HDD won't open + slowness
Solved
fdwrc (621 posts, Member)
jlpjlp (52399 posts, Security contributor)
Hello,
Hi, here's the thing: I'd like a bit of help because I strongly suspect a virus. Here is the HijackThis report. Thanks in advance for your help.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:44:00 م, on 08/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\NVATray.exe
D:\WINDOWS\ZSSnp211.exe
D:\WINDOWS\Domino.exe
D:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\WINDOWS\system32\ctfmon.exe
D:\PROGRA~1\Webshots\webshots.scr
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Documents and Settings\nouredine\سطح المكتب\eden.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.fr/?gws_rd=ssl
F2 - REG:system.ini: Shell=Explorer.exe "D:\DOCUME~1\NOURED~1\LOCALS~1\Temp\ry0K33bM.exe"
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe
O4 - HKLM\..\Run: [ZSSnp211] D:\WINDOWS\ZSSnp211.exe
O4 - HKLM\..\Run: [Domino] D:\WINDOWS\Domino.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "D:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [WARN POP TRUST LIES] D:\Documents and Settings\All Users\Application Data\Camp Mess Warn Pop\funk test.exe
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunOnce: [WIAWizardMenu] RUNDLL32.EXE D:\WINDOWS\system32\sti_ci.dll,WiaCreateWizardMenu
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O4 - Startup: Webshots.lnk = D:\Program Files\Webshots\Launcher.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\nwprovau.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
66 replies
----------------- FindyKill V3.O85 ------------------
* User : nouredine - LATANSALLAH
* Emplacement : D:\Program Files\FindyKill\FindyKill.cmd
* Outils Mis a jours le 02/10/08 par Chiquitine29
* Suppression effectuée à 21:03:03 le Wed 10/08/2008
* Windows XP - Internet Explorer 6.0.2900.2180
((((((((((((((( *** Suppression *** ))))))))))))))))))
»»»» Suppression des fichiers dans D:
»»»» Suppression des fichiers dans D:\WINDOWS
»»»» Suppression des fichiers dans D:\WINDOWS\Prefetch
»»»» Suppression des fichiers dans D:\WINDOWS\system32
»»»» Suppression des fichiers dans D:\WINDOWS\system32\drivers
»»»» Suppression des fichiers dans D:\Documents and Settings\nouredine\Application Data
»»»» Suppression des fichiers dans D:\DOCUME~1\NOURED~1\LOCALS~1\Temp
»»»» Suppression des clefs du registre..
Supprimé ! - HKEY_CURRENT_CONFIG\System\CurrentControlSet\Enum\ROOT\LEGACY_SROSA
»»»» Suppression des clefs du registre effectuée !
»»»» Mode sans echec restauré !
»»»» Services de securité Windows redemarré !
»»»» Suppression des fichiers dans Support amovible :
Echec de la supression !! - C:\autorun.inf
Supprimé ! - C:\jfvkcsy.bat
Echec de la supression !! - D:\autorun.inf
Echec de la supression !! - E:\autorun.inf
Supprimé ! - E:\jfvkcsy.bat
Echec de la supression !! - F:\autorun.inf
Supprimé ! - F:\jfvkcsy.bat
»»»» Necessite une interpretation :
»»»» Recherche Cracks Keygen... :
---------------- ! Fin du rapport ! ------------------
Only BitDefender shows up, and when I click "I accept" it lags and doesn't load. Is it the same for you?
Then download BitDefender Free and paste a report made with it:
https://www.01net.com/telecharger/windows/Securite/antivirus-antitrojan/fiches/29063.html
Hi again. I don't get it, it's screwing up again: I can't download the file completely, it hangs at the end.
If you don't have an antivirus, then try installing Antivir:
https://www.malekal.com/avira-free-security-antivirus-gratuit/
I downloaded it but can't run it. I'm trying to download AVG, but the connection is crawling.
It keeps screwing up: at the end of the AVG installation there's an error and it doesn't install. I'll try something else.
Yet another failure. I installed a trial version of NOD32; when I run it, the PC reboots. I'm really fed up.
I even tried in French XP and it's the same, Antivir won't install. Couldn't it be a virus that's causing all these problems?
ComboFix 08-10-07.06 - nouredine 10/09/2008 17:00:35.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1256.1.1025.18.81 [GMT 2:00]
Running from: D:\Documents and Settings\nouredine\??? ??????\ComboFix.exe
* Created a new restore point
[COLOR=RED][B]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/B][/COLOR]
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\ranvrgn.exe
D:\ranvrgn.exe
D:\WINDOWS\IE4 Error Log.txt
E:\ranvrgn.exe
F:\ranvrgn.exe
.
((((((((((((((((((((((((( Files Created from 2008-09-09 to 2008-10-09 )))))))))))))))))))))))))))))))
.
No new files created in this timespan
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-09 15:05 383,008 --sha-w D:\WINDOWS\system32\drivers\fidbox.dat
2008-10-09 15:03 6,536 --sha-w D:\WINDOWS\system32\drivers\fidbox.idx
2008-10-09 15:03 --------- d-----w D:\Program Files\Control Kids
2008-10-09 14:57 --------- d--h--w D:\Program Files\InstallShield Installation Information
2008-10-09 14:57 --------- d-----w D:\Documents and Settings\nouredine\Application Data\Webshots
2008-10-09 14:56 --------- d-----w D:\Program Files\Opera
2008-10-09 14:39 --------- d-----w D:\Program Files\ESET
2008-10-09 14:01 90,112 ----a-w D:\WINDOWS\DUMP3f6a.tmp
2008-10-09 13:42 --------- d-----w D:\Documents and Settings\All Users\Application Data\avg8
2008-10-09 13:41 --------- d-----w D:\Documents and Settings\nouredine\Application Data\AVGTOOLBAR
2008-10-09 13:40 --------- d-----w D:\Program Files\AVG
2008-10-09 11:57 --------- d-----w D:\Documents and Settings\nouredine\Application Data\Skype
2008-10-09 10:57 --------- d-----w D:\Documents and Settings\nouredine\Application Data\skypePM
2008-10-08 19:03 --------- d-----w D:\Program Files\FindyKill
2008-10-08 15:39 --------- d-----w D:\Program Files\Integard
2008-10-08 15:07 --------- d-----w D:\Documents and Settings\All Users\Application Data\MailFrontier
2008-10-08 15:05 --------- d-----w D:\Program Files\Zone Labs
2008-10-08 14:03 184,320 ----a-w D:\WINDOWS\system32\wscript.exe
2008-10-08 12:24 --------- d-----w D:\Program Files\microsoft frontpage
2008-10-08 10:09 --------- d-----w D:\Program Files\Malwarebytes' Anti-Malware
2008-10-06 09:36 --------- d-----w D:\Program Files\WebcamMax
2008-10-06 09:36 --------- d-----w D:\Documents and Settings\nouredine\Application Data\Webcammax
2008-10-05 17:03 359,040 ----a-w D:\WINDOWS\system32\drivers\TCPIP.SYS
2008-10-03 17:56 --------- d-----w D:\Documents and Settings\nouredine\Application Data\fltk.org
2008-10-02 03:45 90,112 ----a-w D:\WINDOWS\DUMP2e53.tmp
2008-09-09 22:04 38,528 ----a-w D:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-09 22:03 17,200 ----a-w D:\WINDOWS\system32\drivers\mbam.sys
2008-09-02 16:32 519,680 ----a-w D:\WINDOWS\system32\cmd.exe
2008-08-31 09:36 89,725 --sh--r D:\ph.com
2008-08-27 16:04 --------- d-----w D:\Program Files\Webshots
2008-08-24 20:47 301,557 ----a-w D:\mnl6on3.com
2008-08-22 16:08 91,316 --sh--r D:\83fgj.com
2008-08-12 18:04 299,191 --sh--r D:\r2nl.com
2008-08-05 18:28 89,885 --sh--r D:\xqf.com
2008-08-02 15:46 89,037 --sh--r D:\e.com
2008-07-31 11:32 88,782 --sh--r D:\uis.com
2008-07-26 13:25 226,561 --sh--r D:\g2pfnid.com
2008-07-25 19:18 90,112 ----a-w D:\WINDOWS\DUMP469e.tmp
2008-07-22 04:03 90,112 ----a-w D:\WINDOWS\DUMPefaf.tmp
2008-07-20 10:11 90,112 ----a-w D:\WINDOWS\DUMPef90.tmp
2008-07-13 10:32 169,984 ----a-w D:\WINDOWS\system32\grpconv.exe
2008-07-09 07:05 75,248 ----a-w D:\WINDOWS\zllsputility.exe
2008-07-09 07:05 54,672 ----a-w D:\WINDOWS\system32\vsutil_loc040c.dll
2008-07-09 07:05 42,384 ----a-w D:\WINDOWS\zllsputility_loc040c.dll
2008-07-09 07:05 21,904 ----a-w D:\WINDOWS\system32\imsinstall_loc040c.dll
2008-07-09 07:05 17,808 ----a-w D:\WINDOWS\system32\imslsp_install_loc040c.dll
2008-07-09 07:05 1,086,952 ----a-w D:\WINDOWS\system32\zpeng24.dll
2008-07-03 17:02 6,587,613 ----a-w D:\Program Files\realalt152.exe
2008-06-26 16:26 70,293 ----a-w D:\Program Files\VLC media player.lnk
2008-06-24 11:01 737 ----a-w D:\Program Files\DivX Player.lnk
2008-06-24 11:01 1,816 ----a-w D:\Program Files\DivX Movies.lnk
2008-05-23 12:22 806 ----a-w D:\Program Files\DivX Converter.lnk
2008-05-12 09:41 32 ----a-w D:\Documents and Settings\All Users\Application Data\ezsid.dat
.
------- Sigcheck -------
10/05/2008 07:03 PM 359040 c81d6a930a7805f6daa0c7902b99037e D:\WINDOWS\system32\dllcache\TCPIP.SYS
10/05/2008 07:03 PM 359040 c81d6a930a7805f6daa0c7902b99037e D:\WINDOWS\system32\drivers\TCPIP.SYS
04/13/2006 01:03 AM 2176384 a76e78a8acbd870c63c096399620120e D:\WINDOWS\system32\ntoskrnl.exe
04/13/2006 12:53 AM 1150464 ed5c9dc44b07b7169b4d4968ec2abb28 D:\WINDOWS\explorer.exe
08/04/2004 02:56 AM 76800 947cdb64772c7c9810ed4bb0e1453934 D:\WINDOWS\system32\ctfmon.exe
.
((((((((((((((((((((((((((((( snapshot@Wed 10-08-2008_16.34.51.29 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-06-07 23:05:02 422,912 ----a-w D:\WINDOWS\system32\controlkids2.dll
+ 2007-07-19 13:10:28 127,768 ----a-w D:\WINDOWS\system32\drivers\klif.sys
+ 2008-07-09 07:05:08 796,048 ----a-w D:\WINDOWS\system32\libeay32_0.9.6l.dll
+ 2004-04-27 02:40:52 11,264 ----a-w D:\WINDOWS\system32\SpOrder.dll
+ 2008-07-09 07:05:10 83,432 ----a-w D:\WINDOWS\system32\vsdata.dll
+ 2008-07-09 07:05:22 394,952 ----a-w D:\WINDOWS\system32\vsdatant.sys
+ 2008-07-09 07:05:10 157,160 ----a-w D:\WINDOWS\system32\vsinit.dll
+ 2008-07-09 07:05:10 103,912 ----a-w D:\WINDOWS\system32\vsmonapi.dll
+ 2008-07-09 07:05:10 275,944 ----a-w D:\WINDOWS\system32\vspubapi.dll
+ 2008-07-09 07:05:10 71,144 ----a-w D:\WINDOWS\system32\vsregexp.dll
+ 2008-07-09 07:05:12 472,552 ----a-w D:\WINDOWS\system32\vsutil.dll
+ 2008-07-09 07:05:12 46,568 ----a-w D:\WINDOWS\system32\vswmi.dll
+ 2008-07-09 07:05:12 99,816 ----a-w D:\WINDOWS\system32\vsxml.dll
+ 2008-07-09 07:05:12 83,432 ----a-w D:\WINDOWS\system32\zlcomm.dll
+ 2008-07-09 07:05:12 71,144 ----a-w D:\WINDOWS\system32\zlcommdb.dll
+ 2008-10-08 15:07:06 4,212 ---h--w D:\WINDOWS\system32\zllictbl.dat
+ 2008-07-09 07:05:06 370,208 ----a-w D:\WINDOWS\system32\ZoneLabs\av.dll
+ 2008-07-09 07:05:36 26,000 ----a-w D:\WINDOWS\system32\ZoneLabs\av_loc040c.dll
+ 2007-05-30 22:03:30 65,248 ----a-w D:\WINDOWS\system32\ZoneLabs\avsys\bases\aphish.dat
+ 2006-06-30 12:47:36 21,568 ----a-w D:\WINDOWS\system32\ZoneLabs\avsys\bases\avcmhk4.dll
+ 2007-05-30 22:03:30 1,628 ----a-w D:\WINDOWS\system32\ZoneLabs\avsys\bases\pdmkl.dat
+ 2007-05-30 22:03:16 77,824 ----a-w D:\WINDOWS\system32\ZoneLabs\avsys\CKAHComm.dll
+ 2007-05-30 22:03:16 110,592 ----a-w D:\WINDOWS\system32\ZoneLabs\avsys\CKAHrule.dll
+ 2007-05-30 22:03:16 331,776 ----a-w D:\WINDOWS\system32\ZoneLabs\avsys\CKAHUM.dll
+ 2007-05-30 22:03:16 38,400 ----a-w D:\WINDOWS\system32\ZoneLabs\avsys\FSSync.dll
+ 2006-09-19 21:12:14 208,960 ----a-w D:\WINDOWS\system32\ZoneLabs\avsys\inv.dll
+ 2007-12-03 12:53:58 282,624 ----a-w D:\WINDOWS\system32\ZoneLabs\avsys\kave.dll
+ 2006-12-19 16:13:52 1,093,632 ----a-w D:\WINDOWS\system32\ZoneLabs\avsys\libeay32.dll
+ 2007-05-30 22:03:20 548,864 ----a-w D:\WINDOWS\system32\ZoneLabs\avsys\msvcp80.dll
+ 2007-05-30 22:03:20 626,688 ----a-w D:\WINDOWS\system32\ZoneLabs\avsys\msvcr80.dll
+ 2007-05-30 22:03:18 184,320 ----a-w D:\WINDOWS\system32\ZoneLabs\avsys\prloader.dll
+ 2007-05-30 22:03:22 90,112 ----a-w D:\WINDOWS\system32\ZoneLabs\avsys\prremote.dll
+ 2007-12-03 12:53:58 139,264 ----a-w D:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
+ 2006-12-19 16:13:52 200,704 ----a-w D:\WINDOWS\system32\ZoneLabs\avsys\ssleay32.dll
+ 2008-07-09 07:05:06 99,816 ----a-w D:\WINDOWS\system32\ZoneLabs\camupd.dll
+ 2008-07-09 07:05:36 17,808 ----a-w D:\WINDOWS\system32\ZoneLabs\camupd_loc040c.dll
+ 2004-01-30 10:35:08 813,568 ----a-w D:\WINDOWS\system32\ZoneLabs\dbghelp.dll
+ 2008-07-09 07:05:08 128,480 ----a-w D:\WINDOWS\system32\ZoneLabs\fbl.dll
+ 2008-07-09 07:05:08 38,376 ----a-w D:\WINDOWS\system32\ZoneLabs\featuremap.dll
+ 2008-07-09 07:05:08 321,016 ----a-w D:\WINDOWS\system32\ZoneLabs\imsecure.dll
+ 2008-07-09 07:05:42 26,000 ----a-w D:\WINDOWS\system32\ZoneLabs\imsecure_loc040c.dll
+ 2008-07-09 07:05:38 288,144 ----a-w D:\WINDOWS\system32\ZoneLabs\lib\ConfigWizard_loc040c.zip.dll
+ 2008-07-09 07:05:42 152,976 ----a-w D:\WINDOWS\system32\ZoneLabs\lib\LicenseUI_loc040c.zip.dll
+ 2008-07-09 07:05:24 26,000 ----a-w D:\WINDOWS\system32\ZoneLabs\lib\zlsvc.zip.dll
+ 2008-07-09 07:05:24 1,361,296 ----a-w D:\WINDOWS\system32\ZoneLabs\lib\zpy.zip.dll
+ 2008-07-09 07:05:24 71,056 ----a-w D:\WINDOWS\system32\ZoneLabs\lib\zui.zip.dll
+ 2008-07-09 07:06:26 30,184 ----a-w D:\WINDOWS\system32\ZoneLabs\plugins\rpc_server\rpc_server.dll
+ 2008-07-09 07:06:26 30,216 ----a-w D:\WINDOWS\system32\ZoneLabs\plugins\vsmon_plugin\vsmon_plugin.dll
+ 2008-02-27 01:10:26 714,208 ----a-w D:\WINDOWS\system32\ZoneLabs\qrbase.dll
+ 2008-02-27 01:10:28 792,032 ----a-w D:\WINDOWS\system32\ZoneLabs\qrsrecl.dll
+ 2008-07-09 07:05:08 173,544 ----a-w D:\WINDOWS\system32\ZoneLabs\scheduler.dll
+ 2008-07-09 07:05:44 17,808 ----a-w D:\WINDOWS\system32\ZoneLabs\scheduler_loc040c.dll
+ 2008-01-21 06:34:36 7,603,688 ----a-w D:\WINDOWS\system32\ZoneLabs\spyware.dat
+ 2008-02-27 01:10:32 1,504,736 ----a-w D:\WINDOWS\system32\ZoneLabs\srescan.dll
+ 2008-02-27 01:10:44 51,176 ----a-w D:\WINDOWS\system32\ZoneLabs\srescan.sys
+ 2008-07-09 07:05:10 456,168 ----a-w D:\WINDOWS\system32\ZoneLabs\ssleay32.dll
+ 2008-07-09 07:06:26 214,528 ----a-w D:\WINDOWS\system32\ZoneLabs\streamapi\httpblocker\httpblocker.dll
+ 2008-07-09 07:06:30 3,266,040 ----a-w D:\WINDOWS\system32\ZoneLabs\streamapi\imslsp\imslsp.dll
+ 2008-07-09 07:05:42 26,000 ----a-w D:\WINDOWS\system32\ZoneLabs\streamapi\imslsp\imslsp_loc040c.dll
+ 2006-09-04 18:59:14 503,875 ----a-w D:\WINDOWS\system32\ZoneLabs\upd_core.dll
+ 2007-10-11 14:50:32 832,984 ----a-w D:\WINDOWS\system32\ZoneLabs\updating.dll
+ 2008-07-09 07:05:18 144,936 ----a-w D:\WINDOWS\system32\ZoneLabs\updclient.exe
+ 2008-07-09 07:05:44 75,152 ----a-w D:\WINDOWS\system32\ZoneLabs\updClient_loc040c.dll
+ 2007-01-11 15:31:06 286,787 ----a-w D:\WINDOWS\system32\ZoneLabs\updtrsdk.dll
+ 2008-07-09 07:05:10 108,008 ----a-w D:\WINDOWS\system32\ZoneLabs\vsavpro.dll
+ 2008-07-09 07:05:10 83,432 ----a-w D:\WINDOWS\system32\ZoneLabs\vsdb.dll
+ 2008-07-09 07:05:44 17,808 ----a-w D:\WINDOWS\system32\ZoneLabs\vsdb_loc040c.dll
+ 2008-07-09 07:05:18 136,744 ----a-w D:\WINDOWS\system32\ZoneLabs\vsmon.exe
+ 2008-07-09 07:05:44 46,480 ----a-w D:\WINDOWS\system32\ZoneLabs\vsmon_loc040c.dll
+ 2008-07-09 07:05:10 2,029,032 ----a-w D:\WINDOWS\system32\ZoneLabs\vsmondll.dll
+ 2008-07-09 07:05:12 1,361,384 ----a-w D:\WINDOWS\system32\ZoneLabs\vsruledb.dll
+ 2008-07-09 07:05:44 198,032 ----a-w D:\WINDOWS\system32\ZoneLabs\vsruledb_loc040c.dll
+ 2008-07-09 07:05:12 239,080 ----a-w D:\WINDOWS\system32\ZoneLabs\vsvault.dll
+ 2008-07-09 07:05:44 17,808 ----a-w D:\WINDOWS\system32\ZoneLabs\vsvault_loc040c.dll
+ 2008-01-21 06:34:36 7,603,688 ----a-w D:\WINDOWS\system32\ZoneLabs\zlasdbup.dat
+ 2008-07-09 07:05:12 177,640 ----a-w D:\WINDOWS\system32\ZoneLabs\zlparser.dll
+ 2008-07-09 07:05:12 79,344 ----a-w D:\WINDOWS\system32\ZoneLabs\zlquarantine.dll
+ 2008-07-09 07:05:44 17,808 ----a-w D:\WINDOWS\system32\ZoneLabs\zlquarantine_loc040c.dll
+ 2008-07-09 07:05:14 382,440 ----a-w D:\WINDOWS\system32\ZoneLabs\zlsre.dll
+ 2008-07-09 07:05:44 21,904 ----a-w D:\WINDOWS\system32\ZoneLabs\zlsre_loc040c.dll
+ 2008-07-09 07:05:14 120,296 ----a-w D:\WINDOWS\system32\ZoneLabs\zlupdate.dll
+ 2006-12-01 20:56:00 96,256 ----a-w D:\WINDOWS\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\ATL80.dll
+ 2006-12-01 20:54:32 479,232 ----a-w D:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcm80.dll
+ 2006-12-01 20:54:34 548,864 ----a-w D:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcp80.dll
+ 2006-12-01 20:54:32 626,688 ----a-w D:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll
+ 2006-12-01 22:25:52 1,101,824 ----a-w D:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80.dll
+ 2006-12-01 22:25:56 1,093,120 ----a-w D:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80u.dll
+ 2006-12-01 22:25:58 69,632 ----a-w D:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80.dll
+ 2006-12-01 22:26:00 57,856 ----a-w D:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80u.dll
+ 2006-12-01 22:08:00 40,960 ----a-w D:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHS.dll
+ 2006-12-01 22:08:00 45,056 ----a-w D:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHT.dll
+ 2006-12-01 22:08:00 65,536 ----a-w D:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80DEU.dll
+ 2006-12-01 22:08:00 57,344 ----a-w D:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ENU.dll
+ 2006-12-01 22:08:00 61,440 ----a-w D:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ESP.dll
+ 2006-12-01 22:08:00 61,440 ----a-w D:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80FRA.dll
+ 2006-12-01 22:08:00 61,440 ----a-w D:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ITA.dll
+ 2006-12-01 22:08:00 49,152 ----a-w D:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80JPN.dll
+ 2006-12-01 22:08:00 49,152 ----a-w D:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80KOR.dll
+ 2006-12-01 22:46:44 65,536 ----a-w D:\WINDOWS\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6c18549a\vcomp.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="D:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56 AM 76800]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZSSnp211"="D:\WINDOWS\ZSSnp211.exe" [04/06/2007 11:06 AM 118784]
"Domino"="D:\WINDOWS\Domino.exe" [08/18/2006 04:58 PM 110592]
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM 214416]
"TkBellExe"="D:\Program Files\Common Files\Real\Update_OB\realsched.exe" [05/29/2008 05:36 AM 247336]
"Control Kids"="D:\Program Files\Control Kids\Control kids.exe" [07/21/2005 10:43 AM 2971648]
"NVIDIA nForce APU1 Utilities"="NVATray.exe" [01/18/2002 05:33 PM 106496 D:\WINDOWS\system32\NVATray.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"WIAWizardMenu"="D:\WINDOWS\system32\sti_ci.dll" [08/04/2004 02:55 AM 136192]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="D:\WINDOWS\system32\CTFMON.EXE" [08/04/2004 02:56 AM 76800]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"="move" [X]
"tscuninstall"="D:\WINDOWS\system32\tscupgrd.exe" [08/04/2004 12:59 AM 44544]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDesktopCleanupWizard"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\WINDOWS\\system32\\NVATray.exe"=
"C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe"=
"D:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe"=
"D:\\WINDOWS\\system32\\ctfmon.exe"=
"D:\\WINDOWS\\Domino.exe"=
"D:\\Program Files\\Java\\jre1.6.0_05\\bin\\jusched.exe"=
"E:\\udr.com"=
"D:\\Program Files\\MSN Messenger\\usnsvc.exe"=
"D:\\WINDOWS\\ZSSnp211.exe"=
"D:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"D:\\Program Files\\MSN Messenger\\livecall.exe"=
"D:\\Program Files\\WinRAR\\WinRAR.exe"=
"D:\\WINDOWS\\system32\\cleanmgr.exe"=
"E:\\[u]0[/u]0hoeav.com"=
"C:\\Program Files\\Real\\RealPlayer\\RecordingManager.exe"=
"D:\\Program Files\\Java\\jre1.6.0_05\\bin\\jucheck.exe"=
"D:\\PROGRA~1\\Webshots\\webshots.scr"=
"D:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"D:\\Program Files\\Mozilla Firefox\\crashreporter.exe"=
"D:\\WINDOWS\\system32\\MsiExec.exe"= D:\\WINDOWS\\system32\\msiexec.exe
"D:\\WINDOWS\\system32\\cmd.exe"=
"D:\\ComboFix\\regt.cfexe"=
"D:\\Program Files\\Control Kids\\Control Kids.exe"=
"D:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"D:\\Program Files\\Skype\\Phone\\Skype.exe"=
"D:\\DOCUME~1\\NOURED~1\\LOCALS~1\\Temp\\winbvfhu.exe"=
"D:\\DOCUME~1\\NOURED~1\\LOCALS~1\\Temp\\wintieml.exe"=
"D:\\DOCUME~1\\NOURED~1\\LOCALS~1\\Temp\\winxvnk.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"= 443:TCP:*:Disabled:ooVoo TCP المنفذ 443
"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP المنفذ 443
"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP المنفذ 37674
"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP المنفذ 37674
"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP المنفذ 37675
R2 CAMTHWDM;WebcamMax, WDM Video Capture;D:\WINDOWS\system32\DRIVERS\CAMTHWDM.sys [03/11/2008 03:14 PM 941784]
R3 aic32p;aic32p;D:\WINDOWS\system32\drivers\fnmpfl.sys [ ]
R3 slnt;RTL8139D PCI Fast Ethernet Adapter;D:\WINDOWS\system32\DRIVERS\slnt.sys [07/11/2005 03:31 AM 18004]
S2 Wlansvc;@%SystemRoot%\System32\wlansvc.dll,-257;D:\WINDOWS\system32\svchost.exe [08/04/2004 02:56 AM 14336]
[COLOR=RED]NETSVCS REQUIRES REPAIRS - current entries shown[/COLOR]
6to4
AppMgmt
AudioSrv
Browser
CryptSvc
DMServer
DHCP
EventSystem
FastUserSwitchingCompatibility
HidServ
Ias
Iprip
Irmon
LanmanServer
LanmanWorkstation
Netman
Nla
NWCWorkstation
Nwsapagent
Rasauto
Rasman
Remoteaccess
Schedule
Seclogon
SENS
Sharedaccess
SRService
Tapisrv
Themes
TrkWks
W32Time
WZCSVC
Wmi
WmdmPmSp
winmgmt
xmlprov
BITS
ShellHWDetection
WmdmPmSN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
.
Contents of the 'Scheduled Tasks' folder
2008-10-09 D:\WINDOWS\Tasks\ErrorSmart Scheduled Scan.job
- D:\Program Files\ErrorSmart\ErrorSmart.exe []
2008-10-09 D:\WINDOWS\Tasks\ErrorSmart Scheduled Scan.job
- D:\Program Files\ErrorSmart []
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-ZoneAlarm Client - D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
.
------- Supplementary Scan -------
.
FireFox -: Profile - D:\Documents and Settings\nouredine\Application Data\Mozilla\Firefox\Profiles\rx4fcwvd.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://uk.search.yahoo.com/search?ei=UTF-8&fr=ytff-divxd&p=
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.google.fr
FF -: plugin - C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll
FF -: plugin - C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll
FF -: plugin - C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll
FF -: plugin - D:\Program Files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF -: plugin - D:\Program Files\Mozilla Firefox\plugins\NPMyWebS.dll
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-09 17:04:32
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mchInjDrv]
"ImagePath"="\??\D:\DOCUME~1\NOURED~1\LOCALS~1\Temp\mc21.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: D:\WINDOWS\system32\winlogon.exe
-> D:\Program Files\Control Kids\ck2.dll
PROCESS: D:\WINDOWS\system32\lsass.exe
-> D:\Program Files\Control Kids\ck2.dll
PROCESS: D:\WINDOWS\explorer.exe
-> D:\Program Files\Control Kids\ck2.dll
PROCESS: D:\WINDOWS\system32\csrss.exe
-> D:\Program Files\Control Kids\ck2.dll
.
------------------------ Other Running Processes ------------------------
.
D:\WINDOWS\system32\wdfmgr.exe
D:\ComboFix\NirCmd.cfexe
D:\PROGRA~1\Webshots\webshots.scr
D:\DOCUME~1\NOURED~1\LOCALS~1\temp\winbvfhu.exe
D:\DOCUME~1\NOURED~1\LOCALS~1\temp\wintieml.exe
D:\DOCUME~1\NOURED~1\LOCALS~1\temp\winxvnk.exe
.
**************************************************************************
.
Completion time: 10/09/2008 17:10:54 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-09 15:10:34
ComboFix2.txt 2008-10-08 14:37:40
Pre-Run: 288,948,224 bytes free
Post-Run: 330,080,256 bytes free
358
ComboFix 08-10-07.06 - nouredine 10/09/2008 17:00:35.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1256.1.1025.18.81 [GMT 2:00]
Running from: D:\Documents and Settings\nouredine\سطح المكتب\ComboFix.exe
* Created a new restore point
[COLOR=RED][B]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/B][/COLOR]
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\ranvrgn.exe
D:\ranvrgn.exe
D:\WINDOWS\IE4 Error Log.txt
E:\ranvrgn.exe
F:\ranvrgn.exe
.
((((((((((((((((((((((((( Files Created from 2008-09-09 to 2008-10-09 )))))))))))))))))))))))))))))))
.
No new files created in this timespan
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-09 15:05 383,008 --sha-w D:\WINDOWS\system32\drivers\fidbox.dat
2008-10-09 15:03 6,536 --sha-w D:\WINDOWS\system32\drivers\fidbox.idx
2008-10-09 15:03 --------- d-----w D:\Program Files\Control Kids
2008-10-09 14:57 --------- d--h--w D:\Program Files\InstallShield Installation Information
2008-10-09 14:57 --------- d-----w D:\Documents and Settings\nouredine\Application Data\Webshots
2008-10-09 14:56 --------- d-----w D:\Program Files\Opera
2008-10-09 14:39 --------- d-----w D:\Program Files\ESET
2008-10-09 14:01 90,112 ----a-w D:\WINDOWS\DUMP3f6a.tmp
2008-10-09 13:42 --------- d-----w D:\Documents and Settings\All Users\Application Data\avg8
2008-10-09 13:41 --------- d-----w D:\Documents and Settings\nouredine\Application Data\AVGTOOLBAR
2008-10-09 13:40 --------- d-----w D:\Program Files\AVG
2008-10-09 11:57 --------- d-----w D:\Documents and Settings\nouredine\Application Data\Skype
2008-10-09 10:57 --------- d-----w D:\Documents and Settings\nouredine\Application Data\skypePM
2008-10-08 19:03 --------- d-----w D:\Program Files\FindyKill
2008-10-08 15:39 --------- d-----w D:\Program Files\Integard
2008-10-08 15:07 --------- d-----w D:\Documents and Settings\All Users\Application Data\MailFrontier
2008-10-08 15:05 --------- d-----w D:\Program Files\Zone Labs
2008-10-08 14:03 184,320 ----a-w D:\WINDOWS\system32\wscript.exe
2008-10-08 12:24 --------- d-----w D:\Program Files\microsoft frontpage
2008-10-08 10:09 --------- d-----w D:\Program Files\Malwarebytes' Anti-Malware
2008-10-06 09:36 --------- d-----w D:\Program Files\WebcamMax
2008-10-06 09:36 --------- d-----w D:\Documents and Settings\nouredine\Application Data\Webcammax
2008-10-05 17:03 359,040 ----a-w D:\WINDOWS\system32\drivers\TCPIP.SYS
2008-10-03 17:56 --------- d-----w D:\Documents and Settings\nouredine\Application Data\fltk.org
2008-10-02 03:45 90,112 ----a-w D:\WINDOWS\DUMP2e53.tmp
2008-09-09 22:04 38,528 ----a-w D:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-09 22:03 17,200 ----a-w D:\WINDOWS\system32\drivers\mbam.sys
2008-09-02 16:32 519,680 ----a-w D:\WINDOWS\system32\cmd.exe
2008-08-31 09:36 89,725 --sh--r D:\ph.com
2008-08-27 16:04 --------- d-----w D:\Program Files\Webshots
2008-08-24 20:47 301,557 ----a-w D:\mnl6on3.com
2008-08-22 16:08 91,316 --sh--r D:\83fgj.com
2008-08-12 18:04 299,191 --sh--r D:\r2nl.com
2008-08-05 18:28 89,885 --sh--r D:\xqf.com
2008-08-02 15:46 89,037 --sh--r D:\e.com
2008-07-31 11:32 88,782 --sh--r D:\uis.com
2008-07-26 13:25 226,561 --sh--r D:\g2pfnid.com
2008-07-25 19:18 90,112 ----a-w D:\WINDOWS\DUMP469e.tmp
2008-07-22 04:03 90,112 ----a-w D:\WINDOWS\DUMPefaf.tmp
2008-07-20 10:11 90,112 ----a-w D:\WINDOWS\DUMPef90.tmp
2008-07-13 10:32 169,984 ----a-w D:\WINDOWS\system32\grpconv.exe
2008-07-09 07:05 75,248 ----a-w D:\WINDOWS\zllsputility.exe
2008-07-09 07:05 54,672 ----a-w D:\WINDOWS\system32\vsutil_loc040c.dll
2008-07-09 07:05 42,384 ----a-w D:\WINDOWS\zllsputility_loc040c.dll
2008-07-09 07:05 21,904 ----a-w D:\WINDOWS\system32\imsinstall_loc040c.dll
2008-07-09 07:05 17,808 ----a-w D:\WINDOWS\system32\imslsp_install_loc040c.dll
2008-07-09 07:05 1,086,952 ----a-w D:\WINDOWS\system32\zpeng24.dll
2008-07-03 17:02 6,587,613 ----a-w D:\Program Files\realalt152.exe
2008-06-26 16:26 70,293 ----a-w D:\Program Files\VLC media player.lnk
2008-06-24 11:01 737 ----a-w D:\Program Files\DivX Player.lnk
2008-06-24 11:01 1,816 ----a-w D:\Program Files\DivX Movies.lnk
2008-05-23 12:22 806 ----a-w D:\Program Files\DivX Converter.lnk
2008-05-12 09:41 32 ----a-w D:\Documents and Settings\All Users\Application Data\ezsid.dat
.
------- Sigcheck -------
10/05/2008 07:03 PM 359040 c81d6a930a7805f6daa0c7902b99037e D:\WINDOWS\system32\dllcache\TCPIP.SYS
10/05/2008 07:03 PM 359040 c81d6a930a7805f6daa0c7902b99037e D:\WINDOWS\system32\drivers\TCPIP.SYS
04/13/2006 01:03 AM 2176384 a76e78a8acbd870c63c096399620120e D:\WINDOWS\system32\ntoskrnl.exe
04/13/2006 12:53 AM 1150464 ed5c9dc44b07b7169b4d4968ec2abb28 D:\WINDOWS\explorer.exe
08/04/2004 02:56 AM 76800 947cdb64772c7c9810ed4bb0e1453934 D:\WINDOWS\system32\ctfmon.exe
.
((((((((((((((((((((((((((((( snapshot@Wed 10-08-2008_16.34.51.29 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-06-07 23:05:02 422,912 ----a-w D:\WINDOWS\system32\controlkids2.dll
+ 2007-07-19 13:10:28 127,768 ----a-w D:\WINDOWS\system32\drivers\klif.sys
+ 2008-07-09 07:05:08 796,048 ----a-w D:\WINDOWS\system32\libeay32_0.9.6l.dll
+ 2004-04-27 02:40:52 11,264 ----a-w D:\WINDOWS\system32\SpOrder.dll
+ 2008-07-09 07:05:10 83,432 ----a-w D:\WINDOWS\system32\vsdata.dll
+ 2008-07-09 07:05:22 394,952 ----a-w D:\WINDOWS\system32\vsdatant.sys
+ 2008-07-09 07:05:10 157,160 ----a-w D:\WINDOWS\system32\vsinit.dll
+ 2008-07-09 07:05:10 103,912 ----a-w D:\WINDOWS\system32\vsmonapi.dll
+ 2008-07-09 07:05:10 275,944 ----a-w D:\WINDOWS\system32\vspubapi.dll
+ 2008-07-09 07:05:10 71,144 ----a-w D:\WINDOWS\system32\vsregexp.dll
+ 2008-07-09 07:05:12 472,552 ----a-w D:\WINDOWS\system32\vsutil.dll
+ 2008-07-09 07:05:12 46,568 ----a-w D:\WINDOWS\system32\vswmi.dll
+ 2008-07-09 07:05:12 99,816 ----a-w D:\WINDOWS\system32\vsxml.dll
+ 2008-07-09 07:05:12 83,432 ----a-w D:\WINDOWS\system32\zlcomm.dll
+ 2008-07-09 07:05:12 71,144 ----a-w D:\WINDOWS\system32\zlcommdb.dll
+ 2008-10-08 15:07:06 4,212 ---h--w D:\WINDOWS\system32\zllictbl.dat
+ 2008-07-09 07:05:06 370,208 ----a-w D:\WINDOWS\system32\ZoneLabs\av.dll
+ 2008-07-09 07:05:36 26,000 ----a-w D:\WINDOWS\system32\ZoneLabs\av_loc040c.dll
+ 2007-05-30 22:03:30 65,248 ----a-w D:\WINDOWS\system32\ZoneLabs\avsys\bases\aphish.dat
+ 2006-06-30 12:47:36 21,568 ----a-w D:\WINDOWS\system32\ZoneLabs\avsys\bases\avcmhk4.dll
+ 2007-05-30 22:03:30 1,628 ----a-w D:\WINDOWS\system32\ZoneLabs\avsys\bases\pdmkl.dat
+ 2007-05-30 22:03:16 77,824 ----a-w D:\WINDOWS\system32\ZoneLabs\avsys\CKAHComm.dll
+ 2007-05-30 22:03:16 110,592 ----a-w D:\WINDOWS\system32\ZoneLabs\avsys\CKAHrule.dll
+ 2007-05-30 22:03:16 331,776 ----a-w D:\WINDOWS\system32\ZoneLabs\avsys\CKAHUM.dll
+ 2007-05-30 22:03:16 38,400 ----a-w D:\WINDOWS\system32\ZoneLabs\avsys\FSSync.dll
+ 2006-09-19 21:12:14 208,960 ----a-w D:\WINDOWS\system32\ZoneLabs\avsys\inv.dll
+ 2007-12-03 12:53:58 282,624 ----a-w D:\WINDOWS\system32\ZoneLabs\avsys\kave.dll
+ 2006-12-19 16:13:52 1,093,632 ----a-w D:\WINDOWS\system32\ZoneLabs\avsys\libeay32.dll
+ 2007-05-30 22:03:20 548,864 ----a-w D:\WINDOWS\system32\ZoneLabs\avsys\msvcp80.dll
+ 2007-05-30 22:03:20 626,688 ----a-w D:\WINDOWS\system32\ZoneLabs\avsys\msvcr80.dll
+ 2007-05-30 22:03:18 184,320 ----a-w D:\WINDOWS\system32\ZoneLabs\avsys\prloader.dll
+ 2007-05-30 22:03:22 90,112 ----a-w D:\WINDOWS\system32\ZoneLabs\avsys\prremote.dll
+ 2007-12-03 12:53:58 139,264 ----a-w D:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
+ 2006-12-19 16:13:52 200,704 ----a-w D:\WINDOWS\system32\ZoneLabs\avsys\ssleay32.dll
+ 2008-07-09 07:05:06 99,816 ----a-w D:\WINDOWS\system32\ZoneLabs\camupd.dll
+ 2008-07-09 07:05:36 17,808 ----a-w D:\WINDOWS\system32\ZoneLabs\camupd_loc040c.dll
+ 2004-01-30 10:35:08 813,568 ----a-w D:\WINDOWS\system32\ZoneLabs\dbghelp.dll
+ 2008-07-09 07:05:08 128,480 ----a-w D:\WINDOWS\system32\ZoneLabs\fbl.dll
+ 2008-07-09 07:05:08 38,376 ----a-w D:\WINDOWS\system32\ZoneLabs\featuremap.dll
+ 2008-07-09 07:05:08 321,016 ----a-w D:\WINDOWS\system32\ZoneLabs\imsecure.dll
+ 2008-07-09 07:05:42 26,000 ----a-w D:\WINDOWS\system32\ZoneLabs\imsecure_loc040c.dll
+ 2008-07-09 07:05:38 288,144 ----a-w D:\WINDOWS\system32\ZoneLabs\lib\ConfigWizard_loc040c.zip.dll
+ 2008-07-09 07:05:42 152,976 ----a-w D:\WINDOWS\system32\ZoneLabs\lib\LicenseUI_loc040c.zip.dll
+ 2008-07-09 07:05:24 26,000 ----a-w D:\WINDOWS\system32\ZoneLabs\lib\zlsvc.zip.dll
+ 2008-07-09 07:05:24 1,361,296 ----a-w D:\WINDOWS\system32\ZoneLabs\lib\zpy.zip.dll
+ 2008-07-09 07:05:24 71,056 ----a-w D:\WINDOWS\system32\ZoneLabs\lib\zui.zip.dll
+ 2008-07-09 07:06:26 30,184 ----a-w D:\WINDOWS\system32\ZoneLabs\plugins\rpc_server\rpc_server.dll
+ 2008-07-09 07:06:26 30,216 ----a-w D:\WINDOWS\system32\ZoneLabs\plugins\vsmon_plugin\vsmon_plugin.dll
+ 2008-02-27 01:10:26 714,208 ----a-w D:\WINDOWS\system32\ZoneLabs\qrbase.dll
+ 2008-02-27 01:10:28 792,032 ----a-w D:\WINDOWS\system32\ZoneLabs\qrsrecl.dll
+ 2008-07-09 07:05:08 173,544 ----a-w D:\WINDOWS\system32\ZoneLabs\scheduler.dll
+ 2008-07-09 07:05:44 17,808 ----a-w D:\WINDOWS\system32\ZoneLabs\scheduler_loc040c.dll
+ 2008-01-21 06:34:36 7,603,688 ----a-w D:\WINDOWS\system32\ZoneLabs\spyware.dat
+ 2008-02-27 01:10:32 1,504,736 ----a-w D:\WINDOWS\system32\ZoneLabs\srescan.dll
+ 2008-02-27 01:10:44 51,176 ----a-w D:\WINDOWS\system32\ZoneLabs\srescan.sys
+ 2008-07-09 07:05:10 456,168 ----a-w D:\WINDOWS\system32\ZoneLabs\ssleay32.dll
+ 2008-07-09 07:06:26 214,528 ----a-w D:\WINDOWS\system32\ZoneLabs\streamapi\httpblocker\httpblocker.dll
+ 2008-07-09 07:06:30 3,266,040 ----a-w D:\WINDOWS\system32\ZoneLabs\streamapi\imslsp\imslsp.dll
+ 2008-07-09 07:05:42 26,000 ----a-w D:\WINDOWS\system32\ZoneLabs\streamapi\imslsp\imslsp_loc040c.dll
+ 2006-09-04 18:59:14 503,875 ----a-w D:\WINDOWS\system32\ZoneLabs\upd_core.dll
+ 2007-10-11 14:50:32 832,984 ----a-w D:\WINDOWS\system32\ZoneLabs\updating.dll
+ 2008-07-09 07:05:18 144,936 ----a-w D:\WINDOWS\system32\ZoneLabs\updclient.exe
+ 2008-07-09 07:05:44 75,152 ----a-w D:\WINDOWS\system32\ZoneLabs\updClient_loc040c.dll
+ 2007-01-11 15:31:06 286,787 ----a-w D:\WINDOWS\system32\ZoneLabs\updtrsdk.dll
+ 2008-07-09 07:05:10 108,008 ----a-w D:\WINDOWS\system32\ZoneLabs\vsavpro.dll
+ 2008-07-09 07:05:10 83,432 ----a-w D:\WINDOWS\system32\ZoneLabs\vsdb.dll
+ 2008-07-09 07:05:44 17,808 ----a-w D:\WINDOWS\system32\ZoneLabs\vsdb_loc040c.dll
+ 2008-07-09 07:05:18 136,744 ----a-w D:\WINDOWS\system32\ZoneLabs\vsmon.exe
+ 2008-07-09 07:05:44 46,480 ----a-w D:\WINDOWS\system32\ZoneLabs\vsmon_loc040c.dll
+ 2008-07-09 07:05:10 2,029,032 ----a-w D:\WINDOWS\system32\ZoneLabs\vsmondll.dll
+ 2008-07-09 07:05:12 1,361,384 ----a-w D:\WINDOWS\system32\ZoneLabs\vsruledb.dll
+ 2008-07-09 07:05:44 198,032 ----a-w D:\WINDOWS\system32\ZoneLabs\vsruledb_loc040c.dll
+ 2008-07-09 07:05:12 239,080 ----a-w D:\WINDOWS\system32\ZoneLabs\vsvault.dll
+ 2008-07-09 07:05:44 17,808 ----a-w D:\WINDOWS\system32\ZoneLabs\vsvault_loc040c.dll
+ 2008-01-21 06:34:36 7,603,688 ----a-w D:\WINDOWS\system32\ZoneLabs\zlasdbup.dat
+ 2008-07-09 07:05:12 177,640 ----a-w D:\WINDOWS\system32\ZoneLabs\zlparser.dll
+ 2008-07-09 07:05:12 79,344 ----a-w D:\WINDOWS\system32\ZoneLabs\zlquarantine.dll
+ 2008-07-09 07:05:44 17,808 ----a-w D:\WINDOWS\system32\ZoneLabs\zlquarantine_loc040c.dll
+ 2008-07-09 07:05:14 382,440 ----a-w D:\WINDOWS\system32\ZoneLabs\zlsre.dll
+ 2008-07-09 07:05:44 21,904 ----a-w D:\WINDOWS\system32\ZoneLabs\zlsre_loc040c.dll
+ 2008-07-09 07:05:14 120,296 ----a-w D:\WINDOWS\system32\ZoneLabs\zlupdate.dll
+ 2006-12-01 20:56:00 96,256 ----a-w D:\WINDOWS\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\ATL80.dll
+ 2006-12-01 20:54:32 479,232 ----a-w D:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcm80.dll
+ 2006-12-01 20:54:34 548,864 ----a-w D:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcp80.dll
+ 2006-12-01 20:54:32 626,688 ----a-w D:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll
+ 2006-12-01 22:25:52 1,101,824 ----a-w D:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80.dll
+ 2006-12-01 22:25:56 1,093,120 ----a-w D:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80u.dll
+ 2006-12-01 22:25:58 69,632 ----a-w D:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80.dll
+ 2006-12-01 22:26:00 57,856 ----a-w D:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80u.dll
+ 2006-12-01 22:08:00 40,960 ----a-w D:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHS.dll
+ 2006-12-01 22:08:00 45,056 ----a-w D:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHT.dll
+ 2006-12-01 22:08:00 65,536 ----a-w D:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80DEU.dll
+ 2006-12-01 22:08:00 57,344 ----a-w D:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ENU.dll
+ 2006-12-01 22:08:00 61,440 ----a-w D:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ESP.dll
+ 2006-12-01 22:08:00 61,440 ----a-w D:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80FRA.dll
+ 2006-12-01 22:08:00 61,440 ----a-w D:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ITA.dll
+ 2006-12-01 22:08:00 49,152 ----a-w D:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80JPN.dll
+ 2006-12-01 22:08:00 49,152 ----a-w D:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80KOR.dll
+ 2006-12-01 22:46:44 65,536 ----a-w D:\WINDOWS\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6c18549a\vcomp.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="D:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56 AM 76800]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZSSnp211"="D:\WINDOWS\ZSSnp211.exe" [04/06/2007 11:06 AM 118784]
"Domino"="D:\WINDOWS\Domino.exe" [08/18/2006 04:58 PM 110592]
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM 214416]
"TkBellExe"="D:\Program Files\Common Files\Real\Update_OB\realsched.exe" [05/29/2008 05:36 AM 247336]
"Control Kids"="D:\Program Files\Control Kids\Control kids.exe" [07/21/2005 10:43 AM 2971648]
"NVIDIA nForce APU1 Utilities"="NVATray.exe" [01/18/2002 05:33 PM 106496 D:\WINDOWS\system32\NVATray.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"WIAWizardMenu"="D:\WINDOWS\system32\sti_ci.dll" [08/04/2004 02:55 AM 136192]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="D:\WINDOWS\system32\CTFMON.EXE" [08/04/2004 02:56 AM 76800]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"="move" [X]
"tscuninstall"="D:\WINDOWS\system32\tscupgrd.exe" [08/04/2004 12:59 AM 44544]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDesktopCleanupWizard"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\WINDOWS\\system32\\NVATray.exe"=
"C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe"=
"D:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe"=
"D:\\WINDOWS\\system32\\ctfmon.exe"=
"D:\\WINDOWS\\Domino.exe"=
"D:\\Program Files\\Java\\jre1.6.0_05\\bin\\jusched.exe"=
"E:\\udr.com"=
"D:\\Program Files\\MSN Messenger\\usnsvc.exe"=
"D:\\WINDOWS\\ZSSnp211.exe"=
"D:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"D:\\Program Files\\MSN Messenger\\livecall.exe"=
"D:\\Program Files\\WinRAR\\WinRAR.exe"=
"D:\\WINDOWS\\system32\\cleanmgr.exe"=
"E:\\[u]0[/u]0hoeav.com"=
"C:\\Program Files\\Real\\RealPlayer\\RecordingManager.exe"=
"D:\\Program Files\\Java\\jre1.6.0_05\\bin\\jucheck.exe"=
"D:\\PROGRA~1\\Webshots\\webshots.scr"=
"D:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"D:\\Program Files\\Mozilla Firefox\\crashreporter.exe"=
"D:\\WINDOWS\\system32\\MsiExec.exe"= D:\\WINDOWS\\system32\\msiexec.exe
"D:\\WINDOWS\\system32\\cmd.exe"=
"D:\\ComboFix\\regt.cfexe"=
"D:\\Program Files\\Control Kids\\Control Kids.exe"=
"D:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"D:\\Program Files\\Skype\\Phone\\Skype.exe"=
"D:\\DOCUME~1\\NOURED~1\\LOCALS~1\\Temp\\winbvfhu.exe"=
"D:\\DOCUME~1\\NOURED~1\\LOCALS~1\\Temp\\wintieml.exe"=
"D:\\DOCUME~1\\NOURED~1\\LOCALS~1\\Temp\\winxvnk.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"= 443:TCP:*:Disabled:ooVoo TCP المنفذ 443
"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP المنفذ 443
"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP المنفذ 37674
"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP المنفذ 37674
"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP المنفذ 37675
R2 CAMTHWDM;WebcamMax, WDM Video Capture;D:\WINDOWS\system32\DRIVERS\CAMTHWDM.sys [03/11/2008 03:14 PM 941784]
R3 aic32p;aic32p;D:\WINDOWS\system32\drivers\fnmpfl.sys [ ]
R3 slnt;RTL8139D PCI Fast Ethernet Adapter;D:\WINDOWS\system32\DRIVERS\slnt.sys [07/11/2005 03:31 AM 18004]
S2 Wlansvc;@%SystemRoot%\System32\wlansvc.dll,-257;D:\WINDOWS\system32\svchost.exe [08/04/2004 02:56 AM 14336]
[COLOR=RED]NETSVCS REQUIRES REPAIRS - current entries shown[/COLOR]
6to4
AppMgmt
AudioSrv
Browser
CryptSvc
DMServer
DHCP
EventSystem
FastUserSwitchingCompatibility
HidServ
Ias
Iprip
Irmon
LanmanServer
LanmanWorkstation
Netman
Nla
NWCWorkstation
Nwsapagent
Rasauto
Rasman
Remoteaccess
Schedule
Seclogon
SENS
Sharedaccess
SRService
Tapisrv
Themes
TrkWks
W32Time
WZCSVC
Wmi
WmdmPmSp
winmgmt
xmlprov
BITS
ShellHWDetection
WmdmPmSN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
.
Contents of the 'Scheduled Tasks' folder
2008-10-09 D:\WINDOWS\Tasks\ErrorSmart Scheduled Scan.job
- D:\Program Files\ErrorSmart\ErrorSmart.exe []
2008-10-09 D:\WINDOWS\Tasks\ErrorSmart Scheduled Scan.job
- D:\Program Files\ErrorSmart []
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-ZoneAlarm Client - D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
.
------- Supplementary Scan -------
.
FireFox -: Profile - D:\Documents and Settings\nouredine\Application Data\Mozilla\Firefox\Profiles\rx4fcwvd.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://uk.search.yahoo.com/search?ei=UTF-8&fr=ytff-divxd&p=
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.google.fr
FF -: plugin - C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll
FF -: plugin - C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll
FF -: plugin - C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll
FF -: plugin - D:\Program Files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF -: plugin - D:\Program Files\Mozilla Firefox\plugins\NPMyWebS.dll
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-09 17:04:32
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mchInjDrv]
"ImagePath"="\??\D:\DOCUME~1\NOURED~1\LOCALS~1\Temp\mc21.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: D:\WINDOWS\system32\winlogon.exe
-> D:\Program Files\Control Kids\ck2.dll
PROCESS: D:\WINDOWS\system32\lsass.exe
-> D:\Program Files\Control Kids\ck2.dll
PROCESS: D:\WINDOWS\explorer.exe
-> D:\Program Files\Control Kids\ck2.dll
PROCESS: D:\WINDOWS\system32\csrss.exe
-> D:\Program Files\Control Kids\ck2.dll
.
------------------------ Other Running Processes ------------------------
.
D:\WINDOWS\system32\wdfmgr.exe
D:\ComboFix\NirCmd.cfexe
D:\PROGRA~1\Webshots\webshots.scr
D:\DOCUME~1\NOURED~1\LOCALS~1\temp\winbvfhu.exe
D:\DOCUME~1\NOURED~1\LOCALS~1\temp\wintieml.exe
D:\DOCUME~1\NOURED~1\LOCALS~1\temp\winxvnk.exe
.
**************************************************************************
.
Completion time: 10/09/2008 17:10:54 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-09 15:10:34
ComboFix2.txt 2008-10-08 14:37:40
Pre-Run: 288,948,224 bytes free
Post-Run: 330,080,256 bytes free
358
Microsoft Windows XP Professional 5.1.2600.2.1256.1.1025.18.81 [GMT 2:00]
Running from: D:\Documents and Settings\nouredine\??? ??????\ComboFix.exe
* Created a new restore point
[COLOR=RED][B]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/B][/COLOR]
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\ranvrgn.exe
D:\ranvrgn.exe
D:\WINDOWS\IE4 Error Log.txt
E:\ranvrgn.exe
F:\ranvrgn.exe
.
((((((((((((((((((((((((( Files Created from 2008-09-09 to 2008-10-09 )))))))))))))))))))))))))))))))
.
No new files created in this timespan
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-09 15:05 383,008 --sha-w D:\WINDOWS\system32\drivers\fidbox.dat
2008-10-09 15:03 6,536 --sha-w D:\WINDOWS\system32\drivers\fidbox.idx
2008-10-09 15:03 --------- d-----w D:\Program Files\Control Kids
2008-10-09 14:57 --------- d--h--w D:\Program Files\InstallShield Installation Information
2008-10-09 14:57 --------- d-----w D:\Documents and Settings\nouredine\Application Data\Webshots
2008-10-09 14:56 --------- d-----w D:\Program Files\Opera
2008-10-09 14:39 --------- d-----w D:\Program Files\ESET
2008-10-09 14:01 90,112 ----a-w D:\WINDOWS\DUMP3f6a.tmp
2008-10-09 13:42 --------- d-----w D:\Documents and Settings\All Users\Application Data\avg8
2008-10-09 13:41 --------- d-----w D:\Documents and Settings\nouredine\Application Data\AVGTOOLBAR
2008-10-09 13:40 --------- d-----w D:\Program Files\AVG
2008-10-09 11:57 --------- d-----w D:\Documents and Settings\nouredine\Application Data\Skype
2008-10-09 10:57 --------- d-----w D:\Documents and Settings\nouredine\Application Data\skypePM
2008-10-08 19:03 --------- d-----w D:\Program Files\FindyKill
2008-10-08 15:39 --------- d-----w D:\Program Files\Integard
2008-10-08 15:07 --------- d-----w D:\Documents and Settings\All Users\Application Data\MailFrontier
2008-10-08 15:05 --------- d-----w D:\Program Files\Zone Labs
2008-10-08 14:03 184,320 ----a-w D:\WINDOWS\system32\wscript.exe
2008-10-08 12:24 --------- d-----w D:\Program Files\microsoft frontpage
2008-10-08 10:09 --------- d-----w D:\Program Files\Malwarebytes' Anti-Malware
2008-10-06 09:36 --------- d-----w D:\Program Files\WebcamMax
2008-10-06 09:36 --------- d-----w D:\Documents and Settings\nouredine\Application Data\Webcammax
2008-10-05 17:03 359,040 ----a-w D:\WINDOWS\system32\drivers\TCPIP.SYS
2008-10-03 17:56 --------- d-----w D:\Documents and Settings\nouredine\Application Data\fltk.org
2008-10-02 03:45 90,112 ----a-w D:\WINDOWS\DUMP2e53.tmp
2008-09-09 22:04 38,528 ----a-w D:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-09 22:03 17,200 ----a-w D:\WINDOWS\system32\drivers\mbam.sys
2008-09-02 16:32 519,680 ----a-w D:\WINDOWS\system32\cmd.exe
2008-08-31 09:36 89,725 --sh--r D:\ph.com
2008-08-27 16:04 --------- d-----w D:\Program Files\Webshots
2008-08-24 20:47 301,557 ----a-w D:\mnl6on3.com
2008-08-22 16:08 91,316 --sh--r D:\83fgj.com
2008-08-12 18:04 299,191 --sh--r D:\r2nl.com
2008-08-05 18:28 89,885 --sh--r D:\xqf.com
2008-08-02 15:46 89,037 --sh--r D:\e.com
2008-07-31 11:32 88,782 --sh--r D:\uis.com
2008-07-26 13:25 226,561 --sh--r D:\g2pfnid.com
2008-07-25 19:18 90,112 ----a-w D:\WINDOWS\DUMP469e.tmp
2008-07-22 04:03 90,112 ----a-w D:\WINDOWS\DUMPefaf.tmp
2008-07-20 10:11 90,112 ----a-w D:\WINDOWS\DUMPef90.tmp
2008-07-13 10:32 169,984 ----a-w D:\WINDOWS\system32\grpconv.exe
2008-07-09 07:05 75,248 ----a-w D:\WINDOWS\zllsputility.exe
2008-07-09 07:05 54,672 ----a-w D:\WINDOWS\system32\vsutil_loc040c.dll
2008-07-09 07:05 42,384 ----a-w D:\WINDOWS\zllsputility_loc040c.dll
2008-07-09 07:05 21,904 ----a-w D:\WINDOWS\system32\imsinstall_loc040c.dll
2008-07-09 07:05 17,808 ----a-w D:\WINDOWS\system32\imslsp_install_loc040c.dll
2008-07-09 07:05 1,086,952 ----a-w D:\WINDOWS\system32\zpeng24.dll
2008-07-03 17:02 6,587,613 ----a-w D:\Program Files\realalt152.exe
2008-06-26 16:26 70,293 ----a-w D:\Program Files\VLC media player.lnk
2008-06-24 11:01 737 ----a-w D:\Program Files\DivX Player.lnk
2008-06-24 11:01 1,816 ----a-w D:\Program Files\DivX Movies.lnk
2008-05-23 12:22 806 ----a-w D:\Program Files\DivX Converter.lnk
2008-05-12 09:41 32 ----a-w D:\Documents and Settings\All Users\Application Data\ezsid.dat
.
------- Sigcheck -------
10/05/2008 07:03 PM 359040 c81d6a930a7805f6daa0c7902b99037e D:\WINDOWS\system32\dllcache\TCPIP.SYS
10/05/2008 07:03 PM 359040 c81d6a930a7805f6daa0c7902b99037e D:\WINDOWS\system32\drivers\TCPIP.SYS
04/13/2006 01:03 AM 2176384 a76e78a8acbd870c63c096399620120e D:\WINDOWS\system32\ntoskrnl.exe
04/13/2006 12:53 AM 1150464 ed5c9dc44b07b7169b4d4968ec2abb28 D:\WINDOWS\explorer.exe
08/04/2004 02:56 AM 76800 947cdb64772c7c9810ed4bb0e1453934 D:\WINDOWS\system32\ctfmon.exe
.
((((((((((((((((((((((((((((( snapshot@Wed 10-08-2008_16.34.51.29 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-06-07 23:05:02 422,912 ----a-w D:\WINDOWS\system32\controlkids2.dll
+ 2007-07-19 13:10:28 127,768 ----a-w D:\WINDOWS\system32\drivers\klif.sys
+ 2008-07-09 07:05:08 796,048 ----a-w D:\WINDOWS\system32\libeay32_0.9.6l.dll
+ 2004-04-27 02:40:52 11,264 ----a-w D:\WINDOWS\system32\SpOrder.dll
+ 2008-07-09 07:05:10 83,432 ----a-w D:\WINDOWS\system32\vsdata.dll
+ 2008-07-09 07:05:22 394,952 ----a-w D:\WINDOWS\system32\vsdatant.sys
+ 2008-07-09 07:05:10 157,160 ----a-w D:\WINDOWS\system32\vsinit.dll
+ 2008-07-09 07:05:10 103,912 ----a-w D:\WINDOWS\system32\vsmonapi.dll
+ 2008-07-09 07:05:10 275,944 ----a-w D:\WINDOWS\system32\vspubapi.dll
+ 2008-07-09 07:05:10 71,144 ----a-w D:\WINDOWS\system32\vsregexp.dll
+ 2008-07-09 07:05:12 472,552 ----a-w D:\WINDOWS\system32\vsutil.dll
+ 2008-07-09 07:05:12 46,568 ----a-w D:\WINDOWS\system32\vswmi.dll
+ 2008-07-09 07:05:12 99,816 ----a-w D:\WINDOWS\system32\vsxml.dll
+ 2008-07-09 07:05:12 83,432 ----a-w D:\WINDOWS\system32\zlcomm.dll
+ 2008-07-09 07:05:12 71,144 ----a-w D:\WINDOWS\system32\zlcommdb.dll
+ 2008-10-08 15:07:06 4,212 ---h--w D:\WINDOWS\system32\zllictbl.dat
+ 2008-07-09 07:05:06 370,208 ----a-w D:\WINDOWS\system32\ZoneLabs\av.dll
+ 2008-07-09 07:05:36 26,000 ----a-w D:\WINDOWS\system32\ZoneLabs\av_loc040c.dll
+ 2007-05-30 22:03:30 65,248 ----a-w D:\WINDOWS\system32\ZoneLabs\avsys\bases\aphish.dat
+ 2006-06-30 12:47:36 21,568 ----a-w D:\WINDOWS\system32\ZoneLabs\avsys\bases\avcmhk4.dll
+ 2007-05-30 22:03:30 1,628 ----a-w D:\WINDOWS\system32\ZoneLabs\avsys\bases\pdmkl.dat
+ 2007-05-30 22:03:16 77,824 ----a-w D:\WINDOWS\system32\ZoneLabs\avsys\CKAHComm.dll
+ 2007-05-30 22:03:16 110,592 ----a-w D:\WINDOWS\system32\ZoneLabs\avsys\CKAHrule.dll
+ 2007-05-30 22:03:16 331,776 ----a-w D:\WINDOWS\system32\ZoneLabs\avsys\CKAHUM.dll
+ 2007-05-30 22:03:16 38,400 ----a-w D:\WINDOWS\system32\ZoneLabs\avsys\FSSync.dll
+ 2006-09-19 21:12:14 208,960 ----a-w D:\WINDOWS\system32\ZoneLabs\avsys\inv.dll
+ 2007-12-03 12:53:58 282,624 ----a-w D:\WINDOWS\system32\ZoneLabs\avsys\kave.dll
+ 2006-12-19 16:13:52 1,093,632 ----a-w D:\WINDOWS\system32\ZoneLabs\avsys\libeay32.dll
+ 2007-05-30 22:03:20 548,864 ----a-w D:\WINDOWS\system32\ZoneLabs\avsys\msvcp80.dll
+ 2007-05-30 22:03:20 626,688 ----a-w D:\WINDOWS\system32\ZoneLabs\avsys\msvcr80.dll
+ 2007-05-30 22:03:18 184,320 ----a-w D:\WINDOWS\system32\ZoneLabs\avsys\prloader.dll
+ 2007-05-30 22:03:22 90,112 ----a-w D:\WINDOWS\system32\ZoneLabs\avsys\prremote.dll
+ 2007-12-03 12:53:58 139,264 ----a-w D:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
+ 2006-12-19 16:13:52 200,704 ----a-w D:\WINDOWS\system32\ZoneLabs\avsys\ssleay32.dll
+ 2008-07-09 07:05:06 99,816 ----a-w D:\WINDOWS\system32\ZoneLabs\camupd.dll
+ 2008-07-09 07:05:36 17,808 ----a-w D:\WINDOWS\system32\ZoneLabs\camupd_loc040c.dll
+ 2004-01-30 10:35:08 813,568 ----a-w D:\WINDOWS\system32\ZoneLabs\dbghelp.dll
+ 2008-07-09 07:05:08 128,480 ----a-w D:\WINDOWS\system32\ZoneLabs\fbl.dll
+ 2008-07-09 07:05:08 38,376 ----a-w D:\WINDOWS\system32\ZoneLabs\featuremap.dll
+ 2008-07-09 07:05:08 321,016 ----a-w D:\WINDOWS\system32\ZoneLabs\imsecure.dll
+ 2008-07-09 07:05:42 26,000 ----a-w D:\WINDOWS\system32\ZoneLabs\imsecure_loc040c.dll
+ 2008-07-09 07:05:38 288,144 ----a-w D:\WINDOWS\system32\ZoneLabs\lib\ConfigWizard_loc040c.zip.dll
+ 2008-07-09 07:05:42 152,976 ----a-w D:\WINDOWS\system32\ZoneLabs\lib\LicenseUI_loc040c.zip.dll
+ 2008-07-09 07:05:24 26,000 ----a-w D:\WINDOWS\system32\ZoneLabs\lib\zlsvc.zip.dll
+ 2008-07-09 07:05:24 1,361,296 ----a-w D:\WINDOWS\system32\ZoneLabs\lib\zpy.zip.dll
+ 2008-07-09 07:05:24 71,056 ----a-w D:\WINDOWS\system32\ZoneLabs\lib\zui.zip.dll
+ 2008-07-09 07:06:26 30,184 ----a-w D:\WINDOWS\system32\ZoneLabs\plugins\rpc_server\rpc_server.dll
+ 2008-07-09 07:06:26 30,216 ----a-w D:\WINDOWS\system32\ZoneLabs\plugins\vsmon_plugin\vsmon_plugin.dll
+ 2008-02-27 01:10:26 714,208 ----a-w D:\WINDOWS\system32\ZoneLabs\qrbase.dll
+ 2008-02-27 01:10:28 792,032 ----a-w D:\WINDOWS\system32\ZoneLabs\qrsrecl.dll
+ 2008-07-09 07:05:08 173,544 ----a-w D:\WINDOWS\system32\ZoneLabs\scheduler.dll
+ 2008-07-09 07:05:44 17,808 ----a-w D:\WINDOWS\system32\ZoneLabs\scheduler_loc040c.dll
+ 2008-01-21 06:34:36 7,603,688 ----a-w D:\WINDOWS\system32\ZoneLabs\spyware.dat
+ 2008-02-27 01:10:32 1,504,736 ----a-w D:\WINDOWS\system32\ZoneLabs\srescan.dll
+ 2008-02-27 01:10:44 51,176 ----a-w D:\WINDOWS\system32\ZoneLabs\srescan.sys
+ 2008-07-09 07:05:10 456,168 ----a-w D:\WINDOWS\system32\ZoneLabs\ssleay32.dll
+ 2008-07-09 07:06:26 214,528 ----a-w D:\WINDOWS\system32\ZoneLabs\streamapi\httpblocker\httpblocker.dll
+ 2008-07-09 07:06:30 3,266,040 ----a-w D:\WINDOWS\system32\ZoneLabs\streamapi\imslsp\imslsp.dll
+ 2008-07-09 07:05:42 26,000 ----a-w D:\WINDOWS\system32\ZoneLabs\streamapi\imslsp\imslsp_loc040c.dll
+ 2006-09-04 18:59:14 503,875 ----a-w D:\WINDOWS\system32\ZoneLabs\upd_core.dll
+ 2007-10-11 14:50:32 832,984 ----a-w D:\WINDOWS\system32\ZoneLabs\updating.dll
+ 2008-07-09 07:05:18 144,936 ----a-w D:\WINDOWS\system32\ZoneLabs\updclient.exe
+ 2008-07-09 07:05:44 75,152 ----a-w D:\WINDOWS\system32\ZoneLabs\updClient_loc040c.dll
+ 2007-01-11 15:31:06 286,787 ----a-w D:\WINDOWS\system32\ZoneLabs\updtrsdk.dll
+ 2008-07-09 07:05:10 108,008 ----a-w D:\WINDOWS\system32\ZoneLabs\vsavpro.dll
+ 2008-07-09 07:05:10 83,432 ----a-w D:\WINDOWS\system32\ZoneLabs\vsdb.dll
+ 2008-07-09 07:05:44 17,808 ----a-w D:\WINDOWS\system32\ZoneLabs\vsdb_loc040c.dll
+ 2008-07-09 07:05:18 136,744 ----a-w D:\WINDOWS\system32\ZoneLabs\vsmon.exe
+ 2008-07-09 07:05:44 46,480 ----a-w D:\WINDOWS\system32\ZoneLabs\vsmon_loc040c.dll
+ 2008-07-09 07:05:10 2,029,032 ----a-w D:\WINDOWS\system32\ZoneLabs\vsmondll.dll
+ 2008-07-09 07:05:12 1,361,384 ----a-w D:\WINDOWS\system32\ZoneLabs\vsruledb.dll
+ 2008-07-09 07:05:44 198,032 ----a-w D:\WINDOWS\system32\ZoneLabs\vsruledb_loc040c.dll
+ 2008-07-09 07:05:12 239,080 ----a-w D:\WINDOWS\system32\ZoneLabs\vsvault.dll
+ 2008-07-09 07:05:44 17,808 ----a-w D:\WINDOWS\system32\ZoneLabs\vsvault_loc040c.dll
+ 2008-01-21 06:34:36 7,603,688 ----a-w D:\WINDOWS\system32\ZoneLabs\zlasdbup.dat
+ 2008-07-09 07:05:12 177,640 ----a-w D:\WINDOWS\system32\ZoneLabs\zlparser.dll
+ 2008-07-09 07:05:12 79,344 ----a-w D:\WINDOWS\system32\ZoneLabs\zlquarantine.dll
+ 2008-07-09 07:05:44 17,808 ----a-w D:\WINDOWS\system32\ZoneLabs\zlquarantine_loc040c.dll
+ 2008-07-09 07:05:14 382,440 ----a-w D:\WINDOWS\system32\ZoneLabs\zlsre.dll
+ 2008-07-09 07:05:44 21,904 ----a-w D:\WINDOWS\system32\ZoneLabs\zlsre_loc040c.dll
+ 2008-07-09 07:05:14 120,296 ----a-w D:\WINDOWS\system32\ZoneLabs\zlupdate.dll
+ 2006-12-01 20:56:00 96,256 ----a-w D:\WINDOWS\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\ATL80.dll
+ 2006-12-01 20:54:32 479,232 ----a-w D:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcm80.dll
+ 2006-12-01 20:54:34 548,864 ----a-w D:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcp80.dll
+ 2006-12-01 20:54:32 626,688 ----a-w D:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll
+ 2006-12-01 22:25:52 1,101,824 ----a-w D:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80.dll
+ 2006-12-01 22:25:56 1,093,120 ----a-w D:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80u.dll
+ 2006-12-01 22:25:58 69,632 ----a-w D:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80.dll
+ 2006-12-01 22:26:00 57,856 ----a-w D:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80u.dll
+ 2006-12-01 22:08:00 40,960 ----a-w D:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHS.dll
+ 2006-12-01 22:08:00 45,056 ----a-w D:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHT.dll
+ 2006-12-01 22:08:00 65,536 ----a-w D:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80DEU.dll
+ 2006-12-01 22:08:00 57,344 ----a-w D:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ENU.dll
+ 2006-12-01 22:08:00 61,440 ----a-w D:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ESP.dll
+ 2006-12-01 22:08:00 61,440 ----a-w D:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80FRA.dll
+ 2006-12-01 22:08:00 61,440 ----a-w D:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ITA.dll
+ 2006-12-01 22:08:00 49,152 ----a-w D:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80JPN.dll
+ 2006-12-01 22:08:00 49,152 ----a-w D:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80KOR.dll
+ 2006-12-01 22:46:44 65,536 ----a-w D:\WINDOWS\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6c18549a\vcomp.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="D:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56 AM 76800]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZSSnp211"="D:\WINDOWS\ZSSnp211.exe" [04/06/2007 11:06 AM 118784]
"Domino"="D:\WINDOWS\Domino.exe" [08/18/2006 04:58 PM 110592]
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM 214416]
"TkBellExe"="D:\Program Files\Common Files\Real\Update_OB\realsched.exe" [05/29/2008 05:36 AM 247336]
"Control Kids"="D:\Program Files\Control Kids\Control kids.exe" [07/21/2005 10:43 AM 2971648]
"NVIDIA nForce APU1 Utilities"="NVATray.exe" [01/18/2002 05:33 PM 106496 D:\WINDOWS\system32\NVATray.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"WIAWizardMenu"="D:\WINDOWS\system32\sti_ci.dll" [08/04/2004 02:55 AM 136192]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="D:\WINDOWS\system32\CTFMON.EXE" [08/04/2004 02:56 AM 76800]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"="move" [X]
"tscuninstall"="D:\WINDOWS\system32\tscupgrd.exe" [08/04/2004 12:59 AM 44544]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDesktopCleanupWizard"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\WINDOWS\\system32\\NVATray.exe"=
"C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe"=
"D:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe"=
"D:\\WINDOWS\\system32\\ctfmon.exe"=
"D:\\WINDOWS\\Domino.exe"=
"D:\\Program Files\\Java\\jre1.6.0_05\\bin\\jusched.exe"=
"E:\\udr.com"=
"D:\\Program Files\\MSN Messenger\\usnsvc.exe"=
"D:\\WINDOWS\\ZSSnp211.exe"=
"D:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"D:\\Program Files\\MSN Messenger\\livecall.exe"=
"D:\\Program Files\\WinRAR\\WinRAR.exe"=
"D:\\WINDOWS\\system32\\cleanmgr.exe"=
"E:\\[u]0[/u]0hoeav.com"=
"C:\\Program Files\\Real\\RealPlayer\\RecordingManager.exe"=
"D:\\Program Files\\Java\\jre1.6.0_05\\bin\\jucheck.exe"=
"D:\\PROGRA~1\\Webshots\\webshots.scr"=
"D:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"D:\\Program Files\\Mozilla Firefox\\crashreporter.exe"=
"D:\\WINDOWS\\system32\\MsiExec.exe"= D:\\WINDOWS\\system32\\msiexec.exe
"D:\\WINDOWS\\system32\\cmd.exe"=
"D:\\ComboFix\\regt.cfexe"=
"D:\\Program Files\\Control Kids\\Control Kids.exe"=
"D:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"D:\\Program Files\\Skype\\Phone\\Skype.exe"=
"D:\\DOCUME~1\\NOURED~1\\LOCALS~1\\Temp\\winbvfhu.exe"=
"D:\\DOCUME~1\\NOURED~1\\LOCALS~1\\Temp\\wintieml.exe"=
"D:\\DOCUME~1\\NOURED~1\\LOCALS~1\\Temp\\winxvnk.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"= 443:TCP:*:Disabled:ooVoo TCP المنفذ 443
"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP المنفذ 443
"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP المنفذ 37674
"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP المنفذ 37674
"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP المنفذ 37675
R2 CAMTHWDM;WebcamMax, WDM Video Capture;D:\WINDOWS\system32\DRIVERS\CAMTHWDM.sys [03/11/2008 03:14 PM 941784]
R3 aic32p;aic32p;D:\WINDOWS\system32\drivers\fnmpfl.sys [ ]
R3 slnt;RTL8139D PCI Fast Ethernet Adapter;D:\WINDOWS\system32\DRIVERS\slnt.sys [07/11/2005 03:31 AM 18004]
S2 Wlansvc;@%SystemRoot%\System32\wlansvc.dll,-257;D:\WINDOWS\system32\svchost.exe [08/04/2004 02:56 AM 14336]
[COLOR=RED]NETSVCS REQUIRES REPAIRS - current entries shown[/COLOR]
6to4
AppMgmt
AudioSrv
Browser
CryptSvc
DMServer
DHCP
EventSystem
FastUserSwitchingCompatibility
HidServ
Ias
Iprip
Irmon
LanmanServer
LanmanWorkstation
Netman
Nla
NWCWorkstation
Nwsapagent
Rasauto
Rasman
Remoteaccess
Schedule
Seclogon
SENS
Sharedaccess
SRService
Tapisrv
Themes
TrkWks
W32Time
WZCSVC
Wmi
WmdmPmSp
winmgmt
xmlprov
BITS
ShellHWDetection
WmdmPmSN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
.
Contents of the 'Scheduled Tasks' folder
2008-10-09 D:\WINDOWS\Tasks\ErrorSmart Scheduled Scan.job
- D:\Program Files\ErrorSmart\ErrorSmart.exe []
2008-10-09 D:\WINDOWS\Tasks\ErrorSmart Scheduled Scan.job
- D:\Program Files\ErrorSmart []
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-ZoneAlarm Client - D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
.
------- Supplementary Scan -------
.
FireFox -: Profile - D:\Documents and Settings\nouredine\Application Data\Mozilla\Firefox\Profiles\rx4fcwvd.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://uk.search.yahoo.com/search?ei=UTF-8&fr=ytff-divxd&p=
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.google.fr
FF -: plugin - C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll
FF -: plugin - C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll
FF -: plugin - C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll
FF -: plugin - D:\Program Files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF -: plugin - D:\Program Files\Mozilla Firefox\plugins\NPMyWebS.dll
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-09 17:04:32
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mchInjDrv]
"ImagePath"="\??\D:\DOCUME~1\NOURED~1\LOCALS~1\Temp\mc21.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: D:\WINDOWS\system32\winlogon.exe
-> D:\Program Files\Control Kids\ck2.dll
PROCESS: D:\WINDOWS\system32\lsass.exe
-> D:\Program Files\Control Kids\ck2.dll
PROCESS: D:\WINDOWS\explorer.exe
-> D:\Program Files\Control Kids\ck2.dll
PROCESS: D:\WINDOWS\system32\csrss.exe
-> D:\Program Files\Control Kids\ck2.dll
.
------------------------ Other Running Processes ------------------------
.
D:\WINDOWS\system32\wdfmgr.exe
D:\ComboFix\NirCmd.cfexe
D:\PROGRA~1\Webshots\webshots.scr
D:\DOCUME~1\NOURED~1\LOCALS~1\temp\winbvfhu.exe
D:\DOCUME~1\NOURED~1\LOCALS~1\temp\wintieml.exe
D:\DOCUME~1\NOURED~1\LOCALS~1\temp\winxvnk.exe
.
**************************************************************************
.
Completion time: 10/09/2008 17:10:54 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-09 15:10:34
ComboFix2.txt 2008-10-08 14:37:40
Pre-Run: 288,948,224 bytes free
Post-Run: 330,080,256 bytes free
Actually, I think the virus is blocking my access to the online detection sites, because I tried on my other PC with Linux and there it opens fine.
Well, last night I decided to format because it was becoming unbearable. I did keep a backup partition with my files. When I installed Antivir it found about 20 infections, but I can't manage to paste the report; basically it found:
TR/Crypt.XPACK.Gen (Trojan)
TR/OnlineG.105128.A (Trojan)
TR/PSW.OnlGame.alrc (Trojan)
TR/Vundo.Gen (Trojan)
W32/Sality (Windows virus)
That's all, so I deleted everything.
I also ran a scan with Malwarebytes; here is the report:
Malwarebytes' Anti-Malware 1.28
Version de la base de données: 1246
Windows 5.1.2600 Service Pack 2
09/10/2008 01:05:10 م
mbam-log-2008-10-09 (13-05-10).txt
Type de recherche: Examen complet (C:\|D:\|E:\|F:\|)
Eléments examinés: 52814
Temps écoulé: 17 minute(s), 40 second(s)
Processus mémoire infecté(s): 0
Module(s) mémoire infecté(s): 0
Clé(s) du Registre infectée(s): 5
Valeur(s) du Registre infectée(s): 1
Elément(s) de données du Registre infecté(s): 0
Dossier(s) infecté(s): 0
Fichier(s) infecté(s): 2
Processus mémoire infecté(s):
(Aucun élément nuisible détecté)
Module(s) mémoire infecté(s):
(Aucun élément nuisible détecté)
Clé(s) du Registre infectée(s):
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
Valeur(s) du Registre infectée(s):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.
Elément(s) de données du Registre infecté(s):
(Aucun élément nuisible détecté)
Dossier(s) infecté(s):
(Aucun élément nuisible détecté)
Fichier(s) infecté(s):
C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cmdow.exe (Malware.Tool) -> Quarantined and deleted successfully.
And finally I ran ComboFix again (MSNFix and Lop found nothing):
ComboFix 08-10-08.04 - Administrator 10/09/2008 13:32:48.1 - NTFSx86
Running from: C:\Documents and Settings\Administrator\سطح المكتب\ComboFix.exe
[COLOR=RED][B]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/B][/COLOR]
.
((((((((((((((((((((((((( Files Created from 2008-09-09 to 2008-10-09 )))))))))))))))))))))))))))))))
.
No new files created in this timespan
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-10 09:54 --------- d-----w C:\Documents and Settings\Administrator\Application Data\vlc
2008-10-10 09:43 --------- d-----w C:\Documents and Settings\Administrator\Application Data\.purple
2008-10-10 09:40 --------- d-----w C:\Program Files\Common Files\GTK
2008-10-10 09:28 --------- d-----w C:\Program Files\Hide and Protect any Drives
2008-10-10 09:27 --------- d-----w C:\Program Files\Everstrike Software
2008-10-10 09:10 --------- d-----w C:\Program Files\Blue Coat K9 Web Protection
2008-10-10 08:57 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Skype
2008-10-10 08:11 --------- d-----w C:\Program Files\xp-AntiSpy
2008-10-10 07:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-10-10 06:00 --------- d-----w C:\Documents and Settings\Administrator\Application Data\skypePM
2008-10-10 04:19 --------- d-----w C:\Program Files\microsoft frontpage
2008-10-10 03:42 --------- d-----w C:\Program Files\Common Files\Everstrike Software
2008-10-09 21:22 --------- d-----w C:\Program Files\VideoLAN
2008-10-09 21:16 --------- d-----w C:\Program Files\Common Files\xing shared
2008-10-09 21:15 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-10-09 21:15 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-10-09 21:15 --------- d-----w C:\Program Files\Common Files\Real
2008-10-09 21:13 --------- d-----w C:\Program Files\Skype
2008-10-09 21:13 --------- d-----w C:\Program Files\Common Files\Skype
2008-10-09 21:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-10-09 21:01 --------- d-----w C:\Program Files\Avira
2008-10-09 21:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avira
2008-10-09 20:25 --------- d-----w C:\Program Files\ma-config.com
2008-10-09 20:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\ma-config.com
2008-10-09 20:11 --------- d-----w C:\Program Files\NVIDIA Corporation
2008-10-09 20:11 --------- d-----w C:\Program Files\Common Files\NVIDIA Shared
2008-10-09 20:10 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-10-09 19:28 --------- d-----w C:\Program Files\Real
2008-10-09 19:26 --------- d-----w C:\Program Files\Your Uninstaller 2006
2008-10-09 19:26 --------- d-----w C:\Program Files\seah
2008-10-09 19:26 --------- d-----w C:\Program Files\Salheen
2008-10-09 19:26 --------- d-----w C:\Program Files\quran
2008-10-09 19:26 --------- d-----w C:\Program Files\PDF Reader
2008-10-09 19:26 --------- d-----w C:\Program Files\internet download manager
2008-10-09 19:26 --------- d-----w C:\Program Files\Dict
2008-10-09 19:26 --------- d-----w C:\Program Files\Avant Browser
2008-10-09 13:15 52,478 ------w C:\WINDOWS\system32\drivers\MDCBNT.SYS
2008-10-09 11:12 90,112 ----a-w C:\WINDOWS\DUMP45f2.tmp
2008-10-09 10:45 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-10-09 10:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-09 10:45 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-10-09 10:42 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Avant Browser
2008-10-09 10:23 --------- d-----w C:\Program Files\MSN Messenger
2008-09-09 22:04 38,528 ----a-w C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-09 22:03 17,200 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
.
------- Sigcheck -------
04/13/2006 01:03 AM 2176384 a76e78a8acbd870c63c096399620120e C:\WINDOWS\system32\ntoskrnl.exe
04/13/2006 12:53 AM 1150464 ed5c9dc44b07b7169b4d4968ec2abb28 C:\WINDOWS\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56 AM 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [06/03/2004 08:51 PM 131072]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [06/12/2008 02:28 PM 266497]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [10/09/2008 11:15 PM 185872]
"HPDAgent"="C:\Program Files\Hide and Protect any Drives\HPDAgent.exe" [01/09/2008 12:26 AM 204288]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [08/04/2004 02:56 AM 15360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"="move" [X]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [08/04/2004 12:59 AM 44544]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDesktopCleanupWizard"= 1 (0x1)
"NoFavoritesMenu"= 0 (0x0)
"NoSMMyPictures"= 0 (0x0)
"NoStartMenuMyMusic"= 0 (0x0)
"NoRecentDocsNetHood"= 0 (0x0)
"NoInstrumentation"= 0 (0x0)
"NoSimpleStartMenu"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFavoritesMenu"= 0 (0x0)
"NoSMMyPictures"= 0 (0x0)
"NoStartMenuMyMusic"= 0 (0x0)
"NoRecentDocsNetHood"= 0 (0x0)
"NoInstrumentation"= 0 (0x0)
"NoStartMenuPinnedList"= 0 (0x0)
"ForceStartMenuLogoff"= 0 (0x0)
"NoUserNameInStartMenu"= 0 (0x0)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
R1 cwmtdi;cwmtdi;C:\WINDOWS\system32\drivers\cwmtdi.sys [05/15/2007 01:04 AM 48640]
R1 MDCBNT;MDCBNT;C:\WINDOWS\system32\drivers\MDCBNT.SYS [01/09/2008 12:24 AM 52478]
R3 slnt;RTL8139D PCI Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\slnt.sys [07/11/2005 03:31 AM 18004]
[COLOR=RED]NETSVCS REQUIRES REPAIRS - current entries shown[/COLOR]
6to4
AppMgmt
AudioSrv
Browser
CryptSvc
DMServer
DHCP
EventSystem
FastUserSwitchingCompatibility
HidServ
Ias
Iprip
Irmon
LanmanServer
LanmanWorkstation
Netman
Nla
NWCWorkstation
Nwsapagent
Rasauto
Rasman
Remoteaccess
Schedule
Seclogon
SENS
Sharedaccess
SRService
Tapisrv
Themes
TrkWks
W32Time
WZCSVC
Wmi
WmdmPmSp
winmgmt
xmlprov
BITS
ShellHWDetection
WmdmPmSN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\tpcat4a4.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.google.fr
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-09 13:34:32
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 10/09/2008 13:36:36
ComboFix-quarantined-files.txt 2008-10-09 11:36:28
Pre-Run: 8,400,220,160 bytes free
Post-Run: 8,397,332,480 bytes free
And finally, another HijackThis report:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:00, on 2008-10-09
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Documents and Settings\Administrator\سطح المكتب\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPDAgent] C:\Program Files\Hide and Protect any Drives\HPDAgent.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\WINDOWS\System32\ups.exe (file missing)
O23 - Service: Blue Coat K9 Web Protection (WebFilter) - Unknown owner - C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe