
Trojan.Dropper


Post by Joebanane » May 18th, 2010, 1:43 pm

Hello,

My husband's computer got infected when he downloaded what he thought was a subtitle file. The infection was massive and prevented the computer from even booting normally. I ran a first course of Malwarebytes in safe mode, which fixed the booting problem; then I updated Malwarebytes and ran it again, and downloaded SUPERAntiSpyware and ran that. SUPERAntiSpyware detects a Trojan.Dropper SVChost-Fake and deletes it, but it always comes back.

At first IE and Opera didn't connect to the internet at all (although Firefox did), because the malware had checked the box "Use a proxy server". I unchecked the box and all internet connections are back.

Remaining symptoms include pop-up windows in IE (even though we never use IE), problems with the sound level when watching a video in the Opera browser and, MOST IMPORTANTLY, inability to connect to Windows Update whichever browser we use.

Here is the HijackThis log as requested:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 13:14:56, on 2010-05-18
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\System Volume Information\_restore{d5fffa500b1b}\svchost.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\System Volume Information\_restore{d5fffa500b1b}\smss.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.fr/spbasic.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://fr.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.infoclick.ca
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.ca/ie
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer fourni par INFO CLICK®
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Programme d'aide de l'Assistant de connexion Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.infoclick.ca
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: Pré-chargeur Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Démon de cache des catégories de composant - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Service d'administration du Gestionnaire de disque logique (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Journal des événements (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Service COM de gravage de CD IMAPI (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Plug-and-Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Gestionnaire de session d'aide sur le Bureau à distance (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Carte à puce (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Journaux et alertes de performance (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Cliché instantané de volume (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Carte de performance WMI (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe
O23 - Service: Service Partage réseau du Lecteur Windows Media (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe

--
End of file - 7323 bytes

And the uninstall list:

3DMark05
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Apple Software Update
Arena 1.1
Assistant de connexion Windows Live
AVG Free 9.0
CCleaner
Combined Community Codec Pack 2008-09-21 16:18
Defraggler
DVD Suite
Eusing Free Registry Cleaner
Foxit Creator
Foxit PDF Editor
Foxit Phantom
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Installation Windows Live
Installation Windows Live
Intel(R) Graphics Media Accelerator Driver
Java(TM) 6 Update 13
Lecteur Windows Media 11
Lexmark Z600 Series
Malwarebytes' Anti-Malware
Media Key Uninstaller
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional with FrontPage
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Mise à jour de sécurité pour Windows XP (KB923789)
Mozilla Firefox (3.5.9)
MSVCRT
Nero 7 Lite 7.9.6.0
OpenOffice.org 2.0
Opera 9.63
Outil de téléchargement Windows Live
PDFCreator
PowerDVD
PowerProducer
QuickTime
RealPlayer
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
RealUpgrade 1.0
Revo Uninstaller 1.88
Segoe UI
SUPERAntiSpyware Free Edition
System Requirements Lab for Intel
TUGZip 3.4
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
VC 9.0 Runtime
VC 9.0 Runtime
Veoh Web Player Beta
VLC media player 0.9.8a
WinDjView 1.0.1
Windows Live Call
Windows Live Communications Platform
Windows Live Messenger
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
WinRAR archiver

Thanks for your time in helping me out with this,

Joanne
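
An added example, not part of the original thread and not code from the HijackThis project: a small Python triager for the log format posted above. It flags the two things a helper looks at first in this log, core Windows binary names (smss.exe, svchost.exe) running from somewhere other than System32, and a WinINet ProxyServer value pointing at the loopback address, which is the leftover of the "Use a proxy server" setting the poster found switched on; it also lists orphaned O2/O20 entries as low-severity clutter. The sample log is constructed from a handful of the posted lines; the severity labels and the set of "core" binaries are this example's own assumptions.

```python
import re

# Constructed sample in the HijackThis v2 log format, modelled on the log
# posted above (most lines dropped to keep it short).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\System Volume Information\_restore{d5fffa500b1b}\svchost.exe
C:\WINDOWS\system32\services.exe
C:\System Volume Information\_restore{d5fffa500b1b}\smss.exe
C:\Program Files\AVG\AVG9\avgtray.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://fr.msn.com/
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
"""

# Assumption for this example: core Windows binaries whose names are commonly
# borrowed by malware; on XP the genuine ones run only from %SystemRoot%\system32.
CORE_SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe",
                        "services.exe", "lsass.exe", "svchost.exe"}
EXPECTED_SYSTEM_DIRS = {r"c:\windows\system32"}

PROCESS_PATH_RE = re.compile(r"^[a-z]:\\.+\.exe$", re.IGNORECASE)
PROXY_RE = re.compile(r"^R1 - .*Internet Settings,ProxyServer = (?P<value>.+)$")
ORPHAN_RE = re.compile(r"^(?:O2|O20) - .*\((?:no file|file missing)\)\s*$")


def parse_proxy_value(value):
    """Parse a WinINet ProxyServer value into {scheme: "host:port"}.

    Accepts both the plain "host:port" form (returned under the key "*")
    and the per-protocol "http=host:port;https=host:port" form.
    """
    proxies = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, sep, hostport = part.partition("=")
        if not sep:
            scheme, hostport = "*", scheme
        proxies[scheme.strip().lower()] = hostport.strip()
    return proxies


def is_loopback(hostport):
    """True when the proxy host is the local machine (127.x, ::1, localhost)."""
    host = hostport.rsplit(":", 1)[0].strip("[]").lower()
    return host == "localhost" or host == "::1" or host.startswith("127.")


def triage_hijackthis(log_text):
    """Return (severity, finding, detail) tuples for a HijackThis log."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False        # a blank line ends the process list
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        if in_processes and PROCESS_PATH_RE.match(line):
            directory, _, name = line.rpartition("\\")
            if (name.lower() in CORE_SYSTEM_BINARIES
                    and directory.lower() not in EXPECTED_SYSTEM_DIRS):
                findings.append(("HIGH", "core-binary-unexpected-path", line))
            continue
        m = PROXY_RE.match(line)
        if m:
            for scheme, hostport in parse_proxy_value(m.group("value")).items():
                if is_loopback(hostport):
                    findings.append(("HIGH", "local-proxy-override",
                                     f"{scheme}={hostport}"))
                else:
                    findings.append(("INFO", "proxy-configured",
                                     f"{scheme}={hostport}"))
            continue
        if ORPHAN_RE.match(line):
            findings.append(("LOW", "orphaned-entry", line))
    return findings


if __name__ == "__main__":
    for severity, finding, detail in triage_hijackthis(SAMPLE_LOG):
        print(f"[{severity}] {finding}: {detail}")
```

Run against the full posted log, the two System Volume Information entries and the R1 proxy line are the only HIGH findings; everything else in it is AVG, Java, Intel and Windows components.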

Re: Trojan.Dropper

Post by Airscape » May 18th, 2010, 3:06 pm

Hello Joanne... welcome to the forum.
My name is Airscape and I'll be helping you with your malware issues.
HijackThis logs can take time to analyze. Please be patient with me.

Take note of the following before we begin:
  • Post to this thread only and please stick to it until you are given an All Clean. Absence of symptoms does not mean that your computer is clean.
  • The instructions I give are for this computer only and should not be used on any other PC.
  • Do NOT run any tools/scans unless I instruct you to.
  • Try not to install/uninstall any programs while we work. This will add extra time researching your logs.
  • If you have found assistance elsewhere and no longer require our help, please say so, and this topic will be closed.
  • If you have any problems, please stop and ask before proceeding with any fixes.
  • ALL USERS OF THIS FORUM MUST READ THIS FIRST

Note: As I'm in training here at MRU, everything I post must be checked by an expert first. So there may be a slight delay in between posts.

No reply within 3 days will result in your topic being closed. If you need more time, please let me know.
Last edited by Airscape on May 18th, 2010, 8:35 pm, edited 1 time in total.

Re: Trojan.Dropper

Post by Airscape » May 18th, 2010, 8:29 pm

TFC(Temp File Cleaner)
  • Please download TFC to your desktop.
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • Click the Start button in the bottom left of TFC.
  • If prompted, click "Yes" to reboot.

Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted.
It should not take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

-----------------------------------

As you have Malwarebytes installed please do a scan and post the log:

Run Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware and click the Update tab >>> then Check for Updates.
  • If an update is found, it will download and install the latest version.
  • Back at the Scanner tab, select Perform Quick Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad and you may be prompted to restart to finish cleaning.... see Note below.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process. If asked to restart your computer, please do so immediately.
Failure to reboot will prevent MBAM from removing all the malware.

-----------------------------------

Random's System Information Tool (RSIT)
  • Please download RSIT by random/random from here and save it to your desktop.
  • Double-click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open.
  • Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

Note: both logs can be found in the C:\rsit folder if you lose them.

-----------------------------------

Disable AVG9
  • Open AVG User Interface.
  • Double-click on the Resident Shield.
  • Un-tick the option Resident Shield active.
  • Save the changes.

Note: Don't forget to re-enable it after the fix.

-----------------------------------

Gmer
Download GMER Rootkit Scanner from here & save it to your desktop.
  • Double-click the .exe file. If asked to allow the gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run a scan... click on NO

  • In the right panel, you will see several boxes that have been checked. UNCHECK the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish
  • Once done, click the [Save..] button and, in the File name area, type in "Gmer.txt", or it will save as a .log file
  • Save it where you can easily find it, such as your desktop, and post it in reply
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

Do not run any programs while Gmer is running.

-----------------------------------

Re-enable the AVG resident shield after the above is done.

Logs/information to post in next reply:
  • MBAM log
  • RSIT logs (log.txt and info.txt)
  • Gmer.txt
  • How is the pc running?

Re: Trojan.Dropper

Post by Joebanane » May 19th, 2010, 4:31 pm

Finally I'm back. The PC is still the same with no improvement, and I still can't access the Microsoft Update website. GMER took forever to run and I had to start over a couple of times because it hung.

So here are the logs requested:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Version de la base de données: 4116

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

2010-05-19 06:55:33
mbam-log-2010-05-19 (06-55-33).txt

Type d'examen: Examen rapide
Elément(s) analysé(s): 122586
Temps écoulé: 6 minute(s), 43 seconde(s)

Processus mémoire infecté(s): 0
Module(s) mémoire infecté(s): 0
Clé(s) du Registre infectée(s): 0
Valeur(s) du Registre infectée(s): 0
Elément(s) de données du Registre infecté(s): 0
Dossier(s) infecté(s): 0
Fichier(s) infecté(s): 0

Processus mémoire infecté(s):
(Aucun élément nuisible détecté)

Module(s) mémoire infecté(s):
(Aucun élément nuisible détecté)

Clé(s) du Registre infectée(s):
(Aucun élément nuisible détecté)

Valeur(s) du Registre infectée(s):
(Aucun élément nuisible détecté)

Elément(s) de données du Registre infecté(s):
(Aucun élément nuisible détecté)

Dossier(s) infecté(s):
(Aucun élément nuisible détecté)

Fichier(s) infecté(s):
(Aucun élément nuisible détecté)

_________________________________

RSIT logs:

Logfile of random's system information tool 1.07 (written by random/random)
Run by Denis at 2010-05-19 06:58:20
Microsoft Windows XP Édition familiale Service Pack 3
System drive C: has 65 GB (43%) free of 153 GB
Total RAM: 2036 MB (67% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 06:58:24, on 2010-05-19
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\System Volume Information\_restore{d5fffa500b1b}\svchost.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\System Volume Information\_restore{d5fffa500b1b}\smss.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Denis\Bureau\RSIT.exe
C:\Program Files\trend micro\Denis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.fr/spbasic.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://fr.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.infoclick.ca
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.ca/ie
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer fourni par INFO CLICK®
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Programme d'aide de l'Assistant de connexion Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.infoclick.ca
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: Pré-chargeur Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Démon de cache des catégories de composant - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Service d'administration du Gestionnaire de disque logique (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Journal des événements (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Service COM de gravage de CD IMAPI (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Plug-and-Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Gestionnaire de session d'aide sur le Bureau à distance (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Carte à puce (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Journaux et alertes de performance (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Cliché instantané de volume (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Carte de performance WMI (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe
O23 - Service: Service Partage réseau du Lecteur Windows Media (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe

--
End of file - 7323 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-2171255754-1408336027-2481167137-1005.job
C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-2171255754-1408336027-2481167137-1005.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG9\avgssie.dll [2010-04-20 1615200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Programme d'aide de l'Assistant de connexion Windows Live - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-01-22 408448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
AVG Security Toolbar BHO - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll [2009-11-25 1230080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-05-17 35840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-05-17 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - Veoh Web Player Video Finder - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll [2008-11-03 463872]
{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - AVG Security Toolbar - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll [2009-11-25 1230080]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG9_TRAY"=C:\PROGRA~1\AVG\AVG9\avgtray.exe [2010-04-20 2064736]
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe [2010-01-13 134656]
"Persistence"=C:\WINDOWS\system32\igfxpers.exe [2010-01-13 135680]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2009-10-16 18782720]
"TkBellExe"=C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe [2010-05-14 202256]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2008-09-06 413696]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe [2008-05-12 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gotnewupdate000.exe]
C:\Documents and Settings\Denis\Application Data\E0BC07F01DB3F5532C5EA7D79F2D0521\gotnewupdate000.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe [2010-01-13 166912]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\system32\igfxtray.exe [2010-01-13 134656]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
C:\Program Files\CyberLink\PowerDVD\Language\Language.exe [2006-12-05 54832]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\M5T8QL3YW3]
C:\DOCUME~1\Denis\LOCALS~1\Temp\Vj1.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
C:\WINDOWS\system32\igfxpers.exe [2010-01-13 135680]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\QTTask.exe [2008-09-06 413696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2006-11-23 56928]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre6\bin\jusched.exe [2009-05-17 148888]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2010-05-06 2017280]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\symubodd]
C:\Documents and Settings\Denis\Local Settings\Application Data\ghqmlhbjp\ouruqybtssd.exe [2010-05-16 300800]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe [2010-05-14 202256]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Versato]
C:\Program Files\Media Key\Versato.exe [2002-12-25 733184]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^Microsoft Office.lnk]
C:\PROGRA~1\MICROS~2\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Denis^Menu Démarrer^Programmes^Démarrage^Antimalware Doctor.lnk]
C:\DOCUME~1\Denis\APPLIC~1\E0BC07~1\GOTNEW~1.EXE []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2009-09-03 548352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]
C:\WINDOWS\SYSTEM32\avgrsstx.dll [2010-03-16 12464]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\SYSTEM32\igfxdev.dll [2010-01-13 205824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\vsmon]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"NoStartMenuMFUprogramsList"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"="C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe:*:Enabled:Veoh Web Player "
"C:\Program Files\AVG\AVG8\avgemc.exe"="C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe"
"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
"C:\Program Files\AVG\AVG8\avgnsx.exe"="C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Mozilla Firefox\firefox.exe"="C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox"
"C:\Program Files\Real\RealPlayer\realplay.exe"="C:\Program Files\Real\RealPlayer\realplay.exe:*:Enabled:RealPlayer"
"C:\Program Files\Opera\opera.exe"="C:\Program Files\Opera\opera.exe:*:Enabled:Opera Internet Browser"
"C:\Program Files\AVG\AVG9\avgemc.exe"="C:\Program Files\AVG\AVG9\avgemc.exe:*:Enabled:avgemc.exe"
"C:\Program Files\AVG\AVG9\avgupd.exe"="C:\Program Files\AVG\AVG9\avgupd.exe:*:Enabled:avgupd.exe"
"C:\Program Files\AVG\AVG9\avgnsx.exe"="C:\Program Files\AVG\AVG9\avgnsx.exe:*:Enabled:avgnsx.exe"
"C:\Program Files\Java\jre6\bin\java.exe"="C:\Program Files\Java\jre6\bin\java.exe:*:Enabled:Java(TM) Platform SE binary"
"C:\WINDOWS\system32\spoolsv.exe"="C:\WINDOWS\system32\spoolsv.exe:*:Enabled:spoolsv.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"

======List of files/folders created in the last 1 months======

2010-05-19 06:58:20 ----D---- C:\rsit
2010-05-17 12:44:13 ----D---- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2010-05-17 12:44:01 ----D---- C:\Program Files\SUPERAntiSpyware
2010-05-17 12:44:01 ----D---- C:\Documents and Settings\Denis\Application Data\SUPERAntiSpyware.com
2010-05-17 12:43:30 ----D---- C:\Program Files\Fichiers communs\Wise Installation Wizard
2010-05-17 12:38:26 ----D---- C:\Program Files\Trend Micro
2010-05-16 23:47:46 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-05-16 21:08:47 ----D---- C:\Documents and Settings\Denis\Application Data\ATManager
2010-05-16 21:08:37 ----D---- C:\Documents and Settings\Denis\Application Data\E0BC07F01DB3F5532C5EA7D79F2D0521
2010-05-14 18:37:19 ----A---- C:\WINDOWS\system32\rmoc3260.dll
2010-05-14 18:37:15 ----A---- C:\WINDOWS\system32\pndx5032.dll
2010-05-14 18:37:15 ----A---- C:\WINDOWS\system32\pndx5016.dll
2010-05-14 18:37:09 ----D---- C:\Program Files\Fichiers communs\xing shared
2010-05-14 18:36:49 ----A---- C:\WINDOWS\system32\pncrt.dll
2010-05-14 18:36:48 ----D---- C:\Program Files\real
2010-05-09 17:42:35 ----D---- C:\Documents and Settings\All Users\Application Data\Real
2010-04-24 17:43:47 ----A---- C:\mbam-error.txt
2010-04-24 17:22:12 ----D---- C:\Program Files\Defraggler

======List of files/folders modified in the last 1 months======

2010-05-19 06:56:29 ----D---- C:\WINDOWS\Temp
2010-05-19 06:47:03 ----SD---- C:\Temp
2010-05-19 06:46:49 ----D---- C:\Program Files\Mozilla Firefox
2010-05-18 13:12:08 ----SHD---- C:\WINDOWS\Installer
2010-05-18 13:12:08 ----SD---- C:\Documents and Settings\Denis\Application Data\Microsoft
2010-05-18 13:02:09 ----RASH---- C:\boot.ini
2010-05-18 13:02:09 ----A---- C:\WINDOWS\win.ini
2010-05-18 13:02:09 ----A---- C:\WINDOWS\system.ini
2010-05-18 12:46:46 ----D---- C:\WINDOWS\system32\CatRoot2
2010-05-18 12:16:51 ----RD---- C:\Program Files
2010-05-17 22:33:35 ----D---- C:\WINDOWS
2010-05-17 19:58:04 ----D---- C:\WINDOWS\Prefetch
2010-05-17 16:56:48 ----D---- C:\WINDOWS\system32\drivers
2010-05-17 16:56:48 ----D---- C:\WINDOWS\Connection Wizard
2010-05-17 16:55:20 ----SD---- C:\WINDOWS\Tasks
2010-05-17 16:50:43 ----D---- C:\Program Files\Internet Explorer
2010-05-17 15:15:54 ----SHD---- C:\System Volume Information
2010-05-17 15:15:54 ----D---- C:\WINDOWS\system32\Restore
2010-05-17 13:32:05 ----SD---- C:\WINDOWS\Downloaded Program Files
2010-05-17 13:22:34 ----D---- C:\WINDOWS\system32
2010-05-17 12:43:30 ----D---- C:\Program Files\Fichiers communs
2010-05-17 00:39:44 ----D---- C:\WINDOWS\system32\LogFiles
2010-05-17 00:38:49 ----D---- C:\WINDOWS\addins
2010-05-16 23:52:27 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2010-05-16 23:47:21 ----RD---- C:\WINDOWS\Web
2010-05-16 21:25:25 ----D---- C:\WINDOWS\Debug
2010-05-16 16:10:13 ----D---- C:\Documents and Settings\Denis\Application Data\dvdcss
2010-05-16 15:43:02 ----D---- C:\MyWorks
2010-05-16 15:42:49 ----D---- C:\Documents and Settings\Denis\Application Data\CyberLink
2010-05-16 15:42:45 ----D---- C:\Documents and Settings\All Users\Application Data\CyberLink
2010-05-14 20:15:30 ----D---- C:\Documents and Settings\Denis\Application Data\Real
2010-05-14 18:38:20 ----A---- C:\WINDOWS\cdplayer.ini
2010-05-14 18:37:22 ----D---- C:\Program Files\Fichiers communs\Real
2010-05-14 18:36:49 ----A---- C:\WINDOWS\system32\msvcr71.dll
2010-05-14 18:36:49 ----A---- C:\WINDOWS\system32\msvcp71.dll
2010-05-11 19:38:43 ----HD---- C:\WINDOWS\inf
2010-05-11 19:38:41 ----RSHDC---- C:\WINDOWS\system32\dllcache
2010-05-11 19:38:41 ----D---- C:\Program Files\Outlook Express
2010-05-11 19:01:32 ----HD---- C:\WINDOWS\$hf_mig$
2010-04-30 14:51:06 ----A---- C:\WINDOWS\system32\MRT.exe
2010-04-24 17:38:01 ----D---- C:\WINDOWS\Minidump
2010-04-24 17:23:35 ----D---- C:\Program Files\CCleaner

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2010-03-16 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2010-03-16 29512]
R1 AvgTdiX;AVG Free8 Network Redirector; C:\WINDOWS\System32\Drivers\avgtdix.sys [2010-04-20 242896]
R1 intelppm;Pilote de processeur Intel; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-05-12 40576]
R1 kbdhid;Pilote HID de clavier; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14720]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS []
R2 HidUsb;USB Keyboard HID Device; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 HDAudBus;Pilote de bus Microsoft UAA pour High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-05-12 144384]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\igxpmp32.sys [2010-01-13 1730272]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2009-10-21 5934592]
R3 mouhid;Pilote HID de souris; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-23 12288]
R3 RTLE8023xp;Realtek 10/100/1000 PCI-E NIC Family NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys [2010-01-21 202064]
R3 usbccgp;Pilote parent générique USB Microsoft; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbehci;Pilote miniport de contrôleur d'hôte amélioré Microsoft USB 2.0; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;Concentrateur USB2; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 USBSTOR;Pilote de stockage de masse USB; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 usbuhci;Pilote miniport de contrôleur hôte universel USB Microsoft; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-05-12 20608]
S3 Ambfilt;Ambfilt; C:\WINDOWS\system32\drivers\Ambfilt.sys [2008-08-05 1684736]
S3 cpudrv;cpudrv; \??\C:\Program Files\SystemRequirementsLab\cpudrv.sys []
S3 ENTECH;ENTECH; \??\C:\WINDOWS\system32\DRIVERS\ENTECH.sys []
S3 Monfilt;Monfilt; C:\WINDOWS\system32\drivers\Monfilt.sys [2006-01-04 1389056]
S3 usbprint;Classe d'imprimantes USB Microsoft; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 avg9emc;AVG Free E-mail Scanner; C:\Program Files\AVG\AVG9\avgemc.exe [2010-03-16 916760]
R2 avg9wd;AVG Free WatchDog; C:\Program Files\AVG\AVG9\avgwdsvc.exe [2010-03-16 308064]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-05-17 152984]
R2 LexBceS;LexBce Server; C:\WINDOWS\system32\LEXBCES.EXE [2003-02-25 303104]
R2 RichVideo;Cyberlink RichVideo Service(CRVS); C:\Program Files\CyberLink\Shared Files\RichVideo.exe [2008-05-12 167936]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 idsvc;Windows CardSpace; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 WMPNetworkSvc;Service Partage réseau du Lecteur Windows Media; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-11-03 918016]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-05-12 14336]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------

info.txt logfile of random's system information tool 1.06 2010-05-19 06:58:25

======Uninstall list======

-->RunDll32 C:\PROGRA~1\FICHIE~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{107254A0-0ADF-11D4-9397-00D0B7020B38}\setup.exe"
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
3DMark05-->RunDll32 C:\PROGRA~1\FICHIE~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2DF7B278-D3B6-40A4-B25C-0E7149F439EA}\Setup.exe" -l0x9
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
Arena 1.1-->"C:\Program Files\Arena\unins000.exe"
Assistant de connexion Windows Live-->MsiExec.exe /I{DCE8CD14-FBF5-4464-B9A4-E18E473546C7}
AVG Free 9.0-->C:\Program Files\AVG\AVG9\setup.exe /UNINSTALL
CCleaner-->"C:\Program Files\CCleaner\uninst.exe"
Combined Community Codec Pack 2008-09-21 16:18-->"C:\Program Files\Combined Community Codec Pack\unins000.exe"
Defraggler-->"C:\Program Files\Defraggler\uninst.exe"
DVD Suite-->RunDll32 C:\PROGRA~1\FICHIE~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}\setup.exe" -uninstall
Eusing Free Registry Cleaner-->C:\PROGRA~1\EUSING~1\UNWISE.EXE C:\PROGRA~1\EUSING~1\INSTALL.LOG
Foxit Creator-->C:\Program Files\Foxit Software\PDF Creator\uninstall.exe
Foxit PDF Editor-->C:\Program Files\Foxit Software\PDF Editor\uninstall.exe
Foxit Phantom-->C:\Program Files\Foxit Software\Foxit Phantom\Uninstall.exe
HiJackThis-->MsiExec.exe /X{45A66726-69BC-466B-A7A4-12FCBA4883D7}
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Installation Windows Live-->C:\Program Files\Windows Live\Installer\wlarp.exe
Installation Windows Live-->MsiExec.exe /I{46ABBC54-1872-4AA3-95E2-F2C063A63F31}
Intel(R) Graphics Media Accelerator Driver-->C:\WINDOWS\system32\igxpun.exe -uninstall
Java(TM) 6 Update 13-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216013FF}
Lecteur Windows Media 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Lexmark Z600 Series-->C:\WINDOWS\system32\spool\drivers\w32x86\3\LXBCUN5C.EXE -dLexmark Z600 Series
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Media Key Uninstaller-->MKUninst.exe C:\Program Files\Media Key
Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}
Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Choice Guard-->MsiExec.exe /X{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office XP Professional with FrontPage-->MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft Silverlight-->MsiExec.exe /X{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053-->MsiExec.exe /X{770657D0-A123-3C07-8E44-1C83EC895118}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{837b34e3-7c30-493c-8f6a-2b0f04e2912c}
Mise à jour de sécurité pour Windows XP (KB923789)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
Mozilla Firefox (3.5.9)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSVCRT-->MsiExec.exe /I{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}
Nero 7 Lite 7.9.6.0-->"C:\Program Files\Nero\unins000.exe"
OpenOffice.org 2.0-->MsiExec.exe /I{E2055AB2-D1C7-4147-A384-2B4B1C04282B}
Opera 9.63-->MsiExec.exe /X{2C0CD17D-0B06-4700-83FA-7344B868B0A2}
Outil de téléchargement Windows Live-->MsiExec.exe /I{205C6BDD-7B73-42DE-8505-9A093F35A238}
PDFCreator-->C:\Program Files\PDFCreator\unins000.exe
PowerDVD-->RunDll32 C:\PROGRA~1\FICHIE~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
PowerProducer-->RunDll32 C:\PROGRA~1\FICHIE~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B7A0CE06-068E-11D6-97FD-0050BACBF861}\setup.exe" -uninstall
QuickTime-->MsiExec.exe /I{8DC42D05-680B-41B0-8878-6C14D24602DB}
RealPlayer-->C:\Program Files\Fichiers communs\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|12.0
REALTEK GbE & FE Ethernet PCI-E NIC Driver-->C:\Program Files\InstallShield Installation Information\{C9BED750-1211-4480-B1A5-718A3BE15525}\setup.exe -runfromtemp -removeonly
Realtek High Definition Audio Driver-->RunDll32 C:\PROGRA~1\FICHIE~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0xc0c -removeonly
RealUpgrade 1.0-->MsiExec.exe /I{F4F4F84E-804F-4E9A-84D7-C34283F0088F}
Revo Uninstaller 1.88-->C:\Program Files\VS Revo Group\Revo Uninstaller\uninst.exe
Segoe UI-->MsiExec.exe /I{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}
SUPERAntiSpyware Free Edition-->MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
System Requirements Lab for Intel-->MsiExec.exe /I{F7FC9307-374E-4017-8E9D-DE1154780480}
TUGZip 3.4-->"C:\Program Files\TUGZip\unins000.exe"
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""
VC 9.0 Runtime-->MsiExec.exe /I{02E89EFC-7B07-4D5A-AA03-9EC0902914EE}
VC 9.0 Runtime-->MsiExec.exe /I{A040AC77-C1AA-4CC9-8931-9F648AF178F6}
Veoh Web Player Beta-->"C:\Program Files\Veoh Networks\VeohWebPlayer\uninst.exe"
VLC media player 0.9.8a-->C:\Program Files\VideoLAN\VLC\uninstall.exe
WinDjView 1.0.1-->C:\Program Files\WinDjView\uninstall.exe
Windows Live Call-->MsiExec.exe /I{82C7B308-0BDD-49D8-8EA5-9CD3A3F9DF41}
Windows Live Communications Platform-->MsiExec.exe /I{3B4E636E-9D65-4D67-BA61-189800823F52}
Windows Live Messenger-->MsiExec.exe /X{770F1BEC-2871-4E70-B837-FB8525FFA3B1}
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe

======Security center information======

AV: AVG Anti-Virus Free

======System event log======

Computer Name: DENYS
Event Code: 4226
Message: TCP/IP a atteint la limite de sécurité imposée sur le nombre de tentatives de connexion TCP simultanées.

Record Number: 26687
Source Name: Tcpip
Time Written: 20100414233452.000000-240
Event Type: warning
User:

Computer Name: DENYS
Event Code: 1002
Message: Le bail de l'adresse IP 192.168.2.11 pour la carte réseau dont l'adresse réseau est 001CC066A278
a été refusé par le serveur DHCP 192.168.2.1 (celui-ci a envoyé un message DHCPNACK).

Record Number: 26666
Source Name: Dhcp
Time Written: 20100414191742.000000-240
Event Type: error
User:

Computer Name: DENYS
Event Code: 4226
Message: TCP/IP a atteint la limite de sécurité imposée sur le nombre de tentatives de connexion TCP simultanées.

Record Number: 26510
Source Name: Tcpip
Time Written: 20100409003036.000000-240
Event Type: warning
User:

Computer Name: DENYS
Event Code: 1003
Message: Votre ordinateur n'a pas pu renouveler son adresse à partir du réseau (à partir
du serveur DHCP) pour la carte réseau dont l'adresse réseau est 001CC066A278. Il s'est
produit l'erreur suivante :
L'opération a été annulée par l'utilisateur.
.
Votre ordinateur va continuer à essayer d'obtenir sa propre adresse auprès du
serveur d'adresse réseau (DHCP).

Record Number: 26437
Source Name: Dhcp
Time Written: 20100408190254.000000-240
Event Type: warning
User:

Computer Name: DENYS
Event Code: 4226
Message: TCP/IP a atteint la limite de sécurité imposée sur le nombre de tentatives de connexion TCP simultanées.

Record Number: 26370
Source Name: Tcpip
Time Written: 20100406233117.000000-240
Event Type: warning
User:

=====Application event log=====

Computer Name: DENYS
Event Code: 3011
Message: Le déchargement des chaînes de compteurs de performances pour le service ASP.NET_2.0.50727 (ASP.NET_2.0.50727) a échoué. Le
code d'erreur est le premier DWORD de la section Data.

Record Number: 5320
Source Name: LoadPerf
Time Written: 20091016191350.000000-240
Event Type: error
User:

Computer Name: DENYS
Event Code: 3001
Message: La valeur de la chaîne du nom de compteur de performance n'est pas formatée
correctement dans le Registre. La chaîne erronée est 4622, la valeur d'index erronée
est le premier DWORD de la section Data, et les dernières valeurs d'index valides sont
le second et le troisième DWORD de la section Data.

Record Number: 5319
Source Name: LoadPerf
Time Written: 20091016191350.000000-240
Event Type: error
User:

Computer Name: DENYS
Event Code: 3001
Message: La valeur de la chaîne du nom de compteur de performance n'est pas formatée
correctement dans le Registre. La chaîne erronée est 4622, la valeur d'index erronée
est le premier DWORD de la section Data, et les dernières valeurs d'index valides sont
le second et le troisième DWORD de la section Data.

Record Number: 5318
Source Name: LoadPerf
Time Written: 20091016191350.000000-240
Event Type: error
User:

Computer Name: DENYS
Event Code: 1020
Message: Updates to the IIS metabase were aborted because IIS is either not installed or is disabled on this machine. To configure ASP.NET to run in IIS, please install or enable IIS and re-register ASP.NET using aspnet_regiis.exe /i.

Record Number: 5269
Source Name: ASP.NET 2.0.50727.0
Time Written: 20091013195227.000000-240
Event Type: warning
User:

Computer Name: DENYS
Event Code: 7
Message:
Record Number: 5248
Source Name: WindowsLiveMessenger
Time Written: 20091012184653.000000-240
Event Type: error
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SYSTEMROOT%\SYSTEM32;%SYSTEMROOT%;%SYSTEMROOT%\SYSTEM32\WBEM;C:\Program Files\QuickTime\QTSystem\
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 15 Stepping 13, GenuineIntel
"PROCESSOR_REVISION"=0f0d
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"DEVMGR_SHOW_DETAILS"=1
"DEVMGR_SHOW_NONPRESENT_DEVICES"=1
"KTD"=C:\WINDOWS\DriverPacks
"CLASSPATH"=.;C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip

-----------------EOF-----------------

And finally the GMER.txt (which was so painfully acquired)

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-19 16:12:40
Windows 5.1.2600 Service Pack 3
Running: f8gqz1g1.exe; Driver: C:\Temp\kxtdapob.sys


---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\wuauclt.exe[352] ntdll.dll!NtProtectVirtualMemory 7C91D6EE 5 Bytes JMP 0084000A
.text C:\WINDOWS\system32\wuauclt.exe[352] ntdll.dll!NtWriteVirtualMemory 7C91DFAE 5 Bytes JMP 0085000A
.text C:\WINDOWS\system32\wuauclt.exe[352] ntdll.dll!KiUserExceptionDispatcher 7C91E47C 5 Bytes JMP 003E000C
.text C:\WINDOWS\Explorer.EXE[884] ntdll.dll!NtProtectVirtualMemory 7C91D6EE 5 Bytes JMP 00A2000A
.text C:\WINDOWS\Explorer.EXE[884] ntdll.dll!NtWriteVirtualMemory 7C91DFAE 5 Bytes JMP 00B0000A
.text C:\WINDOWS\Explorer.EXE[884] ntdll.dll!KiUserExceptionDispatcher 7C91E47C 5 Bytes JMP 00A1000C
.text C:\WINDOWS\System32\svchost.exe[1016] ntdll.dll!NtProtectVirtualMemory 7C91D6EE 5 Bytes JMP 007F000A
.text C:\WINDOWS\System32\svchost.exe[1016] ntdll.dll!NtWriteVirtualMemory 7C91DFAE 5 Bytes JMP 0080000A
.text C:\WINDOWS\System32\svchost.exe[1016] ntdll.dll!KiUserExceptionDispatcher 7C91E47C 5 Bytes JMP 007E000C
.text C:\WINDOWS\System32\svchost.exe[1016] ole32.dll!CoCreateInstance 774C057E 5 Bytes JMP 00D7000A

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher@TracesProcessed 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher@TracesSuccessful 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher@LastTraceFailure 0

---- EOF - GMER 1.0.15 ----

:| Good luck
Joebanane
Active Member
 
Posts: 7
Joined: May 18th, 2010, 1:07 pm

Re: Trojan.Dropper

Post by Airscape » May 21st, 2010, 7:53 am

Hi,

Is Windows update still having problems?


Download/Run ComboFix
Download ComboFix from one of these locations (DO NOT download ComboFix from anywhere else but one of the provided links):

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe ---- use Internet Explorer for this link -> right click and select "save target as"


**IMPORTANT !!! Save ComboFix.exe to your Desktop**

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
    A guide to do this can be found here
  • Double click on ComboFix.exe & follow the prompts
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
[screenshot]

  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


Please post the following in your next reply:
C:\ComboFix.txt
Update on how the computer is running
Airscape
Regular Member
 
Posts: 1858
Joined: November 1st, 2008, 11:06 pm

Re: Trojan.Dropper

Post by Joebanane » May 21st, 2010, 11:29 am

Here are the updates on the computer.

After running ComboFix, I can now access Windows Update... Yeah for that.

HOWEVER,

- I still get popup windows in whichever browser I use (IE even asked to become the default browser and it wasn't even running).

ALSO

- The sound keeps going off. I set all my cursors to maximum (Volume - Wave - Synth - CD) and then after a while the "Wave" cursor goes down to zero all by itself and there's no more sound. And this happens whether I'm listening to something using one of the browsers or whether I'm listening to a .avi file or a cd and all the browsers are closed.

ALSO

- After ComboFix, I lost the AVG system tray icon. AVG is still running properly but there is no icon in the system tray. I checked in msconfig because the systray might have been unchecked but there is NO AVG tray at startup in the list. But I suppose it's no big deal, I could uninstall AVG and reinstall it properly if we can clean up the comp of the malware.

Here is the log file of the Combofix:

ComboFix 10-05-20.A2 - Denis 2010-05-21 10:06:59.1.2 - x86
Microsoft Windows XP Édition familiale 5.1.2600.3.1252.2.1036.18.2036.1576 [GMT -4:00]
Lancé depuis: c:\documents and settings\Denis\Bureau\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Denis\Application Data\ATManager
c:\documents and settings\Denis\Application Data\ATManager\languages\English.lng
c:\documents and settings\Denis\Application Data\ATManager\languages\template.lng
c:\documents and settings\Denis\Application Data\ATManager\metafiles\e7e2135bcdfc87179deacdb1cdac8b7a.torrent
c:\documents and settings\Denis\Application Data\ATManager\settings.ini
c:\documents and settings\Denis\Application Data\E0BC07F01DB3F5532C5EA7D79F2D0521
c:\documents and settings\Denis\Application Data\E0BC07F01DB3F5532C5EA7D79F2D0521\enemies-names.txt
c:\documents and settings\Denis\Application Data\E0BC07F01DB3F5532C5EA7D79F2D0521\lsrslt.ini
c:\windows\msv1_0.dll

Une copie infectée de c:\windows\system32\drivers\disk.sys a été trouvée et désinfectée
Copie restaurée à partir de - Kitty had a snack :p
.
((((((((((((((((((((((((((((( Fichiers créés du 2010-04-21 au 2010-05-21 ))))))))))))))))))))))))))))))))))))
.

2010-05-21 14:11 . 2010-05-21 14:11 53248 ----a-w- c:\temp\catchme.dll
2010-05-19 10:58 . 2010-05-19 10:58 -------- d-----w- C:\rsit
2010-05-18 17:12 . 2010-05-18 17:12 388096 ----a-r- c:\documents and settings\Denis\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-05-17 18:24 . 2010-05-17 18:24 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-05-17 16:44 . 2010-05-18 16:27 63488 ----a-w- c:\documents and settings\Denis\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-05-17 16:44 . 2010-05-17 16:44 52224 ----a-w- c:\documents and settings\Denis\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-05-17 16:44 . 2010-05-18 16:27 117760 ----a-w- c:\documents and settings\Denis\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-17 16:44 . 2010-05-17 16:44 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-05-17 16:44 . 2010-05-17 16:44 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-17 16:44 . 2010-05-17 16:44 -------- d-----w- c:\documents and settings\Denis\Application Data\SUPERAntiSpyware.com
2010-05-17 16:43 . 2010-05-17 16:43 -------- d-----w- c:\program files\Fichiers communs\Wise Installation Wizard
2010-05-17 16:38 . 2010-05-19 10:58 -------- d-----w- c:\program files\Trend Micro
2010-05-17 04:13 . 2010-05-17 04:13 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-05-17 01:09 . 2010-05-20 01:03 -------- d-----w- c:\documents and settings\Denis\Local Settings\Application Data\ghqmlhbjp
2010-05-14 22:36 . 2010-05-14 22:37 -------- d-----w- c:\program files\real
2010-05-14 22:34 . 2010-05-14 22:37 -------- d-----w- c:\temp\~rnsetup
2010-04-24 21:22 . 2010-04-24 21:22 -------- d-----w- c:\program files\Defraggler

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-21 13:45 . 2009-12-18 16:51 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-05-17 03:52 . 2008-12-27 16:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-16 20:10 . 2009-04-03 00:21 -------- d-----w- c:\documents and settings\Denis\Application Data\dvdcss
2010-05-16 19:42 . 2009-03-06 01:05 -------- d-----w- c:\documents and settings\Denis\Application Data\CyberLink
2010-05-16 19:42 . 2008-11-22 23:34 -------- d-----w- c:\documents and settings\All Users\Application Data\CyberLink
2010-05-14 22:37 . 2010-05-14 22:37 49152 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-05-14 22:37 . 2010-05-14 22:37 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-05-14 22:37 . 2010-05-14 22:37 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-05-14 22:37 . 2010-05-14 22:37 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-05-14 22:37 . 2010-05-14 22:37 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-05-14 22:37 . 2010-05-14 22:37 40960 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-05-14 22:37 . 2010-05-14 22:37 308808 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-05-14 22:37 . 2010-05-14 22:37 14848 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
2010-05-14 22:37 . 2010-05-14 22:37 341600 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-05-14 22:37 . 2008-11-25 02:56 -------- d-----w- c:\program files\Fichiers communs\Real
2010-05-14 22:37 . 2010-05-14 22:37 -------- d-----w- c:\program files\Fichiers communs\xing shared
2010-05-14 22:36 . 2008-05-12 21:20 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-05-14 22:36 . 2008-05-12 21:20 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-04-29 19:39 . 2008-12-27 16:28 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2008-12-27 16:28 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-24 21:23 . 2009-06-17 14:38 -------- d-----w- c:\program files\CCleaner
2010-04-20 22:45 . 2009-10-14 00:46 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-23 23:41 . 2010-03-23 23:37 -------- d-----w- c:\program files\Realtek
2010-03-23 23:41 . 2008-05-12 21:14 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-23 23:30 . 2010-03-23 23:30 -------- d-----w- c:\program files\SystemRequirementsLab
2010-03-23 23:30 . 2010-03-23 23:30 84480 ----a-w- c:\documents and settings\Denis\Application Data\SystemRequirementsLab\srlproxy_intel_4.1.66.0A.dll
2010-03-23 23:30 . 2010-03-23 23:30 -------- d-----w- c:\documents and settings\Denis\Application Data\SystemRequirementsLab
2010-03-22 03:43 . 2008-05-12 11:05 95632 ----a-w- c:\windows\system32\perfc00C.dat
2010-03-22 03:43 . 2008-05-12 11:05 534606 ----a-w- c:\windows\system32\perfh00C.dat
2010-03-16 23:02 . 2010-03-16 23:02 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-16 23:02 . 2009-10-14 00:46 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-16 23:02 . 2009-10-14 00:46 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-09 11:10 . 2008-05-12 11:05 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 04:48 . 2008-11-22 21:24 20888 ----a-w- c:\documents and settings\Denis\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-26 05:42 . 2008-05-12 11:05 671232 ----a-w- c:\windows\system32\wininet.dll
2010-02-25 20:32 . 2008-05-12 17:04 1002008 ----a-w- c:\windows\system32\igxpun.exe
2010-02-24 13:11 . 2008-05-12 11:05 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
.

((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 18:01 1230080 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-01-13 134656]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-01-13 135680]
"RTHDCPL"="RTHDCPL.EXE" [2009-10-16 18782720]
"TkBellExe"="c:\program files\Fichiers communs\Real\Update_OB\realsched.exe" [2010-05-14 202256]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-05-12 15360]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-16 23:02 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Denis^Menu Démarrer^Programmes^Démarrage^Antimalware Doctor.lnk]
backup=c:\windows\pss\Antimalware Doctor.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2010-01-13 15:46 166912 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2010-01-13 15:46 134656 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
2006-12-06 02:55 54832 ----a-w- c:\program files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2010-01-13 15:46 135680 ----a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-09-06 20:09 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2006-11-23 19:10 56928 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-05-17 11:40 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2010-05-06 21:04 2017280 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-05-14 22:36 202256 ----a-w- c:\program files\Fichiers communs\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Versato]
2002-12-25 13:10 733184 ----a-w- c:\program files\Media Key\Versato.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-10-13 216200]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-10-13 242896]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2010-02-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-06 68168]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [2010-03-16 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-03-16 308064]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-03-23 1684736]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [2009-12-18 11336]
.
Contenu du dossier 'Tâches planifiées'

2009-02-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-05-21 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2171255754-1408336027-2481167137-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

2010-05-15 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2171255754-1408336027-2481167137-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
.
.
------- Examen supplémentaire -------
.
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Denis\Application Data\Mozilla\Firefox\Profiles\khyotjsh.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://www.poodwaddle.com/index.htm
FF - prefs.js: keyword.URL - hxxp://cf.yhs.search.yahoo.com/avg/sear ... -web_cf&p=
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\Opera\program\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- PARAMETRES FIREFOX ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - ORPHELINS SUPPRIMES - - - -

MSConfigStartUp-gotnewupdate000 - c:\documents and settings\Denis\Application Data\E0BC07F01DB3F5532C5EA7D79F2D0521\gotnewupdate000.exe
MSConfigStartUp-M5T8QL3YW3 - c:\docume~1\Denis\LOCALS~1\Temp\Vj1.exe
MSConfigStartUp-symubodd - c:\documents and settings\Denis\Local Settings\Application Data\ghqmlhbjp\ouruqybtssd.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-21 10:11
Windows 5.1.2600 Service Pack 3 NTFS

Recherche de processus cachés ...

Recherche d'éléments en démarrage automatique cachés ...

Recherche de fichiers cachés ...

Scan terminé avec succès
Fichiers cachés: 0

**************************************************************************
.
--------------------- DLLs chargées dans les processus actifs ---------------------

- - - - - - - > 'winlogon.exe'(692)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Heure de fin: 2010-05-21 10:12:27
ComboFix-quarantined-files.txt 2010-05-21 14:12

Avant-CF: 68 972 032 000 octets libres
Après-CF: 69 012 406 272 octets libres

WindowsXP-KB310994-SP2-Home-BootDisk-FRA.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Édition familiale" /noexecute=optin /fastdetect

- - End Of File - - 59DCCDD1472D6EE0F65B790BB702B9A2

Thanks again for your time on this.
Joebanane
Active Member
 
Posts: 7
Joined: May 18th, 2010, 1:07 pm

Re: Trojan.Dropper

Unread postby Airscape » May 22nd, 2010, 10:11 am

The AVG icon should come back after you restart the computer.


Uninstall programs
Click Start > Control Panel > Add/Remove Programs
Right-click on the programs listed below
Click Remove etc...

Eusing Free Registry Cleaner
Java(TM) 6 Update 13


Note: Take extra care in answering questions posed by any Uninstaller. Some questions may be worded to deceive you into keeping the program.

Note on Registry Cleaners:
Most reg cleaners aren't "bad" as such, but they aren't perfect and even the best have been known to cause problems.
The point we are trying to make is that the risk of using one far outweighs any benefit.
If it does work perfectly you will not see any difference.
If it doesn't work properly you may end up with an expensive doorstop.

Please read this link for more information:
http://miekiemoes.blogspot.com/2008/02/ ... ng_13.html

--------------------------------------

Run CFScript
  • Click > Start > Run > type Notepad > click OK
  • Copy/Paste the following text inside the code box into Notepad: (don't include the word code)

    Code:
    KillAll::
    File::
    c:\windows\pss\Antimalware Doctor.lnk
    
    Folder::
    C:\PROGRA~1\EUSING~1
    c:\documents and settings\Denis\Local Settings\Application Data\ghqmlhbjp
    c:\temp\~rnsetup
    
    Registry::
    [-HKLM\~\startupfolder\C:^Documents and Settings^Denis^Menu Démarrer^Programmes^Démarrage^Antimalware Doctor.lnk]
    
    DDS::
    uInternet Settings,ProxyServer = http=127.0.0.1:5555
    uInternet Settings,ProxyOverride = <local>
    

  • Go to File > Save as... and save it as CFScript.txt
  • Now drag the CFScript.txt file into ComboFix.exe as shown in the animation below... This will start ComboFix again.
    Image
  • When finished, it shall produce a log for you at "C:\ComboFix.txt"
  • The tool may require a reboot - this is normal.
  • Please post the log in your next reply.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

--------------------------------------

Your Java is out of date.
  • Older versions have vulnerabilities that malware can use to infect your system.
  • Click Here to download the latest version of Java.
  • Click Windows 7/XP/Vista/2003/2008 offline
  • Save jre-6u20-windows-i586-S.exe to a convenient location.
  • Run this file and follow the on screen instructions to install java.

--------------------------------------

Update Internet Explorer
You are using an outdated version of Internet Explorer; keeping your browser up to date will enhance your web experience.
The newer browsers are faster and more secure than the older ones. Even if you don't use IE still please update it.
  • The IE update is here
  • Save it to a place where you can find it later.
  • Install the new version by running the newly-downloaded file. Please follow the on-screen instructions.

--------------------------------------

Kaspersky online scan
Please go to Kaspersky website and perform an online antivirus scan.
  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
        Spyware, Adware, Dialers, and other potentially dangerous programs
        Archives
        Mail databases

  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply along with the ComboFix log and a fresh HijackThis log.
This online tutorial will help explain how to use the aforementioned online scan.
Airscape
Regular Member
 
Posts: 1858
Joined: November 1st, 2008, 11:06 pm
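As an added example, not code from this thread, from ComboFix or from any of the tools named in it, the following Python script applies the reasoning behind the CFScript above to raw log lines: a proxy pointing at 127.0.0.1 (the `ProxyServer = http=127.0.0.1:5555` entry that explained the broken IE and Opera connections), core Windows process names running from outside the system directory (the `svchost.exe` and `smss.exe` under `System Volume Information\_restore{...}`), and startup entries launching from Temp or from a random-named folder under Local Settings\Application Data. The sample lines are constructed, modelled on entries visible in the logs above; the regular expressions, the trusted-directory list and the finding labels are the example's own assumptions, not anything ComboFix defines.

```python
import re
from dataclasses import dataclass

# Constructed sample lines modelled on the thread's ComboFix log (running
# processes, the "Examen supplémentaire" section and the orphaned MSConfig
# startup entries). They are illustrative, not copied from a live machine.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\svchost.exe
C:\System Volume Information\_restore{d5fffa500b1b}\svchost.exe
C:\System Volume Information\_restore{d5fffa500b1b}\smss.exe
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
MSConfigStartUp-M5T8QL3YW3 - c:\docume~1\Denis\LOCALS~1\Temp\Vj1.exe
MSConfigStartUp-symubodd - c:\documents and settings\Denis\Local Settings\Application Data\ghqmlhbjp\ouruqybtssd.exe
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-01-13 134656]
"""

# Core Windows binaries that legitimately live only in the system directory
# (assumed list for this example).
CORE_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                  "lsass.exe", "svchost.exe"}
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# IE proxy setting in DDS/ComboFix notation, e.g. "ProxyServer = http=127.0.0.1:5555"
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?:\w+=)?([\d.]+|localhost):(\d+)", re.I)
# First Windows path ending in .exe on the line (quotes and brackets end it)
EXE_PATH_RE = re.compile(r'[a-z]:\\[^"\[\]]+?\.exe', re.I)
# Orphaned msconfig startup entries as ComboFix prints them
STARTUP_RE = re.compile(r"^MSConfigStartUp-\S+\s+-\s+", re.I)


@dataclass(frozen=True)
class Finding:
    kind: str      # short label for the indicator class
    evidence: str  # the value that triggered it


def is_loopback(host: str) -> bool:
    """True for 127.x.x.x or 'localhost': a proxy on the local host intercepts browser traffic."""
    return host.lower() == "localhost" or host.startswith("127.")


def check_line(line: str) -> list[Finding]:
    """Return the indicators present in one log line (empty list if none)."""
    findings: list[Finding] = []
    line = line.strip()
    if not line:
        return findings

    m = PROXY_RE.search(line)
    if m and is_loopback(m.group(1)):
        findings.append(Finding("loopback-proxy", f"{m.group(1)}:{m.group(2)}"))

    m = EXE_PATH_RE.search(line)
    if not m:
        return findings
    path = m.group(0)
    lower = path.lower()
    directory, _, name = lower.rpartition("\\")

    # A core process name outside the system directory is a look-alike, not Windows' own binary.
    if name in CORE_PROCESSES and not directory.startswith(TRUSTED_DIRS):
        findings.append(Finding("masquerading-process", path))

    # Autostart entries launched from Temp or from a folder directly under
    # Local Settings\Application Data are unusual for legitimate software.
    if STARTUP_RE.match(line):
        if "\\temp\\" in lower:
            findings.append(Finding("startup-from-temp", path))
        elif re.search(r"local settings\\application data\\[^\\]+\\[^\\]+\.exe$", lower):
            findings.append(Finding("startup-from-local-appdata", path))
    return findings


def triage(log_text: str) -> list[Finding]:
    """Run check_line over every line of a log and collect the indicators in order."""
    return [f for line in log_text.splitlines() for f in check_line(line)]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding.kind:28} {finding.evidence}")
```

Each hit maps onto one of the CFScript sections: the loopback proxy onto the `DDS::` block, the folder of the random-named startup entry onto `Folder::`, and the look-alike system processes onto what ComboFix removed from `System Volume Information` on its own. Running the script on a full ComboFix log rather than on the sample text just means reading the file and passing its contents to `triage()`.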

Re: Trojan.Dropper

Unread postby Joebanane » May 22nd, 2010, 3:48 pm

Hello,

Thank you again for your patience and resilience.

I did everything you said in the order that you described.

- Directly after the ComboFix scan using your code, I thought the computer was cured. There were no popups, the sound seemed stable and the "Wave" cursor stayed where I put it (i.e. at the maximum level).

- Then I got Java 6 update 20, and IE 8 and did the online Kaspersky scan and saved the report.

- Then I left the computer on without any programs running and when I came back, about one hour later, there was a popup window asking me if IE was my default browser, and the "Wave" cursor had gone down by itself to the lowest level.

- The AVG systray never came back, but AVG is running as it should.

**** Edited to add: We now get actual AUDIO POPUPS (the sound of either a video file or a music file is replaced by a jingle or an audio commercial of some sort).

Here are the logs and reports requested:

COMBOFIX LOG

ComboFix 10-05-20.A2 - Denis 2010-05-22 10:44:02.2.2 - x86
Microsoft Windows XP Édition familiale 5.1.2600.3.1252.2.1036.18.2036.1560 [GMT -4:00]
Lancé depuis: c:\documents and settings\Denis\Bureau\ComboFix.exe
Commutateurs utilisés :: c:\documents and settings\Denis\Bureau\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\windows\pss\Antimalware Doctor.lnk"
.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Denis\Local Settings\Application Data\ghqmlhbjp
c:\system volume information\_restore{d5fffa500b1b}
c:\system volume information\_restore{d5fffa500b1b}\smss.exe
c:\system volume information\_restore{d5fffa500b1b}\svchost.exe
c:\temp\~rnsetup

.
((((((((((((((((((((((((((((( Fichiers créés du 2010-04-22 au 2010-05-22 ))))))))))))))))))))))))))))))))))))
.

2010-05-22 14:48 . 2010-05-22 14:48 53248 ----a-w- c:\temp\catchme.dll
2010-05-19 10:58 . 2010-05-19 10:58 -------- d-----w- C:\rsit
2010-05-18 17:12 . 2010-05-18 17:12 388096 ----a-r- c:\documents and settings\Denis\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-05-17 18:24 . 2010-05-17 18:24 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-05-17 16:44 . 2010-05-18 16:27 63488 ----a-w- c:\documents and settings\Denis\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-05-17 16:44 . 2010-05-17 16:44 52224 ----a-w- c:\documents and settings\Denis\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-05-17 16:44 . 2010-05-18 16:27 117760 ----a-w- c:\documents and settings\Denis\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-17 16:44 . 2010-05-17 16:44 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-05-17 16:44 . 2010-05-17 16:44 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-17 16:44 . 2010-05-17 16:44 -------- d-----w- c:\documents and settings\Denis\Application Data\SUPERAntiSpyware.com
2010-05-17 16:43 . 2010-05-17 16:43 -------- d-----w- c:\program files\Fichiers communs\Wise Installation Wizard
2010-05-17 16:38 . 2010-05-19 10:58 -------- d-----w- c:\program files\Trend Micro
2010-05-17 04:13 . 2010-05-17 04:13 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-05-14 22:36 . 2010-05-14 22:37 -------- d-----w- c:\program files\real
2010-04-24 21:22 . 2010-04-24 21:22 -------- d-----w- c:\program files\Defraggler

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-22 14:34 . 2008-05-12 21:22 -------- d-----w- c:\program files\Java
2010-05-22 14:28 . 2009-12-18 16:51 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-05-17 03:52 . 2008-12-27 16:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-16 20:10 . 2009-04-03 00:21 -------- d-----w- c:\documents and settings\Denis\Application Data\dvdcss
2010-05-16 19:42 . 2009-03-06 01:05 -------- d-----w- c:\documents and settings\Denis\Application Data\CyberLink
2010-05-16 19:42 . 2008-11-22 23:34 -------- d-----w- c:\documents and settings\All Users\Application Data\CyberLink
2010-05-14 22:37 . 2010-05-14 22:37 49152 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-05-14 22:37 . 2010-05-14 22:37 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-05-14 22:37 . 2010-05-14 22:37 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-05-14 22:37 . 2010-05-14 22:37 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-05-14 22:37 . 2010-05-14 22:37 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-05-14 22:37 . 2010-05-14 22:37 40960 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-05-14 22:37 . 2010-05-14 22:37 308808 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-05-14 22:37 . 2010-05-14 22:37 14848 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
2010-05-14 22:37 . 2010-05-14 22:37 341600 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-05-14 22:37 . 2008-11-25 02:56 -------- d-----w- c:\program files\Fichiers communs\Real
2010-05-14 22:37 . 2010-05-14 22:37 -------- d-----w- c:\program files\Fichiers communs\xing shared
2010-05-14 22:36 . 2008-05-12 21:20 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-05-14 22:36 . 2008-05-12 21:20 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-04-29 19:39 . 2008-12-27 16:28 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2008-12-27 16:28 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-24 21:23 . 2009-06-17 14:38 -------- d-----w- c:\program files\CCleaner
2010-04-20 22:45 . 2009-10-14 00:46 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-23 23:41 . 2010-03-23 23:37 -------- d-----w- c:\program files\Realtek
2010-03-23 23:41 . 2008-05-12 21:14 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-23 23:30 . 2010-03-23 23:30 -------- d-----w- c:\program files\SystemRequirementsLab
2010-03-23 23:30 . 2010-03-23 23:30 84480 ----a-w- c:\documents and settings\Denis\Application Data\SystemRequirementsLab\srlproxy_intel_4.1.66.0A.dll
2010-03-23 23:30 . 2010-03-23 23:30 -------- d-----w- c:\documents and settings\Denis\Application Data\SystemRequirementsLab
2010-03-22 03:43 . 2008-05-12 11:05 95632 ----a-w- c:\windows\system32\perfc00C.dat
2010-03-22 03:43 . 2008-05-12 11:05 534606 ----a-w- c:\windows\system32\perfh00C.dat
2010-03-16 23:02 . 2010-03-16 23:02 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-16 23:02 . 2009-10-14 00:46 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-16 23:02 . 2009-10-14 00:46 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-09 11:10 . 2008-05-12 11:05 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 04:48 . 2008-11-22 21:24 20888 ----a-w- c:\documents and settings\Denis\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-26 05:42 . 2008-05-12 11:05 671232 ----a-w- c:\windows\system32\wininet.dll
2010-02-25 20:32 . 2008-05-12 17:04 1002008 ----a-w- c:\windows\system32\igxpun.exe
2010-02-24 13:11 . 2008-05-12 11:05 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-05-21_14.11.39 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-05-12 21:13 . 2010-05-22 14:43 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-05-12 21:13 . 2010-05-21 14:07 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-05-12 21:13 . 2010-05-22 14:43 196608 c:\windows\system32\config\systemprofile\Local Settings\Historique\History.IE5\index.dat
+ 2008-11-22 21:24 . 2010-05-22 14:34 262144 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
- 2008-11-22 21:24 . 2008-11-12 16:26 262144 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
.
((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 18:01 1230080 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-01-13 134656]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-01-13 135680]
"RTHDCPL"="RTHDCPL.EXE" [2009-10-16 18782720]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-05-12 15360]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-16 23:02 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2010-01-13 15:46 166912 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2010-01-13 15:46 134656 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
2006-12-06 02:55 54832 ----a-w- c:\program files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2010-01-13 15:46 135680 ----a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-09-06 20:09 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2006-11-23 19:10 56928 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2010-05-06 21:04 2017280 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-05-14 22:36 202256 ----a-w- c:\program files\Fichiers communs\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Versato]
2002-12-25 13:10 733184 ----a-w- c:\program files\Media Key\Versato.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-10-13 216200]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-10-13 242896]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2010-02-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-06 68168]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [2010-03-16 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-03-16 308064]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-03-23 1684736]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [2009-12-18 11336]
.
Contenu du dossier 'Tâches planifiées'

2009-02-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-05-22 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2171255754-1408336027-2481167137-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

2010-05-22 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2171255754-1408336027-2481167137-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
.
.
------- Examen supplémentaire -------
.
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Denis\Application Data\Mozilla\Firefox\Profiles\khyotjsh.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://www.poodwaddle.com/index.htm
FF - prefs.js: keyword.URL - hxxp://cf.yhs.search.yahoo.com/avg/sear ... -web_cf&p=
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\Opera\program\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- PARAMETRES FIREFOX ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - ORPHELINS SUPPRIMES - - - -

MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-22 10:48
Windows 5.1.2600 Service Pack 3 NTFS

Recherche de processus cachés ...

Recherche d'éléments en démarrage automatique cachés ...

Recherche de fichiers cachés ...

Scan terminé avec succès
Fichiers cachés: 0

**************************************************************************
.
--------------------- DLLs chargées dans les processus actifs ---------------------

- - - - - - - > 'winlogon.exe'(700)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(2792)
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\eappprxy.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Autres processus actifs ------------------------
.
c:\system volume information\_restore{d5fffa500b1b}\svchost.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\system volume information\_restore{d5fffa500b1b}\smss.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\igfxsrvc.exe
.
**************************************************************************
.
Heure de fin: 2010-05-22 10:51:11 - La machine a redémarré
ComboFix-quarantined-files.txt 2010-05-22 14:51
ComboFix2.txt 2010-05-21 14:12

Avant-CF: 68 963 979 264 octets libres
Après-CF: 68 934 197 248 octets libres

- - End Of File - - C12591610D15B688E104BBBAB16FB8B4


________________________________________________________

KASPERSKY SCAN REPORT:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Saturday, May 22, 2010
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Saturday, May 22, 2010 14:11:31
Records in database: 4162443
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\

Scan statistics:
Objects scanned: 73049
Threats found: 2
Infected objects found: 7
Suspicious objects found: 0
Scan duration: 01:21:18


File name / Threat / Threats count
C:\Qoobox\Quarantine\C\System Volume Information\_restore{d5fffa500b1b}\smss.exe.vir Infected: Trojan-Clicker.Win32.Cycler.ajnt 1
C:\Qoobox\Quarantine\C\System Volume Information\_restore{d5fffa500b1b}\svchost.exe.vir Infected: Trojan-Clicker.Win32.Cycler.ajnt 1
C:\Qoobox\Quarantine\C\System Volume Information\_restore{d5fffa500b1b}\_smss_.exe.zip Infected: Trojan-Clicker.Win32.Cycler.ajnt 1
C:\Qoobox\Quarantine\C\System Volume Information\_restore{d5fffa500b1b}\_svchost_.exe.zip Infected: Trojan-Clicker.Win32.Cycler.ajnt 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\disk.sys.vir Infected: Rootkit.Win32.TDSS.ap 1
C:\System Volume Information\_restore{d5fffa500b1b}\smss.exe Infected: Trojan-Clicker.Win32.Cycler.ajnt 1
C:\System Volume Information\_restore{d5fffa500b1b}\svchost.exe Infected: Trojan-Clicker.Win32.Cycler.ajnt 1

Selected area has been scanned.


________________________________________________________________

FRESH HIJACKTHIS LOG:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 15:14:02, on 2010-05-22
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\System Volume Information\_restore{d5fffa500b1b}\svchost.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\System Volume Information\_restore{d5fffa500b1b}\smss.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://fr.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Programme d'aide de l'Assistant de connexion Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.infoclick.ca
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: Pré-chargeur Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Démon de cache des catégories de composant - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Service d'administration du Gestionnaire de disque logique (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Journal des événements (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Service COM de gravage de CD IMAPI (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Plug-and-Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Gestionnaire de session d'aide sur le Bureau à distance (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Carte à puce (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Journaux et alertes de performance (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Cliché instantané de volume (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Carte de performance WMI (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe
O23 - Service: Service Partage réseau du Lecteur Windows Media (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe

--
End of file - 6804 bytes

Have a nice weekend.
Joebanane
Active Member
 
Posts: 7
Joined: May 18th, 2010, 1:07 pm
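The "Running processes" list in the log above shows smss.exe and svchost.exe starting from under System Volume Information rather than from system32, which matches the fake svchost that SUPERAntiSpyware kept reporting. As an added example (not part of this thread or of HijackThis), the Python script below parses that section of a HijackThis log and flags system-binary names running from the wrong directory; the expected-directory table, the suspicious-location list and the sample log are constructed for the example.

```python
"""Flag masquerading system binaries in a HijackThis 'Running processes' list.

Added example, not code from this thread or from HijackThis. The sample log
is constructed from paths quoted in the thread.
"""
import ntpath

# Binaries that, on a default Windows XP install, only start from
# %SystemRoot%\system32 (assumption for this example; extend as needed).
EXPECTED_DIRS = {
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
}

# Directory fragments that should never host a running executable on a
# healthy machine (assumption for this example).
SUSPICIOUS_DIR_FRAGMENTS = ("system volume information", "\\recycler", "\\temp\\")

# Constructed sample log, trimmed to the parts the parser needs.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.4
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\System Volume Information\_restore{d5fffa500b1b}\svchost.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\System Volume Information\_restore{d5fffa500b1b}\smss.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\WINDOWS\Explorer.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://fr.msn.com/
"""


def parse_running_processes(log_text):
    """Return the full paths listed under 'Running processes:'.

    In a HijackThis log the section ends at the first blank line.
    """
    paths = []
    in_section = False
    for line in log_text.splitlines():
        stripped = line.strip()
        if stripped.lower() == "running processes:":
            in_section = True
            continue
        if in_section:
            if not stripped:
                break
            paths.append(stripped)
    return paths


def classify(path):
    """Return a reason string if the process path looks wrong, else None."""
    directory, name = ntpath.split(path)
    # normcase lowercases and normalises separators, so Windows paths compare
    # correctly even when this script runs on a non-Windows host.
    norm_dir = ntpath.normcase(directory)
    expected = EXPECTED_DIRS.get(name.lower())
    if expected is not None and norm_dir != ntpath.normcase(expected):
        return "%s expected under %s" % (name, expected)
    for fragment in SUSPICIOUS_DIR_FRAGMENTS:
        # Append a separator so a fragment like "\temp\" matches a directory
        # that ends in "\temp".
        if fragment in norm_dir + "\\":
            return "runs from unexpected location (%s)" % fragment.strip("\\")
    return None


def flag_processes(paths):
    """Return (path, reason) pairs for every process that fails a check."""
    findings = []
    for path in paths:
        reason = classify(path)
        if reason:
            findings.append((path, reason))
    return findings


if __name__ == "__main__":
    for path, reason in flag_processes(parse_running_processes(SAMPLE_LOG)):
        print("SUSPECT: %s  [%s]" % (path, reason))
```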

Re: Trojan.Dropper

Unread postby Airscape » May 23rd, 2010, 9:45 pm

Sorry for the delay.


Print out these instructions to use while in the Recovery Console: (This is for XP only)

1. Restart your computer.
2. Before Windows loads, you will be prompted to choose which Operating System to start.
3. Use the up and down arrow keys to select Microsoft Windows Recovery Console.
4. You must enter which Windows installation to log onto. Type 1 and press 'Enter'.
5. At the C:\Windows prompt, type the following bolded entries, and press 'Enter':

fixmbr

6. Type exit and press 'Enter'. Your computer should reboot.

---------------------------------

Delete the ComboFix you have and download/run a new one, make sure it's on the desktop:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe

Please post back with the ComboFix log along with a new HijackThis log.
Airscape
Regular Member
 
Posts: 1858
Joined: November 1st, 2008, 11:06 pm

Re: Trojan.Dropper

Unread postby Joebanane » May 24th, 2010, 3:24 pm

Hi again,

I did the last fix early this morning and my husband has been using the computer ever since to surf, read, listen to music and watch videos, and he didn't notice anything wrong at all. I wanted the comp to run a bit before I posted the updates. Is it too early to say hooray? :cheers:

- There are no more popups, neither visual nor audio.

- The sound level is stable.

- Surfing is without any hiccups at all and we can access Windows update.

However, since the fix we have lost 2 things:

- The AVGsystray icon is nowhere to be seen.
also
- We seem to have lost the auto-play or auto-run (not sure what it's called) feature on the DVD-ROM and on the USB drives. When we insert an audio CD, a video DVD or a data DVD, as well as a USB flash drive, nothing happens. In order to access the data we need to access the drive through "My Computer" and open it manually.

Here are the latest logs you asked for:

COMBOFIX LOG

ComboFix 10-05-23.06 - Denis 2010-05-24 6:48.3.2 - x86
Microsoft Windows XP Édition familiale 5.1.2600.3.1252.2.1036.18.2036.1458 [GMT -4:00]
Lancé depuis: c:\documents and settings\Denis\Bureau\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\system volume information\_restore{d5fffa500b1b}

.
((((((((((((((((((((((((((((( Fichiers créés du 2010-04-24 au 2010-05-24 ))))))))))))))))))))))))))))))))))))
.

2010-05-24 10:51 . 2010-05-24 10:51 53248 ----a-w- c:\temp\catchme.dll
2010-05-22 15:08 . 2010-05-22 15:08 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-05-22 15:07 . 2010-05-22 15:07 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2010-05-22 15:07 . 2010-05-22 15:07 -------- d-sh--w- c:\documents and settings\Denis\PrivacIE
2010-05-22 15:06 . 2010-05-22 15:06 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-05-22 15:06 . 2010-05-22 15:06 -------- d-sh--w- c:\documents and settings\Denis\IETldCache
2010-05-22 15:04 . 2010-05-22 15:04 -------- d-----w- c:\windows\ie8updates
2010-05-22 15:02 . 2010-05-22 15:03 -------- dc-h--w- c:\windows\ie8
2010-05-22 15:01 . 2010-02-25 06:17 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-05-22 15:01 . 2010-02-25 06:17 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-05-22 15:00 . 2010-02-16 04:50 64000 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-05-22 14:59 . 2010-05-22 14:59 -------- d-----w- C:\0dfaff62c1700dc1531fdeef0221
2010-05-22 14:58 . 2010-05-22 14:58 503808 ----a-w- c:\documents and settings\Denis\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-37c215e5-n\msvcp71.dll
2010-05-22 14:58 . 2010-05-22 14:58 499712 ----a-w- c:\documents and settings\Denis\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-37c215e5-n\jmc.dll
2010-05-22 14:58 . 2010-05-22 14:58 348160 ----a-w- c:\documents and settings\Denis\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-37c215e5-n\msvcr71.dll
2010-05-22 14:58 . 2010-05-22 14:58 61440 ----a-w- c:\documents and settings\Denis\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3f8e1ffa-n\decora-sse.dll
2010-05-22 14:58 . 2010-05-22 14:58 12800 ----a-w- c:\documents and settings\Denis\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3f8e1ffa-n\decora-d3d.dll
2010-05-22 14:58 . 2010-05-22 14:58 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-19 10:58 . 2010-05-19 10:58 -------- d-----w- C:\rsit
2010-05-18 17:12 . 2010-05-18 17:12 388096 ----a-r- c:\documents and settings\Denis\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-05-17 18:24 . 2010-05-17 18:24 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-05-17 16:44 . 2010-05-18 16:27 63488 ----a-w- c:\documents and settings\Denis\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-05-17 16:44 . 2010-05-17 16:44 52224 ----a-w- c:\documents and settings\Denis\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-05-17 16:44 . 2010-05-18 16:27 117760 ----a-w- c:\documents and settings\Denis\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-17 16:44 . 2010-05-17 16:44 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-05-17 16:44 . 2010-05-17 16:44 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-17 16:44 . 2010-05-17 16:44 -------- d-----w- c:\documents and settings\Denis\Application Data\SUPERAntiSpyware.com
2010-05-17 16:43 . 2010-05-17 16:43 -------- d-----w- c:\program files\Fichiers communs\Wise Installation Wizard
2010-05-17 16:38 . 2010-05-19 10:58 -------- d-----w- c:\program files\Trend Micro
2010-05-17 04:13 . 2010-05-17 04:13 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-05-14 22:36 . 2010-05-14 22:37 -------- d-----w- c:\program files\real
2010-04-24 21:22 . 2010-04-24 21:22 -------- d-----w- c:\program files\Defraggler

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-24 10:41 . 2009-12-18 16:51 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-05-22 15:07 . 2009-10-14 00:46 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2010-05-22 14:58 . 2008-05-12 21:22 -------- d-----w- c:\program files\Java
2010-05-17 03:52 . 2008-12-27 16:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-16 20:10 . 2009-04-03 00:21 -------- d-----w- c:\documents and settings\Denis\Application Data\dvdcss
2010-05-16 19:42 . 2009-03-06 01:05 -------- d-----w- c:\documents and settings\Denis\Application Data\CyberLink
2010-05-16 19:42 . 2008-11-22 23:34 -------- d-----w- c:\documents and settings\All Users\Application Data\CyberLink
2010-05-14 22:37 . 2010-05-14 22:37 49152 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-05-14 22:37 . 2010-05-14 22:37 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-05-14 22:37 . 2010-05-14 22:37 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-05-14 22:37 . 2010-05-14 22:37 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-05-14 22:37 . 2010-05-14 22:37 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-05-14 22:37 . 2010-05-14 22:37 40960 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-05-14 22:37 . 2010-05-14 22:37 308808 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-05-14 22:37 . 2010-05-14 22:37 14848 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
2010-05-14 22:37 . 2010-05-14 22:37 341600 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-05-14 22:37 . 2008-11-25 02:56 -------- d-----w- c:\program files\Fichiers communs\Real
2010-05-14 22:37 . 2010-05-14 22:37 -------- d-----w- c:\program files\Fichiers communs\xing shared
2010-05-14 22:36 . 2008-05-12 21:20 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-05-14 22:36 . 2008-05-12 21:20 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-04-29 19:39 . 2008-12-27 16:28 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2008-12-27 16:28 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-24 21:23 . 2009-06-17 14:38 -------- d-----w- c:\program files\CCleaner
2010-04-20 22:45 . 2009-10-14 00:46 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-23 23:30 . 2010-03-23 23:30 84480 ----a-w- c:\documents and settings\Denis\Application Data\SystemRequirementsLab\srlproxy_intel_4.1.66.0A.dll
2010-03-22 03:43 . 2008-05-12 11:05 95632 ----a-w- c:\windows\system32\perfc00C.dat
2010-03-22 03:43 . 2008-05-12 11:05 534606 ----a-w- c:\windows\system32\perfh00C.dat
2010-03-16 23:02 . 2010-03-16 23:02 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-16 23:02 . 2009-10-14 00:46 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-16 23:02 . 2009-10-14 00:46 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-10 06:16 . 2008-05-12 11:05 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 04:48 . 2008-11-22 21:24 20888 ----a-w- c:\documents and settings\Denis\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-25 20:32 . 2008-05-12 17:04 1002008 ----a-w- c:\windows\system32\igxpun.exe
2010-02-25 06:17 . 2008-05-12 11:05 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2008-05-12 11:05 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-05-21_14.11.39 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-05-24 10:41 . 2010-05-24 10:41 16384 c:\windows\temp\Perflib_Perfdata_d4.dat
+ 2008-05-12 21:17 . 2009-01-07 22:21 26144 c:\windows\system32\spupdsvc.exe
+ 2009-11-07 01:06 . 2009-01-07 22:20 16928 c:\windows\system32\spmsg.dll
+ 2008-05-12 11:05 . 2009-03-08 08:31 46592 c:\windows\system32\pngfilt.dll
+ 2006-06-29 13:05 . 2009-01-07 22:20 23552 c:\windows\system32\normaliz.dll
- 2006-06-29 13:05 . 2006-06-29 13:05 23552 c:\windows\system32\normaliz.dll
+ 2006-06-28 22:59 . 2009-01-07 22:20 24576 c:\windows\system32\nlsdl.dll
- 2006-06-28 22:59 . 2006-06-28 22:59 24576 c:\windows\system32\nlsdl.dll
+ 2008-05-12 11:05 . 2009-03-08 08:31 48128 c:\windows\system32\mshtmler.dll
+ 2008-05-12 11:05 . 2009-03-08 08:31 66560 c:\windows\system32\mshtmled.dll
+ 2008-05-12 11:05 . 2009-03-08 08:31 45568 c:\windows\system32\mshta.exe
+ 2009-03-08 08:31 . 2009-03-08 08:31 13312 c:\windows\system32\msfeedssync.exe
+ 2009-03-08 08:31 . 2010-02-25 06:17 55296 c:\windows\system32\msfeedsbs.dll
+ 2008-05-12 11:05 . 2009-03-08 08:34 43008 c:\windows\system32\licmgr10.dll
+ 2008-05-12 11:05 . 2010-02-25 06:17 25600 c:\windows\system32\jsproxy.dll
+ 2008-05-12 11:05 . 2009-03-08 08:32 94720 c:\windows\system32\inseng.dll
+ 2008-05-12 11:05 . 2009-03-08 08:31 34816 c:\windows\system32\imgutil.dll
+ 2007-08-13 23:39 . 2009-03-08 08:32 36864 c:\windows\system32\ieudinit.exe
+ 2008-05-12 11:05 . 2009-03-08 08:32 71680 c:\windows\system32\iesetup.dll
+ 2008-05-12 11:05 . 2009-03-08 08:32 55808 c:\windows\system32\iernonce.dll
- 2006-06-29 13:05 . 2006-06-29 13:05 26112 c:\windows\system32\idndl.dll
+ 2006-06-29 13:05 . 2009-01-07 22:20 26112 c:\windows\system32\idndl.dll
+ 2009-03-08 08:31 . 2009-03-08 08:31 59904 c:\windows\system32\icardie.dll
+ 2008-05-12 11:05 . 2009-03-08 08:31 46592 c:\windows\system32\dllcache\pngfilt.dll
+ 2008-05-12 11:05 . 2009-03-08 08:31 48128 c:\windows\system32\dllcache\mshtmler.dll
+ 2008-05-12 11:05 . 2009-03-08 08:31 66560 c:\windows\system32\dllcache\mshtmled.dll
+ 2008-05-12 11:05 . 2009-03-08 08:31 45568 c:\windows\system32\dllcache\mshta.exe
+ 2010-01-02 15:50 . 2010-02-25 06:17 55296 c:\windows\system32\dllcache\msfeedsbs.dll
+ 2008-05-12 11:05 . 2009-03-08 08:34 43008 c:\windows\system32\dllcache\licmgr10.dll
+ 2008-05-12 11:05 . 2010-02-25 06:17 25600 c:\windows\system32\dllcache\jsproxy.dll
+ 2008-05-12 11:05 . 2009-03-08 08:32 94720 c:\windows\system32\dllcache\inseng.dll
+ 2008-05-12 11:05 . 2009-03-08 08:31 34816 c:\windows\system32\dllcache\imgutil.dll
+ 2008-05-12 11:05 . 2009-03-08 08:32 71680 c:\windows\system32\dllcache\iesetup.dll
+ 2008-05-12 11:05 . 2009-03-08 08:32 55808 c:\windows\system32\dllcache\iernonce.dll
+ 2010-01-02 15:50 . 2009-03-08 08:31 59904 c:\windows\system32\dllcache\icardie.dll
+ 2008-05-12 21:09 . 2009-03-08 08:24 68608 c:\windows\system32\dllcache\hmmapi.dll
+ 2008-05-12 11:05 . 2009-03-08 08:33 18944 c:\windows\system32\dllcache\corpol.dll
+ 2008-05-12 11:05 . 2009-03-08 08:32 72704 c:\windows\system32\dllcache\admparse.dll
+ 2008-05-12 11:05 . 2009-03-08 08:33 18944 c:\windows\system32\corpol.dll
+ 2010-05-23 02:11 . 2010-05-23 04:44 25088 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{86A0B75A-6610-11DF-AB2F-001CC066A278}.dat
+ 2010-05-22 19:19 . 2010-05-22 19:24 14336 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{FF2D48AF-65D6-11DF-AB2D-001CC066A278}.dat
+ 2010-05-23 01:53 . 2010-05-23 01:57 15360 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{FA080CA7-660D-11DF-AB2F-001CC066A278}.dat
+ 2010-05-23 02:57 . 2010-05-23 03:02 15360 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{F6BE2799-6616-11DF-AB2F-001CC066A278}.dat
+ 2010-05-23 02:43 . 2010-05-23 02:48 15360 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{F5E69474-6614-11DF-AB2F-001CC066A278}.dat
+ 2010-05-23 04:30 . 2010-05-23 04:35 14336 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{F5C32661-6623-11DF-AB2F-001CC066A278}.dat
+ 2010-05-22 19:33 . 2010-05-22 19:37 15360 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{EC30ED59-65D8-11DF-AB2D-001CC066A278}.dat
+ 2010-05-23 02:07 . 2010-05-23 02:10 11776 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{E744E9C1-660F-11DF-AB2F-001CC066A278}.dat
+ 2010-05-23 03:11 . 2010-05-23 03:15 15360 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{E449B24D-6618-11DF-AB2F-001CC066A278}.dat
+ 2010-05-22 18:43 . 2010-05-22 18:47 15360 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{DC93EC3B-65D1-11DF-AB2C-001CC066A278}.dat
+ 2010-05-22 19:47 . 2010-05-22 19:51 15360 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{D9B2EEA5-65DA-11DF-AB2D-001CC066A278}.dat
+ 2010-05-23 03:39 . 2010-05-23 03:43 15360 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{D22287C1-661C-11DF-AB2F-001CC066A278}.dat
+ 2010-05-23 03:25 . 2010-05-23 03:30 15360 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{D16EB7E3-661A-11DF-AB2F-001CC066A278}.dat
+ 2010-05-22 18:56 . 2010-05-22 19:01 14336 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{C9500A59-65D3-11DF-AB2C-001CC066A278}.dat
+ 2010-05-23 01:44 . 2010-05-23 01:48 13312 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{C15E2A03-660C-11DF-AB2F-001CC066A278}.dat
+ 2010-05-23 04:07 . 2010-05-23 04:12 15360 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{C023E52E-6620-11DF-AB2F-001CC066A278}.dat
+ 2010-05-23 02:20 . 2010-05-23 02:24 15360 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{BF5DACCF-6611-11DF-AB2F-001CC066A278}.dat
+ 2010-05-23 03:53 . 2010-05-23 03:57 15360 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{BF157BF5-661E-11DF-AB2F-001CC066A278}.dat
+ 2010-05-22 19:10 . 2010-05-22 19:14 13312 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{B3054C39-65D5-11DF-AB2D-001CC066A278}.dat
+ 2010-05-23 00:03 . 2010-05-23 00:07 13312 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{AE78D13F-65FE-11DF-AB2E-001CC066A278}.dat
+ 2010-05-23 02:48 . 2010-05-23 02:52 15360 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{AE4B130A-6615-11DF-AB2F-001CC066A278}.dat
+ 2010-05-23 04:21 . 2010-05-23 04:25 14336 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{AD0628ED-6622-11DF-AB2F-001CC066A278}.dat
+ 2010-05-23 02:34 . 2010-05-23 02:38 14336 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{ACD624B3-6613-11DF-AB2F-001CC066A278}.dat
+ 2010-05-22 19:24 . 2010-05-22 19:28 15360 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{A38702B5-65D7-11DF-AB2D-001CC066A278}.dat
+ 2010-05-23 01:58 . 2010-05-23 02:02 15360 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{9E452A75-660E-11DF-AB2F-001CC066A278}.dat
+ 2010-05-23 03:02 . 2010-05-23 03:06 15360 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{9B406999-6617-11DF-AB2F-001CC066A278}.dat
+ 2010-05-23 04:35 . 2010-05-23 04:39 14336 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{9A7052B4-6624-11DF-AB2F-001CC066A278}.dat
+ 2010-05-22 19:38 . 2010-05-22 19:42 15360 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{8D5B4326-65D9-11DF-AB2D-001CC066A278}.dat
+ 2010-05-23 03:30 . 2010-05-23 03:34 15360 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{89894D93-661B-11DF-AB2F-001CC066A278}.dat
+ 2010-05-23 03:16 . 2010-05-23 03:20 15360 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{88C0088A-6619-11DF-AB2F-001CC066A278}.dat
+ 2010-05-23 02:11 . 2010-05-23 02:15 13312 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{86A0B75B-6610-11DF-AB2F-001CC066A278}.dat
+ 2010-05-22 18:47 . 2010-05-22 18:51 14336 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{80C2BBED-65D2-11DF-AB2C-001CC066A278}.dat
+ 2010-05-22 19:52 . 2010-05-22 19:56 15360 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{7E0F0B05-65DB-11DF-AB2D-001CC066A278}.dat
+ 2010-05-23 03:44 . 2010-05-23 03:48 15360 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{76777D13-661D-11DF-AB2F-001CC066A278}.dat
+ 2010-05-22 19:01 . 2010-05-22 19:05 13312 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{6D96B18F-65D4-11DF-AB2C-001CC066A278}.dat
+ 2010-05-23 04:12 . 2010-05-23 04:16 16384 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{64577995-6621-11DF-AB2F-001CC066A278}.dat
+ 2010-05-23 02:25 . 2010-05-23 02:29 14336 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{63BE8DE3-6612-11DF-AB2F-001CC066A278}.dat
+ 2010-05-23 03:58 . 2010-05-23 04:02 15360 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{63955B9B-661F-11DF-AB2F-001CC066A278}.dat
+ 2010-05-22 19:15 . 2010-05-22 19:19 15360 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{5AB22DBD-65D6-11DF-AB2D-001CC066A278}.dat
+ 2010-05-23 01:48 . 2010-05-23 01:53 15360 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{55DE01A9-660D-11DF-AB2F-001CC066A278}.dat
+ 2010-05-23 02:53 . 2010-05-23 02:57 15360 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{52620B39-6616-11DF-AB2F-001CC066A278}.dat
+ 2010-05-23 04:26 . 2010-05-23 04:30 14336 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{51696C5B-6623-11DF-AB2F-001CC066A278}.dat
+ 2010-05-23 02:38 . 2010-05-23 02:43 15360 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{51560459-6614-11DF-AB2F-001CC066A278}.dat
+ 2010-05-22 18:38 . 2010-05-22 18:42 14336 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{48C6E4F3-65D1-11DF-AB2C-001CC066A278}.dat
+ 2010-05-22 19:29 . 2010-05-22 19:33 14336 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{47DBF807-65D8-11DF-AB2D-001CC066A278}.dat
+ 2010-05-23 02:02 . 2010-05-23 02:06 15360 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{42C2A7C1-660F-11DF-AB2F-001CC066A278}.dat
+ 2010-05-23 00:08 . 2010-05-23 00:12 15360 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{42BAABC1-65FF-11DF-AB2E-001CC066A278}.dat
+ 2010-05-23 03:06 . 2010-05-23 03:11 15360 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{3FC9D2A7-6618-11DF-AB2F-001CC066A278}.dat
+ 2010-05-23 04:40 . 2010-05-23 04:44 31744 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{3EC54807-6625-11DF-AB2F-001CC066A278}.dat
+ 2010-05-22 19:57 . 2010-05-22 20:00 12800 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{3629A0B5-65DC-11DF-AB2D-001CC066A278}.dat
+ 2010-05-22 19:42 . 2010-05-22 19:47 15360 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{35546FEB-65DA-11DF-AB2D-001CC066A278}.dat
+ 2010-05-23 03:35 . 2010-05-23 03:39 15360 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{2DDBE08B-661C-11DF-AB2F-001CC066A278}.dat
+ 2010-05-23 03:20 . 2010-05-23 03:24 15360 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{2D044D67-661A-11DF-AB2F-001CC066A278}.dat
+ 2010-05-22 18:52 . 2010-05-22 18:56 15360 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{24E80237-65D3-11DF-AB2C-001CC066A278}.dat
+ 2010-05-23 02:15 . 2010-05-23 02:20 14336 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{1AF34252-6611-11DF-AB2F-001CC066A278}.dat
+ 2010-05-23 03:48 . 2010-05-23 03:53 15360 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{1AC086A3-661E-11DF-AB2F-001CC066A278}.dat
+ 2010-05-23 04:17 . 2010-05-23 04:21 14336 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{08D0322C-6622-11DF-AB2F-001CC066A278}.dat
+ 2010-05-23 02:29 . 2010-05-23 02:33 15360 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{08518059-6613-11DF-AB2F-001CC066A278}.dat
+ 2010-05-23 04:02 . 2010-05-23 04:07 15360 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{07FFC617-6620-11DF-AB2F-001CC066A278}.dat
+ 2010-05-22 17:46 . 2010-05-23 15:51 32768 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
+ 2010-05-22 15:08 . 2010-05-23 03:27 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2008-05-12 21:13 . 2010-05-21 14:07 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-05-12 21:13 . 2010-05-23 15:49 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-05-12 11:05 . 2009-03-08 08:32 72704 c:\windows\system32\admparse.dll
+ 2010-05-22 15:04 . 2009-03-08 08:33 12288 c:\windows\ie8updates\KB980182-IE8\xpshims.dll
+ 2010-05-22 15:04 . 2009-03-08 08:31 55296 c:\windows\ie8updates\KB980182-IE8\msfeedsbs.dll
+ 2010-05-22 15:04 . 2009-03-08 08:33 25600 c:\windows\ie8updates\KB980182-IE8\jsproxy.dll
+ 2010-05-22 15:02 . 2008-05-12 11:05 37888 c:\windows\ie8\url.dll
+ 2010-05-22 15:03 . 2009-03-08 18:23 58464 c:\windows\ie8\spuninst\iecustom.dll
+ 2010-05-22 15:02 . 2008-05-12 11:05 39424 c:\windows\ie8\pngfilt.dll
+ 2010-05-22 15:02 . 2008-05-12 11:05 97280 c:\windows\ie8\occache.dll
+ 2010-05-22 15:02 . 2008-05-12 11:05 57344 c:\windows\ie8\mshtmler.dll
+ 2010-05-22 15:02 . 2008-05-12 11:05 29184 c:\windows\ie8\mshta.exe
+ 2010-05-22 15:02 . 2009-10-29 07:44 52224 c:\windows\ie8\msfeedsbs.dll
+ 2010-05-22 15:02 . 2008-05-12 11:05 22528 c:\windows\ie8\licmgr10.dll
+ 2010-05-22 15:02 . 2008-05-12 11:05 15872 c:\windows\ie8\jsproxy.dll
+ 2010-05-22 15:02 . 2008-05-12 11:05 96768 c:\windows\ie8\inseng.dll
+ 2010-05-22 15:02 . 2008-05-12 11:05 35840 c:\windows\ie8\imgutil.dll
+ 2010-05-22 15:02 . 2008-05-12 11:05 93184 c:\windows\ie8\iexplore.exe
+ 2010-05-22 15:02 . 2008-05-12 11:05 63488 c:\windows\ie8\iesetup.dll
+ 2010-05-22 15:02 . 2008-05-12 11:05 49152 c:\windows\ie8\iernonce.dll
+ 2010-05-22 15:02 . 2009-10-29 07:44 78336 c:\windows\ie8\ieencode.dll
+ 2010-05-22 15:02 . 2008-05-12 11:05 34304 c:\windows\ie8\ie4uinit.exe
+ 2010-05-22 15:02 . 2009-10-29 07:44 63488 c:\windows\ie8\icardie.dll
+ 2010-05-22 15:02 . 2008-05-12 11:05 38912 c:\windows\ie8\hmmapi.dll
+ 2010-05-22 15:02 . 2009-10-29 07:44 17408 c:\windows\ie8\corpol.dll
+ 2010-05-22 15:02 . 2008-05-12 11:05 61440 c:\windows\ie8\admparse.dll
+ 2010-05-22 19:13 . 2010-05-23 04:07 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Last Active\RecoveryStore.{19F5B406-65D6-11DF-AB2D-001CC066A278}.dat
+ 2010-05-23 04:07 . 2010-05-23 04:07 5120 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Last Active\{AF56D2F6-6620-11DF-AB2F-001CC066A278}.dat
+ 2010-05-23 15:50 . 2010-05-23 15:51 5632 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{F3BFE3AC-6682-11DF-AB30-001CC066A278}.dat
+ 2010-05-23 01:44 . 2010-05-23 02:08 6144 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{C15E2A02-660C-11DF-AB2F-001CC066A278}.dat
+ 2010-05-22 19:10 . 2010-05-22 20:00 9728 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{B3054C38-65D5-11DF-AB2D-001CC066A278}.dat
+ 2010-05-22 17:51 . 2010-05-22 18:33 9728 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{B0C1383E-65CA-11DF-AB2B-001CC066A278}.dat
+ 2010-05-23 00:03 . 2010-05-23 00:12 4096 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{AE78D13E-65FE-11DF-AB2E-001CC066A278}.dat
+ 2010-05-23 02:11 . 2010-05-23 02:11 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{8335B854-6610-11DF-AB2F-001CC066A278}.dat
+ 2010-05-23 02:11 . 2010-05-23 02:11 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{722381EA-6610-11DF-AB2F-001CC066A278}.dat
+ 2010-05-23 02:11 . 2010-05-23 02:11 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{6E81ACCE-6610-11DF-AB2F-001CC066A278}.dat
+ 2010-05-22 18:38 . 2010-05-22 19:05 6656 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{48C6E4F2-65D1-11DF-AB2C-001CC066A278}.dat
+ 2010-05-22 15:38 . 2010-05-22 15:38 5632 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{02840AC4-65B8-11DF-AB29-001CC066A278}.dat
+ 2010-05-23 02:07 . 2010-05-23 02:08 5632 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{FDDCF2A4-660F-11DF-AB2F-001CC066A278}.dat
+ 2010-05-23 15:51 . 2010-05-23 15:51 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{FAE48F57-6682-11DF-AB30-001CC066A278}.dat
+ 2010-05-23 15:51 . 2010-05-23 15:51 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{FAE48F56-6682-11DF-AB30-001CC066A278}.dat
+ 2010-05-23 15:50 . 2010-05-23 15:50 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{F3BFE3AD-6682-11DF-AB30-001CC066A278}.dat
+ 2010-05-23 02:14 . 2010-05-23 02:14 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{F0173C6E-6610-11DF-AB2F-001CC066A278}.dat
+ 2010-05-23 04:16 . 2010-05-23 04:16 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{EF14B0CE-6621-11DF-AB2F-001CC066A278}.dat
+ 2010-05-23 02:14 . 2010-05-23 02:14 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{E9D2ADD7-6610-11DF-AB2F-001CC066A278}.dat
+ 2010-05-23 02:14 . 2010-05-23 02:14 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{E9D2ADD5-6610-11DF-AB2F-001CC066A278}.dat
+ 2010-05-22 18:00 . 2010-05-22 18:00 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{E8FB0C5D-65CB-11DF-AB2B-001CC066A278}.dat
+ 2010-05-23 04:16 . 2010-05-23 04:16 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{E8ECBE6F-6621-11DF-AB2F-001CC066A278}.dat
+ 2010-05-23 04:16 . 2010-05-23 04:16 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{E8ECBE6D-6621-11DF-AB2F-001CC066A278}.dat
+ 2010-05-23 00:12 . 2010-05-23 00:12 4096 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{E74D9E37-65FF-11DF-AB2E-001CC066A278}.dat
+ 2010-05-23 04:44 . 2010-05-23 04:44 4096 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{E336D990-6625-11DF-AB2F-001CC066A278}.dat
+ 2010-05-22 19:40 . 2010-05-22 19:40 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{E19A9B5E-65D9-11DF-AB2D-001CC066A278}.dat
+ 2010-05-22 18:21 . 2010-05-22 18:21 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{DF24760B-65CE-11DF-AB2B-001CC066A278}.dat
+ 2010-05-22 18:21 . 2010-05-22 18:21 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{DF24760A-65CE-11DF-AB2B-001CC066A278}.dat
+ 2010-05-22 19:40 . 2010-05-22 19:40 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{DB6B81F1-65D9-11DF-AB2D-001CC066A278}.dat
+ 2010-05-22 19:40 . 2010-05-22 19:40 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{DB6B81EF-65D9-11DF-AB2D-001CC066A278}.dat
+ 2010-05-22 18:21 . 2010-05-22 18:21 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{D929D04F-65CE-11DF-AB2B-001CC066A278}.dat
+ 2010-05-23 02:42 . 2010-05-23 02:42 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{D9184B13-6614-11DF-AB2F-001CC066A278}.dat
+ 2010-05-22 18:14 . 2010-05-22 18:14 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{D78A7763-65CD-11DF-AB2B-001CC066A278}.dat
+ 2010-05-22 18:28 . 2010-05-22 18:32 5120 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{D7596581-65CF-11DF-AB2B-001CC066A278}.dat
+ 2010-05-23 02:42 . 2010-05-23 02:42 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{D2F2BB0C-6614-11DF-AB2F-001CC066A278}.dat
+ 2010-05-23 02:42 . 2010-05-23 02:42 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{D2F2BB0B-6614-11DF-AB2F-001CC066A278}.dat
+ 2010-05-23 04:43 . 2010-05-23 04:43 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{C2164D0E-6625-11DF-AB2F-001CC066A278}.dat
+ 2010-05-23 04:43 . 2010-05-23 04:43 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{BBD1BE77-6625-11DF-AB2F-001CC066A278}.dat
+ 2010-05-23 04:43 . 2010-05-23 04:43 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{BBD1BE75-6625-11DF-AB2F-001CC066A278}.dat
+ 2010-05-22 17:51 . 2010-05-22 17:51 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{B0C1383F-65CA-11DF-AB2B-001CC066A278}.dat
+ 2010-05-23 03:45 . 2010-05-23 03:45 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{AF0DCD2A-661D-11DF-AB2F-001CC066A278}.dat
+ 2010-05-23 03:45 . 2010-05-23 03:45 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{A8E83D25-661D-11DF-AB2F-001CC066A278}.dat
+ 2010-05-23 03:45 . 2010-05-23 03:45 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{A8E83D23-661D-11DF-AB2F-001CC066A278}.dat
+ 2010-05-23 04:06 . 2010-05-23 04:07 5632 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{A1909D01-6620-11DF-AB2F-001CC066A278}.dat
+ 2010-05-23 02:12 . 2010-05-23 02:12 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{9ED9FBC0-6610-11DF-AB2F-001CC066A278}.dat
+ 2010-05-23 02:12 . 2010-05-23 02:12 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{989A31DD-6610-11DF-AB2F-001CC066A278}.dat
+ 2010-05-23 02:12 . 2010-05-23 02:12 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{989A31DB-6610-11DF-AB2F-001CC066A278}.dat
+ 2010-05-22 19:52 . 2010-05-22 19:53 4096 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{94750286-65DB-11DF-AB2D-001CC066A278}.dat
+ 2010-05-22 19:38 . 2010-05-22 19:38 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{939183A0-65D9-11DF-AB2D-001CC066A278}.dat
+ 2010-05-23 02:47 . 2010-05-23 02:48 4096 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{8F98CC4B-6615-11DF-AB2F-001CC066A278}.dat
+ 2010-05-22 18:19 . 2010-05-22 18:19 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{8DE4D303-65CE-11DF-AB2B-001CC066A278}.dat
+ 2010-05-22 18:19 . 2010-05-22 18:19 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{8DE4D302-65CE-11DF-AB2B-001CC066A278}.dat
+ 2010-05-22 18:05 . 2010-05-22 18:05 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{8D821311-65CC-11DF-AB2B-001CC066A278}.dat
+ 2010-05-22 19:38 . 2010-05-22 19:38 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{8D5B4325-65D9-11DF-AB2D-001CC066A278}.dat
+ 2010-05-22 19:38 . 2010-05-22 19:38 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{8D5B4323-65D9-11DF-AB2D-001CC066A278}.dat
+ 2010-05-23 04:13 . 2010-05-23 04:13 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{87EFD540-6621-11DF-AB2F-001CC066A278}.dat
+ 2010-05-23 02:11 . 2010-05-23 02:11 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{8335B855-6610-11DF-AB2F-001CC066A278}.dat
+ 2010-05-22 18:19 . 2010-05-22 18:19 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{82455C41-65CE-11DF-AB2B-001CC066A278}.dat
+ 2010-05-23 04:13 . 2010-05-23 04:13 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{81DAF5B0-6621-11DF-AB2F-001CC066A278}.dat
+ 2010-05-23 04:13 . 2010-05-23 04:13 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{81DAF5AE-6621-11DF-AB2F-001CC066A278}.dat
+ 2010-05-22 18:18 . 2010-05-22 18:19 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{7C438F79-65CE-11DF-AB2B-001CC066A278}.dat
+ 2010-05-22 18:33 . 2010-05-22 18:33 5120 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{7BBF0B49-65D0-11DF-AB2B-001CC066A278}.dat
+ 2010-05-23 02:11 . 2010-05-23 02:11 4096 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{722381EB-6610-11DF-AB2F-001CC066A278}.dat
+ 2010-05-23 03:15 . 2010-05-23 03:15 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{6E993D5A-6619-11DF-AB2F-001CC066A278}.dat
+ 2010-05-23 02:11 . 2010-05-23 02:11 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{6E81ACCF-6610-11DF-AB2F-001CC066A278}.dat
+ 2010-05-23 03:15 . 2010-05-23 03:15 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{6873AD55-6619-11DF-AB2F-001CC066A278}.dat
+ 2010-05-23 03:15 . 2010-05-23 03:15 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{6873AD53-6619-11DF-AB2F-001CC066A278}.dat
+ 2010-05-23 03:43 . 2010-05-23 03:43 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{4DA59A2D-661D-11DF-AB2F-001CC066A278}.dat
+ 2010-05-23 03:43 . 2010-05-23 03:43 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{478BF5E8-661D-11DF-AB2F-001CC066A278}.dat
+ 2010-05-23 03:42 . 2010-05-23 03:42 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{478BF5E7-661D-11DF-AB2F-001CC066A278}.dat
+ 2010-05-22 17:55 . 2010-05-22 17:56 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{449EEFFD-65CB-11DF-AB2B-001CC066A278}.dat
+ 2010-05-22 18:24 . 2010-05-22 18:24 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{32A9D6D3-65CF-11DF-AB2B-001CC066A278}.dat
+ 2010-05-22 18:09 . 2010-05-22 18:09 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{31E7B8D9-65CD-11DF-AB2B-001CC066A278}.dat
+ 2010-05-23 02:45 . 2010-05-23 02:45 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{30F9786A-6615-11DF-AB2F-001CC066A278}.dat
+ 2010-05-23 02:45 . 2010-05-23 02:45 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{2AADC2C5-6615-11DF-AB2F-001CC066A278}.dat
+ 2010-05-23 02:44 . 2010-05-23 02:44 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{2AADC2C3-6615-11DF-AB2F-001CC066A278}.dat
+ 2010-05-23 03:27 . 2010-05-23 03:27 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{190391FF-661B-11DF-AB2F-001CC066A278}.dat
+ 2010-05-23 03:12 . 2010-05-23 03:12 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{1370D442-6619-11DF-AB2F-001CC066A278}.dat
+ 2010-05-23 03:12 . 2010-05-23 03:12 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{0D4B443D-6619-11DF-AB2F-001CC066A278}.dat
+ 2010-05-23 03:12 . 2010-05-23 03:12 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{0D4B443B-6619-11DF-AB2F-001CC066A278}.dat
+ 2010-05-22 19:13 . 2010-05-22 19:13 5632 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{0AE41733-65D6-11DF-AB2D-001CC066A278}.dat
+ 2010-05-22 15:38 . 2010-05-22 15:38 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{08BCAD98-65B8-11DF-AB29-001CC066A278}.dat
+ 2010-05-22 15:38 . 2010-05-22 15:38 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{02840AC7-65B8-11DF-AB29-001CC066A278}.dat
+ 2010-05-22 15:38 . 2010-05-22 15:38 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{02840AC5-65B8-11DF-AB29-001CC066A278}.dat
+ 2010-05-22 17:46 . 2010-05-22 17:46 7028 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\frameiconcache.dat
+ 2010-05-22 15:04 . 2009-03-08 08:35 2048 c:\windows\ie8updates\KB980302-IE8\iecompat.dll
+ 2008-05-12 11:05 . 2009-01-07 22:21 121856 c:\windows\system32\xmllite.dll
- 2008-05-12 11:05 . 2008-05-12 11:05 121856 c:\windows\system32\xmllite.dll
+ 2009-03-08 08:34 . 2009-03-08 08:34 208384 c:\windows\system32\WinFXDocObj.exe
+ 2008-05-12 11:05 . 2009-03-08 08:34 236544 c:\windows\system32\webcheck.dll
+ 2008-05-12 11:05 . 2009-03-08 08:34 105984 c:\windows\system32\url.dll
+ 2008-05-12 11:05 . 2010-02-25 06:17 206848 c:\windows\system32\occache.dll
+ 2008-05-12 11:05 . 2010-02-25 06:17 611840 c:\windows\system32\mstime.dll
+ 2008-05-12 11:05 . 2009-03-08 08:34 193536 c:\windows\system32\msrating.dll
+ 2008-05-12 11:05 . 2009-03-08 08:22 156160 c:\windows\system32\msls31.dll
+ 2009-03-08 08:32 . 2010-02-25 06:17 594432 c:\windows\system32\msfeeds.dll
+ 2009-01-07 22:20 . 2009-01-07 22:20 265720 c:\windows\system32\msdbg2.dll
+ 2008-05-12 11:05 . 2009-12-09 05:54 726528 c:\windows\system32\jscript.dll
+ 2010-05-22 14:58 . 2010-05-22 14:58 153376 c:\windows\system32\javaws.exe
+ 2010-05-22 14:58 . 2010-05-22 14:58 145184 c:\windows\system32\javaw.exe
+ 2010-05-22 14:58 . 2010-05-22 14:58 145184 c:\windows\system32\java.exe
+ 2009-03-08 08:22 . 2009-03-08 08:22 164352 c:\windows\system32\ieui.dll
+ 2008-05-12 11:05 . 2010-02-25 06:17 184320 c:\windows\system32\iepeers.dll
+ 2008-05-12 11:05 . 2010-02-25 06:17 387584 c:\windows\system32\iedkcs32.dll
+ 2009-03-08 08:11 . 2009-03-08 08:11 445952 c:\windows\system32\ieapfltr.dll
+ 2008-05-12 11:05 . 2009-03-08 08:32 163840 c:\windows\system32\ieakui.dll
+ 2008-05-12 11:05 . 2009-03-08 08:33 229376 c:\windows\system32\ieaksie.dll
+ 2008-05-12 11:05 . 2009-03-08 08:33 125952 c:\windows\system32\ieakeng.dll
+ 2008-05-12 11:05 . 2010-02-24 09:55 173056 c:\windows\system32\ie4uinit.exe
+ 2008-05-12 11:05 . 2009-03-08 08:31 216064 c:\windows\system32\dxtrans.dll
+ 2008-05-12 11:05 . 2009-03-08 08:31 348160 c:\windows\system32\dxtmsft.dll
+ 2008-05-12 11:05 . 2010-02-25 06:17 916480 c:\windows\system32\dllcache\wininet.dll
+ 2008-05-12 11:05 . 2009-03-08 08:34 236544 c:\windows\system32\dllcache\webcheck.dll
+ 2008-05-12 21:09 . 2009-03-08 08:33 759296 c:\windows\system32\dllcache\VGX.dll
+ 2008-05-12 11:05 . 2010-03-10 06:16 420352 c:\windows\system32\dllcache\vbscript.dll
+ 2008-05-12 11:05 . 2009-03-08 08:34 105984 c:\windows\system32\dllcache\url.dll
+ 2009-01-07 22:20 . 2009-01-07 22:20 134144 c:\windows\system32\dllcache\sqmapi.dll
+ 2008-05-12 11:05 . 2010-02-25 06:17 206848 c:\windows\system32\dllcache\occache.dll
+ 2008-05-12 11:05 . 2010-02-25 06:17 611840 c:\windows\system32\dllcache\mstime.dll
+ 2008-05-12 11:05 . 2009-03-08 08:34 193536 c:\windows\system32\dllcache\msrating.dll
+ 2008-05-12 11:05 . 2009-03-08 08:22 156160 c:\windows\system32\dllcache\msls31.dll
+ 2010-01-02 15:50 . 2010-02-25 06:17 594432 c:\windows\system32\dllcache\msfeeds.dll
+ 2008-05-12 11:05 . 2009-12-09 05:54 726528 c:\windows\system32\dllcache\jscript.dll
+ 2008-05-12 21:09 . 2009-03-08 18:09 638816 c:\windows\system32\dllcache\iexplore.exe
+ 2008-05-12 11:05 . 2010-02-25 06:17 184320 c:\windows\system32\dllcache\iepeers.dll
+ 2008-05-12 11:05 . 2010-02-25 06:17 387584 c:\windows\system32\dllcache\iedkcs32.dll
+ 2010-01-02 15:50 . 2009-03-08 08:11 445952 c:\windows\system32\dllcache\ieapfltr.dll
+ 2008-05-12 11:05 . 2009-03-08 08:32 163840 c:\windows\system32\dllcache\ieakui.dll
+ 2008-05-12 11:05 . 2009-03-08 08:33 229376 c:\windows\system32\dllcache\ieaksie.dll
+ 2008-05-12 11:05 . 2009-03-08 08:33 125952 c:\windows\system32\dllcache\ieakeng.dll
+ 2008-05-12 11:05 . 2010-02-24 09:55 173056 c:\windows\system32\dllcache\ie4uinit.exe
+ 2008-05-12 11:05 . 2009-03-08 08:31 216064 c:\windows\system32\dllcache\dxtrans.dll
+ 2008-05-12 11:05 . 2009-03-08 08:31 348160 c:\windows\system32\dllcache\dxtmsft.dll
+ 2008-05-12 11:05 . 2009-03-08 08:32 128512 c:\windows\system32\dllcache\advpack.dll
+ 2010-05-22 15:07 . 2010-05-23 15:51 278528 c:\windows\system32\config\systemprofile\PrivacIE\index.dat
+ 2008-05-12 21:13 . 2010-05-23 15:49 262144 c:\windows\system32\config\systemprofile\Local Settings\Historique\History.IE5\index.dat
- 2008-11-22 21:24 . 2008-11-12 16:26 262144 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
+ 2008-11-22 21:24 . 2010-05-22 14:34 262144 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
+ 2008-05-12 11:05 . 2009-03-08 08:32 128512 c:\windows\system32\advpack.dll
+ 2010-05-22 14:58 . 2010-05-22 14:58 180224 c:\windows\Installer\387e7.msi
+ 2010-05-22 14:58 . 2010-05-22 14:58 576000 c:\windows\Installer\387e2.msi
+ 2010-05-22 17:43 . 2009-03-08 08:33 420352 c:\windows\ie8updates\KB981332-IE8\vbscript.dll
+ 2010-05-22 17:43 . 2009-05-26 11:40 406392 c:\windows\ie8updates\KB981332-IE8\spuninst\updspapi.dll
+ 2010-05-22 17:43 . 2009-05-26 11:40 234872 c:\windows\ie8updates\KB981332-IE8\spuninst\spuninst.exe
+ 2010-05-22 15:04 . 2009-05-26 11:40 406392 c:\windows\ie8updates\KB980302-IE8\spuninst\updspapi.dll
+ 2010-05-22 15:04 . 2009-05-26 11:40 234872 c:\windows\ie8updates\KB980302-IE8\spuninst\spuninst.exe
+ 2010-05-22 15:04 . 2009-03-08 08:34 914944 c:\windows\ie8updates\KB980182-IE8\wininet.dll
+ 2010-05-22 15:04 . 2009-05-26 11:40 406392 c:\windows\ie8updates\KB980182-IE8\spuninst\updspapi.dll
+ 2010-05-22 15:04 . 2009-05-26 11:40 234872 c:\windows\ie8updates\KB980182-IE8\spuninst\spuninst.exe
+ 2010-05-22 15:04 . 2009-03-08 08:34 109568 c:\windows\ie8updates\KB980182-IE8\occache.dll
+ 2010-05-22 15:04 . 2009-03-08 08:32 611840 c:\windows\ie8updates\KB980182-IE8\mstime.dll
+ 2010-05-22 15:04 . 2009-03-08 08:32 594432 c:\windows\ie8updates\KB980182-IE8\msfeeds.dll
+ 2010-05-22 15:04 . 2009-03-08 08:33 246784 c:\windows\ie8updates\KB980182-IE8\ieproxy.dll
+ 2010-05-22 15:04 . 2009-03-08 08:31 183808 c:\windows\ie8updates\KB980182-IE8\iepeers.dll
+ 2010-05-22 15:04 . 2009-03-08 18:09 391536 c:\windows\ie8updates\KB980182-IE8\iedkcs32.dll
+ 2010-05-22 15:04 . 2009-03-08 08:32 173056 c:\windows\ie8updates\KB980182-IE8\ie4uinit.exe
+ 2010-05-22 17:43 . 2008-07-08 13:04 406392 c:\windows\ie8updates\KB976662-IE8\spuninst\updspapi.dll
+ 2010-05-22 17:43 . 2008-07-08 13:03 234872 c:\windows\ie8updates\KB976662-IE8\spuninst\spuninst.exe
+ 2010-05-22 17:43 . 2009-06-22 06:47 726528 c:\windows\ie8updates\KB976662-IE8\jscript.dll
+ 2010-05-22 17:42 . 2008-07-08 13:04 406392 c:\windows\ie8updates\KB971961-IE8\spuninst\updspapi.dll
+ 2010-05-22 17:42 . 2008-07-08 13:03 234872 c:\windows\ie8updates\KB971961-IE8\spuninst\spuninst.exe
+ 2010-05-22 17:42 . 2009-03-08 08:33 726528 c:\windows\ie8updates\KB971961-IE8\jscript.dll
+ 2010-05-22 15:02 . 2010-02-26 05:42 671232 c:\windows\ie8\wininet.dll
+ 2010-05-22 15:02 . 2008-05-12 11:05 281600 c:\windows\ie8\webcheck.dll
+ 2010-05-22 15:02 . 2008-05-12 11:05 851968 c:\windows\ie8\vgx.dll
+ 2010-05-22 15:02 . 2010-03-09 11:10 430080 c:\windows\ie8\vbscript.dll
+ 2010-05-22 15:02 . 2010-02-26 05:42 628736 c:\windows\ie8\urlmon.dll
+ 2010-05-22 15:03 . 2009-01-07 22:21 382496 c:\windows\ie8\spuninst\updspapi.dll
+ 2010-05-22 15:03 . 2009-01-07 22:20 231456 c:\windows\ie8\spuninst\spuninst.exe
+ 2010-05-22 15:02 . 2008-05-12 11:05 532480 c:\windows\ie8\mstime.dll
+ 2010-05-22 15:02 . 2008-05-12 11:05 146432 c:\windows\ie8\msrating.dll
+ 2010-05-22 15:02 . 2008-05-12 11:05 146432 c:\windows\ie8\msls31.dll
+ 2010-05-22 15:02 . 2008-05-12 11:05 449024 c:\windows\ie8\mshtmled.dll
+ 2010-05-22 15:02 . 2009-10-29 07:44 459264 c:\windows\ie8\msfeeds.dll
+ 2010-05-22 15:02 . 2009-08-13 15:20 512000 c:\windows\ie8\jscript.dll
+ 2010-05-22 15:02 . 2009-10-29 07:44 268288 c:\windows\ie8\iertutil.dll
+ 2010-05-22 15:02 . 2010-02-26 05:42 251904 c:\windows\ie8\iepeers.dll
+ 2010-05-22 15:02 . 2008-05-12 11:05 323584 c:\windows\ie8\iedkcs32.dll
+ 2010-05-22 15:02 . 2009-10-29 07:44 380928 c:\windows\ie8\ieapfltr.dll
+ 2010-05-22 15:02 . 2008-05-12 11:05 245760 c:\windows\ie8\ieakui.dll
+ 2010-05-22 15:02 . 2008-05-12 11:05 221184 c:\windows\ie8\ieaksie.dll
+ 2010-05-22 15:02 . 2008-05-12 11:05 143360 c:\windows\ie8\ieakeng.dll
+ 2010-05-22 15:02 . 2008-05-12 11:05 205312 c:\windows\ie8\dxtrans.dll
+ 2010-05-22 15:02 . 2008-05-12 11:05 357888 c:\windows\ie8\dxtmsft.dll
+ 2010-05-22 15:02 . 2008-05-12 11:05 101888 c:\windows\ie8\advpack.dll
+ 2008-05-12 11:05 . 2010-02-25 06:17 1209344 c:\windows\system32\urlmon.dll
+ 2008-05-12 11:05 . 2010-02-25 06:17 5944832 c:\windows\system32\mshtml.dll
+ 2009-03-08 08:32 . 2010-02-25 06:17 1985536 c:\windows\system32\iertutil.dll
+ 2009-02-07 01:07 . 2009-02-07 01:07 3698584 c:\windows\system32\ieapfltr.dat
+ 2008-05-12 11:05 . 2010-02-25 06:17 1209344 c:\windows\system32\dllcache\urlmon.dll
+ 2008-05-12 11:05 . 2010-02-25 06:17 5944832 c:\windows\system32\dllcache\mshtml.dll
+ 2010-01-02 15:50 . 2010-02-25 06:17 1985536 c:\windows\system32\dllcache\iertutil.dll
+ 2010-01-02 15:50 . 2009-02-07 01:07 3698584 c:\windows\system32\dllcache\ieapfltr.dat
+ 2010-05-22 14:49 . 2010-05-23 15:49 1884160 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2010-05-22 15:04 . 2009-03-08 08:34 1206784 c:\windows\ie8updates\KB980182-IE8\urlmon.dll
+ 2010-05-22 15:04 . 2009-03-08 08:41 5937152 c:\windows\ie8updates\KB980182-IE8\mshtml.dll
+ 2010-05-22 15:04 . 2009-03-08 08:32 1985024 c:\windows\ie8updates\KB980182-IE8\iertutil.dll
+ 2010-05-22 15:02 . 2010-02-26 05:42 3094016 c:\windows\ie8\mshtml.dll
+ 2010-05-22 15:02 . 2009-10-29 07:44 6067200 c:\windows\ie8\ieframe.dll
+ 2010-05-22 15:02 . 2009-06-29 08:33 2452872 c:\windows\ie8\ieapfltr.dat
+ 2009-03-08 08:39 . 2010-02-25 15:47 11070976 c:\windows\system32\ieframe.dll
+ 2010-01-02 15:50 . 2010-02-25 15:47 11070976 c:\windows\system32\dllcache\ieframe.dll
+ 2010-05-22 15:04 . 2009-03-08 08:39 11063808 c:\windows\ie8updates\KB980182-IE8\ieframe.dll
.
-- Instantané actualisé --
.
((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2010-04-19 14:25 2117704 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-01-13 134656]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-01-13 135680]
"RTHDCPL"="RTHDCPL.EXE" [2009-10-16 18782720]
"SunJavaUpdateSched"="c:\program files\Fichiers communs\Java\Java Update\jusched.exe" [2010-02-18 248040]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-05-12 15360]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-16 23:02 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2010-01-13 15:46 166912 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2010-01-13 15:46 134656 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
2006-12-06 02:55 54832 ----a-w- c:\program files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2010-01-13 15:46 135680 ----a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-09-06 20:09 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2006-11-23 19:10 56928 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2010-05-06 21:04 2017280 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-05-14 22:36 202256 ----a-w- c:\program files\Fichiers communs\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Versato]
2002-12-25 13:10 733184 ----a-w- c:\program files\Media Key\Versato.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-10-13 216200]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-10-13 242896]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2010-02-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-06 68168]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [2010-03-16 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-03-16 308064]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-03-23 1684736]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [2009-12-18 11336]
.
Contenu du dossier 'Tâches planifiées'

2009-02-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-05-24 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2171255754-1408336027-2481167137-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

2010-05-22 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2171255754-1408336027-2481167137-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
.
.
------- Examen supplémentaire -------
.
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Denis\Application Data\Mozilla\Firefox\Profiles\khyotjsh.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://www.poodwaddle.com/index.htm
FF - prefs.js: keyword.URL - hxxp://cf.yhs.search.yahoo.com/avg/sear ... -web_cf&p=
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\Opera\program\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- PARAMETRES FIREFOX ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-24 06:51
Windows 5.1.2600 Service Pack 3 NTFS

Recherche de processus cachés ...

Recherche d'éléments en démarrage automatique cachés ...

Recherche de fichiers cachés ...

Scan terminé avec succès
Fichiers cachés: 0

**************************************************************************
.
--------------------- CLES DE REGISTRE BLOQUEES ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,64,9e,5c,dc,f3,c1,ba,4f,92,85,20,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,64,9e,5c,dc,f3,c1,ba,4f,92,85,20,\
.
--------------------- DLLs chargées dans les processus actifs ---------------------

- - - - - - - > 'winlogon.exe'(688)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(1432)
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Heure de fin: 2010-05-24 06:51:57
ComboFix-quarantined-files.txt 2010-05-24 10:51
ComboFix2.txt 2010-05-22 14:51
ComboFix3.txt 2010-05-21 14:12

Avant-CF: 68 294 967 296 octets libres
Après-CF: 68 380 475 392 octets libres

- - End Of File - - B2F07C75EB5187741F74353B5FD69345


----------------------------------------------------------------------


HIJACKTHIS LOGS

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 15:19:55, on 2010-05-24
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Opera\opera.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.veryquiet.com/midnews.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Programme d'aide de l'Assistant de connexion Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.infoclick.ca
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: Pré-chargeur Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Démon de cache des catégories de composant - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Service d'administration du Gestionnaire de disque logique (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Journal des événements (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Service COM de gravage de CD IMAPI (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Plug-and-Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Gestionnaire de session d'aide sur le Bureau à distance (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Carte à puce (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Journaux et alertes de performance (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Cliché instantané de volume (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Carte de performance WMI (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe
O23 - Service: Service Partage réseau du Lecteur Windows Media (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe

--
End of file - 6790 bytes


And again... thank you thank you thank you for all the time and effort you're putting into this.

Joanne
Joebanane
Active Member
 
Posts: 7
Joined: May 18th, 2010, 1:07 pm

Re: Trojan.Dropper

Unread postby Airscape » May 25th, 2010, 10:52 am

I wouldn't worry too much about the AVG systray icon. As long as everything is green in the security center it should be ok.




Back up the Registry
Modifying the Registry can create unforeseen problems, so it is always wise to create a backup before doing so.
  • Please go here and download ERUNT.
  • ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.
  • Double click on erunt-setup.exe to Install ERUNT by following the prompts.
  • Use the default install settings but say no to the portion that asks you to add ERUNT to the Start-Up folder. You can enable this option later if you wish.
  • Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process.
  • Choose a location for the backup. Note: the default location is C:\WINDOWS\ERDNT which is acceptable.
  • Make sure that at least the first two check boxes are selected.
  • Click on OK
  • Then click on YES to create the folder.

Note: If it is necessary to restore the registry, open the backup folder and start ERDNT.exe

------------------------------------------

Fix.reg
  • Open Notepad by clicking Start>Run then type Notepad
  • Copy the contents of the Code Box below to Notepad
  • Make sure there is NO blank line before REGEDIT4
  • Name the file as fix.reg
  • Change the Save as Type to All Files
  • Save the file to your Desktop.
Code:
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"*{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=-

[-HKEY_CLASSES_ROOT\CLSID\_{CFBFAE00-17A6-11D0-99CB-00C04FD64497}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""

Double click on the fix.reg file & when it prompts to Merge click Yes.

------------------------------------------

Fix HiJackThis Entries
  • Open HiJackThis
  • Click on do a system scan only
  • Place a checkmark next to these lines (if still present):

R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)


  • Close all windows except Hijackthis and click Fix Checked
  • Click Yes when prompted
  • Close HijackThis.

------------------------------------------

TFC(Temp File Cleaner):
  • This should still be on your desktop.
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • Click the Start button in bottom left of TFC
  • If prompted, click "Yes" to reboot.

Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted.
It should not take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

------------------------------------------

Kaspersky online scan
Please go to the Kaspersky website and perform an online antivirus scan.
  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
        Spyware, Adware, Dialers, and other potentially dangerous programs
        Archives
        Mail databases

  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply along with a fresh HijackThis log.
This online tutorial will help explain how to use the aforementioned online scan.
Airscape
Regular Member
 
Posts: 1858
Joined: November 1st, 2008, 11:06 pm

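As an added example (not code from this thread or from any of the tools it uses), the short Python script below parses HijackThis R/O lines, lists the entries whose target file is gone, and builds a REGEDIT4 fix in the shape of the fix.reg Airscape posted for the dead URLSearchHook. The sample log lines are constructed from the entries quoted in this thread, and the function and class names are my own; which orphaned entries actually get fixed stays a judgement call, as in the thread (the AVG avgrsstarter line was left alone).

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the shape of the HijackThis logs posted in this thread:
# the entries Airscape asked to fix, plus legitimate ones for contrast.
SAMPLE_HJT_LOG = r"""
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
"""

# "R3 - URLSearchHook: <rest>" / "O2 - BHO: <rest>" / "O20 - Winlogon Notify: <rest>"
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<kind>[^:]+): (?P<rest>.+)$")
# A CLSID in braces, optionally prefixed with the '*' HijackThis shows on the dead hook.
GUID_RE = re.compile(r"^\*?\{[0-9A-Fa-f-]{36}\}$")


@dataclass
class HjtEntry:
    code: str               # "R3", "O2", "O20", ...
    kind: str               # "URLSearchHook", "BHO", "Winlogon Notify", ...
    name: str               # display name, "(no name)" when HijackThis has none
    clsid: Optional[str]    # "{GUID}" or "*{GUID}" when the entry carries one
    path: str               # file path, "(no file)" or "... (file missing)"

    @property
    def orphaned(self) -> bool:
        """True when the registry entry points at a file that no longer exists."""
        return self.path == "(no file)" or self.path.endswith("(file missing)")


def parse_hjt(log: str) -> List[HjtEntry]:
    """Parse the R/O lines of a HijackThis log; any other line is ignored."""
    entries: List[HjtEntry] = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        parts = m.group("rest").split(" - ")
        name = parts[0]
        if len(parts) >= 3 and GUID_RE.match(parts[1]):
            clsid, path = parts[1], " - ".join(parts[2:])
        else:
            clsid, path = None, " - ".join(parts[1:])
        entries.append(HjtEntry(m.group("code"), m.group("kind"), name, clsid, path))
    return entries


def orphaned_entries(log: str) -> List[HjtEntry]:
    """The entries worth a second look: they load something that is not on disk."""
    return [e for e in parse_hjt(log) if e.orphaned]


def urlsearchhook_fix_reg(entry: HjtEntry) -> str:
    """Build REGEDIT4 text in the shape of the fix.reg posted in this thread:
    delete the starred (dead) hook value, delete the underscored CLSID key and
    put the hook back under its plain GUID with an empty value."""
    if not (entry.code == "R3" and entry.orphaned
            and entry.clsid and entry.clsid.startswith("*")):
        raise ValueError("not an orphaned '*{GUID}' URLSearchHook entry")
    guid = entry.clsid[1:]
    hook_key = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks"
    # No leading blank line: regedit expects REGEDIT4 on the very first line.
    return "\n".join([
        "REGEDIT4",
        "",
        f"[{hook_key}]",
        f'"*{guid}"=-',
        "",
        f"[-HKEY_CLASSES_ROOT\\CLSID\\_{guid}]",
        "",
        f"[{hook_key}]",
        f'"{guid}"=""',
        "",
    ])


if __name__ == "__main__":
    orphans = orphaned_entries(SAMPLE_HJT_LOG)
    for e in orphans:
        print(f"{e.code:<4} {e.kind:<16} {e.name} {e.clsid or ''} -> {e.path}")
    dead_hook = next(e for e in orphans
                     if e.code == "R3" and e.clsid and e.clsid.startswith("*"))
    print(urlsearchhook_fix_reg(dead_hook))
```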
Re: Trojan.Dropper

Unread postby Joebanane » May 25th, 2010, 5:53 pm

Dear Airscape,

The comp is doing fine. It may not be "clean" yet (hey, what do I know) but there are NO symptoms that I can perceive. The Kaspersky Scan found an additional infection using today's virus definitions (one that's not already quarantined). Is it me or do some people need to find more constructive hobbies? Oh well...

Here are the logs requested:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, May 25, 2010
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, May 25, 2010 13:22:10
Records in database: 4171357
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\

Scan statistics:
Objects scanned: 70578
Threats found: 3
Infected objects found: 6
Suspicious objects found: 0
Scan duration: 01:28:29


File name / Threat / Threats count
C:\Qoobox\Quarantine\C\System Volume Information\_restore{d5fffa500b1b}\smss.exe.vir Infected: Trojan-Clicker.Win32.Cycler.ajnt 1
C:\Qoobox\Quarantine\C\System Volume Information\_restore{d5fffa500b1b}\svchost.exe.vir Infected: Trojan-Clicker.Win32.Cycler.ajnt 1
C:\Qoobox\Quarantine\C\System Volume Information\_restore{d5fffa500b1b}\_smss_.exe.zip Infected: Trojan-Clicker.Win32.Cycler.ajnt 1
C:\Qoobox\Quarantine\C\System Volume Information\_restore{d5fffa500b1b}\_svchost_.exe.zip Infected: Trojan-Clicker.Win32.Cycler.ajnt 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\disk.sys.vir Infected: Rootkit.Win32.TDSS.ap 1
C:\System Volume Information\_restore{B4A36781-60CF-4084-A330-A557601C6547}\RP1\A0000020.exe Infected: Packed.Win32.Krap.hc 1

Selected area has been scanned.

___________________________________________________


... and the fresh HIJACKTHIS LOG:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 14:08:35, on 2010-05-25
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.veryquiet.com/midnews.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Programme d'aide de l'Assistant de connexion Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.infoclick.ca
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: Pré-chargeur Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Démon de cache des catégories de composant - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Service d'administration du Gestionnaire de disque logique (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Journal des événements (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Service COM de gravage de CD IMAPI (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Plug-and-Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Gestionnaire de session d'aide sur le Bureau à distance (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Carte à puce (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Journaux et alertes de performance (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Cliché instantané de volume (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Carte de performance WMI (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe
O23 - Service: Service Partage réseau du Lecteur Windows Media (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe

--
End of file - 6559 bytes

Thanks...

Joanne
Joebanane
Active Member
 
Posts: 7
Joined: May 18th, 2010, 1:07 pm

Re: Trojan.Dropper

Unread postby Airscape » May 25th, 2010, 9:24 pm

Well done, your PC now appears to be malware free. Please advise on any problems you still have.

Don't forget to re-enable any protection programs you may have disabled during the fix.

Please delete the Gmer random.exe file. It should look like this: f8gqz1g1.exe, on your desktop.
Remove the Kaspersky online scanner and also HijackThis through Control Panel > Add/Remove Programs (if present).
You can keep TFC.exe to clean out temporary files. I recommend running it once or twice a week.

Uninstall ComboFix
  • Click on Start >> Run...
  • Now type in ComboFix /Uninstall and click OK.
  • Note the space between the X and the /Uninstall, it needs to be there.

The above will implement some cleanup procedures as well as reset System Restore points.

Clean up with OTC
  • Download OTC by Old Timer here and save it to your desktop.
  • Double click on OTC.exe. Click on CleanUp!.
  • You will receive a prompt that it needs to restart the computer to remove the files. Click Yes.
  • It will restart your computer automatically. If it doesn't, please restart your computer manually.

The above will remove the majority of tools/logs used in the removal process. If any still exist, please delete them yourself.

----------------------------------------------------------

Now some advice for keeping your pc safe and secure for the future:

  • Malwarebytes' Anti-Malware
    This is an excellent application and I advise you keep this installed. Check for updates and run a scan once a week.
  • Other installed security software
    Your presently installed security application AVG automatically checks for updates and downloads/installs them with every system reboot and/or periodically if the machine is left running, providing an internet connection is active. I advise you also run a complete scan with this once per week.
  • Make sure that you keep your antivirus updated
    New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
  • Security Updates for Windows, Internet Explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab or visit the Microsoft Update site on a regular basis.
    Note: The update process uses ActiveX, so you will need to use Internet Explorer for it and allow the ActiveX control to install.
  • Update Non-Microsoft Programs
    Microsoft isn't the only company whose products can contain security vulnerabilities. To check whether other programs running on your PC are in need of an update, you can use the Secunia Software Inspector or F-Secure Health Check. I suggest that you run one of them at least once a month.

Recommended Programs

I would recommend the download and installation of some or all of the following programs and the updating of them on a regular basis.

  • SpywareBlaster
    SpywareBlaster sets killbits in the registry to prevent known malicious ActiveX controls from installing on your computer. You can download SpywareBlaster from HERE
  • Analog X Script Defender
    This will prevent malicious scripts from running on your pc by giving you the option to allow a script or not. Download it HERE
  • WinPatrol
    As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. For more information, please visit HERE
  • Download and Install a HOSTS File
    A HOSTS file is a big list of bad web sites. The list has a specific format, a specific name, (name is just HOSTS with no file extension), and a specific location. Your machine always looks at that file in that location before connecting to a web site to verify the address. So the HOSTS listing can be used to "short circuit" a request to a bad website by giving it the address of your own machine.
    Install MVPS Hosts File From Here
    The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
    You can find the tutorial HERE

Finally I am trying to make one point very clear. It is ABSOLUTELY ESSENTIAL to keep all of your security programs up to date.

I'd be grateful if you could reply to this post so that I know you have read it, and if you've no other questions, the thread can be closed.

Happy surfing and stay clean!
Airscape
Regular Member
 
Posts: 1858
Joined: November 1st, 2008, 11:06 pm
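As an added illustration of the HOSTS mechanism Airscape describes (one address followed by hostnames per line, `#` comments, and blocking by pointing a name at 127.0.0.1), here is a small Python audit script. It is not from the thread or from the MVPS project; the sample file content is constructed, and the watch-list of domains that should never be overridden is an assumption. It also covers the case the post does not: an entry that points a legitimate name at some other address, which is how a tampered HOSTS file can silently break or divert a site.

```python
"""Audit a Windows HOSTS file: separate blocking entries from redirections.

Added example, not from the forum thread. On Windows XP the real file is
named HOSTS (no extension) under the system directory, normally
  C:\\WINDOWS\\system32\\drivers\\etc\\hosts
"""
import ipaddress
from typing import Dict, List, Tuple

# Addresses that "short circuit" a lookup back to the local machine.
BLACKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}

# Assumed watch-list: names a defender expects never to be overridden in HOSTS.
PROTECTED_SUFFIXES = ("windowsupdate.com", "update.microsoft.com")


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs. '#' starts a comment; fields are whitespace-separated."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # first field is not an IP address: malformed line, skip it
        for host in fields[1:]:
            pairs.append((ip, host.lower()))
    return pairs


def audit_hosts(text: str) -> Dict[str, List[str]]:
    """Classify entries as 'blocked' (loopback/null), 'redirected' (any other address),
    and 'suspicious' (a protected name mapped anywhere at all)."""
    result: Dict[str, List[str]] = {"blocked": [], "redirected": [], "suspicious": []}
    for ip, host in parse_hosts(text):
        if ip in BLACKHOLE_ADDRS:
            result["blocked"].append(host)
        else:
            result["redirected"].append(f"{host} -> {ip}")
        if host.endswith(PROTECTED_SUFFIXES):
            result["suspicious"].append(f"{host} -> {ip}")
    return result


# Constructed sample, not a real HOSTS file; 192.0.2.x is a documentation range.
SAMPLE_HOSTS = """\
# comment line
127.0.0.1       localhost
127.0.0.1       ads.example-adserver.invalid   # MVPS-style block entry
0.0.0.0         tracker.example.invalid
192.0.2.10      www.update.microsoft.com       # tampered-style entry
not-an-ip       bad.line
"""

if __name__ == "__main__":
    for kind, items in audit_hosts(SAMPLE_HOSTS).items():
        print(f"{kind}: {items}")
```

A clean file produced by the MVPS list should yield only 'blocked' entries; anything under 'redirected' or 'suspicious' deserves a look before trusting the machine's name resolution.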

Re: Trojan.Dropper

Unread postby Joebanane » May 26th, 2010, 7:57 am

Thank you again for all your hard work and patience. You actually managed to make this whole ordeal very pleasant - even though I would really prefer not to have to come back ever again.

I applied all your suggestions on my husband's computer and on mine.

Is there anything else I can do to show my appreciation apart from telling everyone how professional you (all of you) are?

:D

Joanne C.
Joebanane
Active Member
 
Posts: 7
Joined: May 18th, 2010, 1:07 pm

Re: Trojan.Dropper

Unread postby jmw3 » May 26th, 2010, 12:54 pm

As your problems appear to have been resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
jmw3
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia