
Microsoft Safety Scanner says I have Bumat!rts


Post by Robert Daoust » October 24th, 2011, 12:33 pm

Hello!

Microsoft Safety Scanner says I have Trojan:Win32/Bumat!rts. I tried to get rid of it by various means, e.g. Dr. Web CureIt, but to no avail. Malwarebytes' Anti-Malware did not find anything either, but it keeps telling me that incoming or outgoing IPs are blocked by its IP protection function. I have also installed HijackThis: it is via their log analysis recommendations that I found your forum. Here follow DDS.txt and Attach.txt. Thank you, have a nice day.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by client at 12:15:59 on 2011-10-24
Microsoft Windows XP Édition familiale 5.1.2600.3.1252.2.1036.18.1014.428 [GMT -4:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\MozyHome\mozystat.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Fichiers communs\MAGIX Services\Database\bin\FABS.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\MozyHome\mozybackup.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
c:\d\s\zi\STacSV.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://en.wikipedia.org/wiki/Special:Watchlist
uURLSearchHooks: H - No File
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Adobe ARM] "c:\program files\fichiers communs\adobe\arm\1.0\AdobeARM.exe"
mRun: [EPSON Stylus CX3800 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /O6 "USB001" /M "Stylus CX3800"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [SunJavaUpdateSched] "c:\program files\fichiers communs\java\java update\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\menudm~1\progra~1\dmarra~1\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\menudm~1\progra~1\dmarra~1\mozyho~1.lnk - c:\program files\mozyhome\mozystat.exe
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windows ... 9787720946
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microso ... 2466217578
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
TCP: DhcpNameServer = 24.201.245.77 24.200.241.37 24.200.243.189
TCP: Interfaces\{8F5F9F19-96CC-429F-861B-B0BB971BE460} : DhcpNameServer = 24.201.245.77 24.200.241.37 24.200.243.189
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [2008-12-1 183824]
R0 iaStor5;Intel RAID Controller;c:\windows\system32\drivers\iastor5.sys [2008-12-1 874240]
R0 iaStor7;Intel AHCI Controller 7;c:\windows\system32\drivers\iastor7.sys [2008-12-1 277784]
R0 iaStor8;Intel AHCI Controller 8;c:\windows\system32\drivers\iastor8.sys [2008-12-1 327192]
R0 m5228;m5228;c:\windows\system32\drivers\m5228.sys [2008-12-1 45069]
R0 m5281;m5281;c:\windows\system32\drivers\m5281.sys [2008-12-1 51072]
R0 m5287;m5287;c:\windows\system32\drivers\m5287.sys [2008-12-1 103680]
R0 m5288;m5288;c:\windows\system32\drivers\m5288.sys [2008-12-1 210304]
R0 m5289;m5289;c:\windows\system32\drivers\m5289.sys [2008-12-1 52480]
R0 SI3112r;ATI-437A Serial ATA Controller;c:\windows\system32\drivers\si3112r.sys [2008-12-1 102528]
R0 SiSRaid4;SiSRaid4;c:\windows\system32\drivers\sisraid4.sys [2008-12-1 68864]
R0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [2008-12-1 17968]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-10-22 442200]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-10-22 320856]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-10-22 20568]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-10-22 44768]
R2 Fabs;FABS - Helping agent for MAGIX media database;c:\program files\fichiers communs\magix services\database\bin\FABS.exe [2009-8-27 1253376]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-10-22 366152]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-10-22 22216]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Service Google Update (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-8-3 136176]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\fichiers communs\magix services\database\bin\fbserver.exe [2008-8-7 3276800]
S3 gupdatem;Service Google Update (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-8-3 136176]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-5 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-10-24 15:19:59 388096 ----a-r- c:\documents and settings\client\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-10-24 15:19:58 -------- d-----w- c:\program files\Trend Micro
2011-10-22 18:15:37 -------- d-----w- c:\documents and settings\client\DoctorWeb
2011-10-22 13:59:30 -------- d-----w- c:\documents and settings\client\application data\Malwarebytes
2011-10-22 13:59:20 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-10-22 13:59:16 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-22 13:59:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-22 06:41:09 442200 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-10-22 06:40:49 41184 ----a-w- c:\windows\avastSS.scr
2011-10-22 06:03:29 -------- d-----w- c:\documents and settings\all users\application data\PC Tools
.
==================== Find3M ====================
.
2011-10-03 09:06:03 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-10-03 06:37:52 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-09-26 15:41:40 614400 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41:40 22528 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-26 15:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-09 09:12:01 606208 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 14:10:01 1859072 ----a-w- c:\windows\system32\win32k.sys
2011-08-22 23:41:31 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:41:29 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:41:29 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56:53 385024 ----a-w- c:\windows\system32\html.iec
2011-08-17 13:49:54 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-08-03 22:14:10 163644 ----a-w- c:\windows\system32\drivers\secdrv.sys
.
============= FINISH: 12:17:05,39 ===============


.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Édition familiale
Boot Device: \Device\HarddiskVolume1
Install Date: 2011-08-03 15:58:06
System Uptime: 2011-10-24 11:43:02 (1 hours ago)
.
Motherboard: Dell Inc. | | 0JC474
Processor: Intel(R) Pentium(R) 4 CPU 3.06GHz | Microprocessor | 3059/533mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 91 GiB total, 53,905 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP2: 2011-10-22 12:24:23 - System Checkpoint
RP3: 2011-10-23 12:40:33 - System Checkpoint
RP4: 2011-10-24 11:19:57 - Installed HiJackThis
.
==== Installed Programs ======================
.
Adobe Reader X (10.1.1) - Français
avast! Free Antivirus
Belarc Advisor 8.2
CCleaner
CDBurnerXP
CoffeeCup Free FTP
Conexant D850 56K V.9x DFVc Modem
Correctif pour Windows XP (KB2443685)
Correctif pour Windows XP (KB2570791)
Correctif pour Windows XP (KB942288-v3)
Correctif pour Windows XP (KB970653-v3)
DScaler 5 Mpeg Decoders
EPSON Logiciel imprimante
Firebird SQL Server - MAGIX Edition
Google Toolbar for Internet Explorer
Google Update Helper
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB954550-v5)
HP Deskjet 3050 J610 series Aide
HP Photo Creations
HP Update
Intel(R) Graphics Media Accelerator Driver
Intel(R) Network Connections Drivers
Java Auto Updater
Java(TM) 6 Update 22
Java(TM) 6 Update 29
Lecteur Windows Media 11
Logiciel de base du périphérique HP Deskjet 3050 J610 series
MAGIX Photo Clinic 4.5 (US)
Malwarebytes' Anti-Malware version 1.51.2.1300
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 2.0 Service Pack 2 Language Pack - FRA
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2 Language Pack - FRA
Microsoft .NET Framework 3.5 Language Pack SP1 - fra
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Client Profile FRA Language Pack
Microsoft .NET Framework 4 Extended
Microsoft .NET Framework 4 Extended FRA Language Pack
Microsoft Office XP Professional avec FrontPage
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Mise à jour de sécurité pour Lecteur Windows Media (KB952069)
Mise à jour de sécurité pour Lecteur Windows Media (KB968816)
Mise à jour de sécurité pour Lecteur Windows Media (KB973540)
Mise à jour de sécurité pour Lecteur Windows Media 11 (KB954154)
Mise à jour de sécurité pour Microsoft Windows (KB2564958)
Mise à jour de sécurité pour Windows Internet Explorer 8 (KB2360131)
Mise à jour de sécurité pour Windows Internet Explorer 8 (KB2510531)
Mise à jour de sécurité pour Windows Internet Explorer 8 (KB2530548)
Mise à jour de sécurité pour Windows Internet Explorer 8 (KB2544521)
Mise à jour de sécurité pour Windows Internet Explorer 8 (KB2559049)
Mise à jour de sécurité pour Windows Internet Explorer 8 (KB2586448)
Mise à jour de sécurité pour Windows Internet Explorer 8 (KB971961)
Mise à jour de sécurité pour Windows Internet Explorer 8 (KB972260)
Mise à jour de sécurité pour Windows Internet Explorer 8 (KB974455)
Mise à jour de sécurité pour Windows Internet Explorer 8 (KB976325)
Mise à jour de sécurité pour Windows Internet Explorer 8 (KB981332)
Mise à jour de sécurité pour Windows XP (KB2393802)
Mise à jour de sécurité pour Windows XP (KB2412687)
Mise à jour de sécurité pour Windows XP (KB2419632)
Mise à jour de sécurité pour Windows XP (KB2423089)
Mise à jour de sécurité pour Windows XP (KB2440591)
Mise à jour de sécurité pour Windows XP (KB2443105)
Mise à jour de sécurité pour Windows XP (KB2476490)
Mise à jour de sécurité pour Windows XP (KB2478960)
Mise à jour de sécurité pour Windows XP (KB2478971)
Mise à jour de sécurité pour Windows XP (KB2479943)
Mise à jour de sécurité pour Windows XP (KB2481109)
Mise à jour de sécurité pour Windows XP (KB2483185)
Mise à jour de sécurité pour Windows XP (KB2485663)
Mise à jour de sécurité pour Windows XP (KB2503665)
Mise à jour de sécurité pour Windows XP (KB2506212)
Mise à jour de sécurité pour Windows XP (KB2507618)
Mise à jour de sécurité pour Windows XP (KB2507938)
Mise à jour de sécurité pour Windows XP (KB2508272)
Mise à jour de sécurité pour Windows XP (KB2508429)
Mise à jour de sécurité pour Windows XP (KB2509553)
Mise à jour de sécurité pour Windows XP (KB2524375)
Mise à jour de sécurité pour Windows XP (KB2535512)
Mise à jour de sécurité pour Windows XP (KB2536276-v2)
Mise à jour de sécurité pour Windows XP (KB2536276)
Mise à jour de sécurité pour Windows XP (KB2544893)
Mise à jour de sécurité pour Windows XP (KB2555917)
Mise à jour de sécurité pour Windows XP (KB2562937)
Mise à jour de sécurité pour Windows XP (KB2566454)
Mise à jour de sécurité pour Windows XP (KB2567053)
Mise à jour de sécurité pour Windows XP (KB2567680)
Mise à jour de sécurité pour Windows XP (KB2570222)
Mise à jour de sécurité pour Windows XP (KB2570947)
Mise à jour de sécurité pour Windows XP (KB2592799)
Mise à jour de sécurité pour Windows XP (KB923561)
Mise à jour de sécurité pour Windows XP (KB923789)
Mise à jour de sécurité pour Windows XP (KB938464-v2)
Mise à jour de sécurité pour Windows XP (KB946648)
Mise à jour de sécurité pour Windows XP (KB950762)
Mise à jour de sécurité pour Windows XP (KB950974)
Mise à jour de sécurité pour Windows XP (KB951066)
Mise à jour de sécurité pour Windows XP (KB951376-v2)
Mise à jour de sécurité pour Windows XP (KB951748)
Mise à jour de sécurité pour Windows XP (KB952004)
Mise à jour de sécurité pour Windows XP (KB952954)
Mise à jour de sécurité pour Windows XP (KB954459)
Mise à jour de sécurité pour Windows XP (KB954600)
Mise à jour de sécurité pour Windows XP (KB955069)
Mise à jour de sécurité pour Windows XP (KB956572)
Mise à jour de sécurité pour Windows XP (KB956744)
Mise à jour de sécurité pour Windows XP (KB956802)
Mise à jour de sécurité pour Windows XP (KB956803)
Mise à jour de sécurité pour Windows XP (KB956844)
Mise à jour de sécurité pour Windows XP (KB957097)
Mise à jour de sécurité pour Windows XP (KB958644)
Mise à jour de sécurité pour Windows XP (KB958687)
Mise à jour de sécurité pour Windows XP (KB959426)
Mise à jour de sécurité pour Windows XP (KB960225)
Mise à jour de sécurité pour Windows XP (KB960803)
Mise à jour de sécurité pour Windows XP (KB960859)
Mise à jour de sécurité pour Windows XP (KB961371-v2)
Mise à jour de sécurité pour Windows XP (KB961371)
Mise à jour de sécurité pour Windows XP (KB961501)
Mise à jour de sécurité pour Windows XP (KB968537)
Mise à jour de sécurité pour Windows XP (KB970238)
Mise à jour de sécurité pour Windows XP (KB971557)
Mise à jour de sécurité pour Windows XP (KB971633)
Mise à jour de sécurité pour Windows XP (KB971657)
Mise à jour de sécurité pour Windows XP (KB971961)
Mise à jour de sécurité pour Windows XP (KB972260)
Mise à jour de sécurité pour Windows XP (KB973346)
Mise à jour de sécurité pour Windows XP (KB973354)
Mise à jour de sécurité pour Windows XP (KB973507)
Mise à jour de sécurité pour Windows XP (KB973869)
Mise à jour pour Windows Internet Explorer 8 (KB2362765)
Mise à jour pour Windows Internet Explorer 8 (KB973874)
Mise à jour pour Windows Internet Explorer 8 (KB975364)
Mise à jour pour Windows Internet Explorer 8 (KB976662)
Mise à jour pour Windows Internet Explorer 8 (KB976749)
Mise à jour pour Windows Internet Explorer 8 (KB980182)
Mise à jour pour Windows Internet Explorer 8 (KB980302)
Mise à jour pour Windows XP (KB2541763)
Mise à jour pour Windows XP (KB2607712)
Mise à jour pour Windows XP (KB2616676)
Mise à jour pour Windows XP (KB971029)
Mise à jour pour Windows XP (KB973815)
Module de compatibilité pour Microsoft Office System 2007
Module linguistique Microsoft .NET Framework 3.5 SP1- fra
Module linguistique Microsoft .NET Framework 4 Client Profile FRA
Module linguistique Microsoft .NET Framework 4 Extended FRA
MozyHome
MSXML 6.0 Parser
OpenOffice.org 3.3
PDFCreator
Sauvegarde des Dossiers personnels Microsoft Outlook
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Module linguistique Microsoft .NET Framework 4 Client Profile FRA (KB2478663)
Security Update for Module linguistique Microsoft .NET Framework 4 Client Profile FRA (KB2518870)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Management Framework Core
Windows Media Format 11 runtime
Windows XP Service Pack 3
.
==== Event Viewer Messages From Past Week ========
.
2011-10-22 15:17:07, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
2011-10-22 14:13:37, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
2011-10-22 14:13:22, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
2011-10-22 14:13:09, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
2011-10-22 14:12:04, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
2011-10-22 14:11:55, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Aavmker4 AFD aswRdr aswSnx aswSP aswTdi BANTExt Fips intelppm IPSec mozyFilter MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
2011-10-22 14:11:55, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
2011-10-22 14:11:55, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
2011-10-22 14:11:55, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBIOS over TCP/IP service which failed to start because of the following error: A device attached to the system is not functioning.
2011-10-22 14:11:55, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
2011-10-22 14:11:48, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
2011-10-22 14:11:13, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
2011-10-22 14:11:06, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
.
==== End Of File ===========================
Robert Daoust
Active Member
 
Posts: 7
Joined: October 24th, 2011, 12:04 pm

Re: Microsoft Safety Scanner says I have Bumat!rts

Post by maxi » October 26th, 2011, 6:03 am

Hello Robert Daoust,

Welcome to the forum!

My name is maxi and I'll be helping you with any malware problems.

Currently I am working under the guidance of the MRU teachers and everything I post to you, must first be approved by them.
This additional review process can add some extra time to my responses, but I will post back with instructions for you as soon as possible.


Before we begin, please read and follow these important guidelines, so things will proceed smoothly.
  1. The instructions being given are for YOUR computer and system only!
    Using these instructions on a different computer can cause damage to that computer and possibly render it inoperable!
  2. You must have Administrator rights, permissions for this computer.
  3. DO NOT run any other fix or removal tools unless instructed to do so!
  4. DO NOT install any other software (or hardware) during the cleaning process. This adds more items to be researched.
  5. Only post your problem at (1) one help site. Applying fixes from multiple help sites can cause problems.
  6. Print each set of instructions if possible - your Internet connection will not be available during some fix processes.
  7. Only reply to this thread, do not start another one. Please, continue responding, until I give you the "All Clean!"
    Absence of symptoms does not mean that everything is clear.

I am currently reviewing your log and will return, as soon as possible, with additional instructions. In the meantime...
Please take time to read the Malware Removal Forum Guidelines and Rules where the conditions for receiving help at this forum are explained.

Please read all instructions carefully before executing and perform the steps, in the order given.
If you have any questions or problems executing these instructions, <<STOP>> do not proceed; post back with the question or problem.
maxi
Retired Graduate
 
Posts: 1262
Joined: September 25th, 2009, 10:17 am
Location: Cork, Ireland.

Re: Microsoft Safety Scanner says I have Bumat!rts

Post by Robert Daoust » October 26th, 2011, 9:19 am

Thank you maxi. I'll do everything you ask.
Robert Daoust
Active Member
 
Posts: 7
Joined: October 24th, 2011, 12:04 pm

Re: Microsoft Safety Scanner says I have Bumat!rts

Post by maxi » October 26th, 2011, 6:37 pm

Hi Robert Daoust,

I don't see too much in your log, but we'll have a closer look. Does Microsoft Safety Scanner give you the file name and file path of the file it is detecting? If so, could you post it in your next reply, please.

Step 1
Please download OTL by Old Timer and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
  • Please post the contents of these 2 Notepad files in your next reply.

Step 2
Please download GMER Rootkit Scanner from Here.
  • Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All << (don't miss this one)
    (Screenshot of the GMER scan options panel not reproduced here.)

  • Then click the Scan button & wait for it to finish
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
  • Save it where you can easily find it, such as your desktop, and post it in your next reply
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

Note: Do not run any programs while Gmer is running.


In your next reply please include:
The OTL logs.
The Gmer log.
The file name and file path of the file detected by Microsoft Safety Scanner.

Regards maxi :)
maxi
Retired Graduate
 
Posts: 1262
Joined: September 25th, 2009, 10:17 am
Location: Cork, Ireland.
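Reading a DDS or OTL log the way maxi does above is mostly a matter of checking each entry against a few fixed questions: is the executable where software of that kind normally lives, does the autostart entry still point at a file, does the service binary exist and carry a company name, and which DNS servers is the box really using. The Python below is an added illustration of those checks and is not code from this thread or from DDS, OTL, GMER or any other tool it names. It parses the DDS and OTL line formats shown in the posts above; the TRUSTED_ROOTS list and the finding categories are my own assumptions. A hit is a prompt to verify, not a verdict: the `c:\d\s\zi\STacSV.exe` entry it flags is attributed to IDT, Inc. in the OTL log, which is exactly the kind of thing a helper then confirms by hand.

```python
"""Triage helper for DDS / OTL style logs (added illustration, not a thread tool).

Automates a few of the checks a log helper does by eye: executables running
from unexpected directories, orphaned autostart entries, service or driver
binaries that are missing or carry no company name, and the DNS servers the
machine is actually using. A hit is a prompt to verify the file, not a verdict.
"""
import re

# Directories where code is normally expected on a Windows XP box. The list is
# an assumption for this example; extend it for the machine being examined.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")

SECTION = re.compile(r"^=+\s*(?P<name>[^=]+?)\s*=+$")
DRIVE_PATH = re.compile(r"^[a-z]:\\", re.I)
# DDS service line:   R0 name;display name;c:\path\file.sys [date size]
DDS_SERVICE = re.compile(r"^[RS]\d\s+[^;]+;[^;]*;(?P<path>.+?)\s\[")
# OTL line:  SRV - (name) -- c:\path\file.exe (Company)   or   PRC - c:\path (Company)
OTL_ENTRY = re.compile(
    r"^(?:SRV|DRV|PRC|MOD) - (?:\([^)]*\) -- )?(?P<path>.+?)(?: \((?P<company>[^)]*)\))?$"
)


def in_trusted_root(path):
    """True if the path sits under one of the expected directories (case-insensitive)."""
    return path.lower().startswith(TRUSTED_ROOTS)


def triage(log_text):
    """Return (finding, detail) pairs for entries that deserve a second look."""
    findings = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION.match(line)
        if m:
            section = m.group("name").lower()
            continue

        if "processes" in section:
            m = OTL_ENTRY.match(line)
            if m:
                path = m.group("path")
            elif DRIVE_PATH.match(line):
                # Drop switches such as " -k netsvcs" to keep only the image path.
                path = re.split(r"\s+[-/]", line, maxsplit=1)[0]
            else:
                continue  # DDS prints some svchost instances without a path
            if not in_trusted_root(path):
                findings.append(("process outside trusted roots", line))

        elif "hjt" in section or "internet explorer" in section:
            if any(k in line for k in ("<NO NAME>", "No File", "No CLSID value found")):
                findings.append(("orphaned autostart entry", line))
            elif line.startswith("TCP: DhcpNameServer"):
                findings.append(("dns servers in use", line.split("=", 1)[1].strip()))

        elif "services" in section or "driver" in section:
            m = DDS_SERVICE.match(line) or OTL_ENTRY.match(line)
            if not m:
                continue
            path = m.group("path")
            company = m.groupdict().get("company")  # None for DDS lines
            if path.lower() == "file not found":
                findings.append(("service binary missing", line))
            elif not in_trusted_root(path):
                findings.append(("service binary outside trusted roots", line))
            elif company == "":
                findings.append(("no company name on binary", line))
    return findings


# Sample lines copied from the DDS and OTL logs posted in this thread (trimmed).
SAMPLE_LOG = r"""
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
c:\d\s\zi\STacSV.exe
============== Pseudo HJT Report ===============
uURLSearchHooks: H - No File
mRun: [<NO NAME>]
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
TCP: DhcpNameServer = 24.201.245.77 24.200.241.37 24.200.243.189
============= SERVICES / DRIVERS ===============
R0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [2008-12-1 17968]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-10-22 366152]
========== Win32 Services (SafeList) ==========
SRV - (AppMgmt) -- File not found
SRV - (NMSAccessU) -- C:\Program Files\CDBurnerXP\NMSAccessU.exe ()
SRV - (STacSV) -- c:\D\S\zi\stacsv.exe (IDT, Inc.)
"""

if __name__ == "__main__":
    for finding, detail in triage(SAMPLE_LOG):
        print(f"{finding:38s} {detail}")
```

Run it as a script to print the findings for the sample, or call `triage()` on a full DDS.txt or OTL.txt. On the sample it reports the process and service entries under `c:\d\s\zi`, the two orphaned Run/URLSearchHook entries, the missing AppMgmt binary, the CDBurnerXP service with no company name, and the three DNS servers; nothing in the DDS service list is flagged because every binary sits under the Windows or Program Files tree.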

Re: Microsoft Safety Scanner says I have Bumat!rts

Post by Robert Daoust » October 27th, 2011, 2:46 pm

Thanks, maxi. Here are the logs you asked for. About Microsoft Safety Scanner, it only says that I have one infected file, and when I ask to see the detailed scan results it only says, without giving a file name or file path:
Malicious software: Trojan:Win32/Bumat!rts
Scan results: Partially removed
I may add that in the result above, "Trojan:Win32/Bumat!rts" is a clickable word with a hyperlink that leads to http://www.microsoft.com/security/porta ... fBumat!rts

OTL logfile created on: 2011-10-27 12:44:26 - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\client\Bureau
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000C0C | Country: Canada | Language: FRC | Date Format: yyyy-MM-dd

1014,08 Mb Total Physical Memory | 529,94 Mb Available Physical Memory | 52,26% Memory free
1,65 Gb Paging File | 1,28 Gb Available in Paging File | 77,51% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 90,76 Gb Total Space | 53,33 Gb Free Space | 58,77% Space Free | Partition Type: NTFS

Computer Name: CLIEN | User Name: client | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\client\Bureau\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\MozyHome\mozystat.exe (Mozy, Inc.)
PRC - C:\Program Files\AVAST Software\Avast\AvastUI.exe (AVAST Software)
PRC - C:\Program Files\AVAST Software\Avast\AvastSvc.exe (AVAST Software)
PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
PRC - C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\Fichiers communs\MAGIX Services\Database\bin\FABS.exe (MAGIX AG)
PRC - C:\Program Files\CDBurnerXP\NMSAccessU.exe ()
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - c:\D\S\zi\stacsv.exe (IDT, Inc.)


========== Modules (No Company Name) ==========

MOD - C:\Program Files\AVAST Software\Avast\defs\11102700\algo.dll ()
MOD - C:\Program Files\AVAST Software\Avast\defs\11102700\aswRep.dll ()
MOD - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\PDFShell.FRA ()
MOD - C:\Program Files\CDBurnerXP\NMSAccessU.exe ()
MOD - C:\WINDOWS\system32\pdfcmnnt.dll ()


========== Win32 Services (SafeList) ==========

SRV - (AppMgmt) -- File not found
SRV - (avast! Antivirus) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe (AVAST Software)
SRV - (MBAMService) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
SRV - (Fabs) -- C:\Program Files\Fichiers communs\MAGIX Services\Database\bin\FABS.exe (MAGIX AG)
SRV - (NMSAccessU) -- C:\Program Files\CDBurnerXP\NMSAccessU.exe ()
SRV - (FirebirdServerMAGIXInstance) -- C:\Program Files\Fichiers communs\MAGIX Services\Database\bin\fbserver.exe (MAGIX®)
SRV - (STacSV) -- c:\D\S\zi\stacsv.exe (IDT, Inc.)


========== Driver Services (SafeList) ==========

DRV - (aswSnx) -- C:\WINDOWS\System32\drivers\aswSnx.sys (AVAST Software)
DRV - (aswSP) -- C:\WINDOWS\System32\drivers\aswSP.sys (AVAST Software)
DRV - (aswRdr) -- C:\WINDOWS\System32\drivers\aswRdr.sys (AVAST Software)
DRV - (aswTdi) -- C:\WINDOWS\System32\drivers\aswTdi.sys (AVAST Software)
DRV - (aswMon2) -- C:\WINDOWS\System32\drivers\aswmon2.sys (AVAST Software)
DRV - (aswFsBlk) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys (AVAST Software)
DRV - (Aavmker4) -- C:\WINDOWS\System32\drivers\aavmker4.sys (AVAST Software)
DRV - (MBAMProtector) -- C:\WINDOWS\system32\drivers\mbam.sys (Malwarebytes Corporation)
DRV - (iaStor8) -- C:\WINDOWS\system32\drivers\iastor8.sys (Intel Corporation)
DRV - (ahcix86) -- C:\WINDOWS\system32\drivers\ahcix86.sys (AMD Technologies Inc.)
DRV - (nvgts) -- C:\WINDOWS\system32\DRIVERS\nvgts.sys (NVIDIA Corporation)
DRV - (nvrd32) -- C:\WINDOWS\system32\DRIVERS\nvrd32.sys (NVIDIA Corporation)
DRV - (JRAID) -- C:\WINDOWS\system32\DRIVERS\jraid.sys (JMicron Technology Corp.)
DRV - (BANTExt) -- C:\WINDOWS\System32\Drivers\BANTExt.sys ()
DRV - (STHDA) -- C:\WINDOWS\system32\drivers\sthda.sys (IDT, Inc.)
DRV - (nvatabus) -- C:\WINDOWS\system32\DRIVERS\nvatabus.sys (NVIDIA Corporation)
DRV - (vmscsi) -- C:\WINDOWS\system32\DRIVERS\vmscsi.sys (VMware, Inc.)
DRV - (iaStor7) -- C:\WINDOWS\system32\drivers\iastor7.sys (Intel Corporation)
DRV - (SI3112r) -- C:\WINDOWS\system32\DRIVERS\SI3112r.sys (Silicon Image, Inc)
DRV - (SiFilter) -- C:\WINDOWS\system32\DRIVERS\SiWinAcc.sys (Silicon Image, Inc.)
DRV - (m5288) -- C:\WINDOWS\system32\DRIVERS\m5288.sys (ULi Electronics Inc.)
DRV - (iaStor5) -- C:\WINDOWS\system32\drivers\iastor5.sys (Intel Corporation)
DRV - (m5287) -- C:\WINDOWS\system32\DRIVERS\m5287.sys (ULi Electronics Inc.)
DRV - (m5289) -- C:\WINDOWS\system32\DRIVERS\m5289.sys (ULi Electronics Inc.)
DRV - (SiSRaid) -- C:\WINDOWS\system32\DRIVERS\SiSRaid.sys (Silicon Integrated Systems)
DRV - (m5281) -- C:\WINDOWS\system32\DRIVERS\m5281.sys (ALi Corporation)
DRV - (m5228) -- C:\WINDOWS\system32\DRIVERS\m5228.sys (ALi Corporation.)
DRV - (HSFHWBS2) -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys (Conexant Systems, Inc.)
DRV - (winachsf) -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys (Conexant Systems, Inc.)
DRV - (HSF_DP) -- C:\WINDOWS\system32\drivers\HSF_DP.sys (Conexant Systems, Inc.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-3897032687-2156569484-1011630684-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.weatheroffice.gc.ca/city/pag ... ric_f.html
IE - HKU\S-1-5-21-3897032687-2156569484-1011630684-1004\..\URLSearchHook: {472734EA-242A-422b-ADF8-83D1E48CC825} - No CLSID value found
IE - HKU\S-1-5-21-3897032687-2156569484-1011630684-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)



O1 HOSTS File: ([2004-08-05 08:00:00 | 000,000,790 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Fichiers communs\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [EPSON Stylus CX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE (SEIKO EPSON CORPORATION)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage\MozyHome Etat.lnk = C:\Program Files\MozyHome\mozystat.exe (Mozy, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3897032687-2156569484-1011630684-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll (Google Inc.)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windows ... 9787720946 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microso ... 2466217578 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_29)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 24.201.245.77 24.200.241.37 24.200.243.189
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{8F5F9F19-96CC-429F-861B-B0BB971BE460}: DhcpNameServer = 24.201.245.77 24.200.241.37 24.200.243.189
O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Fichiers communs\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Fichiers communs\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Fichiers communs\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Fichiers communs\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop Components:0 (Ma page d'accueil) - About:Home
O24 - Desktop WallPaper: C:\Documents and Settings\client\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\client\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009-09-15 12:14:28 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{aeb58df9-bebe-11e0-bb5b-001676a14cbe}\Shell - "" = AutoRun
O33 - MountPoints2\{aeb58df9-bebe-11e0-bb5b-001676a14cbe}\Shell\AutoRun\command - "" = E:\laucher.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011-10-27 12:38:16 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\client\Bureau\OTL.exe
[2011-10-25 08:31:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Google Chrome
[2011-10-24 12:16:00 | 000,000,000 | R--D | C] -- C:\Documents and Settings\client\Menu Démarrer\Programmes\Outils d'administration
[2011-10-24 12:16:00 | 000,000,000 | R--D | C] -- C:\Documents and Settings\client\Mes documents\Mes vidéos
[2011-10-24 12:16:00 | 000,000,000 | R--D | C] -- C:\Documents and Settings\client\Mes documents\Mes images
[2011-10-24 12:16:00 | 000,000,000 | R--D | C] -- C:\Documents and Settings\client\Mes documents\Ma musique
[2011-10-24 12:11:18 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\client\Bureau\dds.scr
[2011-10-24 11:42:12 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\client\Recent
[2011-10-24 11:19:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\client\Menu Démarrer\Programmes\HiJackThis
[2011-10-24 11:19:58 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2011-10-22 14:15:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\client\DoctorWeb
[2011-10-22 10:53:15 | 000,000,000 | ---D | C] -- C:\Program Files\Fichiers communs\Java
[2011-10-22 10:52:48 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2011-10-22 10:52:48 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2011-10-22 10:52:48 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2011-10-22 09:59:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\client\Application Data\Malwarebytes
[2011-10-22 09:59:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Malwarebytes' Anti-Malware
[2011-10-22 09:59:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011-10-22 09:59:16 | 000,022,216 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011-10-22 09:59:15 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011-10-22 02:41:13 | 000,020,568 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2011-10-22 02:41:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Menu Démarrer\Programmes\avast! Free Antivirus
[2011-10-22 02:41:12 | 000,320,856 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2011-10-22 02:41:10 | 000,034,392 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2011-10-22 02:41:09 | 000,442,200 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSnx.sys
[2011-10-22 02:41:09 | 000,052,568 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2011-10-22 02:41:08 | 000,110,552 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2011-10-22 02:41:08 | 000,104,536 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2011-10-22 02:41:08 | 000,030,808 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2011-10-22 02:40:49 | 000,041,184 | ---- | C] (AVAST Software) -- C:\WINDOWS\avastSS.scr
[2011-10-22 02:40:48 | 000,199,304 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\aswBoot.exe
[2011-10-22 02:07:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2011-10-22 02:03:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PC Tools
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011-10-27 12:47:00 | 000,000,434 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{1DA70E43-7BEC-4BBD-A96C-EC98C3A02EAC}.job
[2011-10-27 12:38:51 | 000,302,592 | ---- | M] () -- C:\Documents and Settings\client\Bureau\ztlw0wzh.exe
[2011-10-27 12:38:24 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\client\Bureau\OTL.exe
[2011-10-27 12:34:47 | 000,002,577 | ---- | M] () -- C:\Documents and Settings\client\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Word (2).lnk
[2011-10-27 12:06:01 | 000,001,056 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011-10-27 11:35:53 | 000,001,052 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011-10-27 11:35:39 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011-10-27 06:17:59 | 000,069,638 | ---- | M] () -- C:\Documents and Settings\client\Mes documents\Another Description of the Geodemocracy.mht
[2011-10-26 09:09:50 | 000,012,598 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011-10-25 20:24:04 | 000,122,089 | ---- | M] () -- C:\Documents and Settings\client\Mes documents\Unpleasantness.pdf
[2011-10-25 08:31:24 | 000,001,813 | ---- | M] () -- C:\Documents and Settings\All Users\Bureau\Google Chrome.lnk
[2011-10-24 14:39:59 | 000,009,390 | ---- | M] () -- C:\WINDOWS\mozy.flt
[2011-10-24 14:39:59 | 000,004,632 | ---- | M] () -- C:\WINDOWS\mozy.blk
[2011-10-24 12:37:12 | 000,002,449 | ---- | M] () -- C:\Documents and Settings\client\Bureau\HiJackThis.lnk
[2011-10-24 12:11:25 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\client\Bureau\dds.scr
[2011-10-23 18:13:22 | 000,452,813 | ---- | M] () -- C:\Documents and Settings\client\Mes documents\Journal of Consciousness Studies -Pain 111023.mht
[2011-10-22 14:05:58 | 079,451,872 | ---- | M] () -- C:\Documents and Settings\client\Bureau\cureit-201110222232.exe
[2011-10-22 11:10:28 | 000,000,815 | ---- | M] () -- C:\Documents and Settings\client\Application Data\Microsoft\Internet Explorer\Quick Launch\Démarrer Internet Explorer.lnk
[2011-10-22 11:09:55 | 000,000,104 | ---- | M] () -- C:\Documents and Settings\client\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Outlook (2).lnk
[2011-10-22 11:09:45 | 000,000,104 | ---- | M] () -- C:\Documents and Settings\client\Bureau\Microsoft Outlook (2).lnk
[2011-10-22 09:59:21 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Bureau\Malwarebytes' Anti-Malware.lnk
[2011-10-22 02:41:13 | 000,001,689 | ---- | M] () -- C:\Documents and Settings\All Users\Bureau\avast! Free Antivirus.lnk
[2011-10-22 02:41:09 | 000,003,120 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2011-10-22 02:12:18 | 000,649,312 | ---- | M] () -- C:\WINDOWS\System32\drivers\Cat.DB
[2011-10-21 23:05:15 | 000,000,682 | ---- | M] () -- C:\Documents and Settings\All Users\Bureau\CCleaner.lnk
[2011-10-18 09:59:39 | 001,213,710 | ---- | M] () -- C:\Documents and Settings\client\Mes documents\Why did Wikipedia succeed while other encyclopedias failed111020.mht
[2011-10-17 17:31:48 | 000,214,016 | ---- | M] () -- C:\Documents and Settings\client\Application Data\SharedSettings.ccs
[2011-10-17 17:31:23 | 000,002,377 | ---- | M] () -- C:\Documents and Settings\client\Bureau\CoffeeCup Free FTP.lnk
[2011-10-17 17:28:45 | 000,002,553 | ---- | M] () -- C:\Documents and Settings\client\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft FrontPage.lnk
[2011-10-12 09:37:06 | 000,566,214 | ---- | M] () -- C:\WINDOWS\System32\perfh00C.dat
[2011-10-12 09:37:06 | 000,493,950 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011-10-12 09:37:06 | 000,100,670 | ---- | M] () -- C:\WINDOWS\System32\perfc00C.dat
[2011-10-12 09:37:06 | 000,084,494 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011-10-11 18:30:48 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage\MozyHome Etat.lnk
[2011-10-11 17:07:08 | 000,160,344 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011-10-05 09:36:48 | 000,000,402 | ---- | M] () -- C:\Documents and Settings\client\Application Data\Microsoft\Internet Explorer\Quick Launch\Raccourci (2) vers Connexion au réseau local.lnk
[2011-10-03 05:06:16 | 000,157,472 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2011-10-03 05:06:15 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2011-10-03 05:06:14 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2011-10-03 05:06:03 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2011-10-03 04:34:10 | 005,971,456 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mshtml.dll
[2011-10-03 02:37:52 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2011-09-28 19:57:13 | 000,000,030 | ---- | M] () -- C:\WINDOWS\rcwin.ini
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011-10-27 12:38:50 | 000,302,592 | ---- | C] () -- C:\Documents and Settings\client\Bureau\ztlw0wzh.exe
[2011-10-27 06:17:58 | 000,069,638 | ---- | C] () -- C:\Documents and Settings\client\Mes documents\Another Description of the Geodemocracy.mht
[2011-10-25 20:24:04 | 000,122,089 | ---- | C] () -- C:\Documents and Settings\client\Mes documents\Unpleasantness.pdf
[2011-10-25 08:31:24 | 000,001,813 | ---- | C] () -- C:\Documents and Settings\All Users\Bureau\Google Chrome.lnk
[2011-10-24 11:19:59 | 000,002,449 | ---- | C] () -- C:\Documents and Settings\client\Bureau\HiJackThis.lnk
[2011-10-23 18:13:21 | 000,452,813 | ---- | C] () -- C:\Documents and Settings\client\Mes documents\Journal of Consciousness Studies -Pain 111023.mht
[2011-10-22 14:05:51 | 079,451,872 | ---- | C] () -- C:\Documents and Settings\client\Bureau\cureit-201110222232.exe
[2011-10-22 11:10:28 | 000,000,815 | ---- | C] () -- C:\Documents and Settings\client\Application Data\Microsoft\Internet Explorer\Quick Launch\Démarrer Internet Explorer.lnk
[2011-10-22 11:09:55 | 000,000,104 | ---- | C] () -- C:\Documents and Settings\client\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Outlook (2).lnk
[2011-10-22 11:09:45 | 000,000,104 | ---- | C] () -- C:\Documents and Settings\client\Bureau\Microsoft Outlook (2).lnk
[2011-10-22 09:59:21 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Bureau\Malwarebytes' Anti-Malware.lnk
[2011-10-22 02:41:13 | 000,001,689 | ---- | C] () -- C:\Documents and Settings\All Users\Bureau\avast! Free Antivirus.lnk
[2011-10-22 02:12:11 | 000,649,312 | ---- | C] () -- C:\WINDOWS\System32\drivers\Cat.DB
[2011-10-18 09:59:36 | 001,213,710 | ---- | C] () -- C:\Documents and Settings\client\Mes documents\Why did Wikipedia succeed while other encyclopedias failed111020.mht
[2011-10-05 09:36:48 | 000,000,402 | ---- | C] () -- C:\Documents and Settings\client\Application Data\Microsoft\Internet Explorer\Quick Launch\Raccourci (2) vers Connexion au réseau local.lnk
[2011-10-02 13:55:18 | 000,002,553 | ---- | C] () -- C:\Documents and Settings\client\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft FrontPage.lnk
[2011-09-21 18:05:57 | 000,005,729 | ---- | C] () -- C:\WINDOWS\mgxoschk.ini
[2011-09-18 18:09:58 | 000,116,224 | ---- | C] () -- C:\WINDOWS\System32\pdfcmnnt.dll
[2011-09-13 21:10:47 | 000,214,016 | ---- | C] () -- C:\Documents and Settings\client\Application Data\SharedSettings.ccs
[2011-08-09 22:36:55 | 000,003,840 | ---- | C] () -- C:\WINDOWS\System32\drivers\BANTExt.sys
[2011-08-03 22:01:56 | 000,000,385 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2011-08-03 18:16:13 | 000,000,030 | ---- | C] () -- C:\WINDOWS\rcwin.ini
[2010-11-02 14:21:08 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2009-12-21 10:50:15 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4764.dll
[2009-09-15 15:22:56 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2009-09-15 14:22:30 | 000,000,555 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2009-09-15 12:16:08 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2009-09-15 12:13:03 | 000,021,892 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2009-09-15 08:08:51 | 000,004,205 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2009-09-15 08:08:23 | 000,160,344 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2007-04-27 10:43:58 | 000,120,200 | ---- | C] () -- C:\WINDOWS\System32\DLLDEV32i.dll
[2004-08-05 08:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2004-08-05 08:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004-08-05 08:00:00 | 000,566,214 | ---- | C] () -- C:\WINDOWS\System32\perfh00C.dat
[2004-08-05 08:00:00 | 000,493,950 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004-08-05 08:00:00 | 000,322,810 | ---- | C] () -- C:\WINDOWS\System32\perfi00C.dat
[2004-08-05 08:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004-08-05 08:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004-08-05 08:00:00 | 000,100,670 | ---- | C] () -- C:\WINDOWS\System32\perfc00C.dat
[2004-08-05 08:00:00 | 000,084,494 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004-08-05 08:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004-08-05 08:00:00 | 000,034,108 | ---- | C] () -- C:\WINDOWS\System32\perfd00C.dat
[2004-08-05 08:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004-08-05 08:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004-08-05 08:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004-08-05 08:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004-08-05 08:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

========== Alternate Data Streams ==========

@Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2

< End of report >

OTL Extras logfile created on: 2011-10-27 12:44:26 - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\client\Bureau
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000C0C | Country: Canada | Language: FRC | Date Format: yyyy-MM-dd

1014,08 Mb Total Physical Memory | 529,94 Mb Available Physical Memory | 52,26% Memory free
1,65 Gb Paging File | 1,28 Gb Available in Paging File | 77,51% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 90,76 Gb Total Space | 53,33 Gb Free Space | 58,77% Space Free | Partition Type: NTFS

Computer Name: CLIEN | User Name: client | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"5985:TCP" = 5985:TCP:*:Disabled:Gestion à distance de Windows
"80:TCP" = 80:TCP:*:Disabled:Gestion à distance de Windows - Mode de compatibilité (HTTP-Entrée)
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\HP\HP Deskjet 3050 J610 series\Bin\DeviceSetup.exe" = C:\Program Files\HP\HP Deskjet 3050 J610 series\Bin\DeviceSetup.exe:LocalSubNet:Enabled:Configuration du périphérique HP -- (Hewlett-Packard Co.)
"C:\Program Files\HP\HP Deskjet 3050 J610 series\Bin\HPNetworkCommunicator.exe" = C:\Program Files\HP\HP Deskjet 3050 J610 series\Bin\HPNetworkCommunicator.exe:LocalSubNet:Enabled:Communicateur réseau HP -- (Hewlett-Packard Co.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}" = PDFCreator
"{043F86B7-EE12-3399-B2CA-D0B603D87963}" = Microsoft .NET Framework 4 Extended FRA Language Pack
"{05653DE1-6567-40C6-B930-39D399B64369}" = OpenOffice.org 3.3
"{0A0CADCF-78DA-33C4-A350-CD51849B9702}" = Microsoft .NET Framework 4 Extended
"{0BD83598-C2EF-3343-847B-7D2E84599128}" = Microsoft .NET Framework 3.0 Service Pack 2 Language Pack - FRA
"{0F5B4A82-9DAF-3D13-8CB8-AEB25E4A614E}" = Microsoft .NET Framework 4 Client Profile FRA Language Pack
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216022F0}" = Java(TM) 6 Update 22
"{26A24AE4-039D-4CA4-87B4-2F83216026FF}" = Java(TM) 6 Update 29
"{34EB6245-C8D0-4D8A-B8D8-EEBFF7A91485}" = Firebird SQL Server - MAGIX Edition
"{350C940c-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3E31821C-7917-367E-938E-E65FC413EA31}" = Microsoft .NET Framework 3.5 Language Pack SP1 - fra
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{66F43DBE-6D46-4BCE-831D-0D4C13639BE8}" = CoffeeCup Free FTP
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{72AD53CC-CCC0-3757-8480-9EE176866A7C}" = Microsoft .NET Framework 2.0 Service Pack 2 Language Pack - FRA
"{7E265513-8CDA-4631-B696-F40D983F3B07}_is1" = CDBurnerXP
"{90120000-0020-040C-0000-0000000FF1CE}" = Module de compatibilité pour Microsoft Office System 2007
"{9028040C-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional avec FrontPage
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1036-7B44-AA1000000001}" = Adobe Reader X (10.1.1) - Français
"{B0069CFA-5BB9-4C03-B1C6-89CE290E5AFE}" = HP Update
"{BD88845C-00DF-43F2-97D1-E71C408FB5CC}" = Logiciel de base du périphérique HP Deskjet 3050 J610 series
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C63E7C60-25EB-11D3-8EDA-00A0C911E8E5}" = Sauvegarde des Dossiers personnels Microsoft Outlook
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D5F02102-C0FD-D252-FA0F-45936D3B66B4}" = MozyHome
"{EA2D9BC0-75E9-4975-9A0A-DD82198DDC53}" = MSXML 6.0 Parser
"{F7632A9B-661E-4FD9-B1A4-3B86BC99847F}" = HP Deskjet 3050 J610 series Aide
"avast" = avast! Free Antivirus
"Belarc Advisor" = Belarc Advisor 8.2
"CCleaner" = CCleaner
"CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1" = Conexant D850 56K V.9x DFVc Modem
"DScaler 5 Mpeg Decoders_is1" = DScaler 5 Mpeg Decoders
"EPSON Printer and Utilities" = EPSON Logiciel imprimante
"Google Chrome" = Google Chrome
"HDMI" = Intel(R) Graphics Media Accelerator Driver
"HP Photo Creations" = HP Photo Creations
"ie8" = Windows Internet Explorer 8
"MAGIX Photo Clinic 4.5 US" = MAGIX Photo Clinic 4.5 (US)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.2.1300
"Microsoft .NET Framework 3.5 Language Pack SP1 - fra" = Module linguistique Microsoft .NET Framework 3.5 SP1- fra
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Client Profile FRA Language Pack" = Module linguistique Microsoft .NET Framework 4 Client Profile FRA
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"Microsoft .NET Framework 4 Extended FRA Language Pack" = Module linguistique Microsoft .NET Framework 4 Extended FRA
"PROSet" = Intel(R) Network Connections Drivers
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Lecteur Windows Media 11
"Windows XP Service" = Windows XP Service Pack 3

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 2011-08-31 10:17:37 | Computer Name = CLIEN | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module shlwapi.dll, version 6.0.2900.5912, fault address 0x00006fc4.

Error - 2011-09-06 19:53:26 | Computer Name = CLIEN | Source = Application Hang | ID = 1002
Description = Application bloquée AcroRd32.exe, version 10.1.0.534, module bloqué
hungapp, version 0.0.0.0, adresse de blocage 0x00000000.

Error - 2011-09-18 18:33:37 | Computer Name = CLIEN | Source = Application Error | ID = 1000
Description = Application défaillante iexplore.exe, version 8.0.6001.18702, module
défaillant mshtml.dll, version 8.0.6001.19120, adresse de défaillance 0x000de3dd.

Error - 2011-09-21 17:49:07 | Computer Name = CLIEN | Source = MsiInstaller | ID = 11931
Description = Produkt: MSXML 6.0 Parser -- Fehler 1931. Der Windows Installer-Dienst
kann die Systemdatei C:\WINDOWS\system32\msxml6r.dll nicht aktualisieren, weil
die Datei von Windows geschützt wird. Sie müssen möglicherweise das Betriebssystem
aktualisieren, damit dieses Programm korrekt funktionieren kann. Paketversion:
6.0.3883.0, vom System geschützte Version: 6.0.3883.0

Error - 2011-09-22 10:27:07 | Computer Name = CLIEN | Source = VSS | ID = 12289
Description = Erreur du service de cliché instantané des volumes : erreur inattendue
CreateFileW(\\?\Volume{e61350db-be08-11e0-bb52-806d6172696f},0xc0000000,0x00000003,...).
hr = 0x80070005.

Error - 2011-09-23 10:07:47 | Computer Name = CLIEN | Source = VSS | ID = 12289
Description = Erreur du service de cliché instantané des volumes : erreur inattendue
CreateFileW(\\?\Volume{e61350db-be08-11e0-bb52-806d6172696f},0xc0000000,0x00000003,...).
hr = 0x80070005.

Error - 2011-09-25 09:12:56 | Computer Name = CLIEN | Source = VSS | ID = 12289
Description = Erreur du service de cliché instantané des volumes : erreur inattendue
CreateFileW(\\?\Volume{e61350db-be08-11e0-bb52-806d6172696f},0xc0000000,0x00000003,...).
hr = 0x80070005.

Error - 2011-09-26 12:20:26 | Computer Name = CLIEN | Source = VSS | ID = 12289
Description = Erreur du service de cliché instantané des volumes : erreur inattendue
CreateFileW(\\?\Volume{e61350db-be08-11e0-bb52-806d6172696f},0xc0000000,0x00000003,...).
hr = 0x80070005.

Error - 2011-09-27 06:50:32 | Computer Name = CLIEN | Source = VSS | ID = 12289
Description = Erreur du service de cliché instantané des volumes : erreur inattendue
CreateFileW(\\?\Volume{e61350db-be08-11e0-bb52-806d6172696f},0xc0000000,0x00000003,...).
hr = 0x80070005.

Error - 2011-09-27 22:17:58 | Computer Name = CLIEN | Source = VSS | ID = 12289
Description = Erreur du service de cliché instantané des volumes : erreur inattendue
CreateFileW(\\?\Volume{e61350db-be08-11e0-bb52-806d6172696f},0xc0000000,0x00000003,...).
hr = 0x80070005.

[ System Events ]
Error - 2011-10-22 14:11:55 | Computer Name = CLIEN | Source = Service Control Manager | ID = 7001
Description = Le service Client DHCP dépend du service NetBIOS sur TCP/IP qui n'a
pas pu démarrer en raison de l'erreur : %%31

Error - 2011-10-22 14:11:55 | Computer Name = CLIEN | Source = Service Control Manager | ID = 7001
Description = Le service Client DNS dépend du service Pilote du protocole TCP/IP
qui n'a pas pu démarrer en raison de l'erreur : %%31

Error - 2011-10-22 14:11:55 | Computer Name = CLIEN | Source = Service Control Manager | ID = 7001
Description = Le service Assistance TCP/IP NetBIOS dépend du service AFD qui n'a
pas pu démarrer en raison de l'erreur : %%31

Error - 2011-10-22 14:11:55 | Computer Name = CLIEN | Source = Service Control Manager | ID = 7001
Description = Le service Services IPSEC dépend du service Pilote IPSEC qui n'a pas
pu démarrer en raison de l'erreur : %%31

Error - 2011-10-22 14:11:55 | Computer Name = CLIEN | Source = Service Control Manager | ID = 7026
Description = Le pilote de démarrage système ou d'amorçage suivant n'a pas pu se
charger : Aavmker4 AFD aswRdr aswSnx aswSP aswTdi BANTExt Fips intelppm IPSec mozyFilter MRxSmb
NetBIOS
NetBT
RasAcd
Rdbss
Tcpip

Error - 2011-10-22 14:12:04 | Computer Name = CLIEN | Source = DCOM | ID = 10005
Description = DCOM a reçu l'erreur "%1084" lors de la mise en route du service StiSvc
avec les arguments "" pour démarrer le serveur : {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 2011-10-22 14:13:09 | Computer Name = CLIEN | Source = DCOM | ID = 10005
Description = DCOM a reçu l'erreur "%1084" lors de la mise en route du service EventSystem
avec les arguments "" pour démarrer le serveur : {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 2011-10-22 14:13:22 | Computer Name = CLIEN | Source = DCOM | ID = 10005
Description = DCOM a reçu l'erreur "%1084" lors de la mise en route du service netman
avec les arguments "" pour démarrer le serveur : {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 2011-10-22 14:13:37 | Computer Name = CLIEN | Source = DCOM | ID = 10005
Description = DCOM a reçu l'erreur "%1084" lors de la mise en route du service EventSystem
avec les arguments "" pour démarrer le serveur : {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 2011-10-22 15:17:07 | Computer Name = CLIEN | Source = DCOM | ID = 10005
Description = DCOM a reçu l'erreur "%1084" lors de la mise en route du service EventSystem
avec les arguments "" pour démarrer le serveur : {1BE1F766-5536-11D1-B726-00C04FB926AF}


< End of report >

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-10-27 14:06:38
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e WDC_WD1600JS-75NCB3 rev.10.02E04
Running: ztlw0wzh.exe; Driver: C:\DOCUME~1\client\LOCALS~1\Temp\axtdqpow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0xAA357374]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0xAA3BE2B8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwClose [0xAA37B829]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0xAA359996]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0xAA3599EE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0xAA359B04]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateKey [0xAA37B1DD]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0xAA3598EC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0xAA359A3E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0xAA359940]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0xAA359AB2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0xAA357398]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteKey [0xAA37BEEF]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteValueKey [0xAA37C1A5]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDuplicateObject [0xAA359D88]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xAA37BD5A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xAA37BBC5]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0xAA3BE368]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0xAA357162]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0xAA3573BC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0xAA359EFC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0xAA357E54]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0xAA3599C6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0xAA359A16]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0xAA359B2E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenKey [0xAA37B539]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0xAA359918]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenProcess [0xAA359BC0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0xAA359A7E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0xAA35996E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenThread [0xAA359CA4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0xAA359ADC]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0xAA3BE400]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryKey [0xAA37BA40]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0xAA357D1A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryValueKey [0xAA37B892]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRenameKey [0xAA3C66E2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwRestoreKey [0xAA37A850]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0xAA3573E0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0xAA357404]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0xAA3571BC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0xAA3572F8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetValueKey [0xAA37BFF6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0xAA3572D4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0xAA35731C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0xAA357428]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xAA3D39A6]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

AttachedDevice \FileSystem\Ntfs \Ntfs mozy.sys (Mozy Change Monitor Filter Driver/Mozy, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

Device \Driver\ACPI_HAL \Device\00000051 halaacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

---- EOF - GMER 1.0.15 ----
Robert Daoust
Active Member
 
Posts: 7
Joined: October 24th, 2011, 12:04 pm

Re: Microsoft Safety Scanner says I have Bumat!rts

Unread postby maxi » October 28th, 2011, 3:16 pm

Hi Robert, you're doing very well. I have a few more steps for you to follow :)

Step 1
Run OTL Script

We need to run an OTL Fix

  • Double-click OTL.exe to start the program.
  • Copy and Paste the following code into the Image textbox. Do not include the word Code
    :processes
    :otl
    SRV - (AppMgmt) -- File not found
    IE - HKU\S-1-5-21-3897032687-2156569484-1011630684-1004\..\URLSearchHook: {472734EA-242A-422b-ADF8-83D1E48CC825} - No CLSID value found
    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O4 - HKLM..\Run: [] File not found
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_29)
    O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_29)
    @Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
    [5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [2011-09-21 18:05:57 | 000,005,729 | ---- | C] () -- C:\WINDOWS\mgxoschk.ini
    
    :files
    ipconfig /flushdns /c
    
    :commands
    [purity]
    [emptyflash]
    [emptytemp]
    [emptyjava]
    [resethosts]
    [createrestorepoint]
    [REBOOT]
    
  • Then click the Run Fix button at the top.
  • Click Image.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot. Copy and Paste that report in your next reply.



Step 2
ESET online scanner

Note: You can use either Internet Explorer or Mozilla FireFox for this scan.

Note: If you are using Windows Vista or Windows 7, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • First please Disable any Antivirus you have active, as shown in This topic.
  • Note: Don't forget to re-enable it after the scan.
  • Next hold down Control then click on the following link to open a new window to ESET online scanner
  • Select the option YES, I accept the Terms of Use then click on Start.
    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on Start.
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on Finish.
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

In your next reply please include:
The OTL log.
The ESET online scan.
Any Problems you had with the instructions.

Regards maxi :)
maxi
Retired Graduate
 
Posts: 1262
Joined: September 25th, 2009, 10:17 am
Location: Cork, Ireland.

Re: Microsoft Safety Scanner says I have Bumat!rts

Unread postby Robert Daoust » October 30th, 2011, 3:48 pm

Thanks, maxi. Here are the OTL log and the ESET online scan.

All processes killed
========== PROCESSES ==========
========== OTL ==========
Service AppMgmt stopped successfully!
Service AppMgmt deleted successfully!
File File not found not found.
Registry value HKEY_USERS\S-1-5-21-3897032687-2156569484-1011630684-1004\Software\Microsoft\Internet Explorer\URLSearchHooks\\{472734EA-242A-422b-ADF8-83D1E48CC825} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{472734EA-242A-422b-ADF8-83D1E48CC825}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.
Starting removal of ActiveX control {8AD9C840-044E-11D1-B3E9-00805F499D93}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2 deleted successfully.
C:\WINDOWS\000001_.tmp deleted successfully.
C:\WINDOWS\000002_.tmp deleted successfully.
C:\WINDOWS\SET3.tmp deleted successfully.
C:\WINDOWS\SET4.tmp deleted successfully.
C:\WINDOWS\SET8.tmp deleted successfully.
C:\WINDOWS\mgxoschk.ini moved successfully.
========== FILES ==========
< ipconfig /flushdns /c >
Configuration IP de Windows
Cache de résolution DNS vidé.
C:\Documents and Settings\client\Bureau\cmd.bat deleted successfully.
C:\Documents and Settings\client\Bureau\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYFLASH]

User: Administrateur

User: All Users

User: client
->Flash cache emptied: 1295 bytes

User: Default User

User: LocalService

User: NetworkService

Total Flash Files Cleaned = 0,00 mb


[EMPTYTEMP]

User: Administrateur
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: All Users

User: client
->Temp folder emptied: 4196671 bytes
->Temporary Internet Files folder emptied: 52888311 bytes
->Java cache emptied: 2410798 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33664 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 2872783 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 23163980 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 4041 bytes

Total Files Cleaned = 82,00 mb


[EMPTYJAVA]

User: Administrateur

User: All Users

User: client
->Java cache emptied: 0 bytes

User: Default User

User: LocalService

User: NetworkService

Total Java Files Cleaned = 0,00 mb

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
Restore point Set: OTL Restore Point (0)

OTL by OldTimer - Version 3.2.31.0 log created on 10292011_143739

Files\Folders moved on Reboot...
File move failed. C:\WINDOWS\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.
C:\WINDOWS\temp\Perflib_Perfdata_d2c.dat moved successfully.

Registry entries deleted on Reboot...


ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=07741e2961b85f45a309263c19d44210
# end=stopped
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-10-29 08:21:03
# local_time=2011-10-29 04:21:03 (-0500, Est (heure d'été))
# country="Canada"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=72539
# found=2
# cleaned=0
# scan_time=5115
C:\Robert Daoust\Application Data\Sun\Java\Deployment\cache\6.0\34\2a6aca2-56c7dbca multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\WINDOWS\Newprep.exe Win32/Packed.Autoit.D.Gen application (unable to clean) 00000000000000000000000000000000 I
# version=7
# IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=07741e2961b85f45a309263c19d44210
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-10-30 07:37:43
# local_time=2011-10-30 03:37:43 (-0500, Est (heure d'été))
# country="Canada"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=78833
# found=2
# cleaned=0
# scan_time=5347
C:\Robert Daoust\Application Data\Sun\Java\Deployment\cache\6.0\34\2a6aca2-56c7dbca multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\WINDOWS\Newprep.exe Win32/Packed.Autoit.D.Gen application (unable to clean) 00000000000000000000000000000000 I
Robert Daoust
Active Member
 
Posts: 7
Joined: October 24th, 2011, 12:04 pm
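As an added example (not code from the thread, from ESET or from the forum's tools), a small Python parser for the ESET Online Scanner log format shown in the post above: it separates the interrupted session (`end=stopped`) from the completed one (`end=finished`), cross-checks the `# found=` header against the detection lines actually listed, and returns the paths the scan left in place because `remove_checked=false` was set. The sample log is constructed to mirror the posted one; the `EOSSerial` value is a placeholder, and the path-splitting heuristic is an assumption about the format.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in the format posted above (EOSSerial is a placeholder).
# Two sessions: the first was interrupted, the second ran to completion.
SAMPLE_LOG = """\
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# EOSSerial=00000000000000000000000000000000
# end=stopped
# remove_checked=false
# scanned=72539
# found=2
# cleaned=0
C:\\Robert Daoust\\Application Data\\Sun\\Java\\Deployment\\cache\\6.0\\34\\2a6aca2-56c7dbca multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\\WINDOWS\\Newprep.exe Win32/Packed.Autoit.D.Gen application (unable to clean) 00000000000000000000000000000000 I
# version=7
# EOSSerial=00000000000000000000000000000000
# end=finished
# remove_checked=false
# scanned=78833
# found=2
# cleaned=0
C:\\Robert Daoust\\Application Data\\Sun\\Java\\Deployment\\cache\\6.0\\34\\2a6aca2-56c7dbca multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\\WINDOWS\\Newprep.exe Win32/Packed.Autoit.D.Gen application (unable to clean) 00000000000000000000000000000000 I
"""


@dataclass
class Detection:
    path: str
    threat: str
    action: str
    flag: str


@dataclass
class Session:
    header: Dict[str, str] = field(default_factory=dict)
    detections: List[Detection] = field(default_factory=list)

    @property
    def finished(self) -> bool:
        return self.header.get("end") == "finished"

    @property
    def header_count_matches(self) -> bool:
        # A stopped session may report fewer lines than its header claims.
        return int(self.header.get("found", "0")) == len(self.detections)


# <path and threat text> (<action result>) <32 hex chars> <flag>
_DETECTION = re.compile(
    r"^(?P<body>.*) \((?P<action>[^()]*)\) (?P<hash>[0-9A-Fa-f]{32}) (?P<flag>\S+)$"
)


def parse_detection(line: str) -> Optional[Detection]:
    """Split one detection line; None if the line is not a detection."""
    m = _DETECTION.match(line)
    if not m:
        return None
    body = m.group("body")
    # Assumed heuristic: the path ends at the first space after its last
    # backslash, so directories with spaces are kept and the threat text
    # ("multiple threats", "Win32/... application") follows. A file name
    # that itself contains a space would be split wrongly.
    last_sep = body.rfind("\\")
    if last_sep < 0:
        return None
    cut = body.find(" ", last_sep)
    path, threat = (body, "") if cut < 0 else (body[:cut], body[cut + 1:])
    return Detection(path, threat, m.group("action"), m.group("flag"))


def parse_log(text: str) -> List[Session]:
    """Group '# key=value' headers and detection lines into sessions."""
    sessions: List[Session] = []
    current: Optional[Session] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("# "):
            key, _, value = line[2:].partition("=")
            if key == "version" or current is None:  # new scan session
                current = Session()
                sessions.append(current)
            current.header[key] = value
        elif current is not None:  # preamble before the first header is ignored
            det = parse_detection(line)
            if det is not None:
                current.detections.append(det)
    return sessions


def uncleaned_paths(sessions: List[Session]) -> List[str]:
    """Paths still flagged in the last completed session, deduplicated, in order."""
    finished = [s for s in sessions if s.finished]
    if not finished:
        return []
    seen: List[str] = []
    for d in finished[-1].detections:
        if "unable to clean" in d.action and d.path not in seen:
            seen.append(d.path)
    return seen


if __name__ == "__main__":
    for p in uncleaned_paths(parse_log(SAMPLE_LOG)):
        print("left in place:", p)
```

With `Remove found threats` unchecked, as the instructions require, every hit shows as "unable to clean"; the list this returns is exactly what the helper then handles by hand in the next OTL `:files` fix.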

Re: Microsoft Safety Scanner says I have Bumat!rts

Unread postby maxi » November 1st, 2011, 9:35 am

Hi Robert,
Step 1
Upload File/Files for testing

Please go to Virustotal or jotti.org

Copy/paste this file and path into the white box at the top:
C:\WINDOWS\Newprep.exe

Press Submit - this will submit the file for testing.
Please wait for all the scanners to finish then copy and paste the permalink (web address) in your next response.

Step 2
Please download aswMBR and save it to your Desktop.

  • Double click aswMBR.exe to run it.
  • Click the Scan button.
  • After a short while when the scan reports "Scan finished successfully", click Save log & save the log to your desktop.
  • Click OK > Exit.
  • Note: Do not attempt to fix anything at this stage!
  • Two files will be created, aswMBR.txt & a file named MBR.dat.
  • MBR.dat is a backup of the MBR (master boot record), do not delete it.
  • I strongly suggest you keep a copy of this backup stored on an external device.
  • Copy & Paste the contents of aswMBR.txt into your next reply.

In your next file please include:
The results of the online file scan.
The log from aswMBR.exe
How your computer is behaving now.

Regards maxi :)
maxi
Retired Graduate
 
Posts: 1262
Joined: September 25th, 2009, 10:17 am
Location: Cork, Ireland.

Re: Microsoft Safety Scanner says I have Bumat!rts

Unread postby Robert Daoust » November 1st, 2011, 12:27 pm

Hi maxi, your work is much appreciated. My computer is behaving all right, seemingly, but I don't trust it. Microsoft Safety Scanner still says I have Trojan: Win32/Bumat!rts. Malwarebytes' Anti-Malware logs show that the last outgoing IP was blocked on October 23, and that since then only ingoing IPs are blocked, which is reassuring. Last summer I had big troubles with some virus-malware-hacking and had to reinstall Windows from scratch. I guess I have been infected again, and I do not dare go into the server of my website hosting service with Windows-XP because I fear putting that server down again like last summer. Instead I use Linux-Ubuntu, but with difficulty. Here are the results and log you asked for.

Submitting my Newprep.exe to Virustotal gave the following page at first:

http://www.virustotal.com/file-scan/rea ... 1320160524

Content of that page:
File already submitted: The file sent has already been analysed by VirusTotal in the past. This is same basic info regarding the sample itself and its last analysis:
MD5: fc69ee2954491ec06e5cfa5abadc1720
Date first seen: 2010-10-28 21:24:02 (UTC)
Date last seen: 2011-08-16 02:15:43 (UTC)
Detection ratio: 24/43
What do you wish to do?
Reanalyse View last report

I chose “Reanalyse”, which gave me the following report:

http://www.virustotal.com/file-scan/rep ... 1320160524

Here is the log from aswMBR.exe:

aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-11-01 11:38:15
-----------------------------
11:38:15.875 OS Version: Windows 5.1.2600 Service Pack 3
11:38:15.875 Number of processors: 1 586 0x409
11:38:15.875 ComputerName: CLIEN UserName:
11:38:16.750 Initialize success
11:38:17.593 AVAST engine defs: 11110102
11:38:38.578 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
11:38:38.578 Disk 0 Vendor: WDC_WD1600JS-75NCB3 10.02E04 Size: 152587MB BusType: 3
11:38:38.687 Disk 0 MBR read successfully
11:38:38.687 Disk 0 MBR scan
11:38:38.765 Disk 0 unknown MBR code
11:38:38.765 Disk 0 scanning sectors +312498176
11:38:38.843 Disk 0 scanning C:\WINDOWS\system32\drivers
11:38:53.062 Service scanning
11:38:54.000 Modules scanning
11:38:59.562 Disk 0 trace - called modules:
11:38:59.578 ntkrnlup.exe CLASSPNP.SYS disk.sys atapi.sys halaacpi.dll pciide.sys PCIIDEX.SYS
11:38:59.578 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86b59030]
11:38:59.578 3 CLASSPNP.SYS[f75edfd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-e[0x86b5db00]
11:39:00.328 AVAST engine scan C:\WINDOWS
11:39:02.906 AVAST engine scan C:\WINDOWS\system32
11:40:27.828 AVAST engine scan C:\WINDOWS\system32\drivers
11:40:39.828 AVAST engine scan C:\Documents and Settings\client
11:45:46.671 AVAST engine scan C:\Documents and Settings\All Users
11:46:11.921 Scan finished successfully
11:47:50.843 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\client\Bureau\MBR.dat"
11:47:50.843 The log file has been saved successfully to "C:\Documents and Settings\client\Bureau\aswMBR.txt"
Robert Daoust
Active Member
 
Posts: 7
Joined: October 24th, 2011, 12:04 pm

Re: Microsoft Safety Scanner says I have Bumat!rts

Unread postby maxi » November 2nd, 2011, 3:12 pm

Hi Robert Daoust, Good work :) Hopefully not too long to go.


Step 1
Run OTL Script

We need to run an OTL Fix

  • Double-click OTL.exe to start the program.
  • Copy and Paste the following code into the Image textbox. Do not include the word Code
    :processes
    :otl
    :files
    C:\Robert Daoust\Application Data\Sun\Java\Deployment\cache\6.0\34\2a6aca2-56c7dbca
    C:\WINDOWS\Newprep.exe 
    
    ipconfig /flushdns /c
    :commands
    [purity]
    
    
    [emptyflash]
    [emptytemp]
    [emptyjava]
    [resethosts]
    [createrestorepoint]
    [REBOOT]
    
  • Then click the Run Fix button at the top.
  • Click Image.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot. Copy and Paste that report in your next reply.
Step 2
After you have run the fix, check to see if Microsoft Safety Scanner still detects Win32/Bumat!rts.
Step 3
In your next reply please include:
The OTL log.
If Microsoft Safety Scanner still detects Win32/Bumat!rts.

Regards maxi :)
maxi
Retired Graduate
 
Posts: 1262
Joined: September 25th, 2009, 10:17 am
Location: Cork, Ireland.

Re: Microsoft Safety Scanner says I have Bumat!rts

Unread postby Robert Daoust » November 2nd, 2011, 6:36 pm

Yes maxi, Microsoft Security Scanner now says that I have no file infected! Good! Here is the OTL log:

All processes killed
========== PROCESSES ==========
========== OTL ==========
========== FILES ==========
C:\Robert Daoust\Application Data\Sun\Java\Deployment\cache\6.0\34\2a6aca2-56c7dbca moved successfully.
C:\WINDOWS\Newprep.exe moved successfully.
< ipconfig /flushdns /c >
Configuration IP de Windows
Cache de résolution DNS vidé.
C:\Documents and Settings\client\Bureau\cmd.bat deleted successfully.
C:\Documents and Settings\client\Bureau\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYFLASH]

User: Administrateur

User: All Users

User: client
->Flash cache emptied: 0 bytes

User: Default User

User: LocalService

User: NetworkService

Total Flash Files Cleaned = 0,00 mb


[EMPTYTEMP]

User: Administrateur
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: client
->Temp folder emptied: 2226490 bytes
->Temporary Internet Files folder emptied: 24805744 bytes
->Java cache emptied: 268267 bytes
->Google Chrome cache emptied: 12279753 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1928126 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 1903961 bytes

Total Files Cleaned = 42,00 mb


[EMPTYJAVA]

User: Administrateur

User: All Users

User: client
->Java cache emptied: 0 bytes

User: Default User

User: LocalService

User: NetworkService

Total Java Files Cleaned = 0,00 mb

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
Restore point Set: OTL Restore Point (0)

OTL by OldTimer - Version 3.2.31.0 log created on 11022011_152121

Files\Folders moved on Reboot...
File move failed. C:\WINDOWS\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.
C:\WINDOWS\temp\Perflib_Perfdata_9a4.dat moved successfully.

Registry entries deleted on Reboot...
Robert Daoust
Active Member
 
Posts: 7
Joined: October 24th, 2011, 12:04 pm

Re: Microsoft Safety Scanner says I have Bumat!rts

Unread postby maxi » November 3rd, 2011, 9:09 am

Hi Robert Daoust. Hopefully the problem is gone, but we'll make sure now :)


Step 1
Run another scan with DDS.

Step 2
Please run a full scan with Malwarebytes. (Note) Make sure to update the program first.

Step 3
Run the Eset online scan again.

In your next reply please include:
The DDS log.
The Malwarebytes log.
The new Eset log.
How your computer is running now.

Regards maxi :)
maxi
Retired Graduate
 
Posts: 1262
Joined: September 25th, 2009, 10:17 am
Location: Cork, Ireland.

Re: Microsoft Safety Scanner says I have Bumat!rts

Unread postby Robert Daoust » November 3rd, 2011, 12:24 pm

Hi maxi, we seem to be coming safely to the shore now! The computer is running fine. Here are the 3 logs you asked for, along with the DDS Attach log.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by client at 9:31:41 on 2011-11-03
Microsoft Windows XP Édition familiale 5.1.2600.3.1252.2.1036.18.1014.549 [GMT -4:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\MozyHome\mozystat.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Fichiers communs\MAGIX Services\Database\bin\FABS.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\MozyHome\mozybackup.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
c:\d\s\zi\STacSV.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Adobe ARM] "c:\program files\fichiers communs\adobe\arm\1.0\AdobeARM.exe"
mRun: [EPSON Stylus CX3800 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /O6 "USB001" /M "Stylus CX3800"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [SunJavaUpdateSched] "c:\program files\fichiers communs\java\java update\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\menudm~1\progra~1\dmarra~1\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\menudm~1\progra~1\dmarra~1\mozyho~1.lnk - c:\program files\mozyhome\mozystat.exe
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windows ... 9787720946
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microso ... 2466217578
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
TCP: DhcpNameServer = 24.201.245.77 24.200.241.37 24.200.243.189
TCP: Interfaces\{8F5F9F19-96CC-429F-861B-B0BB971BE460} : DhcpNameServer = 24.201.245.77 24.200.241.37 24.200.243.189
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [2008-12-1 183824]
R0 iaStor5;Intel RAID Controller;c:\windows\system32\drivers\iastor5.sys [2008-12-1 874240]
R0 iaStor7;Intel AHCI Controller 7;c:\windows\system32\drivers\iastor7.sys [2008-12-1 277784]
R0 iaStor8;Intel AHCI Controller 8;c:\windows\system32\drivers\iastor8.sys [2008-12-1 327192]
R0 m5228;m5228;c:\windows\system32\drivers\m5228.sys [2008-12-1 45069]
R0 m5281;m5281;c:\windows\system32\drivers\m5281.sys [2008-12-1 51072]
R0 m5287;m5287;c:\windows\system32\drivers\m5287.sys [2008-12-1 103680]
R0 m5288;m5288;c:\windows\system32\drivers\m5288.sys [2008-12-1 210304]
R0 m5289;m5289;c:\windows\system32\drivers\m5289.sys [2008-12-1 52480]
R0 SI3112r;ATI-437A Serial ATA Controller;c:\windows\system32\drivers\si3112r.sys [2008-12-1 102528]
R0 SiSRaid4;SiSRaid4;c:\windows\system32\drivers\sisraid4.sys [2008-12-1 68864]
R0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [2008-12-1 17968]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-10-22 442200]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-10-22 320856]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-10-22 20568]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-10-22 44768]
R2 Fabs;FABS - Helping agent for MAGIX media database;c:\program files\fichiers communs\magix services\database\bin\FABS.exe [2009-8-27 1253376]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-10-22 366152]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-10-22 22216]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Service Google Update (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-8-3 136176]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\fichiers communs\magix services\database\bin\fbserver.exe [2008-8-7 3276800]
S3 gupdatem;Service Google Update (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-8-3 136176]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-5 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-10-29 18:51:25 -------- d-----w- c:\program files\ESET
2011-10-29 18:37:39 -------- d-----w- C:\_OTL
2011-10-24 15:19:59 388096 ----a-r- c:\documents and settings\client\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-10-24 15:19:58 -------- d-----w- c:\program files\Trend Micro
2011-10-22 18:15:37 -------- d-----w- c:\documents and settings\client\DoctorWeb
2011-10-22 13:59:30 -------- d-----w- c:\documents and settings\client\application data\Malwarebytes
2011-10-22 13:59:20 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-10-22 13:59:16 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-22 13:59:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-22 06:41:09 442200 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-10-22 06:40:49 41184 ----a-w- c:\windows\avastSS.scr
2011-10-22 06:03:29 -------- d-----w- c:\documents and settings\all users\application data\PC Tools
.
==================== Find3M ====================
.
2011-10-03 09:06:03 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-10-03 06:37:52 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-09-26 15:41:40 614400 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41:40 22528 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-26 15:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-09 09:12:01 606208 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 14:10:01 1859072 ----a-w- c:\windows\system32\win32k.sys
2011-08-22 23:41:31 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:41:29 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:41:29 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56:53 385024 ----a-w- c:\windows\system32\html.iec
2011-08-17 13:49:54 138496 ----a-w- c:\windows\system32\drivers\afd.sys
.
============= FINISH: 9:35:01,29 ===============


.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Édition familiale
Boot Device: \Device\HarddiskVolume1
Install Date: 2011-08-03 15:58:06
System Uptime: 2011-11-03 09:09:42 (0 hours ago)
.
Motherboard: Dell Inc. | | 0JC474
Processor: Intel(R) Pentium(R) 4 CPU 3.06GHz | Microprocessor | 3059/533mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 91 GiB total, 52,173 GiB free.
D: is CDROM (CDFS)
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP2: 2011-10-22 12:24:23 - Point de vérification système
RP3: 2011-10-23 12:40:33 - Point de vérification système
RP4: 2011-10-24 11:19:57 - Installed HiJackThis
RP5: 2011-10-25 12:23:34 - Point de vérification système
RP6: 2011-10-26 13:14:53 - Point de vérification système
RP7: 2011-10-27 19:19:09 - Point de vérification système
RP8: 2011-10-29 13:09:08 - Point de vérification système
RP9: 2011-10-29 14:38:52 - OTL Restore Point
RP10: 2011-10-30 17:23:57 - Point de vérification système
RP11: 2011-10-31 18:18:45 - Point de vérification système
RP12: 2011-11-02 13:38:57 - Point de vérification système
RP13: 2011-11-02 15:21:58 - OTL Restore Point
.
==== Installed Programs ======================
.
Adobe Reader X (10.1.1) - Français
avast! Free Antivirus
Belarc Advisor 8.2
CCleaner
CDBurnerXP
CoffeeCup Free FTP
Conexant D850 56K V.9x DFVc Modem
Correctif pour Windows XP (KB2443685)
Correctif pour Windows XP (KB2570791)
Correctif pour Windows XP (KB942288-v3)
Correctif pour Windows XP (KB970653-v3)
DScaler 5 Mpeg Decoders
EPSON Logiciel imprimante
ESET Online Scanner v3
Firebird SQL Server - MAGIX Edition
Google Chrome
Google Toolbar for Internet Explorer
Google Update Helper
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB954550-v5)
HP Deskjet 3050 J610 series Aide
HP Photo Creations
HP Update
Intel(R) Graphics Media Accelerator Driver
Intel(R) Network Connections Drivers
Java Auto Updater
Java(TM) 6 Update 22
Java(TM) 6 Update 29
Lecteur Windows Media 11
Logiciel de base du périphérique HP Deskjet 3050 J610 series
MAGIX Photo Clinic 4.5 (US)
Malwarebytes' Anti-Malware version 1.51.2.1300
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 2.0 Service Pack 2 Language Pack - FRA
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2 Language Pack - FRA
Microsoft .NET Framework 3.5 Language Pack SP1 - fra
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Client Profile FRA Language Pack
Microsoft .NET Framework 4 Extended
Microsoft .NET Framework 4 Extended FRA Language Pack
Microsoft Office XP Professional avec FrontPage
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Mise à jour de sécurité pour Lecteur Windows Media (KB952069)
Mise à jour de sécurité pour Lecteur Windows Media (KB968816)
Mise à jour de sécurité pour Lecteur Windows Media (KB973540)
Mise à jour de sécurité pour Lecteur Windows Media 11 (KB954154)
Mise à jour de sécurité pour Microsoft Windows (KB2564958)
Mise à jour de sécurité pour Windows Internet Explorer 8 (KB2360131)
Mise à jour de sécurité pour Windows Internet Explorer 8 (KB2510531)
Mise à jour de sécurité pour Windows Internet Explorer 8 (KB2530548)
Mise à jour de sécurité pour Windows Internet Explorer 8 (KB2544521)
Mise à jour de sécurité pour Windows Internet Explorer 8 (KB2559049)
Mise à jour de sécurité pour Windows Internet Explorer 8 (KB2586448)
Mise à jour de sécurité pour Windows Internet Explorer 8 (KB971961)
Mise à jour de sécurité pour Windows Internet Explorer 8 (KB972260)
Mise à jour de sécurité pour Windows Internet Explorer 8 (KB974455)
Mise à jour de sécurité pour Windows Internet Explorer 8 (KB976325)
Mise à jour de sécurité pour Windows Internet Explorer 8 (KB981332)
Mise à jour de sécurité pour Windows XP (KB2393802)
Mise à jour de sécurité pour Windows XP (KB2412687)
Mise à jour de sécurité pour Windows XP (KB2419632)
Mise à jour de sécurité pour Windows XP (KB2423089)
Mise à jour de sécurité pour Windows XP (KB2440591)
Mise à jour de sécurité pour Windows XP (KB2443105)
Mise à jour de sécurité pour Windows XP (KB2476490)
Mise à jour de sécurité pour Windows XP (KB2478960)
Mise à jour de sécurité pour Windows XP (KB2478971)
Mise à jour de sécurité pour Windows XP (KB2479943)
Mise à jour de sécurité pour Windows XP (KB2481109)
Mise à jour de sécurité pour Windows XP (KB2483185)
Mise à jour de sécurité pour Windows XP (KB2485663)
Mise à jour de sécurité pour Windows XP (KB2503665)
Mise à jour de sécurité pour Windows XP (KB2506212)
Mise à jour de sécurité pour Windows XP (KB2507618)
Mise à jour de sécurité pour Windows XP (KB2507938)
Mise à jour de sécurité pour Windows XP (KB2508272)
Mise à jour de sécurité pour Windows XP (KB2508429)
Mise à jour de sécurité pour Windows XP (KB2509553)
Mise à jour de sécurité pour Windows XP (KB2524375)
Mise à jour de sécurité pour Windows XP (KB2535512)
Mise à jour de sécurité pour Windows XP (KB2536276-v2)
Mise à jour de sécurité pour Windows XP (KB2536276)
Mise à jour de sécurité pour Windows XP (KB2544893)
Mise à jour de sécurité pour Windows XP (KB2555917)
Mise à jour de sécurité pour Windows XP (KB2562937)
Mise à jour de sécurité pour Windows XP (KB2566454)
Mise à jour de sécurité pour Windows XP (KB2567053)
Mise à jour de sécurité pour Windows XP (KB2567680)
Mise à jour de sécurité pour Windows XP (KB2570222)
Mise à jour de sécurité pour Windows XP (KB2570947)
Mise à jour de sécurité pour Windows XP (KB2592799)
Mise à jour de sécurité pour Windows XP (KB923561)
Mise à jour de sécurité pour Windows XP (KB923789)
Mise à jour de sécurité pour Windows XP (KB938464-v2)
Mise à jour de sécurité pour Windows XP (KB946648)
Mise à jour de sécurité pour Windows XP (KB950762)
Mise à jour de sécurité pour Windows XP (KB950974)
Mise à jour de sécurité pour Windows XP (KB951066)
Mise à jour de sécurité pour Windows XP (KB951376-v2)
Mise à jour de sécurité pour Windows XP (KB951748)
Mise à jour de sécurité pour Windows XP (KB952004)
Mise à jour de sécurité pour Windows XP (KB952954)
Mise à jour de sécurité pour Windows XP (KB954459)
Mise à jour de sécurité pour Windows XP (KB954600)
Mise à jour de sécurité pour Windows XP (KB955069)
Mise à jour de sécurité pour Windows XP (KB956572)
Mise à jour de sécurité pour Windows XP (KB956744)
Mise à jour de sécurité pour Windows XP (KB956802)
Mise à jour de sécurité pour Windows XP (KB956803)
Mise à jour de sécurité pour Windows XP (KB956844)
Mise à jour de sécurité pour Windows XP (KB957097)
Mise à jour de sécurité pour Windows XP (KB958644)
Mise à jour de sécurité pour Windows XP (KB958687)
Mise à jour de sécurité pour Windows XP (KB959426)
Mise à jour de sécurité pour Windows XP (KB960225)
Mise à jour de sécurité pour Windows XP (KB960803)
Mise à jour de sécurité pour Windows XP (KB960859)
Mise à jour de sécurité pour Windows XP (KB961371-v2)
Mise à jour de sécurité pour Windows XP (KB961371)
Mise à jour de sécurité pour Windows XP (KB961501)
Mise à jour de sécurité pour Windows XP (KB968537)
Mise à jour de sécurité pour Windows XP (KB970238)
Mise à jour de sécurité pour Windows XP (KB971557)
Mise à jour de sécurité pour Windows XP (KB971633)
Mise à jour de sécurité pour Windows XP (KB971657)
Mise à jour de sécurité pour Windows XP (KB971961)
Mise à jour de sécurité pour Windows XP (KB972260)
Mise à jour de sécurité pour Windows XP (KB973346)
Mise à jour de sécurité pour Windows XP (KB973354)
Mise à jour de sécurité pour Windows XP (KB973507)
Mise à jour de sécurité pour Windows XP (KB973869)
Mise à jour pour Windows Internet Explorer 8 (KB2362765)
Mise à jour pour Windows Internet Explorer 8 (KB973874)
Mise à jour pour Windows Internet Explorer 8 (KB975364)
Mise à jour pour Windows Internet Explorer 8 (KB976662)
Mise à jour pour Windows Internet Explorer 8 (KB976749)
Mise à jour pour Windows Internet Explorer 8 (KB980182)
Mise à jour pour Windows Internet Explorer 8 (KB980302)
Mise à jour pour Windows XP (KB2541763)
Mise à jour pour Windows XP (KB2607712)
Mise à jour pour Windows XP (KB2616676)
Mise à jour pour Windows XP (KB971029)
Mise à jour pour Windows XP (KB973815)
Module de compatibilité pour Microsoft Office System 2007
Module linguistique Microsoft .NET Framework 3.5 SP1- fra
Module linguistique Microsoft .NET Framework 4 Client Profile FRA
Module linguistique Microsoft .NET Framework 4 Extended FRA
MozyHome
MSXML 6.0 Parser
OpenOffice.org 3.3
PDFCreator
Sauvegarde des Dossiers personnels Microsoft Outlook
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Module linguistique Microsoft .NET Framework 4 Client Profile FRA (KB2478663)
Security Update for Module linguistique Microsoft .NET Framework 4 Client Profile FRA (KB2518870)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Management Framework Core
Windows Media Format 11 runtime
Windows XP Service Pack 3
.
==== Event Viewer Messages From Past Week ========
.
2011-11-02 15:21:24, error: Service Control Manager [7034] - Le service NMSAccessU s'est terminé de façon inattendue pour la 1ème fois.
2011-11-02 15:21:24, error: Service Control Manager [7034] - Le service MBAMService s'est terminé de façon inattendue pour la 1ème fois.
2011-11-02 15:21:24, error: Service Control Manager [7034] - Le service Java Quick Starter s'est terminé de façon inattendue pour la 1ème fois.
2011-11-02 15:21:24, error: Service Control Manager [7034] - Le service Audio Service s'est terminé de façon inattendue pour la 1ème fois.
2011-11-02 15:21:24, error: Service Control Manager [7031] - Le service Service de sauvegarde MozyHome s'est terminé de manière inattendue. Ceci s'est produit 1 fois. L'action corrective suivante va être effectuée dans 1000 millisecondes : Redémarrer le service.
2011-11-02 15:21:23, error: Service Control Manager [7034] - Le service FABS - Helping agent for MAGIX media database s'est terminé de façon inattendue pour la 1ème fois.
2011-10-29 14:37:42, error: Service Control Manager [7031] - Le service Service de sauvegarde MozyHome s'est terminé de manière inattendue. Ceci s'est produit 1 fois. L'action corrective suivante va être effectuée dans 1000 millisecondes : Redémarrer le service.
2011-10-29 14:37:41, error: Service Control Manager [7034] - Le service NMSAccessU s'est terminé de façon inattendue pour la 1ème fois.
2011-10-29 14:37:41, error: Service Control Manager [7034] - Le service MBAMService s'est terminé de façon inattendue pour la 1ème fois.
2011-10-29 14:37:41, error: Service Control Manager [7034] - Le service Java Quick Starter s'est terminé de façon inattendue pour la 1ème fois.
2011-10-29 14:37:41, error: Service Control Manager [7034] - Le service FABS - Helping agent for MAGIX media database s'est terminé de façon inattendue pour la 1ème fois.
2011-10-29 14:37:41, error: Service Control Manager [7034] - Le service Audio Service s'est terminé de façon inattendue pour la 1ème fois.
2011-10-27 13:00:53, error: atapi [9] - Le périphérique \Device\Ide\IdePort1 n'a pas répondu dans le délai imparti.
.
==== End Of File ===========================


Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Version de la base de données: 8075

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2011-11-03 10:08:36
mbam-log-2011-11-03 (10-08-36).txt

Type d'examen: Examen complet (C:\|)
Elément(s) analysé(s): 244580
Temps écoulé: 30 minute(s), 32 seconde(s)

Processus mémoire infecté(s): 0
Module(s) mémoire infecté(s): 0
Clé(s) du Registre infectée(s): 0
Valeur(s) du Registre infectée(s): 0
Elément(s) de données du Registre infecté(s): 0
Dossier(s) infecté(s): 0
Fichier(s) infecté(s): 0

Processus mémoire infecté(s):
(Aucun élément nuisible détecté)

Module(s) mémoire infecté(s):
(Aucun élément nuisible détecté)

Clé(s) du Registre infectée(s):
(Aucun élément nuisible détecté)

Valeur(s) du Registre infectée(s):
(Aucun élément nuisible détecté)

Elément(s) de données du Registre infecté(s):
(Aucun élément nuisible détecté)

Dossier(s) infecté(s):
(Aucun élément nuisible détecté)

Fichier(s) infecté(s):
(Aucun élément nuisible détecté)


ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=07741e2961b85f45a309263c19d44210
# end=stopped
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-10-29 08:21:03
# local_time=2011-10-29 04:21:03 (-0500, Est (heure d'été))
# country="Canada"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=72539
# found=2
# cleaned=0
# scan_time=5115
C:\Robert Daoust\Application Data\Sun\Java\Deployment\cache\6.0\34\2a6aca2-56c7dbca multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\WINDOWS\Newprep.exe Win32/Packed.Autoit.D.Gen application (unable to clean) 00000000000000000000000000000000 I
# version=7
# IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=07741e2961b85f45a309263c19d44210
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-10-30 07:37:43
# local_time=2011-10-30 03:37:43 (-0500, Est (heure d'été))
# country="Canada"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=78833
# found=2
# cleaned=0
# scan_time=5347
C:\Robert Daoust\Application Data\Sun\Java\Deployment\cache\6.0\34\2a6aca2-56c7dbca multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\WINDOWS\Newprep.exe Win32/Packed.Autoit.D.Gen application (unable to clean) 00000000000000000000000000000000 I
# version=7
# IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=07741e2961b85f45a309263c19d44210
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-11-03 04:09:47
# local_time=2011-11-03 12:09:47 (-0500, Est (heure d'été))
# country="Canada"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=81089
# found=2
# cleaned=0
# scan_time=5381
C:\_OTL\MovedFiles\11022011_152121\C_Robert Daoust\Application Data\Sun\Java\Deployment\cache\6.0\34\2a6aca2-56c7dbca multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\_OTL\MovedFiles\11022011_152121\C_WINDOWS\Newprep.exe Win32/Packed.Autoit.D.Gen application (unable to clean) 00000000000000000000000000000000 I
Robert Daoust
Active Member
 
Posts: 7
Joined: October 24th, 2011, 12:04 pm

Re: Microsoft Safety Scanner says I have Bumat!rts

Unread postby maxi » November 4th, 2011, 3:03 pm

Hi Robert and congrats, I believe your system is now free from malware. Below are some steps that will help you stay clean.

Step 1
OTL-Cleanup
You should still have this on your desktop.
  1. Double click on OTL.exe to run it.
  2. Press the CleanUp button.
  3. When done, you will be prompted to reboot your system to finish file removal... please select OK to reboot your computer.
If you did not reboot your computer normally, please do so now, before continuing.



Create a new - clean SRP (System Restore Point)
Now that you're clean, it's a great time to create a new, clean SRP and remove any old, possibly compromised, entries.
Create a new SRP
  1. Go to Start > All Programs > Accessories > System Tools > System Restore
  2. Select Create a restore point... then press the Next...button.
  3. Type a name for the new SRP... like All Clean... then press the Create... button.
  4. When finished... press the Close...button.
Remove old SRP entries
  1. Now... Go to Start > Run... type in: cleanmgr...press the OK...button.
    The Disk Cleanup begins "calculating" space savings by compressing old files. This could take several minutes.
  2. When available... select the More Options... tab.
  3. In the System Restore section... Press the Clean up...button.
  4. Reply Yes to the prompt. Press the X to close and exit.
    All existing restore points will be deleted... except the new one you just created.

Please follow these simple guidelines in order to help keep your computer more secure:

Update your Antivirus programs and other programs regularly.
Secunia Personal Software Inspector - Copyright © Secunia. F-Secure Health Check - Copyright © F-Secure Corporation.

Visit Microsoft often
Keep on top of critical updates, as well as other updates for your computer.
How to configure and use Automatic Updates in Windows XP
Using Windows Update for Windows XP
Microsoft Update Home

Install additional (free) programs, that can help improve security.
Many feel that having a "layered" protection scheme is beneficial; you'll have to decide what works best for your situation.
Here are a few you can look into, if you want. :)

Malwarebytes' Anti-Malware
You have this installed already, run scans weekly (at least)... make sure you check for updates before running scans.


WinPatrol
Download it from Copyright © BillP Studios
Information about how WinPatrol works, is available Here.
(The free version of WinPatrol... provides limited real-time protection)



Read, stay informed.
To help minimize the chances of becoming re-infected, please read.
Computer Security - a short guide to staying safer online

If your computer is running slowly after your clean up, please read.
What to do if your Computer is running slowly

Please let me know that you completed the cleanup steps, the create/purge System Restore point steps and reviewed the rest of the post. Once I receive your reply, unless there are other malware questions or concerns, I will have this topic closed as resolved.

Regards maxi :)
maxi
Retired Graduate
 
Posts: 1262
Joined: September 25th, 2009, 10:17 am
Location: Cork, Ireland.

Re: Microsoft Safety Scanner says I have Bumat!rts

Unread postby deltalima » November 6th, 2011, 1:07 pm

As this issue appears to be resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK