatem;Service Google Update (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [02/03/2010 18:55 135664]
S3 RNZF;RNZF;c:\docume~1\HP_ADM~1\LOCALS~1\Temp\RNZF.exe --> c:\docume~1\HP_ADM~1\LOCALS~1\Temp\RNZF.exe [?]
S3 sbusb;Sound Blaster USB Audio Driver;c:\windows\system32\drivers\sbusb.sys [02/12/2006 08:56 1694592]
S3 wimmount;wimmount;c:\windows\system32\drivers\wimmount.sys [13/07/2009 17:20 19024]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [10/08/2004 12:00 14336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contenu du dossier 'Tâches planifiées'
.
2011-11-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 15:57]
.
2011-11-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-02 17:55]
.
2011-11-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-02 17:55]
.
2011-11-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1826305023-3480081972-1771391958-1007Core.job
- c:\documents and settings\HP_Administrateur\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-02 16:36]
.
2011-11-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1826305023-3480081972-1771391958-1007UA.job
- c:\documents and settings\HP_Administrateur\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-02 16:36]
.
2011-11-23 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 16:20]
.
.
------- Examen supplémentaire -------
.
uStart Page = hxxp://www.google.fr/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=FR_FR&c=64&bd=PAVILION&pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=FR_FR&c=64&bd=PAVILION&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=FR_FR&c=64&bd=PAVILION&pf=desktop
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Easy-WebPrint Ajouter à la liste d'impressions - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint Impression rapide - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Imprimer - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
IE: Easy-WebPrint Prévisualiser - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
TCP: DhcpNameServer = 89.2.0.1 89.2.0.2
FF - ProfilePath - c:\documents and settings\HP_Administrateur\Application Data\Mozilla\Firefox\Profiles\ubl5jbee.default\
FF - prefs.js: network.proxy.socks - 127.0.0.1
FF - prefs.js: network.proxy.socks_port - 8080
FF - prefs.js: network.proxy.type - 1
FF - Ext: Cooliris: piclens@cooliris.com - %profile%\extensions\piclens@cooliris.com
FF - Ext: Firesizer: {04426594-bce6-4705-b811-bcdba2fd9c7b} - %profile%\extensions\{04426594-bce6-4705-b811-bcdba2fd9c7b}
FF - Ext: Firebug: firebug@software.joehewitt.com - %profile%\extensions\firebug@software.joehewitt.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Petitscailloux: contact@petitscailloux.com - %profile%\extensions\contact@petitscailloux.com
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.
- - - - ORPHELINS SUPPRIMES - - - -
.
HKLM-Run-PCDrProfiler - (no file)
AddRemove-CloneDVD - c:\program files\Elaborate Bytes\CloneDVD\CloneDVD-uninst.exe
AddRemove-FileZilla - c:\program files\FileZilla\uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-23 22:09
Windows 5.1.2600 Service Pack 3 NTFS
.
Recherche de processus cachés ...
.
Recherche d'éléments en démarrage automatique cachés ...
.
Recherche de fichiers cachés ...
.
Scan terminé avec succès
Fichiers cachés: 0
.
**************************************************************************
.
Heure de fin: 2011-11-23 22:14:43
ComboFix-quarantined-files.txt 2011-11-23 21:14
.
Avant-CF: 10 745 180 160 octets libres
Après-CF: 18 706 194 432 octets libres
.
WindowsXP-KB310994-SP2-Pro-BootDisk-FRA.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
.
- - End Of File - - C4510EA29F04B1B1067FF1309886B6D4
 
Ok thanks for the log. To help show all files you can do this:

For XP: on the desktop double click My Computer, at the top click on Tools > Folder Options > View, then select "show hidden files and folders", then UNcheck "hide protected operating system files", also UNcheck "hide extensions for known file types", click Apply to All Folders, Apply, then OK.

Next take a look here:
c:\docume~1\hp_adm~1\locals~1\temp

C:\documents and settings\HP admin\local settings\Temp
Delete everything you can from the Temp directory.

Next download and run Malwarebytes:

Please download the free version of Malwarebytes to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.

Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, select Perform FULL SCAN, then click Scan.

When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click *Remove Selected.*

*A restart of your computer may be required to remove some items. If prompted please restart your computer to complete the fix.*

When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

Post the log in your reply.

NOTE: The free version must be updated manually and a scan started manually
 
hi shelf life,

thanks for the analysis.

Except from this,
>c:\docume~1\hp_adm~1\locals~1\temp
>C:\documents and settings\HP admin\local settings\Temp

Did you see something suspicious in the log?

I will do a Malwarebytes scan tonight. Is Malwarebytes complementary to Nod32? And should I get the Pro version?

Also I ran into malware problems on an external multimedia HDD a couple of months ago. I asked Nod32 support and the external drive company for help but did not get anywhere. I ended up reformatting & upgrading the firmware of the external multimedia HDD. (It was as if the malware had infected the operating system of the external multimedia HDD.)

But when I got these trojan problems on my main computer recently I also got a warning from NOD32 about the old malware on the external HDD.

Should I post here the initial issues I had with the external multimedia HDD?
Should I do a DDS scan on this drive as well?

Also I have a laptop running Windows 7. I did a full scan with Nod32 and it did not find anything. Can I use DDS to do a scan on this as well? Or another utility that is Windows 7 compatible?

Last entry: My wife has a Mac iPad, should I have a look there, if yes with what utility?


bye
philippe
 
Malwarebytes will be OK with NOD32. The Pro version offers a real-time protection component that runs in the background. It's worth the money.
Log looks OK other than the processes running out of a temp directory.

If the external drive is connected then ComboFix would have scanned it. It looks like two drives (other than C) were connected at the time it ran:
D:\Autorun.inf
G:\install.exe
DDS will run on W7, you can post a log.

Any malware on an iPad will not run on the Windows OS and Windows malware will not run on an iPad. They are two completely different operating systems.
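The helper's remark about processes running out of a temp directory is the key detection signal in this thread: a Windows service whose image lives under a user's Temp folder is out of place whatever its name. As an added example (not code from this thread, from ComboFix or from DDS), here is a small Python checker that parses service lines in the ComboFix format shown in the log above and flags entries whose image path sits in a temp directory or whose file metadata is recorded as `[?]`. The sample lines are copied from the posted log plus benign neighbours for contrast; reading `[?]` as "ComboFix could not read timestamp and size for that file" is an assumption of the example, as is the severity scale.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: service lines in the ComboFix layout
#   <state> <name>;<display name>;<image path> [<timestamp size> | ?]
# Two are the temp-directory entries from the posted log; the rest are
# benign entries from the same log, kept for contrast.
SAMPLE_SERVICE_LINES = [
    r"R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [21/12/2010 14:04 115008]",
    r"R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [12/01/2011 15:41 810144]",
    r"R2 Serveur Média;Serveur Média;c:\program files\Serveur Media\twonkymediaserverwatchdog.exe -serviceversion 0 --> c:\program files\Serveur Media\twonkymediaserverwatchdog.exe -serviceversion 0 [?]",
    r"S3 FR;FR;c:\docume~1\HP_ADM~1\LOCALS~1\Temp\FR.exe --> c:\docume~1\HP_ADM~1\LOCALS~1\Temp\FR.exe [?]",
    r"S3 RNZF;RNZF;c:\docume~1\HP_ADM~1\LOCALS~1\Temp\RNZF.exe --> c:\docume~1\HP_ADM~1\LOCALS~1\Temp\RNZF.exe [?]",
    r"S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [10/08/2004 12:00 14336]",
]

# state (R = running, S = stopped, plus start type digit), then three ';'-separated
# fields, then the bracketed metadata at the end of the line.
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<rest>.+?)\s\[(?P<meta>[^\]]*)\]$"
)

# Path fragments a legitimate service image should essentially never contain.
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")


@dataclass
class ServiceEntry:
    state: str
    name: str
    display: str
    image_path: str          # resolved path (after any "-->"), arguments included
    meta: str                # "dd/mm/yyyy hh:mm size", or "?" when unavailable (assumed meaning)
    reasons: List[str] = field(default_factory=list)

    @property
    def severity(self) -> str:
        # Temp-directory location is the strong signal; missing metadata alone is weak.
        if any("temp directory" in r for r in self.reasons):
            return "high"
        return "low" if self.reasons else "none"


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    """Parse one ComboFix service line; return None for lines in another format."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    # ComboFix writes "registered path --> resolved path" for some entries; keep the resolved one.
    image_path = m.group("rest").split("-->")[-1].strip()
    return ServiceEntry(m.group("state"), m.group("name"), m.group("display"),
                        image_path, m.group("meta").strip())


def assess(entry: ServiceEntry) -> ServiceEntry:
    """Attach human-readable reasons to an entry; an empty list means nothing notable."""
    lowered = entry.image_path.lower()
    if any(marker in lowered for marker in TEMP_MARKERS):
        entry.reasons.append("image runs from a temp directory")
    if entry.meta == "?":
        entry.reasons.append("no timestamp/size recorded for the image (file not readable at scan time)")
    return entry


def scan_services(lines) -> List[ServiceEntry]:
    """Return only the entries that have at least one reason, in log order."""
    findings = []
    for line in lines:
        entry = parse_service_line(line)
        if entry is not None and assess(entry).reasons:
            findings.append(entry)
    return findings


if __name__ == "__main__":
    for f in scan_services(SAMPLE_SERVICE_LINES):
        print(f"{f.severity:4} {f.state} {f.name!r:18} {f.image_path}")
        for reason in f.reasons:
            print("       -", reason)
```

Run against the sample, the two Temp entries (FR, RNZF) come out as high severity, while the Twonky watchdog entry is reported as low: it also carries `[?]`, most likely because its registered path includes arguments, which shows why missing metadata on its own should not be treated as proof of anything. The same two checks could be applied to live `ImagePath` values read from the registry rather than to a saved log; this example stays with the log format the thread already shows.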
 
hi shelf life,

here is the log of malwarebytes:

Database version: 8234

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

25/11/2011 06:40:32
mbam-log-2011-11-25 (06-40-32).txt

Scan type: Full scan (C:\|D:\|E:\|G:\|)
Objects scanned: 771266
Time elapsed: 7 hour(s), 1 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\VideoEgg.ActiveXLoader (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@videoegg.com/Publisher,version=0.2.0 (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@videoegg.com/Updater,version=0.2.0 (Adware.VideoEgg) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\program files\VideoEgg\Loader\2663\npvideoegg-loader.dll (Adware.VideoEgg) -> Quarantined and deleted successfully.
 
hi shelf life,

Before running Malwarebytes I did as you suggested, removed everything in:

>C:\documents and settings\HP admin\local settings\Temp

However I was not able to remove 2 files that were used by another application (I don't know which one).
And also, to my surprise, I did not find the very suspicious RNZF.exe & FR.exe....

Did ComboFix remove them when I ran it? If not, can they still be hidden somewhere else?


>If the external drive is connected then combofix would have scanned it. It looks like two drives (other than C) were connected at the time it ran:

Now that things look OK on the main PC, would it be a good idea to re-run ComboFix with the external multimedia drive connected to the PC?

bye
philippe
 
hi,

Those files in the temp may not exist and have already been removed:
try this script like you did before:

Code:
Driver:
FR
RNZF

Go ahead and connect your external drive, then rerun ComboFix and Malwarebytes. I think with Malwarebytes you will have to choose the external drive with a check mark for it to scan it.
 
hi shelf life,

>try this script like you did before:

I did not use any scripts from you yet.

>Go ahead and connect your external drive then rerun combofix and malwarebytes, i think with malwarebytes you will have to chose the external drive with a check mark for it to scan it

Will do and post the logs.

thanks again.


bye
philippe
 
hi shelf life,


Below you can find the DDS log of my laptop. I did not see anything suspicious, but I am not sure.



DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_26
Run by admin at 21:14:39 on 2011-11-25
Microsoft Windows 7 Édition Familiale Premium 6.1.7601.1.1252.33.1036.18.3037.1875 [GMT 1:00]
.
AV: ESET Smart Security 4.0 *Disabled/Updated* {CB0F8167-5331-BA19-698E-64816B6801A5}
SP: ESET Smart Security 4.0 *Disabled/Updated* {706E6083-750B-B597-533E-5FF310EF4B18}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Pare-feu personnel d'ESET *Disabled* {F3340042-195E-BB41-42D1-CDB495BB46DE}
.
============== Running Processes ===============
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\system32\atiesrxx.exe
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\windows\system32\atieclxx.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\ICQ6Toolbar\ICQ Service.exe
C:\Program Files\Samsung Casual Games\GameConsole\OberonGameConsoleService.exe
C:\windows\SYSTEM32\Rezip.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\windows\System32\svchost.exe -k secsvcs
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\windows\system32\taskeng.exe
C:\windows\system32\Dwm.exe
C:\Program Files\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe
C:\windows\system32\taskhost.exe
C:\Program Files\Samsung\Samsung Support Center\SSCKbdHk.exe
C:\Program Files\Samsung\Samsung Recovery Solution 4\WCScheduler.exe
C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe
C:\windows\Explorer.EXE
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\windows\system32\svchost.exe -k WindowsMobile
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
C:\Program Files\ICQ7.0\ICQ.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\iPod\bin\iPodService.exe
C:\windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\windows\system32\wbem\wmiprvse.exe
c:\program files\windows defender\MpCmdRun.exe
C:\windows\explorer.exe
C:\windows\system32\DllHost.exe
C:\windows\system32\conhost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://start.icq.com/
uDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=smsn&bmod=smsn
uInternet Settings,ProxyServer = localhost:8080
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: ICQToolBar: {855f3b16-6d32-4fe6-8a56-bbb695989046} - c:\program files\icq6toolbar\20101006185636\ICQToolBar.dll
uURLSearchHooks: H - No File
mURLSearchHooks: ICQToolBar: {855f3b16-6d32-4fe6-8a56-bbb695989046} - c:\program files\icq6toolbar\20101006185636\ICQToolBar.dll
mURLSearchHooks: H - No File
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Programme d'aide de l'Assistant de connexion Windows Live: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Ask.com Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
TB: Ask.com Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: ICQToolBar: {855f3b16-6d32-4fe6-8a56-bbb695989046} - c:\program files\icq6toolbar\20101006185636\ICQToolBar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: ICQToolBar: {855f3b16-6d32-4fe6-8a56-bbb695989046} - c:\program files\icq6toolbar\20101006185636\ICQToolBar.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"
uRun: [ICQ] "c:\program files\icq7.0\ICQ.exe" silent loginmode=4
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [UCam_Menu] "c:\program files\cyberlink\youcam\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\youcam" updatewithcreateonce "software\cyberlink\youcam\2.0"
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRun: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
mRun: [Nexus Radio] c:\program files\nexus radio\Nexus Radio.exe -0
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\users\admin\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\users\admin\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: E&xporter vers Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: {88EB38EF-4D2C-436D-ABD3-56B232674062} - c:\program files\icq7.0\ICQ.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {36ECAF82-3300-8F84-092E-AFF36D6C7040} - {86529161-034E-4F8A-88D2-3C625E612E04} - c:\program files\winhttrack\WinHTTrackIEBar.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/VistaMSNPUpldfr-fr.cab
TCP: DhcpNameServer = 89.2.0.1 89.2.0.2
TCP: Interfaces\{1A0BC012-1A84-4E36-9E00-069211749A1B} : DhcpNameServer = 89.2.0.1 89.2.0.2
TCP: Interfaces\{1A0BC012-1A84-4E36-9E00-069211749A1B}\3596475636F6D61405 : DhcpNameServer = 192.168.5.17
TCP: Interfaces\{1A0BC012-1A84-4E36-9E00-069211749A1B}\4556C656B6F6D6 : DhcpNameServer = 10.120.136.116
TCP: Interfaces\{1A0BC012-1A84-4E36-9E00-069211749A1B}\C496675626F687D266566683 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{1A0BC012-1A84-4E36-9E00-069211749A1B}\E4545564F544147383 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{1A0BC012-1A84-4E36-9E00-069211749A1B}\E4545564F593338383 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{1A0BC012-1A84-4E36-9E00-069211749A1B}\E45657660275966496 : DhcpNameServer = 84.103.237.147 86.64.145.147
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\admin\appdata\roaming\mozilla\firefox\profiles\08dxgdyg.default\
FF - prefs.js: browser.search.selectedEngine - ICQ Search
FF - prefs.js: browser.startup.homepage - hxxp://start.icq.com/
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&tb_ver=2.0.1.2&q=
FF - prefs.js: network.proxy.socks - 127.0.0.1
FF - prefs.js: network.proxy.socks_port - 8080
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\3.0.40624.0\npctrlui.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
.
============= SERVICES / DRIVERS ===============
.
R1 SABI;SAMSUNG Kernel Driver For Windows 7;c:\windows\system32\drivers\SABI.sys [2009-10-7 10752]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 48128]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-10-8 172032]
R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2009-11-16 735960]
R2 epfwwfp;epfwwfp;c:\windows\system32\drivers\epfwwfp.sys [2009-11-16 38240]
R2 ICQ Service;ICQ Service;c:\program files\icq6toolbar\ICQ Service.exe [2010-3-13 246520]
R2 OberonGameConsoleService;Oberon Media Game Console service;c:\program files\samsung casual games\gameconsole\OberonGameConsoleService.exe [2009-12-25 44312]
R2 Rezip;Rezip;c:\windows\system32\Rezip.exe [2009-10-7 311296]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2011-3-9 92592]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2009-9-28 315392]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Service Google Update (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-10 135664]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2009-12-25 54632]
S3 fsssvc;Service Windows Live Contrôle parental;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 gupdatem;Service Google Update (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-10 135664]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-6-10 139776]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-3-9 52224]
S3 WatAdminSvc;Service Windows Activation Technologies;c:\windows\system32\wat\WatAdminSvc.exe [2010-7-8 1343400]
.
=============== Created Last 30 ================
.
2011-11-25 20:03:51 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{90608144-3dd6-46d5-8bfc-4d6c3d53e234}\offreg.dll
2011-11-25 12:57:14 6668624 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{90608144-3dd6-46d5-8bfc-4d6c3d53e234}\mpengine.dll
2011-11-09 20:04:11 1290608 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-11-09 20:04:10 708608 ----a-w- c:\program files\common files\system\wab32.dll
2011-11-09 20:04:09 2341888 ----a-w- c:\windows\system32\win32k.sys
.
==================== Find3M ====================
.
2011-11-25 19:22:25 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-01 02:35:59 1798144 ----a-w- c:\windows\system32\jscript9.dll
2011-09-01 02:28:15 1126912 ----a-w- c:\windows\system32\wininet.dll
2011-09-01 02:22:54 2382848 ----a-w- c:\windows\system32\mshtml.tlb
.
============= FINISH: 21:15:41,62 ===============
 
hi shelf life,

here is the ComboFix run I did with your script on my main PC; the strange thing is that FR.exe & RNZF.exe are still in the log ...?

S3 FR;FR;c:\docume~1\HP_ADM~1\LOCALS~1\Temp\FR.exe --> c:\docume~1\HP_ADM~1\LOCALS~1\Temp\FR.exe [?]
S3 RNZF;RNZF;c:\docume~1\HP_ADM~1\LOCALS~1\Temp\RNZF.exe --> c:\docume~1\HP_ADM~1\LOCALS~1\Temp\RNZF.exe [?]

bye
philippe

Log below:

ComboFix 11-11-25.02 - HP_Administrateur 25/11/2011 22:19:15.2.2 - x86
Microsoft Windows XP Professionnel 5.1.2600.3.1252.33.1036.18.1022.268 [GMT 1:00]
Launched from: c:\data\security\ComboFix.exe
Switches used :: c:\documents and settings\HP_Administrateur\Bureau\CFScript.txt
AV: ESET Smart Security 4.2 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: Pare-feu personnel d'ESET *Disabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
.
.
((((((((((((((((((((((((((((( Files created from 2011-10-25 to 2011-11-25 ))))))))))))))))))))))))))))))))))))
.
.
2011-11-25 20:46 . 2011-11-25 20:46 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{43F97699-455E-4096-A504-DD61228B0A58}\offreg.dll
2011-11-25 20:46 . 2011-10-07 03:48 6668624 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{43F97699-455E-4096-A504-DD61228B0A58}\mpengine.dll
2011-11-24 19:54 . 2011-11-24 19:54 -------- d-----w- c:\documents and settings\HP_Administrateur\Application Data\Malwarebytes
2011-11-24 19:54 . 2011-11-24 19:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-11-24 19:54 . 2011-11-24 19:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-24 19:54 . 2011-08-31 16:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-21 19:29 . 2011-11-21 19:29 -------- d-----w- c:\program files\ERUNT
2011-11-20 08:18 . 2011-10-03 01:37 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-11-15 21:15 . 2011-11-15 21:15 -------- d-----w- c:\documents and settings\HP_Administrateur\Local Settings\Application Data\LaCie
2011-11-15 21:12 . 2011-11-15 21:12 -------- d-----w- c:\program files\Bonjour
2011-11-15 21:12 . 2011-11-15 21:12 -------- d-----w- c:\program files\LaCie
.
.
.
(((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-10 14:23 . 2004-08-10 11:00 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-07 03:48 . 2007-03-31 07:27 6668624 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2011-10-03 04:06 . 2011-06-08 05:37 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-09-28 15:15 . 2011-09-28 15:15 1409 ----a-w- c:\windows\QTFont.for
2011-09-28 07:06 . 2004-08-10 11:00 606208 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 09:41 . 2007-10-09 11:03 614400 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 09:41 . 2004-08-10 04:00 22528 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-26 09:41 . 2004-08-10 04:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-06 14:10 . 2004-08-10 11:00 1859072 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2011-11-23_21.09.41 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-11-25 20:39 . 2011-11-25 20:39 16384 c:\windows\Temp\Perflib_Perfdata_374.dat
+ 2011-11-25 20:42 . 2011-11-25 20:42 233472 c:\windows\ERDNT\AutoBackup\25-11-2011\Users\00000002\UsrClass.dat
+ 2011-11-25 20:42 . 2005-10-20 11:02 163328 c:\windows\ERDNT\AutoBackup\25-11-2011\ERDNT.EXE
+ 2011-11-24 19:34 . 2011-11-24 19:34 233472 c:\windows\ERDNT\AutoBackup\24-11-2011\Users\00000002\UsrClass.dat
+ 2011-11-24 19:34 . 2005-10-20 11:02 163328 c:\windows\ERDNT\AutoBackup\24-11-2011\ERDNT.EXE
+ 2011-11-25 20:42 . 2011-11-25 20:42 14565376 c:\windows\ERDNT\AutoBackup\25-11-2011\Users\00000001\NTUSER.DAT
+ 2011-11-24 19:34 . 2011-11-24 19:34 14548992 c:\windows\ERDNT\AutoBackup\24-11-2011\Users\00000001\NTUSER.DAT
.
((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate default entries are not listed
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-19 68856]
"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2008-11-15 313856]
"LaCie Ethernet Agent Startup"="c:\program files\LaCie\Network Assistant\LaCie Network Assistant.exe" [2011-08-26 9803264]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"ftutil2"="ftutil2.dll" [2004-06-07 106496]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-21 16261632]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-02-22 143360]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-21 7622656]
"nwiz"="nwiz.exe" [2006-06-21 1519616]
"DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-04-13 90112]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 249856]
"SbUsb AudCtrl"="sbusbdll.dll" [2005-05-26 128000]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
"OPSE reminder"="c:\program files\ScanSoft\OmniPageSE2.0\EregFre\Ereg.exe" [2003-07-07 729088]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2007-05-14 35328]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-28 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2011-01-12 49208]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Fichiers communs\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2011-01-12 2219184]
"SunJavaUpdateSched"="c:\program files\Fichiers communs\Java\Java Update\jusched.exe" [2011-06-09 254696]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\FICHIE~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
.
c:\documents and settings\eMule_Secure\Menu Démarrer\Programmes\Démarrage\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-1-3 27136]
PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-1-3 27136]
.
c:\documents and settings\HP_Administrateur\Menu Démarrer\Programmes\Démarrage\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
c:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\
Adobe Gamma Loader.exe.lnk - c:\program files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe [2006-12-2 113664]
Agent Serveur Média.lnk - c:\program files\Serveur Media\twonkymediaserverconfig.exe [2010-12-14 603736]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2001-6-28 65588]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
c:\documents and settings\Default User\Menu Démarrer\Programmes\Démarrage\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-1-3 27136]
PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-1-3 27136]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Serveur Media\\twonkymediaserverwatchdog.exe"=
"c:\\Program Files\\Serveur Media\\twonkymediaserver.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Gestion à distance de Windows
.
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [21/12/2010 14:04 115008]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [14/03/2008 22:47 8576]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [12/01/2011 15:41 810144]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [24/11/2011 20:54 366152]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [25/06/2010 18:07 35088]
R2 Serveur Média;Serveur Média;c:\program files\Serveur Media\twonkymediaserverwatchdog.exe -serviceversion 0 --> c:\program files\Serveur Media\twonkymediaserverwatchdog.exe -serviceversion 0 [?]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 17:19 13592]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [24/11/2011 20:54 22216]
S2 gupdate;Service Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [02/03/2010 18:55 135664]
S2 modsecurity-console;modsecurity-console;c:\progra~1\modsec~1\modsec~1.exe [01/01/2008 15:29 138752]
S3 FR;FR;c:\docume~1\HP_ADM~1\LOCALS~1\Temp\FR.exe --> c:\docume~1\HP_ADM~1\LOCALS~1\Temp\FR.exe [?]
S3 gupdatem;Service Google Update (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [02/03/2010 18:55 135664]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 RNZF;RNZF;c:\docume~1\HP_ADM~1\LOCALS~1\Temp\RNZF.exe --> c:\docume~1\HP_ADM~1\LOCALS~1\Temp\RNZF.exe [?]
S3 sbusb;Sound Blaster USB Audio Driver;c:\windows\system32\drivers\sbusb.sys [02/12/2006 08:56 1694592]
S3 wimmount;wimmount;c:\windows\system32\drivers\wimmount.sys [13/07/2009 17:20 19024]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [10/08/2004 12:00 14336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 15:57]
.
2011-11-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-02 17:55]
.
2011-11-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-02 17:55]
.
2011-11-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1826305023-3480081972-1771391958-1007Core.job
- c:\documents and settings\HP_Administrateur\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-02 16:36]
.
2011-11-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1826305023-3480081972-1771391958-1007UA.job
- c:\documents and settings\HP_Administrateur\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-02 16:36]
.
2011-11-25 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 16:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.fr/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=FR_FR&c=64&bd=PAVILION&pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=FR_FR&c=64&bd=PAVILION&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=FR_FR&c=64&bd=PAVILION&pf=desktop
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Easy-WebPrint Ajouter à la liste d'impressions - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint Impression rapide - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Imprimer - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
IE: Easy-WebPrint Prévisualiser - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
TCP: DhcpNameServer = 89.2.0.1 89.2.0.2
FF - ProfilePath - c:\documents and settings\HP_Administrateur\Application Data\Mozilla\Firefox\Profiles\ubl5jbee.default\
FF - prefs.js: network.proxy.socks - 127.0.0.1
FF - prefs.js: network.proxy.socks_port - 8080
FF - prefs.js: network.proxy.type - 1
FF - Ext: Cooliris: piclens@cooliris.com - %profile%\extensions\piclens@cooliris.com
FF - Ext: Firesizer: {04426594-bce6-4705-b811-bcdba2fd9c7b} - %profile%\extensions\{04426594-bce6-4705-b811-bcdba2fd9c7b}
FF - Ext: Firebug: firebug@software.joehewitt.com - %profile%\extensions\firebug@software.joehewitt.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Petitscailloux: contact@petitscailloux.com - %profile%\extensions\contact@petitscailloux.com
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-25 22:39
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs loaded in running processes ---------------------
.
- - - - - - - > 'explorer.exe'(3840)
c:\windows\system32\nview.dll
c:\windows\system32\NVWRSFR.DLL
c:\program files\ScanSoft\OmniPageSE2.0\ophookSE2.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\fr-fr\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\fr-fr\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\nvwddi.dll
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-11-25 22:47:28
ComboFix-quarantined-files.txt 2011-11-25 21:47
ComboFix2.txt 2011-11-23 21:14
.
Pre-Run: 18,642,481,152 bytes free
Post-Run: 18,625,835,008 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-FRA.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 760C2EE3076FC5C473AF20286EC5FD7F
 
Thanks for the info. The log from your Windows 7 machine looks ok. The two .exe from the other log must not exist anymore and have been removed.
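Added example, not part of the thread and not code from DDS, ComboFix or ESET: a small Python checker for the service/driver lines in the two log formats posted above. It codifies what was picked out by eye in this thread: a service whose binary lives in a Temp directory, a binary sitting anywhere in a user profile rather than Program Files or system32, and the ComboFix `path --> path [?]` form, where `[?]` replaces the date/size because the binary could not be read on disk (an orphaned service registration, which is what FR and RNZF become once the files are gone). The sample lines are constructed from the shapes seen in these logs; the regexes, the `ServiceEntry` class and the function names are this example's own. A `[?]` on its own is low-confidence, as the MBAMSwissArmy and Serveur Média lines show, so the code reports reasons rather than a verdict.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample lines modelled on the two formats in the thread:
# DDS:      "<state> <name>;<display>;<path> [<date> <size>]"
# ComboFix: "<state> <name>;<display>;<command> --> <command> [?]"  ("[?]" = file not found)
SAMPLE_LOG = r"""
R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2009-11-16 735960]
S3 FR;FR;c:\docume~1\hp_adm~1\locals~1\temp\FR.exe [2011-11-20 453504]
S3 RNZF;RNZF;c:\docume~1\HP_ADM~1\LOCALS~1\Temp\RNZF.exe --> c:\docume~1\HP_ADM~1\LOCALS~1\Temp\RNZF.exe [?]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
R2 Serveur Média;Serveur Média;c:\program files\Serveur Media\twonkymediaserverwatchdog.exe -serviceversion 0 --> c:\program files\Serveur Media\twonkymediaserverwatchdog.exe -serviceversion 0 [?]
uStart Page = hxxp://www.google.fr/
"""

# "<state> <name>;<display>;<rest>"  (state is R0-R4 running / S0-S4 stopped, as DDS prints it)
LINE_RE = re.compile(r"^(?P<state>[RS][0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
# Image path: optional NT "\??\" prefix, then everything up to the first .exe/.sys/.dll
PATH_RE = re.compile(r"^(?:\\\?\?\\)?(?P<path>.+?\.(?:exe|sys|dll))", re.IGNORECASE)
# Directories a legitimate service or driver binary should never be registered from
TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
USER_PROFILE_RE = re.compile(r"^[a-z]:\\(docume~1|documents and settings|users)\\", re.IGNORECASE)


@dataclass
class ServiceEntry:
    state: str
    name: str
    image_path: str
    file_missing: bool            # True when ComboFix printed "[?]" instead of date/size
    reasons: List[str] = field(default_factory=list)


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    """Parse one DDS/ComboFix service line; return None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    file_missing = rest.rstrip().endswith("[?]")
    # ComboFix repeats the command after " --> "; keep only the left-hand copy
    command = rest.split(" --> ", 1)[0].strip()
    pm = PATH_RE.match(command)
    if not pm:
        return None
    return ServiceEntry(m.group("state"), m.group("name"), pm.group("path"), file_missing)


def assess(entry: ServiceEntry) -> ServiceEntry:
    """Attach human-readable reasons; an entry with no reasons is unremarkable."""
    p = entry.image_path.lower()
    if TEMP_DIR_RE.search(p):
        entry.reasons.append("binary in a Temp directory")
    elif USER_PROFILE_RE.match(p):
        entry.reasons.append("binary in a user profile, not Program Files/system32")
    if entry.file_missing:
        entry.reasons.append("registered service whose binary no longer exists (orphan entry)")
    return entry


def scan_log(text: str) -> List[ServiceEntry]:
    """Return only the service/driver entries that have at least one reason."""
    findings = []
    for line in text.splitlines():
        e = parse_service_line(line)
        if e and assess(e).reasons:
            findings.append(e)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.state} {f.name}: {f.image_path}  <- {'; '.join(f.reasons)}")
```

To run it over a saved log, pass the file contents to `scan_log` (DDS and ComboFix logs on a French XP are written in the cp1252 code page, so open them with that encoding). An orphaned entry like FR or RNZF is just a key under `HKLM\SYSTEM\CurrentControlSet\Services`; once the binary is confirmed gone, `sc delete <name>` from an administrator prompt removes the registration so it stops reappearing in each new log.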
 
hi shelf life,

I just got a notification from nod32 for my Windows 7 laptop: suspected file sent for analysis: json/Parser.class

I installed Java JRE 7.

Do you think there can be any links with the Initial java problem reported by Nod32 on my main XP pc ?

bye
philippe
 
I installed Java JRE 7.
Probably better off without it. Is that the latest version? Old versions are full of exploits; Java patches come out more often than Adobe's. Do a search for "java exploit" in your favorite search engine. You could also disable it in your browser.

Nod32 must have picked something up in your Java cache and taken care of it.
 
I would install the free version of Malwarebytes on your W7 machine. Note that the free version must be updated manually and a scan started manually. How's it all looking on your end now?
 
hi shelf life,

I installed the free version of Malwarebytes and Spybot 2 beta 4 on my 2 systems, XP & W7. (Nod32 is also there on the 2 systems.)

However I get a very slow XP system especially just after the boot,
at a point where I can not really use Firefox or Chrome,
and when it stabilizes I still get a lot of disk activity.

Maybe it's due to some background file scanning going on because of the recent install of Malwarebytes and Spybot 2.

What I noticed is that the systems become more usable when I un-plug the network cable.

What I plan to do is make some room, remove all unnecessary software, and defragment the disk.

I have also installed some Sysinternals tools from Microsoft to try to understand what is going on.

Any advice on tools to use to monitor what is driving this disk activity?
(the CPU is ok).


bye
philippe
 
hi shelf life,

I forgot to mention that there is also Windows Defender on the XP box, which was installed a while ago, and I never got any notification from it when I had problems... so maybe I should remove that.

bye
philippe
 
I installed the free version of malwarebytes and Spybox 2 beta 4, on my 2 systems XP & W7. (Nod 32 is also there on the 2 systems).

However I get a very slow XP system especially just after the boot,

The free MBAM doesn't have a real-time protection component; I think Spybot does. You could try disabling it and see if anything improves.

You can also remove combofix like this:
start>run and type in:
combofix /uninstall
click ok or enter
Note the space after the x and before the /

Also, on your XP machine please post a new DDS log, both logs. You only posted one last time. You can just rerun DDS again to generate the two logs.
 
hi shelf life,

when trying to post my reply I just got this error message in Chrome?
Error 147 (net::ERR_ADDRESS_IN_USE): Unknown error

Here are the DDS logs:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_29
Run by HP_Administrateur at 21:09:23 on 2011-12-01
Microsoft Windows XP Professionnel 5.1.2600.3.1252.33.1036.18.1022.404 [GMT 1:00]
.
AV: ESET Smart Security 4.2 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: Pare-feu personnel d'ESET *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Fichiers communs\LightScribe\LSSrvc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sandboxie\SbieSvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\LaCie\Network Assistant\LaCie Network Assistant.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\rundll32.exe
C:\HP\KBD\KBD.EXE
c:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\wscntfy.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.fr/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=FR_FR&c=64&bd=PAVILION&pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=FR_FR&c=64&bd=PAVILION&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=FR_FR&c=64&bd=PAVILION&pf=desktop
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\fichiers communs\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy 2\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7018.1622\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SandboxieControl] "c:\program files\sandboxie\SbieCtrl.exe"
uRun: [LaCie Ethernet Agent Startup] "c:\program files\lacie\network assistant\LaCie Network Assistant.exe" silent
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
mRun: [DMAScheduler] "c:\program files\hp digitalmedia archive\DMAScheduler.exe"
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [SbUsb AudCtrl] RunDll32 sbusbdll.dll,RCMonitor
mRun: [OpwareSE2] "c:\program files\scansoft\omnipagese2.0\OpwareSE2.exe"
mRun: [OPSE reminder] "c:\program files\scansoft\omnipagese2.0\eregfre\ereg.exe" -r "c:\program files\scansoft\omnipagese2.0\eregfre\ereg.ini"
mRun: [WinampAgent] c:\program files\winamp\winampa.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\fichiers communs\adobe\arm\1.0\AdobeARM.exe"
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [SDTray] "c:\program files\spybot - search & destroy 2\SDTray.exe"
mRun: [SunJavaUpdateSched] c:\program files\java\jre6\bin\jusched.exe
dRun: [DWQueuedReporting] "c:\progra~1\fichie~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\hp_adm~1\menudm~1\progra~1\dmarra~1\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\menudé~1\progra~1\démarr~1\adobeg~1.lnk - c:\program files\fichiers communs\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\menudé~1\progra~1\démarr~1\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: Easy-WebPrint Ajouter à la liste d'impressions - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint Impression rapide - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Imprimer - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: Easy-WebPrint Prévisualiser - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {FB858B22-55E2-413f-87F5-30ADC5552151} - c:\program files\plotsoft\pdfill\DownloadPDF.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {36ECAF82-3300-8F84-092E-AFF36D6C7040} - {86529161-034E-4F8A-88D2-3C625E612E04} - c:\program files\winhttrack\WinHTTrackIEBar.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy 2\SDHelper.dll
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://www.photoweb.fr/telechargement/telechargement-photoweb.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: Interfaces\{1CEDAE29-FA41-4AE6-BD3D-D3CBBA6A701C} : DhcpNameServer = 16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
Notify: SDWinLogon - SDWinLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\hp_administrateur\application data\mozilla\firefox\profiles\ubl5jbee.default\
FF - prefs.js: network.proxy.socks - 127.0.0.1
FF - prefs.js: network.proxy.socks_port - 8080
FF - prefs.js: network.proxy.type - 1
FF - component: c:\documents and settings\hp_administrateur\application data\mozilla\firefox\profiles\ubl5jbee.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\documents and settings\hp_administrateur\application data\mozilla\firefox\profiles\ubl5jbee.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\documents and settings\hp_administrateur\local settings\application data\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npaudio.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npavi32.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\NPBeatnk.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npnul32.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin2.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin3.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin4.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin5.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin6.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npqtplugin7.dll
FF - plugin: c:\program files\netscape\communicator\program\plugins\npswf32.dll
FF - Ext: Cooliris: piclens@cooliris.com - %profile%\extensions\piclens@cooliris.com
FF - Ext: Firesizer: {04426594-bce6-4705-b811-bcdba2fd9c7b} - %profile%\extensions\{04426594-bce6-4705-b811-bcdba2fd9c7b}
FF - Ext: Firebug: firebug@software.joehewitt.com - %profile%\extensions\firebug@software.joehewitt.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Petitscailloux: contact@petitscailloux.com - %profile%\extensions\contact@petitscailloux.com
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
.
============= SERVICES / DRIVERS ===============
.
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2010-12-21 115008]
R1 SDHookDriver;Spybot-S&D 2 Hook Driver;c:\program files\spybot - search & destroy 2\SDHookDrv32.sys [2011-11-26 38504]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [2008-3-14 8576]
R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2011-1-12 810144]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-11-24 366152]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-6-25 35088]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-11-24 22216]
R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2008-11-15 102912]
S2 gupdate;Service Google Update (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-2 135664]
S2 SDHookService;Spybot S&D 2 Live Protection Service;c:\program files\spybot - search & destroy 2\SDHookSvc.exe [2011-11-26 130976]
S2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\spybot - search & destroy 2\SDFSSvc.exe [2011-11-26 892336]
S2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\spybot - search & destroy 2\SDUpdSvc.exe [2011-11-26 955816]
S3 FR;FR;c:\docume~1\hp_adm~1\locals~1\temp\fr.exe --> c:\docume~1\hp_adm~1\locals~1\temp\FR.exe [?]
S3 gupdatem;Service Google Update (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-3-2 135664]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 RNZF;RNZF;c:\docume~1\hp_adm~1\locals~1\temp\rnzf.exe --> c:\docume~1\hp_adm~1\locals~1\temp\RNZF.exe [?]
S3 sbusb;Sound Blaster USB Audio Driver;c:\windows\system32\drivers\sbusb.sys [2006-12-2 1694592]
S3 wimmount;wimmount;c:\windows\system32\drivers\wimmount.sys [2009-7-13 19024]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-10 14336]
.
=============== Created Last 30 ================
.
2011-12-01 18:32:04 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\{d4df4242-9ac7-4e83-9071-0ec8db0702de}\offreg.dll
2011-11-29 17:50:04 6668624 ----a-w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\{d4df4242-9ac7-4e83-9071-0ec8db0702de}\mpengine.dll
2011-11-28 21:04:07 -------- d-----w- C:\ProcAlyzer Dumps
2011-11-26 17:36:44 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
2011-11-26 17:35:54 15224 ----a-w- c:\windows\system32\sdnclean.exe
2011-11-26 17:35:41 -------- d-----w- c:\program files\Spybot - Search & Destroy 2
2011-11-25 20:57:56 -------- d-sha-r- C:\cmdcons
2011-11-24 19:54:32 -------- d-----w- c:\documents and settings\hp_administrateur\application data\Malwarebytes
2011-11-24 19:54:25 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-11-24 19:54:21 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-24 19:54:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-23 20:05:21 98816 ----a-w- c:\windows\sed.exe
2011-11-23 20:05:21 518144 ----a-w- c:\windows\SWREG.exe
2011-11-23 20:05:21 256000 ----a-w- c:\windows\PEV.exe
2011-11-23 20:05:21 208896 ----a-w- c:\windows\MBR.exe
2011-11-20 08:18:02 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-11-15 21:15:04 -------- d-----w- c:\documents and settings\hp_administrateur\local settings\application data\LaCie
2011-11-15 21:12:41 -------- d-----w- c:\program files\Bonjour
2011-11-15 21:12:11 -------- d-----w- c:\program files\LaCie
.
==================== Find3M ====================
.
2011-10-10 14:23:00 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-03 04:06:03 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-09-28 15:15:50 1409 ----a-w- c:\windows\QTFont.for
2011-09-28 07:06:46 606208 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 09:41:40 614400 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 09:41:40 22528 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-26 09:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-06 14:10:01 1859072 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 21:11:18,75 ===============
 