Good evening Pskelley, and thank you for taking time to help me with my infection. (Kinda weird that I'd start a cold on the same day my PC got infected)
PC Background: Personal PC which I also use for my business. My kids also play games on it in the evening.
ComboFix Log
ComboFix 08-09-05.02 - Gestion Épidaure 2008-09-05 22:44:55.4 - NTFSx86
Microsoft® Windows Vista™ Édition Familiale Premium 6.0.6000.0.1252.1.1036.18.2068 [GMT -4:00]
Endroit: C:\Users\Gestion Épidaure.maison\Desktop\Benoit\ComboFix.exe
* Création d'un nouveau point de restauration
.
((((((((((((((((((((((((((((( Fichiers créés 2008-08-06 to 2008-09-06 ))))))))))))))))))))))))))))))))))))
.
Pas de nouveau fichier créé dans cet espace de temps
.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-06 02:48 4,293,664 --sha-w C:\Windows\system32\drivers\fidbox.dat
2008-09-06 02:39 --------- d-----w C:\ProgramData\fqzynaho
2008-09-05 23:50 60,068 --sha-w C:\Windows\system32\drivers\fidbox.idx
2008-09-05 21:20 691 ----a-w C:\Users\Gestion Épidaure.maison\AppData\Roaming\GetValue.vbs
2008-09-05 21:20 35 ----a-w C:\Users\Gestion Épidaure.maison\AppData\Roaming\SetValue.bat
2008-09-05 21:20 1,762 ----a-w C:\Windows\System32\tmp.reg
2008-09-05 20:12 --------- d-----w C:\Users\Gestion Épidaure.maison\AppData\Roaming\SUPERAntiSpyware.com
2008-09-05 20:12 --------- d-----w C:\ProgramData\SUPERAntiSpyware.com
2008-09-05 20:12 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-09-05 20:11 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-09-04 17:16 --------- d-----w C:\Program Files\Enigma Software Group
2008-09-04 17:00 --------- d-----w C:\Program Files\Trend Micro
2008-09-04 16:21 --------- d-----w C:\Program Files\SpywareBlaster
2008-09-04 15:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-04 15:26 --------- d-----w C:\Program Files\Symantec
2008-09-04 15:26 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-09-04 15:25 --------- d-----w C:\ProgramData\Symantec
2008-09-04 14:13 --------- d-----w C:\ProgramData\ParetoLogic
2008-09-04 14:13 --------- d-----w C:\Program Files\Common Files\ParetoLogic
2008-09-04 13:41 --------- d-----w C:\Program Files\Hot Dish
2008-09-04 13:18 --------- d-----w C:\Program Files\PKR
2008-09-03 23:50 --------- d---a-w C:\ProgramData\TEMP
2008-09-03 14:31 --------- d-----w C:\Program Files\MSA
2008-09-03 14:25 --------- d-----w C:\Users\Gestion Épidaure.maison\AppData\Roaming\Malwarebytes
2008-09-03 14:25 --------- d-----w C:\ProgramData\Malwarebytes
2008-09-03 14:25 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-09-03 14:14 --------- d-----w C:\ProgramData\ParetoLogic Anti-Virus PLUS
2008-09-03 14:12 --------- d-----w C:\ProgramData\Downloaded Installations
2008-09-03 13:52 --------- d-----w C:\Program Files\Windows Live Toolbar
2008-09-03 13:52 --------- d-----w C:\Program Files\BAE
2008-09-03 13:23 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-09-03 13:23 --------- d-----w C:\Program Files\Yahoo!
2008-09-03 13:23 --------- d-----w C:\Program Files\Simple Comptable Standard 2007
2008-09-03 13:23 --------- d-----w C:\Program Files\QuickTime
2008-09-03 13:23 --------- d-----w C:\Program Files\Dell
2008-09-03 13:23 --------- d-----w C:\Program Files\Common Files\Roxio Shared
2008-09-03 13:23 --------- d-----w C:\Program Files\Apple Software Update
2008-09-03 12:45 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
2008-09-03 12:44 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-03 12:29 --------- d-----w C:\Users\Gestion Épidaure.maison\AppData\Roaming\LimeWire
2008-09-03 12:26 --------- d-----w C:\Program Files\Alwil Software
2008-09-03 03:58 88,576 ----a-w C:\Windows\System32\AntiXPVSTFix.exe
2008-09-02 20:51 86,528 ----a-w C:\Windows\System32\VACFix.exe
2008-09-02 04:16 38,528 ----a-w C:\Windows\system32\drivers\mbamswissarmy.sys
2008-09-02 04:16 17,200 ----a-w C:\Windows\system32\drivers\mbam.sys
2008-09-01 17:12 --------- d-----w C:\Users\Jean-francois\AppData\Roaming\LimeWire
2008-08-29 02:36 82,432 ----a-w C:\Windows\System32\IEDFix.C.exe
2008-08-23 22:18 --------- d-----w C:\Program Files\Restaurant Rush
2008-08-22 03:35 --------- d-----w C:\Program Files\Jewel Quest III
2008-08-21 17:51 --------- d-----w C:\Users\Gestion Épidaure.maison\AppData\Roaming\QSGames
2008-08-21 17:51 --------- d-----w C:\ProgramData\QSGames
2008-08-21 17:51 --------- d-----w C:\Program Files\Fury Race
2008-08-18 16:19 82,432 ----a-w C:\Windows\System32\404Fix.exe
2008-08-16 13:09 --------- d-----w C:\Program Files\Windows Mail
2008-08-16 13:08 --------- d-----w C:\ProgramData\Microsoft Help
2008-08-11 16:44 --------- d-----w C:\Users\Gestion Épidaure.maison\AppData\Roaming\Bullzip
2008-07-31 06:34 --------- d-----w C:\Program Files\Cradle Of Rome
2008-07-31 06:01 --------- d-----w C:\Users\Gestion Épidaure.maison\AppData\Roaming\iWin
2008-07-31 05:24 --------- d-----w C:\Program Files\Dream Day Wedding 2
2008-07-30 19:57 --------- d-----w C:\Program Files\Hidden Secrets - The Nightmare
2008-07-30 19:39 --------- d-----w C:\Program Files\Restaurant Empire
2008-07-30 19:32 --------- d-----w C:\Program Files\Cooking Academy
2008-07-24 14:51 --------- d-----w C:\Users\Gestion Épidaure.maison\AppData\Roaming\FarmerJane
2008-07-24 13:49 --------- d-----w C:\Program Files\Farmer Jane
2008-07-24 13:46 --------- d-----w C:\Program Files\Yummy Drink Factory
2008-07-22 15:51 --------- d-----w C:\Users\Gestion Épidaure.maison\AppData\Roaming\blg
2008-07-21 15:24 --------- d-----w C:\Users\Jean-francois\AppData\Roaming\blg
2008-07-21 15:24 --------- d-----w C:\ProgramData\blg
2008-07-21 15:23 --------- d-----w C:\Program Files\Spa Mania
2008-07-20 17:46 --------- d-----w C:\Users\Jean-francois\AppData\Roaming\Sony
2008-07-20 17:46 --------- d-----w C:\ProgramData\Sony
2008-07-20 16:44 --------- d-----w C:\Program Files\Sony Ericsson
2008-07-20 16:44 --------- d-----w C:\Program Files\Sony
2008-07-20 16:40 --------- d-----w C:\ProgramData\BVRP Software
2008-07-20 16:40 --------- d-----w C:\Program Files\Avanquest update
2008-07-20 16:15 --------- d-----w C:\ProgramData\Sony Ericsson
2008-07-19 14:36 51,280 ----a-w C:\Windows\system32\drivers\aswMonFlt.sys
2008-07-19 05:10 53,448 ----a-w C:\Windows\System32\wuauclt.exe
2008-07-19 05:10 45,768 ----a-w C:\Windows\System32\wups2.dll
2008-07-19 05:10 36,552 ----a-w C:\Windows\System32\wups.dll
2008-07-19 05:09 563,912 ----a-w C:\Windows\System32\wuapi.dll
2008-07-19 05:09 1,811,656 ----a-w C:\Windows\System32\wuaueng.dll
2008-07-19 03:44 83,456 ----a-w C:\Windows\System32\wudriver.dll
2008-07-19 03:44 1,524,736 ----a-w C:\Windows\System32\wucltux.dll
2008-07-19 02:08 163,904 ----a-w C:\Windows\System32\wuwebv.dll
2008-07-19 01:37 --------- d-----w C:\ProgramData\HiddenSecretsNightmare
2008-07-19 00:44 31,232 ----a-w C:\Windows\System32\wuapp.exe
2008-07-18 18:39 587,264 ----a-w C:\Windows\WLXPGSS.SCR
2008-07-15 23:53 --------- d-----w C:\ProgramData\Astar Games
2008-07-15 23:53 --------- d-----w C:\Program Files\Laura Jones and the Gates of Good and Evil
2008-07-15 23:48 2,048 ----a-w C:\Windows\System32\tzres.dll
2008-07-11 15:04 --------- d-----w C:\Program Files\Tap'Touche
2008-07-09 07:09 174 --sha-w C:\Program Files\desktop.ini
2008-06-27 03:54 826,368 ----a-w C:\Windows\System32\wininet.dll
2008-06-27 03:54 56,320 ----a-w C:\Windows\System32\iesetup.dll
2008-06-27 03:54 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-06-27 03:54 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2008-06-26 00:34 7,964,672 ----a-w C:\Windows\System32\NlsLexicons0024.dll
2008-06-26 00:33 9,892,864 ----a-w C:\Windows\System32\NlsLexicons000a.dll
2008-06-19 03:25 61,440 ----a-w C:\Windows\System32\winipsec.dll
.
((((((((((((((((((((((((((((( snapshot_2008-09-03_11.24.45.69 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-09-05 20:12:24 18,944 ----a-r C:\Windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2008-09-05 20:12:24 65,024 ----a-r C:\Windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2008-09-06 00:05:11 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-09-06 00:05:11 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-09-03 15:10:50 1,572,864 --sha-w C:\Windows\ServiceProfiles\LocalService\ntuser.dat
+ 2008-09-06 00:06:56 1,572,864 --sha-w C:\Windows\ServiceProfiles\LocalService\ntuser.dat
- 2008-09-03 15:10:50 1,572,864 --sha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat
+ 2008-09-06 02:48:07 1,572,864 --sha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat
- 2008-09-03 14:39:02 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-09-06 00:05:57 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-09-03 14:39:02 49,152 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-09-06 00:05:57 49,152 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-09-03 14:39:02 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-09-06 00:05:57 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-09-03 12:17:15 262,144 ----a-w C:\Windows\System32\config\systemprofile\ntuser.dat
+ 2008-09-06 02:44:41 262,144 ----a-w C:\Windows\System32\config\systemprofile\ntuser.dat
