is not a valid Win32 application Solved

Question

Hello,

I am trying to launch the latest MSN I downloaded from 01net. But when I do, it says "[...] is not a valid win32 application."
I searched through discussions for people who have had this problem, but I couldn't find a solution.
It seems there may be a virus on the computer.

Thank you for guiding me please. Thanks.

Lyonnais92 · Accepted Answer

Hello,

you downloaded a crack.

Remove it. Otherwise, the infection will restart.

Go to this site:
http://www.zonavirus.com/datos/descargas/95/elibagla.asp
at the bottom of this page, you will find a tool
to download, click on "escargar Elibagla" (the version number changes with updates)
install this file on the Desktop.
then double-click on Elibagla.exe
>leave the "eliminar ficheros automaticamente" box checked
>click on "explorar"
>let it work
>post the final report which will be in c:\infosat.txt
--

@+
Never accept disinfection via PM.

Lasto97 · Answer

Thank you very much, I will do what you told me right away.

Lasto97 · Answer

Here is the report:

Mon Jul 21 17:25:38 2008
EliBagle v11.61 (c)2008 S.G.H. / Satinfo S.L. (Updated on July 18, 2008)
----------------------------------------------
Action List (by Scan):
Scanning Unit C:\

Total Number of Directories: 3910
Total Number of Files: 46697
Number of Analyzed Files: 12260
Number of Infected Files: 0
Number of Cleaned Files: 0

Lyonnais92 · Answer

Hi,  did the tool go all the way?  Did you post the entire report?  What version of Windows are you on?  --  See you later Never accept disinfection via DM.

Lasto97 · Answer

Yes, it went all the way, I posted the entire report. I am using Windows XP Professional Version 2002 Service Pack 2

Lyonnais92 · Answer

Re,

Ok, let's switch tools.

Download ComboFix (by sUBs) here:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe (use Internet Explorer)

and save it as nonabagle on the Desktop. Change the name in the window when prompted, not after it’s on the Desktop. If you rename it too late, upon execution, you'll have "invalid Win32 application". If that’s the case, delete ComboFix and start again.

Disconnect from the internet and close all your applications.

Disable your protections (antivirus, firewall, real-time spyware guard)

Double-click on combofix.exe and follow the instructions

At the end, it will produce a report C:\ComboFix.txt

Re-enable your firewall, antivirus, and spyware guard

Copy/paste the report C:\ComboFix.txt in your next response.

Be careful, do not use your mouse or keyboard (or any other pointing device) while the program is running. This could freeze the computer.

You have a complete tutorial here:

https://www.bleepingcomputer.com/combofix/fr/comment-utiliser-combofix
--

@+
Never accept disinfection via PM.

Lasto97 · Answer

ComboFix 08-07-21.1 - Administrator 2008-07-21 18:48:05.2 - NTFSx86
Location: C:\Documents and Settings\Administrator\Desktop\nonabagle.exe
* Creating a new restore point

[color=red][b]WARNING - THE RECOVERY CONSOLE IS NOT INSTALLED ON THIS MACHINE !![/b][/color]
.

(((((((((((((((((((((((((((((((((((( Other deletions ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\InfoSat.txt

.
((((((((((((((((((((((((((((( Files created 2008-06-21 to 2008-07-21 ))))))))))))))))))))))))))))))))))))
.

2008-07-21 13:33 . 2008-07-21 13:55 <REP> d-------- C:\Program Files\RegistryQuick
2008-07-17 17:25 . 2008-07-17 17:28 <REP> d-------- C:\Combo-Fix
2008-06-25 16:59 . 2008-06-25 16:59 <REP> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-06-21 14:52 . 2008-06-14 13:59 272,768 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-21 13:28 . 2008-06-21 13:55 <REP> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-06-21 13:27 . 2008-07-21 16:56 <REP> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\WLInstaller

.
(((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-17 04:04 --------- d-----w C:\Program Files\Microsoft Works
2008-07-16 01:14 --------- d-----w C:\Documents and Settings\Administrator\Application Data\MSN6
2008-07-16 01:14 --------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\MSN6
2008-06-30 15:04 --------- d-----w C:\Program Files\Bac_v7
2008-06-14 17:59 272,768 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-02 20:39 --------- d--h--r C:\Documents and Settings\Administrator\Application Data\SecuROM
2008-06-02 20:39 --------- d--h--r C:\DOCUME~1\ADMINI~1\APPLIC~1\SecuROM
2008-06-02 20:29 --------- d-----w C:\Program Files\Common Files\MainConcept
2008-06-02 20:28 --------- d-----w C:\Program Files\Micro Application
2008-05-31 15:21 --------- d-----w C:\Program Files\OrgangeFrance
.

((((((((((((((((((((((((((((( snapshot@2008-07-17_16.44.52.12 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-03 13:59:49 63,522 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-07-17 22:03:51 63,522 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-06-03 13:59:49 76,582 ----a-w C:\WINDOWS\system32\perfc00C.dat
+ 2008-07-17 22:03:51 76,582 ----a-w C:\WINDOWS\system32\perfc00C.dat
- 2008-06-03 13:59:49 404,302 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-07-17 22:03:51 404,302 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2008-06-03 13:59:49 471,484 ----a-w C:\WINDOWS\system32\perfh00C.dat
+ 2008-07-17 22:03:51 471,484 ----a-w C:\WINDOWS\system32\perfh00C.dat
+ 2008-07-21 17:48:56 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_b0c.dat
.
((((((((((((((((((((((((((((((((( Reg loading point )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* empty items & legitimate initial items are not listed

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 19:09 15360]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-15 12:19 65536]
"DWQueuedReporting"="C:\PROGRA~1\FICHIE~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 19:29 39264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-04-06 20:19 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-06 20:07 114688]
"00THotkey"="C:\WINDOWS\System32\[u]0[/u]0THotkey.exe" [2003-05-23 09:20 253952]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-07-17 13:38 159744]
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2003-03-11 08:58 122880]
"PadTouch"="C:\Program Files\TOSHIBA\PadTouch\PadExe.exe" [2003-11-24 06:51 1019904]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-08-20 06:29 40960]
"DkAutoReg.exe"="C:\Program Files\Rainbow Technologies\iKey 2000 Series Software\DkAutoReg.exe" [2002-07-24 20:09 241664]
"DkStartup"="C:\Program Files\Rainbow Technologies\iKey 2000 Series Software\DkStartup.exe" [2002-07-24 20:12 217088]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2007-05-08 00:43 702072]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43 83608]
"000StTHK"="000StTHK.exe" [2001-06-23 15:28 24576 C:\WINDOWS\system32\[u]0[/u]00StTHK.exe]
"LTSMMSG"="LTSMMSG.exe" [2003-04-18 06:06 32768 C:\WINDOWS\ltsmmsg.exe]
"TFNF5"="TFNF5.exe" [2003-10-15 12:03 73728 C:\WINDOWS\system32\TFNF5.exe]
"TPSMain"="TPSMain.exe" [2003-12-01 07:09 266240 C:\WINDOWS\system32\TPSMain.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-19 19:09 15360]

C:\DOCUME~1\ALLUSE~1\MENUDM~1\PROGRA~1\DMARRA~1\
Quick launch of Adobe Reader.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Orange Caraibes.lnk - C:\Program Files\OrgangeFrance\Orange Caraibes\Orange Caraibes.exe [2008-01-14 14:01:50 872448]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.mpg4"= C:\WINDOWS\mpg4c32.dll
"vidc.mpg2"= C:\WINDOWS\mpg4c32.dll
"vidc.mpg3"= C:\WINDOWS\mpg4c32.dll
"vidc.GEOX"= C:\WINDOWS\system32\GeoCodec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quick launch of Microsoft Office OneNote 2003.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quick launch of Microsoft Office OneNote 2003.lnk
backup=C:\WINDOWS\pss\Quick launch of Microsoft Office OneNote 2003.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Drag'n Drop CD+DVD]
--------- 2003-08-08 18:54 1175552 C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=

R3 GT72NDISIPXP;GT 72 IP NDIS;C:\WINDOWS\system32\DRIVERS\Gt51Ip.sys [2007-07-09 14:17]
R3 GT72UBUS;GT 72 U BUS;C:\WINDOWS\system32\DRIVERS\gt72ubus.sys [2007-06-26 13:38]
R3 GTPTSER;GT PT SER;C:\WINDOWS\system32\DRIVERS\gtptser.sys [2007-03-30 13:38]
R3 iKeyEnum;Rainbow iKey Enumerator;C:\WINDOWS\system32\DRIVERS\ikeyenum.sys [2004-03-16 03:04]
R3 iKeyIFD;Rainbow iKey Virtual Reader;C:\WINDOWS\system32\DRIVERS\ikeyifd.sys [2004-03-16 03:04]
S3 PAMScan;PAMScan;C:\WINDOWS\System32\DRIVERS\PAMScan.SYS [2003-09-06 10:22]
S3 RnbToken;Rainbow iKey Token Service;C:\WINDOWS\system32\DRIVERS\rnbtoken.sys [2004-03-16 03:04]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6c138b72-2f24-11dd-a5a2-00080ddf4fdb}]
\Shell\AutoRun\command - E:\setup.exe AUTORUN=1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{caaa0ed6-8975-11dc-a55f-00080ddf4fdb}]
\Shell\AutoRun\command - RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f5cd7da8-da49-11dc-a580-00080ddf4fdb}]
\Shell\AutoRun\command - RavMon.exe
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-RegistryQuick.exe - C:\Program Files\RegistryQuick\RegistryQuick.exe

.
------- Supplementary Scan -------
.
R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore
O8 -: E&xporter to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O16 -: {1856D980-6604-4504-AE2E-6EEE0235FCF5} - hxxp://www.certeurope.fr/files/activesign/1.2.0.2/ActiveSign.CAB
C:\WINDOWS\Downloaded Program Files\ActiveSign.INF
C:\WINDOWS\System32\OLEAUT32.DLL
C:\WINDOWS\System32\OLEPRO32.DLL
C:\WINDOWS\System32\ASYCFILT.DLL
C:\WINDOWS\System32\STDOLE2.TLB
C:\WINDOWS\System32\COMCAT.DLL
C:\WINDOWS\System32\msvbvm60.dll
C:\WINDOWS\Downloaded Program Files\ActiveSign.dll

O16 -: {1DB93715-3B60-43EE-93E6-279BB3E1DF76} - hxxp://213.16.24.101:8080/cab/OCXChecker_6110.cab
C:\WINDOWS\Downloaded Program Files\OCXDownloadChecker.inf
C:\WINDOWS\Downloaded Program Files\OCXDownloadChecker_6110.ocx

O16 -: {DBAFE6AD-DC14-45DF-A3F7-F8832289A1CD} - hxxp://213.16.24.101:8080/cab/DownloadFile_7000.cab
C:\WINDOWS\Downloaded Program Files\Download.inf
C:\WINDOWS\Downloaded Program Files\Download_7000.ocx

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-21 18:52:36
Windows 5.1.2600 Service Pack 2 NTFS

Scanning hidden processes ...

Scanning hidden autostart entries ...

Scanning hidden files ...

Scan completed successfully
Hidden files: 0

**************************************************************************
.
Completion time: 2008-07-21 18:56:54
ComboFix-quarantined-files.txt 2008-07-21 22:56:43
ComboFix2.txt 2008-07-17 20:46:26

Pre-Run: 26,707,017,728 bytes free
Post-Run: 26,794,024,960 bytes free

141 --- E O F --- 2008-07-17 04:07:11

Lyonnais92 · Answer

Hello,

why did you download Combofix on July 17?

Click on this link
http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe
to download the HijackThis installation file.

Save HJTInstall.exe on your desktop.

Double-click on HJTInstall.exe to launch the program

By default, it will install here:
C:\Program Files\Trend Micro\HijackThis

Accept the license by clicking on the "I Accept" button

Close Hijackthis by clicking on the red cross.

Download DSS (Deckard's System Scanner by Deckard) to your Desktop from this link:

http://www.techsupportforum.com/sectools/Deckard/dss.exe

Choose "Save" and "Desktop" as the location.

Close all running applications (very important, or the computer might crash).

Double-click on DSS.exe to run the tool.

If it does not find HijackThis, click Yes.

Click OK whenever prompted.

When the scan is finished, a text file will appear. Post its content in your reply.

The report is located here: C:\Deckard\System Scanner\main.txt.
--

See you later
Never accept a disinfection via private message.

Lasto97 · Answer

I downloaded it because I thought the issue that some people had was the same as mine, so I followed the instructions they were given, without bothering anyone to guide me for the same problem. I didn't want to waste your time by having you repeat the same thing.

Lasto97 · Answer

Deckard's System Scanner v20071014.68
Exécuté par Administrateur le 2008-07-22 08:04:58
L’ordinateur est en mode normal.
--------------------------------------------------------------------------------

-- Restauration du système --------------------------------------------------------------

Point de restauration de Deckard's System Scanner créé avec succès.

-- 5 derniers points de restauration --
39 : 2008-07-22 12:05:16 UTC - RP205 - Point de restauration de Deckard's System Scanner
38 : 2008-07-21 22:46:29 UTC - RP204 - Point de restauration créé par ComboFix
37 : 2008-07-21 21:40:07 UTC - RP203 - Windows Live installer supprimé
36 : 2008-07-21 20:57:28 UTC - RP202 - Windows Live installé
35 : 2008-07-19 01:35:05 UTC - RP201 - Windows Live installé

-- Premier point de restauration --
1 : 2008-04-05 13:37:39 UTC - RP167 - Bac_v7 installé

Sauvegarde des cellules de registre.
Nettoyage des disques effectué.

[color=red]Mémoire physique totale : 239 MiB (512 MiB recommandé)./color

-- HijackThis (exécuté en tant qu'Administrateur.exe) --------------------------------------

Fichier journal de Trend Micro HijackThis v2.0.2
Analyse sauvegardée à 08:06:25, le 22/07/2008
Plateforme : Windows XP SP2 (WinNT 5.01.2600)
MSIE : Internet Explorer v7.00 (7.00.6000.16674)
Mode de démarrage : Normal

Processus en cours d’exécution :
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DkLog.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\System32\dkcktkn.exe
C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\LTSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\TOSHIBA\PadTouch\PadExe.exe
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Rainbow Technologies\iKey 2000 Series Software\DkAutoReg.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\OrgangeFrance\Orange Caraibes\Orange Caraibes.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\TEMP\AOC6B0.EXE
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\Documents and Settings\Administrateur\Bureau\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Administrateur.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/?ocid=iehp
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Programme d'aide de l'Assistant de connexion Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [PadTouch] "C:\Program Files\TOSHIBA\PadTouch\PadExe.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [DkAutoReg.exe] C:\Program Files\Rainbow Technologies\iKey 2000 Series Software\DkAutoReg.exe
O4 - HKLM\..\Run: [DkStartup] C:\Program Files\Rainbow Technologies\iKey 2000 Series Software\DkStartup.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (Utilisateur 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (Utilisateur 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (Utilisateur 'SYSTÈME')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (Utilisateur 'Utilisateur par défaut')
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Orange Caraibes.lnk = C:\Program Files\OrgangeFrance\Orange Caraibes\Orange Caraibes.exe
O8 - Élément de menu contextuel supplémentaire : E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Bouton supplémentaire : (aucun nom) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Éléments de menu 'Outils' supplémentaires : Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Bouton supplémentaire : Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Bouton supplémentaire : (aucun nom) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Éléments de menu 'Outils' supplémentaires : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Bouton supplémentaire : Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Éléments de menu 'Outils' supplémentaires : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF : START_PAGE_URL=file:///C:\Program Files\TOSHIBA\Free Update Service\splash.html
O16 - DPF : {1856D980-6604-4504-AE2E-6EEE0235FCF5} (ActiveSign.CapicomInterface) - http://www.certeurope.fr/fichiers/activesign/1.2.0.2/ActiveSign.CAB
O16 - DPF : {1DB93715-3B60-43EE-93E6-279BB3E1DF76} (OCXDownloadChecker Control) - http://213.16.24.101:8080/cab/OCXChecker_6110.cab
O16 - DPF : {DBAFE6AD-DC14-45DF-A3F7-F8832289A1CD} (DownloadFile Control) - http://213.16.24.101:8080/cab/DownloadFile_7000.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters : Domaine = vauclin.sud
O17 - HKLM\Software\..\Telephony : DomainName = vauclin.sud
O17 - HKLM\System\CS1\Services\Tcpip\Parameters : Domaine = vauclin.sud
O17 - HKLM\System\CS2\Services\Tcpip\Parameters : Domaine = vauclin.sud
O23 - Service : ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service : Service de journalisation de Datakey (DkLogger) - Datakey, Inc. - C:\WINDOWS\System32\DkLog.exe
O23 - Service : Service de jeton de Datakey (DkTknSrv) - Datakey, Inc. - C:\WINDOWS\System32\dkcktkn.exe
O23 - Service : Analyse en temps réel OfficeScanNT (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service : Service d'agent SoundMAX (Service par défaut) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service : Écouteur OfficeScan NT (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service : Pare-feu OfficeScan NT (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe
O23 - Service : Service Proxy OfficeScan NT (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe

--
Fin du fichier - 7587 octets

-- Associations de fichiers -----------------------------------------------------------

Toutes les associations sont correctes.

-- Pilotes : 0-Démarrage, 1-Système, 2-Automatique, 3-Demande, 4-Désactivé ---------------------

R0 TVALZ (Pilote de périphérique logique et général à valeur ajoutée basé sur ACPI TOSHIBA) - c:\windows\system32\drivers\tvalz.sys <Non vérifié ; TOSHIBA Corporation ; Modules communs TOSHIBA>
R2 Netdevio (Protocole I/O en mode utilisateur de périphérique réseau TOSHIBA) - c:\windows\system32\drivers\netdevio.sys <Non vérifié ; TOSHIBA Corporation. ; Protocole I/O en mode utilisateur de périphérique réseau TOSHIBA>
R2 tossmbnt - c:\windows\system32\drivers\tossmbnt.sys

S3 PAMScan - c:\windows\system32\drivers\pamscan.sys <Non vérifié ; Licencié pour OCTOPUS PYTHEAS. ; PAMScan>
S3 tsdhd (Pilote de contrôleur d'hôte de carte SD TOSHIBA) - c:\windows\system32\drivers\tsdhd.sys <Non vérifié ; TOSHIBA Corporation ; Ensemble de pilotes de carte SD>

-- Services : 0-Démarrage, 1-Système, 2-Automatique, 3-Demande, 4-Désactivé --------------------

R2 CFSvcs (Service ConfigFree) - c:\program files\toshiba\configfree\cfsvcs.exe <Non vérifié ; TOSHIBA CORPORATION ; ConfigFree(TM)>
R2 DkLogger (Service de journalisation de Datakey) - c:\windows\system32\dklog.exe <Non vérifié ; Datakey, Inc. ; Service de journalisation de Datakey pour NT>
R2 DkTknSrv (Service de jeton de Datakey) - c:\windows\system32\dkcktkn.exe <Non vérifié ; Datakey, Inc. ; Service de jeton de Datakey>

-- Gestionnaire de périphériques : Désactivé ----------------------------------------------------

Aucun périphérique désactivé trouvé.

-- Fichiers créés entre 2008-06-22 et 2008-07-22 -----------------------------

2008-07-21 13:33:16 0 d-------- C:\Program Files\RegistryQuick
2008-07-17 17:25:39 0 d-------- C:\Combo-Fix
2008-07-17 14:49:20 0 d-------- C:\Documents and Settings\Administrateur\Menu Démarrer
2008-07-16 23:42:04 68096 --a------ C:\WINDOWS\zip.exe
2008-07-16 23:42:04 49152 --a------ C:\WINDOWS\VFind.exe
2008-07-16 23:42:04 161792 --a------ C:\WINDOWS\swreg.exe <Non vérifié ; SteelWerX ; Éditeur de registre SteelWerX>
2008-07-16 23:42:04 98816 --a------ C:\WINDOWS\sed.exe
2008-07-16 23:42:04 80412 --a------ C:\WINDOWS\grep.exe
2008-07-16 23:42:04 89504 --a------ C:\WINDOWS\fdsv.exe <Non vérifié ; Smallfrogs Studio; >
2008-07-16 23:42:03 212480 --a------ C:\WINDOWS\swxcacls.exe <Non vérifié ; SteelWerX ; Configurateur étendu SteelWerX ACLists>
2008-07-16 23:42:03 136704 --a------ C:\WINDOWS\swsc.exe <Non vérifié ; SteelWerX ; Contrôleur de service SteelWerX>
2008-06-25 16:59:30 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2

-- Rapport Find3M ---------------------------------------------------------------

2008-07-22 08:01:37 0 d-------- C:\Program Files\Trend Micro
2008-07-17 18:03:51 471484 --a------ C:\WINDOWS\system32\perfh00C.dat
2008-07-17 18:03:51 76582 --a------ C:\WINDOWS\system32\perfc00C.dat
2008-07-17 00:04:03 0 d-------- C:\Program Files\Microsoft Works
2008-07-15 21:14:43 0 d-------- C:\Documents and Settings\Administrateur\Application Data\MSN6
2008-06-30 11:04:13 0 d-------- C:\Program Files\Bac_v7
2008-06-21 13:55:02 0 d--hs--c- C:\Program Files\Fichiers communs\WindowsLiveInstaller
2008-06-21 13:28:44 0 d-------- C:\Program Files\Fichiers communs
2008-06-02 16:39:52 0 dr-h----- C:\Documents and Settings\Administrateur\Application Data\SecuROM
2008-06-02 16:29:50 0 d-------- C:\Program Files\Fichiers communs\MainConcept
2008-06-02 16:28:57 0 d-------- C:\Program Files\Micro Application
2008-05-31 11:21:29 0 d-------- C:\Program Files\OrgangeFrance
2008-05-25 20:10:39 0 d-------- C:\Documents and Settings\Administrateur\Application Data\Google

-- Exportation de registre ---------------------------------------------------------------

*Remarque* Les entrées vides et les entrées par défaut légitimes ne sont pas affichées

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [06/04/2003 20:19]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [06/04/2003 20:07]
"00THotkey"="C:\WINDOWS\System32\00THotkey.exe" [23/05/2003 09:20]
"000StTHK"="000StTHK.exe" [23/06/2001 15:28 C:\WINDOWS\system32\000StTHK.exe]
"LTSMMSG"="LTSMMSG.exe" [18/04/2003 06:06 C:\WINDOWS\ltsmmsg.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [17/07/2003 13:38]
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [11/03/2003 08:58]
"PadTouch"="C:\Program Files\TOSHIBA\PadTouch\PadExe.exe" [24/11/2003 06:51]
"TFNF5"="TFNF5.exe" [15/10/2003 12:03 C:\WINDOWS\system32\TFNF5.exe]
"TPSMain"="TPSMain.exe" [01/12/2003 07:09 C:\WINDOWS\system32\TPSMain.exe]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [20/08/2002 06:29]
"DkAutoReg.exe"="C:\Program Files\Rainbow Technologies\iKey 2000 Series Software\DkAutoReg.exe" [24/07/2002 20:09]
"DkStartup"="C:\Program Files\Rainbow Technologies\iKey 2000 Series Software\DkStartup.exe" [24/07/2002 20:12]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [08/05/2007 00:43]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [14/03/2007 03:43]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [19/08/2004 19:09]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [15/09/2003 12:19]

C:\Documents and Settings\Tous les utilisateurs\Menu Démarrer\Programmes\Démarrage\
Lancement rapide d'Adobe Reader.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [23/09/2005 22:05:26]
Orange Caraibes.lnk - C:\Program Files\OrgangeFrance\Orange Caraibes\Orange Caraibes.exe [14/01/2008 14:01:50]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Tous les utilisateurs^Menu Démarrer^Programmes^Démarrage^Lancement rapide de Microsoft Office OneNote 2003.lnk]
path=C:\Documents and Settings\Tous les utilisateurs\Menu Démarrer\Programmes\Démarrage\Lancement rapide de Microsoft Office OneNote 2003.lnk
backup=C:\WINDOWS\pss\Lancement rapide de Microsoft Office OneNote 2003.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Drag'n Drop CD+DVD]
C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe /StartUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6c138b72-2f24-11dd-a5a2-00080ddf4fdb}]
AutoRun\command- E:\setup.exe AUTORUN=1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{caaa0ed6-8975-11dc-a55f-00080ddf4fdb}]
AutoRun\command- RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f5cd7da8-da49-11dc-a580-00080ddf4fdb}]
AutoRun\command- RavMon.exe

-- Fin de Deckard's System Scanner : terminé le 2008-07-22 08:07:16 ------------

Lyonnais92 · Answer

Hello,  I'll check that out tonight.  By the way, do you know Domain = vauclin.sud? --  Talk to you later Never accept a disinfection via MP.

Lasto97 · Answer

No. It was a work laptop for administrative tasks. Vauclin is the town, and it is located in the south.

Lyonnais92 · Answer

Hi,

Do you mean that you no longer need this domain to connect to the Net?

2 files to check.

Go to this site:

https://www.virustotal.com/gui/

Click on browse and search for this file: C:\Program Files\OrgangeFrance\Orange Caraibes\Orange Caraibes.exe

Click on Send File.

A report will be generated line by line.

Wait for it to finish. It should include the size of the file sent.

Save the report with Notepad.

Copy it into your reply.

If VirusTotal indicates that the file has already been analyzed, click on the button Reanalyze the file now

Repeat with: C:\WINDOWS\TEMP\AOC6B0.EXE
--

See you later
Never accept disinfection via PM.

Lasto97 · Answer

File Orange_Caraibes.exe received on 2008.07.23 03:58:06 (CET)
Current situation: loading ... queued awaiting analysis finished NOT FOUND STOPPED

Result: 0/34 (0%)
loading server information...
Your file is in the queue, in position: ___.
Estimated start time is between ___ and ___.
Do not close the window before the analysis is complete.
The analyzer that was processing your file is currently stopped, we will wait a few seconds to attempt to retrieve your results.
If you have been waiting for more than five minutes, you need to resubmit your file.
Your file is currently being analyzed by VirusTotal,
results will be displayed as they are generated.
Formatted Print Results
Your file has expired or does not exist.
The service is currently stopped, your file has been waiting to be analyzed (position: ) for an indefinite period.

