Brontok-CE infection and various others


  • This topic is locked
32 replies to this topic

#1 blinblin


Posted 22 May 2010 - 12:31 AM

Hi,

Following a diagnosis by boopme there, I am here for some help with a Brontok-CE infection and others, including backdoors, trojans and rootkits, it seems.

To begin with, here follow the DDS, HijackThis and GMER logs.

Thank you very much for your help!


DDS (Ver_10-03-17.01) - NTFSx86
Run by JEANINE MARTINET at 8:52:57,68 on 21/05/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Édition familiale 5.1.2600.3.1252.41.1036.18.1013.522 [GMT 2:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\system32\wscript.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wscript.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
svchost.exe
C:\Program Files\Orange\AntivirusFirewall\Common\FSMA32.EXE
C:\PROGRA~1\FICHIE~1\France Telecom\Shared Modules\FTRTSVC\0\FTRTSVC.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Orange\AntivirusFirewall\Common\FSMB32.EXE
C:\Program Files\System Control Manager\MSIService.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Orange\AntivirusFirewall\Common\FCH32.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
C:\Program Files\Orange\AntivirusFirewall\Common\FAMEH32.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\JEANINE MARTINET\Bureau\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.site-officiel.110mb.com/
uSearch Page = hxxp://www.google.com
uWindow Title = (-[ MyLoveFaceBook.LiuYiFei@Hotmail.CoM ]-)
uDefault_Page_URL = hxxp://www.bing.fr/
uInternet Settings,ProxyOverride =
uURLSearchHooks: H - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\fichiers communs\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: barre d'outils Orange: {d3028143-6145-4318-99d3-3edce54a95a9} - c:\program files\orange\toolbar fr\ToolbarContainer101000303.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: Recherche Orange: {86d596ef-de80-4458-9aae-3e75c75d8127} - c:\windows\system32\SHDOCVW.DLL
EB: barre d'outils Orange: {d3028143-6145-4318-99d3-3edce54a95a9} - c:\program files\orange\toolbar fr\ToolbarContainer101000303.dll
EB: Orange Desktop Search: {e62194c0-4596-4676-a0b3-c4554dcb3ffb} - c:\program files\orange\desktopsearch\DesktopSearchBand203000033.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [baseWINDOWS] c:\windows\system32\wscript.exe /e:vbs c:\windows\system32\baseWINDOWS.db
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [LanguageShortcut] "c:\program files\homecinema\powerdvd\language\Language.exe"
mRun: [BEWINTERNET-FR-DMGP-V2SessionManager] c:\program files\orange\iewinternet\sessionmanager\SessionManager.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: []
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [Adobe Reader 9.0] c:\windows\system32\wscript.exe /e:vbs c:\windows\system32\baseWINDOWS.db
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\menudm~1\progra~1\dmarra~1\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: E&xporter vers Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1211958002140
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1222858644459
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
IFEO: AutorunRemover.exe - c:\windows\system32\wscript.exe /e:vbs c:\windows\system32\baseWINDOWS.db
IFEO: autoruns.exe - c:\windows\system32\wscript.exe /e:vbs c:\windows\system32\baseWINDOWS.db
IFEO: Avira.exe - c:\windows\system32\wscript.exe /e:vbs c:\windows\system32\baseWINDOWS.db
IFEO: chrome.exe - c:\program files\internet explorer\IEXPLORE.EXE
IFEO: drwtsn32.exe - c:\windows\system32\wscript.exe /e:vbs c:\windows\system32\baseWINDOWS.db

Note: multiple IFEO entries found. Please refer to Attach.txt

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2009-3-14 164048]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-6 68168]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-3-14 19024]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-19 40384]
R2 Micro Star SCM;Micro Star SCM;c:\program files\system control manager\MSIService.exe [2008-6-10 159744]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-19 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-19 40384]
R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [2008-6-10 156160]
R3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\system32\drivers\rt2860.sys [2008-5-28 572416]
S3 F-Secure Gatekeeper;F-Secure Gatekeeper;\??\c:\program files\orange\antivirusfirewall\anti-virus\minifilter\fsgk.sys --> c:\program files\orange\antivirusfirewall\anti-virus\minifilter\fsgk.sys [?]
S3 fsbl;F-Secure BlackLight Engine Driver;\??\c:\program files\orange\antivirusfirewall\anti-virus\fsbldrv.sys --> c:\program files\orange\antivirusfirewall\anti-virus\fsbldrv.sys [?]
S3 GT72NDISIPXP;GT 72 IP NDIS;c:\windows\system32\drivers\Gt51Ip.sys [2008-7-11 95744]
S3 GT72UBUS;GT 72 U BUS;c:\windows\system32\drivers\gt72ubus.sys [2008-7-11 51968]
S4 F-Secure Filter;F-Secure File System Filter;\??\c:\program files\orange\antivirusfirewall\anti-virus\win2k\fsfilter.sys --> c:\program files\orange\antivirusfirewall\anti-virus\win2k\FSfilter.sys [?]
S4 F-Secure Recognizer;F-Secure File System Recognizer;\??\c:\program files\orange\antivirusfirewall\anti-virus\win2k\fsrec.sys --> c:\program files\orange\antivirusfirewall\anti-virus\win2k\FSrec.sys [?]

=============== Created Last 30 ================

2010-05-20 03:20:41 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-05-20 03:20:24 0 d-----w- c:\program files\SUPERAntiSpyware
2010-05-20 03:20:24 0 d-----w- c:\docume~1\jeanin~1\applic~1\SUPERAntiSpyware.com
2010-05-20 03:20:07 0 d-----w- c:\program files\fichiers communs\Wise Installation Wizard
2010-05-20 02:11:07 0 d-----w- c:\docume~1\jeanin~1\applic~1\Malwarebytes
2010-05-20 02:10:53 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-20 02:10:52 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-20 02:10:52 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-20 02:10:51 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-20 01:02:36 0 d-----w- c:\program files\Trend Micro
2010-05-19 15:35:08 0 d-----w- c:\windows\pss
2010-05-19 15:17:29 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-05-19 15:11:37 0 d-----w- c:\program files\CCleaner
2010-05-18 05:49:27 108 --sha-r- C:\autorun.inf
2010-05-16 15:27:43 0 d-sh--w- c:\documents and settings\jeanine martinet\PrivacIE
2010-05-16 15:15:49 108 --sha-r- C:\autorun.9nf
2010-05-16 15:12:05 0 d-sh--w- c:\documents and settings\jeanine martinet\IETldCache
2010-05-16 15:10:15 0 dc-h--w- c:\windows\ie8
2010-05-16 15:09:49 0 d--h--w- c:\windows\msdownld.tmp
2010-05-11 05:49:50 108 --sha-r- C:\autorun.8nf
2010-05-11 05:49:50 108 --sha-r- C:\autorun.7nf
2010-05-11 05:49:50 108 --sha-r- C:\autorun.5nf
2010-05-08 05:47:01 108 --sha-r- C:\autorun.6nf
2010-04-23 07:03:13 108 --sha-r- C:\autorun.4nf
2010-04-23 07:03:13 108 --sha-r- C:\autorun.3nf
2010-04-23 07:03:13 108 --sha-r- C:\autorun.2nf
2010-04-23 07:03:13 108 --sha-r- C:\autorun.1nf
2010-04-23 07:03:13 108 --sha-r- C:\autorun.0nf

==================== Find3M ====================

2010-05-19 15:26:27 525662 ----a-w- c:\windows\system32\perfh00C.dat
2010-05-19 15:26:26 91532 ----a-w- c:\windows\system32\perfc00C.dat
2008-10-13 11:55:00 16384 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2008-06-09 13:10:14 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\historique\history.ie5\mshist012008060920080610\index.dat
2009-01-10 09:15:08 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\historique\history.ie5\mshist012009011020090111\index.dat

============= FINISH: 8:53:51,25 ===============


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 07:24:50, on 22/05/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\system32\wscript.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wscript.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Orange\AntivirusFirewall\Common\FSMA32.EXE
C:\Program Files\Orange\AntivirusFirewall\Common\FSMB32.EXE
C:\PROGRA~1\FICHIE~1\France Telecom\Shared Modules\FTRTSVC\0\FTRTSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\System Control Manager\MSIService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
C:\Program Files\Orange\AntivirusFirewall\Common\FCH32.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Orange\AntivirusFirewall\Common\FAMEH32.EXE
C:\WINDOWS\system32\Wscript.exe
C:\WINDOWS\system32\Wscript.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\Wscript.exe
C:\HijackThis\gabuzomeu204.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bing.fr/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.site-officiel.110mb.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = (-[ MyLoveFaceBook.LiuYiFei@Hotmail.CoM ]-)
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: (no name) - {814C76CB-2623-43F4-AAD0-58A0E5190A20} - (no file)
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\HomeCinema\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [BEWINTERNET-FR-DMGP-V2SessionManager] C:\Program Files\Orange\IEWInternet\SessionManager\SessionManager.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [Adobe Reader 9.0] C:\WINDOWS\system32\wscript.exe /E:vbs C:\WINDOWS\system32\baseWINDOWS.db
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [baseWINDOWS] C:\WINDOWS\system32\wscript.exe /E:vbs C:\WINDOWS\system32\baseWINDOWS.db
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Orange\Toolbar FR\ToolbarContainer101000303.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Orange\Toolbar FR\ToolbarContainer101000303.dll
O9 - Extra button: Envoyer à OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Orange\Toolbar FR\ToolbarContainer101000303.dll
O9 - Extra 'Tools' menuitem: &Envoyer à OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Orange\Toolbar FR\ToolbarContainer101000303.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Sélection intelligente HP - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\Orange\Toolbar FR\ToolbarContainer101000303.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1211958002140
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1222858644459
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Pré-chargeur Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Démon de cache des catégories de composant - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Service d'administration du Gestionnaire de disque logique (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Journal des événements (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Fax - Unknown owner - C:\WINDOWS\system32\fxssvc.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Orange\AntivirusFirewall\Common\FSMA32.EXE
O23 - Service: France Telecom Routing Table Service (FTRTSVC) - Unknown owner - C:\PROGRA~1\FICHIE~1\France Telecom\Shared Modules\FTRTSVC\0\FTRTSVC.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Service COM de gravage de CD IMAPI (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe
O23 - Service: Micro Star SCM - Unknown owner - C:\Program Files\System Control Manager\MSIService.exe
O23 - Service: Partage de Bureau à distance NetMeeting (mnmsrvc) - Unknown owner - C:\WINDOWS\system32\mnmsrvc.exe
O23 - Service: Plug-and-Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Gestionnaire de session d'aide sur le Bureau à distance (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo.exe
O23 - Service: Carte à puce (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Journaux et alertes de performance (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Cliché instantané de volume (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Carte de performance WMI (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe
O23 - Service: Service Partage réseau du Lecteur Windows Media (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe

--
End of file - 11145 bytes





GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-21 22:32:05
Windows 5.1.2600 Service Pack 3
Running: AsTuYbO.exe; Driver: C:\DOCUME~1\JEANIN~1\LOCALS~1\Temp\pfriypow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xA59A2C7A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xA59A2B36]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteKey [0xA59A30EA]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xA59A3014]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xA59A270C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xA59A2C10]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xA59A264C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xA59A26B0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xA59A2D30]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRenameKey [0xA59A31B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xA59A2CF0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xA59A2E70]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xA5A66950]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0xA59AFAC6]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0xA59AF8EA]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0xA59AFA24]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2CCC 80504568 4 Bytes JMP 66A59A30
PAGE ntkrnlpa.exe!ZwLoadDriver 8058413A 7 Bytes JMP A59AFA28 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!NtCreateSection 805AB3AC 7 Bytes JMP A59AF8EE \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 805BC520 5 Bytes JMP A59AB536 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ObInsertObject 805C2FA4 5 Bytes JMP A59ACEC2 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D1144 7 Bytes JMP A59AFACA \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[176] USER32.dll!DialogBoxParamW 7E3A47AB 5 Bytes JMP 00C89315 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[176] USER32.dll!CreateWindowExW 7E3AD0A3 5 Bytes JMP 00D64832 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[176] USER32.dll!DialogBoxIndirectParamW 7E3B2072 5 Bytes JMP 00E7E021 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[176] USER32.dll!MessageBoxIndirectA 7E3BA082 5 Bytes JMP 00E7DF51 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[176] USER32.dll!DialogBoxParamA 7E3BB144 5 Bytes JMP 00E7DFBE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[176] USER32.dll!MessageBoxExW 7E3D0838 5 Bytes JMP 00E7DE22 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[176] USER32.dll!MessageBoxExA 7E3D085C 5 Bytes JMP 00E7DE84 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[176] USER32.dll!DialogBoxIndirectParamA 7E3D6D7D 5 Bytes JMP 00E7E084 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[176] USER32.dll!MessageBoxIndirectW 7E3E64D5 5 Bytes JMP 00E7DEE6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2148] USER32.dll!DialogBoxParamW 7E3A47AB 5 Bytes JMP 00C89315 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2148] USER32.dll!SetWindowsHookExW 7E3A820F 5 Bytes JMP 00D5DBCB C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2148] USER32.dll!CallNextHookEx 7E3AB3C6 5 Bytes JMP 00D5DD81 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2148] USER32.dll!CreateWindowExW 7E3AD0A3 5 Bytes JMP 00D64832 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2148] USER32.dll!UnhookWindowsHookEx 7E3AD5F3 5 Bytes JMP 00CC1CA2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2148] USER32.dll!DialogBoxIndirectParamW 7E3B2072 5 Bytes JMP 00E7E021 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2148] USER32.dll!MessageBoxIndirectA 7E3BA082 5 Bytes JMP 00E7DF51 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2148] USER32.dll!DialogBoxParamA 7E3BB144 5 Bytes JMP 00E7DFBE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2148] USER32.dll!MessageBoxExW 7E3D0838 5 Bytes JMP 00E7DE22 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2148] USER32.dll!MessageBoxExA 7E3D085C 5 Bytes JMP 00E7DE84 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2148] USER32.dll!DialogBoxIndirectParamA 7E3D6D7D 5 Bytes JMP 00E7E084 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2148] USER32.dll!MessageBoxIndirectW 7E3E64D5 5 Bytes JMP 00E7DEE6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2148] ole32.dll!CoCreateInstance 774C057E 5 Bytes JMP 00D6488E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3068] USER32.dll!DialogBoxParamW 7E3A47AB 5 Bytes JMP 00C89315 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3068] USER32.dll!SetWindowsHookExW 7E3A820F 5 Bytes JMP 00D5DBCB C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3068] USER32.dll!CallNextHookEx 7E3AB3C6 5 Bytes JMP 00D5DD81 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3068] USER32.dll!CreateWindowExW 7E3AD0A3 5 Bytes JMP 00D64832 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3068] USER32.dll!UnhookWindowsHookEx 7E3AD5F3 5 Bytes JMP 00CC1CA2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3068] USER32.dll!DialogBoxIndirectParamW 7E3B2072 5 Bytes JMP 00E7E021 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3068] USER32.dll!MessageBoxIndirectA 7E3BA082 5 Bytes JMP 00E7DF51 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3068] USER32.dll!DialogBoxParamA 7E3BB144 5 Bytes JMP 00E7DFBE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3068] USER32.dll!MessageBoxExW 7E3D0838 5 Bytes JMP 00E7DE22 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3068] USER32.dll!MessageBoxExA 7E3D085C 5 Bytes JMP 00E7DE84 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3068] USER32.dll!DialogBoxIndirectParamA 7E3D6D7D 5 Bytes JMP 00E7E084 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3068] USER32.dll!MessageBoxIndirectW 7E3E64D5 5 Bytes JMP 00E7DEE6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3068] ole32.dll!CoCreateInstance 774C057E 5 Bytes JMP 00D6488E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3076] USER32.dll!DialogBoxParamW 7E3A47AB 5 Bytes JMP 00C89315 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3076] USER32.dll!SetWindowsHookExW 7E3A820F 5 Bytes JMP 00D5DBCB C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3076] USER32.dll!CallNextHookEx 7E3AB3C6 5 Bytes JMP 00D5DD81 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3076] USER32.dll!CreateWindowExW 7E3AD0A3 5 Bytes JMP 00D64832 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3076] USER32.dll!UnhookWindowsHookEx 7E3AD5F3 5 Bytes JMP 00CC1CA2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3076] USER32.dll!DialogBoxIndirectParamW 7E3B2072 5 Bytes JMP 00E7E021 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3076] USER32.dll!MessageBoxIndirectA 7E3BA082 5 Bytes JMP 00E7DF51 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3076] USER32.dll!DialogBoxParamA 7E3BB144 5 Bytes JMP 00E7DFBE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3076] USER32.dll!MessageBoxExW 7E3D0838 5 Bytes JMP 00E7DE22 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3076] USER32.dll!MessageBoxExA 7E3D085C 5 Bytes JMP 00E7DE84 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3076] USER32.dll!DialogBoxIndirectParamA 7E3D6D7D 5 Bytes JMP 00E7E084 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3076] USER32.dll!MessageBoxIndirectW 7E3E64D5 5 Bytes JMP 00E7DEE6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3076] ole32.dll!CoCreateInstance 774C057E 5 Bytes JMP 00D6488E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device \FileSystem\Fastfat \FatCdrom aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \FileSystem\Fastfat \Fat aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\HP Photosmart C5200 series@ChangeID 246703
Reg HKLM\SOFTWARE\Classes\CLSID\{B6A930A0-A4F5-43A5-9B4E-6189A6C2B9E8}@y!s!\24!r!s!`!\30!y!\24!\24!t!\30!c!y!s!d! 19583823

---- EOF - GMER 1.0.15 ----



#2 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:03:28 PM

Posted 24 May 2010 - 05:40 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Shannon

#3 blinblin

blinblin
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:09:28 PM

Posted 25 May 2010 - 04:48 AM

Thanks Shannon.

The DDS and GMER logs I sent should be fine, since the computer hasn't been run since then. But here are fresh ones anyway. Also, here is a description of the symptoms and what we did in the diagnosis topic:

- run MBAM
- run Bitdefender online scan
- run ATFcleaner and Super Anti Spyware

And the symptoms were: on a Windows XP SP3 system, a startup scan with avast 5 found a series of files infected with win32:Brontok-CE; they were put into quarantine.

Some of the problems I noticed, even after the files were quarantined:

- the Internet Explorer 8 start page always comes back to www.site-officiel.110mb.com, even if changed
- the Task Manager is unreachable with Ctrl+Alt+Del
- regedit doesn't launch
- "display hidden files and folders" in Windows Explorer doesn't work; it switches itself back to "don't display"

The problems are still there, starting with the start page of IE8.

And now for the fresh DDS and GMER logs:


DDS (Ver_10-03-17.01) - NTFSx86
Run by JEANINE MARTINET at 8:07:46,20 on 25/05/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Édition familiale 5.1.2600.3.1252.41.1036.18.1013.540 [GMT 2:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\system32\wscript.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wscript.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
svchost.exe
C:\Program Files\Orange\AntivirusFirewall\Common\FSMA32.EXE
C:\PROGRA~1\FICHIE~1\France Telecom\Shared Modules\FTRTSVC\0\FTRTSVC.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Orange\AntivirusFirewall\Common\FSMB32.EXE
C:\Program Files\System Control Manager\MSIService.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Orange\AntivirusFirewall\Common\FCH32.EXE
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Orange\AntivirusFirewall\Common\FAMEH32.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\JEANINE MARTINET\Bureau\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.site-officiel.110mb.com/
uSearch Page = hxxp://www.google.com
uWindow Title = (-[ MyLoveFaceBook.LiuYiFei@Hotmail.CoM ]-)
uDefault_Page_URL = hxxp://www.bing.fr/
uInternet Settings,ProxyOverride =
uURLSearchHooks: H - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\fichiers communs\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: barre d'outils Orange: {d3028143-6145-4318-99d3-3edce54a95a9} - c:\program files\orange\toolbar fr\ToolbarContainer101000303.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: Recherche Orange: {86d596ef-de80-4458-9aae-3e75c75d8127} - c:\windows\system32\SHDOCVW.DLL
EB: barre d'outils Orange: {d3028143-6145-4318-99d3-3edce54a95a9} - c:\program files\orange\toolbar fr\ToolbarContainer101000303.dll
EB: Orange Desktop Search: {e62194c0-4596-4676-a0b3-c4554dcb3ffb} - c:\program files\orange\desktopsearch\DesktopSearchBand203000033.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [baseWINDOWS] c:\windows\system32\wscript.exe /e:vbs c:\windows\system32\baseWINDOWS.db
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [LanguageShortcut] "c:\program files\homecinema\powerdvd\language\Language.exe"
mRun: [BEWINTERNET-FR-DMGP-V2SessionManager] c:\program files\orange\iewinternet\sessionmanager\SessionManager.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: []
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [Adobe Reader 9.0] c:\windows\system32\wscript.exe /e:vbs c:\windows\system32\baseWINDOWS.db
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\menudm~1\progra~1\dmarra~1\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: E&xporter vers Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1211958002140
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1222858644459
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
IFEO: AutorunRemover.exe - c:\windows\system32\wscript.exe /e:vbs c:\windows\system32\baseWINDOWS.db
IFEO: autoruns.exe - c:\windows\system32\wscript.exe /e:vbs c:\windows\system32\baseWINDOWS.db
IFEO: Avira.exe - c:\windows\system32\wscript.exe /e:vbs c:\windows\system32\baseWINDOWS.db
IFEO: chrome.exe - c:\program files\internet explorer\IEXPLORE.EXE
IFEO: drwtsn32.exe - c:\windows\system32\wscript.exe /e:vbs c:\windows\system32\baseWINDOWS.db

Note: multiple IFEO entries found. Please refer to Attach.txt

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2009-3-14 164048]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-6 68168]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-3-14 19024]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-19 40384]
R2 Micro Star SCM;Micro Star SCM;c:\program files\system control manager\MSIService.exe [2008-6-10 159744]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-19 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-19 40384]
R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [2008-6-10 156160]
R3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\system32\drivers\rt2860.sys [2008-5-28 572416]
S3 F-Secure Gatekeeper;F-Secure Gatekeeper;\??\c:\program files\orange\antivirusfirewall\anti-virus\minifilter\fsgk.sys --> c:\program files\orange\antivirusfirewall\anti-virus\minifilter\fsgk.sys [?]
S3 fsbl;F-Secure BlackLight Engine Driver;\??\c:\program files\orange\antivirusfirewall\anti-virus\fsbldrv.sys --> c:\program files\orange\antivirusfirewall\anti-virus\fsbldrv.sys [?]
S3 GT72NDISIPXP;GT 72 IP NDIS;c:\windows\system32\drivers\Gt51Ip.sys [2008-7-11 95744]
S3 GT72UBUS;GT 72 U BUS;c:\windows\system32\drivers\gt72ubus.sys [2008-7-11 51968]
S4 F-Secure Filter;F-Secure File System Filter;\??\c:\program files\orange\antivirusfirewall\anti-virus\win2k\fsfilter.sys --> c:\program files\orange\antivirusfirewall\anti-virus\win2k\FSfilter.sys [?]
S4 F-Secure Recognizer;F-Secure File System Recognizer;\??\c:\program files\orange\antivirusfirewall\anti-virus\win2k\fsrec.sys --> c:\program files\orange\antivirusfirewall\anti-virus\win2k\FSrec.sys [?]

=============== Created Last 30 ================

2010-05-21 07:13:24 0 d-----w- C:\HijackThis
2010-05-20 03:20:41 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-05-20 03:20:24 0 d-----w- c:\program files\SUPERAntiSpyware
2010-05-20 03:20:24 0 d-----w- c:\docume~1\jeanin~1\applic~1\SUPERAntiSpyware.com
2010-05-20 03:20:07 0 d-----w- c:\program files\fichiers communs\Wise Installation Wizard
2010-05-20 02:11:07 0 d-----w- c:\docume~1\jeanin~1\applic~1\Malwarebytes
2010-05-20 02:10:53 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-20 02:10:52 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-20 02:10:52 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-20 02:10:51 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-20 01:02:36 0 d-----w- c:\program files\Trend Micro
2010-05-19 15:35:08 0 d-----w- c:\windows\pss
2010-05-19 15:17:29 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-05-19 15:11:37 0 d-----w- c:\program files\CCleaner
2010-05-18 05:49:27 108 --sha-r- C:\autorun.inf
2010-05-16 15:27:43 0 d-sh--w- c:\documents and settings\jeanine martinet\PrivacIE
2010-05-16 15:15:49 108 --sha-r- C:\autorun.9nf
2010-05-16 15:12:05 0 d-sh--w- c:\documents and settings\jeanine martinet\IETldCache
2010-05-16 15:10:15 0 dc-h--w- c:\windows\ie8
2010-05-16 15:09:49 0 d--h--w- c:\windows\msdownld.tmp
2010-05-11 05:49:50 108 --sha-r- C:\autorun.8nf
2010-05-11 05:49:50 108 --sha-r- C:\autorun.7nf
2010-05-11 05:49:50 108 --sha-r- C:\autorun.5nf
2010-05-08 05:47:01 108 --sha-r- C:\autorun.6nf

==================== Find3M ====================

2010-05-19 15:26:27 525662 ----a-w- c:\windows\system32\perfh00C.dat
2010-05-19 15:26:26 91532 ----a-w- c:\windows\system32\perfc00C.dat
2008-10-13 11:55:00 16384 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2008-06-09 13:10:14 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\historique\history.ie5\mshist012008060920080610\index.dat
2009-01-10 09:15:08 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\historique\history.ie5\mshist012009011020090111\index.dat

============= FINISH: 8:08:27,12 ===============



GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-25 11:40:27
Windows 5.1.2600 Service Pack 3
Running: TgUyHbNoKp.exe; Driver: C:\DOCUME~1\JEANIN~1\LOCALS~1\Temp\pfriypow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xA52C0C7A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xA52C0B36]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteKey [0xA52C10EA]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xA52C1014]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xA52C070C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xA52C0C10]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xA52C064C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xA52C06B0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xA52C0D30]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRenameKey [0xA52C11B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xA52C0CF0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xA52C0E70]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xA5384950]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0xA52CDAC6]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0xA52CD8EA]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0xA52CDA24]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2CCC 80504568 4 Bytes JMP 66A52C10
PAGE ntkrnlpa.exe!ZwLoadDriver 8058413A 7 Bytes JMP A52CDA28 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!NtCreateSection 805AB3AC 7 Bytes JMP A52CD8EE \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 805BC520 5 Bytes JMP A52C9536 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ObInsertObject 805C2FA4 5 Bytes JMP A52CAEC2 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D1144 7 Bytes JMP A52CDACA \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device \FileSystem\Fastfat \FatCdrom aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \FileSystem\Fastfat \Fat aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{B6A930A0-A4F5-43A5-9B4E-6189A6C2B9E8}@y!s!\24!r!s!`!\30!y!\24!\24!t!\30!c!y!s!d! 19583823

---- EOF - GMER 1.0.15 ----
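
The DDS report in the post above shows the persistence pattern behind the symptoms blinblin lists: Run values (uRun/mRun) and Image File Execution Options (IFEO) "debugger" redirections that all launch c:\windows\system32\wscript.exe /e:vbs on baseWINDOWS.db, a VBScript hiding behind a .db extension (so that launching tools such as autoruns.exe runs the script instead), plus hidden+system autorun.* files at the drive root and a hijacked IE window title. The GMER entries, by contrast, are vendor hooks (IEFRAME.dll inside the iexplore.exe processes, avast's aswSP.SYS on the SSDT) rather than rootkit activity. The Python script below is an added example, not part of the thread or of the DDS tool: it parses those DDS line formats and flags the four patterns. The sample lines are an excerpt copied from the log above; the rule set, the severities and names such as analyze_dds are mine.

```python
"""Triage a DDS log's 'Pseudo HJT Report' and 'Created Last 30' lines for the
persistence tricks visible in this thread. Added example; the detection rules,
severities and sample excerpt are mine, not part of DDS or of the thread."""
import re

# Constructed excerpt: lines copied from the DDS log posted above.
SAMPLE_DDS = r"""
uStart Page = hxxp://www.site-officiel.110mb.com/
uWindow Title = (-[ MyLoveFaceBook.LiuYiFei@Hotmail.CoM ]-)
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [baseWINDOWS] c:\windows\system32\wscript.exe /e:vbs c:\windows\system32\baseWINDOWS.db
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [Adobe Reader 9.0] c:\windows\system32\wscript.exe /e:vbs c:\windows\system32\baseWINDOWS.db
IFEO: autoruns.exe - c:\windows\system32\wscript.exe /e:vbs c:\windows\system32\baseWINDOWS.db
IFEO: chrome.exe - c:\program files\internet explorer\IEXPLORE.EXE
IFEO: drwtsn32.exe - c:\windows\system32\wscript.exe /e:vbs c:\windows\system32\baseWINDOWS.db
2010-05-20 02:10:53 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-18 05:49:27 108 --sha-r- C:\autorun.inf
2010-05-16 15:15:49 108 --sha-r- C:\autorun.9nf
"""

RUN_RE = re.compile(r"^([umd]Run): \[(.*?)\] (.+)$")
IFEO_RE = re.compile(r"^IFEO: (\S+) - (.+)$")
TITLE_RE = re.compile(r"^uWindow Title = (.+)$")
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\d+\s+(\S+)\s+(.+)$")
ROOT_AUTORUN_RE = re.compile(r"^[a-z]:\\autorun\.[0-9a-z]{3}$")
EXE_RE = re.compile(r'([^\\\s"]+\.exe)')

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh")
KNOWN_DEBUGGERS = ("ntsd.exe", "windbg.exe", "vsjitdebugger.exe")  # legitimate IFEO users


def disguised_script(command):
    """Return the script path if COMMAND runs wscript/cscript on a file whose
    extension is not a script extension (the '/e:vbs ... .db' trick), else None.
    Splits on whitespace, so a quoted script path containing spaces is not handled."""
    tokens = command.lower().split()
    if not tokens or not tokens[0].strip('"').endswith(SCRIPT_HOSTS):
        return None
    for tok in tokens[1:]:
        if tok.startswith("/"):          # host switches such as /e:vbs or //nologo
            continue
        return None if tok.endswith(SCRIPT_EXTS) else tok
    return None


def _finding(severity, kind, line, detail):
    return {"severity": severity, "kind": kind, "line": line, "detail": detail}


def analyze_dds(text):
    """Return a list of findings for the DDS report lines in TEXT."""
    findings = []
    run_names_by_command = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = TITLE_RE.match(line)
        if m:   # IE window-title branding is a classic Brontok-style hijack marker
            findings.append(_finding("low", "ie-window-title", line, "IE window title set to " + m.group(1)))
            continue
        m = RUN_RE.match(line)
        if m:
            hive, name, command = m.groups()
            run_names_by_command.setdefault(command.lower(), {})[name.lower()] = name
            hidden = disguised_script(command)
            if hidden:
                findings.append(_finding("high", "run-disguised-script", line,
                                         f"{hive} '{name}' runs a script host on non-script file {hidden}"))
            continue
        m = IFEO_RE.match(line)
        if m:   # any IFEO Debugger value replaces the target program with the 'debugger'
            target, debugger = m.groups()
            exe_match = EXE_RE.search(debugger.lower())
            exe = exe_match.group(1) if exe_match else debugger.lower()
            severity = "info" if exe in KNOWN_DEBUGGERS else "high"
            findings.append(_finding(severity, "ifeo-debugger", line, f"launching {target} is redirected to {exe}"))
            continue
        m = FILE_RE.match(line)
        if m:   # hidden+system autorun.* at a drive root: removable-media spreading
            attrs, path = m.groups()
            if "s" in attrs and "h" in attrs and ROOT_AUTORUN_RE.match(path.lower()):
                findings.append(_finding("high", "root-autorun", line, "hidden/system autorun file " + path))
    for command, names in run_names_by_command.items():
        if len(names) > 1:   # one command registered under several (often product-like) names
            findings.append(_finding("medium", "run-duplicate-command", command,
                                     "same command under Run names: " + ", ".join(sorted(names.values()))))
    return findings


def count_by_kind(findings):
    counts = {}
    for f in findings:
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in analyze_dds(SAMPLE_DDS):
        print(f"[{f['severity']:<6}] {f['kind']:<22} {f['detail']}")
```

Run it as-is to print the findings for the embedded excerpt, or pass the text of a full DDS.txt to analyze_dds(). Every IFEO Debugger value deserves a look: its legitimate purpose is to attach a real debugger such as ntsd or windbg, so a script host, a browser or cmd in that slot means that starting the target program runs the attacker's command instead, which is why removal tools appear to "not launch" on a machine like this one. The same wscript.exe /e:vbs baseWINDOWS.db command also appears under the Run name "Adobe Reader 9.0", the kind of product-like alias the duplicate-command rule is meant to surface.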


#4 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:28 PM

Posted 26 May 2010 - 04:42 PM

Hello, blinblin.
My name is etavares and I will be helping you with this log.

Here are some guidelines to ensure we are able to get your machine back under your control.
  • Please do not run any unsupervised scans, fixes, etc. We can work against each other and end up in a worse place.
  • Please subscribe to this topic if you have not already done so. Please check back just in case, as the email system can fail at times.
  • Just because your machine is running better does not mean it is completely cleaned. Please wait for the 'all clear' from me to say when we are done.
  • Please reply within 3 days to be fair to other people asking for help.
  • When in doubt, please stop and ask first. There's no harm in asking questions!

Registry Cleaner Warning


I also see that you have a registry cleaner installed (in your case CCleaner). Here at BC, we do not recommend using registry cleaners.

See here for more information:
http://www.bleepingcomputer.com/forums/ind...p;#entry1326578

Step 1

Next, please download ComboFix from one of these locations. * IMPORTANT !!! Save ComboFix.exe to your Desktop as blinblinCF.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on blinblinCF.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply, along with any symptoms that are present after it runs.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#5 blinblin

blinblin
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:09:28 PM

Posted 26 May 2010 - 06:00 PM

Hello Etavares.

Here follows the combofix log.

After it has run, all the symptoms I described previously are gone. The start page can be changed, the Task Manager and regedit launch, and the hidden files setting works again. I don't know of any other malfunction.

I'm now waiting for the "all clear" from you, or any other needed step.

Thank you !



ComboFix 10-05-26.01 - JEANINE MARTINET 27/05/2010 0:35.1.2 - x86
Microsoft Windows XP Édition familiale 5.1.2600.3.1252.41.1036.18.1013.549 [GMT 2:00]
Launched from: c:\documents and settings\JEANINE MARTINET\Bureau\blinblinCF.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

(((((((((((((((((((((((((((((((((((( Other deletions ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
c:\windows\system32\AbaleZip.dll
D:\Autorun.inf

.
((((((((((((((((((((((((((((( Files created from 2010-04-26 to 2010-05-26 ))))))))))))))))))))))))))))))))))))
.

2010-05-21 07:13 . 2010-05-22 05:24 -------- d-----w- C:\HijackThis
2010-05-20 03:21 . 2010-05-26 22:27 63488 ----a-w- c:\documents and settings\JEANINE MARTINET\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-05-20 03:21 . 2010-05-20 03:21 52224 ----a-w- c:\documents and settings\JEANINE MARTINET\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-05-20 03:21 . 2010-05-26 22:27 117760 ----a-w- c:\documents and settings\JEANINE MARTINET\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-20 03:20 . 2010-05-20 03:20 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-05-20 03:20 . 2010-05-20 03:20 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-20 03:20 . 2010-05-20 03:20 -------- d-----w- c:\documents and settings\JEANINE MARTINET\Application Data\SUPERAntiSpyware.com
2010-05-20 03:20 . 2010-05-20 03:20 -------- d-----w- c:\program files\Fichiers communs\Wise Installation Wizard
2010-05-20 02:52 . 2010-05-20 04:20 -------- d-----w- c:\windows\BDOSCAN8
2010-05-20 02:11 . 2010-05-20 02:11 -------- d-----w- c:\documents and settings\JEANINE MARTINET\Application Data\Malwarebytes
2010-05-20 02:10 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-20 02:10 . 2010-05-20 02:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-20 02:10 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-20 02:10 . 2010-05-20 02:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-20 01:02 . 2010-05-20 01:02 -------- d-----w- c:\program files\Trend Micro
2010-05-19 15:17 . 2010-05-19 15:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-05-19 15:11 . 2010-05-19 15:11 -------- d-----w- c:\program files\CCleaner
2010-05-16 15:27 . 2010-05-16 15:27 -------- d-sh--w- c:\documents and settings\JEANINE MARTINET\PrivacIE
2010-05-16 15:15 . 2010-05-16 15:15 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-05-16 15:12 . 2010-05-16 15:12 -------- d-sh--w- c:\documents and settings\JEANINE MARTINET\IETldCache
2010-05-16 15:10 . 2010-05-16 15:10 -------- dc-h--w- c:\windows\ie8
2010-05-16 15:09 . 2010-05-16 15:11 -------- d--h--w- c:\windows\msdownld.tmp
2010-05-16 15:03 . 2010-05-16 15:03 86576 ----a-w- c:\documents and settings\JEANINE MARTINET\Application Data\Microsoft\Services Windows Live\Raccourci Galerie de Photos Windows Live.exe
2010-05-16 15:03 . 2010-05-16 15:03 392728 ----a-w- c:\documents and settings\JEANINE MARTINET\Application Data\Microsoft\Services Windows Live\Services Windows Live.dll
2010-05-16 15:03 . 2010-05-16 15:03 135680 ----a-w- c:\documents and settings\JEANINE MARTINET\Application Data\Microsoft\Notification de cadeaux MSN\lsnfier.exe
2010-05-16 15:03 . 2010-05-16 15:03 132672 ----a-w- c:\documents and settings\JEANINE MARTINET\Application Data\Microsoft\Services Windows Live\Raccourci Windows Live Messenger.exe

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-19 15:26 . 2008-05-28 13:58 525662 ----a-w- c:\windows\system32\perfh00C.dat
2010-05-19 15:26 . 2008-05-28 13:58 91532 ----a-w- c:\windows\system32\perfc00C.dat
2010-05-19 15:23 . 2009-03-14 10:46 -------- d-----w- c:\program files\Alwil Software
2010-05-19 15:05 . 2008-10-02 06:46 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
2010-05-16 15:05 . 2009-03-17 11:40 -------- d-----w- c:\documents and settings\JEANINE MARTINET\Application Data\HPAppData
2010-05-06 20:59 . 2009-03-14 10:47 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-05-06 20:59 . 2009-03-14 10:46 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-05-06 20:39 . 2009-03-14 10:47 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-05-06 20:39 . 2009-03-14 10:47 164048 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-05-06 20:34 . 2009-03-14 10:47 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-05-06 20:33 . 2009-03-14 10:47 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-05-06 20:33 . 2009-03-14 10:47 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-05-06 20:33 . 2009-03-14 10:47 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-05-06 20:33 . 2009-03-14 10:47 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
.

((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"baseWINDOWS"="c:\windows\system32\wscript.exe" [2008-05-08 155648]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-23 39408]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-05-06 2017280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 131072]
"RTHDCPL"="RTHDCPL.EXE" [2008-05-07 16862208]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-11 1028096]
"LanguageShortcut"="c:\program files\HomeCinema\PowerDVD\Language\Language.exe" [2007-01-08 52256]
"BEWINTERNET-FR-DMGP-V2SessionManager"="c:\program files\Orange\IEWInternet\SessionManager\SessionManager.exe" [2008-02-13 102400]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-05-06 2815192]
"Adobe Reader 9.0"="c:\windows\system32\wscript.exe" [2008-05-08 155648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 13:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^JEANINE MARTINET^Menu Démarrer^Programmes^Démarrage^Notification de cadeaux MSN.lnk]
path=c:\documents and settings\JEANINE MARTINET\Menu Démarrer\Programmes\Démarrage\Notification de cadeaux MSN.lnk
backup=c:\windows\pss\Notification de cadeaux MSN.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17 952768 ----a-w- c:\program files\Fichiers communs\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader 9.0]
2008-05-08 11:24 155648 ----a-w- c:\windows\system32\wscript.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\baseWINDOWS]
2008-05-08 11:24 155648 ----a-w- c:\windows\system32\wscript.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CardDetectorICON225]
2007-11-13 22:47 278528 ----a-r- c:\program files\CardDetector\ICON225\CardDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F-Secure Manager]
2008-04-23 16:13 182936 ----a-w- c:\program files\Orange\AntivirusFirewall\Common\FSM32.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MGSysCtrl]
2008-06-10 13:38 782336 ----a-w- c:\program files\System Control Manager\MGSysCtrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Orange Desktop Search]
2009-01-16 14:24 1583624 ----a-w- c:\program files\Orange\DesktopSearch\DesktopSearchService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
2005-10-26 15:17 159744 ----a-r- c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-02-23 08:18 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\toolbar_eula_launcher]
2007-02-09 14:54 16896 ----a-w- c:\program files\GoogleEULA\EULALauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UCam_Menu]
2007-09-13 14:32 222504 ------w- c:\program files\HomeCinema\YouCam\MUITransfer\MUIStartMenu.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\NetMeeting\\Conf.exe"=
"c:\\Program Files\\Orange\\IEWInternet\\Connectivity\\ConnectivityManager.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [14/03/2009 12:47 164048]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 11:25 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [06/05/2010 17:10 68168]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [14/03/2009 12:47 19024]
R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [10/06/2008 12:26 156160]
S2 Micro Star SCM;Micro Star SCM;c:\program files\System Control Manager\MSIService.exe [10/06/2008 11:53 159744]
S3 F-Secure Gatekeeper;F-Secure Gatekeeper;\??\c:\program files\Orange\AntivirusFirewall\Anti-Virus\minifilter\fsgk.sys --> c:\program files\Orange\AntivirusFirewall\Anti-Virus\minifilter\fsgk.sys [?]
S3 fsbl;F-Secure BlackLight Engine Driver;\??\c:\program files\Orange\AntivirusFirewall\Anti-Virus\fsbldrv.sys --> c:\program files\Orange\AntivirusFirewall\Anti-Virus\fsbldrv.sys [?]
S3 GT72NDISIPXP;GT 72 IP NDIS;c:\windows\system32\drivers\Gt51Ip.sys [11/07/2008 10:34 95744]
S3 GT72UBUS;GT 72 U BUS;c:\windows\system32\drivers\gt72ubus.sys [11/07/2008 10:34 51968]
S3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\system32\drivers\rt2860.sys [28/05/2008 08:29 572416]
S4 F-Secure Filter;F-Secure File System Filter;\??\c:\program files\Orange\AntivirusFirewall\Anti-Virus\Win2K\FSfilter.sys --> c:\program files\Orange\AntivirusFirewall\Anti-Virus\Win2K\FSfilter.sys [?]
S4 F-Secure Recognizer;F-Secure File System Recognizer;\??\c:\program files\Orange\AntivirusFirewall\Anti-Virus\Win2K\FSrec.sys --> c:\program files\Orange\AntivirusFirewall\Anti-Virus\Win2K\FSrec.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contenu du dossier 'Tâches planifiées'

2010-05-25 c:\windows\Tasks\HPpromotions journeysoftware.job
- c:\program files\hp\digital imaging\bin\hp promotions\journeysoftware\HPpromo.exe [2005-04-22 16:36]
.
.
------- Examen supplémentaire -------
.
uStart Page = hxxp://www.site-officiel.110mb.com/
uInternet Settings,ProxyOverride = <local>
IE: E&xporter vers Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
.
- - - - ORPHELINS SUPPRIMES - - - -

URLSearchHooks-{814C76CB-2623-43F4-AAD0-58A0E5190A20} - (no file)
AddRemove-HijackThis - c:\hijackthis\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-27 00:40
Windows 5.1.2600 Service Pack 3 NTFS

Recherche de processus cachés ...

Recherche d'éléments en démarrage automatique cachés ...

Recherche de fichiers cachés ...

Scan terminé avec succès
Fichiers cachés: 0

**************************************************************************
.
--------------------- DLLs chargées dans les processus actifs ---------------------

- - - - - - - > 'winlogon.exe'(760)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Heure de fin: 2010-05-27 00:43:02
ComboFix-quarantined-files.txt 2010-05-26 22:42

Avant-CF: 113 533 284 352 octets libres
Après-CF: 113 530 171 392 octets libres

WindowsXP-KB310994-SP2-Home-BootDisk-FRA.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Édition familiale" /noexecute=optin /fastdetect

- - End Of File - - 93FAC9F2BACAF387C510C961D41982CD


#6 etavares (Bleepin' Remover, Malware Response Team, 15,514 posts)

Posted 26 May 2010 - 06:22 PM

Hello, blinblin.

OK, we still have some malware on your system. First, I need to see part of the registry where the malware has hooked itself.



Please go to Start --> Run and copy and paste the text in the box below (excluding the word code)

CODE
reg query "HKLM\Software\Microsoft\Windows NT\currentversion\image file execution options" /s > c:\reglog.txt


and click OK.

Please attach c:\reglog.txt to your reply.


etavares




#7 blinblin (Topic Starter, Members, 22 posts)

Posted 27 May 2010 - 01:53 AM

Hello

Yes, I confirm there is some malware left... :-/

I restarted the computer to run your query and send you the reg log (it had not been used since the last answer), and the symptoms at the start of the computer are:

- a never-seen-before green shield icon in the system tray saying something like "Windows just had an important security update that needed the computer to reboot", which is now gone. It is similar to the yellow shield indicating available updates.

- a PSSWCORE software trying to install itself, unsuccessfully, but launching its install again and again, saying "the feature you are trying to use is on a network resource that is unavailable" and "OK to try again, or enter an alternate path to a folder containing the installation package 'PSSWCODE.msi' in the box below". I cancel and it tries to install again.

- the start page of IE8 is back to something other than the one chosen. SUPERAntiSpyware has been on since I used it in the diagnosis with boopme, so it is offering to block the start page change, but this is endless; the question will be asked every 10 seconds.

About the reg log: running the command line you gave me doesn't produce any reglog.txt. A console window seems to open briefly, but there is no new file I can see in C:\.

Also, as before, running regedit from Start -> Run doesn't open regedit.



#8 etavares (Bleepin' Remover, Malware Response Team, 15,514 posts)

Posted 27 May 2010 - 06:15 PM

OK, let's do this the hard way. Open My Computer and go to C:\Windows

Look for regedit.exe

Rename regedit.exe to blinblin.exe by right-clicking on it and selecting rename.

Double click blinblin.exe to run it. The Registry Editor should open.

In the left pane, navigate to this path:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\currentversion\image file execution options

Highlight "Image File Execution Options" by clicking on it in the left pane. Select File-->Export from the menu. Change the 'save as' type to Text File (TXT) and save it as export.txt on your desktop. Please post the contents of export.txt in your reply.


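One way a responder could go through an export like the one etavares asks for above, as an added example that is not code from this thread or from any tool it names: it parses the text layout regedit's "Text File" export produces (the French labels seen in this thread; the English "Key Name:/Name:/Type:/Data:" equivalents are assumed) and reports every IFEO subkey carrying a Debugger value, which is the hook that makes launching one program silently start another. The sample input is constructed from entries of the kind discussed here, and the allow-list of legitimate debuggers is an assumption to adjust locally.

```python
"""Scan a regedit text export for Image File Execution Options (IFEO) Debugger hijacks.

Added example, not code from this thread or from any tool it names.
"""
import re
from typing import Dict, List, Tuple

IFEO_ROOT = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
             r"\CurrentVersion\Image File Execution Options")

# Constructed sample in the layout of regedit's "Text File" export (French UI),
# with entries of the kind seen in this thread: one harmless AppCompat flag and
# two Debugger redirections.
SAMPLE_EXPORT = f"""\
Nom de la clé : {IFEO_ROOT}
Nom de la classe : <Sans classe>
Heure de dernière écriture : 27.05.2010 - 08:23

Nom de la clé : {IFEO_ROOT}\\apitrap.dll
Nom de la classe : <Sans classe>
Heure de dernière écriture : 27.05.2010 - 00:43
Valeur 0
Nom : CheckAppHelp
Type : REG_DWORD
Données : 0x1


Nom de la clé : {IFEO_ROOT}\\autoruns.exe
Nom de la classe : <Sans classe>
Heure de dernière écriture : 27.05.2010 - 08:23
Valeur 0
Nom : Debugger
Type : REG_SZ
Données : C:\\WINDOWS\\system32\\wscript.exe /E:vbs C:\\WINDOWS\\system32\\baseWINDOWS.db


Nom de la clé : {IFEO_ROOT}\\chrome.exe
Nom de la classe : <Sans classe>
Heure de dernière écriture : 27.05.2010 - 08:23
Valeur 0
Nom : Debugger
Type : REG_SZ
Données : C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE
"""

# French labels as posted in the thread, plus the assumed English equivalents.
KEY_RE = re.compile(r"^(?:Nom de la clé|Key Name)\s*:\s*(.+)$")
NAME_RE = re.compile(r"^(?:Nom|Name)\s*:\s*(.+)$")
TYPE_RE = re.compile(r"^Type\s*:\s*(\S+)")
DATA_RE = re.compile(r"^(?:Données|Data)\s*:\s*(.*)$")

# Script hosts are never a real debugger: a Debugger value naming one of them means
# the program the user launched is replaced by a script.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe", "powershell.exe"}
# Assumed allow-list of debuggers that may legitimately sit under IFEO; adjust locally.
KNOWN_DEBUGGERS = {"ntsd.exe", "windbg.exe"}


def parse_ifeo_export(text: str) -> List[Dict[str, str]]:
    """Collect every string-typed Debugger value found under an IFEO subkey."""
    findings: List[Dict[str, str]] = []
    key = name = vtype = None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := KEY_RE.match(line)):
            key, name, vtype = m.group(1).strip(), None, None   # new subkey resets state
        elif (m := NAME_RE.match(line)):
            name = m.group(1).strip()
        elif (m := TYPE_RE.match(line)):
            vtype = m.group(1)
        elif (m := DATA_RE.match(line)) and key and name:
            in_ifeo = key.lower().startswith(IFEO_ROOT.lower() + "\\")
            if in_ifeo and name.lower() == "debugger" and vtype in ("REG_SZ", "REG_EXPAND_SZ"):
                findings.append({"image": key.rsplit("\\", 1)[-1],
                                 "debugger": m.group(1).strip()})
    return findings


def debugger_binary(command: str) -> str:
    """Basename of the program in a Debugger command line. The export does not quote
    paths, so cut at the first '.exe' rather than at the first space."""
    low = command.lower()
    cut = low.find(".exe")
    head = command if cut < 0 else command[:cut + 4]
    return head.strip('"').rsplit("\\", 1)[-1].lower()


def assess(findings: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Attach a verdict to each Debugger value: (hijacked image, debugger binary, verdict)."""
    report = []
    for f in findings:
        binary = debugger_binary(f["debugger"])
        if binary in SCRIPT_HOSTS:
            verdict = "script host replaces the program"
        elif binary in KNOWN_DEBUGGERS:
            verdict = "known debugger, confirm it was installed deliberately"
        else:
            verdict = "launch redirected to another program"
        report.append((f["image"], binary, verdict))
    return report


if __name__ == "__main__":
    for image, binary, verdict in assess(parse_ifeo_export(SAMPLE_EXPORT)):
        print(f"{image:<14} -> {binary:<14} {verdict}")
```

Entries with only CheckAppHelp or REG_BINARY data (the AppCompat rows in the export) are skipped; only Debugger strings are reported.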


#9 blinblin (Topic Starter, Members, 22 posts)

Posted 28 May 2010 - 12:51 AM

Nom de la clé : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
Nom de la classe : <Sans classe>
Heure de dernière écriture : 27.05.2010 - 08:23

Nom de la clé : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\apitrap.dll
Nom de la classe : <Sans classe>
Heure de dernière écriture : 27.05.2010 - 00:43
Valeur 0
Nom : CheckAppHelp
Type : REG_DWORD
Données : 0x1


Nom de la clé : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ASSTE.dll
Nom de la classe : <Sans classe>
Heure de dernière écriture : 27.05.2010 - 00:43
Valeur 0
Nom : CheckAppHelp
Type : REG_DWORD
Données : 0x1


Nom de la clé : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AutorunRemover.exe
Nom de la classe : <Sans classe>
Heure de dernière écriture : 27.05.2010 - 08:23
Valeur 0
Nom : Debugger
Type : REG_SZ
Données : C:\WINDOWS\system32\wscript.exe /E:vbs C:\WINDOWS\system32\baseWINDOWS.db


Nom de la clé : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe
Nom de la classe : <Sans classe>
Heure de dernière écriture : 27.05.2010 - 08:23
Valeur 0
Nom : Debugger
Type : REG_SZ
Données : C:\WINDOWS\system32\wscript.exe /E:vbs C:\WINDOWS\system32\baseWINDOWS.db


Nom de la clé : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avira.exe
Nom de la classe : <Sans classe>
Heure de dernière écriture : 27.05.2010 - 08:23
Valeur 0
Nom : Debugger
Type : REG_SZ
Données : C:\WINDOWS\system32\wscript.exe /E:vbs C:\WINDOWS\system32\baseWINDOWS.db


Nom de la clé : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVSTE.dll
Nom de la classe : <Sans classe>
Heure de dernière écriture : 27.05.2010 - 00:43
Valeur 0
Nom : CheckAppHelp
Type : REG_DWORD
Données : 0x1


Nom de la clé : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe
Nom de la classe : <Sans classe>
Heure de dernière écriture : 27.05.2010 - 08:23
Valeur 0
Nom : Debugger
Type : REG_SZ
Données : C:\Program Files\Internet Explorer\IEXPLORE.EXE


Nom de la clé : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Cleanup.dll
Nom de la classe : <Sans classe>
Heure de dernière écriture : 27.05.2010 - 00:43
Valeur 0
Nom : CheckAppHelp
Type : REG_DWORD
Données : 0x1


Nom de la clé : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cqw32.exe
Nom de la classe : <Sans classe>
Heure de dernière écriture : 27.05.2010 - 00:43
Valeur 0
Nom : ApplicationGoo
Type : REG_BINARY
Données :


Nom de la clé : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\divx.dll
Nom de la classe : <Sans classe>
Heure de dernière écriture : 27.05.2010 - 00:43
Valeur 0
Nom : CheckAppHelp
Type : REG_DWORD
Données : 0x1


Nom de la clé : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\divxdec.ax
Nom de la classe : <Sans classe>
Heure de dernière écriture : 27.05.2010 - 00:43
Valeur 0
Nom : CheckAppHelp
Type : REG_DWORD
Données : 0x1


Nom de la clé : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DJSMAR00.dll
Nom de la classe : <Sans classe>
Heure de dernière écriture : 27.05.2010 - 00:43
Valeur 0
Nom : CheckAppHelp
Type : REG_DWORD
Données : 0x1


Nom de la clé : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DRMINST.dll
Nom de la classe : <Sans classe>
Heure de dernière écriture : 27.05.2010 - 00:43
Valeur 0
Nom : CheckAppHelp
Type : REG_DWORD
Données : 0x1


Nom de la clé : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drwtsn32.exe
Nom de la classe : <Sans classe>
Heure de dernière écriture : 27.05.2010 - 08:23
Valeur 0
Nom : Debugger
Type : REG_SZ
Données : C:\WINDOWS\system32\wscript.exe /E:vbs C:\WINDOWS\system32\baseWINDOWS.db


Nom de la clé : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwwin.exe
Nom de la classe : <Sans classe>
Heure de dernière écriture : 27.05.2010 - 08:23
Valeur 0
Nom : Debugger
Type : REG_SZ
Données : C:\WINDOWS\system32\wscript.exe /E:vbs C:\WINDOWS\system32\baseWINDOWS.db


Nom de la clé : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\enc98.EXE
Nom de la classe : <Sans classe>
Heure de dernière écriture : 27.05.2010 - 00:43
Valeur 0
Nom : DisableHeapLookAside
Type : REG_SZ
Données : 1


Nom de la clé : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EncodeDivXExt.dll
Nom de la classe : <Sans classe>
Heure de dernière écriture : 27.05.2010 - 00:43
Valeur 0
Nom : CheckAppHelp
Type : REG_DWORD
Données : 0x1


Nom de la clé : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EncryptPatchVer.dll
Nom de la classe : <Sans classe>
Heure de dernière écriture : 27.05.2010 - 00:43
Valeur 0
Nom : CheckAppHelp
Type : REG_DWORD
Données : 0x1


Nom de la clé : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe
Nom de la classe : <Sans classe>
Heure de dernière écriture : 27.05.2010 - 08:23
Valeur 0
Nom : Debugger
Type : REG_SZ
Données : C:\Program Files\Internet Explorer\IEXPLORE.EXE


Nom de la clé : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\front.exe
Nom de la classe : <Sans classe>
Heure de dernière écriture : 27.05.2010 - 00:43
Valeur 0
Nom : ApplicationGoo
Type : REG_BINARY
Données :
000006f0 50 00 61 00 63 00 6b 00 - 20 00 33 00 00 00 23 00 P.a.c.k. .3...#.
00000700 54 02 00 00 00 02 00 00 - 18 03 34 00 00 00 56 00 T.........4...V.
00000710 53 00 5f 00 56 00 45 00 - 52 00 53 00 49 00 4f 00 S._.V.E.R.S.I.O.
00000720 4e 00 5f 00 49 00 4e 00 - 46 00 4f 00 00 00 00 00 N._.I.N.F.O.....
00000730 bd 04 ef fe 00 00 01 00 - 00 00 04 00 dd 03 00 00 ½.ïþ........Ý...
00000740 00 00 04 00 dd 03 00 00 - 3f 00 00 00 00 00 00 00 ....Ý...?.......
00000750 04 00 01 00 01 00 00 00 - 00 00 00 00 00 00 00 00 ................
00000760 00 00 00 00 78 02 00 00 - 01 00 53 00 74 00 72 00 ....x.....S.t.r.
00000770 69 00 6e 00 67 00 46 00 - 69 00 6c 00 65 00 49 00 i.n.g.F.i.l.e.I.
00000780 6e 00 66 00 6f 00 00 00 - 54 02 00 00 01 00 30 00 n.f.o...T.....0.
00000790 34 00 30 00 39 00 30 00 - 34 00 45 00 34 00 00 00 4.0.9.0.4.E.4...
000007a0 2e 00 07 00 01 00 43 00 - 6f 00 6d 00 70 00 61 00 ......C.o.m.p.a.
000007b0 6e 00 79 00 4e 00 61 00 - 6d 00 65 00 00 00 00 00 n.y.N.a.m.e.....
000007c0 53 00 41 00 50 00 20 00 - 41 00 47 00 00 00 00 00 S.A.P. .A.G.....
000007d0 5a 00 19 00 01 00 46 00 - 69 00 6c 00 65 00 44 00 Z.....F.i.l.e.D.
000007e0 65 00 73 00 63 00 72 00 - 69 00 70 00 74 00 69 00 e.s.c.r.i.p.t.i.
000007f0 6f 00 6e 00 00 00 00 00 - 53 00 41 00 50 00 20 00 o.n.....S.A.P. .
00000800 46 00 72 00 6f 00 6e 00 - 74 00 65 00 6e 00 64 00 F.r.o.n.t.e.n.d.
00000810 20 00 66 00 6f 00 72 00 - 20 00 57 00 69 00 6e 00 .f.o.r. .W.i.n.
00000820 64 00 6f 00 77 00 73 00 - 00 00 00 00 34 00 0a 00 d.o.w.s.....4...
00000830 01 00 46 00 69 00 6c 00 - 65 00 56 00 65 00 72 00 ..F.i.l.e.V.e.r.
00000840 73 00 69 00 6f 00 6e 00 - 00 00 00 00 34 00 2e 00 s.i.o.n.....4...
00000850 30 00 2e 00 30 00 2e 00 - 39 00 38 00 39 00 00 00 0...0...9.8.9...
00000860 2c 00 06 00 01 00 49 00 - 6e 00 74 00 65 00 72 00 ,.....I.n.t.e.r.
00000870 6e 00 61 00 6c 00 4e 00 - 61 00 6d 00 65 00 00 00 n.a.l.N.a.m.e...
00000880 46 00 52 00 4f 00 4e 00 - 54 00 00 00 5e 00 1d 00 F.R.O.N.T...^...
00000890 01 00 4c 00 65 00 67 00 - 61 00 6c 00 43 00 6f 00 ..L.e.g.a.l.C.o.
000008a0 70 00 79 00 72 00 69 00 - 67 00 68 00 74 00 00 00 p.y.r.i.g.h.t...
000008b0 43 00 6f 00 70 00 79 00 - 72 00 69 00 67 00 68 00 C.o.p.y.r.i.g.h.
000008c0 74 00 20 00 a9 00 20 00 - 31 00 39 00 39 00 33 00 t. .©. .1.9.9.3.
000008d0 2d 00 31 00 39 00 39 00 - 37 00 20 00 53 00 41 00 -.1.9.9.7. .S.A.
000008e0 50 00 20 00 41 00 47 00 - 00 00 00 00 28 00 00 00 P. .A.G.....(...
000008f0 01 00 4c 00 65 00 67 00 - 61 00 6c 00 54 00 72 00 ..L.e.g.a.l.T.r.
00000900 61 00 64 00 65 00 6d 00 - 02 00 00 00 00 00 00 00 a.d.e.m.........
00000910 01 00 00 00 4c 00 00 00 - 3c fd 06 00 04 00 00 00 ....L...<ý......
00000920 00 00 00 00 65 05 00 00 - 02 00 00 00 03 00 00 00 ....e...........
00000930 00 00 01 00 53 00 65 00 - 72 00 76 00 69 00 63 00 ....S.e.r.v.i.c.
00000940 65 00 20 00 50 00 61 00 - 63 00 6b 00 20 00 33 00 e. .P.a.c.k. .3.
00000950 00 00 23 00 ..#.


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fullsoft.dll
Class Name: <NO CLASS>
Last Write Time: 27.05.2010 - 00:43
Value 0
Name: CheckAppHelp
Type: REG_DWORD
Data: 0x1


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GBROWSER.DLL
Class Name: <NO CLASS>
Last Write Time: 27.05.2010 - 00:43
Value 0
Name: CheckAppHelp
Type: REG_DWORD
Data: 0x1


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe
Class Name: <NO CLASS>
Last Write Time: 27.05.2010 - 08:23
Value 0
Name: Debugger
Type: REG_SZ
Data: C:\WINDOWS\system32\wscript.exe /E:vbs C:\WINDOWS\system32\baseWINDOWS.db


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\htmlmarq.ocx
Class Name: <NO CLASS>
Last Write Time: 27.05.2010 - 00:43
Value 0
Name: CheckAppHelp
Type: REG_DWORD
Data: 0x1


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\htmlmm.ocx
Class Name: <NO CLASS>
Last Write Time: 27.05.2010 - 00:43
Value 0
Name: CheckAppHelp
Type: REG_DWORD
Data: 0x1


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe
Class Name: <NO CLASS>
Last Write Time: 27.05.2010 - 00:43
Value 0
Name: ApplicationGoo
Type: REG_BINARY
Data:
00000000 58 02 00 00 54 02 00 00 - 00 02 00 00 6c 07 34 00 X...T.......l.4.
00000010 00 00 56 00 53 00 5f 00 - 56 00 45 00 52 00 53 00 ..V.S._.V.E.R.S.
00000020 49 00 4f 00 4e 00 5f 00 - 49 00 4e 00 46 00 4f 00 I.O.N._.I.N.F.O.
00000030 00 00 00 00 bd 04 ef fe - 00 00 01 00 05 00 05 00 ....½.ïþ........
00000040 07 00 a8 07 05 00 05 00 - 07 00 a8 07 3f 00 00 00 ..¨.......¨.?...
00000050 00 00 00 00 04 00 04 00 - 01 00 00 00 00 00 00 00 ................
00000060 00 00 00 00 00 00 00 00 - cc 06 00 00 01 00 53 00 ........Ì.....S.
00000070 74 00 72 00 69 00 6e 00 - 67 00 46 00 69 00 6c 00 t.r.i.n.g.F.i.l.
00000080 65 00 49 00 6e 00 66 00 - 6f 00 00 00 54 03 00 00 e.I.n.f.o...T...
00000090 01 00 30 00 34 00 30 00 - 39 00 30 00 34 00 42 00 ..0.4.0.9.0.4.B.
000000a0 30 00 00 00 18 00 00 00 - 01 00 43 00 6f 00 6d 00 0.........C.o.m.
000000b0 6d 00 65 00 6e 00 74 00 - 73 00 00 00 4c 00 16 00 m.e.n.t.s...L...
000000c0 01 00 43 00 6f 00 6d 00 - 70 00 61 00 6e 00 79 00 ..C.o.m.p.a.n.y.
000000d0 4e 00 61 00 6d 00 65 00 - 00 00 00 00 4d 00 69 00 N.a.m.e.....M.i.
000000e0 63 00 72 00 6f 00 73 00 - 6f 00 66 00 74 00 20 00 c.r.o.s.o.f.t. .
000000f0 43 00 6f 00 72 00 70 00 - 6f 00 72 00 61 00 74 00 C.o.r.p.o.r.a.t.
00000100 69 00 6f 00 6e 00 00 00 - 68 00 20 00 01 00 46 00 i.o.n...h. ...F.
00000110 69 00 6c 00 65 00 44 00 - 65 00 73 00 63 00 72 00 i.l.e.D.e.s.c.r.
00000120 69 00 70 00 74 00 69 00 - 6f 00 6e 00 00 00 00 00 i.p.t.i.o.n.....
00000130 4d 00 69 00 63 00 72 00 - 6f 00 73 00 6f 00 66 00 M.i.c.r.o.s.o.f.
00000140 74 00 20 00 45 00 78 00 - 63 00 68 00 61 00 6e 00 t. .E.x.c.h.a.n.
00000150 67 00 65 00 20 00 53 00 - 65 00 72 00 76 00 65 00 g.e. .S.e.r.v.e.
00000160 72 00 20 00 53 00 65 00 - 74 00 75 00 70 00 00 00 r. .S.e.t.u.p...
00000170 36 00 0b 00 01 00 46 00 - 69 00 6c 00 65 00 56 00 6.....F.i.l.e.V.
00000180 65 00 72 00 73 00 69 00 - 6f 00 6e 00 00 00 00 00 e.r.s.i.o.n.....
00000190 35 00 2e 00 35 00 2e 00 - 31 00 39 00 36 00 30 00 5...5...1.9.6.0.
000001a0 2e 00 37 00 00 00 00 00 - 2c 00 06 00 01 00 49 00 ..7.....,.....I.
000001b0 6e 00 74 00 65 00 72 00 - 6e 00 61 00 6c 00 4e 00 n.t.e.r.n.a.l.N.
000001c0 61 00 6d 00 65 00 00 00 - 53 00 65 00 74 00 75 00 a.m.e...S.e.t.u.
000001d0 70 00 00 00 9c 00 3c 00 - 01 00 4c 00 65 00 67 00 p.....<...L.e.g.
000001e0 61 00 6c 00 43 00 6f 00 - 70 00 79 00 72 00 69 00 a.l.C.o.p.y.r.i.
000001f0 67 00 68 00 74 00 00 00 - 43 00 6f 00 70 00 79 00 g.h.t...C.o.p.y.
00000200 72 00 69 00 67 00 68 00 - 74 00 20 00 02 00 00 00 r.i.g.h.t. .....
00000210 00 00 00 00 01 00 00 00 - 4c 00 00 00 3c fd 06 00 ........L...<ý..
00000220 05 00 00 00 00 00 00 00 - 65 05 00 00 02 00 00 00 ........e.......
00000230 03 00 00 00 02 00 00 00 - 53 00 65 00 72 00 76 00 ........S.e.r.v.
00000240 69 00 63 00 65 00 20 00 - 50 00 61 00 63 00 6b 00 i.c.e. .P.a.c.k.
00000250 20 00 34 00 00 00 23 00 - .4...#.


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ishscan.dll
Class Name: <NO CLASS>
Last Write Time: 27.05.2010 - 00:43
Value 0
Name: CheckAppHelp
Type: REG_DWORD
Data: 0x1


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ISSTE.dll
Class Name: <NO CLASS>
Last Write Time: 27.05.2010 - 00:43
Value 0
Name: CheckAppHelp
Type: REG_DWORD
Data: 0x1


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\javai.dll
Class Name: <NO CLASS>
Last Write Time: 27.05.2010 - 00:43
Value 0
Name: CheckAppHelp
Type: REG_DWORD
Data: 0x1


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jvm.dll
Class Name: <NO CLASS>
Last Write Time: 27.05.2010 - 00:43
Value 0
Name: CheckAppHelp
Type: REG_DWORD
Data: 0x1


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jvm_g.dll
Class Name: <NO CLASS>
Last Write Time: 27.05.2010 - 00:43
Value 0
Name: CheckAppHelp
Type: REG_DWORD
Data: 0x1


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LaunchU3.exe
Class Name: <NO CLASS>
Last Write Time: 27.05.2010 - 08:23
Value 0
Name: Debugger
Type: REG_SZ
Data: C:\WINDOWS\system32\wscript.exe /E:vbs C:\WINDOWS\system32\baseWINDOWS.db


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\main123w.dll
Class Name: <NO CLASS>
Last Write Time: 27.05.2010 - 00:43
Value 0
Name: CheckAppHelp
Type: REG_DWORD
Data: 0x1


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mngreg32.exe
Class Name: <NO CLASS>
Last Write Time: 27.05.2010 - 00:43
Value 0
Name: ApplicationGoo
Type: REG_BINARY
Data:
00000000 58 02 00 00 54 02 00 00 - 00 02 00 00 44 02 34 00 X...T.......D.4.
00000010 00 00 56 00 53 00 5f 00 - 56 00 45 00 52 00 53 00 ..V.S._.V.E.R.S.
00000020 49 00 4f 00 4e 00 5f 00 - 49 00 4e 00 46 00 4f 00 I.O.N._.I.N.F.O.
00000030 00 00 00 00 bd 04 ef fe - 00 00 01 00 01 00 01 00 ....½.ïþ........
00000040 0c 00 00 00 01 00 01 00 - 0c 00 00 00 00 00 00 00 ................
00000050 00 00 00 00 04 00 00 00 - 01 00 00 00 00 00 00 00 ................
00000060 00 00 00 00 00 00 00 00 - 44 00 00 00 00 00 56 00 ........D.....V.
00000070 61 00 72 00 46 00 69 00 - 6c 00 65 00 49 00 6e 00 a.r.F.i.l.e.I.n.
00000080 66 00 6f 00 00 00 00 00 - 24 00 04 00 00 00 54 00 f.o.....$.....T.
00000090 72 00 61 00 6e 00 73 00 - 6c 00 61 00 74 00 69 00 r.a.n.s.l.a.t.i.
000000a0 6f 00 6e 00 00 00 00 00 - 09 04 b0 04 a4 01 00 00 o.n..... .°.¤...
000000b0 01 00 53 00 74 00 72 00 - 69 00 6e 00 67 00 46 00 ..S.t.r.i.n.g.F.
000000c0 69 00 6c 00 65 00 49 00 - 6e 00 66 00 6f 00 00 00 i.l.e.I.n.f.o...
000000d0 80 01 00 00 01 00 30 00 - 34 00 30 00 39 00 30 00 ......0.4.0.9.0.
000000e0 34 00 42 00 30 00 00 00 - 40 00 20 00 01 00 43 00 4.B.0...@. ...C.
000000f0 6f 00 6d 00 70 00 61 00 - 6e 00 79 00 4e 00 61 00 o.m.p.a.n.y.N.a.
00000100 6d 00 65 00 00 00 00 00 - 44 00 65 00 4c 00 6f 00 m.e.....D.e.L.o.
00000110 72 00 6d 00 65 00 20 00 - 4d 00 61 00 70 00 70 00 r.m.e. .M.a.p.p.
00000120 69 00 6e 00 67 00 00 00 - 44 00 22 00 01 00 50 00 i.n.g...D."...P.
00000130 72 00 6f 00 64 00 75 00 - 63 00 74 00 4e 00 61 00 r.o.d.u.c.t.N.a.
00000140 6d 00 65 00 00 00 00 00 - 52 00 65 00 67 00 20 00 m.e.....R.e.g. .
00000150 28 00 44 00 4c 00 69 00 - 62 00 62 00 79 00 5c 00 (.D.L.i.b.b.y.\.
00000160 6d 00 73 00 66 00 29 00 - 00 00 00 00 34 00 14 00 m.s.f.).....4...
00000170 01 00 46 00 69 00 6c 00 - 65 00 56 00 65 00 72 00 ..F.i.l.e.V.e.r.
00000180 73 00 69 00 6f 00 6e 00 - 00 00 00 00 31 00 2e 00 s.i.o.n.....1...
00000190 30 00 31 00 2e 00 30 00 - 30 00 31 00 32 00 00 00 0.1...0.0.1.2...
000001a0 38 00 14 00 01 00 50 00 - 72 00 6f 00 64 00 75 00 8.....P.r.o.d.u.
000001b0 63 00 74 00 56 00 65 00 - 72 00 73 00 69 00 6f 00 c.t.V.e.r.s.i.o.
000001c0 6e 00 00 00 31 00 2e 00 - 30 00 31 00 2e 00 30 00 n...1...0.1...0.
000001d0 30 00 31 00 32 00 00 00 - 34 00 12 00 01 00 49 00 0.1.2...4.....I.
000001e0 6e 00 74 00 65 00 72 00 - 6e 00 61 00 6c 00 4e 00 n.t.e.r.n.a.l.N.
000001f0 61 00 6d 00 65 00 00 00 - 4d 00 4e 00 47 00 52 00 a.m.e...M.N.G.R.
00000200 45 00 47 00 33 00 32 00 - 00 00 00 00 02 00 00 00 E.G.3.2.........
00000210 00 00 00 00 01 00 00 00 - 4c 00 00 00 3c fd 06 00 ........L...<ý..
00000220 04 00 00 00 00 00 00 00 - 65 05 00 00 02 00 00 00 ........e.......
00000230 03 00 00 00 00 00 01 00 - 53 00 65 00 72 00 76 00 ........S.e.r.v.
00000240 69 00 63 00 65 00 20 00 - 50 00 61 00 63 00 6b 00 i.c.e. .P.a.c.k.
00000250 20 00 33 00 00 00 23 00 - .3...#.


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msci_uno.dll
Class Name: <NO CLASS>
Last Write Time: 27.05.2010 - 00:43
Value 0
Name: CheckAppHelp
Type: REG_DWORD
Data: 0x1


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSConfig.exe
Class Name: <NO CLASS>
Last Write Time: 27.05.2010 - 08:23
Value 0
Name: Debugger
Type: REG_SZ
Data: C:\WINDOWS\system32\wscript.exe /E:vbs C:\WINDOWS\system32\baseWINDOWS.db


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscoree.dll
Class Name: <NO CLASS>
Last Write Time: 27.05.2010 - 00:43
Value 0
Name: CheckAppHelp
Type: REG_DWORD
Data: 0x1


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscorsvr.dll
Class Name: <NO CLASS>
Last Write Time: 27.05.2010 - 00:43
Value 0
Name: CheckAppHelp
Type: REG_DWORD
Data: 0x1


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscorwks.dll
Class Name: <NO CLASS>
Last Write Time: 27.05.2010 - 00:43
Value 0
Name: CheckAppHelp
Type: REG_DWORD
Data: 0x1


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msjava.dll
Class Name: <NO CLASS>
Last Write Time: 27.05.2010 - 00:43
Value 0
Name: CheckAppHelp
Type: REG_DWORD
Data: 0x1


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mso.dll
Class Name: <NO CLASS>
Last Write Time: 27.05.2010 - 00:43
Value 0
Name: CheckAppHelp
Type: REG_DWORD
Data: 0x1


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mvyA.exe
Class Name: <NO CLASS>
Last Write Time: 27.05.2010 - 08:23
Value 0
Name: Debugger
Type: REG_SZ
Data: C:\WINDOWS\system32\wscript.exe /E:vbs C:\WINDOWS\system32\baseWINDOWS.db


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVOPTRF.dll
Class Name: <NO CLASS>
Last Write Time: 27.05.2010 - 00:43
Value 0
Name: CheckAppHelp
Type: REG_DWORD
Data: 0x1


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NeVideoFX.dll
Class Name: <NO CLASS>
Last Write Time: 27.05.2010 - 00:43
Value 0
Name: CheckAppHelp
Type: REG_DWORD
Data: 0x1


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NPMLIC.dll
Class Name: <NO CLASS>
Last Write Time: 27.05.2010 - 00:43
Value 0
Name: CheckAppHelp
Type: REG_DWORD
Data: 0x1


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NSWSTE.dll
Class Name: <NO CLASS>
Last Write Time: 27.05.2010 - 00:43
Value 0
Name: CheckAppHelp
Type: REG_DWORD
Data: 0x1


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Opera.exe
Class Name: <NO CLASS>
Last Write Time: 27.05.2010 - 08:23
Value 0
Name: Debugger
Type: REG_SZ
Data: C:\Program Files\Internet Explorer\IEXPLORE.EXE


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\photohse.EXE
Class Name: <NO CLASS>
Last Write Time: 27.05.2010 - 00:43
Value 0
Name: GlobalFlag
Type: REG_SZ
Data: 0x00200000


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PMSTE.dll
Class Name: <NO CLASS>
Last Write Time: 27.05.2010 - 00:43
Value 0
Name: CheckAppHelp
Type: REG_DWORD
Data: 0x1


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ppw32hlp.dll
Class Name: <NO CLASS>
Last Write Time: 27.05.2010 - 00:43
Value 0
Name: CheckAppHelp
Type: REG_DWORD
Data: 0x1


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\printhse.EXE
Class Name: <NO CLASS>
Last Write Time: 27.05.2010 - 00:43
Value 0
Name: GlobalFlag
Type: REG_SZ
Data: 0x00200000


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe
Class Name: <NO CLASS>
Last Write Time: 27.05.2010 - 08:23
Value 0
Name: Debugger
Type: REG_SZ
Data: C:\WINDOWS\system32\wscript.exe /E:vbs C:\WINDOWS\system32\baseWINDOWS.db


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\prwin8.EXE
Class Name: <NO CLASS>
Last Write Time: 27.05.2010 - 00:43
Value 0
Name: DisableHeapLookAside
Type: REG_SZ
Data: 1


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ps80.EXE
Class Name: <NO CLASS>
Last Write Time: 27.05.2010 - 00:43
Value 0
Name: DisableHeapLookAside
Type: REG_SZ
Data: 1


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\psdmt.exe
Class Name: <NO CLASS>
Last Write Time: 27.05.2010 - 00:43
Value 0
Name: ApplicationGoo
Type: REG_BINARY
Data:
00000000 14 02 00 00 10 02 00 00 - 00 02 00 00 b4 02 34 00 ............´.4.
00000010 00 00 56 00 53 00 5f 00 - 56 00 45 00 52 00 53 00 ..V.S._.V.E.R.S.
00000020 49 00 4f 00 4e 00 5f 00 - 49 00 4e 00 46 00 4f 00 I.O.N._.I.N.F.O.
00000030 00 00 00 00 bd 04 ef fe - 00 00 01 00 35 00 07 00 ....½.ïþ....5...
00000040 00 00 00 00 35 00 07 00 - 00 00 00 00 3f 00 00 00 ....5.......?...
00000050 00 00 00 00 04 00 00 00 - 01 00 00 00 00 00 00 00 ................
00000060 00 00 00 00 00 00 00 00 - 12 02 00 00 01 00 53 00 ..............S.
00000070 74 00 72 00 69 00 6e 00 - 67 00 46 00 69 00 6c 00 t.r.i.n.g.F.i.l.
00000080 65 00 49 00 6e 00 66 00 - 6f 00 00 00 ee 01 00 00 e.I.n.f.o...î...
00000090 01 00 30 00 34 00 30 00 - 39 00 30 00 34 00 62 00 ..0.4.0.9.0.4.b.
000000a0 30 00 00 00 42 00 11 00 - 01 00 43 00 6f 00 6d 00 0...B.....C.o.m.
000000b0 70 00 61 00 6e 00 79 00 - 4e 00 61 00 6d 00 65 00 p.a.n.y.N.a.m.e.
000000c0 00 00 00 00 50 00 65 00 - 6f 00 70 00 6c 00 65 00 ....P.e.o.p.l.e.
000000d0 53 00 6f 00 66 00 74 00 - 2c 00 20 00 49 00 6e 00 S.o.f.t.,. .I.n.
000000e0 63 00 2e 00 00 00 00 00 - 28 00 00 00 01 00 46 00 c.......(.....F.
000000f0 69 00 6c 00 65 00 44 00 - 65 00 73 00 63 00 72 00 i.l.e.D.e.s.c.r.
00000100 69 00 70 00 74 00 69 00 - 6f 00 6e 00 00 00 00 00 i.p.t.i.o.n.....
00000110 2a 00 05 00 01 00 46 00 - 69 00 6c 00 65 00 56 00 *.....F.i.l.e.V.
00000120 65 00 72 00 73 00 69 00 - 6f 00 6e 00 00 00 00 00 e.r.s.i.o.n.....
00000130 37 00 2e 00 35 00 33 00 - 00 00 00 00 9c 00 3c 00 7...5.3.......<.
00000140 01 00 4c 00 65 00 67 00 - 61 00 6c 00 43 00 6f 00 ..L.e.g.a.l.C.o.
00000150 70 00 79 00 72 00 69 00 - 67 00 68 00 74 00 00 00 p.y.r.i.g.h.t...
00000160 43 00 6f 00 70 00 79 00 - 72 00 69 00 67 00 68 00 C.o.p.y.r.i.g.h.
00000170 74 00 20 00 a9 00 20 00 - 31 00 39 00 38 00 38 00 t. .©. .1.9.8.8.
00000180 2d 00 31 00 39 00 39 00 - 38 00 20 00 50 00 65 00 -.1.9.9.8. .P.e.
00000190 6f 00 70 00 6c 00 65 00 - 53 00 6f 00 66 00 74 00 o.p.l.e.S.o.f.t.
000001a0 2c 00 20 00 49 00 6e 00 - 63 00 2e 00 20 00 20 00 ,. .I.n.c... . .
000001b0 41 00 6c 00 6c 00 20 00 - 52 00 69 00 67 00 68 00 A.l.l. .R.i.g.h.
000001c0 74 00 73 00 20 00 52 00 - 65 00 73 00 65 00 72 00 t.s. .R.e.s.e.r.
000001d0 76 00 65 00 64 00 00 00 - 3c 00 0a 00 01 00 4f 00 v.e.d...<.....O.
000001e0 72 00 69 00 67 00 69 00 - 6e 00 61 00 6c 00 46 00 r.i.g.i.n.a.l.F.
000001f0 69 00 6c 00 65 00 6e 00 - 61 00 6d 00 65 00 00 00 i.l.e.n.a.m.e...
00000200 70 00 73 00 64 00 6d 00 - 74 00 2e 00 10 00 00 00 p.s.d.m.t.......
00000210 00 00 00 00 ....


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qfinder.EXE
Class Name: <NO CLASS>
Last Write Time: 27.05.2010 - 00:43
Value 0
Name: DisableHeapLookAside
Type: REG_SZ
Data: 1


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qpw.EXE
Class Name: <NO CLASS>
Last Write Time: 27.05.2010 - 00:43
Value 0
Name: DisableHeapLookAside
Type: REG_SZ
Data: 1


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rav.exe
Class Name: <NO CLASS>
Last Write Time: 27.05.2010 - 08:23
Value 0
Name: Debugger
Type: REG_SZ
Data: C:\WINDOWS\system32\wscript.exe /E:vbs C:\WINDOWS\system32\baseWINDOWS.db


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe
Class Name: <NO CLASS>
Last Write Time: 27.05.2010 - 08:23
Value 0
Name: Debugger
Type: REG_SZ
Data: C:\WINDOWS\system32\wscript.exe /E:vbs C:\WINDOWS\system32\baseWINDOWS.db


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rmvtrjan.exe
Class Name: <NO CLASS>
Last Write Time: 27.05.2010 - 08:23
Value 0
Name: Debugger
Type: REG_SZ
Data: C:\WINDOWS\system32\wscript.exe /E:vbs C:\WINDOWS\system32\baseWINDOWS.db


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe
Class Name: <NO CLASS>
Last Write Time: 27.05.2010 - 08:23
Value 0
Name: Debugger
Type: REG_SZ
Data: C:\WINDOWS\system32\wscript.exe /E:vbs C:\WINDOWS\system32\baseWINDOWS.db


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Safari.exe
Class Name: <NO CLASS>
Last Write Time: 27.05.2010 - 08:23
Value 0
Name: Debugger
Type: REG_SZ
Data: C:\Program Files\Internet Explorer\IEXPLORE.EXE


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\salwrap.dll
Class Name: <NO CLASS>
Last Write Time: 27.05.2010 - 00:43
Value 0
Name: CheckAppHelp
Type: REG_DWORD
Data: 0x1


Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe
Class Name: <NO CLASS>
Last Write Time: 27.05.2010 - 00:43
Value 0
Name: ApplicationGoo
Type: REG_BINARY
Data:
00000000 00 07 00 00 54 02 00 00 - 00 02 00 00 84 07 34 00 ....T.........4.
00000010 00 00 56 00 53 00 5f 00 - 56 00 45 00 52 00 53 00 ..V.S._.V.E.R.S.
00000020 49 00 4f 00 4e 00 5f 00 - 49 00 4e 00 46 00 4f 00 I.O.N._.I.N.F.O.
00000030 00 00 00 00 bd 04 ef fe - 00 00 01 00 05 00 05 00 ....½.ïþ........
00000040 07 00 a8 07 05 00 05 00 - 07 00 a8 07 3f 00 00 00 ..¨.......¨.?...
00000050 00 00 00 00 04 00 04 00 - 01 00 00 00 00 00 00 00 ................
00000060 00 00 00 00 00 00 00 00 - e4 06 00 00 01 00 53 00 ........ä.....S.
00000070 74 00 72 00 69 00 6e 00 - 67 00 46 00 69 00 6c 00 t.r.i.n.g.F.i.l.
00000080 65 00 49 00 6e 00 66 00 - 6f 00 00 00 60 03 00 00 e.I.n.f.o...`...
00000090 01 00 30 00 34 00 30 00 - 39 00 30 00 34 00 42 00 ..0.4.0.9.0.4.B.
000000a0 30 00 00 00 18 00 00 00 - 01 00 43 00 6f 00 6d 00 0.........C.o.m.
000000b0 6d 00 65 00 6e 00 74 00 - 73 00 00 00 4c 00 16 00 m.e.n.t.s...L...
000000c0 01 00 43 00 6f 00 6d 00 - 70 00 61 00 6e 00 79 00 ..C.o.m.p.a.n.y.
000000d0 4e 00 61 00 6d 00 65 00 - 00 00 00 00 4d 00 69 00 N.a.m.e.....M.i.
000000e0 63 00 72 00 6f 00 73 00 - 6f 00 66 00 74 00 20 00 c.r.o.s.o.f.t. .
000000f0 43 00 6f 00 72 00 70 00 - 6f 00 72 00 61 00 74 00 C.o.r.p.o.r.a.t.
00000100 69 00 6f 00 6e 00 00 00 - 68 00 20 00 01 00 46 00 i.o.n...h. ...F.
00000110 69 00 6c 00 65 00 44 00 - 65 00 73 00 63 00 72 00 i.l.e.D.e.s.c.r.
00000120 69 00 70 00 74 00 69 00 - 6f 00 6e 00 00 00 00 00 i.p.t.i.o.n.....
00000130 4d 00 69 00 63 00 72 00 - 6f 00 73 00 6f 00 66 00 M.i.c.r.o.s.o.f.
00000140 74 00 20 00 45 00 78 00 - 63 00 68 00 61 00 6e 00 t. .E.x.c.h.a.n.
00000150 67 00 65 00 20 00 53 00 - 65 00 72 00 76 00 65 00 g.e. .S.e.r.v.e.
00000160 72 00 20 00 53 00 65 00 - 74 00 75 00 70 00 00 00 r. .S.e.t.u.p...
00000170 36 00 0b 00 01 00 46 00 - 69 00 6c 00 65 00 56 00 6.....F.i.l.e.V.
00000180 65 00 72 00 73 00 69 00 - 6f 00 6e 00 00 00 00 00 e.r.s.i.o.n.....
00000190 35 00 2e 00 35 00 2e 00 - 31 00 39 00 36 00 30 00 5...5...1.9.6.0.
000001a0 2e 00 37 00 00 00 00 00 - 2c 00 06 00 01 00 49 00 ..7.....,.....I.
000001b0 6e 00 74 00 65 00 72 00 - 6e 00 61 00 6c 00 4e 00 n.t.e.r.n.a.l.N.
000001c0 61 00 6d 00 65 00 00 00 - 53 00 65 00 74 00 75 00 a.m.e...S.e.t.u.
000001d0 70 00 00 00 9e 00 3d 00 - 01 00 4c 00 65 00 67 00 p.....=...L.e.g.
000001e0 61 00 6c 00 43 00 6f 00 - 70 00 79 00 72 00 69 00 a.l.C.o.p.y.r.i.
000001f0 67 00 68 00 74 00 00 00 - 43 00 6f 00 70 00 79 00 g.h.t...C.o.p.y.
00000200 72 00 69 00 67 00 68 00 - 74 00 20 00 02 00 00 00 r.i.g.h.t. .....
00000210 00 00 00 00 01 00 00 00 - 4c 00 00 00 3c fd 06 00 ........L...<ý..
00000220 05 00 00 00 00 00 00 00 - 65 05 00 00 02 00 00 00 ........e.......
00000230 00 00 00 00 00 00 00 00 - 53 00 65 00 72 00 76 00 ........S.e.r.v.
00000240 69 00 63 00 65 00 20 00 - 50 00 61 00 63 00 6b 00 i.c.e. .P.a.c.k.
00000250 20 00 33 00 00 00 24 00 - 54 02 00 00 00 02 00 00 .3...$.T.......
00000260 a4 08 34 00 00 00 56 00 - 53 00 5f 00 56 00 45 00 ¤.4...V.S._.V.E.
00000270 52 00 53 00 49 00 4f 00 - 4e 00 5f 00 49 00 4e 00 R.S.I.O.N._.I.N.
00000280 46 00 4f 00 00 00 00 00 - bd 04 ef fe 00 00 01 00 F.O.....½.ïþ....
00000290 05 00 05 00 07 00 a8 07 - 05 00 05 00 07 00 a8 07 ......¨.......¨.
000002a0 3f 00 00 00 00 00 00 00 - 04 00 04 00 01 00 00 00 ?...............
000002b0 00 00 00 00 00 00 00 00 - 00 00 00 00 04 08 00 00 ................
000002c0 01 00 53 00 74 00 72 00 - 69 00 6e 00 67 00 46 00 ..S.t.r.i.n.g.F.
000002d0 69 00 6c 00 65 00 49 00 - 6e 00 66 00 6f 00 00 00 i.l.e.I.n.f.o...
000002e0 f0 03 00 00 01 00 30 00 - 34 00 30 00 39 00 30 00 ð.....0.4.0.9.0.
000002f0 34 00 42 00 30 00 00 00 - 18 00 00 00 01 00 43 00 4.B.0.........C.
00000300 6f 00 6d 00 6d 00 65 00 - 6e 00 74 00 73 00 00 00 o.m.m.e.n.t.s...
00000310 4c 00 16 00 01 00 43 00 - 6f 00 6d 00 70 00 61 00 L.....C.o.m.p.a.
00000320 6e 00 79 00 4e 00 61 00 - 6d 00 65 00 00 00 00 00 n.y.N.a.m.e.....
00000330 4d 00 69 00 63 00 72 00 - 6f 00 73 00 6f 00 66 00 M.i.c.r.o.s.o.f.
00000340 74 00 20 00 43 00 6f 00 - 72 00 70 00 6f 00 72 00 t. .C.o.r.p.o.r.
00000350 61 00 74 00 69 00 6f 00 - 6e 00 00 00 68 00 20 00 a.t.i.o.n...h. .
00000360 01 00 46 00 69 00 6c 00 - 65 00 44 00 65 00 73 00 ..F.i.l.e.D.e.s.
00000370 63 00 72 00 69 00 70 00 - 74 00 69 00 6f 00 6e 00 c.r.i.p.t.i.o.n.
00000380 00 00 00 00 4d 00 69 00 - 63 00 72 00 6f 00 73 00 ....M.i.c.r.o.s.
00000390 6f 00 66 00 74 00 20 00 - 45 00 78 00 63 00 68 00 o.f.t. .E.x.c.h.
000003a0 61 00 6e 00 67 00 65 00 - 20 00 53 00 65 00 72 00 a.n.g.e. .S.e.r.
000003b0 76 00 65 00 72 00 20 00 - 53 00 65 00 74 00 75 00 v.e.r. .S.e.t.u.



Nom de la clé : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup32.dll
Nom de la classe : <Sans classe>
Heure de dernière écriture : 27.05.2010 - 00:43
Valeur 0
Nom : ApplicationGoo
Type : REG_BINARY
Données :


Nom de la clé : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sevinst.exe
Nom de la classe : <Sans classe>
Heure de dernière écriture : 27.05.2010 - 00:43
Valeur 0
Nom : ApplicationGoo
Type : REG_BINARY
Données :


Nom de la clé : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Startup CP.exe
Nom de la classe : <Sans classe>
Heure de dernière écriture : 27.05.2010 - 08:23
Valeur 0
Nom : Debugger
Type : REG_SZ
Données : C:\WINDOWS\system32\wscript.exe /E:vbs C:\WINDOWS\system32\baseWINDOWS.db


Nom de la clé : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symlcnet.dll
Nom de la classe : <Sans classe>
Heure de dernière écriture : 27.05.2010 - 00:43
Valeur 0
Nom : CheckAppHelp
Type : REG_DWORD
Données : 0x1


Nom de la clé : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe
Nom de la classe : <Sans classe>
Heure de dernière écriture : 27.05.2010 - 08:23
Valeur 0
Nom : Debugger
Type : REG_SZ
Données : C:\WINDOWS\system32\wscript.exe /E:vbs C:\WINDOWS\system32\baseWINDOWS.db


Nom de la clé : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tcore_ebook.dll
Nom de la classe : <Sans classe>
Heure de dernière écriture : 27.05.2010 - 00:43
Valeur 0
Nom : CheckAppHelp
Type : REG_DWORD
Données : 0x1


Nom de la clé : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TFDTCTT8.DLL
Nom de la classe : <Sans classe>
Heure de dernière écriture : 27.05.2010 - 00:43
Valeur 0
Nom : CheckAppHelp
Type : REG_DWORD
Données : 0x1


Nom de la clé : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Trjscan.exe
Nom de la classe : <Sans classe>
Heure de dernière écriture : 27.05.2010 - 08:23
Valeur 0
Nom : Debugger
Type : REG_SZ
Données : C:\WINDOWS\system32\wscript.exe /E:vbs C:\WINDOWS\system32\baseWINDOWS.db


Nom de la clé : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ua80.EXE
Nom de la classe : <Sans classe>
Heure de dernière écriture : 27.05.2010 - 00:43
Valeur 0
Nom : DisableHeapLookAside
Type : REG_SZ
Données : 1


Nom de la clé : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\udtapi.dll
Nom de la classe : <Sans classe>
Heure de dernière écriture : 27.05.2010 - 00:43
Valeur 0
Nom : CheckAppHelp
Type : REG_DWORD
Données : 0x1


Nom de la clé : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ums.dll
Nom de la classe : <Sans classe>
Heure de dernière écriture : 27.05.2010 - 00:43
Valeur 0
Nom : CheckAppHelp
Type : REG_DWORD
Données : 0x1


Nom de la clé : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vb40032.dll
Nom de la classe : <Sans classe>
Heure de dernière écriture : 27.05.2010 - 00:43
Valeur 0
Nom : CheckAppHelp
Type : REG_DWORD
Données : 0x1


Nom de la clé : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vbe6.dll
Nom de la classe : <Sans classe>
Heure de dernière écriture : 27.05.2010 - 00:43
Valeur 0
Nom : CheckAppHelp
Type : REG_DWORD
Données : 0x1


Nom de la clé : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wpwin8.EXE
Nom de la classe : <Sans classe>
Heure de dernière écriture : 27.05.2010 - 00:43
Valeur 0
Nom : DisableHeapLookAside
Type : REG_SZ
Données : 1


Nom de la clé : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xlmlEN.dll
Nom de la classe : <Sans classe>
Heure de dernière écriture : 27.05.2010 - 00:43
Valeur 0
Nom : CheckAppHelp
Type : REG_DWORD
Données : 0x1


Nom de la clé : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xwsetup.EXE
Nom de la classe : <Sans classe>
Heure de dernière écriture : 27.05.2010 - 00:43
Valeur 0
Nom : ApplicationGoo
Type : REG_BINARY
Données :


Nom de la clé : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Nom de la classe : <Sans classe>
Heure de dernière écriture : 27.05.2010 - 00:43
Valeur 0
Nom : Debugger
Type : REG_SZ
Données : ntsd -d

Valeur 1
Nom : GlobalFlag
Type : REG_SZ
Données : 0x000010F0


Nom de la clé : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_INSTPGM.EXE
Nom de la classe : <Sans classe>
Heure de dernière écriture : 27.05.2010 - 00:43
Valeur 0
Nom : ApplicationGoo
Type : REG_BINARY
Données :




#10 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male
  • Local time:03:28 PM

Posted 29 May 2010 - 05:26 AM

Hello, blinblin.

OK, we'll take that out first, but I need a little more information before we begin.

First, I need a sample of one file.
  1. Please go to this link.
  2. Copy and paste the link to this thread in the top box.
  3. Click Browse and navigate to this file and click Open: c:\windows\system32\baseWINDOWS.db. If you don't see it, please view hidden files.
  4. In the comment, please post this info in the quotebox:

    QUOTE
    IFEO Exploit malware, requested by etavares


  5. Then click Send File
Next...Internet Explorer is configured to be launched in place of Firefox, Safari, Chrome or Opera...did you set that yourself? It could be malware doing that instead.

Let's take a look at IE:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

C:\Program Files\Internet Explorer\IEXPLORE.EXE

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

etavares

Edited by etavares, 29 May 2010 - 05:26 AM.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#11 blinblin

blinblin
  • Topic Starter

  • Members
  • 22 posts
  • Local time:09:28 PM

Posted 29 May 2010 - 05:57 AM

Hello etavares,

sorry but the impossibility of viewing hidden files is one of my symptoms, as said at the beginning of this topic. I can select view hidden files but it has no effect and it switches itself back to hide hidden files.

Also, no possibility to type the name of the file in the field of the submit malware sample, or to select another file and then modify to the right path and name.

so I can't send the sample at all.

iexplore.exe is not hidden, so I could scan it with Jotti, and it says:

Filename: iexplore.exe
Status: Scan finished. 0 out of 19 scanners reported malware.
Scan taken on: Fri 14 May 2010 22:36:13 (CET)
File size: 638816 bytes
Filetype: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5: b60dddd2d63ce41cb8c487fcfbb6419e
SHA1: eadce51c88c8261852c1903399dde742fba2061b

#12 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male
  • Local time:03:28 PM

Posted 29 May 2010 - 06:29 AM

Hello, blinblin.

OK, let's get rid of that malware.

Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
http://www.bleepingcomputer.com/forums/t/318328/brontok-ce-infection-and-various-others/

KillAll::

Collect::
c:\windows\system32\baseWINDOWS.db
C:\autorun.9nf
C:\autorun.8nf
C:\autorun.7nf
C:\autorun.5nf
C:\autorun.6nf

DDS::
uRun: [baseWINDOWS] c:\windows\system32\wscript.exe /e:vbs c:\windows\system32\baseWINDOWS.db

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\currentversion\image file execution options\AutorunRemover.exe]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\currentversion\image file execution options\autoruns.exe]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\currentversion\image file execution options\Avira.exe]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\currentversion\image file execution options\drwtsn32.exe]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\currentversion\image file execution options\HijackThis.exe]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\currentversion\image file execution options\autoruns.exe]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\currentversion\image file execution options\LaunchU3.exe]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\currentversion\image file execution options\MSConfig.exe]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\currentversion\image file execution options\mvyA.exe]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\currentversion\image file execution options\procexp.exe]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\currentversion\image file execution options\rav.exe]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\currentversion\image file execution options\regedit.exe]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\currentversion\image file execution options\Rmvtrjan.exe]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\currentversion\image file execution options\rstrui.exe]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\currentversion\image file execution options\Startup CP.exe]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\currentversion\image file execution options\taskmgr.exe]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\currentversion\image file execution options\Trjscan.exe]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Safari.exe]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Opera.exe]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe]


Save this as CFScript.txt





Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
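The redirection that etavares' script removes above (a Debugger value under Image File Execution Options, which makes Windows start wscript.exe with baseWINDOWS.db, or Internet Explorer, in place of the real program) can be spotted in a registry dump like the one posted earlier in this thread. The following is an added example, not from the thread, ComboFix or any other tool mentioned here; it parses that dump format and flags suspect Debugger values. The firefox.exe Debugger data in the sample is an assumption, since the thread names the key but not its contents.

```python
"""Flag IFEO 'Debugger' hijacks in a registry dump of the format posted above.
Added example, not from the thread or any tool it mentions. The sample dump is
constructed from the thread's entries; the firefox.exe value is an assumption.
"""

IFEO_PREFIX = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
               r"\CurrentVersion\Image File Execution Options" + "\\")
KNOWN_DEBUGGERS = {"ntsd", "cdb", "windbg", "vsjitdebugger"}  # real debuggers
SCRIPT_HOSTS = {"wscript", "cscript", "mshta", "cmd", "rundll32"}  # run a script instead
TEMPLATE_KEY = "your image file name here without a path"  # Windows XP's own example key
SECURITY_TOOLS = {"taskmgr.exe", "regedit.exe", "msconfig.exe", "procexp.exe",
                  "autoruns.exe", "hijackthis.exe", "rstrui.exe"}  # named in the CFScript


def parse_dump(text):
    """One {'path', 'values'} dict per 'Nom de la clé' block; REG_BINARY hex lines are ignored."""
    keys, current, name = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Nom de la clé :"):
            current = {"path": line.split(":", 1)[1].strip(), "values": {}}
            keys.append(current)
            name = None
        elif current is None:
            continue
        elif line.startswith("Nom :"):
            name = line.split(":", 1)[1].strip()
            current["values"][name] = ("", "")
        elif line.startswith("Type :") and name:
            current["values"][name] = (line.split(":", 1)[1].strip(), "")
        elif line.startswith("Données :") and name:
            current["values"][name] = (current["values"][name][0], line.split(":", 1)[1].strip())
    return keys


def _exe_name(command):
    """Program a Debugger command line starts: lower-cased, no path, no .exe."""
    command = command.strip()
    first = command[1:].split('"', 1)[0] if command.startswith('"') else command.split(" ", 1)[0]
    first = first.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return first[:-4] if first.endswith(".exe") else first


def find_ifeo_hijacks(keys):
    """(image, debugger command, reason) for each IFEO subkey with a Debugger value."""
    findings = []
    for key in keys:
        if not key["path"].lower().startswith(IFEO_PREFIX.lower()):
            continue
        image = key["path"][len(IFEO_PREFIX):]
        # AppCompat data (CheckAppHelp, DisableHeapLookAside, ApplicationGoo) is
        # not a redirection; only a Debugger value changes what gets launched.
        if image.lower() == TEMPLATE_KEY or "Debugger" not in key["values"]:
            continue
        command = key["values"]["Debugger"][1]
        exe = _exe_name(command)
        if exe in SCRIPT_HOSTS:
            reason = "script host set as Debugger: the script runs instead of the program"
        elif exe in KNOWN_DEBUGGERS:
            reason = "real debugger registered: confirm a developer set it on purpose"
        else:
            reason = "Debugger is an unrelated program, launched in place of the original"
        if image.lower() in SECURITY_TOOLS:
            reason += " (target is an admin/security tool: likely defence evasion)"
        findings.append((image, command, reason))
    return findings


# Constructed sample in the thread's dump format; the firefox.exe data is assumed.
SAMPLE_DUMP = r"""
Nom de la clé : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symlcnet.dll
Valeur 0
Nom : CheckAppHelp
Type : REG_DWORD
Données : 0x1

Nom de la clé : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe
Valeur 0
Nom : Debugger
Type : REG_SZ
Données : C:\WINDOWS\system32\wscript.exe /E:vbs C:\WINDOWS\system32\baseWINDOWS.db

Nom de la clé : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe
Valeur 0
Nom : Debugger
Type : REG_SZ
Données : "C:\Program Files\Internet Explorer\IEXPLORE.EXE"

Nom de la clé : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Valeur 0
Nom : Debugger
Type : REG_SZ
Données : ntsd -d
"""

if __name__ == "__main__":
    for image, command, reason in find_ifeo_hijacks(parse_dump(SAMPLE_DUMP)):
        print(f"{image}: {reason}\n    Debugger = {command}")
```

Running it on the sample reports taskmgr.exe (script host, admin tool) and firefox.exe (unrelated program) while leaving the AppCompat-only and template keys alone; the same parser can be pointed at the full dump pasted in this thread.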
 


#13 blinblin

blinblin
  • Topic Starter

  • Members
  • 22 posts
  • Local time:09:28 PM

Posted 29 May 2010 - 07:56 AM

No message box opened, just the log.

Also, combofix restarted the computer and as before there is this PSSWCORE trying to install.

And again some "windows update" stuff that doesn't look clean (there is a blinking cursor in the dialog box, like a small form field where you could type something) saying the windows update is nearly done, do you want to restart now or later the computer (2 buttons)

Here is the log:

ComboFix 10-05-26.01 - JEANINE MARTINET 29/05/2010 14:33:03.2.2 - x86
Microsoft Windows XP Édition familiale 5.1.2600.3.1252.41.1036.18.1013.602 [GMT 2:00]
Lancé depuis: c:\documents and settings\JEANINE MARTINET\Bureau\blinblinCF.exe
Commutateurs utilisés :: c:\documents and settings\JEANINE MARTINET\Bureau\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

file zipped: C:\autorun.5nf
file zipped: C:\autorun.6nf
file zipped: C:\autorun.7nf
file zipped: C:\autorun.8nf
file zipped: C:\autorun.9nf
file zipped: c:\windows\system32\baseWINDOWS.db
.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.5nf
C:\autorun.6nf
C:\autorun.7nf
C:\autorun.8nf
C:\autorun.9nf
C:\Autorun.inf
c:\windows\system32\baseWINDOWS.db
c:\windows\system32\wscript.exe
D:\Autorun.inf

.
((((((((((((((((((((((((((((( Fichiers créés du 2010-04-28 au 2010-05-29 ))))))))))))))))))))))))))))))))))))
.

2010-05-21 07:13 . 2010-05-22 05:24 -------- d-----w- C:\HijackThis
2010-05-20 03:21 . 2010-05-26 22:27 63488 ----a-w- c:\documents and settings\JEANINE MARTINET\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-05-20 03:21 . 2010-05-20 03:21 52224 ----a-w- c:\documents and settings\JEANINE MARTINET\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-05-20 03:21 . 2010-05-26 22:27 117760 ----a-w- c:\documents and settings\JEANINE MARTINET\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-20 03:20 . 2010-05-20 03:20 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-05-20 03:20 . 2010-05-26 22:47 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-20 03:20 . 2010-05-20 03:20 -------- d-----w- c:\documents and settings\JEANINE MARTINET\Application Data\SUPERAntiSpyware.com
2010-05-20 03:20 . 2010-05-20 03:20 -------- d-----w- c:\program files\Fichiers communs\Wise Installation Wizard
2010-05-20 02:52 . 2010-05-20 04:20 -------- d-----w- c:\windows\BDOSCAN8
2010-05-20 02:11 . 2010-05-20 02:11 -------- d-----w- c:\documents and settings\JEANINE MARTINET\Application Data\Malwarebytes
2010-05-20 02:10 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-20 02:10 . 2010-05-20 02:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-20 02:10 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-20 02:10 . 2010-05-20 02:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-20 01:02 . 2010-05-20 01:02 -------- d-----w- c:\program files\Trend Micro
2010-05-19 15:17 . 2010-05-19 15:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-05-19 15:11 . 2010-05-19 15:11 -------- d-----w- c:\program files\CCleaner
2010-05-16 15:27 . 2010-05-16 15:27 -------- d-sh--w- c:\documents and settings\JEANINE MARTINET\PrivacIE
2010-05-16 15:15 . 2010-05-16 15:15 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-05-16 15:12 . 2010-05-16 15:12 -------- d-sh--w- c:\documents and settings\JEANINE MARTINET\IETldCache
2010-05-16 15:10 . 2010-05-16 15:10 -------- dc-h--w- c:\windows\ie8
2010-05-16 15:09 . 2010-05-16 15:11 -------- d--h--w- c:\windows\msdownld.tmp
2010-05-16 15:03 . 2010-05-16 15:03 86576 ----a-w- c:\documents and settings\JEANINE MARTINET\Application Data\Microsoft\Services Windows Live\Raccourci Galerie de Photos Windows Live.exe
2010-05-16 15:03 . 2010-05-16 15:03 392728 ----a-w- c:\documents and settings\JEANINE MARTINET\Application Data\Microsoft\Services Windows Live\Services Windows Live.dll
2010-05-16 15:03 . 2010-05-16 15:03 135680 ----a-w- c:\documents and settings\JEANINE MARTINET\Application Data\Microsoft\Notification de cadeaux MSN\lsnfier.exe
2010-05-16 15:03 . 2010-05-16 15:03 132672 ----a-w- c:\documents and settings\JEANINE MARTINET\Application Data\Microsoft\Services Windows Live\Raccourci Windows Live Messenger.exe

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-19 15:26 . 2008-05-28 13:58 525662 ----a-w- c:\windows\system32\perfh00C.dat
2010-05-19 15:26 . 2008-05-28 13:58 91532 ----a-w- c:\windows\system32\perfc00C.dat
2010-05-19 15:23 . 2009-03-14 10:46 -------- d-----w- c:\program files\Alwil Software
2010-05-19 15:05 . 2008-10-02 06:46 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
2010-05-16 15:05 . 2009-03-17 11:40 -------- d-----w- c:\documents and settings\JEANINE MARTINET\Application Data\HPAppData
2010-05-06 20:59 . 2009-03-14 10:47 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-05-06 20:59 . 2009-03-14 10:46 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-05-06 20:39 . 2009-03-14 10:47 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-05-06 20:39 . 2009-03-14 10:47 164048 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-05-06 20:34 . 2009-03-14 10:47 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-05-06 20:33 . 2009-03-14 10:47 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-05-06 20:33 . 2009-03-14 10:47 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-05-06 20:33 . 2009-03-14 10:47 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-05-06 20:33 . 2009-03-14 10:47 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-05-26_22.40.49 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-05-28 13:57 . 2008-04-14 12:00 153088 c:\windows\blinblin.exe
.
((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-23 39408]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-05-26 2397424]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 131072]
"RTHDCPL"="RTHDCPL.EXE" [2008-05-07 16862208]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-11 1028096]
"LanguageShortcut"="c:\program files\HomeCinema\PowerDVD\Language\Language.exe" [2007-01-08 52256]
"BEWINTERNET-FR-DMGP-V2SessionManager"="c:\program files\Orange\IEWInternet\SessionManager\SessionManager.exe" [2008-02-13 102400]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-05-06 2815192]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 13:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^JEANINE MARTINET^Menu Démarrer^Programmes^Démarrage^Notification de cadeaux MSN.lnk]
path=c:\documents and settings\JEANINE MARTINET\Menu Démarrer\Programmes\Démarrage\Notification de cadeaux MSN.lnk
backup=c:\windows\pss\Notification de cadeaux MSN.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17 952768 ----a-w- c:\program files\Fichiers communs\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CardDetectorICON225]
2007-11-13 22:47 278528 ----a-r- c:\program files\CardDetector\ICON225\CardDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F-Secure Manager]
2008-04-23 16:13 182936 ----a-w- c:\program files\Orange\AntivirusFirewall\Common\FSM32.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MGSysCtrl]
2008-06-10 13:38 782336 ----a-w- c:\program files\System Control Manager\MGSysCtrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Orange Desktop Search]
2009-01-16 14:24 1583624 ----a-w- c:\program files\Orange\DesktopSearch\DesktopSearchService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
2005-10-26 15:17 159744 ----a-r- c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-02-23 08:18 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\toolbar_eula_launcher]
2007-02-09 14:54 16896 ----a-w- c:\program files\GoogleEULA\EULALauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UCam_Menu]
2007-09-13 14:32 222504 ------w- c:\program files\HomeCinema\YouCam\MUITransfer\MUIStartMenu.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\NetMeeting\\Conf.exe"=
"c:\\Program Files\\Orange\\IEWInternet\\Connectivity\\ConnectivityManager.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [14/03/2009 12:47 164048]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 11:25 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [06/05/2010 17:10 67656]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [14/03/2009 12:47 19024]
R2 Micro Star SCM;Micro Star SCM;c:\program files\System Control Manager\MSIService.exe [10/06/2008 11:53 159744]
R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [10/06/2008 12:26 156160]
S3 F-Secure Gatekeeper;F-Secure Gatekeeper;\??\c:\program files\Orange\AntivirusFirewall\Anti-Virus\minifilter\fsgk.sys --> c:\program files\Orange\AntivirusFirewall\Anti-Virus\minifilter\fsgk.sys [?]
S3 fsbl;F-Secure BlackLight Engine Driver;\??\c:\program files\Orange\AntivirusFirewall\Anti-Virus\fsbldrv.sys --> c:\program files\Orange\AntivirusFirewall\Anti-Virus\fsbldrv.sys [?]
S3 GT72NDISIPXP;GT 72 IP NDIS;c:\windows\system32\drivers\Gt51Ip.sys [11/07/2008 10:34 95744]
S3 GT72UBUS;GT 72 U BUS;c:\windows\system32\drivers\gt72ubus.sys [11/07/2008 10:34 51968]
S3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\system32\drivers\rt2860.sys [28/05/2008 08:29 572416]
S4 F-Secure Filter;F-Secure File System Filter;\??\c:\program files\Orange\AntivirusFirewall\Anti-Virus\Win2K\FSfilter.sys --> c:\program files\Orange\AntivirusFirewall\Anti-Virus\Win2K\FSfilter.sys [?]
S4 F-Secure Recognizer;F-Secure File System Recognizer;\??\c:\program files\Orange\AntivirusFirewall\Anti-Virus\Win2K\FSrec.sys --> c:\program files\Orange\AntivirusFirewall\Anti-Virus\Win2K\FSrec.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contenu du dossier 'Tâches planifiées'

2010-05-25 c:\windows\Tasks\HPpromotions journeysoftware.job
- c:\program files\hp\digital imaging\bin\hp promotions\journeysoftware\HPpromo.exe [2005-04-22 16:36]
.
.
------- Examen supplémentaire -------
.
uStart Page = hxxp://www.site-officiel.110mb.com/
uInternet Settings,ProxyOverride = <local>
IE: E&xporter vers Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
.
- - - - ORPHELINS SUPPRIMES - - - -

HKLM-Run-Adobe Reader 9.0 - c:\windows\system32\wscript.exe
MSConfigStartUp-Adobe Reader 9 - c:\windows\system32\wscript.exe
MSConfigStartUp-baseWINDOWS - c:\windows\system32\wscript.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-29 14:41
Windows 5.1.2600 Service Pack 3 NTFS

Recherche de processus cachés ...

Recherche d'éléments en démarrage automatique cachés ...

Recherche de fichiers cachés ...

Scan terminé avec succès
Fichiers cachés: 0

**************************************************************************
.
--------------------- DLLs chargées dans les processus actifs ---------------------

- - - - - - - > 'winlogon.exe'(708)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(1568)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\eappprxy.dll
.
------------------------ Autres processus actifs ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Orange\AntivirusFirewall\Common\FSMA32.EXE
c:\progra~1\FICHIE~1\France Telecom\Shared Modules\FTRTSVC\0\FTRTSVC.exe
c:\program files\Orange\AntivirusFirewall\Common\FSMB32.EXE
c:\windows\system32\PSIService.exe
c:\program files\Cyberlink\Shared files\RichVideo.exe
c:\program files\MSN Messenger\usnsvc.exe
c:\program files\Orange\AntivirusFirewall\Common\FCH32.EXE
c:\program files\Orange\AntivirusFirewall\Common\FAMEH32.EXE
c:\windows\RTHDCPL.EXE
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\msiexec.exe
c:\windows\system32\MsiExec.exe
c:\windows\SoftwareDistribution\Download\25d9710524bbd6f2a192edded347d2a9\update\update.exe
.
**************************************************************************
.
Heure de fin: 2010-05-29 14:44:47 - La machine a redémarré
ComboFix-quarantined-files.txt 2010-05-29 12:44
ComboFix2.txt 2010-05-26 22:43

Avant-CF: 113 486 954 496 octets libres
Après-CF: 113 390 678 016 octets libres

- - End Of File - - A0E51C76821A934DCEE51737923E49B1


#14 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:28 PM

Posted 29 May 2010 - 08:20 AM

Hello, blinblin.
I think that the update is legitimate. There's a good chance the malware kept you from downloading updates and your computer may have just caught up. The directory it's trying to update from is a legit one.

First, we need to upload the files. Please go to My Computer, and double-click on this file:
C:\CF-Submit.htm

The PSSWCORE is related to your HP computer. For now, let's remove the drivers, we'll reinstall when it's done.

Please go to Start --> Control Panel --> Add/Remove Programs and remove your HP printer software. If you're not sure which ones to remove, please run DDS and copy and paste the contents of attach.txt in your reply.

And reboot after that.


Finally...Combofix accidentally deleted a good file we need to restore. Please attach C:\Qoobox\ComboFix-quarantined-files.txt in your reply.



etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators


#15 blinblin

blinblin
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:09:28 PM

Posted 29 May 2010 - 08:55 AM

OK, so I removed all HP printer-related software, that's fine, and yes, no PSSWCORE is blocked anymore.

I restarted the computer and some Windows update installed before the computer closed. At least one Windows update is pending; should I install it and any other that would come afterwards? Or would it interfere for now with our manipulations?

There is no such file as CF-Submit.htm or any other HTML file in C:\
By the way, I switched on the view hidden files feature and it works again.

Please find attached the combofix quarantine file

Attached Files
