Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Malware infection - unknown virus, multiple symptoms...


  • This topic is locked This topic is locked
25 replies to this topic

#1 tbellier

tbellier

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:11:28 AM

Posted 11 January 2011 - 12:54 PM

Hi!
I've been having some major problems with my computer since last week. I've had a variety of issues and have been able to fix some of them, but new ones keep emerging... Over the past few days, I've scanned my drive multiple times with Malwarebytes, AdAware, McAfee Stinger, Hitman Pro, and the Windows malicious software removal tool. Each one of them found suspicious files and deleted them. Here are the symptoms I'm currently experiencing:

- About 10 min to an hour after I start my computer, I get a "Generic Host Process for Win32 services" error message
- The windows update website won't load. Yesterday I wasn't able to access any website related to malware, antiviruses, through Google but it seems like now I can. Also, my internet would stop working after a few hours, but this stopped happening too.
- When I restart my computer, the computer turns off and freezes on a blue screen that reads "c000021a system error"
- Sometimes, one of my svchost.exe uses a lot of UC, even when I'm not doing anything on the computer. THis is a new problem that started happening this morning

It all started last Friday when I was trying to fix her computer that has crashed. I did a few file transfers using a flash drive from her computer to mine, and she has a similar problem on her computer now. It started off with the "Generic Host Process" error message and with the internet related issues. Also, yesterday a fake antivirus started running on my computer, constantly displaying error messages. I was able to uninstall it using rkill and Malwarebytes.

Here are my DDS logs. I tried running Gmer two times and each time my computer crashed and restarted. When that happened it displayed a blue screen for 2 seconds before restarting. I wasn't able to see everything that that bluescreen read but I did see "BAD_POOL_HEADER"

Thank you so much for your time and help!


DDS log:

DDS (Ver_10-12-12.02) - NTFSx86
Run by Asthom at 12:15:59,50 on 11/01/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Édition familiale 5.1.2600.3.1252.33.1036.18.502.38 [GMT -5:00]

AV: Lavasoft Ad-Watch Live! Antivirus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\dgdersvc.exe
C:\WINDOWS\system32\FsUsbExService.Exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Fichiers communs\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Fichiers communs\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Fichiers communs\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\VoipBuster.com\VoipBuster\VoipBuster.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Asthom\Mes documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://vcl.vaio.sony.co.jp/eu/PforVAIO.htm
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:8074
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: Userinit=userinit.exe
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [VoipBuster] "c:\program files\voipbuster.com\voipbuster\VoipBuster.exe" -nosplash -minimized
uRun: [KiesTrayAgent]
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AzMixerSel] c:\program files\realtek\installshield\AzMixerSel.exe
mRun: [Mouse Suite 98 Daemon] ICO.EXE
mRun: [SonyPowerCfg] c:\program files\sony\vaio power management\SPMgr.exe
mRun: [ISBMgr.exe] c:\program files\sony\isb utility\ISBMgr.exe
mRun: [VAIO Update 2] "c:\program files\sony\vaio update 2\VAIOUpdt.exe" /Stationary
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [TkBellExe] "c:\program files\fichiers communs\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [RavAV] c:\windows\RavMonE.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\menudm~1\progra~1\dmarra~1\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xporter vers Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_03\bin\npjpi150_03.dll
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\fichie~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
Notify: VESWinlogon - VESWinlogon.dll
Notify: winijt32 - winijt32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\asthom\applic~1\mozilla\firefox\profiles\bzgc09qe.default\
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\asthom\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\java\jre1.5.0_03\bin\NPJPI150_03.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npclntax_ZangoSA.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-1-8 64288]
R3 dgderdrv;dgderdrv;c:\windows\system32\drivers\dgderdrv.sys [2010-7-30 18120]
R3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2010-12-25 36608]
S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\drivers\ssudbus.sys [2010-12-25 64320]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-12-3 15264]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-1-25 42000]
S3 ssudmdm;SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\drivers\ssudmdm.sys [2010-12-25 179520]
S3 ssudserd;SAMSUNG Mobile USB Diagnostic Serial Port(DEVGURU Ver.);c:\windows\system32\drivers\ssudserd.sys [2010-12-25 179520]

=============== Created Last 30 ================

2011-01-09 02:36:03 15880 ----a-w- c:\windows\system32\lsdelete.exe
2011-01-08 23:05:37 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-01-08 23:05:27 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-01-08 22:55:19 -------- d-----w- c:\docume~1\asthom\locals~1\applic~1\Sunbelt Software
2011-01-08 22:54:23 -------- dc-h--w- c:\docume~1\alluse~1\applic~1\{2162CCC0-3A5F-4887-B51F-CE5F195B3620}
2011-01-08 22:53:36 -------- d-----w- c:\program files\Lavasoft
2011-01-08 17:34:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2011-01-08 17:32:24 12872 ----a-w- c:\windows\system32\bootdelete.exe
2011-01-08 05:57:37 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-01-08 05:56:56 -------- d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2011-01-07 21:15:00 106496 ----a-w- c:\windows\system32\winijt32.dll
2011-01-07 19:08:28 200704 ----a-w- c:\windows\system32\vbalExpBar6.ocx
2011-01-07 19:08:27 44544 ----a-w- c:\windows\system32\GIF89.DLL
2011-01-07 19:08:26 40960 ----a-w- c:\windows\system32\SSubTmr6.dll
2011-01-07 19:08:26 15360 ----a-w- c:\windows\system32\inetfr.DLL
2011-01-07 19:08:26 115920 ----a-w- c:\windows\system32\msinet.OCX
2011-01-07 19:08:25 119568 ----a-w- c:\windows\system32\VB6FR.DLL
2011-01-07 19:08:25 101888 ----a-w- c:\windows\system32\VB6STKIT.DLL
2011-01-07 19:08:24 32768 ----a-w- c:\windows\system32\CMDLGFR.DLL
2011-01-07 19:08:24 141312 ----a-w- c:\windows\system32\MSCMCFR.DLL
2011-01-07 19:08:23 484352 ----a-w- c:\windows\system32\lame_enc.dll
2011-01-07 19:08:23 -------- d-----w- c:\program files\Free Easy Burner
2011-01-07 19:08:23 -------- d-----w- c:\docume~1\asthom\applic~1\FreeBurner
2010-12-25 16:08:19 179520 ----a-w- c:\windows\system32\drivers\ssudserd.sys
2010-12-25 16:08:18 179520 ----a-w- c:\windows\system32\drivers\ssudmdm.sys
2010-12-25 16:08:17 64320 ----a-w- c:\windows\system32\drivers\ssudbus.sys
2010-12-25 16:07:03 36608 ----a-w- c:\windows\system32\FsUsbExDisk.Sys
2010-12-25 16:07:03 233472 ----a-w- c:\windows\system32\FsUsbExService.Exe
2010-12-25 16:07:03 110592 ----a-w- c:\windows\system32\FsUsbExDevice.Dll
2010-12-25 16:04:46 -------- d-----w- c:\program files\PC Connectivity Solution
2010-12-25 16:02:33 -------- d-----w- c:\program files\Common Files
2010-12-25 16:02:07 -------- d-----w- c:\docume~1\asthom\applic~1\Samsung
2010-12-25 16:02:05 -------- d-----w- c:\program files\MarkAny
2010-12-25 16:02:02 -------- d-----w- c:\docume~1\alluse~1\applic~1\Samsung
2010-12-25 16:01:46 -------- d-----w- c:\program files\Samsung
2010-12-25 16:01:38 -------- d-----w- c:\program files\fichiers communs\Samsung
2010-12-22 11:26:02 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-22 11:22:10 45568 -c----w- c:\windows\system32\dllcache\wab.exe

==================== Find3M ====================

2010-11-18 18:12:45 86016 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:21:45 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:21:44 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:21:44 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:26:15 385024 ----a-w- c:\windows\system32\html.iec
2010-10-28 13:14:14 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 14:07:17 1853440 ----a-w- c:\windows\system32\win32k.sys

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: TOSHIBA_MK8032GSX rev.AS111G -> Harddisk0\DR0 -> \Device\0000007f

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x82974555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8297a7b0]; MOV EAX, [0x8297a82c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x82936030]
3 CLASSPNP[0xF8515FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\00000078[0x829CB460]
5 ACPI[0xF838B620] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x829CB5F8]
\Driver\atapi[0x82987788] -> IRP_MJ_CREATE -> 0x82974555
error: Read Le périphérique n'est pas prêt.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskTOSHIBA_MK8032GSX_______________________AS111G__#5&49717e6&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8297439B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 12:18:37,14 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:12:28 PM

Posted 17 January 2011 - 08:54 AM

Hi,

Welcome to Bleeping Computer.

My name is Shannon and I will be working with you to remove the malware that is on your machine.

I apologize for the delay in replying to your post, but this forum is extremely busy.

Please Track this topic - On the top right on this tread, click on the Option button, and, in the drop-down list, click on 'Track this topic'. Under Subscription Information, click on 'Immediate Email Notification' and then click on the Proceed button at the bottom.

Do Not make any changes on your own to the infected computer.

Please set your system to show all files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Now, let's look more thoroughly at the infected computer -

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a log from the GMER anti-rootkit scanner, but, first, we need to disable your CD Emulation drivers.

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

Next, please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    Posted Image
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

Once you have the above logs, click on the Add Reply button below, copy in the DDS log, and include the Attach.txt and the GMER log as attachments. Also include any comments that you might have concerning the infection(s) and the infected computer.
Shannon

#3 tbellier

tbellier
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:11:28 AM

Posted 18 January 2011 - 04:29 PM

Hi Shannon,
Thanks a lot for your reply. I had no problem running DDS but I couldn't run GMER. I used DeFogger as directed, but everytime I launched GMER I got a blue screen and my computer restarted. I tried running it in safe mode 4 times in a row, but every time it froze after 1 to 15 minutes of scanning, and I couldn't do anything but restart the computer. I don't know if it's relevant, but DeFogger did not ask me to reboot the computer after I disabled the emulation drives. Here's the DeFogger log just in case:

defogger_disable by jpshortstuff (23.02.10.1)
Log created at 14:40 on 18/01/2011 (Asthom)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...


-=E.O.F=-



And here is the DDS log:


DDS (Ver_10-12-12.02) - NTFSx86
Run by Asthom at 14:19:24,43 on 18/01/2011
Internet Explorer: 8.0.6001.18702

============== Running Processes ===============

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\dgdersvc.exe
C:\WINDOWS\system32\FsUsbExService.Exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Fichiers communs\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Fichiers communs\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Fichiers communs\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Asthom\Mes documents\Downloads\dds.scr
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\System32\svchost.exe -k netsvcs

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://vcl.vaio.sony.co.jp/eu/PforVAIO.htm
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:8074
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [VoipBuster] "c:\program files\voipbuster.com\voipbuster\VoipBuster.exe" -nosplash -minimized
uRun: [KiesTrayAgent]
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AzMixerSel] c:\program files\realtek\installshield\AzMixerSel.exe
mRun: [Mouse Suite 98 Daemon] ICO.EXE
mRun: [SonyPowerCfg] c:\program files\sony\vaio power management\SPMgr.exe
mRun: [ISBMgr.exe] c:\program files\sony\isb utility\ISBMgr.exe
mRun: [VAIO Update 2] "c:\program files\sony\vaio update 2\VAIOUpdt.exe" /Stationary
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [TkBellExe] "c:\program files\fichiers communs\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [RavAV] c:\windows\RavMonE.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: E&xporter vers Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_03\bin\npjpi150_03.dll
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\fichie~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
Notify: VESWinlogon - VESWinlogon.dll
Notify: winijt32 - winijt32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\asthom\applic~1\mozilla\firefox\profiles\bzgc09qe.default\
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\asthom\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\java\jre1.5.0_03\bin\NPJPI150_03.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npclntax_ZangoSA.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

============= SERVICES / DRIVERS ===============

R? dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.)
R? Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service
R? NPF;NetGroup Packet Filter Driver
R? ssudmdm;SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.)
R? ssudserd;SAMSUNG Mobile USB Diagnostic Serial Port(DEVGURU Ver.)
S? AdobeActiveFileMonitor;Adobe Active File Monitor
S? dgderdrv;dgderdrv
S? dgdersvc;Device Error Recovery Service
S? FsUsbExDisk;FsUsbExDisk
S? FsUsbExService;FsUsbExService
S? Lavasoft Kernexplorer;Lavasoft helper driver
S? Lbd;Lbd
S? PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect

=============== Created Last 30 ================

2011-01-13 03:19:08 -------- d-----w- c:\docume~1\alluse~1\applic~1\DivX
2011-01-09 02:36:03 15880 ----a-w- c:\windows\system32\lsdelete.exe
2011-01-08 23:05:37 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-01-08 23:05:27 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-01-08 22:55:19 -------- d-----w- c:\docume~1\asthom\locals~1\applic~1\Sunbelt Software
2011-01-08 22:54:23 -------- dc-h--w- c:\docume~1\alluse~1\applic~1\{2162CCC0-3A5F-4887-B51F-CE5F195B3620}
2011-01-08 22:53:36 -------- d-----w- c:\program files\Lavasoft
2011-01-08 17:34:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2011-01-08 17:32:24 12872 ----a-w- c:\windows\system32\bootdelete.exe
2011-01-08 05:57:37 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-01-08 05:56:56 -------- d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2011-01-07 21:15:00 106496 ----a-w- c:\windows\system32\winijt32.dll
2011-01-07 19:08:28 200704 ----a-w- c:\windows\system32\vbalExpBar6.ocx
2011-01-07 19:08:27 44544 ----a-w- c:\windows\system32\GIF89.DLL
2011-01-07 19:08:26 40960 ----a-w- c:\windows\system32\SSubTmr6.dll
2011-01-07 19:08:26 15360 ----a-w- c:\windows\system32\inetfr.DLL
2011-01-07 19:08:26 115920 ----a-w- c:\windows\system32\msinet.OCX
2011-01-07 19:08:25 119568 ----a-w- c:\windows\system32\VB6FR.DLL
2011-01-07 19:08:25 101888 ----a-w- c:\windows\system32\VB6STKIT.DLL
2011-01-07 19:08:24 32768 ----a-w- c:\windows\system32\CMDLGFR.DLL
2011-01-07 19:08:24 141312 ----a-w- c:\windows\system32\MSCMCFR.DLL
2011-01-07 19:08:23 484352 ----a-w- c:\windows\system32\lame_enc.dll
2011-01-07 19:08:23 -------- d-----w- c:\program files\Free Easy Burner
2011-01-07 19:08:23 -------- d-----w- c:\docume~1\asthom\applic~1\FreeBurner
2010-12-25 16:08:19 179520 ----a-w- c:\windows\system32\drivers\ssudserd.sys
2010-12-25 16:08:18 179520 ----a-w- c:\windows\system32\drivers\ssudmdm.sys
2010-12-25 16:08:17 64320 ----a-w- c:\windows\system32\drivers\ssudbus.sys
2010-12-25 16:07:03 36608 ----a-w- c:\windows\system32\FsUsbExDisk.Sys
2010-12-25 16:07:03 233472 ----a-w- c:\windows\system32\FsUsbExService.Exe
2010-12-25 16:07:03 110592 ----a-w- c:\windows\system32\FsUsbExDevice.Dll
2010-12-25 16:04:46 -------- d-----w- c:\program files\PC Connectivity Solution
2010-12-25 16:02:33 -------- d-----w- c:\program files\Common Files
2010-12-25 16:02:07 -------- d-----w- c:\docume~1\asthom\applic~1\Samsung
2010-12-25 16:02:05 -------- d-----w- c:\program files\MarkAny
2010-12-25 16:02:02 -------- d-----w- c:\docume~1\alluse~1\applic~1\Samsung
2010-12-25 16:01:46 -------- d-----w- c:\program files\Samsung
2010-12-25 16:01:38 -------- d-----w- c:\program files\fichiers communs\Samsung
2010-12-22 11:26:02 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-22 11:22:10 45568 -c----w- c:\windows\system32\dllcache\wab.exe

==================== Find3M ====================

2010-11-18 18:12:45 86016 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:21:45 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:21:44 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:21:44 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:26:15 385024 ----a-w- c:\windows\system32\html.iec
2010-10-28 13:14:14 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 14:07:17 1853440 ----a-w- c:\windows\system32\win32k.sys

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: TOSHIBA_MK8032GSX rev.AS111G -> Harddisk0\DR0 -> \Device\0000007d

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x82904555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8290a7b0]; MOV EAX, [0x8290a82c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x829589C0]
3 CLASSPNP[0xF8515FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\00000076[0x82959F18]
5 ACPI[0xF838B620] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x82922B58]
\Driver\atapi[0x82970BC8] -> IRP_MJ_CREATE -> 0x82904555
error: Read Le périphérique n'est pas prêt.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskTOSHIBA_MK8032GSX_______________________AS111G__#5&49717e6&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8290439B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 14:21:49,04 ===============

Attached Files



#4 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:12:28 PM

Posted 19 January 2011 - 09:29 AM

Hi-

Thank for the reports. They did show some problems and one was backdoor trojan. A backdoor trojan allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you decide to continue with the cleanup -

Download Combofix from either of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: how-to-use-combofix

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

How to Temporarily Disable your Anti-virusl


Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please copy the "C:\ComboFix.txt" into your reply.
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall


Your Java runtimes are out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version here - Java Runtime Environment (JRE) Version 6
  • Scroll down to where it says "JDK 6 Update 23 (JRE) ...allows end-users to run Java applications".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u23-windows-i586.exe to install the newest version.

Looking at the logs, I don't see an Anti Virus Program running on your machine and one is needed to help prevent more infections
  • Download and install an antivirus program, and make sure that you keep it updated.
    New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
    Two good antivirus programs, free for non-commercial home use, are Avast! and Antivir
    Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impair the performance of your PC.

Next, we need to create an OTL Report
  • Please download OTL from here:
  • Main Mirror
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Change the "Extra Registry" option to "Use SafeList"
  • Push the Posted Image button.
  • Two reports will open, copy and paste them into your reply:
  • OTL.txt <-- Will be opened
  • Extra.txt <-- Will be minimized

In your reply, please copy in the ComboFix report and the two OTL reports, and let me know how your computer is running now.
Shannon

#5 tbellier

tbellier
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:11:28 AM

Posted 20 January 2011 - 11:49 AM

Hi Shannon,
Once again, thanks for the prompt reply.

- I tried running combofix. It installed the recovery console and restarted. It then told me that a rootkit TD3 had been detected. Then, it reached "step 50" and all of a sudden I got a blue screen and the computer restarted.

- I looked for the Java update that you told me to install, but I can't figure out which one I need to get: is it the "Java Platform, Standard Edition" -> Download JRE? Or is it one of the JDK bundles?

- Should I install antivirus software now? Or wait until my computer is cleaned up?

- I figured I would wait for your reply to this post before creating an OTL report, as it seems like it needs to be done after running ComboFix and updating Java.

Thanks you so much,

Thomas

#6 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:12:28 PM

Posted 20 January 2011 - 12:05 PM

Hi-

ComboFix might have saved its report at C:\ComboFix.txt. If it has, copy that into your reply. If there is no report file, rerun ComboFix.

Java - the instructions call for the JRE version.

On the anti-virus software, let's wait until we get ComboFix run.
Shannon

#7 tbellier

tbellier
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:11:28 AM

Posted 20 January 2011 - 01:07 PM

Hi Shannon,
Thank you again. I installed the newest version on Java JRE. I then tried to run Combofix, as I could not find the log in the C: drive, but the same thing happened. The blue screen I got before the computer restarted read "BAD_POOL_HEADER". What should I do now?

Thanks so much,

Thomas

#8 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:12:28 PM

Posted 20 January 2011 - 02:03 PM

Hi-

Well, let's try another tool instead of ComboFix for now.

Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Double click TDSSKiller.exe
  • Press Start Scan
  • If Malicious objects are found then ensure Cure is selected
  • Click Continue > Reboot now
  • Copy and paste the log in your next reply
    Note:A copy of the log will be saved automatically to the root of the drive (typically C:\)

Copy the TDSSKiller report into your reply.
Shannon

#9 tbellier

tbellier
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:11:28 AM

Posted 20 January 2011 - 06:27 PM

Hey Shannon!
I just ran TDSSkiller: it found one rootkit infection and deleted it. When the computer rebooted, I didn't get the blue screen that usually got everytime I rebooted. Here's the log:


2011/01/20 18:15:32.0595 TDSS rootkit removing tool 2.4.14.0 Jan 18 2011 09:33:51
2011/01/20 18:15:32.0595 ================================================================================
2011/01/20 18:15:32.0595 SystemInfo:
2011/01/20 18:15:32.0595
2011/01/20 18:15:32.0595 OS Version: 5.1.2600 ServicePack: 3.0
2011/01/20 18:15:32.0595 Product type: Workstation
2011/01/20 18:15:32.0595 ComputerName: THOMAS
2011/01/20 18:15:32.0595 UserName: Asthom
2011/01/20 18:15:32.0595 Windows directory: C:\WINDOWS
2011/01/20 18:15:32.0595 System windows directory: C:\WINDOWS
2011/01/20 18:15:32.0595 Processor architecture: Intel x86
2011/01/20 18:15:32.0595 Number of processors: 1
2011/01/20 18:15:32.0595 Page size: 0x1000
2011/01/20 18:15:32.0595 Boot type: Normal boot
2011/01/20 18:15:32.0595 ================================================================================
2011/01/20 18:15:33.0516 Initialize success
2011/01/20 18:15:40.0048 ================================================================================
2011/01/20 18:15:40.0048 Scan started
2011/01/20 18:15:40.0048 Mode: Manual;
2011/01/20 18:15:40.0048 ================================================================================
2011/01/20 18:15:42.0048 ACPI (e5e6dbfc41ea8aad005cb9a57a96b43b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/01/20 18:15:42.0111 ACPIEC (e4abc1212b70bb03d35e60681c447210) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
2011/01/20 18:15:42.0220 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/01/20 18:15:42.0267 AegisP (2c5c22990156a1063e19ad162191dc1d) C:\WINDOWS\system32\DRIVERS\AegisP.sys
2011/01/20 18:15:42.0376 AFD (322d0e36693d6e24a2398bee62a268cd) C:\WINDOWS\System32\drivers\afd.sys
2011/01/20 18:15:42.0689 ApfiltrService (b21fcbc58cb13bac70f74b5ac5da7409) C:\WINDOWS\system32\DRIVERS\Apfiltr.sys
2011/01/20 18:15:42.0767 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2011/01/20 18:15:43.0002 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/01/20 18:15:43.0158 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/01/20 18:15:43.0267 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/01/20 18:15:43.0345 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/01/20 18:15:43.0392 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/01/20 18:15:43.0689 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/01/20 18:15:43.0752 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2011/01/20 18:15:43.0830 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/01/20 18:15:43.0892 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/01/20 18:15:43.0986 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/01/20 18:15:44.0283 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2011/01/20 18:15:44.0361 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2011/01/20 18:15:44.0564 dgderdrv (3be1651c63954067940e7f473498ad70) C:\WINDOWS\system32\drivers\dgderdrv.sys
2011/01/20 18:15:44.0627 dg_ssudbus (2b7e31520f3bcf584b99366a6d192fb5) C:\WINDOWS\system32\DRIVERS\ssudbus.sys
2011/01/20 18:15:44.0767 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/01/20 18:15:44.0861 dmboot (f5deadd42335fb33edca74ecb2f36cba) C:\WINDOWS\system32\drivers\dmboot.sys
2011/01/20 18:15:44.0924 DMICall (526192bf7696f72e29777bf4a180513a) C:\WINDOWS\system32\DRIVERS\DMICall.sys
2011/01/20 18:15:45.0017 dmio (5a7c47c9b3f9fb92a66410a7509f0c71) C:\WINDOWS\system32\drivers\dmio.sys
2011/01/20 18:15:45.0158 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/01/20 18:15:45.0205 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/01/20 18:15:45.0314 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/01/20 18:15:45.0377 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/01/20 18:15:45.0439 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2011/01/20 18:15:45.0486 Fips (31f923eb2170fc172c81abda0045d18c) C:\WINDOWS\system32\drivers\Fips.sys
2011/01/20 18:15:45.0658 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2011/01/20 18:15:45.0752 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/01/20 18:15:45.0830 FsUsbExDisk (cbe5f69a5e5b918225f420ba748f3742) C:\WINDOWS\system32\FsUsbExDisk.SYS
2011/01/20 18:15:45.0939 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/01/20 18:15:46.0017 Ftdisk (a86859b77b908c18c2657f284aa29fe3) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/01/20 18:15:46.0096 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2011/01/20 18:15:46.0158 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/01/20 18:15:46.0252 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/01/20 18:15:46.0439 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/01/20 18:15:46.0642 HSFHWAZL (9bec5d4ac6efdaaf001d42c77811e3db) C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys
2011/01/20 18:15:47.0189 HSF_DPV (6cad234becf58529879b6c303f02777f) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
2011/01/20 18:15:47.0392 HTTP (f6aacf5bce2893e0c1754afeb672e5c9) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/01/20 18:15:47.0580 i8042prt (a09bdc4ed10e3b2e0ec27bb94af32516) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/01/20 18:15:47.0705 ialm (240d0f5d7caafd87bd8d801a97bbe041) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
2011/01/20 18:15:47.0893 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/01/20 18:15:48.0283 IntcAzAudAddService (8443479648f804445e9dafef0f219231) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2011/01/20 18:15:48.0799 IntelIde (4b6da2f0a4095857a9e3f3697399d575) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/01/20 18:15:48.0861 intelppm (ad340800c35a42d4de1641a37feea34c) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/01/20 18:15:48.0924 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/01/20 18:15:48.0971 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/01/20 18:15:49.0049 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/01/20 18:15:49.0127 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/01/20 18:15:49.0236 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/01/20 18:15:49.0393 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/01/20 18:15:49.0471 isapnp (355836975a67b6554bca60328cd6cb74) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/01/20 18:15:49.0518 Kbdclass (16813155807c6881f4bfbf6657424659) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/01/20 18:15:49.0596 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/01/20 18:15:49.0674 KSecDD (1705745d900dabf2d89f90ebaddc7517) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/01/20 18:15:49.0877 mdmxsdk (3c318b9cd391371bed62126581ee9961) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
2011/01/20 18:15:49.0940 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/01/20 18:15:50.0018 Modem (510ade9327fe84c10254e1902697e25f) C:\WINDOWS\system32\drivers\Modem.sys
2011/01/20 18:15:50.0127 Mouclass (027c01bd7ef3349aaebc883d8a799efb) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/01/20 18:15:50.0190 mouhid (124d6846040c79b9c997f78ef4b2a4e5) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/01/20 18:15:50.0377 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/01/20 18:15:50.0486 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/01/20 18:15:50.0658 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/01/20 18:15:50.0846 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/01/20 18:15:50.0971 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/01/20 18:15:51.0018 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/01/20 18:15:51.0080 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/01/20 18:15:51.0127 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/01/20 18:15:51.0346 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2011/01/20 18:15:51.0487 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/01/20 18:15:51.0533 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2011/01/20 18:15:51.0643 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/01/20 18:15:51.0737 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2011/01/20 18:15:51.0768 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/01/20 18:15:51.0799 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/01/20 18:15:51.0830 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/01/20 18:15:51.0908 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/01/20 18:15:52.0002 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/01/20 18:15:52.0096 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/01/20 18:15:52.0252 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2011/01/20 18:15:52.0315 nm (1e421a6bcf2203cc61b821ada9de878b) C:\WINDOWS\system32\DRIVERS\NMnt.sys
2011/01/20 18:15:52.0377 NPF (b15e0180c43d8b5219196d76878cc2dd) C:\WINDOWS\system32\drivers\npf.sys
2011/01/20 18:15:52.0471 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/01/20 18:15:52.0533 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/01/20 18:15:52.0658 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/01/20 18:15:52.0721 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/01/20 18:15:52.0752 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/01/20 18:15:52.0846 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2011/01/20 18:15:52.0908 Parport (8fd0bdbea875d06ccf6c945ca9abaf75) C:\WINDOWS\system32\drivers\Parport.sys
2011/01/20 18:15:52.0987 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/01/20 18:15:53.0112 ParVdm (9575c5630db8fb804649a6959737154c) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/01/20 18:15:53.0174 PCI (043410877bda580c528f45165f7125bc) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/01/20 18:15:53.0252 PCIIde (f4bfde7209c14a07aaa61e4d6ae69eac) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/01/20 18:15:53.0315 Pcmcia (f0406cbc60bdb0394a0e17ffb04cdd3d) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
2011/01/20 18:15:53.0549 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/01/20 18:15:53.0580 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/01/20 18:15:53.0721 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/01/20 18:15:53.0784 PxHelp20 (86724469cd077901706854974cd13c3e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/01/20 18:15:53.0924 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/01/20 18:15:53.0971 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/01/20 18:15:54.0002 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/01/20 18:15:54.0049 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/01/20 18:15:54.0127 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/01/20 18:15:54.0268 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/01/20 18:15:54.0362 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/01/20 18:15:54.0455 redbook (d8eb2a7904db6c916eb5361878ddcbae) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/01/20 18:15:54.0549 RTL8023xp (7f0413bdd7d53eb4c7a371e7f6f84df1) C:\WINDOWS\system32\DRIVERS\Rtlnicxp.sys
2011/01/20 18:15:54.0596 s24trans (208491a652c79871737edfe629de2c45) C:\WINDOWS\system32\DRIVERS\s24trans.sys
2011/01/20 18:15:54.0674 sbp2port (b244960e5a1db8e9d5d17086de37c1e4) C:\WINDOWS\system32\DRIVERS\sbp2port.sys
2011/01/20 18:15:54.0815 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/01/20 18:15:54.0862 Serial (93d313c31f7ad9ea2b75f26075413c7c) C:\WINDOWS\system32\drivers\Serial.sys
2011/01/20 18:15:54.0956 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/01/20 18:15:55.0018 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2011/01/20 18:15:55.0065 SNC (be6038e0a7d2e2fe69107e41a0265831) C:\WINDOWS\system32\Drivers\SonyNC.sys
2011/01/20 18:15:55.0174 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/01/20 18:15:55.0268 sr (39626e6dc1fb39434ec40c42722b660a) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/01/20 18:15:55.0393 Srv (da852e3e0bf1cea75d756f9866241e57) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/01/20 18:15:55.0471 ssudmdm (9c8f881a270e8e3bcc1b6e5f620234ba) C:\WINDOWS\system32\DRIVERS\ssudmdm.sys
2011/01/20 18:15:55.0549 ssudserd (07888d763184acd61df3d38f3fac20e3) C:\WINDOWS\system32\DRIVERS\ssudserd.sys
2011/01/20 18:15:55.0612 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2011/01/20 18:15:55.0659 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/01/20 18:15:55.0721 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/01/20 18:15:55.0846 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/01/20 18:15:55.0987 Tcpip (93ea8d04ec73a85db02eb8805988f733) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/01/20 18:15:56.0065 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/01/20 18:15:56.0127 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/01/20 18:15:56.0237 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/01/20 18:15:56.0299 tifmsony (2c946b5dfbe608ec036f88d98658ef75) C:\WINDOWS\system32\drivers\tifmsony.sys
2011/01/20 18:15:56.0362 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/01/20 18:15:56.0456 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/01/20 18:15:56.0549 USBAAPL (1df89c499bf45d878b87ebd4421d462d) C:\WINDOWS\system32\Drivers\usbaapl.sys
2011/01/20 18:15:56.0659 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
2011/01/20 18:15:56.0721 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/01/20 18:15:56.0753 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/01/20 18:15:56.0815 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/01/20 18:15:56.0862 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/01/20 18:15:56.0924 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/01/20 18:15:56.0971 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/01/20 18:15:57.0096 usbvm321 (45bec1a2ed39187853c0edade0502e82) C:\WINDOWS\system32\Drivers\usbvm321.sys
2011/01/20 18:15:57.0190 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/01/20 18:15:57.0299 VolSnap (46de1126684369bace4849e4fc8c43ca) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/01/20 18:15:57.0503 w29n51 (67caa926ef06e07f2d31056b39f51c54) C:\WINDOWS\system32\DRIVERS\w29n51.sys
2011/01/20 18:15:57.0721 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/01/20 18:15:57.0768 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/01/20 18:15:57.0862 winachsf (ab7646d4cb9bb83d29d21ef7e00a0d15) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
2011/01/20 18:15:57.0987 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
2011/01/20 18:15:58.0049 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/01/20 18:15:58.0190 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/01/20 18:15:58.0253 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/01/20 18:15:58.0331 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/01/20 18:15:58.0331 ================================================================================
2011/01/20 18:15:58.0331 Scan finished
2011/01/20 18:15:58.0331 ================================================================================
2011/01/20 18:15:58.0346 Detected object count: 1
2011/01/20 18:16:07.0660 \HardDisk0 - will be cured after reboot
2011/01/20 18:16:07.0660 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2011/01/20 18:16:11.0160 Deinitialize success

#10 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:12:28 PM

Posted 20 January 2011 - 08:38 PM

Hi-

Now try ComboFix again.
Shannon

#11 tbellier

tbellier
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:11:28 AM

Posted 20 January 2011 - 09:15 PM

Hey Shannon,
I just tried running ComboFix again, and I got the blue screen again. And still no log in C:. It happened after "step_50". The 50 steps were completed, and "Deleting files" or something similar appeared, and one second after that I got a blue screen that read "BAD_POOL_HEADER" and my computer restarted. However, something new happened: in the first phase of the ComboFix scan (before it restarts your computer), it told me that it had found an infection and that I should right down its location:
C:\Documents and Settings\Asthom\Application Data\Wuluky\tybuc.exe

Thanks again for your help,
Thomas

#12 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:12:28 PM

Posted 21 January 2011 - 09:46 AM

Hi-

The Step 50 abort is usually caused by an over active anti-virus program and you don't have one installed.

Let's check out that file that Combofix flagged -


Before we start
, please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti
When the Jotti page has finished loading, click Jotti's Browse button and navigate to the following file and click the Submit file button within Jotti.

C:\Documents and Settings\Asthom\Application Data\Wuluky\tybuc.exe

If Jotti reports that the file has been scanned before and gives you those results, click on the Scan Again button.
Please post back the results of the scan in your next post.
If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

Please run Malwarebytes' Anti-Malware (MBAM)
  • Click on the Update tab and click the Check for Updates button.
  • When the update is finished, click on the Scanner tab.
  • Select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.

Next, we need to create an OTL Report
  • Please download OTL from here:
  • Main Mirror
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Change the "Extra Registry" option to "Use SafeList"
  • Push the Posted Image button.
  • Two reports will open, copy and paste them into your reply:
  • OTL.txt <-- Will be opened
  • Extra.txt <-- Will be minimized

In your reply, let me know the results of the Jotti upload, and copy in the MBAM report and the two OTL reports.
Shannon

#13 tbellier

tbellier
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:11:28 AM

Posted 22 January 2011 - 07:06 PM

Hi Shannon,

I can't find the file at:

C:\Documents and Settings\Asthom\Application Data\Wuluky\tybuc.exe

even though I made sure that I could view all hidden files, so I couldn't analyze it with Jotti. Could it be that ComboFix deleted it? When I look at the folder's properties, it says that its size is 0 ko.

Should I still proceed with the MBAM and OTL scans?

Thank you so much,
Thomas

#14 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:12:28 PM

Posted 22 January 2011 - 07:36 PM

Hi-

Yes, go ahead and run MBAM & OTL.
Shannon

#15 tbellier

tbellier
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:11:28 AM

Posted 22 January 2011 - 09:07 PM

Ok, so here are the logs. Thanks!


MBAM

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Version de la base de données: 5574

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

22/01/2011 20:42:20
mbam-log-2011-01-22 (20-42-20).txt

Type d'examen: Examen complet (C:\|)
Elément(s) analysé(s): 225759
Temps écoulé: 48 minute(s), 44 seconde(s)

Processus mémoire infecté(s): 0
Module(s) mémoire infecté(s): 0
Clé(s) du Registre infectée(s): 1
Valeur(s) du Registre infectée(s): 1
Elément(s) de données du Registre infecté(s): 0
Dossier(s) infecté(s): 0
Fichier(s) infecté(s): 8

Processus mémoire infecté(s):
(Aucun élément nuisible détecté)

Module(s) mémoire infecté(s):
(Aucun élément nuisible détecté)

Clé(s) du Registre infectée(s):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR (Trojan.Downloader) -> Quarantined and deleted successfully.

Valeur(s) du Registre infectée(s):
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{27D855D3-8D19-7510-077C-374862E05D3D} (Spyware.Passwords.XGen) -> Value: {27D855D3-8D19-7510-077C-374862E05D3D} -> Delete on reboot.

Elément(s) de données du Registre infecté(s):
(Aucun élément nuisible détecté)

Dossier(s) infecté(s):
(Aucun élément nuisible détecté)

Fichier(s) infecté(s):
c:\documents and settings\Asthom\application data\Wenaqo\avil.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\documents and settings\administrateur\menu démarrer\programmes\démarrage\esvu.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\documents and settings\Asthom\application data\Ovuci\egmyo.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\documents and settings\Asthom\menu démarrer\programmes\démarrage\zuyked.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\documents and settings\default user\menu démarrer\programmes\démarrage\isinu.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\documents and settings\localservice\local settings\temporary internet files\Content.IE5\9M72IBP2\load[1].php (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\documents and settings\Asthom\application data\Wuluky\tybuc.exe.vir (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\system volume information\_restore{2ae20ede-3263-44a8-9a40-b36f1f414d5e}\RP405\A0065135.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.



OTL - OTL.txt

OTL logfile created on: 22/01/2011 21:00:35 - Run 1
OTL by OldTimer - Version 3.2.20.4 Folder = C:\Documents and Settings\Asthom\Bureau
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 0000040C | Country: France | Language: FRA | Date Format: dd/MM/yyyy

502,00 Mb Total Physical Memory | 164,00 Mb Available Physical Memory | 33,00% Memory free
1,00 Gb Paging File | 1,00 Gb Available in Paging File | 64,00% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 32,60 Gb Total Space | 2,54 Gb Free Space | 7,78% Space Free | Partition Type: NTFS
Drive D: | 34,94 Gb Total Space | 1,14 Gb Free Space | 3,27% Space Free | Partition Type: NTFS

Computer Name: THOMAS | User Name: Asthom | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/01/22 20:52:42 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Asthom\Bureau\OTL.exe
PRC - [2010/12/20 07:21:40 | 000,016,856 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\plugin-container.exe
PRC - [2010/12/20 07:21:36 | 000,912,344 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/10/04 11:16:14 | 011,755,312 | ---- | M] (VoipBuster) -- C:\Program Files\VoipBuster.com\VoipBuster\VoipBuster.exe
PRC - [2010/07/30 00:51:50 | 000,095,568 | ---- | M] (Devguru Co., Ltd.) -- C:\WINDOWS\system32\dgdersvc.exe
PRC - [2010/06/24 08:00:14 | 000,233,472 | ---- | M] (Teruten) -- C:\WINDOWS\system32\FsUsbExService.Exe
PRC - [2010/05/14 11:44:46 | 000,248,552 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe
PRC - [2009/08/31 10:14:56 | 000,198,160 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
PRC - [2009/07/09 05:22:18 | 000,144,712 | ---- | M] (Apple Inc.) -- C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2008/04/13 21:34:03 | 001,037,824 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2005/08/04 20:56:58 | 000,098,304 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxext.exe
PRC - [2005/06/15 04:06:44 | 000,131,072 | ---- | M] (Sony Corporation) -- C:\Program Files\Fichiers communs\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
PRC - [2005/06/15 04:06:44 | 000,118,784 | ---- | M] (Sony Corporation) -- C:\Program Files\Fichiers communs\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
PRC - [2005/06/15 04:06:42 | 000,270,336 | ---- | M] (Sony Corporation) -- C:\Program Files\Fichiers communs\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
PRC - [2005/06/02 18:49:40 | 000,372,809 | ---- | M] (Intel Corporation ) -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
PRC - [2005/06/02 18:47:44 | 000,086,016 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
PRC - [2005/06/02 18:46:28 | 000,139,264 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
PRC - [2005/05/20 10:41:42 | 000,153,600 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
PRC - [2005/05/14 22:51:24 | 000,184,320 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
PRC - [2005/03/03 14:47:18 | 000,483,328 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe
PRC - [2004/11/17 06:47:16 | 000,118,784 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\Apoint.exe
PRC - [2004/10/11 21:47:06 | 000,098,304 | ---- | M] () -- C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
PRC - [2004/10/11 20:40:38 | 000,118,784 | ---- | M] () -- C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
PRC - [2004/08/18 19:40:08 | 000,045,056 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\ApntEx.exe
PRC - [2004/02/20 07:12:34 | 000,032,768 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\ISB Utility\ISBMgr.exe
PRC - [2002/03/14 09:46:58 | 000,045,056 | ---- | M] (Primax Electronics Ltd.) -- C:\WINDOWS\system32\ico.exe


========== Modules (SafeList) ==========

MOD - [2011/01/22 20:52:42 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Asthom\Bureau\OTL.exe
MOD - [2010/08/23 11:12:39 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2010/07/30 00:51:50 | 000,095,568 | ---- | M] (Devguru Co., Ltd.) [Auto | Running] -- C:\WINDOWS\system32\dgdersvc.exe -- (dgdersvc)
SRV - [2010/06/24 08:00:14 | 000,233,472 | ---- | M] (Teruten) [Auto | Running] -- C:\WINDOWS\system32\FsUsbExService.Exe -- (FsUsbExService)
SRV - [2009/09/07 08:53:36 | 000,072,704 | ---- | M] (Adobe Systems) [On_Demand | Stopped] -- C:\Program Files\Fichiers communs\Adobe Systems Shared\Service\Adobelmsvc.exe -- (Adobe LM Service)
SRV - [2009/07/09 05:22:18 | 000,144,712 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2007/01/25 12:31:34 | 000,093,048 | ---- | M] (CACE Technologies) [On_Demand | Stopped] -- C:\Program Files\WinPcap\rpcapd.exe -- (rpcapd) Remote Packet Capture Protocol v.0 (experimental)
SRV - [2005/06/15 04:06:44 | 000,131,072 | ---- | M] (Sony Corporation) [Auto | Running] -- C:\Program Files\Fichiers communs\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe -- (VzCdbSvc)
SRV - [2005/06/15 04:06:44 | 000,118,784 | ---- | M] (Sony Corporation) [Auto | Running] -- C:\Program Files\Fichiers communs\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe -- (VzFw)
SRV - [2005/06/15 04:06:44 | 000,073,728 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Fichiers communs\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe -- (VAIO Entertainment TV Device Arbitration Service)
SRV - [2005/06/15 04:06:42 | 000,270,336 | ---- | M] (Sony Corporation) [On_Demand | Running] -- C:\Program Files\Fichiers communs\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe -- (Vcsw)
SRV - [2005/06/07 02:58:28 | 001,851,392 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe -- (VAIOMediaPlatform-IntegratedServer-AppServer)
SRV - [2005/06/06 20:44:10 | 000,770,048 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe -- (VAIOMediaPlatform-IntegratedServer-UPnP) VAIO Media Integrated Server (UPnP)
SRV - [2005/06/06 20:38:26 | 000,057,344 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe -- (VAIOMediaPlatform-IntegratedServer-HTTP) VAIO Media Integrated Server (HTTP)
SRV - [2005/06/06 20:37:14 | 000,188,416 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe -- (VAIOMediaPlatform-Mobile-Gateway)
SRV - [2005/06/06 18:32:54 | 000,053,337 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Fichiers communs\Sony Shared\AVLib\MSCSPTISRV.exe -- (MSCSPTISRV)
SRV - [2005/06/06 18:28:04 | 000,053,337 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Fichiers communs\Sony Shared\AVLib\PACSPTISVR.exe -- (PACSPTISVR)
SRV - [2005/06/06 18:22:34 | 000,069,718 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Fichiers communs\Sony Shared\AVLib\SPTISRV.exe -- (SPTISRV)
SRV - [2005/06/02 18:49:40 | 000,372,809 | ---- | M] (Intel Corporation ) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe -- (S24EventMonitor)
SRV - [2005/06/02 18:47:44 | 000,086,016 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe -- (EvtEng)
SRV - [2005/06/02 18:46:28 | 000,139,264 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe -- (RegSrvc)
SRV - [2005/05/20 10:41:42 | 000,153,600 | ---- | M] (Sony Corporation) [Auto | Running] -- C:\Program Files\Sony\VAIO Event Service\VESMgr.exe -- (VAIO Event Service)
SRV - [2005/04/05 06:06:36 | 000,032,768 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Sony\Image Converter 2\IcVzMon.exe -- (Image Converter video recording monitor for VAIO Entertainment)
SRV - [2005/01/04 04:09:36 | 000,398,336 | ---- | M] (Sony Corporation) [Auto | Stopped] -- C:\Program Files\Sony\VAIO Cooperated Initialisation\VCI_svc.exe -- (VCI)
SRV - [2004/10/11 21:47:06 | 000,098,304 | ---- | M] () [Auto | Running] -- C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe -- (AdobeActiveFileMonitor)
SRV - [2004/10/11 20:40:38 | 000,118,784 | ---- | M] () [Auto | Running] -- C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe -- (PhotoshopElementsDeviceConnect)


========== Driver Services (SafeList) ==========

DRV - [2010/09/15 23:30:36 | 000,179,520 | ---- | M] (DEVGURU Co., LTD.(www.devguru.co.kr)) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ssudserd.sys -- (ssudserd) SAMSUNG Mobile USB Diagnostic Serial Port(DEVGURU Ver.)
DRV - [2010/09/15 23:30:32 | 000,179,520 | ---- | M] (DEVGURU Co., LTD.(www.devguru.co.kr)) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ssudmdm.sys -- (ssudmdm) SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.)
DRV - [2010/09/15 23:30:28 | 000,064,320 | ---- | M] (DEVGURU Co., LTD.(www.devguru.co.kr)) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ssudbus.sys -- (dg_ssudbus) SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.)
DRV - [2010/07/30 00:51:50 | 000,018,120 | ---- | M] (Devguru Co., Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dgderdrv.sys -- (dgderdrv)
DRV - [2010/06/24 08:00:14 | 000,036,608 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\FsUsbExDisk.Sys -- (FsUsbExDisk)
DRV - [2008/04/13 13:53:09 | 000,040,320 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nmnt.sys -- (nm)
DRV - [2008/04/13 13:45:12 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) Pilote USB audio (WDM)
DRV - [2008/04/13 11:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2007/01/25 12:31:34 | 000,042,000 | ---- | M] (CACE Technologies) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\npf.sys -- (NPF)
DRV - [2005/08/12 03:33:22 | 000,231,936 | ---- | M] (Vimicro Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\usbvm321.sys -- (usbvm321)
DRV - [2005/08/11 14:00:44 | 000,077,312 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tifmsony.sys -- (tifmsony)
DRV - [2005/08/09 02:43:46 | 003,855,360 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2005/05/22 20:31:46 | 001,034,752 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2005/05/22 20:30:48 | 000,178,048 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)
DRV - [2005/05/22 20:30:42 | 000,716,288 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2005/05/03 00:03:54 | 000,011,354 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
DRV - [2005/04/30 09:01:56 | 003,281,408 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\w29n51.sys -- (w29n51) Pilote de carte de connexion réseau Intel®
DRV - [2005/03/03 21:10:00 | 000,074,496 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtlnicxp.sys -- (RTL8023xp)
DRV - [2004/11/21 23:31:10 | 000,108,767 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV - [2000/12/05 09:18:02 | 000,003,952 | ---- | M] (Sony Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\DMICall.sys -- (DMICall)
DRV - [2000/11/09 05:15:08 | 000,048,896 | ---- | M] (Sony Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SonyNC.sys -- (SNC)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.club-vaio.com/fr/
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.club-vaio.com/fr/
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.club-vaio.com/fr/

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.club-vaio.com/fr/

IE - HKU\S-1-5-21-703727560-981756060-509531452-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-703727560-981756060-509531452-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-703727560-981756060-509531452-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-21-703727560-981756060-509531452-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\S-1-5-21-703727560-981756060-509531452-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:8074

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..network.proxy.type: 0


FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/12/21 11:20:40 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/01/20 12:31:27 | 000,000,000 | ---D | M]