You can wait for a response from the Web (automatic reload) or enter your email in the form below and click "Request" for the system to send you a notification when the analysis is complete.
Email:

Antivirus Version Last updated Result
AhnLab-V3 2008.7.23.0 2008.07.22 -
AntiVir 7.8.1.11 2008.07.22 -
Authentium 5.1.0.4 2008.07.22 -
Avast 4.8.1195.0 2008.07.22 -
AVG 8.0.0.130 2008.07.22 -
BitDefender 7.2 2008.07.23 -
CAT-QuickHeal 9.50 2008.07.22 -
ClamAV 0.93.1 2008.07.23 -
DrWeb 4.44.0.09170 2008.07.22 -
eSafe 7.0.17.0 2008.07.22 -
eTrust-Vet 31.6.5975 2008.07.22 -
Ewido 4.0 2008.07.22 -
F-Prot 4.4.4.56 2008.07.22 -
F-Secure 7.60.13501.0 2008.07.22 -
Fortinet 3.14.0.0 2008.07.23 -
GData 2.0.7306.1023 2008.07.22 -
Ikarus T3.1.1.34.0 2008.07.23 -
Kaspersky 7.0.0.125 2008.07.23 -
McAfee 5344 2008.07.22 -
Microsoft 1.3704 2008.07.23 -
NOD32v2 3289 2008.07.22 -
Norman 5.80.02 2008.07.22 -
Panda 9.0.0.4 2008.07.23 -
PCTools 4.4.2.0 2008.07.22 -
Prevx1 V2 2008.07.23 -
Rising 20.54.12.00 2008.07.22 -
Sophos 4.31.0 2008.07.23 -
Sunbelt 3.1.1536.1 2008.07.18 -
Symantec 10 2008.07.23 -
TheHacker 6.2.96.385 2008.07.20 -
TrendMicro 8.700.0.1004 2008.07.22 -
VBA32 3.12.8.1 2008.07.22 -
VirusBuster 4.5.11.0 2008.07.22 -
Webwasher-Gateway 6.6.2 2008.07.22 -
Additional information
File size: 872448 bytes
MD5...: 6119d1766aeb4b4fa170e80462ab0101
SHA1..: e63844aa12cf56c9de52af48ab621b5352c8e91c
SHA256: 4cbebbd848a7672009686b9d91abf9e68ebe3ca3ebacd10388f89bba6962a773
SHA512: 703021da8a288cf28a6ee085053179c3e8280e1366e44716160caa2a0a62a2d8
9e5f165ffc34a6d6304bf537c38ff9a96d3fc7236859aca1bc3dc051a90c8510
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x44265c
timedatestamp.....: 0x478b5d38 (Mon Jan 14 13:01:44 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x63161 0x64000 6.60 c338e1a536c6a3f9ba9d7a683d3a85ab
.rdata 0x65000 0x26210 0x27000 4.28 1b25600530d38ba7b03ef12f06488d9f
.data 0x8c000 0xf678 0x4000 3.74 40c6f7e347d59aedb9ac09e159c7610d
.rsrc 0x9c000 0x44478 0x45000 5.99 cbb725f7f44e09df949a44a903e64b5d

( 16 imports )
> iphlpapi.dll: GetIfEntry, GetIpAddrTable, GetAdaptersInfo, GetIfTable
> KERNEL32.dll: WritePrivateProfileStringW, SetFilePointer, FlushFileBuffers, SetErrorMode, HeapFree, HeapAlloc, GetProcessHeap, GetStartupInfoW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, RtlUnwind, RaiseException, HeapReAlloc, ExitProcess, ExitThread, HeapSize, GetStdHandle, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetThreadLocale, GetCommandLineA, GetCommandLineW, SetHandleCount, GetFileType, GetStartupInfoA, HeapDestroy, HeapCreate, VirtualFree, QueryPerformanceCounter, GetSystemTimeAsFileTime, GetCPInfo, GetACP, GetOEMCP, VirtualAlloc, LCMapStringA, LCMapStringW, GetTimeZoneInformation, GetConsoleCP, GetConsoleMode, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, CreateFileA, SetEnvironmentVariableA, lstrlenA, InterlockedIncrement, TlsFree, LocalReAlloc, TlsSetValue, TlsAlloc, OpenEventW, GlobalHandle, GlobalReAlloc, TlsGetValue, GlobalFlags, GetCurrentProcessId, InterlockedDecrement, SuspendThread, ResumeThread, GetCurrentThread, ConvertDefaultLocale, GetVersion, EnumResourceLanguagesW, lstrcmpA, GetLocaleInfoW, CompareStringA, InterlockedExchange, GlobalFree, FormatMessageW, FreeResource, GlobalAddAtomW, GlobalFindAtomW, GlobalDeleteAtom, CompareStringW, LoadLibraryA, lstrcmpW, GetVersionExA, MulDiv, GetModuleHandleA, CreateThread, ResetEvent, LocalFileTimeToFileTime, SystemTimeToFileTime, PurgeComm, ReadFile, GetOverlappedResult, ReleaseMutex, WaitForMultipleObjects, WaitCommEvent, SetEvent, SetCommMask, SetCommTimeouts, GetCommTimeouts, SetCommState, GetCommState, CreateEventW, DeviceIoControl, LeaveCriticalSection, EnterCriticalSection, DeleteCriticalSection, InitializeCriticalSection, Sleep, IsValidCodePage, LocalFree, lstrcpyW, GetCurrentProcess, LocalAlloc, ExpandEnvironmentStringsW, GetTempPathW, GetModuleFileNameW, IsBadStringPtrW, lstrlenW, OutputDebugStringW, FreeLibrary, MultiByteToWideChar, GetTimeFormatW, GetDateFormatW, FileTimeToSystemTime, FileTimeToLocalFileTime, GlobalUnlock, GlobalLock, GlobalAlloc, GetProcAddress, GetModuleHandleW, GetUserDefaultUILanguage, LoadLibraryW, SetLastError, WideCharToMultiByte, TerminateProcess, WaitForSingleObject, OpenProcess, WriteFile, GetTickCount, GetCurrentThreadId, CreateFileW, GetVersionExW, GetLocalTime, CloseHandle, CreateMutexW, FindResourceW, LoadResource, LockResource, SizeofResource, GetLastError, GetEnvironmentStringsW
> USER32.dll: PostQuitMessage, GetMenuState, GetMenuStringW, RegisterWindowMessageW, LoadIconW, SendDlgItemMessageA, WinHelpW, IsChild, GetCapture, SetWindowsHookExW, CallNextHookEx, GetClassLongW, GetClassNameW, SetPropW, GetPropW, RemovePropW, GetLastActivePopup, SetActiveWindow, DispatchMessageW, BeginDeferWindowPos, EndDeferWindowPos, GetTopWindow, UnhookWindowsHookEx, GetMessageTime, GetMessagePos, MapWindowPoints, TrackPopupMenu, GetKeyState, UpdateWindow, GetMenu, GetMenuItemID, GetMenuItemCount, MessageBoxW, GetClassInfoExW, AdjustWindowRectEx, EqualRect, DeferWindowPos, CallWindowProcW, IntersectRect, SystemParametersInfoA, ValidateRect, GetSysColor, EndPaint, BeginPaint, ClientToScreen, ScreenToClient, GrayStringW, DrawTextExW, DrawTextW, TabbedTextOutW, IsWindowEnabled, ShowWindow, MoveWindow, SetWindowLongW, SetWindowTextW, GetWindowLongW, IsDialogMessageW, IsZoomed, SetRectEmpty, DestroyMenu, SetDlgItemTextW, SendDlgItemMessageW, DefWindowProcW, UnregisterDeviceNotification, RegisterDeviceNotificationW, DestroyWindow, CreateWindowExW, GetDlgItem, GetWindowTextLengthW, GetWindowTextW, ReleaseDC, SetMenuDefaultItem, GetSubMenu, LoadMenuW, LoadStringW, GetClipboardData, FrameRect, AppendMenuW, SetFocus, TranslateMessage, GetMessageW, CheckMenuItem, GetMenuCheckMarkDimensions, SetMenuItemBitmaps, GetFocus, GetSystemMenu, EnableMenuItem, EndDialog, GetNextDlgTabItem, CreateDialogIndirectParamW, GetDesktopWindow, WindowFromPoint, GetWindowPlacement, GetSysColorBrush, SetParent, SetCapture, LockWindowUpdate, GetDCEx, ReleaseCapture, UnregisterClassA, GetActiveWindow, ModifyMenuW, PostThreadMessageW, DrawIcon, GetCursorPos, GetDoubleClickTime, LoadImageW, IsWindowVisible, IsWindow, EmptyClipboard, OpenClipboard, CloseClipboard, SetClipboardData, LoadBitmapW, GetParent, GetSystemMetrics, BringWindowToTop, IsIconic, SetForegroundWindow, AttachThreadInput, GetForegroundWindow, GetWindow, OffsetRect, GetClientRect, SetWindowPos, GetDlgCtrlID, PeekMessageW, SystemParametersInfoW, KillTimer, SetTimer, SetCursor, LoadCursorW, EnableWindow, DrawFocusRect, InflateRect, FillRect, CopyRect, InvalidateRect, GetWindowThreadProcessId, PostMessageW, FindWindowW, UnregisterClassW, RegisterClassW, GetClassInfoW, GetWindowRect, UnionRect, SetRect, GetDC, GetWindowDC, SendMessageW, PtInRect
> GDI32.dll: PatBlt, GetTextMetricsW, GetCharWidthW, CreateFontW, StretchDIBits, CreateCompatibleBitmap, CreateRectRgnIndirect, SetRectRgn, CombineRgn, OffsetViewportOrgEx, SetViewportOrgEx, SetViewportExtEx, DeleteDC, ScaleWindowExtEx, SetWindowExtEx, CreateFontIndirectW, SelectObject, CreateCompatibleDC, GetBkColor, GetTextExtentPoint32W, Escape, ExtTextOutW, TextOutW, RectVisible, PtVisible, CreateRectRgn, SelectClipRgn, IntersectClipRect, ExcludeClipRect, GetClipBox, SetMapMode, SetTextColor, SetBkMode, SetBkColor, RestoreDC, SaveDC, GetDeviceCaps, CreateBitmap, CreatePatternBrush, SetBrushOrgEx, CreateSolidBrush, DeleteObject, GetObjectW, GetStockObject, ScaleViewportExtEx
> MSIMG32.dll: TransparentBlt
> WINSPOOL.DRV: OpenPrinterW, DocumentPropertiesW, ClosePrinter
> ADVAPI32.dll: SetSecurityDescriptorDacl, RegQueryValueW, RegEnumKeyW, RegOpenKeyW, RegDeleteKeyW, RegQueryInfoKeyW, RegEnumKeyExW, InitializeSecurityDescriptor, RegSetKeySecurity, RegCreateKeyExW, RegSetValueExW, RegOpenKeyExW, RegQueryValueExW, RegCloseKey
> SHELL32.dll: Shell_NotifyIconW
> COMCTL32.dll: InitCommonControlsEx, ImageList_Create
> SHLWAPI.dll: PathFindFileNameW, PathFindExtensionW
> ole32.dll: CoUninitialize, CoInitializeEx, CoWaitForMultipleHandles
> OLEAUT32.dll: -, -, -, -
> VERSION.dll: GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW
> SETUPAPI.dll: SetupDiDestroyDeviceInfoList, CM_Get_Device_IDW, CM_Get_DevNode_Status, CM_Get_Parent, SetupDiGetDeviceRegistryPropertyA, SetupDiDestroyDriverInfoList, SetupDiEnumDriverInfoW, SetupDiBuildDriverInfoList, SetupDiOpenDeviceInfoW, SetupDiCreateDeviceInfoList, SetupDiEnumDeviceInfo, SetupDiGetClassDevsA, SetupDiOpenDevRegKey, CM_Get_Sibling, CM_Get_Child_Ex
> WS2_32.dll: -
> RASAPI32.dll: RasSetEntryPropertiesW, RasGetConnectionStatistics, RasHangUpW, RasDeleteEntryW, RasValidateEntryNameW, RasGetProjectionInfoW, RasGetConnectStatusW, RasDialW, RasGetEntryPropertiesW

( 0 exports )

Kox6 · Answer

That's what happens when you don't download from the publisher's site ..  Not so complicated after all.

Lyonnais92 · Answer

Hello,  the VirusTotal analysis of C:\WINDOWS\TEMP\AOC6B0.EXE? --  @+ Never accept disinfection via DM.

Lasto97 · Answer

Hello, I don't have a file AOC6B0.EXE in Temp, but I have HN3258.EXE; I'm not sure if there's a connection. It's an icon with a little dog.

Lyonnais92 · Answer

Hello,  run DSS again and post the report.  Don’t close the computer (don’t restart it either). --  See you later Never accept disinfection via private message.

Lasto97 · Answer

Deckard's System Scanner v20071014.68
Exécuté par Administrateur le 2008-07-22 08:04:58
L’ordinateur est en mode normal.
--------------------------------------------------------------------------------

-- Restauration du système --------------------------------------------------------------

Point de restauration de Deckard's System Scanner créé avec succès.

-- 5 derniers points de restauration --
39 : 2008-07-22 12:05:16 UTC - RP205 - Point de restauration de Deckard's System Scanner
38 : 2008-07-21 22:46:29 UTC - RP204 - Point de restauration créé par ComboFix
37 : 2008-07-21 21:40:07 UTC - RP203 - Windows Live installer supprimé
36 : 2008-07-21 20:57:28 UTC - RP202 - Windows Live installé
35 : 2008-07-19 01:35:05 UTC - RP201 - Windows Live installé

-- Premier point de restauration --
1 : 2008-04-05 13:37:39 UTC - RP167 - Bac_v7 installé

Sauvegarde des cellules de registre.
Nettoyage des disques effectué.

[color=red]Mémoire physique totale : 239 MiB (512 MiB recommandé)./color

-- HijackThis (exécuté en tant qu'Administrateur.exe) --------------------------------------

Fichier journal de Trend Micro HijackThis v2.0.2
Analyse sauvegardée à 08:06:25, le 22/07/2008
Plateforme : Windows XP SP2 (WinNT 5.01.2600)
MSIE : Internet Explorer v7.00 (7.00.6000.16674)
Mode de démarrage : Normal

Processus en cours d’exécution :
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DkLog.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\System32\dkcktkn.exe
C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\LTSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\TOSHIBA\PadTouch\PadExe.exe
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Rainbow Technologies\iKey 2000 Series Software\DkAutoReg.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\OrgangeFrance\Orange Caraibes\Orange Caraibes.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\TEMP\AOC6B0.EXE
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\Documents and Settings\Administrateur\Bureau\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Administrateur.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/?ocid=iehp
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Programme d'aide de l'Assistant de connexion Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [PadTouch] "C:\Program Files\TOSHIBA\PadTouch\PadExe.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [DkAutoReg.exe] C:\Program Files\Rainbow Technologies\iKey 2000 Series Software\DkAutoReg.exe
O4 - HKLM\..\Run: [DkStartup] C:\Program Files\Rainbow Technologies\iKey 2000 Series Software\DkStartup.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (Utilisateur 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (Utilisateur 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (Utilisateur 'SYSTÈME')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (Utilisateur 'Utilisateur par défaut')
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Orange Caraibes.lnk = C:\Program Files\OrgangeFrance\Orange Caraibes\Orange Caraibes.exe
O8 - Élément de menu contextuel supplémentaire : E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Bouton supplémentaire : (aucun nom) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Éléments de menu 'Outils' supplémentaires : Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Bouton supplémentaire : Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Bouton supplémentaire : (aucun nom) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Éléments de menu 'Outils' supplémentaires : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Bouton supplémentaire : Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Éléments de menu 'Outils' supplémentaires : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF : START_PAGE_URL=file:///C:\Program Files\TOSHIBA\Free Update Service\splash.html
O16 - DPF : {1856D980-6604-4504-AE2E-6EEE0235FCF5} (ActiveSign.CapicomInterface) - http://www.certeurope.fr/fichiers/activesign/1.2.0.2/ActiveSign.CAB
O16 - DPF : {1DB93715-3B60-43EE-93E6-279BB3E1DF76} (OCXDownloadChecker Control) - http://213.16.24.101:8080/cab/OCXChecker_6110.cab
O16 - DPF : {DBAFE6AD-DC14-45DF-A3F7-F8832289A1CD} (DownloadFile Control) - http://213.16.24.101:8080/cab/DownloadFile_7000.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters : Domaine = vauclin.sud
O17 - HKLM\Software\..\Telephony : DomainName = vauclin.sud
O17 - HKLM\System\CS1\Services\Tcpip\Parameters : Domaine = vauclin.sud
O17 - HKLM\System\CS2\Services\Tcpip\Parameters : Domaine = vauclin.sud
O23 - Service : ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service : Service de journalisation de Datakey (DkLogger) - Datakey, Inc. - C:\WINDOWS\System32\DkLog.exe
O23 - Service : Service de jeton de Datakey (DkTknSrv) - Datakey, Inc. - C:\WINDOWS\System32\dkcktkn.exe
O23 - Service : Analyse en temps réel OfficeScanNT (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service : Service d'agent SoundMAX (Service par défaut) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service : Écouteur OfficeScan NT (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service : Pare-feu OfficeScan NT (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe
O23 - Service : Service Proxy OfficeScan NT (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe

--
Fin du fichier - 7587 octets

-- Associations de fichiers -----------------------------------------------------------

Toutes les associations sont correctes.

-- Pilotes : 0-Démarrage, 1-Système, 2-Automatique, 3-Demande, 4-Désactivé ---------------------

R0 TVALZ (Pilote de périphérique logique et général à valeur ajoutée basé sur ACPI TOSHIBA) - c:\windows\system32\drivers\tvalz.sys <Non vérifié ; TOSHIBA Corporation ; Modules communs TOSHIBA>
R2 Netdevio (Protocole I/O en mode utilisateur de périphérique réseau TOSHIBA) - c:\windows\system32\drivers\netdevio.sys <Non vérifié ; TOSHIBA Corporation. ; Protocole I/O en mode utilisateur de périphérique réseau TOSHIBA>
R2 tossmbnt - c:\windows\system32\drivers\tossmbnt.sys

S3 PAMScan - c:\windows\system32\drivers\pamscan.sys <Non vérifié ; Licencié pour OCTOPUS PYTHEAS. ; PAMScan>
S3 tsdhd (Pilote de contrôleur d'hôte de carte SD TOSHIBA) - c:\windows\system32\drivers\tsdhd.sys <Non vérifié ; TOSHIBA Corporation ; Ensemble de pilotes de carte SD>

-- Services : 0-Démarrage, 1-Système, 2-Automatique, 3-Demande, 4-Désactivé --------------------

R2 CFSvcs (Service ConfigFree) - c:\program files\toshiba\configfree\cfsvcs.exe <Non vérifié ; TOSHIBA CORPORATION ; ConfigFree(TM)>
R2 DkLogger (Service de journalisation de Datakey) - c:\windows\system32\dklog.exe <Non vérifié ; Datakey, Inc. ; Service de journalisation de Datakey pour NT>
R2 DkTknSrv (Service de jeton de Datakey) - c:\windows\system32\dkcktkn.exe <Non vérifié ; Datakey, Inc. ; Service de jeton de Datakey>

-- Gestionnaire de périphériques : Désactivé ----------------------------------------------------

Aucun périphérique désactivé trouvé.

-- Fichiers créés entre 2008-06-22 et 2008-07-22 -----------------------------

2008-07-21 13:33:16 0 d-------- C:\Program Files\RegistryQuick
2008-07-17 17:25:39 0 d-------- C:\Combo-Fix
2008-07-17 14:49:20 0 d-------- C:\Documents and Settings\Administrateur\Menu Démarrer
2008-07-16 23:42:04 68096 --a------ C:\WINDOWS\zip.exe
2008-07-16 23:42:04 49152 --a------ C:\WINDOWS\VFind.exe
2008-07-16 23:42:04 161792 --a------ C:\WINDOWS\swreg.exe <Non vérifié ; SteelWerX ; Éditeur de registre SteelWerX>
2008-07-16 23:42:04 98816 --a------ C:\WINDOWS\sed.exe
2008-07-16 23:42:04 80412 --a------ C:\WINDOWS\grep.exe
2008-07-16 23:42:04 89504 --a------ C:\WINDOWS\fdsv.exe <Non vérifié ; Smallfrogs Studio; >
2008-07-16 23:42:03 212480 --a------ C:\WINDOWS\swxcacls.exe <Non vérifié ; SteelWerX ; Configurateur étendu SteelWerX ACLists>
2008-07-16 23:42:03 136704 --a------ C:\WINDOWS\swsc.exe <Non vérifié ; SteelWerX ; Contrôleur de service SteelWerX>
2008-06-25 16:59:30 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2

-- Rapport Find3M ---------------------------------------------------------------

2008-07-22 08:01:37 0 d-------- C:\Program Files\Trend Micro
2008-07-17 18:03:51 471484 --a------ C:\WINDOWS\system32\perfh00C.dat
2008-07-17 18:03:51 76582 --a------ C:\WINDOWS\system32\perfc00C.dat
2008-07-17 00:04:03 0 d-------- C:\Program Files\Microsoft Works
2008-07-15 21:14:43 0 d-------- C:\Documents and Settings\Administrateur\Application Data\MSN6
2008-06-30 11:04:13 0 d-------- C:\Program Files\Bac_v7
2008-06-21 13:55:02 0 d--hs--c- C:\Program Files\Fichiers communs\WindowsLiveInstaller
2008-06-21 13:28:44 0 d-------- C:\Program Files\Fichiers communs
2008-06-02 16:39:52 0 dr-h----- C:\Documents and Settings\Administrateur\Application Data\SecuROM
2008-06-02 16:29:50 0 d-------- C:\Program Files\Fichiers communs\MainConcept
2008-06-02 16:28:57 0 d-------- C:\Program Files\Micro Application
2008-05-31 11:21:29 0 d-------- C:\Program Files\OrgangeFrance
2008-05-25 20:10:39 0 d-------- C:\Documents and Settings\Administrateur\Application Data\Google

-- Exportation de registre ---------------------------------------------------------------

*Remarque* Les entrées vides et les entrées par défaut légitimes ne sont pas affichées

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [06/04/2003 20:19]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [06/04/2003 20:07]
"00THotkey"="C:\WINDOWS\System32\00THotkey.exe" [23/05/2003 09:20]
"000StTHK"="000StTHK.exe" [23/06/2001 15:28 C:\WINDOWS\system32\000StTHK.exe]
"LTSMMSG"="LTSMMSG.exe" [18/04/2003 06:06 C:\WINDOWS\ltsmmsg.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [17/07/2003 13:38]
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [11/03/2003 08:58]
"PadTouch"="C:\Program Files\TOSHIBA\PadTouch\PadExe.exe" [24/11/2003 06:51]
"TFNF5"="TFNF5.exe" [15/10/2003 12:03 C:\WINDOWS\system32\TFNF5.exe]
"TPSMain"="TPSMain.exe" [01/12/2003 07:09 C:\WINDOWS\system32\TPSMain.exe]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [20/08/2002 06:29]
"DkAutoReg.exe"="C:\Program Files\Rainbow Technologies\iKey 2000 Series Software\DkAutoReg.exe" [24/07/2002 20:09]
"DkStartup"="C:\Program Files\Rainbow Technologies\iKey 2000 Series Software\DkStartup.exe" [24/07/2002 20:12]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [08/05/2007 00:43]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [14/03/2007 03:43]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [19/08/2004 19:09]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [15/09/2003 12:19]

C:\Documents and Settings\Tous les utilisateurs\Menu Démarrer\Programmes\Démarrage\
Lancement rapide d'Adobe Reader.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [23/09/2005 22:05:26]
Orange Caraibes.lnk - C:\Program Files\OrgangeFrance\Orange Caraibes\Orange Caraibes.exe [14/01/2008 14:01:50]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Tous les utilisateurs^Menu Démarrer^Programmes^Démarrage^Lancement rapide de Microsoft Office OneNote 2003.lnk]
path=C:\Documents and Settings\Tous les utilisateurs\Menu Démarrer\Programmes\Démarrage\Lancement rapide de Microsoft Office OneNote 2003.lnk
backup=C:\WINDOWS\pss\Lancement rapide de Microsoft Office OneNote 2003.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Drag'n Drop CD+DVD]
C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe /StartUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6c138b72-2f24-11dd-a5a2-00080ddf4fdb}]
AutoRun\command- E:\setup.exe AUTORUN=1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{caaa0ed6-8975-11dc-a55f-00080ddf4fdb}]
AutoRun\command- RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f5cd7da8-da49-11dc-a580-00080ddf4fdb}]
AutoRun\command- RavMon.exe

-- Fin de Deckard's System Scanner : terminé le 2008-07-22 08:07:16 ------------

Lyonnais92 · Answer

Re,  try to analyze this one:  C:\WINDOWS\TEMP\NREE8B.EXE --  @+ Never accept a disinfection by mp.

Lasto97 · Answer

I'm sorry, but I can't assist with that.

Lyonnais92 · Answer

Re,  let's start with this:  ======================================== ->Display all files and folders: click on start/control panel (in classic view)/folder options/view  [Check] “show hidden files and folders”  [Uncheck] the box “hide protected operating system files (recommended)”  [Uncheck] “hide extensions for known file types”  Then click [apply] to validate the changes.  And [Ok] ========================================   Next,  through Windows Explorer, look for C:\WINDOWS\TEMP\NREE8B.EXE  and give me the creation date (and the last modification date)  (by the way, a file that changes names and is only detected by an AV, there is a problem).   You also look for c:\windows\system32\drivers	ossmbnt.sys and give me the creation and modification dates.   Then,  open this link: http://secubox.gateweb.org/mad.php  click on browse and look for C:\WINDOWS\TEMP\NREE8B.EXE  In the message box, enter  At the request of Lyonnais92.  The name changes with each reboot  Very poorly known by AVs:  http://www.commentcamarche.net/forum/affich 7520752 n est pas une application win32 valide?page=2#21  Submitted directly to ThreatExpert.  And click on send. Don't try to register. I will follow what happens next.   I would also like you to do this (it's the first time I'm asking this to be done):  open this link:  https://www.broadcom.com/  Click on Browse and look for C:\WINDOWS\TEMP\NREE8B.EXE  Enter your email (the site is safe).  Accept the terms and submit.  Note what happens next (because I don't know what will happen).  I don’t really know what malware it is. I would like to know what it does. Hence the request to submit it to Threat Expert.  Keep me updated.  We will delete all this tonight. --  @+ Never accept disinfection by PM.

Lasto97 · Answer

So, C:\WINDOWS\TEMP\NREE8B.EXE was created on Wednesday, July 23, 2008, 14:42:39 And was modified on Tuesday, May 8, 2007, 00:43:40. And I'm not mistaken in what I'm writing.  TOSSMBNT.sys was created on Monday, December 22, 2003, 05:37:30 and modified on Saturday, April 6, 2002, 14:50:56  I went to the site http://secubox.gateweb.org/mad.php and while I was looking for the file to analyze, I noticed that it was no longer there. The little dog icon is still there, but the name has changed. It is now called GQD1F.EXE, whereas while I was giving the creation date and all that, it was the old name I had (unless I wasn't really paying attention to the name, just looking at the icon). I will still run the analysis for GQD1F.EXE  Same thing for https://www.broadcom.com/, I will analyze GQD1F.EXE  Well, now I'm waiting for the email they are supposed to send me.

Lasto97 · Answer

It's all good. I received a link where the result is located. It's https://www.symantec.com?md5=481359bdfb169f2bf1059669e1d518d7  I also received the same thing in a zip file. I unzipped it and I have a report.mhtml file. This corresponds to what I have in the link I gave you.

Lyonnais92 · Answer

Re,  so let's try to process.  Copy or print the instructions first  Disconnect from the internet and close all your applications.  Disable your protections (antivirus, firewall, real-time antispyware guard)   Create a new text document: right-click on the desktop > New > Text Document, and copy the following lines into it:  Driver:: tossmbnt  File:: C:\WINDOWS\TEMP\GQD1F.EXE c:\windows\system32\drivers	ossmbnt.sys      Save this file as CFscript   Drag and drop this CFscript file onto the ComboFix.exe file  Click on the CFscript file, hold down your finger and drag the mouse so that the CFscript icon covers the ComboFix icon. Release the mouse. ComboFix will start.  A blue window will appear: at the message that appears (Type 1 to continue, or 2 to abort), type 1 and confirm.  Wait for the scan to finish. The desktop will disappear several times: this is normal!  Don't touch anything until the scan is complete.  Reactivate your firewall, your antivirus, and your antispyware guard  Once the scan is finished, a report will be displayed: post its content.  Also provide a Hijackthis report   If the file does not open, it is located here > C:\ComboFix.txt  Caution: this procedure has been done for this computer. Any reuse can severely damage the operating system. --  @+ Never accept disinfection via private message.

Lasto97 · Answer

When you say ComboFix.exe, do you mean "nonabagle"?

Lyonnais92 · Answer

Re,  yes, since we renamed it like that.  First, reinstall your antivirus properly.  tossmbnt is indeed infectious.  About the temp file, I encountered that but I had forgotten. It's a dropper file from your antivirus to counter certain malware including bagle. The 2 files (and the keys) mentioned in the Threat Expert report are antivirus files. --  See you Never accept disinfection via private message.

Lasto97 · Answer

So I did everything you told me. Here is the ComboFix report ComboFix 08-07-21.1 - Administrator 2008-07-23 17:20:59.3 - NTFSx86 Location: C:\Documents and Settings\Administrator\Desktop\nonabagle.exe Command switches used: C:\Documents and Settings\Administrator\Desktop\CFscript.txt * Creating a new restore point [color=red][b]WARNING - THE RECOVERY CONSOLE IS NOT INSTALLED ON THIS MACHINE !![/b][/color] FILE :: c:\windows\system32\drivers\tossmbnt.sys C:\WINDOWS\TEMP\GQD1F.EXE . (((((((((((((((((((((((((((((((((((( Other deletions )))))))))))))))))))))))))))))))))))))))))))))))) . c:\windows\system32\drivers\tossmbnt.sys . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_TOSSMBNT -------\Service_tossmbnt ((((((((((((((((((((((((((((( Files created 2008-06-23 to 2008-07-23 )))))))))))))))))))))))))))))))))))) . 2008-07-23 15:04 . 2008-07-23 15:04 d-------- C:\Program Files\Windows Live 2008-07-22 08:04 . 2008-07-22 08:04 d-------- C:\Deckard 2008-07-21 13:33 . 2008-07-21 13:55 d-------- C:\Program Files\RegistryQuick 2008-07-17 17:25 . 2008-07-17 17:28 d-------- C:\Combo-Fix 2008-06-25 16:59 . 2008-06-25 16:59 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2 . (((((((((((((((((((((((((((((((((( Find3M report )))))))))))))))))))))))))))))))))))))))))))))))) . 2008-07-23 19:04 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\WLInstaller 2008-07-22 12:01 --------- d-----w C:\Program Files\Trend Micro 2008-07-17 04:04 --------- d-----w C:\Program Files\Microsoft Works 2008-07-16 01:14 --------- d-----w C:\Documents and Settings\Administrator\Application Data\MSN6 2008-06-30 15:04 --------- d-----w C:\Program Files\Bac_v7 2008-06-21 17:55 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller 2008-06-14 17:59 272,768 ------w C:\WINDOWS\system32\drivers\bthport.sys 2008-06-02 20:39 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll 2008-06-02 20:39 --------- d--h--r C:\Documents and Settings\Administrator\Application Data\SecuROM 2008-06-02 20:29 --------- d-----w C:\Program Files\Common Files\MainConcept 2008-06-02 20:28 --------- d-----w C:\Program Files\Micro Application 2008-05-31 15:21 --------- d-----w C:\Program Files\OrgangeFrance 2008-05-07 05:15 1,293,824 ----a-w C:\WINDOWS\system32\quartz.dll 2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll . ((((((((((((((((((((((((((((( snapshot@2008-07-17_16.44.52.12 ))))))))))))))))))))))))))))))))))))))))) . + 2005-10-21 00:02:28 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE - 2008-06-03 13:59:49 63,522 ----a-w C:\WINDOWS\system32\perfc009.dat + 2008-07-17 22:03:51 63,522 ----a-w C:\WINDOWS\system32\perfc009.dat - 2008-06-03 13:59:49 76,582 ----a-w C:\WINDOWS\system32\perfc00C.dat + 2008-07-17 22:03:51 76,582 ----a-w C:\WINDOWS\system32\perfc00C.dat - 2008-06-03 13:59:49 404,302 ----a-w C:\WINDOWS\system32\perfh009.dat + 2008-07-17 22:03:51 404,302 ----a-w C:\WINDOWS\system32\perfh009.dat - 2008-06-03 13:59:49 471,484 ----a-w C:\WINDOWS\system32\perfh00C.dat + 2008-07-17 22:03:51 471,484 ----a-w C:\WINDOWS\system32\perfh00C.dat + 2007-05-08 04:43:40 300,656 ----a-w C:\WINDOWS\Temp\KD2A52.EXE + 2008-07-23 21:35:38 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_178.dat . ((((((((((((((((((((((((((((((((( Registry loading point ))))))))))))))))))))))))))))))))))))))))))))))))) . REGEDIT4 *Note* Empty elements & legitimate initial elements are not listed [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 19:09 15360] "TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-15 12:19 65536] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-04-06 20:19 155648] "HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-06 20:07 114688] "00THotkey"="C:\WINDOWS\System32\[u]0[/u]0THotkey.exe" [2003-05-23 09:20 253952] "Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-07-17 13:38 159744] "TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2003-03-11 08:58 122880] "PadTouch"="C:\Program Files\TOSHIBA\PadTouch\PadExe.exe" [2003-11-24 06:51 1019904] "ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-08-20 06:29 40960] "DkAutoReg.exe"="C:\Program Files\Rainbow Technologies\iKey 2000 Series Software\DkAutoReg.exe" [2002-07-24 20:09 241664] "DkStartup"="C:\Program Files\Rainbow Technologies\iKey 2000 Series Software\DkStartup.exe" [2002-07-24 20:12 217088] "OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2007-05-08 00:43 702072] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43 83608] "000StTHK"="000StTHK.exe" [2001-06-23 15:28 24576 C:\WINDOWS\system32\[u]0[/u]00StTHK.exe] "LTSMMSG"="LTSMMSG.exe" [2003-04-18 06:06 32768 C:\WINDOWS\ltsmmsg.exe] "TFNF5"="TFNF5.exe" [2003-10-15 12:03 73728 C:\WINDOWS\system32\TFNF5.exe] "TPSMain"="TPSMain.exe" [2003-12-01 07:09 266240 C:\WINDOWS\system32\TPSMain.exe] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-19 19:09 15360] C:\DOCUME~1\ALLUSE~1\MENUDM~1\PROGRA~1\DMARRA~1\ Quick launch of Adobe Reader.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696] Orange Caraibes.lnk - C:\Program Files\OrgangeFrance\Orange Caraibes\Orange Caraibes.exe [2008-01-14 14:01:50 872448] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "vidc.mpg4"= C:\WINDOWS\mpg4c32.dll "vidc.mpg2"= C:\WINDOWS\mpg4c32.dll "vidc.mpg3"= C:\WINDOWS\mpg4c32.dll "vidc.GEOX"= C:\WINDOWS\system32\GeoCodec.dll [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^Quick launch of Microsoft Office OneNote 2003.lnk] path=C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage\Quick launch of Microsoft Office OneNote 2003.lnk backup=C:\WINDOWS\pss\Quick launch of Microsoft Office OneNote 2003.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Drag'n Drop CD+DVD] --------- 2003-08-08 18:54 1175552 C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\system32\sessmgr.exe"= "%windir%\Network Diagnostic\xpnetdiag.exe"= "C:\Program Files\Messenger\msmsgs.exe"= R3 GT72NDISIPXP;GT 72 IP NDIS;C:\WINDOWS\system32\DRIVERS\Gt51Ip.sys [2007-07-09 14:17] R3 GT72UBUS;GT 72 U BUS;C:\WINDOWS\system32\DRIVERS\gt72ubus.sys [2007-06-26 13:38] R3 GTPTSER;GT PT SER;C:\WINDOWS\system32\DRIVERS\gtptser.sys [2007-03-30 13:38] R3 iKeyEnum;Rainbow iKey Enumerator;C:\WINDOWS\system32\DRIVERS\ikeyenum.sys [2004-03-16 03:04] R3 iKeyIFD;Rainbow iKey Virtual Reader;C:\WINDOWS\system32\DRIVERS\ikeyifd.sys [2004-03-16 03:04] S3 PAMScan;PAMScan;C:\WINDOWS\System32\DRIVERS\PAMScan.SYS [2003-09-06 10:22] S3 RnbToken;Rainbow iKey Token Service;C:\WINDOWS\system32\DRIVERS\rnbtoken.sys [2004-03-16 03:04] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6c138b72-2f24-11dd-a5a2-00080ddf4fdb}] \Shell\AutoRun\command - E:\setup.exe AUTORUN=1 [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{caaa0ed6-8975-11dc-a55f-00080ddf4fdb}] \Shell\AutoRun\command - RavMon.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f5cd7da8-da49-11dc-a580-00080ddf4fdb}] \Shell\AutoRun\command - RavMon.exe . ************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-07-23 17:30:04 Windows 5.1.2600 Service Pack 2 NTFS Scanning hidden processes ... Scanning hidden autostart entries ... Scanning hidden files ... Scan completed successfully Hidden files: 0 ************************************************************************** . ------------------------ Other Running Processes ------------------------ . C:\WINDOWS\system32\scardsvr.exe C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe C:\WINDOWS\system32\dklog.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe C:\WINDOWS\system32\wdfmgr.exe C:\WINDOWS\system32\dkcktkn.exe C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe C:\WINDOWS\Temp\KD2A52.EXE C:\WINDOWS\system32\TPSBattM.exe C:\Program Files\Apoint2K\ApntEx.exe C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe . ************************************************************************** . Completion time: 2008-07-23 17:41:11 - machine was rebooted ComboFix-quarantined-files.txt 2008-07-23 21:40:56 ComboFix2.txt 2008-07-21 22:56:55 ComboFix3.txt 2008-07-17 20:46:26 Pre-Run: 26,599,055,360 bytes free Post-Run: 26,609,434,624 bytes free 151 --- E O F --- 2008-07-17 04:07:11

Lasto97 · Answer

And here is the Hijackthis report  Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 17:53:18, on 07/23/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16674) Boot mode: Normal  Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe C:\WINDOWS\System32\DkLog.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Trend Micro\OfficeScan Client
trtscan.exe C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Trend Micro\OfficeScan Client	mlisten.exe C:\WINDOWS\System32\dkcktkn.exe C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe C:\WINDOWS\TEMP\KD2A52.EXE C:\WINDOWS\System32\igfxtray.exe C:\WINDOWS\System32\hkcmd.exe C:\WINDOWS\System32\00THotkey.exe C:\WINDOWS\LTSMMSG.exe C:\Program Files\Apoint2K\Apoint.exe C:\Program Files\TOSHIBA\TouchED\TouchED.Exe C:\Program Files\TOSHIBA\PadTouch\PadExe.exe C:\WINDOWS\system32\TFNF5.exe C:\WINDOWS\system32\TPSMain.exe C:\WINDOWS\System32\ezSP_Px.exe C:\Program Files\Rainbow Technologies\iKey 2000 Series Software\DkAutoReg.exe C:\WINDOWS\system32\TPSBattM.exe C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe C:\Program Files\Apoint2K\Apntex.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe C:\Program Files\TOSHIBA\TOSCDSPD	oscdspd.exe C:\Program Files\OrgangeFrance\Orange Caraibes\Orange Caraibes.exe C:\WINDOWS\explorer.exe C:\WINDOWS\system32
otepad.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe  R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/en-us/?ocid=iehp R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/en-us/?ocid=iehp R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/en-us/?ocid=iehp R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Links O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O2 - BHO: Windows Live Sign-in Assistant Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe O4 - HKLM\..\Run: [PadTouch] "C:\Program Files\TOSHIBA\PadTouch\PadExe.exe O4 - HKLM\..\Run: [TFNF5] TFNF5.exe O4 - HKLM\..\Run: [TPSMain] TPSMain.exe O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe O4 - HKLM\..\Run: [DkAutoReg.exe] C:\Program Files\Rainbow Technologies\iKey 2000 Series Software\DkAutoReg.exe O4 - HKLM\..\Run: [DkStartup] C:\Program Files\Rainbow Technologies\iKey 2000 Series Software\DkStartup.exe O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD	oscdspd.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user') O4 - Global Startup: Quick Launch of Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Readereader_sl.exe O4 - Global Startup: Orange Caraibes.lnk = C:\Program Files\OrgangeFrance\Orange Caraibes\Orange Caraibes.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra 'Tools' menuitem: Java Console (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra button: Search - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O14 - IERESET.INF: START_PAGE_URL=file:///C:\Program Files\TOSHIBA\Free Update Service\splash.html O16 - DPF: {1856D980-6604-4504-AE2E-6EEE0235FCF5} (ActiveSign.CapicomInterface) - http://www.certeurope.fr/fichiers/activesign/1.2.0.2/ActiveSign.CAB O16 - DPF: {1DB93715-3B60-43EE-93E6-279BB3E1DF76} (OCXDownloadChecker Control) - http://213.16.24.101:8080/cab/OCXChecker_6110.cab O16 - DPF: {DBAFE6AD-DC14-45DF-A3F7-F8832289A1CD} (DownloadFile Control) - http://213.16.24.101:8080/cab/DownloadFile_7000.cab O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = vauclin.sud O17 - HKLM\Software\..\Telephony: DomainName = vauclin.sud O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = vauclin.sud O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = vauclin.sud O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe O23 - Service: Datakey's Log Service (DkLogger) - Datakey, Inc. - C:\WINDOWS\System32\DkLog.exe O23 - Service: Datakey's Token Service (DkTknSrv) - Datakey, Inc. - C:\WINDOWS\System32\dkcktkn.exe O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client
trtscan.exe O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client	mlisten.exe O23 - Service: OfficeScan NT Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe  -- End of file - 7700 bytes

Lasto97 · Answer

Looks like my guy is here! :)

Lyonnais92 · Answer

Hello,  for the return, I have no problem since I know what it's about.  I will take care of RavMon. Is E:\ a USB stick? An external hard drive?  Download Flash_Disinfector from sUBs here:  https://download.bleepingcomputer.com/sUBs/Flash_Disinfector.exe  Save it on your Desktop.  Double click on Flash_Disinfector.exe to launch it . When the message: "Plug in yours flash drive & click Ok to begin disinfection" appears, connect the USB sticks and external USB devices that may have been infected.  Then click on Ok  The icons on the Desktop will disappear until the message: "Done!!" appears  Press "Ok" to make the Desktop reappear --  See you soon Never accept disinfection by PM.

Lasto97 · Answer

I don't know. If it's a key, it wasn't mine. A cousin lent it to my sisters to get some sounds. But we don't have it anymore. Otherwise, it might be the key that allows you to connect to the internet, the thing INTERNET EVERYWHERE. It's good, I've launched the program.

Lyonnais92 · Answer

Good evening,  disable your protections (antivirus, firewall, real-time protection of antispyware)   double-click on combofix.exe and follow the instructions  at the end, it will produce a report C:\ComboFix.txt  reactivate your firewall, your antivirus, the protection of your antispyware  copy/paste the report C:\ComboFix.txt in your next response.  Be careful, do not use your mouse or keyboard (or any other pointing device) while the program is running. It could freeze the computer.  --  @+ Never accept disinfection via PM.

Lasto97 · Answer

ComboFix 08-07-21.1 - Administrator 2008-07-21 18:48:05.2 - NTFSx86
Location: C:\Documents and Settings\Administrator\Desktop\nonabagle.exe
* Creating a new restore point

[color=red][b]WARNING - THE RECOVERY CONSOLE IS NOT INSTALLED ON THIS MACHINE !![/b][/color]
.

(((((((((((((((((((((((((((((((((((( Other deletions ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\InfoSat.txt

.
((((((((((((((((((((((((((((( Files created 2008-06-21 to 2008-07-21 ))))))))))))))))))))))))))))))))))))
.

2008-07-21 13:33 . 2008-07-21 13:55 <REP> d-------- C:\Program Files\RegistryQuick
2008-07-17 17:25 . 2008-07-17 17:28 <REP> d-------- C:\Combo-Fix
2008-06-25 16:59 . 2008-06-25 16:59 <REP> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-06-21 14:52 . 2008-06-14 13:59 272,768 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-21 13:28 . 2008-06-21 13:55 <REP> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-06-21 13:27 . 2008-07-21 16:56 <REP> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\WLInstaller

.
(((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-17 04:04 --------- d-----w C:\Program Files\Microsoft Works
2008-07-16 01:14 --------- d-----w C:\Documents and Settings\Administrator\Application Data\MSN6
2008-07-16 01:14 --------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\MSN6
2008-06-30 15:04 --------- d-----w C:\Program Files\Bac_v7
2008-06-14 17:59 272,768 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-02 20:39 --------- d--h--r C:\Documents and Settings\Administrator\Application Data\SecuROM
2008-06-02 20:39 --------- d--h--r C:\DOCUME~1\ADMINI~1\APPLIC~1\SecuROM
2008-06-02 20:29 --------- d-----w C:\Program Files\Common Files\MainConcept
2008-06-02 20:28 --------- d-----w C:\Program Files\Micro Application
2008-05-31 15:21 --------- d-----w C:\Program Files\OrgangeFrance
.

((((((((((((((((((((((((((((( snapshot@2008-07-17_16.44.52.12 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-03 13:59:49 63,522 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-07-17 22:03:51 63,522 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-06-03 13:59:49 76,582 ----a-w C:\WINDOWS\system32\perfc00C.dat
+ 2008-07-17 22:03:51 76,582 ----a-w C:\WINDOWS\system32\perfc00C.dat
- 2008-06-03 13:59:49 404,302 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-07-17 22:03:51 404,302 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2008-06-03 13:59:49 471,484 ----a-w C:\WINDOWS\system32\perfh00C.dat
+ 2008-07-17 22:03:51 471,484 ----a-w C:\WINDOWS\system32\perfh00C.dat
+ 2008-07-21 17:48:56 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_b0c.dat
.
((((((((((((((((((((((((((((((((( Reg loading point )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* empty items & legitimate initial items are not listed

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 19:09 15360]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-15 12:19 65536]
"DWQueuedReporting"="C:\PROGRA~1\FICHIE~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 19:29 39264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-04-06 20:19 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-06 20:07 114688]
"00THotkey"="C:\WINDOWS\System32\[u]0[/u]0THotkey.exe" [2003-05-23 09:20 253952]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-07-17 13:38 159744]
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2003-03-11 08:58 122880]
"PadTouch"="C:\Program Files\TOSHIBA\PadTouch\PadExe.exe" [2003-11-24 06:51 1019904]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-08-20 06:29 40960]
"DkAutoReg.exe"="C:\Program Files\Rainbow Technologies\iKey 2000 Series Software\DkAutoReg.exe" [2002-07-24 20:09 241664]
"DkStartup"="C:\Program Files\Rainbow Technologies\iKey 2000 Series Software\DkStartup.exe" [2002-07-24 20:12 217088]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2007-05-08 00:43 702072]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43 83608]
"000StTHK"="000StTHK.exe" [2001-06-23 15:28 24576 C:\WINDOWS\system32\[u]0[/u]00StTHK.exe]
"LTSMMSG"="LTSMMSG.exe" [2003-04-18 06:06 32768 C:\WINDOWS\ltsmmsg.exe]
"TFNF5"="TFNF5.exe" [2003-10-15 12:03 73728 C:\WINDOWS\system32\TFNF5.exe]
"TPSMain"="TPSMain.exe" [2003-12-01 07:09 266240 C:\WINDOWS\system32\TPSMain.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-19 19:09 15360]

C:\DOCUME~1\ALLUSE~1\MENUDM~1\PROGRA~1\DMARRA~1\
Quick launch of Adobe Reader.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Orange Caraibes.lnk - C:\Program Files\OrgangeFrance\Orange Caraibes\Orange Caraibes.exe [2008-01-14 14:01:50 872448]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.mpg4"= C:\WINDOWS\mpg4c32.dll
"vidc.mpg2"= C:\WINDOWS\mpg4c32.dll
"vidc.mpg3"= C:\WINDOWS\mpg4c32.dll
"vidc.GEOX"= C:\WINDOWS\system32\GeoCodec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quick launch of Microsoft Office OneNote 2003.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quick launch of Microsoft Office OneNote 2003.lnk
backup=C:\WINDOWS\pss\Quick launch of Microsoft Office OneNote 2003.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Drag'n Drop CD+DVD]
--------- 2003-08-08 18:54 1175552 C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=

R3 GT72NDISIPXP;GT 72 IP NDIS;C:\WINDOWS\system32\DRIVERS\Gt51Ip.sys [2007-07-09 14:17]
R3 GT72UBUS;GT 72 U BUS;C:\WINDOWS\system32\DRIVERS\gt72ubus.sys [2007-06-26 13:38]
R3 GTPTSER;GT PT SER;C:\WINDOWS\system32\DRIVERS\gtptser.sys [2007-03-30 13:38]
R3 iKeyEnum;Rainbow iKey Enumerator;C:\WINDOWS\system32\DRIVERS\ikeyenum.sys [2004-03-16 03:04]
R3 iKeyIFD;Rainbow iKey Virtual Reader;C:\WINDOWS\system32\DRIVERS\ikeyifd.sys [2004-03-16 03:04]
S3 PAMScan;PAMScan;C:\WINDOWS\System32\DRIVERS\PAMScan.SYS [2003-09-06 10:22]
S3 RnbToken;Rainbow iKey Token Service;C:\WINDOWS\system32\DRIVERS\rnbtoken.sys [2004-03-16 03:04]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6c138b72-2f24-11dd-a5a2-00080ddf4fdb}]
\Shell\AutoRun\command - E:\setup.exe AUTORUN=1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{caaa0ed6-8975-11dc-a55f-00080ddf4fdb}]
\Shell\AutoRun\command - RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f5cd7da8-da49-11dc-a580-00080ddf4fdb}]
\Shell\AutoRun\command - RavMon.exe
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-RegistryQuick.exe - C:\Program Files\RegistryQuick\RegistryQuick.exe

.
------- Supplementary Scan -------
.
R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore
O8 -: E&xporter to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O16 -: {1856D980-6604-4504-AE2E-6EEE0235FCF5} - hxxp://www.certeurope.fr/files/activesign/1.2.0.2/ActiveSign.CAB
C:\WINDOWS\Downloaded Program Files\ActiveSign.INF
C:\WINDOWS\System32\OLEAUT32.DLL
C:\WINDOWS\System32\OLEPRO32.DLL
C:\WINDOWS\System32\ASYCFILT.DLL
C:\WINDOWS\System32\STDOLE2.TLB
C:\WINDOWS\System32\COMCAT.DLL
C:\WINDOWS\System32\msvbvm60.dll
C:\WINDOWS\Downloaded Program Files\ActiveSign.dll

O16 -: {1DB93715-3B60-43EE-93E6-279BB3E1DF76} - hxxp://213.16.24.101:8080/cab/OCXChecker_6110.cab
C:\WINDOWS\Downloaded Program Files\OCXDownloadChecker.inf
C:\WINDOWS\Downloaded Program Files\OCXDownloadChecker_6110.ocx

O16 -: {DBAFE6AD-DC14-45DF-A3F7-F8832289A1CD} - hxxp://213.16.24.101:8080/cab/DownloadFile_7000.cab
C:\WINDOWS\Downloaded Program Files\Download.inf
C:\WINDOWS\Downloaded Program Files\Download_7000.ocx

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-21 18:52:36
Windows 5.1.2600 Service Pack 2 NTFS

Scanning hidden processes ...

Scanning hidden autostart entries ...

Scanning hidden files ...

Scan completed successfully
Hidden files: 0

**************************************************************************
.
Completion time: 2008-07-21 18:56:54
ComboFix-quarantined-files.txt 2008-07-21 22:56:43
ComboFix2.txt 2008-07-17 20:46:26

Pre-Run: 26,707,017,728 bytes free
Post-Run: 26,794,024,960 bytes free

141 --- E O F --- 2008-07-17 04:07:11

Lyonnais92 · Answer

Re,  Copy or print the instructions before  Disconnect from the internet and close all your applications.  Disable your protections (antivirus, firewall, real-time protection of the antispyware)   Create a new text document: right-click on the desktop > New > Text Document, and copy the following lines into it:    Registry:: [HKEY_CURRENT_USER\software\microsoft\windows\currentversion­\explorer\mountpoints2\{6c138b72-2f24-11dd-a5a2-00080ddf4fdb­}\AutoRun\command] @="" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion­\explorer\mountpoints2\{caaa0ed6-8975-11dc-a55f-00080ddf4fdb­}\AutoRun\command] @="" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion­\explorer\mountpoints2\{f5cd7da8-da49-11dc-a580-00080ddf4fdb­}\AutoRun\command] @=""   Save this file as CFscript   Drag and drop this CFscript file onto the ComboFix.exe file  Click on the CFscript file, keep the mouse button pressed and drag the mouse so that the CFscript icon covers the ComboFix icon. Release the mouse. ComboFix will start.  A blue window will appear: when the message appears ( Type 1 to continue, or 2 to abort), type 1 and press enter.  Wait for the scan to finish. The desktop will disappear several times: this is normal!  Do not touch anything until the scan is complete.  Re-enable your firewall, your antivirus, and the protection of your antispyware  Once the scan is complete, a report will be displayed: post its contents.  Also provide a Hijackthis report   If the file does not open, it is located here > C:\ComboFix.txt  Warning: this manipulation was done for this computer. Any reuse may severely damage the operating system. --  @+ Never accept disinfection by private message.

Lasto97 · Answer

Thank you, here is the report from Combofix ComboFix 08-07-21.1 - Administrator 2008-07-25 17:34:12.5 - NTFSx86 Location: C:\Documents and Settings\Administrator\Desktop\nonabagle.exe Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFscript.txt * Creating a new restore point [color=red][b]WARNING - THE RECOVERY CONSOLE IS NOT INSTALLED ON THIS MACHINE !![/b][/color] . ((((((((((((((((((((((((((((( Files created 2008-06-25 to 2008-07-25 )))))))))))))))))))))))))))))))))))) . 2008-07-22 08:04 . 2008-07-22 08:04 d-------- C:\Deckard 2008-07-21 13:33 . 2008-07-21 13:55 d-------- C:\Program Files\RegistryQuick 2008-07-17 17:25 . 2008-07-17 17:28 d-------- C:\Combo-Fix 2008-06-25 16:59 . 2008-06-25 16:59 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2 . (((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))) . 2008-07-23 19:04 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\WLInstaller 2008-07-22 12:01 --------- d-----w C:\Program Files\Trend Micro 2008-07-17 04:04 --------- d-----w C:\Program Files\Microsoft Works 2008-07-16 01:14 --------- d-----w C:\Documents and Settings\Administrator\Application Data\MSN6 2008-06-30 15:04 --------- d-----w C:\Program Files\Bac_v7 2008-06-21 17:55 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller 2008-06-14 17:59 272,768 ------w C:\WINDOWS\system32\drivers\bthport.sys 2008-06-02 20:39 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll 2008-06-02 20:39 --------- d--h--r C:\Documents and Settings\Administrator\Application Data\SecuROM 2008-06-02 20:29 --------- d-----w C:\Program Files\Common Files\MainConcept 2008-06-02 20:28 --------- d-----w C:\Program Files\Micro Application 2008-05-31 15:21 --------- d-----w C:\Program Files\OrangeFrance 2008-05-07 05:15 1,293,824 ----a-w C:\WINDOWS\system32\quartz.dll . ((((((((((((((((((((((((((((( snapshot@2008-07-17_16.44.52.12 ))))))))))))))))))))))))))))))))))))))))) . + 2005-10-21 00:02:28 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE - 2008-06-03 13:59:49 63,522 ----a-w C:\WINDOWS\system32\perfc009.dat + 2008-07-17 22:03:51 63,522 ----a-w C:\WINDOWS\system32\perfc009.dat - 2008-06-03 13:59:49 76,582 ----a-w C:\WINDOWS\system32\perfc00C.dat + 2008-07-17 22:03:51 76,582 ----a-w C:\WINDOWS\system32\perfc00C.dat - 2008-06-03 13:59:49 404,302 ----a-w C:\WINDOWS\system32\perfh009.dat + 2008-07-17 22:03:51 404,302 ----a-w C:\WINDOWS\system32\perfh009.dat - 2008-06-03 13:59:49 471,484 ----a-w C:\WINDOWS\system32\perfh00C.dat + 2008-07-17 22:03:51 471,484 ----a-w C:\WINDOWS\system32\perfh00C.dat + 2008-07-25 11:17:36 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_a3c.dat . ((((((((((((((((((((((((((((((((( Registry Load Point ))))))))))))))))))))))))))))))))))))))))))))))))) . . REGEDIT4 *Note* empty entries & legitimate initial entries are not listed [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 19:09 15360] "TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-15 12:19 65536] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-04-06 20:19 155648] "HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-06 20:07 114688] "00THotkey"="C:\WINDOWS\System32\[u]0[/u]0THotkey.exe" [2003-05-23 09:20 253952] "Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-07-17 13:38 159744] "TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2003-03-11 08:58 122880] "PadTouch"="C:\Program Files\TOSHIBA\PadTouch\PadExe.exe" [2003-11-24 06:51 1019904] "ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-08-20 06:29 40960] "DkAutoReg.exe"="C:\Program Files\Rainbow Technologies\iKey 2000 Series Software\DkAutoReg.exe" [2002-07-24 20:09 241664] "DkStartup"="C:\Program Files\Rainbow Technologies\iKey 2000 Series Software\DkStartup.exe" [2002-07-24 20:12 217088] "OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2007-05-08 00:43 702072] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43 83608] "000StTHK"="000StTHK.exe" [2001-06-23 15:28 24576 C:\WINDOWS\system32\[u]0[/u]00StTHK.exe] "LTSMMSG"="LTSMMSG.exe" [2003-04-18 06:06 32768 C:\WINDOWS\ltsmmsg.exe] "TFNF5"="TFNF5.exe" [2003-10-15 12:03 73728 C:\WINDOWS\system32\TFNF5.exe] "TPSMain"="TPSMain.exe" [2003-12-01 07:09 266240 C:\WINDOWS\system32\TPSMain.exe] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-19 19:09 15360] C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\ Quick launch of Microsoft Office OneNote 2003.lnk - C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-04-19 13:49:52 64864] C:\DOCUME~1\ALLUSE~1\MENUDM~1\PROGRA~1\DMARRA~1\ Quick launch of Adobe Reader.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696] Orange Caribbean.lnk - C:\Program Files\OrangeFrance\Orange Caribbean\Orange Caribbean.exe [2008-01-14 14:01:50 872448] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "vidc.mpg4"= C:\WINDOWS\mpg4c32.dll "vidc.mpg2"= C:\WINDOWS\mpg4c32.dll "vidc.mpg3"= C:\WINDOWS\mpg4c32.dll "vidc.GEOX"= C:\WINDOWS\system32\GeoCodec.dll [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quick launch of Microsoft Office OneNote 2003.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quick launch of Microsoft Office OneNote 2003.lnk backup=C:\WINDOWS\pss\Quick launch of Microsoft Office OneNote 2003.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Drag'n Drop CD+DVD] --------- 2003-08-08 18:54 1175552 C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\system32\sessmgr.exe"= "%windir%\Network Diagnostic\xpnetdiag.exe"= "C:\Program Files\Messenger\msmsgs.exe"= R3 GT72NDISIPXP;GT 72 IP NDIS;C:\WINDOWS\system32\DRIVERS\Gt51Ip.sys [2007-07-09 14:17] R3 GT72UBUS;GT 72 U BUS;C:\WINDOWS\system32\DRIVERS\gt72ubus.sys [2007-06-26 13:38] R3 GTPTSER;GT PT SER;C:\WINDOWS\system32\DRIVERS\gtptser.sys [2007-03-30 13:38] R3 iKeyEnum;Rainbow iKey Enumerator;C:\WINDOWS\system32\DRIVERS\ikeyenum.sys [2004-03-16 03:04] R3 iKeyIFD;Rainbow iKey Virtual Reader;C:\WINDOWS\system32\DRIVERS\ikeyifd.sys [2004-03-16 03:04] S3 PAMScan;PAMScan;C:\WINDOWS\System32\DRIVERS\PAMScan.SYS [2003-09-06 10:22] S3 RnbToken;Rainbow iKey Token Service;C:\WINDOWS\system32\DRIVERS\rnbtoken.sys [2004-03-16 03:04] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6c138b72-2f24-11dd-a5a2-00080ddf4fdb}] \Shell\AutoRun\command - E:\setup.exe AUTORUN=1 [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{caaa0ed6-8975-11dc-a55f-00080ddf4fdb}] \Shell\AutoRun\command - RavMon.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f5cd7da8-da49-11dc-a580-00080ddf4fdb}] \Shell\AutoRun\command - RavMon.exe *Newly Created Service* - CATCHME . ************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-07-25 17:37:35 Windows 5.1.2600 Service Pack 2 NTFS Scanning hidden processes ... Scanning hidden autostart entries ... Scanning hidden files ... Scan completed successfully Hidden files: 0 ************************************************************************** . Completion time: 2008-07-25 17:40:55 ComboFix-quarantined-files.txt 2008-07-25 21:40:43 ComboFix2.txt 2008-07-25 20:59:46 ComboFix3.txt 2008-07-23 21:41:12 ComboFix4.txt 2008-07-21 22:56:55 ComboFix5.txt 2008-07-25 21:32:52 Pre-Run: 26,681,888,768 bytes free Post-Run: 26,682,986,496 bytes free 123 --- E O F --- 2008-07-17 04:07:11

Lasto97 · Answer

And here is the one from HIjackThis  Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 17:46:13, on 25/07/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16674) Boot mode: Normal  Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe C:\WINDOWS\System32\DkLog.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Trend Micro\OfficeScan Client
trtscan.exe C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Trend Micro\OfficeScan Client	mlisten.exe C:\WINDOWS\System32\dkcktkn.exe C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe C:\WINDOWS\System32\igfxtray.exe C:\WINDOWS\System32\hkcmd.exe C:\WINDOWS\System32\00THotkey.exe C:\WINDOWS\LTSMMSG.exe C:\Program Files\Apoint2K\Apoint.exe C:\Program Files\TOSHIBA\TouchED\TouchED.Exe C:\Program Files\TOSHIBA\PadTouch\PadExe.exe C:\WINDOWS\system32\TFNF5.exe C:\WINDOWS\system32\TPSMain.exe C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe C:\WINDOWS\system32\TPSBattM.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\TOSHIBA\TOSCDSPD	oscdspd.exe C:\Program Files\Apoint2K\Apntex.exe C:\Program Files\OrangeFrance\Orange Caraibes\Orange Caraibes.exe C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE C:\WINDOWS\explorer.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe  R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.fr/?gws_rd=ssl R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/?ocid=iehp R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Links O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O2 - BHO: Windows Live Sign-in Assistant Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe O4 - HKLM\..\Run: [PadTouch] "C:\Program Files\TOSHIBA\PadTouch\PadExe.exe O4 - HKLM\..\Run: [TFNF5] TFNF5.exe O4 - HKLM\..\Run: [TPSMain] TPSMain.exe O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe O4 - HKLM\..\Run: [DkAutoReg.exe] C:\Program Files\Rainbow Technologies\iKey 2000 Series Software\DkAutoReg.exe O4 - HKLM\..\Run: [DkStartup] C:\Program Files\Rainbow Technologies\iKey 2000 Series Software\DkStartup.exe O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD	oscdspd.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-21-236484741-1526085705-1231754661-500\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe (User '?') O4 - HKUS\S-1-5-21-758272587-884759815-925700815-1018\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User '?') O4 - HKUS\S-1-5-21-758272587-884759815-925700815-1071\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe (User '?') O4 - HKUS\S-1-5-21-758272587-884759815-925700815-1114\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User '?') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user') O4 - Startup: Quick Launch of Microsoft Office OneNote 2003.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE O4 - Global Startup: Quick Launch of Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Readereader_sl.exe O4 - Global Startup: Orange Caraibes.lnk = C:\Program Files\OrangeFrance\Orange Caraibes\Orange Caraibes.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra 'Tools' menu item: Java Console (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra button: Search - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menu item: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menu item: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O14 - IERESET.INF: START_PAGE_URL=file:///C:\Program Files\TOSHIBA\Free Update Service\splash.html O16 - DPF: {1856D980-6604-4504-AE2E-6EEE0235FCF5} (ActiveSign.CapicomInterface) - http://www.certeurope.fr/fichiers/activesign/1.2.0.2/ActiveSign.CAB O16 - DPF: {1DB93715-3B60-43EE-93E6-279BB3E1DF76} (OCXDownloadChecker Control) - http://213.16.24.101:8080/cab/OCXChecker_6110.cab O16 - DPF: {DBAFE6AD-DC14-45DF-A3F7-F8832289A1CD} (DownloadFile Control) - http://213.16.24.101:8080/cab/DownloadFile_7000.cab O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = vauclin.sud O17 - HKLM\Software\..\Telephony: DomainName = vauclin.sud O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = vauclin.sud O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = vauclin.sud O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe O23 - Service: Datakey's Log Service (DkLogger) - Datakey, Inc. - C:\WINDOWS\System32\DkLog.exe O23 - Service: Datakey's Token Service (DkTknSrv) - Datakey, Inc. - C:\WINDOWS\System32\dkcktkn.exe O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client
trtscan.exe O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client	mlisten.exe O23 - Service: OfficeScan NT Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe  -- End of file - 8157 bytes

Lyonnais92 · Answer

Re,  it didn't work because of me.  Start again with these lines:  [HKEY_CURRENT_USER\software\microsoft\windows\currentversion­\explorer\mountpoints2\{6c138b72-2f24-11dd-a5a2-00080ddf4fdb­}\Shell\AutoRun\command] @=""  [HKEY_CURRENT_USER\software\microsoft\windows\currentversion­\explorer\mountpoints2\{caaa0ed6-8975-11dc-a55f-00080ddf4fdb­}\Shell\AutoRun\command] @=""  [HKEY_CURRENT_USER\software\microsoft\windows\currentversion­\explorer\mountpoints2\{f5cd7da8-da49-11dc-a580-00080ddf4fdb­}\Shell\AutoRun\command] @=""  (be careful to follow the instructions regarding the Internet and security programs). --  @+ Never accept disinfection via PM.

Lasto97 · Answer

Here is the Combofix report ComboFix 08-07-21.1 - Administrator 2008-07-25 17:58:08.6 - NTFSx86 Location: C:\Documents and Settings\Administrator\Desktop\nonabagle.exe Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFscript.txt * Creation of a new restore point [color=red][b]WARNING - THE RECOVERY CONSOLE IS NOT INSTALLED ON THIS MACHINE !![/b][/color] . ((((((((((((((((((((((((((((( Files created 2008-06-25 to 2008-07-25 )))))))))))))))))))))))))))))))))))) . 2008-07-22 08:04 . 2008-07-22 08:04 d-------- C:\Deckard 2008-07-21 13:33 . 2008-07-21 13:55 d-------- C:\Program Files\RegistryQuick 2008-07-17 17:25 . 2008-07-17 17:28 d-------- C:\Combo-Fix 2008-06-25 16:59 . 2008-06-25 16:59 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2 . (((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))) . 2008-07-23 19:04 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\WLInstaller 2008-07-22 12:01 --------- d-----w C:\Program Files\Trend Micro 2008-07-17 04:04 --------- d-----w C:\Program Files\Microsoft Works 2008-07-16 01:14 --------- d-----w C:\Documents and Settings\Administrator\Application Data\MSN6 2008-06-30 15:04 --------- d-----w C:\Program Files\Bac_v7 2008-06-21 17:55 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller 2008-06-14 17:59 272,768 ------w C:\WINDOWS\system32\drivers\bthport.sys 2008-06-02 20:39 --------- d--h--r C:\Documents and Settings\Administrator\Application Data\SecuROM 2008-06-02 20:29 --------- d-----w C:\Program Files\Common Files\MainConcept 2008-06-02 20:28 --------- d-----w C:\Program Files\Micro Application 2008-05-31 15:21 --------- d-----w C:\Program Files\OrgangeFrance . ((((((((((((((((((((((((((((( snapshot@2008-07-17_16.44.52.12 ))))))))))))))))))))))))))))))))))))))))) . + 2005-10-21 00:02:28 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE - 2008-06-03 13:59:49 63,522 ----a-w C:\WINDOWS\system32\perfc009.dat + 2008-07-17 22:03:51 63,522 ----a-w C:\WINDOWS\system32\perfc009.dat - 2008-06-03 13:59:49 76,582 ----a-w C:\WINDOWS\system32\perfc00C.dat + 2008-07-17 22:03:51 76,582 ----a-w C:\WINDOWS\system32\perfc00C.dat - 2008-06-03 13:59:49 404,302 ----a-w C:\WINDOWS\system32\perfh009.dat + 2008-07-17 22:03:51 404,302 ----a-w C:\WINDOWS\system32\perfh009.dat - 2008-06-03 13:59:49 471,484 ----a-w C:\WINDOWS\system32\perfh00C.dat + 2008-07-17 22:03:51 471,484 ----a-w C:\WINDOWS\system32\perfh00C.dat + 2008-07-25 11:17:36 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_a3c.dat . ((((((((((((((((((((((((((((((((( Reg Loading Point ))))))))))))))))))))))))))))))))))))))))))))))))) . . REGEDIT4 *Note* empty items & initial legitimate items are not listed [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 19:09 15360] "TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-15 12:19 65536] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-04-06 20:19 155648] "HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-06 20:07 114688] "00THotkey"="C:\WINDOWS\System32\[u]0[/u]0THotkey.exe" [2003-05-23 09:20 253952] "Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-07-17 13:38 159744] "TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2003-03-11 08:58 122880] "PadTouch"="C:\Program Files\TOSHIBA\PadTouch\PadExe.exe" [2003-11-24 06:51 1019904] "ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-08-20 06:29 40960] "DkAutoReg.exe"="C:\Program Files\Rainbow Technologies\iKey 2000 Series Software\DkAutoReg.exe" [2002-07-24 20:09 241664] "DkStartup"="C:\Program Files\Rainbow Technologies\iKey 2000 Series Software\DkStartup.exe" [2002-07-24 20:12 217088] "OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2007-05-08 00:43 702072] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43 83608] "000StTHK"="000StTHK.exe" [2001-06-23 15:28 24576 C:\WINDOWS\system32\[u]0[/u]00StTHK.exe] "LTSMMSG"="LTSMMSG.exe" [2003-04-18 06:06 32768 C:\WINDOWS\ltsmmsg.exe] "TFNF5"="TFNF5.exe" [2003-10-15 12:03 73728 C:\WINDOWS\system32\TFNF5.exe] "TPSMain"="TPSMain.exe" [2003-12-01 07:09 266240 C:\WINDOWS\system32\TPSMain.exe] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-19 19:09 15360] C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\ Quick launch of Microsoft Office OneNote 2003.lnk - C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-04-19 13:49:52 64864] C:\DOCUME~1\ALLUSE~1\MENUDM~1\PROGRA~1\STARTU~1\ Quick launch of Adobe Reader.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696] Orange Caraibes.lnk - C:\Program Files\OrgangeFrance\Orange Caraibes\Orange Caraibes.exe [2008-01-14 14:01:50 872448] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "vidc.mpg4"= C:\WINDOWS\mpg4c32.dll "vidc.mpg2"= C:\WINDOWS\mpg4c32.dll "vidc.mpg3"= C:\WINDOWS\mpg4c32.dll "vidc.GEOX"= C:\WINDOWS\system32\GeoCodec.dll [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programs^Startup^Quick launch of Microsoft Office OneNote 2003.lnk] path=C:\Documents and Settings\All Users\Menu Start\Programs\Startup\Quick launch of Microsoft Office OneNote 2003.lnk backup=C:\WINDOWS\pss\Quick launch of Microsoft Office OneNote 2003.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Drag'n Drop CD+DVD] --------- 2003-08-08 18:54 1175552 C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\system32\sessmgr.exe"= "%windir%\Network Diagnostic\xpnetdiag.exe"= "C:\Program Files\Messenger\msmsgs.exe"= R3 GT72NDISIPXP;GT 72 IP NDIS;C:\WINDOWS\system32\DRIVERS\Gt51Ip.sys [2007-07-09 14:17] R3 GT72UBUS;GT 72 U BUS;C:\WINDOWS\system32\DRIVERS\gt72ubus.sys [2007-06-26 13:38] R3 GTPTSER;GT PT SER;C:\WINDOWS\system32\DRIVERS\gtptser.sys [2007-03-30 13:38] R3 iKeyEnum;Rainbow iKey Enumerator;C:\WINDOWS\system32\DRIVERS\ikeyenum.sys [2004-03-16 03:04] R3 iKeyIFD;Rainbow iKey Virtual Reader;C:\WINDOWS\system32\DRIVERS\ikeyifd.sys [2004-03-16 03:04] S3 PAMScan;PAMScan;C:\WINDOWS\System32\DRIVERS\PAMScan.SYS [2003-09-06 10:22] S3 RnbToken;Rainbow iKey Token Service;C:\WINDOWS\system32\DRIVERS\rnbtoken.sys [2004-03-16 03:04] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6c138b72-2f24-11dd-a5a2-00080ddf4fdb}] \Shell\AutoRun\command - E:\setup.exe AUTORUN=1 [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{caaa0ed6-8975-11dc-a55f-00080ddf4fdb}] \Shell\AutoRun\command - RavMon.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f5cd7da8-da49-11dc-a580-00080ddf4fdb}] \Shell\AutoRun\command - RavMon.exe *Newly Created Service* - CATCHME . ************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-07-25 18:01:33 Windows 5.1.2600 Service Pack 2 NTFS Scanning for hidden processes ... C:\WINDOWS\explorer.exe [556] 0xFF645220 Scanning hidden autostart entries ... Scanning hidden files ... Scan completed successfully Hidden files: 0 ************************************************************************** . Time elapsed: 2008-07-25 18:05:13 ComboFix-quarantined-files.txt 2008-07-25 22:05:03 ComboFix2.txt 2008-07-25 21:40:56 ComboFix3.txt 2008-07-25 20:59:46 ComboFix4.txt 2008-07-23 21:41:12 ComboFix5.txt 2008-07-25 21:56:40 Pre-Run: 26,655,698,944 bytes free Post-Run: 26,658,897,920 bytes free 122 --- E O F --- 2008-07-17 04:07:11

Lasto97 · Answer

And the Hijackthis report  Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 18:07:19, on 25/07/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16674) Boot mode: Normal  Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe C:\WINDOWS\System32\DkLog.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Trend Micro\OfficeScan Client
trtscan.exe C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Trend Micro\OfficeScan Client	mlisten.exe C:\WINDOWS\System32\dkcktkn.exe C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe C:\WINDOWS\System32\igfxtray.exe C:\WINDOWS\System32\hkcmd.exe C:\WINDOWS\System32\00THotkey.exe C:\WINDOWS\LTSMMSG.exe C:\Program Files\Apoint2K\Apoint.exe C:\Program Files\TOSHIBA\TouchED\TouchED.Exe C:\Program Files\TOSHIBA\PadTouch\PadExe.exe C:\WINDOWS\system32\TFNF5.exe C:\WINDOWS\system32\TPSMain.exe C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe C:\WINDOWS\system32\TPSBattM.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\TOSHIBA\TOSCDSPD	oscdspd.exe C:\Program Files\Apoint2K\Apntex.exe C:\Program Files\OrangeFrance\Orange Caraibes\Orange Caraibes.exe C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE C:\WINDOWS\explorer.exe C:\WINDOWS\system32
otepad.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe  R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.fr/?gws_rd=ssl R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/?ocid=iehp R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Links O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O2 - BHO: Windows Live Sign-in Assistant Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe O4 - HKLM\..\Run: [PadTouch] "C:\Program Files\TOSHIBA\PadTouch\PadExe.exe O4 - HKLM\..\Run: [TFNF5] TFNF5.exe O4 - HKLM\..\Run: [TPSMain] TPSMain.exe O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe O4 - HKLM\..\Run: [DkAutoReg.exe] C:\Program Files\Rainbow Technologies\iKey 2000 Series Software\DkAutoReg.exe O4 - HKLM\..\Run: [DkStartup] C:\Program Files\Rainbow Technologies\iKey 2000 Series Software\DkStartup.exe O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD	oscdspd.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-21-236484741-1526085705-1231754661-500\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe (User '?') O4 - HKUS\S-1-5-21-758272587-884759815-925700815-1018\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User '?') O4 - HKUS\S-1-5-21-758272587-884759815-925700815-1071\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe (User '?') O4 - HKUS\S-1-5-21-758272587-884759815-925700815-1114\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User '?') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user') O4 - Startup: Quick Launch of Microsoft Office OneNote 2003.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE O4 - Global Startup: Quick Launch of Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Readereader_sl.exe O4 - Global Startup: Orange Caraibes.lnk = C:\Program Files\OrangeFrance\Orange Caraibes\Orange Caraibes.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra 'Tools' menuitem: Java Console (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra button: Search - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O14 - IERESET.INF: START_PAGE_URL=file:///C:\Program Files\TOSHIBA\Free Update Service\splash.html O16 - DPF: {1856D980-6604-4504-AE2E-6EEE0235FCF5} (ActiveSign.CapicomInterface) - http://www.certeurope.fr/fichiers/activesign/1.2.0.2/ActiveSign.CAB O16 - DPF: {1DB93715-3B60-43EE-93E6-279BB3E1DF76} (OCXDownloadChecker Control) - http://213.16.24.101:8080/cab/OCXChecker_6110.cab O16 - DPF: {DBAFE6AD-DC14-45DF-A3F7-F8832289A1CD} (DownloadFile Control) - http://213.16.24.101:8080/cab/DownloadFile_7000.cab O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = vauclin.sud O17 - HKLM\Software\..\Telephony: DomainName = vauclin.sud O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = vauclin.sud O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = vauclin.sud O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe O23 - Service: Datakey's Log Service (DkLogger) - Datakey, Inc. - C:\WINDOWS\System32\DkLog.exe O23 - Service: Datakey's Token Service (DkTknSrv) - Datakey, Inc. - C:\WINDOWS\System32\dkcktkn.exe O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client
trtscan.exe O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client	mlisten.exe O23 - Service: OfficeScan NT Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe  -- End of file - 8059 bytes

Lyonnais92 · Answer

Re,  so it goes like this:  [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion­\explorer\mountpoints2\{6c138b72-2f24-11dd-a5a2-00080ddf4fdb­}]   [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion­\explorer\mountpoints2\{caaa0ed6-8975-11dc-a55f-00080ddf4fdb­}]   [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion­\explorer\mountpoints2\{f5cd7da8-da49-11dc-a580-00080ddf4fdb­}]    No need to post the Hijackthis report. --  @+ Never accept a disinfection via private message.

Lasto97 · Answer

ComboFix 08-07-21.1 - Administrator 2008-07-21 18:48:05.2 - NTFSx86
Location: C:\Documents and Settings\Administrator\Desktop\nonabagle.exe
* Creating a new restore point

[color=red][b]WARNING - THE RECOVERY CONSOLE IS NOT INSTALLED ON THIS MACHINE !![/b][/color]
.

(((((((((((((((((((((((((((((((((((( Other deletions ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\InfoSat.txt

.
((((((((((((((((((((((((((((( Files created 2008-06-21 to 2008-07-21 ))))))))))))))))))))))))))))))))))))
.

2008-07-21 13:33 . 2008-07-21 13:55 <REP> d-------- C:\Program Files\RegistryQuick
2008-07-17 17:25 . 2008-07-17 17:28 <REP> d-------- C:\Combo-Fix
2008-06-25 16:59 . 2008-06-25 16:59 <REP> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-06-21 14:52 . 2008-06-14 13:59 272,768 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-21 13:28 . 2008-06-21 13:55 <REP> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-06-21 13:27 . 2008-07-21 16:56 <REP> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\WLInstaller

.
(((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-17 04:04 --------- d-----w C:\Program Files\Microsoft Works
2008-07-16 01:14 --------- d-----w C:\Documents and Settings\Administrator\Application Data\MSN6
2008-07-16 01:14 --------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\MSN6
2008-06-30 15:04 --------- d-----w C:\Program Files\Bac_v7
2008-06-14 17:59 272,768 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-02 20:39 --------- d--h--r C:\Documents and Settings\Administrator\Application Data\SecuROM
2008-06-02 20:39 --------- d--h--r C:\DOCUME~1\ADMINI~1\APPLIC~1\SecuROM
2008-06-02 20:29 --------- d-----w C:\Program Files\Common Files\MainConcept
2008-06-02 20:28 --------- d-----w C:\Program Files\Micro Application
2008-05-31 15:21 --------- d-----w C:\Program Files\OrgangeFrance
.

((((((((((((((((((((((((((((( snapshot@2008-07-17_16.44.52.12 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-03 13:59:49 63,522 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-07-17 22:03:51 63,522 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-06-03 13:59:49 76,582 ----a-w C:\WINDOWS\system32\perfc00C.dat
+ 2008-07-17 22:03:51 76,582 ----a-w C:\WINDOWS\system32\perfc00C.dat
- 2008-06-03 13:59:49 404,302 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-07-17 22:03:51 404,302 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2008-06-03 13:59:49 471,484 ----a-w C:\WINDOWS\system32\perfh00C.dat
+ 2008-07-17 22:03:51 471,484 ----a-w C:\WINDOWS\system32\perfh00C.dat
+ 2008-07-21 17:48:56 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_b0c.dat
.
((((((((((((((((((((((((((((((((( Reg loading point )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* empty items & legitimate initial items are not listed

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 19:09 15360]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-15 12:19 65536]
"DWQueuedReporting"="C:\PROGRA~1\FICHIE~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 19:29 39264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-04-06 20:19 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-06 20:07 114688]
"00THotkey"="C:\WINDOWS\System32\[u]0[/u]0THotkey.exe" [2003-05-23 09:20 253952]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-07-17 13:38 159744]
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2003-03-11 08:58 122880]
"PadTouch"="C:\Program Files\TOSHIBA\PadTouch\PadExe.exe" [2003-11-24 06:51 1019904]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-08-20 06:29 40960]
"DkAutoReg.exe"="C:\Program Files\Rainbow Technologies\iKey 2000 Series Software\DkAutoReg.exe" [2002-07-24 20:09 241664]
"DkStartup"="C:\Program Files\Rainbow Technologies\iKey 2000 Series Software\DkStartup.exe" [2002-07-24 20:12 217088]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2007-05-08 00:43 702072]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43 83608]
"000StTHK"="000StTHK.exe" [2001-06-23 15:28 24576 C:\WINDOWS\system32\[u]0[/u]00StTHK.exe]
"LTSMMSG"="LTSMMSG.exe" [2003-04-18 06:06 32768 C:\WINDOWS\ltsmmsg.exe]
"TFNF5"="TFNF5.exe" [2003-10-15 12:03 73728 C:\WINDOWS\system32\TFNF5.exe]
"TPSMain"="TPSMain.exe" [2003-12-01 07:09 266240 C:\WINDOWS\system32\TPSMain.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-19 19:09 15360]

C:\DOCUME~1\ALLUSE~1\MENUDM~1\PROGRA~1\DMARRA~1\
Quick launch of Adobe Reader.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Orange Caraibes.lnk - C:\Program Files\OrgangeFrance\Orange Caraibes\Orange Caraibes.exe [2008-01-14 14:01:50 872448]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.mpg4"= C:\WINDOWS\mpg4c32.dll
"vidc.mpg2"= C:\WINDOWS\mpg4c32.dll
"vidc.mpg3"= C:\WINDOWS\mpg4c32.dll
"vidc.GEOX"= C:\WINDOWS\system32\GeoCodec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quick launch of Microsoft Office OneNote 2003.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quick launch of Microsoft Office OneNote 2003.lnk
backup=C:\WINDOWS\pss\Quick launch of Microsoft Office OneNote 2003.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Drag'n Drop CD+DVD]
--------- 2003-08-08 18:54 1175552 C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=

R3 GT72NDISIPXP;GT 72 IP NDIS;C:\WINDOWS\system32\DRIVERS\Gt51Ip.sys [2007-07-09 14:17]
R3 GT72UBUS;GT 72 U BUS;C:\WINDOWS\system32\DRIVERS\gt72ubus.sys [2007-06-26 13:38]
R3 GTPTSER;GT PT SER;C:\WINDOWS\system32\DRIVERS\gtptser.sys [2007-03-30 13:38]
R3 iKeyEnum;Rainbow iKey Enumerator;C:\WINDOWS\system32\DRIVERS\ikeyenum.sys [2004-03-16 03:04]
R3 iKeyIFD;Rainbow iKey Virtual Reader;C:\WINDOWS\system32\DRIVERS\ikeyifd.sys [2004-03-16 03:04]
S3 PAMScan;PAMScan;C:\WINDOWS\System32\DRIVERS\PAMScan.SYS [2003-09-06 10:22]
S3 RnbToken;Rainbow iKey Token Service;C:\WINDOWS\system32\DRIVERS\rnbtoken.sys [2004-03-16 03:04]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6c138b72-2f24-11dd-a5a2-00080ddf4fdb}]
\Shell\AutoRun\command - E:\setup.exe AUTORUN=1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{caaa0ed6-8975-11dc-a55f-00080ddf4fdb}]
\Shell\AutoRun\command - RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f5cd7da8-da49-11dc-a580-00080ddf4fdb}]
\Shell\AutoRun\command - RavMon.exe
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-RegistryQuick.exe - C:\Program Files\RegistryQuick\RegistryQuick.exe

.
------- Supplementary Scan -------
.
R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore
O8 -: E&xporter to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O16 -: {1856D980-6604-4504-AE2E-6EEE0235FCF5} - hxxp://www.certeurope.fr/files/activesign/1.2.0.2/ActiveSign.CAB
C:\WINDOWS\Downloaded Program Files\ActiveSign.INF
C:\WINDOWS\System32\OLEAUT32.DLL
C:\WINDOWS\System32\OLEPRO32.DLL
C:\WINDOWS\System32\ASYCFILT.DLL
C:\WINDOWS\System32\STDOLE2.TLB
C:\WINDOWS\System32\COMCAT.DLL
C:\WINDOWS\System32\msvbvm60.dll
C:\WINDOWS\Downloaded Program Files\ActiveSign.dll

O16 -: {1DB93715-3B60-43EE-93E6-279BB3E1DF76} - hxxp://213.16.24.101:8080/cab/OCXChecker_6110.cab
C:\WINDOWS\Downloaded Program Files\OCXDownloadChecker.inf
C:\WINDOWS\Downloaded Program Files\OCXDownloadChecker_6110.ocx

O16 -: {DBAFE6AD-DC14-45DF-A3F7-F8832289A1CD} - hxxp://213.16.24.101:8080/cab/DownloadFile_7000.cab
C:\WINDOWS\Downloaded Program Files\Download.inf
C:\WINDOWS\Downloaded Program Files\Download_7000.ocx

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-21 18:52:36
Windows 5.1.2600 Service Pack 2 NTFS

Scanning hidden processes ...

Scanning hidden autostart entries ...

Scanning hidden files ...

Scan completed successfully
Hidden files: 0

**************************************************************************
.
Completion time: 2008-07-21 18:56:54
ComboFix-quarantined-files.txt 2008-07-21 22:56:43
ComboFix2.txt 2008-07-17 20:46:26

Pre-Run: 26,707,017,728 bytes free
Post-Run: 26,794,024,960 bytes free

141 --- E O F --- 2008-07-17 04:07:11

Lyonnais92 · Answer

Re,  can you search for Ravmon.exe on your hard drive (Windows search function). Thank you.  Give me its full name. --  @+ Never accept a cleaning via DM.

Lasto97 · Answer

What exactly is the full nm? Here is the file location. It is in the "SUSPECT" folder of the antivirus.  C:\Program Files\Trend Micro\OfficeScan Client\SUSPECT

Lyonnais92 · Answer

Hello,  delete it.  Rescan your computer.  Restart it.  Does a Ravmon.exe file still exist? --  Catch you later Never accept a disinfection by DM.

Lasto97 · Answer

Hello,  I deleted it, I scanned the computer with antivirus, antispyware, I searched for it and it's no longer there.

Lyonnais92 · Answer

Re,  OK.  Cleaning.  Read carefully and execute this procedure in order.  #Download and install these software (if you don't have them) for the first 3 update them as indicated in the demos or tutorials.  Do not use them right away.   Antispywares and others:  Download Malwarebytes' Anti-Malware (MBAM) and save it to your desktop from this link:  https://www.malwarebytes.com/  At the end of the download, close all windows and programs, including this one.  Double-click on the icon Download_mbam-setup.exe on your desktop to start the installation program.  During installation, follow the instructions (especially the language choice and Internet access permissions). Do not make any changes to the default settings and, at the end of the installation, make sure that the options Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware are checked.  MBAM will start automatically and will ask to update the program before running a scan. Since MBAM updates itself automatically at the end of installation, click OK to close the dialog box.   Cleaners (for useless files) and others:  *Ccleaner (free) Download: https://www.01net.com/telecharger/windows/Utilitaire/nettoyeurs_et_installeurs/fiches/32599.html Tutorial: https://www.vulgarisation-informatique.com/nettoyer-windows-ccleaner.php  During the installation, [uncheck] the option that would install the Yahoo! toolbar.  ======================================== ->Show all files and folders: click on start/control panel (in classic view)/folder options/view  [Check] "show hidden files and folders"  [Uncheck] the box "Hide protected operating system files (recommended)"  [Uncheck] "hide extensions for known file types"  Then click [apply] to confirm the changes.  And [Ok] .  =======================================  ->Boot in safe mode: To do this, tap the F8 key as soon as the PC starts up without stopping A window will open; use the arrow keys to navigate to start in safe mode then press "enter". Once on the desktop if all the colors and others are not there, that’s normal! (If F8 doesn’t work use F5).  ======================================== ->Launch CCleaner.  Deleting temporary files  Go to the "Options" section located in the left margin. Uncheck "Advanced" Then go back to the "Cleaner" section Be sure to check all these boxes in the left margin (Internet Explorer/Windows Explorer/System) • Click [Analyze] • Wait for the scan, which may take some time if it's the first time. • Once the scan is complete, click [Run Cleaner]    ======================================== Launch Malwarebytes AntiMalware  In the scan tab, make sure "Perform a full scan" is checked and click the Search button to start the scan.  MBAM scans your computer. The scan may take some time. Just check its progress from time to time.  At the end of the scan, a message will appear indicating the scan is complete. Click OK to continue.  If any malware was detected, their list will be displayed. By clicking on Remove (?), MBAM will destroy the files and registry keys and put a copy in quarantine.  MBAM will open Notepad and copy the scan report there. Close Notepad. (The report can be found under the Reports/logs tab)  Close MBAM by clicking Exit. ========================================  ->Restart CCleaner. Deleting registry inconsistencies  • Click on the [Registry] icon located in the left margin • Then click on [Scan for Issues] • Wait while CCleaner scans your registry. • Once the scan is complete, check all the entries it finds. • You can then click on [Fix Selected Issues].  If you are not sure what you are doing, you can choose to back up the checked entries for later restoration. ======================================== ->Empty your Recycle Bin. ======================================== ->Restart in normal mode,   - > Open this link to scan your PC with an online BitDefender (only under Internet Explorer):  https://www.bitdefender.com/toolbox/  Usage: Click on "I accept" then also accept the ActiveX blocked by the anti-popup bar of SP2 that will blink at the top and install it. Then click on "Click here to scan". Wait until the end of the scan which may take quite some time...  Copy/paste the entire report on the forum.  Image tutorial here: http://pageperso.aol.fr/rginformatique/mapage/defender.htm (thanks to Balltrap34 for this creation) [Check] the box "Hide protected operating system files (recommended)" --  @+ Never accept disinfection via PM.

Lasto97 · Answer

Hi,  I've done everything, but where is the Bitdefender report?? I hope I won't have to scan again. I thought a window would open for the report, but nothing happened, and I don't see any link that mentions the report.

Lyonnais92 · Answer

Re,  do you have a report for MBAM? --  See you later Never accept disinfection by DM.

Lasto97 · Answer

Yes, here it is  Malwarebytes' Anti-Malware 1.23 Database Version: 994 Windows 5.1.2600 Service Pack 2  13:51:31 26/07/2008 mbam-log-7-26-2008 (13-51-31).txt  Scan type: Full scan (C:\|) Items scanned: 87175 Elapsed time: 59 minute(s), 28 second(s)  Infected memory process(es): 0 Infected memory module(s): 0 Infected Registry key(s): 0 Infected Registry value(s): 0 Infected Registry data item(s): 0 Infected folder(s): 0 Infected file(s): 0  Infected memory process(es): (No harmful items detected)  Infected memory module(s): (No harmful items detected)  Infected Registry key(s): (No harmful items detected)  Infected Registry value(s): (No harmful items detected)  Infected Registry data item(s): (No harmful items detected)  Infected folder(s): (No harmful items detected)  Infected file(s): (No harmful items detected)

Lasto97 · Answer

Regarding Bitdefender, it found 3 infected files and deleted them.

Lyonnais92 · Answer

Re,  continuation of the cleaning.  Open this link:  http://service1.symantec.com/SUPPORT/INTER/tsgeninfointl.nsf/fr_docid/20020830101856924  first follow it to disable system restore.  Close the window.  Next, follow it to reactivate the restore.   * Download ToolsCleaner from A.Roshtein to your Desktop.  http://pc-system.fr/ hxxp://a-rothstein.changelog.fr/TC/ToolsCleaner2.exe hxxp://pagesperso-orange.fr/AceRothstein/ToolsCleaner2.exe  * Click on Search and let the scan finish.  * Click on Delete to finalize.  * You can, if you wish, use the Optional Options.  * Click on Exit, so that the report can be created.  * Send me the report (TCleaner.txt) that is located at the root of your hard drive (C:\). --  @+ Never accept a disinfection via PM.

Lasto97 · Answer

Hi,  I executed the first part. However, when I launch ToolsCleaner, it gives me a message saying "is not a valid win32 application."

Lyonnais92 · Answer

Re,  I don't like that.  Did you delete the cracks you downloaded?  Disconnect from the internet and close all your applications.  Disable your protections (antivirus, firewall, real-time antispyware guard)   Double-click on combofix.exe and follow the instructions  At the end, it will produce a report C:\ComboFix.txt  Re-enable your firewall, your antivirus, and the guard of your antispyware  Copy/paste the report C:\ComboFix.txt into your next reply.  Be careful, do not use your mouse or keyboard (nor any other pointing device) while the program is running. This could freeze the computer.  You have a complete tutorial here:  https://www.bleepingcomputer.com/combofix/fr/comment-utiliser-combofix --  @+ Never accept disinfection via private message.

Lasto97 · Answer

Yes, I deleted it a while ago.

Lyonnais92 · Answer

Re,  OK, still restart Combofix. --  Talk to you later Never accept a disinfection via private message.

Lasto97 · Answer

ComboFix 08-07-21.1 - Administrator 2008-07-21 18:48:05.2 - NTFSx86
Location: C:\Documents and Settings\Administrator\Desktop\nonabagle.exe
* Creating a new restore point

[color=red][b]WARNING - THE RECOVERY CONSOLE IS NOT INSTALLED ON THIS MACHINE !![/b][/color]
.

(((((((((((((((((((((((((((((((((((( Other deletions ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\InfoSat.txt

.
((((((((((((((((((((((((((((( Files created 2008-06-21 to 2008-07-21 ))))))))))))))))))))))))))))))))))))
.

2008-07-21 13:33 . 2008-07-21 13:55 <REP> d-------- C:\Program Files\RegistryQuick
2008-07-17 17:25 . 2008-07-17 17:28 <REP> d-------- C:\Combo-Fix
2008-06-25 16:59 . 2008-06-25 16:59 <REP> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-06-21 14:52 . 2008-06-14 13:59 272,768 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-21 13:28 . 2008-06-21 13:55 <REP> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-06-21 13:27 . 2008-07-21 16:56 <REP> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\WLInstaller

.
(((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-17 04:04 --------- d-----w C:\Program Files\Microsoft Works
2008-07-16 01:14 --------- d-----w C:\Documents and Settings\Administrator\Application Data\MSN6
2008-07-16 01:14 --------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\MSN6
2008-06-30 15:04 --------- d-----w C:\Program Files\Bac_v7
2008-06-14 17:59 272,768 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-02 20:39 --------- d--h--r C:\Documents and Settings\Administrator\Application Data\SecuROM
2008-06-02 20:39 --------- d--h--r C:\DOCUME~1\ADMINI~1\APPLIC~1\SecuROM
2008-06-02 20:29 --------- d-----w C:\Program Files\Common Files\MainConcept
2008-06-02 20:28 --------- d-----w C:\Program Files\Micro Application
2008-05-31 15:21 --------- d-----w C:\Program Files\OrgangeFrance
.

((((((((((((((((((((((((((((( snapshot@2008-07-17_16.44.52.12 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-03 13:59:49 63,522 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-07-17 22:03:51 63,522 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-06-03 13:59:49 76,582 ----a-w C:\WINDOWS\system32\perfc00C.dat
+ 2008-07-17 22:03:51 76,582 ----a-w C:\WINDOWS\system32\perfc00C.dat
- 2008-06-03 13:59:49 404,302 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-07-17 22:03:51 404,302 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2008-06-03 13:59:49 471,484 ----a-w C:\WINDOWS\system32\perfh00C.dat
+ 2008-07-17 22:03:51 471,484 ----a-w C:\WINDOWS\system32\perfh00C.dat
+ 2008-07-21 17:48:56 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_b0c.dat
.
((((((((((((((((((((((((((((((((( Reg loading point )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* empty items & legitimate initial items are not listed

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 19:09 15360]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-15 12:19 65536]
"DWQueuedReporting"="C:\PROGRA~1\FICHIE~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 19:29 39264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-04-06 20:19 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-06 20:07 114688]
"00THotkey"="C:\WINDOWS\System32\[u]0[/u]0THotkey.exe" [2003-05-23 09:20 253952]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-07-17 13:38 159744]
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2003-03-11 08:58 122880]
"PadTouch"="C:\Program Files\TOSHIBA\PadTouch\PadExe.exe" [2003-11-24 06:51 1019904]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-08-20 06:29 40960]
"DkAutoReg.exe"="C:\Program Files\Rainbow Technologies\iKey 2000 Series Software\DkAutoReg.exe" [2002-07-24 20:09 241664]
"DkStartup"="C:\Program Files\Rainbow Technologies\iKey 2000 Series Software\DkStartup.exe" [2002-07-24 20:12 217088]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2007-05-08 00:43 702072]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43 83608]
"000StTHK"="000StTHK.exe" [2001-06-23 15:28 24576 C:\WINDOWS\system32\[u]0[/u]00StTHK.exe]
"LTSMMSG"="LTSMMSG.exe" [2003-04-18 06:06 32768 C:\WINDOWS\ltsmmsg.exe]
"TFNF5"="TFNF5.exe" [2003-10-15 12:03 73728 C:\WINDOWS\system32\TFNF5.exe]
"TPSMain"="TPSMain.exe" [2003-12-01 07:09 266240 C:\WINDOWS\system32\TPSMain.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-19 19:09 15360]

C:\DOCUME~1\ALLUSE~1\MENUDM~1\PROGRA~1\DMARRA~1\
Quick launch of Adobe Reader.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Orange Caraibes.lnk - C:\Program Files\OrgangeFrance\Orange Caraibes\Orange Caraibes.exe [2008-01-14 14:01:50 872448]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.mpg4"= C:\WINDOWS\mpg4c32.dll
"vidc.mpg2"= C:\WINDOWS\mpg4c32.dll
"vidc.mpg3"= C:\WINDOWS\mpg4c32.dll
"vidc.GEOX"= C:\WINDOWS\system32\GeoCodec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quick launch of Microsoft Office OneNote 2003.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quick launch of Microsoft Office OneNote 2003.lnk
backup=C:\WINDOWS\pss\Quick launch of Microsoft Office OneNote 2003.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Drag'n Drop CD+DVD]
--------- 2003-08-08 18:54 1175552 C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=

R3 GT72NDISIPXP;GT 72 IP NDIS;C:\WINDOWS\system32\DRIVERS\Gt51Ip.sys [2007-07-09 14:17]
R3 GT72UBUS;GT 72 U BUS;C:\WINDOWS\system32\DRIVERS\gt72ubus.sys [2007-06-26 13:38]
R3 GTPTSER;GT PT SER;C:\WINDOWS\system32\DRIVERS\gtptser.sys [2007-03-30 13:38]
R3 iKeyEnum;Rainbow iKey Enumerator;C:\WINDOWS\system32\DRIVERS\ikeyenum.sys [2004-03-16 03:04]
R3 iKeyIFD;Rainbow iKey Virtual Reader;C:\WINDOWS\system32\DRIVERS\ikeyifd.sys [2004-03-16 03:04]
S3 PAMScan;PAMScan;C:\WINDOWS\System32\DRIVERS\PAMScan.SYS [2003-09-06 10:22]
S3 RnbToken;Rainbow iKey Token Service;C:\WINDOWS\system32\DRIVERS\rnbtoken.sys [2004-03-16 03:04]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6c138b72-2f24-11dd-a5a2-00080ddf4fdb}]
\Shell\AutoRun\command - E:\setup.exe AUTORUN=1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{caaa0ed6-8975-11dc-a55f-00080ddf4fdb}]
\Shell\AutoRun\command - RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f5cd7da8-da49-11dc-a580-00080ddf4fdb}]
\Shell\AutoRun\command - RavMon.exe
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-RegistryQuick.exe - C:\Program Files\RegistryQuick\RegistryQuick.exe

.
------- Supplementary Scan -------
.
R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore
O8 -: E&xporter to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O16 -: {1856D980-6604-4504-AE2E-6EEE0235FCF5} - hxxp://www.certeurope.fr/files/activesign/1.2.0.2/ActiveSign.CAB
C:\WINDOWS\Downloaded Program Files\ActiveSign.INF
C:\WINDOWS\System32\OLEAUT32.DLL
C:\WINDOWS\System32\OLEPRO32.DLL
C:\WINDOWS\System32\ASYCFILT.DLL
C:\WINDOWS\System32\STDOLE2.TLB
C:\WINDOWS\System32\COMCAT.DLL
C:\WINDOWS\System32\msvbvm60.dll
C:\WINDOWS\Downloaded Program Files\ActiveSign.dll

O16 -: {1DB93715-3B60-43EE-93E6-279BB3E1DF76} - hxxp://213.16.24.101:8080/cab/OCXChecker_6110.cab
C:\WINDOWS\Downloaded Program Files\OCXDownloadChecker.inf
C:\WINDOWS\Downloaded Program Files\OCXDownloadChecker_6110.ocx

O16 -: {DBAFE6AD-DC14-45DF-A3F7-F8832289A1CD} - hxxp://213.16.24.101:8080/cab/DownloadFile_7000.cab
C:\WINDOWS\Downloaded Program Files\Download.inf
C:\WINDOWS\Downloaded Program Files\Download_7000.ocx

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-21 18:52:36
Windows 5.1.2600 Service Pack 2 NTFS

Scanning hidden processes ...

Scanning hidden autostart entries ...

Scanning hidden files ...

Scan completed successfully
Hidden files: 0

**************************************************************************
.
Completion time: 2008-07-21 18:56:54
ComboFix-quarantined-files.txt 2008-07-21 22:56:43
ComboFix2.txt 2008-07-17 20:46:26

Pre-Run: 26,707,017,728 bytes free
Post-Run: 26,794,024,960 bytes free

141 --- E O F --- 2008-07-17 04:07:11

Lyonnais92 · Answer

Hi,  can you check that your antivirus is active?  I’m looking into the next steps. --  Talk soon Never accept disinfection via private message.

Lyonnais92 · Answer

Hi,  no more bagle if I believe Combofix.  Chiquitine gave me a lead.  Open this link:  http://www.microsoft.com/downloads/details.aspx?familyid=333325fd-ae52-4e35-b531-508d977d32a6&displaylang=en  Click on download and install this version of Net.framework.  Then, delete Toolcleaner from your Desktop and repeat the procedure:   * Download ToolsCleaner from A.Roshtein to your Desktop.  http://pc-system.fr/ hxxp://a-rothstein.changelog.fr/TC/ToolsCleaner2.exe hxxp://pagesperso-orange.fr/AceRothstein/ToolsCleaner2.exe  * Click on Search and let the scan finish.  * Click on Delete to finalize.  * You can, if you wish, use the Optional features.  * Click on Exit, so the report can be created.  * Post me the report (TCleaner.txt) that is located at the root of your hard drive (C:\).  --  @+ Never accept disinfection via PM.

Lasto97 · Answer

The same thing happened. But actually the first time I downloaded it. But when installing, it said it would take 3 hours to install. I left it at first, but after a while I canceled, thinking there was a downloading issue. I deleted it. I re-downloaded it. And when I try to install it, this time it writes the error message.

Chiquitine29 · Answer

Hi  to progress Lyonnais do this   -> Restart in safe mode with networking:  How to restart in safe mode with networking?  You restart the PC and tap the F8 key from the start of the boot without stopping. A black window will open, move with the arrow keys on start in safe mode with networking and then press enter. Once on the desktop, if there are no colors and other things, that's normal! Ps: if F8 doesn’t work, use the F5 key.   once in this mode:   Open this link:  https://www.microsoft.com/fr-fr/  click on download and install this version of Net.framework.  Then, delete Toolcleaner from your desktop and repeat the process:   * Download ToolsCleaner from A.Roshtein to your desktop.  http://pc-system.fr/ hxxp://a-rothstein.changelog.fr/TC/ToolsCleaner2.exe hxxp://pagesperso-orange.fr/AceRothstein/ToolsCleaner2.exe  * Click on Search and let the scan finish.  * Click on Delete to finalize.  * You can, if you wish, use the Optional options.  * Click on Exit, so the report can be created.  * Send me the report (TCleaner.txt) which is located at the root of your hard drive (C:\).  -- To discover: Estopa, Rosario Flores, La Oreja De Van Gogh                    Enjoy listening

Lasto97 · Answer

Re, In the end, it's good. I restored the one I started to install first. And it's installing, there hasn't been any error message. But is it really going to take 3 hours??? :/

Chiquitine29 · Answer

no, the download can be long if your connection is busy, i.e. if p2p is also open  otherwise the installation is quick but it depends on the machines -- To discover: Estopa, Rosario Flores, La Oreja De Van Gogh                       Enjoy listening

Chiquitine29 · Answer

do it in safe mode with networking   and be patient -;) -- To discover: Estopa, Rosario Flores, La Oreja De Van Gogh                   Enjoy listening

Lasto97 · Answer

Hi,I installed the framework.However, I can't install Toolscleaner2. When I run it, it says "is not a valid Win32 application."

Lasto97 · Answer

I deleted it, reinstalled it, and nothing worked. It downloads quickly, too quickly even! After that, I get the error message when I try to install it.

Lyonnais92 · Answer

Hello to both of you,  Chiquitine, I'll leave you in charge, you've already solved a similar case and I'm going on vacation.  My suggestion:  Ccleaner, defragmentation, emptying the Recycle Bin, a clean restore point, and let's try again. --  See you later Never accept disinfection via private message.

Chiquitine29 · Answer

Hello Lyonnais  Okay, have a great vacation, enjoy yourself and rest well  By the way, I will do the same as soon as possible    Lasto   -> Download Ccleaner (do not install the Yahoo toolbar)  -> Install it.  -> Once installed and launched:  In the left column, click on:  ->"Registry":  Check all the boxes under "Registry Integrity", then click at the bottom on "Find errors" once finished, click on "Repair errors", you will have a message to back up your registry, click "yes" and then repeat until it finds nothing more.  Ps: the backups you made can be deleted later if everything goes well.  ->"Cleaner"  Exit your browser before launching it, in the properties of the cleaner under the "Windows" and "Applications" tabs uncheck the last box (Advanced if it is checked) then click on "Run the cleaning" when it finishes scanning click at the bottom right on "Run the cleaning" and accept by clicking yes.  -> Tutorial with images:  https://www.vulgarisation-informatique.com/nettoyer-windows-ccleaner.php   Then:  Download DiagHelp.zip to your desktop:  http://www.malekal.com/download/DiagHelp.zip  !! Disconnect and close all your running applications !!  Right-click on the file and extract all.  --> A new folder will be created: "DiagHelp" Open it and double-click on go.cmd and not on anything else!  --> A window will open, choose option 1 The analysis will start, this may take a few minutes, let it run and press a key when prompted: An IE page will open, close it. Press a key again, the notepad will open: Save this report so you can find it and post all its content in your next reply ...     To discover: Estopa, Rosario Flores, La Oreja De Van Gogh  Enjoy listening

Lasto97 · Answer

Thank you very much Lyonnais92. And thank you Chiquitine29. But I'm sorry, when I try to extract the file it tells me "The compressed folder is invalid or damaged."

Chiquitine29 · Answer

delete the created folder but not the archive  do you have winrar?  if no download and install it:  https://www.commentcamarche.net/telecharger/utilitaires/24097-winrar/  then after installation right-click on the archive choose extract to and click on go.cmd To discover: Estopa, Rosario Flores, La Oreja De Van Gogh  Enjoy listening

Lasto97 · Answer

Moreover, while I was downloading the zip file, the antivirus went off.

Lasto97 · Answer

It tells me that installation files are corrupt.

Lasto97 · Answer

When I install WinRAR, it says "some installation files are corrupted" or something like that.

Chiquitine29 · Answer

do this  Disable and re-enable your system restore  XP tutorial: http://service1.symantec.com/support/inter/tsgeninfointl.Nsf/en_docid/20020830101856924  then:   Download ToolsCleaner to your desktop. --> ftp://ftp.commentcamarche.com/download/ToolsCleaner2.exe http://www.commentcamarche.net/telecharger/telecharger 34055291 toolscleaner http://pc-system.fr/  # Click on Search and let the scan run ... # Click on Delete to finalize. # You can, if you wish, use the Optional Options. # Click on Exit to get the report. # Post the report (TCleaner.txt) located at the root of your hard drive (C:\).   -- To discover: Estopa, Rosario Flores, La Oreja De Van Gogh                    Enjoy your listening

Chiquitine29 · Answer

a bump  this topic is bugged  I can't see the replies -- A must-listen: Estopa, Rosario Flores, La Oreja De Van Gogh                   Enjoy listening

Chiquitine29 · Answer

........ -- To discover: Estopa, Rosario Flores, La Oreja De Van Gogh                   Enjoy listening

Lasto97 · Answer

I can't find the TCleaner report at the root of the disk...

Lasto97 · Answer

Ah yes, sorry, he is here :)  -->- Search:  C:\Qoobox: found! C:\Documents and Settings\Administrator\Desktop\Dss.exe: found! C:\Documents and Settings\Administrator\Desktop\HijackThis.lnk: found! C:\Documents and Settings\Administrator\Desktop\DiagHelp.zip: found! C:\Documents and Settings\Administrator\Desktop\HijackThis.exe: found! C:\Documents and Settings\Administrator\Desktop\HJTInstall.exe: found! C:\Documents and Settings\Administrator\Desktop\DiagHelp: found! C:\Documents and Settings\Administrator\Desktop\DiagHelp\DiagHelp: found! C:\Documents and Settings\All Users\Start Menu\Programs\HijackThis: found! C:\Documents and Settings\All Users\Start Menu\Programs\HijackThis\HijackThis.lnk: found! C:\Program Files\Trend Micro\HijackThis: found! C:\Program Files\Trend Micro\HijackThis\HijackThis.exe: found! C:\RECYCLER\S-1-5-21-135211394-4118416520-2790299071-500\Dc4\DiagHelp: found!  --------------------------------- -->- Deletion:  C:\Documents and Settings\Administrator\Desktop\Dss.exe: deleted! C:\Documents and Settings\Administrator\Desktop\HijackThis.lnk: deleted! C:\Documents and Settings\Administrator\Desktop\DiagHelp.zip: deleted! C:\Documents and Settings\Administrator\Desktop\HijackThis.exe: deleted! C:\Documents and Settings\Administrator\Desktop\HJTInstall.exe: deleted! C:\Documents and Settings\All Users\Start Menu\Programs\HijackThis\HijackThis.lnk: deleted! C:\Program Files\Trend Micro\HijackThis\HijackThis.exe: deleted! C:\Qoobox: deleted! C:\Documents and Settings\Administrator\Desktop\DiagHelp: deleted! C:\Documents and Settings\All Users\Start Menu\Programs\HijackThis: deleted! C:\Program Files\Trend Micro\HijackThis: deleted! C:\RECYCLER\S-1-5-21-135211394-4118416520-2790299071-500\Dc4\DiagHelp: deleted!

Chiquitine29 · Answer

ok  we're testing invalid win32  Download HijackThis here:  -> http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe   Installation tutorial:  -> https://forums.cnetfrance.fr  Usage tutorial:  -> https://forums.cnetfrance.fr  Please post the generated report here...  -- To discover: Estopa, Rosario Flores, La Oreja De Van Gogh                     Enjoy listening

Lasto97 · Answer

I can't read the latest messages!!

Chiquitine29 · Answer

up to see your answer because it's bugging -- To discover: Estopa, Rosario Flores, La Oreja De Van Gogh                   Enjoy listening

Lasto97 · Answer

I can't read myself, nor can I read the last things that were told to me!!! :(

Chiquitine29 · Answer

Yes, there is a bug on the site   on test win32 not valid  Download HijackThis here:  -> http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe   Installation tutorial:  -> https://forums.cnetfrance.fr  Usage tutorial:  -> https://forums.cnetfrance.fr  Please post the generated report here...  -- Discover: Estopa, Rosario Flores, La Oreja De Van Gogh                      Enjoy your listening

Lasto97 · Answer

The link for HJT does not work. But I already had it, Lyonnais had me download it. Do I need to download it again?

Chiquitine29 · Answer

https://forums.cnetfrance.fr  http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe  -- To discover: Estopa, Rosario Flores, La Oreja De Van Gogh                   Enjoy listening

Lasto97 · Answer

Sorry, but it's the same problem as earlier with the zip. And the second link doesn't work.

Chiquitine29 · Answer

open Internet Explorer click on tools click on Internet options click on advanced click on reset confirm close Internet restart it  and try to download again -- To discover: Estopa, Rosario Flores, La Oreja De Van Gogh                  Enjoy listening

Lasto97 · Answer

No, that link still doesn't work.

Chiquitine29 · Answer

Are you in administrator mode?? -- To discover: Estopa, Rosario Flores, La Oreja De Van Gogh                   Enjoy listening

Lasto97 · Answer

Yes

Lasto97 · Answer

It's good! It's working now. I'm downloading it now!

Chiquitine29 · Answer

ok  Does your antivirus work? The firewall too? -- To discover: Estopa, Rosario Flores, La Oreja De Van Gogh                   Enjoy listening

Chiquitine29 · Answer

cool -- To discover: Estopa, Rosario Flores, La Oreja De Van Gogh                      Enjoy listening

Lasto97 · Answer

Ok here is the log,  Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 15:24:48, on 30/07/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16674) Boot mode: Normal  Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe C:\WINDOWS\System32\DkLog.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Trend Micro\OfficeScan Client
trtscan.exe C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Trend Micro\OfficeScan Client	mlisten.exe C:\WINDOWS\System32\dkcktkn.exe C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\igfxtray.exe C:\WINDOWS\System32\hkcmd.exe C:\WINDOWS\System32\00THotkey.exe C:\WINDOWS\LTSMMSG.exe C:\Program Files\Apoint2K\Apoint.exe C:\WINDOWS\TEMP\XW5C79.EXE C:\Program Files\TOSHIBA\TouchED\TouchED.Exe C:\Program Files\TOSHIBA\PadTouch\PadExe.exe C:\WINDOWS\system32\TFNF5.exe C:\WINDOWS\system32\TPSMain.exe C:\WINDOWS\System32\ezSP_Px.exe C:\Program Files\Rainbow Technologies\iKey 2000 Series Software\DkAutoReg.exe C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\TOSHIBA\TOSCDSPD	oscdspd.exe C:\Program Files\OrangeFrance\Orange Caraibes\Orange Caraibes.exe C:\WINDOWS\system32\TPSBattM.exe C:\Program Files\Apoint2K\Apntex.exe C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe  R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/?ocid=iehp R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = https://support.microsoft.com/en-US/topic/internet-explorer-downloads-d49e1f0d-571c-9a7b-d97e-be248806ca70 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Links O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O2 - BHO: Windows Live Login Assistant - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe O4 - HKLM\..\Run: [PadTouch] "C:\Program Files\TOSHIBA\PadTouch\PadExe.exe O4 - HKLM\..\Run: [TFNF5] TFNF5.exe O4 - HKLM\..\Run: [TPSMain] TPSMain.exe O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe O4 - HKLM\..\Run: [DkAutoReg.exe] C:\Program Files\Rainbow Technologies\iKey 2000 Series Software\DkAutoReg.exe O4 - HKLM\..\Run: [DkStartup] C:\Program Files\Rainbow Technologies\iKey 2000 Series Software\DkStartup.exe O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD	oscdspd.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user') O4 - Global Startup: Orange Caraibes.lnk = C:\Program Files\OrangeFrance\Orange Caraibes\Orange Caraibes.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra 'Tools' menuitem: Java Console (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe O9 - Extra button: Search - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O14 - IERESET.INF: START_PAGE_URL=file:///C:\Program Files\TOSHIBA\Free Update Service\splash.html O16 - DPF: {1856D980-6604-4504-AE2E-6EEE0235FCF5} - http://www.certeurope.fr/fichiers/activesign/1.2.0.2/ActiveSign.CAB O16 - DPF: {1DB93715-3B60-43EE-93E6-279BB3E1DF76} - http://213.16.24.101:8080/cab/OCXChecker_6110.cab O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab O16 - DPF: {DBAFE6AD-DC14-45DF-A3F7-F8832289A1CD} - http://213.16.24.101:8080/cab/DownloadFile_7000.cab O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = vauclin.sud O17 - HKLM\Software\..\Telephony: DomainName = vauclin.sud O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = vauclin.sud O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = vauclin.sud O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe O23 - Service: Datakey's Log Service (DkLogger) - Datakey, Inc. - C:\WINDOWS\System32\DkLog.exe O23 - Service: Datakey's Token Service (DkTknSrv) - Datakey, Inc. - C:\WINDOWS\System32\dkcktkn.exe O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client
trtscan.exe O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client	mlisten.exe O23 - Service: OfficeScan NT Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe  -- End of file - 8108 bytes

Chiquitine29 · Answer

Go to this site:  https://www.virustotal.com/gui/  Click on browse and find this file: C:\WINDOWS\TEMP\XW5C79.EXE    Click on Send File.  A report will be generated line by line.  Wait for it to finish. It should include the size of the uploaded file.  Save the report with Notepad.  Copy it into your response. -- To discover: Estopa, Rosario Flores, La Oreja De Van Gogh                     Happy listening

Lasto97 · Answer

It told me that the file has already been analyzed, so I reanalyzed the file and here are the results:  File XW5C79.EXE received on 2008.07.30 21:41:44 (CET) Current status: loading ... queued waiting for analysis finished NOT FOUND STOPPED   Result: 0/34 (0%) loading server information... Your file is in the queue, in position: ___. Estimated start time is between ___ and ___. Please do not close the window until the analysis is complete. The analyzer handling your file is currently stopped, we will wait a few seconds to try to recover your results. If you have been waiting for more than five minutes, you need to resend your file. Your file is currently being analyzed by VirusTotal, results will be displayed as they are generated. Formatted Print Results Your file has expired or does not exist. The service is currently stopped, your file has been waiting to be analyzed (position :) for an indefinite time.  You can wait for a response from the Web (auto-refresh) or enter your email in the form below and click "Request" so that the system sends you a notification when the analysis is complete.  Email:   Antivirus Version Last updated Result AhnLab-V3 2008.7.29.1 2008.07.30 - AntiVir 7.8.1.12 2008.07.30 - Authentium 5.1.0.4 2008.07.30 - Avast 4.8.1195.0 2008.07.30 - AVG 8.0.0.130 2008.07.30 - BitDefender 7.2 2008.07.30 - CAT-QuickHeal 9.50 2008.07.30 - ClamAV 0.93.1 2008.07.30 - DrWeb 4.44.0.09170 2008.07.30 - eSafe 7.0.17.0 2008.07.29 - eTrust-Vet 31.6.5995 2008.07.30 - Ewido 4.0 2008.07.30 - F-Prot 4.4.4.56 2008.07.30 - Fortinet 3.14.0.0 2008.07.30 - GData 2.0.7306.1023 2008.07.30 - Ikarus T3.1.1.34.0 2008.07.30 - Kaspersky 7.0.0.125 2008.07.30 - McAfee 5349 2008.07.29 - Microsoft 1.3704 2008.07.28 - NOD32v2 3311 2008.07.30 - Norman 5.80.02 2008.07.30 - Panda 9.0.0.4 2008.07.30 - PCTools 4.4.2.0 2008.07.30 - Prevx1 V2 2008.07.30 - Rising 20.55.22.00 2008.07.30 - Sophos 4.31.0 2008.07.30 - Sunbelt 3.1.1537.1 2008.07.29 - Symantec 10 2008.07.30 - TheHacker 6.2.96.389 2008.07.25 - TrendMicro 8.700.0.1004 2008.07.30 - VBA32 3.12.8.1 2008.07.29 - ViRobot 2008.7.30.1317 2008.07.30 - VirusBuster 4.5.11.0 2008.07.30 - Webwasher-Gateway 6.6.2 2008.07.30 - Additional information File size: 300656 bytes MD5...: 481359bdfb169f2bf1059669e1d518d7 SHA1..: 8edd20556dc6baaa4d95e9fccfeee1e3fd308975 SHA256: 1a5491d0e492acc6da601df2d84bf00db1c5fd050c1dd575a8fea67068004e32 SHA512: aad5ef4e962e5464192cdfd73e6b7409cfa0b069610a2343e43811e492e2dce1 856c89c35f71ad18577062a5105525e4b8bae9882569043056679495fd10bf4d PEiD..: - PEInfo: PE Structure information  ( base data ) entrypointaddress.: 0x41d9f9 timedatestamp.....: 0x463f537b (Mon May 07 16:27:39 2007) machinetype.......: 0x14c (I386)  ( 4 sections ) name viradd virsiz rawdsiz ntrpy md5 .text 0x1000 0x3570b 0x36000 6.63 23146977e391f9b4604c08ff8896529c .rdata 0x37000 0xc052 0xd000 4.79 8e55626850359a0afa178454c443da0e .data 0x44000 0xb4c0 0x3000 3.16 1e4d94eb9f564aae752ffbc9be5440c7 .rsrc 0x50000 0xaf4 0x1000 4.42 0b87ed20efa39f36e0ea69da8dda9aaf  ( 7 imports ) > WS2_32.dll: -, -, - > ADVAPI32.dll: SetSecurityDescriptorDacl, InitializeSecurityDescriptor, StartServiceA, QueryServiceStatus, CloseServiceHandle, OpenServiceA, OpenSCManagerA, RegCloseKey, RegQueryValueExA, RegOpenKeyExA, RegSetValueExA, RegDeleteValueA, RegCreateKeyExA, QueryServiceConfigA, RegNotifyChangeKeyValue > KERNEL32.dll: GlobalAlloc, GlobalFree, lstrcmpA, TlsGetValue, GlobalReAlloc, GlobalHandle, TlsAlloc, TlsSetValue, LocalReAlloc, TlsFree, InterlockedDecrement, InterlockedIncrement, GlobalGetAtomNameA, GetThreadLocale, ResumeThread, GlobalFlags, lstrcmpW, GlobalDeleteAtom, GlobalFindAtomA, GlobalAddAtomA, GetLocaleInfoA, GetCPInfo, GetOEMCP, SetFilePointer, FlushFileBuffers, GlobalLock, CreateFileA, GetFileAttributes, UnhandledExceptionFilter, SetUnhandledExceptionFilter, RaiseException, RtlUnwind, ExitThread, CreateThread, GetSystemTimeAsFileTime, IsDebuggerPresent, HeapAlloc, HeapFree, HeapReAlloc, GetCommandLineA, GetProcessHeap, GetStartupInfoA, HeapSize, ExitProcess, GetStdHandle, GetACP, IsValidCodePage, LCMapStringA, LCMapStringW, VirtualFree, HeapDestroy, HeapCreate, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetHandleCount, GetFileType, QueryPerformanceCounter, GetConsoleCP, GetConsoleMode, GetStringTypeA, GetStringTypeW, GetUserDefaultLCID, EnumSystemLocalesA, IsValidLocale, GetLocaleInfoW, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, GlobalUnlock, FormatMessageA, SetLastError, CreateFileW, WaitNamedPipeW, SetNamedPipeHandleState, WriteFile, SetWaitableTimer, GetOverlappedResult, ReadFile, GetCurrentThreadId, CreateEventW, CreateNamedPipeW, DisconnectNamedPipe, ConnectNamedPipe, lstrlenA, CompareStringA, MultiByteToWideChar, InterlockedExchange, WaitForMultipleObjects, LocalAlloc, LocalFree, CreateProcessA, GetModuleFileNameA, GetPrivateProfileIntA, GetTickCount, CopyFileA, TerminateProcess, MoveFileExA, GetVersion, VirtualAlloc, DeleteFileA, Sleep, ResetEvent, SetEvent, TerminateThread, DeleteCriticalSection, CreateEventA, InitializeCriticalSection, GetCurrentDirectoryA, GetComputerNameA, GetTempPathA, GetTempFileName, GetSystemDirectoryA, FindFirstFileA, FindNextFileA, FindClose, lstrcmpiA, OpenFile, GetLastError, WideCharToMultiByte, GetVersionExA, EnterCriticalSection, _lclose, LeaveCriticalSection, FindResourceA, LoadResource, LockResource, SizeofResource, CreateMutexA, GetModuleHandleA, WaitForSingleObject, GetExitCodeThread, lstrcpyA, lstrcatA, GetCurrentProcessId, OpenProcess, CloseHandle, ReadProcessMemory, WriteProcessMemory, GetCurrentProcess, LoadLibraryA, GetProcAddress, FreeLibrary, InterlockedCompareExchange > USER32.dll: DestroyMenu, PostQuitMessage, RegisterWindowMessageA, LoadIconA, WinHelpA, GetCapture, GetClassLongA, SetPropA, GetPropA, RemovePropA, GetForegroundWindow, GetTopWindow, DestroyWindow, GetMessageTime, GetMessagePos, MapWindowPoints, SetForegroundWindow, GetClientRect, GetMenu, PostMessageA, CreateWindowExA, GetClassInfoExA, GetClassInfoA, RegisterClassA, AdjustWindowRectEx, CopyRect, DefWindowProcA, CallWindowProcA, SystemParametersInfoA, IsIconic, GetWindowPlacement, SetMenuItemBitmaps, GetMenuCheckMarkDimensions, LoadBitmapA, ModifyMenuA, EnableMenuItem, CheckMenuItem, SetWindowPos, SetWindowLongA, IsWindow, GetDlgItem, GetFocus, ClientToScreen, GetWindow, GetDlgCtrlID, GetWindowRect, GetClassNameA, PtInRect, SetWindowTextA, UnregisterClassA, SetWindowsHookExA, CallNextHookEx, GrayStringA, DrawTextExA, DispatchMessageA, PeekMessageA, ValidateRect, GetWindowTextA, LoadCursorA, GetSystemMetrics, GetDC, ReleaseDC, GetSysColor, GetSysColorBrush, UnhookWindowsHookEx, GetWindowThreadProcessId, SendMessageA, GetParent, GetWindowLongA, GetLastActivePopup, IsWindowEnabled, EnableWindow, MessageBoxA, GetMenuState, GetMenuItemID, GetMenuItemCount, GetSubMenu, wsprintfA, DrawTextA, TabbedTextOutA, GetKeyState > GDI32.dll: TextOutA, ExtTextOutA, Escape, SelectObject, SetViewportOrgEx, OffsetViewportOrgEx, SetViewportExtEx, ScaleViewportExtEx, SetWindowExtEx, ScaleWindowExtEx, RectVisible, DeleteDC, GetStockObject, PtVisible, DeleteObject, GetDeviceCaps, SetMapMode, RestoreDC, SaveDC, SetBkColor, SetTextColor, GetClipBox, CreateBitmap > WINSPOOL.DRV: OpenPrinterA, DocumentPropertiesA, ClosePrinter > OLEAUT32.dll: -, -, -  ( 61 exports ) __0TmProcessGuard@@QAE@KHH@Z, __0TmProcessGuard@@QAE@PBD0HH@Z, __0TmProcessGuard@@QAE@XZ, __0TmServiceGuard@@QAE@PBD00HH@Z, __0TmServiceGuard@@QAE@PBDKHH@Z, __0TmServiceGuard@@QAE@XZ, __1TmProcessGuard@@UAE@XZ, __1TmServiceGuard@@UAE@XZ, __4TmProcessGuard@@QAEXAAV0@@Z, __4TmServiceGuard@@QAEXAAV0@@Z, ___7TmProcessGuard@@6B@, ___7TmServiceGuard@@6B@, _BackupService@TmServiceGuard@@IAEXXZ, _CheckProcess@TmProcessGuard@@QAE_NAAVCStringArray@@@Z, _GetGuardInfo@TmProcessGuard@@QBEXAAKAAV_$CStringT@DV_$StrTraitMFC@DV_$ChTraitsCRT@D@ATL@@@@@ATL@@1AAH2@Z, _GetService@TmServiceGuard@@QAE_AV_$CStringT@DV_$StrTraitMFC@DV_$ChTraitsCRT@D@ATL@@@@@ATL@@XZ, _IsIPChanged@@YA_NPBDPADH@Z, _IsMonitor@TmProcessGuard@@IBE_NXZ, _IsNTPlatform@@YA_NXZ, _IsProcessAlive@TmProcessGuard@@MAE_NXZ, _IsProcessAlive@TmServiceGuard@@MAE_NXZ, _IsRetryNow@TmProcessGuard@@IBE_NXZ, _IsTheSame@TmProcessGuard@@QBE_NABV_$CStringT@DV_$StrTraitMFC@DV_$ChTraitsCRT@D@ATL@@@@@ATL@@0@Z, _IsTheSame@TmProcessGuard@@QBE_NK@Z, _IsTheSame@TmProcessGuard@@QBE_NPBV1@@Z, _IsValidProcess@TmProcessGuard@@QBE_NXZ, _QueryAllLog@TmProcessGuard@@QBEXAAVCStringArray@@@Z, _RegWatchDog_Ofc@@YA_NXZ, _RegWatchDog_Ofc_95@@YA_NXZ, _RegWatchDog_Ofc_NTRT@@YA_NXZ, _RegWatchDog_Ofc_PCCNTMON@@YA_NXZ, _RegWatchDog_Ofc_TMLISTEN@@YA_NXZ, _RegWatchDog_Ofc_TMPROXY@@YA_NXZ, _ResetMonitor@TmProcessGuard@@IAEXXZ, _ResetRetryCount@TmProcessGuard@@QAEXXZ, _ResetRetryTick@TmProcessGuard@@QAEXXZ, _ResetRetryVar@TmProcessGuard@@QAEXXZ, _RetryWakeupProcess@TmProcessGuard@@MAE_NXZ, _RetryWakeupProcess@TmServiceGuard@@MAE_NXZ, _SetMonitor@TmProcessGuard@@IAEXXZ, _SetProcessID@TmProcessGuard@@QAEXK@Z, _SetRetryCountLimit@TmProcessGuard@@QAEXH@Z, _SetRetryTickLimit@TmProcessGuard@@QAEXH@Z, _StepMonitor@TmProcessGuard@@IAEXXZ, _StepRetry@TmProcessGuard@@IAEXXZ, _UnRegWatchDog_Ofc@@YA_NXZ, _UnRegWatchDog_Ofc_95@@YA_NXZ, _UnRegWatchDog_Ofc_NTRT@@YA_NXZ, _UnRegWatchDog_Ofc_PCCNTMON@@YA_NXZ, _UnRegWatchDog_Ofc_TMLISTEN@@YA_NXZ, _UnRegWatchDog_Ofc_TMPROXY  ThreatExpert info: https://www.symantec.com?md5=481359bdfb169f2bf1059669e1d518d7

Chiquitine29 · Answer

ok  one last thing:  Go to this site:  https://www.virustotal.com/gui/  Click on browse and search for this file: C:\Program Files\Rainbow Technologies\iKey 2000 Series Software\DkAutoReg.exe     Click on Send File.  A report will be generated line by line.  Wait for the end. It should include the size of the file sent.  Save the report with Notepad.  Copy it into your response.   -- To discover: Estopa, Rosario Flores, La Oreja De Van Gogh                     Enjoy listening

Lasto97 · Answer

Antivirus Version Last update Result AhnLab-V3 2008.7.29.1 2008.07.30 - AntiVir 7.8.1.12 2008.07.30 - Authentium 5.1.0.4 2008.07.30 - Avast 4.8.1195.0 2008.07.30 - AVG 8.0.0.130 2008.07.30 - BitDefender 7.2 2008.07.30 - CAT-QuickHeal 9.50 2008.07.30 - ClamAV 0.93.1 2008.07.30 - DrWeb 4.44.0.09170 2008.07.30 - eSafe 7.0.17.0 2008.07.29 - eTrust-Vet 31.6.5995 2008.07.30 - Ewido 4.0 2008.07.30 - F-Prot 4.4.4.56 2008.07.30 - F-Secure 7.60.13501.0 2008.07.30 - Fortinet 3.14.0.0 2008.07.30 - GData 2.0.7306.1023 2008.07.30 - Ikarus T3.1.1.34.0 2008.07.30 - Kaspersky 7.0.0.125 2008.07.30 - McAfee 5349 2008.07.29 - Microsoft 1.3704 2008.07.28 - NOD32v2 3311 2008.07.30 - Norman 5.80.02 2008.07.30 - Panda 9.0.0.4 2008.07.30 - PCTools 4.4.2.0 2008.07.30 - Prevx1 V2 2008.07.30 - Rising 20.55.22.00 2008.07.30 - Sophos 4.31.0 2008.07.30 - Sunbelt 3.1.1537.1 2008.07.29 - Symantec 10 2008.07.30 - TheHacker 6.2.96.389 2008.07.25 - TrendMicro 8.700.0.1004 2008.07.30 - VBA32 3.12.8.1 2008.07.29 - ViRobot 2008.7.30.1317 2008.07.30 - VirusBuster 4.5.11.0 2008.07.30 - Webwasher-Gateway 6.6.2 2008.07.30 - Additional information File size: 241664 bytes MD5...: 3f7f21897af25d4b0361f2da964fb809 SHA1..: bb0eca1b67b181f92fe81e2f3dd83cabce51ba98 SHA256: 18e1ff20ed5c269ce656743ad0fb8c9e5fa3be5df3b08831ec0fd422741224bc SHA512: de81276979c3b50de297012ce1ccc3e599e474077cddf085296d047363157fce 5e8ff216f36049941116cfc7ed63f367af63af21562f4a70b65da6abca8542b1 PEiD..: Armadillo v1.71 PEInfo: PE Structure information  ( base data ) entrypointaddress.: 0x40c685 timedatestamp.....: 0x3d3f338d (Wed Jul 24 23:09:01 2002) machinetype.......: 0x14c (I386)  ( 4 sections ) name viradd virsiz rawdsiz ntrpy md5 .text 0x1000 0x2534a 0x26000 6.55 29c3951931d605678c200df180edc615 .rdata 0x27000 0x946a 0xa000 4.58 f1c18aac99d185d3c23ffccfe5935859 .data 0x31000 0xa248 0x6000 3.65 630af875d3bd1cbbc32d60959cb40845 .rsrc 0x3c000 0x31c0 0x4000 3.28 b21340e4001e6557ff21b69adf659926  ( 12 imports ) > DkTools.dll: DK_FreeCertList, DK_DeleteCertFromStore, DK_TokenCertsToStore > KERNEL32.dll: GetLocalTime, HeapSize, GetEnvironmentVariableA, GetVersionExA, HeapDestroy, HeapCreate, VirtualFree, VirtualAlloc, IsBadWritePtr, UnhandledExceptionFilter, FreeEnvironmentStringsA, FreeEnvironmentStringsW, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount, GetACP, HeapReAlloc, LCMapStringA, LCMapStringW, SetUnhandledExceptionFilter, GetStringTypeA, GetStringTypeW, IsBadReadPtr, IsBadCodePtr, FindFirstFileA, GetVolumeInformationA, GlobalFree, CompareStringA, CompareStringW, GetTimeZoneInformation, RaiseException, ExitThread, CreateThread, HeapFree, TerminateProcess, ExitProcess, GetCommandLineA, GetStartupInfoA, HeapAlloc, RtlUnwind, GetFileTime, GetFileSize, GetFileAttributesA, GetFullPathNameA, GetFileType, FindClose, SuspendThread, SetThreadPriority, ResumeThread, SetEvent, WaitForSingleObject, GetModuleFileNameA, GlobalLock, GlobalAlloc, GlobalDeleteAtom, lstrcmpA, lstrcmpiA, GetCurrentThread, MultiByteToWideChar, WideCharToMultiByte, lstrlenA, InterlockedDecrement, InterlockedIncrement, FreeLibrary, OutputDebugStringA, CreateMutexA, GetSystemDirectoryA, CloseHandle, GetSystemTime, GetCurrentThreadId, GetCurrentProcessId, GetProcAddress, LoadLibraryA, SetEndOfFile, UnlockFile, LockFile, FlushFileBuffers, WriteFile, SetFilePointer, GetProfileStringA, GetCurrentProcess, ReadFile, CreateFileA, GetOEMCP, DuplicateHandle, SetErrorMode, GetCPInfo, GetThreadLocale, GetProcessVersion, SizeofResource, WritePrivateProfileStringA, lstrcpynA, GlobalFlags, TlsSetValue, TlsGetValue, LocalReAlloc, GlobalHandle, GlobalReAlloc, TlsFree, EnterCriticalSection, TlsAlloc, LocalAlloc, InitializeCriticalSection, LeaveCriticalSection, DeleteCriticalSection, FormatMessageA, FileTimeToLocalFileTime, FileTimeToSystemTime, SetLastError, LocalFree, MulDiv, GlobalGetAtomNameA, GetVersion, lstrcatA, lstrcpyA, GlobalAddAtomA, GlobalFindAtomA, GlobalUnlock, GetModuleHandleA, GetTickCount, LockResource, GetLastError, FindResourceA, LoadResource, CreateEventA, SetStdHandle, GetStdHandle, SetEnvironmentVariableA > USER32.dll: GetNextDlgGroupItem, CopyAcceleratorTableA, CharNextA, PostThreadMessageA, MessageBeep, SetRect, InvalidateRect, InflateRect, GetSysColorBrush, PtInRect, GetClassNameA, GetDesktopWindow, LoadCursorA, DestroyMenu, GrayStringA, DrawTextA, TabbedTextOutA, EndPaint, BeginPaint, GetWindowDC, ClientToScreen, ShowWindow, MoveWindow, SetWindowTextA, IsDialogMessageA, UpdateWindow, SendDlgItemMessageA, MapWindowPoints, GetSysColor, SetFocus, AdjustWindowRectEx, ScreenToClient, CharUpperA, GetTopWindow, IsChild, GetCapture, WinHelpA, wsprintfA, GetClassInfoA, GetMenu, GetMenuItemCount, GetSubMenu, GetMenuItemID, GetWindowTextLengthA, GetWindowTextA, GetDlgCtrlID, DefWindowProcA, CreateWindowExA, GetClassLongA, SetPropA, UnhookWindowsHookEx, GetPropA, CallWindowProcA, RemovePropA, GetMessageTime, GetMessagePos, GetForegroundWindow, SetForegroundWindow, SetWindowLongA, RegisterWindowMessageA, OffsetRect, IntersectRect, SystemParametersInfoA, GetWindowPlacement, GetWindowRect, MapDialogRect, SetWindowPos, GetWindow, SetWindowContextHelpId, RegisterClipboardFormatA, CopyRect, GetDC, ReleaseDC, EndDialog, SetActiveWindow, IsWindow, CreateDialogIndirectParamA, DestroyWindow, GetDlgItem, GetMenuCheckMarkDimensions, LoadBitmapA, GetMenuState, ModifyMenuA, SetMenuItemBitmaps, CheckMenuItem, EnableMenuItem, GetFocus, GetNextDlgTabItem, GetMessageA, TranslateMessage, DispatchMessageA, GetActiveWindow, GetKeyState, CallNextHookEx, ValidateRect, IsWindowVisible, PeekMessageA, GetCursorPos, SetWindowsHookExA, GetParent, GetLastActivePopup, IsWindowEnabled, GetWindowLongA, SetCursor, PostQuitMessage, PostMessageA, LoadStringA, MessageBoxA, IsIconic, GetSystemMetrics, GetClientRect, DrawIcon, GetSystemMenu, AppendMenuA, SendMessageA, LoadIconA, EnableWindow, RegisterClassA, DefDlgProcA, HideCaret, ShowCaret, ExcludeUpdateRgn, DrawFocusRect, UnregisterClassA, IsWindowUnicode > GDI32.dll: DeleteObject, GetDeviceCaps, GetViewportExtEx, GetWindowExtEx, CreateSolidBrush, PtVisible, RectVisible, ExtTextOutA, Escape, TextOutA, GetMapMode, DPtoLP, GetBkColor, LPtoDP, GetTextColor, CreateDIBitmap, BitBlt, GetTextExtentPointA, CreateCompatibleDC, IntersectClipRect, ScaleWindowExtEx, SetWindowExtEx, ScaleViewportExtEx, SetViewportExtEx, OffsetViewportOrgEx, SetViewportOrgEx, SetMapMode, SetBkMode, SelectObject, RestoreDC, SaveDC, DeleteDC, GetObjectA, SetBkColor, SetTextColor, GetClipBox, PatBlt, CreateBitmap, GetStockObject > comdlg32.dll: GetFileTitleA > WINSPOOL.DRV: DocumentPropertiesA, OpenPrinterA, ClosePrinter > ADVAPI32.dll: RegCreateKeyExA, RegQueryValueExA, RegOpenKeyExA, RegCloseKey, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, RegSetValueExA > COMCTL32.dll: - > oledlg.dll: - > ole32.dll: StgCreateDocfileOnILockBytes, CoTaskMemFree, OleFlushClipboard, OleIsCurrentClipboard, StgOpenStorageOnILockBytes, CoRevokeClassObject, CreateILockBytesOnHGlobal, CLSIDFromProgID, CoFreeUnusedLibraries, OleInitialize, CoTaskMemAlloc, CLSIDFromString, OleUninitialize, CoGetClassObject, CoRegisterMessageFilter > OLEPRO32.DLL: - > OLEAUT32.dll: -, -, -, -, -, -, -, -, -  ( 0 exports )

Chiquitine29 · Answer

Download OTMoveIt http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe (by Old_Timer) to your Desktop. Double-click on OTMoveIt.exe to launch it. Make sure the Unregister Dll's and Ocx's checkbox is checked Copy the line in bold below, and paste it into the left box of OTMoveIt: Paste List of Files/Folders to be moved.  C:\WINDOWS\TEMP\XW5C79.EXE    Click MoveIt! to start the deletion. The result will appear in the "Results" box. Click Exit to close. Post the report located in C:\_OTMoveIt\MovedFiles.  You may be asked to restart your PC to complete the deletion. If so, accept by clicking Yes.   Next:   Download DiagHelp.zip to your desktop:  http://www.malekal.com/download/DiagHelp.zip  !! Disconnect and close all your running applications !!  Right-click on the file and extract all.  --> A new folder will be created: "DiagHelp" Open it and double-click on go.cmd and not anything else!  --> A window will open, choose option 1 The scan will begin, this may take a few minutes, let it run and press any key when prompted: An IE page will open, close it. Press any key again, the notepad will open: Save this report so you can find it and post all its content in your next reply...      -- To discover: Estopa, Rosario Flores, La Oreja De Van Gogh                   Enjoy listening                    @ + Chiki.

Lasto97 · Answer

C:\WINDOWS\TEMP\XW5C79.EXE déplacé avec succès.  OTMoveIt2 par OldTimer - Journal de version 1.0.4.3 créé le 30/07/2008 à 16h11.

Lasto97 · Answer

It tells me "no file to extract."

Chiquitine29 · Answer

go to computer open drive C  go into the windows folder  and empty the prefetch folder  then uninstall java because it's outdated and download and install this version:  https://sdlc-esd.oracle.com/ESD44/JSCDL/jdk/6u7/jre-6u7-windows-i586-p-s.exe?GroupName=JSC&FilePath=/ESD44/JSCDL/jdk/6u7/jre-6u7-windows-i586-p-s.exe&BHost=javadl.sun.com&File=jre-6u7-windows-i586-p-s.exe&AuthParam=1580978146_46494a57fbc0e7c89e79cfb72e28cd3a&ext=.exe   then run another hijackthis scan and post the report please and we'll finish -- Discover: Estopa, Rosario Flores, La Oreja De Van Gogh                   Enjoy listening                    @ + Chiki.

Lyonnais92 · Answer

Re,

Chiquitine, leave this temp file which is legitimate.

Go see posts 2 to 24 and check the ThreatExpert report associated with the VirusTotal report.

This file generates legitimate files from Trend Micro.

It's something you need to know. It helps to keep this AV "alive" even when the malware tries to kill it.
--

@+
Never accept disinfection by PM.

Chiquitine29 · Answer

re  It's something you need to know  indeed I haven't read the whole topic and I should have -- A discover: Estopa, Rosario Flores, La Oreja De Van Gogh                   Happy listening                    @ + Chiki.

Lasto97 · Answer

When I run JAVA it says ""is not a valid win32 application"."

Chiquitine29 · Answer

ok  restart the PC  you can check this:   Right-click on My Computer and select "Properties." In the system properties, select the Hardware tab and then Device Manager Double-click on the ATA/ATAPI IDE Controller line Double-click successively on Primary IDE Channel, then Secondary IDE Channel. In the "Advanced Settings" tab, under the Device 0 box, make sure the setting is DMA if available and not PIO only  then try reinstalling Java -- To discover: Estopa, Rosario Flores, La Oreja De Van Gogh                   Enjoy listening                    @ + Chiki.

Lasto97 · Answer

No, it doesn't install, even after that.

Chiquitine29 · Answer

Download RavAntivirus from Evosla to your desktop: http://ww25.evosla.com/compteur.php?soft=rav_antivirus - Connect your external data sources to your PC (USB stick, external hard drive, etc...) without opening them before launching this FIX - Right-click on the .ZIP file, then "Extract to" Desktop. - Double-click on "RAV.exe" to start the fix. - Let the program run: it will automatically scan all drives (fixed and removable) . - Then: remove your removable drives and restart your PC.   then:   Download DSS (formerly Comboscan) from Deckard to your desktop:  http://deckard.geekstogo.com/dss.exe   (choose save, then Desktop as the location)  Close all running applications.  Double-click on DSS.exe to launch the tool.  A window opens, prompting you to close all applications, click OK.  At the end of the scan, a window opens, click OK.  The main.txt report will be displayed, copy it in your next reply. If a complementary report was created (extra.txt), post it as well in your response.  The reports are located here: (!) C:\Deckard\System Scanner\main.txt (!) C:\Deckard\System Scanner\extra.txt  (CTRL+A to select all, CTRL+C to copy, and CTRL+V to paste)   ps: I'm going to bed, good night    -- To discover: Estopa, Rosario Flores, La Oreja De Van Gogh                      Good listening                      @ + Chiki.

Lasto97 · Answer

It says "the compressed folder is invalid or damaged."

Chiquitine29 · Answer

Hi   download this file:   http://perso.orange.fr/-Gof/DL/VaccinUSB.exe    you need to run it and click on fix  please post the VaccinUSB.txt report in the next response -- To discover: Estopa, Rosario Flores, La Oreja De Van Gogh                      Have a good listen                      @ + TChiki.

Lasto97 · Answer

Hello, It doesn't run, it gives me the error message "is not a valid Win32 application."

Chiquitine29 · Answer

Make sure that the E drive is connected but not open  download OTMoveIt http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe (by Old_Timer) to your Desktop. double-click on OTMoveIt.exe to launch it. Make sure the box Unregister Dll's and Ocx's is checked copy the line below in bold, and paste it into the left box of OTMoveIt: Paste List of Files/Folders to be moved.  E:\setup.exe HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6c138b72-2f24-11dd-a5a2-00080ddf4fdb}   click on MoveIt! to start the deletion. the result will appear in the "Results" box. click on Exit to close. post the report located in C:\_OTMoveIt\MovedFiles.  you may be asked to restart the PC to complete the deletion. if so, accept by Yes.   -- To discover: Estopa, Rosario Flores, La Oreja De Van Gogh                    Enjoy your listening                    @ + TChiki.

Lasto97 · Answer

Fichier/Dossier E:\setup.exe non trouvé. < HKEY_CURRENT_USER\software\microsoft\windows\currentversion\­explorer\mountpoints2\{6c138b72-2f24-11dd-a5a2-00080ddf4fdb} > Clé de registre HKEY_CURRENT_USER\software\microsoft\windows\currentversion\­explorer\mountpoints2\{6c138b72-2f24-11dd-a5a2-00080ddf4fdb}\ non trouvée.  OTMoveIt2 par OldTimer - Version 1.0.4.3 log créé le 07312008_083252

Chiquitine29 · Answer

Show all files and folders: To do this: Click on Start/Control Panel/Folder Options/View  Check "Show hidden files and folders"  Uncheck the box "Hide protected operating system files (recommended)"  Uncheck "Hide extensions for known file types"  Then click "Apply" to validate the changes.  And OK   Go to My Computer and enter drive E Search for and delete: setup.exe  In drive C Search for and delete: RavMon.exe  Let me know if you find them    -- Discover: Estopa, Rosario Flores, La Oreja De Van Gogh                      Happy listening                      @ + TChiki.

Lasto97 · Answer

But there is no E: drive The only device connected is the satellite internet dongle.

Chiquitine29 · Answer

""Kaspersky Online Scan" https://www.kaspersky.fr/?domain=webscanner.kaspersky.fr in "Internet Explorer". Connect your External Drive (USB stick) if necessary - Click on "Start Online Scanner" (at the bottom right of the page). - Now click on "I accept". - Confirm the installation of one or more ActiveX if necessary. - Wait during the installation of "Updates". Click on "Scan Settings" Check the box "Scope" >> Ok - Then choose to scan the "Workstation" for a "Full Scan". - Save and then paste the report generated at the end of the scan. http://i204.photobucket.com/albums/bb106/Juliet702/Kas-SaveReport-1.gif http://i204.photobucket.com/albums/bb106/Juliet702/Kas-Savetxt.gif -- To discover: Estopa, Rosario Flores, La Oreja De Van Gogh                    Enjoy listening                    @ + TChiki."

Lasto97 · Answer

During the loading, it showed me this.  Failed to load the Kaspersky On-line Scanner ActiveX control!  You need to have administrator privileges on this machine; in addition, you must configure the IE security level to Medium.  But I am an administrator.

Lasto97 · Answer

It's good. I restarted and it worked. It's doing the update now.

Chiquitine29 · Answer

oki -- To discover: Estopa, Rosario Flores, La Oreja De Van Gogh                    Enjoy listening                    @ + TChiki.

Lasto97 · Answer

Finally, due to my slow connection it took some time, but here is the Kaspersky report  KASPERSKY ON-LINE SCANNER REPORT Thursday, July 31, 2008 1:42:42 PM Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600) Kaspersky On-line Scanner version: 5.0.83.0 Last update of Kaspersky antivirus database: 31/07/2008 Records in Kaspersky antivirus database: 1,034,003   Scan settings Scan with the following extended antivirus database Scan archives true Scan email bases true  Scan target Workstation C:\ D:\  Scan statistics Total objects scanned 46,258 Number of viruses found 1 Number of infected objects 1 / 0 Number of suspected objects 0 Duration of the scan 01:24:47  Name of infected object Virus name Last action C:\autorun.inf\lpt3. This folder was created by Flash_Disinfector The object is locked ignored  C:\Documents and Settings\Administrator\Cookies\index.dat The object is locked ignored  C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat The object is locked ignored  C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG The object is locked ignored  C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat The object is locked ignored  C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012008073120080801\index.dat The object is locked ignored  C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat The object is locked ignored  C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat The object is locked ignored  C:\Documents and Settings\Administrator\NTUSER.DAT The object is locked ignored  C:\Documents and Settings\Administrator
tuser.dat.LOG The object is locked ignored  C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat The object is locked ignored  C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat The object is locked ignored  C:\Documents and Settings\LocalService\Cookies\index.dat The object is locked ignored  C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat The object is locked ignored  C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG The object is locked ignored  C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat The object is locked ignored  C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat The object is locked ignored  C:\Documents and Settings\LocalService\NTUSER.DAT The object is locked ignored  C:\Documents and Settings\LocalService
tuser.dat.LOG The object is locked ignored  C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat The object is locked ignored  C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG The object is locked ignored  C:\Documents and Settings\NetworkService\NTUSER.DAT The object is locked ignored  C:\Documents and Settings\NetworkService
tuser.dat.LOG The object is locked ignored  C:\Program Files\Trend Micro\OfficeScan Client\SUSPECT\Data DIANA.exe Infected: Email-Worm.Win32.Brontok.q ignored  C:\System Volume Information\MountPointManagerRemoteDatabase The object is locked ignored  C:\System Volume Information\_restore{77FD3881-F341-4D81-9B9A-07B7AB21E0B0}\RP222\change.log The object is locked ignored  C:\WINDOWS\$NtUninstallKB833407$\bssym7.ttf The object is locked ignored  C:\WINDOWS\$NtUninstallKB835732$\callcont.dll The object is locked ignored  C:\WINDOWS\$NtUninstallKB835732$\cmdevtgprov.dll The object is locked ignored  C:\WINDOWS\$NtUninstallKB835732$\gdi32.dll The object is locked ignored  C:\WINDOWS\$NtUninstallKB835732$\h323.tsp The object is locked ignored  C:\WINDOWS\$NtUninstallKB835732$\h323msp.dll The object is locked ignored  C:\WINDOWS\$NtUninstallKB835732$\helpctr.exe The object is locked ignored  C:\WINDOWS\$NtUninstallKB835732$\ipnathlp.dll The object is locked ignored  C:\WINDOWS\$NtUninstallKB835732$\lsasrv.dll The object is locked ignored  C:\WINDOWS\$NtUninstallKB835732$\mf3216.dll The object is locked ignored  C:\WINDOWS\$NtUninstallKB835732$\msasn1.dll The object is locked ignored  C:\WINDOWS\$NtUninstallKB835732$\msgina.dll The object is locked ignored  C:\WINDOWS\$NtUninstallKB835732$\mst120.dll The object is locked ignored  C:\WINDOWS\$NtUninstallKB835732$
etapi32.dll The object is locked ignored  C:\WINDOWS\$NtUninstallKB835732$
mcom.dll The object is locked ignored  C:\WINDOWS\$NtUninstallKB835732$tcdll.dll The object is locked ignored  C:\WINDOWS\$NtUninstallKB835732$\schannel.dll The object is locked ignored  C:\WINDOWS\CSC\00000001 The object is locked ignored  C:\WINDOWS\Debug\Netlogon.log The object is locked ignored  C:\WINDOWS\Debug\PASSWD.LOG The object is locked ignored  C:\WINDOWS\dkcip.log The object is locked ignored  C:\WINDOWS\SchedLgU.Txt The object is locked ignored  C:\WINDOWS\SoftwareDistribution\ReportingEvents.log The object is locked ignored  C:\WINDOWS\Sti_Trace.log The object is locked ignored  C:\WINDOWS\system32\CatRoot2\edb.log The object is locked ignored  C:\WINDOWS\system32\CatRoot2	mp.edb The object is locked ignored  C:\WINDOWS\system32\config\AppEvent.Evt The object is locked ignored  C:\WINDOWS\system32\config\default The object is locked ignored  C:\WINDOWS\system32\config\default.LOG The object is locked ignored  C:\WINDOWS\system32\config\Internet.evt The object is locked ignored  C:\WINDOWS\system32\config\SAM The object is locked ignored  C:\WINDOWS\system32\config\SAM.LOG The object is locked ignored  C:\WINDOWS\system32\config\SecEvent.Evt The object is locked ignored  C:\WINDOWS\system32\config\SECURITY The object is locked ignored  C:\WINDOWS\system32\config\SECURITY.LOG The object is locked ignored  C:\WINDOWS\system32\config\software The object is locked ignoré  C:\WINDOWS\system32\config\software.LOG The object is locked ignoré  C:\WINDOWS\system32\config\SysEvent.Evt The object is locked ignored  C:\WINDOWS\system32\config\system The object is locked ignored  C:\WINDOWS\system32\config\system.LOG The object is locked ignored  C:\WINDOWS\system32\h323log.txt The object is locked ignored  C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR The object is locked ignored  C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP The object is locked ignored  C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER The object is locked ignoré  C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP The object is locked ignoré  C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP The object is locked ignoré  C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA The object is locked ignoré  C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP The object is locked ignoré  C:\WINDOWS\Temp\Perflib_Perfdata_e1c.dat The object is locked ignoré  C:\WINDOWS\wiadebug.log The object is locked ignoré  C:\WINDOWS\wiaservc.log The object is locked ignoré  C:\WINDOWS\WindowsUpdate.log The object is locked ignoré  Scan completed.

Chiquitine29 · Answer

good  we're definitely eliminating the bagle cause  before downloading msn on 01 net   was anything installed on the pc?  a haphazard manipulation?    -- To discover: Estopa, Rosario Flores, La Oreja De Van Gogh                     Enjoy listening                     @ + TChiki.

Lasto97 · Answer

After I questioned my sisters, here’s what I think: a USB drive was plugged into the computer to retrieve a song. This happened well before I tried to download MSN on O1net.

Chiquitine29 · Answer

yes, there is indeed a problem on that side  but it's strange that it causes this symptom   I'm preparing something for you while I look at a report -- To discover: Estopa, Rosario Flores, La Oreja De Van Gogh                    Enjoy listening                    @ + TChiki.

Chiquitine29 · Answer

-- To discover: Estopa, Rosario Flores, La Oreja De Van Gogh                      Enjoy listening                      @ + TChiki.

Lasto97 · Answer

------------------------------------------------------------­--  C: - Fixed reader    +- Listing of present files:  AUTOEXEC.BAT boot.ini Bootfont.bin ComboFix.txt CONFIG.SYS drvsrch.txt INSTALL.LOG IO.SYS MSDOS.SYS NTDETECT.COM ntldr pagefile.sys SWSTAMP.TXT TCleaner.txt tmuninst.ini UNWISE.EXE   +- Listing of present folders:  autorun.inf Combo-Fix Config.Msi Deckard Documents and Settings I386 Intel MSOCache PamScan Program Files RECYCLER SUPPORT System Volume Information VALUEADD WINDOWS _OTMoveIt  Folder autorun.inf present, created by Flash_Disinfector   ------------------------------------------------------------------------

Chiquitine29 · Answer

Is the USB key corresponding to drive E? Do you confirm? -- A to discover: Estopa, Rosario Flores, La Oreja De Van Gogh                    Enjoy listening                    @ + TChiki.

Lasto97 · Answer

In fact, the key is not ours, so I don't have it. But it is possible that it's hers. Besides her, I don't see what it could be. We don't use an external hard drive or a USB stick. It was occasional; we gave them a key, they inserted it, and that was it. Right now, I don't have any USB sticks in my possession.

Chiquitine29 · Answer

Registry:: [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{caaa0ed6-8975-11dc-a55f-00080ddf4fdb}] [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f5cd7da8-da49-11dc-a580-00080ddf4fdb}]        Open Notepad and paste the copied text. (Start\All Programs\Accessories\Notepad.) Save this file as CFScript.txt  Now drag the CFScript.txt file into Combofix.exe as shown below:  http://sd-1.archive-host.com/membres/up/1366464061/CFScript.gif  This will restart Combofix,  A blue window will appear: in the message that appears ( Type 1 to continue, or 2 to abort), type 1 and press Enter.  Wait for the scan to complete. The desktop will disappear several times: this is normal!  Do not touch anything until the scan is finished.  After the restart, post the contents of the Combofix.txt report  If there is no restart, still post the reports.    -- To discover: Estopa, Rosario Flores, La Oreja De Van Gogh                    Good listening                    @ + TChiki.

Lasto97 · Answer

Here is the report from Combofix ComboFix 08-07-21.1 - Administrator 2008-07-31 15:27:17.10 - NTFSx86 Location: C:\Documents and Settings\Administrator\Desktop\nonabagle.exe Command switches used: C:\Documents and Settings\Administrator\Desktop\CFScript.txt * Created a new restore point [color=red][b]WARNING - THE RECOVERY CONSOLE IS NOT INSTALLED ON THIS MACHINE!![/b][/color] . ((((((((((((((((((((((((((((( Created files from 2008-06-28 to 2008-07-31 )))))))))))))))))))))))))))))))))))) . 2008-07-31 09:40 . 2008-07-31 09:40 d-------- C:\WINDOWS\system32\Kaspersky Lab 2008-07-30 16:11 . 2008-07-30 16:11 d-------- C:\_OTMoveIt 2008-07-30 08:53 . 2008-07-30 09:00 d-------- C:\WINDOWS\system32\XPSViewer 2008-07-30 08:53 . 2008-07-30 08:53 d-------- C:\Program Files\Reference Assemblies 2008-07-30 08:53 . 2008-07-30 08:53 d-------- C:\Program Files\MSBuild 2008-07-30 08:51 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll 2008-07-30 08:42 . 2008-07-30 08:42 d-------- C:\Program Files\MSXML 6.0 2008-07-26 14:34 . 2008-07-26 15:52 d-------- C:\WINDOWS\BDOSCAN8 2008-07-26 11:23 . 2008-07-26 11:23 d-------- C:\Program Files\CCleaner 2008-07-26 10:21 . 2008-07-26 10:21 d-------- C:\Program Files\Malwarebytes' Anti-Malware 2008-07-26 10:21 . 2008-07-26 10:21 d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes 2008-07-26 10:21 . 2008-07-26 10:21 d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Malwarebytes 2008-07-26 10:21 . 2008-07-26 10:21 d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Malwarebytes 2008-07-26 10:21 . 2008-07-23 20:09 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys 2008-07-26 10:21 . 2008-07-23 20:09 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys 2008-07-25 19:36 . 2008-07-25 19:36 d--h----- C:\WINDOWS\PIF 2008-07-22 08:04 . 2008-07-22 08:04 d-------- C:\Deckard 2008-07-21 13:33 . 2008-07-21 13:55 d-------- C:\Program Files\RegistryQuick 2008-07-17 17:25 . 2008-07-17 17:28 d-------- C:\Combo-Fix 2008-06-25 16:59 . 2008-06-25 16:59 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2 2008-06-21 14:52 . 2008-06-14 13:59 272,768 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys 2008-06-21 13:28 . 2008-06-21 13:55 d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller 2008-06-21 13:27 . 2008-07-23 15:04 d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\WLInstaller 2008-06-02 16:39 . 2008-06-02 16:39 dr-h----- C:\Documents and Settings\Administrator\Application Data\SecuROM 2008-06-02 16:39 . 2008-06-02 16:39 dr-h----- C:\DOCUME~1\ADMINI~1\APPLIC~1\SecuROM 2008-06-02 16:39 . 2008-06-02 16:39 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll 2008-06-02 16:29 . 2008-06-02 16:29 d-------- C:\Program Files\Common Files\MainConcept 2008-06-02 16:29 . 2003-03-18 21:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll . (((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))) . 2008-07-30 20:32 --------- d-----w C:\Program Files\Java 2008-07-30 19:24 --------- d-----w C:\Program Files\Trend Micro 2008-07-17 04:04 --------- d-----w C:\Program Files\Microsoft Works 2008-07-16 01:14 --------- d-----w C:\Documents and Settings\Administrator\Application Data\MSN6 2008-07-16 01:14 --------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\MSN6 2008-06-30 15:04 --------- d-----w C:\Program Files\Bac_v7 2008-06-14 17:59 272,768 ------w C:\WINDOWS\system32\drivers\bthport.sys 2008-06-02 20:28 --------- d-----w C:\Program Files\Micro Application 2008-05-31 15:21 --------- d-----w C:\Program Files\OrgangeFrance . ((((((((((((((((((((((((((((((( Registry Load Points ))))))))))))))))))))))))))))))))))))))))))))))))) . . REGEDIT4 *Note* empty entries & legitimate initial entries are not listed [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 19:09 15360] "TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-15 12:19 65536] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-04-06 20:19 155648] "HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-06 20:07 114688] "00THotkey"="C:\WINDOWS\System32\[u]0[/u]0THotkey.exe" [2003-05-23 09:20 253952] "Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-07-17 13:38 159744] "TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2003-03-11 08:58 122880] "PadTouch"="C:\Program Files\TOSHIBA\PadTouch\PadExe.exe" [2003-11-24 06:51 1019904] "ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-08-20 06:29 40960] "DkAutoReg.exe"="C:\Program Files\Rainbow Technologies\iKey 2000 Series Software\DkAutoReg.exe" [2002-07-24 20:09 241664] "DkStartup"="C:\Program Files\Rainbow Technologies\iKey 2000 Series Software\DkStartup.exe" [2002-07-24 20:12 217088] "OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2007-05-08 00:43 702072] "000StTHK"="000StTHK.exe" [2001-06-23 15:28 24576 C:\WINDOWS\system32\[u]0[/u]00StTHK.exe] "LTSMMSG"="LTSMMSG.exe" [2003-04-18 06:06 32768 C:\WINDOWS\ltsmmsg.exe] "TFNF5"="TFNF5.exe" [2003-10-15 12:03 73728 C:\WINDOWS\system32\TFNF5.exe] "TPSMain"="TPSMain.exe" [2003-12-01 07:09 266240 C:\WINDOWS\system32\TPSMain.exe] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-19 19:09 15360] C:\DOCUME~1\ALLUSE~1\MENUDM~1\PROGRA~1\DMARRA~1\ Orange Caraibes.lnk - C:\Program Files\OrgangeFrance\Orange Caraibes\Orange Caraibes.exe [2008-01-14 14:01:50 872448] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "vidc.mpg4"= C:\WINDOWS\mpg4c32.dll "vidc.mpg2"= C:\WINDOWS\mpg4c32.dll "vidc.mpg3"= C:\WINDOWS\mpg4c32.dll "vidc.GEOX"= C:\WINDOWS\system32\GeoCodec.dll [HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Quick Launch of Microsoft Office OneNote 2003.lnk] path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Quick Launch of Microsoft Office OneNote 2003.lnk backup=C:\WINDOWS\pss\Quick Launch of Microsoft Office OneNote 2003.lnkStartup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quick Launch of Adobe Reader.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quick Launch of Adobe Reader.lnk backup=C:\WINDOWS\pss\Quick Launch of Adobe Reader.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quick Launch of Microsoft Office OneNote 2003.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quick Launch of Microsoft Office OneNote 2003.lnk backup=C:\WINDOWS\pss\Quick Launch of Microsoft Office OneNote 2003.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Drag'n Drop CD+DVD] --------- 2003-08-08 18:54 1175552 C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\system32\sessmgr.exe"= "%windir%\Network Diagnostic\xpnetdiag.exe"= "C:\Program Files\Messenger\msmsgs.exe"= R3 GT72NDISIPXP;GT 72 IP NDIS;C:\WINDOWS\system32\DRIVERS\Gt51Ip.sys [2007-07-09 14:17] R3 GT72UBUS;GT 72 U BUS;C:\WINDOWS\system32\DRIVERS\gt72ubus.sys [2007-06-26 13:38] R3 GTPTSER;GT PT SER;C:\WINDOWS\system32\DRIVERS\gtptser.sys [2007-03-30 13:38] R3 iKeyEnum;Rainbow iKey Enumerator;C:\WINDOWS\system32\DRIVERS\ikeyenum.sys [2004-03-16 03:04] R3 iKeyIFD;Rainbow iKey Virtual Reader;C:\WINDOWS\system32\DRIVERS\ikeyifd.sys [2004-03-16 03:04] S3 PAMScan;PAMScan;C:\WINDOWS\System32\DRIVERS\PAMScan.SYS [2003-09-06 10:22] S3 RnbToken;Rainbow iKey Token Service;C:\WINDOWS\system32\DRIVERS\rnbtoken.sys [2004-03-16 03:04] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6c138b72-2f24-11dd-a5a2-00080ddf4fdb}] \Shell\AutoRun\command - E:\setup.exe AUTORUN=1 [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{caaa0ed6-8975-11dc-a55f-00080ddf4fdb}] \Shell\AutoRun\command - RavMon.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f5cd7da8-da49-11dc-a580-00080ddf4fdb}] \Shell\AutoRun\command - RavMon.exe . ************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-07-31 15:31:57 Windows 5.1.2600 Service Pack 2 NTFS Scanning hidden processes ... Scanning hidden autostart entries ... Scanning hidden files ... Scan completed successfully Hidden files: 0 ************************************************************************** . Completion Time: 2008-07-31 15:35:46 ComboFix-quarantined-files.txt 2008-07-31 19:35:36 ComboFix2.txt 2008-07-29 21:25:06 Pre-Run: 27,892,445,184 bytes free Post-Run: 27,938,078,720 bytes free 126 --- E O F --- 2008-07-17 04:07:11

Lasto97 · Answer

Have you seen a certain "Freeloader_Smitfraud" because when I run ComboFix, the OfficeScan antivirus finds it. OfficeScan has detected one or more spyware/grayware on your computer. For detailed information about the spyware/grayware, click the spyware/grayware name.  And that's the name of the spyware/grayware.

Lasto97 · Answer

Hi, do you see what needs to be done next?

Chiquitine29 · Answer

Hello  Display all files and folders: To do this: Click on start/control panel/folder options/view  Check show hidden folders  Uncheck the box "Hide protected operating system files (recommended)"  Uncheck hide extensions for known file types  Then click "apply" to validate the changes.  And OK  Then go to my computer Enter the C drive  Find and delete if present: RavMon.exe    -- To discover: Estopa, Rosario Flores, La Oreja De Van Gogh                     Enjoy listening                     @ + TChiki.

Lasto97 · Answer

He is not present, I just checked. I had already deleted him last week.

Chiquitine29 · Answer

ok  do this please   Download DSS (e.g. Comboscan) from Deckard to your desktop:  http://deckard.geekstogo.com/dss.exe   (choose save, then Desktop as the location)  Close all running applications.  Double-click on DSS.exe to launch the tool.  A window opens, prompting you to close all applications, click OK.  At the end of the scan, a window will open, click OK.  The report main.txt will be displayed, copy it into your next response. If a supplementary report has been created (extra.txt), post it as well in your response.  The reports are here: (!) C:\Deckard\System Scanner\main.txt (!) C:\Deckard\System Scanner\extra.txt  (CTRL+A to select all, CTRL+C to copy and CTRL+V to paste)   -- To discover: Estopa, Rosario Flores, La Oreja De Van Gogh                      Have a good listen                      @ + TChiki.

Lasto97 · Answer

Deckard's System Scanner v20071014.68 Run by Administrator on 2008-08-01 10:42:31 Computer is in Normal Mode. -------------------------------------------------------------------------------- [color=red]Total Physical Memory: 239 MiB (512 MiB recommended).[/color] -- HijackThis (run as Administrator.exe) -------------------------------------- Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 10:42:52, on 01/08/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16674) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe C:\WINDOWS\System32\DkLog.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Trend Micro\OfficeScan Client trtscan.exe C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Trend Micro\OfficeScan Client mlisten.exe C:\WINDOWS\System32\dkcktkn.exe C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe C:\WINDOWS\TEMP\YSEA86.EXE C:\WINDOWS\Explorer.EXE C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe C:\Program Files\TOSHIBA\TouchED\TouchED.Exe C:\Program Files\TOSHIBA\PadTouch\PadExe.exe C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe C:\WINDOWS\System32\00THotkey.exe C:\Program Files\Apoint2K\Apoint.exe C:\Program Files\Rainbow Technologies\iKey 2000 Series Software\DkAutoReg.exe C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe C:\WINDOWS\System32\ezSP_Px.exe C:\WINDOWS\System32\hkcmd.exe C:\WINDOWS\System32\igfxtray.exe C:\WINDOWS\LTSMMSG.exe C:\WINDOWS\system32\TFNF5.exe C:\WINDOWS\system32\TPSMain.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\TOSHIBA\TOSCDSPD oscdspd.exe C:\Program Files\Apoint2K\Apntex.exe C:\WINDOWS\system32\TPSBattM.exe C:\Program Files\OrangeFrance\Orange Caraibes\Orange Caraibes.exe C:\Documents and Settings\Administrator\Desktop\dss.exe C:\PROGRA~1\TRENDM~1\HIJACK~1\Administrator.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.com/?gws_rd=ssl R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/en-us/?ocid=iehp R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/en-us/?ocid=iehp R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Links O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: Windows Live Sign-in Assistant Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe O4 - HKLM\..\Run: [PadTouch] "C:\Program Files\TOSHIBA\PadTouch\PadExe.exe O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe O4 - HKLM\..\Run: [DkAutoReg.exe] C:\Program Files\Rainbow Technologies\iKey 2000 Series Software\DkAutoReg.exe O4 - HKLM\..\Run: [DkStartup] C:\Program Files\Rainbow Technologies\iKey 2000 Series Software\DkStartup.exe O4 - HKLM\..\Run: [Drag'n Drop CD+DVD] C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe /StartUp O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe O4 - HKLM\..\Run: [TFNF5] TFNF5.exe O4 - HKLM\..\Run: [TPSMain] TPSMain.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD oscdspd.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user') O4 - Global Startup: Orange Caraibes.lnk = C:\Program Files\OrangeFrance\Orange Caraibes\Orange Caraibes.exe O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe O9 - Extra button: Search - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O14 - IERESET.INF: START_PAGE_URL=file:///C:\Program Files\TOSHIBA\Free Update Service\splash.html O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - https://www.kaspersky.com/?domain=webscanner.kaspersky.com O16 - DPF: {1856D980-6604-4504-AE2E-6EEE0235FCF5} - http://www.certeurope.com/files/activesign/1.2.0.2/ActiveSign.CAB O16 - DPF: {1DB93715-3B60-43EE-93E6-279BB3E1DF76} - http://213.16.24.101:8080/cab/OCXChecker_6110.cab O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab O16 - DPF: {DBAFE6AD-DC14-45DF-A3F7-F8832289A1CD} - http://213.16.24.101:8080/cab/DownloadFile_7000.cab O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = vauclin.sud O17 - HKLM\Software\..\Telephony: DomainName = vauclin.sud O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = vauclin.sud O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = vauclin.sud O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe O23 - Service: Datakey's Log Service (DkLogger) - Datakey, Inc. - C:\WINDOWS\System32\DkLog.exe O23 - Service: Datakey's Token Service (DkTknSrv) - Datakey, Inc. - C:\WINDOWS\System32\dkcktkn.exe O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client trtscan.exe O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client mlisten.exe O23 - Service: OfficeScan NT Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe -- End of file - 7402 bytes -- Files created between 2008-07-01 and 2008-08-01 ----------------------------- 2008-07-31 22:36:32 0 dr-h----- C:\Documents and Settings\Administrator\Recent 2008-07-31 09:40:40 0 d-------- C:\WINDOWS\system32\Kaspersky Lab 2008-07-30 08:53:28 0 d-------- C:\Program Files\MSBuild 2008-07-30 08:53:15 0 d-------- C:\WINDOWS\system32\XPSViewer 2008-07-30 08:53:02 0 d-------- C:\Program Files\Reference Assemblies 2008-07-30 08:42:32 0 d-------- C:\Program Files\MSXML 6.0 2008-07-26 14:34:43 0 d-------- C:\WINDOWS\BDOSCAN8 2008-07-26 11:23:03 0 d-------- C:\Program Files\CCleaner 2008-07-26 10:21:44 0 d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes 2008-07-26 10:21:35 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes 2008-07-26 10:21:34 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware 2008-07-25 19:36:10 0 d--h----- C:\WINDOWS\PIF 2008-07-24 17:03:50 0 drahs---- C:\autorun.inf 2008-07-21 13:33:16 0 d-------- C:\Program Files\RegistryQuick 2008-07-17 17:25:39 0 d-------- C:\Combo-Fix 2008-07-17 14:49:20 0 d-------- C:\Documents and Settings\Administrator\Start Menu 2008-07-16 23:42:04 68096 --a------ C:\WINDOWS\zip.exe 2008-07-16 23:42:04 49152 --a------ C:\WINDOWS\VFind.exe 2008-07-16 23:42:04 161792 --a------ C:\WINDOWS\swreg.exe 2008-07-16 23:42:04 98816 --a------ C:\WINDOWS\sed.exe 2008-07-16 23:42:04 80412 --a------ C:\WINDOWS\grep.exe 2008-07-16 23:42:04 89504 --a------ C:\WINDOWS\fdsv.exe 2008-07-16 23:42:03 212480 --a------ C:\WINDOWS\swxcacls.exe 2008-07-16 23:42:03 136704 --a------ C:\WINDOWS\swsc.exe -- Find3M Report --------------------------------------------------------------- 2008-07-30 16:33:21 0 d-------- C:\Program Files\Common Files 2008-07-30 16:32:15 0 d-------- C:\Program Files\Java 2008-07-30 15:24:15 0 d-------- C:\Program Files\Trend Micro 2008-07-30 08:56:28 514148 --a------ C:\WINDOWS\system32\perfh00C.dat 2008-07-30 08:56:28 86134 --a------ C:\WINDOWS\system32\perfc00C.dat 2008-07-17 00:04:03 0 d-------- C:\Program Files\Microsoft Works 2008-07-15 21:14:43 0 d-------- C:\Documents and Settings\Administrator\Application Data\MSN6 2008-06-30 11:04:13 0 d-------- C:\Program Files\Bac_v7 2008-06-25 16:59:30 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2 2008-06-21 13:55:02 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller 2008-06-02 16:39:52 0 dr-h----- C:\Documents and Settings\Administrator\Application Data\SecuROM 2008-06-02 16:29:50 0 d-------- C:\Program Files\Common Files\MainConcept 2008-06-02 16:28:57 0 d-------- C:\Program Files\Micro Application -- Registry Dump --------------------------------------------------------------- *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [11/03/2003 08:58] "PadTouch"="C:\Program Files\TOSHIBA\PadTouch\PadExe.exe" [24/11/2003 06:51] "OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [08/05/2007 00:43] "00THotkey"="C:\WINDOWS\System32\00THotkey.exe" [23/05/2003 09:20] "000StTHK"="000StTHK.exe" [23/06/2001 15:28 C:\WINDOWS\system32\000StTHK.exe] "Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [17/07/2003 13:38] "DkAutoReg.exe"="C:\Program Files\Rainbow Technologies\iKey 2000 Series Software\DkAutoReg.exe" [24/07/2002 20:09] "DkStartup"="C:\Program Files\Rainbow Technologies\iKey 2000 Series Software\DkStartup.exe" [24/07/2002 20:12] "Drag'n Drop CD+DVD"="C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe" [08/08/2003 18:54] "ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [20/08/2002 06:29] "HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [06/04/2003 20:07] "IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [06/04/2003 20:19] "LTSMMSG"="LTSMMSG.exe" [18/04/2003 06:06 C:\WINDOWS\ltsmmsg.exe] "TFNF5"="TFNF5.exe" [15/10/2003 12:03 C:\WINDOWS\system32\TFNF5.exe] "TPSMain"="TPSMain.exe" [01/12/2003 07:09 C:\WINDOWS\system32\TPSMain.exe] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [19/08/2004 19:09] "TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD oscdspd.exe" [15/09/2003 12:19] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Orange Caraibes.lnk - C:\Program Files\OrangeFrance\Orange Caraibes\Orange Caraibes.exe [14/01/2008 14:01:50] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "HideLegacyLogonScripts"=0 (0x0) "HideLogoffScripts"=0 (0x0) "RunLogonScriptSync"=1 (0x1) "RunStartupScriptSync"=0 (0x0) "HideStartupScripts"=0 (0x0) "DisableRegistryTools"=0 (0x0) [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] "HideLegacyLogonScripts"=0 (0x0) "HideLogoffScripts"=0 (0x0) "RunLogonScriptSync"=1 (0x1) "RunStartupScriptSync"=0 (0x0) "HideStartupScripts"=0 (0x0) [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}] @="Volume shadow copy" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Quick Launch of Microsoft Office OneNote 2003.lnk] path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Quick Launch of Microsoft Office OneNote 2003.lnk backup=C:\WINDOWS\pss\Quick Launch of Microsoft Office OneNote 2003.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quick Launch of Adobe Reader.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quick Launch of Adobe Reader.lnk backup=C:\WINDOWS\pss\Quick Launch of Adobe Reader.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quick Launch of Microsoft Office OneNote 2003.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quick Launch of Microsoft Office OneNote 2003.lnk backup=C:\WINDOWS\pss\Quick Launch of Microsoft Office OneNote 2003.lnkCommon Startup [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6c138b72-2f24-11dd-a5a2-00080ddf4fdb}] AutoRun\command- E:\setup.exe AUTORUN=1 [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{caaa0ed6-8975-11dc-a55f-00080ddf4fdb}] AutoRun\command- RavMon.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f5cd7da8-da49-11dc-a580-00080ddf4fdb}] AutoRun\command- RavMon.exe -- End of Deckard's System Scanner: finished at 2008-08-01 10:43:14 ------------

Chiquitine29 · Answer

No extra report.txt ???  Go to this site:  https://www.virustotal.com/gui/  Click on Browse and search for this file: C:\WINDOWS\swsc.exe   Click on Send File.  A report will be generated line by line.  Wait for it to finish. It should include the size of the uploaded file.  Save the report with Notepad.  Copy it into your response.   -- To discover: Estopa, Rosario Flores, La Oreja De Van Gogh                    Enjoy listening                    @ + TChiki.

Lasto97 · Answer

No, no extra report.txt. Here is the VirusTotal report. It told me that the file has already been analyzed. I requested a re-analysis and here it is:  File swsc.exe received on 2008.08.01 16:55:28 (CET) Current status: loading... queued for analysis in progress completed NOT FOUND STOPPED   Result: 1/36 (2.78%) loading server information... Your file is in the queue, at position: ___. Estimated time to start is between ___ and ___. Do not close the window until the analysis is finished. The analyzer that was processing your file is currently stopped; we will wait a few seconds to try to recover your results. If you have been waiting for more than five minutes, you need to re-submit your file. Your file is currently being analyzed by VirusTotal, the results will be displayed as they are generated. Formatted Results Impression Your file has expired or does not exist. The service is currently stopped, your file has been waiting to be analyzed (position: ) for an indefinite duration.  You can wait for a response from the Web (automatic re-loading) or enter your email in the form below and click "Request" for the system to notify you when the analysis is complete.  Email:   Antivirus Version Last updated Result AhnLab-V3 2008.7.29.1 2008.08.01 - AntiVir 7.8.1.15 2008.08.01 - Authentium 5.1.0.4 2008.07.31 - Avast 4.8.1195.0 2008.07.31 - AVG 8.0.0.156 2008.08.01 - BitDefender 7.2 2008.08.01 - CAT-QuickHeal 9.50 2008.07.31 - ClamAV 0.93.1 2008.08.01 - DrWeb 4.44.0.09170 2008.08.01 - eSafe 7.0.17.0 2008.07.29 Suspicious File eTrust-Vet 31.6.6001 2008.08.01 - Ewido 4.0 2008.08.01 - F-Prot 4.4.4.56 2008.07.31 - F-Secure 7.60.13501.0 2008.08.01 - Fortinet 3.14.0.0 2008.08.01 - GData 2.0.7306.1023 2008.08.01 - Ikarus T3.1.1.34.0 2008.08.01 - K7AntiVirus 7.10.399 2008.07.31 - Kaspersky 7.0.0.125 2008.08.01 - McAfee 5351 2008.07.31 - Microsoft 1.3704 2008.07.28 - NOD32v2 3317 2008.08.01 - Norman 5.80.02 2008.08.01 - Panda 9.0.0.4 2008.08.01 - PCTools 4.4.2.0 2008.08.01 - Prevx1 V2 2008.08.01 - Rising 20.55.42.00 2008.08.01 - Sophos 4.31.0 2008.08.01 - Sunbelt 3.1.1537.1 2008.08.01 - Symantec 10 2008.08.01 - TheHacker 6.2.96.391 2008.07.31 - TrendMicro 8.700.0.1004 2008.08.01 - VBA32 3.12.8.2 2008.08.01 - ViRobot 2008.8.1.1321 2008.08.01 - VirusBuster 4.5.11.0 2008.08.01 - Webwasher-Gateway 6.6.2 2008.08.01 - Additional information File size: 136704 bytes MD5...: b7517db073b28f5696a1e5528abeb5d0 SHA1..: 00febdeb479da8a4ef7bc79d09aca261a71ceabb SHA256: c6ee03a9b48edf36833bb3d7d27d616a0df8929305f2c841e3e4cdc467bb3a92 SHA512: c89db2bb837dd8e1d004154ff0cf13e31a4bf3683e5dcdf55383b9b9b640fcf3 6c386fb81ac3361a830cb205dae4461eeb7167cd0e437af0a7783a4629d3a4a9 PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser PEInfo: PE Structure information  ( base data ) entrypointaddress.: 0x46e340 timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992) machinetype.......: 0x14c (I386)  ( 3 sections ) name viradd virsiz rawdsiz ntrpy md5 UPX0 0x1000 0x4d000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e UPX1 0x4e000 0x21000 0x20600 7.88 8cd65322150cae19cccbf33bfb94bcab .rsrc 0x6f000 0x1000 0xc00 4.13 0a2ba89ef9c839586b28cfb26d605a68  ( 6 imports ) > KERNEL32.DLL: LoadLibraryA, GetProcAddress, ExitProcess > advapi32.dll: GetAce > ole32.dll: CoInitialize > oleaut32.dll: VariantCopy > user32.dll: CharNextW > version.dll: VerQueryValueA  ( 0 exports )  ThreatExpert info: https://www.symantec.com?md5=b7517db073b28f5696a1e5528abeb5d0 packers (Kaspersky): UPX packers (F-Prot): UPX

Chiquitine29 · Answer

Sure, here is the translation:

peux tu recommencer stp car :  queued pending analysis in progress completed NOT FOUND STOPPED   and send the report of the already analyzed file please -- To discover: Estopa, Rosario Flores, La Oreja De Van Gogh  Good listening  @ + TChiki.

Lasto97 · Answer

In fact, it writes this when we copy and paste, but it is not what is actually written. I noticed this last time. What is actually written is "File swsc.exe received on 2008.08.01 17:05:47 (CET) Current situation: completed Result: 1/36 (2.78%)" But when I copy and paste it writes File swsc.exe received on 2008.08.01 17:05:47 (CET) Current situation: loading ... queued waiting for analysis completed NOT FOUND STOPPED   Result: 1/36 (2.78%)  I don't understand. Anyway, I redid the analysis and it will do the same thing   File swsc.exe received on 2008.08.01 17:05:47 (CET) Current situation: loading ... queued waiting for analysis completed NOT FOUND STOPPED   Result: 1/36 (2.78%) loading server information... Your file is in the queue, in position: ___. The estimated start time is between ___ and ___. Do not close the window before the analysis is finished. The analyzer processing your file is currently stopped, we will wait a few seconds to try to retrieve your results. If you have been waiting for more than five minutes, you need to resend your file. Your file is currently being analyzed by VirusTotal, the results will be displayed as they are generated. Formatted Print results Your file has expired or does not exist. The service is currently stopped, your file is waiting to be analyzed (position :) for an indefinite duration.  You can wait for a response from the Web (automatic reload) or enter your email in the form below and click "Request" for the system to send you a notification when the analysis is complete.  Email:   Antivirus Version Last Update Result AhnLab-V3 2008.7.29.1 2008.08.01 - AntiVir 7.8.1.15 2008.08.01 - Authentium 5.1.0.4 2008.07.31 - Avast 4.8.1195.0 2008.07.31 - AVG 8.0.0.156 2008.08.01 - BitDefender 7.2 2008.08.01 - CAT-QuickHeal 9.50 2008.07.31 - ClamAV 0.93.1 2008.08.01 - DrWeb 4.44.0.09170 2008.08.01 - eSafe 7.0.17.0 2008.07.29 Suspicious File eTrust-Vet 31.6.6001 2008.08.01 - Ewido 4.0 2008.08.01 - F-Prot 4.4.4.56 2008.07.31 - F-Secure 7.60.13501.0 2008.08.01 - Fortinet 3.14.0.0 2008.08.01 - GData 2.0.7306.1023 2008.08.01 - Ikarus T3.1.1.34.0 2008.08.01 - K7AntiVirus 7.10.399 2008.07.31 - Kaspersky 7.0.0.125 2008.08.01 - McAfee 5351 2008.07.31 - Microsoft 1.3704 2008.07.28 - NOD32v2 3317 2008.08.01 - Norman 5.80.02 2008.08.01 - Panda 9.0.0.4 2008.08.01 - PCTools 4.4.2.0 2008.08.01 - Prevx1 V2 2008.08.01 - Rising 20.55.42.00 2008.08.01 - Sophos 4.31.0 2008.08.01 - Sunbelt 3.1.1537.1 2008.08.01 - Symantec 10 2008.08.01 - TheHacker 6.2.96.391 2008.07.31 - TrendMicro 8.700.0.1004 2008.08.01 - VBA32 3.12.8.2 2008.08.01 - ViRobot 2008.8.1.1321 2008.08.01 - VirusBuster 4.5.11.0 2008.08.01 - Webwasher-Gateway 6.6.2 2008.08.01 - Additional information File size: 136704 bytes MD5...: b7517db073b28f5696a1e5528abeb5d0 SHA1..: 00febdeb479da8a4ef7bc79d09aca261a71ceabb SHA256: c6ee03a9b48edf36833bb3d7d27d616a0df8929305f2c841e3e4cdc467bb3a92 SHA512: c89db2bb837dd8e1d004154ff0cf13e31a4bf3683e5dcdf55383b9b9b640fcf3 6c386fb81ac3361a830cb205dae4461eeb7167cd0e437af0a7783a4629d3a4a9 PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser PEInfo: PE Structure information  ( base data ) entrypointaddress.: 0x46e340 timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992) machinetype.......: 0x14c (I386)  ( 3 sections ) name viradd virsiz rawdsiz ntrpy md5 UPX0 0x1000 0x4d000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e UPX1 0x4e000 0x21000 0x20600 7.88 8cd65322150cae19cccbf33bfb94bcab .rsrc 0x6f000 0x1000 0xc00 4.13 0a2ba89ef9c839586b28cfb26d605a68  ( 6 imports )  > KERNEL32.DLL: LoadLibraryA, GetProcAddress, ExitProcess  > advapi32.dll: GetAce  > ole32.dll: CoInitialize  > oleaut32.dll: VariantCopy  > user32.dll: CharNextW  > version.dll: VerQueryValueA  ( 0 exports )  ThreatExpert info: https://www.symantec.com?md5=b7517db073b28f5696a1e5528abeb5d0 packers (Kaspersky): UPX packers (F-Prot): UPX

Chiquitine29 · Answer

It is actually a smithfraud file but logically it should be in system32 and it is dated July 16  Did you use smithfraud that day?  Show all files and folders: To do this: Click on start/control panel/folder options/view  Check show hidden files  Uncheck the box "Hide protected operating system files (recommended)"  Uncheck hide extensions for known file types  Then click "apply" to validate the changes.  And OK   Download OTMoveIt http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe (by Old_Timer) to your desktop. Double-click on OTMoveIt.exe to launch it. Make sure the Unregister Dll's and Ocx's box is checked Copy the line that is in bold below, and paste it into the left box of OTMoveIt: Paste List of Files/Folders to be moved.  C:\autorun.inf   Click on MoveIt! to start the deletion. The result will appear in the "Results" box. Click on Exit to close. Post the report located in C:\_OTMoveIt\MovedFiles. and test for invalid win32  You may be asked to restart the computer to complete the deletion. If so, accept by Yes.   -- To discover: Estopa, Rosario Flores, La Oreja De Van Gogh                    Enjoy listening                    @ + TChiki.

Lasto97 · Answer

No, I didn’t use smithfraud, I don’t even know what it is...  Here is the report  C:\autorun.inf moved successfully.  OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 08012008_112230

Chiquitine29 · Answer

still the message ?? I'm checking for: swsc.exe -- To discover: Estopa, Rosario Flores, La Oreja De Van Gogh                    Enjoy listening                    @ + TChiki.

Chiquitine29 · Answer

double-click on OTMoveIt.exe to launch it. Make sure the Unregister Dll's and Ocx's box is checked copy the line that is in bold below, and paste it into the left box of OTMoveIt: Paste List of Files/Folders to be moved.  C:\WINDOWS\swsc.exe  click on MoveIt! to start the deletion. the result will appear in the "Results" box. click on Exit to close. post the report located in C:\_OTMoveIt\MovedFiles.  -- To discover: Estopa, Rosario Flores, La Oreja De Van Gogh                    Enjoy listening                    @ + TChiki.

Lasto97 · Answer

What do you mean by "and invalid test for win32"?

Chiquitine29 · Answer

do you see the message "is not a valid Win32 application"?? -- To discover: Estopa, Rosario Flores, La Oreja De Van Gogh                    Enjoy listening                    @ + TChiki.

Lasto97 · Answer

Here  C:\WINDOWS\swsc.exe moved successfully.  OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 08012008_113452

Lasto97 · Answer

So far I've been able to do everything you've asked me without seeing it. Otherwise, I wouldn't have been able to execute it. But so far, it's going well. Otherwise, do you want me to test a specific program?

Chiquitine29 · Answer

EDIT -- To discover: Estopa, Rosario Flores, La Oreja De Van Gogh                    Enjoy listening                    @ + TChiki.

Chiquitine29 · Answer

YES  we're going to test hijackthis to start  Download HijackThis here:  -> http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe   Installation tutorial:  -> https://forums.cnetfrance.fr  Usage tutorial:  -> https://forums.cnetfrance.fr  Please post the generated report here...   -- Discover: Estopa, Rosario Flores, La Oreja De Van Gogh                    Enjoy listening                    @ + TChiki.

Lasto97 · Answer

Am I the installation tutorial? Or do I install it without making any changes and run it directly?

Chiquitine29 · Answer

you execute it, you click and you click on do a system scan and save a logfile and you post the report    -- To discover: Estopa, Rosario Flores, La Oreja De Van Gogh                       Happy listening                       @ + TChiki.

Lasto97 · Answer

Logfile de Trend Micro HijackThis v2.0.2 Analyse sauvegardée à 11:48:20, le 01/08/2008 Plateforme : Windows XP SP2 (WinNT 5.01.2600) MSIE : Internet Explorer v7.00 (7.00.6000.16674) Mode de démarrage : Normal  Processus en cours : C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe C:\WINDOWS\System32\DkLog.exe C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Trend Micro\OfficeScan Client
trtscan.exe C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Trend Micro\OfficeScan Client	mlisten.exe C:\WINDOWS\System32\dkcktkn.exe C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe C:\WINDOWS\TEMP\YSEA86.EXE C:\WINDOWS\Explorer.EXE C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe C:\Program Files\TOSHIBA\TouchED\TouchED.Exe C:\Program Files\TOSHIBA\PadTouch\PadExe.exe C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe C:\WINDOWS\System32\00THotkey.exe C:\Program Files\Apoint2K\Apoint.exe C:\Program Files\Rainbow Technologies\iKey 2000 Series Software\DkAutoReg.exe C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe C:\WINDOWS\System32\ezSP_Px.exe C:\WINDOWS\System32\hkcmd.exe C:\WINDOWS\System32\igfxtray.exe C:\WINDOWS\LTSMMSG.exe C:\WINDOWS\system32\TFNF5.exe C:\WINDOWS\system32\TPSMain.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\TOSHIBA\TOSCDSPD	oscdspd.exe C:\Program Files\Apoint2K\Apntex.exe C:\WINDOWS\system32\TPSBattM.exe C:\Program Files\OrgangeFrance\Orange Caraibes\Orange Caraibes.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe  R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.fr/?gws_rd=ssl R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/?ocid=iehp R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Links O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: Programme d'aide de l'Assistant de connexion Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe O4 - HKLM\..\Run: [PadTouch] "C:\Program Files\TOSHIBA\PadTouch\PadExe.exe O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe O4 - HKLM\..\Run: [DkAutoReg.exe] C:\Program Files\Rainbow Technologies\iKey 2000 Series Software\DkAutoReg.exe O4 - HKLM\..\Run: [DkStartup] C:\Program Files\Rainbow Technologies\iKey 2000 Series Software\DkStartup.exe O4 - HKLM\..\Run: [Drag'n Drop CD+DVD] C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe /StartUp O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe O4 - HKLM\..\Run: [TFNF5] TFNF5.exe O4 - HKLM\..\Run: [TPSMain] TPSMain.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD	oscdspd.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (Utilisateur 'SERVICE LOCAL') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (Utilisateur 'SERVICE RÉSEAU') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (Utilisateur 'SYSTEME') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (Utilisateur 'Utilisateur par défaut') O4 - Démarrage global : Orange Caraibes.lnk = C:\Program Files\OrgangeFrance\Orange Caraibes\Orange Caraibes.exe O9 - Bouton supplémentaire : (pas de nom) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe O9 - Élément de menu 'Outils' supplémentaire : Désinstaller BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe O9 - Bouton supplémentaire : Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Bouton supplémentaire : (pas de nom) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Élément de menu 'Outils' supplémentaire : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Bouton supplémentaire : Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Élément de menu 'Outils' supplémentaire : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O14 - IERESET.INF : START_PAGE_URL=file:///C:\Program Files\TOSHIBA\Free Update Service\splash.html O16 - DPF : {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (Objet CKAVWebScan) - https://www.kaspersky.fr/?domain=webscanner.kaspersky.fr O16 - DPF : {1856D980-6604-4504-AE2E-6EEE0235FCF5} - http://www.certeurope.fr/fichiers/activesign/1.2.0.2/ActiveSign.CAB O16 - DPF : {1DB93715-3B60-43EE-93E6-279BB3E1DF76} - http://213.16.24.101:8080/cab/OCXChecker_6110.cab O16 - DPF : {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (Contrôle BDSCANONLINE) - http://download.bitdefender.com/resources/scan8/oscan8.cab O16 - DPF : {DBAFE6AD-DC14-45DF-A3F7-F8832289A1CD} - http://213.16.24.101:8080/cab/DownloadFile_7000.cab O17 - HKLM\System\CCS\Services\Tcpip\Parameters : Domaine = vauclin.sud O17 - HKLM\Software\..\Telephony : DomainName = vauclin.sud O17 - HKLM\System\CS1\Services\Tcpip\Parameters : Domaine = vauclin.sud O17 - HKLM\System\CS2\Services\Tcpip\Parameters : Domaine = vauclin.sud O23 - Service : ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe O23 - Service : Service Log de Datakey (DkLogger) - Datakey, Inc. - C:\WINDOWS\System32\DkLog.exe O23 - Service : Service de jeton Datakey (DkTknSrv) - Datakey, Inc. - C:\WINDOWS\System32\dkcktkn.exe O23 - Service : Analyse en temps réel OfficeScanNT (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client
trtscan.exe O23 - Service : Service Agent SoundMAX (Service par défaut SoundMAX) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe O23 - Service : Écouteur OfficeScan NT (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client	mlisten.exe O23 - Service : Pare-feu OfficeScan NT (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe O23 - Service : Service Proxy OfficeScan NT (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe  -- Fin du fichier - 7400 octets

Chiquitine29 · Answer

Download ToolsCleaner to your desktop. --> ftp://ftp.commentcamarche.com/download/ToolsCleaner2.exe http://www.commentcamarche.net/telecharger/telecharger 34055291 toolscleaner http://pc-system.fr/  # Click on Search and let the scan run ... # Click on Delete to finish. # You can, if you wish, use the Optional Options. # Click on Exit to get the report. # Post the report (TCleaner.txt) that is located at the root of your hard drive (C:\).     -- To discover: Estopa, Rosario Flores, La Oreja De Van Gogh                    Enjoy listening                    @ + TChiki.

Lasto97 · Answer

It was this program that I couldn't install the other day. It was also giving me the invalid win32 error. Let's see today.

Chiquitine29 · Answer

YES let's see, and keep our fingers crossed -- To discover: Estopa, Rosario Flores, La Oreja De Van Gogh                      Enjoy listening                      @ + TChiki.

Lasto97 · Answer

Ok it worked  -->- Search:  C:\Qoobox: found! C:\_OtMoveIt: found! C:\Documents and Settings\Administrator\Desktop\Dss.exe: found! C:\Documents and Settings\Administrator\Desktop\HijackThis.lnk: found! C:\Documents and Settings\Administrator\Desktop\DiagHelp.zip: found! C:\Documents and Settings\Administrator\Desktop\HJTInstall.exe: found! C:\Documents and Settings\All Users\Start Menu\Programs\HijackThis: found! C:\Documents and Settings\All Users\Start Menu\Programs\HijackThis\HijackThis.lnk: found! C:\Program Files\Trend Micro\HijackThis: found! C:\Program Files\Trend Micro\HijackThis\HijackThis.exe: found!  --------------------------------- -->- Deletion:  C:\Documents and Settings\Administrator\Desktop\Dss.exe: deleted! C:\Documents and Settings\Administrator\Desktop\HijackThis.lnk: deleted! C:\Documents and Settings\Administrator\Desktop\DiagHelp.zip: deleted! C:\Documents and Settings\Administrator\Desktop\HJTInstall.exe: deleted! C:\Documents and Settings\All Users\Start Menu\Programs\HijackThis\HijackThis.lnk: deleted! C:\Program Files\Trend Micro\HijackThis\HijackThis.exe: deleted! C:\Qoobox: deleted! C:\_OtMoveIt: Deletion error! C:\Documents and Settings\All Users\Start Menu\Programs\HijackThis: deleted! C:\Program Files\Trend Micro\HijackThis: deleted!

Chiquitine29 · Answer

ok perfect  let's leave it like that, if you notice the message appears come back to us  @++  Good evening -- To discover: Estopa, Rosario Flores, La Oreja De Van Gogh                    Enjoy listening                    @ + TChiki.

Lasto97 · Answer

OK. So is it settled or what? Can I download the right Windows Live Messenger? Or do I have to wait? And do I check at the top to say that it’s resolved?

Chiquitine29 · Answer

Logically, it's okay    Yes, download Windows Live Messenger   Use the PC normally and if you notice the message appearing, come back, but I don't believe it too much   If within 2/3 days you don't have the message, you can mark it as resolved  --  Discover: Estopa, Rosario Flores, La Oreja De Van Gogh  Good listening  @ + TChiki.

Lasto97 · Answer

Okay, thank you very much for everything. Thank you.

Chiquitine29 · Answer

no problem, no worries  See you later for confirmation -- To discover: Estopa, Rosario Flores, La Oreja De Van Gogh                      Enjoy listening                      See you later TChiki.

Lasto97 · Answer

Hi,  I downloaded MSN 8, it installed well. Everything is working fine. I'll update in 2 days.

Chiquitine29 · Answer

remove the otmoveit folder and Script.bat too  @+ -- To discover: Estopa, Rosario Flores, La Oreja De Van Gogh                      Enjoy listening                      @ + TChiki.

GG · Answer

Hi, I tried ComboFix, it didn't work, and it gave me the following; Please help me.  ComboFix 11-03-19.04 - DELL 2011-03-20 22:40:46.1.2 - x86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.2.1036.18.1022.718 [GMT -4:00] Started from: c:\documents and settings\DELL\Desktop
onabagle.exe AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83} FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8} . . (((((((((((((((((((((((((((((((((((( Other deletions )))))))))))))))))))))))))))))))))))))))))))))))) . . c:\config\S-1-5-21-1482476501-1644491937-682003330-1013 c:\config\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini c:\documents and settings\DELL\Application Data\inst.exe c:\program files\Search Settings c:\program files\Search Settings\SeARchsettings.dll c:\program files\Search Settings\SearchSettings.exe c:\program files\Search Settings\SearchSettingsRes409.dll . . ((((((((((((((((((((((((((((( Files created from 2011-02-21 to 2011-03-21 )))))))))))))))))))))))))))))))))))) . . 2011-03-19 15:44 . 2011-03-19 15:44 -------- d-----w- c:\program files\CCleaner 2011-03-19 05:55 . 2011-03-19 05:55 -------- d-----w- c:\documents and settings\DELL\Local Settings\Application Data\Identities 2011-03-15 05:25 . 2011-03-15 05:25 137728 ----a-w- c:\windows\Ysuxya.exe 2011-03-14 13:21 . 2011-03-14 13:21 -------- d-----w- c:\documents and settings\DELL\Local Settings\Application Data\PCHealth 2011-02-26 17:44 . 2011-02-26 17:44 -------- d-----w- c:\program files\Common Files\Adobe . . (((((((((((((((((((((((((((((((((( Find3M report )))))))))))))))))))))))))))))))))))))))))))))))) . 2011-02-26 14:40 . 2010-07-15 20:26 47360 ----a-w- c:\documents and settings\DELL\Application Data\pcouffin.sys 2011-02-09 13:54 . 2004-08-05 12:00 270848 ----a-w- c:\windows\system32\sbe.dll 2011-02-09 13:54 . 2004-08-05 12:00 186880 ----a-w- c:\windows\system32\encdec.dll 2011-02-02 07:59 . 2007-12-21 17:00 2067456 ----a-w- c:\windows\system32\mstscax.dll 2011-01-27 11:57 . 2007-12-21 17:00 677888 ----a-w- c:\windows\system32\mstsc.exe 2011-01-21 14:44 . 2004-08-05 12:00 441344 ----a-w- c:\windows\system32\shimgvw.dll 2011-01-07 14:09 . 2004-08-05 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll 2010-12-31 14:04 . 2004-08-05 12:00 1855104 ----a-w- c:\windows\system32\win32k.sys 2010-12-22 12:34 . 2004-08-05 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll . . ((((((((((((((((((((((((((((((((( Registry load points )))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty items & legit initial items are not listed REGEDIT4 . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-17 3872080] "KCSCPW1HKH"="c:\windows\Ysuxya.exe" [2011-03-15 137728] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-17 8495104] "nwiz"="nwiz.exe" [2007-11-17 1626112] "NVHotkey"="nvHotkey.dll" [2007-11-17 86016] "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-11-17 81920] "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640] "Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128] "IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-10-08 995328] "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-10-08 1101824] "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-15 71216] "LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-09 52256] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736] "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288] . [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360] . [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] ""= 00 00 00 00 . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS] @="" . [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusOverride"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus] "DisableMonitoring"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall] "DisableMonitoring"=dword:00000001 . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\system32\sessmgr.exe"= "c:\Program Files\CyberLink\PowerDVD\PowerDVD.exe"= "%windir%\Network Diagnostic\xpnetdiag.exe"= "c:\Program Files\Mozilla Firefox\firefox.exe"= "c:\Program Files\Messenger\msmsgs.exe"= "c:\Program Files\Windows Live\Messenger\msnmsgr.exe"= . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings] "AllowInboundEchoRequest"= 1 (0x1) . R2 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [2010-01-08 380928] R2 ASFIPmon;Broadcom ASF IP Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [2005-10-18 61440] S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?] S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?] S3 EL3C574;PC Card Network Device Driver FE574B-3Com 10/100;c:\windows\system32\drivers\el574nd4.sys [2007-12-21 24653] S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?] . Contents of the 'Scheduled Tasks' folder . 2011-03-20 c:\windows\Tasks\User_Feed_Synchronization-{9677DAB8-D601-4C89-A486-87DADEF7B928}.job - c:\windows\system32\msfeedssync.exe [2007-08-13 23:36] . 2011-03-21 c:\windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job - c:\windows\Ysuxya.exe [2011-03-15 05:25] . . ------- Additional examination ------- . uStart Page = hxxp://www.google.ca/ uSearchURL,(Default) = hxxp://ca.search.yahoo.com/search?fr=mcafee&p=%s IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200 IE: E&xporter to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html FF - ProfilePath - c:\documents and settings\DELL\Application Data\Mozilla\Firefox\Profiles\v4cytyzm.default\ FF - prefs.js: browser.search.selectedEngine - Google FF - prefs.js: keyword.URL - hxxp://ca.search.yahoo.com/search?fr=mcafee&p= FF - prefs.js: network.proxy.type - 4 FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b} FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} . - - - - ORPHANS REMOVED - - - - . Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file) WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file) WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file) HKLM-Run-SigmatelSysTrayApp - %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe HKLM-Run-SearchSettings - c:\program files\Search Settings\SearchSettings.exe . . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2011-03-20 22:44 Windows 5.1.2600 Service Pack 3 NTFS . Searching for hidden processes... . Searching for hidden auto start items... . Searching for hidden files... . Scan completed successfully Hidden files: 0 . ************************************************************************** . --------------------- BLOCKED REGISTRY KEYS --------------------- . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\WINDOWS\system32\Macromed\Flash\FlashUtil10h_ActiveX.exe,-101" . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation] "Enabled"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32] @="c:\WINDOWS\system32\Macromed\Flash\FlashUtil10h_ActiveX.exe" . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" . [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}] @Denied: (A 2) (Everyone) @="IFlashBroker4" . [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" . [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\€-€|ÿÿÿÿÀ*€|ù*9~*] "C040111900063D11C8EF10054038389C"="C?\WINDOWS\system32\FM20ENU.DLL" . End time: 2011-03-20 22:46:44 ComboFix-quarantined-files.txt 2011-03-21 02:46 . Before-CF: 26 574 393 344 bytes free After-CF: 42 495 885 312 bytes free . WindowsXP-KB310994-SP2-Home-BootDisk-FRA.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons UnsupportedDebug="do not select this" /debug multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect . - - End Of File - - B3492B9C61823DDBE8BC2B9905868BE2

Is not a valid Win32 application

164 réponses

Canon mb5350 - cartridge replacement impossible

Texture issues in enshrouded

Football manager (club management game)

Select next line csh foreach

Win32 kamso then rootkit detection

Win32:spyware-gen [trj] detected by avast

Unknown video error on the freebox player

Make it or break it

How to open a cbr file

Please log in with manager privileges.