[Xav038]

Hi,

my PC (Athlon 1800, WinXP home edition SP3) is considerably slew down and I have Google redirect issue randomly happening. Something similar happened to me once some months ago and I could get rid of it thanks to MBAM, following your cleaning guide's advice. But this time it seems it's worse, MBAM finds nothing.

I've followed all the steps in the guide:
1) TFC: done, all tempo files cleaned
2) Sysrestorepoint: done, restoration point created.
3) Erunt: done, registry saved.
4) MBAM: done, it found nothing. Here is the report:

=================================================
Malwarebytes' Anti-Malware 1.41
Database version: 2844
Windows 5.1.2600 Service Pack 3

22/09/2009 23:47:13
mbam-log-2009-09-22 (23-47-13).txt

Scan type: Quick Scan
Objects scanned: 98695
Time elapsed: 4 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

=================================================

5) Complete scan with my antivirus Trend Micro Internet Security > Done, it found nothing.
Another complete scan on line was made with bittdefender. It found nothing either.

6) Windows update: done

7) Reboot: nothing changed, research results are still redirected.

8) Rootkit detection: done. Here is the report:

=================================================
ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/22 23:57
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF59A8000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7A5D000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB763D000 Size: 49152 File Visible: No Signed: -
Status: -

Name: viaagp1.sys
Image Path: viaagp1.sys
Address: 0xF77C7000 Size: 27904 File Visible: - Signed: -
Status: Hidden from the Windows API!

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0x82aa3ce0

#: 043 Function Name: NtCreateMutant
Status: Hooked by "<unknown>" at address 0x82aa4e80

#: 047 Function Name: NtCreateProcess
Status: Hooked by "<unknown>" at address 0x82aa31e0

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "<unknown>" at address 0x82aa34a0

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x82aa4b40

#: 063 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0x82aa4260

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0x82aa4520

#: 097 Function Name: NtLoadDriver
Status: Hooked by "<unknown>" at address 0x82aa4ce0

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x82aa3760

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "<unknown>" at address 0x82aa5020

#: 247 Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0x82aa3fa0

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x82aa3a20

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x82aa49a0

==EOF==
=================================================

9) Diagnostic with OTL: done. No extra.txt file generated.
Content of OTL.txt:
=================================================
OTL logfile created on: 23/09/2009 00:17:54 - Run 2
OTL by OldTimer - Version 3.0.14.0 Folder = C:\Program Files\InstallationManuelle
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 0000040C | Country: France | Language: FRA | Date Format: dd/MM/yyyy

767,48 Mb Total Physical Memory | 439,55 Mb Available Physical Memory | 57,27% Memory free
1,83 Gb Paging File | 1,59 Gb Available in Paging File | 86,72% Paging File free
Paging file location(s): C:\pagefile.sys 1152 2304 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 48,83 Gb Total Space | 32,30 Gb Free Space | 66,15% Space Free | Partition Type: NTFS
Drive D: | 184,06 Gb Total Space | 34,38 Gb Free Space | 18,68% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 55,91 Gb Total Space | 36,58 Gb Free Space | 65,44% Space Free | Partition Type: NTFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HOME
Current User Name: Xavier
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Minimal
Quick Scan

========== Processes (SafeList) ==========

PRC - C:\WINDOWS\Explorer.EXE (Microsoft Corporation)
PRC - C:\WINDOWS\SOUNDMAN.EXE (Avance Logic, Inc.)
PRC - C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe (HP)
PRC - C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe ()
PRC - C:\Program Files\Microsoft IntelliPoint\ipoint.exe (Microsoft Corporation)
PRC - C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
PRC - C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (Trend Micro Inc.)
PRC - C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
PRC - C:\WINDOWS\System32\nvsvc32.exe (NVIDIA Corporation)
PRC - C:\WINDOWS\System32\wdfmgr.exe (Microsoft Corporation)
PRC - C:\Program Files\InstallationManuelle\OTL.exe (OldTimer Tools)

========== Win32 Services (SafeList) ==========

SRV - (Adobe LM Service [On_Demand | Stopped]) -- C:\Program Files\Fichiers communs\Adobe Systems Shared\Service\Adobelmsvc.exe (Adobe Systems)
SRV - (aspnet_state [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (Microsoft Corporation)
SRV - (clr_optimization_v2.0.50727_32 [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (FileZilla Server [On_Demand | Stopped]) -- C:\Program Files\FileZilla Server\FileZilla Server.exe (FileZilla Project)
SRV - (FontCache3.0.0.0 [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe (Microsoft Corporation)
SRV - (gusvc [On_Demand | Stopped]) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (Google)
SRV - (helpsvc [Auto | Running]) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)
SRV - (idsvc [Unknown | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe (Microsoft Corporation)
SRV - (JavaQuickStarterService [Auto | Running]) -- C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
SRV - (NetTcpPortSharing [Disabled | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe (Microsoft Corporation)
SRV - (NVSvc [Auto | Running]) -- C:\WINDOWS\System32\nvsvc32.exe (NVIDIA Corporation)
SRV - (SfCtlCom [Auto | Stopped]) -- C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe (Trend Micro Inc.)
SRV - (SolidWorks Licensing Service [On_Demand | Stopped]) -- C:\Program Files\Fichiers communs\SolidWorks Shared\Service\SolidWorksLicensing.exe (SolidWorks)
SRV - (TMBMServer [On_Demand | Stopped]) -- C:\Program Files\Trend Micro\BM\TMBMSRV.exe (Trend Micro Inc.)
SRV - (TmProxy [On_Demand | Stopped]) -- C:\Program Files\Trend Micro\Internet Security\TmProxy.exe (Trend Micro Inc.)
SRV - (UMWdf [Auto | Running]) -- C:\WINDOWS\System32\wdfmgr.exe (Microsoft Corporation)

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.startup.homepage: "http://www.google.fr"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.1.1
FF - prefs.js..extensions.enabledItems: {a7c6cf7f-112c-4500-a7ea-39801a327e5f}:1.0.5
FF - prefs.js..extensions.enabledItems: foxyproxy@eric.h.jung:2.14
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}:6.0.07
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}:6.0.11
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}:6.0.13
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}:6.0.15
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.1
FF - prefs.js..extensions.enabledItems: {25F8FED8-F566-4F63-8238-C4C5644BADBF}:1.0
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5.3
FF - prefs.js..network.proxy.http: "localhost"
FF - prefs.js..network.proxy.http_port: 4001


FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/06/25 18:44:07 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/02/08 11:55:05 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/09/12 16:45:08 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/09/12 16:45:08 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.23\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2009/09/12 13:38:59 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.23\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins [2009/05/28 00:03:53 | 00,000,000 | ---D | M]

[2008/08/28 00:22:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\mozilla\Extensions
[2008/08/28 00:22:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/09/22 23:36:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\mozilla\Firefox\Profiles\vfilafqj.default\extensions
[2009/06/25 18:37:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\mozilla\Firefox\Profiles\vfilafqj.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/09/12 17:31:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\mozilla\Firefox\Profiles\vfilafqj.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}
[2009/08/14 20:45:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\mozilla\Firefox\Profiles\vfilafqj.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2008/12/17 20:33:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\mozilla\Firefox\Profiles\vfilafqj.default\extensions\{dd3d7613-0246-469d-bc65-2a3cc1668adc}
[2009/08/22 13:43:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\mozilla\Firefox\Profiles\vfilafqj.default\extensions\foxyproxy@eric.h.jung
[2009/09/21 19:26:49 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/03/29 02:10:51 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{25F8FED8-F566-4F63-8238-C4C5644BADBF}
[2009/09/12 16:45:08 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2008/08/17 18:28:24 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
[2009/02/08 11:55:30 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
[2009/04/21 11:57:49 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
[2009/08/11 15:33:34 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
[2009/09/12 16:44:59 | 00,023,544 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/09/12 16:44:59 | 00,137,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2009/07/25 05:23:01 | 00,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeploytk.dll
[2007/10/20 02:54:06 | 00,717,312 | ---- | M] (DivX,Inc.) -- C:\Program Files\mozilla firefox\plugins\npdivx32.dll
[2007/10/20 02:54:50 | 00,098,304 | ---- | M] (DivX, Inc) -- C:\Program Files\mozilla firefox\plugins\npDivxPlayerPlugin.dll
[2007/10/11 15:17:50 | 01,435,688 | ---- | M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\plugins\npLegitCheckPlugin.dll
[2009/09/12 16:45:02 | 00,065,016 | ---- | M] (mozilla.org) -- C:\Program Files\mozilla firefox\plugins\npnul32.dll
[2001/09/10 03:47:38 | 00,103,344 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\mozilla firefox\plugins\nppdf32.dll
[2008/03/22 14:03:59 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin.dll
[2008/03/22 14:04:00 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll
[2008/03/22 14:04:00 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll
[2008/03/22 14:04:00 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll
[2008/03/22 14:04:00 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll
[2008/03/22 14:04:00 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin6.dll
[2008/03/22 14:04:00 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin7.dll
[2009/09/04 00:38:32 | 00,001,516 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazon-france.xml
[2009/09/04 00:38:32 | 00,001,822 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\cnrtl-tlfi-fr.xml
[2009/09/04 00:38:32 | 00,000,757 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-france.xml
[2009/09/04 00:38:32 | 00,002,371 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2008/08/28 00:22:22 | 00,000,748 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\MediaDICO-fr.xml
[2009/09/04 00:38:32 | 00,001,426 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-fr.xml
[2009/09/04 00:38:32 | 00,000,652 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-france.xml

O1 HOSTS File: (790 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx ()
O2 - BHO: (SolidConverter PDF) - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidConverterPDF\ExploreExtPDF.dll (VoyagerSoft, LLC)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (SolidConverter PDF) - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidConverterPDF\ExploreExtPDF.dll (VoyagerSoft, LLC)
O4 - HKLM..\Run: [HP Lamp] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe ()
O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe (HP)
O4 - HKLM..\Run: [IntelliPoint] C:\Program Files\Microsoft IntelliPoint\ipoint.exe (Microsoft Corporation)
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\System32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE (Avance Logic, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [UfSeAgnt.exe] C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe (Trend Micro Inc.)
O4 - HKCU..\Run: [C:\Program Files\NetMeter\NetMeter.exe] C:\Program Files\NetMeter\NetMeter.exe ()
O4 - HKCU..\Run: [DeeEnEs] C:\PROGRAM FILES\DEEENES\DEEENES.EXE (Peas Inc.)
O4 - HKCU..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O4 - HKCU..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (Trend Micro Inc.)
O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\MBAM\mbamgui.exe (Malwarebytes Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage\Alarm Manager.LNK = C:\Program Files\Palm\AlarmApp.exe (Palm, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O9 - Extra 'Tools' menuitem : Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe ()
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINDOWS\System32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINDOWS\System32\rsvpsp.dll (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: microsoft.com ([*.windowsupdate] http in Sites de confiance)
O15 - HKCU\..Trusted Domains: microsoft.com ([*.windowsupdate] https in Sites de confiance)
O15 - HKCU\..Trusted Domains: windowsupdate.com ([download] http in Sites de confiance)
O15 - HKCU\..Trusted Domains: 2 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://www.apple.com...ex/qtplugin.cab (QuickTime Object)
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} http://picasaweb.goo...0/uploader2.cab (UploadListView Class)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} http://download.bitdefender.com/resources/...can8/oscan8.cab (BDSCANONLINE Control)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1243272502906 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 212.27.40.241 212.27.40.240
O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Fichiers communs\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Fichiers communs\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Fichiers communs\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Fichiers communs\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Fichiers communs\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Fichiers communs\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Fichiers communs\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O24 - Desktop Components:0 (Ma page d'accueil) - About:Home
O29 - HKLM SecurityProviders - (mcenspc.dll) - File not found
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/11/07 19:28:07 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O34 - HKLM BootExecute: (MACHINE) - File not found
O34 - HKLM BootExecute: (BootExecut) - File not found

========== Files/Folders - Created Within 14 Days ==========

[2009/09/12 19:22:40 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Xavier\Application Data\SunODFPluginforMicrosoftOffice
[2009/09/12 19:15:27 | 00,000,000 | ---D | C] -- C:\Program Files\Sun
[2009/09/09 12:54:03 | 00,001,355 | ---- | C] () -- C:\WINDOWS\imsins.BAK

========== Files - Modified Within 14 Days ==========

[2009/09/22 23:51:40 | 00,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/09/22 23:24:35 | 08,405,015 | ---- | M] () -- C:\WINDOWS\TempFile
[2009/09/22 23:24:33 | 00,081,496 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2009/09/22 23:24:16 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/09/22 23:24:10 | 80,483,5328 | -HS- | M] () -- C:\hiberfil.sys
[2009/09/21 22:46:51 | 00,000,049 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2009/09/20 22:49:42 | 00,000,030 | ---- | M] () -- C:\WINDOWS\Iedit.INI
[2009/09/16 11:24:14 | 00,000,116 | ---- | M] () -- C:\WINDOWS\ConverterCore.INI
[2009/09/10 14:54:06 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/09/10 14:53:50 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/09/09 12:54:23 | 00,001,355 | ---- | M] () -- C:\WINDOWS\imsins.BAK

========== LOP Check ==========

[2009/09/05 12:35:16 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\All Users\Application Data
[2009/03/07 17:32:07 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{51019853-129C-4EDE-9030-D5FD7BBD9AD0}
[2008/11/05 12:09:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DassaultSystemes
[2009/04/16 17:37:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DVD Shrink
[2007/11/10 00:57:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ulead Systems
[2009/03/22 19:43:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WhereIsIt
[2009/09/12 19:22:40 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\Xavier\Application Data
[2007/11/09 23:46:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\AccurateRip
[2009/06/06 19:24:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\AdSigner
[2008/11/05 12:09:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\DassaultSystemes
[2009/07/18 01:14:27 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\dvdcss
[2008/10/04 11:41:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\DWGeditor
[2009/09/07 19:26:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\ImgBurn
[2007/11/10 00:54:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\InterTrust
[2007/11/09 02:14:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\InterVideo
[2007/11/20 13:15:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\JAM Software
[2007/11/08 02:39:47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\Leadertech
[2007/11/11 02:39:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\LEAPS
[2007/11/11 02:27:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\Pegasys Inc
[2009/03/04 17:23:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\sldIM
[2009/09/22 23:52:14 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\SolidDocuments
[2009/07/14 11:03:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\SolidWorks
[2008/02/27 16:40:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\Thunderbird
[2007/11/10 00:58:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\Ulead Systems
[2008/11/04 14:21:25 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\uniblue
[2009/09/20 00:59:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\uTorrent
[2007/11/08 21:22:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\uTorrent.old
[2006/03/02 14:00:00 | 00,000,065 | RH-- | M] () -- C:\WINDOWS\Tasks\desktop.ini
[2009/03/19 10:00:00 | 00,000,194 | ---- | M] () -- C:\WINDOWS\Tasks\lame.job
[2009/04/01 10:19:00 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\Tasks\SA.DAT

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >

< %systemroot%\system32\eventlog.dll >
[2008/04/14 04:33:24 | 00,056,320 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\eventlog.dll

< %systemroot%\system32\scecli.dll >
[2008/04/14 04:33:40 | 00,187,392 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\netlogon.dll >

< %systemroot%\system32\cngaudit.dll >

< %systemroot%\system32\sceclt.dll >

< %systemroot%\ntelogon.dll >

< %systemroot%\system32\logevent.dll >
< End of report >
=================================================

[handhfan]

Hello, Xav038, and welcome to GeeksToGo!

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  
• Double click on ComboFix.exe & follow the prompts.
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

[Xav038]

Thank you for your help, handhfan. Much appreciated!

I ran combofix. It installed the recovery console and did the scan. Two concerns: after the PC was rebooted and while combofix was terminating the job, Trend Micro Internet Security was launched automatically and poped one warning message telling that a new service catchme.cfxxe was trying to be installed then a second one about a process NRCMD.exe

These popups dispeared without me confirming or forbidding them to work, so i don't know whether these processes were legit or not and, if yes, if they could work.

Here is the combofix report:

ComboFix 09-09-25.01 - Xavier 27/09/2009 13:56.1.1 - NTFSx86
Microsoft Windows XP Édition familiale 5.1.2600.3.1252.33.1036.18.767.451 [GMT 2:00]
Lancé depuis: c:\tempo\Softs\A graver\SysUtils\ComboFix.exe
AV: Trend Micro Internet Security *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
* Un nouveau point de restauration a été créé
.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Mozilla Firefox\extensions\{25F8FED8-F566-4F63-8238-C4C5644BADBF}
c:\program files\Mozilla Firefox\extensions\{25F8FED8-F566-4F63-8238-C4C5644BADBF}\chrome.manifest
c:\program files\Mozilla Firefox\extensions\{25F8FED8-F566-4F63-8238-C4C5644BADBF}\chrome\content\overlay.xul
c:\program files\Mozilla Firefox\extensions\{25F8FED8-F566-4F63-8238-C4C5644BADBF}\install.rdf
c:\windows\AUTOLNCH.REG
c:\windows\Downloaded Program Files\bdcore.dll
c:\windows\Downloaded Program Files\libfn.dll
c:\windows\Installer\18d98.msi
c:\windows\Installer\49b93.msi
c:\windows\system32\Ijl11.dll
c:\windows\system32\ovfsthpappevdkriltiqjnipfuxdlmswrqxfuw.db
c:\windows\system32\test.ttt
c:\windows\system32\uniq.tll

.
((((((((((((((((((((((((((((((((((((((( Pilotes/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ovfsthlwmiqjwbppbowfpxxnbsivbwryteptkj
-------\Service_ovfsthlwmiqjwbppbowfpxxnbsivbwryteptkj


((((((((((((((((((((((((((((( Fichiers créés du 2009-08-27 au 2009-09-27 ))))))))))))))))))))))))))))))))))))
.

2009-09-12 17:22 . 2009-09-12 17:22 -------- d-----w- c:\documents and settings\Xavier\Application Data\SunODFPluginforMicrosoftOffice
2009-09-12 17:15 . 2009-09-12 17:15 -------- d-----w- c:\program files\Sun
2009-09-12 15:31 . 2008-02-17 15:16 90112 ----a-w- c:\documents and settings\Xavier\Application Data\Mozilla\Firefox\Profiles\vfilafqj.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
2009-09-12 15:31 . 2007-12-28 09:15 172032 ----a-w- c:\documents and settings\Xavier\Application Data\Mozilla\Firefox\Profiles\vfilafqj.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\puttygen.exe
2009-09-12 15:31 . 2007-10-07 23:57 307200 ----a-w- c:\documents and settings\Xavier\Application Data\Mozilla\Firefox\Profiles\vfilafqj.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\psftp.exe
2009-09-09 10:52 . 2009-06-21 21:47 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-09-07 17:23 . 2009-09-07 17:23 -------- d-----w- c:\program files\CCleaner
2009-09-05 10:36 . 2009-09-05 10:25 59920 ----a-w- c:\windows\system32\drivers\tmactmon.sys
2009-09-05 10:36 . 2009-09-05 10:25 50704 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys
2009-09-05 10:36 . 2009-09-05 10:25 158224 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-09-05 10:35 . 2009-09-05 10:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Trend Micro
2009-09-05 10:30 . 2009-09-05 10:34 -------- d-----w- c:\documents and settings\Xavier\Local Settings\Application Data\Trend Micro
2009-09-05 10:25 . 2009-09-05 10:25 225808 ----a-w- c:\windows\system32\drivers\tmxpflt.sys
2009-09-05 10:25 . 2009-09-05 10:25 1223832 ----a-w- c:\windows\system32\drivers\vsapint.sys
2009-09-05 10:25 . 2009-09-05 10:25 89872 ----a-w- c:\windows\system32\drivers\tmtdi.sys
2009-09-05 10:25 . 2009-09-05 10:25 36368 ----a-w- c:\windows\system32\drivers\tmpreflt.sys

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-27 11:51 . 2007-11-07 20:52 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-09-27 11:39 . 2008-02-10 11:07 -------- d-----w- c:\documents and settings\Xavier\Application Data\SolidDocuments
2009-09-27 11:25 . 2008-10-20 10:02 -------- d-----w- c:\program files\InstallationManuelle
2009-09-24 23:57 . 2007-11-08 19:23 -------- d-----w- c:\documents and settings\Xavier\Application Data\uTorrent
2009-09-22 21:31 . 2009-05-25 15:52 -------- d-----w- c:\program files\MBAM
2009-09-10 12:54 . 2009-05-25 15:52 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 12:53 . 2009-05-25 15:52 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-07 17:26 . 2007-11-11 23:25 -------- d-----w- c:\documents and settings\Xavier\Application Data\ImgBurn
2009-09-05 10:36 . 2008-11-17 11:51 -------- d-----w- c:\program files\Trend Micro
2009-08-29 09:22 . 2007-11-07 20:45 -------- d-----w- c:\program files\mpad35
2009-08-20 22:53 . 2008-07-29 13:17 -------- d-----w- c:\program files\Google
2009-08-16 10:28 . 2009-07-17 22:54 -------- d-----w- c:\documents and settings\Xavier\Application Data\vlc
2009-08-11 13:33 . 2007-11-11 22:11 -------- d-----w- c:\program files\Java
2009-08-11 13:31 . 2009-08-11 13:31 152576 ----a-w- c:\documents and settings\Xavier\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-05 09:00 . 2006-03-02 12:00 205312 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-25 03:23 . 2009-02-08 09:55 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-17 19:03 . 2006-03-02 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 08:08 . 2006-03-02 12:00 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-10 12:53 . 2009-07-10 12:53 0 ----a-w- c:\documents and settings\Xavier\ntuser.tmp
2009-07-09 18:28 . 2009-03-10 11:00 10752 ----a-w- c:\windows\DCEBoot.exe
.

((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DeeEnEs"="c:\program files\DEEENES\DEEENES.EXE" [2005-01-01 151552]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"c:\program files\NetMeter\NetMeter.exe"="c:\program files\NetMeter\NetMeter.exe" [2007-08-11 331264]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2009-09-05 492808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-11 7630848]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-11 86016]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-03-18 188416]
"HP Lamp"="c:\program files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe" [1998-11-24 42496]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2005-12-04 461584]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-02-17 385024]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-09-05 1020248]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-08-11 1519616]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2002-06-14 46592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2009-09-05 492808]

c:\documents and settings\All Users\Menu D‚marrer\Programmes\D‚marrage\
Alarm Manager.LNK - c:\program files\Palm\AlarmApp.exe [2002-8-16 274432]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"FileZilla Server Interface"="c:\program files\FileZilla Server\FileZilla Server Interface.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=

R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [05/09/2009 12:25 36368]
R3 hpusbfd;Hewlett-Packard USB Filter Class;c:\windows\system32\drivers\hpusbfd.sys [07/11/2007 21:34 7552]
R3 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [05/09/2009 12:36 50704]
R3 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [05/09/2009 12:36 689416]
S1 f0c80f63;f0c80f63;c:\windows\system32\drivers\f0c80f63.sys --> c:\windows\system32\drivers\f0c80f63.sys [?]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\f:\ntglm7x.sys --> f:\NTGLM7X.sys [?]
.
Contenu du dossier 'Tâches planifiées'

2009-03-19 c:\windows\Tasks\lame.job
- c:\windows\lame.ax [2007-11-08 09:23]
.
.
------- Examen supplémentaire -------
.
uStart Page = hxxp://www.google.fr/
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
Trusted Zone: microsoft.com\*.windowsupdate
Trusted Zone: windowsupdate.com\download
FF - ProfilePath - c:\documents and settings\Xavier\Application Data\Mozilla\Firefox\Profiles\vfilafqj.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.fr
FF - component: c:\documents and settings\Xavier\Application Data\Mozilla\Firefox\Profiles\vfilafqj.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- PARAMETRES FIREFOX ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-27 14:03
Windows 5.1.2600 Service Pack 3 NTFS

Recherche de processus cachés ...

Recherche d'éléments en démarrage automatique cachés ...

Recherche de fichiers cachés ...

Scan terminé avec succès
Fichiers cachés: 0

**************************************************************************
.
--------------------- CLES DE REGISTRE BLOQUEES ---------------------

[HKEY_USERS\S-1-5-21-776561741-2000478354-725345543-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•9~*]
"5E7CEC10DF0760D4F8DAFB12FDC06CCD"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}\\Registered"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•9~*]
"5E7CEC10DF0760D4F8DAFB12FDC06CCD"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}\\Registered"
.
--------------------- DLLs chargées dans les processus actifs ---------------------

- - - - - - - > 'explorer.exe'(3832)
c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEHook.dll
c:\windows\system32\eappprxy.dll
.
------------------------ Autres processus actifs ------------------------
.
c:\windows\system32\rundll32.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Trend Micro\Internet Security\SfCtlCom.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\program files\Trend Micro\BM\TMBMSRV.exe
c:\program files\Mozilla Firefox\firefox.exe
.
**************************************************************************
.
Heure de fin: 2009-09-27 14:11 - La machine a redémarré
ComboFix-quarantined-files.txt 2009-09-27 12:09

Avant-CF: 34 678 288 384 octets libres
Après-CF: 34 609 451 008 octets libres

WindowsXP-KB310994-SP2-Home-BootDisk-FRA.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP �dition familiale" /noexecute=optin /fastdetect

Current=2 Default=2 Failed=3 LastKnownGood=4 Sets=1,2,3,4
181 --- E O F --- 2009-09-09 10:54

[Xav038]

[bleep]! I just realised this...

I'm ashamed I didn't pay attention to your warning saying that combofix had to be saved on the desktop. It actually was saved in and ran from a tempo folder on drive c.

Is it OK nevertheless, or must I move it to the desktop and run it again?

Sorry for my stupidity.

Xav

[handhfan]

Nothing too major, as long as you know where it is.

Please post a new OTL log.

Are you still being redirected?

[Xav038]

It seems not, but it's hard to be sure: as I said, this redirection happened randomly. Sometimes it was "asleep" for weeks, then sudently I was being redirected half of the time.

Here is the new OTL report:


OTL logfile created on: 27/09/2009 20:15:59 - Run 3
OTL by OldTimer - Version 3.0.14.0 Folder = C:\Program Files\InstallationManuelle
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 0000040C | Country: France | Language: FRA | Date Format: dd/MM/yyyy

767,48 Mb Total Physical Memory | 453,07 Mb Available Physical Memory | 59,03% Memory free
1,83 Gb Paging File | 1,60 Gb Available in Paging File | 87,14% Paging File free
Paging file location(s): C:\pagefile.sys 1152 2304 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 48,83 Gb Total Space | 32,26 Gb Free Space | 66,06% Space Free | Partition Type: NTFS
Drive D: | 184,06 Gb Total Space | 32,77 Gb Free Space | 17,80% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 55,91 Gb Total Space | 34,95 Gb Free Space | 62,51% Space Free | Partition Type: NTFS
Drive H: | 1,95 Gb Total Space | 0,98 Gb Free Space | 50,12% Space Free | Partition Type: FAT
I: Drive not present or media not loaded

Computer Name: HOME
Current User Name: Xavier
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Minimal
Quick Scan

========== Processes (SafeList) ==========

PRC - C:\WINDOWS\Explorer.EXE (Microsoft Corporation)
PRC - C:\WINDOWS\SOUNDMAN.EXE (Avance Logic, Inc.)
PRC - C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe (HP)
PRC - C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe ()
PRC - C:\Program Files\Microsoft IntelliPoint\ipoint.exe (Microsoft Corporation)
PRC - C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
PRC - C:\PROGRAM FILES\DEEENES\DEEENES.EXE (Peas Inc.)
PRC - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
PRC - C:\Program Files\NetMeter\NetMeter.exe ()
PRC - C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (Trend Micro Inc.)
PRC - C:\Program Files\Palm\AlarmApp.exe (Palm, Inc.)
PRC - C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
PRC - C:\WINDOWS\System32\nvsvc32.exe (NVIDIA Corporation)
PRC - C:\WINDOWS\System32\wdfmgr.exe (Microsoft Corporation)
PRC - C:\WINDOWS\System32\wscntfy.exe (Microsoft Corporation)
PRC - C:\Program Files\InstallationManuelle\OTL.exe (OldTimer Tools)

========== Win32 Services (SafeList) ==========

SRV - (Adobe LM Service [On_Demand | Stopped]) -- C:\Program Files\Fichiers communs\Adobe Systems Shared\Service\Adobelmsvc.exe (Adobe Systems)
SRV - (aspnet_state [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (Microsoft Corporation)
SRV - (clr_optimization_v2.0.50727_32 [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (FileZilla Server [On_Demand | Stopped]) -- C:\Program Files\FileZilla Server\FileZilla Server.exe (FileZilla Project)
SRV - (FontCache3.0.0.0 [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe (Microsoft Corporation)
SRV - (gusvc [On_Demand | Stopped]) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (Google)
SRV - (helpsvc [Auto | Running]) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)
SRV - (idsvc [Unknown | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe (Microsoft Corporation)
SRV - (JavaQuickStarterService [Auto | Running]) -- C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
SRV - (NetTcpPortSharing [Disabled | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe (Microsoft Corporation)
SRV - (NVSvc [Auto | Running]) -- C:\WINDOWS\System32\nvsvc32.exe (NVIDIA Corporation)
SRV - (SfCtlCom [Auto | Stopped]) -- C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe (Trend Micro Inc.)
SRV - (SolidWorks Licensing Service [On_Demand | Stopped]) -- C:\Program Files\Fichiers communs\SolidWorks Shared\Service\SolidWorksLicensing.exe (SolidWorks)
SRV - (TMBMServer [On_Demand | Stopped]) -- C:\Program Files\Trend Micro\BM\TMBMSRV.exe (Trend Micro Inc.)
SRV - (TmProxy [On_Demand | Stopped]) -- C:\Program Files\Trend Micro\Internet Security\TmProxy.exe (Trend Micro Inc.)
SRV - (UMWdf [Auto | Running]) -- C:\WINDOWS\System32\wdfmgr.exe (Microsoft Corporation)

