Detection of Win32.Malware.gen virus

Solved
Frya -  
 Anonymous user -
Hello,

I've been getting a virus detected by my AVAST! antivirus called WIN32:Malware-gen found in iexplorer.exe for about two days now.

Honestly, I've had people tell me that this virus is dangerous. I've reformatted my computer twice already and it's 5 years old, poor thing. Especially the thought of losing all my data.

I've seen that I'm not the only one experiencing this kind of issue, so I created my own message to avoid duplicates on the old ones.

I hope you can help me.

Have a good evening.
Configuration: Windows XP Firefox 3.0.16

20 replies

Anonymous user
 
All viruses are dangerous. For your information, a simple format does not remove all viruses; some, like VIRUT, resist it. So do not decide to format before discussing it with us.
To learn more about your infection, download RSIT (from random/random) to your desktop here:
http://images.malwareremoval.com/random/RSIT.exe

- Double click on RSIT.exe on your desktop
- Click on Continue in the window
- RSIT will download HijackThis if it's not present or detected, so you will need to accept the license
- Post the contents of the two reports, log.txt and info.txt (minimized in the taskbar) at the end of the analysis

The reports are in the folder here C:\rsit
0
Frya
 
Thank you for this quick response.

Here are the copied texts.

The log:

Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 35 GB (44%) free of 78 GB
Total RAM: 447 MB (26% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:23:16, on 01/02/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\iexplore.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\BboxUpdate\BTLiveUpdate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\VPro620.exe
C:\Program Files\Trust\Trust Keyboard 15036\PS2USBKbdDrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\LORENZATI\Desktop\RSIT.exe
C:\Program Files\trend micro\LORENZATI.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/en-us/?ocid=iehp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.bouyguestelecom.fr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/en-us/?ocid=iehp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/en-us/?ocid=iehp
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = https://portail.free.fr/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Links
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\iexplore.exe -start
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Click-to-Call BHO - {5C255C8A-E604-49b4-9D64-90988571CECB} - C:\Program Files\Windows Live\Messenger\wlchtc.dll
O2 - BHO: Windows Live Sign-in Assistant Help Program - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [WireLessKeyboard] C:\Program Files\Trust\Trust Keyboard 15036\StartAutorun.exe PS2USBKbdDrv.exe
O4 - HKLM\..\Run: [BboxUpdate] C:\Program Files\BboxUpdate\BTLiveUpdate.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: VPro620.lnk = C:\WINDOWS\VPro620.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - https://onedrive.live.com/?id=favorites
O8 - Extra context menu item: Easy-WebPrint Add to Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint Quick Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O9 - Extra button: Direct Add - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Direct Add in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/...
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game12.zylom.com/activex/zylomgamesplayer.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 9069 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\User_Feed_Synchronization-{D74FC634-DF4E-4886-ACC5-00795F14FD45}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]
Click-to-Call BHO - C:\Program Files\Windows Live\Messenger\wlchtc.dll [2009-02-06 73072]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Assistant Help Program - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-01-22 408448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2010-01-20 263280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll [2009-12-02 764912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-07-25 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-07-25 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{327C2873-E90D-4c37-AA9D-10AC9BABA46C} - Easy-WebPrint - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll [2004-08-26 405504]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - Google Toolbar - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2010-01-20 263280]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"RaidTool"=C:\Program Files\VIA\RAID\raid_tool.exe [2005-04-27 589824]
"VTTrayp"=C:\WINDOWS\system32\VTtrayp.exe [2005-03-12 147456]
"SoundMAXPnP"=C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe [2004-04-01 1368064]
"SoundMAX"=C:\Program Files\Analog Devices\SoundMAX\Smax4.exe [2004-03-26 794624]
"avast!"=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe [2009-11-25 81000]
"Easy-PrintToolBox"=C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE [2004-01-14 409600]
"SSBkgdUpdate"=C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe [2006-09-28 185896]
"WireLessKeyboard"=C:\Program Files\Trust\Trust Keyboard 15036\StartAutorun.exe [2005-11-30 94208]
"BboxUpdate"=C:\Program Files\BboxUpdate\BTLiveUpdate.exe [2008-08-06 103936]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-10-03 35696]
"Adobe ARM"=C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2009-09-04 935288]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2009-11-10 417792]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2008-09-21 68856]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-10-03 35696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe [2009-04-02 342312]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft WinUpdate]
C:\WINDOWS\system32\msupdte.exe [2009-01-23 12633]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe [2006-10-11 75304]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe [2009-11-10 417792]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre6\bin\jusched.exe [2009-07-25 149280]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2008-09-21 68856]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
C:\WINDOWS\system32\VTTimer.exe [2005-03-08 53248]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
VPro620.lnk - C:\WINDOWS\VPro620.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\eMule\emule.exe"="C:\Program Files\eMule\emule.exe:*:Enabled:eMule"
"C:\Program Files\Azureus\Azureus.exe"="C:\Program Files\Azureus\Azureus.exe:*:Enabled:Azureus"
"C:\WINDOWS\system32\rtcshare.exe"="C:\WINDOWS\system32\rtcshare.exe:*:Enabled:RTC Application Sharing"
"C:\Program Files\NetMeeting\conf.exe"="C:\Program Files\NetMeeting\conf.exe:*:Enabled:Windows® NetMeeting®"
"C:\Program Files\Opera\opera.exe"="C:\Program Files\Opera\opera.exe:*:Enabled:Opera Internet Browser"
"C:\Program Files\Java\jre6\bin\java.exe"="C:\Program Files\Java\jre6\bin\java.exe:*:Disabled:Java(TM) Platform SE binary"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe"="C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live FolderShare"
"D:\eSKernel.exe"="D:\eSKernel.exe:*:Enabled:Bbox installation assistance"
"C:\Program Files\Bbox\eSKernel.exe"="C:\Program Files\Bbox\eSKernel.exe:*:Enabled:Bbox installation assistance"
"C:\Program Files\BboxUpdate\BTLiveUpdate.exe"="C:\Program Files\BboxUpdate\BTLiveUpdate.exe:*:Enabled:Bbox - Bouygues Telecom - Update utility"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe"="C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live FolderShare"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b3946402-6b82-11dd-bad0-0013d456a52e}]
shell\AutoRun\command - .\Recycled\Driveinfo.exe
shell\Open\command - .\Recycled\Driveinfo.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b3946403-6b82-11dd-bad0-0013d456a52e}]
shell\AutoRun\command - .\Recycled\Driveinfo.exe
shell\Open\command - .\Recycled\Driveinfo.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b3946404-6b82-11dd-bad0-0013d456a52e}]
shell\AutoRun\command - .\Recycled\Driveinfo.exe
shell\Open\command - .\Recycled\Driveinfo.exe


======List of files/folders created in the last 1 months======

2010-02-01 19:17:03 ----D---- C:\Program Files\trend micro
2010-02-01 19:16:58 ----D---- C:\rsit
2010-01-25 11:33:53 ----D---- C:\gPotato.eu
2010-01-15 13:26:16 ----HDC---- C:\WINDOWS\$NtUninstallKB972270$
2010-01-13 21:39:39 ----HDC---- C:\WINDOWS\$NtUninstallKB955759$

======List of files/folders modified in the last 1 months======

2010-02-01 19:17:06 ----D---- C:\WINDOWS\Prefetch
2010-02-01 19:17:03 ----RD---- C:\Program Files
2010-02-01 17:46:37 ----D---- C:\Program Files\Mozilla Firefox
2010-02-01 17:38:40 ----D---- C:\WINDOWS\Temp
2010-02-01 17:34:57 ----D---- C:\WINDOWS
2010-02-01 17:34:57 ----A---- C:\WINDOWS\log56.txt
2010-01-31 20:48:54 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-01-31 20:48:52 ----D---- C:\WINDOWS\system32\CatRoot2
2010-01-31 18:56:36 ----D---- C:\WINDOWS\system32\drivers
2010-01-25 11:10:59 ----D---- C:\Documents and Settings\LORENZATI\Application Data\Azureus
2010-01-25 10:34:07 ----D---- C:\Program Files\Azureus
2010-01-23 09:57:49 ----D---- C:\WINDOWS\system32
2010-01-23 09:10:29 ----HD---- C:\WINDOWS\inf
2010-01-23 09:09:20 ----RSHDC---- C:\WINDOWS\system32\dllcache
2010-01-23 09:09:13 ----D---- C:\Program Files\Internet Explorer
2010-01-23 09:07:40 ----D---- C:\WINDOWS\ie8updates
2010-01-23 09:05:19 ----HD---- C:\WINDOWS\$hf_mig$
2010-01-22 12:56:02 ----D---- C:\Program Files\Microsoft Silverlight
2010-01-21 16:32:49 ----SHD---- C:\WINDOWS\Installer
2010-01-20 17:35:27 ----D---- C:\Program Files\Windows Live Safety Center
2010-01-15 13:26:30 ----A---- C:\WINDOWS\imsins.BAK
2010-01-14 16:38:25 ----D---- C:\WINDOWS\AppPatch
2010-01-05 01:17:46 ----A---- C:\WINDOWS\system32\MRT.exe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 Aavmker4;avast! Asynchronous Virus Monitor; C:\WINDOWS\system32\drivers\Aavmker4.sys [2009-11-25 27408]
R1 AmdK8;AMD Athlon64 Processor Driver; C:\WINDOWS\system32\DRIVERS\AmdK8.sys [2004-05-08 38912]
R1 aswSP;avast! Self Protection; C:\WINDOWS\system32\drivers\aswSP.sys [2009-11-25 114768]
R1 aswTdi;avast! Network Shield Support; C:\WINDOWS\system32\drivers\aswTdi.sys [2009-11-25 48560]
R1 kbdhid;HID Keyboard Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14720]
R1 SSHDRV85;SSHDRV85; \??\C:\WINDOWS\system32\drivers\SSHDRV85.sys []
R2 aswFsBlk;aswFsBlk; C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2009-11-25 20560]
R2 aswMon2;avast! Standard Shield Support; C:\WINDOWS\system32\drivers\aswMon2.sys [2009-11-25 94160]
R3 aeaudio;aeaudio; C:\WINDOWS\system32\drivers\aeaudio.sys [2004-04-08 116176]
R3 aswRdr;aswRdr; C:\WINDOWS\system32\drivers\aswRdr.sys [2009-11-25 23120]
R3 FETNDISB;VIA Rhine Family Fast Ethernet Adapter Driver Service; C:\WINDOWS\system32\DRIVERS\fetnd5b.sys [2004-07-23 42496]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2009-03-19 23400]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-14 10368]
R3 mouhid;HID Mouse Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2008-04-14 12288]
R3 MTsensor;ATK0110 ACPI UTILITY; C:\WINDOWS\system32\DRIVERS\ASACPI.sys [2004-08-14 5810]
R3 senfilt;senfilt; C:\WINDOWS\system32\drivers\senfilt.sys [2004-04-27 381056]
R3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2004-06-07 266880]
R3 SPC620;Philips SPC620NC PC Camera; C:\WINDOWS\system32\drivers\SPC620.sys [2007-09-28 484352]
0
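As an added defender-side example (not code from the forum, RSIT or HijackThis), the script below runs a few triage heuristics over a constructed sample built from lines of the RSIT log above: the system.ini Shell= entry that also launches C:\WINDOWS\iexplore.exe, a well-known binary name outside its normal directory, the "Microsoft WinUpdate" startup entry, the NoDriveTypeAutoRun=0 policy, and the mountpoints2 AutoRun commands pointing into a Recycled folder. The EXPECTED_DIR table, the rule names and the "real update client" list are my assumptions; the output is a list of lines worth a second look, not a verdict.

```python
"""Triage heuristics for RSIT / HijackThis-style startup dumps (added example)."""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

# Constructed sample: lines modelled on the RSIT log posted above, plus the
# NoDriveTypeAutoRun policy value from its registry dump.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\iexplore.exe -start
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft WinUpdate]
C:\WINDOWS\system32\msupdte.exe [2009-01-23 12633]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe [2009-11-10 417792]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=0
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b3946402-6b82-11dd-bad0-0013d456a52e}]
shell\AutoRun\command - .\Recycled\Driveinfo.exe
shell\Open\command - .\Recycled\Driveinfo.exe
"""

# Where the genuine copy of each well-known XP binary lives (assumed table);
# the same name anywhere else, e.g. C:\WINDOWS\iexplore.exe, is masquerading.
# Assumption: long-form paths; 8.3 names such as PROGRA~1 are not expanded.
EXPECTED_DIR = {
    "iexplore.exe": r"c:\program files\internet explorer",
    "explorer.exe": r"c:\windows",
    "ctfmon.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
}
# Binaries a genuine Windows Update startup entry would run on XP (heuristic).
REAL_UPDATE_BINARIES = {"wuauclt.exe", "wupdmgr.exe"}
REMOVABLE_BIT = 0x04  # NoDriveTypeAutoRun bit for DRIVE_REMOVABLE; 0xFF disables all

EXE_RE = re.compile(r'((?:[a-zA-Z]:|\.)\\[^"\[\]]*?\.exe)', re.IGNORECASE)
O4_NAME_RE = re.compile(r"^O4 - .*?: \[(.+?)\]")
STARTUPREG_RE = re.compile(r"\\startupreg\\(.+)\]$", re.IGNORECASE)
MOUNT_CMD_RE = re.compile(r"shell\\(autorun|open)\\command", re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    line: str


def masquerading(path: str) -> bool:
    """A well-known binary name running from a directory it never lives in."""
    base = ntpath.basename(path).lower()
    return base in EXPECTED_DIR and ntpath.dirname(path).lower() != EXPECTED_DIR[base]


def fake_update_entry(name: str, path: str) -> bool:
    """Startup entry named like Windows Update that does not run the real client."""
    n = name.lower()
    claims_update = "update" in n and ("microsoft" in n or "windows" in n)
    return claims_update and ntpath.basename(path).lower() not in REAL_UPDATE_BINARIES


def triage(log: str) -> list[Finding]:
    findings: list[Finding] = []
    in_mountpoints = False
    pending_name = None  # startupreg entry name, consumed by the next path line
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[HKEY_"):  # a registry key header sets the context
            in_mountpoints = "mountpoints2" in line.lower()
            m = STARTUPREG_RE.search(line)
            pending_name = m.group(1) if m else None
            continue
        exes = EXE_RE.findall(line)
        # Rule 1: system.ini Shell= must be exactly Explorer.exe; anything
        # appended to it is started at every logon.
        if line.startswith("F2 - REG:system.ini: Shell="):
            tokens = line.split("Shell=", 1)[1].split()
            if [t.lower() for t in tokens] != ["explorer.exe"]:
                findings.append(Finding("shell-hijack", line))
        # Rule 2: well-known binary name in the wrong directory.
        if any(masquerading(exe) for exe in exes):
            findings.append(Finding("masquerade", line))
        # Rule 3: AutoRun/Open handler of a mounted drive pointing at a
        # relative path or a Recycled folder, the classic USB-worm pattern.
        if in_mountpoints and MOUNT_CMD_RE.search(line):
            cmd = line.split(" - ", 1)[1] if " - " in line else ""
            if cmd.startswith(".") or "recycle" in cmd.lower():
                findings.append(Finding("usb-autorun", line))
        # Rule 4: update-themed startup name that is not the real client.
        m = O4_NAME_RE.match(line)
        name = m.group(1) if m else pending_name
        if name and exes and fake_update_entry(name, exes[0]):
            findings.append(Finding("fake-update", line))
        # Rule 5: AutoRun policy still allows removable media (0 = every type).
        if line.lower().startswith('"nodrivetypeautorun"='):
            try:
                value = int(line.split("=", 1)[1].strip(), 0)
            except ValueError:
                value = None
            if value is not None and not value & REMOVABLE_BIT:
                findings.append(Finding("autorun-enabled", line))
        pending_name = None
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule:16}] {f.line}")
```

Run against the sample, it flags six lines; everything avast!, ctfmon.exe and QuickTime pass untouched, which is the point of keying on location and naming rather than on an allow-list of every product on the machine.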
Anonymous user
 
Scan with this antispyware:
Malwarebytes + tutorial

Install it; update it...(update tab)
Now click on the scan tab and check the box:
"Run a full scan".
Then click on "scan".
Let it scan the PC...
At the end of the scan, click on Show results
If any items were found:
> click on Remove Selected. If it asks to restart > click on "Yes".
At the end, a report will open;
save it somewhere you can find it again, so you can post it on the forum.
Please copy and paste the report.

See you later
0
Frya
 
Thank you for Malwarebytes.

But now I have a problem. I have Avast! which is giving me a warning about the virus and is blocking access to Malwarebytes. Which option should I choose?

- Move/Rename

- Delete

- Repair

- Quarantine

or the last option:

- Do nothing.

Thank you.
0
Anonymous user
 
Put it in quarantine, or if that is not possible, delete it.

And during the scan, do not touch the PC.
0
Frya
 
Here is the analysis report:

Malwarebytes' Anti-Malware 1.44
Database version: 3673
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

01/02/2010 21:14:55
mbam-log-2010-02-01 (21-14-40).txt

Scan type: Full scan (C:\|)
Items scanned: 188427
Elapsed time: 1 hour(s), 37 minute(s), 43 second(s)

Infected memory process(es): 0
Infected memory module(s): 0
Infected Registry key(s): 0
Infected Registry value(s): 0
Infected Registry data item(s): 0
Infected folder(s): 0
Infected file(s): 2

Infected memory process(es):
(No harmful items detected)

Infected memory module(s):
(No harmful items detected)

Infected Registry key(s):
(No harmful items detected)

Infected Registry value(s):
(No harmful items detected)

Infected Registry data item(s):
(No harmful items detected)

Infected folder(s):
(No harmful items detected)

Infected file(s):
C:\WINDOWS\system32\msupdte.exe (Backdoor.Bot) -> No action taken.
C:\Documents and Settings\LORENZATI\Local Settings\Temp\_ir_sf_temp_0\irsetup.exe (Trojan.Agent) -> No action taken.
0
Anonymous user
 
▶ Download Dr.Web CureIt! to your Desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

▶ Double-click on drweb-cureit.exe and click on Start scan.
▶ This quick scan analyzes the processes loaded in memory; if it finds infected processes, click Yes to All at the prompt.
▶ When the quick scan is finished, click Options > Change configuration.
▶ Select the Scanner tab, and uncheck Heuristic analysis.
▶ Back in the main window: choose Full analysis.
▶ Click the green arrow on the right and the scan will begin. An advertisement may appear sometimes, close it.
▶ Click Yes to All if a file is detected.
▶ At the end of the scan, if infections are found, click Select All, then click Disinfect. If disinfection is impossible, click Quarantine.
▶ In the main menu of the tool, at the top left, click on the File menu and choose Save report.
▶ Save the report to your Desktop. It will be named DrWeb.csv.
▶ Close Dr.Web CureIt!
▶ Restart your computer (very important) because some files may be moved/fixed upon restart.
▶ Post (Copy/Paste) the content of the Dr.Web tool report into a notepad.

Then:

▶ Go to this free hosting address: http://www.cijoint.fr/
▶ Click on browse, find the DrWeb.txt report then click here to upload the file.
▶ Once the link is created, right-click on it and copy the link address to paste it into your response.
0
Frya
 
Just another little problem :s it seems I keep collecting them... During the quick scan, I get an error message:

dwwin.exe - Entry point not found

The procedure entry point [gibberish then coded] could not be located in the dynamic link library GDI32.dll

No matter how many times I click ok, the window keeps coming back.
0
Frya > Frya
 
Well, the window finally closed, but the software crashed.
0
Anonymous user
 
Let's forget about this scan. Apart from that, is Avast still issuing alerts about other problems?
• Download USBFIX
http://pagesperso-orange.fr/NosTools/Chiquitine29/UsbFix.exe

(!) Connect your external data sources (USB flash drive, external hard drive, etc.) that may have been infected to your PC, without opening them.

• Double click on the UsbFix shortcut on your desktop.

• In the main menu, choose option " F " for French and hit [enter].

• In the second menu, choose option " 2 " (deletion) and hit [enter]

• Let the tool work.

• Then post the UsbFix.txt report that will appear.

• Note: The UsbFix.txt report is saved at the root of the disk. ( C:\UsbFix.txt )

( CTRL+A to select all, CTRL+C to copy and CTRL+V to paste )

• Note: "Process.exe", a component of the tool, is detected by some antivirus software (AntiVir, Dr.Web, Kaspersky Anti-Virus) as a RiskTool.
It is not a virus, but a utility designed to terminate processes.
In the wrong hands, this utility could stop security software (Antivirus, Firewall...) hence the alert issued by these antivirus programs.

Sorry for the inconvenience!
0
Frya
 
Thank you very much. It's done, except that Internet Explorer, which opens by default, blocked my access to send the file, and I saw another link here on this forum to send it to Chiquitines. I hope I didn't make any mistakes :s

Otherwise, Avast! hasn't reappeared since the Malwarebytes scan. On the other hand, I had the warning twice during the day, compared to this weekend.

Anyway, I'm going to bed, tomorrow is a long day and I won't be able to connect. So I will only be able to see the responses to this topic by Wednesday late afternoon.

Thank you for everything and especially for dedicating your precious time ^^

On that note, have a good evening. I will be there Wednesday at 5 p.m. without fail.
0
Anonymous user
 
Did you do the scan? If so, post the report!
0
Frya
 
0
Anonymous user
 
1- ! Disconnect from the internet and close all running applications!

Imperative:
Connect all your external units to your PC (USB key, external hard drive, flash disk, MP3 player, SD card, etc...) that may have been infected (but do not open them!).

# Double-click on UsbFix.exe on your desktop to launch the tool.

# This time, choose option 2 (Removal).

> Your desktop will disappear and the PC will restart (that's normal).

# Upon restarting, UsbFix will scan your PC, let the tool work and do not touch anything.

# Once finished, post the new UsbFix.txt report that will appear with the desktop.

(The report is also saved at the root of the master disk > C:\UsbFix.txt).

/!\ If the desktop does not reappear, press Ctrl + Alt + Delete to open the Task Manager > "File" tab, "New Task", type explorer.exe and confirm /!\
0
Frya
 
Thank you, here is the new UsbFix report:


############################## | UsbFix V6.084 |

User: LORENZATI (Administrators) # LORENZATI150919
Update on 01/02/2010 by El Desaparecido, C_XX & Chimay8
Start at: 19:50:02 | 02/02/2010
Website: http://pagesperso-orange.fr/NosTools/index.html
Contact: FindyKill.Contact@gmail.com

AMD Sempron(tm) Processor 2600+
Microsoft Windows XP Home Edition (5.1.2600 32-bit) # Service Pack 3
Internet Explorer 8.0.6001.18702
Windows Firewall Status: Enabled
AV: avast! antivirus 4.8.1368 [VPS 100202-0] 4.8.1368 [ Enabled | Updated ]

A:\ -> 3.5-inch Floppy Drive
C:\ -> Local Fixed Drive # 76.33 GB (34.09 GB free) # NTFS
D:\ -> CD-ROM Drive
E:\ -> Removable Drive # 7.47 GB (2.83 GB free) [MALLAURY1] # FAT32
F:\ -> Removable Drive # 7.45 GB (721.88 MB free) [MALLAURY] # FAT32

############################## | Active Processes |

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

################## | Infectious Elements |

Deleted! C:\Recycler\S-1-5-21-1409082233-515967899-1417001333-1004

################## | Registry |


################## | Mountpoints2 |


################## | Listing of Present Files |

[13/08/2008 17:11|--a------|0] C:\AUTOEXEC.BAT
[20/09/2009 14:33|---hs----|216] C:\boot.ini
[14/04/2008 13:00|-rahs----|4952] C:\Bootfont.bin
[13/08/2008 17:11|--a------|0] C:\CONFIG.SYS
[13/08/2008 17:11|-rahs----|0] C:\IO.SYS
[13/08/2008 17:11|-rahs----|0] C:\MSDOS.SYS
[14/04/2008 13:00|-rahs----|47564] C:\NTDETECT.COM
[14/04/2008 13:00|-rahs----|252240] C:\ntldr
[?|?|?] C:\pagefile.sys
[04/01/2009 12:24|--a------|156061] C:\playground.log
[02/02/2010 19:54|--a------|2627] C:\UsbFix.txt
[01/02/2010 22:40|--a------|562753] C:\UsbFix_Upload_Me_LORENZATI150919.zip
[06/07/2008 18:16|--a------|257755136] F:\sensitive_pornograph_vosta_nocens.avi

################## | Vaccination |

# C:\autorun.inf -> Folder created by UsbFix.
# E:\autorun.inf -> Folder created by UsbFix.
# F:\autorun.inf -> Folder created by UsbFix.

################## | Upload |

Please send the file: C:\UsbFix_Upload_Me_LORENZATI150919.zip : https://www.ionos.fr/?affiliate_id=77097
Thank you for your contribution.

################## | ! End of report # UsbFix V6.084 ! |
0
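Added example, not part of the thread and not UsbFix's own code: what the "Vaccination" lines in the report above actually do, next to the check a triage script should run on an autorun.inf before deciding whether a stick was used as a carrier. The sample autorun.inf is constructed; its RECYCLER path reuses the SID-named folder UsbFix deleted above, and x.exe is a hypothetical dropper name.

```python
import configparser
import os
import tempfile

# [autorun] keys that make Windows run something when AutoRun/AutoPlay is honoured
EXEC_KEYS = ("open", "shellexecute", "shell\\open\\command")
# Folders removable-drive worms habitually hide their dropper in
HIDING_PLACES = ("recycler", "recycled", "system volume information")

# Constructed sample (not taken from the thread). The RECYCLER path reuses the
# SID-named folder UsbFix deleted in the report above; x.exe is a hypothetical dropper.
SAMPLE_AUTORUN = """\
[AutoRun]
open=RECYCLER\\S-1-5-21-1409082233-515967899-1417001333-1004\\x.exe
shell\\open\\command=RECYCLER\\S-1-5-21-1409082233-515967899-1417001333-1004\\x.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
"""


def parse_autorun(text):
    """Return {'targets': [(key, command), ...], 'flags': [reason, ...]} for one autorun.inf.

    targets are the commands Windows would run; flags are the reasons a triager should care.
    """
    # interpolation=None: values such as %SystemRoot% are not configparser templates
    # strict=False: worm-written files often repeat keys
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    try:
        cp.read_string(text)
    except configparser.Error as exc:
        # junk padding ahead of [autorun] is itself a known evasion against naive parsers
        return {"targets": [], "flags": ["unparseable autorun.inf (%s)" % exc.__class__.__name__]}
    section = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    if section is None:
        return {"targets": [], "flags": ["no [autorun] section"]}
    sec = cp[section]
    targets = [(key, sec[key].strip()) for key in EXEC_KEYS if key in sec]
    flags = []
    for key, command in targets:
        if any(place in command.lower() for place in HIDING_PLACES):
            flags.append("%s launches from a hidden system folder: %s" % (key, command))
    if targets and sec.get("action", "").lower().startswith("open folder"):
        # AutoPlay shows 'action' as the menu label: this makes the dropper look like Explorer's own entry
        flags.append("'action' imitates the built-in 'Open folder' entry while launching code")
    return {"targets": targets, "flags": flags}


def vaccinate(drive_root):
    """UsbFix-style 'vaccination': occupy the name autorun.inf with a directory so a worm
    cannot drop a file of that name. Never deletes anything; reports what it found."""
    path = os.path.join(drive_root, "autorun.inf")
    if os.path.isdir(path):
        return "already_vaccinated"
    if os.path.lexists(path):
        return "file_present"  # look at it with parse_autorun() before removing it
    os.mkdir(path)
    return "created"


def demo_vaccinate():
    """Exercise vaccinate() on two throw-away 'drive roots' created under the temp dir."""
    clean = tempfile.mkdtemp(prefix="clean_")
    carrier = tempfile.mkdtemp(prefix="carrier_")
    with open(os.path.join(carrier, "autorun.inf"), "w") as fh:
        fh.write(SAMPLE_AUTORUN)
    return vaccinate(clean), vaccinate(clean), vaccinate(carrier)


if __name__ == "__main__":
    result = parse_autorun(SAMPLE_AUTORUN)
    for key, command in result["targets"]:
        print("%-20s -> %s" % (key, command))
    for flag in result["flags"]:
        print("FLAG:", flag)
    print(demo_vaccinate())
```

Two caveats a helper should keep in mind. The directory trick only stops a worm from writing a file called autorun.inf; a worm that removes the directory first is not stopped (some vaccination tools put an entry with a reserved device name inside the directory to make it hard to delete, which this example does not do). And it matters only on systems that still honour AutoRun for removable media, which a Windows XP machine without Microsoft's AutoPlay update KB971029 does; after that update, or on a properly set NoDriveTypeAutoRun policy, the drive is inert whatever autorun.inf says.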
Anonymous user
 
We continue, then:

1- If you haven't already done so, go to this page:
> https://www.ionos.fr/?affiliate_id=77097

* click on "browse" and navigate to the file UsbFix_Upload_Me_CELINE.zip that is on your desktop.

* then click on "send file" ... wait for the transfer to complete ...

* Once finished, you can delete the file UsbFix_Upload_Me_CELINE.zip

thank you for making this report which will allow the authors of the tool to work on this type of infection and help UsbFix become more and more effective ... ^^

2- Download Ad-remover (from C_XX) to your desktop:

here http://pagesperso-orange.fr/NosTools/C_XX/AD-R.exe
or here https://www.androidworld.fr/

! Disconnect and close all running applications (including your browser)!

• Double-click on Ad-remover.exe on your desktop to launch the tool.

• In the main menu, choose the option "S" and press [enter].

• the scan starts, let the tool run and don’t touch anything ...

/!\ the tool may appear to have frozen and nothing seems to be happening, but that's not the case! (the scan is very discreet and quite long, so be patient ...)

--> Post the report that appears at the end in your next message for analysis ...

( The report is also saved under C:\Ad-report-SCAN.log )
( CTRL+A to select all, CTRL+C to copy and CTRL+V to paste )

Note: "Process.exe," a component of the tool, is detected by certain antivirus programs:
(AntiVir, Dr.Web, Kaspersky Anti-Virus) as a RiskTool.
It is not a virus but a utility designed to terminate processes.
In the wrong hands, this utility could stop security software (Antivirus, Firewall...) which is why these antivirus programs issue an alert.

Image help (Installation): http://pagesperso-orange.fr/NosTools/tuto_ad_r1.html
Image help (Search): http://pagesperso-orange.fr/NosTools/tuto_ad_r2.html
0
Frya
 
Thank you. Here is the Ad-Report:

.
======= AD-REMOVER REPORT 1.1.4.6_J | WINDOWS XP/VISTA/7 ONLY =======
.
Updated by C_XX on 29.01.2010 at 16:43
Contact: AdRemover.contact@gmail.com
Website: http://pagesperso-orange.fr/NosTools/ad_remover.html
.
Launched at: 20:11:36, 02/02/2010 | Normal Mode | Option: SCAN
Executed from: C:\Ad-Remover\
Operating System: Microsoft® Windows XP™ Service Pack 3 v5.1.2600
PC Name: LORENZATI150919 | Current User: LORENZATI
.
============== ELEMENT(S) FOUND ==============
.

C:\DOCUME~1\ALLUSE~1\APPLIC~1\Trymedia
.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{0E5CBF21-D15F-11D0-8301-00AA005B4383}
HKLM\software\Trymedia Systems
.
============== Additional Scan ==============
.
.
* Mozilla FireFox Version 3.0.16 [en] *
.
Profile name: e7uq0sne.default (LORENZATI)
.
(LORENZ~1, prefs.js) Browser.download.lastDir, C:\Documents and Settings\LORENZATI\Desktop
(LORENZ~1, prefs.js) Browser.startup.homepage, hxxp://www.bbox.bouyguestelecom.fr/pid10/mon-portail.html
(LORENZ~1, prefs.js) Extensions.enabledItems, {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}:6.0.13,{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}:6.0.15,jqs@sun.com:1.0,{20a82645-c095-46ed-80e3-08825760534b}:1.1,{972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.16
.
.
* Internet Explorer Version 8.0.6001.18702 *
.
[HKEY_CURRENT_USER\..\Internet Explorer\Main]
.
Do404Search: 01000000
Local Page: C:\WINDOWS\system32\blank.htm
Show_ToolBar: yes
Start Page: hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
Search Page: hxxp://www.google.com
Use Search Asst: no
Enable Browser Extensions: yes
Default_Page_URL: hxxp://go.microsoft.com/fwlink/?LinkId=69157
Start Page Redirect Cache: hxxp://fr.msn.com/?ocid=iehp
Start Page Redirect Cache_TIMESTAMP: 262e36ce85bac901
Start Page Redirect Cache AcceptLangs: en
.
[HKEY_LOCAL_MACHINE\..\Internet Explorer\Main]
.
Default_Page_URL: hxxp://go.microsoft.com/fwlink/?LinkId=69157
Default_Search_URL: hxxp://go.microsoft.com/fwlink/?LinkId=54896
Search Page: hxxp://go.microsoft.com/fwlink/?LinkId=54896
Delete_Temp_Files_On_Exit: yes
Local Page: C:\WINDOWS\system32\blank.htm
Start Page: hxxp://fr.msn.com/
.
[HKEY_LOCAL_MACHINE\..\Internet Explorer\ABOUTURLS]
.
Tabs: res://ieframe.dll/tabswelcome.htm
.
============== Suspect (Cracks, Serials, ...) ==============
.
C:\Documents and Settings\LORENZATI\Application Data\Azureus\torrents\SpinTop Games - Mystery P.I. - The New York Fortune + Adnan_Boy 2008 + Precracked.torrent
C:\Documents and Settings\LORENZATI\My Documents\Azureus Downloads\SpinTop Games - Mystery P.I. - The New York Fortune + Adnan_Boy 2008 + Precracked\Mystery P.I. - The New York Fortune.exe
C:\Documents and Settings\LORENZATI\My Documents\programs and installations\Keygen Nero 8.0.3\KeyGen.exe
C:\Documents and Settings\LORENZATI\My Documents\Torrents\The_Nightshift_Code_Precracked.torrent
.
===================================
.
2975 Byte(s) - C:\Ad-Report-SCAN[1].log
.
3036 File(s) - C:\DOCUME~1\LORENZ~1\LOCALS~1\Temp
79 File(s) - C:\WINDOWS\Temp
129 File(s) - C:\WINDOWS\Prefetch
.
2 File(s) - C:\Ad-Remover\BACKUP
0 File(s) - C:\Ad-Remover\QUARANTINE
.
End at: 20:15:12 | 02/02/2010 - SCAN[1]
.
============== E.O.F ==============
.
0
Anonymous user
 
Remove all your cracks, they are sources of infection. You complain about being infected and having to format, yet you do everything to get infected by a virus!!

How is your PC?

The next steps:

1- ! Disconnect and close all running applications (including the browser)!

• Double click on Ad-remover.exe on your desktop to launch the tool.

• In the main menu, choose this time option "L" and press [enter].

• The cleaning starts > Let the tool work and don’t touch anything!...

/!\ the tool may seem like it has crashed and that nothing is happening, but that’s not the case! (the scan is very discreet and quite long, so be patient...)

--> Post the report that appears at the end in your next response for analysis...

(The report is also saved under C:\Ad-Report-CLEAN.log)
(CTRL+A to select all, CTRL+C to copy and CTRL+V to paste)
0
Frya
 
I deleted all the cracks, but apparently one persists, even though I emptied the trash.

Otherwise, my PC itself was not lagging at all. In fact, the Avast! warning about malware-gen appeared when I opened my MMORPG. When the game fully opened and I could play, I received the warning. I haven't tried again since, but I can do so just in case.

Here is report number 2:

.
======= AD-REMOVER REPORT 1.1.4.6_J | WINDOWS XP/VISTA/7 ONLY =======
.
Updated by C_XX on 29.01.2010 at 16:43
Contact: AdRemover.contact@gmail.com
Website: http://pagesperso-orange.fr/NosTools/ad_remover.html
.
Launched at: 20:24:09, 02/02/2010 | Normal Mode | Option: SCAN
Executed from: C:\Ad-Remover\
Operating System: Microsoft® Windows XP™ Service Pack 3 v5.1.2600
PC Name: LORENZATI150919 | Current User: LORENZATI
.
============== ELEMENT(S) FOUND ==============
.

C:\DOCUME~1\ALLUSE~1\APPLIC~1\Trymedia
.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{0E5CBF21-D15F-11D0-8301-00AA005B4383}
HKLM\software\Trymedia Systems
.
============== Additional Scan ==============
.
.
* Mozilla FireFox Version 3.0.16 [fr] *
.
Profile Name: e7uq0sne.default (LORENZATI)
.
(LORENZ~1, prefs.js) Browser.download.lastDir, C:\Documents and Settings\LORENZATI\Desktop
(LORENZ~1, prefs.js) Browser.startup.homepage, hxxp://www.bbox.bouyguestelecom.fr/pid10/mon-portail.html
(LORENZ~1, prefs.js) Extensions.enabledItems, {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}:6.0.13,{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}:6.0.15,jqs@sun.com:1.0,{20a82645-c095-46ed-80e3-08825760534b}:1.1,{972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.16
.
.
* Internet Explorer Version 8.0.6001.18702 *
.
[HKEY_CURRENT_USER\..\Internet Explorer\Main]
.
Do404Search: 01000000
Local Page: C:\WINDOWS\system32\blank.htm
Show_ToolBar: yes
Start Page: hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
Search Page: hxxp://www.google.com
Use Search Asst: no
Enable Browser Extensions: yes
Default_Page_URL: hxxp://go.microsoft.com/fwlink/?LinkId=69157
Start Page Redirect Cache: hxxp://fr.msn.com/?ocid=iehp
Start Page Redirect Cache_TIMESTAMP: 262e36ce85bac901
Start Page Redirect Cache AcceptLangs: fr
.
[HKEY_LOCAL_MACHINE\..\Internet Explorer\Main]
.
Default_Page_URL: hxxp://go.microsoft.com/fwlink/?LinkId=69157
Default_Search_URL: hxxp://go.microsoft.com/fwlink/?LinkId=54896
Search Page: hxxp://go.microsoft.com/fwlink/?LinkId=54896
Delete_Temp_Files_On_Exit: yes
Local Page: C:\WINDOWS\system32\blank.htm
Start Page: hxxp://fr.msn.com/
.
[HKEY_LOCAL_MACHINE\..\Internet Explorer\ABOUTURLS]
.
Tabs: res://ieframe.dll/tabswelcome.htm
.
============== Suspect (Cracks, Serials, ...) ==============
.
C:\Documents and Settings\LORENZATI\Application Data\Azureus\torrents\SpinTop Games - Mystery P.I. - The New York Fortune + Adnan_Boy 2008 + Precracked.torrent
.
===================================
.
3316 Byte(s) - C:\Ad-Report-SCAN[1].log
2620 Byte(s) - C:\Ad-Report-SCAN[2].log
.
3036 File(s) - C:\DOCUME~1\LORENZ~1\LOCALS~1\Temp
79 File(s) - C:\WINDOWS\Temp
129 File(s) - C:\WINDOWS\Prefetch
.
3 File(s) - C:\Ad-Remover\BACKUP
0 File(s) - C:\Ad-Remover\QUARANTINE
.
End at: 20:27:11 | 02/02/2010 - SCAN[2]
.
============== E.O.F ==============
.
0
Anonymous user
 
Download gmer to the desktop:

> https://www.cjoint.com/?bBkSH6OR7n

!! Disconnect, disable your defenses (anti-virus, anti-spyware) and make sure to close all your applications during the process (including browsers)!!

* Double-click on "..._gmer.exe" on the desktop.
* Click on the "rootkit" tab, then click on scan.
* At the end of the scan, click on the copy button.
* In Start > Programs > Accessories, open Notepad and press CTRL+V to paste the report into it.

> please post the report ...
0
Anonymous user
 
Then download ComboFix (by sUBs) to your Desktop (and not elsewhere!):

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

--------------------------------- [ ! WARNING ! ] ------------------------------------------
!! Disconnect, close your running applications (as well as your browser) and DISABLE ALL YOUR DEFENSES (anti-virus, anti-spyware guard, firewall) during the process:
Indeed, if they are enabled, they could severely hinder the searching and cleaning procedure of the tool (possibly crashing the PC)... You will reactivate them afterwards!!
---> Important: if you encounter any difficulties at this level, let me know before proceeding...
Tutorial (help) here: https://www.bleepingcomputer.com/combofix/fr/comment-utiliser-combofix
Note: for XP, it is MANDATORY to install the Windows Recovery Console if the tool requests it (see the tutorial above).
--------------------------------------------------------------------------------------------

Then:
> Double-click on the "Combofix.exe" icon to launch the tool.
> In the "DISCLAIMER..." window, click "yes" and let it work...

-- For XP, the installation of the Recovery Console will be requested:
* Follow the instructions and install the "recovery console" (in English, "Windows Recovery Console") when the tool asks you to (important!).
image > http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif
* Reconnect before clicking "yes," and only during this manipulation.
* Once the console is installed,
image > http://img.photobucket.com/albums/v706/ried7/whatnext.png
disconnect again before clicking "yes" to start the scan --

Important notes:
-> Do not use your mouse or keyboard (or any other pointing device) while the program is running. This could freeze the computer.
-> The PC may restart by itself (to complete the cleaning); let it happen.
-> If the tool informs you: "combofix has detected the presence of a rootkit and needs to restart your machine," you accept...
-> If a Windows error message appears at any moment: click the red cross at the top right of the window to close it (and not on anything else! Otherwise, no report...)

The report will be created here: C:\Combofix.txt

Make sure to reactivate your defenses.

Post the Combofix report for analysis and wait for further instructions...
0
Frya
 
I have indeed disabled Avast! I am posting the first report and I will take care of the following one that was posted just before:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-02 21:21:51
Windows 5.1.2600 Service Pack 3
Running: bBkSH6OR7n_gmer.exe; Driver: C:\DOCUME~1\LORENZ~1\LOCALS~1\Temp\pgkoypoc.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xF5CAC6B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xF5CAC574]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xF5CACA52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xF5CAC14C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xF5CAC64E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xF5CAC08C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xF5CAC0F0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xF5CAC76E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xF5CAC72E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xF5CAC8AE]

---- Kernel code sections - GMER 1.0.15 ----

init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xF7091F80]
.text C:\WINDOWS\system32\drivers\SSHDRV85.sys section is writeable [0xF5E85000, 0x24A24, 0xE8000020]
.pklstb C:\WINDOWS\system32\drivers\SSHDRV85.sys entry point in ".pklstb" section [0xF5EB8000]
.relo2 C:\WINDOWS\system32\drivers\SSHDRV85.sys unknown last section [0xF5ECE000, 0x8E, 0x42000040]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[660] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00380002
IAT C:\WINDOWS\system32\services.exe[660] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00380000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

---- EOF - GMER 1.0.15 ----
0
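Added example, not from the thread and not GMER's code: a small triage pass over the kind of lines in the report above. GMER names the module that owns each hook and, when it can read the file's version information, adds the description and company in parentheses; hooks credited to a known security product (here avast!'s aswSP.SYS, aswMon2.SYS and aswTdi.SYS) are expected on this machine, so the leads worth chasing are hooks with no attribution at all and driver images whose sections look packed or writable. The sample lines are copied from the report, plus one constructed SSDT line (xyz.sys, a hypothetical driver) to show what an unattributed hook looks like.

```python
import os
import re
from collections import OrderedDict

# Lines copied from the GMER report above, plus one constructed SSDT line
# (xyz.sys, hypothetical) showing a hook GMER could not attribute to a vendor.
SAMPLE_GMER = """\
SSDT \\SystemRoot\\System32\\Drivers\\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xF5CAC6B8]
SSDT \\SystemRoot\\System32\\Drivers\\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xF5CAC08C]
SSDT \\??\\C:\\WINDOWS\\system32\\drivers\\xyz.sys ZwQueryDirectoryFile [0xF8A12000]
init C:\\WINDOWS\\system32\\drivers\\senfilt.sys entry point in "init" section [0xF7091F80]
.text C:\\WINDOWS\\system32\\drivers\\SSHDRV85.sys section is writeable [0xF5E85000, 0x24A24, 0xE8000020]
.pklstb C:\\WINDOWS\\system32\\drivers\\SSHDRV85.sys entry point in ".pklstb" section [0xF5EB8000]
.relo2 C:\\WINDOWS\\system32\\drivers\\SSHDRV85.sys unknown last section [0xF5ECE000, 0x8E, 0x42000040]
IAT C:\\WINDOWS\\system32\\services.exe[660] @ C:\\WINDOWS\\system32\\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00380002
AttachedDevice \\FileSystem\\Ntfs \\Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
"""

# GMER appends '(description/company)' when the module's version information is readable
VENDOR = r"(?:\s+\((?P<vendor>[^)]*)\))?"
PATTERNS = [
    ("ssdt", re.compile(r"^SSDT\s+(?P<module>\S+)" + VENDOR
                        + r"\s+(?P<detail>\w+)\s+\[(?P<addr>0x[0-9A-F]+)\]", re.I)),
    ("iat", re.compile(r"^IAT\s+(?P<process>\S+)\[(?P<pid>\d+)\]\s+@\s+(?P<module>\S+)"
                       r"\s+\[(?P<detail>[^\]]+)\]\s+(?P<addr>[0-9A-F]+)" + VENDOR, re.I)),
    ("device", re.compile(r"^AttachedDevice\s+(?P<detail>\S+)\s+\S+\s+(?P<module>\S+)" + VENDOR, re.I)),
    ("section", re.compile(r"^(?P<section>\S+)\s+(?P<module>\S+\.(?:sys|dll|exe))\s+(?P<detail>.+?)\s+\[", re.I)),
]
SECTION_ANOMALIES = ("section is writeable", "unknown last section")
# A driver entry point in .text or INIT is normal; anywhere else suggests a packer or protector
NORMAL_ENTRY_SECTIONS = (".text", "init")


def parse_gmer(text):
    """Return (kind, fields) for every report line one of PATTERNS recognises."""
    records = []
    for line in text.splitlines():
        for kind, pattern in PATTERNS:
            m = pattern.match(line.strip())
            if m:
                records.append((kind, m.groupdict()))
                break
    return records


def triage(text):
    """Group hooks by module basename and attach the findings a human should look at."""
    modules = OrderedDict()
    for kind, f in parse_gmer(text):
        name = os.path.basename(f["module"].replace("\\", "/")).lower()
        entry = modules.setdefault(name, {"vendor": None, "hooks": [], "flags": []})
        if f.get("vendor"):
            entry["vendor"] = f["vendor"]
        entry["hooks"].append("%s:%s" % (kind, f["detail"]))
        if kind == "section":
            if any(a in f["detail"] for a in SECTION_ANOMALIES):
                entry["flags"].append(f["detail"])
            elif f["detail"].startswith("entry point") and f["section"].lower() not in NORMAL_ENTRY_SECTIONS:
                entry["flags"].append("entry point in unusual section %s" % f["section"])
        elif not f.get("vendor"):
            # GMER found nothing to credit the hook to: identify the owner before trusting it
            entry["flags"].append("%s hook with no vendor attribution: %s" % (kind, f["detail"]))
    return modules


def suspects(text):
    """Basenames of modules with at least one flag, in report order."""
    return [name for name, entry in triage(text).items() if entry["flags"]]


if __name__ == "__main__":
    for name, entry in triage(SAMPLE_GMER).items():
        print(name, entry["vendor"] or "(no vendor)", len(entry["hooks"]), "hook(s)")
        for flag in entry["flags"]:
            print("   FLAG:", flag)
```

Run over the report above, this puts SSHDRV85.sys (writable .text, entry point in .pklstb, unknown last section, no vendor string) and the unattributed IAT hooks on services.exe at the top of the list. That is a list of things to identify, not a verdict: packed, unattributed kernel drivers are exactly what commercial copy-protection and anti-cheat drivers look like too, and the vendor string GMER prints is read from the file's own version information, so it can be forged as easily as it can be absent.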
Frya > Frya
 
Hmm, to read the tutorial I need to provide an ID and a password...
0
Frya > Frya
 
Forget it, sorry, the page then opened.
0
Anonymous user
 
No, no, if you look at the tutorial, it takes time to load, but in the middle of the page, it explains how to use it
then post the report.
0
Frya
 
And here is the report:

ComboFix 10-02-01.05 - LORENZATI 02/02/2010 21:34:24.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.33.1036.18.447.143 [GMT 1:00]
Started from: c:\documents and settings\LORENZATI\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 100202-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

(((((((((((((((((((((((((((((((((((( Other deletions ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\icon.ico
c:\windows\system32\SIntf16.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_BOONTY_GAMES
-------\Service_Boonty Games


((((((((((((((((((((((((((((( Files created from 2010-01-02 to 2010-02-02 ))))))))))))))))))))))))))))))))))))
.

2010-02-02 19:11 . 2010-02-02 19:27 -------- d-----w- C:\Ad-Remover
2010-02-01 21:40 . 2010-02-02 18:56 562552 ----a-w- C:\UsbFix_Upload_Me_LORENZATI150919.zip
2010-02-01 21:37 . 2008-04-14 12:00 23040 -c--a-w- c:\windows\system32\dllcache\setup.exe
2010-02-01 21:37 . 2008-04-14 12:00 23040 ----a-w- c:\windows\system32\setup.exe
2010-02-01 21:21 . 2010-02-02 18:56 -------- d-----w- C:\UsbFix
2010-02-01 20:51 . 2010-02-01 20:51 -------- d-----w- c:\documents and settings\LORENZATI\DoctorWeb
2010-02-01 18:35 . 2010-02-01 18:35 -------- d-----w- c:\documents and settings\LORENZATI\Application Data\Malwarebytes
2010-02-01 18:35 . 2010-01-07 15:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-01 18:35 . 2010-02-01 18:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-01 18:35 . 2010-01-07 15:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-01 18:35 . 2010-02-01 18:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-01 18:17 . 2010-02-01 18:23 -------- d-----w- c:\program files\trend micro
2010-02-01 18:16 . 2010-02-01 18:23 -------- d-----w- C:\rsit
2010-01-25 10:33 . 2010-01-25 10:33 -------- d-----w- C:\gPotato.eu

.
(((((((((((((((((((((((((((((((((( Find3M report ))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-25 10:10 . 2008-08-14 15:59 -------- d-----w- c:\documents and settings\LORENZATI\Application Data\Azureus
2010-01-25 09:34 . 2008-08-13 18:46 -------- d-----w- c:\program files\Azureus
2010-01-22 11:56 . 2008-09-19 12:58 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-20 16:35 . 2008-08-16 11:44 -------- d-----w- c:\program files\Windows Live Safety Center
2009-12-21 19:07 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-13 18:57 . 2009-12-13 18:57 -------- d-----w- c:\program files\QuickTime
2009-12-11 12:07 . 2009-09-20 11:28 -------- d-----w- c:\program files\Wireless 802.11g Monitor
2009-12-10 15:30 . 2008-04-14 12:00 80508 ----a-w- c:\windows\system32\perfc00C.dat
2009-12-10 15:30 . 2008-04-14 12:00 500482 ----a-w- c:\windows\system32\perfh00C.dat
2009-11-24 23:54 . 2008-08-13 17:49 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2009-11-24 23:51 . 2008-08-13 17:49 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-11-24 23:50 . 2008-08-13 17:49 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-11-24 23:50 . 2008-08-13 17:49 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-11-24 23:50 . 2008-08-13 17:49 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-11-24 23:49 . 2008-08-13 17:49 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-11-24 23:48 . 2008-08-13 17:49 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-11-24 23:47 . 2008-08-13 17:49 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-11-24 23:47 . 2008-08-13 17:49 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-11-23 16:51 . 2008-08-13 16:19 22624 ----a-w- c:\documents and settings\LORENZATI\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-21 15:58 . 2008-04-14 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-13 13:32 . 2009-01-04 10:09 1 ----a-w- c:\documents and settings\LORENZATI\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-07-14 00:16 . 2009-07-14 00:16 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-07-14 00:16 . 2009-07-14 00:16 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((( Registry Load Points ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty items & legitimate initial items are not listed
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-21 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RaidTool"="c:\program files\VIA\RAID\raid_tool.exe" [2005-04-27 589824]
"VTTrayp"="VTtrayp.exe" [2005-03-12 147456]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-04-01 1368064]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"Easy-PrintToolBox"="c:\program files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" [2004-01-14 409600]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896]
"WireLessKeyboard"="c:\program files\Trust\Trust Keyboard 15036\StartAutorun.exe" [2005-11-30 94208]
"BboxUpdate"="c:\program files\BboxUpdate\BTLiveUpdate.exe" [2008-08-06 103936]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-10 417792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
VPro620.lnk - c:\windows\VPro620.exe [2008-9-4 61440]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"HonorAutoRunSetting"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"HonorAutoRunSetting"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-03 03:08 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-04-02 14:11 342312 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 10:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
2006-10-11 10:45 75304 ----a-w- c:\program files\ScanSoft\OmniPageSE4.0\OpWareSE4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-10 22:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-07-25 03:23 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-09-21 11:59 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
2005-03-08 19:33 53248 ----a-r- c:\windows\system32\VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Bbox\\eSKernel.exe"=
"c:\\Program Files\\BboxUpdate\\BTLiveUpdate.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [13/08/2008 18:49 114768]
R1 SSHDRV85;SSHDRV85;c:\windows\system32\drivers\SSHDRV85.sys [26/04/2009 08:41 78848]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [13/08/2008 18:49 20560]
R3 SPC620;Philips SPC620NC PC Camera;c:\windows\system32\drivers\SPC620.sys [04/09/2008 15:52 484352]
R3 SPC620m;Philips SPC620NC PC Cameram;c:\windows\system32\drivers\SPC620m.sys [04/09/2008 15:52 7680]
S3 KEYBOARDWDFilter;KEYBOARDWDFilter;c:\windows\system32\drivers\KEYBOARDWD.SYS [04/09/2008 15:41 6528]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [01/02/2010 19:35 38224]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
.
Contents of the 'Scheduled Tasks' folder

2009-12-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 10:34]

2010-02-02 c:\windows\Tasks\User_Feed_Synchronization-{D74FC634-DF4E-4886-ACC5-00795F14FD45}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 02:31]
.
.
------- Additional examination -------

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.aliceadsl.fr
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - https://onedrive.live.com/?id=favorites
IE: Easy-WebPrint Add to Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint Quick Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game12.zylom.com/activex/zylomgamesplayer.cab
FF - ProfilePath - c:\documents and settings\LORENZATI\Application Data\Mozilla\Firefox\Profiles\e7uq0sne.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.bbox.bouyguestelecom.fr/pid10/mon-portail.html
FF - plugin: c:\documents and settings\All Users\Application Data\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npzylomgamesplayer.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS DELETED - - - -

MSConfigStartUp-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe
MSConfigStartUp-NBKeyScan - c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
AddRemove-Microsoft .NET Framework 3.5 Language Pack SP1 - fra - c:\windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 Language Pack SP1 - fra\setup.exe
AddRemove-Microsoft .NET Framework 3.5 SP1 - c:\windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-02 21:49
Windows 5.1.2600 Service Pack 3 NTFS

Searching for hidden processes ...

Searching for hidden auto start items ...

Searching for hidden files ...

Scan completed successfully
Hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- BLOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1409082233-515967899-1417001333-1004\Software\SecuROM\License information*]
"datasecu"=hex:3a,f1,3f,2b,55,c4,14,02,e0,ba,2e,e4,fa,04,83,ab,11,dc,2d,08,74,
d5,cf,f7,02,d3,a4,1e,44,7c,19,d0,cd,3b,60,83,8a,f4,9e,d3,00,6a,eb,ea,f6,24,\
"rkeysecu"=hex:94,14,7f,2d,43,cf,2c,c6,dc,1e,39,f3,97,60,57,32
.
--------------------- DLLs loaded in active processes ---------------------

- - - - - - - > 'explorer.exe'(3256)
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\eappprxy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other active processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\VTtrayp.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Trust\Trust Keyboard 15036\PS2USBKbdDrv.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
End time: 2010-02-02 21:56:44 - The machine rebooted
ComboFix-quarantined-files.txt 2010-02-02 20:56

Before-CF: 36,741,210,112 bytes free
After-CF: 41,418,874,880 bytes free

- - End Of File - - 63A6E87FF4334451D4799C11B6F86239
0
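Added example, not from the thread and not ComboFix's code: parse the `R1 name;display;image [date time size]` lines from the Drivers/Services part of the report above and look up image names flagged elsewhere (for instance by a GMER pass) in that table, so a suspect driver's start type, on-disk date and size are visible in one place. The sample lines are copied from the report; the suspect list handed to correlate() is a constructed input.

```python
import os
import re

# Lines copied from the 'Drivers/Services' part of the ComboFix report above.
SAMPLE_SERVICES = """\
R1 aswSP;avast! Self Protection;c:\\windows\\system32\\drivers\\aswSP.sys [13/08/2008 18:49 114768]
R1 SSHDRV85;SSHDRV85;c:\\windows\\system32\\drivers\\SSHDRV85.sys [26/04/2009 08:41 78848]
R3 SPC620;Philips SPC620NC PC Camera;c:\\windows\\system32\\drivers\\SPC620.sys [04/09/2008 15:52 484352]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\\windows\\system32\\drivers\\mbamswissarmy.sys [01/02/2010 19:35 38224]
S3 npggsvc;nProtect GameGuard Service;c:\\windows\\system32\\GameMon.des -service --> c:\\windows\\system32\\GameMon.des -service [?]
"""

# ComboFix notation: R = running / S = stopped, digit = the service's start type
SERVICE_LINE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>.+?)\s+\[(?P<meta>[^\]]*)\]\s*$")
IMAGE_AND_ARGS = re.compile(r"^(?P<path>.+?\.[A-Za-z0-9]{2,4})(?:\s+(?P<args>.*))?$")
META = re.compile(r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}) (?P<size>\d+)$")
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "demand", "4": "disabled"}
EXPECTED_EXT = (".sys", ".exe")


def parse_services(text):
    """One record per service line: who it is, how it starts, what file backs it, and flags."""
    records = []
    for line in text.splitlines():
        m = SERVICE_LINE.match(line.strip())
        if not m:
            continue
        f = m.groupdict()
        # ComboFix prints 'registered --> resolved' when the two differ; keep the resolved form
        image = f["image"].split(" --> ")[-1].strip()
        ia = IMAGE_AND_ARGS.match(image)
        path, args = (ia.group("path"), ia.group("args")) if ia else (image, None)
        meta = META.match(f["meta"])
        rec = {
            "name": f["name"].strip(),
            "display": f["display"].strip(),
            "running": f["state"] == "R",
            "start": START_TYPES.get(f["start"], f["start"]),
            "path": path,
            "args": args,
            "mtime": "%s %s" % (meta.group("date"), meta.group("time")) if meta else None,
            "size": int(meta.group("size")) if meta else None,
            "flags": [],
        }
        ext = os.path.splitext(path)[1].lower()
        if meta is None:
            rec["flags"].append("image not resolved by ComboFix ([%s])" % f["meta"])
        if ext not in EXPECTED_EXT:
            rec["flags"].append("unusual image extension %s" % ext)
        if rec["display"].lower() == rec["name"].lower():
            # legitimate vendors usually give drivers a readable display name
            rec["flags"].append("no descriptive display name")
        records.append(rec)
    return records


def correlate(services_text, suspect_basenames):
    """Look up image basenames flagged elsewhere (e.g. by a GMER pass) in the service table.

    Returns {basename: record or None}; None means the file is not registered as a service.
    """
    by_image = {os.path.basename(r["path"].replace("\\", "/")).lower(): r
                for r in parse_services(services_text)}
    return {s.lower(): by_image.get(s.lower()) for s in suspect_basenames}


if __name__ == "__main__":
    for rec in parse_services(SAMPLE_SERVICES):
        print(rec["name"], rec["start"], rec["path"], rec["mtime"], rec["size"], rec["flags"])
    # constructed suspect list: what a GMER triage over the earlier report would hand over
    for name, rec in correlate(SAMPLE_SERVICES, ["sshdrv85.sys", "services.exe"]).items():
        print(name, "->", rec["name"] if rec else "not a registered service")
```

The flags are leads, not verdicts: MBAMSwissArmy gets "no descriptive display name" and is the Malwarebytes driver installed the day before, and npggsvc is registered with a .des image plus arguments that ComboFix could not resolve ([?]) but carries the GameGuard display name of the anti-cheat that ships with the user's MMORPG. What the correlation gives the helper is that SSHDRV85 is a system-start kernel driver dated 26/04/2009 with no vendor attribution in the GMER report, which is the one entry in this table that still needs identifying before anything is removed.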
Anonymous user
 
Disable your antivirus during the process as well as your firewall if present (as it is mistakenly detected as an infection)

▶ Download and install List&Kill'em and save it on your desktop
http://sd-1.archive-host.com/membres/up/829108531491024/List_Killem_Install.exe

Double click (right click "run as administrator" for Vista/7) on the shortcut on your desktop to start the installation

Check the box "create a desktop icon"

Once finished, click on "finish" and the program will launch automatically

Choose the language then select option 1 = Search Mode

▶ Let the tool work

When the white window appears, it takes a while, it's normal, the program is not blocked.

A report named catchme appears on your desktop, ignore it, do not post it, but do not delete it for now, the scan is not finished.

▶ Post the content of the report that opens at 100% of the scan on the "COMPLETED" screen

You can now delete the catchme.log report from your desktop.

THEN
Download Lop S&D.exe to the Desktop

https://77b4795d-a-62cb3a1a-s-sites.googlegroups.com/site/eric71mespages/LopSD.exe?attachauth=ANoY7co3ntqUavpZ3q1BG-h4pc13vqDZmhcNeEPChtsyrgAykRbhE8bZzhk979EfQD4AgwtQUHCaQ7ZQwNYMo3_0kA8htAspckDJtu2K5t6J9z6dLW4fpZyH4FpFL1tVMBZ8H-KnN7afZ5vt-WxZRpnynk-a0XmV_Y0C0q6DxGEDKie1TnPT7gFoZnoCnspzBmbW6ZzxA4fNr3oEDlbelNZON-LjF8nOmQ%3D%3D&attredirects=2
Some infections block the download of disinfection tools; if that happens, use this alternative link:
http://ww38.toofiles.com/fr/oip/documents/exe/yop4.html

Lop S&D is detected by some antivirus: it is not a virus (false positive), but a utility designed to terminate processes. In case of an alert from your antivirus, please disable your antivirus during the procedure

* Double-click on it to start the installation
* Then double-click the Lop S&D shortcut on the Desktop
* Select the desired language, then choose option 1 (Search)
* Wait until the scan is complete
* Post the generated report on the forum (C:\lopR.txt)
and after

you should download navilog1 to the desktop:
http://perso.orange.fr/il.mafioso/Navifix/Navilog1.exe

Some infections block the download of disinfection tools; if that happens, use this alternative link:
http://ww38.toofiles.com/fr/oip/documents/exe/yop3.html

1° Double-click on navilog1.exe on your desktop
2° Select the desired language in the menu and confirm the choice by pressing the "enter" key
3° A small warning message appears; press a key to move to the next step
4° A new warning appears; press a key to continue
5° Navilog1 checks its installation: if everything is fine, press a key to continue
6° Choose option 1: automatic search/disinfection
7° The search will start automatically and may take a few minutes, please be patient
8° Once the analysis is complete, close and save your current work, then press a key for your PC to restart
9° Upon rebooting the PC, Navilog will delete what it found, please wait a moment.

A report is generated by the tool. It is located at this location:
XP: start/My Computer/c:/cleannavi.txt

HOW IS YOUR PC DOING?
0
Frya
 
For the first link, I have a window that opens and indicates an error:

The setup files are corrupted. Please obtain a new copy of the program.

Should I continue with the rest of the instructions?
0
Anonymous user
 
0
Frya
 
I no longer know whether I was supposed to do it... but here is a copy of the lopR:


--------------------\\ Lop S&D 4.2.5-0 XP/Vista

Microsoft Windows XP Home Edition (v5.1.2600) Service Pack 3
X86-based PC (Uniprocessor Free: AMD Sempron(tm) Processor 2600+)
BIOS: BIOS Date: 07/18/05 10:30:22 Ver: 08.00.09
USER: LORENZATI (Administrator)
BOOT: Normal boot
Antivirus: avast! antivirus 4.8.1368 [VPS 100202-0] 4.8.1368 (Not Activated)
A:\ (USB)
C:\ (Local Disk) - NTFS - Total: 76 Go (Free: 38 Go)
D:\ (CD or DVD) - CDFS - Total: 0 Go (Free: 0 Go)

"C:\Lop SD" (LAST UPDATE: 19-12-2008|23:40)
Option: [1] (02/02/2010|22:21)

--------------------\\ Listing of folders in APPLIC~1

[16/05/2009|10:49] C:\DOCUME~1\ALLUSE~1\APPLIC~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[12/11/2009|17:38] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Adobe
[16/05/2009|10:43] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
[16/05/2009|10:47] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
[14/08/2008|16:59] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Azureus
[16/01/2009|16:40] C:\DOCUME~1\ALLUSE~1\APPLIC~1\BOONTY
[15/08/2008|08:35] C:\DOCUME~1\ALLUSE~1\APPLIC~1\CanonBJ
[22/01/2009|09:39] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Fugazo
[20/12/2008|13:18] C:\DOCUME~1\ALLUSE~1\APPLIC~1\GameHouse
[27/02/2009|14:18] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Gogii
[16/01/2009|16:33] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
[23/01/2009|17:47] C:\DOCUME~1\ALLUSE~1\APPLIC~1\HipSoft
[15/08/2008|08:48] C:\DOCUME~1\ALLUSE~1\APPLIC~1\InstallShield
[22/01/2009|16:52] C:\DOCUME~1\ALLUSE~1\APPLIC~1\JollyBear
[01/02/2010|19:35] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Malwarebytes
[22/12/2008|19:43] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft
[27/02/2009|13:38] C:\DOCUME~1\ALLUSE~1\APPLIC~1\n7-89-o9-3r-4t-r9
[24/02/2009|18:47] C:\DOCUME~1\ALLUSE~1\APPLIC~1\NannyMania
[16/09/2008|15:35] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Nero
[16/08/2008|12:02] C:\DOCUME~1\ALLUSE~1\APPLIC~1\PhotoStitch
[04/04/2009|13:14] C:\DOCUME~1\ALLUSE~1\APPLIC~1\PlayFirst
[15/08/2008|08:48] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ScanSoft
[04/04/2009|14:21] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Skype
[22/03/2009|10:02] C:\DOCUME~1\ALLUSE~1\APPLIC~1\SpinTop Games
[18/04/2009|13:49] C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
[24/01/2009|09:45] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Trymedia
[14/08/2008|15:30] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
[21/09/2008|10:05] C:\DOCUME~1\ALLUSE~1\APPLIC~1\WLInstaller
[16/08/2008|11:37] C:\DOCUME~1\ALLUSE~1\APPLIC~1\ZoomBrowser
[24/12/2008|19:11] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Zylom

[13/08/2008|17:11] C:\DOCUME~1\DEFAUL~1\APPLIC~1\Microsoft

[13/08/2008|17:11] C:\DOCUME~1\LOCALS~1\APPLIC~1\Microsoft

[11/10/2008|12:49] C:\DOCUME~1\LORENZ~1\APPLIC~1\Adobe
[05/10/2008|16:39] C:\DOCUME~1\LORENZ~1\APPLIC~1\Anuman Interactive
[17/05/2009|13:07] C:\DOCUME~1\LORENZ~1\APPLIC~1\Apple Computer
[04/09/2008|16:15] C:\DOCUME~1\LORENZ~1\APPLIC~1\ArcSoft
[25/01/2010|11:10] C:\DOCUME~1\LORENZ~1\APPLIC~1\Azureus
[10/01/2009|13:46] C:\DOCUME~1\LORENZ~1\APPLIC~1\BloodTies
[18/07/2009|17:55] C:\DOCUME~1\LORENZ~1\APPLIC~1\CameraWindowDC
[16/08/2008|14:01] C:\DOCUME~1\LORENZ~1\APPLIC~1\Canon
[16/08/2008|11:45] C:\DOCUME~1\LORENZ~1\APPLIC~1\CANON INC
[24/12/2008|11:25] C:\DOCUME~1\LORENZ~1\APPLIC~1\DivX
[05/10/2008|17:37] C:\DOCUME~1\LORENZ~1\APPLIC~1\eTeks
[27/02/2009|13:36] C:\DOCUME~1\LORENZ~1\APPLIC~1\GameHouse
[14/08/2008|15:51] C:\DOCUME~1\LORENZ~1\APPLIC~1\Google
[18/10/2009|10:02] C:\DOCUME~1\LORENZ~1\APPLIC~1\Help
[01/05/2009|16:44] C:\DOCUME~1\LORENZ~1\APPLIC~1\Identities
[20/08/2008|16:37] C:\DOCUME~1\LORENZ~1\APPLIC~1\InstallShield
[16/01/2009|16:41] C:\DOCUME~1\LORENZ~1\APPLIC~1\Macromedia
[01/02/2010|19:35] C:\DOCUME~1\LORENZ~1\APPLIC~1\Malwarebytes
[17/12/2008|20:35] C:\DOCUME~1\LORENZ~1\APPLIC~1\Microsoft
[13/08/2008|20:01] C:\DOCUME~1\LORENZ~1\APPLIC~1\mIRC
[14/03/2009|08:22] C:\DOCUME~1\LORENZ~1\APPLIC~1\Mozilla
[26/12/2008|13:19] C:\DOCUME~1\LORENZ~1\APPLIC~1\My Games
[14/08/2008|18:52] C:\DOCUME~1\LORENZ~1\APPLIC~1\Nero
[04/01/2009|11:09] C:\DOCUME~1\LORENZ~1\APPLIC~1\OpenOffice.org
[04/01/2009|09:54] C:\DOCUME~1\LORENZ~1\APPLIC~1\OpenOffice.org2
[14/08/2008|21:24] C:\DOCUME~1\LORENZ~1\APPLIC~1\Opera
[04/04/2009|13:14] C:\DOCUME~1\LORENZ~1\APPLIC~1\PlayFirst
[15/08/2008|08:48] C:\DOCUME~1\LORENZ~1\APPLIC~1\ScanSoft
[08/05/2009|17:00] C:\DOCUME~1\LORENZ~1\APPLIC~1\SecuROM
[04/04/2009|07:26] C:\DOCUME~1\LORENZ~1\APPLIC~1\skypePM
[15/01/2009|18:24] C:\DOCUME~1\LORENZ~1\APPLIC~1\SpinTop Games
[22/01/2009|12:18] C:\DOCUME~1\LORENZ~1\APPLIC~1\SprillBermudeEng
[14/08/2008|15:17] C:\DOCUME~1\LORENZ~1\APPLIC~1\Sun
[10/01/2009|16:11] C:\DOCUME~1\LORENZ~1\APPLIC~1\ViquaSoft
[16/08/2008|09:02] C:\DOCUME~1\LORENZ~1\APPLIC~1\vlc
[14/08/2008|18:34] C:\DOCUME~1\LORENZ~1\APPLIC~1\WinRAR
[18/07/2009|17:58] C:\DOCUME~1\LORENZ~1\APPLIC~1\ZoomBrowser EX
[01/05/2009|16:44] C:\DOCUME~1\LORENZ~1\APPLIC~1\Zylom

[13/08/2008|17:11] C:\DOCUME~1\NETWOR~1\APPLIC~1\Microsoft

--------------------\\ Scheduled Tasks in C:\WINDOWS\tasks

[31/12/2009 23:34][--a------] C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[02/02/2010 19:31][--ah-----] C:\WINDOWS\tasks\User_Feed_Synchronization-{D74FC634-DF4E-4886-ACC5-00795F14FD45}.job
[02/02/2010 21:46][--ah-----] C:\WINDOWS\tasks\SA.DAT
[14/04/2008 13:00][-r-h-----] C:\WINDOWS\tasks\desktop.ini

--------------------\\ Listing of folders in C:\Program Files

[12/11/2009|17:15] C:\Program Files\Adobe
[08/05/2009|21:46] C:\Program Files\AGEIA Technologies
[06/12/2008|12:33] C:\Program Files\Ahead
[04/12/2008|08:47] C:\Program Files\Alice SSID
[13/08/2008|18:49] C:\Program Files\Alwil Software
[13/08/2008|17:25] C:\Program Files\AMD
[13/08/2008|17:34] C:\Program Files\Analog Devices
[18/10/2009|09:38] C:\Program Files\Anuman Interactive
[16/05/2009|10:44] C:\Program Files\Apple Software Update
[15/08/2008|08:46] C:\Program Files\ArcSoft
[08/05/2009|11:15] C:\Program Files\Ascaron Entertainment
[25/01/2010|10:34] C:\Program Files\Azureus
[12/11/2009|17:03] C:\Program Files\Bbox
[12/11/2009|17:04] C:\Program Files\BboxUpdate
[16/05/2009|10:47] C:\Program Files\Bonjour
[16/01/2009|16:35] C:\Program Files\Boonty
[16/01/2009|17:24] C:\Program Files\BoontyGames
[16/08/2008|11:39] C:\Program Files\Canon
[25/01/2009|17:38] C:\Program Files\Common Files
[13/08/2008|17:08] C:\Program Files\ComPlus Applications
[08/05/2009|16:26] C:\Program Files\Deep Silver
[04/09/2008|15:49] C:\Program Files\DIFX
[21/08/2009|10:23] C:\Program Files\DivX
[05/04/2009|12:00] C:\Program Files\eMule
[02/02/2010|21:39] C:\Program Files\Common Files
[16/01/2009|22:37] C:\Program Files\Google
[21/11/2009|09:18] C:\Program Files\Gpotato.eu
[18/10/2009|09:34] C:\Program Files\InstallShield Installation Information
[16/09/2008|15:58] C:\Program Files\InterActual
[23/01/2010|09:09] C:\Program Files\Internet Explorer
[16/05/2009|10:48] C:\Program Files\iPod
[16/05/2009|10:49] C:\Program Files\iTunes
[09/08/2009|08:32] C:\Program Files\Java
[17/07/2009|14:31] C:\Program Files\JRE
[16/09/2008|16:43] C:\Program Files\K-Lite Codec Pack
[01/02/2010|19:35] C:\Program Files\Malwarebytes' Anti-Malware
[14/08/2008|21:38] C:\Program Files\Messenger
[03/10/2009|08:18] C:\Program Files\Microsoft
[16/08/2008|18:56] C:\Program Files\Microsoft CAPICOM 2.1.0.2
[13/08/2008|17:11] C:\Program Files\microsoft frontpage
[22/01/2010|12:56] C:\Program Files\Microsoft Silverlight
[13/08/2008|18:41] C:\Program Files\Microsoft SQL Server Compact Edition
[13/08/2008|17:09] C:\Program Files\Movie Maker
[02/02/2010|22:15] C:\Program Files\Mozilla Firefox
[11/04/2009|09:25] C:\Program Files\MSBuild
[13/08/2008|17:07] C:\Program Files\MSN
[13/08/2008|17:07] C:\Program Files\MSN Gaming Zone
[15/08/2008|21:32] C:\Program Files\MSXML 4.0
[14/08/2008|18:48] C:\Program Files\Nero
[10/10/2008|17:46] C:\Program Files\NetMeeting
[13/08/2008|17:07] C:\Program Files\Online Services
[17/07/2009|14:31] C:\Program Files\OpenOffice.org 3
[12/03/2009|17:57] C:\Program Files\Opera
[13/08/2009|22:56] C:\Program Files\Outlook Express
[04/09/2008|15:48] C:\Program Files\Philips
[04/09/2008|15:50] C:\Program Files\Philips_VLounge
[16/08/2008|12:22] C:\Program Files\PhotoFiltre
[13/12/2009|19:57] C:\Program Files\QuickTime
[12/03/2009|18:10] C:\Program Files\RealArcade
[11/04/2009|09:25] C:\Program Files\Reference Assemblies
[15/08/2008|08:47] C:\Program Files\ScanSoft
[13/08/2008|17:10] C:\Program Files\Online Services
[12/11/2009|16:39] C:\Program Files\Techcity
[01/02/2010|19:23] C:\Program Files\trend micro
[04/09/2008|15:39] C:\Program Files\Trust
[13/08/2008|17:19] C:\Program Files\Uninstall Information
[13/08/2008|17:22] C:\Program Files\VIA
[13/08/2008|20:01] C:\Program Files\VideoLAN
[03/10/2009|08:22] C:\Program Files\Windows Live
[13/08/2008|18:46] C:\Program Files\Windows Live Favorites
[20/01/2010|17:35] C:\Program Files\Windows Live Safety Center
[22/12/2008|19:43] C:\Program Files\Windows Live SkyDrive
[20/09/2008|14:51] C:\Program Files\Windows Live Toolbar
[16/09/2008|16:16] C:\Program Files\Windows Media Connect 2
[16/09/2008|16:16] C:\Program Files\Windows Media Player
[13/08/2008|17:07] C:\Program Files\Windows NT
[13/08/2008|17:10] C:\Program Files\WindowsUpdate
[13/08/2008|19:43] C:\Program Files\WinRAR
[11/12/2009|13:07] C:\Program Files\Wireless 802.11g Monitor
[13/08/2008|17:11] C:\Program Files\xerox
[01/05/2009|17:46] C:\Program Files\Zylom Games

--------------------\\ Listing of folders in C:\Program Files\Common Files

[12/11/2009|17:19] C:\Program Files\Common Files\Adobe
[06/12/2008|12:33] C:\Program Files\Common Files\Ahead
[16/05/2009|10:48] C:\Program Files\Common Files\Apple
[04/09/2008|15:50] C:\Program Files\Common Files\ArcSoft
[16/01/2009|16:40] C:\Program Files\Common Files\BOONTY Shared
[16/08/2008|11:35] C:\Program Files\Common Files\Canon
[21/08/2009|10:21] C:\Program Files\Common Files\DivX Shared
[15/08/2008|08:48] C:\Program Files\Common Files\InstallShield
[14/08/2008|15:17] C:\Program Files\Common Files\Java
[22/02/2009|11:21] C:\Program Files\Common Files\Microsoft Shared
[13/08/2008|17:09] C:\Program Files\Common Files\MSSoap
[13/08/2008|18:48] C:\Program Files\Common Files\ODBC
[15/08/2008|08:48] C:\Program Files\Common Files\ScanSoft Shared
[13/08/2008|17:09] C:\Program Files\Common Files\Services
[04/09/2008|15:48] C:\Program Files\Common Files\SPC620NC
[13/08/2008|18:47] C:\Program Files\Common Files\SpeechEngines
[13/08/2008|17:09] C:\Program Files\Common Files\System
[20/09/2008|14:46] C:\Program Files\Common Files\Windows Live
[13/08/2008|18:40] C:\Program Files\Common Files\WindowsLiveInstaller
[08/05/2009|21:46] C:\Program Files\Common Files\Wise Installation Wizard

--------------------\\ Process

(36 Processes)

... OK!

--------------------\\ Search with S_Lop

No Lop files/folders found!

--------------------\\ Search for Lop Files/Folders

C:\DOCUME~1\LORENZ~1\Cookies\lorenzati@advertising[2].txt
C:\DOCUME~1\LORENZ~1\Cookies\lorenzati@adin.bigpoint[1].txt
C:\DOCUME~1\LORENZ~1\Cookies\lorenzati@adopt.euroclick[1].txt
C:\DOCUME~1\LORENZ~1\Cookies\lorenzati@euroclick[2].txt
C:\DOCUME~1\LORENZ~1\Cookies\lorenzati@partypoker[1].txt

--------------------\\ Registry Check

..... OK!

--------------------\\ Hosts file check

Hosts file CLEAN


--------------------\\ Search for files with Catchme

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-02 22:22:53
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes...
scanning hidden files...
scan completed successfully
hidden processes: 0
hidden files: 133

--------------------\\ Search for other infections


No other infections found!

[F:357][D:0]-> C:\DOCUME~1\LORENZ~1\Cookies
[F:2][D:0]-> C:\DOCUME~1\LORENZ~1\LOCALS~1\TEMPOR~1\content.IE5

1 - "C:\Lop SD\LopR_1.txt" - 02/02/2010|22:24 - Option: [1]

--------------------\\ End of report at 22:24:58
0
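The Lop S&D report above is long, and the parts that actually matter for a review (the catchme rootkit counts, the scheduled tasks and the tracking cookies it listed) are scattered across sections. The following is an added example, not code from Lop S&D or from anyone in this thread, that splits a report into its `--------------------\\` sections and pulls those items out. The sample report is an excerpt of the one posted above, trimmed by hand; the section titles and line layouts are taken from it, and the idea that a nonzero hidden-process count is what deserves a closer look is the author of this example's own rule of thumb.

```python
"""Triage helper for a Lop S&D report (lopR.txt).

Added example, not part of the Lop S&D tool or of this thread. It parses
the report's sections and returns the items a reviewer usually checks
first as plain data, so they can be eyeballed without reading the whole
dump.
"""
import re

# Constructed sample: a hand-trimmed excerpt of the report posted above.
SAMPLE_REPORT = r"""
--------------------\\ Lop S&D 4.2.5-0 XP/Vista

Microsoft Windows XP Home Edition (v5.1.2600) Service Pack 3
USER: LORENZATI (Administrator)

--------------------\\ Scheduled Tasks in C:\WINDOWS\tasks

[31/12/2009 23:34][--a------] C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[02/02/2010 19:31][--ah-----] C:\WINDOWS\tasks\User_Feed_Synchronization-{D74FC634-DF4E-4886-ACC5-00795F14FD45}.job
[02/02/2010 21:46][--ah-----] C:\WINDOWS\tasks\SA.DAT
[14/04/2008 13:00][-r-h-----] C:\WINDOWS\tasks\desktop.ini

--------------------\\ Search with S_Lop

No Lop files/folders found!

--------------------\\ Search for Lop Files/Folders

C:\DOCUME~1\LORENZ~1\Cookies\lorenzati@advertising[2].txt
C:\DOCUME~1\LORENZ~1\Cookies\lorenzati@partypoker[1].txt

--------------------\\ Search for files with Catchme

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
scan completed successfully
hidden processes: 0
hidden files: 133

--------------------\\ End of report at 22:24:58
"""

# A section header is a run of dashes, two backslashes, a space and a title.
SECTION_RE = re.compile(r"^-{10,}\\\\ (.+)$")
# Task lines: [modified][attributes] path.job  (the "h" attribute means hidden)
TASK_RE = re.compile(r"\[(.*?)\]\[(.*?)\] (.+\.job)$", re.IGNORECASE)
COUNT_RE = re.compile(r"(hidden processes|hidden files): (\d+)")


def parse_sections(text):
    """Map each section title to its non-empty lines, in report order."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip()
            sections[current] = []
        elif current is not None and line.strip():
            sections[current].append(line.rstrip())
    return sections


def find_section(sections, prefix):
    """Return the lines of the first section whose title starts with prefix."""
    for title, lines in sections.items():
        if title.startswith(prefix):
            return lines
    return []


def catchme_counts(sections):
    """Extract the hidden process / hidden file counts from the catchme block."""
    counts = {"hidden processes": None, "hidden files": None}
    for line in find_section(sections, "Search for files with Catchme"):
        m = COUNT_RE.match(line)
        if m:
            counts[m.group(1)] = int(m.group(2))
    return counts


def scheduled_tasks(sections):
    """Return the .job entries with their timestamp and attribute string."""
    tasks = []
    for line in find_section(sections, "Scheduled Tasks"):
        m = TASK_RE.match(line)
        if m:
            tasks.append({"modified": m.group(1), "attrs": m.group(2), "path": m.group(3)})
    return tasks


def tracking_cookies(sections):
    """Cookie files the Lop search reported (ad-tracking cookies, not infections)."""
    return [l for l in find_section(sections, "Search for Lop Files/Folders") if "\\Cookies\\" in l]


def triage(text):
    """Summarise the report: counts, tasks and what deserves a second look."""
    sections = parse_sections(text)
    counts = catchme_counts(sections)
    tasks = scheduled_tasks(sections)
    s_lop = find_section(sections, "Search with S_Lop")
    return {
        "hidden_processes": counts["hidden processes"],
        "hidden_files": counts["hidden files"],
        "scheduled_tasks": [t["path"] for t in tasks],
        # Hidden-attribute tasks are listed for review only; IE's feed
        # synchronisation task is normally created hidden, for instance.
        "hidden_tasks": [t["path"] for t in tasks if "h" in t["attrs"]],
        "tracking_cookies": tracking_cookies(sections),
        "lop_found": not any("No Lop files/folders found" in l for l in s_lop),
        # Rule of thumb used here: a hidden *process* is what warrants a
        # rootkit follow-up; a hidden *file* count on its own is not conclusive.
        "review_rootkit": bool(counts["hidden processes"]),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

On the excerpt this reports 0 hidden processes and 133 hidden files, two scheduled `.job` tasks of which one carries the hidden attribute, two tracking cookies, and no Lop hit, which matches what the helper concluded from the full report (no follow-up on rootkits, cookies left for the cleaners).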
Frya > Frya
 
My PC is doing fine for now, no warnings upon restarting Avast!

Cleannavi report:

Fix Navipromo version 4.0.6 started on 02/02/2010 22:28:09,14

!!! Warning, this report may indicate legitimate files/programs!!!
!!! Post this report on the forum for analysis!!!

Tool executed from C:\Program Files\navilog1

Updated on 03.01.2010 at 11:00 by IL-MAFIOSO

Microsoft Windows XP Home Edition (v5.1.2600) Service Pack 3
X86-based PC (Uniprocessor Free: AMD Sempron(tm) Processor 2600+)
BIOS: BIOS Date: 07/18/05 10:30:22 Ver: 08.00.09
USER: LORENZATI (Administrator)
BOOT: Normal boot

Antivirus: avast! antivirus 4.8.1368 [VPS 100202-0] 4.8.1368 (Not Activated)


A:\ (USB)
C:\ (Local Disk) - NTFS - Total: 76 GB (Free: 38 GB)
D:\ (CD or DVD) - CDFS - Total: 0 GB (Free: 0 GB)


Scan performed in normal mode

Cleaning executed upon computer restart


C:\WINDOWS\prefetch\GAMEGUARD.DES-37DA4813.pf deleted!
C:\WINDOWS\prefetch\GAMEMON.DES-389587DE.pf deleted!


Cleaning of contents in C:\WINDOWS\Temp completed!
Cleaning of contents in C:\Documents and Settings\LORENZATI\locals~1\Temp completed!


*** Registry backup to Safebackup folder ***

Registry backup completed successfully!

*** Registry Cleaning ***

Registry cleaning OK




*** Scan completed on 02/02/2010 22:30:50,29 ***
0
Anonymous user
 
avast is crap, and that's putting it mildly!!
look at https://forum.malekal.com/viewtopic.php?f=45&t=11659&p=89934#p89934

I advise you to switch to antivir, everything is explained here http://forum.malekal.com/ftopic4192.php
have you updated your PC? if so, do it regularly

so let's get to the end: do an online scan HERE WITH INTERNET EXPLORER; at the end it will ask you if you want a report, say yes and paste it in your next

then to clean the tools used

*Download ToolsCleaner
* Click on Search
* Click on Delete to finalize
* Post the report (TCleaner.txt) found at the root of your hard drive (C:\).
* The program may crash, let it run anyway

*Download: ATF Cleaner by Atribune
* Under the Main tab, choose: Select All
* Click on the Empty Selected button
You can keep ATF for future cleanings

Download and install CCleaner (do not install the Yahoo Toolbar)
Go to Cleaner, choose Analyze. Once finished, start the cleaning.
Choose Registry, then Find Errors. Once done, repair all errors.
Make sure the settings options are set to start with Windows and configured for "secure deletion", 35 passes (Gutmann).

defragment your disks as explained here

check for java updates

JavaRa

Unzip the file on the Desktop (Right-click > Extract All).
* Double-click on the JavaRa directory.
* Then double-click on the JavaRa.exe file (the exe may not display).
* Choose French then click on Select.
* Click on Check for updates.
* Select Update via jucheck.exe then click Search.
* Allow the process to connect if it asks, click Install and follow the installation instructions which take a few minutes.
* Once the installation is complete, return to the JavaRa screen and click on Remove old versions.
* Click Yes to confirm. Let it work and then click OK, then a second time on OK.
* A report will open. Post it in your next response.
* Close the application.

Note: the report is also located in C:\ under the name JavaRa.log.

Update Adobe Reader if it's not done (uninstall the previous version first)

we used Malwarebytes' Anti-Malware, empty its quarantine:

* Launch the program then click on "Quarantine".
* Select all items then click on "Delete".
* Exit the program.
The same for your antivirus: empty its quarantine if you haven't already done so
do a quick scan from time to time

delete your restore points
0
Frya
 
Hello,

Tonight, once I get back from work, I will get started. The longest part will anyway be the defragmentation of the disk.

However, I have another question, which I noticed while looking at the various scans: there are files on my computer that should normally no longer exist since I uninstalled them (like Opera, etc...). They do not appear in Add or Remove Programs. Is there a way to completely get rid of these tools? Unless Tools are meant for that, then never mind.

As soon as I finish all these steps, I will repost to give the verdict. But I think it will be fine ^^

Have a good day and thank you.
0
Anonymous user
 
When you uninstall a program through the control panel, some files from the program remain, and you have to delete them manually.
To completely remove an application, use this software: https://www.clubic.com/telecharger-fiche39528-revouninstaller.html
0
Frya
 
Good evening,

Uninstalling Avast!: successful, no issues encountered.

Installing Anti Vir: successful, I followed the guide from the forum linked, and there were 3 positive results; however, the report indicates that no viruses were found.

As for the BitDefender link, it doesn't work despite installing the plug (if I'm not mistaken about the term), it tells me to contact the webmaster.

I will now take care of Tools.
0
Frya > Frya
 
And here is the ToolsCleaner2 report:

[ ToolsCleaner version 2.3.11 report (by A.Rothstein & dj QUIOU) ]

--> Search:

C:\Combofix.txt: found!
C:\cleannavi.txt: found!
C:\lopR.txt: found!
C:\UsbFix.txt: found!
C:\Lop SD: found!
C:\Qoobox: found!
C:\UsbFix: found!
C:\Rsit: found!
C:\Ad-remover: found!
C:\Documents and Settings\LORENZATI\Desktop\LopSD.exe: found!
C:\Documents and Settings\LORENZATI\Desktop\Navilog1.exe: found!
C:\Documents and Settings\LORENZATI\Desktop\ComboFix.exe: found!
C:\Documents and Settings\LORENZATI\Desktop\UsbFix.exe: found!
C:\Documents and Settings\LORENZATI\Desktop\Rsit.exe: found!
C:\Documents and Settings\LORENZATI\Recent\UsbFix.lnk: found!
C:\Lop SD\catchme.exe: found!
C:\Lop SD\catchme.log: found!
C:\Program Files\Navilog1: found!
C:\Program Files\Navilog1\Navilog1.bat: found!
C:\Program Files\trend micro\HijackThis.exe: found!
C:\Program Files\trend micro\hijackthis.log: found!
C:\Qoobox\Quarantine\catchme.log: found!
C:\WINDOWS\mbr.exe: found!

---------------------------------
--> Deletion:

C:\Documents and Settings\LORENZATI\Desktop\LopSD.exe: deleted!
C:\Documents and Settings\LORENZATI\Desktop\Navilog1.exe: deleted!
C:\Documents and Settings\LORENZATI\Desktop\ComboFix.exe: DELETION ERROR!!
C:\Lop SD\catchme.exe: deleted!
C:\Program Files\Navilog1\Navilog1.bat: deleted!
C:\Program Files\trend micro\HijackThis.exe: deleted!
C:\Combofix.txt: deleted!
C:\cleannavi.txt: deleted!
C:\lopR.txt: deleted!
C:\UsbFix.txt: deleted!
C:\Documents and Settings\LORENZATI\Desktop\UsbFix.exe: deleted!
C:\Documents and Settings\LORENZATI\Desktop\Rsit.exe: deleted!
C:\Documents and Settings\LORENZATI\Recent\UsbFix.lnk: deleted!
C:\Lop SD\catchme.log: deleted!
C:\Program Files\trend micro\hijackthis.log: deleted!
C:\Qoobox\Quarantine\catchme.log: deleted!
C:\WINDOWS\mbr.exe: deleted!
C:\Lop SD: deleted!
C:\Qoobox: deleted!
C:\UsbFix: deleted!
C:\Rsit: deleted!
C:\Ad-remover: deleted!
C:\Program Files\Navilog1: deleted!
0
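One thing in the ToolsCleaner report above is easy to miss when skimming: every item in the search list is accounted for in the deletion list except `ComboFix.exe`, which ends with `DELETION ERROR!!`, and nobody in the thread picks that up. The following is an added example, not code from ToolsCleaner or from anyone in this thread, that reconciles the two halves of a TCleaner.txt so that failed or skipped removals are surfaced instead of buried among the `deleted!` lines. The sample report is a hand-trimmed excerpt of the one posted above; the `found!` / `deleted!` / `DELETION ERROR!!` markers are taken from it, and the three outcome buckets are this example's own classification.

```python
"""Reconcile a ToolsCleaner report: what was found versus what was removed.

Added example, not part of ToolsCleaner or of this thread. Each path in
the "--> Search:" block is matched against the "--> Deletion:" block and
sorted into removed / failed / not attempted, so leftovers are visible.
"""
import re

# Constructed sample: a hand-trimmed excerpt of the TCleaner.txt posted above.
SAMPLE_TCLEANER = r"""
[ ToolsCleaner version 2.3.11 report (by A.Rothstein & dj QUIOU) ]

--> Search:

C:\Combofix.txt: found!
C:\Lop SD: found!
C:\Qoobox: found!
C:\Documents and Settings\LORENZATI\Desktop\LopSD.exe: found!
C:\Documents and Settings\LORENZATI\Desktop\ComboFix.exe: found!
C:\Lop SD\catchme.exe: found!
C:\Qoobox\Quarantine\catchme.log: found!
C:\WINDOWS\mbr.exe: found!

---------------------------------
--> Deletion:

C:\Documents and Settings\LORENZATI\Desktop\LopSD.exe: deleted!
C:\Documents and Settings\LORENZATI\Desktop\ComboFix.exe: DELETION ERROR!!
C:\Lop SD\catchme.exe: deleted!
C:\Combofix.txt: deleted!
C:\Qoobox\Quarantine\catchme.log: deleted!
C:\WINDOWS\mbr.exe: deleted!
C:\Lop SD: deleted!
C:\Qoobox: deleted!
"""

# One report line: "<path>: <status>". The lazy path match stops at the
# first ": " that is followed by one of the known status markers.
ENTRY_RE = re.compile(r"^(?P<path>.+?): (?P<status>found!|deleted!|DELETION ERROR!!)$")


def parse_report(text):
    """Return (paths found, {path: deletion status}) from a TCleaner.txt."""
    found, results, section = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("--> Search"):
            section = "search"
            continue
        if line.startswith("--> Deletion"):
            section = "deletion"
            continue
        m = ENTRY_RE.match(line)
        if not m or section is None:
            continue
        if section == "search":
            found.append(m.group("path"))
        else:
            results[m.group("path")] = m.group("status")
    return found, results


def reconcile(text):
    """Classify every found item by what the deletion pass did with it."""
    found, results = parse_report(text)
    outcome = {"removed": [], "failed": [], "not_attempted": []}
    for path in found:
        status = results.get(path)
        if status == "deleted!":
            outcome["removed"].append(path)
        elif status is None:
            # Listed as found, but absent from the deletion block entirely.
            outcome["not_attempted"].append(path)
        else:
            # Any other status (here "DELETION ERROR!!") is a failure to act on.
            outcome["failed"].append(path)
    outcome["clean"] = not outcome["failed"] and not outcome["not_attempted"]
    return outcome


if __name__ == "__main__":
    result = reconcile(SAMPLE_TCLEANER)
    print(f"removed: {len(result['removed'])}")
    for path in result["failed"]:
        print(f"FAILED: {path}")
    for path in result["not_attempted"]:
        print(f"NOT ATTEMPTED: {path}")
    print("clean" if result["clean"] else "leftovers remain")
```

On the excerpt this yields seven removed items, one failure (the ComboFix executable on the desktop) and nothing skipped, so the report is not "clean" and the failed item is the one to deal with by hand, which is exactly the detail the thread moved past.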
Frya > Frya
 
For Ccleaner it's done, okay.

For the defragmentation, I admit that since it's going to take me several hours (I can imagine the mess on my computer now), I prefer to avoid doing it tonight. I'll take care of it quickly on Friday afternoon.

Is it a problem if I take care of the Java updates now? And also for malwarebytes?
Or should I wait?

Have a good evening ^^
0
Anonymous user
 
let's change the online scan: go here https://www.eset.com/int/home/online-scanner/ and click on ESET Online Scanner, and at the end post the report

do the updates now, it's not a problem
0
Frya
 
Ok, I will do it, but in Malwarebytes, I have nothing in quarantine, is that normal?
0
Anonymous user
 
it must have been emptied, it doesn't matter.
0
Frya
 
I couldn't find the report in .txt (there might not have been one), but after 49 minutes of scanning it didn’t find any infected files. My computer has become very fast.
0
Frya > Frya
 
I also tried launching my online game (since that was where I had the Avast! alert particularly) and now nothing. Does that mean my PC is healed?
0
Anonymous user
 
yes, set it to resolved

and goodbye
0
Frya
 
Right away ^^

Thank you for everything.

Good luck with everything.
0
Anonymous user
 
at the slightest problem, come back to see me
as late as possible
0