+ 2008-09-06 02:44:41 262,144 ---ha-w C:\Windows\System32\config\systemprofile\ntuser.dat.LOG1
+ 2004-07-31 22:50:36 51,200 ----a-w C:\Windows\System32\dumphive.exe
+ 2008-05-19 01:40:35 82,944 ----a-w C:\Windows\System32\IEDFix.exe
- 2008-08-05 18:11:01 15,888,504 ----a-w C:\Windows\System32\mrt.exe
+ 2008-08-05 15:11:02 15,888,504 ----a-w C:\Windows\System32\mrt.exe
+ 2008-09-05 19:23:12 2,456 ----a-w C:\Windows\System32\networklist\icons\{03AF6652-E6C3-4C5B-AABC-18DCFC92EB30}_24.bin
+ 2008-09-05 19:23:12 4,280 ----a-w C:\Windows\System32\networklist\icons\{03AF6652-E6C3-4C5B-AABC-18DCFC92EB30}_32.bin
+ 2008-09-05 19:23:12 9,560 ----a-w C:\Windows\System32\networklist\icons\{03AF6652-E6C3-4C5B-AABC-18DCFC92EB30}_48.bin
+ 2003-06-06 01:13:00 53,248 ----a-w C:\Windows\System32\Process.exe
+ 2006-04-27 21:49:30 288,417 ----a-w C:\Windows\System32\SrchSTS.exe
+ 2007-09-06 04:22:23 289,144 ----a-w C:\Windows\System32\VCCLSID.exe
- 2008-09-03 14:35:16 10,168 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2077915589-448433217-3937035621-1001_UserData.bin
+ 2008-09-06 00:07:13 10,916 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2077915589-448433217-3937035621-1001_UserData.bin
- 2008-09-03 14:35:16 75,234 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-09-06 00:07:13 76,346 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-09-03 14:35:04 49,518 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-09-06 00:07:11 51,560 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2007-10-04 04:36:46 25,600 ----a-w C:\Windows\System32\WS2Fix.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-09-03 1576176]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ConnectionManager"="C:\Program Files\Winsim\ConnectionManager\Simply.SystemTrayIcon.exe" [2008-06-06 87336]
"BrMfcWnd"="C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-12-18 622592]
"ControlCenter3"="C:\Program Files\Brother\ControlCenter3\brctrcen.exe" [2006-07-19 65536]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2007-04-27 13:10 18744 C:\Windows\System32\PCANotify.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"="0x00000000"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2077915589-448433217-3937035621-1000]
"EnableNotificationsRef"=dword:00000009
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2077915589-448433217-3937035621-1001]
"EnableNotificationsRef"=dword:00000002
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{8D9F7E2C-5E71-488F-B6D2-AC2ADF9E107E}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{361BE25E-657C-4C4E-BAE5-BFADB5F7239F}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{23C5790A-6E85-4B4C-B91D-D479531BAF98}"= UDP:C:\Windows\System32\dlcxcoms.exe:Lexmark Communications System
"{C0D9F33C-7932-486F-AC3B-D8DA34978A0D}"= TCP:C:\Windows\System32\dlcxcoms.exe:Lexmark Communications System
"{3C1CE574-1E5A-47D6-BD6A-8B57C319DE4D}"= UDP:C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe:Device Monitor
"{C0B47FC4-6F35-49FC-A3E0-DD6055B33219}"= TCP:C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe:Device Monitor
"{28522A6F-5F7C-48FC-AC66-BCF37565FE04}"= UDP:C:\Program Files\Dell Photo AIO Printer 926\dlcxaiox.exe:All In One Center
"{B76A9D04-4787-4E58-A787-D9794A063151}"= TCP:C:\Program Files\Dell Photo AIO Printer 926\dlcxaiox.exe:All In One Center
"{E9ADBDE9-F8ED-4088-AC17-F6C6B5BC1F62}"= UDP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{F08B37AB-68C0-4369-8DC8-086D8C3788F4}"= TCP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{81516695-2652-4433-8785-E4A81757843D}"= UDP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{EADB962C-4777-404E-8E5B-003C4651E8A8}"= TCP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{94A24A0D-12B6-4C86-BCF9-C68A909AE05B}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{F9E8C007-A178-409B-B261-B4B24413F0E7}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{3439309F-73EB-4A96-8A96-5407E244D0C3}"= UDP:C:\Program Files\winsim\ConnectionManager\MySqlBinary\5.0.38\mysql\mysqld-nt.exe:mysqld-nt.exe 5.0.38
"{E4655857-1622-4420-894C-040D61E37D58}"= TCP:C:\Program Files\winsim\ConnectionManager\MySqlBinary\5.0.38\mysql\mysqld-nt.exe:mysqld-nt.exe 5.0.38
"{6FEADF2E-6016-43A4-AEAD-072F9FD1AFDB}"= UDP:C:\Program Files\winsim\ConnectionManager\SimplyConnectionManager.exe:SimplyConnectionManager.exe
"{A0918321-AFA1-4695-A642-F77F0E0FA5BA}"= TCP:C:\Program Files\winsim\ConnectionManager\SimplyConnectionManager.exe:SimplyConnectionManager.exe
"{3DABDACA-A52E-4A05-A64A-ACFF2569518B}"= UDP:C:\Program Files\winsim\ConnectionManager\MySqlBinary\5.0.38\mysql\mysqld-nt.exe:mysqld-nt
"{B3B112EC-543D-4249-BAE5-62FCFC2506BD}"= TCP:C:\Program Files\winsim\ConnectionManager\MySqlBinary\5.0.38\mysql\mysqld-nt.exe:mysqld-nt
"{84C01CD4-D344-44BD-946A-A71016EED219}"= UDP:C:\Program Files\winsim\ConnectionManager\SimplyConnectionManager.exe:SimplyConnectionManager
"{7BA02A43-D5E8-47E4-B779-0F604A0470CE}"= TCP:C:\Program Files\winsim\ConnectionManager\SimplyConnectionManager.exe:SimplyConnectionManager
"{73775915-98CD-4932-8B92-91BA4D54EF4F}"= UDP:C:\Program Files\Simple Comptable 2008\SimplyAccounting.exe:Simple Comptable 2008
"{0A5241C6-7EE2-4E6E-8EA4-3CD1EF4A8E27}"= TCP:C:\Program Files\Simple Comptable 2008\SimplyAccounting.exe:Simple Comptable 2008
"{8F306A4D-7CF5-4A3B-A6B4-4BA821C7BD3D}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{781C7A29-3EBD-4332-8E72-FA8DD2B17970}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{AAB2D48F-BAB4-4C9C-8A1C-9C41E093B69B}"= UDP:C:\Program Files\Microsoft LifeCam\LifeCam.exe:LifeCam.exe
"{1D5C51E8-4C76-4875-8CDD-DB4942324EF2}"= TCP:C:\Program Files\Microsoft LifeCam\LifeCam.exe:LifeCam.exe
"{387C9F13-9405-4277-B11E-6D1353AD3346}"= UDP:C:\Program Files\Microsoft LifeCam\LifeExp.exe:LifeExp.exe
"{72E4806A-6BA3-43D6-91AD-B7ABE81EBA6D}"= TCP:C:\Program Files\Microsoft LifeCam\LifeExp.exe:LifeExp.exe
"{66DEA6F8-E722-4213-87D1-C08BC69F1910}"= UDP:C:\Program Files\Symantec\pcAnywhere\awhost32.exe:pcAnywhere Host
"{5DEB9B02-251A-4B14-A2B2-2CE10509D2DF}"= TCP:C:\Program Files\Symantec\pcAnywhere\awhost32.exe:pcAnywhere Host
"{E1DBE254-49C2-4761-A129-28052ABE3EA0}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{15481A31-E4B3-44E9-8105-07C67BE92A14}"= UDP:C:\Program Files\Sony Ericsson\Sony Ericsson Media Manager\MediaManager.exe:Sony Ericsson Media Manager 1.1
"{0D210770-7176-466F-8EEA-2FA0C549EDC8}"= TCP:C:\Program Files\Sony Ericsson\Sony Ericsson Media Manager\MediaManager.exe:Sony Ericsson Media Manager 1.1
"{1D15D6E9-945C-460A-91A9-A2F06C591FEA}"= UDP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{F7CBF350-1061-46CD-A850-01A588D36C18}"= TCP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{134EE19D-4C44-459F-8074-771D41DCACC0}"= UDP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{E1284F98-8A2F-4FD4-A2B2-4DD967C6E413}"= TCP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"DoNotAllowExceptions"= 0 (0x0)
"DisabledInterfaces"= {5F970AD0-1AA2-4725-BDB4-E82CF7112133}
R1 aswSP;avast! Self Protection;C:\Windows\system32\drivers\aswSP.sys [2008-07-19 78416]
R2 aswFsBlk;aswFsBlk;C:\Windows\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]
R2 aswMonFlt;aswMonFlt;C:\Windows\system32\DRIVERS\aswMonFlt.sys [2008-07-19 51280]
R2 Gestionnaire de connexion de Simple Comptable;Gestionnaire de connexion de Simple Comptable;C:\Program Files\Winsim\ConnectionManager\SimplyConnectionManager.exe [2008-06-06 18216]
R2 MSCamSvc;MSCamSvc;C:\Program Files\Microsoft LifeCam\MSCamS32.exe [2007-05-17 271720]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-08-14 809296]
S3 s916bus;Sony Ericsson Device 916 driver (WDM);C:\Windows\system32\DRIVERS\s916bus.sys [2007-11-02 83496]
S3 s916mdfl;Sony Ericsson Device 916 USB WMC Modem Filter;C:\Windows\system32\DRIVERS\s916mdfl.sys [2007-11-02 15016]
S3 s916mdm;Sony Ericsson Device 916 USB WMC Modem Driver;C:\Windows\system32\DRIVERS\s916mdm.sys [2007-11-02 109992]
S3 s916mgmt;Sony Ericsson Device 916 USB WMC Device Management Drivers (WDM);C:\Windows\system32\DRIVERS\s916mgmt.sys [2007-11-02 103976]
S3 s916obex;Sony Ericsson Device 916 USB WMC OBEX Interface;C:\Windows\system32\DRIVERS\s916obex.sys [2007-11-02 100008]
S3 VX1000;VX-1000;C:\Windows\system32\DRIVERS\VX1000.sys [2007-04-10 1966312]
S4 dlcx_device;dlcx_device;C:\Windows\system32\dlcxcoms.exe [2006-11-03 537480]
.
Contenu du dossier 'Scheduled Tasks/Tâches planifiées'
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = www.google.ca/
O8 -: &Windows Live Search - C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 -: E&xporter vers Microsoft Excel - C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-09-05 22:48:23
Windows 6.0.6000 NTFS
Balayage processus cachés ...
Balayage caché autostart entries ...
Balayage des fichiers cachés ...
Scan terminé avec succès
Les fichiers cachés: 0
**************************************************************************
.
Temps d'accomplissement: 2008-09-05 22:50:41
ComboFix-quarantined-files.txt 2008-09-06 02:50:33
ComboFix2.txt 2008-09-03 15:25:25
ComboFix3.txt 2008-09-03 13:40:03
ComboFix4.txt 2008-09-03 12:21:58
Pre-Run: Le texte du message associé au numéro 0x2379 est introuvable dans le fichier de messages pour Application.