[2009/08/31 06:56:27 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Asthom\Application Data\Mozilla\Extensions
[2011/01/21 00:38:51 | 000,000,000 | ---D | M] ("Extension") -- C:\Documents and Settings\Asthom\Application Data\Mozilla\Firefox\Profiles\bzgc09qe.default\extensions
[2009/11/22 18:09:55 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Asthom\Application Data\Mozilla\Firefox\Profiles\bzgc09qe.default\extensions\_Output
[2010/08/21 03:51:33 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Asthom\Application Data\Mozilla\Firefox\Profiles\bzgc09qe.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/11/22 18:09:55 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Asthom\Application Data\Mozilla\Firefox\Profiles\bzgc09qe.default\extensions\chrome
[2009/11/22 18:09:55 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Asthom\Application Data\Mozilla\Firefox\Profiles\bzgc09qe.default\extensions\defaults
[2011/01/21 00:38:51 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/01/20 12:31:30 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
[2011/01/20 12:31:07 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2011/01/20 12:31:06 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2011/01/07 16:20:27 | 000,001,059 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.8minutedating.com
O1 - Hosts: 127.0.0.1 whysohardx.com
O1 - Hosts: 127.0.0.1 protectyourpc-11.com
O1 - Hosts: 127.0.0.1 checkserverstatux.com
O1 - Hosts: 127.0.0.1 xinmin.cn
O1 - Hosts: 127.0.0.1 xy95.cn
O1 - Hosts: 127.0.0.1 koralda.com
O1 - Hosts: 127.0.0.1 weirden.com
O1 - Hosts: 127.0.0.1 nanocloudcontroller.com
O1 - Hosts: 127.0.0.1 coo0lnet.net
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-21-703727560-981756060-509531452-1006\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-703727560-981756060-509531452-1006\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
O3 - HKU\S-1-5-21-703727560-981756060-509531452-1006\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Acrobat Assistant 7.0] C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [ISBMgr.exe] C:\Program Files\Sony\ISB Utility\ISBMgr.exe (Sony Corporation)
O4 - HKLM..\Run: [Mouse Suite 98 Daemon] C:\WINDOWS\System32\ico.exe (Primax Electronics Ltd.)
O4 - HKLM..\Run: [RavAV] File not found
O4 - HKLM..\Run: [SonyPowerCfg] C:\Program Files\Sony\VAIO Power Management\SPMgr.exe (Sony Corporation)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [VAIO Update 2] C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe (Sony Corporation)
O4 - HKU\S-1-5-21-703727560-981756060-509531452-1006..\Run: [KiesTrayAgent] File not found
O4 - HKU\S-1-5-21-703727560-981756060-509531452-1006..\Run: [VoipBuster] C:\Program Files\VoipBuster.com\VoipBuster\VoipBuster.exe (VoipBuster)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-703727560-981756060-509531452-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-703727560-981756060-509531452-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab (Windows Live Safety Center Base Module)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} http://lads.myspace.com/upload/MySpaceUploader2.cab (MySpace Uploader Control)
O16 - DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Fichiers communs\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Fichiers communs\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Fichiers communs\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Fichiers communs\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Fichiers communs\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Fichiers communs\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Fichiers communs\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Fichiers communs\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Fichiers communs\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\VESWinlogon: DllName - VESWinlogon.dll - C:\WINDOWS\System32\VESWinlogon.dll (Sony Corporation)
O20 - Winlogon\Notify\winijt32: DllName - winijt32.dll - C:\WINDOWS\System32\winijt32.dll ()
O24 - Desktop Components:0 (Ma page d'accueil) - About:Home
O24 - Desktop WallPaper:
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Asthom\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/08/22 08:24:22 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/01/22 20:52:40 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Asthom\Bureau\OTL.exe
[2011/01/22 18:59:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Asthom\Application Data\Ovuci
[2011/01/22 18:59:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Asthom\Application Data\Ekgo
[2011/01/20 21:06:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Asthom\Application Data\Wenaqo
[2011/01/20 21:06:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Asthom\Application Data\Ikle
[2011/01/20 20:47:08 | 000,000,000 | --SD | C] -- C:\ComboFix
[2011/01/20 18:10:06 | 001,349,208 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Asthom\Bureau\TDSSKiller.exe
[2011/01/20 17:36:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Asthom\Application Data\Wuluky
[2011/01/20 17:36:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Asthom\Application Data\Pedupi
[2011/01/20 12:31:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2011/01/20 12:31:58 | 000,000,000 | ---D | C] -- C:\Program Files\Fichiers communs\Java
[2011/01/20 12:31:27 | 000,472,808 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2011/01/20 12:31:27 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2011/01/20 12:31:27 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2011/01/20 12:31:27 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2011/01/20 12:31:27 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2011/01/20 12:21:57 | 016,561,952 | ---- | C] (Sun Microsystems, Inc.) -- C:\Documents and Settings\Asthom\Bureau\jre-6u23-windows-i586.exe
[2011/01/20 10:57:41 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2011/01/20 10:52:20 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/01/20 10:52:19 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/01/20 10:52:19 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/01/20 10:52:19 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/01/20 10:52:02 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/01/20 10:51:37 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/01/20 08:26:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\AdobeUM
[2011/01/18 14:22:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Asthom\Mes documents\Logs 2
[2011/01/18 09:22:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Real
[2011/01/17 21:06:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Microsoft Silverlight
[2011/01/17 21:06:42 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Silverlight
[2011/01/13 10:02:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe
[2011/01/12 22:19:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\DivX
[2011/01/11 13:07:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2011/01/11 12:22:40 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2011/01/09 14:12:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2011/01/08 18:05:27 | 000,098,392 | ---- | C] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2011/01/08 17:55:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Asthom\Local Settings\Application Data\Sunbelt Software
[2011/01/08 17:53:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2011/01/08 14:28:58 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Live Safety Center
[2011/01/08 12:34:34 | 000,337,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\netapi32.dll
[2011/01/08 12:32:24 | 000,012,872 | ---- | C] (SurfRight B.V.) -- C:\WINDOWS\System32\bootdelete.exe
[2011/01/08 00:56:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
[2011/01/08 00:06:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2011/01/08 00:06:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2011/01/07 19:06:45 | 000,000,000 | ---D | C] -- C:\WINDOWS\Sun
[2011/01/07 19:06:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Asthom\Application Data\Sun
[2011/01/07 14:08:28 | 000,200,704 | ---- | C] (vbAccelerator) -- C:\WINDOWS\System32\vbalExpBar6.ocx
[2011/01/07 14:08:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Free Easy Burner
[2011/01/07 14:08:26 | 000,115,920 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msinet.OCX
[2011/01/07 14:08:26 | 000,040,960 | ---- | C] (vbAccelerator) -- C:\WINDOWS\System32\SSubTmr6.dll
[2011/01/07 14:08:26 | 000,015,360 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\inetfr.DLL
[2011/01/07 14:08:25 | 000,119,568 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\VB6FR.DLL
[2011/01/07 14:08:25 | 000,101,888 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\VB6STKIT.DLL
[2011/01/07 14:08:24 | 000,141,312 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MSCMCFR.DLL
[2011/01/07 14:08:24 | 000,032,768 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\CMDLGFR.DLL
[2011/01/07 14:08:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Asthom\Application Data\FreeBurner
[2011/01/07 14:08:23 | 000,000,000 | ---D | C] -- C:\Program Files\Free Easy Burner
[2010/12/25 11:11:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Asthom\Mes documents\Samsung
[2010/12/25 11:09:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Samsung
[2010/12/25 11:08:19 | 000,179,520 | ---- | C] (DEVGURU Co., LTD.(www.devguru.co.kr)) -- C:\WINDOWS\System32\drivers\ssudserd.sys
[2010/12/25 11:08:18 | 000,179,520 | ---- | C] (DEVGURU Co., LTD.(www.devguru.co.kr)) -- C:\WINDOWS\System32\drivers\ssudmdm.sys
[2010/12/25 11:08:17 | 000,064,320 | ---- | C] (DEVGURU Co., LTD.(www.devguru.co.kr)) -- C:\WINDOWS\System32\drivers\ssudbus.sys
[2010/12/25 11:07:03 | 000,233,472 | ---- | C] (Teruten) -- C:\WINDOWS\System32\FsUsbExService.Exe
[2010/12/25 11:04:46 | 000,000,000 | ---D | C] -- C:\Program Files\PC Connectivity Solution
[2010/12/25 11:02:33 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files
[2010/12/25 11:02:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Asthom\Application Data\Samsung
[2010/12/25 11:02:05 | 000,000,000 | ---D | C] -- C:\Program Files\MarkAny
[2010/12/25 11:02:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Samsung
[2010/12/25 11:01:46 | 000,000,000 | ---D | C] -- C:\Program Files\Samsung
[2010/12/25 11:01:38 | 000,000,000 | ---D | C] -- C:\Program Files\Fichiers communs\Samsung
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/01/22 20:52:42 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Asthom\Bureau\OTL.exe
[2011/01/22 20:48:00 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/01/22 20:47:59 | 526,569,472 | -HS- | M] () -- C:\hiberfil.sys
[2011/01/20 20:46:05 | 004,158,707 | R--- | M] () -- C:\Documents and Settings\Asthom\Bureau\ComboFix.exe
[2011/01/20 12:31:06 | 000,157,472 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2011/01/20 12:31:06 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2011/01/20 12:31:06 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2011/01/20 12:31:06 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2011/01/20 12:31:05 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2011/01/20 12:23:24 | 016,561,952 | ---- | M] (Sun Microsystems, Inc.) -- C:\Documents and Settings\Asthom\Bureau\jre-6u23-windows-i586.exe
[2011/01/20 10:57:49 | 000,000,332 | RHS- | M] () -- C:\boot.ini
[2011/01/20 08:10:08 | 000,000,492 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2011/01/20 00:22:14 | 000,002,559 | ---- | M] () -- C:\Documents and Settings\Asthom\Bureau\Microsoft Word.lnk
[2011/01/19 13:20:05 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/01/18 14:24:54 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Asthom\defogger_reenable
[2011/01/18 09:34:52 | 001,349,208 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Asthom\Bureau\TDSSKiller.exe
[2011/01/17 17:21:45 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/01/15 08:48:14 | 000,000,280 | ---- | M] () -- C:\WINDOWS\tasks\scribeShakeIcon.job
[2011/01/08 18:05:27 | 000,098,392 | ---- | M] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2011/01/08 12:35:45 | 000,001,355 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/01/08 12:32:24 | 000,012,872 | ---- | M] (SurfRight B.V.) -- C:\WINDOWS\System32\bootdelete.exe
[2011/01/08 12:25:03 | 000,016,968 | ---- | M] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2011/01/07 18:42:28 | 000,501,138 | ---- | M] () -- C:\WINDOWS\System32\perfh00C.dat
[2011/01/07 18:42:28 | 000,432,690 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/01/07 18:42:28 | 000,080,946 | ---- | M] () -- C:\WINDOWS\System32\perfc00C.dat
[2011/01/07 18:42:28 | 000,067,646 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/01/07 16:14:59 | 000,106,496 | ---- | M] () -- C:\WINDOWS\System32\winijt32.dll
[2011/01/01 20:37:44 | 000,032,768 | ---- | M] () -- C:\Documents and Settings\Asthom\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/12/25 11:13:10 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\UMDF\Msft_User_WpdMtpDr_01_00_00.Wdf
[2010/12/25 11:06:27 | 000,002,528 | ---- | M] () -- C:\Documents and Settings\Asthom\Application Data\$_hpcst$.hpc
[2010/12/25 11:01:59 | 000,002,006 | ---- | M] () -- C:\aqua_bitmap.cpp
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/01/20 10:57:48 | 000,000,216 | ---- | C] () -- C:\Boot.bak
[2011/01/20 10:57:43 | 000,263,488 | RHS- | C] () -- C:\cmldr
[2011/01/20 10:52:20 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/01/20 10:52:20 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/01/20 10:52:19 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/01/20 10:52:19 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/01/20 10:52:19 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/01/20 10:43:56 | 004,158,707 | R--- | C] () -- C:\Documents and Settings\Asthom\Bureau\ComboFix.exe
[2011/01/18 16:20:21 | 526,569,472 | -HS- | C] () -- C:\hiberfil.sys
[2011/01/18 14:24:54 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Asthom\defogger_reenable
[2011/01/08 18:11:08 | 000,000,492 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2011/01/08 00:57:37 | 000,016,968 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2011/01/07 18:43:34 | 000,002,272 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2011/01/07 16:15:00 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\winijt32.dll
[2011/01/07 14:08:27 | 000,044,544 | ---- | C] () -- C:\WINDOWS\System32\GIF89.DLL
[2011/01/07 14:08:23 | 000,484,352 | ---- | C] () -- C:\WINDOWS\System32\lame_enc.dll
[2010/12/30 18:00:55 | 000,000,280 | ---- | C] () -- C:\WINDOWS\tasks\scribeShakeIcon.job
[2010/12/25 11:07:03 | 000,110,592 | ---- | C] () -- C:\WINDOWS\System32\FsUsbExDevice.Dll
[2010/12/25 11:07:03 | 000,036,608 | ---- | C] () -- C:\WINDOWS\System32\FsUsbExDisk.Sys
[2010/12/25 11:06:27 | 000,002,528 | ---- | C] () -- C:\Documents and Settings\Asthom\Application Data\$_hpcst$.hpc
[2010/12/25 11:01:59 | 000,002,006 | ---- | C] () -- C:\aqua_bitmap.cpp
[2010/06/24 07:59:32 | 000,974,848 | ---- | C] () -- C:\WINDOWS\System32\cis-2.4.dll
[2010/06/24 07:59:32 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\issacapi_bs-2.3.dll
[2010/06/24 07:59:32 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\issacapi_pe-2.3.dll
[2010/06/24 07:59:32 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\issacapi_se-2.3.dll
[2010/03/15 13:31:24 | 000,019,328 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\x406THs3wg8XQ
[2010/03/15 13:31:23 | 000,019,328 | -HS- | C] () -- C:\Documents and Settings\Asthom\Local Settings\Application Data\x406THs3wg8XQ
[2009/12/07 13:53:42 | 000,000,127 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2009/08/31 08:32:58 | 000,032,768 | ---- | C] () -- C:\Documents and Settings\Asthom\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/08/31 06:00:24 | 000,004,608 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/08/31 04:57:28 | 000,000,385 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/08/31 04:41:44 | 000,000,057 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2009/08/31 04:40:05 | 000,019,968 | ---- | C] () -- C:\WINDOWS\System32\Cpuinf32.dll
[2007/01/25 12:31:36 | 000,053,299 | ---- | C] () -- C:\WINDOWS\System32\pthreadVC.dll
[2005/08/23 04:26:48 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005/08/23 03:13:18 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2005/08/23 03:13:18 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2005/08/23 03:13:18 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2005/08/23 03:13:18 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2005/08/23 03:13:18 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2005/08/23 03:13:18 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2005/08/23 03:10:59 | 000,000,000 | ---- | C] () -- C:\WINDOWS\VAIOUpdt.INI
[2005/08/23 03:04:34 | 000,000,829 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2005/08/22 10:17:07 | 000,004,205 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2005/08/22 01:10:31 | 000,002,041 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2005/06/15 02:59:58 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini

< End of report >



OTL - Extras.txt

OTL Extras logfile created on: 22/01/2011 21:00:35 - Run 1
OTL by OldTimer - Version 3.2.20.4 Folder = C:\Documents and Settings\Asthom\Bureau
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 0000040C | Country: France | Language: FRA | Date Format: dd/MM/yyyy

502,00 Mb Total Physical Memory | 164,00 Mb Available Physical Memory | 33,00% Memory free
1,00 Gb Paging File | 1,00 Gb Available in Paging File | 64,00% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 32,60 Gb Total Space | 2,54 Gb Free Space | 7,78% Space Free | Partition Type: NTFS
Drive D: | 34,94 Gb Total Space | 1,14 Gb Free Space | 3,27% Space Free | Partition Type: NTFS

Computer Name: THOMAS | User Name: Asthom | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_USERS\S-1-5-21-703727560-981756060-509531452-1006\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 1
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"13346:TCP" = 13346:TCP:*:Enabled:NortonAV
"17940:TCP" = 17940:TCP:*:Enabled:NortonAV
"15084:TCP" = 15084:TCP:*:Enabled:NortonAV
"12731:TCP" = 12731:TCP:*:Enabled:NortonAV
"17752:TCP" = 17752:TCP:*:Enabled:NortonAV
"15693:TCP" = 15693:TCP:*:Enabled:NortonAV
"14703:TCP" = 14703:TCP:*:Enabled:NortonAV
"14869:TCP" = 14869:TCP:*:Enabled:NortonAV
"13340:TCP" = 13340:TCP:*:Enabled:NortonAV
"18587:TCP" = 18587:TCP:*:Enabled:NortonAV

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Yahoo!\Messenger\YPager.exe" = C:\Program Files\Yahoo!\Messenger\YPager.exe:*:Enabled:Yahoo! Messenger
"C:\Program Files\Yahoo!\Messenger\YServer.exe" = C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server
"C:\Program Files\VoipBuster.com\VoipBuster\VoipBuster.exe" = C:\Program Files\VoipBuster.com\VoipBuster\VoipBuster.exe:*:Enabled:VoipBuster -- (VoipBuster)
"C:\Program Files\BitTorrent\bittorrent.exe" = C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent -- (BitTorrent, Inc.)
"C:\Program Files\VideoLAN\VLC\vlc.exe" = C:\Program Files\VideoLAN\VLC\vlc.exe:*:Enabled:VLC media player -- ()
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\WINDOWS\system32\dpvsetup.exe" = C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test -- (Microsoft Corporation)
"G:\RavMonE.exe" = G:\RavMonE.exe:*:Disabled:RavMonE
"C:\WINDOWS\system32\drivers\svchost.exe" = C:\WINDOWS\system32\drivers\svchost.exe:*:Disabled:svchost
"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox -- (Mozilla Corporation)
"C:\WINDOWS\system32\muzapp.exe" = C:\WINDOWS\system32\muzapp.exe:*:Enabled:MUZ AOD APP player -- (Musiccity Co.Ltd.)
"C:\WINDOWS\system32\winver.exe" = C:\WINDOWS\system32\winver.exe:*:Enabled:winver -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{01AE599F-7B72-4135-8C56-9191F4ACBA88}" = VAIO Edit Components
"{01FDC9FC-4D4F-4DB0-ACD1-D3E8E1D52902}" = Sony MP4 Shared Library
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{075473F5-846A-448B-BCB3-104AA1760205}" = Roxio DigitalMedia Data
"{169C78C0-8C32-4CA1-9602-D8E998ECE96A}" = VAIO Original Screen Saver VAIO Scene HD Wide Contents
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{1A91D1FA-B9B3-4556-9878-5C61059A19B2}" = InterVideo WinDVDX
"{1BEF9285-5530-426B-A5F1-5836B95C7EB1}" = VAIO Original Screen Saver
"{1EB317D8-8945-4FD6-B37F-DF470317C6AB}" = VAIO Media 4.0
"{2063C2E8-3812-4BBD-9998-6610F80C1DD4}" = VAIO Media AC3 Decoder 1.0
"{23FB368F-1399-4EAC-817C-4B83ECBE3D83}" = mProSafe
"{25CF0627-2EF6-4FCE-A0DE-7D6350C774B2}" = VAIO Original Screen Saver VAIO Scene HD Normal Contents
"{26A24AE4-039D-4CA4-87B4-2F83216023FF}" = Java™ 6 Update 23
"{27337663-2619-11D4-99DC-0000F49094C7}" = Memory Stick Formatter
"{28DA872A-0848-48CF-B749-19A198157A2A}" = mDriver
"{29999594-B540-4C88-A8D3-C99CA43809FC}" = Image Converter 2
"{311EEFFE-8354-42D8-B2A0-A0666689F69F}" = Alesis io|2 ASIO Driver
"{350C940c-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker
"{48820099-ED7D-424B-890C-9A82EF00656D}" = VAIO Update 2
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{51735133-A296-4EB0-BF16-AD93B55BD000}" = VAIO Original Screen Saver VAIO Motion SD Wide Contents
"{531C0C3A-7112-4986-8222-5778FB547D81}" = VAIO Original Screen Saver VAIO Motion HD Normal Contents
"{53C141BA-4F9E-43FB-B4F9-0C01BB716FA8}" = Adobe Audition 3.0
"{541DEAC0-5F3D-45E6-B7CB-94ECF3B96748}" = Skype web features
"{5701EFCA-EFA0-4109-BB33-BB461F63088A}" = ShowInfo
"{59452470-A902-477F-9338-9B88101681BD}" = Setting Utility Series
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{61D6E4FB-1A62-4EB1-BE56-929B00C155CF}" = Wireless LAN Starter
"{639BB4D3-AA30-4A7B-8CB5-6DE681AD6659}" = VAIO Light Flo Wallpaper
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6DE14BE4-6F04-4935-8ABD-A0A19FE2E55A}" = mCore
"{71249EFF-EFAB-48A0-B967-630F4E70BBC3}" = VAIO Original Screen Saver VAIO Scene SD Normal Contents
"{7128C69B-8F7E-4336-8698-3FD3CDD955EC}" = VAIO Media Redistribution 4.0
"{7998F67D-655B-42E3-B651-18D96DD17268}" = Adobe Premiere Standard
"{7A79D11B-FD82-4A5E-834F-20173515DD14}" = VAIO Media Integrated Server 4.2
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{805BC1AB-46C5-438C-BCB7-537A1A32290C}" = VAIO Original Screen Saver VAIO Motion SD Normal Contents
"{849ABF1A-6AE3-45E1-B260-D5447B2F29F5}" = OpenMG Secure Module 4.2.00
"{851C67EF-068A-4060-9EF5-2E3DDCD68382}" = Adobe Photoshop Elements 3.0
"{88DA0A52-3372-4803-971A-ADFB961707E8}" = PictureGear Studio 2.0
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Graphics Media Accelerator Driver for Mobile
"{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}" = mPfMgr
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{9113040C-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Small Business
"{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}" = InterVideo WinDVD for VAIO
"{95120000-00AF-040C-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (French)
"{9CC89556-3578-48DD-8408-04E66EBEF401}" = mXML
"{9E319E96-ED8E-4B01-9775-C521A1869A25}" = VAIO Power Management
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A429C2AE-EBF1-4F81-A221-1C115CAADDAD}" = QuickTime
"{A80E49B2-4D45-4BEC-AE12-DB233216E2D9}" = D-Link DHP-300 Powerline HD Utility
"{A96E97134CA649888820BCDE5E300BBD}" = H.264 Decoder
"{AAC389499AEF40428987B3D30CFC76C9}" = MKV Splitter
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Roxio DigitalMedia Audio
"{AC76BA86-7AD7-1036-7B44-A70000000000}" = Adobe Reader 7.0 - Français
"{AEF9DC35ADDF4825B049ACBFD1C6EB37}" = AAC Decoder
"{AF9A04EB-7D8E-41DE-9EDE-4AB9BB2B71B6}" = Outil VAIO Media Registration 4.0
"{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Roxio DigitalMedia Copy
"{B607C354-CD79-4D22-86D1-92DC94153F42}" = Apple Application Support
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Plus Web Player
"{B91DF289-D36F-40D7-9CD6-1983E3DD0848}_is1" = 1.29
"{BBD4DAC9-DF99-48CA-8F62-AE6F2BD47063}" = VAIO Original Screen Saver VAIO Motion HD Wide Contents
"{BBFFB027-7D53-4E1B-95BC-35A2216D1D60}" = VAIO Long Battery Life Wallpaper
"{BE56FEF0-1A0F-4719-B3AD-34B5087AFA6D}" = Sony Video Shared Library
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CCB3F587-BAD0-4F32-99FC-301E6F9ABAB4}" = MIDI Yoke
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D0795B21-0CDA-4a92-AB9E-6E92D8111E44}" = SAMSUNG USB Driver for Mobile Phones
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.1
"{D1A74FBB-CA8D-4CCA-9B89-BAAA436DB178}" = iTunes
"{D6CD26FD-CD7F-4C86-96A3-EEBFABE5FE47}" = Kies
"{D917FD82-6CE5-489A-AAF8-C701AAC85C4D}" = VAIO Entertainment Platform
"{E365AAB7-F160-4E2F-ACAC-28D487ACF47D}" = VAIO Original Screen Saver VAIO Scene SD Wide Contents
"{E5E6E687-1036-0000-0000-000000000002}" = Adobe Acrobat 7.0 Elements - Français
"{EF3D45BB-2260-4008-88EA-492E7744A9DF}" = Sony Utilities DLL
"{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}" = mMHouse
"{F0D85ADD-DD61-4B43-87A0-6DA52A211A8B}" = VAIO Event Service
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F5346614-B7C4-4E94-826A-E2363155233D}" = EasyCleaner
"{FC37C108-821D-4EDE-8F40-D5B497586805}" = VAIO Control Center
"{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}" = mWlsSafe
"Adobe Acrobat 7.0 Elements - Français" = Adobe Acrobat 7.0 Elements - Français
"Adobe Audition 3.0" = Adobe Audition 3.0
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"BitTorrent" = BitTorrent
"Bome's Mouse Keyboard_is1" = Bome's Mouse Keyboard 2.00
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_104D0600" = HDAUDIO SoftV92 Data Fax Modem with SmartCP
"DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters
"EOS Utility" = Canon Utilities EOS Utility
"Free Easy Burner_is1" = Free Easy Burner V 4.1
"Guitar Pro 5_is1" = Guitar Pro 5.0
"ie8" = Windows Internet Explorer 8
"InstallShield_{849ABF1A-6AE3-45E1-B260-D5447B2F29F5}" = OpenMG Secure Module 4.2.00
"InstallShield_{A80E49B2-4D45-4BEC-AE12-DB233216E2D9}" = D-Link DHP-300 Powerline HD Utility
"InstallShield_{D6CD26FD-CD7F-4C86-96A3-EEBFABE5FE47}" = Kies
"linksadoor_is1" = linksadoor 1.29
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MouseSuite98" = Sony USB Mouse
"Mozilla Firefox (3.6.13)" = Mozilla Firefox (3.6.13)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"Original Data Security Tools" = Canon Utilities Original Data Security Tools
"ProInst" = Intel® PROSet/Wireless Software
"RealPlayer 12.0" = RealPlayer
"Scribe" = Express Scribe
"Veetle TV" = Veetle TV 0.9.16
"VLC media player" = VLC media player 1.0.1
"VoipBuster_is1" = VoipBuster
"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Lecteur Windows Media 11
"Windows XP Service" = Windows XP Service Pack 3
"WinPcapInst" = WinPcap 4.0
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-703727560-981756060-509531452-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Facebook Plug-In" = Facebook Plug-In

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 19/01/2011 14:28:36 | Computer Name = THOMAS | Source = crypt32 | ID = 131080
Description = Échec de la récupération de la mise à jour automatique du numéro de
séquence de la liste racine tierce partie à partir de : <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
avec l'erreur : A connection with the server could not be established

Error - 19/01/2011 14:28:36 | Computer Name = THOMAS | Source = crypt32 | ID = 131080
Description = Échec de la récupération de la mise à jour automatique du numéro de
séquence de la liste racine tierce partie à partir de : <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
avec l'erreur : Cette connexion réseau n'existe pas.

Error - 20/01/2011 00:53:17 | Computer Name = THOMAS | Source = Application Error | ID = 1000
Description = Application défaillante svchost.exe, version 5.1.2600.5512, module
défaillant ntdll.dll, version 5.1.2600.5512, adresse de défaillance 0x00023825.

Error - 20/01/2011 01:06:23 | Computer Name = THOMAS | Source = Application Error | ID = 1000
Description = Application défaillante plugin-container.exe, version 1.9.2.3989,
module défaillant ntdll.dll, version 5.1.2600.5512, adresse de défaillance 0x0000100b.

Error - 20/01/2011 01:30:47 | Computer Name = THOMAS | Source = Application Error | ID = 1000
Description = Application défaillante svchost.exe, version 5.1.2600.5512, module
défaillant ntdll.dll, version 5.1.2600.5512, adresse de défaillance 0x00023825.

Error - 20/01/2011 09:10:41 | Computer Name = THOMAS | Source = crypt32 | ID = 131080
Description = Échec de la récupération de la mise à jour automatique du numéro de
séquence de la liste racine tierce partie à partir de : <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
avec l'erreur : A connection with the server could not be established

Error - 20/01/2011 09:10:41 | Computer Name = THOMAS | Source = crypt32 | ID = 131080
Description = Échec de la récupération de la mise à jour automatique du numéro de
séquence de la liste racine tierce partie à partir de : <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
avec l'erreur : Cette connexion réseau n'existe pas.

Error - 20/01/2011 09:47:35 | Computer Name = THOMAS | Source = Application Error | ID = 1000
Description = Application défaillante svchost.exe, version 5.1.2600.5512, module
défaillant ntdll.dll, version 5.1.2600.5512, adresse de défaillance 0x00023825.

Error - 20/01/2011 13:11:36 | Computer Name = THOMAS | Source = crypt32 | ID = 131080
Description = Échec de la récupération de la mise à jour automatique du numéro de
séquence de la liste racine tierce partie à partir de : <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
avec l'erreur : A connection with the server could not be established

Error - 20/01/2011 13:11:36 | Computer Name = THOMAS | Source = crypt32 | ID = 131080
Description = Échec de la récupération de la mise à jour automatique du numéro de
séquence de la liste racine tierce partie à partir de : <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
avec l'erreur : Cette connexion réseau n'existe pas.

[ System Events ]
Error - 20/01/2011 13:43:20 | Computer Name = THOMAS | Source = Service Control Manager | ID = 7034
Description = Le service Photoshop Elements Device Connect s'est terminé de façon
inattendue pour la 1ème fois.

Error - 20/01/2011 13:43:20 | Computer Name = THOMAS | Source = Service Control Manager | ID = 7034
Description = Le service Adobe Active File Monitor s'est terminé de façon inattendue
pour la 1ème fois.

Error - 20/01/2011 13:57:44 | Computer Name = THOMAS | Source = System Error | ID = 1003
Description = Code erreur 00000019, paramètre 1 00000020, paramètre 2 81ad9618,
paramètre 3 81ad9a30, paramètre 4 1a830001.

Error - 20/01/2011 21:51:45 | Computer Name = THOMAS | Source = Service Control Manager | ID = 7034
Description = Le service Photoshop Elements Device Connect s'est terminé de façon
inattendue pour la 1ème fois.

Error - 20/01/2011 21:51:45 | Computer Name = THOMAS | Source = Service Control Manager | ID = 7034
Description = Le service Adobe Active File Monitor s'est terminé de façon inattendue
pour la 1ème fois.

Error - 20/01/2011 21:56:45 | Computer Name = THOMAS | Source = Service Control Manager | ID = 7034
Description = Le service Photoshop Elements Device Connect s'est terminé de façon
inattendue pour la 1ème fois.

Error - 20/01/2011 21:56:45 | Computer Name = THOMAS | Source = Service Control Manager | ID = 7034
Description = Le service Adobe Active File Monitor s'est terminé de façon inattendue
pour la 1ème fois.

Error - 20/01/2011 22:06:27 | Computer Name = THOMAS | Source = System Error | ID = 1003
Description = Code erreur 00000019, paramètre 1 00000020, paramètre 2 fec63a70,
paramètre 3 fec63e88, paramètre 4 1a830001.

Error - 22/01/2011 21:48:03 | Computer Name = THOMAS | Source = sr | ID = 1
Description = Le filtre de restauration du système à rencontré l'erreur inattendue
'0xC0000001' pendant le traitement du fichier '' sur le volume 'HarddiskVolume2'.
Ceci a entraîné l'arrêt de la surveillance du volume.

Error - 22/01/2011 21:48:08 | Computer Name = THOMAS | Source = Service Control Manager | ID = 7026
Description = Le pilote de démarrage système ou d'amorçage suivant n'a pas pu se
charger : IntelIde


< End of report >




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users