Host.exe and copy.exe
Elo
crapoulou (Moderator, Security contributor; 28002 posts)
Hello,
I am a complete novice in computing, and Symantec is telling me that my PC is infected with host.exe and copy.exe. Could you help me get rid of it? I imagine I need to make a report, but since I don't know anything about it, I don't know how to go about it.
Thank you in advance for your help.
Configuration: Windows XP Firefox 3.5.7
47 replies
Hello,
You are infected with a worm that spreads through your computer via removable media (USB drives, floppy disks, digital cameras, external hard drives, etc.)
Download and install UsbFix from C_XX & El desaparecido:
= = = = >>> Click here <<< = = = =
Connect your external data sources to your PC (USB drives, external hard drives, etc.) that may have been infected without opening them!
* Double-click on the UsbFix shortcut on your desktop.
* Choose option 1 (Search)
* Let the tool work.
* Then post the entire UsbFix.txt report that will appear.
Notes:
- The UsbFix.txt report is saved at the root of the drive. (C:\UsbFix.txt)
(CTRL+A to select all, CTRL+C to copy, and CTRL+V to paste on the forum).
- "Process.exe," a component of the tool, is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky Anti-Virus) as a RiskTool. It is not a virus, but a utility designed to terminate processes. In the wrong hands, this utility could stop security software (Antivirus, Firewall...), hence the alert issued by these antivirus programs.
--
Got a problem? Head over to CCM!
There is no problem without a solution.
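Why the helper insists on plugging the keys in without opening them: on Windows XP, opening a removable drive from Explorer (or AutoPlay on insertion) processes the drive's autorun.inf, which is how worms of this family typically relaunch themselves from every infected key. The Python below is an added example for this thread; it is not UsbFix code and was not written by anyone in the thread. It reads an autorun.inf as plain text (executing nothing) and lists the directives that would launch a program, and it decodes the NoDriveTypeAutoRun policy value that RSIT reports. Assumptions: that this worm uses autorun.inf (the thread never says so), the constructed sample file, and the file names copy.exe and host.exe borrowed from the question.

```python
"""Two read-only checks for the removable-media worm vector described above.
Example code added to this thread; it is not part of UsbFix and was not
posted by anyone in the thread.

1. Parse a drive's autorun.inf as plain text and list the directives that
   would launch a program when the drive is opened or double-clicked.
2. Decode the NoDriveTypeAutoRun policy value to see which drive types
   Windows XP will still autorun.
Assumption: the worm relies on an autorun.inf on the USB key, which the
thread does not state; the sample file below is constructed.
"""
import re

# [autorun] keys that make Explorer execute a target.
LAUNCH_KEYS = ("open", "shellexecute")
# shell\<verb>\command=... runs when that verb (open, explore, ...) is chosen.
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")

# Bit values of NoDriveTypeAutoRun (...\Policies\Explorer). A set bit means
# AutoRun is DISABLED for that drive type.
DRIVE_TYPE_BITS = {
    0x01: "DRIVE_UNKNOWN",
    0x02: "DRIVE_NO_ROOT_DIR",
    0x04: "DRIVE_REMOVABLE",   # USB keys, floppies
    0x08: "DRIVE_FIXED",
    0x10: "DRIVE_REMOTE",
    0x20: "DRIVE_CDROM",
    0x40: "DRIVE_RAMDISK",
    0x80: "RESERVED",
}


def parse_autorun(text):
    """Return {key: value} for the [autorun] section, keys lowercased.
    Worm-dropped files are often padded with junk or comment lines, so
    anything that is not key=value inside [autorun] is ignored."""
    section, entries = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        entries[key.strip().lower()] = value.strip()
    return entries


def launch_directives(text):
    """(directive, target) pairs that cause code execution when the drive
    is opened, double-clicked or autoplayed. Nothing is executed here."""
    return [(k, v) for k, v in parse_autorun(text).items()
            if k in LAUNCH_KEYS or SHELL_COMMAND_RE.match(k)]


def autorun_disabled_for(value):
    """Map a NoDriveTypeAutoRun bitmask to {drive type: autorun disabled?}."""
    return {name: bool(value & bit) for bit, name in DRIVE_TYPE_BITS.items()}


def removable_autorun_enabled(value):
    """True if the policy still lets removable drives (USB keys) autorun."""
    return not (value & 0x04)


# Constructed sample, modelled on the autorun.inf such worms write; the
# file names copy.exe and host.exe are the ones named in the question.
SAMPLE_AUTORUN_INF = """\
[autorun]
; padding comment
open=copy.exe
shellexecute=copy.exe
shell\\open\\command=copy.exe
shell\\explore\\command=host.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""

if __name__ == "__main__":
    for key, target in launch_directives(SAMPLE_AUTORUN_INF):
        print(f"{key:<22} -> {target}")
    xp_default = 0x91  # 145: the XP default, and the value in the RSIT dump in this thread
    print("removable-drive autorun enabled:", removable_autorun_enabled(xp_default))
    for name, disabled in autorun_disabled_for(xp_default).items():
        print(f"  {name:<18} {'disabled' if disabled else 'ENABLED'}")
```

Run it on a copy of the drive's autorun.inf read through the script or a command prompt, never by double-clicking the drive. The XP default 0x91 (145), which is also the value in the RSIT registry dump later in this thread, only disables AutoRun for unknown, network and reserved drive types; bit 0x04 for removable drives is clear, so a USB key can still autorun. 0xFF disables it for every type. On XP the policy is only honoured reliably once Microsoft's AutoRun fix is installed and HonorAutoRunSetting is set to 1; the RSIT dump in this thread shows that value present but empty.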
What speed!!!
Here is the report:
############################## | UsbFix V6.075 |
User : Elodie (Administrators) # ELO
Update on 19/01/2010 by El Desaparecido , C_XX & Chimay8
Start at: 20:52:39 | 20/01/2010
Website : http://pagesperso-orange.fr/NosTools/index.html
Contact : FindyKill.Contact@gmail.com
Intel(R) Pentium(R) 4 CPU 3.20GHz
Microsoft Windows XP Home Edition (5.1.2600 32-bit) # Service Pack 3
Internet Explorer 7.0.5730.11
Windows Firewall Status : Enabled
C:\ -> Local fixed disk # 145.95 Go (58.37 Go free) [Elodie C] # NTFS
D:\ -> CD-ROM drive
E:\ -> Local fixed disk # 279.47 Go (38.95 Go free) # NTFS
F:\ -> Removable disk
G:\ -> Removable disk
H:\ -> Removable disk
I:\ -> CD-ROM drive
J:\ -> Removable disk # 1.92 Go (1.92 Go free) # FAT
K:\ -> Removable disk # 981.05 Mo (865.78 Mo free) [ I-ZI-I] # FAT32
############################## | Active processes |
C:\WINDOWS\System32\smss.exe 732
C:\WINDOWS\system32\csrss.exe 780
C:\WINDOWS\system32\winlogon.exe 808
C:\WINDOWS\system32\services.exe 852
C:\WINDOWS\system32\lsass.exe 864
C:\WINDOWS\system32\Ati2evxx.exe 1032
C:\WINDOWS\system32\svchost.exe 1048
C:\WINDOWS\system32\svchost.exe 1132
C:\WINDOWS\System32\svchost.exe 1228
C:\WINDOWS\system32\svchost.exe 1316
C:\WINDOWS\system32\svchost.exe 1436
C:\WINDOWS\system32\spoolsv.exe 1608
C:\WINDOWS\Explorer.EXE 1856
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe 1996
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe 2008
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe 2024
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe 2036
C:\WINDOWS\system32\Rundll32.exe 2044
C:\Program Files\Creative\VoiceCenter\AndreaVC.exe 212
C:\Program Files\Dell\Media Experience\DMXLauncher.exe 208
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe 244
C:\DOCUME~1\ELODIE~1\LOCALS~1\Temp\clclean.0001 284
C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe 336
C:\WINDOWS\stsystra.exe 392
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe 408
C:\Program Files\DAEMON Tools\daemon.exe 588
C:\Program Files\TomTom HOME 2\HOMERunner.exe 596
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEGE.EXE 624
C:\WINDOWS\system32\ctfmon.exe 656
C:\WINDOWS\system32\svchost.exe 1120
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe 1200
C:\Program Files\Bonjour\mDNSResponder.exe 1212
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe 1256
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe 1348
C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe 1580
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe 1992
c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe 256
C:\WINDOWS\System32\snmp.exe 480
C:\WINDOWS\system32\svchost.exe 548
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe 2360
C:\WINDOWS\System32\alg.exe 2792
C:\WINDOWS\System32\svchost.exe 3412
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE 3556
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE 3716
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe 2016
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\VPC32.EXE 3940
C:\Program Files\Mozilla Firefox\firefox.exe 568
C:\WINDOWS\system32\wbem\wmiprvse.exe 2616
################## | Infectious elements |
C:\Documents and Settings\Elodie LEFIL\new.txt
C:\Install\Ghost.exe
################## | Registry |
################## | Mountpoints2 |
################## | ! End of report # UsbFix V6.075 ! |
It seems like Symantec might have eradicated them??
*****
Send this file
C:\Documents and Settings\Elodie LEFIL\new.txt
here please:
http://cijoint.fr/
Send me the URL so that I can check it.
***** Then *****
Cleaning with UsbFix:
Connect your external data sources to your PC (USB key, external hard drive, etc...) that may have been infected without opening them!
*Double click on the UsbFix shortcut present on your desktop.
* Choose option 2 (Removal)
* Your desktop will disappear and the PC will restart.
* Upon restart, UsbFix will scan your PC. Let the tool work.
* Then post the entire UsbFix.txt report that will appear with the desktop.
Note:
The UsbFix.txt report is saved at the root of the disk. (C:\UsbFix.txt)
********
For a more in-depth diagnosis of your PC:
Download Random’s System Information Tool (RSIT) from random/random and save the executable on the Desktop.
= = = = >>> Click here <<< = = = =
* Double click on RSIT.exe to launch it.
* A first window will open, then click on Continue (Disclaimer).
* If the latest version of HijackThis is not detected on your PC, RSIT will download it and ask you to accept the license.
* When the scan is finished, two text files will open (probably with Notepad).
* Post the content of log.txt.
--
Got a problem? Visit CCM!
There is no problem without a solution.
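Once the RSIT log.txt is posted, the first pass through it is mechanical: find entries pointing at files that no longer exist, unnamed browser helper objects, autostarts running from temp folders, ShellServiceObjectDelayLoad entries with no full path, and browser start/search pages the owner did not choose. The Python below is an added example of that first pass, not code from HijackThis, RSIT or anyone in this thread. The domain allowlist is an assumption, and the sample log is constructed in HijackThis format (a few lines modelled on the log posted later in the thread plus an invented temp-folder autostart). A finding means "check this", not "this is malware".

```python
"""Triage for a HijackThis / RSIT log.txt of the kind requested above.
Example code added to this thread; it is not HijackThis, RSIT or UsbFix
code. It does not decide what is malicious; it lists the entries a helper
would look at first:
  - entries whose target is '(no file)' / '(file missing)'  (orphaned)
  - O2 browser helper objects with '(no name)'
  - O4 autostarts launched from a temp folder or a user profile
  - O21 ShellServiceObjectDelayLoad entries with no full path
  - R0/R1/R3 browser start/search URLs outside an assumed allowlist
The allowlist and the sample log are assumptions / constructed input.
"""
import re

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
ORPHAN_MARKERS = ("(no file)", "(file missing)")
URL_RE = re.compile(r"https?://([^/\s]+)")
# Assumption: domains the owner would expect as home/search pages.
EXPECTED_BROWSER_DOMAINS = ("msn.com", "dell.com", "bing.com", "google.")
# Autostart locations a legitimate installer rarely uses.
TEMP_OR_PROFILE_RE = re.compile(
    r"\\temp\\|\\docume~1\\|\\documents and settings\\|%temp%", re.I)


def parse_entries(text):
    """Yield (kind, body, line) for each HijackThis-style entry line."""
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group("kind"), m.group("body"), line


def triage(text):
    """Return [(kind, reason)] findings in log order."""
    findings = []
    for kind, body, line in parse_entries(text):
        low = body.lower()
        if any(marker in low for marker in ORPHAN_MARKERS):
            findings.append((kind, "orphaned entry: " + line))
        elif kind == "O2" and "(no name)" in low:
            findings.append((kind, "unnamed BHO: " + line))
        elif kind == "O4" and TEMP_OR_PROFILE_RE.search(body):
            findings.append((kind, "autostart from temp/profile dir: " + line))
        elif kind == "O21" and "\\" not in body.rsplit(" - ", 1)[-1]:
            findings.append((kind, "SSODL entry without a full path: " + line))
        elif kind in ("R0", "R1", "R3"):
            m = URL_RE.search(body)
            host = m.group(1).lower() if m else ""
            if host and not any(d in host for d in EXPECTED_BROWSER_DOMAINS):
                findings.append((kind, "browser page outside allowlist: " + line))
    return findings


# Constructed sample in HijackThis format: lines modelled on the log posted
# in this thread plus one invented O4 autostart from a temp folder.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startpage.example/?p=h
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [host] C:\DOCUME~1\USER~1\LOCALS~1\Temp\host.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O21 - SSODL: system32 - {E6DCBE03-B92A-47EF-88C7-3464EBC717CE} - sysprinters.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
"""

if __name__ == "__main__":
    for kind, reason in triage(SAMPLE_LOG):
        print(f"[{kind}] {reason}")
```

Feed it the whole log.txt; anything it prints is what a helper checks by hand next (the file's publisher and location, whether the uninstaller left it behind, whether the start page was ever chosen). Orphaned entries are harmless on their own but are often what a removed infection leaves behind, which is why they are the first thing to reconcile against the antivirus history.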
Currently, I have not executed option 2 of USB Fix, and here is the complete PC log:
Logfile of random's system information tool 1.06 (written by random/random)
Run by Elodie LEFIL at 2010-01-20 21:11:07
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 60 GB (40%) free of 149 GB
Total RAM: 1022 MB (29% free)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:11:21, on 20/01/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Creative\VoiceCenter\AndreaVC.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\DOCUME~1\ELODIE~1\LOCALS~1\Temp\clclean.0001
C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
C:\WINDOWS\stsystra.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEGE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Elodie LEFIL\My Documents\Downloads\RSIT.exe
C:\Program Files\trend micro\Elodie LEFIL.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.dell.com/fr-fr
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xeoo.com/?p=h&a=f
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Links
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Assistant Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [VoiceCenter] "C:\Program Files\Creative\VoiceCenter\AndreaVC.exe" /tray
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\FICHIE~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [AVFX Engine] C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe"
O4 - HKCU\..\Run: [EPSON Stylus SX400 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEGE.EXE /FU "C:\WINDOWS\TEMP\E_S51.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Convert selected links to Adobe PDF file - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menu item: Java Console (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Search - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menu item: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menu item: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} (Image Uploader Control) - http://copainsdavant.linternaute.com/...
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.mypix.com/importer/ImageUploader4.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} (Image Uploader Control) - http://www.mypix.com/fr/fr/importer/ImageUploader4.cab
O21 - SSODL: system32 - {E6DCBE03-B92A-47EF-88C7-3464EBC717CE} - sysprinters.dll (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
--
End of file - 10369 bytes
======Scheduled tasks folder======
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\One-click Maintenance.job
C:\WINDOWS\tasks\Subscription Reminder 1 with ISP.job
======Registry dump======
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4D25F921-B9FE-4682-BF72-8AB8210D6D75}]
C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll [2005-06-14 86016]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Assistant Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-02-17 408440]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}]
C:\Program Files\Microsoft Money\System\mnyviewer.dll [2001-07-25 143420]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784]
"IAAnotif"=C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe [2005-06-17 139264]
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [2005-08-05 344064]
"DVDLauncher"=C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe [2005-04-28 53248]
"CTSysVol"=C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe [2005-09-15 57344]
"MBMon"=Rundll32 CTMBHA.DLL,MBMon []
"UpdReg"=C:\WINDOWS\UpdReg.EXE [2000-05-11 90112]
"VoiceCenter"=C:\Program Files\Creative\VoiceCenter\AndreaVC.exe [2005-09-19 1159168]
"DMXLauncher"=C:\Program Files\Dell\Media Experience\DMXLauncher.exe [2005-01-27 86016]
"ISUSScheduler"=C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [2005-06-10 81920]
"MoneyStartUp10.0"=C:\Program Files\Microsoft Money\System\Activation.exe [2001-07-25 245810]
"ISUSPM Startup"=c:\PROGRA~1\FICHIE~1\INSTAL~1\UPDATE~1\isuspm.exe [2004-06-16 221184]
"PinnacleDriverCheck"=C:\WINDOWS\system32\PSDrvCheck.exe [2004-03-10 406016]
"AVFX Engine"=C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe [2006-10-19 20480]
"SigmatelSysTrayApp"=C:\WINDOWS\stsystra.exe [2005-03-22 339968]
"vptray"=C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe [2002-09-02 77824]
"KernelFaultCheck"=C:\WINDOWS\system32\dumprep 0 -k []
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-02-27 35696]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2009-05-26 413696]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
C:\WINDOWS\system32\NavLogon.dll [2002-07-30 45056]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]
system32 - {E6DCBE03-B92A-47EF-88C7-3464EBC717CE} - sysprinters.dll []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Disabled:Windows Messenger"
"C:\WINDOWS\system32\LEXPPS.EXE"="C:\WINDOWS\system32\LEXPPS.EXE:*:Disabled:LEXPPS.EXE"
"C:\Program Files\MSN BackUp\MSNBackup.exe"="C:\Program Files\MSN BackUp\MSNBackup.exe:*:Enabled:18 July 2005"
"C:\Documents and Settings\Elodie LEFIL\Desktop\Elodie\MSN BackUp\MSNBackup.exe"="C:\Documents and Settings\Elodie LEFIL\Desktop\Elodie\MSN BackUp\MSNBackup.exe:*:Enabled:18 July 2005"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\SightSpeed\SightSpeed.exe"="C:\Program Files\SightSpeed\SightSpeed.exe:*:Enabled:SightSpeed"
"C:\Program Files\Pinnacle\Studio 10\programs\RM.exe"="C:\Program Files\Pinnacle\Studio 10\programs\RM.exe:*:Enabled:Render Manager"
"C:\Program Files\Pinnacle\Studio 10\programs\Studio.exe"="C:\Program Files\Pinnacle\Studio 10\programs\Studio.exe:*:Enabled:Studio"
"C:\Program Files\Pinnacle\Studio 10\programs\PMSRegisterFile.exe"="C:\Program Files\Pinnacle\Studio 10\programs\PMSRegisterFile.exe:*:Enabled:PMSRegisterFile"
"C:\Program Files\Pinnacle\Studio 10\programs\umi.exe"="C:\Program Files\Pinnacle\Studio 10\programs\umi.exe:*:Enabled:umi"
"C:\Program Files\Pinnacle\Shared Files\Programs\MediaManager\PMSManager.exe"="C:\Program Files\Pinnacle\Shared Files\Programs\MediaManager\PMSManager.exe:*:Enabled:MediaManager Application"
"C:\Program Files\Internet Explorer\iexplore.exe"="C:\Program Files\Internet Explorer\iexplore.exe:*:Enabled:Internet Explorer"
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\Freeplayer\vlc\vlc.exe"="C:\Program Files\Freeplayer\vlc\vlc.exe:*:Enabled:VLC media player"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe"="C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live FolderShare"
Logfile of random's system information tool 1.06 (written by random/random)
Run by Elodie LEFIL at 2010-01-20 21:11:07
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 60 GB (40%) free of 149 GB
Total RAM: 1022 MB (29% free)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:11:21, on 20/01/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Creative\VoiceCenter\AndreaVC.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\DOCUME~1\ELODIE~1\LOCALS~1\Temp\clclean.0001
C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
C:\WINDOWS\stsystra.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEGE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Elodie LEFIL\My Documents\Downloads\RSIT.exe
C:\Program Files\trend micro\Elodie LEFIL.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.dell.com/fr-fr
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xeoo.com/?p=h&a=f
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Links
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Assistant Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [VoiceCenter] "C:\Program Files\Creative\VoiceCenter\AndreaVC.exe" /tray
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\FICHIE~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [AVFX Engine] C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe"
O4 - HKCU\..\Run: [EPSON Stylus SX400 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEGE.EXE /FU "C:\WINDOWS\TEMP\E_S51.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Convert selected links to Adobe PDF file - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menu item: Java Console (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Search - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menu item: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menu item: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} (Image Uploader Control) - http://copainsdavant.linternaute.com/...
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.mypix.com/importer/ImageUploader4.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} (Image Uploader Control) - http://www.mypix.com/fr/fr/importer/ImageUploader4.cab
O21 - SSODL: system32 - {E6DCBE03-B92A-47EF-88C7-3464EBC717CE} - sysprinters.dll (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
--
End of file - 10369 bytes
======Scheduled tasks folder======
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\One-click Maintenance.job
C:\WINDOWS\tasks\Subscription Reminder 1 with ISP.job
======Registry dump======
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4D25F921-B9FE-4682-BF72-8AB8210D6D75}]
C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll [2005-06-14 86016]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Assistant Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-02-17 408440]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}]
C:\Program Files\Microsoft Money\System\mnyviewer.dll [2001-07-25 143420]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784]
"IAAnotif"=C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe [2005-06-17 139264]
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [2005-08-05 344064]
"DVDLauncher"=C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe [2005-04-28 53248]
"CTSysVol"=C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe [2005-09-15 57344]
"MBMon"=Rundll32 CTMBHA.DLL,MBMon []
"UpdReg"=C:\WINDOWS\UpdReg.EXE [2000-05-11 90112]
"VoiceCenter"=C:\Program Files\Creative\VoiceCenter\AndreaVC.exe [2005-09-19 1159168]
"DMXLauncher"=C:\Program Files\Dell\Media Experience\DMXLauncher.exe [2005-01-27 86016]
"ISUSScheduler"=C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [2005-06-10 81920]
"MoneyStartUp10.0"=C:\Program Files\Microsoft Money\System\Activation.exe [2001-07-25 245810]
"ISUSPM Startup"=c:\PROGRA~1\FICHIE~1\INSTAL~1\UPDATE~1\isuspm.exe [2004-06-16 221184]
"PinnacleDriverCheck"=C:\WINDOWS\system32\PSDrvCheck.exe [2004-03-10 406016]
"AVFX Engine"=C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe [2006-10-19 20480]
"SigmatelSysTrayApp"=C:\WINDOWS\stsystra.exe [2005-03-22 339968]
"vptray"=C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe [2002-09-02 77824]
"KernelFaultCheck"=C:\WINDOWS\system32\dumprep 0 -k []
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-02-27 35696]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2009-05-26 413696]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
C:\WINDOWS\system32\NavLogon.dll [2002-07-30 45056]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]
system32 - {E6DCBE03-B92A-47EF-88C7-3464EBC717CE} - sysprinters.dll []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Disabled:Windows Messenger"
"C:\WINDOWS\system32\LEXPPS.EXE"="C:\WINDOWS\system32\LEXPPS.EXE:*:Disabled:LEXPPS.EXE"
"C:\Program Files\MSN BackUp\MSNBackup.exe"="C:\Program Files\MSN BackUp\MSNBackup.exe:*:Enabled:18 July 2005"
"C:\Documents and Settings\Elodie LEFIL\Desktop\Elodie\MSN BackUp\MSNBackup.exe"="C:\Documents and Settings\Elodie LEFIL\Desktop\Elodie\MSN BackUp\MSNBackup.exe:*:Enabled:18 July 2005"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\SightSpeed\SightSpeed.exe"="C:\Program Files\SightSpeed\SightSpeed.exe:*:Enabled:SightSpeed"
"C:\Program Files\Pinnacle\Studio 10\programs\RM.exe"="C:\Program Files\Pinnacle\Studio 10\programs\RM.exe:*:Enabled:Render Manager"
"C:\Program Files\Pinnacle\Studio 10\programs\Studio.exe"="C:\Program Files\Pinnacle\Studio 10\programs\Studio.exe:*:Enabled:Studio"
"C:\Program Files\Pinnacle\Studio 10\programs\PMSRegisterFile.exe"="C:\Program Files\Pinnacle\Studio 10\programs\PMSRegisterFile.exe:*:Enabled:PMSRegisterFile"
"C:\Program Files\Pinnacle\Studio 10\programs\umi.exe"="C:\Program Files\Pinnacle\Studio 10\programs\umi.exe:*:Enabled:umi"
"C:\Program Files\Pinnacle\Shared Files\Programs\MediaManager\PMSManager.exe"="C:\Program Files\Pinnacle\Shared Files\Programs\MediaManager\PMSManager.exe:*:Enabled:MediaManager Application"
"C:\Program Files\Internet Explorer\iexplore.exe"="C:\Program Files\Internet Explorer\iexplore.exe:*:Enabled:Internet Explorer"
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\Freeplayer\vlc\vlc.exe"="C:\Program Files\Freeplayer\vlc\vlc.exe:*:Enabled:VLC media player"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe"="C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live FolderShare"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe"="C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live FolderShare"
======List of files/folders created in the last 1 months======
2010-01-20 21:11:07 ----D---- C:\rsit
2010-01-20 21:11:07 ----D---- C:\Program Files\trend micro
2010-01-20 20:49:01 ----A---- C:\UsbFix.txt
2010-01-20 20:48:09 ----D---- C:\UsbFix
======List of files/folders modified in the last 1 months======
2010-01-20 21:11:07 ----RD---- C:\Program Files
2010-01-20 21:11:05 ----D---- C:\WINDOWS\Prefetch
2010-01-20 20:53:39 ----D---- C:\WINDOWS\Temp
2010-01-20 20:49:42 ----RSHD---- C:\WINDOWS\system32\dllcache
2010-01-20 20:49:30 ----D---- C:\WINDOWS\system32\CatRoot2
2010-01-20 20:05:47 ----D---- C:\Program Files\Mozilla Firefox
2010-01-20 19:11:32 ----SHD---- C:\WINDOWS\Installer
2010-01-20 19:11:29 ----D---- C:\Program Files\Microsoft Silverlight
2010-01-20 18:37:24 ----D---- C:\WINDOWS
2010-01-19 23:06:46 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-01-17 18:05:07 ----D---- C:\WINDOWS\system32\LogFiles
2010-01-17 18:05:07 ----D---- C:\WINDOWS\Debug
2010-01-17 18:05:06 ----D---- C:\WINDOWS\Minidump
2010-01-17 18:04:25 ----D---- C:\Program Files\Microsoft Money
2010-01-15 20:03:01 ----D---- C:\WINDOWS\AppPatch
2010-01-13 19:33:47 ----HD---- C:\WINDOWS\inf
2010-01-13 19:33:45 ----D---- C:\WINDOWS\system32
2010-01-13 19:33:42 ----HD---- C:\WINDOWS\$hf_mig$
2010-01-05 01:17:46 ----A---- C:\WINDOWS\system32\MRT.exe
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-14 40576]
R1 kbdhid;HID Keyboard Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-14 14720]
R1 PCLEPCI;PCLEPCI; \??\C:\WINDOWS\system32\drivers\pclepci.sys []
R1 sonypvf3;sonypvf3; C:\WINDOWS\system32\drivers\sonypvf3.sys [2004-11-15 619390]
R1 sonypvt3;sonypvt3; C:\WINDOWS\system32\drivers\sonypvt3.sys [2004-12-06 423454]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2003-04-09 11043]
R2 NAVAPEL;NAVAPEL; \??\C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\NAVAPEL.SYS []
R2 PfModNT;PfModNT; \??\C:\WINDOWS\system32\drivers\PfModNT.sys []
R3 Arp1394;ARP 1394 Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 ASAPIW2k;ASAPIW2K; C:\WINDOWS\System32\Drivers\ASAPIW2K.sys [2004-03-10 11264]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2005-08-04 1273344]
R3 ctsfm2k;Creative SoundFont Management Device Driver; C:\WINDOWS\system32\DRIVERS\ctsfm2k.sys [2005-01-10 138752]
R3 CTUSFSYN;Creative SoundFont Synthesizer; C:\WINDOWS\system32\drivers\ctusfsyn.sys [2005-05-25 158464]
R3 e1express;Intel(R) PRO/1000 PCI Express Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e1e5132.sys [2005-04-01 180736]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 HSF_DP;HSF_DP; C:\WINDOWS\system32\DRIVERS\HSF_DP.sys [2003-11-17 1042432]
R3 HSFHWBS2;HSFHWBS2; C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys [2003-11-17 212224]
R3 MarvinBus;Pinnacle Marvin Bus; C:\WINDOWS\system32\DRIVERS\MarvinBus.sys [2005-07-13 171008]
R3 MODEMCSA;Unimodem Stream Filtering Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
R3 mouhid;HID Mouse Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-23 12288]
R3 NAVAP;NAVAP; \??\C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\NAVAP.sys []
R3 NAVENG;NAVENG; \??\C:\PROGRA~1\FICHIE~1\SYMANT~1\VIRUSD~1\20100119.008\NAVENG.sys []
R3 NAVEX15;NAVEX15; \??\C:\PROGRA~1\FICHIE~1\SYMANT~1\VIRUSD~1\20100119.008\NAVEX15.sys []
R3 NIC1394;1394 Network Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
Ok.
You can proceed with option 2 of USBFix.
Then:
Download Ad-Remover (from Cyrildu17 / C_XX) to your desktop:
= = = =>>> Click here <<<= = = =
/!\ Disconnect and close all running applications, disable your antivirus during the process /!\
* Double-click the executable to launch it.
* When the warning message appears, select ‘Yes’.
* In the main menu, choose the option “S” and then press the Enter key.
* Post the report that appears at the end of the analysis, which may take some time.
(The report is also saved under C:\Ad-report(date).log)
(CTRL+A to select all, CTRL+C to copy, and CTRL+V to paste)
Note:
“Process.exe”, a component of the tool, is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky Anti-Virus) as a RiskTool.
It is not a virus, but a utility designed to terminate processes.
--
Got a problem? Visit CCM!
There is no problem without a solution.
Here is the report from USB fix after option 2:
############################## | UsbFix V6.075 |
User : Elodie LEFIL (Administrators) # ELOFLO
Update on 01/19/2010 by El Desaparecido, C_XX & Chimay8
Start at: 21:27:26 | 01/20/2010
Website : http://pagesperso-orange.fr/NosTools/index.html
Contact : FindyKill.Contact@gmail.com
Intel(R) Pentium(R) 4 CPU 3.20GHz
Microsoft Windows XP Home Edition (5.1.2600 32-bit) # Service Pack 3
Internet Explorer 7.0.5730.11
Windows Firewall Status : Enabled
C:\ -> Local disk # 145.95 GB (58.33 GB free) [Elodie C] # NTFS
D:\ -> CD-ROM drive
E:\ -> Local disk # 279.47 GB (38.95 GB free) # NTFS
F:\ -> Removable disk
G:\ -> Removable disk
H:\ -> Removable disk
I:\ -> CD-ROM drive
J:\ -> Removable disk # 1.92 GB (1.92 GB free) # FAT
K:\ -> Removable disk # 981.05 MB (865.78 MB free) [ I-ZI-I] # FAT32
L:\ -> Removable disk
############################## | Active Processes |
C:\WINDOWS\System32\smss.exe 732
C:\WINDOWS\system32\csrss.exe 788
C:\WINDOWS\system32\winlogon.exe 820
C:\WINDOWS\system32\services.exe 864
C:\WINDOWS\system32\lsass.exe 876
C:\WINDOWS\system32\Ati2evxx.exe 1048
C:\WINDOWS\system32\svchost.exe 1068
C:\WINDOWS\system32\svchost.exe 1144
C:\WINDOWS\System32\svchost.exe 1244
C:\WINDOWS\system32\svchost.exe 1336
C:\WINDOWS\system32\svchost.exe 1436
C:\WINDOWS\system32\spoolsv.exe 1612
C:\WINDOWS\Explorer.EXE 1864
C:\WINDOWS\system32\svchost.exe 332
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe 396
C:\Program Files\Bonjour\mDNSResponder.exe 408
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe 496
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe 536
C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe 564
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe 780
C:\WINDOWS\System32\snmp.exe 840
C:\WINDOWS\system32\svchost.exe 1100
c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe 1988
C:\WINDOWS\system32\wuauclt.exe 220
C:\WINDOWS\system32\wbem\wmiprvse.exe 2172
C:\WINDOWS\System32\alg.exe 2208
################## | Infectious Elements |
Deleted! C:\Documents and Settings\Elodie LEFIL\new.txt
Deleted! C:\Install\Ghost.exe
Deleted! C:\Recycler\S-1-5-21-2560142587-3095655939-1312782708-1006
Deleted! C:\Recycler\S-1-5-21-2560142587-3095655939-1312782708-500
Deleted! E:\Recycler\S-1-5-21-2560142587-3095655939-1312782708-1006
Deleted! E:\Recycler\S-1-5-21-283835879-4070534013-2259644570-1006
Deleted! E:\Recycler\S-1-5-21-3128282763-2889933275-2716769872-1006
Deleted! E:\Recycler\S-1-5-21-583907252-2052111302-725345543-500
################## | Registry |
################## | Mountpoints2 |
################## | Listing of present files |
[03/18/2007 17:25|--a------|389] C:\AUTOEXEC.BAT
[01/16/2006 11:50|-rahs----|216] C:\boot.ini
[08/05/2004 13:00|-rahs----|4952] C:\Bootfont.bin
[08/20/2004 11:37|--a------|0] C:\CONFIG.SYS
[03/30/2007 18:19|--a------|0] C:\conmgr.log
[01/11/2006 19:39|-rah-----|5389] C:\dell.sdr
[01/16/2006 13:35|--a------|4128] C:\INFCACHE.1
[08/20/2004 11:37|--ah-----|0] C:\IO.SYS
[01/11/2006 20:00|--ah-----|840] C:\IPH.PH
[08/20/2004 11:37|--ah-----|0] C:\MSDOS.SYS
[08/05/2004 13:00|-rahs----|47564] C:\NTDETECT.COM
[10/21/2008 21:08|-rahs----|252240] C:\ntldr
[?|?|?] C:\pagefile.sys
[06/23/2007 19:20|--a------|17590] C:\PkgClnup.log
[01/20/2010 21:34|--a------|3552] C:\UsbFix.txt
[05/21/2006 11:00|--a------|16821112] C:\Video.mpg
[06/23/2007 19:21|--ah-----|23400] C:\_NavCClt.Log
[01/05/2010 15:03|--a------|1215858] K:\SNC17885.JPG
[09/02/2007 01:04|--a------|1352525] K:\SNC10932.JPG
[05/13/2008 13:29|--a------|2482046] K:\SNC12325.JPG
[12/12/2009 12:17|--a------|2334068] K:\SNC12903.JPG
[08/20/2008 10:10|--a------|2482997] K:\SNC12906.JPG
[08/30/2008 15:04|--a------|2324961] K:\SNC12956.JPG
[08/30/2008 10:27|--a------|2399729] K:\SNC12958.JPG
[08/30/2008 10:27|--a------|2251323] K:\SNC12959.JPG
[03/23/2009 11:42|--a------|2326716] K:\SNC15389.JPG
[03/23/2009 11:43|--a------|2226980] K:\SNC15406.JPG
[03/24/2006 02:25|--a------|1372460] K:\SNC17865.JPG
[03/24/2006 02:25|--a------|1399173] K:\SNC17866.JPG
[03/24/2006 02:25|--a------|1396968] K:\SNC17867.JPG
[05/13/2006 02:45|--a------|1320183] K:\SNC17882.JPG
[05/13/2006 02:46|--a------|1331906] K:\SNC17884.JPG
[05/31/2008 21:10|--a------|2485294] K:\SNC12425.JPG
[05/31/2008 19:19|--a------|2495145] K:\SNC12405.JPG
[05/31/2008 21:09|--a------|2504688] K:\SNC12421.JPG
[12/19/2006 10:36|--a------|835001] K:\ssm10499.jpg
[02/25/2006 05:20|--a------|1358435] K:\SNC17827.JPG
[02/25/2006 04:26|--a------|1319985] K:\SNC17810.JPG
[02/25/2006 04:31|--a------|1385129] K:\SNC17814.JPG
[02/25/2006 04:34|--a------|1344339] K:\SNC17816.JPG
[02/25/2006 04:34|--a------|1302700] K:\SNC17818.JPG
[02/25/2006 05:20|--a------|1296127] K:\SNC17826 - Copy.JPG
[08/07/2006 06:00|---------|819649] K:\dsc07550.jpg
[01/13/2010 15:17|--ah-----|296] K:\WMPInfo.xml
################## | Vaccination |
# C:\autorun.inf -> Folder created by UsbFix.
# E:\autorun.inf -> Folder created by UsbFix.
# J:\autorun.inf -> Folder created by UsbFix.
# K:\autorun.inf -> Folder created by UsbFix.
################## | Upload |
Please send the file: C:\DOCUME~1\ELODIE~1\Bureau\UsbFix_Upload_Me_ELOFLO.zip : https://www.ionos.fr/?affiliate_id=77097
Thank you for your contribution.
################## | ! End of report # UsbFix V6.075 ! |
Should I continue?
Here is the Ad remover report:
.
======= AD-REMOVER REPORT 1.1.4.6_I | WINDOWS XP/VISTA/7 ONLY =======
.
Updated by C_XX on 19.01.2010 at 21:16
Contact: AdRemover.contact@gmail.com
Website: http://pagesperso-orange.fr/NosTools/ad_remover.html
.
Started at: 21:56:10, 20/01/2010 | Normal Mode | Option: SCAN
Executed from: C:\Ad-Remover\
Operating System: Microsoft® Windows XP™ Service Pack 3 v5.1.2600
Computer Name: ELOFLO | Current User: Elodie LEFIL
.
============== ITEM(S) FOUND ==============
.
C:\WINDOWS\System32\nvs2.inf
C:\WINDOWS\pack.epk
C:\Program Files\MyWaySA
C:\Program Files\Viewpoint
C:\DOCUME~1\ELODIE~1\APPLIC~1\Viewpoint
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Viewpoint
C:\WINDOWS\System32\ehvrpj.dat
C:\WINDOWS\System32\ehvrpj_nav.dat
C:\WINDOWS\System32\ehvrpj_navps.dat
C:\WINDOWS\System32\ehvrpj_navup.dat
.
HKCU\software\LanConfig
HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\\{4D25F926-B9FE-4682-BF72-8AB8210D6D75}
HKLM\software\classes\AxMetaStream.MetaStreamCtl
HKLM\software\classes\AxMetaStream.MetaStreamCtl.1
HKLM\software\classes\AxMetaStream.MetaStreamCtlSecondary
HKLM\software\classes\AxMetaStream.MetaStreamCtlSecondary.1
HKLM\Software\Classes\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E}
HKLM\Software\Classes\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
HKLM\Software\Classes\CLSID\{4D25F924-B9FE-4682-BF72-8AB8210D6D75}
HKLM\Software\Classes\TypeLib\{4D25F920-B9FE-4682-BF72-8AB8210D6D75}
HKLM\software\MetaStream
HKLM\Software\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}
HKLM\Software\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
HKLM\software\microsoft\windows\currentversion\uninstall\ViewpointMediaPlayer
HKLM\software\Viewpoint
HKU\s-1-5-21-2560142587-3095655939-1312782708-1006\software\LanConfig
.
============== Additional Scan ==============
.
.
* Mozilla FireFox Version 3.5.7 [en] *
.
Profile Name: o1mnwj35.default (Elodie LEFIL)
.
(ELODIE~1, prefs.js) Browser.download.lastDir, C:\Documents and Settings\Elodie LEFIL\Desktop
(ELODIE~1, prefs.js) Extensions.enabledItems, {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.1.2,{20a82645-c095-46ed-80e3-08825760534b}:0.0.0,{972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5.7
(ELODIE~1, prefs.js) Keyword.URL, hxxp://xeoo.com/?p=url&a=firefox&k=
.
.
* Internet Explorer Version 7.0.5730.11 *
.
[HKEY_CURRENT_USER\..\Internet Explorer\Main]
.
Do404Search: 01000000
Local Page: C:\WINDOWS\system32\blank.htm
Show_ToolBar: yes
Start Page: hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
Search Page: hxxp://www.google.com
Use Search Asst: no
Default_Page_URL: hxxp://www.dell.fr/myway
Search Bar: hxxp://mysearch.myway.com/jsp/dellsidebar.jsp?p=DR
Use Custom Search URL: 01000000
Enable Browser Extensions: yes
.
[HKEY_LOCAL_MACHINE\..\Internet Explorer\Main]
.
Default_Page_URL: hxxp://go.microsoft.com/fwlink/?LinkId=69157
Default_Search_URL: hxxp://go.microsoft.com/fwlink/?LinkId=54896
Search Page: hxxp://www.google.com
Delete_Temp_Files_On_Exit: yes
Start Page: hxxp://fr.msn.com/
Search Bar: hxxp://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
Local Page: %SystemRoot%\system32\blank.htm
HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\main\Start Page
.
[HKEY_LOCAL_MACHINE\..\Internet Explorer\ABOUTURLS]
.
Tabs: res://ieframe.dll/tabswelcome.htm
.
===================================
.
3816 Bytes - C:\Ad-Report-SCAN[1].log
3520 Bytes - C:\Ad-Report-SCAN[2].log
.
18 File(s) - C:\DOCUME~1\ELODIE~1\LOCALS~1\Temp
11 File(s) - C:\WINDOWS\Temp
123 File(s) - C:\WINDOWS\Prefetch
.
2 File(s) - C:\Ad-Remover\BACKUP
0 File(s) - C:\Ad-Remover\QUARANTINE
.
Finished at: 22:00:05 | 20/01/2010 - SCAN[2]
.
============== E.O.F ==============
.
Cleaning with Ad-Remover:
/!\ Disconnect and close all running applications, disable your antivirus for the duration of the operation/!\
* Double click on the executable to launch it.
* When the warning message appears, select ‘Yes’.
* In the main menu, choose the option "L" and then press the Enter key.
* Post the report that appears at the end of the analysis, which may take some time.
(The report is also saved under C:\Ad-report(date).log)
(CTRL+A to select all, CTRL+C to copy, and CTRL+V to paste)
Note:
"Process.exe", a component of the tool, is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky Anti-Virus) as a RiskTool.
It is not a virus, but a utility intended to terminate processes.
--
Got a problem? Visit CCM!
There is no problem without a solution.
Here is the report:
.
======= AD-REMOVER REPORT 1.1.4.6_I | WINDOWS XP/VISTA/7 ONLY =======
.
Updated by C_XX on January 19, 2010 at 21:16
Contact: AdRemover.contact@gmail.com
Website: http://pagesperso-orange.fr/NosTools/ad_remover.html
.
Scan started at: 22:36:03, January 20, 2010 | Normal Mode | Option: CLEAN
Executed from: C:\Ad-Remover\
Operating System: Microsoft® Windows XP™ Service Pack 3 v5.1.2600
PC Name: ELOFLO | Current User: Elodie LEFIL
.
============== NEUTRALIZED ITEM(S) ==============
.
C:\WINDOWS\System32\nvs2.inf
C:\WINDOWS\pack.epk
C:\Program Files\MyWaySA
C:\Program Files\Viewpoint
C:\DOCUME~1\ELODIE~1\APPLIC~1\Viewpoint
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Viewpoint
C:\WINDOWS\System32\ehvrpj.dat
C:\WINDOWS\System32\ehvrpj_nav.dat
C:\WINDOWS\System32\ehvrpj_navps.dat
C:\WINDOWS\System32\ehvrpj_navup.dat
(!) -- Temporary files deleted.
.
HKCU\software\LanConfig
HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\\{4D25F926-B9FE-4682-BF72-8AB8210D6D75}
HKLM\software\classes\AxMetaStream.MetaStreamCtl
HKLM\software\classes\AxMetaStream.MetaStreamCtl.1
HKLM\software\classes\AxMetaStream.MetaStreamCtlSecondary
HKLM\software\classes\AxMetaStream.MetaStreamCtlSecondary.1
HKLM\Software\Classes\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E}
HKLM\Software\Classes\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
HKLM\Software\Classes\CLSID\{4D25F924-B9FE-4682-BF72-8AB8210D6D75}
HKLM\Software\Classes\TypeLib\{4D25F920-B9FE-4682-BF72-8AB8210D6D75}
HKLM\software\MetaStream
HKLM\Software\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}
HKLM\Software\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
HKLM\software\microsoft\windows\currentversion\uninstall\ViewpointMediaPlayer
HKLM\software\Viewpoint
.
============== Additional Scan ==============
.
.
* Mozilla FireFox Version 3.5.7 [fr] *
.
Profile Name: o1mnwj35.default (Elodie LEFIL)
.
(ELODIE~1, prefs.js) Browser.download.lastDir, C:\Documents and Settings\Elodie LEFIL\Desktop
(ELODIE~1, prefs.js) Extensions.enabledItems, {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.1.2,{20a82645-c095-46ed-80e3-08825760534b}:0.0.0,{972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5.7
(ELODIE~1, prefs.js) Keyword.URL, hxxp://xeoo.com/?p=url&a=firefox&k=
.
.
* Internet Explorer Version 7.0.5730.11 *
.
[HKEY_CURRENT_USER\..\Internet Explorer\Main]
.
Do404Search: 01000000
Local Page: C:\WINDOWS\system32\blank.htm
Show_ToolBar: yes
Start Page: hxxp://fr.msn.com/
Use Search Asst: no
Default_Page_URL: hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
Search Bar: hxxp://go.microsoft.com/fwlink/?linkid=54896
Use Custom Search URL: 01000000
Enable Browser Extensions: yes
Default_search_url: hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
.
[HKEY_LOCAL_MACHINE\..\Internet Explorer\Main]
.
Default_Page_URL: hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
Default_Search_URL: hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
Search Page: hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
Delete_Temp_Files_On_Exit: yes
Start Page: hxxp://fr.msn.com/
Search Bar: hxxp://search.msn.com/spbasic.htm
Local Page: %SystemRoot%\system32\blank.htm
HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\main\Start Page
.
[HKEY_LOCAL_MACHINE\..\Internet Explorer\ABOUTURLS]
.
Tabs: res://ieframe.dll/tabswelcome.htm
.
===================================
.
3537 Bytes - C:\Ad-Report-CLEAN[1].log
3816 Bytes - C:\Ad-Report-SCAN[1].log
3859 Bytes - C:\Ad-Report-SCAN[2].log
.
9 Files - C:\DOCUME~1\ELODIE~1\LOCALS~1\Temp
11 Files - C:\WINDOWS\Temp
5 Files - C:\WINDOWS\Prefetch
.
19 Files - C:\Ad-Remover\BACKUP
72 Files - C:\Ad-Remover\QUARANTINE
.
End at: 22:41:28 | January 20, 2010 - CLEAN[1]
.
============== E.O.F ==============
.
Very well.
You have an infection Navipromo / Magic control.
Download Navilog1 to your desktop (Thanks to IL-MAFIOSO)
= = = = >>> By clicking here <<< = = = =
* Disable your security software (antivirus, firewall, antispyware,...)
* Double click on "Navilog1" on your desktop that you just downloaded
* Press the number 1 on your keyboard and then the Enter key to select the French language.
* Press any key on your keyboard to continue... (You will be prompted to do this several times).
* Type 1, then press the Enter key on your keyboard to select the option "Automatic Search / Disinfection"
* Be patient, this may take several minutes or more.
* Navilog1 will inform you that the search is complete
* Press any key on your keyboard to display the report it generated
* The report will be saved in the following file: "cleannavi.txt" at the root of your hard drive (C:\cleannavi.txt).
* Post the generated report
********
Download Malwarebytes’ Anti-Malware
= = = = >>> By clicking here <<< = = = =
- Save it to the desktop
- Double click on the downloaded file to start the installation process
- When prompted, update Malwarebytes anti malware
- If the firewall requests permission to connect for Malwarebytes, accept
- Once the update is complete, close Malwarebytes
- Double-click on the Malwarebytes icon to relaunch it
- In the Scan tab, likely opened by default,
- Select Run a full scan
- Click on Scan
- The scan begins
- At the end of the analysis, a message appears: The scan has completed normally. Click on 'Show results' to display all the items found.
- Click on Ok to proceed.
- If any malware has been detected, click on Show results
- Select all (or leave checked) and click on Remove selected. Malwarebytes will delete the files and registry keys and place a copy in quarantine.
- Malwarebytes will open Notepad and copy the scan report there.
- Go to the report/log tab
- Click on it to display it.
- Once displayed, click on edit at the top of Notepad, then on select all
- Click on edit again, then on copy and return to the forum and within your reply
- Right-click in the reply box and paste
If you need help, check this tutorial HERE
--
Got a problem? Visit CCM!
There is no problem without a solution.
and here is:
Fix Navipromo version 4.0.6 started on 01/20/2010 10:57:25.84
!!! Warning, this report may indicate legitimate files/programs!!!
!!! Post this report on the forum for analysis!!!
Tool executed from C:\Program Files\navilog1
Updated on 01/03/2010 at 11:00 AM by IL-MAFIOSO
Microsoft Windows XP Home Edition (v5.1.2600) Service Pack 3
X86-based PC (Multiprocessor Free: Intel(R) Pentium(R) 4 CPU 3.20GHz)
BIOS: Phoenix ROM BIOS PLUS Version 1.10 A02
USER: Elodie LEFIL (Administrator)
BOOT: Normal boot
C:\ (Local Disk) - NTFS - Total: 145 GB (Free: 58 GB)
D:\ (CD or DVD)
F:\ (USB)
G:\ (USB)
H:\ (USB)
I:\ (CD or DVD)
J:\ (USB) - FAT - Total: 1963 MB (Free: 1 GB)
K:\ (USB) - FAT32 - Total: 981 MB (Free: 0 GB)
L:\ (USB)
Search executed in normal mode
Cleaning executed on system reboot
Cleaning of C:\WINDOWS\Temp completed!
Cleaning of C:\Documents and Settings\Elodie LEFIL\locals~1\Temp completed!
*** Registry backup to folder Safebackup ***
Registry backup completed successfully!
*** Registry cleaning ***
Registry cleaning Ok
Egroup certificate removed!
*** Scan completed 01/20/2010 11:01:15.85 ***
Ok.
You can delete navilog.
Move on to the next (MBAM).
--
Got a problem? Check out CCM!
There is no problem without a solution.
You need to send me the report.
(Did you delete it properly?)
--
Got a problem? Check out CCM!
There's no problem without a solution.
Malwarebytes' Anti-Malware 1.44
Database version: 3605
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11
01/21/2010 00:18:25
mbam-log-2010-01-21 (00-18-25).txt
Scan type: Full scan (C:\|E:\|)
Items scanned: 224488
Elapsed time: 1 hour(s), 7 minute(s), 13 second(s)
Infected memory process(es): 0
Infected memory module(s): 0
Infected Registry key(s): 4
Infected Registry value(s): 0
Infected Registry data item(s): 0
Infected folder(s): 0
Infected file(s): 3
Infected memory process(es):
(No harmful items detected)
Infected memory module(s):
(No harmful items detected)
Infected Registry key(s):
HKEY_CLASSES_ROOT\CLSID\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{09f1adac-76d8-4d0f-99a5-5c907dadb988} (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntiVirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\IST (Adware.ISTBar) -> Quarantined and deleted successfully.
Infected Registry value(s):
(No harmful items detected)
Infected Registry data item(s):
(No harmful items detected)
Infected folder(s):
(No harmful items detected)
Infected file(s):
C:\Documents and Settings\Elodie LEFIL\My documents\Boulot\sap-tables.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
E:\données\Boulot\sap-tables.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\uwasfsd.sys (Rogue.PersonalAntiSpy) -> Quarantined and deleted successfully.