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.startup.homepage: "http://www.google.fr"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.1.1
FF - prefs.js..extensions.enabledItems: {a7c6cf7f-112c-4500-a7ea-39801a327e5f}:1.0.5
FF - prefs.js..extensions.enabledItems: foxyproxy@eric.h.jung:2.14
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}:6.0.07
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}:6.0.11
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}:6.0.13
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}:6.0.15
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.1
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5.3
FF - prefs.js..network.proxy.http: "localhost"
FF - prefs.js..network.proxy.http_port: 4001


FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/06/25 18:44:07 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/02/08 11:55:05 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/09/12 16:45:08 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/09/12 16:45:08 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.23\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2009/09/12 13:38:59 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.23\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins [2009/05/28 00:03:53 | 00,000,000 | ---D | M]

[2008/08/28 00:22:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\mozilla\Extensions
[2008/08/28 00:22:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/09/27 16:38:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\mozilla\Firefox\Profiles\vfilafqj.default\extensions
[2009/06/25 18:37:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\mozilla\Firefox\Profiles\vfilafqj.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/09/12 17:31:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\mozilla\Firefox\Profiles\vfilafqj.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}
[2009/08/14 20:45:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\mozilla\Firefox\Profiles\vfilafqj.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2008/12/17 20:33:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\mozilla\Firefox\Profiles\vfilafqj.default\extensions\{dd3d7613-0246-469d-bc65-2a3cc1668adc}
[2009/08/22 13:43:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\mozilla\Firefox\Profiles\vfilafqj.default\extensions\foxyproxy@eric.h.jung
[2009/09/27 16:38:30 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/09/12 16:45:08 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2008/08/17 18:28:24 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
[2009/02/08 11:55:30 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
[2009/04/21 11:57:49 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
[2009/08/11 15:33:34 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
[2009/09/12 16:44:59 | 00,023,544 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/09/12 16:44:59 | 00,137,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2009/07/25 05:23:01 | 00,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeploytk.dll
[2007/10/20 02:54:06 | 00,717,312 | ---- | M] (DivX,Inc.) -- C:\Program Files\mozilla firefox\plugins\npdivx32.dll
[2007/10/20 02:54:50 | 00,098,304 | ---- | M] (DivX, Inc) -- C:\Program Files\mozilla firefox\plugins\npDivxPlayerPlugin.dll
[2007/10/11 15:17:50 | 01,435,688 | ---- | M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\plugins\npLegitCheckPlugin.dll
[2009/09/12 16:45:02 | 00,065,016 | ---- | M] (mozilla.org) -- C:\Program Files\mozilla firefox\plugins\npnul32.dll
[2001/09/10 03:47:38 | 00,103,344 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\mozilla firefox\plugins\nppdf32.dll
[2008/03/22 14:03:59 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin.dll
[2008/03/22 14:04:00 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll
[2008/03/22 14:04:00 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll
[2008/03/22 14:04:00 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll
[2008/03/22 14:04:00 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll
[2008/03/22 14:04:00 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin6.dll
[2008/03/22 14:04:00 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin7.dll
[2009/09/04 00:38:32 | 00,001,516 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazon-france.xml
[2009/09/04 00:38:32 | 00,001,822 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\cnrtl-tlfi-fr.xml
[2009/09/04 00:38:32 | 00,000,757 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-france.xml
[2009/09/04 00:38:32 | 00,002,371 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2008/08/28 00:22:22 | 00,000,748 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\MediaDICO-fr.xml
[2009/09/04 00:38:32 | 00,001,426 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-fr.xml
[2009/09/04 00:38:32 | 00,000,652 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-france.xml

O1 HOSTS File: (27 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx ()
O2 - BHO: (SolidConverter PDF) - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidConverterPDF\ExploreExtPDF.dll (VoyagerSoft, LLC)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (SolidConverter PDF) - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidConverterPDF\ExploreExtPDF.dll (VoyagerSoft, LLC)
O4 - HKLM..\Run: [HP Lamp] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe ()
O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe (HP)
O4 - HKLM..\Run: [IntelliPoint] C:\Program Files\Microsoft IntelliPoint\ipoint.exe (Microsoft Corporation)
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\System32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE (Avance Logic, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [UfSeAgnt.exe] C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe (Trend Micro Inc.)
O4 - HKCU..\Run: [C:\Program Files\NetMeter\NetMeter.exe] C:\Program Files\NetMeter\NetMeter.exe ()
O4 - HKCU..\Run: [DeeEnEs] C:\PROGRAM FILES\DEEENES\DEEENES.EXE (Peas Inc.)
O4 - HKCU..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O4 - HKCU..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (Trend Micro Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage\Alarm Manager.LNK = C:\Program Files\Palm\AlarmApp.exe (Palm, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O9 - Extra 'Tools' menuitem : Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe ()
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINDOWS\System32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINDOWS\System32\rsvpsp.dll (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: microsoft.com ([*.windowsupdate] http in Sites de confiance)
O15 - HKCU\..Trusted Domains: microsoft.com ([*.windowsupdate] https in Sites de confiance)
O15 - HKCU\..Trusted Domains: windowsupdate.com ([download] http in Sites de confiance)
O15 - HKCU\..Trusted Domains: 2 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://www.apple.com...ex/qtplugin.cab (QuickTime Object)
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} http://picasaweb.goo...0/uploader2.cab (UploadListView Class)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} http://download.bitdefender.com/resources/...can8/oscan8.cab (BDSCANONLINE Control)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1243272502906 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 212.27.40.241 212.27.40.240
O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Fichiers communs\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Fichiers communs\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Fichiers communs\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Fichiers communs\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Fichiers communs\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Fichiers communs\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Fichiers communs\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O24 - Desktop Components:0 (Ma page d'accueil) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/11/07 19:28:07 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

NetSvcs: 6to4 - Service key not found. File not found
NetSvcs: Ias - Service key not found. File not found
NetSvcs: Iprip - Service key not found. File not found
NetSvcs: Irmon - Service key not found. File not found
NetSvcs: NWCWorkstation - Service key not found. File not found
NetSvcs: Nwsapagent - Service key not found. File not found
NetSvcs: Wmi - C:\WINDOWS\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - Service key not found. File not found
NetSvcs: helpsvc - C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)

========== Files/Folders - Created Within 14 Days ==========

[2009/09/27 14:01:29 | 00,000,000 | ---D | C] -- C:\WINDOWS\temp
[2009/09/27 13:55:06 | 00,000,216 | ---- | C] () -- C:\Boot.bak
[2009/09/27 13:55:01 | 00,263,488 | ---- | C] () -- C:\cmldr
[2009/09/27 13:54:58 | 00,000,000 | RHSD | C] -- C:\cmdcons
[2009/09/27 13:53:59 | 00,229,888 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2009/09/27 13:53:59 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2009/09/27 13:53:59 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2009/09/27 13:53:59 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2009/09/27 13:53:59 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2009/09/27 13:53:59 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2009/09/27 13:53:59 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009/09/27 13:53:59 | 00,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2009/09/27 13:53:54 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/09/27 13:52:49 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/09/26 18:03:12 | 00,054,156 | -H-- | C] () -- C:\WINDOWS\QTFont.qfn
[2009/09/26 18:03:12 | 00,001,409 | ---- | C] () -- C:\WINDOWS\QTFont.for

========== Files - Modified Within 14 Days ==========

[2009/09/27 18:46:11 | 00,000,000 | ---- | M] () -- C:\WINDOWS\TempFile
[2009/09/27 18:46:08 | 00,081,496 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2009/09/27 18:45:51 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/09/27 18:45:45 | 80,483,5328 | -HS- | M] () -- C:\hiberfil.sys
[2009/09/27 14:03:36 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/09/27 14:03:20 | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/09/27 13:55:06 | 00,000,286 | RHS- | M] () -- C:\boot.ini
[2009/09/27 12:19:28 | 00,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/09/26 18:03:12 | 00,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2009/09/26 18:03:12 | 00,001,409 | ---- | M] () -- C:\WINDOWS\QTFont.for
[2009/09/23 17:32:46 | 00,000,116 | ---- | M] () -- C:\WINDOWS\ConverterCore.INI
[2009/09/21 22:46:51 | 00,000,049 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2009/09/20 22:49:42 | 00,000,030 | ---- | M] () -- C:\WINDOWS\Iedit.INI
[2009/09/14 02:12:36 | 00,229,888 | ---- | M] () -- C:\WINDOWS\PEV.exe

========== LOP Check ==========

[2009/09/05 12:35:16 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\All Users\Application Data
[2009/03/07 17:32:07 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{51019853-129C-4EDE-9030-D5FD7BBD9AD0}
[2008/11/05 12:09:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DassaultSystemes
[2009/04/16 17:37:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DVD Shrink
[2007/11/10 00:57:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ulead Systems
[2009/03/22 19:43:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WhereIsIt
[2009/09/12 19:22:40 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\Xavier\Application Data
[2007/11/09 23:46:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\AccurateRip
[2009/06/06 19:24:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\AdSigner
[2008/11/05 12:09:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\DassaultSystemes
[2009/07/18 01:14:27 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\dvdcss
[2008/10/04 11:41:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\DWGeditor
[2009/09/07 19:26:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\ImgBurn
[2007/11/10 00:54:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\InterTrust
[2007/11/09 02:14:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\InterVideo
[2007/11/20 13:15:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\JAM Software
[2007/11/08 02:39:47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\Leadertech
[2007/11/11 02:39:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\LEAPS
[2007/11/11 02:27:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\Pegasys Inc
[2009/03/04 17:23:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\sldIM
[2009/09/27 19:43:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\SolidDocuments
[2009/09/27 17:15:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\SolidWorks
[2008/02/27 16:40:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\Thunderbird
[2007/11/10 00:58:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\Ulead Systems
[2008/11/04 14:21:25 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\uniblue
[2009/09/25 01:57:09 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\uTorrent
[2007/11/08 21:22:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\uTorrent.old
[2006/03/02 14:00:00 | 00,000,065 | RH-- | M] () -- C:\WINDOWS\Tasks\desktop.ini
[2009/03/19 10:00:00 | 00,000,194 | ---- | M] () -- C:\WINDOWS\Tasks\lame.job
[2009/04/01 10:19:00 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\Tasks\SA.DAT

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >

< %systemroot%\system32\eventlog.dll >
[2008/04/14 04:33:24 | 00,056,320 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\eventlog.dll

< %systemroot%\system32\scecli.dll >
[2008/04/14 04:33:40 | 00,187,392 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\netlogon.dll >

< %systemroot%\system32\cngaudit.dll >

< %systemroot%\system32\sceclt.dll >

< %systemroot%\ntelogon.dll >

< %systemroot%\system32\logevent.dll >
< End of report >

[handhfan]

Let me know if it gets any worse.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version of Java components and upgrade the application. Beware it is NOT supported for use in 9x or ME and probably will not install in those systems

Upgrading Java:

• Download the latest version of Java SE Runtime Environment (JRE)JRE 6 Update 16.
  
• Click the "Download" button to the right.
  
• Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  
• Click on Continue.
  
• Click on the link to download Windows Offline Installation (jre-6u16-windows-i586.exe) and save it to your desktop. Do NOT use the Sun Download Manager..
  
• Close any programs you may have running - especially your web browser.
  
• Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  
• Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  
• Click the Remove or Change/Remove button.
  
• Repeat as many times as necessary to remove each Java version.
  
• Reboot your computer once all Java components are removed.
  
• Then from your desktop double-click on the download to install the newest version.(Vista users, right click on the jre-6u16-windows-i586.exe and select "Run as an Administrator.")

Using Internet Explorer or Firefox, visit Kaspersky Online Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.

2. To optimize scanning time and produce a more sensible report for review:

• Close any open programs
  
• Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.

3. Click Run at the Security prompt.

The program will then begin downloading and installing and will also update the database.
Please be patient as this can take quite a long time to download.

• Once the update is complete, click on Settings.
  
• Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
  
  
  • Spyware, adware, dialers, and other riskware
    
  • Archives
    
  • E-mail databases
  
  
• Click on My Computer under the green Scan bar to the left to start the scan.
  
• Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  
• Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  
• Click View report... at the bottom.
  
• Click the Save report... button.
  
  
  
  
  
• Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop so that you may post it in your next reply along with a new OTL log.

[Xav038]

It's actually getting much better, not only I didn't notice any new google redirection but the PC came back to normal reaction speed, you wizard!

I had a hard time removing (error "could not access network location f:le d:\[some weird path]") and re-installing ("failing to decompress core files") Java. I could solve the former issue thanks to the Windows Installer CleanUp Utility http://support.microsoft.com/default.aspx?...kb;en-us;290301, and the later by pointing the process to another folder than the default one, it seems it was all correctly done.

Here are the logs.

Kaperski scan report:
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, September 29, 2009
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, September 28, 2009 05:22:29
Records in database: 2929460
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan statistics:
Objects scanned: 158114
Threats found: 1
Infected objects found: 1
Suspicious objects found: 0
Scan duration: 04:54:52


File name / Threat / Threats count
D:\old system\WINDOWS\system32\xplugin.dll Infected: Trojan-Downloader.Win32.Esepor.ag 1

Selected area has been scanned.

==============================================================

OTL new report:

OTL logfile created on: 29/09/2009 16:32:50 - Run 4
OTL by OldTimer - Version 3.0.14.0 Folder = C:\Program Files\InstallationManuelle
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 0000040C | Country: France | Language: FRA | Date Format: dd/MM/yyyy

767,48 Mb Total Physical Memory | 486,57 Mb Available Physical Memory | 63,40% Memory free
1,83 Gb Paging File | 1,61 Gb Available in Paging File | 88,04% Paging File free
Paging file location(s): C:\pagefile.sys 1152 2304 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 48,83 Gb Total Space | 32,00 Gb Free Space | 65,55% Space Free | Partition Type: NTFS
Drive D: | 184,06 Gb Total Space | 32,76 Gb Free Space | 17,80% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 55,91 Gb Total Space | 34,95 Gb Free Space | 62,51% Space Free | Partition Type: NTFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HOME
Current User Name: Xavier
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Minimal
Quick Scan

========== Processes (SafeList) ==========

PRC - C:\WINDOWS\Explorer.EXE (Microsoft Corporation)
PRC - C:\WINDOWS\SOUNDMAN.EXE (Avance Logic, Inc.)
PRC - C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe (HP)
PRC - C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe ()
PRC - C:\Program Files\Microsoft IntelliPoint\ipoint.exe (Microsoft Corporation)
PRC - C:\Program Files\Java\jre6\instal\bin\jusched.exe (Sun Microsystems, Inc.)
PRC - C:\PROGRAM FILES\DEEENES\DEEENES.EXE (Peas Inc.)
PRC - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
PRC - C:\Program Files\NetMeter\NetMeter.exe ()
PRC - C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (Trend Micro Inc.)
PRC - C:\Program Files\Palm\AlarmApp.exe (Palm, Inc.)
PRC - C:\Program Files\Java\jre6\instal\bin\jqs.exe (Sun Microsystems, Inc.)
PRC - C:\WINDOWS\System32\nvsvc32.exe (NVIDIA Corporation)
PRC - C:\WINDOWS\System32\wdfmgr.exe (Microsoft Corporation)
PRC - C:\WINDOWS\System32\wbem\wmiprvse.exe (Microsoft Corporation)
PRC - C:\WINDOWS\System32\wscntfy.exe (Microsoft Corporation)
PRC - C:\Program Files\InstallationManuelle\OTL.exe (OldTimer Tools)

========== Win32 Services (SafeList) ==========

SRV - (Adobe LM Service [On_Demand | Stopped]) -- C:\Program Files\Fichiers communs\Adobe Systems Shared\Service\Adobelmsvc.exe (Adobe Systems)
SRV - (aspnet_state [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (Microsoft Corporation)
SRV - (clr_optimization_v2.0.50727_32 [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (FileZilla Server [On_Demand | Stopped]) -- C:\Program Files\FileZilla Server\FileZilla Server.exe (FileZilla Project)
SRV - (FontCache3.0.0.0 [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe (Microsoft Corporation)
SRV - (gusvc [On_Demand | Stopped]) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (Google)
SRV - (helpsvc [Auto | Running]) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)
SRV - (idsvc [Unknown | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe (Microsoft Corporation)
SRV - (JavaQuickStarterService [Auto | Running]) -- C:\Program Files\Java\jre6\instal\bin\jqs.exe (Sun Microsystems, Inc.)
SRV - (NetTcpPortSharing [Disabled | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe (Microsoft Corporation)
SRV - (NVSvc [Auto | Running]) -- C:\WINDOWS\System32\nvsvc32.exe (NVIDIA Corporation)
SRV - (SfCtlCom [Auto | Stopped]) -- C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe (Trend Micro Inc.)
SRV - (SolidWorks Licensing Service [On_Demand | Stopped]) -- C:\Program Files\Fichiers communs\SolidWorks Shared\Service\SolidWorksLicensing.exe (SolidWorks)
SRV - (TMBMServer [On_Demand | Stopped]) -- C:\Program Files\Trend Micro\BM\TMBMSRV.exe (Trend Micro Inc.)
SRV - (TmProxy [On_Demand | Stopped]) -- C:\Program Files\Trend Micro\Internet Security\TmProxy.exe (Trend Micro Inc.)
SRV - (UMWdf [Auto | Running]) -- C:\WINDOWS\System32\wdfmgr.exe (Microsoft Corporation)

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.startup.homepage: "http://www.google.fr"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.1.1
FF - prefs.js..extensions.enabledItems: {a7c6cf7f-112c-4500-a7ea-39801a327e5f}:1.0.6
FF - prefs.js..extensions.enabledItems: foxyproxy@eric.h.jung:2.14
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}:6.0.11
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}:6.0.13
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}:6.0.15
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.1
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}:6.0.16
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5.3
FF - prefs.js..network.proxy.http: "localhost"
FF - prefs.js..network.proxy.http_port: 4001


FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/06/25 18:44:07 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\jqs@sun.com: C:\Program Files\Java\jre6\instal\lib\deploy\jqs\ff [2009/09/28 20:20:43 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/09/12 16:45:08 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/09/28 20:24:10 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.23\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2009/09/12 13:38:59 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.23\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins [2009/05/28 00:03:53 | 00,000,000 | ---D | M]

[2008/08/28 00:22:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\mozilla\Extensions
[2008/08/28 00:22:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/09/28 20:26:54 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\mozilla\Firefox\Profiles\vfilafqj.default\extensions
[2009/06/25 18:37:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\mozilla\Firefox\Profiles\vfilafqj.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/09/28 20:15:58 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\mozilla\Firefox\Profiles\vfilafqj.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}
[2009/08/14 20:45:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\mozilla\Firefox\Profiles\vfilafqj.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2008/12/17 20:33:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\mozilla\Firefox\Profiles\vfilafqj.default\extensions\{dd3d7613-0246-469d-bc65-2a3cc1668adc}
[2009/08/22 13:43:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\mozilla\Firefox\Profiles\vfilafqj.default\extensions\foxyproxy@eric.h.jung
[2009/09/28 20:26:54 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/09/12 16:45:08 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/02/08 11:55:30 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
[2009/04/21 11:57:49 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
[2009/08/11 15:33:34 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
[2009/09/28 20:20:57 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
[2009/09/12 16:44:59 | 00,023,544 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/09/12 16:44:59 | 00,137,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2009/09/28 20:20:43 | 00,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeploytk.dll
[2007/10/20 02:54:06 | 00,717,312 | ---- | M] (DivX,Inc.) -- C:\Program Files\mozilla firefox\plugins\npdivx32.dll
[2007/10/20 02:54:50 | 00,098,304 | ---- | M] (DivX, Inc) -- C:\Program Files\mozilla firefox\plugins\npDivxPlayerPlugin.dll
[2007/10/11 15:17:50 | 01,435,688 | ---- | M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\plugins\npLegitCheckPlugin.dll
[2009/09/12 16:45:02 | 00,065,016 | ---- | M] (mozilla.org) -- C:\Program Files\mozilla firefox\plugins\npnul32.dll
[2001/09/10 03:47:38 | 00,103,344 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\mozilla firefox\plugins\nppdf32.dll
[2008/03/22 14:03:59 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin.dll
[2008/03/22 14:04:00 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll
[2008/03/22 14:04:00 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll
[2008/03/22 14:04:00 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll
[2008/03/22 14:04:00 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll
[2008/03/22 14:04:00 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin6.dll
[2008/03/22 14:04:00 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin7.dll
[2009/09/04 00:38:32 | 00,001,516 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazon-france.xml
[2009/09/04 00:38:32 | 00,001,822 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\cnrtl-tlfi-fr.xml
[2009/09/04 00:38:32 | 00,000,757 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-france.xml
[2009/09/04 00:38:32 | 00,002,371 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2008/08/28 00:22:22 | 00,000,748 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\MediaDICO-fr.xml
[2009/09/04 00:38:32 | 00,001,426 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-fr.xml
[2009/09/04 00:38:32 | 00,000,652 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-france.xml