Post-Run: 175,058,907,136 octets libres
269 --- E O F --- 2008-09-06 01:46:14
HJT Log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:55:00, on 2008-09-05
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16711)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\winsim\ConnectionManager\Simply.SystemTrayIcon.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Windows\system32\conime.exe
C:\Windows\Explorer.exe
C:\Windows\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ConnectionManager] C:\Program Files\Winsim\ConnectionManager\Simply.SystemTrayIcon.exe
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Ajout Direct - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Ajout Direct dans Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Envoyer à OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: &Envoyer à OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\users\gestio~1.mai\appdata\local\temp\ntdll64.dll
O10 - Unknown file in Winsock LSP: c:\users\gestio~1.mai\appdata\local\temp\ntdll64.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Symantec pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Gestionnaire de connexion de Simple Comptable - Sage Software - C:\Program Files\Winsim\ConnectionManager\SimplyConnectionManager.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Service de l'iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
--
Uninstall List (From HJT)
ABBYY FineReader 6.0 Sprint
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player ActiveX
Adobe Reader 8.1.2 - Français
Adobe® Photoshop® Album Edition Découverte 3.2
Animal Agents
Apple Mobile Device Support
Apple Software Update
Around the World in 80 Days (remove only)
Assistant de connexion Windows Live
Assistant Personnalisation du systéme Dell
Atari: The 80 Classic Games
Avanquest update
avast! Antivirus
Big City Adventure Sydney Australia
Big City Adventure: Sydney, Australia
Big Fish Games Client
Brother MFL-Pro Suite
Bullzip PDF Printer 5.0.0.590
Cate West The Vanishing Files
Comptabilité Dynacom 10
Cooking Academy
Cooking Academy
Cooking Quest
Cradle Of Rome
Dairy Dash
Dell Fax PC
Diner Dash Flo on the Go (remove only)
Discovery! A Seek and Find Adventure
Dream Day Wedding
Dream Day Wedding 2
Dynacom Automatic Updates 1.2.7.9
Dynacom Cadeau Gratuit
Dynacom Windows Component Update
Empire of the Gods
Enigma
Fairies (gratuit) (remove only)
Farmer Jane
First Class Flurry
Full Tilt Poker.Net
Fury Race
Galerie de photos Windows Live
Go Go Gourmet
GPL Ghostscript Lite 8.61
Guide de l'utilisateur
Haunted Hotel
Hell's Kitchen
Hidden Secrets: The Nightmare
Hidden Wonders of the Depths
Hide & Secret 2: Cliffhanger Castle
Hide and Secret (remove only)
HijackThis 2.0.2
Hot Dish (remove only)
Intel(R) Matrix Storage Manager
Intel(R) PRO Network Connections Drivers
iTunes
Janes Hotel
Java(TM) SE Runtime Environment 6
Jewel Quest III
Laura Jones and the Gates of Good and Evil
LiveReg (Symantec Corporation)
Magic Academy
Malwarebytes' Anti-Malware
MapSend DirectRoute North America
Menus intelligents (Windows Live Toolbar)
Microsoft LifeCam
Microsoft Office Excel MUI (French) 2007
Microsoft Office Home and Student 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (French) 2007
Microsoft Office PowerPoint MUI (French) 2007
Microsoft Office Proof (Arabic) 2007
Microsoft Office Proof (Dutch) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (German) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (French) 2007
Microsoft Office Shared MUI (French) 2007
Microsoft Office Word MUI (French) 2007
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 Redistributable
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MySQL Connector/ODBC 3.51
Mystery Stories: Island of Hope
Mysteryville
Nancy Drew: The Haunted Carousel
NVIDIA Drivers
Pastry Passion
Pizza Chef
PKR
Poker Superstars 2
QuickTime
QuickTime
Restaurant Rush
SA22xx Device Manager
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Sherlock Holmes: The Mystery of the Persian Carpet
SigmaTel Audio
Simple Comptable de Sage 2007
Simple Comptable de Sage 2008
Sonic Activation Module
Sony Ericsson Media Manager 1.1
Sony Ericsson PC Suite 3.204.00
Spa Mania
Spybot - Search & Destroy
SpywareBlaster 4.1
SUPERAntiSpyware Free Edition
Symantec pcAnywhere
Tap'Touche
The Hidden Object Show
Video Camer@
WebEx Record and Playback
Windows Live installer
Windows Live Mail
Windows Live Messenger
Windows Live Toolbar
Windows Live Toolbar
Windows Live Writer
Yummy Drink Factory
Here you go!