Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

VBS/Autorun.worm.zo, Yuyun_Cantix and no connectivity.

Started by Greki , Mar 28 2010 04:36 PM

  • Please log in to reply

#1
Greki
Posted 28 March 2010 - 04:36 PM

Greki

    Member

  • Member
  • PipPip
  • 78 posts
Hello!

Okay, so this French friend of mine's got this nice Asus netbook in French heavily infected with various VBS/Autorun viruses.

It seems that she downloaded music from an infected machine, and passed those files to her netbook via an external drive (which is, of course, infected too, and I want to disinfect it as well) at a time when she didn't have an Antivirus.

So, some 1KB folders started magically appearing on her files with such names as: Microsoft.lnk, Harry Potter...lnk and so on and forth. Her laptop camera won't work, and everything is running awfully slow.

And... to make a long story short, I'll be the one fixing this.

So first thing I did when I discovered she didn't have an Antivirus (her previous one had expired), was, of course, install a free one(after creating a Restore Point), namely AVG and started scanning. Of course I first uninstalled the last one.

AVG discovered about 700 infected files, some of these were Droppers and Backdoors, and promptly removed them, I think (I'm afraid I didn't save the log because all this happened before I discovered geekstogo.)

Next I scanned it with BitDefender online. Discovered some more infected files and removed them.

Then I ran her already installed Spybot - Search & Destroy. I don't remember what this found.

Next thing I did was download, install and run Advanced SystemCareand IObit Security 360 (our own technician installed these at our own PC's for maintenance, so I figured I should do some mantainance in hers too, I did, however, uncheck the registry and system configuration repair options because I didn't know what damage it could do).

I then defragged and did a disk scan with the CHKDISK (not sure how this is called) and freed disk space deleting the temporary files.

And while it seemed that it speeded up a bit, the same error message at startup appeared:

Windows can't access "database.mdb" in My Documents.

Or something like that, since it was in French and no longer appearing and also has been replaced with something like (because it's in French):

Failure loading script "C:\WINDOWS\Microsoft Office Update for Windows XP.sys" (syntax filename, directory or volume error.)

Anyway, it was due to the first error message that I discovered (after investigating and before coming to this forum) what virus it was.

McAfee recognizes it as: VBS/Autorun.worm.zo, VBS/Autorun.worm.zo!lnk

But it's also got something called Yuyun_Cantix, which F-Secure recognizes as Trojan:JS/Agent.JP.

So, after this I investigated some more and tried McAfee Avert Stinger after turning off System Restore and in safe mode, and it indeed, recognized those viruses (except the Trojan), and it removed like 200 or so files of the VBS Worm, but the Yuyun_Cantix was left untouched.

Now, since that still didn't clean up all the infected stuff (although a significant number of the fake files did disappear), I considered that I needed help, and thus started wandering around the net and finally got to your site.

So I wanted to try out the Malware and Spyware Cleaning Guide, but was unable to because the laptop says that there's "No connectivity or limited connection". I was able to do all the other stuff before coming here because I did it at her house, where internet worked just fine, however now that I'm doing it from my house it won't connect wireless while all my other PC's connect just fine, and there's a strong signal too.

So I figured I could download the software from the guide to this PC and then pass it USB way to the laptop. Problem is, I don't want my USB infected because I don't know if formatting it will remove those specific viruses, plus in case you need the MBAM, GMER and OTL logs, I would need to insert the USB again to this PC which I figure is a big no, no 'cause then this PC shall be infected too.

So... what could I do to restore connectivity in the laptop? Should I go with the USB idea? If I scan it with Stinger, AVG, Flash_Disinfector, SuperAntiSpyware, Malwarebytes and whatnot everytime I connect it to this PC with the autoplay feature off, could I keep my own PC safe?

Btw, I last tried Flash_Disinfector on the External Drive.

Oh, and I have to add that AVG deleted some photos from the memory card of her camera because it seems that, too, was infected. I recovered them with Recuva with no problem. Problem is, I need to disinfect that memory card too...

Forgot to mention that her e-mail and MSN were infected too. I think they're no longer infected, but I don't know.

System Info:
Microsoft Windows XP
Home Edition
Version 2002
Service Pack 3

Model:
Asus Eee PC 1101HA

Edited by Greki, 01 April 2010 - 03:16 PM.

  • 0

Advertisements

#2
RKinner
Posted 28 March 2010 - 06:27 PM

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
Probably your friend had encryption on her wireless network and you don't or vice versa. You can usually connect directly to the router with an RJ45 cable.

If you install autorun eater v2.4 on your good PC it should protect you from infected USB drives.
http://oldmcdonald.w...orun-eater-v24/

Instructions here:
http://oldmcdonald.wordpress.com/



The virus keeps regedit from working:

Copy the text between the lines of stars by highlighting and ctrl + c

******************************************************
[Version]
Signature="$Chicago$"
Provider=Ron

[DefaultInstall]
AddReg=UnhookRegKey

[UnhookRegKey]
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableRegistryTools,0x00000020,0


*****************************************************

Open notepad (start, Run, notepad, OK) and paste it into notepad (ctrl + v). (You may have to carefully type the above if you can't get the internet to work.)

File, Save As, (to the desktop) "fix.inf" , OK (make sure you use the quote marks around the file name or it will add .txt and won't work.)

Right click on fix.inf and Install.

regedit should now work. (Autorun Eater has a Registry Fix Option to fix regedit so you can use it instead.)

Start, Run, regedit, OK to bring up the registry editor.

Navigate to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

(Find HKEY_Local_Machine and click on the + in front of it. Now look under it for SOFTWARE then click on its + Continue until you get to Run. )

Click on Run and look in the right pane for WinUpdate. Right click on WinUpdate and select Delete. OK.

Now navigate to:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Click on Run and in the right pane find Explorer. Right click on Explorer and select Delete. OK. Close regedit.

Now navigate to:
HKCR\CLSID\{11111111-2222-3333-4444-555555555555}

click on 11111111-2222-3333-4444-555555555555 and right click and Delete it and and subvalues.

Now do a search of the whole drive including system and hidden files for autorun.inf. Delete any you find.

Repeat the search for thumb.db. Delete all. (this will kill off some good files but they should be regenerated when you access the folder with View set to icons.)

Repeat the search for auto.exe. Delete all.

Ron
  • 0

#3
Greki
Posted 28 March 2010 - 07:26 PM

Greki

    Member

  • Topic Starter
  • Member
  • PipPip
  • 78 posts
I deleted the Registry entries as you said, however, when I performed a search for the mentioned files, no results showed up. I think McAfee stinger had already deleted them.

And the remains (I think) of the Yuyun_Cantix icon in desktop is still there, although it's showing as an unrecognized file.

Plus there are still some Microsoft.lnk files around.

Oh, btw!

Thanks a lot for your help! x3

Edited by Greki, 28 March 2010 - 07:30 PM.

  • 0

#4
RKinner
Posted 28 March 2010 - 07:47 PM

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
I would have thought there would be at least a few thumbs.db but maybe stinger ate them all.

You should be able to search for and delete the microsoft.lnk files too.

I think it's safe now to use your USB drive and run OTL and MBAM on the sick PC per the Malware Removal Guide:
http://www.geekstogo...uide-t2852.html

Post the logs here.

Ron
  • 0

#5
Greki
Posted 28 March 2010 - 09:22 PM

Greki

    Member

  • Topic Starter
  • Member
  • PipPip
  • 78 posts
Okay, here it is:

MBAM:

Malwarebytes' Anti-Malware 1.44
Version de la base de données: 3510
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

28/03/2010 20:39:10
mbam-log-2010-03-28 (20-39-10).txt

Type de recherche: Examen rapide
Eléments examinés: 116517
Temps écoulé: 8 minute(s), 47 second(s)

Processus mémoire infecté(s): 0
Module(s) mémoire infecté(s): 0
Clé(s) du Registre infectée(s): 2
Valeur(s) du Registre infectée(s): 0
Elément(s) de données du Registre infecté(s): 1
Dossier(s) infecté(s): 1
Fichier(s) infecté(s): 0

Processus mémoire infecté(s):
(Aucun élément nuisible détecté)

Module(s) mémoire infecté(s):
(Aucun élément nuisible détecté)

Clé(s) du Registre infectée(s):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{28abc5c0-4fcb-11cf-aax5-81cx1c635612} (Generic.Bot.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{28abc5c0-4fcb-11cf-aax5-81cx1c635612} (Trojan.Agent) -> Quarantined and deleted successfully.

Valeur(s) du Registre infectée(s):
(Aucun élément nuisible détecté)

Elément(s) de données du Registre infecté(s):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Dossier(s) infecté(s):
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013 (Trojan.Agent) -> Quarantined and deleted successfully.

Fichier(s) infecté(s):
(Aucun élément nuisible détecté)
-------------------

OTL:

OTL logfile created on: 28/03/2010 20:55:13 - Run 1
OTL by OldTimer - Version 3.1.37.3 Folder = C:\Documents and Settings\Utilisateur\Bureau\geeks2go
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 0000040C | Country: France | Language: FRA | Date Format: dd/MM/yyyy

1 014,00 Mb Total Physical Memory | 314,00 Mb Available Physical Memory | 31,00% Memory free
2,00 Gb Paging File | 2,00 Gb Available in Paging File | 74,00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 82,82 Gb Total Space | 57,03 Gb Free Space | 68,86% Space Free | Partition Type: NTFS
Drive D: | 61,29 Gb Total Space | 61,22 Gb Free Space | 99,88% Space Free | Partition Type: NTFS
Drive E: | 232,88 Gb Total Space | 159,04 Gb Free Space | 68,29% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
Drive G: | 955,73 Mb Total Space | 955,72 Mb Free Space | 100,00% Space Free | Partition Type: FAT
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: YOUR-2NALM312DA
Current User Name: Utilisateur
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/03/20 22:51:42 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Utilisateur\Bureau\geeks2go\OTL.exe
PRC - [2010/03/15 15:17:01 | 001,086,744 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgchsvx.exe
PRC - [2010/03/15 15:17:01 | 000,710,424 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgcsrvx.exe
PRC - [2010/03/15 15:17:01 | 000,617,752 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgnsx.exe
PRC - [2010/03/15 15:17:01 | 000,508,184 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgrsx.exe
PRC - [2010/03/15 15:16:59 | 002,059,544 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgtray.exe
PRC - [2010/03/15 15:16:57 | 000,308,064 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe
PRC - [2010/02/08 11:02:10 | 002,343,632 | ---- | M] (IObit) -- C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
PRC - [2009/12/24 17:02:32 | 001,280,272 | ---- | M] (IObit) -- C:\Program Files\IObit\IObit Security 360\is360tray.exe
PRC - [2009/12/24 17:02:30 | 000,311,568 | ---- | M] (IObit) -- C:\Program Files\IObit\IObit Security 360\is360srv.exe
PRC - [2009/10/17 14:14:33 | 000,198,160 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
PRC - [2009/07/15 01:58:28 | 003,054,136 | ---- | M] (ASUS) -- C:\WINDOWS\AsScrPro.exe
PRC - [2009/07/05 19:34:52 | 000,096,792 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\PersistenceThread.exe
PRC - [2009/07/05 19:34:48 | 000,170,520 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxext.exe
PRC - [2009/06/25 03:25:40 | 000,712,704 | ---- | M] () -- C:\Program Files\ASUS\LiveUpdate\LiveUpdate.exe
PRC - [2009/06/18 11:30:44 | 000,696,320 | ---- | M] (ASUSTeK Computer Inc.) -- C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe
PRC - [2009/06/16 02:59:40 | 000,397,312 | ---- | M] () -- C:\Program Files\ASUS\Eee Docking\Eee Docking.exe
PRC - [2009/06/08 04:23:28 | 000,079,120 | ---- | M] () -- C:\Program Files\ASUS\Eee Storage\EeeStorageUploader.exe
PRC - [2009/06/08 04:23:24 | 000,935,184 | ---- | M] (ECAREME) -- C:\Program Files\ASUS\Eee Storage\BackupService.exe
PRC - [2009/05/26 22:57:08 | 000,411,108 | ---- | M] (Old McDonald's Farm) -- C:\Program Files\Autorun Eater\billy.exe
PRC - [2009/05/26 22:54:10 | 000,549,400 | ---- | M] (Old McDonald's Farm) -- C:\Program Files\Autorun Eater\oldmcdonald.exe
PRC - [2009/05/19 11:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
PRC - [2009/05/19 10:30:00 | 003,417,336 | ---- | M] (SRS Labs, Inc.) -- C:\Program Files\SRS Labs\SRS Premium Sound\SRSPremiumSoundBig_Small.exe
PRC - [2009/05/19 10:29:58 | 000,107,744 | ---- | M] (SRS Labs, Inc.) -- C:\Program Files\SRS Labs\SRS Premium Sound\SRS_VolSync.exe
PRC - [2009/05/08 08:54:20 | 000,098,304 | ---- | M] (ASUSTeK Computer Inc.) -- C:\Program Files\EeePC\ACPI\AsEPCMon.exe
PRC - [2009/03/25 02:43:40 | 000,376,832 | ---- | M] (ASUSTeK Computer Inc.) -- C:\Program Files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe
PRC - [2008/12/05 01:08:40 | 001,456,768 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe
PRC - [2008/12/05 01:08:40 | 000,604,776 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
PRC - [2008/04/14 06:00:00 | 001,037,824 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/09/06 07:08:02 | 000,136,136 | ---- | M] (DT Soft Ltd.) -- C:\Program Files\DAEMON Tools Pro\DTProAgent.exe


========== Modules (SafeList) ==========

MOD - [2010/03/20 22:51:42 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Utilisateur\Bureau\geeks2go\OTL.exe
MOD - [2009/12/24 17:02:28 | 000,237,840 | ---- | M] (IObit) -- C:\Program Files\IObit\IObit Security 360\is360mon.dll
MOD - [2008/12/05 01:07:32 | 000,094,273 | ---- | M] (Broadcom Corporation.) -- C:\WINDOWS\system32\BtMmHook.dll
MOD - [2008/12/05 01:05:44 | 000,069,697 | ---- | M] () -- C:\Program Files\WIDCOMM\Bluetooth Software\BTKeyInd.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/03/15 15:16:57 | 000,308,064 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
SRV - [2009/12/24 17:02:30 | 000,311,568 | ---- | M] (IObit) [Auto | Running] -- C:\Program Files\IObit\IObit Security 360\is360srv.exe -- (IS360service)
SRV - [2009/08/05 22:48:42 | 000,704,864 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Live\Family Safety\fsssvc.exe -- (fsssvc)
SRV - [2009/05/19 11:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)
SRV - [2009/05/19 10:29:58 | 000,107,744 | ---- | M] (SRS Labs, Inc.) [Auto | Running] -- C:\Program Files\SRS Labs\SRS Premium Sound\SRS_VolSync.exe -- (SRS_VolSync_Service)
SRV - [2008/11/04 01:06:28 | 000,441,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Fichiers communs\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv)
SRV - [2006/10/26 06:03:08 | 000,145,184 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Fichiers communs\Microsoft Shared\Source Engine\OSE.EXE -- (ose)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {e001c731-5e37-4538-a5cb-8168736a2360}:0.9.9.9
FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:1.0
FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:9.0.0.783

FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG9\Firefox [2010/03/15 15:16:57 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/02/21 11:44:33 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/02/18 08:05:16 | 000,000,000 | ---D | M]

[2009/09/18 05:25:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Utilisateur\Application Data\Mozilla\Extensions
[2010/03/28 14:33:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Utilisateur\Application Data\Mozilla\Firefox\Profiles\4xmwg7xk.default\extensions
[2009/09/23 02:35:19 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Utilisateur\Application Data\Mozilla\Firefox\Profiles\4xmwg7xk.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/03/15 13:57:13 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Utilisateur\Application Data\Mozilla\Firefox\Profiles\4xmwg7xk.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}
[2009/09/17 06:11:33 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/10/05 21:00:12 | 000,001,516 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-france.xml
[2009/10/05 21:00:12 | 000,001,822 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\cnrtl-tlfi-fr.xml
[2009/10/05 21:00:13 | 000,000,757 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-france.xml
[2009/10/05 21:00:13 | 000,001,426 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia-fr.xml
[2009/10/05 21:00:13 | 000,000,652 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-france.xml

O1 HOSTS File: ([2010/03/15 17:55:07 | 000,331,221 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 11344 more lines...
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (Programme d'aide de l'Assistant de connexion Windows Live) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll (Google Inc.)
O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O4 - HKLM..\Run: [ASUS Screen Saver Protector] C:\WINDOWS\AsScrPro.exe (ASUS)
O4 - HKLM..\Run: [AsusACPIServer] C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe (ASUSTeK Computer Inc.)
O4 - HKLM..\Run: [AsusEPCMonitor] C:\Program Files\EeePC\ACPI\AsEPCMon.exe (ASUSTeK Computer Inc.)
O4 - HKLM..\Run: [Autorun Eater] C:\Program Files\Autorun Eater\oldmcdonald.exe (Old McDonald's Farm)
O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [EasyMode] C:\Program Files\ASUS\Easy Mode\Easy Mode.exe ()
O4 - HKLM..\Run: [EeeStorageBackup] C:\Program Files\ASUS\Eee Storage\BackupService.exe (ECAREME)
O4 - HKLM..\Run: [IObit Security 360] C:\Program Files\IObit\IObit Security 360\IS360tray.exe (IObit)
O4 - HKLM..\Run: [LanguageShortcut] C:\Program Files\CyberLink\PowerDVD\Language\Language.exe ()
O4 - HKLM..\Run: [LiveUpdate] C:\Program Files\Asus\LiveUpdate\LiveUpdate.exe ()
O4 - HKLM..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PersistenceThread] C:\WINDOWS\system32\PersistenceThread.exe (Intel Corporation)
O4 - HKLM..\Run: [SynAsusAcpi] C:\Program Files\Synaptics\SynTP\SynAsusAcpi.exe (Synaptics Incorporated)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKCU..\Run: [Advanced SystemCare 3] C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe (IObit)
O4 - HKCU..\Run: [DAEMON Tools Pro Agent] C:\Program Files\DAEMON Tools Pro\DTProAgent.exe (DT Soft Ltd.)
O4 - HKCU..\Run: [Eee Docking] C:\Program Files\ASUS\Eee Docking\Eee Docking.exe ()
O4 - HKCU..\Run: [SRS Premium Sound] C:\Program Files\SRS Labs\SRS Premium Sound\SRSPremiumSoundBig_Small.exe (SRS Labs, Inc.)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage\ SuperHybridEngine.lnk = C:\Program Files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe (ASUSTeK Computer Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage\BTTray.lnk = C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 36
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = FF FF FF FF [binary data]
O8 - Extra context menu item: E&xporter vers Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Envoyer à Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O8 - Extra context menu item: Envoyer au périphérique &Bluetooth... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll (Google Inc.)
O9 - Extra Button: Ajout Direct - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Ajout Direct dans Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra Button: Envoyer à OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Envoyer à OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} http://download.bitd...can8/oscan8.cab (BDSCANONLINE Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1253191491827 (WUWebControl Class)
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Fichiers communs\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Fichiers communs\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Fichiers communs\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Fichiers communs\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Fichiers communs\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Fichiers communs\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Fichiers communs\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Fichiers communs\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Fichiers communs\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Fichiers communs\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Fichiers communs\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - Winlogon\Notify\igdlogin: DllName - igdlogin.dll - C:\WINDOWS\System32\igdlogin.dll ()
O24 - Desktop Components:0 (Ma page d'accueil) - About:Home
O24 - Desktop WallPaper: C:\Documents and Settings\Utilisateur\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Utilisateur\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/08 14:08:56 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2010/03/22 16:46:21 | 000,000,000 | RHSD | M] - C:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2010/03/22 16:46:22 | 000,000,000 | RHSD | M] - D:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2010/03/28 20:22:51 | 000,000,000 | RHSD | M] - E:\autorun.inf -- [ NTFS ]
O33 - MountPoints2\{7b6cd18a-a42d-11de-a10f-002243f4686f}\Shell\AutoRun\command - "" = USBVAULT\sys.exe
O33 - MountPoints2\{7b6cd18a-a42d-11de-a10f-002243f4686f}\Shell\explore\command - "" = USBVAULT/sys.exe
O33 - MountPoints2\{7b6cd18a-a42d-11de-a10f-002243f4686f}\Shell\open\command - "" = USBVAULT/sys.exe
O33 - MountPoints2\{fbfe23f8-1fc7-11df-a1dd-002243f4686f}\Shell\AutoRun\command - "" = H:\bitdecoy\bitdecoy32.exe -- File not found
O33 - MountPoints2\{fbfe23f8-1fc7-11df-a1dd-002243f4686f}\Shell\explore\command - "" = H:\bitdecoy\bitdecoy32.exe -- File not found
O33 - MountPoints2\{fbfe23f8-1fc7-11df-a1dd-002243f4686f}\Shell\open\command - "" = H:\.\bitdecoy\bitdecoy32.exe -- File not found
O33 - MountPoints2\E\Shell - "" = AutoRun
O33 - MountPoints2\E\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2009/06/08 14:08:13 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\system32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (13514191906275328)

========== Files/Folders - Created Within 14 Days ==========

[2010/03/28 20:18:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Autorun Eater
[2010/03/28 20:18:08 | 000,000,000 | ---D | C] -- C:\Program Files\Autorun Eater
[2010/03/28 20:14:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Utilisateur\Application Data\Malwarebytes
[2010/03/28 20:14:45 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/03/28 20:14:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/03/28 20:14:40 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/03/28 20:14:40 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/03/28 20:07:39 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/03/28 20:06:18 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/03/28 19:52:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Utilisateur\Bureau\Software Fix
[2010/03/28 19:51:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Utilisateur\Bureau\geeks2go
[2010/03/22 16:46:21 | 000,000,000 | RHSD | C] -- C:\autorun.inf
[2010/03/22 15:44:12 | 000,000,000 | ---D | C] -- C:\Program Files\Recuva
[2010/03/15 18:30:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Utilisateur\Application Data\IObit
[2010/03/15 16:24:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\IObit
[2010/03/15 16:24:28 | 000,000,000 | ---D | C] -- C:\Program Files\IObit
[2010/03/15 15:37:11 | 000,000,000 | -H-D | C] -- C:\$AVG
[2010/03/15 15:17:39 | 000,012,464 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
[2010/03/15 15:17:38 | 000,242,696 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
[2010/03/15 15:17:20 | 000,216,200 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys
[2010/03/15 15:17:19 | 000,029,512 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys
[2010/03/15 15:17:10 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\Avg
[2010/03/15 15:16:55 | 000,000,000 | ---D | C] -- C:\Program Files\AVG
[2010/03/15 15:16:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\avg9
[2010/03/15 15:14:45 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2010/03/15 15:14:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2010/03/15 15:14:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2010/03/15 15:14:44 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2010/03/15 14:10:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\BDOSCAN8
[2010/03/15 13:57:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Utilisateur\Application Data\QuickScan
[2010/01/30 10:54:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2010/01/29 12:13:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google

========== Files - Modified Within 14 Days ==========

[2010/03/28 20:46:49 | 001,102,144 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/03/28 20:46:49 | 000,504,226 | ---- | M] () -- C:\WINDOWS\System32\perfh00C.dat
[2010/03/28 20:46:49 | 000,435,908 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/03/28 20:46:49 | 000,082,172 | ---- | M] () -- C:\WINDOWS\System32\perfc00C.dat
[2010/03/28 20:46:49 | 000,068,804 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/03/28 20:42:33 | 000,001,050 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/03/28 20:42:15 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/03/28 20:42:10 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/03/28 20:41:08 | 008,912,896 | -H-- | M] () -- C:\Documents and Settings\Utilisateur\NTUSER.DAT
[2010/03/28 20:41:08 | 000,000,184 | -HS- | M] () -- C:\Documents and Settings\Utilisateur\ntuser.ini
[2010/03/28 20:41:03 | 011,825,712 | -H-- | M] () -- C:\Documents and Settings\Utilisateur\Local Settings\Application Data\IconCache.db
[2010/03/28 20:29:17 | 000,001,054 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/03/28 20:09:46 | 000,000,582 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/03/28 20:09:46 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/03/28 20:09:46 | 000,000,216 | RHS- | M] () -- C:\boot.ini
[2010/03/26 19:11:09 | 000,049,152 | ---- | M] () -- C:\Documents and Settings\Utilisateur\Bureau\_Questionnaire.doc
[2010/03/26 17:46:20 | 057,871,315 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2010/03/26 10:08:08 | 000,002,257 | ---- | M] () -- C:\Documents and Settings\All Users\Bureau\Skype.lnk
[2010/03/24 11:44:33 | 006,940,160 | ---- | M] () -- C:\Documents and Settings\Utilisateur\Mes documents\ca continue 2.doc
[2010/03/24 11:43:53 | 000,002,575 | ---- | M] () -- C:\Documents and Settings\Utilisateur\Bureau\Raccourci vers Microsoft Office Word 2007.lnk
[2010/03/24 11:34:06 | 009,834,496 | ---- | M] () -- C:\Documents and Settings\Utilisateur\Mes documents\Ca continue1.doc
[2010/03/24 08:44:42 | 000,842,757 | ---- | M] () -- C:\Documents and Settings\Utilisateur\Mes documents\Ma petite vie à Monterrey1.docx
[2010/03/22 16:44:09 | 003,125,248 | ---- | M] () -- C:\Documents and Settings\Utilisateur\Bureau\[000611].jpg
[2010/03/22 16:44:08 | 003,148,800 | ---- | M] () -- C:\Documents and Settings\Utilisateur\Bureau\[000609].jpg
[2010/03/22 15:44:16 | 000,001,512 | ---- | M] () -- C:\Documents and Settings\Utilisateur\Bureau\Recuva.lnk
[2010/03/21 22:09:25 | 000,000,396 | ---- | M] () -- C:\WINDOWS\tasks\SmartDefrag.job
[2010/03/19 16:37:52 | 000,033,792 | ---- | M] () -- C:\Documents and Settings\Utilisateur\Mes documents\troisième partie du mémoire.doc
[2010/03/19 14:48:41 | 000,069,236 | ---- | M] () -- C:\Documents and Settings\Utilisateur\Mes documents\17337_446054775256_664210256_10564820_6292310_n.jpg
[2010/03/15 18:48:04 | 000,000,792 | ---- | M] () -- C:\Documents and Settings\All Users\Bureau\Smart Defrag.lnk
[2010/03/15 18:30:30 | 000,000,874 | ---- | M] () -- C:\Documents and Settings\All Users\Bureau\Advanced SystemCare.lnk
[2010/03/15 17:55:07 | 000,331,221 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/03/15 17:53:59 | 000,331,221 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100315-175507.backup
[2010/03/15 16:24:40 | 000,000,733 | ---- | M] () -- C:\Documents and Settings\All Users\Bureau\IObit Security 360.lnk
[2010/03/15 15:31:40 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/03/15 15:17:39 | 000,012,464 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
[2010/03/15 15:17:39 | 000,001,507 | ---- | M] () -- C:\Documents and Settings\All Users\Bureau\AVG Free 9.0.lnk
[2010/03/15 15:17:38 | 000,242,696 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
[2010/03/15 15:17:20 | 000,216,200 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys
[2010/03/15 15:17:19 | 000,113,461 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\iavichjw.avm
[2010/03/15 15:17:19 | 000,029,512 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys
[2010/03/15 14:32:43 | 000,003,072 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT

========== Files Created - No Company Name ==========

[2010/03/26 19:11:07 | 000,049,152 | ---- | C] () -- C:\Documents and Settings\Utilisateur\Bureau\_Questionnaire.doc
[2010/03/24 11:44:32 | 006,940,160 | ---- | C] () -- C:\Documents and Settings\Utilisateur\Mes documents\ca continue 2.doc
[2010/03/24 11:34:03 | 009,834,496 | ---- | C] () -- C:\Documents and Settings\Utilisateur\Mes documents\Ca continue1.doc
[2010/03/24 08:44:38 | 000,842,757 | ---- | C] () -- C:\Documents and Settings\Utilisateur\Mes documents\Ma petite vie à Monterrey1.docx
[2010/03/22 16:44:09 | 003,125,248 | ---- | C] () -- C:\Documents and Settings\Utilisateur\Bureau\[000611].jpg
[2010/03/22 16:44:08 | 003,148,800 | ---- | C] () -- C:\Documents and Settings\Utilisateur\Bureau\[000609].jpg
[2010/03/22 15:44:16 | 000,001,512 | ---- | C] () -- C:\Documents and Settings\Utilisateur\Bureau\Recuva.lnk
[2010/03/19 14:48:40 | 000,069,236 | ---- | C] () -- C:\Documents and Settings\Utilisateur\Mes documents\17337_446054775256_664210256_10564820_6292310_n.jpg
[2010/03/15 18:48:36 | 000,000,396 | ---- | C] () -- C:\WINDOWS\tasks\SmartDefrag.job
[2010/03/15 18:48:04 | 000,000,792 | ---- | C] () -- C:\Documents and Settings\All Users\Bureau\Smart Defrag.lnk
[2010/03/15 18:30:30 | 000,000,874 | ---- | C] () -- C:\Documents and Settings\All Users\Bureau\Advanced SystemCare.lnk
[2010/03/15 16:24:40 | 000,000,733 | ---- | C] () -- C:\Documents and Settings\All Users\Bureau\IObit Security 360.lnk
[2010/03/15 15:17:39 | 000,001,507 | ---- | C] () -- C:\Documents and Settings\All Users\Bureau\AVG Free 9.0.lnk
[2010/03/15 15:17:19 | 000,113,461 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\iavichjw.avm
[2010/03/15 15:17:10 | 057,871,315 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2009/12/23 19:47:01 | 000,000,118 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2009/10/04 20:49:46 | 000,000,032 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\ezsid.dat
[2009/09/23 06:18:18 | 000,238,712 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2009/09/22 10:32:59 | 000,685,816 | ---- | C] () -- C:\WINDOWS\System32\drivers\sptd.sys
[2009/09/21 09:09:30 | 000,014,848 | ---- | C] () -- C:\Documents and Settings\Utilisateur\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/07/15 01:54:31 | 000,021,864 | ---- | C] () -- C:\WINDOWS\AsAcpiSvrLang.ini
[2009/07/15 01:54:31 | 000,012,208 | ---- | C] () -- C:\WINDOWS\AsTrayLang.ini
[2009/07/15 01:54:11 | 000,004,343 | ---- | C] () -- C:\WINDOWS\System32\lpgun.ini
[2009/07/15 01:54:00 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\igdlogin.dll
[2009/06/09 08:37:10 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2009/06/09 08:17:13 | 000,233,512 | R--- | C] () -- C:\WINDOWS\System32\drivers\SRS_PremiumSound_i386.sys
[2009/06/08 15:50:51 | 000,000,387 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2009/01/05 15:46:14 | 000,000,492 | ---- | C] () -- C:\WINDOWS\bdoscandellang.ini
[2008/12/05 01:07:42 | 002,854,976 | ---- | C] () -- C:\WINDOWS\System32\btwicons.dll
[2005/02/17 03:41:32 | 000,000,603 | ---- | C] () -- C:\WINDOWS\System32\BTNeighborhood.dll.manifest
[2005/02/17 03:41:30 | 000,000,593 | ---- | C] () -- C:\WINDOWS\System32\btcss.dll.manifest
[2001/11/14 04:56:00 | 001,802,240 | ---- | C] () -- C:\WINDOWS\System32\lcppn21.dll

========== LOP Check ==========

[2010/03/28 20:21:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Autorun Eater
[2010/03/15 16:27:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
[2009/09/22 10:52:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Pro
[2010/03/15 16:24:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\IObit
[2009/06/08 15:20:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Wireless LAN Card
[2009/06/15 03:09:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Utilisateur\Application Data\ASUS
[2009/09/22 10:48:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Utilisateur\Application Data\DAEMON Tools Pro
[2009/09/17 07:57:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Utilisateur\Application Data\EeeStorageUploader
[2010/03/15 21:59:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Utilisateur\Application Data\IObit
[2009/10/12 10:51:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Utilisateur\Application Data\OpenOffice.org
[2010/03/15 14:02:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Utilisateur\Application Data\QuickScan
[2010/03/21 22:09:25 | 000,000,396 | ---- | M] () -- C:\WINDOWS\Tasks\SmartDefrag.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2008/04/14 06:00:00 | 020,102,028 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2008/04/14 06:00:00 | 020,102,028 | ---- | M] () .cab file -- C:\WINDOWS\I386\sp3.cab:AGP440.sys

< MD5 for: ATAPI.SYS >
[2008/04/14 06:00:00 | 020,102,028 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/04/14 06:00:00 | 020,102,028 | ---- | M] () .cab file -- C:\WINDOWS\I386\sp3.cab:atapi.sys
[2008/04/14 06:00:00 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/14 06:00:00 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=4EC800BDF80521B0207BD2301DFC7D14 -- C:\WINDOWS\system32\dllcache\eventlog.dll
[2008/04/14 06:00:00 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=4EC800BDF80521B0207BD2301DFC7D14 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/14 06:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=04821179C3171554C1BD1F9888A113E2 -- C:\WINDOWS\system32\dllcache\netlogon.dll
[2008/04/14 06:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=04821179C3171554C1BD1F9888A113E2 -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: SCECLI.DLL >
[2008/04/14 06:00:00 | 000,187,392 | ---- | M] (Microsoft Corporation) MD5=973B36634C544948C663E8269AA1B3A3 -- C:\WINDOWS\system32\dllcache\scecli.dll
[2008/04/14 06:00:00 | 000,187,392 | ---- | M] (Microsoft Corporation) MD5=973B36634C544948C663E8269AA1B3A3 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >
[2009/09/22 10:32:59 | 000,685,816 | ---- | M] () Unable to obtain MD5 -- C:\WINDOWS\system32\drivers\sptd.sys

< %systemroot%\System32\config\*.sav >
[2009/06/08 15:57:49 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2009/06/08 15:57:49 | 001,069,056 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2009/06/08 15:57:49 | 000,438,272 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav
< End of report >

---------------

Extras:

OTL Extras logfile created on: 28/03/2010 20:55:13 - Run 1
OTL by OldTimer - Version 3.1.37.3 Folder = C:\Documents and Settings\Utilisateur\Bureau\geeks2go
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 0000040C | Country: France | Language: FRA | Date Format: dd/MM/yyyy

1 014,00 Mb Total Physical Memory | 314,00 Mb Available Physical Memory | 31,00% Memory free
2,00 Gb Paging File | 2,00 Gb Available in Paging File | 74,00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 82,82 Gb Total Space | 57,03 Gb Free Space | 68,86% Space Free | Partition Type: NTFS
Drive D: | 61,29 Gb Total Space | 61,22 Gb Free Space | 99,88% Space Free | Partition Type: NTFS
Drive E: | 232,88 Gb Total Space | 159,04 Gb Free Space | 68,29% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
Drive G: | 955,73 Mb Total Space | 955,72 Mb Free Space | 100,00% Space Free | Partition Type: FAT
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: YOUR-2NALM312DA
Current User Name: Utilisateur
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- C:\Program Files\VideoLAN\VLC\vlc.exe --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~3\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Directory [PlayWithVLC] -- C:\Program Files\VideoLAN\VLC\vlc.exe --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live FolderShare -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE" = C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE" = C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote -- (Microsoft Corporation)
"C:\Program Files\Real\RealPlayer\realplay.exe" = C:\Program Files\Real\RealPlayer\realplay.exe:*:Disabled:RealPlayer -- (RealNetworks, Inc.)
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live FolderShare -- (Microsoft Corporation)
"C:\Program Files\AVG\AVG9\avgupd.exe" = C:\Program Files\AVG\AVG9\avgupd.exe:*:Enabled:avgupd.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG9\avgnsx.exe" = C:\Program Files\AVG\AVG9\avgnsx.exe:*:Enabled:avgnsx.exe -- (AVG Technologies CZ, s.r.o.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{19F5658D-92E8-4A08-8657-D38ABB1574B2}" = Asus ACPI Driver
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Outil de téléchargement Windows Live
"{2075CB0A-D26F-4DAA-B424-5079296B43BA}" = Windows Live FolderShare
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{28006915-2739-4EBE-B5E8-49B25D32EB33}" = Atheros Client Installation Program
"{3108C217-BE83-42E4-AE9E-A56A2A92E549}" = Atheros Communications Inc.® AR81Family Gigabit/Fast Ethernet Driver
"{350C940c-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{38E5A3B1-ADF1-47E0-8024-76310A30EB36}" = LiveUpdate
"{3B160861-7250-451E-B5EE-8B92BF30A710}" = Microsoft Works
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{3FB39BED-37C8-4E60-8E02-315B8C2B07E3}" = USB2.0 UVC Camera Device
"{4634B21A-CC07-4396-890C-2B8168661FEA}" = Windows Live Writer
"{46ABBC54-1872-4AA3-95E2-F2C063A63F31}" = Installation Windows Live
"{47BACF74-5A07-48BD-BADB-A769550F0F5A}" = FontResizer
"{4B6B024F-F6D4-4A7B-8ADA-F9F8370320CC}" = SRS Premium Sound
"{4CBA3D4C-8F51-4D60-B27E-F6B641C571E7}" = Microsoft Search Enhancement Pack
"{587178E7-B1DF-494E-9838-FA4DD36E873C}" = ASUSUpdate for Eee PC
"{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}" = Skype™ 3.6
"{5DD76286-9BE7-4894-A990-E905E91AC818}" = Windows Live Mail
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{6860B340-530D-46B3-91F8-1AE1F70F7C33}" = OpenOffice.org 3.0
"{770F1BEC-2871-4E70-B837-FB8525FFA3B1}" = Windows Live Messenger
"{82C7B308-0BDD-49D8-8EA5-9CD3A3F9DF41}" = Windows Live Call
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{84814E6B-2581-46EC-926A-823BD1C670F6}" = WIDCOMM Bluetooth Software
"{88F08F98-12BC-4613-81A2-8F9B88CFC73E}" = Super Hybrid Engine
"{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)
"{8FC4F1DD-F7FD-4766-804D-3C8FF1D309AF}" = Azurewave Wireless LAN Card
"{90120000-0010-040C-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (French) 12
"{90120000-0015-040C-0000-0000000FF1CE}" = Microsoft Office Access MUI (French) 2007
"{90120000-0015-040C-0000-0000000FF1CE}_ENTERPRISE_{AE187E0D-EBA5-4EE1-A397-BF1A577CB24C}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-040C-0000-0000000FF1CE}" = Microsoft Office Excel MUI (French) 2007
"{90120000-0016-040C-0000-0000000FF1CE}_ENTERPRISE_{AE187E0D-EBA5-4EE1-A397-BF1A577CB24C}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-040C-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (French) 2007
"{90120000-0018-040C-0000-0000000FF1CE}_ENTERPRISE_{AE187E0D-EBA5-4EE1-A397-BF1A577CB24C}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-040C-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (French) 2007
"{90120000-0019-040C-0000-0000000FF1CE}_ENTERPRISE_{AE187E0D-EBA5-4EE1-A397-BF1A577CB24C}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-040C-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (French) 2007
"{90120000-001A-040C-0000-0000000FF1CE}_ENTERPRISE_{AE187E0D-EBA5-4EE1-A397-BF1A577CB24C}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-040C-0000-0000000FF1CE}" = Microsoft Office Word MUI (French) 2007
"{90120000-001B-040C-0000-0000000FF1CE}_ENTERPRISE_{AE187E0D-EBA5-4EE1-A397-BF1A577CB24C}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0401-0000-0000000FF1CE}" = Microsoft Office Proof (Arabic) 2007
"{90120000-001F-0401-0000-0000000FF1CE}_ENTERPRISE_{14809F99-C601-4D4A-9391-F1E8FAA964C5}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0407-0000-0000000FF1CE}" = Microsoft Office Proof (German) 2007
"{90120000-001F-0407-0000-0000000FF1CE}_ENTERPRISE_{A0516415-ED61-419A-981D-93596DA74165}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0413-0000-0000000FF1CE}" = Microsoft Office Proof (Dutch) 2007
"{90120000-001F-0413-0000-0000000FF1CE}_ENTERPRISE_{D66D5A44-E480-4BA4-B4F2-C554F6B30EBB}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-0020-040C-0000-0000000FF1CE}" = Module de compatibilité pour Microsoft Office System 2007
"{90120000-002C-040C-0000-0000000FF1CE}" = Microsoft Office Proofing (French) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0044-040C-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (French) 2007
"{90120000-0044-040C-0000-0000000FF1CE}_ENTERPRISE_{AE187E0D-EBA5-4EE1-A397-BF1A577CB24C}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-040C-0000-0000000FF1CE}" = Microsoft Office Shared MUI (French) 2007
"{90120000-006E-040C-0000-0000000FF1CE}_ENTERPRISE_{B165D3C2-40AE-4D39-86F7-E5C87C4264C0}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-040C-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (French) 2007
"{90120000-00A1-040C-0000-0000000FF1CE}_ENTERPRISE_{AE187E0D-EBA5-4EE1-A397-BF1A577CB24C}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00BA-040C-0000-0000000FF1CE}" = Microsoft Office Groove MUI (French) 2007
"{90120000-00BA-040C-0000-0000000FF1CE}_ENTERPRISE_{AE187E0D-EBA5-4EE1-A397-BF1A577CB24C}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91C25C4D-5484-411B-8891-F62EFEA02F54}_is1" = GamePark Console
"{95120000-00AF-040C-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (French)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{95120000-0122-040C-0000-0000000FF1CE}" = Microsoft Office Outlook Connector
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1036-7B44-A90000000001}" = Adobe Reader 9 - Français
"{B131E59D-202C-43C6-84C9-68F0C37541F1}" = Galerie de photos Windows Live
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B7A0CE06-068E-11D6-97FD-0050BACBF861}" = PowerProducer
"{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C72CA49A-9237-4810-8449-45DA3BD26D64}" = EzMessenger
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D5D81435-B8DE-4CAF-867F-7998F2B92CFC}" = Windows Live Contrôle parental
"{D806E63B-0C11-4061-8DA9-1E980FB9A9EB}" = Data Sync
"{DCE8CD14-FBF5-4464-B9A4-E18E473546C7}" = Assistant de connexion Windows Live
"{E2DFE069-083E-4631-9B6C-43C48E991DE5}" = Junk Mail filter update
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0DE168D-39C0-4378-BD45-C7D150DC5D0E}" = Easy Mode
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F7D27C70-90F5-49B9-B188-0A133C0CE353}" = Windows Live Toolbar
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Advanced SystemCare 3_is1" = Advanced SystemCare 3
"Autorun Eater_is1" = Autorun Eater v2.4
"AVG9Uninstall" = AVG Free 9.0
"DynGate" = DynGate
"Eee Docking_is1" = Eee Docking 1.3.4.0
"Eee Storage" = Eee Storage
"EeePC_1101HA" = EeePC_1101HA Screen Saver
"ENTERPRISE" = Microsoft Office Enterprise 2007
"ERUNT_is1" = ERUNT 1.1j
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"IObit Security 360_is1" = IObit Security 360
"LPCO" = Intel® Graphics Media Accelerator 500
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.5.8)" = Mozilla Firefox (3.5.8)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"RealPlayer 12.0" = RealPlayer
"Recuva" = Recuva
"Smart Defrag_is1" = Smart Defrag
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"TeamViewer" = TeamViewer
"VLC media player" = VLC media player 0.9.8a
"Wdf01007" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Lecteur Windows Media 11
"WinLiveSuite_Wave3" = Installation Windows Live
"WinRAR archiver" = Archiveur WinRAR
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 22/03/2010 19:29:16 | Computer Name = YOUR-2NALM312DA | Source = Google Update | ID = 20
Description =

Error - 22/03/2010 20:29:18 | Computer Name = YOUR-2NALM312DA | Source = Google Update | ID = 20
Description =

Error - 23/03/2010 15:29:15 | Computer Name = YOUR-2NALM312DA | Source = Google Update | ID = 20
Description =

Error - 23/03/2010 17:29:16 | Computer Name = YOUR-2NALM312DA | Source = Google Update | ID = 20
Description =

Error - 23/03/2010 18:29:15 | Computer Name = YOUR-2NALM312DA | Source = Google Update | ID = 20
Description =

Error - 28/03/2010 15:29:15 | Computer Name = YOUR-2NALM312DA | Source = Google Update | ID = 20
Description =

Error - 28/03/2010 16:29:14 | Computer Name = YOUR-2NALM312DA | Source = Google Update | ID = 20
Description =

Error - 28/03/2010 17:29:14 | Computer Name = YOUR-2NALM312DA | Source = Google Update | ID = 20
Description =

Error - 28/03/2010 21:29:29 | Computer Name = YOUR-2NALM312DA | Source = Google Update | ID = 20
Description =

Error - 28/03/2010 22:29:16 | Computer Name = YOUR-2NALM312DA | Source = Google Update | ID = 20
Description =

[ OSession Events ]
Error - 26/11/2009 21:31:55 | Computer Name = YOUR-2NALM312DA | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 9655
seconds with 1320 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 28/03/2010 21:57:38 | Computer Name = YOUR-2NALM312DA | Source = W32Time | ID = 39452689
Description = Fournisseur de temps NtpClient : une erreur s'est produite lors de
la recherche DNS de l'homologue manuellement configuré 'time.windows.com,0x1'. NtpClient
va essayer à nouveau la recherche DNS dans 15 minutes. L'erreur était : Une opération
a été tentée sur un hôte impossible à atteindre. (0x80072751)

Error - 28/03/2010 21:57:38 | Computer Name = YOUR-2NALM312DA | Source = W32Time | ID = 39452701
Description = Le fournisseur de temps NtpClient est configuré pour acquérir le temps
à partir d'une ou plusieurs sources de temps, cependant aucune source n'est actuellement
accessible. Aucune tentative pour en contacter une ne sera effectuée d'ici 14 minutes.
NtpClient
n'a pas de source de temps précis.

Error - 28/03/2010 22:12:24 | Computer Name = YOUR-2NALM312DA | Source = W32Time | ID = 39452689
Description = Fournisseur de temps NtpClient : une erreur s'est produite lors de
la recherche DNS de l'homologue manuellement configuré 'time.windows.com,0x1'. NtpClient
va essayer à nouveau la recherche DNS dans 15 minutes. L'erreur était : Une opération
a été tentée sur un hôte impossible à atteindre. (0x80072751)

Error - 28/03/2010 22:12:24 | Computer Name = YOUR-2NALM312DA | Source = W32Time | ID = 39452701
Description = Le fournisseur de temps NtpClient est configuré pour acquérir le temps
à partir d'une ou plusieurs sources de temps, cependant aucune source n'est actuellement
accessible. Aucune tentative pour en contacter une ne sera effectuée d'ici 14 minutes.
NtpClient
n'a pas de source de temps précis.

Error - 28/03/2010 22:27:13 | Computer Name = YOUR-2NALM312DA | Source = W32Time | ID = 39452689
Description = Fournisseur de temps NtpClient : une erreur s'est produite lors de
la recherche DNS de l'homologue manuellement configuré 'time.windows.com,0x1'. NtpClient
va essayer à nouveau la recherche DNS dans 30 minutes. L'erreur était : Une opération
a été tentée sur un hôte impossible à atteindre. (0x80072751)

Error - 28/03/2010 22:27:13 | Computer Name = YOUR-2NALM312DA | Source = W32Time | ID = 39452701
Description = Le fournisseur de temps NtpClient est configuré pour acquérir le temps
à partir d'une ou plusieurs sources de temps, cependant aucune source n'est actuellement
accessible. Aucune tentative pour en contacter une ne sera effectuée d'ici 29 minutes.
NtpClient
n'a pas de source de temps précis.

Error - 28/03/2010 22:43:36 | Computer Name = YOUR-2NALM312DA | Source = W32Time | ID = 39452689
Description = Fournisseur de temps NtpClient : une erreur s'est produite lors de
la recherche DNS de l'homologue manuellement configuré 'time.windows.com,0x1'. NtpClient
va essayer à nouveau la recherche DNS dans 15 minutes. L'erreur était : Une opération
a été tentée sur un hôte impossible à atteindre. (0x80072751)

Error - 28/03/2010 22:43:36 | Computer Name = YOUR-2NALM312DA | Source = W32Time | ID = 39452701
Description = Le fournisseur de temps NtpClient est configuré pour acquérir le temps
à partir d'une ou plusieurs sources de temps, cependant aucune source n'est actuellement
accessible. Aucune tentative pour en contacter une ne sera effectuée d'ici 14 minutes.
NtpClient
n'a pas de source de temps précis.

Error - 28/03/2010 22:58:25 | Computer Name = YOUR-2NALM312DA | Source = W32Time | ID = 39452689
Description = Fournisseur de temps NtpClient : une erreur s'est produite lors de
la recherche DNS de l'homologue manuellement configuré 'time.windows.com,0x1'. NtpClient
va essayer à nouveau la recherche DNS dans 30 minutes. L'erreur était : Une opération
a été tentée sur un hôte impossible à atteindre. (0x80072751)

Error - 28/03/2010 22:58:25 | Computer Name = YOUR-2NALM312DA | Source = W32Time | ID = 39452701
Description = Le fournisseur de temps NtpClient est configuré pour acquérir le temps
à partir d'une ou plusieurs sources de temps, cependant aucune source n'est actuellement
accessible. Aucune tentative pour en contacter une ne sera effectuée d'ici 30 minutes.
NtpClient
n'a pas de source de temps précis.


< End of report >

--------------------


Will there be problems with the language?

One more thing. I can't seem to delete all of the Microsoft.lnk files. It doesn't let me touch some of them.

Edited by Greki, 28 March 2010 - 09:37 PM.

  • 0

#6
RKinner
Posted 28 March 2010 - 10:50 PM

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
Download but do not yet run ComboFix
:!: If you have a previous version of Combofix.exe, delete it and download a fresh copy. :!:

:!: It must be saved to your desktop, do not run it :!:

:!: Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html


Download and Rename this file -- (call it george.exe ) to your Desktop -- from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Doubleclick on george to start the program.



* :!: Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.


* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix. Allow it to install the Recovery Console then Continue. When the scan completes Notepad will open with with your results log open. Do a File, Exit and answer 'Yes' to save changes.


A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

Re-activate your protection programs at this time :!:

I don't see any of the microsoft.lnk files in OTL. I assume they are older than 14 days. If you open OTL there is an option to set the File Age to 30, 60, or 90 days. Choose one that is appropriate for how long the infection has been there and then Quick Scan. Post that log too.

Ron
  • 0

#7
Greki
Posted 28 March 2010 - 11:58 PM

Greki

    Member

  • Topic Starter
  • Member
  • PipPip
  • 78 posts
Okay, I ran Combofix as requested and sometime during the middle of the scan the laptop seems to have shut down but the power button is flashing. Is that what you mean by Drive light?

Edited by Greki, 28 March 2010 - 11:58 PM.

  • 0

#8
RKinner
Posted 29 March 2010 - 12:06 AM

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
No, sounds like the laptop decided no one was using it so shut down to save power.

The drive light is usually a small LED that shows when the hard drive is being used.

Turn it back on again. Make sure it is plugged into the wall and go into the Control Panel and make sure the Power Options are set to allow it enough time without keyboard input to finish a scan (at least an hour or two.)

Ron
  • 0

#9
Greki
Posted 29 March 2010 - 12:10 AM

Greki

    Member

  • Topic Starter
  • Member
  • PipPip
  • 78 posts
It seems it just went into sleep mode. Combofix is still running after I started the session. Should I reboot and start again?

(Btw, it's been plugged in from the start).
  • 0

#10
RKinner
Posted 29 March 2010 - 01:13 AM

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
Best to give it a chance to finish tho normally it doesn't take but about 15 minutes.

Ron
  • 0

Advertisements

#11
Greki
Posted 29 March 2010 - 01:18 AM

Greki

    Member

  • Topic Starter
  • Member
  • PipPip
  • 78 posts
It doesn't take that long? Hmmm... it's still running.. or something like it.

When I looked for info on Combofix (I like to learn stuff) through the internet I found that Combofix is supposed to go through stages? This one isn't.

Nothing is happening on screen, just the Combofix window with the small hyphen blinking, but nothing else appears on the blue screen.

Edited by Greki, 29 March 2010 - 01:19 AM.

  • 0

#12
RKinner
Posted 29 March 2010 - 01:40 AM

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
Could be the going to sleep killed it.

Normally it starts by asking you if you want the Recovery Console. Remember tho that if your anti-virus is running when you download or copy combofix there is a good chance it will be eaten. McAfee especially loves to kill off vital parts of combofix but it's not the only one. If you are downloading it on a good pc make sure you turn the antivirus off on it too.

Once you install the Recovery Console you get a box from Microsoft that you have to agree to then it will start the scan. It will go through a lot of steps. Don't remember how many. Then it reboots and tells you it is preparing the report. Eventually a notepad file comes up.

Ron

PS Going to bed now.

Edited by RKinner, 29 March 2010 - 01:41 AM.

  • 0

#13
Greki
Posted 29 March 2010 - 01:48 AM

Greki

    Member

  • Topic Starter
  • Member
  • PipPip
  • 78 posts
Hmmm, I still don't have access to internet through the laptop since I don't have the cable you mentioned. I've done everything via USB. Is there a way to download the Recovery Control from this PC and then pass it over via USB, or is the internet connection absolutely needed?

I did, btw, turn off the antivirus over there, and I clicked yes on all disclaimer windows that you mentioned, but I didn't realize I needed to download something else because the messages were in French.

And when I ran the Combofix it did reboot and that blue screen with the blinking hyphen appeared, but nothing else has happened since, even before going to sleep.

Should I just turn it off for now, or first reset?

PS: Going to bed too.

PPS: I just rebooted it to then shut it down and I think we may need to start over again since both error messages appeared again. It seems the worm took advantage of the temporarily disabled AVG and spread again. Tomorrow I'll post the error messages.

Edited by Greki, 29 March 2010 - 02:12 AM.

  • 0

#14
RKinner
Posted 29 March 2010 - 08:01 AM

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
Forgot about the internet. You can tell Combofix that you don't want the recovery console and just let it run. What it sounds like is that System Restore kicked in and put the registry back to an earlier state. Probably because the sleep mode confused it.

The good thing is that this virus doesn't do much more than replicate. The only damage is turning off regedit and a few other management tools.

Ron
  • 0

#15
Greki
Posted 29 March 2010 - 02:00 PM

Greki

    Member

  • Topic Starter
  • Member
  • PipPip
  • 78 posts
Problem is, I've had System Restore off ever since I ran Stinger.

And I tried regedit after I rebooted it. It worked just fine and the Registry Entries I previously deleted weren't there. Something else that appears besides the errors is the msconfig box for some reason.

I'll place the errors with a rogue translation following:

Impossible de trouver le fichier script "C:\Documents and Settings\Utilisateur\database.mdb"

Could not find script file "C:\Documents and Settings\Utilisateur\database.mdb"

Échec du chargement du script "C:\WINDOWS\:Microsoft Office Update for Windows XP.sys" (Syntaxe du nom de fichier, de répertoire ou de volume incorrecte).

Failed to load script "C:\WINDOWS\:Microsoft Office Update for Windows XP.sys" (syntax filename, directory or volume error).

DTProAgent

This program requires at least Windows 2000 with SPTD 1.43 or higher. Kernel debugger must be deactivated.

The last one appeared exactly that way.

I'll do what you said with the Combofix in a while later (so I have to turn off the antivirus here too?). Unfortunately I got a three-year-old kid in my house and running that tool while she's here is definitely a bad idea.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP