Virus Dr Guard on my PC
Solved
Hello,
I have this Dr Guard virus on my PC, what should I do? Thanks everyone for your help.
Mike
Configuration: Windows Vista / Firefox 3.5.8
30 answers
well ...
do as follows in order:
1- protocol to follow for Windows Vista:
* Disable User Account Control (UAC) (reactivate it only at the end of the cleanup):
Go to “start” then “control panel”:
--->On the right side of the window, click on “classic view”
--->Double-click on the “User Accounts” icon
--->Then click on “Turn User Account Control on or off.”
--->Uncheck the box “use User Account Control...” and click OK.
--->Restart the PC!
Tutorials:
http://pagesperso-orange.fr/NosTools/uac_vista.html
https://forum.malekal.com/viewtopic.php?f=59&t=6517
* Important:
To install or launch the tools you will use during the cleanup, always do this: right-click (on the installer setup or the tool) -> choose “Run as administrator.”
Do this systematically!...
Once this is done and taken into account, continue:
========================
2- Properly uninstall Spybot S&D from the control panel / “programs and features.”
It is useless, heavy for the system, and will greatly hinder us during the cleanup...
Once uninstalled (and not before!), proceed...
========================
3- Use the ZHPFix tool:
> Launch ZHPFix from the desktop shortcut.
* Once the ZHPFix tool is open, click on the [ H ] button (“paste helper lines”).
* In the main box (which is blank), copy/paste all the text on this page (and nothing else!):
> http://www.cijoint.fr/cj201003/cijqEDfVM6.txt
Check:
- that all the lines I asked you to copy (and only those) are in the window.
- that the lines are arranged one below the other like on this page when you copy them into ZHPFix.
* Then click the [ OK ] button.
> at this point, a small empty box will appear at the beginning of each line. Don’t touch anything else!
!! Log off, disable your defenses (anti-virus, anti-spyware) and close all other applications (including browsers) !!
* Click the [ All ] button. Check that all the lines are checked.
* Finally, click the [ Clean ] button.
-> allow the tool to work and don’t touch anything...
-> If you are asked to restart the PC to complete the cleaning, do it!
Once finished, a new report will display: post the content of it in your next response...
( this report is also saved in this folder > C:\Program files\ZHPDiag\ZHPFixReport.txt )
Remember to reactivate your defenses!...
============================
4- Download Malwarebytes':
here https://www.commentcamarche.net/telecharger/securite/14361-malwarebytes-anti-malware/
or here: http://www.malwarebytes.org/mbam.php
or here: http://www.malwarebytes.org/mbam/program/mbam-setup.exe
* Install it (choose “French”; do not change the installation settings) and update it.
(NB: If you lack “COMCTL32.OCX” during installation, then download it here: https://www.malekal.com/tutorial-aboutbuster/)
* Study the tutorial to familiarize yourself with the program:
https://forum.pcastuces.com/sujet.asp?f=31&s=3
(that said, it is very user-friendly).
! Log off and close all running applications!
* Launch Malwarebytes'.
Perform a so-called “QUICK” scan.
--> Let the program work (and do nothing else with the PC during the scan).
--> at the end, click on “results.”
--> Check that all infected items are validated, then click on “remove.”
Note: if you need to restart your PC to finish the cleaning, do it!
Post the saved report after removing infected items (in the “report/log” tab of Malwarebytes', the latest one) for analysis...
==============================
5- Perform another ZHPDiag scan, check all options (except 045 and 061), post the new report obtained (via Cijoint) for analysis and wait for the next steps...
--
“Baby, I'm going on an airplane, And I don't know if I'll be back again”
IMPORTANT: do not think you are out of trouble until we tell you so!
I'm sorry, sKe69,
I'm quoting part of your instructions back to you because I'm not sure whether I should check the empty boxes or not.
> at that moment, a small empty box will appear at the beginning of each line. Don't touch anything else!
!! Disconnect, disable your defenses (anti-virus, anti-spyware) and make sure to close all other applications (including browsers)!!
* Click the [All] button. Check that all lines are checked.
Thanks for letting me know.
Hi sKe69,
Now I understand!
And here's the ZHPFix report:
ZHPFix v1.12.307 by Nicolas Coolman - Removal report from 03/05/2010 13:27:48
Registry export file: C:\ZHPExportRegistry-03-05-2010-13.27.48.txt
Web site: http://www.premiumorange.com/zeb-help-process/zhpfix.html
Memory processes:
C:\Users\michel\AppData\Local\Temp\asr64_ldm.exe => Removed and quarantined
C:\Users\michel\AppData\Roaming\Dr. Guard\drguard.exe => Removed and quarantined
Memory modules:
(None)
Registry keys:
(None)
Registry values:
O4 - HKCU\..\Run: [asr64_ldm.exe] . (.Microsoft Corp. - Logical Disk Manager ASR Utility.) -- C:\Users\michel\AppData\Local\Temp\asr64_ldm.exe => Value successfully removed
O4 - HKCU\..\Run: [Dr. Guard] . (.No owner - No description.) -- C:\Users\michel\AppData\Roaming\Dr. Guard\drguard.exe => Value successfully removed
Registry data items:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.esnips.com => Data successfully removed
Folders:
(None)
Files:
c:\users\michel\appdata\local\temp\asr64_ldm.exe => File not found
c:\users\michel\appdata\roaming\dr. guard\drguard.exe => File not found
Software:
(None)
Registry scripts:
(None)
Other:
(None)
Summary:
Memory processes: 2
Memory modules: 0
Registry keys: 0
Registry values: 2
Registry data items: 1
Folders: 0
Files: 2
Software: 0
Other: 0
End of the scan
It seems that Dr. Guard has disappeared!!!
If I were you, I would have learned Chinese sooner than this gibberish. Well done! You're a champ against viruses! Please let me know after analyzing the report if there's anything else to do.
Please, what would be the best defenses to protect the computer?
I have Avast, Spybot, CCleaner, and Hijackthis. I have the latter, but I don't know how to make it work!!!
What do you think? Should I add anything else?
I await your response and thanks again, well done!!!
-
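The ZHPFix report above shows the persistence mechanism the rogue used: two HKCU Run values, one launching drguard.exe from the roaming profile and one launching asr64_ldm.exe from the user's Temp directory while claiming to be a Microsoft utility in its version information. The Python snippet below is an added example, not part of this thread and not ZHPFix code: it parses ZHPFix `O4 - HKCU\..\Run:` lines of the format shown above and flags autorun entries that start from user-writable directories, carry no publisher, or claim a Microsoft publisher from outside Windows and Program Files. The report text embedded in it is a constructed excerpt: the two removed entries copy the report above, and the Windows Defender line is made up for contrast (MSASCui.exe appears later in the thread as a running process, not as a Run value).

```python
"""Flag suspicious autorun entries in a ZHPFix removal report.

Added example for this thread, not ZHPFix code. SAMPLE is a constructed
excerpt: the two removed entries copy the report posted above; the Windows
Defender line is made up as a benign comparison.
"""
import re

SAMPLE = r"""Registry values:
O4 - HKCU\..\Run: [asr64_ldm.exe] . (.Microsoft Corp. - Logical Disk Manager ASR Utility.) -- C:\Users\michel\AppData\Local\Temp\asr64_ldm.exe => Value successfully removed
O4 - HKCU\..\Run: [Dr. Guard] . (.No owner - No description.) -- C:\Users\michel\AppData\Roaming\Dr. Guard\drguard.exe => Value successfully removed
O4 - HKLM\..\Run: [Windows Defender] . (.Microsoft Corporation - Windows Defender User Interface.) -- C:\Program Files\Windows Defender\MSASCui.exe
"""

# "O4 - <hive>\..\Run: [<value name>] . (.<owner> - <description>.) -- <path> [=> <result>]"
RUN_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] \. "
    r"\(\.(?P<owner>.+?) - (?P<desc>.+?)\.\) -- (?P<path>.+?)(?: => (?P<result>.+))?$"
)

# Directories any user process can write to: nothing trustworthy needs to
# persist from here, and both Dr Guard components did.
USER_WRITABLE = (
    "\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
    "\\users\\public\\", "\\windows\\temp\\",
)
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")

REASON_USER_DIR = "launched from a user-writable directory"
REASON_NO_PUBLISHER = "no publisher or description in version info"
REASON_MS_OUTSIDE = "claims a Microsoft publisher but lives outside Windows/Program Files"


def parse_run_entries(text):
    """Return one dict per O4 Run line (hive, name, owner, desc, path, result)."""
    entries = []
    for line in text.splitlines():
        m = RUN_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def assess(entry):
    """Return the list of reasons an autorun entry deserves a second look."""
    path = entry["path"].lower()
    owner = entry["owner"].lower()
    reasons = []
    if any(marker in path for marker in USER_WRITABLE):
        reasons.append(REASON_USER_DIR)
    if owner.startswith("no owner"):
        reasons.append(REASON_NO_PUBLISHER)
    # Version-info strings are free text set by whoever built the binary, so a
    # "Microsoft" owner is only plausible together with a Microsoft location.
    if "microsoft" in owner and not path.startswith(TRUSTED_ROOTS):
        reasons.append(REASON_MS_OUTSIDE)
    return reasons


def review(text):
    """Map each flagged autorun value name to its reasons; clean entries are omitted."""
    flagged = {}
    for entry in parse_run_entries(text):
        reasons = assess(entry)
        if reasons:
            flagged[entry["name"]] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in review(SAMPLE).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Run against the constructed excerpt, both removed entries are flagged and the Defender entry passes. The location check matters more than the publisher string: a Run value whose target sits in Temp or the roaming profile is worth a look even when the version information looks respectable, which is exactly the asr64_ldm.exe case.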
re,
Let's not exaggerate ... ;p
I'm waiting for the AD-Remover report so ...
-
Hi sKe69,
I don't understand, but I feel like Ad-Remover hasn't done anything. After four hours, nothing has changed!!! I did what you told me, which was also what the instructions said:
First, I selected the letter S and then pressed Enter. From then on a small blinking cursor was working, and after almost four hours nothing had changed!!! When I pressed Enter, the selection of the letter S disappeared, and apart from the small blinking cursor after the letters, nothing indicated whether the scan was running. Yet at the top there was the date and the start of the scan!!! I went to check whether there was a report, but there was nothing!
I thought I would rest for 10 minutes, but I fell asleep, and after four hours I found that nothing had changed... weird.
-
Hello,
well infected ... ^^
/!\ For the smooth running of the disinfection:
- Do not use this PC for anything other than coming here to continue the disinfection.
- Do not do anything with the PC without my permission and follow the procedures that will follow to the letter.
- Make sure you understand all of these procedures before you start.
- If you have any issues, do not hesitate to let me know (avoid making hasty decisions).
Start by doing this if possible:
Download ZHPDiag (from Nicolas Coolman) to your desktop:
-> https://www.zebulon.fr/telechargements/securite/systeme/zhpdiag.html
!! disconnect and close all your running applications !!
> Right-click / "run as admin..." on "ZHPDiag.exe" to start the installation of the tool and follow the instructions (do not change the installation settings and make sure to check the box "create a desktop icon" to have the shortcuts "ZHPDiag" and "ZHPFix").
> Launch ZHPDiag from the desktop shortcut.
> Once ZHPDiag is open, click on the "option" button at the top right.
(the one with the screwdriver)
A list will appear in the main box > check that all lines are checked except for 045 and 061 (important!).
> Then click on the "magnifying glass" button (at the top left) to start the scan.
Let the tool work ...
> Once finished, the report will be displayed: click on the "floppy disk" button to save the report obtained ...
Make sure to save ZHPDiag.txt so that you can easily find it (on the desktop for example).
(Otherwise, the report will also be saved in this folder > C:\Program files\ZHPDiag)
Then close the program ...
> Then go to this site: http://www.cijoint.fr/
Click on "browse" and go to the report you saved.
Then click on "click here to upload the file" and wait ...
Once the upload is finished, a link will appear > please copy/paste it into your next response ....
re,
launch ZHPFix 'as admin...'.
( if you don't have a shortcut on your desktop, ZHPFix.exe is located in this folder D:\Program files\ZHPDiag )
A- click on the H button
B- paste the script from this page > http://www.cijoint.fr/cj201003/cijqEDfVM6.txt
in the tool's window as shown here > http://www.cijoint.fr/cj201003/cijOCJaz4V.jpg
and click on "OK"
C- you will then see the lines appear in the new window and in front of the empty boxes > http://www.cijoint.fr/cj201003/cijS3jpdNH.jpg
> click on "all"
continue as I instructed you in the procedure....
I am therefore waiting for the requested reports ...
Re,
I just saw that our messages crossed paths! ... ^^'
I think that Dr Guard has disappeared!!!
-> "think" yes ... but it's far from over! ...
So I am waiting for the reports of steps 4 and 5 of the procedure I gave you here > https://forums.commentcamarche.net/forum/affich-16879878-virus-dr-guard-sur-mon-pc#3
Hi sKe69,
I had already posted the ZHPFix report to you.
Now I've downloaded Malwarebytes. I understood that I need to run a scan with it.
For the second "comctl32(2)" I have a problem: it asks me to place it in one of my programs, and I put it in Word. But it gives me a very long script, and that without my doing anything, just from downloading it! What is that and what should I do with it?
-
re,
forget about comctl32 if Malwarebytes doesn't ask you for it during installation ... ^^
send me the reports as requested and I will analyze them tomorrow ...
good night to you ... ;)
-
I am sending you the Malwarebytes report for now, and tomorrow I will redo the one with ZHPDiag.
Malwarebytes' Anti-Malware 1.44
Database version: 3827
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18882
06/03/2010 1:17:16
mbam-log-2010-03-06 (01-17-16).txt
Scan type: Quick scan
Items scanned: 99794
Time elapsed: 4 minute(s), 0 second(s)
Infected memory processes: 0
Infected memory modules: 0
Infected registry keys: 5
Infected registry values: 0
Infected registry data items: 0
Infected folders: 0
Infected files: 7
Infected memory processes:
(No harmful items detected)
Infected memory modules:
(No harmful items detected)
Infected registry keys:
HKEY_CURRENT_USER\SOFTWARE\4VDD85L8NF (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Zeldar (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Dr. Guard (Rogue.DrGuard) -> Quarantined and deleted successfully.
Infected registry values:
(No harmful items detected)
Infected registry data items:
(No harmful items detected)
Infected folders:
(No harmful items detected)
Infected files:
C:\Users\Public\Desktop\spam001.exe (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Users\michel\AppData\Local\Temp\SPAM.exe (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Users\michel\AppData\Local\Temp\dhdhtrdhdrtr5y (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\michel\AppData\Local\Temp\TMP1.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Users\michel\downloads\SmileyCentralPFSetup2.3.50.57.SA.HP.ZNfox000.exe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Users\michel\downloads\setup.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Users\michel\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Dr. Guard.lnk (Rogue.DrGuard) -> Quarantined and deleted successfully.
-
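The Malwarebytes log above is the kind of report the helper reads before deciding whether the cleanup can stop. The Python script below is an added example, not part of this thread and not Malwarebytes' code: it parses the 1.x log format shown above (header totals, then one `<item> (<Family>) -> <action>.` line per detection), checks the header totals against the listed items, groups detections by family, and flags the two things that mean the cleanup must continue: a `Rootkit.*` family (the TDSS hits the helper reacts to in the next post) and any item not yet finally removed. The log text embedded in the script is a constructed excerpt built from the format above; the `Delete on reboot.` action string is added for contrast and is an assumption about the format.

```python
"""Triage a Malwarebytes' Anti-Malware 1.x text log.

Added example for this thread; not Malwarebytes' own code. SAMPLE_LOG is a
constructed excerpt that copies the line format of the report posted above
(one action string changed to show how non-final actions are surfaced).
"""
import re
from collections import Counter

SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.44
Database version: 3827
Windows 6.0.6002 Service Pack 2

Scan type: Quick scan
Items scanned: 99794
Time elapsed: 4 minute(s), 0 second(s)

Infected memory processes: 0
Infected registry keys: 2
Infected files: 3

Infected memory processes:
(No harmful items detected)

Infected registry keys:
HKEY_CURRENT_USER\SOFTWARE\Zeldar (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Dr. Guard (Rogue.DrGuard) -> Quarantined and deleted successfully.

Infected files:
C:\Users\Public\Desktop\spam001.exe (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Users\michel\AppData\Local\Temp\TMP1.tmp (Rootkit.TDSS) -> Delete on reboot.
C:\Users\michel\downloads\setup.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
"""

# "Infected <category>: <n>" in the header block
SUMMARY_RE = re.compile(r"^Infected ([a-z ]+): (\d+)$")
# "Infected <category>:" opening a detection section
SECTION_RE = re.compile(r"^Infected ([a-z ]+):$")
# "<registry key or path> (<Family.Name>) -> <action>."
DETECTION_RE = re.compile(
    r"^(?P<item>.+) \((?P<family>[^()\s]+)\) -> (?P<action>.+?)\.?$"
)

FINAL_ACTION = "Quarantined and deleted successfully"


def parse_mbam_log(text):
    """Return {'summary': {category: count}, 'detections': [dict, ...]}."""
    summary, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group(1)] = int(m.group(2))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = DETECTION_RE.match(line)
        if m and section:
            detections.append({"category": section, **m.groupdict()})
    return {"summary": summary, "detections": detections}


def triage(report):
    """Summarise a parsed log and say whether the cleanup must escalate."""
    dets = report["detections"]
    by_family = Counter(d["family"] for d in dets)
    parsed_counts = Counter(d["category"] for d in dets)
    # Header totals that disagree with the listed items mean the log is
    # truncated or was edited before posting: do not trust it as-is.
    mismatches = sorted(
        cat for cat, n in report["summary"].items() if parsed_counts.get(cat, 0) != n
    )
    # A user-mode scanner reporting a Rootkit.* family is a reason to follow
    # up with a dedicated rootkit tool, not proof that the rootkit is gone.
    rootkits = sorted(f for f in by_family if f.startswith("Rootkit."))
    # Anything not finally removed (e.g. scheduled for deletion on reboot)
    # still has to be confirmed gone after the restart.
    pending = [d["item"] for d in dets if d["action"] != FINAL_ACTION]
    return {
        "by_family": dict(by_family),
        "count_mismatches": mismatches,
        "rootkit_families": rootkits,
        "pending_items": pending,
        "escalate": bool(rootkits or pending or mismatches),
    }


if __name__ == "__main__":
    result = triage(parse_mbam_log(SAMPLE_LOG))
    for key, value in result.items():
        print(f"{key}: {value}")
```

On the constructed excerpt the result is `escalate: True` for two independent reasons, the Rootkit.TDSS family and the item left for deletion on reboot. The header cross-check is there because a pasted log is evidence only if it is complete; a mismatch between the totals and the listed items is a reason to ask for the file again rather than to analyse it.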
hello Mike,
well, TDSS rootkit on top of that... it was to be expected... ^^
delete everything in the quarantine of Malwarebytes...
so I'm waiting for the report from ZHPDiag...
well .... we're not out of the woods yet ... -_-
1- MBAM is Malwarebytes! So send me the latest report you have ....
======================
2- and for ZHPDiag, everything has already been said:
Redo a ZHPDiag scan ("as admin..."), make sure to check all options (except 045 and 061), post the new report obtained (via Cijoint) for analysis and wait for the next steps ...
But I already sent you the MBAM report last night. Please take a look, it's in the response given at 1:34 AM last night. That's why I didn't understand.
But you didn't confirm for ZHPDiag: should I do the first procedure with the OPTION - CHECK ALL EXCEPT 45 AND 61... or should I just click on the magnifying glass to run the scan directly?
-
Re,
I have to do the first process with OPTION-ALL CHECKED EXCEPT 45 AND 61
> it's like Port Salut, it's written on it! (you have to read) ... so it's YES! ....
For the MBAM report, it was you who told me here:
"12 items removed again with Malwarebite!!!"
I understood that you ran a new scan this morning ...
anyway,
do ZHPDiag so we can move forward ... ^^"
ZHPDiag/MD5 v1.25.1282 report by Nicolas Coolman
Run by michel at 06/03/2010 11:44:56
Web site: http://www.premiumorange.com/zeb-help-process/zhpdiag.html
---\\ Web Browser
MSIE: Internet Explorer v8.0.6001.18882
MFIE: Mozilla Firefox (3.5.3)
---\\ System Information
Platform: Windows Vista (TM) Home Premium (6.0.6002) Service Pack 2
Processor: x86 Family 15 Model 95 Stepping 2, AuthenticAMD
Operating System: 32 Bits
Boot mode: Normal (Normal boot)
Total RAM: 2045 MB (61% free)
System drive C: has 58 GB (71%) free of 80 GB
---\\ DOS/Devices
A:\ Floppy drive, Flash card reader, USB Key (Not Inserted)
C:\ Hard drive, Flash drive, Thumb drive (Free 58 Go of 80 Go)
D:\ Hard drive, Flash drive, Thumb drive (Free 110 Go of 110 Go)
E:\ CD-ROM drive (Not Inserted)
F:\ CD-ROM drive (Not Inserted)
---\\ Running Processes
[MD5.0D392EDE3B97E0B3131B2F63EF1DB94E] - (.Microsoft Corporation - Windows Defender User Interface.) -- C:\Program Files\Windows Defender\MSASCui.exe
[MD5.3A0647BDED81DBE0BCBB51D70B22C9E0] - (.Sun Microsystems, Inc. - Java(TM) Platform SE binary.) -- C:\Program Files\Java\jre6\bin\jusched.exe
[MD5.0A7E9FDF3BF1980CA09FEEAC7F52EFBC] - (.ALWIL Software - avast! service GUI component.) -- C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
[MD5.8CA340A0929B4595BF7A75E45CF90F84] - (.Malwarebytes Corporation - Malwarebytes' Anti-Malware.) -- C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
[MD5.9E35FF7F943AE0FB89192BFE058B7FD4] - (.Microsoft Corporation - Windows Sidebar.) -- C:\Program Files\Windows Sidebar\sidebar.exe
[MD5.18B4B12358EFCF68D76812058A26181F] - (.Microsoft Corporation - Windows Live Messenger.) -- C:\Program Files\Windows Live\Messenger\msnmsgr.exe
[MD5.35937EAD711207544E219C2A19A78A7D] - (.Microsoft Corporation - Par Service Configuration Application.) -- C:\Program Files\Windows Media Player\WMPNSCFG.exe
---\\ Mozilla Firefox Search Pages (M1)
---\\ Internet Explorer URLSearchHook (R3)
[MD5.2267A6D54949CADF37B3E2A4691D472B] - (.Microsoft Corporation - Internet Explorer.) -- C:\Windows\system32\ieframe.dll
---\\ Browser Helper Objects (O2)
[MD5.B7899C3E21B299D7A3C0DA96CAE340BD] - (.Microsoft Corporation - WindowsLiveLogin.dll.) -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
[MD5.C9EDE29F223A27873E187D9FB6045EA6] - (.Sun Microsystems, Inc. - Java(TM) Platform SE binary.) -- C:\Program Files\Java\jre6\bin\jp2ssv.dll
---\\ Applications Automatically Started by the Registry (O4)
[MD5.B05059253D65CC8970D9AFA757A54BAD] - (.Microsoft Corporation - Microsoft Office 2000 component.) -- C:\Program Files\Microsoft Office\Office\OSA9.EXE
[MD5.C047C9C6CD8E134AFDFDB374E80547E5] - (.No Owner - No Description.) -- C:\Program Files\OpenOffice.org 3\program\quickstart.exe
---\\ Registry Autorun ShellServiceObjectDelayLoad (SSODL) (O21)
[MD5.CC8915DB4E33E8FB29CA0D2DBF75306E] - (.Microsoft Corporation - Web Site Controller.) -- C:\Windows\System32\webcheck.dll
---\\ Registry Autorun SharedTaskScheduler (STS) (O22)
[MD5.4504819D18FAC09B6108D8728467E5B2] - (.Microsoft Corporation - Library of the UI.) -- C:\Windows\system32\browseui.dll
---\\ Scheduled Tasks Automatically (O39)
[MD5.310352677798328ABFFAEAE57A345D61] - (.No Owner - No Description.) -- C:\Windows\Tasks\User_Feed_Synchronization-{2B4D3674-DE85-4C86-A6CB-97BEB8D9B392}.job
---\\ Installed Components (ActiveSetup Installed Components) (O40)
[MD5.E36A9CD11E12C348E167064E89926B9A] - (.Sun Microsystems, Inc. - Java(TM) Platform SE binary.) -- C:\Program Files\Java\jre6\bin\regutils.dll
---\\ Last Modified or Created Files under Windows and System32 (O44)
O44 - LFC:[MD5.654A3F014903DC62CAF5E037F3D316D2] - 06/03/2010 - 0.45.57 ---A- . (.Malwarebytes Corporation - Malwarebytes' Anti-Malware.) -- C:\Windows\System32\drivers\mbam.sys
O44 - LFC:[MD5.C0D40BEAA6DFC05602FC8F484696F7F5] - 06/03/2010 - 0.46.01 ---A- . (.Malwarebytes Corporation - Malwarebytes' Anti-Malware.) -- C:\Windows\System32\drivers\mbamswissarmy.sys
O44 - LFC:[MD5.CC36169B4581466EF83B5C761A7695C3] - 07/02/2010 - 4.56.40 ---A- . (.No Owner - No Description.) -- C:\Windows\BHS+.bblx
O44 - LFC:[MD5.2D64A0D98D626FFA7E5D646065EA843B] - 06/03/2010 - 10.39.11 ---A- . (.No Owner - No Description.) -- C:\Windows\System32\PerfStringBackup.INI
O44 - LFC:[MD5.654A4D55A68BB2688209178A328BA52A] - 06/03/2010 - 10.39.11 ---A- . (.No Owner - No Description.) -- C:\Windows\System32\perfc009.dat
O44 - LFC:[MD5.FB04FA52911D9D08898407DC6D7EFB87] - 06/03/2010 - 10.39.11 ---A- . (.No Owner - No Description.) -- C:\Windows\System32\perfc00C.dat
O44 - LFC:[MD5.93480F09985F0CDA49D9EEF3DF182115] - 06/03/2010 - 10.39.11 ---A- . (.No Owner - No Description.) -- C:\Windows\System32\perfh009.dat
O44 - LFC:[MD5.C0ECF3BA0E6EE5D402CB64E457373225] - 06/03/2010 - 10.39.11 ---A- . (.No Owner - No Description.) -- C:\Windows\System32\perfh00C.dat
O44 - LFC:[MD5.00000000000000000000000000000000] - 06/03/2010 - 10.38.18 ---A- . (.No Owner - No Description.) -- C:\Windows\WindowsUpdate.log
O44 - LFC:[MD5.EDDB92C3F7CD631B1C7DCC7025BF740A] - 06/03/2010 - 10.34.34 ---A- . (.No Owner - No Description.) -- C:\Windows\error.log
O44 - LFC:[MD5.F573A44E08745CAAF8C28EDA3F425A8C] - 06/03/2010 - 10.34.03 -S-A- . (.No Owner - No Description.) -- C:\Windows\bootstat.dat
O44 - LFC:[MD5.5CFB30C3A0D4A26CADC257B16BBE3F13] - 06/03/2010 - 10.33.56 ---A- . (.No Owner - No Description.) -- C:\Windows\errord.log
O44 - LFC:[MD5.90A644DD27463595E07C51399AF1798D] - 05/03/2010 - 13.27.49 ---A- . (.No Owner - No Description.) -- C:\ZHPExportRegistry-05-03-2010-13.27.48.txt
O44 - LFC:[MD5.E2606C393B893A3E2CFA18CAE873F763] - 24/02/2010 - 17.53.09 ---A- . (.No Owner - No Description.) -- C:\Windows\System32\FNTCACHE.DAT
O44 - LFC:[MD5.7EE94754C9AF5B8A4A97E620C4C07541] - 24/02/2010 - 10.35.43 ---A- . (.Microsoft - Legacy GDF resource DLL.) -- C:\Windows\System32\GameUXLegacyGDFs.dll
O44 - LFC:[MD5.A6D28943A33DC7E717795AF68581C624] - 17/02/2010 - 16.44.26 ---A- . (.TechSmith Corporation - TechSmith Screen Capture Codec.) -- C:\Windows\System32\tsccvid.dll
O44 - LFC:[MD5.20BC79C59331740B750795921D77F35F] - 08/02/2010 - 23.45.53 ---A- . (.No Owner - No Description.) -- C:\Windows\System32\esnecil.ind
O44 - LFC:[MD5.D8900B4673F8DC4B5BFA3C61F66A464A] - 08/02/2010 - 14.33.23 ---A- . (.No Owner - No Description.) -- C:\Windows\Crypkey.ini
O44 - LFC:[MD5.20BC79C59331740B750795921D77F35F] - 08/02/2010 - 14.23.29 ---A- . (.No Owner - No Description.) -- C:\Windows\System32\esnecil.nlp
O44 - LFC:[MD5.8837F1B553AFCAD13B91A7413B85572B] - 08/02/2010 - 14.23.29 ---A- . (.No Owner - No Description.) -- C:\Windows\vx86036.dat
O44 - LFC:[MD5.130E63025284294BC200856BC058E4FD] - 08/02/2010 - 14.23.19 ---A- . (.No Owner - No Description.) -- C:\CKINFO.TXT
O44 - LFC:[MD5.133F82B6391F3390BECFA429C23FB2BE] - 08/02/2010 - 14.22.02 ---A- . (.CrypKey (Canada) Ltd. - CrypKey License Service.) -- C:\Windows\System32\Crypserv.exe
O44 - LFC:[MD5.D45FA1C1B94487D50DD06AC4628235D3] - 08/02/2010 - 14.22.02 ---A- . (.Kenonic Controls - CKCONFIG MFC Application.) -- C:\Windows\Ckconfig.exe
O44 - LFC:[MD5.8C8BEDB0CA134E791244BACB936E2FA5] - 08/02/2010 - 14.22.02 ---A- . (.No Owner - No Description.) -- C:\Windows\Ckrfresh.exe
O44 - LFC:[MD5.1DC81022E7605CE5FC7BF08ACFE5FD9C] - 08/02/2010 - 14.22.02 ---A- . (.No Owner - No Description.) -- C:\Windows\Setup_ck.dll
O44 - LFC:[MD5.5EF7DD401771693245D46F4B0B69FE2B] - 08/02/2010 - 14.22.02 ---A- . (.No Owner - No Description.) -- C:\Windows\System32\Ckldrv.sys
O44 - LFC:[MD5.178A4F6A92760DD8927B4B8C51E760DB] - 08/02/2010 - 14.22.02 R--A- . (.No Owner - No Description.) -- C:\Windows\Setup_ck.exe
---\\ MountPoints2 Shell Key (MPSK) (O51)
---\\ List of System Drivers (SDL) (O58)
O58 - SDL:[MD5.2EDC5BBAC6C651ECE337BDE8ED97C9FB] - 02/11/2006 - 10.51.38 ---A- . (.Adaptec, Inc. - Adaptec Windows SAS/SATA Storport Driver.) -- C:\Windows\system32\drivers\adp94xx.sys
O58 - SDL:[MD5.B84088CA3CDCA97DA44A984C6CE1CCAD] - 02/11/2006 - 10.51.32 ---A- . (.Adaptec, Inc. - Adaptec Windows SATA Storport Driver.) -- C:\Windows\system32\drivers\adpahci.sys
O58 - SDL:[MD5.7880C67BCCC27C86FD05AA2AFB5EA469] - 02/11/2006 - 10.50.35 ---A- . (.Adaptec, Inc. - Adaptec LH Ultra160 Driver (x86).) -- C:\Windows\system32\drivers\adpu160m.sys
O58 - SDL:[MD5.9AE713F8E30EFC2ABCCD84904333DF4D] - 02/11/2006 - 10.51.00 ---A- . (.Adaptec, Inc. - Adaptec StorPort Ultra320 SCSI Driver.) -- C:\Windows\system32\drivers\adpu320.sys
O58 - SDL:[MD5.90395B64600EBB4552E26E178C94B2E4] - 02/11/2006 - 10.49.20 ---A- . (.Acer Laboratories Inc. - ALi mini IDE Driver.) -- C:\Windows\system32\drivers\aliide.sys
O58 - SDL:[MD5.5F673180268BB1FDB69C99B6619FE379] - 02/11/2006 - 10.50.09 ---A- . (.Adaptec, Inc. - Adaptec RAID Storport Driver.) -- C:\Windows\system32\drivers\arc.sys
O58 - SDL:[MD5.957F7540B5E7F602E44648C7DE5A1C05] - 02/11/2006 - 10.50.10 ---A- . (.Adaptec, Inc. - Adaptec SAS RAID WS03 Driver.) -- C:\Windows\system32\drivers\arcsas.sys
O58 - SDL:[MD5.D48659BB24C48345D926ECB45C1EBDF5] - 13/08/2004 - 8.56.20 ---A- . (.No Owner - ATK0110 ACPI Utility.) -- C:\Windows\system32\drivers\ASACPI.sys
O58 - SDL:[MD5.B4079A98F294A3E262872CB76F4849F0] - 25/11/2009 - 0.50.00 ---A- . (.ALWIL Software - avast! File System Access Blocking Driver.) -- C:\Windows\system32\drivers\aswFsBlk.sys
O58 - SDL:[MD5.E2851CB7DBB831888EAEA46C55C05E44] - 25/11/2009 - 0.49.48 ---A- . (.ALWIL Software - avast! File System Minifilter for Windows 2003/Vista.) -- C:\Windows\system32\drivers\aswMonFlt.sys
O58 - SDL:[MD5.8080D683489C99CBACE813F6FA4069CC] - 25/11/2009 - 0.48.57 ---A- . (.ALWIL Software - avast! TDI RDR Driver.) -- C:\Windows\system32\drivers\aswRdr.sys
O58 - SDL:[MD5.2E5A2AD5004B55DF39B7606130A88142] - 25/11/2009 - 0.50.12 ---A- . (.ALWIL Software - avast! self protection module.) -- C:\Windows\system32\drivers\aswSP.sys
O58 - SDL:[MD5.D4C83A37EFADFA2C398362E0776E3773] - 25/11/2009 - 0.49.07 ---A- . (.ALWIL Software - avast! TDI Filter Driver.) -- C:\Windows\system32\drivers\aswTdi.sys
O58 - SDL:[MD5.14FE36D8F2C6A2435275338D061A0B66] - 10/12/2009 - 11.24.43 ---A- . (.Avira GmbH - Avira Minifilter Driver.) -- C:\Windows\system32\drivers\avgntflt.sys
O58 - SDL:[MD5.9F9ACC7F7CCDE8A15C282D3F88B43309] - 02/11/2006 - 9.24.45 ---A- . (.Brother Industries, Ltd. - Windows ME USB Mass-Storage Bulk-Only Lower Filter Driver.) -- C:\Windows\system32\drivers\BrFiltLo.sys
O58 - SDL:[MD5.56801AD62213A41F6497F96DEE83755A] - 02/11/2006 - 9.24.46 ---A- . (.Brother Industries, Ltd. - Windows ME USB Mass-Storage Bulk-Only Upper Filter Driver.) -- C:\Windows\system32\drivers\BrFiltUp.sys
O58 - SDL:[MD5.B304E75CFF293029EDDF094246747113] - 02/11/2006 - 9.25.24 ---A- . (.Brother Industries Ltd. - Brother Series I/F Driver (WDM).) -- C:\Windows\system32\drivers\BrSerId.sys
O58 - SDL:[MD5.203F0B1E73ADADBBB7B7B1FABD901F6B] - 02/11/2006 - 9.24.44 ---A- . (.Brother Industries Ltd. - Brother Serial driver (WDM version).) -- C:\Windows\system32\drivers\BrSerWdm.sys
O58 - SDL:[MD5.BD456606156BA17E60A04E18016AE54B] - 02/11/2006 - 9.24.44 ---A- . (.Brother Industries Ltd. - Brother USB MDM Driver.) -- C:\Windows\system32\drivers\BrUsbMdm.sys
O58 - SDL:[MD5.AF72ED54503F717A43268B3CC5FAEC2E] - 02/11/2006 - 9.24.47 ---A- . (.Brother Industries Ltd. - Brother USB Serial Driver.) -- C:\Windows\system32\drivers\BrUsbSer.sys
O58 - SDL:[MD5.45201046C776FFDAF3FC8A0029C581C8] - 02/11/2006 - 10.49.28 ---A- . (.CMD Technology, Inc. - CMD PCI IDE Bus Driver.) -- C:\Windows\system32\drivers\cmdide.sys
O58 - SDL:[MD5.AE1FDF7BF7BB6C6A70F67699D880592A] - 02/11/2006 - 10.50.11 ---A- . (.Adaptec, Inc. - Adaptec Ultra SCSI miniport.) -- C:\Windows\system32\drivers\djsvs.sys
O58 - SDL:[MD5.F88FB26547FD2CE6D0A5AF2985892C48] - 02/11/2006 - 8.30.54 ---A- . (.Intel Corporation - Intel(R) PRO/1000 Adapter NDIS 6 deserialized driver.) -- C:\Windows\system32\drivers\E1G60I32.sys
O58 - SDL:[MD5.E8F3F21A71720C84BCF423B80028359F] - 02/11/2006 - 10.51.34 ---A- . (.Emulex - Storport Miniport Driver for LightPulse HBAs.) -- C:\Windows\system32\drivers\elxstor.sys
O58 - SDL:[MD5.DF353B401001246853763C4B7AAA6F50] - 02/11/2006 - 10.50.10 ---A- . (.Hewlett-Packard Company - Smart Array Storport Driver.) -- C:\Windows\system32\drivers\HpCISSs.sys
O58 - SDL:[MD5.C957BF4B5D80B46C5017BF0101E6C906] - 02/11/2006 - 10.51.25 ---A- . (.Intel Corporation - Intel Matrix Storage Manager driver (base).) -- C:\Windows\system32\drivers\iaStorV.sys
O58 - SDL:[MD5.2D077BF86E843F901D8DB709C95B49A5] - 02/11/2006 - 10.50.17 ---A- . (.Intel Corp./ICP vortex GmbH - Intel/ICP Raid Storport Driver.) -- C:\Windows\system32\drivers\iirsp.sys
O58 - SDL:[MD5.BCED60D16156E428F8DF8CF27B0DF150] - 02/11/2006 - 10.50.07 ---A- . (.Integrated Technology Express, Inc. - ITE IT8211 ATA/ATAPI SCSI miniport.) -- C:\Windows\system32\drivers\iteatapi.sys
O58 - SDL:[MD5.06FA654504A498C30ADCA8BEC4E87E7E] - 02/11/2006 - 10.50.09 ---A- . (.Integrated Technology Express, Inc. - ITE IT8212 ATA RAID SCSI miniport.) -- C:\Windows\system32\drivers\iteraid.sys
O58 - SDL:[MD5.A2262FB9F28935E862B4DB46438C80D2] - 02/11/2006 - 10.50.04 ---A- . (.LSI Logic - LSI Logic Fusion-MPT FC Driver (StorPort).) -- C:\Windows\system32\drivers\lsi_fc.sys
O58 - SDL:[MD5.30D73327D390F72A62F32C103DAF1D6D] - 02/11/2006 - 10.50.05 ---A- . (.LSI Logic - LSI Logic Fusion-MPT SAS Driver (StorPort).) -- C:\Windows\system32\drivers\lsi_sas.sys
O58 - SDL:[MD5.E1E36FEFD45849A95F1AB81DE0159FE3] - 02/11/2006 - 10.50.10 ---A- . (.LSI Logic - LSI Logic Fusion-MPT SCSI Driver (StorPort).) -- C:\Windows\system32\drivers\lsi_scsi.sys
O58 - SDL:[MD5.654A3F014903DC62CAF5E037F3D316D2] - 07/01/2010 - 16.07.04 ---A- . (.Malwarebytes Corporation - Malwarebytes' Anti-Malware.) -- C:\Windows\system32\drivers\mbam.sys
O58 - SDL:[MD5.C0D40BEAA6DFC05602FC8F484696F7F5] - 07/01/2010 - 16.07.14 ---A- . (.Malwarebytes Corporation - Malwarebytes' Anti-Malware.) -- C:\Windows\system32\drivers\mbamswissarmy.sys
O58 - SDL:[MD5.D153B14FC6598EAE8422A2037553ADCE] - 02/11/2006 - 10.49.53 ---A- . (.LSI Logic Corporation - MEGASAS RAID Controller Driver for Windows Vista/Longhorn for x.) -- C:\Windows\system32\drivers\megasas.sys
O58 - SDL:[MD5.4FBBB70D30FD20EC51F80061703B001E] - 02/11/2006 - 10.49.59 ---A- . (.LSI Logic Corporation - MegaRAID RAID Controller Driver for Windows Vista/Longhorn for.) -- C:\Windows\system32\drivers\Mraid35x.sys
O58 - SDL:[MD5.2E7FB731D4790A1BC6270ACCEFACB36E] - 02/11/2006 - 10.50.19 ---A- . (.IBM Corporation - IBM ServeRAID Controller Driver.) -- C:\Windows\system32\drivers\nfrd960.sys
O58 - SDL:[MD5.E875C093AEC0C978A90F30C9E0DFBB72] - 02/11/2006 - 8.36.50 ---A- . (.N-trig Innovative Technologies - Integrated Tablet Digitizer Driver.) -- C:\Windows\system32\drivers\ntrigdigi.sys
O58 - SDL:[MD5.CFDDEDC1151839DD71F78472645214A5] - 14/10/2006 - 4.04.33 ---A- . (.NVIDIA Corporation - NVIDIA Compatible Windows 2000 Miniport Driver, Version 96.86.) -- C:\Windows\system32\drivers\nvlddmkm.sys
O58 - SDL:[MD5.1657F3FBD9061526C14FF37E79306F98] - 02/11/2006 - 8.30.56 ---A- . (.NVIDIA Corporation - NVIDIA MCP Networking Function Driver..) -- C:\Windows\system32\drivers\nvm60x32.sys
O58 - SDL:[MD5.E69E946F80C1C31C53003BFBF50CBB7C] - 02/11/2006 - 10.50.24 ---A- . (.NVIDIA Corporation - NVIDIA® nForce(TM) RAID Driver.) -- C:\Windows\system32\drivers\nvraid.sys
O58 - SDL:[MD5.4A5FCAB82D9BF6AF8A023A66802FE9E9] - 05/01/2007 - 20.59.42 ---A- . (.NVIDIA Corporation - NVIDIA® nForce(TM) Sata Performance Driver.) --
-
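A ZHPDiag report is long, and the helper skims it for a few signals: executables and drivers with no publisher in their version information, especially under C:\Windows, and files that could not be hashed (an all-zero MD5). The Python script below is an added example, not part of this thread and not ZHPDiag's own code. It parses the section headers and the `[MD5.…] … (.Owner - Description.) -- path` lines of the format posted above and sorts entries into review buckets. The embedded report is a constructed excerpt made of lines taken from the report above. Every bucket is a prompt to check, not a verdict: the OpenOffice quickstart entry it surfaces is benign, and the unattributed Ck* files sit next to the "CrypKey License Service" the report does attribute, which is why the output is a list for a human rather than a deletion script.

```python
"""Triage helper for ZHPDiag text reports.

Added example for this thread, not Nicolas Coolman's ZHPDiag code.
SAMPLE_REPORT is a constructed excerpt that copies lines of the report
posted above. Everything flagged here is a prompt for a human reviewer,
not a verdict: legitimate software ships unattributed files too.
"""
import re
from collections import Counter

SAMPLE_REPORT = r"""ZHPDiag/MD5 v1.25.1282 report by Nicolas Coolman
Run by michel at 06/03/2010 11:44:56
---\\ Running Processes
[MD5.0D392EDE3B97E0B3131B2F63EF1DB94E] - (.Microsoft Corporation - Windows Defender User Interface.) -- C:\Program Files\Windows Defender\MSASCui.exe
---\\ Applications Automatically Started by the Registry (O4)
[MD5.B05059253D65CC8970D9AFA757A54BAD] - (.Microsoft Corporation - Microsoft Office 2000 component.) -- C:\Program Files\Microsoft Office\Office\OSA9.EXE
[MD5.C047C9C6CD8E134AFDFDB374E80547E5] - (.No Owner - No Description.) -- C:\Program Files\OpenOffice.org 3\program\quickstart.exe
---\\ Last Modified or Created Files under Windows and System32 (O44)
O44 - LFC:[MD5.654A3F014903DC62CAF5E037F3D316D2] - 06/03/2010 - 0.45.57 ---A- . (.Malwarebytes Corporation - Malwarebytes' Anti-Malware.) -- C:\Windows\System32\drivers\mbam.sys
O44 - LFC:[MD5.2D64A0D98D626FFA7E5D646065EA843B] - 06/03/2010 - 10.39.11 ---A- . (.No Owner - No Description.) -- C:\Windows\System32\PerfStringBackup.INI
O44 - LFC:[MD5.00000000000000000000000000000000] - 06/03/2010 - 10.38.18 ---A- . (.No Owner - No Description.) -- C:\Windows\WindowsUpdate.log
O44 - LFC:[MD5.8C8BEDB0CA134E791244BACB936E2FA5] - 08/02/2010 - 14.22.02 ---A- . (.No Owner - No Description.) -- C:\Windows\Ckrfresh.exe
O44 - LFC:[MD5.5EF7DD401771693245D46F4B0B69FE2B] - 08/02/2010 - 14.22.02 ---A- . (.No Owner - No Description.) -- C:\Windows\System32\Ckldrv.sys
---\\ List of System Drivers (SDL) (O58)
O58 - SDL:[MD5.B4079A98F294A3E262872CB76F4849F0] - 25/11/2009 - 0.50.00 ---A- . (.ALWIL Software - avast! File System Access Blocking Driver.) -- C:\Windows\system32\drivers\aswFsBlk.sys
O58 - SDL:[MD5.D48659BB24C48345D926ECB45C1EBDF5] - 13/08/2004 - 8.56.20 ---A- . (.No Owner - ATK0110 ACPI Utility.) -- C:\Windows\system32\drivers\ASACPI.sys
"""

# Section header, e.g. "---\\ List of System Drivers (SDL) (O58)"; the code is optional
HEADER_RE = re.compile(r"^---\\\\ (?P<name>.+?)(?: \((?P<code>[A-Z]\d+)\))?$")
# One entry: hash, optional "dd/mm/yyyy - h.mm.ss <attrs> .", "(.Owner - Description.)", path
ENTRY_RE = re.compile(
    r"\[MD5\.(?P<md5>[0-9A-F]{32})\] - "
    r"(?:(?P<date>\d{2}/\d{2}/\d{4}) - (?P<time>\d{1,2}\.\d{2}\.\d{2}) (?P<attrs>\S+) \. )?"
    r"\(\.(?P<owner>.+?) - (?P<desc>.+?)\.\) -- (?P<path>.+)$"
)

BINARY_EXTS = (".exe", ".dll", ".sys", ".ocx")
UNHASHED = "0" * 32


def parse_zhpdiag(text):
    """Return one dict per MD5 entry, tagged with the section it was listed under."""
    entries, section, code = [], None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        h = HEADER_RE.match(line)
        if h:
            section, code = h.group("name"), h.group("code")
            continue
        m = ENTRY_RE.search(line)
        if m:
            entries.append({"section": section, "code": code, **m.groupdict()})
    return entries


def is_under_windows(path):
    return path.lower().startswith("c:\\windows\\")


def triage_entries(entries):
    """Bucket entries the way a helper skims a report: what has no publisher,
    what could not be hashed, and who signs the rest."""
    unattributed = [e for e in entries
                    if e["owner"] == "No Owner" and e["path"].lower().endswith(BINARY_EXTS)]
    return {
        # executables/drivers under %WINDIR% with no version-info publisher: review first
        "system_unattributed": [e["path"] for e in unattributed if is_under_windows(e["path"])],
        # same heuristic elsewhere; often a benign helper, judged by its install directory
        "other_unattributed": [e["path"] for e in unattributed if not is_under_windows(e["path"])],
        # an all-zero MD5 means the file was in use or unreadable when hashed
        "unhashed": [e["path"] for e in entries if e["md5"] == UNHASHED],
        "by_owner": dict(Counter(e["owner"] for e in entries)),
        "by_section_code": dict(Counter(e["code"] or "-" for e in entries)),
    }


if __name__ == "__main__":
    for bucket, items in triage_entries(parse_zhpdiag(SAMPLE_REPORT)).items():
        print(f"{bucket}: {items}")
```

The `by_owner` count is the quickest sanity check on a full report: a machine whose drivers are almost all attributed to Microsoft and a handful of known vendors, with a short unattributed tail, reads very differently from one where the tail is long and recent, and the O44 dates let you line that tail up with the day the infection started.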
good ...
the continuation:
Download ComboFix (from sUBs) to your Desktop (and not elsewhere!):
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
--------------------------------- [ ! WARNING ! ] ------------------------------------------
• Close your running applications (as well as your browser).
• DISABLE ALL YOUR PROTECTIONS (anti-virus, anti-spyware guard, firewall) while you are doing this.
Indeed, if left active, they could greatly hinder the tool's search and cleaning procedure (even crash the PC)... You will reactivate them afterwards!
->Important: if you encounter difficulties at this stage, let me know before continuing...
• Tutorial (help) here: https://www.bleepingcomputer.com/combofix/fr/comment-utiliser-combofix
• Note: for XP, it is IMPERATIVE to install the Recovery Console of Windows if the tool asks for it (see the tutorial above).
--------------------------------- [ ! WARNING ! ] ------------------------------------------
Then:
> Right-click / "run as admin..." on the "Combofix.exe" icon to launch the tool.
> In the "DISCLAIMER..." window, click on "yes" and let it work...
Important notes:
-> do not use your mouse or keyboard (nor any other pointing device) while the program is running. This could freeze the computer.
-> The PC may restart by itself (to finalize the cleaning), let it do so.
-> If the tool tells you this: "combofix has detected the presence of a rootkit and needs to restart your machine", you accept...
-> If a Windows error message appears at some point: click the red cross at the top right of the window to close it (and not on anything else! otherwise no report...)
The report will be created here: C:\Combofix.txt
Make sure to reactivate your protections.
Post the Combofix report for analysis and wait for further instructions...
--
"Baby, I'm going on an airplane, And I don't know if I'll be back again"
IMPORTANT: do not think you are out of the woods until you are told so!
I had to completely remove Avast
COMBOFIX gave me no opportunity to choose: it did everything by itself without giving me any chance to choose! After that, it just provided the report, that's all!!! I did not encounter any problems
and here's the report:
ComboFix 10-03-05.03 - michel 06/03/2010 12.20.50.1.1 - x86
Microsoft® Windows Vista™ Home Premium Edition 6.0.6002.2.1252.33.1036.18.2046.1333 [GMT 1:00]
Started from: c:\users\michel\Downloads\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
(((((((((((((((((((((((((((((((((((( Other deletions ))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
.
((((((((((((((((((((((((((((( Files created from 2010-02-06 to 2010-03-06 ))))))))))))))))))))))))))))))))))))
.
2010-03-05 23:46 . 2010-03-05 23:46 -------- d-----w- c:\users\michel\AppData\Roaming\Malwarebytes
2010-03-05 23:46 . 2010-01-07 15:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-05 23:45 . 2010-03-05 23:45 -------- d-----w- c:\programdata\Malwarebytes
2010-03-05 23:45 . 2010-03-06 00:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-05 23:45 . 2010-01-07 15:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-05 10:00 . 2010-03-05 12:27 -------- d-----w- c:\program files\ZHPDiag
2010-03-04 23:36 . 2010-03-05 12:45 3144 ----a-w- c:\programdata\fiosejgfse.dll
2010-03-04 23:32 . 2010-03-04 23:32 53248 ----a-w- c:\users\michel\AppData\Roaming\Dr. Guard\uninstall.exe
2010-03-04 23:32 . 2010-03-04 23:32 39936 ----a-w- c:\users\michel\AppData\Roaming\Dr. Guard\drgext.dll
2010-03-04 23:32 . 2010-03-04 23:32 20480 ----a-w- c:\users\michel\AppData\Roaming\Dr. Guard\drghook.dll
2010-03-04 23:32 . 2010-03-05 12:27 -------- d-----w- c:\users\michel\AppData\Roaming\Dr. Guard
2010-03-04 19:51 . 2010-03-04 23:18 -------- d-----w- c:\program files\DivX
2010-02-24 09:36 . 2010-01-23 09:26 2048 ----a-w- c:\windows\system32\tzres.dll
2010-02-24 09:35 . 2010-01-25 12:00 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-02-24 09:35 . 2010-01-25 12:00 471552 ----a-w- c:\windows\system32\secproc.dll
2010-02-24 09:35 . 2010-01-25 08:21 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-02-24 09:35 . 2010-01-25 08:21 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-02-24 09:35 . 2010-01-25 08:21 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-02-24 09:35 . 2010-01-25 08:21 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-02-24 09:35 . 2010-01-25 12:00 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-02-24 09:35 . 2010-01-25 12:00 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-02-24 09:35 . 2010-01-25 11:58 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-02-24 09:35 . 2010-01-06 15:39 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-02-24 09:35 . 2010-01-06 15:38 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-02-24 09:35 . 2010-01-06 13:30 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-02-22 20:28 . 2010-02-22 20:28 -------- d-----w- c:\program files\Microsoft Silverlight
2010-02-18 18:44 . 2010-02-18 21:35 -------- d-----w- c:\program files\ISA2
2010-02-17 15:44 . 2010-02-17 15:44 -------- d-----w- c:\users\michel\AppData\Local\WSStepImport
2010-02-17 15:44 . 2005-06-15 02:00 102400 ----a-w- c:\windows\system32\tsccvid.dll
2010-02-17 15:43 . 2010-02-17 15:43 -------- dc-h--w- c:\programdata\{428BA3F5-8003-46AA-9B5C-D7496CECEB41}
2010-02-17 15:43 . 2009-07-10 20:04 2959604 -c--a-w- c:\programdata\{428BA3F5-8003-46AA-9B5C-D7496CECEB41}\Setup.exe
2010-02-17 15:43 . 2010-02-17 15:51 -------- d-----w- c:\users\michel\AppData\Local\Bible Explorer 4
2010-02-17 15:43 . 2010-02-17 15:43 -------- d-----w- c:\program files\Bible Explorer 4
2010-02-17 15:43 . 2010-02-17 15:43 -------- d-----w- c:\programdata\wsc
2010-02-17 15:43 . 2010-02-17 15:43 -------- d-----w- c:\programdata\WORDsearch
2010-02-17 15:43 . 2010-02-17 15:43 -------- d-----w- c:\program files\Common Files\WORDsearch
2010-02-17 15:42 . 2010-02-17 15:42 -------- d-----w- c:\users\michel\AppData\Local\PackageAware
2010-02-17 11:33 . 2010-02-17 12:36 -------- d-----w- c:\program files\Bible
2010-02-12 20:30 . 2010-03-04 23:18 -------- d-----w- c:\program files\Common Files\Adobe
2010-02-10 08:47 . 2009-12-11 11:43 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2010-02-10 08:47 . 2009-12-11 11:43 98816 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-02-08 13:23 . 2010-02-08 13:23 4 ----a-w- c:\windows\vx86036.dat
2010-02-08 13:23 . 2010-02-08 13:23 -------- d-----w- c:\programdata\CrypKey
2010-02-08 13:22 . 2008-05-07 23:29 122880 ----a-w- c:\windows\system32\Crypserv.exe
2010-02-08 13:22 . 2008-03-17 16:45 19584 ----a-w- c:\windows\system32\Ckldrv.sys
2010-02-08 13:22 . 1999-06-18 20:49 165888 ----a-w- c:\windows\Ckconfig.exe
2010-02-08 13:22 . 1996-05-03 16:21 27648 ----a-r- c:\windows\Setup_ck.exe
2010-02-08 13:22 . 1996-05-03 14:36 18432 ----a-w- c:\windows\Setup_ck.dll
2010-02-08 13:22 . 1995-07-04 17:33 11776 ----a-w- c:\windows\Ckrfresh.exe
2010-02-08 13:21 . 2010-02-08 13:33 -------- d-----w- c:\program files\Stellar Phoenix Outlook PST Repair
.
(((((((((((((((((((((((((((((((((( Find3M report ))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-06 11:18 . 2006-11-02 15:48 669328 ----a-w- c:\windows\system32\perfh00C.dat
2010-03-06 11:18 . 2006-11-02 15:48 123350 ----a-w- c:\windows\system32\perfc00C.dat
2010-03-06 09:46 . 2009-10-15 02:27 1 ----a-w- c:\users\michel\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-03-05 11:14 . 2009-10-14 10:16 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-05 11:13 . 2009-10-14 10:16 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-03-05 02:13 . 2009-11-04 19:54 -------- d-----w- c:\program files\Google
2010-02-25 14:26 . 2009-10-14 11:08 -------- d-----w- c:\program files\CCleaner
2010-02-24 16:54 . 2009-10-14 09:04 59008 ----a-w- c:\users\michel\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-24 08:16 . 2009-10-14 11:13 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-17 09:48 . 2009-10-15 17:59 -------- d-----w- c:\program files\e-Sword
2010-02-11 02:17 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-02-07 18:42 . 2010-02-01 13:40 -------- d-----w- c:\program files\eSword9Converter
2010-01-25 17:30 . 2010-01-25 17:30 -------- d-----w- c:\users\michel\AppData\Roaming\Babylon
2010-01-25 17:30 . 2010-01-25 17:30 -------- d-----w- c:\programdata\Babylon
2010-01-25 02:09 . 2010-01-25 02:09 -------- d-----w- c:\program files\Windows Portable Devices
2010-01-25 02:09 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-01-25 02:09 . 2010-01-25 02:09 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2010-01-24 14:58 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2010-01-24 14:58 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2010-01-24 14:58 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2010-01-24 14:58 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2010-01-24 14:58 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2010-01-24 14:58 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2010-01-21 03:50 . 2010-01-21 03:50 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2010-01-15 18:11 . 2006-11-02 10:32 101888 ----a-w- c:\windows\system32\ifxcardm.dll
2010-01-15 18:11 . 2006-11-02 10:32 82432 ----a-w- c:\windows\system32\axaltocm.dll
2010-01-08 03:07 . 2009-10-14 09:38 -------- d-----w- c:\programdata\Kaspersky Lab
2010-01-08 02:13 . 2010-01-08 02:13 -------- d-----w- c:\program files\Alwil Software
2010-01-08 02:08 . 2009-11-04 19:56 -------- d-----w- c:\program files\Common Files\Real
2010-01-08 02:04 . 2009-12-31 19:58 -------- d-----w- c:\program files\Graboid
2010-01-06 15:38 . 2010-02-24 09:35 173056 ----a-w- c:\windows\AppPatch\AcXtrnal.dll
2010-01-06 15:38 . 2010-02-24 09:35 542720 ----a-w- c:\windows\AppPatch\AcLayers.dll
2010-01-06 15:38 . 2010-02-24 09:35 458752 ----a-w- c:\windows\AppPatch\AcSpecfc.dll
2010-01-06 15:38 . 2010-02-24 09:35 2159616 ----a-w- c:\windows\AppPatch\AcGenral.dll
2010-01-02 06:38 . 2010-01-22 10:14 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32 . 2010-01-22 10:14 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 06:32 . 2010-01-22 10:14 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 04:57 . 2010-01-22 10:14 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-10 10:24 . 2009-11-08 14:24 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-12-08 20:01 . 2010-02-10 08:46 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-12-08 20:01 . 2010-02-10 08:46 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-08 20:01 . 2010-02-10 08:46 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 17:26 . 2010-02-10 08:46 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
.
((((((((((((((((((((((((((((((((( Registry Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty items & legitimate initial items are not listed
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"WindowsWelcomeCenter"="oobefldr.dll" [2009-04-11 2153472]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-01-07 1394000]
c:\users\michel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):15,87,5a,20,06,9d,ca,01
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of 'Scheduled Tasks' folder
2010-03-05 c:\windows\Tasks\User_Feed_Synchronization-{2B4D3674-DE85-4C86-A6CB-97BEB8D9B392}.job
- c:\windows\system32\msfeedssync.exe [2010-01-22 04:56]
.
.
------- Additional Examination -------
.
uStart Page =
mStart Page = about:blank
FF - ProfilePath - c:\users\michel\AppData\Roaming\Mozilla\Firefox\Profiles\h0q73cac.default\
FF - prefs.js: browser.startup.homepage - hxxp://fr.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:fr:official
FF - component: c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX SETTINGS ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANED ITEMS REMOVED - - - -
HKLM-Run-ClientGW - (no file)
HKLM-Run-eSnips - c:\program files\eSnips\ClientGW.exe
Notify-klogon - (no file)
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-06 12:25
Windows 6.0.6002 Service Pack 2 NTFS
Searching for hidden processes ...
Searching for hidden auto-start items ...
Searching for hidden files ...
Scan completed successfully
Hidden files: 0
**************************************************************************
.
End time: 2010-03-06 12:28:25
ComboFix-quarantined-files.txt 2010-03-06 11:28
Before-CF: 61,871,124,480 bytes free
After-CF: 61,802,905,600 bytes free
- - End Of File - - 4A0C359B07811AB282CB850593C87247
well ....
do this in order:
1- Create a text document on your desktop:
* Point your mouse at your desktop, right-click / go to "new" and choose "text document".
* Copy/paste all the text found below (and nothing else!) into the text file you just created:
File::
c:\programdata\fiosejgfse.dll
c:\users\michel\AppData\Roaming\Dr. Guard\uninstall.exe
c:\users\michel\AppData\Roaming\Dr. Guard\drgext.dll
c:\users\michel\AppData\Roaming\Dr. Guard\drghook.dll
Folder::
c:\users\michel\AppData\Roaming\Dr. Guard
* Save the file: go to "file", choose "save as ..." and name it exactly like this:
CFScript
then confirm ... (make sure to save it on the desktop)
2- Cleaning:
!! Log out, close all your applications and disable ALL YOUR PROTECTIONS (you will reactivate them afterwards) !!
-->On your desktop, drag the CFScript file onto the icon of ComboFix.exe.
(Look here: http://img.photobucket.com/albums/v666/sUBs/CFScript.gif )
This action will restart Combofix.
> Then wait for the scan to finish (the desktop will disappear several times: that's normal!).
! Do not touch anything until the scan is finished !
Note: at the end of the scan, it is possible that ComboFix will need to restart the PC to finalize the disinfection, let it do so.
> Once the scan is complete, a report will be displayed: post it for analysis ...
(Warning: this procedure was done for this PC. Any reuse may severely damage the operating system)
==========================
3- Download gmer to the desktop and unzip it (right-click and extract here):
http://www2.gmer.net/gmer.zip
!! Log out, disable your defenses (anti-virus, anti-spyware) and completely close all your applications during the process (including browsers) !!
* Right-click / "run as admin..." on gmer.exe
* Click on the "rootkit" tab, then click on scan.
* At the end of the scan, click on the copy button.
* In start > programs > accessories: open notepad and press CTRL+V to paste the report into that notepad window.
> please post the report ...
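The triage the helper does by eye on the first ComboFix report (picking out the random-named DLL dropped in c:\programdata and everything under the Dr. Guard folder) and the CFScript he then dictates can be mechanised. The Python below is an added example, not part of the thread and not ComboFix's own code: it parses lines in the "Files created" format of the report, flags entries using two heuristics that are assumptions of this example (a rogue-product folder-name list seeded only with "Dr. Guard", and a lowercase random-looking DLL sitting directly in the ProgramData root, where legitimate products normally use a subfolder), and lays the hits out as the File:: and Folder:: sections in the CFScript layout shown in the instructions above. The sample log is a constructed excerpt of lines copied from that report; an analyst still reviews every line of the output before dragging it onto ComboFix.

```python
"""Triage a ComboFix "Files created" section and draft a CFScript.

Added example, not part of the thread and not ComboFix code. The two
heuristics in flag() are assumptions an analyst must confirm by hand.
"""
import re
from pathlib import PureWindowsPath

# One ComboFix log line: "<created> . <modified> <size|dashes> <attrs> <path>"
LOG_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)

# Folder names used by rogue "antivirus" products. Assumption: a list the
# analyst maintains; here it holds only the product seen on this PC.
ROGUE_DIR_NAMES = {"dr. guard"}

# Random-looking lowercase-letter DLL name (assumption: legitimate products
# install into a subfolder of ProgramData, not a bare DLL in its root).
RANDOM_DLL = re.compile(r"^[a-z]{8,12}\.dll$")

# Constructed sample: lines copied from the first ComboFix report in the thread.
SAMPLE_LOG = r"""
(((((((((((((((((((((((((((((  Files created from 2010-02-06 to 2010-03-06  )))))))))))))))))))))))))))))))
.
2010-03-05 23:46 . 2010-01-07 15:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-04 23:36 . 2010-03-05 12:45 3144 ----a-w- c:\programdata\fiosejgfse.dll
2010-03-04 23:32 . 2010-03-04 23:32 53248 ----a-w- c:\users\michel\AppData\Roaming\Dr. Guard\uninstall.exe
2010-03-04 23:32 . 2010-03-04 23:32 39936 ----a-w- c:\users\michel\AppData\Roaming\Dr. Guard\drgext.dll
2010-03-04 23:32 . 2010-03-04 23:32 20480 ----a-w- c:\users\michel\AppData\Roaming\Dr. Guard\drghook.dll
2010-03-04 23:32 . 2010-03-05 12:27 -------- d-----w- c:\users\michel\AppData\Roaming\Dr. Guard
2010-03-04 19:51 . 2010-03-04 23:18 -------- d-----w- c:\program files\DivX
2010-02-24 09:36 . 2010-01-23 09:26 2048 ----a-w- c:\windows\system32\tzres.dll
"""


def parse_line(line):
    """Return {"path", "is_dir", "size"} for a log line, or None for headers."""
    m = LOG_LINE.match(line.strip())
    if m is None:
        return None
    is_dir = m.group("attrs").startswith("d")
    return {
        "path": m.group("path"),
        "is_dir": is_dir,
        "size": None if is_dir else int(m.group("size")),
    }


def flag(entry):
    """Return why an entry looks like rogue-AV residue, or None if it does not."""
    p = PureWindowsPath(entry["path"])
    parts = [part.lower() for part in p.parts]     # parts[0] is the drive
    if any(name in parts for name in ROGUE_DIR_NAMES):
        return "inside known rogue product folder"
    if (not entry["is_dir"] and len(parts) == 3
            and parts[1] == "programdata" and RANDOM_DLL.match(parts[2])):
        return "random-named DLL in ProgramData root"
    return None


def triage(log_text):
    """Return a list of (path, is_dir, reason) for every flagged line, in log order."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reason = flag(entry)
        if reason is not None:
            findings.append((entry["path"], entry["is_dir"], reason))
    return findings


def build_cfscript(findings):
    """Lay out flagged paths as the File:: / Folder:: sections ComboFix reads."""
    files = [path for path, is_dir, _ in findings if not is_dir]
    folders = [path for path, is_dir, _ in findings if is_dir]
    lines = []
    if files:
        lines.append("File::")
        lines.extend(files)
    if folders:
        lines.append("Folder::")
        lines.extend(folders)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for path, _, reason in found:
        print(f"# {reason}: {path}")
    print(build_cfscript(found), end="")
```

Run it and redirect the output to CFScript.txt only after removing any line the analyst has not confirmed; the "# reason" lines are printed first so the justification for each entry is visible before the script text. The folder-name list is deliberately tiny: extending it with real rogue product names is an analyst's job, and the ProgramData-root rule is a tie-breaker for review, not proof on its own.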
I opened the new document: so I have this blank document on the desktop!
The problem is that I don't know where to go and how to find these files and folders... please be patient I'm really bad at computers
File::
c:\programdata\fiosejgfse.dll
c:\users\michel\AppData\Roaming\Dr. Guard\uninstall.exe
c:\users\michel\AppData\Roaming\Dr. Guard\drgext.dll
c:\users\michel\AppData\Roaming\Dr. Guard\drghook.dll
Folder::
c:\users\michel\AppData\Roaming\Dr. Guard
start to do the rest:
I'm sorry, I didn't understand. Now I've copied and pasted it and saved it as CFScript!
The problem is that COMBOFIX, and I already told you this before, once launched it didn't give me any option to choose, like you were saying to be careful to put its icon on the desktop. So once I sent you the report and closed it, it didn't leave any icon on the desktop and I also checked in the START documents and there is no COMBOFIX...
So what to do? ...
....
it's here:
c:\users\michel\Downloads\ComboFix.exe
so you take it from there and put it on your desktop .... ^^'
ComboFix 10-03-05.03 - michel 06/03/2010 14.56.22.2.1 - x86
Microsoft® Windows Vista™ Home Premium Edition 6.0.6002.2.1252.33.1036.18.2046.1124 [GMT 1:00]
Started from: c:\users\michel\Downloads\ComboFix.exe
Switches used: :: c:\users\michel\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
FILE ::
"c:\programdata\fiosejgfse.dll"
"c:\users\michel\AppData\Roaming\Dr. Guard\drgext.dll"
"c:\users\michel\AppData\Roaming\Dr. Guard\drghook.dll"
"c:\users\michel\AppData\Roaming\Dr. Guard\uninstall.exe"
.
(((((((((((((((((((((((((((((((((((( Other deletions ))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\programdata\fiosejgfse.dll
c:\users\michel\AppData\Roaming\Dr. Guard
c:\users\michel\AppData\Roaming\Dr. Guard\about.ico
c:\users\michel\AppData\Roaming\Dr. Guard\activate.ico
c:\users\michel\AppData\Roaming\Dr. Guard\buy.ico
c:\users\michel\AppData\Roaming\Dr. Guard\drg.db
c:\users\michel\AppData\Roaming\Dr. Guard\drgext.dll
c:\users\michel\AppData\Roaming\Dr. Guard\drghook.dll
c:\users\michel\AppData\Roaming\Dr. Guard\help.ico
c:\users\michel\AppData\Roaming\Dr. Guard\scan.ico
c:\users\michel\AppData\Roaming\Dr. Guard\settings.ico
c:\users\michel\AppData\Roaming\Dr. Guard\splash.mp3
c:\users\michel\AppData\Roaming\Dr. Guard\uninstall.exe
c:\users\michel\AppData\Roaming\Dr. Guard\update.ico
c:\users\michel\AppData\Roaming\Dr. Guard\virus.mp3
.
((((((((((((((((((((((((((((( Files created from 2010-02-06 to 2010-03-06 ))))))))))))))))))))))))))))))))))))
.
2010-03-06 14:01 . 2010-03-06 14:01 -------- d-----w- c:\users\michel\AppData\Local\temp
2010-03-06 14:01 . 2010-03-06 14:01 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-03-06 14:01 . 2010-03-06 14:01 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-03-06 11:49 . 2010-02-11 18:42 162512 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-03-06 11:49 . 2010-02-11 18:38 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-03-06 11:49 . 2010-02-11 18:39 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-03-06 11:49 . 2010-02-11 18:42 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-03-06 11:49 . 2010-02-11 18:38 51792 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-03-06 11:48 . 2010-02-11 18:53 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-03-06 11:48 . 2010-02-11 18:53 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-03-06 11:48 . 2010-03-06 11:48 -------- d-----w- c:\programdata\Alwil Software
2010-03-05 23:46 . 2010-03-05 23:46 -------- d-----w- c:\users\michel\AppData\Roaming\Malwarebytes
2010-03-05 23:46 . 2010-01-07 15:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-05 23:45 . 2010-03-05 23:45 -------- d-----w- c:\programdata\Malwarebytes
2010-03-05 23:45 . 2010-03-06 00:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-05 23:45 . 2010-01-07 15:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-05 10:00 . 2010-03-05 12:27 -------- d-----w- c:\program files\ZHPDiag
2010-03-04 19:51 . 2010-03-04 23:18 -------- d-----w- c:\program files\DivX
2010-02-24 09:36 . 2010-01-23 09:26 2048 ----a-w- c:\windows\system32\tzres.dll
2010-02-24 09:35 . 2010-01-25 12:00 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-02-24 09:35 . 2010-01-25 12:00 471552 ----a-w- c:\windows\system32\secproc.dll
2010-02-24 09:35 . 2010-01-25 08:21 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-02-24 09:35 . 2010-01-25 08:21 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-02-24 09:35 . 2010-01-25 08:21 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-02-24 09:35 . 2010-01-25 08:21 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-02-24 09:35 . 2010-01-25 12:00 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-02-24 09:35 . 2010-01-25 12:00 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-02-24 09:35 . 2010-01-25 11:58 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-02-24 09:35 . 2010-01-06 15:39 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-02-24 09:35 . 2010-01-06 15:38 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-02-24 09:35 . 2010-01-06 13:30 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-02-22 20:28 . 2010-02-22 20:28 -------- d-----w- c:\program files\Microsoft Silverlight
2010-02-18 18:44 . 2010-02-18 21:35 -------- d-----w- c:\program files\ISA2
2010-02-17 15:44 . 2010-02-17 15:44 -------- d-----w- c:\users\michel\AppData\Local\WSStepImport
2010-02-17 15:44 . 2005-06-15 02:00 102400 ----a-w- c:\windows\system32\tsccvid.dll
2010-02-17 15:43 . 2010-02-17 15:43 -------- dc-h--w- c:\programdata\{428BA3F5-8003-46AA-9B5C-D7496CECEB41}
2010-02-17 15:43 . 2009-07-10 20:04 2959604 -c--a-w- c:\programdata\{428BA3F5-8003-46AA-9B5C-D7496CECEB41}\Setup.exe
2010-02-17 15:43 . 2010-02-17 15:51 -------- d-----w- c:\users\michel\AppData\Local\Bible Explorer 4
2010-02-17 15:43 . 2010-02-17 15:43 -------- d-----w- c:\program files\Bible Explorer 4
2010-02-17 15:43 . 2010-02-17 15:43 -------- d-----w- c:\programdata\wsc
2010-02-17 15:43 . 2010-02-17 15:43 -------- d-----w- c:\programdata\WORDsearch
2010-02-17 15:43 . 2010-02-17 15:43 -------- d-----w- c:\program files\Common Files\WORDsearch
2010-02-17 15:42 . 2010-02-17 15:42 -------- d-----w- c:\users\michel\AppData\Local\PackageAware
2010-02-17 11:33 . 2010-02-17 12:36 -------- d-----w- c:\program files\Bible
2010-02-12 20:30 . 2010-03-04 23:18 -------- d-----w- c:\program files\Common Files\Adobe
2010-02-10 08:47 . 2009-12-11 11:43 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2010-02-10 08:47 . 2009-12-11 11:43 98816 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-02-08 13:23 . 2010-02-08 13:23 4 ----a-w- c:\windows\vx86036.dat
2010-02-08 13:23 . 2010-02-08 13:23 -------- d-----w- c:\programdata\CrypKey
2010-02-08 13:22 . 2008-05-07 23:29 122880 ----a-w- c:\windows\system32\Crypserv.exe
2010-02-08 13:22 . 2008-03-17 16:45 19584 ----a-w- c:\windows\system32\Ckldrv.sys
2010-02-08 13:22 . 1999-06-18 20:49 165888 ----a-w- c:\windows\Ckconfig.exe
2010-02-08 13:22 . 1996-05-03 16:21 27648 ----a-r- c:\windows\Setup_ck.exe
2010-02-08 13:22 . 1996-05-03 14:36 18432 ----a-w- c:\windows\Setup_ck.dll
2010-02-08 13:22 . 1995-07-04 17:33 11776 ----a-w- c:\windows\Ckrfresh.exe
2010-02-08 13:21 . 2010-02-08 13:33 -------- d-----w- c:\program files\Stellar Phoenix Outlook PST Repair
.
(((((((((((((((((((((((((((((((((( Find3M report ))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-06 11:48 . 2010-01-08 02:13 -------- d-----w- c:\program files\Alwil Software
2010-03-06 11:30 . 2009-10-15 02:27 1 ----a-w- c:\users\michel\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-03-06 11:18 . 2006-11-02 15:48 669328 ----a-w- c:\windows\system32\perfh00C.dat
2010-03-06 11:18 . 2006-11-02 15:48 123350 ----a-w- c:\windows\system32\perfc00C.dat
2010-03-05 11:14 . 2009-10-14 10:16 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-05 11:13 . 2009-10-14 10:16 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-03-05 02:13 . 2009-11-04 19:54 -------- d-----w- c:\program files\Google
2010-02-25 14:26 . 2009-10-14 11:08 -------- d-----w- c:\program files\CCleaner
2010-02-24 16:54 . 2009-10-14 09:04 59008 ----a-w- c:\users\michel\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-24 08:16 . 2009-10-14 11:13 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-17 09:48 . 2009-10-15 17:59 -------- d-----w- c:\program files\e-Sword
2010-02-11 02:17 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-02-07 18:42 . 2010-02-01 13:40 -------- d-----w- c:\program files\eSword9Converter
2010-01-25 17:30 . 2010-01-25 17:30 -------- d-----w- c:\users\michel\AppData\Roaming\Babylon
2010-01-25 17:30 . 2010-01-25 17:30 -------- d-----w- c:\programdata\Babylon
2010-01-25 02:09 . 2010-01-25 02:09 -------- d-----w- c:\program files\Windows Portable Devices
2010-01-25 02:09 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-01-25 02:09 . 2010-01-25 02:09 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2010-01-24 14:58 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2010-01-24 14:58 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2010-01-24 14:58 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2010-01-24 14:58 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2010-01-24 14:58 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2010-01-24 14:58 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2010-01-21 03:50 . 2010-01-21 03:50 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2010-01-15 18:11 . 2006-11-02 10:32 101888 ----a-w- c:\windows\system32\ifxcardm.dll
2010-01-15 18:11 . 2006-11-02 10:32 82432 ----a-w- c:\windows\system32\axaltocm.dll
2010-01-08 03:07 . 2009-10-14 09:38 -------- d-----w- c:\programdata\Kaspersky Lab
2010-01-08 02:08 . 2009-11-04 19:56 -------- d-----w- c:\program files\Common Files\Real
2010-01-08 02:04 . 2009-12-31 19:58 -------- d-----w- c:\program files\Graboid
2010-01-06 15:38 . 2010-02-24 09:35 173056 ----a-w- c:\windows\AppPatch\AcXtrnal.dll
2010-01-06 15:38 . 2010-02-24 09:35 542720 ----a-w- c:\windows\AppPatch\AcLayers.dll
2010-01-06 15:38 . 2010-02-24 09:35 458752 ----a-w- c:\windows\AppPatch\AcSpecfc.dll
2010-01-06 15:38 . 2010-02-24 09:35 2159616 ----a-w- c:\windows\AppPatch\AcGenral.dll
2010-01-02 06:38 . 2010-01-22 10:14 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32 . 2010-01-22 10:14 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 06:32 . 2010-01-22 10:14 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 04:57 . 2010-01-22 10:14 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-10 10:24 . 2009-11-08 14:24 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-12-08 20:01 . 2010-02-10 08:46 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-12-08 20:01 . 2010-02-10 08:46 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-08 20:01 . 2010-02-10 08:46 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 17:26 . 2010-02-10 08:46 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
.
((((((((((((((((((((((((((((((((( Registry Load Points ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty items & legitimate initial entries are not listed
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"WindowsWelcomeCenter"="oobefldr.dll" [2009-04-11 2153472]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-01-07 1394000]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-02-11 2756488]
c:\users\michel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):15,87,5a,20,06,9d,ca,01
S1 aswSP;aswSP; [x]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-02-11 51792]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Content of the 'Task Scheduler' folder
2010-03-05 c:\windows\Tasks\User_Feed_Synchronization-{2B4D3674-DE85-4C86-A6CB-97BEB8D9B392}.job
- c:\windows\system32\msfeedssync.exe [2010-01-22 04:56]
.
.
------- Additional examination -------
.
uStart Page =
mStart Page = about:blank
FF - ProfilePath - c:\users\michel\AppData\Roaming\Mozilla\Firefox\Profiles\h0q73cac.default\
FF - prefs.js: browser.startup.homepage - hxxp://fr.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:fr:official
FF - component: c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX SETTINGS ----
FF - user.js: yahoo.homepage.dontask - true.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-06 15:01
Windows 6.0.6002 Service Pack 2 NTFS
Searching for hidden processes ...
Searching for hidden auto-start elements ...
Searching for hidden files ...
Scan completed successfully
Hidden files: 0
**************************************************************************
.
End time: 2010-03-06 15:05:41
ComboFix-quarantined-files.txt 2010-03-06 14:05
ComboFix2.txt 2010-03-06 11:28
Before-CF: 61,243,985,920 bytes free
After-CF: 61,209,313,280 bytes free
- - End Of File - - AE71DC4F91AE9456D697541A9B1DFAF0
I have the GMER report on Notepad, but I can't do a direct COPY/PASTE, only through Open/Office. However, in this way, the formatting is no longer respected! What should I do?
Re,
In that case,
you create a new "txt" document on your desktop, you copy/paste the report into it, you save it and you send it to me via "Cijoint ..."
Re,
do you think it is necessary to scan with Hijackthis as well?
> uh ... no ... I didn't ask you for a HijackThis scan for now ...
Tell me how the PC is doing now .... better? ...
Then do this:
Download Ad-remover (from C_XX) to your desktop:
here http://pagesperso-orange.fr/NosTools/C_XX/AD-R.exe
or here https://www.androidworld.fr/
! Disconnect and close all running applications (including browser) !
• Right-click / "run as admin..." on Ad-remover.exe on your desktop to launch the tool.
• In the main menu, choose the option "S" and press [enter].
• the scan begins, let the tool work and do not touch anything ...
/!\ the tool may seem like it has crashed and nothing is happening, but that's not the case! (the scan is very discreet and quite long, so be patient ...)
--> Post the report that appears at the end in your next message for analysis ...
(The report is also saved under C:\Ad-report-SCAN.log)
(CTRL+A to select all, CTRL+C to copy and CTRL+V to paste)
Note: "Process.exe", a component of the tool, is detected by some antivirus programs:
(AntiVir, Dr.Web, Kaspersky Anti-Virus) as a RiskTool.
It is not a virus, but a utility designed to terminate processes.
In the wrong hands, this utility could stop security software (Antivirus, Firewall...) hence the alert issued by these antivirus programs.
Image Help (Installation): http://pagesperso-orange.fr/NosTools/tuto_ad_r1.html
Image Help (Search): http://pagesperso-orange.fr/NosTools/tuto_ad_r2.html
--
"Baby, I'm going on an airplane, And I don't know if I'll be back again"
IMPORTANT: do not think you are in the clear until someone has told you so! -
Re,
did you right-click and "run as admin..." to launch it?
if not, try again ....
--
"Baby, I'm going on an airplane, And I don't know if I'll be back again"
IMPORTANT: don't think you're in the clear until they tell you so!-
Hello sKe69,
I've understood my mistake; I was limiting myself to selecting the letter S, which should have been written. I thought about it this morning.
I'm sorry for this unforgivable error.
And here is the Ad-Remover report.
.
======= AD-REMOVER REPORT 1.1.4.6_J | WINDOWS XP/VISTA/7 ONLY =======
.
Updated by C_XX on 05.02.2010 at 17:34
Contact: AdRemover.contact@gmail.com
Website: http://pagesperso-orange.fr/NosTools/ad_remover.html
.
Launched at: 8:16:22, 07/03/2010 | Normal Mode | Option: SCAN
Executed from: C:\Ad-Remover\
Operating System: Microsoft® Windows Vista™ HomePremium Service Pack 2 v6.0.6002
PC Name: PC-DE-MICHEL | Current User: michel
.
============== ITEM(S) FOUND ==============
.
.
.
============== Additional Scan ==============
.
.
* Mozilla FireFox Version 3.5.3 [fr] *
.
Profile Name: h0q73cac.default (michel)
.
(michel, prefs.js) Browser.download.lastDir, C:\Users\michel\Downloads
(michel, prefs.js) Browser.startup.homepage, hxxp://fr.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:fr:official
(michel, prefs.js) Extensions.enabledItems, {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}:6.0.16,{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}:6.0.17,linkfilter@kaspersky.ru:9.0.0.736,{20a82645-c095-46ed-80e3-08825760534b}:1.1,{635abd67-4fe9-1b23-4f01-e679fa7484c1}:1.5.4.20081105,{972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5.8
.
.
.
* Internet Explorer Version 8.0.6001.18882 *
.
[HKEY_CURRENT_USER\..\Internet Explorer\Main]
.
Do404Search: 01000000
Show_ToolBar: yes
Search Page: hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
Enable Browser Extensions: yes
Start Page:
Start Page Restore: about:blank
Local Page: C:\Windows\system32\blank.htm
.
[HKEY_LOCAL_MACHINE\..\Internet Explorer\Main]
.
Start Page: about:blank
Default_Page_URL: hxxp://go.microsoft.com/fwlink/?LinkId=69157
Default_Search_URL: hxxp://go.microsoft.com/fwlink/?LinkId=54896
Search Page: hxxp://go.microsoft.com/fwlink/?LinkId=54896
Delete_Temp_Files_On_Exit: yes
Local Page: C:\Windows\System32\blank.htm
.
[HKEY_LOCAL_MACHINE\..\Internet Explorer\ABOUTURLS]
.
Tabs: res://ieframe.dll/tabswelcome.htm
.
===================================
.
2012 Byte(s) - C:\Ad-Report-SCAN[1].log
.
6 File(s) - C:\Users\michel\AppData\Local\Temp
3 File(s) - C:\Windows\Temp
68 File(s) - C:\Windows\Prefetch
.
3 File(s) - C:\Ad-Remover\BACKUP
0 File(s) - C:\Ad-Remover\QUARANTINE
.
End at: 8:18:52 | 07/03/2010 - SCAN[1]
.
============== E.O.F ==============
.
-
-
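As an added example (not Ad-Remover's own code, and not from this thread), a small Python check that reads the browser section of an Ad-Remover report in the format shown above and flags any homepage or search-page setting that does not point at a vendor default; the report excerpt embedded in it is constructed, and its HKCU "Start Page" line is a made-up hijack so that the check has something to find.

```python
import re
from urllib.parse import urlparse
# Vendor defaults seen in a clean report (Firefox and IE); anything else gets flagged.
KNOWN_GOOD_HOSTS = {"fr.start3.mozilla.com", "www.microsoft.com", "go.microsoft.com"}
KNOWN_GOOD_LOCAL = {"", "about:blank", "c:\\windows\\system32\\blank.htm"}
# Settings that browser hijackers typically rewrite.
WATCHED = {"browser.startup.homepage", "start page", "default_page_url",
           "default_search_url", "search page"}

PREFS_RE = re.compile(r"^\((?P<profile>[^,]+), prefs\.js\) (?P<key>[^,]+), (?P<val>.*)$")
IE_RE = re.compile(r"^(?P<key>[A-Za-z_ ]+): ?(?P<val>.*)$")

def refang(url):
    # Ad-Remover writes 'hxxp' so the log cannot be clicked; undo it for parsing.
    return re.sub(r"^hxxp(s?)://", r"http\1://", url.strip(), flags=re.I)

def is_suspicious(value):
    v = refang(value)
    if v.lower() in KNOWN_GOOD_LOCAL:
        return False
    host = urlparse(v).hostname if "://" in v else None
    return host not in KNOWN_GOOD_HOSTS   # also flags odd local paths (host None)

def flag_browser_settings(report):
    """Return [(section, key, value)] for watched settings not at a vendor default."""
    findings, section = [], None
    for raw in report.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]          # registry key header
            continue
        m = PREFS_RE.match(line)
        if m:
            section, key, val = "prefs.js:" + m["profile"], m["key"], m["val"]
        else:
            m = IE_RE.match(line)
            if not m:
                continue
            key, val = m["key"], m["val"]
        if key.strip().lower() in WATCHED and is_suspicious(val):
            findings.append((section, key.strip(), val.strip()))
    return findings

# Constructed excerpt in the report's format; the HKCU Start Page is a made-up hijack.
SAMPLE_REPORT = """\
(michel, prefs.js) Browser.startup.homepage, hxxp://fr.start3.mozilla.com/firefox?client=firefox-a
[HKEY_CURRENT_USER\\..\\Internet Explorer\\Main]
Start Page: hxxp://search.example.invalid/?aff=1234
Search Page: hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"""
```

Running `flag_browser_settings(SAMPLE_REPORT)` returns only the constructed HKCU "Start Page" entry; the Firefox homepage and the IE search page match the defaults and are left alone.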
re,
plus it's clean on that side ... ^^
do the following in order (if the last report is clean, we can finalize):
(do not skip any step! if you encounter an issue during this process, stop and let me know)
1- Use the ZHPFix tool:
> Launch ZHPFix ("as admin...") from the desktop shortcut.
* Once the ZHPFix tool is open:
!! close your other running applications !!
A- Click on the "Tool Cleaner" button (the big red A). Pre-checked lines will appear in the main box.
There you uncheck the box in front of ZHPDiag!
> Finally click at the bottom on "Clean".
let the tool work ... once finished, a new report will appear in the main box.
-> Copy/paste the content of this report for analysis ...
(it is also saved here: C:\Program files\ZHPFix\ZHPFixReport.txt)
Note: if you are asked to restart the PC to complete the cleaning, do it!
B- Click on the "Empty the quarantine" button at the top right (the empty trash can).
At the confirmation message, click "Ok".
Then close ZHPFix ...
=====================
2- Run a CCleaner again (including the registry).
=====================
3- Download and install the HijackThis software:
here https://www.commentcamarche.net/telecharger/securite/11747-hijackthis/
or here http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe
or here https://www.clubic.com/telecharger-fiche17891-hijackthis.html
-> Click on the setup to start the installation: follow the prompts and do not change the installation settings. At the end of the installation, the program will launch automatically: close it by clicking on the red cross. In the end, you should have a shortcut on your desktop and also a path like:
"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe".
(do not scan for now)
=====================
4- Important:
Purge the system restore
-> Disable your restore:
In start, right-click on computer/properties/system protection: uncheck the box in front of your main hard disk (for you -> C), confirm, apply, and OK
Restart your PC ...
-> Reactivate your restore:
Right-click on computer/properties/system protection: check the box in front of your main hard disk, confirm, apply, and OK
Restart your PC ...
(tutorial: https://www.commentcamarche.net/faq/13214-vista-desactiver-reactiver-la-restauration-systeme-de-vista)
=====================
5- Perform this online scan to check:
(do not do anything else with the PC during the scan!)
Perform an online antivirus scan, with Internet Explorer and accept ActiveX:
https://www.bitdefender.fr/
* Help:
- At the bottom, in the "Free online analysis" box, click on "analyze".
- In the new window, click on "I accept".
> you will be prompted to install a plug-in (ActiveX control) to perform the scan > accept!
- Then wait for the loading time.
- The window changes again, click on "start the analysis".
- The signatures load, etc… and the scan begins...
Let it work without using the PC.
* for the report: click on the "more details" tab. At the end of the scan, click on "problems detected".
-> just above the right side of the results window, you have "click here to export the report".
-> Click on it, and choose to save the report on your desktop.
--> Open the html document you just saved (the report),
copy/paste all its content and post it in your next response ...
Reminder: the online scan only works with Internet Explorer! (and not on FireFox or other browsers)
--
"Baby, I'm going on an airplane, And I don't know if I'll be back again"
IMPORTANT: do not think you are out of the woods until we tell you so!-
ZHPFix v1.12.307 by Nicolas Coolman - Deletion report of 07/03/2010 10:15:22
Registry file:
Web site: http://www.premiumorange.com/zeb-help-process/zhpfix.html
Memory processes:
(None)
Memory module:
(None)
Registry key:
(None)
Registry value:
(None)
Registry data element:
(None)
Folder:
(None)
File:
(None)
Software:
(None)
Registry script:
(None)
Other:
(None)
Summary:
Memory processes: 0
Memory module: 0
Registry key: 0
Registry value: 0
Registry data element: 0
Folder: 0
File: 0
Software: 0
Other: 0
End of the scan -
When I launched ZHPFix, there were four pre-checked lines and I unchecked the one for ZHPDiag as you indicated. When I clicked on clean, it told me to remove HijackThis, which I had already had on my desktop for months. But once I uninstalled HijackThis, when I reopened ZHPFix and clicked on the tools cleaner again, only one line appeared: the one with ZHPDiag that I had unchecked, and I think that's why everything was clean in the report, because in the end there was nothing to clean as the other three lines were missing the second time.
So how do I get all four reports back that were there at the beginning to start over? I hope I was clear in my explanation!!!
I think it is important to restore what was in ZHPFix, because I certainly made a mistake because of HijackThis, and for that reason everything was clean because ZHPFix cleaned what wasn't there.
When I installed HijackThis, only the main HijackThis icon is there and the path is missing:
"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe". -
-
-
re,
moving on.... thanks ....
--
"Baby, I'm going on an airplane, And I don't know if I'll be back again"
IMPORTANT: don't think you're out of trouble until we've told you so! -
re,
check "computer" ...
don't touch the UAC ... disable your antivirus, it's better ...
--
"Baby, I'm going on an airplane, And I don't know if I'll be back again"
IMPORTANT: don't think you're off the hook until we tell you so! -
Arf ...
maybe it's the scanner that’s messing up ...
do this other online scan then:
Do an online scan with “Panda”:
> https://www.pandasecurity.com/en/homeusers/online-antivirus/?ref=activescan
( click on “scan your PC now” )
tutorial:
https://www.malekal.com/scan-antivirus-ligne-nod32/#mozTocId237368
post me the report obtained for analysis ...
--
“Baby, I'm going on an airplane, And I don't know if I'll be back again”
IMPORTANT: don’t think you’re in the clear until we tell you so!