infected rootkit


  • This topic is locked
19 replies to this topic

#1 HezForce

Posted 04 October 2011 - 10:31 PM

Hello, when I start the computer I always get this error message: The maximum number of secrets has been exceeded... blablabla,


I get this error with explorer.exe, svhost, firefox,

I can't connect to the internet,

I also have a weird process running: 2663632943:3492756577.exe

I think my problem is similar to this one:


http://www.bleepingcomputer.com/forums/topic420647.html

I ran SDFix and got this log:

SDFix: Version 1.240
Run by Administrateur on 2011-10-04 at 22:29

Microsoft Windows XP [version 5.1.2600]
Running From: C:\SDFix

Checking Services:

AUTOEXEC.NT Restored from backups
Config.nt Restored from backups

Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files:

No Trojan Files Found

Removing Temp Files

ADS Check:

Final Check:

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-04 22:37:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

C:\WINDOWS\$NtUninstallKB5041$:SummaryInformation 0 bytes hidden from API
C:\WINDOWS\$NtUninstallKB5041$\802210718
C:\WINDOWS\$NtUninstallKB5041$\802210718\@ 2048 bytes
C:\WINDOWS\$NtUninstallKB5041$\802210718\click.tlb 2144 bytes
C:\WINDOWS\$NtUninstallKB5041$\802210718\L
C:\WINDOWS\$NtUninstallKB5041$\802210718\L\cmatiteg 75264 bytes
C:\WINDOWS\$NtUninstallKB5041$\802210718\loader.tlb 2540 bytes
C:\WINDOWS\$NtUninstallKB5041$\802210718\U
C:\WINDOWS\$NtUninstallKB5041$\802210718\U\@00000001 45968 bytes
C:\WINDOWS\$NtUninstallKB5041$\802210718\U\@000000c0 3584 bytes
C:\WINDOWS\$NtUninstallKB5041$\802210718\U\@000000cb 2048 bytes
C:\WINDOWS\$NtUninstallKB5041$\802210718\U\@000000cf 1536 bytes
C:\WINDOWS\$NtUninstallKB5041$\802210718\U\@80000000 26112 bytes
C:\WINDOWS\$NtUninstallKB5041$\802210718\U\@800000c0 35840 bytes
C:\WINDOWS\$NtUninstallKB5041$\802210718\U\@800000cb 27648 bytes
C:\WINDOWS\$NtUninstallKB5041$\802210718\U\@800000cf 27648 bytes
C:\WINDOWS\$NtUninstallKB5041$\894512640 0 bytes
C:\WINDOWS\2663632943:3492756577.exe 816 bytes executable

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 18


Remaining Services:




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"="C:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe:*:Enabled:Windows Live FolderShare"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Service Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\FrostWire\\FrostWire.exe"="C:\\Program Files\\FrostWire\\FrostWire.exe:*:Enabled:FrostWire"
"C:\\Documents and Settings\\Joelle Girard\\Application Data\\E-73473-3674-74335\\lmsngrsn.exe"="C:\\Documents and Settings\\Joelle Girard\\Application Data\\E-73473-3674-74335\\lmsngrsn.exe:*:Enabled:Main Messenger Update"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"="C:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe:*:Enabled:Windows Live FolderShare"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"

Remaining Files:


Files with Hidden Attributes:

Fri 18 Dec 2009       634,648 A.SH. --- "C:\Program Files\Internet Explorer\iexplore.exe"
Sun 13 Apr 2008        60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Sun 13 Apr 2008       142,208 A.SH. --- "C:\Documents and Settings\All Users\Local Settings\Temp\02e1fd74.com"
Fri 23 Sep 2011       192,512 ..SHR --- "C:\Documents and Settings\Joelle Girard\Application Data\E-73473-3674-74335\lmsngrsn.exe"
Fri 23 Sep 2011       294,952 A.SH. --- "C:\Documents and Settings\Joelle Girard\Local Settings\Temp\028c3749.tmp"
Fri 23 Sep 2011       192,512 A.SH. --- "C:\Documents and Settings\Joelle Girard\Local Settings\Temp\028c4daf.tmp"
Fri 20 Feb 2009           162 A..H. --- "C:\Documents and Settings\Joelle Girard\Local Settings\Temporary Internet Files\Content.Word\~$RD0536.tmp"
Fri 20 Feb 2009           162 A..H. --- "C:\Documents and Settings\Joelle Girard\Local Settings\Temporary Internet Files\Content.Word\~$RD3977.tmp"
Fri 20 Feb 2009       442,368 A..H. --- "C:\Documents and Settings\Joelle Girard\Local Settings\Temporary Internet Files\Content.Word\~WRD3977.tmp"
Tue 28 Mar 2006        31,744 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Brébeuf\Français\~WRL0622.tmp"
Mon 21 Nov 2005        26,112 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Brébeuf\Français\~WRL3035.tmp"
Mon 21 Nov 2005        29,184 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Brébeuf\Français\~WRL3409.tmp"
Mon 21 Nov 2005        24,064 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Brébeuf\Français\~WRL3519.tmp"
Fri  4 Nov 2005        25,088 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Brébeuf\Mémoire\~WRL0039.tmp"
Fri  4 Nov 2005        28,672 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Brébeuf\Mémoire\~WRL0115.tmp"
Thu  3 Nov 2005        24,064 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Brébeuf\Mémoire\~WRL0174.tmp"
Fri  4 Nov 2005        28,160 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Brébeuf\Mémoire\~WRL0175.tmp"
Wed 18 Jan 2006        65,024 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Brébeuf\Mémoire\~WRL0406.tmp"
Fri  4 Nov 2005        29,696 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Brébeuf\Mémoire\~WRL0418.tmp"
Fri  4 Nov 2005        29,696 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Brébeuf\Mémoire\~WRL1228.tmp"
Mon 16 Jan 2006        61,952 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Brébeuf\Mémoire\~WRL1385.tmp"
Fri  4 Nov 2005        25,600 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Brébeuf\Mémoire\~WRL1540.tmp"
Fri  4 Nov 2005        26,112 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Brébeuf\Mémoire\~WRL1667.tmp"
Fri  4 Nov 2005        29,696 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Brébeuf\Mémoire\~WRL1845.tmp"
Fri  4 Nov 2005        24,576 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Brébeuf\Mémoire\~WRL1882.tmp"
Fri  4 Nov 2005        27,648 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Brébeuf\Mémoire\~WRL2918.tmp"
Fri  4 Nov 2005        31,744 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Brébeuf\Mémoire\~WRL2956.tmp"
Fri  4 Nov 2005        26,624 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Brébeuf\Mémoire\~WRL3951.tmp"
Fri  4 Nov 2005        25,088 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Brébeuf\Mémoire\~WRL4089.tmp"
Wed  7 Dec 2005        28,160 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Brébeuf\Économie\~WRL0001.tmp"
Wed  7 Oct 2009        68,608 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Heenan - Été 2009\Fiducie orale\~WRL0208.tmp"
Mon 12 Oct 2009        77,312 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Heenan - Été 2009\Fiducie orale\~WRL0211.tmp"
Mon 12 Oct 2009        74,752 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Heenan - Été 2009\Fiducie orale\~WRL2248.tmp"
Mon 12 Oct 2009        75,264 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Heenan - Été 2009\Fiducie orale\~WRL3083.tmp"
Mon 12 Oct 2009        75,776 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Heenan - Été 2009\Fiducie orale\~WRL3262.tmp"
Mon 12 Oct 2009        69,632 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Heenan - Été 2009\Fiducie orale\~WRL3814.tmp"
Mon  9 Oct 2006       101,888 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Droit - McGill\Automne 2006 - Hiver 2007\Droit constitutionnel\~WRL0003.tmp"
Mon 18 Sep 2006        87,552 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Droit - McGill\Automne 2006 - Hiver 2007\Obligations contractuelles\~WRL0023.tmp"
Wed 20 Sep 2006        90,624 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Droit - McGill\Automne 2006 - Hiver 2007\Obligations contractuelles\~WRL0264.tmp"
Wed 20 Sep 2006        96,256 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Droit - McGill\Automne 2006 - Hiver 2007\Obligations contractuelles\~WRL0562.tmp"
Wed 20 Sep 2006        90,624 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Droit - McGill\Automne 2006 - Hiver 2007\Obligations contractuelles\~WRL1506.tmp"
Wed 20 Sep 2006        93,184 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Droit - McGill\Automne 2006 - Hiver 2007\Obligations contractuelles\~WRL1607.tmp"
Thu 15 Nov 2007       760,320 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Droit - McGill\Automne 2007\Droit patrimonial de la famille\~WRL0004.tmp"
Tue 27 Nov 2007       621,568 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Droit - McGill\Automne 2007\Régulation de l'économie - Droit de la concurrence\~WRL0005.tmp"
Sat 29 Dec 2007       687,616 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Droit - McGill\Automne 2007\Régulation de l'économie - Droit de la concurrence\~WRL0714.tmp"
Sat 29 Dec 2007       623,616 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Droit - McGill\Automne 2007\Régulation de l'économie - Droit de la concurrence\~WRL1304.tmp"
Sat 29 Dec 2007       623,104 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Droit - McGill\Automne 2007\Régulation de l'économie - Droit de la concurrence\~WRL1506.tmp"
Sat 29 Dec 2007       626,688 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Droit - McGill\Automne 2007\Régulation de l'économie - Droit de la concurrence\~WRL1823.tmp"
Sat 29 Dec 2007       622,592 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Droit - McGill\Automne 2007\Régulation de l'économie - Droit de la concurrence\~WRL1974.tmp"
Sat 29 Dec 2007       623,104 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Droit - McGill\Automne 2007\Régulation de l'économie - Droit de la concurrence\~WRL2090.tmp"
Sat 29 Dec 2007       626,688 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Droit - McGill\Automne 2007\Régulation de l'économie - Droit de la concurrence\~WRL3127.tmp"
Sat 29 Dec 2007       623,104 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Droit - McGill\Automne 2007\Régulation de l'économie - Droit de la concurrence\~WRL3544.tmp"
Sat 29 Dec 2007       624,640 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Droit - McGill\Automne 2007\Régulation de l'économie - Droit de la concurrence\~WRL3643.tmp"
Fri 30 Oct 2009       452,608 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Droit - McGill\Automne 2009\Corporate Finance\~WRL0088.tmp"
Fri 30 Oct 2009       450,048 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Droit - McGill\Automne 2009\Corporate Finance\~WRL0385.tmp"
Fri 30 Oct 2009       431,616 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Droit - McGill\Automne 2009\Corporate Finance\~WRL0505.tmp"
Fri 30 Oct 2009       430,080 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Droit - McGill\Automne 2009\Corporate Finance\~WRL0777.tmp"
Fri 30 Oct 2009       450,048 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Droit - McGill\Automne 2009\Corporate Finance\~WRL0946.tmp"
Fri 30 Oct 2009       441,856 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Droit - McGill\Automne 2009\Corporate Finance\~WRL1038.tmp"
Fri 30 Oct 2009       429,056 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Droit - McGill\Automne 2009\Corporate Finance\~WRL1696.tmp"
Fri 30 Oct 2009       429,568 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Droit - McGill\Automne 2009\Corporate Finance\~WRL2452.tmp"
Fri 30 Oct 2009       449,024 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Droit - McGill\Automne 2009\Corporate Finance\~WRL3422.tmp"
Thu 29 Oct 2009       422,912 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Droit - McGill\Automne 2009\Corporate Finance\~WRL3976.tmp"
Thu  5 Nov 2009       411,136 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Droit - McGill\Automne 2009\Taxation\~WRL0091.tmp"
Thu  5 Nov 2009       411,648 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Droit - McGill\Automne 2009\Taxation\~WRL1251.tmp"
Thu  5 Nov 2009       414,208 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Droit - McGill\Automne 2009\Taxation\~WRL3977.tmp"
Tue  3 Nov 2009       405,504 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Droit - McGill\Automne 2009\Taxation\~WRL4076.tmp"
Fri  1 Feb 2008       389,120 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Droit - McGill\Hiver 2008\Advanced common law obligations\~WRL2642.tmp"
Tue 22 Jan 2008       108,544 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Droit - McGill\Hiver 2008\Droit international privé\~WRL1099.tmp"
Sun 13 Apr 2008        40,960 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Droit - McGill\Hiver 2008\Obligations droit civil avancé\~WRL0092.tmp"
Sat 12 Apr 2008        26,624 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Droit - McGill\Hiver 2008\Obligations droit civil avancé\~WRL0380.tmp"
Sat 12 Apr 2008       690,688 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Droit - McGill\Hiver 2008\Obligations droit civil avancé\~WRL2124.tmp"
Sun 13 Apr 2008       700,928 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Droit - McGill\Hiver 2008\Obligations droit civil avancé\~WRL2234.tmp"
Sun 13 Apr 2008        24,064 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Droit - McGill\Hiver 2008\Obligations droit civil avancé\~WRL2255.tmp"
Sun 13 Apr 2008       690,688 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Droit - McGill\Hiver 2008\Obligations droit civil avancé\~WRL2472.tmp"
Thu 31 Jan 2008       295,424 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Droit - McGill\Hiver 2008\Obligations droit civil avancé\~WRL2573.tmp"
Sun 13 Apr 2008       704,512 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Droit - McGill\Hiver 2008\Obligations droit civil avancé\~WRL2613.tmp"
Sun 13 Apr 2008        40,448 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Droit - McGill\Hiver 2008\Obligations droit civil avancé\~WRL2660.tmp"
Sun 13 Apr 2008       690,688 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Droit - McGill\Hiver 2008\Obligations droit civil avancé\~WRL3637.tmp"
Sun 13 Apr 2008       715,264 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Droit - McGill\Hiver 2008\Obligations droit civil avancé\~WRL4044.tmp"
Mon  9 Feb 2009       514,048 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Droit - McGill\Hiver 2009\Famille\~WRL1104.tmp"
Wed 11 Feb 2009       515,584 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Droit - McGill\Hiver 2009\Famille\~WRL1884.tmp"
Wed 11 Feb 2009       515,584 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Droit - McGill\Hiver 2009\Famille\~WRL3225.tmp"
Wed 11 Feb 2009       514,048 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Droit - McGill\Hiver 2009\Famille\~WRL3994.tmp"
Thu 26 Feb 2009       132,608 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Droit - McGill\Hiver 2009\Sûretés\~WRL1605.tmp"
Thu 26 Feb 2009       138,240 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Droit - McGill\Hiver 2009\Sûretés\~WRL2545.tmp"
Thu 26 Feb 2009       134,144 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Droit - McGill\Hiver 2009\Sûretés\~WRL2728.tmp"
Wed  4 Apr 2007       596,992 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Droit - McGill\Automne 2006 - Hiver 2007\Obligations contractuelles\Hiver 2007\~WRL3179.tmp"
Fri 14 Dec 2007        26,112 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Droit - McGill\Automne 2007\Régulation de l'économie - Droit de la concurrence\Take home\~WRL0003.tmp"
Fri 14 Dec 2007        34,816 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Droit - McGill\Automne 2007\Régulation de l'économie - Droit de la concurrence\Take home\~WRL2626.tmp"
Thu 13 Nov 2008        79,872 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Droit - McGill\Automne 2008\Intellectual and Industrial Property\Assignment\~WRL0003.tmp"
Thu 13 Nov 2008        78,848 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Droit - McGill\Automne 2008\Intellectual and Industrial Property\Assignment\~WRL0005.tmp"
Tue 22 Jan 2008        31,744 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Droit - McGill\Hiver 2008\Sociétés et compagnies\Travail 1\~WRL0001.tmp"
Wed  1 Apr 2009       773,632 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Droit - McGill\Hiver 2009\Prof. Saumier\Jurisprudence art. 3148 para. 3 C.c.Q\Tableaux\~WRL0048.tmp"
Wed  1 Apr 2009       777,216 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Droit - McGill\Hiver 2009\Prof. Saumier\Jurisprudence art. 3148 para. 3 C.c.Q\Tableaux\~WRL0134.tmp"
Wed  1 Apr 2009       754,688 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Droit - McGill\Hiver 2009\Prof. Saumier\Jurisprudence art. 3148 para. 3 C.c.Q\Tableaux\~WRL0489.tmp"
Wed  1 Apr 2009       768,512 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Droit - McGill\Hiver 2009\Prof. Saumier\Jurisprudence art. 3148 para. 3 C.c.Q\Tableaux\~WRL0693.tmp"
Wed  1 Apr 2009       779,776 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Droit - McGill\Hiver 2009\Prof. Saumier\Jurisprudence art. 3148 para. 3 C.c.Q\Tableaux\~WRL0827.tmp"
Wed  1 Apr 2009       775,168 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Droit - McGill\Hiver 2009\Prof. Saumier\Jurisprudence art. 3148 para. 3 C.c.Q\Tableaux\~WRL1284.tmp"
Wed  1 Apr 2009       758,272 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Droit - McGill\Hiver 2009\Prof. Saumier\Jurisprudence art. 3148 para. 3 C.c.Q\Tableaux\~WRL1884.tmp"
Wed  1 Apr 2009       777,728 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Droit - McGill\Hiver 2009\Prof. Saumier\Jurisprudence art. 3148 para. 3 C.c.Q\Tableaux\~WRL1916.tmp"
Wed  1 Apr 2009       785,920 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Droit - McGill\Hiver 2009\Prof. Saumier\Jurisprudence art. 3148 para. 3 C.c.Q\Tableaux\~WRL2111.tmp"
Wed  1 Apr 2009       761,856 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Droit - McGill\Hiver 2009\Prof. Saumier\Jurisprudence art. 3148 para. 3 C.c.Q\Tableaux\~WRL2478.tmp"
Wed  1 Apr 2009       751,104 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Droit - McGill\Hiver 2009\Prof. Saumier\Jurisprudence art. 3148 para. 3 C.c.Q\Tableaux\~WRL2488.tmp"
Wed  1 Apr 2009       786,432 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Droit - McGill\Hiver 2009\Prof. Saumier\Jurisprudence art. 3148 para. 3 C.c.Q\Tableaux\~WRL2790.tmp"
Wed  1 Apr 2009       756,736 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Droit - McGill\Hiver 2009\Prof. Saumier\Jurisprudence art. 3148 para. 3 C.c.Q\Tableaux\~WRL2817.tmp"
Wed  1 Apr 2009       771,584 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Droit - McGill\Hiver 2009\Prof. Saumier\Jurisprudence art. 3148 para. 3 C.c.Q\Tableaux\~WRL3040.tmp"
Tue 31 Mar 2009       738,816 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Droit - McGill\Hiver 2009\Prof. Saumier\Jurisprudence art. 3148 para. 3 C.c.Q\Tableaux\~WRL3297.tmp"
Wed  1 Apr 2009       784,384 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Droit - McGill\Hiver 2009\Prof. Saumier\Jurisprudence art. 3148 para. 3 C.c.Q\Tableaux\~WRL3370.tmp"
Wed  1 Apr 2009       765,952 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Droit - McGill\Hiver 2009\Prof. Saumier\Jurisprudence art. 3148 para. 3 C.c.Q\Tableaux\~WRL3496.tmp"
Wed  1 Apr 2009       760,320 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Droit - McGill\Hiver 2009\Prof. Saumier\Jurisprudence art. 3148 para. 3 C.c.Q\Tableaux\~WRL3649.tmp"
Wed  1 Apr 2009       783,360 A..H. --- "C:\Documents and Settings\Joelle Girard\Bureau\Nouveau dossier (2)\Joelle\Droit - McGill\Hiver 2009\Prof. Saumier\Jurisprudence art. 3148 para. 3 C.c.Q\Tableaux\~WRL3650.tmp"

Finished!


Your help is appreciated, thanks in advance!!!!

#2 HezForce
  • Topic Starter

Posted 06 October 2011 - 04:30 PM

Sorry, I didn't completely read the instructions :S

I ran DDS and got the logs, but it didn't work with GMER; the program automatically closes after scanning this process: 2663632943:3492756577.exe

Here's the DDS log:

.
DDS (Ver_2011-08-26.01) - NTFSx86 
Internet Explorer: 7.0.5730.11  BrowserJavaVersion: 1.6.0_24
Run by Joelle Girard at 17:39:43 on 2011-10-06
Microsoft Windows XP Professionnel  5.1.2600.3.1252.33.1036.18.1014.536 [GMT -4:00]
.
AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\2663632943:3492756577.exe
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Documents and Settings\Joelle Girard\Application Data\dwm.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Documents and Settings\Joelle Girard\Application Data\Microsoft\conhost.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\PROGRAM FILES\DELL\QUICKSET\QUICKSET.EXE
C:\Program Files\Creative\Mixer\CTSVolFE.exe
C:\Program Files\Fichiers communs\InstallShield\UpdateService\issch.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
svchost.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\DOCUME~1\JOELLE~1\LOCALS~1\Temp\csrss.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRAM FILES\NETWAITING\NETWAITING.EXE
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Joelle Girard\Application Data\E-73473-3674-74335\lmsngrsn.exe
C:\WINDOWS\explorer.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.ask.com?o=14196&l=dis
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = www.google.ca/ig/dell?hl=fr&client=dell-row&channel=ca&ibd=4060911
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://ca.mcafee.com/root/campaign.asp?cid=16981
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:55677
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://search.babylon.com/?babsrc=SP_ss&q={searchTerms}&mntrId=44a9c22c0000000000000018de21a7f6&tlver=1.4.19.19&ss=1&affID=17393
mWinlogon: Taskman=d:\izuvas\izcipica.exe
uWinlogon: Shell=explorer.exe,c:\documents and settings\joelle girard\application data\dwm.exe
uWindows: Load=c:\docume~1\joelle~1\locals~1\temp\csrss.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Programme d'aide de l'Assistant de connexion Windows Live: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\fichiers communs\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: {9A7D6AD2-0881-451F-BB27-F5E2EE2C5B14} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [ModemOnHold] c:\program files\netwaiting\NETWAITING.EXE
uRun: [Main Messenger Update] c:\documents and settings\joelle girard\application data\e-73473-3674-74335\lmsngrsn.exe
uRun: [Main Messenger Update] c:\documents and settings\joelle girard\application data\e-73473-3674-74335\lmsngrsn.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SunJavaUpdateSched] "c:\program files\fichiers communs\java\java update\jusched.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\QUICKSET.EXE
mRun: [CTSVolFE.exe] "c:\program files\creative\mixer\CTSVolFE.exe" /r
mRun: [ISUSScheduler] "c:\program files\fichiers communs\installshield\updateservice\issch.exe" -start
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [conhost] c:\documents and settings\joelle girard\application data\microsoft\conhost.exe
mRun: [BrStsMon00] c:\program files\browny02\brother\BrStMonW.exe /AUTORUN
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ISUSPM Startup] c:\progra~1\fichie~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [AppleSyncNotifier] c:\program files\fichiers communs\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
mExplorerRun: [2600] c:\docume~1\alluse~1\locals~1\temp\02e1fd74.com
StartupFolder: c:\docume~1\alluse~1\menudé~1\progra~1\démarr~1\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\menudé~1\progra~1\démarr~1\lancem~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
mPolicies-system: AllowMultipleTSSessions = 1 (0x1)
IE: E&xporter vers Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\joelle girard\application data\mozilla\firefox\profiles\2suhke6y.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - prefs.js: keyword.URL - hxxp://search.babylon.com/?babsrc=SP_ss&mntrId=44a9c22c0000000000000018de21a7f6&tlver=1.4.19.19&instlRef=sst&ss=1&affID=17393&q=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 55677
FF - prefs.js: network.proxy.type - 1
FF - component: c:\documents and settings\joelle girard\application data\mozilla\firefox\profiles\2suhke6y.default\extensions\ffxtlbr@babylon.com\components\FFHst.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Babylon: ffxtlbr@babylon.com - %profile%\extensions\ffxtlbr@babylon.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
.
---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.
============= SERVICES / DRIVERS ===============
.
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-9-30 11608]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-9-30 61960]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-10-4 366152]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-10-4 22216]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;"c:\program files\avira\antivir desktop\sched.exe" --> c:\program files\avira\antivir desktop\sched.exe [?]
S2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-9-30 269480]
S2 WebUpdate4;Web Update Wizard Service V4;c:\windows\system32\webupdatesvc4.exe --> c:\windows\system32\WebUpdateSvc4.exe [?]
.
=============== Created Last 30 ================
.
2011-10-05 02:27:03	579584	----a-w-	c:\windows\system32\dllcache\user32.dll
2011-10-05 02:21:49	--------	d-----w-	c:\windows\ERUNT
2011-10-05 02:20:28	--------	d-----w-	C:\SDFix
2011-10-05 01:44:30	41272	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2011-10-05 01:44:21	--------	d-----w-	c:\documents and settings\joelle girard\application data\Malwarebytes
2011-10-05 01:44:09	--------	d-----w-	c:\documents and settings\all users\application data\Malwarebytes
2011-10-05 01:44:05	22216	----a-w-	c:\windows\system32\drivers\mbam.sys
2011-10-05 01:44:05	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2011-10-01 02:18:23	--------	d-----w-	c:\windows\pss
2011-10-01 02:07:37	--------	d-----w-	C:\!KillBox
2011-10-01 02:05:47	--------	d-----w-	c:\program files\Trend Micro
2011-10-01 02:04:57	--------	d-----w-	c:\documents and settings\joelle girard\application data\GlarySoft
2011-10-01 02:01:13	--------	d-----w-	c:\program files\Glary Utilities
2011-09-30 22:22:09	--------	d-----w-	c:\documents and settings\joelle girard\application data\Avira
2011-09-30 22:18:49	61960	----a-w-	c:\windows\system32\drivers\avgntflt.sys
2011-09-30 22:18:47	--------	d-----w-	c:\program files\Avira
2011-09-30 22:18:47	--------	d-----w-	c:\documents and settings\all users\application data\Avira
2011-09-24 23:32:47	--------	d--h--w-	c:\windows\PIF
2011-09-24 02:43:00	--------	d-----w-	C:\spoolerlogs
2011-09-24 02:42:41	--------	d-----w-	c:\documents and settings\all users\application data\lE27400AnGmH27400
2011-09-24 02:39:32	192512	----a-w-	c:\documents and settings\joelle girard\application data\9.exe
2011-09-24 02:36:58	192512	----a-w-	c:\documents and settings\joelle girard\application data\1C9.exe
2011-09-24 02:35:01	187392	----a-w-	c:\documents and settings\joelle girard\application data\dwm.exe
2011-09-24 02:34:57	--------	d-sh--r-	c:\documents and settings\joelle girard\application data\E-73473-3674-74335
2011-09-24 02:34:27	294952	----a-w-	c:\documents and settings\joelle girard\application data\microsoft\conhost.exe
.
==================== Find3M  ====================
.
2011-10-05 02:11:07	96512	----a-w-	c:\windows\system32\drivers\atapi.sys
.
=================== ROOTKIT  ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD1200BEVS-75LAT0 rev.02.06M02 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xA1BEBE90]<< 
_asm { MOV EAX, [ESP+0x4]; MOV ECX, [EAX+0x28]; PUSH EBP; MOV EBP, [ECX+0x4]; PUSH ESI; MOV ESI, [ESP+0x10]; PUSH EDI; MOV EDI, [ESI+0x60]; MOV AL, [EDI]; CMP AL, 0x16; JNZ 0x36; PUSH ESI;  }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x86F88AB8]
3 CLASSPNP[0xF76BDFD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x860E3030]
\Driver\00002864[0x85F985D0] -> IRP_MJ_CREATE -> 0xA1BEBE90
kernel: MBR read successfully
_asm { MOV AX, 0x0; MOV SS, AX; MOV SP, 0x7c00; MOV DS, AX; CLD ; MOV CX, 0x100; MOV SI, SP; MOV DI, 0x600; MOV ES, AX; REP MOVSW ; JMP FAR 0x0:0x62c;  }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskWDC_WD1200BEVS-75LAT0___________________02.06M02#5&38e7dd72&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x86EBC701
user & kernel MBR OK 
sectors 231496648 (+255): user != kernel
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 17:42:13,57 ===============

Edited by HezForce, 06 October 2011 - 04:59 PM.


#3 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 08 October 2011 - 02:10 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having, as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool until instructed to do so!


Click on the Watch Topic button, select Immediate Notification and click on Proceed. This will help you get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Please download DummyCreator.zip and unzip it.
  • Run the tool.
  • Copy and paste the following into the edit box:

    C:\WINDOWS\2663632943
  • Press the Create button and post the content of Result.txt.

    Important: Restart the computer.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

In your next post I need the following:
  • Log from Combofix
  • Let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#4 HezForce
  • Topic Starter
  • Members
  • 10 posts

Posted 08 October 2011 - 01:33 PM

Hello, thanks for your reply! Unfortunately I'm running on Windows XP, and ComboFix asked me to download the Recovery Console.
But as I said, for some reason I can't connect to the internet; it keeps saying "reading network address" and never connects.

#5 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 08 October 2011 - 02:48 PM

Go ahead and run it without installing ComboFix.


gringo

#6 HezForce
  • Topic Starter
  • Members
  • 10 posts

Posted 08 October 2011 - 04:48 PM

OK, I ran ComboFix and finally got the log, and I stopped getting the "number of secrets" error. Internet says it's connected, but it's not, and when I open Firefox it says:
reference error : bblyn is not defined.

Here's the log:
ComboFix 11-10-08.02 - Joelle Girard 2011-10-08 17:04:23.1.2 - x86
Microsoft Windows XP Professionnel 5.1.2600.3.1252.33.1036.18.1014.726 [GMT -4:00]
Lancé depuis: c:\documents and settings\Joelle Girard\Bureau\ComboFix.exe
AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
* Un nouveau point de restauration a été créé
.
AVERTISSEMENT - LA CONSOLE DE RÉCUPÉRATION N'EST PAS INSTALLÉE SUR CETTE MACHINE !!
.
.
(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\Starware316
c:\documents and settings\All Users\Application Data\Starware316\buttons\FindIt.bmp
c:\documents and settings\All Users\Application Data\Starware316\buttons\FindItHot.bmp
c:\documents and settings\All Users\Application Data\Starware316\buttons\findithotxp.png
c:\documents and settings\All Users\Application Data\Starware316\buttons\finditxp.png
c:\documents and settings\All Users\Application Data\Starware316\buttons\Highlight.bmp
c:\documents and settings\All Users\Application Data\Starware316\buttons\HighlightHot.bmp
c:\documents and settings\All Users\Application Data\Starware316\buttons\highlighthotxp.png
c:\documents and settings\All Users\Application Data\Starware316\buttons\highlightxp.png
c:\documents and settings\All Users\Application Data\Starware316\buttons\logo.bmp
c:\documents and settings\All Users\Application Data\Starware316\buttons\logoxp.bmp
c:\documents and settings\All Users\Application Data\Starware316\buttons\Reference.bmp
c:\documents and settings\All Users\Application Data\Starware316\buttons\ReferenceHot.bmp
c:\documents and settings\All Users\Application Data\Starware316\buttons\referencehotxp.png
c:\documents and settings\All Users\Application Data\Starware316\buttons\referencexp.png
c:\documents and settings\All Users\Application Data\Starware316\buttons\screensaver.bmp
c:\documents and settings\All Users\Application Data\Starware316\buttons\Screensavers0.bmp
c:\documents and settings\All Users\Application Data\Starware316\buttons\Weather.bmp
c:\documents and settings\All Users\Application Data\Starware316\buttons\weatherhotxp.png
c:\documents and settings\All Users\Application Data\Starware316\buttons\weatherxp.png
c:\documents and settings\All Users\Application Data\Starware316\contexts\error.xml
c:\documents and settings\All Users\Application Data\Starware316\contexts\Related.xml
c:\documents and settings\All Users\Application Data\Starware316\contexts\Travel.xml
c:\documents and settings\All Users\Application Data\Starware316\Games\images\active\Games0.bmp
c:\documents and settings\All Users\Application Data\Starware316\images\walertXP.bmp
c:\documents and settings\All Users\Application Data\Starware316\Movies\images\active\Movies0.bmp
c:\documents and settings\All Users\Application Data\Starware316\ScreensaversMarketingSitePager\images\active\ScreensaversMarketingSitePager0.bmp
c:\documents and settings\All Users\Application Data\Starware316\SimpleUpdate\ProductMessagingConfig.xml
c:\documents and settings\All Users\Application Data\Starware316\SimpleUpdate\ProductMessagingConfig.xml.backup
c:\documents and settings\All Users\Application Data\Starware316\SimpleUpdate\SimpleUpdateConfig.xml
c:\documents and settings\All Users\Application Data\Starware316\SimpleUpdate\SimpleUpdateConfig.xml.backup
c:\documents and settings\All Users\Application Data\Starware316\SimpleUpdate\TimerManagerConfig.xml
c:\documents and settings\All Users\Application Data\Starware316\SimpleUpdate\TimerManagerConfig.xml.backup
c:\documents and settings\All Users\Application Data\Starware316\U0027E1A7.exe
c:\documents and settings\Joelle Girard\Application Data\1C9.exe
c:\documents and settings\Joelle Girard\Application Data\855A.9AE
c:\documents and settings\Joelle Girard\Application Data\9.exe
c:\documents and settings\Joelle Girard\Application Data\dwm.exe
c:\documents and settings\Joelle Girard\Application Data\E-73473-3674-74335
c:\documents and settings\Joelle Girard\Application Data\E-73473-3674-74335\lmsngrsn.exe
c:\documents and settings\Joelle Girard\Application Data\Microsoft\conhost.exe
c:\documents and settings\Joelle Girard\Application Data\Starware316
c:\documents and settings\Joelle Girard\Application Data\Starware316\BrowserSearch\BrowserSearch.xml
c:\documents and settings\Joelle Girard\Application Data\Starware316\BrowserSearch\BrowserSearch.xml.backup
c:\documents and settings\Joelle Girard\Application Data\Starware316\Configurator\Configurator.xml
c:\documents and settings\Joelle Girard\Application Data\Starware316\Configurator\Configurator.xml.backup
c:\documents and settings\Joelle Girard\Application Data\Starware316\ErrorSearch\ErrorSearchOptions.xml
c:\documents and settings\Joelle Girard\Application Data\Starware316\ErrorSearch\ErrorSearchOptions.xml.backup
c:\documents and settings\Joelle Girard\Application Data\Starware316\Games\GamesOptions.xml
c:\documents and settings\Joelle Girard\Application Data\Starware316\Games\GamesOptions.xml.backup
c:\documents and settings\Joelle Girard\Application Data\Starware316\Layouts\PitchLayout.xml
c:\documents and settings\Joelle Girard\Application Data\Starware316\Layouts\PitchLayout.xml.backup
c:\documents and settings\Joelle Girard\Application Data\Starware316\Layouts\ToolbarLayout.xml
c:\documents and settings\Joelle Girard\Application Data\Starware316\Layouts\ToolbarLayout.xml.backup
c:\documents and settings\Joelle Girard\Application Data\Starware316\Manager\ManagerOptions.xml
c:\documents and settings\Joelle Girard\Application Data\Starware316\Manager\ManagerOptions.xml.backup
c:\documents and settings\Joelle Girard\Application Data\Starware316\Movies\MoviesOptions.xml
c:\documents and settings\Joelle Girard\Application Data\Starware316\Movies\MoviesOptions.xml.backup
c:\documents and settings\Joelle Girard\Application Data\Starware316\Reference\ReferenceOptions.xml
c:\documents and settings\Joelle Girard\Application Data\Starware316\Reference\ReferenceOptions.xml.backup
c:\documents and settings\Joelle Girard\Application Data\Starware316\RelatedSearch\RelatedSearchOptions.xml
c:\documents and settings\Joelle Girard\Application Data\Starware316\RelatedSearch\RelatedSearchOptions.xml.backup
c:\documents and settings\Joelle Girard\Application Data\Starware316\Screensavers\ScreensaversOptions.xml
c:\documents and settings\Joelle Girard\Application Data\Starware316\Screensavers\ScreensaversOptions.xml.backup
c:\documents and settings\Joelle Girard\Application Data\Starware316\ScreensaversMarketingSitePager\ScreensaversMarketingSitePagerOptions.xml
c:\documents and settings\Joelle Girard\Application Data\Starware316\ScreensaversMarketingSitePager\ScreensaversMarketingSitePagerOptions.xml.backup
c:\documents and settings\Joelle Girard\Application Data\Starware316\SearchAssistPlus\SearchAssistPlusOptions.xml
c:\documents and settings\Joelle Girard\Application Data\Starware316\SearchAssistPlus\SearchAssistPlusOptions.xml.backup
c:\documents and settings\Joelle Girard\Application Data\Starware316\SearchMatch\SearchMatchOptions.xml
c:\documents and settings\Joelle Girard\Application Data\Starware316\SearchMatch\SearchMatchOptions.xml.backup
c:\documents and settings\Joelle Girard\Application Data\Starware316\Toolbar\TBProductsOptions.xml
c:\documents and settings\Joelle Girard\Application Data\Starware316\Toolbar\TBProductsOptions.xml.backup
c:\documents and settings\Joelle Girard\Application Data\Starware316\ToolbarLogo\ToolbarLogoOptions.xml
c:\documents and settings\Joelle Girard\Application Data\Starware316\ToolbarLogo\ToolbarLogoOptions.xml.backup
c:\documents and settings\Joelle Girard\Application Data\Starware316\ToolbarSearch\ToolbarSearchOptions.xml
c:\documents and settings\Joelle Girard\Application Data\Starware316\ToolbarSearch\ToolbarSearchOptions.xml.backup
c:\documents and settings\Joelle Girard\Application Data\Starware316\TravelSearch\TravelSearchOptions.xml
c:\documents and settings\Joelle Girard\Application Data\Starware316\TravelSearch\TravelSearchOptions.xml.backup
c:\documents and settings\Joelle Girard\Application Data\Starware316\Weather\AlertArchive.xml
c:\documents and settings\Joelle Girard\Application Data\Starware316\Weather\WeatherOptions.xml
c:\documents and settings\Joelle Girard\Application Data\Starware316\Weather\WeatherOptions.xml.backup
c:\documents and settings\Joelle Girard\Application Data\winupds.txt
c:\documents and settings\Joelle Girard\Application Data\Wonqnm.exe
c:\windows\$NtUninstallKB5041$\802210718\@
c:\windows\$NtUninstallKB5041$\802210718\click.tlb
c:\windows\$NtUninstallKB5041$\802210718\L\cmatiteg
c:\windows\$NtUninstallKB5041$\802210718\loader.tlb
c:\windows\$NtUninstallKB5041$\802210718\U\@00000001
c:\windows\$NtUninstallKB5041$\802210718\U\@000000c0
c:\windows\$NtUninstallKB5041$\802210718\U\@000000cb
c:\windows\$NtUninstallKB5041$\802210718\U\@000000cf
c:\windows\$NtUninstallKB5041$\802210718\U\@80000000
c:\windows\$NtUninstallKB5041$\802210718\U\@800000c0
c:\windows\$NtUninstallKB5041$\802210718\U\@800000cb
c:\windows\$NtUninstallKB5041$\802210718\U\@800000cf
c:\windows\$NtUninstallKB5041$\894512640
c:\windows\{2521BB91-29B1-4d7e-9137-AC9875D77735}
c:\windows\2663632943
c:\windows\assembly\GAC_MSIL\desktop.ini
c:\windows\kb913800.exe
c:\windows\system32\
c:\windows\system32\sblog.txt
c:\windows\$NtUninstallKB5041$ . . . . impossible à supprimer
.
c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe . . . est infecté!!
c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe . . . was deleted!! You should re-install the program it pertains to
.
.
((((((((((((((((((((((((((((((((((((((( Pilotes/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_2fd0c39e
.
.
((((((((((((((((((((((((((((( Fichiers créés du 2011-09-08 au 2011-10-08 ))))))))))))))))))))))))))))))))))))
.
.
2011-10-05 02:27 . 2011-10-05 02:27 579584 ----a-w- c:\windows\system32\dllcache\user32.dll
2011-10-05 02:21 . 2011-10-05 02:21 -------- d-----w- c:\windows\ERUNT
2011-10-05 02:20 . 2011-10-05 02:41 -------- d-----w- C:\SDFix
2011-10-05 01:44 . 2011-10-05 01:44 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-10-05 01:44 . 2011-10-05 01:44 -------- d-----w- c:\documents and settings\Joelle Girard\Application Data\Malwarebytes
2011-10-05 01:44 . 2011-10-05 01:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-10-05 01:44 . 2011-10-08 21:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-05 01:44 . 2011-08-31 21:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-01 02:07 . 2011-10-01 02:07 -------- d-----w- C:\!KillBox
2011-10-01 02:05 . 2011-10-01 02:05 -------- d-----w- c:\program files\Trend Micro
2011-10-01 02:04 . 2011-10-01 02:04 -------- d-----w- c:\documents and settings\Joelle Girard\Application Data\GlarySoft
2011-10-01 02:01 . 2011-10-01 02:01 -------- d-----w- c:\program files\Glary Utilities
2011-09-30 22:22 . 2011-09-30 22:22 -------- d-----w- c:\documents and settings\Joelle Girard\Application Data\Avira
2011-09-30 22:18 . 2011-07-20 15:30 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-09-30 22:18 . 2011-07-20 15:30 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-09-30 22:18 . 2010-06-17 19:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2011-09-30 22:18 . 2010-06-17 19:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2011-09-30 22:18 . 2011-09-30 22:18 -------- d-----w- c:\program files\Avira
2011-09-30 22:18 . 2011-09-30 22:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2011-09-24 23:32 . 2011-09-24 23:32 -------- d--h--w- c:\windows\PIF
2011-09-24 02:43 . 2011-09-24 02:43 -------- d-----w- C:\spoolerlogs
2011-09-24 02:42 . 2011-09-30 22:18 -------- d-----w- c:\documents and settings\All Users\Application Data\lE27400AnGmH27400
.
.
.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-05 02:11 . 2004-08-04 03:59 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
.
.
((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2010-04-17 3872080]
"ModemOnHold"="c:\program files\NETWAITING\NETWAITING.EXE" [2003-09-10 20480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
"SunJavaUpdateSched"="c:\program files\Fichiers communs\Java\Java Update\jusched.exe" [2010-10-29 249064]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-05-01 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-05-01 602182]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"Dell QuickSet"="c:\program files\DELL\QUICKSET\QUICKSET.EXE" [2006-04-06 1032192]
"CTSVolFE.exe"="c:\program files\Creative\Mixer\CTSVolFE.exe" [2005-02-23 57344]
"ISUSScheduler"="c:\program files\Fichiers communs\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-04-21 281768]
"BrStsMon00"="c:\program files\Browny02\Brother\BrStMonW.exe" [2010-06-10 2621440]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"ISUSPM Startup"="c:\progra~1\FICHIE~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"AppleSyncNotifier"="c:\program files\Fichiers communs\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"2600"="c:\docume~1\ALLUSE~1\LOCALS~1\Temp\02e1fd74.com" [2008-04-14 142208]
.
c:\documents and settings\All Users\Menu D‚marrer\Programmes\D‚marrage\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-9-11 24576]
Lancement rapide d'Adobe Reader.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"AllowMultipleTSSessions"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
.
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-10-04 22216]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;"c:\program files\Avira\AntiVir Desktop\sched.exe" --> c:\program files\Avira\AntiVir Desktop\sched.exe [?]
S2 MBAMService;MBAMService;"c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe" --> c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [?]
S2 WebUpdate4;Web Update Wizard Service V4;c:\windows\system32\WebUpdateSvc4.exe --> c:\windows\system32\WebUpdateSvc4.exe [?]
.
Contenu du dossier 'Tâches planifiées'
.
2011-04-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]
.
2011-10-08 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2011-10-01 13:07]
.
.
------- Examen supplémentaire -------
.
uStart Page = hxxp://www.ask.com?o=14196&l=dis
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://ca.mcafee.com/root/campaign.asp?cid=16981
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:55677
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xporter vers Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Joelle Girard\Application Data\Mozilla\Firefox\Profiles\2suhke6y.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - prefs.js: keyword.URL - hxxp://search.babylon.com/?babsrc=SP_ss&mntrId=44a9c22c0000000000000018de21a7f6&tlver=1.4.19.19&instlRef=sst&ss=1&affID=17393&q=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 55677
FF - prefs.js: network.proxy.type - 1
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Babylon: ffxtlbr@babylon.com - %profile%\extensions\ffxtlbr@babylon.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.
- - - - ORPHELINS SUPPRIMES - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-Wonqnm - c:\documents and settings\Joelle Girard\Application Data\Wonqnm.exe
HKCU-Run-Main Messenger Update - c:\documents and settings\Joelle Girard\Application Data\E-73473-3674-74335\lmsngrsn.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-08 17:23
Windows 5.1.2600 Service Pack 3 NTFS
.
Recherche de processus cachés ...
.
Recherche d'éléments en démarrage automatique cachés ...
.
Recherche de fichiers cachés ...
.
Scan terminé avec succès
Fichiers cachés: 0
.
**************************************************************************
.
--------------------- CLES DE REGISTRE BLOQUEES ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•9~*]
"C040AC1900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
--------------------- DLLs chargées dans les processus actifs ---------------------
.
- - - - - - - > 'explorer.exe'(3984)
c:\windows\system32\eappprxy.dll
.
------------------------ Autres processus actifs ------------------------
.
c:\windows\system32\igfxsrvc.exe
c:\windows\stsystra.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\eHome\ehmsas.exe
.
**************************************************************************
.
Heure de fin: 2011-10-08 17:31:29 - La machine a redémarré
ComboFix-quarantined-files.txt 2011-10-08 21:31
.
Avant-CF: 91 959 926 784 octets libres
Après-CF: 92 063 395 840 octets libres
.
- - End Of File - - 3ED6F3FB68EF4E818F23786250597012
[/code]

Edited by gringo_pr, 08 October 2011 - 04:54 PM.


#7 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 08 October 2011 - 04:57 PM

Greetings

Good. That cleaned up some bad guys, but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

DDS::
uStart Page = hxxp://www.ask.com?o=14196&l=dis
uInternet Settings,ProxyServer = http=127.0.0.1:55677

Firefox::
FF - ProfilePath - c:\documents and settings\Joelle Girard\Application Data\Mozilla\Firefox\Profiles\2suhke6y.default\
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 55677
FF - prefs.js: network.proxy.type - 1

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#8 HezForce
  • Topic Starter

  • Members
  • 10 posts

Posted 08 October 2011 - 05:34 PM

The computer is still the same, here's the log:

ComboFix 11-10-08.02 - Joelle Girard 2011-10-08  18:08:03.2.2 - x86
Microsoft Windows XP Professionnel  5.1.2600.3.1252.33.1036.18.1014.673 [GMT -4:00]
Lancé depuis: c:\documents and settings\Joelle Girard\Bureau\ComboFix.exe
Commutateurs utilisés :: c:\documents and settings\Joelle Girard\Bureau\CFScript.txt
AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
AVERTISSEMENT - LA CONSOLE DE RÉCUPÉRATION N'EST PAS INSTALLÉE SUR CETTE MACHINE !!
.
.
(((((((((((((((((((((((((((((   Fichiers créés du 2011-09-08 au 2011-10-08  ))))))))))))))))))))))))))))))))))))
.
.
2011-10-05 02:27 . 2011-10-05 02:27	579584	----a-w-	c:\windows\system32\dllcache\user32.dll
2011-10-05 02:21 . 2011-10-05 02:21	--------	d-----w-	c:\windows\ERUNT
2011-10-05 02:20 . 2011-10-05 02:41	--------	d-----w-	C:\SDFix
2011-10-05 01:44 . 2011-10-05 01:44	41272	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2011-10-05 01:44 . 2011-10-05 01:44	--------	d-----w-	c:\documents and settings\Joelle Girard\Application Data\Malwarebytes
2011-10-05 01:44 . 2011-10-05 01:44	--------	d-----w-	c:\documents and settings\All Users\Application Data\Malwarebytes
2011-10-05 01:44 . 2011-10-08 21:18	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2011-10-05 01:44 . 2011-08-31 21:00	22216	----a-w-	c:\windows\system32\drivers\mbam.sys
2011-10-01 02:07 . 2011-10-01 02:07	--------	d-----w-	C:\!KillBox
2011-10-01 02:05 . 2011-10-01 02:05	--------	d-----w-	c:\program files\Trend Micro
2011-10-01 02:04 . 2011-10-01 02:04	--------	d-----w-	c:\documents and settings\Joelle Girard\Application Data\GlarySoft
2011-10-01 02:01 . 2011-10-01 02:01	--------	d-----w-	c:\program files\Glary Utilities
2011-09-30 22:22 . 2011-09-30 22:22	--------	d-----w-	c:\documents and settings\Joelle Girard\Application Data\Avira
2011-09-30 22:18 . 2011-07-20 15:30	61960	----a-w-	c:\windows\system32\drivers\avgntflt.sys
2011-09-30 22:18 . 2011-07-20 15:30	137656	----a-w-	c:\windows\system32\drivers\avipbb.sys
2011-09-30 22:18 . 2010-06-17 19:27	45416	----a-w-	c:\windows\system32\drivers\avgntdd.sys
2011-09-30 22:18 . 2010-06-17 19:27	22360	----a-w-	c:\windows\system32\drivers\avgntmgr.sys
2011-09-30 22:18 . 2011-09-30 22:18	--------	d-----w-	c:\program files\Avira
2011-09-30 22:18 . 2011-09-30 22:18	--------	d-----w-	c:\documents and settings\All Users\Application Data\Avira
2011-09-24 23:32 . 2011-09-24 23:32	--------	d--h--w-	c:\windows\PIF
2011-09-24 02:43 . 2011-09-24 02:43	--------	d-----w-	C:\spoolerlogs
2011-09-24 02:42 . 2011-09-30 22:18	--------	d-----w-	c:\documents and settings\All Users\Application Data\lE27400AnGmH27400
.
.
.
((((((((((((((((((((((((((((((((((   Compte-rendu de Find3M   ))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-05 02:11 . 2004-08-04 03:59	96512	----a-w-	c:\windows\system32\drivers\atapi.sys
.
.
(((((((((((((((((((((((((((((((((   Points de chargement Reg   ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2010-04-17 3872080]
"ModemOnHold"="c:\program files\NETWAITING\NETWAITING.EXE" [2003-09-10 20480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
"SunJavaUpdateSched"="c:\program files\Fichiers communs\Java\Java Update\jusched.exe" [2010-10-29 249064]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-05-01 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-05-01 602182]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"Dell QuickSet"="c:\program files\DELL\QUICKSET\QUICKSET.EXE" [2006-04-06 1032192]
"CTSVolFE.exe"="c:\program files\Creative\Mixer\CTSVolFE.exe" [2005-02-23 57344]
"ISUSScheduler"="c:\program files\Fichiers communs\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-04-21 281768]
"BrStsMon00"="c:\program files\Browny02\Brother\BrStMonW.exe" [2010-06-10 2621440]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"ISUSPM Startup"="c:\progra~1\FICHIE~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"AppleSyncNotifier"="c:\program files\Fichiers communs\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"2600"="c:\docume~1\ALLUSE~1\LOCALS~1\Temp\02e1fd74.com" [2008-04-14 142208]
.
c:\documents and settings\All Users\Menu D‚marrer\Programmes\D‚marrage\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-9-11 24576]
Lancement rapide d'Adobe Reader.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"AllowMultipleTSSessions"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
.
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-10-04 22216]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;"c:\program files\Avira\AntiVir Desktop\sched.exe" --> c:\program files\Avira\AntiVir Desktop\sched.exe [?]
S2 MBAMService;MBAMService;"c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe" --> c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [?]
S2 WebUpdate4;Web Update Wizard Service V4;c:\windows\system32\WebUpdateSvc4.exe --> c:\windows\system32\WebUpdateSvc4.exe [?]
.
Contenu du dossier 'Tâches planifiées'
.
2011-04-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]
.
2011-10-08 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2011-10-01 13:07]
.
.
------- Examen supplémentaire -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://ca.mcafee.com/root/campaign.asp?cid=16981
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xporter vers Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Joelle Girard\Application Data\Mozilla\Firefox\Profiles\2suhke6y.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - prefs.js: keyword.URL - hxxp://search.babylon.com/?babsrc=SP_ss&mntrId=44a9c22c0000000000000018de21a7f6&tlver=1.4.19.19&instlRef=sst&ss=1&affID=17393&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Babylon: ffxtlbr@babylon.com - %profile%\extensions\ffxtlbr@babylon.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-08 18:19
Windows 5.1.2600 Service Pack 3 NTFS
.
Recherche de processus cachés ... 
.
Recherche d'éléments en démarrage automatique cachés ... 
.
Recherche de fichiers cachés ... 
.
Scan terminé avec succès
Fichiers cachés: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD1200BEVS-75LAT0 rev.02.06M02 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86EBC856]<< 
c:\docume~1\JOELLE~1\LOCALS~1\Temp\catchme.sys  
_asm { PUSH EBP; MOV EBP, ESP; MOV ECX, [0xffdf0308]; MOV EAX, [EBP+0x8]; SUB ESP, 0x14; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; CMP EAX, [ECX+0x4]; JNZ 0x6d; XOR EDI, EDI;  }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x86F5DAB8]
3 CLASSPNP[0xF76BDFD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000068[0x86FA5820]
5 ACPI[0xF7553620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x86FD0D98]
[0x86F687F8] -> IRP_MJ_CREATE -> 0x86EBC856
kernel: MBR read successfully
_asm { MOV AX, 0x0; MOV SS, AX; MOV SP, 0x7c00; MOV DS, AX; CLD ; MOV CX, 0x100; MOV SI, SP; MOV DI, 0x600; MOV ES, AX; REP MOVSW ; JMP FAR 0x0:0x62c;  }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskWDC_WD1200BEVS-75LAT0___________________02.06M02#5&38e7dd72&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x86EBC701
user & kernel MBR OK 
sectors 231496648 (+255): user != kernel
Warning: possible TDL3 rootkit infection !
.
**************************************************************************
.
--------------------- CLES DE REGISTRE BLOQUEES ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\ؕ€|ÿÿÿÿ•€|ù•9~*]
"C040AC1900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
--------------------- DLLs chargées dans les processus actifs ---------------------
.
- - - - - - - > 'explorer.exe'(4024)
c:\windows\system32\eappprxy.dll
.
Heure de fin: 2011-10-08  18:23:23
ComboFix-quarantined-files.txt  2011-10-08 22:23
ComboFix2.txt  2011-10-08 21:31
.
Avant-CF: 92 059 262 976 octets libres
Après-CF: 92 058 984 448 octets libres
.
- - End Of File - - 3B7367F38D5337E2876CB736D482E820
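As an added defender-side example (not code from this thread, from ComboFix or from Gmer's tools), here is a small Python triage that picks out the indicators the helper is chasing in the log above: a proxy pointing at 127.0.0.1, an autorun living in Temp under the policies\Explorer\Run key, the atapi DriverStartIo hook, and the user/kernel MBR sector mismatch. The sample lines are constructed from that log, and the rule names and severities are my own, not ComboFix's.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines lifted from the ComboFix output posted above,
# cut down to the entries that matter for triage.
SAMPLE_LOG = r"""
uStart Page = hxxp://www.ask.com?o=14196&l=dis
uInternet Settings,ProxyServer = http=127.0.0.1:55677
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 55677
FF - prefs.js: network.proxy.type - 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-04-21 281768]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"2600"="c:\docume~1\ALLUSE~1\LOCALS~1\Temp\02e1fd74.com" [2008-04-14 142208]
detected hooks:
\Driver\atapi DriverStartIo -> 0x86EBC701
user & kernel MBR OK
sectors 231496648 (+255): user != kernel
Warning: possible TDL3 rootkit infection !
Fichiers cachés: 0
"""

# Severities are this example's own labels, not something ComboFix emits.
SEVERITY = {"loopback-proxy": "medium", "suspicious-autorun": "medium",
            "disk-driver-hook": "high", "mbr-mismatch": "high",
            "rootkit-warning": "high", "hidden-files": "high"}


@dataclass
class Finding:
    rule: str
    detail: str

    @property
    def severity(self) -> str:
        return SEVERITY[self.rule]


# IE "ProxyServer = http=host:port" and Firefox "network.proxy.http - host"
LOOPBACK_PROXY_RE = re.compile(
    r"(?:ProxyServer\s*=\s*(?:http=)?|network\.proxy\.http\s*-\s*)"
    r"(127\.0\.0\.1|localhost)(?::(\d+))?", re.I)
# Registry value lines under a [KEY] header: "name"="path" [date size]
REG_VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*"([^"]+)"')
# MBR detector hook lines: \Driver\name Routine -> 0xADDRESS
HOOK_RE = re.compile(r"^(\\Driver\\\S+)\s+(\w+)\s+->\s+(0x[0-9A-Fa-f]+)")
# catchme summary line (French or English build of ComboFix)
HIDDEN_RE = re.compile(r"^(?:Fichiers cachés|Hidden files):\s*(\d+)", re.I)


def triage_combofix(text: str) -> list[Finding]:
    """Walk a ComboFix log and return the lines worth a human's attention."""
    findings: list[Finding] = []
    section = ""  # lower-cased registry key currently being listed
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        m = LOOPBACK_PROXY_RE.search(line)
        if m:  # browser traffic forced through a local listener
            port = m.group(2) or "(port on separate line)"
            findings.append(Finding("loopback-proxy", f"{m.group(1)}:{port} <- {line}"))
            continue
        m = REG_VALUE_RE.match(line)
        if m:
            name, path = m.groups()
            reasons = []
            if re.search(r"\\temp\\", path, re.I):
                reasons.append("runs from a Temp directory")
            if "policies\\explorer\\run" in section:
                reasons.append("uses the policies\\Explorer\\Run key")
            if reasons:
                findings.append(Finding("suspicious-autorun",
                                        f"{name} -> {path}: " + "; ".join(reasons)))
            continue
        m = HOOK_RE.match(line)
        if m:  # a disk-stack driver routine redirected into unknown memory
            findings.append(Finding("disk-driver-hook",
                                    f"{m.group(1)} {m.group(2)} points to {m.group(3)}"))
            continue
        if "user != kernel" in line:  # sectors read via the kernel differ from raw
            findings.append(Finding("mbr-mismatch", line))
        elif re.search(r"^Warning:.*rootkit", line, re.I):
            findings.append(Finding("rootkit-warning", line))
        else:
            m = HIDDEN_RE.match(line)
            if m and int(m.group(1)) > 0:
                findings.append(Finding("hidden-files", line))
    return findings


def highest_severity(findings: list[Finding]) -> str:
    order = ["none", "medium", "high"]
    return max((f.severity for f in findings), key=order.index, default="none")


if __name__ == "__main__":
    for f in triage_combofix(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.rule}: {f.detail}")
```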


#9 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 08 October 2011 - 06:53 PM

Hello

I want you to run this tool for me next.

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Gringo

#10 HezForce
  • Topic Starter

  • Members
  • 10 posts

Posted 08 October 2011 - 07:36 PM

Internet is working fine now, the computer looks fine to me for now, maybe to you it's still not clean :P
Here's the log
20:31:17.0296 2076	TDSS rootkit removing tool 2.6.6.0 Oct  7 2011 12:45:24
20:31:17.0406 2076	============================================================
20:31:17.0406 2076	Current date / time: 2011/10/08 20:31:17.0406
20:31:17.0406 2076	SystemInfo:
20:31:17.0406 2076	
20:31:17.0406 2076	OS Version: 5.1.2600 ServicePack: 3.0
20:31:17.0406 2076	Product type: Workstation
20:31:17.0406 2076	ComputerName: MOUHAMAD
20:31:17.0406 2076	UserName: Joelle Girard
20:31:17.0406 2076	Windows directory: C:\WINDOWS
20:31:17.0406 2076	System windows directory: C:\WINDOWS
20:31:17.0406 2076	Processor architecture: Intel x86
20:31:17.0406 2076	Number of processors: 2
20:31:17.0406 2076	Page size: 0x1000
20:31:17.0406 2076	Boot type: Normal boot
20:31:17.0406 2076	============================================================
20:31:21.0281 2076	Initialize success
20:31:32.0437 1592	============================================================
20:31:32.0437 1592	Scan started
20:31:32.0437 1592	Mode: Manual; 
20:31:32.0437 1592	============================================================
20:31:33.0171 1592	Abiosdsk - ok
20:31:33.0203 1592	abp480n5        (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
20:31:33.0218 1592	abp480n5 - ok
20:31:33.0265 1592	ACPI            (e5e6dbfc41ea8aad005cb9a57a96b43b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
20:31:33.0265 1592	ACPI - ok
20:31:33.0312 1592	ACPIEC          (e4abc1212b70bb03d35e60681c447210) C:\WINDOWS\system32\drivers\ACPIEC.sys
20:31:33.0312 1592	ACPIEC - ok
20:31:33.0343 1592	adpu160m        (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
20:31:33.0343 1592	adpu160m - ok
20:31:33.0390 1592	aec             (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
20:31:33.0390 1592	aec - ok
20:31:33.0421 1592	AegisP          (91f3df93f40a74d222cd166fe95db633) C:\WINDOWS\system32\DRIVERS\AegisP.sys
20:31:33.0421 1592	AegisP - ok
20:31:33.0484 1592	AFD             (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
20:31:33.0484 1592	AFD - ok
20:31:33.0578 1592	agp440          (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
20:31:33.0578 1592	agp440 - ok
20:31:33.0593 1592	agpCPQ          (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
20:31:33.0593 1592	agpCPQ - ok
20:31:33.0656 1592	Aha154x         (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
20:31:33.0656 1592	Aha154x - ok
20:31:33.0671 1592	aic78u2         (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
20:31:33.0671 1592	aic78u2 - ok
20:31:33.0687 1592	aic78xx         (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
20:31:33.0687 1592	aic78xx - ok
20:31:33.0734 1592	AliIde          (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
20:31:33.0734 1592	AliIde - ok
20:31:33.0781 1592	alim1541        (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
20:31:33.0781 1592	alim1541 - ok
20:31:33.0796 1592	amdagp          (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
20:31:33.0796 1592	amdagp - ok
20:31:33.0843 1592	amsint          (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
20:31:33.0843 1592	amsint - ok
20:31:33.0875 1592	APPDRV          (ec94e05b76d033b74394e7b2175103cf) C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS
20:31:33.0875 1592	APPDRV - ok
20:31:34.0000 1592	Arp1394         (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
20:31:34.0000 1592	Arp1394 - ok
20:31:34.0031 1592	asc             (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
20:31:34.0031 1592	asc - ok
20:31:34.0046 1592	asc3350p        (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
20:31:34.0046 1592	asc3350p - ok
20:31:34.0078 1592	asc3550         (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
20:31:34.0078 1592	asc3550 - ok
20:31:34.0109 1592	AsyncMac        (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
20:31:34.0109 1592	AsyncMac - ok
20:31:34.0140 1592	atapi           (7cb2149b264d24e20bcae3fda1d27f11) C:\WINDOWS\system32\DRIVERS\atapi.sys
20:31:34.0140 1592	Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\atapi.sys. Real md5: 7cb2149b264d24e20bcae3fda1d27f11, Fake md5: 9f3a2f5aa6875c72bf062c712cfa2674
20:31:34.0140 1592	atapi ( Rootkit.Win32.TDSS.tdl3 ) - infected
20:31:34.0140 1592	atapi - detected Rootkit.Win32.TDSS.tdl3 (0)
20:31:34.0156 1592	Atdisk - ok
20:31:34.0281 1592	Atmarpc         (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
20:31:34.0281 1592	Atmarpc - ok
20:31:34.0296 1592	audstub         (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
20:31:34.0296 1592	audstub - ok
20:31:34.0359 1592	avgio           (0b497c79824f8e1bf22fa6aacd3de3a0) C:\Program Files\Avira\AntiVir Desktop\avgio.sys
20:31:34.0359 1592	avgio - ok
20:31:34.0390 1592	avgntflt        (47b879406246ffdced59e18d331a0e7d) C:\WINDOWS\system32\DRIVERS\avgntflt.sys
20:31:34.0390 1592	avgntflt - ok
20:31:34.0421 1592	avipbb          (5fedef54757b34fb611b9ec8fb399364) C:\WINDOWS\system32\DRIVERS\avipbb.sys
20:31:34.0437 1592	avipbb - ok
20:31:34.0531 1592	bcm4sbxp        (c768c8a463d32c219ce291645a0621a4) C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys
20:31:34.0531 1592	bcm4sbxp - ok
20:31:34.0546 1592	Beep            (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
20:31:34.0562 1592	Beep - ok
20:31:34.0609 1592	BrScnUsb        (92a964547b96d697e5e9ed43b4297f5a) C:\WINDOWS\system32\Drivers\BrScnUsb.sys
20:31:34.0609 1592	BrScnUsb - ok
20:31:34.0703 1592	catchme - ok
20:31:34.0718 1592	cbidf           (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
20:31:34.0718 1592	cbidf - ok
20:31:34.0734 1592	cbidf2k         (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
20:31:34.0734 1592	cbidf2k - ok
20:31:34.0750 1592	cd20xrnt        (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
20:31:34.0750 1592	cd20xrnt - ok
20:31:34.0781 1592	Cdaudio         (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
20:31:34.0781 1592	Cdaudio - ok
20:31:34.0828 1592	Cdfs            (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
20:31:34.0828 1592	Cdfs - ok
20:31:34.0859 1592	Cdrom           (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
20:31:34.0859 1592	Cdrom - ok
20:31:34.0875 1592	Changer - ok
20:31:34.0921 1592	CmBatt          (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
20:31:34.0921 1592	CmBatt - ok
20:31:34.0953 1592	CmdIde          (e3726ad522d0bdae090671048c991ab3) C:\WINDOWS\system32\DRIVERS\cmdide.sys
20:31:34.0953 1592	CmdIde - ok
20:31:34.0968 1592	Compbatt        (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
20:31:34.0968 1592	Compbatt - ok
20:31:35.0015 1592	Cpqarray        (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
20:31:35.0015 1592	Cpqarray - ok
20:31:35.0046 1592	dac2w2k         (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
20:31:35.0046 1592	dac2w2k - ok
20:31:35.0093 1592	dac960nt        (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
20:31:35.0093 1592	dac960nt - ok
20:31:35.0171 1592	Disk            (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
20:31:35.0171 1592	Disk - ok
20:31:35.0203 1592	DLABOIOM        (e2d0de31442390c35e3163c87cb6a9eb) C:\WINDOWS\system32\DLA\DLABOIOM.SYS
20:31:35.0203 1592	DLABOIOM - ok
20:31:35.0203 1592	DLACDBHM        (d979bebcf7edcc9c9ee1857d1a68c67b) C:\WINDOWS\system32\Drivers\DLACDBHM.SYS
20:31:35.0218 1592	DLACDBHM - ok
20:31:35.0234 1592	DLADResN        (bb445bcea5aa6bc695a56eb2fbb4686f) C:\WINDOWS\system32\DLA\DLADResN.SYS
20:31:35.0234 1592	DLADResN - ok
20:31:35.0265 1592	DLAIFS_M        (96e01d901cdc98c7817155cc057001bf) C:\WINDOWS\system32\DLA\DLAIFS_M.SYS
20:31:35.0265 1592	DLAIFS_M - ok
20:31:35.0281 1592	DLAOPIOM        (0a60a39cc5e767980a31ca5d7238dfa9) C:\WINDOWS\system32\DLA\DLAOPIOM.SYS
20:31:35.0281 1592	DLAOPIOM - ok
20:31:35.0296 1592	DLAPoolM        (9fe2b72558fc808357f427fd83314375) C:\WINDOWS\system32\DLA\DLAPoolM.SYS
20:31:35.0296 1592	DLAPoolM - ok
20:31:35.0296 1592	DLARTL_N        (7ee0852ae8907689df25049dcd2342e8) C:\WINDOWS\system32\Drivers\DLARTL_N.SYS
20:31:35.0312 1592	DLARTL_N - ok
20:31:35.0328 1592	DLAUDFAM        (f08e1dafac457893399e03430a6a1397) C:\WINDOWS\system32\DLA\DLAUDFAM.SYS
20:31:35.0328 1592	DLAUDFAM - ok
20:31:35.0343 1592	DLAUDF_M        (e7d105ed1e694449d444a9933df8e060) C:\WINDOWS\system32\DLA\DLAUDF_M.SYS
20:31:35.0343 1592	DLAUDF_M - ok
20:31:35.0421 1592	dmboot          (f5deadd42335fb33edca74ecb2f36cba) C:\WINDOWS\system32\drivers\dmboot.sys
20:31:35.0437 1592	dmboot - ok
20:31:35.0500 1592	dmio            (5a7c47c9b3f9fb92a66410a7509f0c71) C:\WINDOWS\system32\drivers\dmio.sys
20:31:35.0500 1592	dmio - ok
20:31:35.0609 1592	dmload          (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
20:31:35.0609 1592	dmload - ok
20:31:35.0671 1592	DMusic          (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
20:31:35.0671 1592	DMusic - ok
20:31:35.0718 1592	dpti2o          (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
20:31:35.0718 1592	dpti2o - ok
20:31:35.0734 1592	drmkaud         (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
20:31:35.0734 1592	drmkaud - ok
20:31:35.0765 1592	DRVMCDB         (fd0f95981fef9073659d8ec58e40aa3c) C:\WINDOWS\system32\Drivers\DRVMCDB.SYS
20:31:35.0765 1592	DRVMCDB - ok
20:31:35.0796 1592	DRVNDDM         (b4869d320428cdc5ec4d7f5e808e99b5) C:\WINDOWS\system32\Drivers\DRVNDDM.SYS
20:31:35.0796 1592	DRVNDDM - ok
20:31:35.0828 1592	E100B           (1961f8b618e3c20df54c146b294efd2a) C:\WINDOWS\system32\DRIVERS\e100b325.sys
20:31:35.0828 1592	E100B - ok
20:31:35.0890 1592	Fastfat         (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
20:31:35.0890 1592	Fastfat - ok
20:31:35.0921 1592	Fdc             (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
20:31:35.0921 1592	Fdc - ok
20:31:35.0968 1592	Fips            (31f923eb2170fc172c81abda0045d18c) C:\WINDOWS\system32\drivers\Fips.sys
20:31:35.0968 1592	Fips - ok
20:31:36.0015 1592	Flpydisk        (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
20:31:36.0015 1592	Flpydisk - ok
20:31:36.0125 1592	FltMgr          (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
20:31:36.0140 1592	FltMgr - ok
20:31:36.0171 1592	Fs_Rec          (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
20:31:36.0171 1592	Fs_Rec - ok
20:31:36.0218 1592	Ftdisk          (a86859b77b908c18c2657f284aa29fe3) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
20:31:36.0218 1592	Ftdisk - ok
20:31:36.0265 1592	GEARAspiWDM     (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
20:31:36.0265 1592	GEARAspiWDM - ok
20:31:36.0312 1592	Gpc             (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
20:31:36.0312 1592	Gpc - ok
20:31:36.0328 1592	HDAudBus        (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
20:31:36.0343 1592	HDAudBus - ok
20:31:36.0375 1592	HidUsb          (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
20:31:36.0375 1592	HidUsb - ok
20:31:36.0406 1592	hpn             (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
20:31:36.0406 1592	hpn - ok
20:31:36.0484 1592	HSF_DPV         (e8ec1767ea315a39a0dd8989952ca0e9) C:\WINDOWS\system32\DRIVERS\HSX_DPV.sys
20:31:36.0484 1592	HSF_DPV - ok
20:31:36.0546 1592	HSXHWAZL        (61478fa42ee04562e7f11f4dca87e9c8) C:\WINDOWS\system32\DRIVERS\HSXHWAZL.sys
20:31:36.0546 1592	HSXHWAZL - ok
20:31:36.0687 1592	HTTP            (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
20:31:36.0687 1592	HTTP - ok
20:31:36.0703 1592	i2omgmt         (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
20:31:36.0703 1592	i2omgmt - ok
20:31:36.0718 1592	i2omp           (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
20:31:36.0718 1592	i2omp - ok
20:31:36.0750 1592	i8042prt        (a09bdc4ed10e3b2e0ec27bb94af32516) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
20:31:36.0750 1592	i8042prt - ok
20:31:36.0843 1592	ialm            (cc449157474d5e43daea7e20f52c635a) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
20:31:36.0859 1592	ialm - ok
20:31:36.0875 1592	Imapi           (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
20:31:36.0875 1592	Imapi - ok
20:31:36.0906 1592	ini910u         (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
20:31:36.0906 1592	ini910u - ok
20:31:36.0937 1592	IntelIde        (4b6da2f0a4095857a9e3f3697399d575) C:\WINDOWS\system32\DRIVERS\intelide.sys
20:31:36.0937 1592	IntelIde - ok
20:31:36.0953 1592	intelppm        (ad340800c35a42d4de1641a37feea34c) C:\WINDOWS\system32\DRIVERS\intelppm.sys
20:31:36.0953 1592	intelppm - ok
20:31:37.0000 1592	Ip6Fw           (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
20:31:37.0000 1592	Ip6Fw - ok
20:31:37.0062 1592	IpFilterDriver  (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
20:31:37.0062 1592	IpFilterDriver - ok
20:31:37.0171 1592	IpInIp          (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
20:31:37.0171 1592	IpInIp - ok
20:31:37.0203 1592	IpNat           (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
20:31:37.0203 1592	IpNat - ok
20:31:37.0218 1592	IPSec           (c773971c089973d2ef124120cfa360a7) C:\WINDOWS\system32\DRIVERS\ipsec.sys
20:31:37.0234 1592	IPSec ( Rootkit.Win32.ZAccess.h ) - infected
20:31:37.0234 1592	IPSec - detected Rootkit.Win32.ZAccess.h (0)
20:31:37.0265 1592	IRENUM          (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
20:31:37.0265 1592	IRENUM - ok
20:31:37.0281 1592	isapnp          (355836975a67b6554bca60328cd6cb74) C:\WINDOWS\system32\DRIVERS\isapnp.sys
20:31:37.0281 1592	isapnp - ok
20:31:37.0328 1592	Kbdclass        (16813155807c6881f4bfbf6657424659) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
20:31:37.0328 1592	Kbdclass - ok
20:31:37.0343 1592	kbdhid          (94c59cb884ba010c063687c3a50dce8e) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
20:31:37.0343 1592	kbdhid - ok
20:31:37.0375 1592	kmixer          (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
20:31:37.0375 1592	kmixer - ok
20:31:37.0406 1592	KSecDD          (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
20:31:37.0406 1592	KSecDD - ok
20:31:37.0453 1592	lbrtfdc - ok
20:31:37.0500 1592	MBAMProtector   (69a6268d7f81e53d568ab4e7e991caf3) C:\WINDOWS\system32\drivers\mbam.sys
20:31:37.0500 1592	MBAMProtector - ok
20:31:37.0609 1592	mdmxsdk         (e246a32c445056996074a397da56e815) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
20:31:37.0609 1592	mdmxsdk - ok
20:31:37.0640 1592	MHNDRV          (7f2f1d2815a6449d346fcccbc569fbd6) C:\WINDOWS\system32\DRIVERS\mhndrv.sys
20:31:37.0640 1592	MHNDRV - ok
20:31:37.0687 1592	mnmdd           (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
20:31:37.0687 1592	mnmdd - ok
20:31:37.0703 1592	Modem           (510ade9327fe84c10254e1902697e25f) C:\WINDOWS\system32\drivers\Modem.sys
20:31:37.0703 1592	Modem - ok
20:31:37.0718 1592	Mouclass        (027c01bd7ef3349aaebc883d8a799efb) C:\WINDOWS\system32\DRIVERS\mouclass.sys
20:31:37.0718 1592	Mouclass - ok
20:31:37.0750 1592	mouhid          (124d6846040c79b9c997f78ef4b2a4e5) C:\WINDOWS\system32\DRIVERS\mouhid.sys
20:31:37.0750 1592	mouhid - ok
20:31:37.0781 1592	MountMgr        (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
20:31:37.0781 1592	MountMgr - ok
20:31:37.0859 1592	mraid35x        (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
20:31:37.0859 1592	mraid35x - ok
20:31:37.0875 1592	MRxDAV          (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
20:31:37.0875 1592	MRxDAV - ok
20:31:37.0953 1592	MRxSmb          (60ae98742484e7ab80c3c1450e708148) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
20:31:37.0953 1592	MRxSmb - ok
20:31:37.0984 1592	Msfs            (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
20:31:37.0984 1592	Msfs - ok
20:31:38.0046 1592	MSKSSRV         (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
20:31:38.0046 1592	MSKSSRV - ok
20:31:38.0140 1592	MSPCLOCK        (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
20:31:38.0140 1592	MSPCLOCK - ok
20:31:38.0171 1592	MSPQM           (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
20:31:38.0171 1592	MSPQM - ok
20:31:38.0218 1592	mssmbios        (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
20:31:38.0218 1592	mssmbios - ok
20:31:38.0234 1592	Mup             (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
20:31:38.0234 1592	Mup - ok
20:31:38.0265 1592	NDIS            (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
20:31:38.0265 1592	NDIS - ok
20:31:38.0281 1592	NdisTapi        (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
20:31:38.0296 1592	NdisTapi - ok
20:31:38.0312 1592	Ndisuio         (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
20:31:38.0312 1592	Ndisuio - ok
20:31:38.0328 1592	NdisWan         (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
20:31:38.0328 1592	NdisWan - ok
20:31:38.0359 1592	NDProxy         (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
20:31:38.0359 1592	NDProxy - ok
20:31:38.0375 1592	NetBIOS         (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
20:31:38.0375 1592	NetBIOS - ok
20:31:38.0468 1592	NetBT           (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
20:31:38.0468 1592	NetBT - ok
20:31:38.0515 1592	NIC1394         (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
20:31:38.0515 1592	NIC1394 - ok
20:31:38.0562 1592	Npfs            (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
20:31:38.0562 1592	Npfs - ok
20:31:38.0609 1592	Ntfs            (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
20:31:38.0609 1592	Ntfs - ok
20:31:38.0718 1592	Null            (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
20:31:38.0718 1592	Null - ok
20:31:38.0875 1592	nv              (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
20:31:38.0890 1592	nv - ok
20:31:38.0906 1592	NwlnkFlt        (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
20:31:38.0906 1592	NwlnkFlt - ok
20:31:38.0921 1592	NwlnkFwd        (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
20:31:38.0921 1592	NwlnkFwd - ok
20:31:39.0031 1592	ohci1394        (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
20:31:39.0031 1592	ohci1394 - ok
20:31:39.0078 1592	Parport         (8fd0bdbea875d06ccf6c945ca9abaf75) C:\WINDOWS\system32\DRIVERS\parport.sys
20:31:39.0078 1592	Parport - ok
20:31:39.0093 1592	PartMgr         (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
20:31:39.0109 1592	PartMgr - ok
20:31:39.0109 1592	ParVdm          (9575c5630db8fb804649a6959737154c) C:\WINDOWS\system32\drivers\ParVdm.sys
20:31:39.0109 1592	ParVdm - ok
20:31:39.0125 1592	PCI             (043410877bda580c528f45165f7125bc) C:\WINDOWS\system32\DRIVERS\pci.sys
20:31:39.0125 1592	PCI - ok
20:31:39.0140 1592	PCIDump - ok
20:31:39.0156 1592	PCIIde          (f4bfde7209c14a07aaa61e4d6ae69eac) C:\WINDOWS\system32\DRIVERS\pciide.sys
20:31:39.0171 1592	PCIIde - ok
20:31:39.0187 1592	Pcmcia          (f0406cbc60bdb0394a0e17ffb04cdd3d) C:\WINDOWS\system32\drivers\Pcmcia.sys
20:31:39.0203 1592	Pcmcia - ok
20:31:39.0203 1592	PDCOMP - ok
20:31:39.0218 1592	PDFRAME - ok
20:31:39.0234 1592	PDRELI - ok
20:31:39.0250 1592	PDRFRAME - ok
20:31:39.0281 1592	perc2           (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
20:31:39.0281 1592	perc2 - ok
20:31:39.0281 1592	perc2hib        (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
20:31:39.0281 1592	perc2hib - ok
20:31:39.0343 1592	PptpMiniport    (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
20:31:39.0343 1592	PptpMiniport - ok
20:31:39.0343 1592	PSched          (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
20:31:39.0359 1592	PSched - ok
20:31:39.0359 1592	Ptilink         (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
20:31:39.0359 1592	Ptilink - ok
20:31:39.0375 1592	PxHelp20 - ok
20:31:39.0406 1592	ql1080          (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
20:31:39.0406 1592	ql1080 - ok
20:31:39.0421 1592	Ql10wnt         (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
20:31:39.0421 1592	Ql10wnt - ok
20:31:39.0437 1592	ql12160         (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
20:31:39.0437 1592	ql12160 - ok
20:31:39.0546 1592	ql1240          (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
20:31:39.0546 1592	ql1240 - ok
20:31:39.0562 1592	ql1280          (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
20:31:39.0562 1592	ql1280 - ok
20:31:39.0578 1592	RasAcd          (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
20:31:39.0593 1592	RasAcd - ok
20:31:39.0609 1592	Rasl2tp         (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
20:31:39.0609 1592	Rasl2tp - ok
20:31:39.0640 1592	RasPppoe        (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
20:31:39.0640 1592	RasPppoe - ok
20:31:39.0640 1592	Raspti          (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
20:31:39.0640 1592	Raspti - ok
20:31:39.0671 1592	Rdbss           (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
20:31:39.0671 1592	Rdbss - ok
20:31:39.0671 1592	RDPCDD          (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
20:31:39.0671 1592	RDPCDD - ok
20:31:39.0703 1592	rdpdr           (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
20:31:39.0703 1592	rdpdr - ok
20:31:39.0734 1592	RDPWD           (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
20:31:39.0734 1592	RDPWD - ok
20:31:39.0781 1592	redbook         (d8eb2a7904db6c916eb5361878ddcbae) C:\WINDOWS\system32\DRIVERS\redbook.sys
20:31:39.0781 1592	redbook - ok
20:31:39.0828 1592	rimmptsk        (24ed7af20651f9fa1f249482e7c1f165) C:\WINDOWS\system32\DRIVERS\rimmptsk.sys
20:31:39.0828 1592	rimmptsk - ok
20:31:39.0875 1592	rimsptsk        (1bdba2d2d402415a78a4ba766dfe0f7b) C:\WINDOWS\system32\DRIVERS\rimsptsk.sys
20:31:39.0875 1592	rimsptsk - ok
20:31:39.0937 1592	rismxdp         (f774ecd11a064f0debb2d4395418153c) C:\WINDOWS\system32\DRIVERS\rixdptsk.sys
20:31:39.0937 1592	rismxdp - ok
20:31:40.0031 1592	s24trans        (2c0e9e777ab1849b43494626c1f308b5) C:\WINDOWS\system32\DRIVERS\s24trans.sys
20:31:40.0031 1592	s24trans - ok
20:31:40.0062 1592	sdbus           (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys
20:31:40.0062 1592	sdbus - ok
20:31:40.0187 1592	Secdrv          (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
20:31:40.0187 1592	Secdrv - ok
20:31:40.0265 1592	serenum         (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
20:31:40.0265 1592	serenum - ok
20:31:40.0296 1592	Serial          (93d313c31f7ad9ea2b75f26075413c7c) C:\WINDOWS\system32\DRIVERS\serial.sys
20:31:40.0296 1592	Serial - ok
20:31:40.0328 1592	Sfloppy         (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
20:31:40.0328 1592	Sfloppy - ok
20:31:40.0343 1592	Simbad - ok
20:31:40.0375 1592	sisagp          (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
20:31:40.0375 1592	sisagp - ok
20:31:40.0421 1592	Sparrow         (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
20:31:40.0421 1592	Sparrow - ok
20:31:40.0468 1592	splitter        (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
20:31:40.0468 1592	splitter - ok
20:31:40.0484 1592	sr              (39626e6dc1fb39434ec40c42722b660a) C:\WINDOWS\system32\DRIVERS\sr.sys
20:31:40.0484 1592	sr - ok
20:31:40.0515 1592	Srv             (3bb03f2ba89d2be417206c373d2af17c) C:\WINDOWS\system32\DRIVERS\srv.sys
20:31:40.0515 1592	Srv - ok
20:31:40.0562 1592	ssmdrv          (a36ee93698802cd899f98bfd553d8185) C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
20:31:40.0562 1592	ssmdrv - ok
20:31:40.0625 1592	STHDA           (3ad78e22210d3fbd9f76de84a8df19b5) C:\WINDOWS\system32\drivers\sthda.sys
20:31:40.0625 1592	STHDA - ok
20:31:40.0718 1592	swenum          (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
20:31:40.0718 1592	swenum - ok
20:31:40.0750 1592	swmidi          (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
20:31:40.0750 1592	swmidi - ok
20:31:40.0796 1592	symc810         (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
20:31:40.0796 1592	symc810 - ok
20:31:40.0843 1592	symc8xx         (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
20:31:40.0843 1592	symc8xx - ok
20:31:40.0875 1592	sym_hi          (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
20:31:40.0875 1592	sym_hi - ok
20:31:40.0875 1592	sym_u3          (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
20:31:40.0875 1592	sym_u3 - ok
20:31:40.0921 1592	SynTP           (fa2daa32bed908023272a0f77d625dae) C:\WINDOWS\system32\DRIVERS\SynTP.sys
20:31:40.0937 1592	SynTP - ok
20:31:40.0968 1592	sysaudio        (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
20:31:40.0968 1592	sysaudio - ok
20:31:41.0015 1592	Tcpip           (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
20:31:41.0015 1592	Tcpip - ok
20:31:41.0078 1592	TDPIPE          (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
20:31:41.0078 1592	TDPIPE - ok
20:31:41.0203 1592	TDTCP           (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
20:31:41.0203 1592	TDTCP - ok
20:31:41.0265 1592	TermDD          (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
20:31:41.0265 1592	TermDD - ok
20:31:41.0328 1592	TosIde          (b411668322c3bf4e690888706b999679) C:\WINDOWS\system32\DRIVERS\toside.sys
20:31:41.0328 1592	TosIde - ok
20:31:41.0375 1592	Udfs            (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
20:31:41.0375 1592	Udfs - ok
20:31:41.0406 1592	ultra           (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
20:31:41.0406 1592	ultra - ok
20:31:41.0453 1592	Update          (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
20:31:41.0453 1592	Update - ok
20:31:41.0515 1592	USBAAPL         (d4fb6ecc60a428564ba8768b0e23c0fc) C:\WINDOWS\system32\Drivers\usbaapl.sys
20:31:41.0515 1592	USBAAPL - ok
20:31:41.0531 1592	usbccgp         (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
20:31:41.0531 1592	usbccgp - ok
20:31:41.0562 1592	usbehci         (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
20:31:41.0562 1592	usbehci - ok
20:31:41.0578 1592	usbhub          (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
20:31:41.0578 1592	usbhub - ok
20:31:41.0609 1592	usbprint        (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
20:31:41.0609 1592	usbprint - ok
20:31:41.0640 1592	usbscan         (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
20:31:41.0640 1592	usbscan - ok
20:31:41.0718 1592	USBSTOR         (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
20:31:41.0718 1592	USBSTOR - ok
20:31:41.0765 1592	usbuhci         (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
20:31:41.0765 1592	usbuhci - ok
20:31:41.0781 1592	VgaSave         (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
20:31:41.0781 1592	VgaSave - ok
20:31:41.0812 1592	viaagp          (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
20:31:41.0812 1592	viaagp - ok
20:31:41.0859 1592	ViaIde          (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
20:31:41.0859 1592	ViaIde - ok
20:31:41.0906 1592	VolSnap         (46de1126684369bace4849e4fc8c43ca) C:\WINDOWS\system32\drivers\VolSnap.sys
20:31:41.0906 1592	VolSnap - ok
20:31:42.0000 1592	w39n51          (95c7421f8bafc85ba09d33364058937d) C:\WINDOWS\system32\DRIVERS\w39n51.sys
20:31:42.0000 1592	w39n51 - ok
20:31:42.0031 1592	Wanarp          (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
20:31:42.0031 1592	Wanarp - ok
20:31:42.0046 1592	WDICA - ok
20:31:42.0078 1592	wdmaud          (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
20:31:42.0078 1592	wdmaud - ok
20:31:42.0140 1592	winachsf        (ba6b6fb242a6ba4068c8b763063beb63) C:\WINDOWS\system32\DRIVERS\HSX_CNXT.sys
20:31:42.0140 1592	winachsf - ok
20:31:42.0203 1592	MBR (0x1B8)     (dea9e81f0228b68c9adaf84c9b0cf931) \Device\Harddisk0\DR0
20:31:42.0218 1592	\Device\Harddisk0\DR0 - ok
20:31:42.0218 1592	MBR (0x1B8)     (5fb38429d5d77768867c76dcbdb35194) \Device\Harddisk1\DR8
20:31:42.0265 1592	\Device\Harddisk1\DR8 - ok
20:31:42.0281 1592	Boot (0x1200)   (5ae950d5844a3a3d6824a70dbf139c56) \Device\Harddisk0\DR0\Partition0
20:31:42.0281 1592	\Device\Harddisk0\DR0\Partition0 - ok
20:31:42.0281 1592	Boot (0x1200)   (5f6262bf4bd079133c38ea27d43b571f) \Device\Harddisk1\DR8\Partition0
20:31:42.0281 1592	\Device\Harddisk1\DR8\Partition0 - ok
20:31:42.0281 1592	============================================================
20:31:42.0281 1592	Scan finished
20:31:42.0281 1592	============================================================
20:31:42.0296 1604	Detected object count: 2
20:31:42.0296 1604	Actual detected object count: 2
20:31:57.0156 1604	Backup copy found, using it..
20:31:57.0156 1604	C:\WINDOWS\system32\DRIVERS\atapi.sys - will be cured on reboot
20:31:57.0156 1604	atapi ( Rootkit.Win32.TDSS.tdl3 ) - User select action: Cure 
20:31:57.0562 1604	Backup copy found, using it..
20:31:57.0562 1604	C:\WINDOWS\system32\DRIVERS\ipsec.sys - will be cured on reboot
20:31:57.0562 1604	IPSec ( Rootkit.Win32.ZAccess.h ) - User select action: Cure 
20:32:13.0484 3660	Deinitialize success

Edited by HezForce, 08 October 2011 - 07:41 PM.
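For anyone reading a TDSSKiller log like the one above, here is an added triage script (not code from this thread or from TDSSKiller itself): it pulls out every object the tool flagged, the hash and path it printed for that object, the action chosen, and whether the tool's own "Detected object count" agrees with what was parsed. The line shapes are inferred from the posted log; SAMPLE_LOG is a constructed excerpt in the same shape, with a placeholder hash for atapi.sys.

```python
"""Triage a TDSSKiller-style scan log: which objects were flagged, the hash and
path the tool printed for them, the action chosen, and whether the tool's own
'Detected object count' agrees with what was parsed.
Added example, not code from this thread or from TDSSKiller; the line shapes are
inferred from the log posted above and SAMPLE_LOG is constructed from it."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# "<hh:mm:ss.ffff> <pid> <message>"; the tab after the pid may have become spaces.
LINE_RE = re.compile(r"^\d\d:\d\d:\d\d\.\d+\s+\d+\s+(?P<msg>.*)$")
# Enumeration: "<object> (<md5>) <path>"; name is non-greedy so "MBR (0x1B8)" parses.
OBJECT_RE = re.compile(r"^(?P<name>.+?)\s+\((?P<md5>[0-9a-f]{32})\)\s+(?P<path>\S.*)$")
INFECTED_RE = re.compile(r"^(?P<name>\S+) \( (?P<threat>[^)]+) \) - infected$")
ACTION_RE = re.compile(r"^(?P<name>\S+) \( (?P<threat>[^)]+) \) - User select action: (?P<action>.+)$")
CURE_RE = re.compile(r"^(?P<path>.+) - will be cured on reboot$")
COUNT_RE = re.compile(r"^Detected object count: (?P<n>\d+)$")

@dataclass
class Detection:
    name: str
    threat: str
    md5: str = ""
    path: str = ""
    action: str = ""
    cure_on_reboot: bool = False
    restored_from_backup: bool = False  # "Backup copy found" preceded the cure line

@dataclass
class Summary:
    enumerated: int = 0  # objects listed with a hash and a path
    clean: int = 0       # "... - ok" lines
    detections: Dict[str, Detection] = field(default_factory=dict)
    reported_count: Optional[int] = None

    def consistent(self) -> bool:
        # The tool's own count should equal the number of "- infected" objects parsed.
        return self.reported_count == len(self.detections)

def parse_log(text: str) -> Summary:
    s = Summary()
    seen: Dict[str, Tuple[str, str]] = {}  # (md5, path) of each enumerated object
    pending_backup = False
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group("msg").rstrip()
        if (o := OBJECT_RE.match(msg)):
            seen[o["name"]] = (o["md5"], o["path"])
            s.enumerated += 1
        elif msg.endswith(" - ok"):
            s.clean += 1
        elif (i := INFECTED_RE.match(msg)):
            md5, path = seen.get(i["name"], ("", ""))
            s.detections[i["name"]] = Detection(i["name"], i["threat"], md5, path)
        elif (a := ACTION_RE.match(msg)):
            d = s.detections.setdefault(a["name"], Detection(a["name"], a["threat"]))
            d.action = a["action"]
        elif msg.startswith("Backup copy found"):
            pending_backup = True
        elif (c := CURE_RE.match(msg)):
            for d in s.detections.values():
                if d.path.lower() == c["path"].lower():
                    d.cure_on_reboot = True
                    d.restored_from_backup = pending_backup
            pending_backup = False
        elif (k := COUNT_RE.match(msg)):
            s.reported_count = int(k["n"])
    return s

def triage(text: str) -> List[str]:
    """One line per detection, plus a warning if the tool's count disagrees."""
    s = parse_log(text)
    out = [f"{d.name}: {d.threat} md5={d.md5 or '?'} path={d.path or '?'} "
           f"action={d.action or 'none'} cure_on_reboot={d.cure_on_reboot} "
           f"restored_from_backup={d.restored_from_backup}" for d in s.detections.values()]
    if not s.consistent():
        out.append(f"WARNING: tool reported {s.reported_count} objects, parsed {len(s.detections)}")
    return out

# Constructed sample in the posted log's shape (the atapi hash is a placeholder).
SAMPLE_LOG = "\n".join(f"{t} {pid}\t{msg}" for t, pid, msg in [
    ("20:31:30.0000", "1592", r"atapi           (00000000000000000000000000000000) C:\WINDOWS\system32\DRIVERS\atapi.sys"),
    ("20:31:30.0000", "1592", "atapi ( Rootkit.Win32.TDSS.tdl3 ) - infected"),
    ("20:31:36.0953", "1592", r"intelppm        (ad340800c35a42d4de1641a37feea34c) C:\WINDOWS\system32\DRIVERS\intelppm.sys"),
    ("20:31:36.0953", "1592", "intelppm - ok"),
    ("20:31:37.0218", "1592", r"IPSec           (c773971c089973d2ef124120cfa360a7) C:\WINDOWS\system32\DRIVERS\ipsec.sys"),
    ("20:31:37.0234", "1592", "IPSec ( Rootkit.Win32.ZAccess.h ) - infected"),
    ("20:31:37.0453", "1592", "lbrtfdc - ok"),  # service entry with no file on disk
    ("20:31:42.0203", "1592", r"MBR (0x1B8)     (dea9e81f0228b68c9adaf84c9b0cf931) \Device\Harddisk0\DR0"),
    ("20:31:42.0296", "1604", "Detected object count: 2"),
    ("20:31:57.0156", "1604", "Backup copy found, using it.."),
    ("20:31:57.0156", "1604", r"C:\WINDOWS\system32\DRIVERS\atapi.sys - will be cured on reboot"),
    ("20:31:57.0156", "1604", "atapi ( Rootkit.Win32.TDSS.tdl3 ) - User select action: Cure "),
    ("20:31:57.0562", "1604", "Backup copy found, using it.."),
    ("20:31:57.0562", "1604", r"C:\WINDOWS\system32\DRIVERS\ipsec.sys - will be cured on reboot"),
    ("20:31:57.0562", "1604", "IPSec ( Rootkit.Win32.ZAccess.h ) - User select action: Cure "),
])
```

`triage(SAMPLE_LOG)` returns one line per flagged driver; the `restored_from_backup` flag is the signal that a system driver was overwritten in place and put back from a backup copy, which is worth re-verifying after the reboot.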


#11 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • Location: Puerto rico

Posted 08 October 2011 - 09:42 PM

Hello

I would like to see a report that combofix makes.

extra combofix report

  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and paste the following into the box
    C:\Qoobox\Add-Remove Programs.txt
  • click ok

copy and paste the report into this topic for me to review

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#12 HezForce (Topic Starter)

  • Members

Posted 09 October 2011 - 01:12 AM

here it is :
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Reader 7.1.0 - Français
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Assistant de connexion Windows Live
Avira AntiVir Personal - Free Antivirus
Bonjour
Conexant HDA D110 MDC V.92 Modem
Corel WordPerfect Suite 8
Correctif n° 2 pour Windows XP Édition Media Center 2005
Correctif pour Windows Internet Explorer 7 (KB947864)
Correctif pour Windows XP (KB952287)
Correctif pour Windows XP (KB961118)
Correctif pour Windows XP (KB970653-v3)
Correctif pour Windows XP (KB976098-v2)
DAO
Dell CinePlayer
Dell Driver Reset Tool
Dell Picture Studio - Dell Image Expert
Digital Line Detect
DivX Content Uploader
DivX Web Player
FrostWire 4.21.5
GemMaster Mystic
Glary Utilities 2.38.0.1288
High Definition Audio Driver Package - KB835221
HL-2240
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows XP (KB954550-v5)
Installation Windows Live
Intel(R) Graphics Media Accelerator Driver
iTunes
J2SE Runtime Environment 5.0 Update 6
Java Auto Updater
Java(TM) 6 Update 24
Larousse Chambers Français - Anglais
Logiciel Intel(R) PROSet/Wireless
Malwarebytes' Anti-Malware version 1.51.2.1300
mCore
MCU
mDrWiFi
mHlpDell
Microsoft .NET Framework 1.0 Hotfix (KB953295)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 French Language Pack
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Live Add-in 1.3
Microsoft Office Outlook Connector
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Small Business Edition 2003
Microsoft Office Word Viewer 2003
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft Works
Mise à jour de sécurité pour Lecteur Windows Media (KB952069)
Mise à jour de sécurité pour Lecteur Windows Media (KB954155)
Mise à jour de sécurité pour Lecteur Windows Media (KB968816)
Mise à jour de sécurité pour Lecteur Windows Media (KB973540)
Mise à jour de sécurité pour Lecteur Windows Media 10 (KB917734)
Mise à jour de sécurité pour Lecteur Windows Media 10 (KB936782)
Mise à jour de sécurité pour Windows Internet Explorer 7 (KB928090)
Mise à jour de sécurité pour Windows Internet Explorer 7 (KB929969)
Mise à jour de sécurité pour Windows Internet Explorer 7 (KB931768)
Mise à jour de sécurité pour Windows Internet Explorer 7 (KB933566)
Mise à jour de sécurité pour Windows Internet Explorer 7 (KB937143)
Mise à jour de sécurité pour Windows Internet Explorer 7 (KB938127)
Mise à jour de sécurité pour Windows Internet Explorer 7 (KB939653)
Mise à jour de sécurité pour Windows Internet Explorer 7 (KB942615)
Mise à jour de sécurité pour Windows Internet Explorer 7 (KB944533)
Mise à jour de sécurité pour Windows Internet Explorer 7 (KB950759)
Mise à jour de sécurité pour Windows Internet Explorer 7 (KB953838)
Mise à jour de sécurité pour Windows Internet Explorer 7 (KB956390)
Mise à jour de sécurité pour Windows Internet Explorer 7 (KB958215)
Mise à jour de sécurité pour Windows Internet Explorer 7 (KB960714)
Mise à jour de sécurité pour Windows Internet Explorer 7 (KB961260)
Mise à jour de sécurité pour Windows Internet Explorer 7 (KB963027)
Mise à jour de sécurité pour Windows Internet Explorer 7 (KB969897)
Mise à jour de sécurité pour Windows Internet Explorer 7 (KB972260)
Mise à jour de sécurité pour Windows Internet Explorer 7 (KB974455)
Mise à jour de sécurité pour Windows Internet Explorer 7 (KB976325)
Mise à jour de sécurité pour Windows Internet Explorer 7 (KB978207)
Mise à jour de sécurité pour Windows XP (KB923561)
Mise à jour de sécurité pour Windows XP (KB938464-v2)
Mise à jour de sécurité pour Windows XP (KB938464)
Mise à jour de sécurité pour Windows XP (KB941569)
Mise à jour de sécurité pour Windows XP (KB946648)
Mise à jour de sécurité pour Windows XP (KB950760)
Mise à jour de sécurité pour Windows XP (KB950762)
Mise à jour de sécurité pour Windows XP (KB950974)
Mise à jour de sécurité pour Windows XP (KB951066)
Mise à jour de sécurité pour Windows XP (KB951376-v2)
Mise à jour de sécurité pour Windows XP (KB951698)
Mise à jour de sécurité pour Windows XP (KB951748)
Mise à jour de sécurité pour Windows XP (KB952004)
Mise à jour de sécurité pour Windows XP (KB952954)
Mise à jour de sécurité pour Windows XP (KB953839)
Mise à jour de sécurité pour Windows XP (KB954211)
Mise à jour de sécurité pour Windows XP (KB954459)
Mise à jour de sécurité pour Windows XP (KB954600)
Mise à jour de sécurité pour Windows XP (KB955069)
Mise à jour de sécurité pour Windows XP (KB956391)
Mise à jour de sécurité pour Windows XP (KB956572)
Mise à jour de sécurité pour Windows XP (KB956744)
Mise à jour de sécurité pour Windows XP (KB956802)
Mise à jour de sécurité pour Windows XP (KB956803)
Mise à jour de sécurité pour Windows XP (KB956841)
Mise à jour de sécurité pour Windows XP (KB956844)
Mise à jour de sécurité pour Windows XP (KB957095)
Mise à jour de sécurité pour Windows XP (KB957097)
Mise à jour de sécurité pour Windows XP (KB958644)
Mise à jour de sécurité pour Windows XP (KB958687)
Mise à jour de sécurité pour Windows XP (KB958690)
Mise à jour de sécurité pour Windows XP (KB958869)
Mise à jour de sécurité pour Windows XP (KB959426)
Mise à jour de sécurité pour Windows XP (KB960225)
Mise à jour de sécurité pour Windows XP (KB960715)
Mise à jour de sécurité pour Windows XP (KB960803)
Mise à jour de sécurité pour Windows XP (KB960859)
Mise à jour de sécurité pour Windows XP (KB961371)
Mise à jour de sécurité pour Windows XP (KB961373)
Mise à jour de sécurité pour Windows XP (KB961501)
Mise à jour de sécurité pour Windows XP (KB968537)
Mise à jour de sécurité pour Windows XP (KB969059)
Mise à jour de sécurité pour Windows XP (KB969898)
Mise à jour de sécurité pour Windows XP (KB969947)
Mise à jour de sécurité pour Windows XP (KB970238)
Mise à jour de sécurité pour Windows XP (KB970430)
Mise à jour de sécurité pour Windows XP (KB971486)
Mise à jour de sécurité pour Windows XP (KB971557)
Mise à jour de sécurité pour Windows XP (KB971633)
Mise à jour de sécurité pour Windows XP (KB971657)
Mise à jour de sécurité pour Windows XP (KB971961)
Mise à jour de sécurité pour Windows XP (KB972270)
Mise à jour de sécurité pour Windows XP (KB973346)
Mise à jour de sécurité pour Windows XP (KB973354)
Mise à jour de sécurité pour Windows XP (KB973507)
Mise à jour de sécurité pour Windows XP (KB973525)
Mise à jour de sécurité pour Windows XP (KB973869)
Mise à jour de sécurité pour Windows XP (KB973904)
Mise à jour de sécurité pour Windows XP (KB974112)
Mise à jour de sécurité pour Windows XP (KB974318)
Mise à jour de sécurité pour Windows XP (KB974392)
Mise à jour de sécurité pour Windows XP (KB974571)
Mise à jour de sécurité pour Windows XP (KB975025)
Mise à jour de sécurité pour Windows XP (KB975467)
Mise à jour de sécurité pour Windows XP (KB977914)
Mise à jour de sécurité pour Windows XP (KB978706)
Mise à jour pour Lecteur Windows Media 10 (KB910393)
Mise à jour pour Lecteur Windows Media 10 (KB913800)
Mise à jour pour Lecteur Windows Media 10 (KB926251)
Mise à jour pour Windows Internet Explorer 7 (KB976749)
Mise à jour pour Windows XP (KB951072-v2)
Mise à jour pour Windows XP (KB951978)
Mise à jour pour Windows XP (KB955759)
Mise à jour pour Windows XP (KB955839)
Mise à jour pour Windows XP (KB961503)
Mise à jour pour Windows XP (KB967715)
Mise à jour pour Windows XP (KB968389)
Mise à jour pour Windows XP (KB971737)
Mise à jour pour Windows XP (KB973687)
Mise à jour pour Windows XP (KB973815)
mIWA
Mixeur
mLogView
mMHouse
MobileMe Control Panel
Modem Helper
Module de compatibilité pour Microsoft Office System 2007
Mozilla Firefox (3.0.19)
mPfMgr
mPfWiz
mProSafe
mSSO
MSVCRT
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
mWlsSafe
mWMI
mXML
mZConfig
NetWaiting
Outil de téléchargement Windows Live
Paint Shop Pro 7
QuickSet
QuickTime
Roxio DLA
Roxio MyDVD LE
Roxio RecordNow Audio
Roxio RecordNow Copy
Roxio RecordNow Data
SearchAssist
Securexam Student
Segoe UI
Sonic Activation Module
Sonic Encoders
Sonic Update Manager
Sound Blaster Audigy ADVANCED MB Demo
Synaptics Pointing Device Driver
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
URL Assistant
VideoLAN VLC media player 0.8.6c
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Web Update Wizard (Redistributable) 4.0
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live Call
Windows Live Communications Platform
Windows Live FolderShare
Windows Live Messenger
Windows Media Format Runtime
Windows XP Media Center Edition 2005 KB908246
Windows XP Media Center Edition 2005 KB912067
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3



#13 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • Location: Puerto rico

Posted 09 October 2011 - 01:17 AM

Hello

P2P Warning!

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur.
Once upon a time, P2P file sharing was fairly safe. That is no longer true. P2P programs form a direct conduit on to your computer, their security measures are easily circumvented and malware writers are increasingly exploiting them to spread their wares on to your computer. Further to that, if your P2P program is not configured correctly, your computer may be sharing more files than you realise. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to a file sharing network by a badly configured program.

Please read these short reports on the dangers of peer-2-peer programs and file sharing.

FBI Cyber Education Letter
File sharing infects 500,000 computers
USAToday
infoworld


These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs

1. click on start
2. then go to settings
3. after that you need control panel
4. look for the icon add/remove programs
click on the following programs

Adobe Reader 7.1.0 - Français
J2SE Runtime Environment 5.0 Update 6

and click on remove

Update Adobe Reader

Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader (7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

Note: When installing FoxitReader, be careful not to install anything to do with AskBar.
Your Java is out of date.

It can be updated by the Java control panel
  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup) -> Update Tab -> Update Now.
  • An update should begin;
  • follow the prompts

Clear your Java Cache

  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      Applications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.

TFC (Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

Malwarebytes' Anti-Malware:

  • I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidentally close it, the log file is saved here and will be named like this:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

If you have problems running HijackThis, sometimes we have to run it like this:

To run HijackThis as an administrator, right-click HijackThis.exe (located at C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe) and select Run as administrator.

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#14 HezForce

HezForce
  • Topic Starter

  • Members
  • 10 posts

Posted 09 October 2011 - 09:06 PM

here are the logs :

MBAM
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Version de la base de données: 7911

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

2011-10-09 22:00:36
mbam-log-2011-10-09 (22-00-36).txt

Type d'examen: Examen rapide
Elément(s) analysé(s): 181930
Temps écoulé: 4 minute(s), 14 seconde(s)

Processus mémoire infecté(s): 0
Module(s) mémoire infecté(s): 0
Clé(s) du Registre infectée(s): 0
Valeur(s) du Registre infectée(s): 1
Elément(s) de données du Registre infecté(s): 1
Dossier(s) infecté(s): 0
Fichier(s) infecté(s): 1

Processus mémoire infecté(s):
(Aucun élément nuisible détecté)

Module(s) mémoire infecté(s):
(Aucun élément nuisible détecté)

Clé(s) du Registre infectée(s):
(Aucun élément nuisible détecté)

Valeur(s) du Registre infectée(s):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\2600 (Backdoor.Bot) -> Value: 2600 -> Delete on reboot.

Elément(s) de données du Registre infecté(s):
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Joelle Girard\Local Settings\Application Data\kpe.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.

Dossier(s) infecté(s):
(Aucun élément nuisible détecté)

Fichier(s) infecté(s):
c:\documents and settings\all users\local settings\Temp\02e1fd74.com (Backdoor.Bot) -> Quarantined and deleted successfully.

HIJACKTHIS
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 22:03:39, on 2011-10-09
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\PROGRAM FILES\DELL\QUICKSET\QUICKSET.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Creative\Mixer\CTSVolFE.exe
C:\Program Files\Fichiers communs\InstallShield\UpdateService\issch.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\PROGRAM FILES\NETWAITING\NETWAITING.EXE
C:\Program Files\Digital Line Detect\DLG.exe
C:\Documents and Settings\Joelle Girard\Bureau\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.ca/ig/dell?hl=fr&client=dell-row&channel=ca&ibd=4060911
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ca.mcafee.com/root/campaign.asp?cid=16981
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Programme d'aide de l'Assistant de connexion Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\PROGRAM FILES\DELL\QUICKSET\QUICKSET.EXE
O4 - HKLM\..\Run: [CTSVolFE.exe] "C:\Program Files\Creative\Mixer\CTSVolFE.exe" /r
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Fichiers communs\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [BrStsMon00] C:\Program Files\Browny02\Brother\BrStMonW.exe /AUTORUN
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\FICHIE~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Fichiers communs\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ModemOnHold] C:\PROGRAM FILES\NETWAITING\NETWAITING.EXE
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_24.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_24.dll
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O22 - SharedTaskScheduler: Pré-chargeur Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Démon de cache des catégories de composant - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Unknown owner - C:\Program Files\Avira\AntiVir Desktop\sched.exe (file missing)
O23 - Service: Avira AntiVir Guard (AntiVirService) - Unknown owner - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Unknown owner - C:\Program Files\Fichiers communs\Apple\Mobile Device Support\AppleMobileDeviceService.exe (file missing)
O23 - Service: Service d'administration du Gestionnaire de disque logique (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Service de planification Media Center (ehSched) - Unknown owner - C:\WINDOWS\eHome\ehSched.exe
O23 - Service: Journal des événements (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Unknown owner - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe (file missing)
O23 - Service: Fax - Unknown owner - C:\WINDOWS\system32\fxssvc.exe
O23 - Service: Service COM de gravage de CD IMAPI (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Partage de Bureau à distance NetMeeting (mnmsrvc) - Unknown owner - C:\WINDOWS\system32\mnmsrvc.exe
O23 - Service: Plug-and-Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Gestionnaire de session d'aide sur le Bureau à distance (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Unknown owner - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Unknown owner - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe (file missing)
O23 - Service: Carte à puce (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Journaux et alertes de performance (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Telnet (TlntSvr) - Unknown owner - C:\WINDOWS\system32\tlntsvr.exe
O23 - Service: Cliché instantané de volume (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Web Update Wizard Service V4 (WebUpdate4) - Unknown owner - C:\WINDOWS\system32\WebUpdateSvc4.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: Carte de performance WMI (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe

--
End of file - 10394 bytes

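As an added example (it is not part of this thread, and it is not a HijackThis or Malwarebytes feature): a small Python script that does a first-pass triage of a HijackThis log like the one posted above, picking out the kinds of lines a helper reads first: O2 BHOs that end in (no file), O23 services that end in (file missing), and O4 Run entries that start a program from a user-writable profile folder or by an unqualified file name. The sample lines are constructed for the example, modelled on the formats in this thread's log (the kpe.exe path is taken from the MBAM finding above); the marker list of profile folders is an assumption, and a hit is a pointer for review, not a verdict that the entry is malicious.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines in HijackThis log format (not the poster's full log).
SAMPLE_LOG = "\n".join([
    r"O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)",
    r"O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll",
    r'O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min',
    r"O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe",
    r'O4 - HKCU\..\Run: [kpe] "C:\Documents and Settings\User\Local Settings\Application Data\kpe.exe"',
    r"O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Unknown owner - C:\Program Files\Avira\AntiVir Desktop\sched.exe (file missing)",
    r"O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe",
])


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O4"
    severity: str  # "info" (clutter / worth knowing) or "review" (look at it)
    reason: str
    line: str


# Profile folders that are writable by a normal user and that malware often
# drops into. Assumption: illustrative list, not exhaustive; legitimate
# software sometimes lives here too, so a hit means "check", not "remove".
USER_WRITABLE_MARKERS = (
    "\\local settings\\application data\\",
    "\\application data\\",
    "\\temp\\",
)

# O4 - <hive\..\Run>: [<name>] <command line>
O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def executable_of(cmd: str) -> str:
    """Return the program part of a Run-key command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end != -1 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage_line(line: str) -> Optional[Finding]:
    """Classify one HijackThis line; None means nothing worth noting."""
    line = line.rstrip()
    if line.startswith("O2 - BHO:") and line.endswith("(no file)"):
        return Finding("O2", "info", "orphaned BHO (DLL no longer on disk)", line)
    if line.startswith("O23 - Service:") and line.endswith("(file missing)"):
        return Finding("O23", "info", "service points at a binary that is not on disk", line)
    m = O4_RE.match(line)
    if m:
        exe = executable_of(m.group("cmd"))
        low = exe.lower()
        if any(marker in low for marker in USER_WRITABLE_MARKERS):
            return Finding("O4", "review", "autostart runs from a user-writable profile folder", line)
        if "\\" not in exe:
            # No directory given: Windows resolves the name via PATH search.
            return Finding("O4", "info", "autostart uses an unqualified file name", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over every line of a HijackThis log."""
    return [f for f in (triage_line(raw) for raw in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}")
        print(f"         {f.line}")
```

Run it as-is to see the four flagged sample lines, or replace SAMPLE_LOG with the contents of a saved hijackthis.log. The script deliberately does not decide anything for you: the O4 entries it marks "info" in the sample (a bare stsystra.exe) are normal vendor entries, while the "review" hit is the kind of path the MBAM log above associated with the Firefox safe-mode hijack.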

#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 10 October 2011 - 06:48 AM

Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded startup entries:

This part of the fix is purely optional
These are programs that start up when you turn on your computer but don't need to. You can start any of them when you need them by clicking their icons (or from the Control Panel). By stopping these programs you will boot up faster and your computer will work faster.

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    • O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
      O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
      O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
      O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
      O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
      O4 - HKLM\..\Run: [Dell QuickSet] C:\PROGRAM FILES\DELL\QUICKSET\QUICKSET.EXE
      O4 - HKLM\..\Run: [CTSVolFE.exe] "C:\Program Files\Creative\Mixer\CTSVolFE.exe" /r
      O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Fichiers communs\InstallShield\UpdateService\issch.exe" -start
      O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
      O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
      O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\FICHIE~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
      O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
      O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe
      O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Fichiers communs\Adobe\ARM\1.0\AdobeARM.exe"
      O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    NOTE** You can research each of those lines >here< and see if you want to keep them or not.
    Just copy the name between the brackets and paste it into the search space, e.g. for
    O4 - HKLM\..\Run: [IntelliPoint]



If you have any problems running HijackThis, sometimes we have to run it like this:

To run HijackThis as an administrator, right-click HijackThis.exe (located at C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe) and select Run as administrator.


Eset Online Scanner

**Note** You will need to use Internet Explorer for this scan. On Vista and Win 7, right-click on the IE shortcut and run as admin.

Go to the Eset web page to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the activex control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
    Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Click on copy to clipboard and paste the results here in this topic
  • You may also find it here: C:\Program Files\Eset\Eset Online Scanner\log.txt
Copy and paste that log as a reply to this topic.

Gringo



