Difference in report depending on anti-xxx software
Solved
tzai
Hello,
I scan my PC with MBAM, no malware is detected.
I scan my PC with BitDefender 2008 and it shows infected files.
Why such a difference?
Who should I trust?
Thank you
Configuration: Windows XP SP3 / Internet Explorer 7
26 replies
Clear the quarantines of both (Malwarebytes and BitDefender).
Then, to decide:
Download Superantispyware (SAS)
Choose "Save" and save it to your desktop.
Double-click the installation icon that has just been created and follow the instructions.
Create an icon on the desktop.
Double-click on the SAS icon (a head in a red circle with a line through it) to launch it.
- If the tool asks you to update the program ("update the program definitions"), click yes.
- Under Configuration and Preferences, click the "Preferences" button
- Click on the "Scanning Control" tab
- In "Scanner Options", make sure the box next to the following lines is checked:
Close browsers before scanning
Scan for tracking cookies
Terminate memory threats before quarantining
- Leave the other lines unchecked.
- Click the "Close" button to exit the control center screen.
- In the main window, click on "Scan for Harmful Software", then "Scan your computer".
In the left column, check C:\Fixed Drive.
In the right column, under "Complete scan", click on "Perform Complete Scan"
Click "next" to start the scan. Wait for the duration of the scan.
At the end of the scan, a results window will open. Click OK.
Make sure all lines in the white window are checked and click "Next".
Everything that has been found will be quarantined. If you are prompted to restart the computer ("reboot"), click Yes.
To copy the information to the forum, do this:
- After restarting the computer, double-click the icon to launch SAS.
- Click "Preferences" then the "Statistics/Logs" tab.
- In "scanners logs", double-click on SUPERAntiSpyware Scan Log.
- The report will open in your default text editor.
- Copy its contents into your reply.
Be sure to check the SUPERAntiSpyware tutorial, it is very well explained.
--
G3и-н@¢км@и™©®
SUPERAntiSpyware Scan Log
https://www.superantispyware.com/
Generated 04/03/2009 at 02:17 PM
Application Version : 4.26.1000
Core Rules Database Version : 3827
Trace Rules Database Version: 1783
Scan type : Complete Scan
Total Scan Time : 00:21:38
Memory items scanned : 398
Memory threats detected : 2
Registry items scanned : 4814
Registry threats detected : 2
File items scanned : 15559
File threats detected : 21
Adware.Vundo/Variant-MSFake
C:\DOCUMENTS AND SETTINGS\PRINCIPAL01\APPLICATION DATA\MICROSOFT\LIVE SEARCH\NOTIFICATION-LIVESEARCH.EXE
C:\DOCUMENTS AND SETTINGS\PRINCIPAL01\APPLICATION DATA\MICROSOFT\LIVE SEARCH\NOTIFICATION-LIVESEARCH.EXE
C:\DOCUMENTS AND SETTINGS\PRINCIPAL01\APPLICATION DATA\MICROSOFT\LIVE SEARCH\MISE-A-JOUR-LIVESEARCH.EXE
C:\DOCUMENTS AND SETTINGS\PRINCIPAL01\APPLICATION DATA\MICROSOFT\LIVE SEARCH\MISE-A-JOUR-LIVESEARCH.EXE
C:\DOCUMENTS AND SETTINGS\PRINCIPAL01\APPLICATION DATA\MICROSOFT\LIVE SEARCH\SUPPRESSION-LIVE-SEARCH.EXE
C:\DOCUMENTS AND SETTINGS\PRINCIPAL01\MENU DÉMARRER\PROGRAMMES\DÉMARRAGE\OUTIL DE NOTIFICATION LIVE SEARCH.LNK
Adware.Tracking Cookie
C:\Documents and Settings\principal01\Cookies\principal01@tradedoubler[1].txt
C:\Documents and Settings\principal01\Cookies\principal01@serving-sys[1].txt
C:\Documents and Settings\principal01\Cookies\principal01@msnportal.112.2o7[1].txt
C:\Documents and Settings\principal01\Cookies\principal01@advertising[1].txt
C:\Documents and Settings\principal01\Cookies\principal01@doubleclick[2].txt
C:\Documents and Settings\principal01\Cookies\principal01@xiti[1].txt
C:\Documents and Settings\principal01\Cookies\principal01@bs.serving-sys[2].txt
C:\Documents and Settings\principal01\Cookies\principal01@atdmt[1].txt
C:\Documents and Settings\principal01\Cookies\principal01@smartadserver[1].txt
Rogue.Component/Trace
HKU\S-1-5-21-854245398-1897051121-1547161642-1004\Software\Microsoft\FIAS4051
HKU\S-1-5-21-854245398-1897051121-1547161642-1004\Software\Microsoft\FIAS4057
Adware.Vundo/Variant-PrintDlgA
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BE065684-E0C6-40C3-8A6D-E72922016F60}\RP24\A0012991.DLL
Adware.Vundo/Variant-EC
C:\WINDOWS\SYSTEM32\BIDIWAYE.DLL
C:\WINDOWS\SYSTEM32\FONEBIPI.DLL
C:\WINDOWS\SYSTEM32\YOZEKUTE.DLL
Adware.Vundo/Variant
C:\WINDOWS\SYSTEM32\GIDOHANU.DLL
C:\WINDOWS\SYSTEM32\MURIBABI.DLL
C:\WINDOWS\SYSTEM32\TEBUDATI.DLL
C:\WINDOWS\SYSTEM32\VUZEJOFU.DLL
Well, apparently it's Bitdefender that was the most right :::)))
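The SUPERAntiSpyware log above rolls tracking cookies, a copy sitting in a System Restore point and DLLs in system32 into one "File threats detected : 21" figure, and that mixing is a large part of why two products' totals disagree. The Python below is an added example, not code from this thread or from SUPERAntiSpyware: it parses a constructed excerpt in the same layout (a category line followed by the items under it; the user name, SID and restore-point GUID are placeholders) and buckets each item by where it lives, so the headline count separates into inert artefacts and components that would actually load.

```python
"""Bucket the detections in a SUPERAntiSpyware scan log by where each item
lives, so a headline 'N threats' splits into inert artefacts and live
components. Added example; not SUPERAntiSpyware code."""
import re
from collections import Counter

# Constructed excerpt in the log's layout (category line, then the items under
# it). User name, SID and restore-point GUID are placeholders.
SAMPLE_SAS = "\n".join([
    r"Adware.Vundo/Variant-MSFake",
    r"C:\DOCUMENTS AND SETTINGS\USER\APPLICATION DATA\MICROSOFT\LIVE SEARCH\NOTIFICATION-LIVESEARCH.EXE",
    r"C:\DOCUMENTS AND SETTINGS\USER\APPLICATION DATA\MICROSOFT\LIVE SEARCH\NOTIFICATION-LIVESEARCH.EXE",
    r"C:\DOCUMENTS AND SETTINGS\USER\MENU DÉMARRER\PROGRAMMES\DÉMARRAGE\OUTIL DE NOTIFICATION LIVE SEARCH.LNK",
    r"Adware.Tracking Cookie",
    r"C:\Documents and Settings\user\Cookies\user@doubleclick[2].txt",
    r"C:\Documents and Settings\user\Cookies\user@atdmt[1].txt",
    r"Rogue.Component/Trace",
    r"HKU\S-1-5-21-0-0-0-1004\Software\Microsoft\FIAS4051",
    r"Adware.Vundo/Variant-PrintDlgA",
    r"C:\SYSTEM VOLUME INFORMATION\_RESTORE{00000000-0000-0000-0000-000000000000}\RP24\A0012991.DLL",
    r"Adware.Vundo/Variant-EC",
    r"C:\WINDOWS\SYSTEM32\BIDIWAYE.DLL",
    r"C:\WINDOWS\SYSTEM32\FONEBIPI.DLL",
])

ITEM_RE = re.compile(r"^(?:[A-Z]:\\|HK(?:U|LM|CU)\\)", re.IGNORECASE)
CATEGORY_RE = re.compile(r"^[A-Za-z]+\.[A-Za-z][^:\\]*$")   # e.g. Adware.Vundo/Variant-EC


def parse_sas(text):
    """Return [(category, item)]; a category line applies to the items that follow it."""
    category, items = None, []
    for line in text.splitlines():
        line = line.strip()
        if ITEM_RE.match(line):
            if category:
                items.append((category, line))
        elif CATEGORY_RE.match(line):
            category = line
    return items


def classify(item):
    """Where the item lives says more about risk than the detection name does."""
    u = item.upper()
    if u.startswith("HK"):
        return "registry trace"
    if "\\COOKIES\\" in u:
        return "tracking cookie"          # browser data, nothing executes
    if "\\SYSTEM VOLUME INFORMATION\\" in u:
        return "restore-point copy"       # inert unless System Restore is used
    if "\\WINDOWS\\SYSTEM32\\" in u and u.endswith(".DLL"):
        return "system32 DLL"             # loadable into other processes
    if u.endswith(".LNK") and ("\\STARTUP\\" in u or "\\DÉMARRAGE\\" in u):
        return "startup shortcut"         # persistence via the Startup folder
    return "other file"


LIVE = {"system32 DLL", "startup shortcut", "other file"}


def summarize(text):
    items = parse_sas(text)
    unique = sorted(set(items))           # SAS lists an item once per rule that hit it
    by_class = Counter(classify(path) for _, path in unique)
    return {
        "reported": len(items),
        "unique": len(unique),
        "by_class": dict(by_class),
        "live_items": [path for _, path in unique if classify(path) in LIVE],
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_SAS).items():
        print(key, value)
```

Run it as a script to print the breakdown. On the constructed sample the nine reported lines collapse to eight unique items, of which four are live (the two system32 DLLs, the Startup-folder shortcut and the EXE it points at); the rest are cookies, a registry trace and a restore-point copy, which a product may count or ignore without either being wrong.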
Hi,
Start with this to see what's going on, have an accurate diagnosis and therefore identify potential infections and neutralize them:
Download and install the diagnostic software:
here Hijackthis
or here Hijackthis
or here Hijackthis
1- Click on the setup to start the installation: let yourself be guided and do not modify the installation settings.
At the end of the installation, the program launches automatically: close it by clicking on the red cross.
In the end, you should have a shortcut on your desktop and also a path like:
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
Usage tutorial (thanks to balltrap34):
Look here, it's perfectly explained with images,
( Do not fix ANY lines on your own, it could prevent your PC from functioning properly )
2- !! Disconnect and close all your running applications !!
Click on the desktop shortcut to launch the program:
If it doesn't launch click here
perform a HijackThis scan by clicking on: "Do a system scan and save a logfile"
--->copy-paste the generated report for analysis
--
G3и-н@¢км@и™©®
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:33:03, on 03/04/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SpeedFan\speedfan.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/?redirfallthru=http%3a%2f%2fwww.msn.fr%2fimg%2ffr%2ffr-fr%2fdivertissement%2fcelebrites%2fgalery%2fwentworth02.jpg%3f
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://runonce.msn.com/runonce3.aspx
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Links
O1 - Hosts: 82.98.231.89 browser-security.microsoft.com
O1 - Hosts: 82.98.231.89 best-click-scanner.info
O1 - Hosts: 82.98.231.89 antivirus-xp-pro-2009.com
O1 - Hosts: 82.98.231.89 microsoft.infosecuritycenter.com
O1 - Hosts: 82.98.231.89 microsoft.softwaresecurityhelp.com
O1 - Hosts: 82.98.231.89 onlinenotifyq.net
O1 - Hosts: 82.98.231.89 antivirusxp-pro-2009.com
O1 - Hosts: 82.98.231.89 microsoft.browser-security-center.com
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Assistant Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Event Reminder.lnk = C:\pmw\PMREMIND.EXE
O4 - Global Startup: SpeedFan.lnk = C:\Program Files\SpeedFan\speedfan.exe
O8 - Extra context menu item: E&xporter to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Java Console (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Search - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Notepad - {AF4F850B-68FF-404C-8417-549F86B1E236} - notepad.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/...
O20 - AppInit_DLLs: C:\WINDOWS\system32\ruvoziyi.dll C:\WINDOWS\system32\nukatojo.dll C:\WINDOWS\system32\hahonuhe.dll lghzio.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
O23 - Service: Marvell Yukon Service (yksvc) - Unknown owner - RUNDLL32.EXE (file missing)
--
End of file - 6759 bytes
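Two entry classes in the HijackThis log above carry the diagnosis: the O1 lines, where several security-sounding hostnames are all pointed at one non-loopback address in the hosts file, and the O20 AppInit_DLLs line, which makes every process that loads user32.dll also load the listed DLLs (the value is empty on a clean XP install). The Python below is an added example, not code from this thread or from HijackThis. It runs over a constructed excerpt modelled on the posted log (the 127.0.0.1 line is made up to show a normal blocking entry) and pulls those entries out, plus entries that reference a missing file, which are leftovers rather than active code. The eight-lowercase-letter DLL name check is a heuristic taken from the naming pattern the SUPERAntiSpyware log above classed as Adware.Vundo, not a rule.

```python
"""Triage the entry classes in a HijackThis v2 log that matter most here:
O1 hosts-file redirects, O20 AppInit_DLLs, and entries pointing at files
that no longer exist. Added example; not HijackThis code."""
import re
from collections import defaultdict

# Constructed excerpt in HijackThis format, modelled on the log posted above.
# The 127.0.0.1 line is made up to show a normal blocking entry.
SAMPLE_LOG = "\n".join([
    r"Logfile of Trend Micro HijackThis v2.0.2",
    r"Running processes:",
    r"C:\WINDOWS\system32\svchost.exe",
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local",
    r"O1 - Hosts: 82.98.231.89 browser-security.microsoft.com",
    r"O1 - Hosts: 82.98.231.89 antivirus-xp-pro-2009.com",
    r"O1 - Hosts: 127.0.0.1 ads.example.invalid",
    r"O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)",
    r'O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"',
    r"O20 - AppInit_DLLs: C:\WINDOWS\system32\ruvoziyi.dll C:\WINDOWS\system32\nukatojo.dll lghzio.dll",
    r"O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll",
    r"O23 - Service: Marvell Yukon Service (yksvc) - Unknown owner - RUNDLL32.EXE (file missing)",
])

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
# Addresses a hosts file uses to *block* a name; any other address is a redirect.
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}
# Eight lowercase letters plus .dll: the naming pattern of the system32 DLLs the
# SUPERAntiSpyware log above classed as Adware.Vundo. A heuristic, not proof.
RANDOM_DLL_RE = re.compile(r"^[a-z]{8}\.dll$", re.IGNORECASE)


def parse_hjt(text):
    """Return [(kind, body)] for every HijackThis entry line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def hosts_redirects(entries):
    """O1 entries whose address is not a sinkhole, i.e. the name is being redirected."""
    out = []
    for kind, body in entries:
        if kind != "O1" or not body.startswith("Hosts:"):
            continue
        parts = body[len("Hosts:"):].split()
        if len(parts) >= 2 and parts[0] not in SINKHOLE_IPS:
            out.append((parts[0], parts[1]))
    return out


def appinit_dlls(entries):
    """DLLs listed in O20 AppInit_DLLs (space or comma separated; empty by default on XP)."""
    dlls = []
    for kind, body in entries:
        if kind == "O20" and body.startswith("AppInit_DLLs:"):
            dlls.extend(p for p in re.split(r"[,\s]+", body[len("AppInit_DLLs:"):]) if p)
    return [{"path": d, "random_name": bool(RANDOM_DLL_RE.match(d.rsplit("\\", 1)[-1]))}
            for d in dlls]


def orphaned_entries(entries):
    """Entries referencing a file HijackThis could not find: leftovers, not running code."""
    return [(k, b) for k, b in entries if "(no file)" in b or "(file missing)" in b]


def triage(text):
    entries = parse_hjt(text)
    redirects = hosts_redirects(entries)
    targets = defaultdict(list)
    for ip, host in redirects:
        targets[ip].append(host)          # one address absorbing many names is the tell
    return {
        "hosts_redirects": redirects,
        "redirect_targets": dict(targets),
        "appinit_dlls": appinit_dlls(entries),
        "orphaned": orphaned_entries(entries),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

Run it as a script to print the summary. Judging hosts entries one line at a time is how the redirects get missed; grouping them by target address, as `redirect_targets` does, makes a single address claiming a list of unrelated names stand out immediately.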
Download LOP S&D to your Desktop.
* Double-click it to start the installation
* Then double-click the LOP S&D shortcut on your Desktop
* Select the desired language, then choose option 1 (Search)
* Wait until the scan is complete
* Post the generated report (C:\lopR.txt)
--
G3и-н@¢км@и™©®
Here is the LOP S&D report:
--------------------\\ Lop S&D 4.2.5-0 XP/Vista
Microsoft Windows XP Home Edition ( v5.1.2600 ) Service Pack 3
X86-based PC ( Multiprocessor Free : Intel(R) Core(TM)2 Duo CPU T5800 @ 2.00GHz )
BIOS : PhoenixBIOS 4.0 Release 6.1
USER : principal01 ( Administrator )
BOOT : Normal boot
Antivirus : Bitdefender Antivirus 8.0 (Activated)
Firewall : Bitdefender Firewall 8.0 (Activated)
C:\ (Local Disk) - NTFS - Total:48 Go (Free:39 Go)
D:\ (Local Disk) - NTFS - Total:10 Go (Free:9 Go)
E:\ (Local Disk) - NTFS - Total:52 Go (Free:48 Go)
F:\ (USB)
G:\ (CD or DVD)
"C:\Lop SD" ( LAST UPDATED : 19-12-2008|23:40 )
Option : [1] ( 03/04/2009|14:41 )
--------------------\\ List of folders in APPLIC~1
[10/10/2008|19:00] C:\DOCUME~1\ALLUSE~1\APPLIC~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
[07/10/2008|19:15] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Adobe
[10/10/2008|18:58] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
[10/10/2008|19:00] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
[07/10/2008|20:29] C:\DOCUME~1\ALLUSE~1\APPLIC~1\BitDefender
[10/10/2008|17:23] C:\DOCUME~1\ALLUSE~1\APPLIC~1\CanonBJ
[03/04/2009|09:58] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Malwarebytes
[27/02/2009|16:30] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft
[08/10/2008|15:45] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Real
[03/04/2009|13:46] C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
[08/10/2008|11:33] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
[08/10/2008|15:47] C:\DOCUME~1\ALLUSE~1\APPLIC~1\WLInstaller
[04/10/2008|17:54] C:\DOCUME~1\DEFAUL~1\APPLIC~1\Microsoft
[04/10/2008|17:54] C:\DOCUME~1\LOCALS~1\APPLIC~1\Microsoft
[04/10/2008|17:54] C:\DOCUME~1\NETWOR~1\APPLIC~1\Microsoft
[10/10/2008|19:31] C:\DOCUME~1\PRINCI~1\APPLIC~1\Adobe
[10/10/2008|19:00] C:\DOCUME~1\PRINCI~1\APPLIC~1\Apple Computer
[08/10/2008|15:51] C:\DOCUME~1\PRINCI~1\APPLIC~1\Auslogics
[07/10/2008|20:29] C:\DOCUME~1\PRINCI~1\APPLIC~1\Bitdefender
[03/12/2008|14:24] C:\DOCUME~1\PRINCI~1\APPLIC~1\Canon
[30/12/2008|19:03] C:\DOCUME~1\PRINCI~1\APPLIC~1\foobar2000
[04/10/2008|17:59] C:\DOCUME~1\PRINCI~1\APPLIC~1\Identities
[10/10/2008|19:31] C:\DOCUME~1\PRINCI~1\APPLIC~1\Macromedia
[03/04/2009|09:58] C:\DOCUME~1\PRINCI~1\APPLIC~1\Malwarebytes
[08/10/2008|15:47] C:\DOCUME~1\PRINCI~1\APPLIC~1\Media Player Classic
[17/01/2009|22:50] C:\DOCUME~1\PRINCI~1\APPLIC~1\Microsoft
[24/12/2008|11:41] C:\DOCUME~1\PRINCI~1\APPLIC~1\Real
[07/10/2008|17:48] C:\DOCUME~1\PRINCI~1\APPLIC~1\Sun
[03/04/2009|13:46] C:\DOCUME~1\PRINCI~1\APPLIC~1\SUPERAntiSpyware.com
[07/10/2008|16:55] C:\DOCUME~1\PRINCI~1\APPLIC~1\WinRAR
[25/01/2009|14:29] C:\DOCUME~1\PRINCI~1\APPLIC~1\XnView
--------------------\\ Scheduled tasks in C:\WINDOWS\tasks
[08/10/2008 11:38][--ah-----] C:\WINDOWS\tasks\SA.DAT
[14/04/2008 14:00][-r-h-----] C:\WINDOWS\tasks\desktop.ini
--------------------\\ List of folders in C:\Program Files
[07/10/2008|19:15] C:\Program Files\Adobe
[07/10/2008|19:20] C:\Program Files\Ahead
[10/10/2008|18:58] C:\Program Files\Apple Software Update
[07/10/2008|17:39] C:\Program Files\AusLogics Disk Defrag
[07/10/2008|20:28] C:\Program Files\BitDefender
[10/10/2008|18:59] C:\Program Files\Bonjour
[10/10/2008|17:22] C:\Program Files\CanonBJ
[04/10/2008|18:47] C:\Program Files\CCleaner
[04/10/2008|17:51] C:\Program Files\ComPlus Applications
[07/10/2008|17:21] C:\Program Files\CONEXANT
[07/10/2008|17:10] C:\Program Files\Everest Ultimate Engineer Edition 4.60 Build 1500 final
[03/04/2009|13:46] C:\Program Files\Common Files
[08/10/2008|15:43] C:\Program Files\foobar2000
[07/10/2008|17:38] C:\Program Files\HD Tune
[07/10/2008|16:56] C:\Program Files\Intel
[08/10/2008|15:46] C:\Program Files\Internet Explorer
[10/10/2008|19:00] C:\Program Files\iPod
[10/10/2008|19:00] C:\Program Files\iTunes
[07/10/2008|17:49] C:\Program Files\Java
[08/10/2008|15:45] C:\Program Files\K-Lite Codec Pack
[03/04/2009|09:58] C:\Program Files\Malwarebytes' Anti-Malware
[07/10/2008|17:16] C:\Program Files\Marvell
[08/10/2008|11:38] C:\Program Files\Messenger
[04/10/2008|17:55] C:\Program Files\microsoft frontpage
[08/10/2008|11:37] C:\Program Files\Microsoft Office
[17/01/2009|22:48] C:\Program Files\Microsoft Silverlight
[07/10/2008|19:32] C:\Program Files\Microsoft Works
[07/10/2008|19:31] C:\Program Files\Microsoft.NET
[04/10/2008|17:52] C:\Program Files\Movie Maker
[07/10/2008|17:58] C:\Program Files\MSBuild
[08/10/2008|11:37] C:\Program Files\MSECache
[04/10/2008|17:50] C:\Program Files\MSN
[04/10/2008|17:51] C:\Program Files\MSN Gaming Zone
[04/10/2008|17:53] C:\Program Files\NetMeeting
[04/10/2008|17:51] C:\Program Files\Online Services
[04/10/2008|17:53] C:\Program Files\Outlook Express
[07/10/2008|17:15] C:\Program Files\PageDefrag
[04/10/2008|18:48] C:\Program Files\PhotoFiltre
[10/10/2008|18:59] C:\Program Files\QuickTime Alternative
[07/10/2008|17:55] C:\Program Files\Reference Assemblies
[04/10/2008|17:53] C:\Program Files\Online Services
[03/04/2009|14:20] C:\Program Files\SpeedFan
[03/04/2009|13:46] C:\Program Files\SUPERAntiSpyware
[03/04/2009|14:32] C:\Program Files\Trend Micro
[04/10/2008|17:59] C:\Program Files\Uninstall Information
[04/10/2008|18:47] C:\Program Files\Unlocker
[08/10/2008|15:50] C:\Program Files\Windows Live
[08/10/2008|11:35] C:\Program Files\Windows Media Connect 2
[08/10/2008|11:35] C:\Program Files\Windows Media Player
[04/10/2008|17:50] C:\Program Files\Windows NT
[04/10/2008|17:53] C:\Program Files\WindowsUpdate
[07/10/2008|17:15] C:\Program Files\WindowsXP-KB924732-x86-ENU STATECHANGE
[07/10/2008|16:55] C:\Program Files\WinRAR
[04/10/2008|17:55] C:\Program Files\xerox
[07/10/2008|19:16] C:\Program Files\XnView
[07/10/2008|17:40] C:\Program Files\xp-AntiSpy
--------------------\\ List of folders in C:\Program Files\Common Files
[07/10/2008|19:15] C:\Program Files\Common Files\Adobe
[07/10/2008|19:20] C:\Program Files\Common Files\Ahead
[10/10/2008|18:59] C:\Program Files\Common Files\Apple
[07/10/2008|20:28] C:\Program Files\Common Files\BitDefender
[07/10/2008|19:32] C:\Program Files\Common Files\DESIGNER
[07/10/2008|17:48] C:\Program Files\Common Files\Java
[08/10/2008|15:48] C:\Program Files\Common Files\Microsoft Shared
[04/10/2008|17:53] C:\Program Files\Common Files\MSSoap
[04/10/2008|19:42] C:\Program Files\Common Files\ODBC
[04/10/2008|17:53] C:\Program Files\Common Files\Services
[04/10/2008|19:42] C:\Program Files\Common Files\SpeechEngines
[04/10/2008|17:52] C:\Program Files\Common Files\System
[08/10/2008|15:48] C:\Program Files\Common Files\WindowsLiveInstaller
[03/04/2009|13:46] C:\Program Files\Common Files\Wise Installation Wizard
--------------------\\ Process
( 39 Processes )
iexplore.exe ~ [PID:2828]
--------------------\\ Search with S_Lop
No Lop files / folders found!
--------------------\\ Search for Lop Files / Folders
C:\DOCUME~1\PRINCI~1\Cookies\principal01@advertising[1].txt
--------------------\\ Registry Check
..... OK !
--------------------\\ Hosts file Check
Clean Hosts file
--------------------\\ Search for files with Catchme
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-03 14:42:18
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden files: 14
--------------------\\ Search for other infections
No other infections found!
[F:1936][D:9]-> D:\temp
[F:18][D:0]-> C:\DOCUME~1\PRINCI~1\Cookies
[F:213][D:4]-> D:\TEMPOR~1\content.IE5
1 - "C:\Lop SD\LopR_1.txt" - 03/04/2009|14:42 - Option : [1]
--------------------\\ End of report at 14:42:53
[07/10/2008|17:58] C:\Program Files\MSBuild
[08/10/2008|11:37] C:\Program Files\MSECache
[04/10/2008|17:50] C:\Program Files\MSN
[04/10/2008|17:51] C:\Program Files\MSN Gaming Zone
[04/10/2008|17:53] C:\Program Files\NetMeeting
[04/10/2008|17:51] C:\Program Files\Online Services
[04/10/2008|17:53] C:\Program Files\Outlook Express
[07/10/2008|17:15] C:\Program Files\PageDefrag
[04/10/2008|18:48] C:\Program Files\PhotoFiltre
[10/10/2008|18:59] C:\Program Files\QuickTime Alternative
[07/10/2008|17:55] C:\Program Files\Reference Assemblies
[04/10/2008|17:53] C:\Program Files\Online Services
[03/04/2009|14:20] C:\Program Files\SpeedFan
[03/04/2009|13:46] C:\Program Files\SUPERAntiSpyware
[03/04/2009|14:32] C:\Program Files\Trend Micro
[04/10/2008|17:59] C:\Program Files\Uninstall Information
[04/10/2008|18:47] C:\Program Files\Unlocker
[08/10/2008|15:50] C:\Program Files\Windows Live
[08/10/2008|11:35] C:\Program Files\Windows Media Connect 2
[08/10/2008|11:35] C:\Program Files\Windows Media Player
[04/10/2008|17:50] C:\Program Files\Windows NT
[04/10/2008|17:53] C:\Program Files\WindowsUpdate
[07/10/2008|17:15] C:\Program Files\WindowsXP-KB924732-x86-ENU STATECHANGE
[07/10/2008|16:55] C:\Program Files\WinRAR
[04/10/2008|17:55] C:\Program Files\xerox
[07/10/2008|19:16] C:\Program Files\XnView
[07/10/2008|17:40] C:\Program Files\xp-AntiSpy
--------------------\\ List of folders in C:\Program Files\Common Files
[07/10/2008|19:15] C:\Program Files\Common Files\Adobe
[07/10/2008|19:20] C:\Program Files\Common Files\Ahead
[10/10/2008|18:59] C:\Program Files\Common Files\Apple
[07/10/2008|20:28] C:\Program Files\Common Files\BitDefender
[07/10/2008|19:32] C:\Program Files\Common Files\DESIGNER
[07/10/2008|17:48] C:\Program Files\Common Files\Java
[08/10/2008|15:48] C:\Program Files\Common Files\Microsoft Shared
[04/10/2008|17:53] C:\Program Files\Common Files\MSSoap
[04/10/2008|19:42] C:\Program Files\Common Files\ODBC
[04/10/2008|17:53] C:\Program Files\Common Files\Services
[04/10/2008|19:42] C:\Program Files\Common Files\SpeechEngines
[04/10/2008|17:52] C:\Program Files\Common Files\System
[08/10/2008|15:48] C:\Program Files\Common Files\WindowsLiveInstaller
[03/04/2009|13:46] C:\Program Files\Common Files\Wise Installation Wizard
--------------------\\ Process
( 39 Processes )
iexplore.exe ~ [PID:2828]
--------------------\\ Search with S_Lop
No Lop files / folders found!
--------------------\\ Search for Lop Files / Folders
C:\DOCUME~1\PRINCI~1\Cookies\principal01@advertising[1].txt
--------------------\\ Registry Check
..... OK !
--------------------\\ Hosts file Check
Clean Hosts file
--------------------\\ Search for files with Catchme
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-03 14:42:18
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden files: 14
--------------------\\ Search for other infections
No other infections found!
[F:1936][D:9]-> D:\temp
[F:18][D:0]-> C:\DOCUME~1\PRINCI~1\Cookies
[F:213][D:4]-> D:\TEMPOR~1\content.IE5
1 - "C:\Lop SD\LopR_1.txt" - 03/04/2009|14:42 - Option : [1]
--------------------\\ End of report at 14:42:53
Double-click on the Lop S&D shortcut present on your Desktop
* Select the desired language, then choose the "Removal + Hosts" option
* Wait until the scan is complete
* Post the generated report (C:\lopR.txt)
then restart and send both rsit logs please
--
G3и-н@¢км@и™©®
Here is the report:
I don't understand what I need to do after the restart
"then restart and send back both rsit logs please"
--------------------\\ Lop S&D 4.2.5-0 XP/Vista
Microsoft Windows XP Home Edition (v5.1.2600) Service Pack 3
X86-based PC (Multiprocessor Free: Intel(R) Core(TM)2 Duo CPU T5800 @ 2.00GHz)
BIOS: PhoenixBIOS 4.0 Release 6.1
USER: principal01 (Administrator)
BOOT: Normal boot
Antivirus: Bitdefender Antivirus 8.0 (Activated)
Firewall: Bitdefender Firewall 8.0 (Activated)
C:\ (Local Disk) - NTFS - Total:48 GB (Free:39 GB)
D:\ (Local Disk) - NTFS - Total:10 GB (Free:9 GB)
E:\ (Local Disk) - NTFS - Total:52 GB (Free:48 GB)
F:\ (USB)
G:\ (CD or DVD)
"C:\Lop SD" (UPDATE: 19-12-2008|23:40)
Option: [2] (03/04/2009|15:03)
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
--------------------\\ Listing directories in APPLIC~1
[10/10/2008|19:00] C:\DOCUME~1\ALLUSE~1\APPLIC~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
[07/10/2008|19:15] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Adobe
[10/10/2008|18:58] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
[10/10/2008|19:00] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
[07/10/2008|20:29] C:\DOCUME~1\ALLUSE~1\APPLIC~1\BitDefender
[10/10/2008|17:23] C:\DOCUME~1\ALLUSE~1\APPLIC~1\CanonBJ
[03/04/2009|09:58] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Malwarebytes
[27/02/2009|16:30] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft
[08/10/2008|15:45] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Real
[03/04/2009|13:46] C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
[08/10/2008|11:33] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
[08/10/2008|15:47] C:\DOCUME~1\ALLUSE~1\APPLIC~1\WLInstaller
[04/10/2008|17:54] C:\DOCUME~1\DEFAUL~1\APPLIC~1\Microsoft
[04/10/2008|17:54] C:\DOCUME~1\LOCALS~1\APPLIC~1\Microsoft
[04/10/2008|17:54] C:\DOCUME~1\NETWOR~1\APPLIC~1\Microsoft
[10/10/2008|19:31] C:\DOCUME~1\PRINCI~1\APPLIC~1\Adobe
[10/10/2008|19:00] C:\DOCUME~1\PRINCI~1\APPLIC~1\Apple Computer
[08/10/2008|15:51] C:\DOCUME~1\PRINCI~1\APPLIC~1\Auslogics
[07/10/2008|20:29] C:\DOCUME~1\PRINCI~1\APPLIC~1\Bitdefender
[03/12/2008|14:24] C:\DOCUME~1\PRINCI~1\APPLIC~1\Canon
[30/12/2008|19:03] C:\DOCUME~1\PRINCI~1\APPLIC~1\foobar2000
[04/10/2008|17:59] C:\DOCUME~1\PRINCI~1\APPLIC~1\Identities
[10/10/2008|19:31] C:\DOCUME~1\PRINCI~1\APPLIC~1\Macromedia
[03/04/2009|09:58] C:\DOCUME~1\PRINCI~1\APPLIC~1\Malwarebytes
[08/10/2008|15:47] C:\DOCUME~1\PRINCI~1\APPLIC~1\Media Player Classic
[17/01/2009|22:50] C:\DOCUME~1\PRINCI~1\APPLIC~1\Microsoft
[24/12/2008|11:41] C:\DOCUME~1\PRINCI~1\APPLIC~1\Real
[07/10/2008|17:48] C:\DOCUME~1\PRINCI~1\APPLIC~1\Sun
[03/04/2009|13:46] C:\DOCUME~1\PRINCI~1\APPLIC~1\SUPERAntiSpyware.com
[07/10/2008|16:55] C:\DOCUME~1\PRINCI~1\APPLIC~1\WinRAR
[25/01/2009|14:29] C:\DOCUME~1\PRINCI~1\APPLIC~1\XnView
--------------------\\ Scheduled tasks in C:\WINDOWS\tasks
[08/10/2008 11:38][--ah-----] C:\WINDOWS\tasks\SA.DAT
[14/04/2008 14:00][-r-h-----] C:\WINDOWS\tasks\desktop.ini
--------------------\\ Listing directories in C:\Program Files
[07/10/2008|19:15] C:\Program Files\Adobe
[07/10/2008|19:20] C:\Program Files\Ahead
[10/10/2008|18:58] C:\Program Files\Apple Software Update
[07/10/2008|17:39] C:\Program Files\AusLogics Disk Defrag
[07/10/2008|20:28] C:\Program Files\BitDefender
[10/10/2008|18:59] C:\Program Files\Bonjour
[10/10/2008|17:22] C:\Program Files\CanonBJ
[04/10/2008|18:47] C:\Program Files\CCleaner
[04/10/2008|17:51] C:\Program Files\ComPlus Applications
[07/10/2008|17:21] C:\Program Files\CONEXANT
[07/10/2008|17:10] C:\Program Files\Everest Ultimate Engineer Edition 4.60 Build 1500 final
[03/04/2009|13:46] C:\Program Files\Common Files
[08/10/2008|15:43] C:\Program Files\foobar2000
[07/10/2008|17:38] C:\Program Files\HD Tune
[07/10/2008|16:56] C:\Program Files\Intel
[08/10/2008|15:46] C:\Program Files\Internet Explorer
[10/10/2008|19:00] C:\Program Files\iPod
[10/10/2008|19:00] C:\Program Files\iTunes
[07/10/2008|17:49] C:\Program Files\Java
[08/10/2008|15:45] C:\Program Files\K-Lite Codec Pack
[03/04/2009|09:58] C:\Program Files\Malwarebytes' Anti-Malware
[07/10/2008|17:16] C:\Program Files\Marvell
[08/10/2008|11:38] C:\Program Files\Messenger
[04/10/2008|17:55] C:\Program Files\microsoft frontpage
[08/10/2008|11:37] C:\Program Files\Microsoft Office
[17/01/2009|22:48] C:\Program Files\Microsoft Silverlight
[07/10/2008|19:32] C:\Program Files\Microsoft Works
[07/10/2008|19:31] C:\Program Files\Microsoft.NET
[04/10/2008|17:52] C:\Program Files\Movie Maker
[07/10/2008|17:58] C:\Program Files\MSBuild
[08/10/2008|11:37] C:\Program Files\MSECache
[04/10/2008|17:50] C:\Program Files\MSN
[04/10/2008|17:51] C:\Program Files\MSN Gaming Zone
[04/10/2008|17:53] C:\Program Files\NetMeeting
[04/10/2008|17:51] C:\Program Files\Online Services
[04/10/2008|17:53] C:\Program Files\Outlook Express
[07/10/2008|17:15] C:\Program Files\PageDefrag
[04/10/2008|18:48] C:\Program Files\PhotoFiltre
[10/10/2008|18:59] C:\Program Files\QuickTime Alternative
[07/10/2008|17:55] C:\Program Files\Reference Assemblies
[04/10/2008|17:53] C:\Program Files\Online Services
[03/04/2009|14:20] C:\Program Files\SpeedFan
[03/04/2009|13:46] C:\Program Files\SUPERAntiSpyware
[03/04/2009|14:32] C:\Program Files\Trend Micro
[04/10/2008|17:59] C:\Program Files\Uninstall Information
[04/10/2008|18:47] C:\Program Files\Unlocker
[08/10/2008|15:50] C:\Program Files\Windows Live
[08/10/2008|11:35] C:\Program Files\Windows Media Connect 2
[08/10/2008|11:35] C:\Program Files\Windows Media Player
[04/10/2008|17:50] C:\Program Files\Windows NT
[04/10/2008|17:53] C:\Program Files\WindowsUpdate
[07/10/2008|17:15] C:\Program Files\WindowsXP-KB924732-x86-ENU STATECHANGE
[07/10/2008|16:55] C:\Program Files\WinRAR
[04/10/2008|17:55] C:\Program Files\xerox
[07/10/2008|19:16] C:\Program Files\XnView
[07/10/2008|17:40] C:\Program Files\xp-AntiSpy
--------------------\\ Listing directories in C:\Program Files\Common Files
[07/10/2008|19:15] C:\Program Files\Common Files\Adobe
[07/10/2008|19:20] C:\Program Files\Common Files\Ahead
[10/10/2008|18:59] C:\Program Files\Common Files\Apple
[07/10/2008|20:28] C:\Program Files\Common Files\BitDefender
[07/10/2008|19:32] C:\Program Files\Common Files\DESIGNER
[07/10/2008|17:48] C:\Program Files\Common Files\Java
[08/10/2008|15:48] C:\Program Files\Common Files\Microsoft Shared
[04/10/2008|17:53] C:\Program Files\Common Files\MSSoap
[04/10/2008|19:42] C:\Program Files\Common Files\ODBC
[04/10/2008|17:53] C:\Program Files\Common Files\Services
[04/10/2008|19:42] C:\Program Files\Common Files\SpeechEngines
[04/10/2008|17:52] C:\Program Files\Common Files\System
[08/10/2008|15:48] C:\Program Files\Common Files\WindowsLiveInstaller
[03/04/2009|13:46] C:\Program Files\Common Files\Wise Installation Wizard
--------------------\\ Process
(38 Processes)
... OK!
--------------------\\ Search with S_Lop
No Lop files/folders found!
--------------------\\ Search for Lop Files/Folders
C:\DOCUME~1\PRINCI~1\Cookies\principal01@advertising[2].txt
--------------------\\ Registry Check
..... OK!
--------------------\\ Hosts file check
Hosts file CLEAN
--------------------\\ Searching for files with Catchme
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-03 15:03:55
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden files: 14
--------------------\\ Searching for other infections
No other infections found!
[F:1936][D:9]-> D:\temp
[F:19][D:0]-> C:\DOCUME~1\PRINCI~1\Cookies
[F:409][D:4]-> D:\TEMPOR~1\content.IE5
1 - "C:\Lop SD\LopR_1.txt" - 03/04/2009|14:42 - Option: [1]
2 - "C:\Lop SD\LopR_2.txt" - 03/04/2009|15:04 - Option: [2]
--------------------\\ End of report at 15:04:26
My mistake:
Download Random's System Information Tool (RSIT) from random/random and save the executable on your Desktop.
! Disconnect and close all your running applications!
Double-click on "RSIT.exe" to launch it.
-> A first window will open with the title: "Disclaimer of warranty".
* In front of the option "List files/folders created ...", choose: 2 months
* then click on "Continue" to start the scan ...
-> let the scan run and do not touch the PC ...
When the scan is finished, two text files will open (probably with Notepad).
Post the content of "log.txt" (the one that appears on the screen), as well as "info.txt" (which you will see in the taskbar), for analysis and wait for further instructions ...
Important: post one report, then the other in the next reply
If you try to post both at the same time, it may take too long for the forum
(Note: the reports will also be saved in this folder -> C:\rsit)
--
G3и-н@¢км@и™©®
First report:
Logfile of random's system information tool 1.06 (written by random/random)
Run by principal01 at 2009-04-03 15:40:45
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 41 GB (81%) free of 50 GB
Total RAM: 2038 MB (79% free)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:40:51, on 04/03/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\SpeedFan\speedfan.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\principal01\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\principal01.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/en-us/?redirfallthru=http%3a%2f%2fwww.msn.fr%2fimg%2fen%2fen-us%2fentertainment%2fcelebrities%2fgalery%2fwentworth02.jpg%3f
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/en-us/?ocid=iehp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/en-us/?ocid=iehp
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://runonce.msn.com/runonce3.aspx
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Links
O1 - Hosts: 82.98.231.89 browser-security.microsoft.com
O1 - Hosts: 82.98.231.89 best-click-scanner.info
O1 - Hosts: 82.98.231.89 antivirus-xp-pro-2009.com
O1 - Hosts: 82.98.231.89 microsoft.infosecuritycenter.com
O1 - Hosts: 82.98.231.89 microsoft.softwaresecurityhelp.com
O1 - Hosts: 82.98.231.89 onlinenotifyq.net
O1 - Hosts: 82.98.231.89 antivirusxp-pro-2009.com
O1 - Hosts: 82.98.231.89 microsoft.browser-security-center.com
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Assistant Help Program - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Event Reminder.lnk = C:\pmw\PMREMIND.EXE
O4 - Global Startup: SpeedFan.lnk = C:\Program Files\SpeedFan\speedfan.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Java Console (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Search - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Notepad - {AF4F850B-68FF-404C-8417-549F86B1E236} - notepad.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/...
O20 - AppInit_DLLs: C:\WINDOWS\system32\ruvoziyi.dll C:\WINDOWS\system32\nukatojo.dll C:\WINDOWS\system32\hahonuhe.dll lghzio.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
O23 - Service: Marvell Yukon Service (yksvc) - Unknown owner - RUNDLL32.EXE (file missing)
--
End of file - 7002 bytes
======Registry dump======
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2008-06-11 75128]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Assistant Help Program - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2007-09-20 328752]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{381FFDE8-2394-4f90-B10D-FC6124A40F8C} - BitDefender Toolbar - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll [2008-02-28 86016]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe [2008-08-11 143360]
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe [2008-08-11 172032]
"Persistence"=C:\WINDOWS\system32\igfxpers.exe [2008-08-11 143360]
"BitDefender Antiphishing Helper"=C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe [2007-10-09 61440]
"BDAgent"=C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe [2008-10-07 368640]
"QuickTime Task"=C:\Program Files\QuickTime Alternative\qttask.exe [2008-09-06 413696]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2009-03-23 1830128]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
SpeedFan.lnk - C:\Program Files\SpeedFan\speedfan.exe
C:\Documents and Settings\principal01\Start Menu\Programs\Startup
Event Reminder.lnk - C:\pmw\PMREMIND.EXE
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="C:\WINDOWS\system32\ruvoziyi.dll C:\WINDOWS\system32\nukatojo.dll C:\WINDOWS\system32\hahonuhe.dll lghzio.dll "
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2008-12-22 356352]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2008-08-11 217088]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=scecli
C:\WINDOWS\system32\ruvoziyi.dll
C:\WINDOWS\system32\nukatojo.dll
C:\WINDOWS\system32\hahonuhe.dll
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\WINDOWS\explorer.exe"="C:\WINDOWS\explorer.exe:*:Enabled:Explorer"
"C:\WINDOWS\system32\services.exe"="C:\WINDOWS\system32\services.exe:*:Enabled:services"
"C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe"="C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe:*:Enabled:livesrv"
"C:\WINDOWS\system32\lsass.exe"="C:\WINDOWS\system32\lsass.exe:*:Enabled:lsass"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
======List of files/folders created in the last 2 months======
2009-04-03 15:40:45 ----D---- C:\rsit
2009-04-03 14:41:25 ----A---- C:\lopR.txt
2009-04-03 14:41:01 ----D---- C:\Lop SD
2009-04-03 14:32:01 ----D---- C:\Program Files\Trend Micro
2009-04-03 13:46:41 ----D---- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-03 13:46:27 ----D---- C:\Program Files\SUPERAntiSpyware
2009-04-03 13:46:27 ----D---- C:\Documents and Settings\principal01\Application Data\SUPERAntiSpyware.com
2009-04-03 13:46:08 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2009-04-03 11:26:30 ----A---- C:\WINDOWS\system32\wuapi.dll.mui
2009-04-03 09:58:25 ----D---- C:\Documents and Settings\principal01\Application Data\Malwarebytes
2009-04-03 09:58:13 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-04-03 09:58:13 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-03-29 12:22:14 ----SH---- C:\WINDOWS\system32\iyebemer.ini
2009-03-25 18:46:20 ----SH---- C:\WINDOWS\system32\niwebazi.dll
2009-03-25 18:46:20 ----A---- C:\WINDOWS\system32\limevilo.dll
2009-03-21 12:27:38 ----A---- C:\bla.exe
2009-03-21 12:00:57 ----A---- C:\gtb.exe
======List of files/folders modified in the last 2 months======
2009-04-03 15:17:36 ----D---- C:\WINDOWS\system32
2009-04-03 15:09:15 ----D---- C:\Program Files\SpeedFan
2009-04-03 15:07:53 ----A---- C:\WINDOWS\bdagent.INI
2009-04-03 14:32:01 ----RD---- C:\Program Files
2009-04-03 13:51:39 ----D---- C:\WINDOWS\system32\CatRoot2
2009-04-03 13:46:32 ----SHD---- C:\WINDOWS\Installer
2009-04-03 13:46:08 ----D---- C:\Program Files\Common Files
2009-04-03 13:17:18 ----D---- C:\WINDOWS
2009-04-03 12:00:00 ----A---- C:\WINDOWS\NeroDigital.ini
2009-04-03 11:54:00 ----RSHD---- C:\WINDOWS\system32\dllcache
2009-04-03 11:32:46 ----D---- C:\WINDOWS\SoftwareDistribution
2009-04-03 11:32:45 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-04-03 11:32:45 ----D---- C:\WINDOWS\Temp
2009-04-03 11:29:06 ----HD---- C:\WINDOWS\inf
2009-04-03 11:29:00 ----HD---- C:\WINDOWS\$hf_mig$
2009-04-03 11:26:34 ----D---- C:\WINDOWS\Help
2009-04-03 10:37:43 ----D---- C:\WINDOWS\system32\drivers
2009-03-29 12:23:16 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-03-27 11:47:38 ----ASH---- C:\WINDOWS\system32\mezutilo.exe
2009-03-21 21:48:11 ----A---- C:\WINDOWS\xnview.ini
2009-02-27 16:30:21 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R1 bdftdif;bdftdif; \??\C:\Program Files\Common Files\BitDefender\BitDefender Firewall\bdftdif.sys []
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-14 40576]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service; C:\WINDOWS\system32\DRIVERS\bdfndisf.sys [2008-10-07 86792]
R3 bdfsfltr;bdfsfltr; C:\WINDOWS\system32\drivers\bdfsfltr.sys [2008-01-07 196368]
R3 BDSelfPr;BDSelfPr; \??\C:\Program Files\BitDefender\BitDefender 2008\bdselfpr.sys []
R3 CmBatt;Microsoft ACPI Battery Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2008-04-13 13952]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2008-04-17 15464]
R3 HdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service; C:\WINDOWS\system32\drivers\CHDAud.sys [2007-06-28 631808]
R3 HDAudBus;Microsoft UAA High Definition Audio Bus Driver; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-14 144384]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-14 10368]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\igxpmp32.sys [2008-08-11 6044864]
R3 mouhid;HID Mouse Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2008-04-14 12288]
R3 RTL8187B;Realtek RTL8187B Wireless 802.11g 54Mbps USB 2.0 Network Adapter; C:\WINDOWS\system32\DRIVERS\RTL8187B.sys [2007-07-18 264576]
R3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbstor;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
R3 usbuhci;Microsoft Universal Host Controller Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 yukonwxp;NDIS5.1 Miniport Driver for Marvell Yukon Ethernet Controller; C:\WINDOWS\system32\DRIVERS\yk51x86.sys [2008-08-18 290176]
S1 kbdhid;HID Keyboard Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14720]
S3 Profos;Profos; \??\C:\Program Files\Common Files\BitDefender\BitDefender Threat Scanner\profos.sys []
S3 Trufos;Trufos; \??\C:\Program Files\Common Files\BitDefender\BitDefender Threat Scanner\trufos.sys []
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2008-10-01 32000]
S3 usbccgp;Microsoft Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbprint;Microsoft USB Printer Class Driver; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys [2006-10-18 38528]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-10-01 116040]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-08-29 238888]
R2 LIVESRV;BitDefender Desktop Update Service; C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe [2008-11-28 1179648]
R2 VSSERV;BitDefender Virus Shield; C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe [2008-10-07 1261568]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
R2 XCOMM;BitDefender Communicator; C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe [2007-11-27 86016]
R2 yksvc;Marvell Yukon Service; ykx32mpcoinst,serviceStartProc []
R3 scan;BitDefender Threat Scanner; C:\WINDOWS\System32\svchost.exe [2008-04-14 14336]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe [2007-10-09 36864]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2007-10-11 864256]
S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-10-01 536872]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader Service; C:\Program Files\Windows Live\Messenger\usnsvc.exe [2007-10-18 98328]
S3 WLSetupSvc;Windows Live Setup Service; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [2007-10-25 266240]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-11-03 918016]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2007-10-11 122880]
-----------------EOF-----------------
the second one:
info.txt logfile of random's system information tool 1.06 2009-04-03 15:40:52
======Uninstall list======
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 9 - English-->MsiExec.exe /I{AC76BA86-7AD7-1036-7B44-A90000000001}
Apple Mobile Device Support-->MsiExec.exe /I{976C2B2A-CE59-4AB3-83FB-BF895E28F2E6}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
WinRAR Archiver-->C:\Program Files\WinRAR\uninstall.exe
Windows Live Connection Assistant-->MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
AusLogics Disk Defrag 1.4-->"C:\Program Files\AusLogics Disk Defrag\unins000.exe"
BitDefender Internet Security 2008-->MsiExec.exe /I{BF7D87C5-CFC3-40C5-A367-24586EEBB8CA}
Bonjour-->MsiExec.exe /I{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}
Canon MX300 series-->"C:\WINDOWS\system32\CanonIJ Uninstaller Information\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MX300_series\DelDrv.exe" /U:{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MX300_series /L0x000c
CCleaner (remove only)-->"C:\Program Files\CCleaner\uninst.exe"
Compatibility Pack for the 2007 Office system-->MsiExec.exe /X{90120000-0020-040C-0000-0000000FF1CE}
Conexant HD Audio-->C:\Program Files\CONEXANT\CNXT_HDAUDIO\UIU32a.exe -U -I*.INF
Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
foobar2000 v0.9.5.5-->"C:\Program Files\foobar2000\uninstall.exe"
HD Tune 2.54-->"C:\Program Files\HD Tune\unins000.exe"
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Intel(R) Graphics Media Accelerator Driver-->C:\WINDOWS\system32\igxpun.exe -uninstall
iTunes-->MsiExec.exe /I{DDDE0BE3-0CBE-4BF6-B75A-E3F69C947843}
Java(TM) 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
K-Lite Mega Codec Pack 4.1.7-->"C:\Program Files\K-Lite Codec Pack\unins000.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Marvell Miniport Driver-->C:\Program Files\Marvell\Miniport Driver\Uninst.exe
Microsoft .NET Framework 1.1 French Language Pack-->MsiExec.exe /X{9A394342-4A68-4EBA-85A6-55B559F4E700}
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 1 Language Pack - ENG-->MsiExec.exe /I{3F7924B9-D148-3141-87B1-68F36043A940}
Microsoft .NET Framework 2.0 Service Pack 1-->MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28}
Microsoft .NET Framework 3.0 Service Pack 1 Language Pack - ENG-->MsiExec.exe /I{511DF669-2930-30C0-8EB6-552887E29EC8}
Microsoft .NET Framework 3.0 Service Pack 1-->MsiExec.exe /I{2BA00471-0328-3743-93BD-FA813353A783}
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office PowerPoint Viewer 2003-->MsiExec.exe /X{90AF040C-6000-11D3-8CFE-0150048383C9}
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{9011040C-6000-11D3-8CFE-0150048383C9}
Microsoft Silverlight-->MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Security update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Security update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security update for Windows Internet Explorer 7 (KB938127-v2)-->"C:\WINDOWS\ie7updates\KB938127-v2-IE7\spuninst\spuninst.exe"
Security update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Security update for Windows XP (KB923789)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
Security update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Update for Windows XP (KB898461)-->"C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
MSXML 6.0 Parser (KB925673)-->MsiExec.exe /I{FE9126DB-5F84-495A-BB46-3C724F1C2D08}
Nero 6 Ultra Edition-->C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
PhotoFiltre-->"C:\Program Files\PhotoFiltre\Uninst.exe"
PrintMaster Gold 4.03-->c:\pmw\msrun.exe
QuickTime Alternative 2.7.0-->"C:\Program Files\QuickTime Alternative\unins000.exe"
QuickTime-->MsiExec.exe /I{8DC42D05-680B-41B0-8878-6C14D24602DB}
SpeedFan (remove only)-->"C:\Program Files\SpeedFan\uninstall.exe"
SUPERAntiSpyware Free Edition-->MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Tweak UI-->"C:\WINDOWS\system32\mshta.exe" "res://C:\WINDOWS\system32\TweakUI.exe/uninstall.hta"
Unlocker 1.8.7-->C:\Program Files\Unlocker\uninst.exe
VB Runtime-->C:\WINDOWS\system32\UNINSTAL.EXE /A /R C:\WINDOWS\system32\VBRunTme.LOG
Windows Internet Explorer 7-->"C:\WINDOWS\ie7\spuninst\spuninst.exe"
Windows Live installer-->MsiExec.exe /X{FD44E544-E7D0-4DBA-9FA0-8AE1A1300390}
Windows Live Messenger-->MsiExec.exe /X{BADF6744-3787-48F6-B8C9-4C4995401D65}
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows Presentation Foundation-->MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
XML Paper Specification Shared Components Language Pack 1.0-->"C:\WINDOWS\$NtUninstallXPSEPSCLP$\spuninst\spuninst.exe"
XnView 1.94.2-->"C:\Program Files\XnView\unins000.exe"
xp-AntiSpy 3.96-8-->C:\Program Files\xp-AntiSpy\Uninstall.exe
======Hosts File======
127.0.0.1 localhost
82.98.231.89 browser-security.microsoft.com
82.98.231.89 best-click-scanner.info
82.98.231.89 antivirus-xp-pro-2009.com
82.98.231.89 microsoft.infosecuritycenter.com
82.98.231.89 microsoft.softwaresecurityhelp.com
82.98.231.89 onlinenotifyq.net
82.98.231.89 antivirusxp-pro-2009.com
82.98.231.89 microsoft.browser-security-center.com
======Security center information======
AV: Bitdefender Antivirus
FW: Bitdefender Firewall
======System event log======
Computer Name: T5800
Event Code: 7036
Message: The User Mode Switch Compatibility service entered the state: running.
Record Number: 3609
Source Name: Service Control Manager
Time Written: 20090118182352.000000+060
Event Type: Information
User:
Computer Name: T5800
Event Code: 7035
Message: A Start control has been successfully sent to the User Mode Switch Compatibility service.
Record Number: 3608
Source Name: Service Control Manager
Time Written: 20090118182352.000000+060
Event Type: Information
User: NT AUTHORITY\SYSTEM
Computer Name: T5800
Event Code: 7036
Message: The Terminal Services service entered the state: running.
Record Number: 3607
Source Name: Service Control Manager
Time Written: 20090118182352.000000+060
Event Type: Information
User:
Computer Name: T5800
Event Code: 4201
Message: The system has detected that the network card \DEVICE\TCPIP_{E4391893-3415-4F71-91BF-A922758322FB} was connected to the network,
and has initiated a normal operation on the network card.
Record Number: 3606
Source Name: Tcpip
Time Written: 20090118182245.000000+060
Event Type: Information
User:
Computer Name: T5800
Event Code: 4201
Message: The system has detected that the network card \DEVICE\TCPIP_{E4391893-3415-4F71-91BF-A922758322FB} was connected to the network,
and has initiated a normal operation on the network card.
Record Number: 3605
Source Name: Tcpip
Time Written: 20090118182245.000000+060
Event Type: Information
User:
=====Application event log=====
Computer Name: T5800
Event Code: 1102
Message: .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32) - Successfully compiled: WindowsFormsIntegration, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35
Record Number: 211
Source Name: .NET Runtime Optimization Service
Time Written: 20081007193730.000000+120
Event Type:
User:
Computer Name: T5800
Event Code: 1100
Message: .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32) - Began compiling: WindowsFormsIntegration, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35
Record Number: 210
Source Name: .NET Runtime Optimization Service
Time Written: 20081007193728.000000+120
Event Type: Information
User:
Computer Name: T5800
Event Code: 1102
Message: .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32) - Successfully compiled: UIAutomationClient, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35
Record Number: 209
Source Name: .NET Runtime Optimization Service
Time Written: 20081007193728.000000+120
Event Type:
User:
Computer Name: T5800
Event Code: 1100
Message: .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32) - Began compiling: UIAutomationClient, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35
Record Number: 208
Source Name: .NET Runtime Optimization Service
Time Written: 20081007193728.000000+120
Event Type: Information
User:
Computer Name: T5800
Event Code: 1102
Message: .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32) - Successfully compiled: UIAutomationClientsideProviders, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35
Record Number: 207
Source Name: .NET Runtime Optimization Service
Time Written: 20081007193728.000000+120
Event Type:
User:
======Environment variables======
"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"NUMBER_OF_PROCESSORS"=2
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\QuickTime Alternative\QTSystem\
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 15 Stepping 13, GenuineIntel
"PROCESSOR_LEVEL"=6
"PROCESSOR_REVISION"=0f0d
"TEMP"=D:\temp
"TMP"=D:\temp
"windir"=%SystemRoot%
"CLASSPATH"=.;C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip
-----------------EOF-----------------
Download HostXpert to your Desktop:
---> Extract it (Right click >> Extract here)
---> Double-click on HostsXpert to launch it
---> Click on the "Restore MS Hosts File" button and then close the program
PS: Before clicking on the "Restore MS Hosts File" button, check that the padlock at the top left is open; otherwise, you will get an error message.
If it is closed, click on it :)
Then:
Download SDFix to your desktop:
here: SDFix
or here SDFix
or here SDFix
--> Double-click on SDFix.exe and select "Install".
Tutorial
Once the installation is complete,
Mandatory: Boot in Safe Mode.
/!\ Never start in Safe Mode via MSCONFIG /!\
How to enter Safe Mode:
1) Restart your computer.
2) Tap the F8 key immediately (F5 on some PCs) just after the "Beep".
3) Continue tapping until the screen with the boot options appears.
4) Choose the first option: Safe Mode, and confirm by pressing [Enter].
5) Choose your usual account (not Administrator).
Note: No login is possible in Safe Mode, so make sure to copy or print the instructions to avoid errors...
Open the SDFix folder that was just created in the C:\ directory and double-click on RunThis.bat to launch the tool.
--> Type Y to run the script...
The Fix removes the virus services and cleans the registry, so a restart is necessary; therefore:
Press a key to restart when prompted.
The PC will take some time to boot (this is normal), after the Desktop loads, press a key when "Finished" appears.
The SDFix report will open on the screen and will also be saved in the folder
C:\SDFix as "Report.txt".
Post this in your next response
If SDFix does not launch (it happens!)
* Start->Run
* Copy/paste this:
%systemroot%\system32\cmd.exe /K %systemdrive%\SDFix\apps\FixPath.exe
* Click OK, and confirm.
* Restart and try to launch SDFix again.
--
G3и-н@¢км@и™©®
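The hosts file in the info.txt log above points rogue-antivirus domains and a microsoft.com lookalike at a single outside address, which is what the "Restore MS Hosts File" step undoes. As an added example that is not part of this thread or of HostsXpert, here is a small Python audit that parses a hosts file, ignores loopback sinkholes, and flags the three patterns visible in that log; the sample text, WATCHED_SUFFIXES and VENDOR_TOKENS are constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample for this example: the default localhost line plus four of the
# entries from the info.txt hosts-file dump posted above, with a comment line, a
# tab separator and an inline comment added to exercise the parser.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
82.98.231.89 browser-security.microsoft.com
82.98.231.89\tantivirus-xp-pro-2009.com   # inline comment
82.98.231.89 microsoft.infosecuritycenter.com
82.98.231.89 onlinenotifyq.net
"""

# Assumed watch-lists for the example (not from the thread): domains an end-user
# hosts file should never override, and vendor words that rogue antivirus sites
# borrow for lookalike hostnames.
WATCHED_SUFFIXES = ("microsoft.com", "windowsupdate.com")
VENDOR_TOKENS = ("microsoft", "antivirus", "security")


def parse_hosts(text):
    """Return (ip, hostname) pairs; comments, blank and malformed lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # not a valid address in the first column
        entries.extend((ip, host.lower()) for host in fields[1:])
    return entries


def _under_suffix(host, suffixes):
    return any(host == s or host.endswith("." + s) for s in suffixes)


def _looks_like_vendor(host):
    labels = host.split(".")
    return any(tok in label for label in labels for tok in VENDOR_TOKENS)


def audit_hosts(text, cluster_threshold=3):
    """Flag the patterns seen in the log: a trusted domain overridden, vendor
    lookalike names overridden, and many names funnelled to one outside IP."""
    findings = []
    by_ip = defaultdict(list)
    for ip, host in parse_hosts(text):
        if ipaddress.ip_address(ip).is_loopback:
            continue  # "127.0.0.1 localhost" and ad-blocking sinkholes are normal
        by_ip[ip].append(host)
        if _under_suffix(host, WATCHED_SUFFIXES):
            findings.append(("watched_domain_redirected", host, ip))
        elif _looks_like_vendor(host):
            findings.append(("vendor_lookalike_redirected", host, ip))
    for ip, hosts in by_ip.items():
        if len(hosts) >= cluster_threshold:
            findings.append(("many_hosts_to_one_ip", ip, len(hosts)))
    return findings


def entries_removed_by_default_restore(text):
    """Everything a 'restore the Microsoft default hosts file' step would drop:
    the Windows XP default contains only the loopback mapping for localhost."""
    return [(ip, host) for ip, host in parse_hosts(text)
            if not (ipaddress.ip_address(ip).is_loopback and host == "localhost")]


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
    print("entries a default restore removes:",
          len(entries_removed_by_default_restore(SAMPLE_HOSTS)))
```

On a real machine the text would be read from %SystemRoot%\system32\drivers\etc\hosts; a clean XP file yields no findings and an empty restore list.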
SDFix Report:
[b]SDFix: Version 1.240 [/b]
Run by principal01 on 03/04/2009 at 16:10
Microsoft Windows XP [version 5.1.2600]
Running From: C:\SDFix
[b]Checking Services [/b]:
Restoring Default Security Values
Restoring Default Hosts File
Rebooting
[b]Checking Files [/b]:
No Trojan Files Found
Removing Temp Files
[b]ADS Check [/b]:
[b]Final Check [/b]:
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-03 16:16:41
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ovfsthtlidwyrobodjbpjnqtwrfwosnqvdlhru]
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=str(2):"\systemroot\system32\drivers\ovfsthrqllenborwulvhupltxumxmkmrvpaftb.sys"
"inst"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ovfsthtlidwyrobodjbpjnqtwrfwosnqvdlhru\main]
"ver"="icv230309"
"cid"="02"
"bid"="282063696-854245398-1897051121-1547161642"
"aid"="303369"
"sid"="16"
"feed"=hex:22,64,78,36,3c,2e,3b,29,39,3b,3b,3a,04,4f,01,0c,09,65
"cmddelay"=dword:00003841
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ovfsthtlidwyrobodjbpjnqtwrfwosnqvdlhru\modules]
"ovfsth.dll"="\systemroot\system32\ovfsthnseeobiwwrujdaijwfyjqseimyxdapap.dll"
"ovfsth.sys"="\systemroot\system32\drivers\ovfsthrqllenborwulvhupltxumxmkmrvpaftb.sys"
"ovfsthlog.dat"="\systemroot\system32\ovfsthxbmsdxvifmmxdbtkkwripvhlqsuabewd.dat"
"ovfsthwi.dll"="\systemroot\system32\ovfsthaurpsboasdmjthbyvbxcqrskdrvtopvs.dll"
"ovfsthff.dll"="\systemroot\system32\ovfsthqkfnkfonxknkmvpqomufuthautcumupk.dll"
"ovfsth.dat"="\systemroot\system32\ovfsthewkgwaxtwdtcjfqiwvfywamqluddhywy.dat"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ovfsthtlidwyrobodjbpjnqtwrfwosnqvdlhru]
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=str(2):"\systemroot\system32\drivers\ovfsthrqllenborwulvhupltxumxmkmrvpaftb.sys"
"inst"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ovfsthtlidwyrobodjbpjnqtwrfwosnqvdlhru\main]
"ver"="icv230309"
"cid"="02"
"bid"="282063696-854245398-1897051121-1547161642"
"aid"="303369"
"sid"="16"
"feed"=hex:22,64,78,36,3c,2e,3b,29,39,3b,3b,3a,04,4f,01,0c,09,65
"cmddelay"=dword:00003841
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ovfsthtlidwyrobodjbpjnqtwrfwosnqvdlhru\modules]
"ovfsth.dll"="\systemroot\system32\ovfsthnseeobiwwrujdaijwfyjqseimyxdapap.dll"
"ovfsth.sys"="\systemroot\system32\drivers\ovfsthrqllenborwulvhupltxumxmkmrvpaftb.sys"
"ovfsthlog.dat"="\systemroot\system32\ovfsthxbmsdxvifmmxdbtkkwripvhlqsuabewd.dat"
"ovfsthwi.dll"="\systemroot\system32\ovfsthaurpsboasdmjthbyvbxcqrskdrvtopvs.dll"
"ovfsthff.dll"="\systemroot\system32\ovfsthqkfnkfonxknkmvpqomufuthautcumupk.dll"
"ovfsth.dat"="\systemroot\system32\ovfsthewkgwaxtwdtcjfqiwvfywamqluddhywy.dat"
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
[b]Remaining Services [/b]:
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\WINDOWS\\explorer.exe"="C:\\WINDOWS\\explorer.exe:*:Enabled:Explorer"
"C:\\WINDOWS\\system32\\services.exe"="C:\\WINDOWS\\system32\\services.exe:*:Enabled:services"
"C:\\Program Files\\Fichiers communs\\BitDefender\\BitDefender Update Service\\livesrv.exe"="C:\\Program Files\\Fichiers communs\\BitDefender\\BitDefender Update Service\\livesrv.exe:*:Enabled:livesrv"
"C:\\WINDOWS\\system32\\lsass.exe"="C:\\WINDOWS\\system32\\lsass.exe:*:Enabled:lsass"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
[b]Remaining Files [/b]:
[b]Files with Hidden Attributes [/b]:
Fri 27 Mar 2009 61,440 A.SH. --- "C:\WINDOWS\system32\mezutilo.exe"
Wed 25 Mar 2009 912 ..SH. --- "C:\WINDOWS\system32\niwebazi.dll"
Wed 8 Oct 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Fri 3 Apr 2009 31,704,608 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\639c248436bca5596d153e4f866b3b18\BIT86.tmp"
Fri 3 Apr 2009 242,743,296 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d346b7396358ac7bd3dcc0e62b35367d\BIT82.tmp"
[b]Finished![/b]
---> Disable your antivirus during the process as OTMoveIt3 is mistakenly detected as an infection.
---> Download OTMoveIt3 (OldTimer) to your Desktop:
---> Double-click on OTMoveIt3.exe to launch it.
---> Copy (Ctrl+C) the text below:
:processes
explorer.exe
:files
C:\WINDOWS\system32\drivers\ovfsthrqllenborwulvhupltxumxmkmrvpaftb.sys
C:\WINDOWS\system32\ovfsthnseeobiwwrujdaijwfyjqseimyxdapap.dll
C:\WINDOWS\system32\ovfsthxbmsdxvifmmxdbtkkwripvhlqsuabewd.dat
C:\WINDOWS\system32\ovfsthaurpsboasdmjthbyvbxcqrskdrvtopvs.dll
C:\WINDOWS\system32\ovfsthqkfnkfonxknkmvpqomufuthautcumupk.dll
C:\WINDOWS\system32\ovfsthewkgwaxtwdtcjfqiwvfywamqluddhywy.dat
C:\WINDOWS\system32\mezutilo.exe
C:\WINDOWS\system32\niwebazi.dll
C:\WINDOWS\SoftwareDistribution\Download\639c248436bca5596d153e4f866b3b18\BIT86.tmp
C:\WINDOWS\SoftwareDistribution\Download\d346b7396358ac7bd3dcc0e62b35367d\BIT82.tmp
:reg
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ovfsthtlidwyrobodjbpjnqtwrfwosnqvdlhru]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ovfsthtlidwyrobodjbpjnqtwrfwosnqvdlhru]
:commands
[purity]
[emptytemp]
[start explorer]
[reboot]
---> Paste (Ctrl+V) the previously copied text in the Paste Instructions for Items to be Moved box.
---> Now click on the MoveIt! button and then close OTMoveIt3.
If a file or folder cannot be deleted immediately, the software will ask you to restart.
Accept by clicking YES.
---> Post the report located in this folder: C:\_OTMoveIt\MovedFiles\
The report name corresponds to the time of its creation: date_time.log
--
G3и-н@¢ки™©®
There was an error message and a restart.
The report:
========== PROCESSES ==========
Process explorer.exe killed successfully.
========== FILES ==========
File/Folder C:\WINDOWS\system32\drivers\ovfsthrqllenborwulvhupltxumxmkmrvpaftb.sys not found.
File/Folder C:\WINDOWS\system32\ovfsthnseeobiwwrujdaijwfyjqseimyxdapap.dll not found.
File/Folder C:\WINDOWS\system32\ovfsthxbmsdxvifmmxdbtkkwripvhlqsuabewd.dat not found.
File/Folder C:\WINDOWS\system32\ovfsthaurpsboasdmjthbyvbxcqrskdrvtopvs.dll not found.
File/Folder C:\WINDOWS\system32\ovfsthqkfnkfonxknkmvpqomufuthautcumupk.dll not found.
File/Folder C:\WINDOWS\system32\ovfsthewkgwaxtwdtcjfqiwvfywamqluddhywy.dat not found.
C:\WINDOWS\system32\mezutilo.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\niwebazi.dll
C:\WINDOWS\system32\niwebazi.dll NOT unregistered.
C:\WINDOWS\system32\niwebazi.dll moved successfully.
C:\WINDOWS\SoftwareDistribution\Download\639c248436bca5596d153e4f866b3b18\BIT86.tmp moved successfully.
C:\WINDOWS\SoftwareDistribution\Download\d346b7396358ac7bd3dcc0e62b35367d\BIT82.tmp moved successfully.
========== REGISTRY ==========
Unable to delete registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ovfsthtlidwyrobodjbpjnqtwrfwosnqvdlhru\\ .
Unable to delete registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ovfsthtlidwyrobodjbpjnqtwrfwosnqvdlhru\\ .
========== COMMANDS ==========
File delete failed. D:\temp\Perflib_Perfdata_f0c.dat scheduled to be deleted on reboot.
File delete failed. D:\temp\sfareca00001.dll scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
User's Temporary Internet Files folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Network Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Java cache emptied.
Temp folders emptied.
Explorer started successfully
OTMoveIt3 by OldTimer - Version 1.0.10.0 log created on 04032009_164703
Files moved on Reboot...
File D:\temp\Perflib_Perfdata_f0c.dat not found!
DllUnregisterServer procedure not found in D:\temp\sfareca00001.dll
D:\temp\sfareca00001.dll NOT unregistered.
D:\temp\sfareca00001.dll moved successfully.
Indeed, there were no errors this time.
The report:
========== PROCESSES ==========
Process explorer.exe killed successfully.
========== FILES ==========
File/Folder C:\WINDOWS\system32\drivers\ovfsthrqllenborwulvhupltxumxmkmrvpaftb.sys not found.
File/Folder C:\WINDOWS\system32\ovfsthnseeobiwwrujdaijwfyjqseimyxdapap.dll not found.
File/Folder C:\WINDOWS\system32\ovfsthxbmsdxvifmmxdbtkkwripvhlqsuabewd.dat not found.
File/Folder C:\WINDOWS\system32\ovfsthaurpsboasdmjthbyvbxcqrskdrvtopvs.dll not found.
File/Folder C:\WINDOWS\system32\ovfsthqkfnkfonxknkmvpqomufuthautcumupk.dll not found.
File/Folder C:\WINDOWS\system32\ovfsthewkgwaxtwdtcjfqiwvfywamqluddhywy.dat not found.
File/Folder C:\WINDOWS\system32\mezutilo.exe not found.
File/Folder C:\WINDOWS\system32\niwebazi.dll not found.
File/Folder C:\WINDOWS\SoftwareDistribution\Download\639c248436bca5596d153e4f866b3b18\BIT86.tmp not found.
File/Folder C:\WINDOWS\SoftwareDistribution\Download\d346b7396358ac7bd3dcc0e62b35367d\BIT82.tmp not found.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ovfsthtlidwyrobodjbpjnqtwrfwosnqvdlhru\\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ovfsthtlidwyrobodjbpjnqtwrfwosnqvdlhru\\ deleted successfully.
========== COMMANDS ==========
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
User's Temporary Internet Files folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
Network Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Java cache emptied.
Temp folders emptied.
Explorer started successfully
OTMoveIt3 by OldTimer - Version 1.0.10.0 log created on 04032009_171931
Click on the Start menu / Control Panel / Folder Options / then in the View tab
- Check Show hidden files and folders
- Uncheck Hide extensions for known file types
- Uncheck Hide protected operating system files (recommended)
click Apply, then OK.
then check if you find these files:
C:\WINDOWS\system32\drivers\ovfsthrqllenborwulvhupltxumxmkmrvpaftb.sys
C:\WINDOWS\system32\ovfsthnseeobiwwrujdaijwfyjqseimyxdapap.dll
C:\WINDOWS\system32\ovfsthxbmsdxvifmmxdbtkkwripvhlqsuabewd.dat
C:\WINDOWS\system32\ovfsthaurpsboasdmjthbyvbxcqrskdrvtopvs.dll
C:\WINDOWS\system32\ovfsthqkfnkfonxknkmvpqomufuthautcumupk.dll
C:\WINDOWS\system32\ovfsthewkgwaxtwdtcjfqiwvfywamqluddhywy.dat
If you find any, delete them manually; otherwise, tell me which ones you couldn't delete.
Then:
restart RSIT
--
G3и-н@¢ки™©®
I can't seem to find any!
report:
Logfile of random's system information tool 1.06 (written by random/random)
Run by principal01 at 2009-04-03 17:57:55
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 40 GB (81%) free of 50 GB
Total RAM: 2038 MB (80% free)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:58:02, on 03/04/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\SpeedFan\speedfan.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\principal01\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\principal01.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/?redirfallthru=http%3a%2f%2fwww.msn.fr%2fimg%2ffr%2ffr-fr%2fdivertissement%2fcelebrites%2fgalery%2fwentworth02.jpg%3f
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://runonce.msn.com/runonce3.aspx
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Links
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Assistant Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Event Reminder.lnk = C:\pmw\PMREMIND.EXE
O4 - Global Startup: SpeedFan.lnk = C:\Program Files\SpeedFan\speedfan.exe
O8 - Extra context menu item: E&xporter to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Search - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Notepad - {AF4F850B-68FF-404C-8417-549F86B1E236} - notepad.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/...
O20 - AppInit_DLLs: C:\WINDOWS\system32\ruvoziyi.dll C:\WINDOWS\system32\nukatojo.dll C:\WINDOWS\system32\hahonuhe.dll lghzio.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
O23 - Service: Marvell Yukon Service (yksvc) - Unknown owner - RUNDLL32.EXE (file missing)
--
End of file - 6597 bytes
======Registry dump======
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2008-06-11 75128]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Assistant Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2007-09-20 328752]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{381FFDE8-2394-4f90-B10D-FC6124A40F8C} - BitDefender Toolbar - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll [2008-02-28 86016]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe [2008-08-11 143360]
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe [2008-08-11 172032]
"Persistence"=C:\WINDOWS\system32\igfxpers.exe [2008-08-11 143360]
"BitDefender Antiphishing Helper"=C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe [2007-10-09 61440]
"BDAgent"=C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe [2008-10-07 368640]
"QuickTime Task"=C:\Program Files\QuickTime Alternative\qttask.exe [2008-09-06 413696]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2009-03-23 1830128]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
SpeedFan.lnk - C:\Program Files\SpeedFan\speedfan.exe
C:\Documents and Settings\principal01\Start Menu\Programs\Startup
Event Reminder.lnk - C:\pmw\PMREMIND.EXE
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="C:\WINDOWS\system32\ruvoziyi.dll C:\WINDOWS\system32\nukatojo.dll C:\WINDOWS\system32\hahonuhe.dll lghzio.dll "
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2008-12-22 356352]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2008-08-11 217088]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=scecli
C:\WINDOWS\system32\ruvoziyi.dll
C:\WINDOWS\system32\nukatojo.dll
C:\WINDOWS\system32\hahonuhe.dll
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\WINDOWS\explorer.exe"="C:\WINDOWS\explorer.exe:*:Enabled:Explorer"
"C:\WINDOWS\system32\services.exe"="C:\WINDOWS\system32\services.exe:*:Enabled:services"
"C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe"="C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe:*:Enabled:livesrv"
"C:\WINDOWS\system32\lsass.exe"="C:\WINDOWS\system32\lsass.exe:*:Enabled:lsass"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
======List of files/folders created in the last 2 months======
2009-04-03 16:47:03 ----D---- C:\_OTMoveIt
2009-04-03 16:08:06 ----D---- C:\WINDOWS\ERUNT
2009-04-03 16:06:29 ----A---- C:\WINDOWS\ntbtlog.txt
2009-04-03 16:03:27 ----D---- C:\SDFix
2009-04-03 15:40:45 ----D---- C:\rsit
2009-04-03 14:41:25 ----A---- C:\lopR.txt
2009-04-03 14:41:01 ----D---- C:\Lop SD
2009-04-03 14:32:01 ----D---- C:\Program Files\Trend Micro
2009-04-03 13:46:41 ----D---- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-03 13:46:27 ----D---- C:\Program Files\SUPERAntiSpyware
2009-04-03 13:46:27 ----D---- C:\Documents and Settings\principal01\Application Data\SUPERAntiSpyware.com
2009-04-03 13:46:08 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2009-04-03 11:26:30 ----A---- C:\WINDOWS\system32\wuapi.dll.mui
2009-04-03 09:58:25 ----D---- C:\Documents and Settings\principal01\Application Data\Malwarebytes
2009-04-03 09:58:13 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-04-03 09:58:13 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-03-29 12:22:14 ----SH---- C:\WINDOWS\system32\iyebemer.ini
2009-03-25 18:46:20 ----A---- C:\WINDOWS\system32\limevilo.dll
2009-03-21 12:27:38 ----A---- C:\bla.exe
2009-03-21 12:00:57 ----A---- C:\gtb.exe
======List of files/folders modified in the last 2 months======
2009-04-03 17:50:50 ----D---- C:\WINDOWS\system32
2009-04-03 17:20:31 ----D---- C:\Program Files\SpeedFan
2009-04-03 17:16:41 ----A---- C:\WINDOWS\bdagent.INI
2009-04-03 16:08:06 ----D---- C:\WINDOWS
2009-04-03 14:32:01 ----RD---- C:\Program Files
2009-04-03 13:51:39 ----D---- C:\WINDOWS\system32\CatRoot2
2009-04-03 13:46:32 ----SHD---- C:\WINDOWS\Installer
2009-04-03 13:46:08 ----D---- C:\Program Files\Common Files
2009-04-03 12:00:00 ----A---- C:\WINDOWS\NeroDigital.ini
2009-04-03 11:54:00 ----RSHD---- C:\WINDOWS\system32\dllcache
2009-04-03 11:32:46 ----D---- C:\WINDOWS\SoftwareDistribution
2009-04-03 11:32:45 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-04-03 11:32:45 ----D---- C:\WINDOWS\Temp
2009-04-03 11:29:06 ----HD---- C:\WINDOWS\inf
2009-04-03 11:29:00 ----HD---- C:\WINDOWS\$hf_mig$
2009-04-03 11:26:34 ----D---- C:\WINDOWS\Help
2009-04-03 10:37:43 ----D---- C:\WINDOWS\system32\drivers
2009-03-29 12:23:16 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-03-21 21:48:11 ----A---- C:\WINDOWS\xnview.ini
2009-02-27 16:30:21 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R1 bdftdif;bdftdif; \??\C:\Program Files\Common Files\BitDefender\BitDefender Firewall\bdftdif.sys []
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-14 40576]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service; C:\WINDOWS\system32\DRIVERS\bdfndisf.sys [2008-10-07 86792]
R3 bdfsfltr;bdfsfltr; C:\WINDOWS\system32\drivers\bdfsfltr.sys [2008-01-07 196368]
R3 BDSelfPr;BDSelfPr; \??\C:\Program Files\BitDefender\BitDefender 2008\bdselfpr.sys []
R3 CmBatt;Microsoft ACPI Compliant Control Method Battery Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2008-04-13 13952]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2008-04-17 15464]
R3 HdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service; C:\WINDOWS\system32\drivers\CHDAud.sys [2007-06-28 631808]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-14 144384]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-14 10368]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\igxpmp32.sys [2008-08-11 6044864]
R3 mouhid;HID Mouse Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2008-04-14 12288]
R3 RTL8187B;Realtek RTL8187B Wireless 802.11g 54Mbps USB 2.0 Network Adapter; C:\WINDOWS\system32\DRIVERS\RTL8187B.sys [2007-07-18 264576]
R3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbstor;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
R3 usbuhci;Microsoft Universal Host Controller Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 yukonwxp;NDIS5.1 Miniport Driver for Marvell Yukon Ethernet Controller; C:\WINDOWS\system32\DRIVERS\yk51x86.sys [2008-08-18 290176]
S1 kbdhid;HID Keyboard Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14720]
S3 catchme;catchme; \??\D:\temp\catchme.sys []
S3 Profos;Profos; \??\C:\Program Files\Common Files\BitDefender\BitDefender Threat Scanner\profos.sys []
S3 Trufos;Trufos; \??\C:\Program Files\Common Files\BitDefender\BitDefender Threat Scanner\trufos.sys []
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2008-10-01 32000]
S3 usbccgp;Microsoft Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbprint;Microsoft USB Printer Driver; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys [2006-10-18 38528]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-10-01 116040]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-08-29 238888]
R2 LIVESRV;BitDefender Desktop Update Service; C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe [2008-11-28 1179648]
R2 VSSERV;BitDefender Virus Shield; C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe [2008-10-07 1261568]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
R2 XCOMM;BitDefender Communicator; C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe [2007-11-27 86016]
R2 yksvc;Marvell Yukon Service; ykx32mpcoinst,serviceStartProc []
R3 scan;BitDefender Threat Scanner; C:\WINDOWS\System32\svchost.exe [2008-04-14 14336]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe [2007-10-09 36864]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2007-10-11 864256]
S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-10-01 536872]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader Service; C:\Program Files\Windows Live\Messenger\usnsvc.exe [2007-10-18 98328]
S3 WLSetupSvc;Windows Live Setup Service; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [2007-10-25 266240]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-11-03 918016]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2007-10-11 122880]
-----------------EOF-----------------
/!\ WARNING FOLLOW THESE INSTRUCTIONS SCRUPULOUSLY /!\
______________________________________________________________________
>This software is to be used only as prescribed by a qualified helper trained in the tool.<
>>>>>>>Do not use outside of this context: dangerous!<<<<<<<<
===========================================================
During its execution,
ComboFix will check if the Microsoft Windows Recovery Console is installed. With infections like those today, it is highly recommended to have it pre-installed on your PC before any removal of pests.
It will allow you to boot into a special recovery mode, which enables us to assist you more easily if your computer encounters an issue after a cleaning attempt.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console
and when prompted, accept the End User License Agreement to install the Microsoft Windows Recovery Console.
On XP
On Vista
Important note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its procedures for removing pests.
Read This, Imperative!!!!
Download Combofix:
And, importantly, save it as "moi.exe" on your desktop.
Before using ComboFix:
______________________________________________________________________
- Disconnect from the internet and close all currently running program windows.
- Temporarily disable, only for the duration of ComboFix usage, the real-time protection of your Antivirus and Anti-spywares, which can greatly interfere with the tool's search and cleaning process.
°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°
Once done, double-click on "moi.exe" on your desktop
- Respond yes to the warning message for the program to start scanning the PC.
/!\ During this step, do not use the PC or any other peripherals, and do not open any programs.
- At the end of the scan, ComboFix may need to restart the PC to finalize the disinfection/search, let it do so.
- A report will then open in Notepad; this report file, Combofix.txt, is automatically saved and located at C:\Combofix.txt.
- Reactivate the real-time protection of your Antivirus and Anti-spywares before reconnecting to the internet.
- Return to the forum and copy and paste the entire content of C:\Combofix.txt in your next message.
--
G3и-н@¢ки™©®
The console, as stated if you read everything, is installed by default by ComboFix; you just need to follow the instructions precisely as specified, and it's perfect.
You just have to understand that you don't mess around with ComboFix like a cheap €2 antispyware.
--
G3и-н@¢км@и™©®
The ComboFix report:
ComboFix 09-04-01.01 - principal01 2009-04-03 18:57:24.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1036.18.2038.1619 [GMT 2:00]
Run from: c:\documents and settings\principal01\Desktop\ComboFix.exe
AV: Bitdefender Antivirus *On-access scanning enabled* (Updated)
FW: Bitdefender Firewall *enabled*
* A new restore point has been created
* Resident AV is active
.
(((((((((((((((((((((((((((((((((((( Other deletions )))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\iyebemer.ini
c:\windows\system32\x64
.
((((((((((((((((((((((((((((( Files created from 2009-03-03 to 2009-04-03 ))))))))))))))))))))))))))))))))))))
.
2009-04-03 16:47 . 2009-04-03 16:47 <REP> d-------- C:\_OTMoveIt
2009-04-03 16:08 . 2009-04-03 16:08 <REP> d-------- c:\windows\ERUNT
2009-04-03 16:03 . 2009-04-03 16:17 <REP> d-------- C:\SDFix
2009-04-03 15:40 . 2009-04-03 15:40 <REP> d-------- C:\rsit
2009-04-03 14:41 . 2009-04-03 15:04 <REP> d-------- C:\Lop SD
2009-04-03 14:32 . 2009-04-03 14:32 <REP> d-------- c:\program files\Trend Micro
2009-04-03 13:46 . 2009-04-03 13:46 <REP> d-------- c:\program files\SUPERAntiSpyware
2009-04-03 13:46 . 2009-04-03 13:46 <REP> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-04-03 13:46 . 2009-04-03 13:46 <REP> d-------- c:\documents and settings\principal01\Application Data\SUPERAntiSpyware.com
2009-04-03 13:46 . 2009-04-03 13:46 <REP> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-03 11:26 . 2008-10-16 14:08 27,672 --a------ c:\windows\system32\wuapi.dll.mui
2009-04-03 09:58 . 2009-04-03 09:58 <REP> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-04-03 09:58 . 2009-04-03 09:58 <REP> d-------- c:\documents and settings\principal01\Application Data\Malwarebytes
2009-04-03 09:58 . 2009-04-03 09:58 <REP> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-03 09:58 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-03 09:58 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-29 12:28 . 2009-03-29 12:28 244 --ah----- C:\sqmnoopt03.sqm
2009-03-29 12:28 . 2009-03-29 12:28 244 --ah----- C:\sqmnoopt02.sqm
2009-03-29 12:28 . 2009-03-29 12:28 232 --ah----- C:\sqmdata03.sqm
2009-03-29 12:28 . 2009-03-29 12:28 232 --ah----- C:\sqmdata02.sqm
2009-03-29 12:22 . 2009-03-29 12:22 244 --ah----- C:\sqmnoopt01.sqm
2009-03-29 12:22 . 2009-03-29 12:22 232 --ah----- C:\sqmdata01.sqm
2009-03-25 18:46 . 2009-03-25 19:46 912 --a------ c:\windows\system32\limevilo.dll
2009-03-21 12:27 . 2009-03-21 12:27 912 --a------ C:\bla.exe
2009-03-21 12:00 . 2009-03-21 12:14 912 --a------ C:\gtb.exe
.
(((((((((((((((((((((((((((((((((( Find3M report ))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-03 17:00 --------- d-----w c:\program files\SpeedFan
.
((((((((((((((((((((((((((((((((( Reg Load Points ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty items & legitimate initial items are not listed
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-03-23 1830128]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-08-11 143360]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-08-11 172032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-08-11 143360]
"BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2008\IEShow.exe" [2007-10-09 61440]
"BDAgent"="c:\program files\BitDefender\BitDefender 2008\bdagent.exe" [2008-10-07 368640]
"QuickTime Task"="c:\program files\QuickTime Alternative\qttask.exe" [2008-09-06 413696]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\principal01\Start Menu\Programs\Startup\
Event Reminder.lnk - c:\pmw\PMREMIND.EXE [1997-11-03 254128]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
SpeedFan.lnk - c:\program files\SpeedFan\speedfan.exe [2008-08-19 3562496]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 12:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3fhg"= mp3fhg.acm
"msacm.divxa32"= divxa32.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\[u]0/upgdfgsvc C 1
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\BitDefender\\BitDefender Update Service\\livesrv.exe"=
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-03-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-03-23 72944]
R2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32mpcoinst,serviceStartProc --> RUNDLL32.EXE ykx32mpcoinst,serviceStartProc [?]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [2008-01-25 86792]
R3 RTL8187B;Realtek RTL8187B Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187B.sys [2008-10-07 264576]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
.
.
------- Additional examination -------
.
uStart Page = hxxp://www.msn.fr/
uInternet Settings,ProxyOverride = *.local
IE: Ex&port to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{AF4F850B-68FF-404C-8417-549F86B1E236} - notepad.exe
.
**************************************************************************
catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-03 19:00:49
Windows 5.1.2600 Service Pack 3 NTFS
Searching for hidden processes ...
Searching for hidden auto start items ...
Searching for hidden files ...
Scan completed successfully
Hidden files: 0
**************************************************************************
.
--------------------- DLLs loaded in active processes ---------------------
- - - - - - - > 'winlogon.exe'(1252)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other active processes ------------------------
.
c:\windows\system32\igfxsrvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
c:\windows\system32\ntvdm.exe
c:\program files\BitDefender\BitDefender 2008\vsserv.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
End time: 2009-04-03 19:03:02 - The machine has rebooted
ComboFix-quarantined-files.txt 2009-04-03 17:02:58
Before-CF: 42,317,426,688 bytes free
After-CF: 42,252,173,312 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-FRA.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
______________________________________________________________________
=>/!\ WARNING /!\ The following script has been written specifically for this computer,<====
=>it's strongly advised not to transfer it to another computer!<====
-------------------------------------------------------------------------
Still with all protections disabled, do this:
• Open Notepad (Start menu --> programs --> accessories --> Notepad)
• Copy/paste into Notepad what is between the lines below (without the lines):
----------------------------------------------------------
File::
c:\windows\system32\limevilo.dll
C:\bla.exe
C:\gtb.exe
------------------------------------------------------------------
• Save this file on your Desktop (and not elsewhere!) under the name CFScript.txt
• Exit Notepad
• Drag and drop this CFScript file onto the C-Fix.exe (ComboFix) file, the program you launched earlier, just as you would drag a file into a folder.
• Wait for the scan to finish. The Desktop will disappear several times: this is normal! Do not touch anything until the scan is complete.
• Once the scan is finished, a report will appear: post its content.
• If the file does not open, it is located here: C:\ComboFix.txt
--
G3и-н@¢км@и™©®
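The triage behind the script above, as an added Python example that is not part of the thread and not ComboFix's own code: it parses the "Files created" entries from the user's ComboFix log, flags the pattern the helper acted on (tiny executables dropped directly in C:\ or System32, all sharing one size), and renders the matching File:: block for CFScript.txt. The size threshold and the "hot" directories are assumptions for illustration, and the sample log is a subset of the lines posted in this thread.

```python
"""Triage helper for the 'Files created' section of a ComboFix log.

Added example; not part of the thread or of ComboFix. The thresholds below
are assumptions chosen to illustrate the helper's reasoning, not ComboFix rules.
"""
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# One ComboFix entry: "<created> . <modified> <REP>|<size> <attrs> <path>"
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size><REP>|[\d,]+) "
    r"(?P<attrs>[-a-zA-Z]+) "
    r"(?P<path>.+)$"
)

EXEC_EXT = {".exe", ".dll", ".sys", ".scr", ".com"}
# Directories where a brand-new tiny binary deserves a second look (assumed list).
HOT_DIRS = {"c:", "c:\\windows", "c:\\windows\\system32"}
# Assumed threshold: real drivers and libraries are rarely this small.
MAX_SUSPECT_SIZE = 4096

# Constructed sample: a subset of the 'Files created' lines from the log in this thread.
SAMPLE_LOG = r"""((((((((((((((((((((((((((((( Files created from 2009-03-03 to 2009-04-03 ))))))))))))))))))))))))))))))))))))
.
2009-04-03 13:46 . 2009-04-03 13:46 <REP> d-------- c:\program files\SUPERAntiSpyware
2009-04-03 11:26 . 2008-10-16 14:08 27,672 --a------ c:\windows\system32\wuapi.dll.mui
2009-04-03 09:58 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-29 12:28 . 2009-03-29 12:28 244 --ah----- C:\sqmnoopt03.sqm
2009-03-25 18:46 . 2009-03-25 19:46 912 --a------ c:\windows\system32\limevilo.dll
2009-03-21 12:27 . 2009-03-21 12:27 912 --a------ C:\bla.exe
2009-03-21 12:00 . 2009-03-21 12:14 912 --a------ C:\gtb.exe
.
"""


@dataclass
class Entry:
    created: str
    modified: str
    size: Optional[int]  # None for directories (<REP>)
    attrs: str
    path: str
    is_dir: bool


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one log line; returns None for separators, headers and blanks."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    raw = m.group("size")
    is_dir = raw == "<REP>"
    size = None if is_dir else int(raw.replace(",", ""))
    return Entry(m.group("created"), m.group("modified"), size,
                 m.group("attrs"), m.group("path"), is_dir)


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_entry(ln) for ln in text.splitlines()) if e]


def flag_suspicious(entries: List[Entry], max_size: int = MAX_SUSPECT_SIZE) -> List[Entry]:
    """Keep small executables created directly in a hot directory, in log order."""
    hits = []
    for e in entries:
        if e.is_dir or e.size is None or e.size > max_size:
            continue
        lower = e.path.lower()
        if ntpath.splitext(lower)[1] not in EXEC_EXT:
            continue
        if ntpath.dirname(lower).rstrip("\\") in HOT_DIRS:
            hits.append(e)
    return hits


def cluster_by_size(hits: List[Entry]) -> Dict[int, List[str]]:
    """Group hits by exact size: unrelated files of identical size point to one dropper."""
    groups: Dict[int, List[str]] = defaultdict(list)
    for h in hits:
        groups[h.size].append(h.path)
    return dict(groups)


def render_cfscript(paths: List[str]) -> str:
    """Render the File:: block ComboFix reads from CFScript.txt, as used in the thread."""
    return "File::\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    found = flag_suspicious(parse_log(SAMPLE_LOG))
    for h in found:
        print(f"{h.created}  {h.size:>6} B  {h.path}")
    print(render_cfscript([h.path for h in found]))
```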
Present again :)
ComboFix report:
ComboFix 09-04-01.01 - principal01 2009-04-04 7:51:49.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1036.18.2038.1617 [GMT 2:00]
Started from: c:\documents and settings\principal01\Desktop\ComboFix.exe
Switches used :: c:\documents and settings\principal01\Desktop\CFScript.txt
AV: Bitdefender Antivirus *On-access scanning disabled* (Updated)
FW: Bitdefender Firewall *disabled*
* A new restore point has been created
FILE ::
C:\bla.exe
C:\gtb.exe
c:\windows\system32\limevilo.dll
.
(((((((((((((((((((((((((((((((((((( Other deletions ))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\bla.exe
C:\gtb.exe
c:\windows\system32\limevilo.dll
.
((((((((((((((((((((((((((((( Files created from 2009-03-04 to 2009-04-04 ))))))))))))))))))))))))))))))))))))
.
2009-04-03 16:47 . 2009-04-03 16:47 <REP> d-------- C:\_OTMoveIt
2009-04-03 16:08 . 2009-04-03 16:08 <REP> d-------- c:\windows\ERUNT
2009-04-03 16:03 . 2009-04-03 16:17 <REP> d-------- C:\SDFix
2009-04-03 15:40 . 2009-04-03 15:40 <REP> d-------- C:\rsit
2009-04-03 14:41 . 2009-04-03 15:04 <REP> d-------- C:\Lop SD
2009-04-03 14:32 . 2009-04-03 14:32 <REP> d-------- c:\program files\Trend Micro
2009-04-03 13:46 . 2009-04-03 13:46 <REP> d-------- c:\program files\SUPERAntiSpyware
2009-04-03 13:46 . 2009-04-03 13:46 <REP> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-04-03 13:46 . 2009-04-03 13:46 <REP> d-------- c:\documents and settings\principal01\Application Data\SUPERAntiSpyware.com
2009-04-03 13:46 . 2009-04-03 13:46 <REP> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-03 11:26 . 2008-10-16 14:08 27,672 --a------ c:\windows\system32\wuapi.dll.mui
2009-04-03 09:58 . 2009-04-03 09:58 <REP> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-04-03 09:58 . 2009-04-03 09:58 <REP> d-------- c:\documents and settings\principal01\Application Data\Malwarebytes
2009-04-03 09:58 . 2009-04-03 09:58 <REP> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-03 09:58 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-03 09:58 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-29 12:28 . 2009-03-29 12:28 244 --ah----- C:\sqmnoopt03.sqm
2009-03-29 12:28 . 2009-03-29 12:28 244 --ah----- C:\sqmnoopt02.sqm
2009-03-29 12:28 . 2009-03-29 12:28 232 --ah----- C:\sqmdata03.sqm
2009-03-29 12:28 . 2009-03-29 12:28 232 --ah----- C:\sqmdata02.sqm
2009-03-29 12:22 . 2009-03-29 12:22 244 --ah----- C:\sqmnoopt01.sqm
2009-03-29 12:22 . 2009-03-29 12:22 232 --ah----- C:\sqmdata01.sqm
.
(((((((((((((((((((((((((((((((((( Find3M report ))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-04 05:53 81,984 ----a-w c:\windows\system32\bdod.bin
2009-04-04 05:42 --------- d-----w c:\program files\SpeedFan
.
((((((((((((((((((((((((((((((((( Reg loading points ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty items & legitimate initial items are not listed
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-03-23 1830128]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-08-11 143360]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-08-11 172032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-08-11 143360]
"BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2008\IEShow.exe" [2007-10-09 61440]
"BDAgent"="c:\program files\BitDefender\BitDefender 2008\bdagent.exe" [2008-10-07 368640]
"QuickTime Task"="c:\program files\QuickTime Alternative\qttask.exe" [2008-09-06 413696]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\principal01\Start Menu\Programs\Startup\
Event Reminder.lnk - c:\pmw\PMREMIND.EXE [1997-11-03 254128]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
SpeedFan.lnk - c:\program files\SpeedFan\speedfan.exe [2008-08-19 3562496]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 12:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3fhg"= mp3fhg.acm
"msacm.divxa32"= divxa32.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\[u]0/upgdfgsvc C 1
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\BitDefender\\BitDefender Update Service\\livesrv.exe"=
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-03-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-03-23 72944]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [2008-01-25 86792]
R3 RTL8187B;Realtek RTL8187B Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187B.sys [2008-10-07 264576]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]
S2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32mpcoinst,serviceStartProc --> RUNDLL32.EXE ykx32mpcoinst,serviceStartProc [?]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
.
.
------- Additional examination -------
.
uStart Page = hxxp://www.msn.fr/
uInternet Settings,ProxyOverride = *.local
IE: E&xporter to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{AF4F850B-68FF-404C-8417-549F86B1E236} - notepad.exe
.
**************************************************************************
catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-04 07:53:02
Windows 5.1.2600 Service Pack 3 NTFS
Searching hidden processes ...
Searching for hidden autostart items ...
Searching for hidden files ...
Scan completed successfully
Hidden files: 0
**************************************************************************
.
--------------------- DLLs loaded in active processes ---------------------
- - - - - - - > 'winlogon.exe'(1244)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
End time: 2009-04-04 7:54:00
ComboFix-quarantined-files.txt 2009-04-04 05:53:58
ComboFix2.txt 2009-04-03 17:03:04
Before-CF: 42,229,178,368 bytes free
After-CF: 42,219,253,760 bytes free
Hello,
RSIT report:
Logfile of random's system information tool 1.06 (written by random/random)
Run by principal01 at 2009-04-04 10:05:51
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 40 GB (81%) free of 50 GB
Total RAM: 2038 MB (78% free)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:05:54, on 04/04/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SpeedFan\speedfan.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\principal01\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\principal01.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/?redirfallthru=http%3a%2f%2fwww.msn.fr%2fimg%2ffr%2ffr-fr%2fdivertissement%2fcelebrites%2fgalery%2fwentworth02.jpg%3f
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://runonce.msn.com/runonce3.aspx
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Links
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Assistant Help Program - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Event Reminder.lnk = C:\pmw\PMREMIND.EXE
O4 - Global Startup: SpeedFan.lnk = C:\Program Files\SpeedFan\speedfan.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Search - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Notepad - {AF4F850B-68FF-404C-8417-549F86B1E236} - notepad.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/...
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
O23 - Service: Marvell Yukon Service (yksvc) - Unknown owner - RUNDLL32.EXE (file missing)
--
End of file - 6119 bytes
======Registry dump======
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2008-06-11 75128]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Assistant Help Program - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2007-09-20 328752]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{381FFDE8-2394-4f90-B10D-FC6124A40F8C} - BitDefender Toolbar - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll [2008-02-28 86016]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe [2008-08-11 143360]
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe [2008-08-11 172032]
"Persistence"=C:\WINDOWS\system32\igfxpers.exe [2008-08-11 143360]
"BitDefender Antiphishing Helper"=C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe [2007-10-09 61440]
"BDAgent"=C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe [2008-10-07 368640]
"QuickTime Task"=C:\Program Files\QuickTime Alternative\qttask.exe [2008-09-06 413696]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2009-03-23 1830128]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
SpeedFan.lnk - C:\Program Files\SpeedFan\speedfan.exe
C:\Documents and Settings\principal01\Start Menu\Programs\Startup
Event Reminder.lnk - C:\pmw\PMREMIND.EXE
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2008-12-22 356352]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2008-08-11 217088]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe"="C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe:*:Enabled:livesrv"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
======List of files/folders created in the last 2 months======
2009-04-04 07:54:02 ----D---- C:\WINDOWS\temp
2009-04-04 07:54:01 ----A---- C:\ComboFix.txt
2009-04-04 07:50:56 ----D---- C:\ComboFix
2009-04-03 18:57:00 ----A---- C:\Boot.bak
2009-04-03 18:56:56 ----RASHD---- C:\cmdcons
2009-04-03 18:53:10 ----A---- C:\WINDOWS\zip.exe
2009-04-03 18:53:10 ----A---- C:\WINDOWS\VFIND.exe
2009-04-03 18:53:10 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-04-03 18:53:10 ----A---- C:\WINDOWS\SWSC.exe
2009-04-03 18:53:10 ----A---- C:\WINDOWS\SWREG.exe
2009-04-03 18:53:10 ----A---- C:\WINDOWS\sed.exe
2009-04-03 18:53:10 ----A---- C:\WINDOWS\NIRCMD.exe
2009-04-03 18:53:10 ----A---- C:\WINDOWS\grep.exe
2009-04-03 18:53:10 ----A---- C:\WINDOWS\fdsv.exe
2009-04-03 18:52:49 ----D---- C:\WINDOWS\ERDNT
2009-04-03 18:41:35 ----D---- C:\Qoobox
2009-04-03 16:47:03 ----D---- C:\_OTMoveIt
2009-04-03 16:08:06 ----D---- C:\WINDOWS\ERUNT
2009-04-03 16:06:29 ----A---- C:\WINDOWS\ntbtlog.txt
2009-04-03 16:03:27 ----D---- C:\SDFix
2009-04-03 15:40:45 ----D---- C:\rsit
2009-04-03 14:41:25 ----A---- C:\lopR.txt
2009-04-03 14:41:01 ----D---- C:\Lop SD
2009-04-03 14:32:01 ----D---- C:\Program Files\Trend Micro
2009-04-03 13:46:41 ----D---- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-03 13:46:27 ----D---- C:\Program Files\SUPERAntiSpyware
2009-04-03 13:46:27 ----D---- C:\Documents and Settings\principal01\Application Data\SUPERAntiSpyware.com
2009-04-03 13:46:08 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2009-04-03 11:26:30 ----A---- C:\WINDOWS\system32\wuapi.dll.mui
2009-04-03 09:58:25 ----D---- C:\Documents and Settings\principal01\Application Data\Malwarebytes
2009-04-03 09:58:13 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-04-03 09:58:13 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
======List of files/folders modified in the last 2 months======
2009-04-04 07:57:46 ----D---- C:\WINDOWS\system32
2009-04-04 07:54:02 ----D---- C:\WINDOWS
2009-04-04 07:53:03 ----A---- C:\WINDOWS\system.ini
2009-04-04 07:53:03 ----A---- C:\WINDOWS\bdagent.INI
2009-04-04 07:52:39 ----D---- C:\WINDOWS\system32\drivers
2009-04-04 07:52:39 ----D---- C:\WINDOWS\AppPatch
2009-04-04 07:52:36 ----D---- C:\Program Files\Common Files
2009-04-04 07:51:41 ----D---- C:\WINDOWS\system32\CatRoot2
2009-04-04 07:42:13 ----D---- C:\Program Files\SpeedFan
2009-04-03 18:58:53 ----D---- C:\WINDOWS\system32\config
2009-04-03 18:57:00 ----RASH---- C:\boot.ini
2009-04-03 18:43:37 ----SD---- C:\Documents and Settings\principal01\Application Data\Microsoft
2009-04-03 14:32:01 ----RD---- C:\Program Files
2009-04-03 13:46:32 ----SHD---- C:\WINDOWS\Installer
2009-04-03 12:00:00 ----A---- C:\WINDOWS\NeroDigital.ini
2009-04-03 11:54:00 ----RSHD---- C:\WINDOWS\system32\dllcache
2009-04-03 11:32:46 ----D---- C:\WINDOWS\SoftwareDistribution
2009-04-03 11:32:45 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-04-03 11:29:06 ----HD---- C:\WINDOWS\inf
2009-04-03 11:29:00 ----HD---- C:\WINDOWS\$hf_mig$
2009-04-03 11:26:34 ----D---- C:\WINDOWS\Help
2009-03-29 12:23:16 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-03-21 21:48:11 ----A---- C:\WINDOWS\xnview.ini
2009-02-27 16:30:21 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R1 bdftdif;bdftdif; \??\C:\Program Files\Common Files\BitDefender\BitDefender Firewall\bdftdif.sys []
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-14 40576]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service; C:\WINDOWS\system32\DRIVERS\bdfndisf.sys [2008-10-07 86792]
R3 bdfsfltr;bdfsfltr; C:\WINDOWS\system32\drivers\bdfsfltr.sys [2008-01-07 196368]
R3 BDSelfPr;BDSelfPr; \??\C:\Program Files\BitDefender\BitDefender 2008\bdselfpr.sys []
R3 CmBatt;Microsoft ACPI Battery Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2008-04-13 13952]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2008-04-17 15464]
R3 HdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service; C:\WINDOWS\system32\drivers\CHDAud.sys [2007-06-28 631808]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-14 144384]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-14 10368]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\igxpmp32.sys [2008-08-11 6044864]
R3 mouhid;HID Mouse Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2008-04-14 12288]
R3 RTL8187B;Realtek RTL8187B Wireless 802.11g 54Mbps USB 2.0 Network Adapter; C:\WINDOWS\system32\DRIVERS\RTL8187B.sys [2007-07-18 264576]
R3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
R3 usbehci;Microsoft Enhanced Host Controller Miniport Driver USB 2.0; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbstor;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
R3 usbuhci;Microsoft Universal Host Controller Miniport Driver USB; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 yukonwxp;NDIS5.1 Miniport Driver for Marvell Yukon Ethernet Controller; C:\WINDOWS\system32\DRIVERS\yk51x86.sys [2008-08-18 290176]
S1 kbdhid;HID Keyboard Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14720]
S3 catchme;catchme; \??\D:\temp\catchme.sys []
S3 Profos;Profos; \??\C:\Program Files\Common Files\BitDefender\BitDefender Threat Scanner\profos.sys []
S3 Trufos;Trufos; \??\C:\Program Files\Common Files\BitDefender\BitDefender Threat Scanner\trufos.sys []
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2008-10-01 32000]
S3 usbccgp;Microsoft Generic Parent Driver USB; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbprint;Microsoft USB Printer Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys [2006-10-18 38528]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-10-01 116040]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-08-29 238888]
R2 LIVESRV;BitDefender Desktop Update Service; C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe [2008-11-28 1179648]
R2 VSSERV;BitDefender Virus Shield; C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe [2008-10-07 1261568]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
R2 XCOMM;BitDefender Communicator; C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe [2007-11-27 86016]
R3 scan;BitDefender Threat Scanner; C:\WINDOWS\System32\svchost.exe [2008-04-14 14336]
S2 yksvc;Marvell Yukon Service; ykx32mpcoinst,serviceStartProc []
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe [2007-10-09 36864]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2007-10-11 864256]
S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-10-01 536872]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 usnjsvc;USN Journal Reader Messenger Sharing Folders Service; C:\Program Files\Windows Live\Messenger\usnsvc.exe [2007-10-18 98328]
S3 WLSetupSvc;Windows Live Setup Service; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [2007-10-25 266240]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-11-03 918016]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2007-10-11 122880]
-----------------EOF-----------------
2009-04-03 11:54:00 ----RSHD---- C:\WINDOWS\system32\dllcache
2009-04-03 11:32:46 ----D---- C:\WINDOWS\SoftwareDistribution
2009-04-03 11:32:45 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-04-03 11:29:06 ----HD---- C:\WINDOWS\inf
2009-04-03 11:29:00 ----HD---- C:\WINDOWS\$hf_mig$
2009-04-03 11:26:34 ----D---- C:\WINDOWS\Help
2009-03-29 12:23:16 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-03-21 21:48:11 ----A---- C:\WINDOWS\xnview.ini
2009-02-27 16:30:21 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R1 bdftdif;bdftdif; \??\C:\Program Files\Common Files\BitDefender\BitDefender Firewall\bdftdif.sys []
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-14 40576]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service; C:\WINDOWS\system32\DRIVERS\bdfndisf.sys [2008-10-07 86792]
R3 bdfsfltr;bdfsfltr; C:\WINDOWS\system32\drivers\bdfsfltr.sys [2008-01-07 196368]
R3 BDSelfPr;BDSelfPr; \??\C:\Program Files\BitDefender\BitDefender 2008\bdselfpr.sys []
R3 CmBatt;Microsoft ACPI Battery Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2008-04-13 13952]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2008-04-17 15464]
R3 HdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service; C:\WINDOWS\system32\drivers\CHDAud.sys [2007-06-28 631808]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-14 144384]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-14 10368]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\igxpmp32.sys [2008-08-11 6044864]
R3 mouhid;HID Mouse Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2008-04-14 12288]
R3 RTL8187B;Realtek RTL8187B Wireless 802.11g 54Mbps USB 2.0 Network Adapter; C:\WINDOWS\system32\DRIVERS\RTL8187B.sys [2007-07-18 264576]
R3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
R3 usbehci;Microsoft Enhanced Host Controller Miniport Driver USB 2.0; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbstor;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
R3 usbuhci;Microsoft Universal Host Controller Miniport Driver USB; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 yukonwxp;NDIS5.1 Miniport Driver for Marvell Yukon Ethernet Controller; C:\WINDOWS\system32\DRIVERS\yk51x86.sys [2008-08-18 290176]
S1 kbdhid;HID Keyboard Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14720]
S3 catchme;catchme; \??\D:\temp\catchme.sys []
S3 Profos;Profos; \??\C:\Program Files\Common Files\BitDefender\BitDefender Threat Scanner\profos.sys []
S3 Trufos;Trufos; \??\C:\Program Files\Common Files\BitDefender\BitDefender Threat Scanner\trufos.sys []
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2008-10-01 32000]
S3 usbccgp;Microsoft Generic Parent Driver USB; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbprint;Microsoft USB Printer Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys [2006-10-18 38528]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-10-01 116040]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-08-29 238888]
R2 LIVESRV;BitDefender Desktop Update Service; C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe [2008-11-28 1179648]
R2 VSSERV;BitDefender Virus Shield; C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe [2008-10-07 1261568]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
R2 XCOMM;BitDefender Communicator; C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe [2007-11-27 86016]
R3 scan;BitDefender Threat Scanner; C:\WINDOWS\System32\svchost.exe [2008-04-14 14336]
S2 yksvc;Marvell Yukon Service; ykx32mpcoinst,serviceStartProc []
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe [2007-10-09 36864]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2007-10-11 864256]
S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-10-01 536872]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 usnjsvc;USN Journal Reader Messenger Sharing Folders Service; C:\Program Files\Windows Live\Messenger\usnsvc.exe [2007-10-18 98328]
S3 WLSetupSvc;Windows Live Setup Service; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [2007-10-25 266240]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-11-03 918016]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2007-10-11 122880]
-----------------EOF-----------------
---> Double-click on OTMoveIt3.exe to launch it.
---> Copy (Ctrl+C) the following text below:
:processes
explorer.exe
:reg
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Persistence"=-
"QuickTime Task"=-
:commands
[purity]
[emptytemp]
[start explorer]
[reboot]
---> Paste (Ctrl+V) the previously copied text in the Paste Instructions for Items to be Moved box.
---> Now click on the MoveIt! button, then close OTMoveIt3.
If a file or folder cannot be deleted immediately, the software will prompt you to restart.
Accept by clicking YES.
---> Post the report located in this folder: C:\_OTMoveIt\MovedFiles\
The report name corresponds to the time of its creation: date_time.log
--
G3и-н@¢ки™©®
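Added example, not part of the thread or of OTMoveIt itself: a small Python parser that turns a fix script like the one above into a plain list of the processes, registry keys and values it touches, so the script can be reviewed before it is run. The meaning of each entry is taken only from the script and the log posted in the thread; commands the log does not show acting (purity, start explorer, reboot) are reported verbatim, not interpreted.

```python
import re

# Fix script constructed from the one posted in the thread.
SAMPLE_SCRIPT = r""":processes
explorer.exe
:reg
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Persistence"=-
"QuickTime Task"=-
:commands
[purity]
[emptytemp]
[start explorer]
[reboot]
"""

# Entry meanings as seen in the thread's script and log: ":processes" lines are
# killed, "[-KEY]" deletes a key, "[KEY]" followed by '"Name"=-' deletes a value,
# "[emptytemp]" empties temp folders and caches. Other commands are left verbatim.
def parse_otmoveit(script):
    """Return (action, target) tuples describing every change the script makes."""
    actions, section, key = [], None, None
    for line in filter(None, (l.strip() for l in script.splitlines())):
        if line.startswith(":"):           # section header such as ":reg"
            section, key = line[1:].lower(), None
        elif section == "processes":
            actions.append(("kill process", line))
        elif section == "reg":
            m_key = re.fullmatch(r"\[(-?)(.+)\]", line)
            m_val = re.fullmatch(r'"(.+)"=-', line)
            if m_key and m_key.group(1) == "-":
                actions.append(("delete key", m_key.group(2)))
                key = None
            elif m_key:
                key = m_key.group(2)       # later '"Name"=-' lines apply to this key
            elif m_val and key:
                actions.append(("delete value", key + "\\" + m_val.group(1)))
            else:
                actions.append(("unparsed reg line", line))
        elif section == "commands":
            cmd = line.strip("[]").lower()
            if cmd == "emptytemp":
                actions.append(("empty", "temp folders, IE cache, Java cache"))
            else:
                actions.append(("command", cmd))   # purity, start explorer, reboot
        else:
            actions.append(("unparsed line", line))
    return actions

if __name__ == "__main__":
    for action, target in parse_otmoveit(SAMPLE_SCRIPT):
        print(f"{action:18s} {target}")
```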
The report:
========== PROCESSES ==========
Process explorer.exe killed successfully.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}\\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\Persistence deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\QuickTime Task deleted successfully.
========== COMMANDS ==========
File delete failed. D:\temp\Perflib_Perfdata_428.dat scheduled to be deleted on reboot.
File delete failed. D:\temp\sfareca00001.dll scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
User's Temporary Internet Files folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
Network Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Java cache emptied.
Temp folders emptied.
Explorer started successfully
OTMoveIt3 by OldTimer - Version 1.0.10.0 log created on 04042009_114055
Files moved on Reboot...
File D:\temp\Perflib_Perfdata_428.dat not found!
DllUnregisterServer procedure not found in D:\temp\sfareca00001.dll
D:\temp\sfareca00001.dll NOT unregistered.
D:\temp\sfareca00001.dll moved successfully.
Thank you so much for spending all this time with me.
Is it possible to get a brief summary of what was there and what you did? I won't hide from you that I didn't understand much.
Should I keep the installed software or uninstall it?
Are they on a trial period or really free?
How can I avoid having these issues happen again?
Thanks again for everything :)
[quote]Malwarebytes' Anti-Malware 1.35
Database version: 1936
Windows 5.1.2600 Service Pack 3
03/04/2009 11:11:33
mbam-log-2009-04-03 (11-11-33).txt
Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|)
Items examined: 114149
Time elapsed: 31 minute(s), 8 second(s)
Infected memory processes: 0
Infected memory module(s): 0
Infected Registry key(s): 0
Infected Registry value(s): 0
Infected Registry data item(s): 0
Infected folder(s): 0
Infected file(s): 0
Infected memory processes:
(No harmful items detected)
Infected memory module(s):
(No harmful items detected)
Infected Registry key(s):
(No harmful items detected)
Infected Registry value(s):
(No harmful items detected)
Infected Registry data item(s):
(No harmful items detected)
Infected folder(s):
(No harmful items detected)
Infected file(s):
(No harmful items detected)
[/quote]
That of BitDefender 2008
[quote]BitDefender log file
Product: BitDefender Internet Security 2008
Version: BitDefender UIScanner V.11
Log date: 11:51:34 03/04/2009
Log path: C:\Documents and Settings\All Users\Application Data\BitDefender\Desktop\Profiles\Logs\deep_scan\1238752294_1_02.xml
Scan paths:
Path0000: C:\
Path0001: D:\
Path0002: E:\
Scan options:
Scan for viruses: Yes
Detect adware: Yes
Scan for spywares: Yes
Scan applications: Yes
Detect dialers: Yes
Scan for Rootkits: Yes
Target selection options:
Scan Registry keys: Yes
Scan cookies: Yes
Scan boot sector: Yes
Scan memory processes: Yes
Scan archives: Yes
Scan packed files: Yes
Scan emails: Yes
Scan all files: Yes
Heuristic analysis: Yes
Extensions scanned:
Excluded extensions:
Target treatment:
Default action for infected objects: Disinfect
Default action for suspicious objects: Move to quarantine
Default action for hidden objects: Move to quarantine
Scan summary:
Number of virus signatures: 2816399
Archive plugins: 45
Messaging plugins: 6
Scan plugins: 13
Archive plugins: 45
System plugins: 5
Unpacking plugins: 7
General scan summary:
Items scanned: 121757
Infected items: 4
Suspicious items: 0
Resolved items: 3
Individual viruses found: 4
Directories scanned: 4135
Boot sectors scanned: 4
Archives scanned: 2641
I/O errors: 0
Scan time: 00:00:32:49
Files per second: 61
Summary of scanned processes:
Scanned: 35
Infected: 0
Summary of scanned Registry keys:
Scanned: 827
Infected: 0
Summary of scanned cookies:
Scanned: 0
Infected: 0
Unresolved issues:
Object name | Threat name | Final state
C:\System Volume Information\_restore{BE065684-E0C6-40C3-8A6D-E72922016F60}\RP6\A0003129.exe=](Instyler o)=](Instyler Module 0) Gen:Trojan.Heur.Dropper.1022DDDDDD Infected (no action could be taken, the file was in an archive)
Resolved issues:
Object name | Threat name | Final state
C:\System Volume Information\_restore{BE065684-E0C6-40C3-8A6D-E72922016F60}\RP24\A0013163.dll Gen:Trojan.Heur.P4018E7A7A7 Moved to quarantine
C:\System Volume Information\_restore{BE065684-E0C6-40C3-8A6D-E72922016F60}\RP24\A0013250.dll Gen:Trojan.Heur.P5008F7B7B7 Moved to quarantine
C:\System Volume Information\_restore{BE065684-E0C6-40C3-8A6D-E72922016F60}\RP24\A0013155.dll Trojan.Vundo.GKW Deleted
Unscanned objects:
Object name | Reason | Final state
[/quote]
Thank you.