Infection by dehafunu.dll, zebelivu.dll, nimuhoke.dll (?)


This topic is locked
10 replies to this topic

#1 flap (Members, 6 posts)

Posted 15 December 2008 - 06:33 AM

Hello,

Since last Friday, I have spotted that my computer has been infected by malware:

- When opening a new page in Firefox, often another one is opened (linking to software to remove malware).
- When typing in a box in Firefox, I think that it opens another page too.
- I suspect that it "kills" some Firefox panels (for example: a panel for Google stops downloading results. If I close it and reopen another one, it works again. I have the feeling that this behaviour is new).
- When Firefox is closed, my antivirus (avast) warns me that something tried to open IE.
- I have tried to run Kaspersky antivirus. After the data had been downloaded, Firefox was closed twice. Could it be caused by malware protecting itself? (Actually, the scan is being done right now.)
- A scan from avast on Friday found and destroyed a few pieces of malware. I am not sure where to find the report.

A scan from Kaspersky is being done now. I'll post it when it is finished.

(Edit: scan of critical areas (the other was too long)
Scan statistics
Files scanned 77370
Threat names 0
Infected objects 0
Suspicious objects 0
Duration of the scan 00:52:37 )

(Edit 2: A web search told me that I was infected by "Trojan:Win32/Vundo", which creates all these randomly named DLLs.)

Thank you for your help!

Logfile of random's system information tool 1.04 (written by random/random)
Run by Fabien at 2008-12-15 12:21:01
Microsoft Windows XP Professionnel Service Pack 3
System drive C: has 27 GB (41%) free of 66 GB
Total RAM: 2047 MB (66% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:21:04, on 15/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
c:\Program Files\ASUS Security Center\ASUS Security Protect Manager\Bin\AsGHost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ATK0100\HControl.exe
C:\Program Files\ASUS\Splendid\ACMON.exe
C:\Program Files\ASUS\ATK Media\DMEDIA.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\ACEngSvr.exe
C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Wireless Console 2\wcourier.exe
C:\Program Files\Druide\Antidote\Gestionnaire Antidote.exe
C:\Program Files\Clipdiary\clipdiary.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe
C:\Program Files\Option\GlobeTrotter Connect\GlobeTrotter Connect.exe
C:\Program Files\InstantTimeZone\InstantTimeZone.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Documents and Settings\Fabien\Bureau\RSIT.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\Fabien.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fli.ie/webmail
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.asus.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://serveur/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = subcisa01:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: (no name) - {48caf42d-aad7-42f8-933a-c4e5b6b058ee} - C:\WINDOWS\system32\ruhobazi.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: ASUS Security Protect Manager - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - c:\Program Files\ASUS Security Center\ASUS Security Protect Manager\Bin\ItIEAddIn.dll
O3 - Toolbar: Copernic Desktop Search - Home - {968631B6-4729-440D-9BF4-251F5593EC9A} - C:\Program Files\Copernic Desktop Search 2\DesktopSearchBand300000081.dll
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ACMON] C:\Program Files\ASUS\Splendid\ACMON.exe
O4 - HKLM\..\Run: [ATKMEDIA] C:\Program Files\ASUS\ATK Media\DMEDIA.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ABLKSR] C:\WINDOWS\ABLKSR\ABLKSR.exe
O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe c:\PROGRA~1\ASUSSE~1\ASUSSE~1\Bin\ASTSVCC.dll,RegisterModule
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Wireless Console 2] C:\Program Files\Wireless Console 2\wcourier.exe
O4 - HKLM\..\Run: [Install5G] E:\Install.exe plug_ethernet
O4 - HKLM\..\Run: [mesulekuko] Rundll32.exe "C:\WINDOWS\system32\dehafunu.dll",s
O4 - HKLM\..\Run: [CPM6b403fda] Rundll32.exe "c:\windows\system32\zebelivu.dll",a
O4 - HKCU\..\Run: [Gestionnaire Antidote.exe] C:\Program Files\Druide\Antidote\Gestionnaire Antidote.exe
O4 - HKCU\..\Run: [clipdiary] C:\Program Files\Clipdiary\clipdiary.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Copernic Desktop Search - Home] "C:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe" /tray
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files\Trend Micro\HijackThis\HijackThis.exe /startupscan
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-19\..\Run: [mesulekuko] Rundll32.exe "C:\WINDOWS\system32\dehafunu.dll",s (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: GlobeTrotter Connect.lnk = C:\Program Files\Option\GlobeTrotter Connect\GlobeTrotter Connect.exe
O4 - Global Startup: InstantTimeZone.lnk = C:\Program Files\InstantTimeZone\InstantTimeZone.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\kanolalo.dll c:\windows\system32\zebelivu.dll
O20 - Winlogon Notify: OneCard - c:\Program Files\ASUS Security Center\ASUS Security Protect Manager\Bin\ASWLNPkg.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\zebelivu.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\zebelivu.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

--
End of file - 8565 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{48caf42d-aad7-42f8-933a-c4e5b6b058ee}]
C:\WINDOWS\system32\ruhobazi.dll [2008-09-12 61644]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 501400]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DF21F1DB-80C6-11D3-9483-B03D0EC10000}]
ASUS Security Protect Manager - c:\Program Files\ASUS Security Center\ASUS Security Protect Manager\Bin\ItIEAddIn.dll [2006-01-24 65536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{968631B6-4729-440D-9BF4-251F5593EC9A} - Copernic Desktop Search - Home - C:\Program Files\Copernic Desktop Search 2\DesktopSearchBand300000081.dll [2008-09-18 995328]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"HControl"=C:\WINDOWS\ATK0100\HControl.exe [2006-04-17 110592]
"Alcmtr"=C:\WINDOWS\ALCMTR.EXE [2005-05-03 69632]
"ACMON"=C:\Program Files\ASUS\Splendid\ACMON.exe [2006-05-30 811008]
"ATKMEDIA"=C:\Program Files\ASUS\ATK Media\DMEDIA.EXE [2006-06-08 53248]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2006-05-25 786521]
"ABLKSR"=C:\WINDOWS\ABLKSR\ABLKSR.exe [2006-01-02 61440]
"Power_Gear"=C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe [2006-03-14 90112]
"avast!"=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe [2008-11-26 81000]
"CognizanceTS"=c:\PROGRA~1\ASUSSE~1\ASUSSE~1\Bin\ASTSVCC.dll [2003-12-22 17920]
"IntelZeroConfig"=C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe [2006-08-02 802816]
"IntelWireless"=C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe [2006-08-02 696320]
"Wireless Console 2"=C:\Program Files\Wireless Console 2\wcourier.exe [2005-10-17 987136]
"Install5G"=E:\Install.exe plug_ethernet []
"mesulekuko"=C:\WINDOWS\system32\dehafunu.dll [2008-09-12 61644]
"CPM6b403fda"=c:\windows\system32\zebelivu.dll [2008-12-15 91313]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Gestionnaire Antidote.exe"=C:\Program Files\Druide\Antidote\Gestionnaire Antidote.exe [2008-06-03 536576]
"clipdiary"=C:\Program Files\Clipdiary\clipdiary.exe [2007-05-23 208896]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
"Copernic Desktop Search - Home"=C:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe [2008-09-18 1698816]
"HijackThis startup scan"=C:\Program Files\Trend Micro\HijackThis\HijackThis.exe [2008-12-15 396288]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASUS Live Update]
C:\Program Files\ASUS\ASUS Live Update\ALU.exe [2006-02-21 180224]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe [2006-05-10 90112]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
C:\WINDOWS\ehome\ehtray.exe [2005-08-05 64512]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gestio~1.exe]
C:\Program Files\Druide\Antidote\Gestio~1.exe [2008-06-03 536576]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [2006-02-19 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpenOffice Password Recovery]
C:\Program Files\Intelore\OpenOffice Password Recovery\OpenOfficePasswordRecovery.exe /hide []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerForPhone]
C:\Program Files\ASUS\PowerForPhone\PowerForPhone.exe [2006-06-29 774144]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\QTTask.exe [2007-12-11 286720]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe [2004-11-02 32768]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
C:\WINDOWS\RTHDCPL.EXE [2006-07-21 16261632]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Samsung Common SM]
C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe /autorun []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
C:\Program Files\Skype\Phone\Skype.exe [2008-08-11 21741864]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
C:\WINDOWS\SkyTel.EXE [2006-05-16 2879488]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe [2006-08-06 573440]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe [2007-03-14 83608]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^HP Digital Imaging Monitor.lnk]
C:\PROGRA~1\HP\DIGITA~1\bin\hpqtra08.exe [2006-02-19 288472]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^Lancement rapide d'Adobe Reader.lnk]
C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE [2008-04-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^Microsoft Office.lnk]
C:\PROGRA~1\MICROS~2\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^MultiFrame.lnk]
C:\PROGRA~1\ASUS\ASUSMU~1\MULTIF~1.EXE [2006-06-01 491520]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Fabien^Menu Démarrer^Programmes^Démarrage^OpenOffice.org 2.0.lnk]
C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe []

C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage
Lancement rapide d'Adobe Reader.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
GlobeTrotter Connect.lnk - C:\Program Files\Option\GlobeTrotter Connect\GlobeTrotter Connect.exe
InstantTimeZone.lnk - C:\Program Files\InstantTimeZone\InstantTimeZone.exe

C:\Documents and Settings\Fabien\Menu Démarrer\Programmes\Démarrage
OpenOffice.org 3.0.lnk - C:\Program Files\OpenOffice.org 3\program\quickstart.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="C:\WINDOWS\system32\kanolalo.dll c:\windows\system32\zebelivu.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2006-08-02 86016]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\OneCard]
c:\Program Files\ASUS Security Center\ASUS Security Protect Manager\Bin\ASWLNPkg.dll [2006-05-02 40448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]
SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\zebelivu.dll [2008-12-15 91313]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler]
STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\zebelivu.dll [2008-12-15 91313]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=scecli
ASWLNPkg
C:\WINDOWS\system32\kanolalo.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\LeechFTP\Leechftp.exe"="C:\Program Files\LeechFTP\Leechftp.exe:*:Enabled:LeechFTP"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\WINDOWS\System32\ftp.exe"="C:\WINDOWS\System32\ftp.exe:*:Enabled:Logiciel de transfert de fichiers"
"F:\leechftp.exe"="F:\leechftp.exe:*:Enabled:LeechFTP"
"C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe"="C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe"="C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe"="C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe"="C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe"="C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe"="C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe:*:Enabled:hpqdia.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe"="C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe:*:Enabled:hpqnrs08.exe"
"C:\WINDOWS\System32\lexpps.exe"="C:\WINDOWS\System32\lexpps.exe:*:Disabled:LEXPPS.EXE"
"C:\Documents and Settings\Fabien\Bureau\beginmultiplayer0.92\beginmultiplayer\data\dosbox.exe"="C:\Documents and Settings\Fabien\Bureau\beginmultiplayer0.92\beginmultiplayer\data\dosbox.exe:*:Disabled:dosbox"
"C:\Program Files\Pax Galaxia\PaxGal.exe"="C:\Program Files\Pax Galaxia\PaxGal.exe:*:Disabled:PaxGal"
"C:\Program Files\dark-oberon\doberon.exe"="C:\Program Files\dark-oberon\doberon.exe:*:Enabled:doberon"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\WINDOWS\EXPLORER.EXE"="C:\WINDOWS\EXPLORER.EXE:*:Enabled:Explorer"
"C:\WINDOWS\System32\winlogon.exe"="C:\WINDOWS\System32\winlogon.exe:*:Enabled:winlogon"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0663f35e-5498-11dd-a183-00f1d000f1d0}]
shell\Auto\command - F:\AdobeR.exe e
shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL AdobeR.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{093d8200-48fb-11dd-a164-0018de6dee23}]
shell\AutoRun\command - F:\setup.exe AUTORUN=1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bb238d50-ae75-11dc-a037-0018de6dee23}]
shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
shell\Open(&0)\command - Recycled\ctfmon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cd00620e-8c20-11dc-9ff5-0018f33fb032}]
shell\AutoRun\command - F:\LaunchU3.exe


======File associations======

.scr - open - C:\WINDOWS\system32\notepad.exe "%1"
.scr - install -
.scr - config -

======List of files/folders created in the last 1 months======

2008-12-15 12:21:01 ----D---- C:\rsit
2008-12-15 11:43:42 ----D---- C:\WINDOWS\ERDNT
2008-12-15 11:42:54 ----D---- C:\Program Files\ERUNT
2008-12-15 09:15:58 ----D---- C:\Program Files\Trend Micro
2008-12-15 08:45:51 ----SH---- C:\WINDOWS\system32\ekohumin.ini
2008-12-14 20:07:10 ----SH---- C:\WINDOWS\system32\emitusiv.ini
2008-12-13 14:08:38 ----D---- C:\Program Files\Lavasoft
2008-12-13 14:08:37 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-12-13 14:08:05 ----D---- C:\Program Files\Fichiers communs\Wise Installation Wizard
2008-12-12 22:28:28 ----SH---- C:\WINDOWS\system32\uterivat.ini
2008-12-10 23:46:42 ----D---- C:\Documents and Settings\Fabien\Application Data\OpenOffice.org
2008-12-10 23:36:26 ----D---- C:\Program Files\JRE
2008-12-10 23:36:21 ----D---- C:\Program Files\OpenOffice.org 3
2008-12-01 03:01:07 ----HD---- C:\WINDOWS\$NtUninstallKB951978$
2008-12-01 03:00:42 ----HD---- C:\WINDOWS\$NtUninstallKB954459$
2008-11-29 12:37:52 ----D---- C:\WINDOWS\Prefetch
2008-11-29 12:16:57 ----HD---- C:\WINDOWS\$NtUninstallKB957097$
2008-11-29 12:16:51 ----HD---- C:\WINDOWS\$NtUninstallKB955069$
2008-11-29 12:16:46 ----HD---- C:\WINDOWS\$NtUninstallKB958644$
2008-11-29 12:16:41 ----HD---- C:\WINDOWS\$NtUninstallKB956803$
2008-11-29 12:16:35 ----HD---- C:\WINDOWS\$NtUninstallKB957095$
2008-11-29 12:16:29 ----HD---- C:\WINDOWS\$NtUninstallKB954211$
2008-11-29 12:16:22 ----HD---- C:\WINDOWS\$NtUninstallKB956841$
2008-11-29 12:16:15 ----HD---- C:\WINDOWS\$NtUninstallKB956390$
2008-11-29 12:16:10 ----HD---- C:\WINDOWS\$NtUninstallKB938464$
2008-11-29 12:16:05 ----HD---- C:\WINDOWS\$NtUninstallKB946648$
2008-11-29 12:15:58 ----HD---- C:\WINDOWS\$NtUninstallKB952287$
2008-11-29 12:15:53 ----HD---- C:\WINDOWS\$NtUninstallKB951066$
2008-11-29 12:15:46 ----HD---- C:\WINDOWS\$NtUninstallKB953838$
2008-11-29 12:15:40 ----HD---- C:\WINDOWS\$NtUninstallKB952954$
2008-11-29 12:15:35 ----HD---- C:\WINDOWS\$NtUninstallKB950974$
2008-11-29 12:15:27 ----HD---- C:\WINDOWS\$NtUninstallKB951748$
2008-11-29 12:15:22 ----HD---- C:\WINDOWS\$NtUninstallKB951376-v2$
2008-11-29 12:15:17 ----HD---- C:\WINDOWS\$NtUninstallKB950762$
2008-11-29 12:15:11 ----HD---- C:\WINDOWS\$NtUninstallKB951376$
2008-11-29 12:15:06 ----HD---- C:\WINDOWS\$NtUninstallKB951698$
2008-11-29 12:14:59 ----HD---- C:\WINDOWS\$NtUninstallKB950759$
2008-11-29 12:10:24 ----D---- C:\WINDOWS\system32\fr
2008-11-29 12:10:24 ----D---- C:\WINDOWS\system32\bits
2008-11-29 12:10:24 ----D---- C:\WINDOWS\l2schemas
2008-11-29 11:51:30 ----D---- C:\WINDOWS\ServicePackFiles
2008-11-29 11:49:31 ----D---- C:\WINDOWS\network diagnostic
2008-11-29 11:45:33 ----HD---- C:\WINDOWS\$NtServicePackUninstall$
2008-11-24 20:16:16 ----A---- C:\WINDOWS\PROTOCOL.INI
2008-11-24 20:16:06 ----A---- C:\WINDOWS\RCCONFIG.INI
2008-11-24 20:15:41 ----A---- C:\WINDOWS\uninst.exe
2008-11-21 20:17:23 ----D---- C:\Program Files\Xtreme Borders for Stars!
2008-11-18 16:46:41 ----A---- C:\WINDOWS\Stars.ini

======List of files/folders modified in the last 1 months======

2008-12-15 11:05:02 ----A---- C:\WINDOWS\ModemLog_Motorola SM56 Speakerphone Modem.txt
2008-12-15 11:05:02 ----A---- C:\WINDOWS\ModemLog_Modem standard 33600 bps.txt
2008-12-15 09:58:00 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-12-15 08:45:38 ----ASH---- C:\WINDOWS\system32\nimuhoke.dll
2008-12-15 08:45:36 ----ASH---- C:\WINDOWS\system32\zebelivu.dll
2008-12-14 20:07:08 ----ASH---- C:\WINDOWS\system32\visutime.dll
2008-12-14 20:07:08 ----ASH---- C:\WINDOWS\system32\noweripe.dll
2008-12-12 22:28:26 ----N---- C:\WINDOWS\system32\taviretu.dll
2008-12-12 22:28:26 ----ASH---- C:\WINDOWS\system32\vujanumi.dll
2008-12-12 22:28:26 ----ASH---- C:\WINDOWS\system32\nuwilofo.dll
2008-12-12 14:58:12 ----A---- C:\WINDOWS\Antidote.ini
2008-12-09 23:14:52 ----A---- C:\WINDOWS\NeroDigital.ini
2008-12-01 03:01:00 ----A---- C:\WINDOWS\imsins.BAK
2008-11-30 09:23:42 ----A---- C:\WINDOWS\win.ini
2008-11-30 01:58:24 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2008-11-30 01:55:14 ----A---- C:\WINDOWS\OEWABLog.txt
2008-11-29 12:37:34 ----A---- C:\WINDOWS\setuplog.txt
2008-11-26 18:21:30 ----A---- C:\WINDOWS\system32\aswBoot.exe
2008-11-21 20:17:16 ----N---- C:\WINDOWS\Setup1.exe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 Aavmker4;avast! Asynchronous Virus Monitor; C:\WINDOWS\system32\drivers\Aavmker4.sys [2008-11-26 26944]
R1 aswSP;avast! Self Protection; C:\WINDOWS\system32\drivers\aswSP.sys [2008-11-26 111184]
R1 aswTdi;avast! Network Shield Support; C:\WINDOWS\system32\drivers\aswTdi.sys [2008-11-26 50864]
R1 intelppm;Pilote de processeur Intel; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-14 40576]
R1 ItSDisk;ItSDisk; C:\WINDOWS\System32\Drivers\ItSDisk.sys [2006-05-16 17840]
R1 truecrypt;truecrypt; C:\WINDOWS\System32\drivers\truecrypt.sys [2008-04-18 223424]
R2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.5.3.0; C:\WINDOWS\system32\DRIVERS\AegisP.sys [2006-10-13 21419]
R2 aswFsBlk;aswFsBlk; C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-11-26 20560]
R2 aswMon2;avast! Standard Shield Support; C:\WINDOWS\system32\drivers\aswMon2.sys [2008-11-26 94032]
R2 s24trans;WLAN Transport; C:\WINDOWS\system32\DRIVERS\s24trans.sys [2006-08-02 12544]
R3 Arp1394;Protocole client ARP 1394; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 aswRdr;aswRdr; C:\WINDOWS\system32\drivers\aswRdr.sys [2008-11-26 23152]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2006-08-02 1681920]
R3 CmBatt;Pilote d'adaptateur secteur Microsoft; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2008-04-13 13952]
R3 HDAudBus;Pilote de bus Microsoft UAA pour High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 HidUsb;Pilote de classe HID Microsoft; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2006-07-24 4353024]
R3 MODEMCSA;Périphérique de filtrage de flux Unimodem; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
R3 mouhid;Pilote HID de souris; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-23 12288]
R3 MTsensor;ATK0100 ACPI UTILITY; C:\WINDOWS\system32\DRIVERS\ATKACPI.sys [2005-02-17 5632]
R3 NETw3x32;Pilote de carte réseau Intel® PRO/Wireless 3945ABG pour Windows XP 32 bits; C:\WINDOWS\system32\DRIVERS\NETw3x32.sys [2006-07-26 1707776]
R3 NIC1394;Pilote réseau 1394; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 rimmptsk;rimmptsk; C:\WINDOWS\system32\DRIVERS\rimmptsk.sys [2005-11-16 28928]
R3 rimsptsk;rimsptsk; C:\WINDOWS\system32\DRIVERS\rimsptsk.sys [2005-11-01 51584]
R3 ROOTMODEM;Microsoft Legacy Modem Driver; C:\WINDOWS\System32\Drivers\RootMdm.sys [2006-03-24 5888]
R3 RTL8023xp;Realtek 10/100/1000 NIC Family all in one NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys [2005-11-16 78976]
R3 sdbus;sdbus; C:\WINDOWS\system32\DRIVERS\sdbus.sys [2008-04-13 79232]
R3 smserial;smserial; C:\WINDOWS\system32\DRIVERS\smserial.sys [2006-08-06 980608]
R3 SynMini;USB2.0 1.3M WebCam; C:\WINDOWS\System32\Drivers\SynMini.sys [2006-08-08 1116544]
R3 SynScan;USB2.0 1.3M WebCam Still Image; C:\WINDOWS\System32\Drivers\SynScan.sys [2006-08-08 7808]
R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\system32\DRIVERS\SynTP.sys [2006-05-25 193088]
R3 usbehci;Pilote miniport de contrôleur d'hôte amélioré Microsoft USB 2.0; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;Pilote de concentrateur standard USB Microsoft; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Pilote miniport de contrôleur hôte universel USB Microsoft; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S1 kbdhid;Pilote HID de clavier; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-14 14720]
S1 Tosrfcom;Bluetooth RFCOMM from TOSHIBA; C:\WINDOWS\System32\Drivers\tosrfcom.sys [2005-08-01 64896]
S2 DgiVecp;Team MFP Comm Driver; C:\WINDOWS\System32\Drivers\DgiVecp.sys [2005-03-14 41984]
S3 aaudstum;aaudstum; \??\C:\DOCUME~1\Fabien\LOCALS~1\Temp\aaudstum.sys []
S3 CCDECODE;Décodeur sous-titre fermé; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-13 17024]
S3 GT680x;240TH Direct Webscan Gold Usb Scanner; C:\WINDOWS\System32\Drivers\Gt680x.sys [2003-02-18 17504]
S3 GT72NDISIPXP;GT 72 IP NDIS; C:\WINDOWS\system32\DRIVERS\Gt51Ip.sys [2007-07-09 95744]
S3 GT72UBUS;GT 72 U BUS; C:\WINDOWS\system32\DRIVERS\gt72ubus.sys [2007-06-26 51968]
S3 GTPTSER;GT PT SER; C:\WINDOWS\system32\DRIVERS\gtptser.sys [2007-03-30 8064]
S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2006-02-01 49664]
S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2006-02-01 16496]
S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2006-02-01 21568]
S3 ipswuio;ipswuio; C:\WINDOWS\System32\DRIVERS\ipswuio.sys [2006-01-24 34944]
S3 MHNDRV;Pilote MHN; C:\WINDOWS\system32\DRIVERS\mhndrv.sys [2004-08-10 11008]
S3 MSTEE;Convertisseur en T/site-à-site de répartition Microsoft; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-13 5504]
S3 NABTSFEC;Codec NABTS/FEC VBI; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-13 85248]
S3 NdisIP;Connection TV/vidéo Microsoft; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-13 10880]
S3 PCANDIS5;PCANDIS5 NDIS Protocol Driver; \??\C:\WINDOWS\system32\PCANDIS5.SYS []
S3 sffdisk;Pilote de classe de stockage SFF; C:\WINDOWS\system32\DRIVERS\sffdisk.sys [2008-04-13 11904]
S3 sffp_sd;Pilote de protocole de stockage SFF pour SDBus; C:\WINDOWS\system32\DRIVERS\sffp_sd.sys [2008-04-13 11008]
S3 SLIP;Détrameur décalage BDA; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-13 11136]
S3 SMCWGU(SMC);SMCWUSB-G 802.11g Wireless USB 2.0 Adapter(SMC); C:\WINDOWS\system32\DRIVERS\SMCWGU.sys [2005-12-16 408064]
S3 SONYPVU1;Pilote de filtrage Sony USB (SONYPVU1); C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS [2001-08-17 7552]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-13 15232]
S3 toshidpt;TOSHIBA Bluetooth HID port driver; C:\WINDOWS\system32\drivers\Toshidpt.sys [2005-07-11 3712]
S3 tosporte;Bluetooth Port Driver from Toshiba; C:\WINDOWS\system32\DRIVERS\tosporte.sys [2005-11-24 47104]
S3 Tosrfbd;Bluetooth RFBUS from TOSHIBA; C:\WINDOWS\System32\Drivers\tosrfbd.sys [2006-02-02 108928]
S3 Tosrfbnp;Bluetooth RFBNEP from TOSHIBA; C:\WINDOWS\System32\Drivers\tosrfbnp.sys [2005-12-14 37632]
S3 Tosrfhid;Bluetooth RFHID from TOSHIBA; C:\WINDOWS\system32\DRIVERS\Tosrfhid.sys [2006-02-08 62848]
S3 tosrfnds;Bluetooth Personal Area Network from TOSHIBA; C:\WINDOWS\system32\DRIVERS\tosrfnds.sys [2005-01-06 18612]
S3 TosRfSnd;Bluetooth Audio Device (WDM) from TOSHIBA; C:\WINDOWS\system32\drivers\TosRfSnd.sys [2005-11-11 52864]
S3 Tosrfusb;Bluetooth USB Controller; C:\WINDOWS\System32\Drivers\tosrfusb.sys [2006-01-31 39808]
S3 usbccgp;Pilote parent générique USB Microsoft; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbprint;Classe d'imprimantes USB Microsoft; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;Pilote de scanneur USB; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 USBSTOR;Pilote de stockage de masse USB; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 WSTCODEC;Codec Teletext standard; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-13 19200]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-12-13 611664]
R2 ASChannel;Canal de communication local; C:\WINDOWS\System32\svchost.exe [2008-04-14 14336]
R2 aswUpdSv;avast! iAVS4 Control Service; C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe [2008-11-26 18752]
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2006-08-02 401408]
R2 avast! Antivirus;avast! Antivirus; C:\Program Files\Alwil Software\Avast4\ashServ.exe [2008-11-26 155160]
R2 ehRecvr;Media Center Receiver Service; C:\WINDOWS\eHome\ehRecvr.exe [2006-06-29 237568]
R2 ehSched;Service de planification Media Center; C:\WINDOWS\eHome\ehSched.exe [2005-08-05 103424]
R2 EvtEng;Intel® PROSet/Wireless Event Log; C:\Program Files\Intel\Wireless\Bin\EvtEng.exe [2006-08-02 434176]
R2 McrdSvc;Media Center Extender Service; C:\WINDOWS\ehome\mcrdsvc.exe [2005-08-05 99328]
R2 MDM;Machine Debug Manager; C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2007-08-09 73728]
R2 RegSrvc;Intel® PROSet/Wireless Registry Service; C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe [2006-08-02 327680]
R2 S24EventMonitor;Intel® PROSet/Wireless Service; C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe [2006-08-02 937984]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 avast! Mail Scanner;avast! Mail Scanner; C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe [2008-11-26 254040]
S3 avast! Web Scanner;avast! Web Scanner; C:\Program Files\Alwil Software\Avast4\ashWebSv.exe [2008-11-26 352920]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe [2006-10-20 36864]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2006-10-30 741376]
S3 MHN;MHN; C:\WINDOWS\System32\svchost.exe [2008-04-14 14336]
S3 ose;Office Source Engine; C:\Program Files\Fichiers communs\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 WMPNetworkSvc;Service Partage réseau du Lecteur Windows Media; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-11-03 918016]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2006-10-30 122880]

-----------------EOF-----------------

Edited by flap, 15 December 2008 - 10:21 AM.


#2 flap

flap
  • Topic Starter

  • Members
  • 6 posts
  • Local time:08:54 PM

Posted 16 December 2008 - 05:59 AM

Hello,

As this infection looked like many others described here (vundo), I have applied Malwarebytes Anti-Malware. Do I need to clean further? (Aka ComboFix and other fun stuff?)

I managed to remove the nasty .dll I was suspecting. Here is the result of the last Malwarebytes search (seems clean):

"Malwarebytes' Anti-Malware 1.31
Version de la base de données: 1506
Windows 5.1.2600 Service Pack 3

16/12/2008 11:53:10
mbam-log-2008-12-16 (11-53-10).txt

Type de recherche: Examen rapide
Eléments examinés: 60411
Temps écoulé: 3 minute(s), 26 second(s)

Processus mémoire infecté(s): 0
Module(s) mémoire infecté(s): 0
Clé(s) du Registre infectée(s): 0
Valeur(s) du Registre infectée(s): 0
Elément(s) de données du Registre infecté(s): 0
Dossier(s) infecté(s): 0
Fichier(s) infecté(s): 0

Processus mémoire infecté(s):
(Aucun élément nuisible détecté)

Module(s) mémoire infecté(s):
(Aucun élément nuisible détecté)

Clé(s) du Registre infectée(s):
(Aucun élément nuisible détecté)

Valeur(s) du Registre infectée(s):
(Aucun élément nuisible détecté)

Elément(s) de données du Registre infecté(s):
(Aucun élément nuisible détecté)

Dossier(s) infecté(s):
(Aucun élément nuisible détecté)

Fichier(s) infecté(s):
(Aucun élément nuisible détecté)"


--------------------------------
And a new HijackThis log :

(Note on O20 - AppInit_DLLs: I have checked it in binary mode, it only holds 20 00 20 00 00. So it should be safe.)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:57:13, on 16/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
c:\Program Files\ASUS Security Center\ASUS Security Protect Manager\Bin\AsGHost.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\Program Files\ASUS\Splendid\ACMON.exe
C:\Program Files\ASUS\ATK Media\DMEDIA.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\WINDOWS\system32\ACEngSvr.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Wireless Console 2\wcourier.exe
C:\Program Files\Druide\Antidote\Gestionnaire Antidote.exe
C:\Program Files\Clipdiary\clipdiary.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Option\GlobeTrotter Connect\GlobeTrotter Connect.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fli.ie/webmail
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.asus.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://serveur/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = subcisa01:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: ASUS Security Protect Manager - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - c:\Program Files\ASUS Security Center\ASUS Security Protect Manager\Bin\ItIEAddIn.dll
O3 - Toolbar: Copernic Desktop Search - Home - {968631B6-4729-440D-9BF4-251F5593EC9A} - C:\Program Files\Copernic Desktop Search 2\DesktopSearchBand300000081.dll
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ACMON] C:\Program Files\ASUS\Splendid\ACMON.exe
O4 - HKLM\..\Run: [ATKMEDIA] C:\Program Files\ASUS\ATK Media\DMEDIA.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ABLKSR] C:\WINDOWS\ABLKSR\ABLKSR.exe
O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe c:\PROGRA~1\ASUSSE~1\ASUSSE~1\Bin\ASTSVCC.dll,RegisterModule
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Wireless Console 2] C:\Program Files\Wireless Console 2\wcourier.exe
O4 - HKLM\..\Run: [Install5G] E:\Install.exe plug_ethernet
O4 - HKCU\..\Run: [Gestionnaire Antidote.exe] C:\Program Files\Druide\Antidote\Gestionnaire Antidote.exe
O4 - HKCU\..\Run: [clipdiary] C:\Program Files\Clipdiary\clipdiary.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Copernic Desktop Search - Home] "C:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe" /tray
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files\Trend Micro\HijackThis\HijackThis.exe /startupscan
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-18 Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe (User 'Default user')
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: GlobeTrotter Connect.lnk = C:\Program Files\Option\GlobeTrotter Connect\GlobeTrotter Connect.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs:
O20 - Winlogon Notify: OneCard - c:\Program Files\ASUS Security Center\ASUS Security Protect Manager\Bin\ASWLNPkg.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

--
End of file - 8114 bytes

#3 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,994 posts
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:03:54 PM

Posted 23 December 2008 - 09:08 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below, a staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results, click no to the Optional_Scan
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#4 flap

flap
  • Topic Starter

  • Members
  • 6 posts
  • Local time:08:54 PM

Posted 24 December 2008 - 11:55 AM

Hello.

Thank you for your help!
OK, as stated in the previous post, I don't see any more problems. Which does not mean that I don't have any...

Here are the results of the scan (only the DDS.txt file):


DDS (Version 1.1.0) - FAT32x86
Run by Fabien at 17:50:31,42 on 24/12/2008
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_01
Microsoft Windows XP Professionnel 5.1.2600.3.1252.33.1036.18.2047.1369 [GMT 1:00]

AV: avast! antivirus 4.8.1296 [VPS 081224-0] *On-access scanning enabled* (Updated)
FW: ZoneAlarm Firewall *enabled*

============== Running Processes ===============

SVCHOST.EXE
SVCHOST.EXE
SVCHOST.EXE
SVCHOST.EXE
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\system32\HPZipm12.exe
SVCHOST.EXE
SVCHOST.EXE
c:\Program Files\ASUS Security Center\ASUS Security Protect Manager\Bin\AsGHost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ATK0100\HControl.exe
C:\Program Files\ASUS\Splendid\ACMON.exe
C:\Program Files\ASUS\ATK Media\DMEDIA.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe
C:\WINDOWS\system32\ACEngSvr.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Wireless Console 2\wcourier.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\Druide\Antidote\Gestionnaire Antidote.exe
C:\Program Files\Clipdiary\clipdiary.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe
C:\Program Files\Option\GlobeTrotter Connect\GlobeTrotter Connect.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
SVCHOST.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Fabien\Bureau\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.fli.ie/webmail
mDefault_Page_URL = hxxp://www.asus.com
uInternet Connection Wizard,ShellNext = hxxp://serveur/
uInternet Settings,ProxyServer = subcisa01:8080
uInternet Settings,ProxyOverride = <local>
BHO: SSVHelper Class: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
BHO: ASUS Security Protect Manager: {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - c:\program files\asus security center\asus security protect manager\bin\ItIEAddIn.dll
TB: Copernic Desktop Search - Home: {968631B6-4729-440D-9BF4-251F5593EC9A} - c:\program files\copernic desktop search 2\DesktopSearchBand300000081.dll
uRun: [Gestionnaire Antidote.exe] c:\program files\druide\antidote\Gestionnaire Antidote.exe
uRun: [clipdiary] c:\program files\clipdiary\clipdiary.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Copernic Desktop Search - Home] "c:\program files\copernic desktop search 2\DesktopSearchService.exe" /tray
mRun: [HControl] c:\windows\atk0100\HControl.exe
mRun: [Alcmtr] ALCMTR.EXE
mRun: [ACMON] c:\program files\asus\splendid\ACMON.exe
mRun: [ATKMEDIA] c:\program files\asus\atk media\DMEDIA.EXE
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ABLKSR] c:\windows\ablksr\ABLKSR.exe
mRun: [Power_Gear] c:\program files\asus\power4 gear\BatteryLife.exe 1
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [CognizanceTS] rundll32.exe c:\progra~1\asusse~1\asusse~1\bin\ASTSVCC.dll,RegisterModule
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [Wireless Console 2] c:\program files\wireless console 2\wcourier.exe
mRun: [Install5G] E:\Install.exe plug_ethernet
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\fabien\menudé~1\progra~1\démarr~1\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\menudé~1\progra~1\démarr~1\lancem~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\menudé~1\progra~1\démarr~1\globet~1.lnk - c:\program files\option\globetrotter connect\GlobeTrotter Connect.exe
IE: E&xporter vers Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\fichiers communs\microsoft shared\web folders\PKMCDO.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\fichie~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: OneCard - c:\program files\asus security center\asus security protect manager\bin\ASWLNPkg.dll
AppInit_DLLs:
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli ASWLNPkg

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\fabien\applic~1\mozilla\firefox\profiles\57jth45b.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.fr/
FF - plugin: c:\program files\mozilla firefox\plugins\npExentCtl.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-7-10 111184]
R1 ItSDisk;ItSDisk;c:\windows\system32\drivers\ItSDisk.sys [2006-5-16 17840]
R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2008-12-17 127768]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-12-17 394952]
R2 ASChannel;Canal de communication local;c:\windows\system32\svchost.exe -k Cognizance [2006-9-15 14336]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-7-10 20560]
R2 avast! Antivirus;avast! Antivirus;"c:\program files\alwil software\avast4\ashServ.exe" [2006-11-9 155160]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service []
R3 SynMini;USB2.0 1.3M WebCam;c:\windows\system32\drivers\SynMini.sys [2006-8-8 1116544]
R3 SynScan;USB2.0 1.3M WebCam Still Image;c:\windows\system32\drivers\SynScan.sys [2006-8-8 7808]
S3 aaudstum;aaudstum;\??\c:\docume~1\fabien\locals~1\temp\aaudstum.sys []
S3 avast! Mail Scanner;avast! Mail Scanner;"c:\program files\alwil software\avast4\ashMaiSv.exe" /service [2006-11-9 254040]
S3 avast! Web Scanner;avast! Web Scanner;"c:\program files\alwil software\avast4\ashWebSv.exe" /service [2006-11-9 352920]
S3 GT72NDISIPXP;GT 72 IP NDIS;c:\windows\system32\drivers\Gt51Ip.sys [2007-7-9 95744]
S3 GT72UBUS;GT 72 U BUS;c:\windows\system32\drivers\gt72ubus.sys [2007-6-26 51968]
S3 GTPTSER;GT PT SER;c:\windows\system32\drivers\gtptser.sys [2007-3-30 8064]
S3 ipswuio;ipswuio;c:\windows\system32\drivers\ipswuio.sys [2006-10-13 34944]
S3 SMCWGU(SMC);SMCWUSB-G 802.11g Wireless USB 2.0 Adapter(SMC);c:\windows\system32\drivers\SMCWGU.sys [2007-11-10 408064]

=============== Created Last 30 ================

2008-12-23 01:15 <DIR> --d----- c:\documents and settings\fabien\.hedgewars
2008-12-23 01:11 <DIR> --d----- c:\program files\Hedgewars
2008-12-17 12:09 3,839 a------- c:\windows\system32\drivers\GETPADD.sys
2008-12-17 11:38 32 a--sh--- c:\windows\system32\drivers\fidbox.idx
2008-12-17 11:38 32 a--sh--- c:\windows\system32\drivers\fidbox.dat
2008-12-17 11:25 4,212 ----h--- c:\windows\system32\zllictbl.dat
2008-12-17 11:25 54,672 a------- c:\windows\system32\vsutil_loc040c.dll
2008-12-17 11:25 42,384 a------- c:\windows\zllsputility_loc040c.dll
2008-12-17 11:25 21,904 a------- c:\windows\system32\imsinstall_loc040c.dll
2008-12-17 11:25 17,808 a------- c:\windows\system32\imslsp_install_loc040c.dll
2008-12-17 11:25 75,248 a------- c:\windows\zllsputility.exe
2008-12-17 11:25 11,264 a------- c:\windows\system32\SpOrder.dll
2008-12-17 11:24 1,086,952 a------- c:\windows\system32\zpeng24.dll
2008-12-17 11:24 <DIR> --d----- c:\windows\system32\ZoneLabs
2008-12-17 11:24 <DIR> --d----- c:\program files\Zone Labs
2008-12-17 11:24 358,382 a------- c:\windows\system32\vsconfig.xml
2008-12-17 11:16 <DIR> --d----- c:\windows\Internet Logs
2008-12-16 16:41 0 a------- c:\windows\consult.INI
2008-12-16 16:41 74 a------- c:\windows\html.INI
2008-12-16 16:38 11 a------- c:\windows\system32\jdc32_mm.vcd
2008-12-16 16:38 <DIR> --d----- C:\dvdkpfr
2008-12-16 16:06 <DIR> --d----- c:\program files\Securite
2008-12-16 11:05 <DIR> --d----- c:\docume~1\fabien\applic~1\Malwarebytes
2008-12-16 11:05 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-16 11:05 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-16 11:05 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-16 11:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-12-16 10:55 401,408 a------- c:\windows\system32\cmd.execf
2008-12-16 10:51 401,408 a------- c:\windows\system32\CF3843.exe
2008-12-16 06:32 2,157 ---sh--- c:\windows\system32\zefukava.exe
2008-12-15 09:15 <DIR> --d----- c:\program files\Trend Micro
2008-12-14 20:07 1,591,818 ---sh--- c:\windows\system32\emitusiv.ini
2008-12-13 14:08 <DIR> --d----- c:\program files\Lavasoft
2008-12-10 23:46 <DIR> --d----- c:\docume~1\fabien\applic~1\OpenOffice.org
2008-12-10 23:36 <DIR> --d----- c:\program files\JRE
2008-12-10 23:36 <DIR> --d----- c:\program files\OpenOffice.org 3
2008-12-10 09:41 670,208 a------- c:\windows\system32\SET28.tmp
2008-12-10 09:41 1,499,648 a------- c:\windows\system32\SET2A.tmp
2008-12-10 09:41 620,544 a------- c:\windows\system32\SET29.tmp
2008-12-10 09:41 3,088,896 a------- c:\windows\system32\SET2B.tmp
2008-11-29 12:10 <DIR> --d----- c:\windows\system32\fr
2008-11-29 12:10 <DIR> --d----- c:\windows\system32\bits
2008-11-29 12:10 <DIR> --d----- c:\windows\l2schemas
2008-11-29 11:51 <DIR> --d----- c:\windows\ServicePackFiles
2008-11-29 11:49 <DIR> --d----- c:\windows\network diagnostic
2008-11-24 20:16 0 a------- c:\windows\PROTOCOL.INI
2008-11-24 20:16 25 a------- c:\windows\RCCONFIG.INI
2008-11-24 20:15 299,520 a------- c:\windows\uninst.exe

==================== Find3M ====================

2008-12-12 18:02 3,088,896 -------- c:\windows\system32\dllcache\mshtml.dll
2008-11-30 01:58 514,296 a------- c:\windows\system32\perfh00C.dat
2008-11-30 01:58 438,940 a------- c:\windows\system32\perfh040.dat
2008-11-30 01:58 86,100 a------- c:\windows\system32\perfc00C.dat
2008-11-30 01:58 61,060 a------- c:\windows\system32\perfc040.dat
2008-11-29 12:13 86,815 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-11-21 20:17 286,720 -------- c:\windows\Setup1.exe
2008-11-09 21:59 107,888 a------- c:\windows\system32\CmdLineExt.dll
2008-10-27 10:04 514,384 a------- c:\windows\system32\XAudio2_3.dll
2008-10-27 10:04 235,856 a------- c:\windows\system32\xactengine3_3.dll
2008-10-27 10:04 23,376 a------- c:\windows\system32\X3DAudio1_5.dll
2008-10-27 10:04 70,992 a------- c:\windows\system32\XAPOFX1_2.dll
2008-10-24 12:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 13:36 286,720 a------- c:\windows\system32\SET19.tmp
2008-10-23 13:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-23 13:36 286,720 -------- c:\windows\system32\dllcache\gdi32.dll
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-16 02:01 670,208 a------- c:\windows\system32\wininet.dll
2008-10-16 02:01 1,499,648 -------- c:\windows\system32\dllcache\shdocvw.dll
2008-10-16 02:01 670,208 -------- c:\windows\system32\dllcache\wininet.dll
2008-10-16 02:01 620,544 -------- c:\windows\system32\dllcache\urlmon.dll
2008-10-15 17:35 337,408 -------- c:\windows\system32\dllcache\netapi32.dll
2008-10-10 04:52 4,379,984 a------- c:\windows\system32\D3DX9_40.dll
2008-10-10 04:52 2,036,576 a------- c:\windows\system32\D3DCompiler_40.dll
2008-10-10 04:52 452,440 a------- c:\windows\system32\d3dx10_40.dll
2008-10-03 11:03 247,326 a------- c:\windows\system32\strmdll.dll
2008-10-03 11:03 247,326 -------- c:\windows\system32\dllcache\strmdll.dll
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-09-08 17:16 104,152 a------- c:\docume~1\fabien\applic~1\GDIPFONTCACHEV1.DAT
2008-06-13 09:14 278,528 a------- c:\program files\fichiers communs\FDEUnInstaller.exe

============= FINISH: 17:51:01,62 ===============

#5 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:03:54 PM

Posted 24 December 2008 - 10:50 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page if you are unsure how.

Disable Avast!'s realtime protection by right clicking on the tray icon beside your clock and selecting Stop On-Access Protection.

In the settings:
[screenshot]
Download and Run ComboFix
If you have already run ComboFix, delete your copy and download a new one. If the computer in question is unable to download ComboFix, transfer it using removable media (CD, flash drive).

Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.
    [screenshots]

  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
    [screenshot]
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

In your next reply include:
-the ComboFix log
-a new HijackThis or DDS log

Please also tell me of any changes you have made to your computer since you started your topic.

With Regards,
The Panda
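
Since the helper's next step is to read the posted ComboFix and DDS logs, here is a small triage script for the two log layouts that appear in this thread (the "Created Last 30" file listing and the "SERVICES / DRIVERS" listing). It is an added example, not part of the original thread and not code from DDS or ComboFix. The sample lines are constructed from entries in the logs posted in this topic, and the heuristics (hidden+system attributes on an executable, eight-letter consonant/vowel file names of the shape seen in the topic title, a driver registered from a Temp folder with no file date/size recorded) are my own assumptions about what to look at first, not verdicts about any file.

```python
"""Triage helper for DDS / ComboFix style log listings.

Added example: parses "Created Last 30" and "SERVICES / DRIVERS" lines in the
layout shown in the posted logs and flags entries worth a closer look.
Sample lines and heuristics are assumptions modelled on this thread's logs.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the DDS "Created Last 30" layout:
# <date time> <size or <DIR>> <8-char attribute string> <path>
SAMPLE_CREATED = r"""
2008-12-25 15:56 3,839 a------- c:\windows\system32\drivers\GETPADD.sys
2008-12-17 11:24 1,086,952 a------- c:\windows\system32\zpeng24.dll
2008-12-16 06:32 2,157 ---sh--- c:\windows\system32\zefukava.exe
2008-12-16 16:38 11 a------- c:\windows\system32\jdc32_mm.vcd
2008-12-16 11:05 15,504 a------- c:\windows\system32\drivers\mbam.sys
"""

# Constructed sample in the DDS "SERVICES / DRIVERS" layout:
# <start type> <name>;<display name>;<image path> [<file date size>]
SAMPLE_SERVICES = r"""
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-7-10 111184]
S3 aaudstum;aaudstum;\??\c:\docume~1\fabien\locals~1\temp\aaudstum.sys []
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service []
"""

CREATED_RE = re.compile(
    r"^(?P<when>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size><DIR>|\d[\d,]*)\s+"
    r"(?P<attrs>[a-z-]{8})\s+"
    r"(?P<path>.+?)\s*$"
)
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>.+?)\s+\[(?P<stamp>[^\]]*)\]\s*$"
)
EXEC_EXT = {".exe", ".dll", ".sys", ".com", ".scr"}
# Eight letters of strictly alternating consonant/vowel: the shape of the names
# in this topic's title (dehafunu, zebelivu, nimuhoke) and of zefukava.exe.
CV_NAME = re.compile(r"(?:[bcdfghjklmnpqrstvwxyz][aeiou]){4}")


def split_name(path: str) -> Tuple[str, str]:
    """Return (stem, extension) of the last path component, lower-cased."""
    base = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    stem, dot, ext = base.rpartition(".")
    return (stem, "." + ext) if dot else (base, "")


def looks_random_name(filename: str) -> bool:
    stem, _ = split_name(filename)
    return CV_NAME.fullmatch(stem) is not None


def parse_created(text: str) -> List[Dict]:
    entries = []
    for line in text.splitlines():
        m = CREATED_RE.match(line.strip())
        if not m:
            continue  # headers, blank lines, other sections
        size: Optional[int] = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        entries.append({"when": m["when"], "size": size, "attrs": m["attrs"], "path": m["path"]})
    return entries


def parse_services(text: str) -> List[Dict]:
    entries = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def triage_created(entries: List[Dict]) -> List[Tuple[str, List[str]]]:
    """Flag executables with hidden+system attributes or a random-looking name."""
    hits = []
    for e in entries:
        stem, ext = split_name(e["path"])
        if ext not in EXEC_EXT:
            continue
        reasons = []
        if "s" in e["attrs"] and "h" in e["attrs"]:
            reasons.append("hidden+system attributes on an executable")
        if CV_NAME.fullmatch(stem):
            reasons.append("eight-letter consonant/vowel name")
        if reasons:
            hits.append((e["path"], reasons))
    return hits


def triage_services(entries: List[Dict]) -> List[Tuple[str, str, List[str]]]:
    """Flag services/drivers loaded from Temp or whose driver file was not found."""
    hits = []
    for e in entries:
        image = e["image"].lower()
        reasons = []
        if re.search(r"\\temp\\", image):
            reasons.append("image lives in a Temp directory")
        # Assumption: for a .sys image an empty [] means DDS found no file to stat.
        if image.endswith(".sys") and not e["stamp"]:
            reasons.append("no file date/size recorded for the driver")
        if reasons:
            hits.append((e["name"], e["image"], reasons))
    return hits


if __name__ == "__main__":
    for path, why in triage_created(parse_created(SAMPLE_CREATED)):
        print(path, "->", "; ".join(why))
    for name, image, why in triage_services(parse_services(SAMPLE_SERVICES)):
        print(name, image, "->", "; ".join(why))
```

Run it as a script to print the flagged entries, or paste a whole log into the two sample strings to triage the real thing; the parsers skip any line that does not match the two layouts. A hit is a reason to look closer (submit the file to a scanner, wait for the helper's instructions), not a statement that the file is malicious.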

#6 flap

  • Topic Starter
  • Members
  • 6 posts
  • Local time:08:54 PM

Posted 25 December 2008 - 10:01 AM

ComboFix 08-12-24.01 - Admin 2008-12-25 15:46:33.1 - FAT32x86
Microsoft Windows XP Professionnel 5.1.2600.3.1252.1.1036.18.2047.1514 [GMT 1:00]
Launched from: c:\documents and settings\Fabien\Bureau\ComboFix.exe
* A new restore point was created
.

(((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents
c:\windows\system32\acovcnt.exe
c:\windows\system32\emitusiv.ini
D:\Autorun.inf

.
((((((((((((((((((((((((((((( Files Created from 2008-11-25 to 2008-12-25 ))))))))))))))))))))))))))))))))))))
.

2008-12-23 01:15 . 2008-12-23 01:15 <REP> d-------- c:\documents and settings\Fabien\.hedgewars
2008-12-23 01:11 . 2008-12-23 01:11 <REP> d-------- c:\program files\Hedgewars
2008-12-17 11:38 . 2008-12-25 15:49 32 --ahs---- c:\windows\system32\drivers\fidbox.idx
2008-12-17 11:38 . 2008-12-25 15:49 32 --ahs---- c:\windows\system32\drivers\fidbox.dat
2008-12-17 11:25 . 2008-12-17 11:25 <REP> d-------- c:\documents and settings\All Users\Application Data\MailFrontier
2008-12-17 11:25 . 2008-07-09 09:05 75,248 --a------ c:\windows\zllsputility.exe
2008-12-17 11:25 . 2008-07-09 09:05 54,672 --a------ c:\windows\system32\vsutil_loc040c.dll
2008-12-17 11:25 . 2008-07-09 09:05 42,384 --a------ c:\windows\zllsputility_loc040c.dll
2008-12-17 11:25 . 2008-07-09 09:05 21,904 --a------ c:\windows\system32\imsinstall_loc040c.dll
2008-12-17 11:25 . 2008-07-09 09:05 17,808 --a------ c:\windows\system32\imslsp_install_loc040c.dll
2008-12-17 11:25 . 2004-04-27 04:40 11,264 --a------ c:\windows\system32\SpOrder.dll
2008-12-17 11:25 . 2008-12-17 11:27 4,212 ---h----- c:\windows\system32\zllictbl.dat
2008-12-17 11:24 . 2008-12-17 11:24 <REP> d-------- c:\windows\system32\ZoneLabs
2008-12-17 11:24 . 2008-12-17 11:24 <REP> d-------- c:\program files\Zone Labs
2008-12-17 11:24 . 2008-07-09 09:05 1,086,952 --a------ c:\windows\system32\zpeng24.dll
2008-12-17 11:24 . 2008-12-25 15:50 358,382 --a------ c:\windows\system32\vsconfig.xml
2008-12-17 11:16 . 2008-12-17 11:16 <REP> d-------- c:\windows\Internet Logs
2008-12-16 16:41 . 2008-12-16 16:41 74 --a------ c:\windows\html.INI
2008-12-16 16:41 . 2008-12-16 16:41 0 --a------ c:\windows\consult.INI
2008-12-16 16:38 . 2008-12-16 16:38 <REP> d-------- C:\dvdkpfr
2008-12-16 16:38 . 2008-12-16 16:38 11 --a------ c:\windows\system32\jdc32_mm.vcd
2008-12-16 16:17 . 2006-10-13 13:08 <REP> d--h----- c:\documents and settings\Admin\Voisinage réseau
2008-12-16 16:17 . 2006-10-13 13:08 <REP> d--h----- c:\documents and settings\Admin\Voisinage d'impression
2008-12-16 16:17 . 2006-10-13 13:08 <REP> d--h----- c:\documents and settings\Admin\Modèles
2008-12-16 16:17 . 2008-12-16 16:17 <REP> dr------- c:\documents and settings\Admin\Mes documents
2008-12-16 16:17 . 2006-10-13 13:08 <REP> dr------- c:\documents and settings\Admin\Menu Démarrer
2008-12-16 16:17 . 2008-12-16 16:17 <REP> dr------- c:\documents and settings\Admin\Favoris
2008-12-16 16:17 . 2006-10-13 13:08 <REP> d-------- c:\documents and settings\Admin\Bureau
2008-12-16 16:17 . 2006-10-13 14:03 <REP> d-------- c:\documents and settings\Admin\Application Data\Symantec
2008-12-16 16:17 . 2006-10-13 13:57 <REP> d-------- c:\documents and settings\Admin\Application Data\Skype
2008-12-16 16:17 . 2006-10-13 14:15 <REP> d-------- c:\documents and settings\Admin\Application Data\Intel
2008-12-16 16:17 . 2008-12-16 16:17 <REP> d-------- c:\documents and settings\Admin\Application Data\ATI
2008-12-16 16:17 . 2008-12-16 16:17 <REP> d-------- c:\documents and settings\Admin
2008-12-16 16:08 . 2008-12-16 16:08 <REP> d-------- C:\rsit
2008-12-16 16:06 . 2008-12-16 16:06 <REP> d-------- c:\program files\Securite
2008-12-16 11:05 . 2008-12-16 11:05 <REP> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-16 11:05 . 2008-12-16 11:05 <REP> d-------- c:\documents and settings\Fabien\Application Data\Malwarebytes
2008-12-16 11:05 . 2008-12-16 11:05 <REP> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-16 11:05 . 2008-12-03 19:54 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-16 11:05 . 2008-12-03 19:54 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-16 06:32 . 2008-12-16 06:32 2,157 ---hs---- c:\windows\system32\zefukava.exe
2008-12-15 09:15 . 2008-12-15 09:16 <REP> d-------- c:\program files\Trend Micro
2008-12-13 14:08 . 2008-12-13 14:08 <REP> d-------- c:\program files\Lavasoft
2008-12-13 14:08 . 2008-12-13 14:08 <REP> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-10 23:46 . 2008-12-10 23:46 <REP> d-------- c:\documents and settings\Fabien\Application Data\OpenOffice.org
2008-12-10 23:36 . 2008-12-10 23:36 <REP> d-------- c:\program files\OpenOffice.org 3
2008-12-10 23:36 . 2008-12-10 23:36 <REP> d-------- c:\program files\JRE
2008-12-10 09:41 . 2008-10-16 02:01 3,088,896 --a------ c:\windows\system32\SET2B.tmp
2008-12-10 09:41 . 2008-10-16 02:01 1,499,648 --a------ c:\windows\system32\SET2A.tmp
2008-12-10 09:41 . 2008-10-16 02:01 670,208 --a------ c:\windows\system32\SET28.tmp
2008-12-10 09:41 . 2008-10-16 02:01 620,544 --a------ c:\windows\system32\SET29.tmp
2008-11-29 12:10 . 2008-11-29 12:10 <REP> d-------- c:\windows\system32\fr
2008-11-29 12:10 . 2008-11-29 12:10 <REP> d-------- c:\windows\system32\bits
2008-11-29 12:10 . 2008-11-29 12:10 <REP> d-------- c:\windows\l2schemas
2008-11-29 11:51 . 2008-11-29 11:51 <REP> d-------- c:\windows\ServicePackFiles

.
(((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-12 17:02 3,088,896 ------w c:\windows\system32\dllcache\mshtml.dll
2008-11-21 19:17 286,720 ------w c:\windows\Setup1.exe
2008-11-15 10:50 --------- d-----w c:\program files\The Ur-Quan Masters
2008-11-15 10:50 --------- d-----w c:\documents and settings\Fabien\Application Data\uqm
2008-11-13 10:48 --------- d-----w c:\windows\system32\config\systemprofile\Application Data\ATI
2008-11-09 20:59 107,888 ----a-w c:\windows\system32\CmdLineExt.dll
2008-11-09 20:56 --------- d-----w c:\program files\Telltale Games
2008-11-09 10:12 --------- d-----w c:\program files\UnRealWorld
2008-10-27 09:04 70,992 ----a-w c:\windows\system32\XAPOFX1_2.dll
2008-10-27 09:04 514,384 ----a-w c:\windows\system32\XAudio2_3.dll
2008-10-27 09:04 235,856 ----a-w c:\windows\system32\xactengine3_3.dll
2008-10-27 09:04 23,376 ----a-w c:\windows\system32\X3DAudio1_5.dll
2008-10-24 11:21 455,296 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\SET19.tmp
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 12:36 286,720 ------w c:\windows\system32\dllcache\gdi32.dll
2008-10-16 13:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 13:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 13:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 13:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 13:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 13:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 13:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 13:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 13:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 13:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 13:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 13:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 13:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 13:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 13:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 01:01 670,208 ----a-w c:\windows\system32\wininet.dll
2008-10-16 01:01 670,208 ------w c:\windows\system32\dllcache\wininet.dll
2008-10-16 01:01 620,544 ------w c:\windows\system32\dllcache\urlmon.dll
2008-10-16 01:01 1,499,648 ------w c:\windows\system32\dllcache\shdocvw.dll
2008-10-15 16:35 337,408 ------w c:\windows\system32\dllcache\netapi32.dll
2008-10-10 03:52 452,440 ----a-w c:\windows\system32\d3dx10_40.dll
2008-10-10 03:52 4,379,984 ----a-w c:\windows\system32\D3DX9_40.dll
2008-10-10 03:52 2,036,576 ----a-w c:\windows\system32\D3DCompiler_40.dll
2008-10-03 10:03 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-10-03 10:03 247,326 ------w c:\windows\system32\dllcache\strmdll.dll
2008-09-30 15:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-08 16:16 104,152 ----a-w c:\documents and settings\Fabien\Application Data\GDIPFONTCACHEV1.DAT
2008-06-13 08:14 278,528 ----a-w c:\program files\Fichiers communs\FDEUnInstaller.exe
.

((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate default entries are not listed
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Secure Disks]
@="{666C7836-A9B6-4AB4-94ED-DC238C81E925}"
[HKEY_CLASSES_ROOT\CLSID\{666C7836-A9B6-4AB4-94ED-DC238C81E925}]
2006-04-02 17:08 381952 -ra------ c:\program files\ASUS Security Center\ASUS Security Protect Manager\Bin\SFSShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-08-11 21741864]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HControl"="c:\windows\ATK0100\HControl.exe" [2006-04-17 110592]
"ACMON"="c:\program files\ASUS\Splendid\ACMON.exe" [2006-05-30 811008]
"ATKMEDIA"="c:\program files\ASUS\ATK Media\DMEDIA.EXE" [2006-06-08 53248]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-05-25 786521]
"ABLKSR"="c:\windows\ABLKSR\ABLKSR.exe" [2006-01-02 61440]
"Power_Gear"="c:\program files\ASUS\Power4 Gear\BatteryLife.exe" [2006-03-14 90112]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"CognizanceTS"="c:\progra~1\ASUSSE~1\ASUSSE~1\Bin\ASTSVCC.dll" [2003-12-22 17920]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-02 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-02 696320]
"Wireless Console 2"="c:\program files\Wireless Console 2\wcourier.exe" [2005-10-17 987136]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Fabien\Menu Démarrer\Programmes\Démarrage\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-09-12 384000]

c:\documents and settings\All Users\Menu D‚marrer\Programmes\D‚marrage\
Lancement rapide d'Adobe Reader.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
GlobeTrotter Connect.lnk - c:\program files\Option\GlobeTrotter Connect\GlobeTrotter Connect.exe [2007-08-21 774144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
2006-05-02 22:23 40448 c:\program files\ASUS Security Center\ASUS Security Protect Manager\Bin\ASWLNPkg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.X264"= x264vfw.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli ASWLNPkg

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^Lancement rapide d'Adobe Reader.lnk]
path=c:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\Lancement rapide d'Adobe Reader.lnk
backup=c:\windows\pss\Lancement rapide d'Adobe Reader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^MultiFrame.lnk]
path=c:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\MultiFrame.lnk
backup=c:\windows\pss\MultiFrame.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Fabien^Menu Démarrer^Programmes^Démarrage^OpenOffice.org 2.0.lnk]
path=c:\documents and settings\Fabien\Menu Démarrer\Programmes\Démarrage\OpenOffice.org 2.0.lnk
backup=c:\windows\pss\OpenOffice.org 2.0.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASUS Live Update]
--a------ 2006-02-21 15:20 180224 c:\program files\Asus\ASUS Live Update\ALU.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
--a------ 2006-05-10 11:12 90112 c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-08-05 13:34 64512 c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gestio~1.exe]
--a------ 2008-06-03 21:13 536576 c:\program files\Druide\Antidote\GESTIO~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-14 04:34 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerForPhone]
--a------ 2006-06-29 14:40 774144 c:\program files\Asus\PowerForPhone\PowerForPhone.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-12-11 10:56 286720 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2004-11-02 20:24 32768 c:\program files\ASUSTeK\ASUSDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2008-08-11 17:46 21741864 c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
--a------ 2006-08-06 22:11 573440 c:\program files\Motorola\SMSERIAL\sm56hlpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-03-14 03:43 83608 c:\program files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 16:45 313472 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2006-07-21 01:56 16261632 c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
--a------ 2006-05-16 03:04 2879488 c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LeechFTP\\Leechftp.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\System32\\ftp.exe"=
"c:\\Program Files\\Pax Galaxia\\PaxGal.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"59000:TCP"= 59000:TCP:vnc
"5900:TCP"= 5900:TCP:vnc

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-07-10 111184]
R1 ItSDisk;ItSDisk;c:\windows\system32\Drivers\ItSDisk.sys [2006-05-16 17840]
R2 ASChannel;Canal de communication local;c:\windows\System32\svchost.exe -k Cognizance [2006-09-15 14336]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-07-10 20560]
R3 SynMini;USB2.0 1.3M WebCam;c:\windows\system32\Drivers\SynMini.sys [2006-08-08 1116544]
R3 SynScan;USB2.0 1.3M WebCam Still Image;c:\windows\system32\Drivers\SynScan.sys [2006-08-08 7808]
S3 aaudstum;aaudstum;\??\c:\docume~1\Fabien\LOCALS~1\Temp\aaudstum.sys []
S3 GT72NDISIPXP;GT 72 IP NDIS;c:\windows\system32\DRIVERS\Gt51Ip.sys [2007-07-09 95744]
S3 GT72UBUS;GT 72 U BUS;c:\windows\system32\DRIVERS\gt72ubus.sys [2007-06-26 51968]
S3 GTPTSER;GT PT SER;c:\windows\system32\DRIVERS\gtptser.sys [2007-03-30 8064]
S3 ipswuio;ipswuio;c:\windows\system32\DRIVERS\ipswuio.sys [2006-10-13 34944]
S3 SMCWGU(SMC);SMCWUSB-G 802.11g Wireless USB 2.0 Adapter(SMC);c:\windows\system32\DRIVERS\SMCWGU.sys [2007-11-10 408064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance REG_MULTI_SZ ASChannel
.
Contents of the 'Scheduled Tasks' folder

2008-10-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Install5G - E:\Install.exe
Notify-WgaLogon - (no file)
MSConfigStartUp-HP Software Update - c:\program files\HP\HP Software Update\HPWuSchd2.exe
MSConfigStartUp-OpenOffice Password Recovery - c:\program files\Intelore\OpenOffice Password Recovery\OpenOfficePasswordRecovery.exe
MSConfigStartUp-Samsung Common SM - c:\windows\Samsung\ComSMMgr\ssmmgr.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.asus.com
FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\stdoubt8.default\
FF - plugin: c:\program files\Mozilla Firefox\plugins\npExentCtl.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-25 15:50:39
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(944)
c:\windows\system32\Ati2evxx.dll
c:\program files\ASUS Security Center\ASUS Security Protect Manager\Bin\ASWLNPkg.dll
c:\program files\ASUS Security Center\ASUS Security Protect Manager\Bin\AsChnl.dll
c:\program files\ASUS Security Center\ASUS Security Protect Manager\Bin\ItMsg.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\ATI2EVXX.EXE
c:\program files\INTEL\WIRELESS\BIN\EVTENG.EXE
c:\windows\SYSTEM32\ATI2EVXX.EXE
c:\windows\SYSTEM32\DLLHOST.EXE
c:\program files\INTEL\WIRELESS\BIN\S24EVMON.EXE
c:\windows\SYSTEM32\ZONELABS\VSMON.EXE
c:\program files\ALWIL SOFTWARE\AVAST4\ASWUPDSV.EXE
c:\program files\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
c:\windows\EHOME\EHRECVR.EXE
c:\windows\EHOME\EHSCHED.EXE
c:\program files\FICHIERS COMMUNS\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
c:\windows\SYSTEM32\HPZIPM12.EXE
c:\program files\INTEL\WIRELESS\BIN\REGSRVC.EXE
c:\windows\EHOME\MCRDSVC.EXE
c:\windows\SYSTEM32\SCARDSVR.EXE
c:\program files\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
c:\program files\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
c:\windows\SYSTEM32\DLLHOST.EXE
c:\program files\ASUS SECURITY CENTER\ASUS SECURITY PROTECT MANAGER\BIN\ASGHOST.EXE
c:\windows\system32\ACEngSvr.exe
c:\windows\ATK0100\ATKOSD.exe
.
**************************************************************************
.
Completion time: 2008-12-25 15:53:38 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-25 14:53:34

Pre-Run: 29,073,735,680 bytes free
Post-Run: 29,790,470,144 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-FRA.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

310 --- E O F --- 2008-12-19 14:10:32

----


DDS (Version 1.1.0) - FAT32x86
Run by Fabien at 16:00:35,78 on 25/12/2008
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_01
Microsoft Windows XP Professionnel 5.1.2600.3.1252.33.1036.18.2047.1387 [GMT 1:00]

AV: avast! antivirus 4.8.1296 [VPS 081224-0] *On-access scanning enabled* (Updated)
FW: ZoneAlarm Firewall *enabled*

============== Running Processes ===============

SVCHOST.EXE
SVCHOST.EXE
SVCHOST.EXE
SVCHOST.EXE
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\system32\HPZipm12.exe
SVCHOST.EXE
SVCHOST.EXE
c:\Program Files\ASUS Security Center\ASUS Security Protect Manager\Bin\AsGHost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ATK0100\HControl.exe
C:\Program Files\ASUS\Splendid\ACMON.exe
C:\Program Files\ASUS\ATK Media\DMEDIA.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Wireless Console 2\wcourier.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Druide\Antidote\Gestionnaire Antidote.exe
C:\Program Files\Clipdiary\clipdiary.exe
C:\WINDOWS\system32\ACEngSvr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Fabien\Bureau\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.fli.ie/webmail
uInternet Connection Wizard,ShellNext = hxxp://serveur/
uInternet Settings,ProxyServer = subcisa01:8080
uInternet Settings,ProxyOverride = <local>
BHO: SSVHelper Class: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
BHO: ASUS Security Protect Manager: {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - c:\program files\asus security center\asus security protect manager\bin\ItIEAddIn.dll
TB: Copernic Desktop Search - Home: {968631B6-4729-440D-9BF4-251F5593EC9A} - c:\program files\copernic desktop search 2\DesktopSearchBand300000081.dll
uRun: [Gestionnaire Antidote.exe] c:\program files\druide\antidote\Gestionnaire Antidote.exe
uRun: [clipdiary] c:\program files\clipdiary\clipdiary.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Copernic Desktop Search - Home] "c:\program files\copernic desktop search 2\DesktopSearchService.exe" /tray
mRun: [HControl] c:\windows\atk0100\HControl.exe
mRun: [ACMON] c:\program files\asus\splendid\ACMON.exe
mRun: [ATKMEDIA] c:\program files\asus\atk media\DMEDIA.EXE
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ABLKSR] c:\windows\ablksr\ABLKSR.exe
mRun: [Power_Gear] c:\program files\asus\power4 gear\BatteryLife.exe 1
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [CognizanceTS] rundll32.exe c:\progra~1\asusse~1\asusse~1\bin\ASTSVCC.dll,RegisterModule
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [Wireless Console 2] c:\program files\wireless console 2\wcourier.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\fabien\menudé~1\progra~1\démarr~1\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\menudé~1\progra~1\démarr~1\lancem~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\menudé~1\progra~1\démarr~1\globet~1.lnk - c:\program files\option\globetrotter connect\GlobeTrotter Connect.exe
IE: E&xporter vers Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\fichiers communs\microsoft shared\web folders\PKMCDO.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\fichie~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: OneCard - c:\program files\asus security center\asus security protect manager\bin\ASWLNPkg.dll
AppInit_DLLs:
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli ASWLNPkg

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\fabien\applic~1\mozilla\firefox\profiles\57jth45b.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.fr/
FF - plugin: c:\program files\mozilla firefox\plugins\npExentCtl.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-7-10 111184]
R1 ItSDisk;ItSDisk;c:\windows\system32\drivers\ItSDisk.sys [2006-5-16 17840]
R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2008-12-17 127768]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-12-17 394952]
R2 ASChannel;Canal de communication local;c:\windows\system32\svchost.exe -k Cognizance [2006-9-15 14336]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-7-10 20560]
R2 avast! Antivirus;avast! Antivirus;"c:\program files\alwil software\avast4\ashServ.exe" [2006-11-9 155160]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service []
R3 avast! Mail Scanner;avast! Mail Scanner;"c:\program files\alwil software\avast4\ashMaiSv.exe" /service [2006-11-9 254040]
R3 avast! Web Scanner;avast! Web Scanner;"c:\program files\alwil software\avast4\ashWebSv.exe" /service [2006-11-9 352920]
R3 SynMini;USB2.0 1.3M WebCam;c:\windows\system32\drivers\SynMini.sys [2006-8-8 1116544]
R3 SynScan;USB2.0 1.3M WebCam Still Image;c:\windows\system32\drivers\SynScan.sys [2006-8-8 7808]
S3 aaudstum;aaudstum;\??\c:\docume~1\fabien\locals~1\temp\aaudstum.sys []
S3 GT72NDISIPXP;GT 72 IP NDIS;c:\windows\system32\drivers\Gt51Ip.sys [2007-7-9 95744]
S3 GT72UBUS;GT 72 U BUS;c:\windows\system32\drivers\gt72ubus.sys [2007-6-26 51968]
S3 GTPTSER;GT PT SER;c:\windows\system32\drivers\gtptser.sys [2007-3-30 8064]
S3 ipswuio;ipswuio;c:\windows\system32\drivers\ipswuio.sys [2006-10-13 34944]
S3 SMCWGU(SMC);SMCWUSB-G 802.11g Wireless USB 2.0 Adapter(SMC);c:\windows\system32\drivers\SMCWGU.sys [2007-11-10 408064]

=============== Created Last 30 ================

2008-12-25 15:56 3,839 a------- c:\windows\system32\drivers\GETPADD.sys
2008-12-25 15:44 <DIR> a-dshr-- C:\cmdcons
2008-12-25 15:40 161,792 a------- c:\windows\SWREG.exe
2008-12-25 15:40 98,816 a------- c:\windows\sed.exe
2008-12-23 01:15 <DIR> --d----- c:\documents and settings\fabien\.hedgewars
2008-12-23 01:11 <DIR> --d----- c:\program files\Hedgewars
2008-12-17 11:38 32 a--sh--- c:\windows\system32\drivers\fidbox.idx
2008-12-17 11:38 32 a--sh--- c:\windows\system32\drivers\fidbox.dat
2008-12-17 11:25 4,212 ----h--- c:\windows\system32\zllictbl.dat
2008-12-17 11:25 54,672 a------- c:\windows\system32\vsutil_loc040c.dll
2008-12-17 11:25 42,384 a------- c:\windows\zllsputility_loc040c.dll
2008-12-17 11:25 21,904 a------- c:\windows\system32\imsinstall_loc040c.dll
2008-12-17 11:25 17,808 a------- c:\windows\system32\imslsp_install_loc040c.dll
2008-12-17 11:25 75,248 a------- c:\windows\zllsputility.exe
2008-12-17 11:25 11,264 a------- c:\windows\system32\SpOrder.dll
2008-12-17 11:24 1,086,952 a------- c:\windows\system32\zpeng24.dll
2008-12-17 11:24 <DIR> --d----- c:\windows\system32\ZoneLabs
2008-12-17 11:24 <DIR> --d----- c:\program files\Zone Labs
2008-12-17 11:24 358,382 a------- c:\windows\system32\vsconfig.xml
2008-12-17 11:16 <DIR> --d----- c:\windows\Internet Logs
2008-12-16 16:41 0 a------- c:\windows\consult.INI
2008-12-16 16:41 74 a------- c:\windows\html.INI
2008-12-16 16:38 11 a------- c:\windows\system32\jdc32_mm.vcd
2008-12-16 16:38 <DIR> --d----- C:\dvdkpfr
2008-12-16 16:06 <DIR> --d----- c:\program files\Securite
2008-12-16 11:05 <DIR> --d----- c:\docume~1\fabien\applic~1\Malwarebytes
2008-12-16 11:05 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-16 11:05 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-16 11:05 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-16 11:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-12-16 06:32 2,157 ---sh--- c:\windows\system32\zefukava.exe
2008-12-15 09:15 <DIR> --d----- c:\program files\Trend Micro
2008-12-13 14:08 <DIR> --d----- c:\program files\Lavasoft
2008-12-10 23:46 <DIR> --d----- c:\docume~1\fabien\applic~1\OpenOffice.org
2008-12-10 23:36 <DIR> --d----- c:\program files\JRE
2008-12-10 23:36 <DIR> --d----- c:\program files\OpenOffice.org 3
2008-12-10 09:41 670,208 a------- c:\windows\system32\SET28.tmp
2008-12-10 09:41 1,499,648 a------- c:\windows\system32\SET2A.tmp
2008-12-10 09:41 620,544 a------- c:\windows\system32\SET29.tmp
2008-12-10 09:41 3,088,896 a------- c:\windows\system32\SET2B.tmp
2008-11-29 12:10 <DIR> --d----- c:\windows\system32\fr
2008-11-29 12:10 <DIR> --d----- c:\windows\system32\bits
2008-11-29 12:10 <DIR> --d----- c:\windows\l2schemas
2008-11-29 11:51 <DIR> --d----- c:\windows\ServicePackFiles
2008-11-29 11:49 <DIR> --d----- c:\windows\network diagnostic

==================== Find3M ====================

2008-12-12 18:02 3,088,896 -------- c:\windows\system32\dllcache\mshtml.dll
2008-11-30 01:58 514,296 a------- c:\windows\system32\perfh00C.dat
2008-11-30 01:58 438,940 a------- c:\windows\system32\perfh040.dat
2008-11-30 01:58 86,100 a------- c:\windows\system32\perfc00C.dat
2008-11-30 01:58 61,060 a------- c:\windows\system32\perfc040.dat
2008-11-29 12:13 86,815 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-11-21 20:17 286,720 -------- c:\windows\Setup1.exe
2008-11-09 21:59 107,888 a------- c:\windows\system32\CmdLineExt.dll
2008-10-27 10:04 514,384 a------- c:\windows\system32\XAudio2_3.dll
2008-10-27 10:04 235,856 a------- c:\windows\system32\xactengine3_3.dll
2008-10-27 10:04 23,376 a------- c:\windows\system32\X3DAudio1_5.dll
2008-10-27 10:04 70,992 a------- c:\windows\system32\XAPOFX1_2.dll
2008-10-24 12:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 13:36 286,720 a------- c:\windows\system32\SET19.tmp
2008-10-23 13:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-23 13:36 286,720 -------- c:\windows\system32\dllcache\gdi32.dll
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-16 02:01 670,208 a------- c:\windows\system32\wininet.dll
2008-10-16 02:01 1,499,648 -------- c:\windows\system32\dllcache\shdocvw.dll
2008-10-16 02:01 670,208 -------- c:\windows\system32\dllcache\wininet.dll
2008-10-16 02:01 620,544 -------- c:\windows\system32\dllcache\urlmon.dll
2008-10-15 17:35 337,408 -------- c:\windows\system32\dllcache\netapi32.dll
2008-10-10 04:52 4,379,984 a------- c:\windows\system32\D3DX9_40.dll
2008-10-10 04:52 2,036,576 a------- c:\windows\system32\D3DCompiler_40.dll
2008-10-10 04:52 452,440 a------- c:\windows\system32\d3dx10_40.dll
2008-10-03 11:03 247,326 a------- c:\windows\system32\strmdll.dll
2008-10-03 11:03 247,326 -------- c:\windows\system32\dllcache\strmdll.dll
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-09-08 17:16 104,152 a------- c:\docume~1\fabien\applic~1\GDIPFONTCACHEV1.DAT
2008-06-13 09:14 278,528 a------- c:\program files\fichiers communs\FDEUnInstaller.exe

============= FINISH: 16:01:06,46 ===============

#7 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:03:54 PM

Posted 25 December 2008 - 08:27 PM

Hello.

There does not appear to be any signs of infection remaining. Let's update your Java. Next round, we'll take out a leftover file.

Update Java to Version 6 Update 10
Your current version of Java is outdated. Malware creators can exploit the lesser security of older versions. Please uninstall your current version through Add/Remove Programs. Remove all instances of Java, J2SE Runtime, Java Runtime, and Java Runtime Environment. Restart your computer after uninstalling.

Please then install the latest Java, Java SE Runtime Environment (JRE) 6 Update 10 from this page. Follow the prompts and select the appropriate settings for your machine (most likely "Windows"). Click on the "Required File" jre-6u10-windows-i586-p.exe to download the installer. Double click the installer to run. Delete the installer after use.

F-Secure Online Scan
Please run F-Secure Online Scanner.
This scan is for Internet Explorer only.
  • It is suggested that you disable security programs and close any other windows during the scan. While your security is disabled, please refrain from surfing on other sites. Refer to this page if you are unsure how.
  • Go to F-Secure Online Scanner
  • Follow the instructions here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically. The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy the entire report in your next reply.
  • Be sure to re-enable any security programs.

Please post a new DDS log from after the above.

With Regards,
The Panda

#8 flap
  • Topic Starter
  • Members
  • 6 posts
  • Local time:08:54 PM

Posted 26 December 2008 - 08:09 AM

Hello.

Thank you. Well apparently, there was still some crap remaining...
Here is the log:

Scanning Report
Friday, December 26, 2008 13:01:54 - 13:56:55

Computer name: FLI-VIDAL
Scanning type: Scan system for malware, rootkits
Target: C:\ D:\
Result: 22 malware found
Exploit.Java.Gimsh.a (virus)

* C:\DOCUMENTS AND SETTINGS\FABIEN\APPLICATION DATA\SUN\JAVA\DEPLOYMENT\CACHE\6.0\40\2B2D8EE8-3D80EBDE (Renamed & Submitted)
* C:\DOCUMENTS AND SETTINGS\FABIEN\APPLICATION DATA\SUN\JAVA\DEPLOYMENT\CACHE\6.0\33\106D3BA1-29D64790 (Renamed & Submitted)

TrackingCookie.2o7 (spyware)

* System

TrackingCookie.Adtech (spyware)

* System

TrackingCookie.Advertising (spyware)

* System

TrackingCookie.Atdmt (spyware)

* System

TrackingCookie.Atwola (spyware)

* System

TrackingCookie.Doubleclick (spyware)

* System

TrackingCookie.Instadia (spyware)

* System

TrackingCookie.Mediaplex (spyware)

* System

TrackingCookie.Revsci (spyware)

* System

TrackingCookie.Webtrends (spyware)

* System

TrackingCookie.Xiti (spyware)

* System

TrackingCookie.Yieldmanager (spyware)

* System

Trojan.Win32.Monder.acxt (virus)

* C:\SYSTEM VOLUME INFORMATION\_RESTORE{E3FE5BAF-8534-4EEA-BE8B-42C963A914C1}\RP786\A0105205.DLL (Renamed & Submitted)

Trojan:W32/Vundo.EA (virus)

* C:\SYSTEM VOLUME INFORMATION\_RESTORE{E3FE5BAF-8534-4EEA-BE8B-42C963A914C1}\RP786\A0105199.DLL (Submitted)

Trojan:W32/Vundo.FJ (virus)

* C:\SYSTEM VOLUME INFORMATION\_RESTORE{E3FE5BAF-8534-4EEA-BE8B-42C963A914C1}\RP786\A0105201.DLL (Submitted)

Vundo.FBW (virus)

* C:\SYSTEM VOLUME INFORMATION\_RESTORE{E3FE5BAF-8534-4EEA-BE8B-42C963A914C1}\RP793\A0107973.INI (Submitted)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{E3FE5BAF-8534-4EEA-BE8B-42C963A914C1}\RP786\A0105200.INI (Submitted)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{E3FE5BAF-8534-4EEA-BE8B-42C963A914C1}\RP786\A0105202.INI (Submitted)

W32/Packed_Mew.C (virus)

* C:\SYSTEM VOLUME INFORMATION\_RESTORE{E3FE5BAF-8534-4EEA-BE8B-42C963A914C1}\RP749\A0092447.EXE (Submitted)
* C:\DOCUMENTS AND SETTINGS\FABIEN\MES DOCUMENTS\JEUX\Z-CODE\COMP08\WINDOWS\PROJECTDELTA\NXI.EXE (Submitted)

Statistics
Scanned:

* Files: 77588
* System: 3735
* Not scanned: 7

Actions:

* Disinfected: 0
* Renamed: 3
* Deleted: 0
* None: 19
* Submitted: 10

Files not scanned:

* C:\HIBERFIL.SYS
* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\SAM

Options
Scanning engines:

* F-Secure USS: 2.40.0
* F-Secure Blacklight: 0.0.0
* F-Secure Hydra: 2.8.8110, 2008-12-26
* F-Secure Pegasus: 1.20.0, 2008-11-17
* F-Secure AVP: 7.0.171, 2008-12-26

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
* Use Advanced heuristics


--


DDS (Version 1.1.0) - FAT32x86
Run by Admin at 14:03:59,98 on 26/12/2008
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professionnel 5.1.2600.3.1252.33.1036.18.2047.1160 [GMT 1:00]

AV: avast! antivirus 4.8.1296 [VPS 081226-0] *On-access scanning enabled* (Updated)
FW: ZoneAlarm Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\System32\svchost.exe -k Cognizance
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
SVCHOST.EXE
SVCHOST.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
SVCHOST.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\Ati2evxx.exe
c:\Program Files\ASUS Security Center\ASUS Security Protect Manager\Bin\AsGHost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ATK0100\HControl.exe
C:\Program Files\ASUS\Splendid\ACMON.exe
C:\Program Files\ASUS\ATK Media\DMEDIA.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Wireless Console 2\wcourier.exe
C:\WINDOWS\system32\ACEngSvr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Option\GlobeTrotter Connect\GlobeTrotter Connect.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\DOCUME~1\Admin\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk32.exe
C:\DOCUME~1\Admin\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fssm32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Fabien\Bureau\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.asus.com
uInternet Connection Wizard,ShellNext = hxxp://www.asus.com/
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: ASUS Security Protect Manager: {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - c:\program files\asus security center\asus security protect manager\bin\ItIEAddIn.dll
BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Copernic Desktop Search - Home: {968631B6-4729-440D-9BF4-251F5593EC9A} - c:\program files\copernic desktop search 2\DesktopSearchBand300000081.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [HControl] c:\windows\atk0100\HControl.exe
mRun: [ACMON] c:\program files\asus\splendid\ACMON.exe
mRun: [ATKMEDIA] c:\program files\asus\atk media\DMEDIA.EXE
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ABLKSR] c:\windows\ablksr\ABLKSR.exe
mRun: [Power_Gear] c:\program files\asus\power4 gear\BatteryLife.exe 1
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [CognizanceTS] rundll32.exe c:\progra~1\asusse~1\asusse~1\bin\ASTSVCC.dll,RegisterModule
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [Wireless Console 2] c:\program files\wireless console 2\wcourier.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\menudé~1\progra~1\démarr~1\lancem~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\menudé~1\progra~1\démarr~1\globet~1.lnk - c:\program files\option\globetrotter connect\GlobeTrotter Connect.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\fichiers communs\microsoft shared\web folders\PKMCDO.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\fichie~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: OneCard - c:\program files\asus security center\asus security protect manager\bin\ASWLNPkg.dll
AppInit_DLLs:
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli ASWLNPkg

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\stdoubt8.default\
FF - plugin: c:\program files\mozilla firefox\plugins\npExentCtl.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-7-10 111184]
R1 ItSDisk;ItSDisk;c:\windows\system32\drivers\ItSDisk.sys [2006-5-16 17840]
R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2008-12-17 127768]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-12-17 394952]
R2 ASChannel;Canal de communication local;c:\windows\system32\svchost.exe -k Cognizance [2006-9-15 14336]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-7-10 20560]
R2 avast! Antivirus;avast! Antivirus;"c:\program files\alwil software\avast4\ashServ.exe" [2006-11-9 155160]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service []
R3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;\??\c:\docume~1\admin\locals~1\temp\onlinescanner\anti-virus\fsgk.sys [2008-12-26 70144]
R3 SynMini;USB2.0 1.3M WebCam;c:\windows\system32\drivers\SynMini.sys [2006-8-8 1116544]
R3 SynScan;USB2.0 1.3M WebCam Still Image;c:\windows\system32\drivers\SynScan.sys [2006-8-8 7808]
S3 aaudstum;aaudstum;\??\c:\docume~1\fabien\locals~1\temp\aaudstum.sys []
S3 avast! Mail Scanner;avast! Mail Scanner;"c:\program files\alwil software\avast4\ashMaiSv.exe" /service [2006-11-9 254040]
S3 avast! Web Scanner;avast! Web Scanner;"c:\program files\alwil software\avast4\ashWebSv.exe" /service [2006-11-9 352920]
S3 GT72NDISIPXP;GT 72 IP NDIS;c:\windows\system32\drivers\Gt51Ip.sys [2007-7-9 95744]
S3 GT72UBUS;GT 72 U BUS;c:\windows\system32\drivers\gt72ubus.sys [2007-6-26 51968]
S3 GTPTSER;GT PT SER;c:\windows\system32\drivers\gtptser.sys [2007-3-30 8064]
S3 ipswuio;ipswuio;c:\windows\system32\drivers\ipswuio.sys [2006-10-13 34944]
S3 SMCWGU(SMC);SMCWUSB-G 802.11g Wireless USB 2.0 Adapter(SMC);c:\windows\system32\drivers\SMCWGU.sys [2007-11-10 408064]

=============== Created Last 30 ================

2008-12-26 12:53 <DIR> --d----- C:\fsaua.data
2008-12-26 12:51 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-26 12:51 73,728 a------- c:\windows\system32\javacpl.cpl
2008-12-25 16:53 <DIR> --d----- c:\program files\Wings 2
2008-12-25 15:44 <DIR> a-dshr-- C:\cmdcons
2008-12-25 15:40 161,792 a------- c:\windows\SWREG.exe
2008-12-25 15:40 98,816 a------- c:\windows\sed.exe
2008-12-23 01:11 <DIR> --d----- c:\program files\Hedgewars
2008-12-17 11:38 32 a--sh--- c:\windows\system32\drivers\fidbox.idx
2008-12-17 11:38 32 a--sh--- c:\windows\system32\drivers\fidbox.dat
2008-12-17 11:25 4,212 ----h--- c:\windows\system32\zllictbl.dat
2008-12-17 11:25 54,672 a------- c:\windows\system32\vsutil_loc040c.dll
2008-12-17 11:25 42,384 a------- c:\windows\zllsputility_loc040c.dll
2008-12-17 11:25 21,904 a------- c:\windows\system32\imsinstall_loc040c.dll
2008-12-17 11:25 17,808 a------- c:\windows\system32\imslsp_install_loc040c.dll
2008-12-17 11:25 75,248 a------- c:\windows\zllsputility.exe
2008-12-17 11:25 11,264 a------- c:\windows\system32\SpOrder.dll
2008-12-17 11:24 1,086,952 a------- c:\windows\system32\zpeng24.dll
2008-12-17 11:24 <DIR> --d----- c:\windows\system32\ZoneLabs
2008-12-17 11:24 <DIR> --d----- c:\program files\Zone Labs
2008-12-17 11:24 358,382 a------- c:\windows\system32\vsconfig.xml
2008-12-17 11:16 <DIR> --d----- c:\windows\Internet Logs
2008-12-16 16:41 0 a------- c:\windows\consult.INI
2008-12-16 16:41 74 a------- c:\windows\html.INI
2008-12-16 16:38 11 a------- c:\windows\system32\jdc32_mm.vcd
2008-12-16 16:38 <DIR> --d----- C:\dvdkpfr
2008-12-16 16:17 <DIR> --d-h--- c:\documents and settings\admin\Voisinage réseau
2008-12-16 16:17 <DIR> --d-h--- c:\documents and settings\admin\Voisinage d'impression
2008-12-16 16:17 <DIR> --d-h--- c:\documents and settings\admin\Modèles
2008-12-16 16:17 <DIR> --d--r-- c:\documents and settings\admin\Mes documents
2008-12-16 16:17 <DIR> --d--r-- c:\documents and settings\admin\Menu Démarrer
2008-12-16 16:17 <DIR> --d--r-- c:\documents and settings\admin\Favoris
2008-12-16 16:17 <DIR> --d----- c:\documents and settings\admin\Bureau
2008-12-16 16:17 <DIR> --d----- c:\docume~1\admin\applic~1\Symantec
2008-12-16 16:17 <DIR> --d----- c:\docume~1\admin\applic~1\Intel
2008-12-16 16:17 <DIR> --d----- c:\documents and settings\Admin
2008-12-16 16:06 <DIR> --d----- c:\program files\Securite
2008-12-16 11:05 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-16 11:05 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-16 11:05 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-16 11:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-12-16 06:32 2,157 ---sh--- c:\windows\system32\zefukava.exe
2008-12-15 09:15 <DIR> --d----- c:\program files\Trend Micro
2008-12-13 14:08 <DIR> --d----- c:\program files\Lavasoft
2008-12-10 23:36 <DIR> --d----- c:\program files\JRE
2008-12-10 23:36 <DIR> --d----- c:\program files\OpenOffice.org 3
2008-12-10 09:41 670,208 a------- c:\windows\system32\SET28.tmp
2008-12-10 09:41 1,499,648 a------- c:\windows\system32\SET2A.tmp
2008-12-10 09:41 620,544 a------- c:\windows\system32\SET29.tmp
2008-12-10 09:41 3,088,896 a------- c:\windows\system32\SET2B.tmp
2008-11-29 12:10 <DIR> --d----- c:\windows\system32\fr
2008-11-29 12:10 <DIR> --d----- c:\windows\system32\bits
2008-11-29 12:10 <DIR> --d----- c:\windows\l2schemas
2008-11-29 11:51 <DIR> --d----- c:\windows\ServicePackFiles
2008-11-29 11:49 <DIR> --d----- c:\windows\network diagnostic

==================== Find3M ====================

2008-12-12 18:02 3,088,896 -------- c:\windows\system32\dllcache\mshtml.dll
2008-11-30 01:58 514,296 a------- c:\windows\system32\perfh00C.dat
2008-11-30 01:58 438,940 a------- c:\windows\system32\perfh040.dat
2008-11-30 01:58 86,100 a------- c:\windows\system32\perfc00C.dat
2008-11-30 01:58 61,060 a------- c:\windows\system32\perfc040.dat
2008-11-29 12:13 86,815 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-11-21 20:17 286,720 -------- c:\windows\Setup1.exe
2008-11-09 21:59 107,888 a------- c:\windows\system32\CmdLineExt.dll
2008-10-27 10:04 514,384 a------- c:\windows\system32\XAudio2_3.dll
2008-10-27 10:04 235,856 a------- c:\windows\system32\xactengine3_3.dll
2008-10-27 10:04 23,376 a------- c:\windows\system32\X3DAudio1_5.dll
2008-10-27 10:04 70,992 a------- c:\windows\system32\XAPOFX1_2.dll
2008-10-24 12:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 13:36 286,720 a------- c:\windows\system32\SET19.tmp
2008-10-23 13:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-23 13:36 286,720 -------- c:\windows\system32\dllcache\gdi32.dll
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-16 02:01 670,208 a------- c:\windows\system32\wininet.dll
2008-10-16 02:01 1,499,648 -------- c:\windows\system32\dllcache\shdocvw.dll
2008-10-16 02:01 670,208 -------- c:\windows\system32\dllcache\wininet.dll
2008-10-16 02:01 620,544 -------- c:\windows\system32\dllcache\urlmon.dll
2008-10-15 17:35 337,408 -------- c:\windows\system32\dllcache\netapi32.dll
2008-10-10 04:52 4,379,984 a------- c:\windows\system32\D3DX9_40.dll
2008-10-10 04:52 2,036,576 a------- c:\windows\system32\D3DCompiler_40.dll
2008-10-10 04:52 452,440 a------- c:\windows\system32\d3dx10_40.dll
2008-10-03 11:03 247,326 a------- c:\windows\system32\strmdll.dll
2008-10-03 11:03 247,326 -------- c:\windows\system32\dllcache\strmdll.dll
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-06-13 09:14 278,528 a------- c:\program files\fichiers communs\FDEUnInstaller.exe

============= FINISH: 14:04:25,06 ===============

#9 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:03:54 PM

Posted 26 December 2008 - 09:20 PM

Hello.

F-Secure just found some leftovers. Let's clear those up and you are good to go.

Create and Run Batch Script
  • Copy the following into a notepad (Start>Run>"notepad"). Do not copy the word "code".
    @ECHO OFF
    REM For each listed file: clear the system/read-only/hidden attributes so DEL is not refused, then delete it
    for %%a in (
    "C:\DOCUMENTS AND SETTINGS\FABIEN\MES DOCUMENTS\JEUX\Z-CODE\COMP08\WINDOWS\PROJECTDELTA\NXI.EXE"
    "c:\windows\system32\zefukava.exe"
    ) do (
    IF exist "%%~a" (
    attrib -s -r -h "%%~a"
    del /q /f "%%~a"
    )
    )
    REM Remove this batch file itself once finished
    del %0
  • Click File, then Save As... .
  • Click Desktop on the left.
  • Under the Save as type dropdown, select All Files.
  • In the box File Name, input fix.bat
  • Hit OK.
When done properly, the icon should look like [image].

Double click Fix.bat. If you are using Windows Vista, right click the icon and select "Run as Administrator".

Uninstall ComboFix
Remove Combofix now that we're done with it.

If this tool has helped you, please consider making a donation to its author.
  • Click on your Start Menu, then Run....
  • Type combofix /u in the runbox and click OK. Notice the space between the "x" and "/".
Uninstalling ComboFix will do the following:
  • Delete ComboFix and its components from your computer.
  • Delete other tools commonly used during the malware removal process.
  • Resets clock settings to standard format.
  • Hide file extensions and hidden/system files.
  • Clear System Restore cache and creates new restore point.
Preventing Malware Infection in the Future
Please take some time to look at the following links, giving some advice and suggestions for preventing future infections: For general slowness problems that you may have, take a look at Slow Computer/browser? It May Not Be Malware. Read How to use the Startup Database to identify and disable unneeded processes and increase the amount of available resources.

Do you have any further questions or concerns?

With Regards,
The Panda
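The reply above picks the two leftover files out of the logs by hand: a hidden, system-attributed executable that appeared in system32, and (earlier in the thread) a driver entry pointing into a temp folder. As an added example, which is not code from this thread, from BleepingComputer, or from the DDS tool, the Python script below applies those two heuristics to DDS log text. It splits the output on the `=== name ===` section headers, parses the `Created Last 30` and `SERVICES / DRIVERS` lines, and reports recently created executables carrying both the `s` and `h` attributes, plus services or drivers whose image path lies under a `\temp\` directory. The sample lines are copied from the DDS logs posted above; the attribute-column layout, the two rules, and the reading of an empty trailing `[]` as "DDS found no file on disk" are the example's own assumptions, and a hit is a lead for a human reviewer, not a verdict.

```python
"""Triage helper for DDS log excerpts.

Added example, not part of the thread or of the DDS tool. The two heuristics are
an assumed reading of what the helper looks for in the 'Created Last 30' and
'SERVICES / DRIVERS' sections; a hit is a lead for a human reviewer, not a verdict.
"""
import re
from dataclasses import dataclass

# Constructed sample: section headers plus a handful of lines copied from the
# DDS logs posted in this thread, so the script runs offline.
SAMPLE_DDS_LOG = r"""
============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-7-10 111184]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service []
S3 aaudstum;aaudstum;\??\c:\docume~1\fabien\locals~1\temp\aaudstum.sys []
R3 SynMini;USB2.0 1.3M WebCam;c:\windows\system32\drivers\SynMini.sys [2006-8-8 1116544]

=============== Created Last 30 ================

2008-12-25 15:44 <DIR> a-dshr-- C:\cmdcons
2008-12-17 11:38 32 a--sh--- c:\windows\system32\drivers\fidbox.idx
2008-12-16 11:05 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-16 06:32 2,157 ---sh--- c:\windows\system32\zefukava.exe
2008-12-10 09:41 670,208 a------- c:\windows\system32\SET28.tmp
"""


@dataclass
class Finding:
    section: str
    path: str
    reason: str


EXEC_EXTS = {".exe", ".dll", ".sys", ".cpl", ".ocx", ".scr"}
SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
# date time  size|<DIR>  8-char attribute column  path
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+([a-z-]{8})\s+(.+)$")
# state name;display name;image path [file info]
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)\s\[([^\]]*)\]$")


def parse_sections(log_text):
    """Split DDS output into {section name: [non-empty lines]} using its '=== name ===' headers."""
    sections, current = {}, None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def _extension(path):
    name = path.rsplit("\\", 1)[-1]
    return name[name.rfind("."):].lower() if "." in name else ""


def _under_temp(path):
    return "\\temp\\" in path.lower()


def triage(log_text):
    """Return Findings for recently created hidden+system executables and for
    services/drivers whose image lives under a temp directory."""
    findings = []
    sections = parse_sections(log_text)
    for line in sections.get("Created Last 30", []):
        m = CREATED_RE.match(line)
        if not m:
            continue
        _created, size, attrs, path = m.groups()
        if size == "<DIR>" or _extension(path) not in EXEC_EXTS:
            continue
        # Assumed attribute column: a=archive(0) d=dir(2) s=system(3) h=hidden(4) r=read-only(5)
        if attrs[3] == "s" and attrs[4] == "h":
            findings.append(Finding("Created Last 30", path,
                                    "recently created executable with hidden+system attributes"))
        elif _under_temp(path):
            findings.append(Finding("Created Last 30", path,
                                    "recently created executable under a temp directory"))
    for line in sections.get("SERVICES / DRIVERS", []):
        m = SERVICE_RE.match(line)
        if not m:
            continue
        _state, _name, _display, image, file_info = m.groups()
        if _under_temp(image):
            reason = "service/driver image under a temp directory"
            if not file_info:  # assumed: empty [] means DDS found no file on disk
                reason += "; no file info, so the image is no longer on disk"
            findings.append(Finding("SERVICES / DRIVERS", image.strip('"'), reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS_LOG):
        print(f"[{f.section}] {f.path}\n    {f.reason}")
```

Run against the sample it reports exactly the two entries the thread acted on or asked about, zefukava.exe and the orphaned aaudstum.sys driver entry, while leaving legitimate hidden files such as fidbox.idx (not an executable) and normal drivers alone.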

#10 flap
  • Topic Starter
  • Members
  • 6 posts
  • Local time:08:54 PM

Posted 27 December 2008 - 03:19 PM

Well, thank you PP.

No, everything seems fine now.

Happy new year!

#11 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:03:54 PM

Posted 27 December 2008 - 08:56 PM

Glad we could help.

Since this issue appears to be resolved, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda



