
Possible Virut infection


This topic is locked
13 replies to this topic

#1 eggscalibur

  • Members
  • 9 posts

Posted 05 March 2009 - 08:33 PM

Hey folks, and thanks for a great site with great people with great help =)

First of all, the problem: I have 2 computers, a desktop and a laptop. My desktop is infected and is definitely not running properly, but my laptop, thankfully, is perfectly fine. Last week, when I tried accessing my C: directly through My Computer by double-clicking the icon, I got an error: "Windows cannot find "RECYCLER\S-7-4-17-(lots of digits).com".

Not having any time to look into such a problem, I found that right-clicking on the icon and clicking on "explore" got me in fine. It would appear that I made a serious mistake.

Today, upon booting up my computer, I got all the usual FakeAV-type problems: background image changed to one with a warning!, the big red cross in the taskbar telling me my computer was infected and that I needed to use a virus-removal program, and such. My version of Windows XP SP3 runs in French, so it was rather obvious what was wrong. I don't know how this got through my Spybot S/D and BitDefender, but I was getting registry changing demands very frequently, asking to update csrssc.exe and winlognn.exe.

Figuring that these problems stemmed from the original problem with my drives not opening, I assumed that there was a backdoor type file feeding my computer malware. I ran a full system scan using BitDefender, which removed a bunch of stuff except 3 infected files, all located in C:\Documents and settings\%username%\Local settings\temp\. The three files are called mousehook.dll, csrssc.exe and winlognn.exe.

So I went looking for them manually; couldn't find the "local settings" folder, so naturally hidden files. Tools => show file options didn't exist in the menu, and I was starting to get unnerved. I looked on the internet, and found the required registry keys to change this, and tried to run regedit. Naturally, my computer said that the "administrator" (I'm running under administrator, naturally) had disabled regedit. I therefore went and got a VBscript from a Microsoft Employee's site (forgot name, Goud perhaps) to switch regedit capabilities back on.

Entering regedit, I found the key, but it wasn't as described in the instructions. I then set it to how it should have been and rebooted, no change. So I decided to run in safe mode; the hidden file feature was activated, and I deleted over 1 GB of files in the "Temp" folder, including the three files. I then went to windows/system32 and had a look at the most recent files. I found a bunch of files I had never seen before, and deleted them. Some, of course, I could not: hs3i7jdgfd.dll, a new svchost.exe (didn't attempt to delete that), a wpa.dbl, and a bdod.bin.

Now, my computer has a light blue desktop image (I deleted the image with the WARNING sign from the temp folder, but I still cannot change the background), I still get the error when opening a drive, and I am unable to restore internet access on that computer (via USB through an AOLBox router, scared to plug Ethernet cable in).

Windows Firewall is now active (it wasn't, never thought it was any use with Spybot). Spybot has not been able to run since I first got the problem with the drives, but resident was active until recently. I've installed Malwarebytes via USB, but it won't run either. I also used DDS, from which I'll post the logs and attach the "attach.txt" file, as recommended in the Preparation Guide.

The computer doesn't seem to be running particularly sluggishly (I haven't tried running anything more powerful than Hearts), I've scanned then backed up all vital files. I now have access to msconfig, regedit, and safe mode. Impossible to get Internet running, though, and I'm pretty sure something is still lurking on the damn computer! Ah yes, one last thing: every time I start up my computer, the first thing it says is "An error has occurred and windows\system32\NVcpl.dll,NVStartup cannot be initialised". (I've had a look at the file, it's the Nvidia gfx control panel; I'm using a 9600 GT and there used to be a Nvidia icon in my panel, not anymore).

Any help will be deeply appreciated; I'd rather not reformat if possible. And that's all I can think of! Thank you much.

DDS.txt:

DDS (Ver_09-02-01.01) - NTFSx86
Run by Mathiew at 1:49:12,79 on 06/03/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Édition familiale 5.1.2600.3.1252.33.1036.18.2815.2237 [GMT 1:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\CA\SharedComponents\Alert\ALERT.EXE
C:\PROGRA~1\FICHIE~1\AOL\ACS\AOLacsd.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\alg.exe
C:\Documents and Settings\Mathiew\Bureau\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\tsi32\tsircusr.exe,c:\windows\system32\sdra64.exe,
BHO: c:\windows\system32\hs3i7jdgfd.dll: {c5bf49a2-94f3-42bd-f434-3604812c8955} - c:\windows\system32\hs3i7jdgfd.dll
TB: AOL Toolbar: {4982d40a-c53b-4615-b15b-b5b5e98d167c} - c:\program files\aol toolbar\toolbar.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [EoEngine]
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
mExplorerRun: [Lsass Service] c:\documents and settings\mathiew\application data\microsoft\windows\lsass.exe
StartupFolder: c:\docume~1\alluse~1\menudm~1\progra~1\dmarra~1\aol90i~1.lnk - c:\program files\aol 9.0\aoltray.exe
StartupFolder: c:\docume~1\alluse~1\menudm~1\progra~1\dmarra~1\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: &Recherche AOL Toolbar - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: E&xporter vers Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_04\bin\ssv.dll
IE: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - c:\program files\aol toolbar\toolbar.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\windows\temp\ntdll64.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {A903E5AB-C67E-40FB-94F1-E1305982F6E0} - hxxp://www.ooxtv.com/stream.ocx
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D4003189-95B1-4A2F-9A87-F2B03665960D} - hxxp://www.vjage.com/download/vjocx-en.cab
DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
DPF: {DA80E089-4648-43D5-93B4-7F37917084E6} - hxxp://www.candystand.com/assets/activex/virtools/CacheManager.CAB
TCP: NameServer = 85.255.112.72,85.255.112.151
TCP: {5B0441D5-83EA-4817-976F-50473BF468EC} = 85.255.112.72,85.255.112.151
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: c:\windows\system32\hs3i7jdgfd.dll: {c5bf49a2-94f3-42bd-f434-3604812c8955} - c:\windows\system32\hs3i7jdgfd.dll

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============

R1 SSHDRV65;SSHDRV65;c:\windows\system32\drivers\SSHDRV65.sys [2008-6-8 120320]
R2 Alert Notification Server;Alert Notification Server;c:\program files\ca\sharedcomponents\alert\alert.exe [2006-8-27 192574]
R2 SFTSER;SFTSER;c:\windows\system32\drivers\sftser.sys [2008-11-30 42944]
R3 cmudax;C-Media High Definition Audio Interface;c:\windows\system32\drivers\cmudax.sys [2004-10-1 1272000]
S2 FCI;FCI;c:\windows\system32\svchost.exe:ext.exe --> c:\windows\system32\svchost.exe:ext.exe [?]
S2 InoNmSrv;eTrust Antivirus Admin Server;c:\program files\ca\etrust antivirus\InoNmSrv.exe [2004-6-25 344336]
S2 vvdsvc;VJVodServices;c:\windows\system32\svchost.exe -k vvdsvc [2004-8-5 14336]
S3 alcan5ln;SpeedTouch™ USB ADSL RFC1483 Networking Driver (NDIS);c:\windows\system32\drivers\alcan5ln.sys [2006-12-26 36256]
S4 MapMemP;MapMemP;\??\c:\windows\system32\drivers\mapmemp.sys --> c:\windows\system32\drivers\MapMemP.Sys [?]

=============== Created Last 30 ================

2009-03-06 00:57 81,984 a------- c:\windows\system32\bdod.bin
2009-03-06 00:52 2,126 a------- c:\windows\system32\wpa.dbl
2009-03-06 00:11 <DIR> --d----- c:\program files\Viewpoint
2009-03-05 22:55 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-05 22:55 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-05 22:55 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-05 22:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-05 21:59 <DIR> --d----- c:\windows\pss
2009-03-05 17:09 121 a------- c:\windows\bdagent.INI
2009-03-05 14:31 <DIR> --d----- c:\program files\BitDefender
2009-03-05 14:29 <DIR> --d----- c:\program files\fichiers communs\BitDefender
2009-03-05 14:28 0 a------- C:\jimi.exe
2009-03-05 14:28 0 a------- C:\sdogn.exe
2009-03-05 14:28 0 a------- C:\vmya.exe
2009-03-05 14:27 0 a------- C:\xfgo.exe
2009-03-05 14:27 65,024 a------- C:\pcks.exe
2009-03-05 14:27 15,000 a------- c:\windows\system32\hs3i7jdgfd.dll
2009-03-05 14:26 <DIR> --d----- c:\program files\DivxAccess
2009-02-26 03:41 374 ---shr-- C:\autorun.inf
2009-02-20 00:45 <DIR> --d----- c:\windows\speech
2009-02-20 00:45 29,952 a------- c:\windows\system32\Borlndmm.dll
2009-02-20 00:45 <DIR> --d----- C:\iNemesis4
2009-02-19 17:08 <DIR> --d----- c:\program files\WinBoard
2009-02-15 21:01 <DIR> --d----- c:\docume~1\mathiew\applic~1\TVU networks
2009-02-15 19:00 159,744 a------- c:\windows\system32\lfpng13n.dll
2009-02-15 19:00 462,848 a------- c:\windows\system32\ltkrn13n.dll
2009-02-15 19:00 450,560 a------- c:\windows\system32\ltimg13n.dll
2009-02-15 19:00 401,408 a------- c:\windows\system32\lfcmp13n.dll
2009-02-15 19:00 299,008 a------- c:\windows\system32\ltdis13n.dll
2009-02-15 19:00 206,336 a------- c:\windows\system32\ltefx13n.dll
2009-02-15 19:00 163,840 a------- c:\windows\system32\ltfil13n.dll
2009-02-15 19:00 69,632 a------- c:\windows\system32\lfgif13n.dll
2009-02-15 19:00 57,344 a------- c:\windows\system32\lfbmp13n.dll

==================== Find3M ====================

2009-03-05 14:27 14,336 a------- c:\windows\system32\svchost.exe
2009-01-27 00:01 107,888 a------- c:\windows\system32\CmdLineExt.dll
2009-01-26 23:58 22,328 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-01-26 23:58 22,328 a------- c:\docume~1\mathiew\applic~1\PnkBstrK.sys
2009-01-26 23:58 107,832 a------- c:\windows\system32\PnkBstrB.exe
2009-01-26 23:58 2,250,024 a------- c:\windows\system32\pbsvc.exe
2009-01-26 23:58 66,872 a------- c:\windows\system32\PnkBstrA.exe
2008-12-23 21:58 453,152 a------- c:\windows\system32\NVUNINST.EXE
2008-12-20 23:47 826,368 a------- c:\windows\system32\wininet.dll
2008-11-30 21:29 45,688 a------- c:\docume~1\mathiew\applic~1\GDIPFONTCACHEV1.DAT
2007-02-21 11:14 278,528 a------- c:\program files\fichiers communs\FDEUnInstaller.exe
2008-08-27 00:27 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\historique\history.ie5\mshist012008082720080828\index.dat

============= FINISH: 1:51:37,01 ===============

And Attach.txt is uploaded.

Thanks again!

(crosses fingers)

#2 PropagandaPanda

  • Malware Response Team
  • 10,433 posts

Posted 13 March 2009 - 06:53 PM

Hello.

If you indeed have Virut, I would suggest a format and reinstall.

The damage that it does is likely unrepairable.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

Download and Run ComboFix
Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER.zip to your desktop from any of the links below:
LINK1, LINK2
  • Right click on GMER.zip and select "Extract All".
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click GMER.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.
In your next reply include:
-the ComboFix log
-the GMER scan log

Please also tell me of any changes you have made to your computer since you started your topic.

With Regards,
The Panda

#3 eggscalibur
  • Topic Starter

  • Members
  • 9 posts

Posted 15 March 2009 - 07:24 PM

Many thanks for having a look at all this.

Please also tell me of any changes you have made to your computer since you started your topic.

With Regards,
The Panda


Nope, I have done nothing since I started the topic aside from the ComboFix and GMER scans that you requested. See attachments for logs.

Once more, thanks a lot; I'm rather hoping I won't have to format the whole thing.

Take care,

Eggs

ComboFix 09-03-14.02 - Mathiew 2009-03-15 21:20:21.1 - NTFSx86
Microsoft Windows XP Édition familiale 5.1.2600.3.1252.1.1036.18.2815.2440 [GMT 1:00]
Lancé depuis: c:\documents and settings\Mathiew\Bureau\ComboFix.exe
.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
c:\documents and settings\Mathiew\Application Data\Microsoft\Windows\lsass.exe
c:\recycler\S-1-2-68-100030608-100016716-100022738-7722.com
c:\recycler\S-7-4-77-100028297-100032671-100006672-7632.com
c:\windows\system32\303359.exe
c:\windows\system32\ahtn.htm
c:\windows\system32\drivers\seneka.sys
c:\windows\system32\drivers\senekamokjrgen.sys
c:\windows\system32\frmwrk32.exe
c:\windows\system32\hs3i7jdgfd.dll
c:\windows\system32\init32.exe
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\lowsec\user.ds.lll
c:\windows\system32\ntdll64.exe
c:\windows\system32\sdra64.exe
c:\windows\system32\senekaalmpeppp.dat
c:\windows\system32\senekaff.dll
c:\windows\system32\senekafpullvbr.dll
c:\windows\system32\senekahtkalmmr.dat
c:\windows\system32\senekalog.dat
c:\windows\system32\senekapxmgyxdp.dll
c:\windows\system32\senekavygtfnmn.dll
c:\windows\system32\senekawi.dll
c:\windows\system32\skinboxer43.dll
c:\windows\system32\uniq.tll
c:\windows\system32\warning.gif
c:\windows\system32\win32hlp.cnf
D:\Autorun.inf
d:\recycler\S-0-4-90-100020169-100003986-100017008-5338.com
d:\recycler\S-1-1-77-100024662-100000416-100008692-5678.com
d:\recycler\S-1-2-68-100030608-100016716-100022738-7722.com
d:\recycler\S-5-6-34-100022125-100023813-100025654-5385.com
d:\recycler\S-7-3-87-100029302-100002106-100000176-3245.com
d:\recycler\S-7-4-77-100028297-100032671-100006672-7632.com
d:\recycler\S-9-5-39-100005854-100019238-100009384-9827.com
d:\recycler\S-9-9-75-100018023-100023528-100029593-7762.com
E:\Autorun.inf
e:\recycler\S-0-4-90-100020169-100003986-100017008-5338.com
e:\recycler\S-1-1-77-100024662-100000416-100008692-5678.com
e:\recycler\S-1-2-68-100030608-100016716-100022738-7722.com
e:\recycler\S-5-6-34-100022125-100023813-100025654-5385.com
e:\recycler\S-7-3-87-100029302-100002106-100000176-3245.com
e:\recycler\S-7-4-77-100028297-100032671-100006672-7632.com
e:\recycler\S-9-5-39-100005854-100019238-100009384-9827.com
e:\recycler\S-9-9-75-100018023-100023528-100029593-7762.com

.
((((((((((((((((((((((((((((((((((((((( Pilotes/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SENEKA
-------\Legacy_FCI
-------\Service_FCI


((((((((((((((((((((((((((((( Fichiers créés du 2009-02-15 au 2009-03-15 ))))))))))))))))))))))))))))))))))))
.

2009-03-13 17:30 . 2009-03-15 21:26 41 --a------ C:\WLANCUGINA.TEXT
2009-03-13 13:23 . 2007-11-20 23:54 308,096 --a------ c:\windows\system32\drivers\RTL8185.SYS
2009-03-13 13:23 . 2009-03-15 21:27 20 --a------ C:\GINA.TEXT
2009-03-13 13:22 . 2009-03-13 13:22 21,035 --a------ c:\windows\system32\drivers\AegisP.sys
2009-03-13 13:21 . 2009-03-13 13:21 <REP> d-------- c:\windows\system32\Wireless
2009-03-13 13:21 . 2009-03-13 13:21 <REP> d-------- c:\windows\OPTIONS
2009-03-13 13:20 . 2009-03-13 13:20 <REP> d-------- c:\program files\TRENDnet
2009-03-06 00:57 . 2009-03-06 01:03 81,984 --a------ c:\windows\system32\bdod.bin
2009-03-06 00:52 . 2009-03-15 21:27 2,206 --a------ c:\windows\system32\wpa.dbl
2009-03-06 00:29 . 2009-03-06 00:29 <REP> d-------- c:\documents and settings\Administrateur\Application Data\AOL
2009-03-06 00:27 . 2006-08-27 17:41 <REP> d--h----- c:\documents and settings\Administrateur\Voisinage réseau
2009-03-06 00:27 . 2006-08-27 17:41 <REP> d--h----- c:\documents and settings\Administrateur\Voisinage d'impression
2009-03-06 00:27 . 2006-08-27 15:46 <REP> d--h----- c:\documents and settings\Administrateur\Modèles
2009-03-06 00:27 . 2006-08-27 17:41 <REP> d-------- c:\documents and settings\Administrateur\Mes documents
2009-03-06 00:27 . 2006-08-27 17:41 <REP> dr------- c:\documents and settings\Administrateur\Menu Démarrer
2009-03-06 00:27 . 2006-08-27 17:41 <REP> d-------- c:\documents and settings\Administrateur\Favoris
2009-03-06 00:27 . 2006-08-27 17:41 <REP> d-------- c:\documents and settings\Administrateur\Bureau
2009-03-06 00:27 . 2008-11-21 00:26 <REP> d-------- c:\documents and settings\Administrateur\Application Data\Spearit
2009-03-06 00:27 . 2009-03-06 00:27 <REP> d-------- c:\documents and settings\Administrateur
2009-03-06 00:11 . 2009-03-06 00:11 <REP> d-------- c:\program files\Viewpoint
2009-03-05 22:55 . 2009-03-05 22:55 <REP> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-05 22:55 . 2009-03-05 22:55 <REP> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-05 22:55 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-05 22:55 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-05 17:09 . 2009-03-06 00:51 121 --a------ c:\windows\bdagent.INI
2009-03-05 14:45 . 2009-03-05 14:45 <REP> dr------- c:\documents and settings\LocalService\Favoris
2009-03-05 14:31 . 2009-03-05 14:31 <REP> d-------- c:\program files\BitDefender
2009-03-05 14:29 . 2009-03-05 14:32 <REP> d-------- c:\program files\Fichiers communs\BitDefender
2009-03-05 14:28 . 2009-03-05 14:28 0 --a------ C:\vmya.exe
2009-03-05 14:28 . 2009-03-05 14:28 0 --a------ C:\sdogn.exe
2009-03-05 14:28 . 2009-03-05 14:28 0 --a------ C:\jimi.exe
2009-03-05 14:27 . 2009-03-05 14:27 65,024 --a------ C:\pcks.exe
2009-03-05 14:27 . 2009-03-05 14:27 0 --a------ C:\xfgo.exe
2009-03-05 14:26 . 2009-03-05 14:26 <REP> d-------- c:\program files\DivxAccess
2009-02-20 00:45 . 2009-02-20 00:45 <REP> d-------- c:\windows\speech
2009-02-20 00:45 . 2009-02-20 00:51 <REP> d-------- C:\iNemesis4
2009-02-20 00:45 . 1998-02-09 03:00 29,952 --a------ c:\windows\system32\Borlndmm.dll
2009-02-19 17:08 . 2009-02-19 17:17 <REP> d-------- c:\program files\WinBoard
2009-02-15 21:01 . 2009-02-15 21:01 <REP> d-------- c:\documents and settings\Mathiew\Application Data\TVU networks
2009-02-15 19:00 . 2004-05-14 16:53 462,848 --a------ c:\windows\system32\ltkrn13n.dll
2009-02-15 19:00 . 2004-05-14 16:53 450,560 --a------ c:\windows\system32\ltimg13n.dll
2009-02-15 19:00 . 2004-05-14 16:53 401,408 --a------ c:\windows\system32\lfcmp13n.dll
2009-02-15 19:00 . 2004-05-14 16:53 299,008 --a------ c:\windows\system32\ltdis13n.dll
2009-02-15 19:00 . 2004-01-12 02:09 206,336 --a------ c:\windows\system32\ltefx13n.dll
2009-02-15 19:00 . 2004-05-14 16:53 163,840 --a------ c:\windows\system32\ltfil13n.dll
2009-02-15 19:00 . 2003-11-04 15:11 159,744 --a------ c:\windows\system32\lfpng13n.dll
2009-02-15 19:00 . 2003-11-04 15:10 69,632 --a------ c:\windows\system32\lfgif13n.dll
2009-02-15 19:00 . 2004-05-14 16:53 57,344 --a------ c:\windows\system32\lfbmp13n.dll

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-13 12:04 --------- d-----w c:\program files\Fichiers communs\AOL
2009-03-05 23:11 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-03-05 22:55 --------- d-----w c:\program files\Virtools
2009-02-27 12:29 --------- d-----w c:\program files\Railroad Tycoon II - Platinum
2009-02-26 00:06 --------- d-----w c:\documents and settings\Mathiew\Application Data\vlc
2009-02-23 23:36 --------- d-----w c:\program files\Steam
2009-02-05 20:16 --------- d-----w c:\documents and settings\Mathiew\Application Data\OpenOffice.org2
2009-01-26 23:33 --------- d--h--r c:\documents and settings\Mathiew\Application Data\SecuROM
2009-01-26 22:58 22,328 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-01-26 22:58 22,328 ----a-w c:\documents and settings\Mathiew\Application Data\PnkBstrK.sys
2009-01-26 22:54 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-26 22:54 --------- d-----w c:\program files\Ubisoft
2009-01-20 22:39 --------- d-----w c:\program files\Qonquer2 Online Client
2009-01-20 14:30 --------- d-----w c:\program files\ATI Technologies
2009-01-15 18:51 --------- d-----w c:\program files\Fichiers communs\Wise Installation Wizard
2009-01-15 18:51 --------- d-----w c:\program files\AGEIA Technologies
2008-11-30 20:29 45,688 ----a-w c:\documents and settings\Mathiew\Application Data\GDIPFONTCACHEV1.DAT
2007-02-21 10:14 278,528 ----a-w c:\program files\Fichiers communs\FDEUnInstaller.exe
2008-04-07 08:02 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-04-07 08:02 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-04-07 08:02 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-04-07 08:02 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-04-07 08:02 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2008-08-26 23:27 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Historique\History.IE5\MSHist012008082720080828\index.dat
.

------- Sigcheck -------

2004-08-05 13:00 14336 1bd6c2f707a275cb7c16fd99fe0f31ca c:\windows\$NtServicePackUninstall$\svchost.exe
2008-04-14 03:34 14336 e4bdf223cd75478bf44567b4d5c2634d c:\windows\ServicePackFiles\i386\svchost.exe
2009-03-05 14:27 14336 e4bdf223cd75478bf44567b4d5c2634d c:\windows\system32\svchost.exe
2009-03-05 14:27 14336 e4bdf223cd75478bf44567b4d5c2634d c:\windows\system32\dllcache\svchost.exe

2005-03-02 19:20 578048 c34920eb988ce98910bd6b0417f334eb c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
2007-03-08 16:50 579072 4d88aaf39adabfe45958ea1384e2c4ff c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
2007-03-08 16:37 578560 753354f594809a9b96f73999b435a533 c:\windows\$NtServicePackUninstall$\user32.dll
2004-08-05 13:00 578048 e46fb493e3b33704f0715020cf52106b c:\windows\$NtUninstallKB890859$\user32.dll
2005-03-02 19:10 578048 0df75fb73f705b011630159a43d7c354 c:\windows\$NtUninstallKB925902$\user32.dll
2008-04-14 03:33 579584 e853f84d3ce2faa2a802e33cf89ac023 c:\windows\ServicePackFiles\i386\user32.dll
2008-04-14 03:33 579584 e853f84d3ce2faa2a802e33cf89ac023 c:\windows\system32\user32.dll

2004-08-05 13:00 82944 bc41f51a39d3b255805fdb759b7814ae c:\windows\$NtServicePackUninstall$\ws2_32.dll
2008-04-14 03:33 82432 fb836f9e62d82904c983ad21296a5d9c c:\windows\ServicePackFiles\i386\ws2_32.dll
2008-04-14 03:33 82432 fb836f9e62d82904c983ad21296a5d9c c:\windows\system32\ws2_32.dll

2006-06-23 12:25 668672 582953780721ac5d38f98cab229ec7b9 c:\windows\$hf_mig$\KB918899\SP2QFE\wininet.dll
2006-09-14 09:38 668672 b8b6f05885a6f42724e8d6bfede6bd3f c:\windows\$hf_mig$\KB922760\SP2QFE\wininet.dll
2006-10-23 16:34 668672 efa0c2870cba1747809a13e09f35bf82 c:\windows\$hf_mig$\KB925454\SP2QFE\wininet.dll
2007-01-04 15:02 669184 114342601ac7ea73b0d2a0ed8505b8b9 c:\windows\$hf_mig$\KB928090\SP2QFE\wininet.dll
2007-02-19 16:23 669696 1bde6d5dba35797eca8db8fcb80fc015 c:\windows\$hf_mig$\KB931768\SP2QFE\wininet.dll
2007-04-18 13:44 669696 a3bf56a786b277e881fd9137f55f0b4b c:\windows\$hf_mig$\KB933566\SP2QFE\wininet.dll
2007-06-26 15:36 669696 19058fbdc72f7bae085369c6d0a7d074 c:\windows\$hf_mig$\KB937143\SP2QFE\wininet.dll
2007-08-22 13:57 669696 4f6a45b54d26708e2c2bf2c43d83edea c:\windows\$hf_mig$\KB939653\SP2QFE\wininet.dll
2007-10-11 06:59 670208 0465cde31add22f6233ffb4fe4af01cf c:\windows\$hf_mig$\KB942615\SP2QFE\wininet.dll
2007-10-11 00:22 825344 871ae10d6ae8877e9636ae5017953d52 c:\windows\$hf_mig$\KB942615-IE7\SP2QFE\wininet.dll
2007-12-07 02:42 825344 f4fd487241d3ac291046a22cebd2cf71 c:\windows\$hf_mig$\KB944533-IE7\SP2QFE\wininet.dll
2008-03-01 13:34 827392 5a0093f59b505c008ed0cee615563c72 c:\windows\$hf_mig$\KB947864-IE7\SP2QFE\wininet.dll
2008-04-23 08:19 827392 78d3d2b0be6ad3e6d82ccb115cf74310 c:\windows\$hf_mig$\KB950759-IE7\SP2QFE\wininet.dll
2008-06-23 16:40 827904 52589bae67dd9859724287372668690b c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\wininet.dll
2008-08-26 10:10 827904 4b0e70d44297877a313045bd059770e1 c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\wininet.dll
2008-10-16 20:33 827904 37d1a1bfe3d9904f2c3d11592456f9c0 c:\windows\$hf_mig$\KB958215-IE7\SP2QFE\wininet.dll
2008-12-21 00:47 827904 4e192082a5fce9ef19198a24cdea3442 c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\wininet.dll
2004-08-05 13:00 660480 58fe94ef42e074f4cad8bf02e70e6478 c:\windows\$NtUninstallKB918899$\wininet.dll
2006-06-23 12:11 663040 4f343f414f05e81cf61b1001634fc6b7 c:\windows\$NtUninstallKB922760$\wininet.dll
2006-09-14 09:40 663040 b1e994472f3574db141266f1aa905433 c:\windows\$NtUninstallKB925454$\wininet.dll
2006-10-23 16:18 663040 6091fee2b68974683d52119a98be3564 c:\windows\$NtUninstallKB928090$\wininet.dll
2007-01-04 14:55 663040 25d38ffa2b441e326850ae4cb67d1a91 c:\windows\$NtUninstallKB931768$\wininet.dll
2007-02-19 16:04 663040 129a4681b22150d08e35e144494240a2 c:\windows\$NtUninstallKB933566$\wininet.dll
2007-04-18 13:32 663040 ca6f58031096fc2509c57670129469f7 c:\windows\$NtUninstallKB937143$\wininet.dll
2007-06-26 15:12 663040 889269134af28b2142f47a337ca3a1cd c:\windows\$NtUninstallKB939653$\wininet.dll
2007-08-22 14:13 663040 18048557aa56de4b1955fdf7a21f9b24 c:\windows\$NtUninstallKB942615$\wininet.dll
2007-10-11 07:13 663552 d2fd027e5d3af96dee6c5cc225079df0 c:\windows\ie7\wininet.dll
2007-08-13 18:54 818688 a4a0fc92358f39538a6494c42ef99fe9 c:\windows\ie7updates\KB942615-IE7\wininet.dll
2007-10-11 00:49 824832 bc5119c53bdd48dabc628d448a3bdccb c:\windows\ie7updates\KB944533-IE7\wininet.dll
2007-12-07 03:08 824832 4fc90bece54fac81b0090b94e27bfb6b c:\windows\ie7updates\KB947864-IE7\wininet.dll
2008-03-01 13:58 826368 8e027981ddffa690d456fe18b37415a0 c:\windows\ie7updates\KB950759-IE7\wininet.dll
2008-04-23 05:16 826368 02d6aabd5f5a32c61478b5cdfe50e4a8 c:\windows\ie7updates\KB953838-IE7\wininet.dll
2008-06-23 17:28 826368 ac0bd61dc2c64906fbfe50e005fefa2c c:\windows\ie7updates\KB956390-IE7\wininet.dll
2008-08-26 09:11 826368 e30cacd98479b36a3dbfa3267bf62dd0 c:\windows\ie7updates\KB958215-IE7\wininet.dll
2008-10-16 21:18 826368 cfbfa47415e85018e2cdc509e5e3d011 c:\windows\ie7updates\KB961260-IE7\wininet.dll
2008-04-14 03:33 670208 4a6e04ea20f48d750d9bfed8600d516b c:\windows\ServicePackFiles\i386\wininet.dll
2008-12-20 23:47 826368 0551c946e305cee0a79ba744dc141bfc c:\windows\system32\wininet.dll
2008-12-20 23:47 826368 0551c946e305cee0a79ba744dc141bfc c:\windows\system32\dllcache\wininet.dll

2006-04-20 13:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 17:53 360832 64798ecfa43d78c7178375fcdd16d8c8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 11:44 360960 744e57c99232201ae98c49168b918f48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
2008-06-20 12:51 361600 9aefa14bd6b182d61e3119fa5f436d3d c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
2008-06-20 12:59 361600 ad978a1b783b5719720cff204b666c8e c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2008-06-20 11:45 360320 2a5554fc5b1e04e131230e3ce035c3f9 c:\windows\$NtServicePackUninstall$\tcpip.sys
2004-08-05 13:00 359040 9f4b36614a0fc234525ba224957de55c c:\windows\$NtUninstallKB917953$\tcpip.sys
2006-04-20 12:51 359808 1dbf125862891817f374f407626967f4 c:\windows\$NtUninstallKB941644$\tcpip.sys
2008-04-13 20:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\$NtUninstallKB951748$\tcpip.sys
2007-10-30 18:20 360064 90caff4b094573449a0872a0f919b178 c:\windows\$NtUninstallKB951748_0$\tcpip.sys
2008-04-13 20:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\ServicePackFiles\i386\tcpip.sys
2008-06-20 12:51 361600 9aefa14bd6b182d61e3119fa5f436d3d c:\windows\system32\dllcache\tcpip.sys
2008-06-20 12:51 361600 9aefa14bd6b182d61e3119fa5f436d3d c:\windows\system32\drivers\tcpip.sys

2004-08-05 13:00 506368 d2de785aeab0bb8ca4c14a8a199dbe4e c:\windows\$NtServicePackUninstall$\winlogon.exe
2008-04-14 03:34 512000 dd73d6b9f6b4cb630cf35b438b540174 c:\windows\ServicePackFiles\i386\winlogon.exe
2008-04-14 03:34 512000 dd73d6b9f6b4cb630cf35b438b540174 c:\windows\system32\winlogon.exe

2004-08-05 13:00 182912 558635d3af1c7546d26067d5d9b6959e c:\windows\$NtServicePackUninstall$\ndis.sys
2008-04-13 20:20 182656 1df7f42665c94b825322fae71721130d c:\windows\ServicePackFiles\i386\ndis.sys
2008-04-13 20:20 182656 1df7f42665c94b825322fae71721130d c:\windows\system32\drivers\ndis.sys

2004-08-05 13:00 29056 4448006b6bc60e6c027932cfc38d6855 c:\windows\$NtServicePackUninstall$\ip6fw.sys
2008-04-13 19:53 36608 3bb22519a194418d5fec05d800a19ad0 c:\windows\ServicePackFiles\i386\ip6fw.sys
2008-04-13 19:53 36608 3bb22519a194418d5fec05d800a19ad0 c:\windows\system32\drivers\ip6fw.sys

2005-03-02 19:13 2059008 5311776074b6c13f983dc75baeac9c0c c:\windows\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
2006-12-19 19:45 2061440 8b039efbe4c9aa23f152ffa0e238b8fa c:\windows\$hf_mig$\KB929338\SP2QFE\ntkrnlpa.exe
2007-02-28 17:08 2061440 7a56a64eb50399613587e90292dd2aab c:\windows\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
2008-08-14 18:26 2068096 755b50949d0dbc0f0136b0db58765331 c:\windows\$hf_mig$\KB956841\SP3QFE\ntkrnlpa.exe
2007-02-28 17:02 2059648 a1d5231403329478ae4fe2778c55c77f c:\windows\$NtServicePackUninstall$\ntkrnlpa.exe
2004-08-05 13:00 2058880 f252fae094c54572ece38a039f2103c4 c:\windows\$NtUninstallKB890859$\ntkrnlpa.exe
2005-03-02 19:07 2058880 73fa9c95d235844a36968c7852c7dbdd c:\windows\$NtUninstallKB929338$\ntkrnlpa.exe
2006-12-19 19:22 2059648 06015d137b02542f07d5cd7b144df942 c:\windows\$NtUninstallKB931784$\ntkrnlpa.exe
2008-04-14 03:07 2067968 b71a8f101cefaf82fc5ec16130a54a3f c:\windows\$NtUninstallKB956841$\ntkrnlpa.exe
2008-08-14 14:23 2068096 8da71f1900721e1e4fcb5b02d55fb771 c:\windows\Driver Cache\i386\ntkrnlpa.exe
2008-04-14 03:07 2067968 b71a8f101cefaf82fc5ec16130a54a3f c:\windows\ServicePackFiles\i386\ntkrnlpa.exe
2008-08-14 14:23 2068096 8da71f1900721e1e4fcb5b02d55fb771 c:\windows\system32\ntkrnlpa.exe
2008-08-14 14:23 2068096 8da71f1900721e1e4fcb5b02d55fb771 c:\windows\system32\dllcache\ntkrnlpa.exe

2005-03-02 19:13 2181632 3e2a0a4a0c0b19fc113618a9562a3b2a c:\windows\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
2006-12-19 19:45 2184064 1f3fa2065e6e043a1d82a487b5da309c c:\windows\$hf_mig$\KB929338\SP2QFE\ntoskrnl.exe
2007-02-28 17:08 2184192 8e244108562e0e452eb68dff64cb08a9 c:\windows\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe
2008-08-14 18:26 2191232 d79210549bbf09b7638e860440504299 c:\windows\$hf_mig$\KB956841\SP3QFE\ntoskrnl.exe
2007-02-28 17:02 2182400 7d6d19aac51a4325f6039f083c22303c c:\windows\$NtServicePackUninstall$\ntoskrnl.exe
2004-08-05 13:00 2183040 7d38ce4398e6aa6339b4644feadcc0d8 c:\windows\$NtUninstallKB890859$\ntoskrnl.exe
2005-03-02 19:08 2181376 63729dd0f2aae36cc52b89c05505146c c:\windows\$NtUninstallKB929338$\ntoskrnl.exe
2006-12-19 19:22 2182400 d27929db7b7f92f9d0f8ec9ba01c601c c:\windows\$NtUninstallKB931784$\ntoskrnl.exe
2008-04-14 03:08 2191104 099d639da1ef6968d4e41795bb507e6b c:\windows\$NtUninstallKB956841$\ntoskrnl.exe
2008-08-14 14:23 2191232 c8d4d5974f9671da0a37175650912960 c:\windows\Driver Cache\i386\ntoskrnl.exe
2008-04-14 03:08 2191104 099d639da1ef6968d4e41795bb507e6b c:\windows\ServicePackFiles\i386\ntoskrnl.exe
2008-08-14 14:23 2191232 c8d4d5974f9671da0a37175650912960 c:\windows\system32\ntoskrnl.exe
2008-08-14 14:23 2191232 c8d4d5974f9671da0a37175650912960 c:\windows\system32\dllcache\ntoskrnl.exe

2008-04-14 03:34 1037824 f2317622d29f9ff0f88aeecd5f60f0dd c:\windows\explorer.exe
2007-06-13 14:10 1037312 b795475444d6d57a572c14b9e1a29839 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
2007-06-13 14:22 1037312 d0288319660edcfed07c7e74c4ea38a5 c:\windows\$NtServicePackUninstall$\explorer.exe
2004-08-05 13:00 1036288 4c33e5b9a6197b6ed215f6cfba0a2daa c:\windows\$NtUninstallKB938828$\explorer.exe
2008-04-14 03:34 1037824 f2317622d29f9ff0f88aeecd5f60f0dd c:\windows\ServicePackFiles\i386\explorer.exe

2004-08-05 13:00 108544 732e0b1abaace15d80ec19056b0a2af9 c:\windows\$NtServicePackUninstall$\services.exe
2008-04-14 03:34 109056 54cb50058851d95e56ec70d09f70857f c:\windows\ServicePackFiles\i386\services.exe
2008-04-14 03:34 109056 54cb50058851d95e56ec70d09f70857f c:\windows\system32\services.exe

2004-08-05 13:00 13312 9f3744a5c6f49291a7a685040a013399 c:\windows\$NtServicePackUninstall$\lsass.exe
2008-04-14 03:34 13312 91e6024d6d4dcdecdb36c43ecf9bbecb c:\windows\ServicePackFiles\i386\lsass.exe
2008-04-14 03:34 13312 91e6024d6d4dcdecdb36c43ecf9bbecb c:\windows\system32\lsass.exe

2004-08-05 13:00 15360 5584247b568c2e53934873f4b655fe6a c:\windows\$NtServicePackUninstall$\ctfmon.exe
2008-04-14 03:33 15360 59dc5bb82e4c8e0b3eadcfdbc44ba6e4 c:\windows\ServicePackFiles\i386\ctfmon.exe
2008-04-14 03:33 15360 59dc5bb82e4c8e0b3eadcfdbc44ba6e4 c:\windows\system32\ctfmon.exe

2005-06-11 01:17 57856 ad3d9d191aea7b5445fe1d82ffbb4788 c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2005-06-11 00:53 57856 da81ec57acd4cdc3d4c51cf3d409af9f c:\windows\$NtServicePackUninstall$\spoolsv.exe
2004-08-05 13:00 57856 b4ef928e4fad79364a80acba6d999934 c:\windows\$NtUninstallKB896423$\spoolsv.exe
2008-04-14 03:34 57856 460e4ce148bd07218da0b6a3d31885a9 c:\windows\ServicePackFiles\i386\spoolsv.exe
2008-04-14 03:34 57856 460e4ce148bd07218da0b6a3d31885a9 c:\windows\system32\spoolsv.exe

2004-08-05 13:00 25088 d6d65ea32b190401b57edb6706f29669 c:\windows\$NtServicePackUninstall$\userinit.exe
2008-04-14 03:34 26624 e74ddb12188c2ff57a78624dbf7332fc c:\windows\ServicePackFiles\i386\userinit.exe
2008-04-14 03:34 26624 e74ddb12188c2ff57a78624dbf7332fc c:\windows\system32\userinit.exe
2008-04-14 03:34 26624 e74ddb12188c2ff57a78624dbf7332fc c:\windows\system32\dllcache\userinit.exe

2004-08-05 13:00 297984 7d521b8cf926459e270d18c559323815 c:\windows\$NtServicePackUninstall$\termsrv.dll
2008-04-14 03:33 297984 710bc85a8c22626ee094439e3ea0d38c c:\windows\ServicePackFiles\i386\termsrv.dll
2008-04-14 03:33 297984 710bc85a8c22626ee094439e3ea0d38c c:\windows\system32\termsrv.dll

2006-07-05 11:58 1050112 fb85ef2a6713e3a58a497e093626b93c c:\windows\$hf_mig$\KB917422\SP2QFE\kernel32.dll
2007-04-16 17:11 1051136 62e3f0e9abfcbcee62c51546f622c455 c:\windows\$hf_mig$\KB935839\SP2QFE\kernel32.dll
2007-04-16 16:53 1049600 6f1fe2ae7b22eb9ced1bff533c9455ea c:\windows\$NtServicePackUninstall$\kernel32.dll
2004-08-05 13:00 1048576 7830e20c74611281b1bdae5888cd50f5 c:\windows\$NtUninstallKB917422$\kernel32.dll
2006-07-05 11:56 1049088 ce4af1fa47a29adf97cb107775ce395c c:\windows\$NtUninstallKB935839$\kernel32.dll
2008-04-14 03:33 1054720 3ac8886dfa5ab641417df4d3b7f5512e c:\windows\ServicePackFiles\i386\kernel32.dll
2008-04-14 03:33 1054720 3ac8886dfa5ab641417df4d3b7f5512e c:\windows\system32\kernel32.dll

2004-08-05 13:00 17408 b02e4ddbe0e98f42f3b61292ddb3a104 c:\windows\$NtServicePackUninstall$\powrprof.dll
2008-04-14 03:33 17408 9f2c862e39bf8e8fc51c3f6a6bceb415 c:\windows\ServicePackFiles\i386\powrprof.dll
2008-04-14 03:33 17408 9f2c862e39bf8e8fc51c3f6a6bceb415 c:\windows\system32\powrprof.dll

2004-08-05 13:00 110080 39ee5faf56260ebb8d77a08f525ebbb4 c:\windows\$NtServicePackUninstall$\imm32.dll
2008-04-14 03:33 110080 0469b73db32e5520f342c5e163aa3cca c:\windows\ServicePackFiles\i386\imm32.dll
2008-04-14 03:33 110080 0469b73db32e5520f342c5e163aa3cca c:\windows\system32\imm32.dll
.
((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-07-17 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-07-17 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-26 13680640]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\
AOL 9.0 Icône AOL.lnk - c:\program files\AOL 9.0\aoltray.exe [2007-02-21 156784]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
Wireless Configuration Utility .lnk - c:\program files\TRENDnet\TRENDnet TEW-421PC_TEW-423PI\WlanCU.exe [2005-09-11 622592]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= divxa32.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-10-15 01:04 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
-ra------ 2007-06-21 11:01 70952 c:\program files\Fichiers communs\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2008-04-14 03:33 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2006-11-17 14:16 50736 c:\program files\Fichiers communs\AOL\1172057926\ee\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 1200 Series]
--a------ 2006-07-13 06:25 57344 c:\program files\Lexmark 1200 Series\lxczbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-14 03:34 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 09:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2008-12-26 00:08 13680640 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-12-26 00:08 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 23:13 385024 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Realtime Monitor]
--a------ 2004-06-25 23:17 504080 c:\progra~1\CA\ETRUST~1\Realmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 11:43 2097488 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 2004-06-29 08:06 88363 c:\windows\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2008-12-26 00:08 1657376 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Raccourci vers la page des propriétés de High Definition Audio]
--------- 2004-03-17 15:10 61952 c:\windows\system32\Hdaudpropshortcut.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"enablefirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CA\\eTrust Antivirus\\Realmon.exe"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
"c:\\Program Files\\KKnD - Extreme\\Kknd.exe"=
"c:\\Program Files\\CA\\eTrust Antivirus\\Shellscn.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Steam\\steamapps\\stinga\\counter-strike\\hl.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Fichiers communs\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Fichiers communs\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\AOL 9.0\\waol.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Fichiers communs\\AOL\\1172057926\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Documents and Settings\\Mathiew\\Bureau\\Civilization II Multiplayer Gold Edition\\civ2.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"c:\\Program Files\\Laplink FileMover\\SFTHost.exe"=
"c:\\Program Files\\Laplink\\PCsync\\SFTHost.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FarCry2.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Launcher.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Editor.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"<NO NAME>"= c:\\ecyay.exe

R2 InoNmSrv;eTrust Antivirus Admin Server;c:\program files\CA\eTrust Antivirus\InoNmSrv.exe [2004-06-25 344336]
R2 vvdsvc;VJVodServices;c:\windows\System32\svchost.exe [2009-03-05 14336]
R3 alcan5ln;SpeedTouch™ USB ADSL RFC1483 Networking Driver (NDIS);c:\windows\system32\DRIVERS\alcan5ln.sys [2003-09-05 36256]
R4 MapMemP;MapMemP; [x]
S1 SSHDRV65;SSHDRV65;c:\windows\system32\drivers\SSHDRV65.sys [2008-06-08 120320]
S2 Alert Notification Server;Alert Notification Server;c:\program files\CA\SharedComponents\Alert\ALERT.EXE [2004-06-29 192574]
S2 SFTSER;SFTSER; [x]
S3 cmudax;C-Media High Definition Audio Interface;c:\windows\system32\drivers\cmudax.sys [2006-08-27 1272000]


--- Autres Services/Pilotes en mémoire ---

*Deregistered* - AegisP
*Deregistered* - AFD
*Deregistered* - Alert Notification Server
*Deregistered* - AOL ACS
*Deregistered* - Arp1394
*Deregistered* - ASCTRM
*Deregistered* - Ati HotKey Poller
*Deregistered* - AudioSrv
*Deregistered* - audstub
*Deregistered* - Beep
*Deregistered* - BITS
*Deregistered* - Browser
*Deregistered* - Cdfs
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - Dnscache
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - Fastfat
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - Fips
*Deregistered* - FltMgr
*Deregistered* - Ftdisk
*Deregistered* - Gpc
*Deregistered* - helpsvc
*Deregistered* - HTTP
*Deregistered* - ImapiService
*Deregistered* - INO_FLPY
*Deregistered* - INO_FLTR
*Deregistered* - InoNmSrv
*Deregistered* - InoRPC
*Deregistered* - InoRT
*Deregistered* - InoTask
*Deregistered* - IpNat
*Deregistered* - IPSec
*Deregistered* - KSecDD
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LexBceS
*Deregistered* - LmHosts
*Deregistered* - MDM
*Deregistered* - mnmdd
*Deregistered* - Mouclass
*Deregistered* - MountMgr
*Deregistered* - MRxDAV
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - mssmbios
*Deregistered* - Mup
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - Ndisuio
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - Npfs
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - NVSvc
*Deregistered* - PartMgr
*Deregistered* - ParVdm
*Deregistered* - PCIIde
*Deregistered* - PnkBstrA
*Deregistered* - PnkBstrB
*Deregistered* - PolicyAgent
*Deregistered* - PptpMiniport
*Deregistered* - ProtectedStorage
*Deregistered* - PSched
*Deregistered* - RasAcd
*Deregistered* - Rasl2tp
*Deregistered* - RasMan
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - SCDEmu
*Deregistered* - Schedule
*Deregistered* - Secdrv
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SFTSER
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - Spooler
*Deregistered* - sptd
*Deregistered* - sr
*Deregistered* - srservice
*Deregistered* - Srv
*Deregistered* - SSDPSRV
*Deregistered* - SSHDRV65
*Deregistered* - stisvc
*Deregistered* - swenum
*Deregistered* - TapiSrv
*Deregistered* - Tcpip
*Deregistered* - TermDD
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - VolSnap
*Deregistered* - vvdsvc
*Deregistered* - W32Time
*Deregistered* - Wanarp
*Deregistered* - wanatw
*Deregistered* - WANMiniportService
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WZCSVC

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
vvdsvc REG_MULTI_SZ vvdsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{57a194ba-3674-11db-824e-00e0a66641e1}]
\Shell\AutoRun\command - J:\Launch.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cb66b5c8-b14e-11dc-85de-0016ae698e03}]
\Shell\AutoRun\command - L:\AutoTransfer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{40DPY04I-LB34-W2LC-340D-05M563H731U3}]
"c:\windows\cgi-bin.exe"
.
Contenu du dossier 'Tâches planifiées'

2009-03-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
.
- - - - ORPHELINS SUPPRIMES - - - -

BHO-{C5BF49A2-94F3-42BD-F434-3604812C8955} - c:\windows\system32\hs3i7jdgfd.dll
HKLM-Run-EoEngine - (no file)
HKLM-Explorer_Run-Lsass Service - c:\documents and settings\Mathiew\Application Data\Microsoft\Windows\lsass.exe
SharedTaskScheduler-{C5BF49A2-94F3-42BD-F434-3604812C8955} - c:\windows\system32\hs3i7jdgfd.dll
MSConfigStartUp-ATICCC - c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe
MSConfigStartUp-BDAgent - c:\program files\BitDefender\BitDefender 2008\bdagent.exe
MSConfigStartUp-jsf8uiw3jnjgffght - c:\docume~1\Mathiew\LOCALS~1\Temp\winlognn.exe
MSConfigStartUp-StartCCC - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
MSConfigStartUp-Cmaudio - cmicnfg.cpl
MSConfigStartUp-LapLink Server Proxy - ServerProxy.exe


.
------- Examen supplémentaire -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.co.uk/
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-15 21:27:26
Windows 5.1.2600 Service Pack 3 NTFS

Recherche de processus cachés ...

Recherche d'éléments en démarrage automatique cachés ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Lsass Service = c:\documents and settings\Mathiew\Application Data\Microsoft\Windows\lsass.exe????????????????????????????B?????????????????????

Recherche de fichiers cachés ...

Scan terminé avec succès
Fichiers cachés:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gaopdxserv.sys]
"imagepath"="\systemroot\system32\drivers\gaopdxomlidqxyvjnkcepabuyfulnbaudeoxrl.sys"
.
--------------------- CLES DE REGISTRE BLOQUEES ---------------------

[HKEY_USERS\S-1-5-21-1659004503-884357618-839522115-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1659004503-884357618-839522115-1004\Software\SecuROM\License information*]
"datasecu"=hex:29,9c,ad,84,dc,50,07,50,f1,d4,9c,96,6a,cc,7a,c1,ed,e7,bd,b2,9b,
65,df,8f,93,dc,b8,c7,c6,2e,d2,c2,67,85,b2,cd,82,7d,ec,c5,05,cd,9e,e1,11,8e,\
"rkeysecu"=hex:af,2f,e5,d3,ca,cd,7e,e9,1f,49,d9,b3,7b,4f,bd,62
.
--------------------- DLLs chargées dans les processus actifs ---------------------

- - - - - - - > 'winlogon.exe'(740)
c:\windows\SYSTEM32\Wireless\WirelessGina.DLL
c:\windows\system32\Ati2evxx.dll
.
------------------------ Autres processus actifs ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\progra~1\FICHIE~1\AOL\ACS\AOLacsd.exe
c:\program files\CA\eTrust Antivirus\InoRpc.exe
c:\program files\CA\eTrust Antivirus\InoRT.exe
c:\program files\CA\eTrust Antivirus\InoTask.exe
c:\program files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\windows\wanmpsvc.exe
c:\progra~1\CA\SHARED~1\SCANEN~1\Inodist.exe
.
**************************************************************************
.
Heure de fin: 2009-03-15 21:43:00 - La machine a redémarré
ComboFix-quarantined-files.txt 2009-03-15 20:42:57

Avant-CF: 50,445,209,600 octets libres
Après-CF: 50,619,310,080 octets libres

WindowsXP-KB310994-SP2-Home-BootDisk-FRA.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Édition familiale" /noexecute=optin /fastdetect

586 --- E O F --- 2009-02-25 12:26:46


Edited by PropagandaPanda, 16 March 2009 - 08:09 AM.


#4 PropagandaPanda

  • Malware Response Team
  • 10,433 posts

Posted 16 March 2009 - 08:24 AM

Hello.

I'm hoping that we don't have to reformat. However, the case with Virut is simply that the infected files cannot be repaired. If system files are infected, then we have no choice.

Let's finish off what's left and then get an online scan to see how much Virut has infected.

Do you have any idea what "VJVodServices" is?

Run ComboFix with CFScript
We will run ComboFix again with a script.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the box below into it:
    http://www.bleepingcomputer.com/forums/t/208742/possible-virut-infection/
    
    Suspect::
    c:\windows\system32\svchost.exe
    c:\windows\system32\winlogon.exe
    c:\windows\explorer.exe
    c:\windows\system32\lsass.exe
    c:\windows\system32\userinit.exe
    
    File::
    C:\vmya.exe
    C:\sdogn.exe
    C:\jimi.exe
    C:\pcks.exe
    C:\xfgo.exe
    
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    @=-
    
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
    "Lsass Service"=-
    
    Driver::
    gaopdxserv.sys
    
    Rootkit::
    c:\documents and settings\Mathiew\Application Data\Microsoft\Windows\lsass.exe
    C:\WINDOWS\system32\drivers\gaopdxomlidqxyvjnkcepabuyfulnbaudeoxrl.sys
    C:\Documents and Settings\Mathiew\Local Settings\Temp\gaopdx000
    C:\Documents and Settings\Mathiew\Local Settings\Temp\gaopdxserv.sys000
    C:\WINDOWS\system32\gaopdxcounter
    C:\WINDOWS\system32\gaopdxovrevxvaswdljtiqxmqcwwohpjwxdqig.dll
    C:\WINDOWS\system32\drivers\gaopdxkberftcgdramqplhqvewwosrtuqqxdda.sys
    C:\WINDOWS\system32\drivers\gaopdxomlidqxyvjnkcepabuyfulnbaudeoxrl.sys
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    [Image: CFScript.txt being dragged onto ComboFix.exe]
    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

Run Scan with Kaspersky
Please do a scan with Kaspersky Online Scanner.

This scan is for Internet Explorer only.

If you are using Windows Vista, open your browser by right-clicking on its icon and select Run as administrator to perform this scan.

  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report.
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

This scanner will only scan. It does not remove any malware it finds.

With Regards,
The Panda
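
The log in the previous post lists several copies of each critical Windows binary with their MD5s, and the reply above points out that a Virut-infected system file cannot be repaired; the script below is an added example (not part of this thread, and not ComboFix's own code) that automates the cross-check a helper does by eye: does the live copy under system32 still match a ServicePackFiles or dllcache reference copy? The sample lines are the winlogon.exe and userinit.exe entries from the log above, except that the system32\userinit.exe line is constructed with a bogus size and hash to stand in for a modified live copy.

```python
"""Cross-check the per-file MD5 block of a ComboFix log for modified system binaries.

ComboFix lists several copies of each critical binary: the live copy under
system32 (or straight under c:\\windows for explorer.exe) plus reference copies
kept in the ServicePackFiles and dllcache folders.  A file infector such as
Virut patches the live copy in place, so its MD5 (and usually its size) stops
matching every reference copy.  Copies in $NtUninstallKB*$ / $hf_mig$ folders
are older builds and are ignored.  Note the limit of the check: a live copy
that matches a reference is not proof of health, since an infector that also
touched dllcache would yield matching hashes, which is why a full scan follows.
"""
import re
from collections import defaultdict

# One ComboFix file line: date time size md5 path
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>\d+) (?P<md5>[0-9a-f]{32}) (?P<path>.+)$"
)

# Folders holding known-good reference copies (dllcache is refreshed by hotfixes,
# ServicePackFiles holds the service-pack build; matching either one is fine).
REFERENCE_DIRS = ("\\servicepackfiles\\i386\\", "\\system32\\dllcache\\")
# Folder holding the live, in-use copy (covers system32 and system32\drivers).
LIVE_DIR = "\\system32\\"

# Sample input: winlogon.exe and userinit.exe lines from the log above, except
# that the system32\userinit.exe line is CONSTRUCTED (bogus size and MD5) to
# stand in for a modified live copy.
SAMPLE_LOG = r"""
2004-08-05 13:00 506368 d2de785aeab0bb8ca4c14a8a199dbe4e c:\windows\$NtServicePackUninstall$\winlogon.exe
2008-04-14 03:34 512000 dd73d6b9f6b4cb630cf35b438b540174 c:\windows\ServicePackFiles\i386\winlogon.exe
2008-04-14 03:34 512000 dd73d6b9f6b4cb630cf35b438b540174 c:\windows\system32\winlogon.exe

2004-08-05 13:00 25088 d6d65ea32b190401b57edb6706f29669 c:\windows\$NtServicePackUninstall$\userinit.exe
2008-04-14 03:34 26624 e74ddb12188c2ff57a78624dbf7332fc c:\windows\ServicePackFiles\i386\userinit.exe
2008-04-14 03:34 26624 e74ddb12188c2ff57a78624dbf7332fc c:\windows\system32\dllcache\userinit.exe
2008-04-14 03:34 49152 0123456789abcdef0123456789abcdef c:\windows\system32\userinit.exe
"""


def parse_entries(log_text):
    """Return (size, md5, path) for every line that has ComboFix's file layout."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((int(m.group("size")), m.group("md5"), m.group("path")))
    return entries


def classify(path):
    """Tag a path as 'reference', 'live' or 'backup' (uninstall/hotfix folders)."""
    low = path.lower()
    if any(d in low for d in REFERENCE_DIRS):
        return "reference"
    if LIVE_DIR in low:
        return "live"
    # explorer.exe is listed straight from c:\windows, with no subfolder.
    if low.startswith("c:\\windows\\") and low.count("\\") == 2:
        return "live"
    return "backup"


def find_modified(entries):
    """Map basename -> explanation for every live copy whose MD5 matches none of
    its reference copies, or that has no reference copy to compare against."""
    by_name = defaultdict(lambda: {"live": [], "reference": []})
    for size, md5, path in entries:
        kind = classify(path)
        if kind == "backup":
            continue
        name = path.rsplit("\\", 1)[-1].lower()
        by_name[name][kind].append((size, md5))

    findings = {}
    for name, copies in by_name.items():
        ref_md5s = {md5 for _, md5 in copies["reference"]}
        ref_sizes = sorted({size for size, _ in copies["reference"]})
        for size, md5 in copies["live"]:
            if not ref_md5s:
                findings[name] = "live copy has no reference copy to compare against"
            elif md5 not in ref_md5s:
                findings[name] = (
                    f"live copy {md5} ({size} bytes) matches no reference copy "
                    f"(reference sizes {ref_sizes}); treat as modified, e.g. by a file infector"
                )
    return findings


def main():
    findings = find_modified(parse_entries(SAMPLE_LOG))
    if not findings:
        print("all live copies match a reference copy")
    for name, why in sorted(findings.items()):
        print(f"{name}: {why}")


if __name__ == "__main__":
    main()
```

Run against the full block from the log above, every live copy matches either its dllcache or its ServicePackFiles copy (ntkrnlpa.exe and ntoskrnl.exe match dllcache rather than ServicePackFiles because hotfix KB956841 refreshed both), so nothing is flagged there.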

#5 eggscalibur

  • Topic Starter

  • Members
  • 9 posts

Posted 22 March 2009 - 06:43 PM

Hey Panda,

Sorry this took so long, my life has been kinda hell this past week. I finally got down to doing this properly today, and here are the results: the computer looks almost normal (I can now change the desktop image, internet access works (firewall up)); the only bug is in the execution of an nvidia .dll on startup (prolly needs a reinstall).

About your question, "VJVodServices" is the application my brother used to watch sports online (we live in France but originate from South Africa; watching the rugby is hard because French TV doesn't screen it!). Anyway, I'm almost certain it's harmless, he's had it for a long while.

Used the script, so combofix log and Kaspersky log are uploaded. Says I still have 14 infections but all but 2 seem to be quarantined. I'll let you be the judge, and I'm not using this computer until you advise.

"regtools.vbs" is the script I got from the net to reactivate taskmgr.exe when it was disabled. I have no idea what a service host would be doing in "All Users\Application Data\Microsoft\". Anyway.

Once more, thanks so much for your help and time with this... if I don't have to reboot you're doing me a big favour!

Take care,

Eggs


ComboFix 09-03-14.02 - Mathiew 2009-03-22 17:28:33.2 - NTFSx86
Microsoft Windows XP Édition familiale 5.1.2600.3.1252.1.1036.18.2815.2426 [GMT 1:00]
Lancé depuis: c:\documents and settings\Mathiew\Bureau\ComboFix.exe
Commutateurs utilisés :: c:\documents and settings\Mathiew\Bureau\CFScript.txt

FILE ::
C:\jimi.exe
C:\pcks.exe
C:\sdogn.exe
C:\vmya.exe
C:\xfgo.exe
.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Mathiew\Application Data\Microsoft\Windows\lsass.exe
C:\jimi.exe
C:\pcks.exe
C:\sdogn.exe
C:\vmya.exe
c:\windows\system32\drivers\gaopdxkberftcgdramqplhqvewwosrtuqqxdda.sys
c:\windows\system32\drivers\gaopdxomlidqxyvjnkcepabuyfulnbaudeoxrl.sys
c:\windows\system32\gaopdxcounter
c:\windows\system32\gaopdxovrevxvaswdljtiqxmqcwwohpjwxdqig.dll
C:\xfgo.exe

.
((((((((((((((((((((((((((((((((((((((( Pilotes/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gaopdxserv.sys


((((((((((((((((((((((((((((( Fichiers créés du 2009-02-22 au 2009-03-22 ))))))))))))))))))))))))))))))))))))
.

2009-03-13 17:30 . 2009-03-22 17:33 41 --a------ C:\WLANCUGINA.TEXT
2009-03-13 13:23 . 2007-11-20 23:54 308,096 --a------ c:\windows\system32\drivers\RTL8185.SYS
2009-03-13 13:23 . 2009-03-22 17:33 20 --a------ C:\GINA.TEXT
2009-03-13 13:22 . 2009-03-13 13:22 21,035 --a------ c:\windows\system32\drivers\AegisP.sys
2009-03-13 13:21 . 2009-03-13 13:21 <REP> d-------- c:\windows\system32\Wireless
2009-03-13 13:21 . 2009-03-13 13:21 <REP> d-------- c:\windows\OPTIONS
2009-03-13 13:20 . 2009-03-13 13:20 <REP> d-------- c:\program files\TRENDnet
2009-03-06 00:57 . 2009-03-06 01:03 81,984 --a------ c:\windows\system32\bdod.bin
2009-03-06 00:52 . 2009-03-22 17:27 2,206 --a------ c:\windows\system32\wpa.dbl
2009-03-06 00:29 . 2009-03-06 00:29 <REP> d-------- c:\documents and settings\Administrateur\Application Data\AOL
2009-03-06 00:27 . 2006-08-27 17:41 <REP> d--h----- c:\documents and settings\Administrateur\Voisinage réseau
2009-03-06 00:27 . 2006-08-27 17:41 <REP> d--h----- c:\documents and settings\Administrateur\Voisinage d'impression
2009-03-06 00:27 . 2006-08-27 15:46 <REP> d--h----- c:\documents and settings\Administrateur\Modèles
2009-03-06 00:27 . 2006-08-27 17:41 <REP> d-------- c:\documents and settings\Administrateur\Mes documents
2009-03-06 00:27 . 2006-08-27 17:41 <REP> dr------- c:\documents and settings\Administrateur\Menu Démarrer
2009-03-06 00:27 . 2006-08-27 17:41 <REP> d-------- c:\documents and settings\Administrateur\Favoris
2009-03-06 00:27 . 2006-08-27 17:41 <REP> d-------- c:\documents and settings\Administrateur\Bureau
2009-03-06 00:27 . 2008-11-21 00:26 <REP> d-------- c:\documents and settings\Administrateur\Application Data\Spearit
2009-03-06 00:27 . 2009-03-06 00:27 <REP> d-------- c:\documents and settings\Administrateur
2009-03-06 00:11 . 2009-03-06 00:11 <REP> d-------- c:\program files\Viewpoint
2009-03-05 22:55 . 2009-03-05 22:55 <REP> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-05 22:55 . 2009-03-05 22:55 <REP> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-05 22:55 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-05 22:55 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-05 17:09 . 2009-03-06 00:51 121 --a------ c:\windows\bdagent.INI
2009-03-05 14:45 . 2009-03-05 14:45 <REP> dr------- c:\documents and settings\LocalService\Favoris
2009-03-05 14:31 . 2009-03-05 14:31 <REP> d-------- c:\program files\BitDefender
2009-03-05 14:29 . 2009-03-05 14:32 <REP> d-------- c:\program files\Fichiers communs\BitDefender
2009-03-05 14:26 . 2009-03-05 14:26 <REP> d-------- c:\program files\DivxAccess

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-13 12:04 --------- d-----w c:\program files\Fichiers communs\AOL
2009-03-05 23:11 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-03-05 22:55 --------- d-----w c:\program files\Virtools
2009-02-27 12:29 --------- d-----w c:\program files\Railroad Tycoon II - Platinum
2009-02-26 00:06 --------- d-----w c:\documents and settings\Mathiew\Application Data\vlc
2009-02-23 23:36 --------- d-----w c:\program files\Steam
2009-02-19 16:17 --------- d-----w c:\program files\WinBoard
2009-02-15 20:01 --------- d-----w c:\documents and settings\Mathiew\Application Data\TVU networks
2009-02-05 20:16 --------- d-----w c:\documents and settings\Mathiew\Application Data\OpenOffice.org2
2009-01-26 23:33 --------- d--h--r c:\documents and settings\Mathiew\Application Data\SecuROM
2009-01-26 22:58 22,328 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-01-26 22:58 22,328 ----a-w c:\documents and settings\Mathiew\Application Data\PnkBstrK.sys
2009-01-26 22:54 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-26 22:54 --------- d-----w c:\program files\Ubisoft
2008-11-30 20:29 45,688 ----a-w c:\documents and settings\Mathiew\Application Data\GDIPFONTCACHEV1.DAT
2007-02-21 10:14 278,528 ----a-w c:\program files\Fichiers communs\FDEUnInstaller.exe
2008-04-07 08:02 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-04-07 08:02 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-04-07 08:02 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-04-07 08:02 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-04-07 08:02 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2008-08-26 23:27 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Historique\History.IE5\MSHist012008082720080828\index.dat
.

((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-07-17 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-07-17 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-26 13680640]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\
AOL 9.0 Icône AOL.lnk - c:\program files\AOL 9.0\aoltray.exe [2007-02-21 156784]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
Wireless Configuration Utility .lnk - c:\program files\TRENDnet\TRENDnet TEW-421PC_TEW-423PI\WlanCU.exe [2005-09-11 622592]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= divxa32.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-10-15 01:04 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
-ra------ 2007-06-21 11:01 70952 c:\program files\Fichiers communs\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2008-04-14 03:33 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2006-11-17 14:16 50736 c:\program files\Fichiers communs\AOL\1172057926\ee\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 1200 Series]
--a------ 2006-07-13 06:25 57344 c:\program files\Lexmark 1200 Series\lxczbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-14 03:34 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 09:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2008-12-26 00:08 13680640 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-12-26 00:08 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 23:13 385024 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Realtime Monitor]
--a------ 2004-06-25 23:17 504080 c:\progra~1\CA\ETRUST~1\Realmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 11:43 2097488 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 2004-06-29 08:06 88363 c:\windows\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2008-12-26 00:08 1657376 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Raccourci vers la page des propriétés de High Definition Audio]
--------- 2004-03-17 15:10 61952 c:\windows\system32\Hdaudpropshortcut.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"enablefirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CA\\eTrust Antivirus\\Realmon.exe"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
"c:\\Program Files\\KKnD - Extreme\\Kknd.exe"=
"c:\\Program Files\\CA\\eTrust Antivirus\\Shellscn.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Steam\\steamapps\\stinga\\counter-strike\\hl.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Fichiers communs\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Fichiers communs\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\AOL 9.0\\waol.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Fichiers communs\\AOL\\1172057926\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Documents and Settings\\Mathiew\\Bureau\\Civilization II Multiplayer Gold Edition\\civ2.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"c:\\Program Files\\Laplink FileMover\\SFTHost.exe"=
"c:\\Program Files\\Laplink\\PCsync\\SFTHost.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FarCry2.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Launcher.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Editor.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

R1 SSHDRV65;SSHDRV65;c:\windows\system32\drivers\SSHDRV65.sys [2008-06-08 120320]
R2 Alert Notification Server;Alert Notification Server;c:\program files\CA\SharedComponents\Alert\alert.exe [2006-08-27 192574]
R2 SFTSER;SFTSER;c:\windows\system32\drivers\sftser.sys [2008-11-30 42944]
R3 cmudax;C-Media High Definition Audio Interface;c:\windows\system32\drivers\cmudax.sys [2004-10-01 1272000]
S2 InoNmSrv;eTrust Antivirus Admin Server;c:\program files\CA\eTrust Antivirus\InoNmSrv.exe [2004-06-25 344336]
S2 vvdsvc;VJVodServices;c:\windows\System32\svchost.exe -k vvdsvc [2004-08-05 14336]
S3 alcan5ln;SpeedTouch™ USB ADSL RFC1483 Networking Driver (NDIS);c:\windows\system32\drivers\alcan5ln.sys [2006-12-26 36256]
S4 MapMemP;MapMemP;\??\c:\windows\SYSTEM32\Drivers\MapMemP.Sys --> c:\windows\SYSTEM32\Drivers\MapMemP.Sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
vvdsvc REG_MULTI_SZ vvdsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - I:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{57a194ba-3674-11db-824e-00e0a66641e1}]
\Shell\AutoRun\command - J:\Launch.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cb66b5c8-b14e-11dc-85de-0016ae698e03}]
\Shell\AutoRun\command - L:\AutoTransfer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{40DPY04I-LB34-W2LC-340D-05M563H731U3}]
"c:\windows\cgi-bin.exe"
.
Contenu du dossier 'Tâches planifiées'

2009-03-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
.
.
------- Examen supplémentaire -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = about:blank
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-22 17:33:24
Windows 5.1.2600 Service Pack 3 NTFS

Recherche de processus cachés ...

Recherche d'éléments en démarrage automatique cachés ...

Recherche de fichiers cachés ...

Scan terminé avec succès
Fichiers cachés: 0

**************************************************************************
.
--------------------- CLES DE REGISTRE BLOQUEES ---------------------

[HKEY_USERS\S-1-5-21-1659004503-884357618-839522115-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1659004503-884357618-839522115-1004\Software\SecuROM\License information*]
"datasecu"=hex:29,9c,ad,84,dc,50,07,50,f1,d4,9c,96,6a,cc,7a,c1,ed,e7,bd,b2,9b,
65,df,8f,93,dc,b8,c7,c6,2e,d2,c2,67,85,b2,cd,82,7d,ec,c5,05,cd,9e,e1,11,8e,\
"rkeysecu"=hex:af,2f,e5,d3,ca,cd,7e,e9,1f,49,d9,b3,7b,4f,bd,62
.
--------------------- DLLs chargées dans les processus actifs ---------------------

- - - - - - - > 'winlogon.exe'(576)
c:\windows\SYSTEM32\Wireless\WirelessGina.DLL
c:\windows\system32\Ati2evxx.dll
.
------------------------ Autres processus actifs ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\progra~1\FICHIE~1\AOL\ACS\AOLacsd.exe
c:\program files\CA\eTrust Antivirus\InoRpc.exe
c:\program files\CA\eTrust Antivirus\InoRT.exe
c:\program files\CA\eTrust Antivirus\InoTask.exe
c:\program files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\windows\wanmpsvc.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Heure de fin: 2009-03-22 17:39:15 - La machine a redémarré [Mathiew]
ComboFix-quarantined-files.txt 2009-03-22 16:39:12
ComboFix2.txt 2009-03-15 20:44:00

Avant-CF: 50,640,928,768 octets libres
Après-CF: 50,627,657,728 octets libres

256 --- E O F --- 2009-02-25 12:26:46



Edited by PropagandaPanda, 22 March 2009 - 06:53 PM.


#6 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:06:27 PM

Posted 22 March 2009 - 07:00 PM

Hello eggscalibur.

Luckily, the Virut infection had not been active. It does not appear that the item Kaspersky detected was active either.

I see that you have the AskToolbar installed. This is considered adware. I would suggest that you remove it using Add/Remove Programs.

Update Java to Version 6 Update 12
Your current version of Java is outdated. Malware creators can exploit the lesser security of older versions. Please uninstall your current version through Add/Remove Programs. Remove all instances of Java, J2SE Runtime, Java Runtime, and Java Runtime Environment. Restart your computer after uninstalling.

Please download the installer here. Choose "Windows"

Delete the installer after use.

Download and Run ATFCleaner
Please download ATF Cleaner by Atribune. This program will clear out temporary files and settings. You will likely be logged out of the forum where you are receiving help.
  • Double-click ATF-Cleaner.exe to run the program. If you are using Windows Vista, right click the icon and select Run As Administrator.
  • Under Main Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
Download and Run OTMoveIT
  • Please download OTMoveIt3 by OldTimer to your desktop. If you have already used the program, there is no need to download a new one.
  • Double-click OTMoveIt3.exe to run it. If you are running on Vista, right click on the file and choose Run As Administrator.
  • Copy the lines in the codebox below. Do not copy the word "code".
    :reg
    [-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{40DPY04I-LB34-W2LC-340D-05M563H731U3}]
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"=-
    
    :files
    C:\Documents and Settings\All Users\Application Data\Microsoft\svchost.exe
    
    :commands
    [emptytemp]
  • Return to OTMoveIt3, right click in the Paste List Of Files/Patterns To Move window (under the yellow bar) and choose Paste.
  • Close all open windows except OTMoveIt.
  • Click the Posted Image button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3.
Note: If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key. Navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest ".log" file present, and copy/paste the contents of that document back here in your next post.

F-Secure Online Scan
Please run F-Secure Online Scanner to check for anything left.
This scan is for Internet Explorer only.
  • It is suggested that you disable security programs and close any other windows during the scan. While your security is disabled, please refrain from surfing on other sites. Refer to this page if you are unsure how.
  • Go to F-Secure Online Scanner
  • Follow the instructions here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically. The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy the entire report in your next reply.
  • Be sure to re-enable any security programs.

Follow up with a fresh DDS log please.

With Regards,
The Panda

Edited by PropagandaPanda, 22 March 2009 - 07:02 PM.
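The OTMoveIt script above removes two things the ComboFix log exposed: an Active Setup "Installed Components" subkey whose name is not a real GUID (it contains letters outside 0-9A-F), and a svchost.exe living under Application Data instead of the Windows system directory. As an added example, not code from this thread, ComboFix or OTMoveIt, here is a Python triage that applies those two checks to startup entries; the sample entries are constructed from values visible in the logs, and every function and constant name is this example's own.

```python
"""Triage of startup entries from a ComboFix-style 'Reg loading points' report.

Added example, not code from this thread or from ComboFix/OTMoveIt. Two
heuristics: a braced subkey name that is not a well-formed GUID, and a core
Windows process name started from outside the system directory. Sample
entries are constructed from values visible in the thread's logs.
"""
import ntpath
import re

# Registry GUID subkeys follow {8-4-4-4-12} hex digits. The key shown in the
# log, {40DPY04I-LB34-W2LC-340D-05M563H731U3}, contains P, Y, I, L, W, M, H, U.
GUID_RE = re.compile(
    r"^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$",
    re.IGNORECASE,
)

# Core Windows processes that only ship under the system directory; a copy
# started from anywhere else is masquerading as the real one.
WINDOWS_ONLY_NAMES = {"svchost.exe", "csrss.exe", "winlogon.exe", "lsass.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# (registry location, subkey or value name, command) -- constructed from the
# ComboFix 'Points de chargement Reg' section and the OTMoveIt ':files' line.
SAMPLE_ENTRIES = [
    ("HKLM\\...\\Active Setup\\Installed Components",
     "{40DPY04I-LB34-W2LC-340D-05M563H731U3}", r"c:\windows\cgi-bin.exe"),
    ("HKLM\\...\\Internet Explorer\\Toolbar",
     "{3041d03e-fd4b-44e0-b742-2d9b88305f98}",
     r"c:\program files\AskBarDis\bar\bin\askBar.dll"),
    ("HKCU\\...\\Run", "ctfmon.exe", r"c:\windows\system32\ctfmon.exe"),
    # Constructed Run value pointing at the file the OTMoveIt script removed.
    ("HKLM\\...\\Run", "svchost",
     r"C:\Documents and Settings\All Users\Application Data\Microsoft\svchost.exe"),
]


def guid_is_well_formed(name: str) -> bool:
    """True if a braced subkey name is a syntactically valid GUID."""
    return GUID_RE.match(name) is not None


def masquerades_system_binary(command: str) -> bool:
    """True if a Windows-only process name runs from outside the system dirs."""
    path = command.strip().strip('"')
    base = ntpath.basename(path).lower()
    if base not in WINDOWS_ONLY_NAMES:
        return False
    return ntpath.dirname(path).lower() not in SYSTEM_DIRS


def triage(entries):
    """Return a (name, reason) pair for every entry that trips a heuristic."""
    findings = []
    for _location, name, command in entries:
        if name.startswith("{") and not guid_is_well_formed(name):
            findings.append((name, "subkey name is not a well-formed GUID"))
        if masquerades_system_binary(command):
            base = ntpath.basename(command.strip().strip('"'))
            findings.append(
                (name, base + " started outside the Windows system directory"))
    return findings


if __name__ == "__main__":
    for name, reason in triage(SAMPLE_ENTRIES):
        print(f"{name}: {reason}")
```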


#7 eggscalibur
  • Topic Starter
  • Members
  • 9 posts
  • Local time:05:27 PM

Posted 23 March 2009 - 04:20 AM

Hey Panda,

Looking good.

- Uninstalled AskToolbar
- Updated Java
- Ran ATFCleaner
- Ran OTMoveIt3 (see attached log)
- Ran F-Secure Online Scanner (see attached log)
- Fresh DDS included

Only noticeable problem left is the Nvidia drivers, nothing that can't be fixed by a reinstall. Unless you can see things that still aren't good or are still affecting my PC?

I really can't thank you enough; you really know your stuff!

Take care,

Eggs

DDS (Ver_09-02-01.01) - NTFSx86
Run by Mathiew at 10:12:39,48 on 23/03/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Édition familiale 5.1.2600.3.1252.33.1036.18.2815.2285 [GMT 1:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\CA\SharedComponents\Alert\ALERT.EXE
C:\PROGRA~1\FICHIE~1\AOL\ACS\AOLacsd.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TRENDnet\TRENDnet TEW-421PC_TEW-423PI\WlanCU.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Mathiew\Bureau\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = about:blank
BHO: Programme d'aide de l'Assistant de connexion Windows Live: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\fichiers communs\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\menudm~1\progra~1\dmarra~1\aol90i~1.lnk - c:\program files\aol 9.0\aoltray.exe
StartupFolder: c:\docume~1\alluse~1\menudm~1\progra~1\dmarra~1\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\menudm~1\progra~1\dmarra~1\wirele~1.lnk - c:\program files\trendnet\trendnet tew-421pc_tew-423pi\WlanCU.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {A903E5AB-C67E-40FB-94F1-E1305982F6E0} - hxxp://www.ooxtv.com/stream.ocx
DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} - hxxp://support.f-secure.com/ols/fscax.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D4003189-95B1-4A2F-9A87-F2B03665960D} - hxxp://www.vjage.com/download/vjocx-en.cab
DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
DPF: {DA80E089-4648-43D5-93B4-7F37917084E6} - hxxp://www.candystand.com/assets/activex/virtools/CacheManager.CAB
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============

R1 SSHDRV65;SSHDRV65;c:\windows\system32\drivers\SSHDRV65.sys [2008-6-8 120320]
R2 Alert Notification Server;Alert Notification Server;c:\program files\ca\sharedcomponents\alert\alert.exe [2006-8-27 192574]
R2 SFTSER;SFTSER;c:\windows\system32\drivers\sftser.sys [2008-11-30 42944]
R3 cmudax;C-Media High Definition Audio Interface;c:\windows\system32\drivers\cmudax.sys [2004-10-1 1272000]
S2 InoNmSrv;eTrust Antivirus Admin Server;c:\program files\ca\etrust antivirus\InoNmSrv.exe [2004-6-25 344336]
S2 vvdsvc;VJVodServices;c:\windows\system32\svchost.exe -k vvdsvc [2004-8-5 14336]
S3 alcan5ln;SpeedTouch™ USB ADSL RFC1483 Networking Driver (NDIS);c:\windows\system32\drivers\alcan5ln.sys [2006-12-26 36256]
S4 MapMemP;MapMemP;\??\c:\windows\system32\drivers\mapmemp.sys --> c:\windows\system32\drivers\MapMemP.Sys [?]

=============== Created Last 30 ================

2009-03-23 02:17 <DIR> --d----- C:\fsaua.data
2009-03-23 02:06 <DIR> --d----- C:\_OTMoveIt
2009-03-23 02:03 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-23 02:03 73,728 a------- c:\windows\system32\javacpl.cpl
2009-03-15 21:14 <DIR> a-dshr-- C:\cmdcons
2009-03-15 21:10 161,792 a------- c:\windows\SWREG.exe
2009-03-15 21:10 98,816 a------- c:\windows\sed.exe
2009-03-13 17:30 41 a------- C:\WLANCUGINA.TEXT
2009-03-13 13:23 20 a------- C:\GINA.TEXT
2009-03-13 13:23 308,096 a------- c:\windows\system32\drivers\RTL8185.SYS
2009-03-13 13:22 21,035 a------- c:\windows\system32\drivers\AegisP.sys
2009-03-13 13:21 <DIR> --d----- c:\windows\system32\Wireless
2009-03-13 13:21 <DIR> --d----- c:\windows\OPTIONS
2009-03-13 13:20 <DIR> --d----- c:\program files\TRENDnet
2009-03-06 00:57 81,984 a------- c:\windows\system32\bdod.bin
2009-03-06 00:52 2,206 a------- c:\windows\system32\wpa.dbl
2009-03-06 00:11 <DIR> --d----- c:\program files\Viewpoint
2009-03-05 22:55 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-05 22:55 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-05 22:55 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-05 22:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-05 21:59 <DIR> --d----- c:\windows\pss
2009-03-05 17:09 121 a------- c:\windows\bdagent.INI
2009-03-05 14:31 <DIR> --d----- c:\program files\BitDefender
2009-03-05 14:29 <DIR> --d----- c:\program files\fichiers communs\BitDefender
2009-03-05 14:26 <DIR> --d----- c:\program files\DivxAccess

==================== Find3M ====================

2009-03-05 14:27 14,336 a------- c:\windows\system32\svchost.exe
2009-02-09 15:05 1,846,912 a------- c:\windows\system32\win32k.sys
2009-01-27 00:01 107,888 a------- c:\windows\system32\CmdLineExt.dll
2009-01-26 23:58 22,328 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-01-26 23:58 22,328 a------- c:\docume~1\mathiew\applic~1\PnkBstrK.sys
2009-01-26 23:58 107,832 a------- c:\windows\system32\PnkBstrB.exe
2009-01-26 23:58 2,250,024 a------- c:\windows\system32\pbsvc.exe
2009-01-26 23:58 66,872 a------- c:\windows\system32\PnkBstrA.exe
2008-12-23 21:58 453,152 a------- c:\windows\system32\NVUNINST.EXE
2008-11-30 21:29 45,688 a------- c:\docume~1\mathiew\applic~1\GDIPFONTCACHEV1.DAT
2007-02-21 11:14 278,528 a------- c:\program files\fichiers communs\FDEUnInstaller.exe
2008-08-27 00:27 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\historique\history.ie5\mshist012008082720080828\index.dat

============= FINISH: 10:12:59,85 ===============



Edited by PropagandaPanda, 23 March 2009 - 07:24 AM.


#8 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:06:27 PM

Posted 23 March 2009 - 07:27 AM

Hello.

It looks clean.

However, I want to check to make sure a Windows file is not infected.

Submit File to Online Scanner
There is a file that I would like you to check out for me using VirusTotal/VirSCAN
  • Open VirusTotal Online Scanner or VirSCAN. If one site is busy or down, try the other
  • At the top of the page you'll see a box. Paste in the following line(s) (do one line at a time).
  • c:\windows\system32\svchost.exe
  • Click Submit.
  • Wait for the scan to finish.
  • Copy Scanner Results into your next reply.
  • If more than one file was listed, repeat for each of them.

Any problems at the moment?

With Regards,
The Panda

#9 eggscalibur
  • Topic Starter
  • Members
  • 9 posts
  • Local time:05:27 PM

Posted 23 March 2009 - 07:54 AM

Hey Panda,

Can I reinstall my Nvidia drivers now? And for some reason, the choose user screen when I first boot up the computer is completely different from the classic XP one. I have to type in user name etc, and when I press ctrl+alt+delete, it sends me to "windows security" à la Vista, instead of just popping up taskmgr. Weird.

Anyway, c:\windows\system32\svchost.exe looks clean:

File svchost.exe received on 03.20.2009 18:35:04 (CET)
Current status: finished

Result: 0/38 (0.00%)
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.03.20 -
AhnLab-V3 5.0.0.2 2009.03.20 -
AntiVir 7.9.0.120 2009.03.20 -
Authentium 5.1.2.4 2009.03.20 -
Avast 4.8.1335.0 2009.03.20 -
AVG 8.5.0.283 2009.03.20 -
BitDefender 7.2 2009.03.20 -
CAT-QuickHeal 10.00 2009.03.20 -
ClamAV 0.94.1 2009.03.20 -
Comodo 1076 2009.03.20 -
DrWeb 4.44.0.09170 2009.03.20 -
eSafe 7.0.17.0 2009.03.19 -
eTrust-Vet 31.6.6408 2009.03.20 -
F-Prot 4.4.4.56 2009.03.20 -
F-Secure 8.0.14470.0 2009.03.20 -
Fortinet 3.117.0.0 2009.03.20 -
GData 19 2009.03.20 -
Ikarus T3.1.1.48.0 2009.03.20 -
K7AntiVirus 7.10.677 2009.03.20 -
Kaspersky 7.0.0.125 2009.03.20 -
McAfee 5558 2009.03.20 -
McAfee+Artemis 5558 2009.03.19 -
McAfee-GW-Edition 6.7.6 2009.03.20 -
Microsoft 1.4502 2009.03.20 -
NOD32 3952 2009.03.20 -
Norman 6.00.06 2009.03.20 -
nProtect 2009.1.8.0 2009.03.20 -
Panda 10.0.0.10 2009.03.20 -
PCTools 4.4.2.0 2009.03.20 -
Prevx1 V2 2009.03.20 -
Rising 21.21.42.00 2009.03.20 -
Sophos 4.39.0 2009.03.20 -
Sunbelt 3.2.1858.2 2009.03.19 -
Symantec 1.4.4.12 2009.03.20 -
TheHacker 6.3.3.0.286 2009.03.20 -
TrendMicro 8.700.0.1004 2009.03.20 -
ViRobot 2009.3.20.1658 2009.03.20 -
VirusBuster 4.6.5.0 2009.03.20 -
Additional information
File size: 14336 bytes
MD5...: e4bdf223cd75478bf44567b4d5c2634d
SHA1..: 3d70560753b0ab43252311fa85e12f36a51a5f55
SHA256: 6234155d6c02c67689744d21380b17db5fe395bc8622c71b046e40ca1767785a
SHA512: b806bd12bc6a507aa87ac8ab347044f82c3593bfae3832d0a3e88a545a051776177aa9214eeac785d64f35ae83e695f90859e655d5020ff195791cefff407c7e
ssdeep: 384:nrdi+JmG6yqlCRaJt4RHS5LutGJae7g9VJnpWCNJbW:jcG6xlCRaJKGOA7SHJ

PEiD..: -
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x2509
timedatestamp.....: 0x48025bc0 (Sun Apr 13 19:15:12 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x2c00 0x2c00 6.29 48331595af9d9d52b478844a07357653
.data 0x4000 0x210 0x200 1.62 cbd504e46c836e09e8faabdcfbabaec2
.rsrc 0x5000 0x408 0x600 2.51 dcede0c303bbb48c6875eb64477e5882

( 4 imports )
> ADVAPI32.dll: RegQueryValueExW, SetSecurityDescriptorDacl, SetEntriesInAclW, SetSecurityDescriptorGroup, SetSecurityDescriptorOwner, InitializeSecurityDescriptor, GetTokenInformation, OpenProcessToken, OpenThreadToken, SetServiceStatus, RegisterServiceCtrlHandlerW, RegCloseKey, RegOpenKeyExW, StartServiceCtrlDispatcherW
> KERNEL32.dll: HeapFree, GetLastError, WideCharToMultiByte, lstrlenW, LocalFree, GetCurrentProcess, GetCurrentThread, GetProcAddress, LoadLibraryExW, LeaveCriticalSection, HeapAlloc, EnterCriticalSection, LCMapStringW, FreeLibrary, lstrcpyW, ExpandEnvironmentStringsW, lstrcmpiW, ExitProcess, GetCommandLineW, InitializeCriticalSection, GetProcessHeap, SetErrorMode, SetUnhandledExceptionFilter, RegisterWaitForSingleObject, InterlockedCompareExchange, LoadLibraryA, QueryPerformanceCounter, GetTickCount, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, TerminateProcess, UnhandledExceptionFilter, LocalAlloc, lstrcmpW, DelayLoadFailureHook
> ntdll.dll: NtQuerySecurityObject, RtlFreeHeap, NtOpenKey, wcscat, wcscpy, RtlAllocateHeap, RtlCompareUnicodeString, RtlInitUnicodeString, RtlInitializeSid, RtlLengthRequiredSid, RtlSubAuthoritySid, NtClose, RtlSubAuthorityCountSid, RtlGetDaclSecurityDescriptor, RtlQueryInformationAcl, RtlGetAce, RtlImageNtHeader, wcslen, RtlUnhandledExceptionFilter, RtlCopySid
> RPCRT4.dll: RpcServerUnregisterIfEx, RpcMgmtWaitServerListen, RpcMgmtSetServerStackSize, RpcServerUnregisterIf, RpcServerListen, RpcServerUseProtseqEpW, RpcServerRegisterIf, I_RpcMapWin32Status, RpcMgmtStopServerListening

( 0 exports )

Once more, I can't thank you enough =)

Take care,

Eggs

#10 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:06:27 PM

Posted 23 March 2009 - 02:15 PM

Hello.

Feel free to reinstall anything.

And for some reason, the choose user screen when I first boot up the computer is completely different from the classic XP one. I have to type in user name etc, and when I press ctrl+alt+delete, it sends me to "windows security" à la Vista, instead of just popping up taskmgr. Weird.

Please tell me after which step this started occurring.

With Regards,
The Panda

#11 eggscalibur
  • Topic Starter
  • Members
  • 9 posts
  • Local time:05:27 PM

Posted 24 March 2009 - 05:08 AM

Reinstalled drivers, no problems.

The weird log-in screen started happening before the very first step when I was trying to get a desktop to work with.

Either way, thanks a million for your help. You know your stuff and I am grateful!

Take care,

Eggs

#12 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:27 PM

Posted 24 March 2009 - 03:08 PM

Hello Eggs.

I'm not sure what is causing the logon screen. I would try posting a topic in the Windows XP Forum for that issue.

Uninstall ComboFix
Remove Combofix now that we're done with it.
  • Click on your Start Menu, then Run....
  • Now type combofix /u in the runbox and click OK. Notice the space between the "x" and "/".
Uninstalling ComboFix will do the following:
  • Delete ComboFix and its components from your computer.
  • Delete other tools commonly used during the malware removal process.
  • Reset clock settings to standard format.
  • Hide file extensions and hidden/system files.
  • Clear the System Restore cache and create a new restore point.
Preventing Malware Infection in the Future
Please take some time to look at the following links, giving some advice and suggestions for preventing future infections: For general slowness problems that you may have, take a look at Slow Computer/browser? It May Not Be Malware. Read How to use the Startup Database to identify and disable unneeded processes and increase the amount of available resources.

Do you have any questions or concerns?

With Regards,
The Panda

#13 eggscalibur

eggscalibur
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:05:27 PM

Posted 24 March 2009 - 03:25 PM

Uninstalled Combofix.

Done! I have no more concerns or problems with my PC. And I'm very impressed. I wanted to congratulate you (and the whole team around here) for some excellent work.. keep it up! You help lots and lots of people like me, and it's much appreciated I'm sure. Thanks a million for all the help.

Take care,

Eggs

#14 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:27 PM

Posted 24 March 2009 - 03:26 PM

Glad we could help.

Since this issue appears to be resolved, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda
