How to remove virus from .exe file?

Solved
roni034 (Member)
fix200 (Security contributor)
Hello,

I tried to install a word processing program, I naturally executed the setup.exe file of this program that was given to me; but when running it, my antivirus detected a virus named vitro which is apparently embedded in the setup.exe file and I can't remove the virus without also deleting the entire file (same for quarantine). Is there a way to isolate the virus in order to retrieve the healthy setup file?
Thank you for your help
roni
Configuration: Windows Vista Internet Explorer 8.0

16 replies

fix200 (Security contributor):

Re,

Hey Roni ;)

Uh... it's not finished! ^^

Please redo an RSIT for me.
fix200 (Security contributor):

Hi,

I hope you haven't run the file! Otherwise you'll be infected by the worst malware in the world...!

Let's have a look:

Download Random's System Information Tool (RSIT) by random/random and save it to your Desktop.

▶ Double-click on RSIT.exe to launch it.

▶ Click on "Continue" on the "Disclaimer of warranty" screen.

▶ If the HijackThis tool (updated version) is not present or not detected on the computer, RSIT will download it and you will have to accept the license.

▶ When the scan is finished, two text files will open.

=> Post the content of log.txt (which will be displayed) as well as info.txt (which will be minimized in the Taskbar).

Note: Both reports are also saved here: C:\rsit
roni034 (Member):

Thank you for your attention, I'll send this to you in a few moments, the file is on a USB stick... but I imagine it might have infected the computer... see you soon.
roni034 (Member):

Here is the info file:

info.txt logfile of random's system information tool 1.06 2009-09-06 11:47:57

======Uninstall list======

-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
-->C:\Windows\system32\Macromed\Flash\uninstall_plugin.exe
-->MsiExec.exe /I{2EA870FA-585F-4187-903D-CB9FFD21E2E0}
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{31403E22-2FDB-452F-AE9E-20854633226D}\Setup.exe" -uninst
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A450831D-25F6-4F42-9662-D000B25E0D82}\setup.exe" -uninstall
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AA4BF92B-2AAF-11DA-9D78-000129760D75}\setup.exe" -uninstall
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B145EC69-66F5-11D8-9D75-000129760D75}\setup.exe" -uninstall
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B804C424-B66D-447A-84BD-C6B88C392C3A}\setup.exe" -uninstall
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F79A208D-D929-11D9-9D77-000129760D75}\setup.exe" -uninstall
32 Bit HP CIO Components Installer-->MsiExec.exe /I{F1E63043-54FC-429B-AB2C-31AF9FBA4BC7}
Acer Arcade Deluxe-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EFBDC2B0-FAA8-4B78-8DE1-AEBE7958FA37}\setup.exe" -uninstall
Acer Crystal Eye webcam-->C:\Program Files\InstallShield Installation Information\{399C37FB-08AF-493B-BFED-20FBD85EDF7F}\setup.exe -runfromtemp -l0x040c -removeonly -u
Acer Crystal Eye webcam-->C:\Program Files\InstallShield Installation Information\{AA047D7C-5E7C-4878-B75C-77589151B563}\setup.exe -runfromtemp -l0x0009 -removeonly
Acer GridVista-->C:\Windows\UnInst32.exe GridV.UNI
Acer Mobility Center Plug-In-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{11316260-6666-467B-AC34-183FCB5D4335}\setup.exe" -l0x40c -removeonly
Acer ScreenSaver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{79DD56FC-DB8B-47F5-9C80-78B62E05F9BC}\setup.exe" -l0x9 -removeonly
Acer Tour-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{94389919-B0AA-4882-9BE8-9F0B004ECA35}\setup.exe" -l0x40c -removeonly
Acoolsoft PPT2Video Converter 3.0.0.38-->"C:\Program Files\Acoolsoft\PPT2Video Converter\unins000.exe"
Activation Assistant for the 2007 Microsoft Office suites-->"C:\ProgramData\{174892B1-CBE7-44F5-86FF-AB555EFD73A3}\Microsoft Office Activation Assistant.exe" REMOVE=TRUE MODIFY=FALSE
Adobe Flash Player 10 ActiveX-->C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->MsiExec.exe /X{ECA1A3B6-898F-4DCE-9F04-714CF3BA126B}
Adobe Reader 8.1.4-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81300000003}
Apple Mobile Device Support-->MsiExec.exe /I{C337BDAF-CB4E-47E2-BE1A-CB31BB7DD0E3}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
Archiveur WinRAR-->C:\Program Files\WinRAR\uninstall.exe
Assistant de connexion Windows Live ID-->MsiExec.exe /X{10A44844-4465-456E-8C97-80BDD4F68845}
avast! Antivirus-->C:\Program Files\Alwil Software\Avast4\aswRunDll.exe "C:\Program Files\Alwil Software\Avast4\Setup\setiface.dll",RunSetup
Bricks of Egypt-->"C:\Program Files\Acer GameZone\Bricks of Egypt\Uninstall.exe" "C:\Program Files\Acer GameZone\Bricks of Egypt\install.log"
Broadcom Gigabit Integrated Controller-->MsiExec.exe /X{D3B3B9B2-FE73-44CB-8C0A-F737D92F991B}
CCleaner (remove only)-->"C:\Program Files\CCleaner\uninst.exe"
CDBurnerXP-->"C:\Program Files\CDBurnerXP\unins000.exe"
Choice Guard-->MsiExec.exe /I{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}
Ciel Auto-entrepreneur Facile 1.40-->MsiExec.exe /I{AF86BA3B-B465-4E12-B771-E12208FDB89B}
DavkaWriter Platinum-->MsiExec.exe /I{7CCF4B02-5AAB-455C-904F-3347DBD542D9}
FileZilla Client 3.2.6.1-->C:\Program Files\FileZilla FTP Client\uninstall.exe
Galapago-->"C:\Program Files\Acer GameZone\Galapago\Uninstall.exe" "C:\Program Files\Acer GameZone\Galapago\install.log"
Garmin WebUpdater-->MsiExec.exe /X{366FFC89-C800-4366-B903-B9C4314109A5}
Gestionnaire pour appareils Windows Mobile-->MsiExec.exe /I{1F2A5DF9-40E1-4644-ADBD-D80F347BA6C8}
GIMP 2.6.7-->"C:\Program Files\GIMP-2.0\setup\unins000.exe"
Google Earth-->MsiExec.exe /I{1D14373E-7970-4F2F-A467-ACA4F0EA21E3}
Google Toolbar for Internet Explorer-->"C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarManager_9DE96A29E721D90A.exe" /uninstall
Google Toolbar for Internet Explorer-->MsiExec.exe /I{18455581-E099-4BA8-BC6B-F34B2F06600C}
HDAUDIO Soft Data Fax Modem with SmartCP-->C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFAOR2C06_118\UIU32m.exe -U -IAcrZUn32z.inf
HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
HP Customer Participation Program 8.0-->C:\Program Files\HP\Digital Imaging\ExtCapUninstall\hpzscr01.exe -datfile hpqhsc01.dat
HP Imaging Device Functions 8.0-->C:\Program Files\HP\Digital Imaging\DeviceManagement\hpzscr01.exe -datfile hpqbud01.dat
HP OCR Software 8.0-->C:\Program Files\HP\Digital Imaging\OCR\hpzscr01.exe -datfile hpqbud11.dat
HP Photosmart Essential-->MsiExec.exe /X{EB21A812-671B-4D08-B974-2A347F0D8F70}
HP Photosmart.All-In-One Driver Software 8.0 .A-->C:\Program Files\HP\Digital Imaging\{282E5AB2-8E47-4571-B6FA-6B512555B557}\setup\hpzscr01.exe -datfile hposcr18.dat -onestop -showdisconnect -forcereboot
HP Product Assistant-->MsiExec.exe /I{36FDBE6E-6684-462B-AE98-9A39A1B200CC}
HP Solution Center 8.0-->C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
HP Update-->MsiExec.exe /X{7059BDA7-E1DB-442C-B7A1-6144596720A4}
HPSSupply-->MsiExec.exe /X{EB75DE50-5754-4F6F-875D-126EDF8E4CB3}
Installation Windows Live-->C:\Program Files\Windows Live\Installer\wlarp.exe
Installation Windows Live-->MsiExec.exe /I{7370DF47-B4F9-4279-BFC3-3F09919F720D}
Intel PROSet Wireless-->Intel PROSet Wireless
iTunes-->MsiExec.exe /I{99ECF41F-5CCA-42BD-B8B8-A8333E2E2944}
IziSpot 4-->MsiExec.exe /X{117F577F-E35E-458A-87C5-FBF96879C5CE}
Java(TM) 6 Update 13-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216010FF}
Java(TM) 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
Jewel Quest Solitaire-->"C:\Program Files\Acer GameZone\Jewel Quest Solitaire\Uninstall.exe" "C:\Program Files\Acer GameZone\Jewel Quest Solitaire\install.log"
K-Lite Codec Pack 3.9.0 Full-->"C:\Program Files\K-Lite Codec Pack\unins000.exe"
Launch Manager-->C:\Windows\UnInst32.exe QtZgAcer.UNI
LMSOFT Web Creator Pro 5-->C:\Program Files\Mindscape\LMSOFT Web Creator Pro 5\Uninstall.exe
Luxor 2-->"C:\Program Files\Acer GameZone\Luxor 2\Uninstall.exe" "C:\Program Files\Acer GameZone\Luxor 2\install.log"
Messenger Plus! Live-->"C:\Program Files\Messenger Plus! Live\Uninstall.exe"
Microsoft .NET Framework 3.5 SP1-->C:\Windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Office Access MUI (French) 2007-->MsiExec.exe /X{90120000-0015-040C-0000-0000000FF1CE}
Microsoft Office Excel MUI (French) 2007-->MsiExec.exe /X{90120000-0016-040C-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (French) 2007-->MsiExec.exe /X{90120000-0044-040C-0000-0000000FF1CE}
Microsoft Office Live Add-in 1.4-->MsiExec.exe /I{AE3CF174-872C-46C6-B9F6-C0593F3BC7B8}
Microsoft Office Outlook MUI (French) 2007-->MsiExec.exe /X{90120000-001A-040C-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (French) 2007-->MsiExec.exe /X{90120000-0018-040C-0000-0000000FF1CE}
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{9011040C-6000-11D3-8CFE-0150048383C9}
Microsoft Office Professional Plus 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall PROPLUS /dll OSETUP.DLL
Microsoft Office Professional Plus 2007-->MsiExec.exe /X{90120000-0011-0000-0000-0000000FF1CE}
Microsoft Office Proof (Arabic) 2007-->MsiExec.exe /X{90120000-001F-0401-0000-0000000FF1CE}
Microsoft Office Proof (Dutch) 2007-->MsiExec.exe /X{90120000-001F-0413-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (German) 2007-->MsiExec.exe /X{90120000-001F-0407-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (French) 2007-->MsiExec.exe /X{90120000-002C-040C-0000-0000000FF1CE}
Microsoft Office Publisher MUI (French) 2007-->MsiExec.exe /X{90120000-0019-040C-0000-0000000FF1CE}
Microsoft Office Shared MUI (French) 2007-->MsiExec.exe /X{90120000-006E-040C-0000-0000000FF1CE}
Microsoft Office Word MUI (French) 2007-->MsiExec.exe /X{90120000-001B-040C-0000-0000000FF1CE}
Microsoft Silverlight-->MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053-->MsiExec.exe /X{770657D0-A123-3C07-8E44-1C83EC895118}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148-->MsiExec.exe /X{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022-->MsiExec.exe /X{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}
Microsoft Works-->MsiExec.exe /I{6B1CB38D-E2E4-4A30-933D-EFDEBA76AD9C}
Mise à jour du pilote du Gestionnaire pour appareils Windows Mobile-->MsiExec.exe /X{CB8CA439-DA83-419C-A4CF-5A0A50025144}
Module de compatibilité pour Microsoft Office System 2007-->MsiExec.exe /X{90120000-0020-040C-0000-0000000FF1CE}
Mozilla Firefox (2.0)-->C:\Program Files\Mozilla Firefox\uninstall\uninst.exe
MSVCRT-->MsiExec.exe /I{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB941833)-->MsiExec.exe /I{C523D256-313D-4866-B36A-F3DE528246EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 4.0 SP2 Parser and SDK-->MsiExec.exe /I{716E0306-8318-4364-8B8F-0CC4E9376BAC}
Mystery Case Files - Prime Suspects-->"C:\Program Files\Acer GameZone\Mystery Case Files - Prime Suspects\Uninstall.exe" "C:\Program Files\Acer GameZone\Mystery Case Files - Prime Suspects\install.log"
Mystery Case Files Ravenhearst-->"C:\Program Files\Acer GameZone\Mystery Case Files Ravenhearst\Uninstall.exe" "C:\Program Files\Acer GameZone\Mystery Case Files Ravenhearst\install.log"
NTI Backup NOW! 4.7-->"C:\Program Files\InstallShield Installation Information\{67ADE9AF-5CD9-4089-8825-55DE4B366799}\setup.exe" -removeonly
NTI CD & DVD-Maker-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{1577A05B-EE62-4BBC-9DB7-FE748FA44EC2} /l1036 CDM7
NVIDIA Drivers-->C:\Windows\system32\NVUNINST.EXE UninstallGUI
Outil de mise à jour Google-->"C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall
Outil de téléchargement Windows Live-->MsiExec.exe /I{205C6BDD-7B73-42DE-8505-9A093F35A238}
pdfforge Toolbar v1.0-->MsiExec.exe /X{B8B0FC8B-E69B-4215-AF1A-4BDFF20D794B}
PDF-XChange 3.0-->"C:\Program Files\PDF-XChange 3 Pro\unins000.exe"
PowerProducer 3.72-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B7A0CE06-068E-11D6-97FD-0050BACBF861}\Setup.exe" -uninstall
QuickTime-->MsiExec.exe /I{C78EAC6F-7A73-452E-8134-DBB2165C5A68}
RealPlayer-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek High Definition Audio Driver-->RtlUpd.exe -r -m
RICOH R5C83x/84x Flash Media Controller Driver Ver.3.52.02-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{59F6A514-9813-47A3-948C-8A155460CC2A}\Setup.exe" -l0x40c anything
SIW version 2008-07-15-->"C:\Program Files\SIW\unins000.exe"
Synaptics Pointing Device Driver-->rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
TeamViewer 4-->C:\Program Files\TeamViewer\Version4\uninstall.exe
Treasures of the Deep-->"C:\Program Files\Acer GameZone\Treasures of the Deep\Uninstall.exe" "C:\Program Files\Acer GameZone\Treasures of the Deep\install.log"
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""
Winbond CIR Drivers-->MsiExec.exe /X{427967BF-09F8-46D5-9275-37001CCBBA5D}
Windows Live Call-->MsiExec.exe /I{82C7B308-0BDD-49D8-8EA5-9CD3A3F9DF41}
Windows Live Communications Platform-->MsiExec.exe /I{3B4E636E-9D65-4D67-BA61-189800823F52}
Windows Live Messenger-->MsiExec.exe /X{059C042E-796A-4ACC-A81A-ECC2010BB78C}
Windows Media Player Firefox Plugin-->MsiExec.exe /I{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}

======Security center information======

AS: Windows Defender (disabled) (outdated)

======System event log======

Computer Name: AharonBloch
Event Code: 4374
Message: Windows Servicing has determined that this package KB958644 (Security Update) is not applicable to this system.
Record Number: 69909
Source Name: Microsoft-Windows-Servicing
Time Written: 20081023202213.000000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: AharonBloch
Event Code: 4374
Message: Windows Servicing has determined that this package KB958644 (Security Update) is not applicable to this system.
Record Number: 69910
Source Name: Microsoft-Windows-Servicing
Time Written: 20081023202213.000000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: AharonBloch
Event Code: 4227
Message: TCP/IP could not establish an outgoing connection because the selected local endpoint has recently been used to connect to the same remote endpoint. This error occurs when outbound connections are opened and closed at a high rate, causing all available local ports to be exhausted and forcing TCP/IP to reuse a local port for an outgoing connection. To reduce the risk of data corruption, the TCP/IP standard requires that a minimum time lapse occur between successive connections from a local endpoint to a remote endpoint.
Record Number: 69926
Source Name: Tcpip
Time Written: 20081023202704.101807-000
Event Type: Warning
User:

Computer Name: AharonBloch
Event Code: 6008
Message: The previous system shutdown at 01:02:56 on 24/10/2008 was unexpected.
Record Number: 69931
Source Name: EventLog
Time Written: 20081024053949.000000-000
Event Type: Error
User:

Computer Name: AharonBloch
Event Code: 4
Message: Broadcom NetLink (TM) Gigabit Ethernet: The network link is down. Check to make sure the network cable is properly connected.
Record Number: 69942
Source Name: b57nd60x
Time Written: 20081024053908.031325-000
Event Type: Warning
User:

=====Application event log=====

Computer Name: AharonBloch
Event Code: 63
Message: The OffPr provider

Here is the log file

Logfile of random's system information tool 1.06 (written by random/random)
Run by Aharon at 2009-09-06 11:58:03
Microsoft® Windows Vista™ Home Premium Edition Service Pack 1
System drive C: has 34 GB (30%) free of 114 GB
Total RAM: 3070 MB (39% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:58:08, on 06/09/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18813)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\pdfforge Toolbar\SearchSettings.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\taskeng.exe
C:\Windows\ehome\ehmsas.exe
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Windows\system32\WerCon.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Users\Aharon\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\Microsoft\Office Live\OfficeLiveSignIn.exe
C:\Program Files\Microsoft Office\Office12\POWERPNT.EXE
C:\Program Files\Davka Corp\DavkaWriter\davwrite.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Aharon\Desktop\RSIT.exe
C:\Program Files\trend micro\Aharon.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.cherche.us/keyword/%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ww12.cherche.us
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ww12.cherche.us
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.fr/?gws_rd=ssl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://fr.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tropal.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ww12.cherche.us
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.cherche.us/keyword/%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://ww12.cherche.us
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\pdfforge Toolbar\SearchSettings.dll
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live ID Sign-in Assistant Help Program - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: pdfforge Toolbar - {B922D405-6D13-4A2B-AE89-08A030DA4402} - C:\Program Files\pdfforge Toolbar\WidgiToolbarIE.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2
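The R0/R1/R3 lines in the HijackThis section above are what a helper scans for first: every search and start-page value that points at a host the user never chose (here ww12.cherche.us), plus a URLSearchHook with no display name. As an added example that is not part of the thread and not code from the RSIT or HijackThis authors, the following Python script reads lines in that format and flags the entries a reviewer would want to look at. The lines in SAMPLE_LOG are copied from the log above; the EXPECTED_DOMAINS allowlist is an assumption to be adjusted per machine.

```python
import re
from urllib.parse import urlparse

# Assumption: domains the user legitimately uses as search/start pages.
# Anything else in an R0/R1 value is reported for manual review.
EXPECTED_DOMAINS = {"google.fr", "google.com", "bing.com", "yahoo.com", "msn.com"}

# Sample lines in HijackThis format, taken from the log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.cherche.us/keyword/%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ww12.cherche.us
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.fr/?gws_rd=ssl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://fr.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ww12.cherche.us
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\pdfforge Toolbar\SearchSettings.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
"""

# "R1 - HKCU\...\Main,Search Bar = http://..."  ->  hive, key path, value name, value
R_LINE = re.compile(
    r"^(?P<kind>R[0-3]) - (?P<hive>HK[A-Z]+)\\(?P<key>.+?),(?P<name>[^=]+?) =\s*(?P<value>.*)$"
)
# "R3 - URLSearchHook: (no name) - {CLSID} - C:\path\to.dll"
R3_HOOK = re.compile(r"^R3 - URLSearchHook: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<dll>.*)$")


def registered_domain(host: str) -> str:
    """Crude 'last two labels' domain: ww12.cherche.us -> cherche.us.
    Good enough for reading a log; a real tool would use the public suffix list."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def analyze_hjt(text: str) -> list[dict]:
    """Return one finding per hijacked search/start-page value or unnamed URLSearchHook."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        hook = R3_HOOK.match(line)
        if hook:
            # A search hook with no display name is a classic toolbar/hijacker marker.
            if hook["name"].strip() == "(no name)":
                findings.append({"kind": "urlsearchhook", "clsid": hook["clsid"], "path": hook["dll"]})
            continue
        m = R_LINE.match(line)
        if not m:
            continue  # O2/O4/... lines are outside this check
        value = m["value"].strip()
        if not value:
            continue  # empty value points nowhere
        host = urlparse(value).hostname or ""
        if not host:
            continue
        domain = registered_domain(host)
        if domain not in EXPECTED_DOMAINS:
            findings.append({
                "kind": "search_hijack",
                "hive": m["hive"],
                "value_name": m["name"].strip(),
                "host": host,
                "domain": domain,
            })
    return findings


if __name__ == "__main__":
    for finding in analyze_hjt(SAMPLE_LOG):
        print(finding)
```

Run on the sample it reports the three cherche.us values and the unnamed hook; the Google and Yahoo values pass because they are on the allowlist, and the empty CustomizeSearch value is skipped. The allowlist is the part a helper tunes per case: a user whose default search is a small regional engine will need it added or every legitimate value gets flagged.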
fix200 (Security contributor):

Re,

Your USB keys are infected, along with an infected toolbar.

Let's get started ^^' :

▶ Under Vista:

Disable UAC, which can greatly hinder the disinfection process:

▶ Start Menu > Control Panel.

▶ Click on the "User Accounts" icon and then on "Turn User Account Control on or off".

▶ Uncheck the box "Use User Account Control (UAC) to help protect your computer".

▶ Confirm with OK; you will be asked to restart the PC, so do it!

▶ To help you: Tutorial 1 - Tutorial 2 - Tutorial 3

========================

VERY IMPORTANT:
* During the entire disinfection process, ensure that UAC is indeed disabled.
* Always run disinfection programs as an administrator (Right-click > "Run as admin..." )

========================

Download ToolBar S&D ( by Eric_71/Team IDN )

▶ Start the installation of the program by running the downloaded file and let it guide you through the installation.

! Disconnect and close all your running applications during the process!

▶ Right-click on the ToolbarS&D shortcut and choose "run as administrator"

▶ Press 2 (cleanup) then press [Enter].

▶ Do not touch anything during the scan

▶ A report will be generated at the end of the process: post its content in your next response

NOTE:
The report is saved here -> C:\TB.txt

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

**********************************************************
********************* Vista_Option 1 (search) ****************
**********************************************************

Disable UAC

Download UsbFix (by C_XX, Chiquitine29, & Chimay8)
Or here: UsbFix

▶ Run the downloaded file; do not touch the installation settings!

Connect your external data sources to your PC (USB stick, external hard drive, etc...) that may have been infected (!) without opening them (!)

▶ Right-click on the UsbFix shortcut on your desktop and choose "Run as administrator".

▶ In the main menu choose the "F" option for French and press [Enter].

▶ In the second menu choose option 1 (search)

▶ Let the tool work

Then post the UsbFix.txt report that will appear

Notes:
1- the UsbFix.txt report is saved at the root of the disk

2- If the Desktop does not reappear press Ctrl + Alt + Del, Tab "File", "New Task", type explorer.exe and confirm

3- "Process.exe", a component of the tool, is detected by some antivirus (AntiVir, Dr.Web, Kaspersky Anti-Virus) as a RiskTool.
It is not a virus, but a utility intended to terminate processes.
In the wrong hands, this utility could stop security software (Antivirus, Firewall...) hence the alert raised by these antivirus programs.
roni034 (Member):

RE

Here is the TB report:

-----------\\ ToolBar S&D 1.2.9 XP/Vista

Microsoft® Windows Vista™ Home Premium Edition ( v6.0.6001 ) Service Pack 1
X86-based PC ( Multiprocessor Free : Intel(R) Core(TM)2 Duo CPU T5550 @ 1.83GHz )
BIOS : ZD1 v1.3809 3H09
USER : Aharon ( Not Administrator ! )
BOOT : Normal boot
C:\ (Local Disk) - NTFS - Total:111 Go (Free:33 Go)
D:\ (Local Disk) - NTFS - Total:108 Go (Free:107 Go)
E:\ (Local Disk) - FAT32 - Total:149 Go (Free:131 Go)
F:\ (CD or DVD)
G:\ (USB) - FAT32 - Total:3816 Mo (Free:2 Go)

"C:\ToolBar SD" ( LAST UPDATE : 22-08-2009|18:42 )
Option : [2] ( 06/09/2009|12:27 )

[ UAC => 0 ]

-----------\\ DELETION

Delete! - C:\Program Files\Mozilla Firefox\extensions\search@searchsettings.com

-----------\\ File / Folder Scan ...

-----------\\ [..\Internet Explorer\Main]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="https://www.google.fr/?gws_rd=ssl"
"SEARCH PAGE"="http://ww12.cherche.us"
"Local Page"="C:\\Windows\\system32\\blank.htm"
"SearchMigratedDefaultURL"="http://ww12.cherche.us{searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8"
"Start Page_bak"="http://ww12.cherche.us"
"Search Bar"="http://ww12.cherche.us"
"Default_Search_URL"="http://www.cherche.us/keyword/%s"
"Url"="https://www.msn.com/fr-fr/actualite/"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Start Page"="https://www.msn.com/fr-fr/"
"Default_Page_URL"="https://fr.yahoo.com/"
"Default_Search_URL"="https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF"
"Search Page"="https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF"
"Local Page"="C:\\Windows\\System32\\blank.htm"

--------------------\\ Searching for other infections

No other infection found!

[ UAC => 1 ]

1 - "C:\ToolBar SD\TB_1.txt" - 06/09/2009|12:27 - Option : [2]

-----------\\ End of report at 12:27:49,63

Here is the USBfix report

############################## | UsbFix V6.026 |

User : Aharon (Administrators) # AHARONBLOCH
Update on 06/09/2009 by Chiquitine29, C_XX & Chimay8
Start at: 12:29:27 | 06/09/2009
Website : http://pagesperso-orange.fr/NosTools/index.html

Intel(R) Core(TM)2 Duo CPU T5550 @ 1.83GHz
Microsoft® Windows Vista™ Home Premium Edition (6.0.6001 32-bit) # Service Pack 1
Internet Explorer 8.0.6001.18813
Windows Firewall Status : Enabled

C:\ -> Local Fixed Drive # 111.69 Go (34.09 Go free) [ACER] # NTFS
D:\ -> Local Fixed Drive # 108.19 Go (107.83 Go free) [DATA] # NTFS
E:\ -> Local Fixed Drive # 149.01 Go (131.88 Go free) [FREECOM HDD] # FAT32
F:\ -> CD-ROM
G:\ -> Removable Drive # 3.73 Go (2.92 Go free) [AHARON] # FAT32

############################## | Active Processes |

C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\WLANExt.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\pdfforge Toolbar\SearchSettings.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe
C:\Windows\ehome\ehmsas.exe
C:\Acer\ALaunch\ALaunchSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Windows\system32\svchost.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Acer\Mobility Center\MobilityService.exe
C:\Windows\System32\svchost.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Windows\system32\svchost.exe
C:\Program Files\TeamViewer\Version4\TeamViewer_Service.exe
C:\Windows\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\WerCon.exe
C:\Windows\ehome\ehsched.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Users\Aharon\AppData\Local\Temp\RtkBtMnt.exe
C:\Windows\ehome\ehRecvr.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
C:\Windows\system32\msiexec.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe

################## | Infected # Folders |

Present! D:\install.exe
Present! G:\MS32DLL.dll.vbs
Present! G:\Recycler\S-5-3-42-2819952290-8240758988-879315005-3665
Present! G:\Recycler\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx

################## | Suspect ! ... | https://www.virustotal.com/gui/ |

################## | Registry # Infectious Run Keys |

################## | Registry # Mountpoints2 |

HKCU\..\..\Explorer\MountPoints2\{2648f02c-93e9-11dd-b1fa-001e6817d35b}
shell\AutoRun\command =E:\EXPLORER.EXE
shell\explore\Command =E:\EXPLORER.EXE
shell\open\Command =E:\EXPLORER.EXE

HKCU\..\..\Explorer\MountPoints2\{76845ae3-e2da-11dd-9a35-001e6817d35b}
shell\AutoRun\command =i.exe
shell\explore\Command =i.exe
shell\open\Command =i.exe

################## | ! End of report # UsbFix V6.026 ! |

THANK YOU VERY MUCH
0
fix200 Posted messages 3365 Status Contributeur sécurité 158
 
In addition to Conficker on your USB drive! In short, you're in deep trouble!!! :x

**********************************************************
********************* Vista_Option 2 (Cleaning) ***************
**********************************************************
Always with UAC disabled:

Connect to your PC any external storage (USB drive, external hard drive, etc.) that might have been infected (!), without opening it (!)

▶ Right-click on the shortcut UsbFix on your desktop and choose "Run as administrator".

▶ In the main menu, choose option "F" for French and press [Enter].

▶ In the second menu, choose option 2 (Removal)

▶ Your desktop will disappear and the PC will restart.

▶ Upon restarting, UsbFix will scan your PC, let the tool run.

Then post the UsbFix.txt report that will appear with the desktop.

▶ Note: The UsbFix.txt report is also saved at the root of the drive (C:\UsbFix.txt).

Help: How to Use UsbFix

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disable UAC

**********************************************************
********************* Option S (Scan) *********************
**********************************************************

Download AD-Remover (from C_XX) to your desktop:

! Disconnect and close all running applications!

• Double-click on "AD-R.exe" to start the installation and leave the installation settings at default.

• Right-click on the Ad-remover shortcut on your desktop and choose "Run as administrator".

• In the main menu, choose option "S" and press [Enter].

• Let the tool run and do not touch anything...

--> Post the report that appears at the end on the forum ... <--

Notes:

1- The report is also saved under C:\Ad-report-scan.log
2- "Process.exe", a component of the tool, is detected by some antivirus software:
(AntiVir, Dr.Web, Kaspersky Anti-Virus) as a RiskTool.
It is not a virus, but a utility intended to terminate processes.
In the wrong hands, this utility could stop security software (Antivirus, Firewall...) hence the alert issued by these antivirus programs.
0
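The two report sections the helper is reacting to (the "Infected Files" list and the MountPoints2 dump) are easy to read by hand once, but worth scripting when you triage several of these logs. The following is an added example, not code from the thread or from UsbFix itself: a small Python triage script that splits a UsbFix-style report into sections and explains why each entry matters. The report text embedded in SAMPLE_REPORT is a constructed sample that copies the format of the report posted above; the severity scale, the file name constant CONFICKER_FILE, and the three heuristics (a RECYCLER subfolder whose SID revision is not 1, a script or executable sitting in a drive root, and a cached AutoRun verb in MountPoints2) are this example's own assumptions, not UsbFix's detection rules.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample in the UsbFix report format seen in the thread (not a real capture).
SAMPLE_REPORT = r"""
################## | Infected Files # Folders |
Present ! D:\install.exe
Present ! G:\MS32DLL.dll.vbs
Present ! G:\Recycler\S-5-3-42-2819952290-8240758988-879315005-3665
Present ! G:\Recycler\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx
################## | Registry # Mountpoints2 |
HKCU\..\..\Explorer\MountPoints2\{2648f02c-93e9-11dd-b1fa-001e6817d35b}
shell\AutoRun\command =E:\EXPLORER.EXE
shell\open\Command =E:\EXPLORER.EXE
HKCU\..\..\Explorer\MountPoints2\{76845ae3-e2da-11dd-9a35-001e6817d35b}
shell\AutoRun\command =i.exe
shell\open\Command =i.exe
################## | ! End of report # UsbFix V6.026 ! |
"""

SECTION_RE = re.compile(r"^#+ \| (.+) \|\s*$")
FILE_RE = re.compile(r"^(Present|Deleted)\s*!\s*(.+?)\s*$")
KEY_RE = re.compile(r"MountPoints2\\(\{[0-9a-f-]{36}\})", re.I)
VERB_RE = re.compile(r"^shell\\(\w+)\\command\s*=\s*(.*)$", re.I)
RECYCLER_SID_RE = re.compile(r"\\recycler\\S-(\d+)-", re.I)  # a real SID is always revision 1
CONFICKER_FILE = "jwgkvsq.vmx"  # dropper name taken from the report; assumed constant here
SCRIPT_EXT = (".vbs", ".vbe", ".js", ".wsf", ".bat", ".cmd", ".scr", ".pif")
SYSTEM_NAMES = {"explorer.exe", "svchost.exe", "rundll32.exe"}


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "medium", the example's own scale
    kind: str
    subject: str   # file path or MountPoints2 GUID
    reason: str


def parse_sections(report: str) -> dict[str, list[str]]:
    """Split the report into {section title: non-empty body lines}."""
    sections: dict[str, list[str]] = {}
    title = None
    for line in report.splitlines():
        if m := SECTION_RE.match(line):
            title = m.group(1).strip()
            sections.setdefault(title, [])
        elif title is not None and line.strip():
            sections[title].append(line.rstrip())
    return sections


def parse_mountpoints(lines: list[str]) -> dict[str, dict[str, str]]:
    """Return {GUID: {verb: command}}; each GUID is one volume Explorer has seen."""
    result: dict[str, dict[str, str]] = {}
    guid = None
    for line in lines:
        if k := KEY_RE.search(line):
            guid = k.group(1).lower()
            result.setdefault(guid, {})
        elif (v := VERB_RE.match(line.strip())) and guid is not None:
            result[guid][v.group(1).lower()] = v.group(2).strip()
    return result


def check_path(path: str) -> Finding | None:
    low = path.lower()
    name = low.rsplit("\\", 1)[-1]
    in_root = low.count("\\") == 1          # e.g. G:\file.vbs
    sid = RECYCLER_SID_RE.search(low)
    if name == CONFICKER_FILE or (sid and sid.group(1) != "1"):
        return Finding("high", "conficker-recycler", path,
                       "RECYCLER subfolder with a fake SID (revision is not 1); Conficker USB dropper layout")
    if in_root and name.endswith(SCRIPT_EXT):
        return Finding("high", "root-script", path, "script in a drive root: classic autorun.inf worm payload")
    if in_root and name.endswith(".exe"):
        return Finding("medium", "root-executable", path, "executable in a drive root; check its hash before trusting it")
    return None


def check_mountpoint(guid: str, verbs: dict[str, str]) -> Finding | None:
    cmd = verbs.get("autorun")
    if cmd is None:
        return None
    exe = cmd.lower().rsplit("\\", 1)[-1]
    if "\\" not in cmd:
        why = "AutoRun verb runs a bare filename, so a drive-root autorun.inf launched it"
    elif exe in SYSTEM_NAMES and not cmd.lower().startswith("c:\\windows"):
        why = f"AutoRun verb runs '{exe}' from outside C:\\Windows (name masquerade)"
    else:
        why = "AutoRun verb cached from a removable drive whose autorun.inf launched an executable"
    return Finding("high", "mountpoints2-autorun", guid, f"{why}: {cmd}")


def triage(report: str) -> list[Finding]:
    """Walk the two sections that matter and return every finding in report order."""
    findings: list[Finding] = []
    for title, lines in parse_sections(report).items():
        if title.lower().startswith("infect"):
            findings += [f for m in map(FILE_RE.match, lines) if m and (f := check_path(m.group(2)))]
        elif "mountpoints2" in title.lower():
            findings += [f for g, v in parse_mountpoints(lines).items() if (f := check_mountpoint(g, v))]
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"[{f.severity}] {f.kind} {f.subject}\n    {f.reason}")
```

On the sample this yields six findings: the two RECYCLER entries and the root .vbs as high, D:\install.exe as medium only (the same drive also holds install.ini, VC_RED.MSI and the Visual C++ EULA files, so a hash check rather than deletion is the sensible first step), and one high finding per MountPoints2 GUID. The MountPoints2 point is the one worth remembering: HKCU\...\Explorer\MountPoints2 is where Explorer caches the shell verbs it parsed from each volume's autorun.inf, keyed by volume GUID, and the entries outlive the drive itself, which is why a stale "shell\AutoRun\command =i.exe" still tells you that an autorun.inf on that stick once launched an executable, and why UsbFix deletes those Command values in its cleaning pass. The "Deleted!" lines of a post-clean report parse the same way; they carry no verb lines, so check_mountpoint returns nothing for them.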
roni034 Posted messages 138 Registration date   Status Membre Last intervention   8
 
Here is the UsbFix log

############################## | UsbFix V6.026 |

User : Aharon (Administrators) # AHARONBLOCH
Update on 06/09/2009 by Chiquitine29, C_XX & Chimay8
Start at: 12:59:14 | 06/09/2009
Website : http://pagesperso-orange.fr/NosTools/index.html

Intel(R) Core(TM)2 Duo CPU T5550 @ 1.83GHz
Microsoft® Windows Vista™ Home Premium Edition (6.0.6001 32-bit) # Service Pack 1
Internet Explorer 8.0.6001.18813
Windows Firewall Status : Enabled

C:\ -> Local fixed disk # 111.69 Go (34.09 Go free) [ACER] # NTFS
D:\ -> Local fixed disk # 108.19 Go (107.83 Go free) [DATA] # NTFS
E:\ -> Local fixed disk # 149.01 Go (131.88 Go free) [FREECOM HDD] # FAT32
F:\ -> CD-ROM disk
G:\ -> Removable disk # 3.73 Go (2.92 Go free) [AHARON] # FAT32

############################## | Active Processes |

C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Acer\ALaunch\ALaunchSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Acer\Mobility Center\MobilityService.exe
C:\Windows\System32\svchost.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Windows\system32\svchost.exe
C:\Program Files\TeamViewer\Version4\TeamViewer_Service.exe
C:\Windows\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\WUDFHost.exe
C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\system32\WerCon.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Users\Aharon\AppData\Local\Temp\RtkBtMnt.exe
C:\Windows\ehome\ehsched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\ehome\ehRecvr.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser.exe
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\conime.exe

################## | Infectious Files # Folders |

Present ! D:\install.exe
Present ! G:\MS32DLL.dll.vbs
Present ! G:\Recycler\S-5-3-42-2819952290-8240758988-879315005-3665
Present ! G:\Recycler\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx

################## | Suspect ! ... | https://www.virustotal.com/gui/ |

################## | Registry # Infectious Run Keys |

################## | Registry # Mountpoints2 |

HKCU\..\..\Explorer\MountPoints2\{2648f02c-93e9-11dd-b1fa-001e6817d35b}
shell\AutoRun\command =E:\EXPLORER.EXE
shell\explore\Command =E:\EXPLORER.EXE
shell\open\Command =E:\EXPLORER.EXE

HKCU\..\..\Explorer\MountPoints2\{76845ae3-e2da-11dd-9a35-001e6817d35b}
shell\AutoRun\command =i.exe
shell\explore\Command =i.exe
shell\open\Command =i.exe

################## | ! End of report # UsbFix V6.026 ! |

Here is the Ad-Report log

.
======= AD-REMOVER REPORT 1.1.4.5_T | XP/VISTA/7 ONLY =======
.
Updated by C_XX on 05/09/2009 at 12:20 PM
Contact: AdRemover.contact@gmail.com
Website: http://pagesperso-orange.fr/NosTools/ad_remover.html
.
Started at: 13:02:17, 06/09/2009 | Normal Mode | Option: SCAN
Executed from: C:\Program Files\Ad-Remover\
Operating System: Microsoft® Windows Vista™ Home Premium Service Pack 1 v6.0.6001
PC Name: AHARONBLOCH | Current User: Aharon
.
============== ITEM(S) FOUND ==============
.
.
HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA9-A523-4961-B6BB-170DE4475CCA}
HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB}
HKCR\CLSID\{E312764E-7706-43F1-8DAB-FCDD2B1E416D}
HKLM\Software\Classes\CLSID\{E312764E-7706-43F1-8DAB-FCDD2B1E416D}
.
C:\Users\Aharon\AppData\LocalLow\Search Settings
C:\Windows\Installer\a9ccaa.msi
C:\Program Files\Windows Live\Messenger\Riched20.dll
.
============== Additional Scan ==============
.
.
* Mozilla FireFox Version 2.0 *
.
Profile Name: ahe19kzn.default (Aharon)
.
(Prefs.js) user_pref("browser.search.defaultenginename", "Google");
(Prefs.js) user_pref("browser.search.selectedEngine", "Google");
(Prefs.js) user_pref("browser.search.defaulturl", "hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=");
(Prefs.js) user_pref("browser.startup.homepage", "hxxp://www.cherche.us/");
(Prefs.js) user_pref("browser.startup.homepage_override.mstone", "rv:1.8.1");
.
.
.
* Internet Explorer Version 8.0.6001.18813 *
.
[HKEY_CURRENT_USER\..\Internet Explorer\Main]
.
Start Page: hxxp://www.google.fr/
SEARCH PAGE: hxxp://www.cherche.us
Start Page_bak: hxxp://www.cherche.us
Search Bar: hxxp://www.cherche.us
Default_Search_URL: hxxp://www.cherche.us/keyword/%s
.
[HKEY_LOCAL_MACHINE\..\Internet Explorer\Main]
.
Start Page: hxxp://www.msn.com/
Default_Page_URL: hxxp://fr.fr.acer.yahoo.com
Default_Search_URL: hxxp://go.microsoft.com/fwlink/?LinkId=54896
Search Page: hxxp://go.microsoft.com/fwlink/?LinkId=54896
.
[HKEY_LOCAL_MACHINE\..\Internet Explorer\ABOUTURLS]
.
Tabs: res://ieframe.dll/tabswelcome.htm
.
===================================
.
2249 Bytes - C:\Ad-Report-SCAN.log
.
107 Files - C:\Users\Aharon\AppData\Local\Temp
30 Files - C:\Windows\Temp
.
1 File - C:\Program Files\Ad-Remover\BACKUP
0 Files - C:\Program Files\Ad-Remover\QUARANTINE
.
End at: 13:32:25 | 06/09/2009
.
============== E.O.F ==============
.
Thank you very much
0
fix200 Posted messages 3365 Status Contributeur sécurité 158
 
Re,

Please reread the instructions; UsbFix option 2!

**********************************************************
********************* Option L (cleaning) *********************
**********************************************************

! Disconnect and close all running applications!

• Right-click on the Ad-remover shortcut on your desktop and select "Run as administrator."

• In the main menu, choose option "L" and press [enter].

• Let the tool work and do not touch anything...

--> Post the report that appears at the end on the forum... <--

Notes:

1- The report is also saved under C:\Ad-report-clean.log
2- "Process.exe," a component of the tool, is detected by some antivirus software:
(AntiVir, Dr.Web, Kaspersky Anti-Virus) as a RiskTool.
It is not a virus, but a utility intended to terminate processes.
In the wrong hands, this utility could stop security software (Antivirus, Firewall...), hence the alert issued by these antivirus programs.


Help with images (Cleaning)

**********************************************************
********************* Vista_Option 2 (Cleaning) ***************
**********************************************************
Always with UAC disabled:

Connect to your PC any external storage (USB stick, external hard drive, etc.) that may have been infected (!), without opening it (!)

▶ Right-click on the UsbFix shortcut on your desktop and select "Run as administrator."

▶ In the main menu, choose option "F" for French and press [enter].

▶ In the second menu, choose option 2 (Removal)

▶ Your desktop will disappear and the PC will restart.

▶ Upon restarting, UsbFix will scan your PC, let the tool work.

Then post the UsbFix.txt report that will appear with the desktop.

▶ Note: The UsbFix.txt report is also saved at the root of the drive (C:\UsbFix.txt).

Help: How to Use UsbFix
0
roni034 Posted messages 138 Registration date   Status Membre Last intervention   8
 
UsbFix report

############################## | UsbFix V6.026 |

User : Aharon (Administrators) # AHARONBLOCH
Updated on 06/09/2009 by Chiquitine29, C_XX & Chimay8
Started at: 17:57:14 | 06/09/2009
Website : http://pagesperso-orange.fr/NosTools/index.html

Intel(R) Core(TM)2 Duo CPU T5550 @ 1.83GHz
Microsoft® Windows Vista™ Home Premium Edition (6.0.6001 32-bit) # Service Pack 1
Internet Explorer 8.0.6001.18813
Windows Firewall Status : Enabled

C:\ -> Local fixed disk # 111.69 Go (33.67 Go free) [ACER] # NTFS
D:\ -> Local fixed disk # 108.19 Go (107.83 Go free) [DATA] # NTFS
F:\ -> CD-ROM drive
G:\ -> Removable drive # 3.73 Go (2.92 Go free) [AHARON] # FAT32

############################## | Active Processes |

C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\LogonUI.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe
C:\Acer\ALaunch\ALaunchSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Acer\Mobility Center\MobilityService.exe
C:\Windows\System32\svchost.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Windows\system32\svchost.exe
C:\Program Files\TeamViewer\Version4\TeamViewer_Service.exe
C:\Windows\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Windows\system32\runonce.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Calendar\WinCal.exe

################## | Infected Files # Folders |

Deleted! D:\install.exe
Deleted! G:\MS32DLL.dll.vbs
Deleted! G:\Recycler\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx
Deleted! G:\Recycler\S-5-3-42-2819952290-8240758988-879315005-3665

################## | Other |

################## | Suspect ! ... | https://www.virustotal.com/gui/ |

################## | Registry # Infected Run Keys |

################## | Registry # Mountpoints2 |

Deleted! HKCU\...\Explorer\MountPoints2\{2648f02c-93e9-11dd-b1fa-001e6817d35b}\Shell\AutoRun\Command
Deleted! HKCU\...\Explorer\MountPoints2\{76845ae3-e2da-11dd-9a35-001e6817d35b}\Shell\AutoRun\Command

################## | Listing of present files |

[21/12/2007 07:23|--a------|3377] C:\-20071221.log
[21/05/2008 20:56|--a------|3913] C:\-20080521.log
[06/09/2009 13:32|--a------|2565] C:\Ad-Report-SCAN.log
[18/09/2006 23:43|--a------|24] C:\autoexec.bat
[19/01/2008 09:45|-rahs----|333203] C:\bootmgr
[21/12/2007 13:31|-ra-s----|8192] C:\BOOTSECT.BAK
[18/09/2006 23:43|--a------|10] C:\config.sys
[11/08/2008 12:47|--a------|117] C:\finfos.txt
[?|?|?] C:\hiberfil.sys
[06/09/2009 11:35|--a------|1029] C:\InstallHelper.log
[11/08/2008 12:50|-rahs----|0] C:\IO.SYS
[11/11/2008 01:09|--a------|7] C:\ISACER.id
[16/08/2005 09:49|---------|40960] C:\junction.exe
[28/06/2007 10:44|--a------|512] C:\MDR.iss
[22/02/2008 18:11|--a------|20] C:\Medion.ini
[11/08/2008 12:46|--a------|438] C:\mpeg.txt
[11/08/2008 12:50|-rahs----|0] C:\MSDOS.SYS
[29/02/2004 17:44|--a------|52576] C:\orange.bmp
[?|?|?] C:\pagefile.sys
[22/02/2008 18:08|--a------|60] C:\Partition.txt
[22/02/2008 18:01|--a------|426] C:\RHDSetup.log
[21/12/2007 07:09|--a------|178] C:\setup.log
[25/03/2009 00:58|--ah-----|268] C:\sqmdata00.sqm
[30/04/2009 20:58|--ah-----|232] C:\sqmdata01.sqm
[01/05/2009 10:41|--ah-----|232] C:\sqmdata02.sqm
[02/05/2009 22:28|--ah-----|232] C:\sqmdata03.sqm
[03/05/2009 02:32|--ah-----|232] C:\sqmdata04.sqm
[21/06/2009 01:23|--ah-----|232] C:\sqmdata05.sqm
[07/07/2009 15:49|--ah-----|232] C:\sqmdata06.sqm
[01/02/2009 19:04|--ah-----|232] C:\sqmdata07.sqm
[01/02/2009 19:10|--ah-----|232] C:\sqmdata08.sqm
[01/02/2009 19:18|--ah-----|232] C:\sqmdata09.sqm
[17/02/2009 15:44|--ah-----|232] C:\sqmdata10.sqm
[17/02/2009 18:36|--ah-----|232] C:\sqmdata11.sqm
[04/03/2009 16:43|--ah-----|232] C:\sqmdata12.sqm
[04/03/2009 16:45|--ah-----|232] C:\sqmdata13.sqm
[04/03/2009 17:27|--ah-----|232] C:\sqmdata14.sqm
[06/03/2009 15:04|--ah-----|232] C:\sqmdata15.sqm
[08/03/2009 09:53|--ah-----|232] C:\sqmdata16.sqm
[08/03/2009 12:51|--ah-----|232] C:\sqmdata17.sqm
[08/03/2009 12:51|--ah-----|232] C:\sqmdata18.sqm
[08/03/2009 13:35|--ah-----|232] C:\sqmdata19.sqm
[25/03/2009 00:58|--ah-----|244] C:\sqmnoopt00.sqm
[30/04/2009 20:58|--ah-----|244] C:\sqmnoopt01.sqm
[01/05/2009 10:41|--ah-----|244] C:\sqmnoopt02.sqm
[02/05/2009 22:28|--ah-----|244] C:\sqmnoopt03.sqm
[03/05/2009 02:32|--ah-----|244] C:\sqmnoopt04.sqm
[21/06/2009 01:23|--ah-----|244] C:\sqmnoopt05.sqm
[07/07/2009 15:49|--ah-----|244] C:\sqmnoopt06.sqm
[01/02/2009 19:04|--ah-----|244] C:\sqmnoopt07.sqm
[01/02/2009 19:10|--ah-----|244] C:\sqmnoopt08.sqm
[01/02/2009 19:18|--ah-----|244] C:\sqmnoopt09.sqm
[17/02/2009 15:44|--ah-----|244] C:\sqmnoopt10.sqm
[17/02/2009 18:36|--ah-----|244] C:\sqmnoopt11.sqm
[04/03/2009 16:43|--ah-----|244] C:\sqmnoopt12.sqm
[04/03/2009 16:45|--ah-----|244] C:\sqmnoopt13.sqm
[04/03/2009 17:27|--ah-----|244] C:\sqmnoopt14.sqm
[06/03/2009 15:04|--ah-----|244] C:\sqmnoopt15.sqm
[08/03/2009 09:53|--ah-----|244] C:\sqmnoopt16.sqm
[08/03/2009 12:51|--ah-----|244] C:\sqmnoopt17.sqm
[08/03/2009 12:51|--ah-----|244] C:\sqmnoopt18.sqm
[08/03/2009 13:35|--ah-----|244] C:\sqmnoopt19.sqm
[06/09/2009 12:27|--a------|2236] C:\TB.txt
[06/09/2009 18:01|--a------|6895] C:\UsbFix.txt
[07/11/2007 08:00|--a------|17734] D:\eula.1028.txt
[07/11/2007 08:00|--a------|17734] D:\eula.1031.txt
[07/11/2007 08:00|--a------|10134] D:\eula.1033.txt
[07/11/2007 08:00|--a------|17734] D:\eula.1036.txt
[07/11/2007 08:00|--a------|17734] D:\eula.1040.txt
[07/11/2007 08:00|--a------|118] D:\eula.1041.txt
[07/11/2007 08:00|--a------|17734] D:\eula.1042.txt
[07/11/2007 08:00|--a------|17734] D:\eula.2052.txt
[07/11/2007 08:00|--a------|17734] D:\eula.3082.txt
[07/11/2007 08:00|--a------|1110] D:\globdata.ini
[07/11/2007 08:00|--a------|843] D:\install.ini
[07/11/2007 08:03|--a------|76304] D:\install.res.1028.dll
[07/11/2007 08:03|--a------|96272] D:\install.res.1031.dll
[07/11/2007 08:03|--a------|91152] D:\install.res.1033.dll
[07/11/2007 08:03|--a------|97296] D:\install.res.1036.dll
[07/11/2007 08:03|--a------|95248] D:\install.res.1040.dll
[07/11/2007 08:03|--a------|81424] D:\install.res.1041.dll
[07/11/2007 08:03|--a------|79888] D:\install.res.1042.dll
[07/11/2007 08:03|--a------|75792] D:\install.res.2052.dll
[07/11/2007 08:03|--a------|96272] D:\install.res.3082.dll
[05/01/2002 11:48|--a------|974848] D:\mfc70.dll
[05/01/2002 11:36|--a------|964608] D:\mfc70u.dll
[05/01/2002 10:37|--a------|344064] D:\msvcr70.dll
[07/11/2007 08:00|--a------|5686] D:\vcredist.bmp
[07/11/2007 08:09|--a------|1442522] D:\VC_RED.cab
[07/11/2007 08:12|--a------|232960] D:\VC_RED.MSI
[18/06/2009 00:44|---h-----|1150464] G:\~WRL0004.tmp
[05/09/2009 23:44|--a------|1622] G:\BOOTEX.LOG

################## | Upload |

Please send the file: C:\Users\Aharon\Desktop\UsbFix_Upload_Me_AharonBloch.zip : https://www.androidworld.fr/
Thank you for your contribution.

Ad-Report report

.
======= AD-REMOVER REPORT 1.1.4.5_T | ONLY XP/VISTA/7 =======
.
Updated by C_XX on 05/09/2009 at 12:20 PM
Contact: AdRemover.contact@gmail.com
Website: http://pagesperso-orange.fr/NosTools/ad_remover.html
.
Started at: 18:05:13, 06/09/2009 | Normal Mode | Option: CLEAN
Executed from: C:\Program Files\Ad-Remover\
Operating System: Microsoft® Windows Vista™ Home Premium Service Pack 1 v6.0.6001
Computer Name: AHARONBLOCH | Current User: Aharon
.
============== NEUTRALIZED ITEM(S) ==============
.
.
HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA9-A523-4961-B6BB-170DE4475CCA}
HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB}
HKCR\CLSID\{E312764E-7706-43F1-8DAB-FCDD2B1E416D}
.
C:\Users\Aharon\AppData\LocalLow\Search Settings\kb128
C:\Users\Aharon\AppData\LocalLow\Search Settings\kb128\temp
C:\Users\Aharon\AppData\LocalLow\Search Settings\kb128\temp\ws-14490.log
C:\Users\Aharon\AppData\LocalLow\Search Settings\kb128\temp\ws-14493.log
C:\Users\Aharon\AppData\LocalLow\Search Settings
C:\Windows\Installer\a9ccaa.msi
C:\Program Files\Windows Live\Messenger\riched20.dll

(!) -- Temporary files deleted.

.
============== Additional scan ==============
.
.
* Mozilla FireFox Version 2.0 *
.
Profile name: ahe19kzn.default (Aharon)
.
(Prefs.js) user_pref("browser.search.defaultenginename", "Google");
(Prefs.js) user_pref("browser.search.selectedEngine", "Google");
(Prefs.js) user_pref("browser.search.defaulturl", "hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=");
(Prefs.js) user_pref("browser.startup.homepage", "hxxp://www.cherche.us/");
(Prefs.js) user_pref("browser.startup.homepage_override.mstone", "rv:1.8.1");
.
.
.
* Internet Explorer Version 8.0.6001.18813 *
.
[HKEY_CURRENT_USER\..\Internet Explorer\Main]
.
Start Page: Window Title
SEARCH PAGE: hxxp://www.cherche.us
Start Page_bak: hxxp://www.cherche.us
Search Bar: hxxp://go.microsoft.com/fwlink/?linkid=54896
Default_Search_URL: hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
Default_page_url: hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
.
[HKEY_LOCAL_MACHINE\..\Internet Explorer\Main]
.
Start Page: hxxp://fr.msn.com/
Default_Page_URL: hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
Default_Search_URL: hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
Search Page: hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
Search bar: hxxp://search.msn.com/spbasic.htm
.
[HKEY_LOCAL_MACHINE\..\Internet Explorer\ABOUTURLS]
.
Tabs: res://ieframe.dll/tabswelcome.htm
.
===================================
.
2735 Bytes - C:\Ad-Report-CLEAN.log
2565 Bytes - C:\Ad-Report-SCAN.log
.
1 File(s) - C:\Users\Aharon\AppData\Local\Temp
1 File(s) - C:\Windows\Temp
.
21 File(s) - C:\Program Files\Ad-Remover\BACKUP
2 File(s) - C:\Program Files\Ad-Remover\QUARANTINE
.
End at: 18:36:37 | 06/09/2009
.
============== E.O.F ==============
.
0
fix200 Posted messages 3365 Status Contributeur sécurité 158
 
Hi,

Very good ...! ;)

Redo RSIT and paste the obtained report for analysis.

++
0
roni034 Posted messages 138 Registration date   Status Membre Last intervention   8
 
Voilà :)

Logfile of random's system information tool 1.06 (written by random/random)
Run by Aharon at 2009-09-06 19:28:14
Microsoft® Windows Vista™ Home Premium Edition Service Pack 1
System drive C: has 39 GB (34%) free of 114 GB
Total RAM: 3070 MB (55% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:28:33, on 06/09/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18813)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\explorer.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft\Office Live\OfficeLiveSignIn.exe
C:\Program Files\Microsoft Office\Office12\POWERPNT.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Aharon\Desktop\RSIT.exe
C:\Program Files\trend micro\Aharon.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ww12.cherche.us
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Window Title
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ww12.cherche.us
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.cherche.us/keyword/%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://ww12.cherche.us
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live ID Sign-In Assistant Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: pdfforge Toolbar - {B922D405-6D13-4A2B-AE89-08A030DA4402} - C:\Program Files\pdfforge Toolbar\WidgiToolbarIE.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: pdfforge Toolbar - {B922D405-6D13-4A2B-AE89-08A030DA4402} - C:\Program Files\pdfforge Toolbar\WidgiToolbarIE.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ALaunch] C:\Acer\ALaunch\AlaunchClient.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [PLFSet] rundll32.exe C:\Windows\PLFSet.dll,PLFDefSetting
O4 - HKLM\..\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe
O4 - HKLM\..\Run: [WarReg_PopUp] C:\Acer\WR_PopUp\WarReg_PopUp.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Google Quick Search Box] "C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun
O4 - HKCU\..\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Empowering Technology Launcher.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - cmdmapping - (no file) (HKCU)
O13 - Gopher Prefix:
O15 - Trusted Zone: http://www.secuser.com
O16 - DPF: Garmin Communicator Plug-In - https://my.garmin.com/mygarmin/m/GarminAxControl.CAB
O16 - DPF: {DFB5BCF1-06AE-4ABB-BFA8-1E228F41C50A} - https://www.bobtv.fr/download/cfweb_www.bobtv.fr-download_instmodule.exe
O23 - Service: ALaunch Service (ALaunchService) - Unknown owner - C:\Acer\ALaunch\ALaunchSvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel(R) Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: TeamViewer 4 (TeamViewer4) - TeamViewer GmbH - C:\Program Files\TeamViewer\Version4\TeamViewer_Service.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 8800 bytes

======Scheduled tasks folder======

C:\Windows\tasks\Google Software Updater.job
C:\Windows\tasks\User_Feed_Synchronization-{4CC4458E-AF2E-4351-B93C-B22A63D5170E}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-23 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3049C3E9-B461-4BC5-8870-4C09146192CA}]
RealPlayer Download and Record Plugin for Internet Explorer - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll [2009-03-26 312928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live ID Sign-In Assistant Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-03-30 403824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2009-09-06 256112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll [2009-09-06 761840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B922D405-6D13-4A2B-AE89-08A030DA4402}]
pdfforge Toolbar - C:\Program Files\pdfforge Toolbar\WidgiToolbarIE.dll [2009-01-30 650752]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}]
Google Dictionary Compression sdch - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll [2009-09-06 458736]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-03-09 35840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{B922D405-6D13-4A2B-AE89-08A030DA4402} - pdfforge Toolbar - C:\Program Files\pdfforge Toolbar\WidgiToolbarIE.dll [2009-01-30 650752]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - Google Toolbar - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2009-09-06 256112]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2008-01-19 1008184]
"ALaunch"=C:\Acer\ALaunch\AlaunchClient.exe []
"SynTPStart"=C:\Program Files\Synaptics\SynTP\SynTPStart.exe [2007-12-14 102400]
"Acer Tour"= []
"RtHDVCpl"=C:\Windows\RtHDVCpl.exe [2007-12-14 4702208]
"LManager"=C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE [2008-01-02 707080]
"PLFSet"=C:\Windows\PLFSet.dll [2007-04-25 45056]
"eRecoveryService"= []
"Acer Tour Reminder"=C:\Acer\AcerTour\Reminder.exe [2007-08-01 151552]
"WarReg_PopUp"=C:\Acer\WR_PopUp\WarReg_PopUp.exe [2006-11-05 57344]
"pdfSaver3"= []
"NvSvc"=C:\Windows\system32\nvsvc.dll [2007-12-14 86016]
"NvCplDaemon"=C:\Windows\system32\NvCpl.dll [2007-12-14 8501792]
"NvMediaCenter"=C:\Windows\system32\NvMcTray.dll [2007-12-14 81920]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-10-15 39792]
"avast!"=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe [2009-02-05 81000]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-03-09 148888]
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2009-03-26 198160]
"Google Quick Search Box"=C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe [2009-09-06 122368]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Acer Tour Reminder"=C:\Acer\AcerTour\Reminder.exe [2007-08-01 151552]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2008-05-11 68856]
"ehTray.exe"=C:\Windows\ehome\ehTray.exe [2008-01-19 125952]
"WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanalPlayer]
C:\Program Files\Lecteur CANALPLAY\CanalPlayer.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
C:\Users\Aharon\AppData\Local\Google\Update\GoogleUpdate.exe /c []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [2006-12-10 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PlayMovie]
C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe [2007-12-05 200704]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
C:\PROGRA~1\HP\DIGITA~1\bin\hpqtra08.exe [2007-01-02 210520]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Users^Aharon^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Orion.lnk]
C:\Convesoft\Orion\Messenger.exe []

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
Empowering Technology Launcher.lnk - C:\Acer\Empowering Technology\eAPLauncher.exe

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"FilterAdministratorToken"=1
"EnableUIADesktopToggle"=0
"UacDisableNotify"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=FFFFFFFF
"NoDriveTypeAutoRun"=255
"HonorAutoRunSetting"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======File associations======

.js - edit - C:\Windows\System32\Notepad.exe %1
.js - open - C:\Windows\System32\WScript.exe "%1" %*

======List of files/folders created in the last 1 months======

2009-09-06 17:57:10 ----A---- C:\UsbFix.txt
2009-09-06 13:02:14 ----D---- C:\Program Files\Ad-Remover
2009-09-06 12:29:08 ----D---- C:\UsbFix
2009-09-06 12:27:03 ----A---- C:\TB.txt
2009-09-06 12:25:37 ----D---- C:\ToolBar SD
2009-09-06 11:47:42 ----D---- C:\Program Files\trend micro
2009-09-06 11:47:41 ----D---- C:\rsit
2009-09-06 10:57:38 ----D---- C:\Program Files\Microsoft Visual Studio
2009-09-06 10:48:08 ----D---- C:\Program Files\Microsoft Visual Studio 8
2009-09-06 10:45:28 ----RHD---- C:\MSOCache
2009-09-02 23:31:41 ----A---- C:\Windows\system32\Apphlpdm.dll
2009-09-02 23:31:40 ----A---- C:\Windows\system32\GameUXLegacyGDFs.dll
2009-09-01 18:20:42 ----A---- C:\Windows\system32\kerberos.dll
2009-09-01 18:20:41 ----A---- C:\Windows\system32\msv1_0.dll
2009-09-01 18:20:40 ----A---- C:\Windows\system32\wdigest.dll
2009-09-01 18:20:39 ----A---- C:\Windows\system32\lsasrv.dll
2009-09-01 18:20:38 ----A---- C:\Windows\system32\schannel.dll
2009-09-01 18:20:36 ----A---- C:\Windows\system32\secur32.dll
2009-09-01 18:20:36 ----A---- C:\Windows\system32\lsass.exe
2009-08-30 15:56:28 ----D---- C:\Program Files\Acoolsoft
2009-08-30 15:31:50 ----D---- C:\Users\Aharon\AppData\Roaming\TeamViewer
2009-08-30 15:31:46 ----D---- C:\Program Files\TeamViewer
2009-08-30 14:41:56 ----D---- C:\Users\Aharon\AppData\Roaming\gtk-2.0
2009-08-30 14:25:54 ----D---- C:\Program Files\GIMP-2.0
2009-08-27 19:51:13 ----D---- C:\Users\Aharon\AppData\Roaming\LMSOFT
2009-08-27 19:41:28 ----D---- C:\Program Files\Mindscape
2009-08-27 14:38:51 ----A---- C:\Windows\system32\tzres.dll
2009-08-14 15:53:23 ----D---- C:\Program Files\Maïdo Production
2009-08-14 01:52:22 ----D---- C:\Program Files\LimeWire
2009-08-12 16:21:17 ----A---- C:\Windows\system32\atl.dll
2009-08-12 16:21:14 ----A---- C:\Windows\system32\wkssvc.dll
2009-08-12 16:21:06 ----A---- C:\Windows\system32\wmp.dll
2009-08-12 16:21:05 ----A---- C:\Windows\system32\wmpdxm.dll
2009-08-12 16:21:04 ----A---- C:\Windows\system32\spwmp.dll
2009-08-12 16:21:03 ----A---- C:\Windows\system32\dxmasf.dll
2009-08-12 16:21:02 ----A---- C:\Windows\system32\wmploc.DLL
2009-08-12 16:20:59 ----A---- C:\Windows\system32\avifil32.dll
2009-08-12 16:20:55 ----A---- C:\Windows\system32\mstscax.dll

======List of files/folders modified in the last 1 months======

2009-09-06 19:28:25 ----D---- C:\Windows\Prefetch
2009-09-06 19:28:18 ----D---- C:\Windows\Temp
2009-09-06 19:27:08 ----RSD---- C:\Windows\Fonts
2009-09-06 19:14:33 ----SHD---- C:\System Volume Information
2009-09-06 19:13:07 ----D---- C:\Windows\System32
2009-09-06 19:13:07 ----D---- C:\Windows\inf
2009-09-06 19:13:07 ----A---- C:\Windows\system32\PerfStringBackup.INI
2009-09-06 19:11:08 ----SHD---- C:\Windows\Installer
2009-09-06 18:01:09 ----SD---- C:\Windows\Downloaded Program Files
2009-09-06 17:59:23 ----D---- C:\Windows\Tasks
2009-09-06 17:59:01 ----SHD---- C:\$RECYCLE.BIN
2009-09-06 17:06:22 ----D---- C:\Program Files\Google
2009-09-06 13:02:14 ----RD---- C:\Program Files
2009-09-06 11:40:04 ----HD---- C:\Program Files\InstallShield Installation Information
2009-09-06 11:36:00 ----D---- C:\ProgramData\eBay
2009-09-06 11:09:52 ----D---- C:\ProgramData\Microsoft Help
2009-09-06 11:09:47 ----D---- C:\Program Files\Common Files\microsoft shared
2009-09-06 11:09:01 ----D---- C:\Windows\ShellNew
2009-09-06 11:08:48 ----A---- C:\Windows\win.ini
2009-09-06 11:08:39 ----D---- C:\Program Files\Common Files\System
2009-09-06 11:04:16 ----RSD---- C:\Windows\assembly
2009-09-06 11:04:06 ----D---- C:\Windows\winsxs
2009-09-06 11:00:28 ----D---- C:\ProgramData\Pinnacle
2009-09-06 10:59:12 ----D---- C:\Program Files\Microsoft Works
2009-09-06 10:58:17 ----D---- C:\Program Files\MSBuild
2009-09-06 10:57:46 ----D---- C:\Program Files\Microsoft Office
2009-09-06 10:56:08 ----SD---- C:\ProgramData\Microsoft
2009-09-06 10:40:09 ----D---- C:\ProgramData\Google Updater
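Reading a log like the one above by hand means scanning the O23 services, the Run-key values and the AutoRun policy for the same few warning signs every time. The script below, added here as an example and not a tool from this thread or from RSIT's author, does that mechanically: it parses those three line types, flags an unknown vendor, a "(file missing)" path, an entry with no date/size, an empty command, or a binary running from a user profile or Temp folder, and decodes the NoDriveTypeAutoRun bitmask. The sample input is constructed from a few lines of the log above; the flag rules and labels, and the reading of an empty "[]" as "RSIT found no file to stamp", are assumptions of this example.

```python
"""Triage an RSIT/HijackThis-style log: added example, not a tool from this thread.
Parses O23 service lines, Run/startupreg entries and the NoDriveTypeAutoRun policy
and flags entries a helper checks first. Flag rules and labels are this script's own."""
import re
from dataclasses import dataclass, field

# NoDriveTypeAutoRun bits (Microsoft KB967715): a set bit disables AutoRun for that
# drive type; 0xFF disables it everywhere, the usual setting against USB worms.
DRIVE_TYPE_BITS = {0x01: "unknown", 0x02: "no root directory", 0x04: "removable", 0x08: "fixed",
                   0x10: "network", 0x20: "CD-ROM", 0x40: "RAM disk", 0x80: "unknown"}
SERVICE_PREFIX = "O23 - Service: "
RUN_VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=(?P<value>.*)$')
META_RE = re.compile(r"\s\[(?P<meta>[^\]]*)\]$")  # trailing "[date size]" or "[]"
PROFILE_RE = re.compile(r"\\(Users|Documents and Settings)\\[^\\]+\\", re.IGNORECASE)

@dataclass
class Entry:
    kind: str        # "service" or "startup"
    name: str
    path: str
    vendor: str = ""
    flags: list = field(default_factory=list)

def _flag_path(entry):
    if "(file missing)" in entry.path:
        entry.flags.append("file missing")
    if PROFILE_RE.search(entry.path) or "\\Temp\\" in entry.path:
        entry.flags.append("runs from a user-writable location")

def parse_service(line):
    parts = line[len(SERVICE_PREFIX):].split(" - ")   # name - vendor - path
    entry = Entry("service", parts[0], " - ".join(parts[2:]), vendor=parts[1] if len(parts) > 1 else "")
    if entry.vendor == "Unknown owner":
        entry.flags.append("unknown vendor")
    _flag_path(entry)
    return entry

def parse_startup(name, value, section):
    m = META_RE.search(value)
    meta = m.group("meta") if m else None
    path = (value[:m.start()] if m else value).strip()
    entry = Entry("startup", name or section.rsplit("\\", 1)[-1], path)
    if not path:
        entry.flags.append("empty command (orphaned entry)")
    elif meta == "":   # assumption: an empty "[]" means RSIT found no file to stamp
        entry.flags.append("no date/size recorded")
    _flag_path(entry)
    return entry

def decode_autorun(value):
    v = value.strip()
    if not v:        # the HKLM policy key in the log above has no value at all
        return {"value": None, "autorun_disabled_on": [], "all_disabled": False}
    try:
        n = int(v, 10)   # RSIT prints this value in decimal (255 in the log above)
    except ValueError:
        n = int(v, 16)   # some DWORDs come out as hex, e.g. FFFFFFFF
    disabled = sorted({lbl for bit, lbl in DRIVE_TYPE_BITS.items() if n & bit})
    return {"value": n, "autorun_disabled_on": disabled, "all_disabled": (n & 0xFF) == 0xFF}

def triage(log_text):
    result, section = {"services": [], "startup": [], "autorun": {}}, ""
    for line in (raw.strip() for raw in log_text.splitlines()):
        if line.startswith(SERVICE_PREFIX):
            result["services"].append(parse_service(line))
        elif line.startswith("[") and line.endswith("]"):
            section = line[1:-1]                     # registry key header
        elif (m := RUN_VALUE_RE.match(line)) and m.group("name") == "NoDriveTypeAutoRun" and "Policies" in section:
            result["autorun"][section] = decode_autorun(m.group("value"))
        elif section.endswith("\\Run") or "\\startupreg\\" in section or "\\startupfolder\\" in section:
            if m:
                result["startup"].append(parse_startup(m.group("name"), m.group("value"), section))
            elif re.match(r"^[A-Za-z]:\\", line):    # startupreg entries are a bare command line
                result["startup"].append(parse_startup("", line, section))
    return result

def report(result):
    lines = [f"[{e.kind}] {e.name}: {e.path}  <- {', '.join(e.flags)}"
             for e in result["services"] + result["startup"] if e.flags]
    for key, ar in result["autorun"].items():
        state = ("not set" if ar["value"] is None else "disabled on all drive types"
                 if ar["all_disabled"] else "disabled on: " + ", ".join(ar["autorun_disabled_on"]))
        hive = key.split("\\")[0]
        lines.append(f"[autorun] {hive}: NoDriveTypeAutoRun {state}")
    return lines

# Constructed sample: a handful of lines copied from the RSIT log posted above.
SAMPLE_LOG = r"""
O23 - Service: ALaunch Service (ALaunchService) - Unknown owner - C:\Acer\ALaunch\ALaunchSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2008-01-19 1008184]
"Acer Tour"= []
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
C:\Users\Aharon\AppData\Local\Google\Update\GoogleUpdate.exe /c []
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=255
"""

if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE_LOG))))
```

To run it over the real thing, pass the contents of C:\rsit\log.txt to `triage()`. A flag is a prompt to look at the file, not a verdict: on the log above it flags Acer's own ALaunch entries and a Symantec service whose file is gone, which are ordinary leftovers, and a Google updater running from the user's profile, which is where Google installs it. The 255 under HKCU shows AutoRun already disabled for every drive type for this user, the usual defence against a USB worm such as the Conficker mentioned below, while the HKLM values are simply unset.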
fix200 (Security contributor):
Re,

OK, this report is clean :)

I have a question: the USB key, do you use it for work? If so, your work PC is infected with Conficker. We can disinfect it if you want, but once it is disinfected, I'll open a topic under your username...

Anyway, let's continue:

Download MalwareBytes' Anti-Malware (MBAM).

▶ Double-click the downloaded file to start the installation process, choose "French" and accept when prompted to update it.

▶ Make sure to check this Tutorial to use the program properly.

! Log out and close all running applications !

⇒ Launch MBAM.

▶ Under the settings tab, check the box: "Stop Internet Explorer during removal"

▶ Now click on the scan tab and check the box: "Run a quick scan".

▶ Then click on "Search".

▶ Let it scan the PC...

▶ Once the scan is finished, click on "OK", then on "Show results"

▶ Ensure everything is checked and click on "Remove selected."

▶ It may ask you to restart to finish removing the threats; accept by clicking "Yes".

▶ At the end, a report will open, save it so you can find it to post on the forum.

Come back to the forum and copy and paste the report in your next reply.

Note: reports are also stored in the Report/Log tab.
roni034 (Member):
Hello, sorry for the long absence; I had to be away for a few days...
Here is the log.

thank you

Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 6.0.6001 Service Pack 1

12/09/2009 10:30:49 PM
mbam-log-2009-09-12 (10-30-49).txt

Scan type: Quick Scan
Items examined: 104581
Time elapsed: 6 minute(s), 10 second(s)

Infected memory processes: 0
Infected memory modules: 0
Infected Registry keys: 1
Infected Registry values: 0
Infected Registry data items: 0
Infected folders: 0
Infected files: 0

Infected memory processes:
(No malicious items detected)

Infected memory modules:
(No malicious items detected)

Infected Registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Infected Registry values:
(No malicious items detected)

Infected Registry data items:
(No malicious items detected)

Infected folders:
(No malicious items detected)

Infected files:
(No malicious items detected)
fix200 (Security contributor):
Re,

Hello :)

Answer the questions!

I have a question: do you use the USB drive for work? If so, your work PC is infected with Conficker. We can disinfect it if you'd like, but once it is disinfected, I will open a topic under your username...


How is your PC doing? Is it better?
roni034 (Member):
Hello,

The PC is better.

Thank you for your help.

See you soon.