O1 HOSTS File: (27 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx ()
O2 - BHO: (SolidConverter PDF) - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidConverterPDF\ExploreExtPDF.dll (VoyagerSoft, LLC)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\instal\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\instal\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (SolidConverter PDF) - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidConverterPDF\ExploreExtPDF.dll (VoyagerSoft, LLC)
O4 - HKLM..\Run: [HP Lamp] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe ()
O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe (HP)
O4 - HKLM..\Run: [IntelliPoint] C:\Program Files\Microsoft IntelliPoint\ipoint.exe (Microsoft Corporation)
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\System32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE (Avance Logic, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\instal\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [UfSeAgnt.exe] C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe (Trend Micro Inc.)
O4 - HKCU..\Run: [C:\Program Files\NetMeter\NetMeter.exe] C:\Program Files\NetMeter\NetMeter.exe ()
O4 - HKCU..\Run: [DeeEnEs] C:\PROGRAM FILES\DEEENES\DEEENES.EXE (Peas Inc.)
O4 - HKCU..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O4 - HKCU..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (Trend Micro Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage\Alarm Manager.LNK = C:\Program Files\Palm\AlarmApp.exe (Palm, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O9 - Extra 'Tools' menuitem : Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe ()
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINDOWS\System32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINDOWS\System32\rsvpsp.dll (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: microsoft.com ([*.windowsupdate] http in Sites de confiance)
O15 - HKCU\..Trusted Domains: microsoft.com ([*.windowsupdate] https in Sites de confiance)
O15 - HKCU\..Trusted Domains: windowsupdate.com ([download] http in Sites de confiance)
O15 - HKCU\..Trusted Domains: 2 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://www.apple.com...ex/qtplugin.cab (QuickTime Object)
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} http://picasaweb.goo...0/uploader2.cab (UploadListView Class)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} http://download.bitdefender.com/resources/...can8/oscan8.cab (BDSCANONLINE Control)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1243272502906 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 212.27.40.241 212.27.40.240
O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Fichiers communs\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Fichiers communs\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Fichiers communs\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Fichiers communs\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Fichiers communs\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Fichiers communs\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Fichiers communs\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O24 - Desktop Components:0 (Ma page d'accueil) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/11/07 19:28:07 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

NetSvcs: 6to4 - Service key not found. File not found
NetSvcs: Ias - Service key not found. File not found
NetSvcs: Iprip - Service key not found. File not found
NetSvcs: Irmon - Service key not found. File not found
NetSvcs: NWCWorkstation - Service key not found. File not found
NetSvcs: Nwsapagent - Service key not found. File not found
NetSvcs: Wmi - C:\WINDOWS\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - Service key not found. File not found
NetSvcs: helpsvc - C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)

========== Files/Folders - Created Within 14 Days ==========

[2009/09/28 20:02:11 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Installer Clean Up
[2009/09/28 20:01:54 | 00,000,000 | ---D | C] -- C:\Program Files\MSECACHE
[2009/09/28 19:57:43 | 00,000,000 | -HSD | C] -- C:\RECYCLER
[2009/09/27 14:01:29 | 00,000,000 | ---D | C] -- C:\WINDOWS\temp
[2009/09/27 13:55:06 | 00,000,216 | ---- | C] () -- C:\Boot.bak
[2009/09/27 13:55:01 | 00,263,488 | ---- | C] () -- C:\cmldr
[2009/09/27 13:54:58 | 00,000,000 | RHSD | C] -- C:\cmdcons
[2009/09/27 13:53:59 | 00,229,888 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2009/09/27 13:53:59 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2009/09/27 13:53:59 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2009/09/27 13:53:59 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2009/09/27 13:53:59 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2009/09/27 13:53:59 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2009/09/27 13:53:59 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009/09/27 13:53:59 | 00,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2009/09/27 13:53:54 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/09/27 13:52:49 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/09/26 18:03:12 | 00,054,156 | -H-- | C] () -- C:\WINDOWS\QTFont.qfn
[2009/09/26 18:03:12 | 00,001,409 | ---- | C] () -- C:\WINDOWS\QTFont.for

========== Files - Modified Within 14 Days ==========

[2009/09/29 16:27:29 | 00,000,000 | ---- | M] () -- C:\WINDOWS\TempFile
[2009/09/29 16:27:28 | 00,081,496 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2009/09/29 16:27:06 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/09/29 16:26:59 | 80,483,5328 | -HS- | M] () -- C:\hiberfil.sys
[2009/09/28 18:49:44 | 00,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/09/27 23:21:55 | 00,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2009/09/27 14:03:36 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/09/27 14:03:20 | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/09/27 13:55:06 | 00,000,286 | RHS- | M] () -- C:\boot.ini
[2009/09/26 18:03:12 | 00,001,409 | ---- | M] () -- C:\WINDOWS\QTFont.for
[2009/09/23 17:32:46 | 00,000,116 | ---- | M] () -- C:\WINDOWS\ConverterCore.INI
[2009/09/21 22:46:51 | 00,000,049 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2009/09/20 22:49:42 | 00,000,030 | ---- | M] () -- C:\WINDOWS\Iedit.INI

========== LOP Check ==========

[2009/09/05 12:35:16 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\All Users\Application Data
[2009/03/07 17:32:07 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{51019853-129C-4EDE-9030-D5FD7BBD9AD0}
[2008/11/05 12:09:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DassaultSystemes
[2009/04/16 17:37:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DVD Shrink
[2007/11/10 00:57:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ulead Systems
[2009/03/22 19:43:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WhereIsIt
[2009/09/12 19:22:40 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\Xavier\Application Data
[2007/11/09 23:46:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\AccurateRip
[2009/06/06 19:24:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\AdSigner
[2008/11/05 12:09:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\DassaultSystemes
[2009/07/18 01:14:27 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\dvdcss
[2008/10/04 11:41:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\DWGeditor
[2009/09/07 19:26:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\ImgBurn
[2007/11/10 00:54:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\InterTrust
[2007/11/09 02:14:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\InterVideo
[2007/11/20 13:15:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\JAM Software
[2007/11/08 02:39:47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\Leadertech
[2007/11/11 02:39:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\LEAPS
[2007/11/11 02:27:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\Pegasys Inc
[2009/03/04 17:23:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\sldIM
[2009/09/29 07:51:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\SolidDocuments
[2009/09/27 17:15:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\SolidWorks
[2008/02/27 16:40:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\Thunderbird
[2007/11/10 00:58:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\Ulead Systems
[2008/11/04 14:21:25 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\uniblue
[2009/09/25 01:57:09 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\uTorrent
[2007/11/08 21:22:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\uTorrent.old
[2006/03/02 14:00:00 | 00,000,065 | RH-- | M] () -- C:\WINDOWS\Tasks\desktop.ini
[2009/03/19 10:00:00 | 00,000,194 | ---- | M] () -- C:\WINDOWS\Tasks\lame.job
[2009/04/01 10:19:00 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\Tasks\SA.DAT

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >

< %systemroot%\system32\eventlog.dll >
[2008/04/14 04:33:24 | 00,056,320 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\eventlog.dll

< %systemroot%\system32\scecli.dll >
[2008/04/14 04:33:40 | 00,187,392 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\netlogon.dll >

< %systemroot%\system32\cngaudit.dll >

< %systemroot%\system32\sceclt.dll >

< %systemroot%\ntelogon.dll >

< %systemroot%\system32\logevent.dll >
< End of report >

[handhfan]

Glad things are running much better!

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  

  :Files
  D:\old system\WINDOWS\system32\xplugin.dll
  
  :Commands
  [purity]
  [emptytemp]
  [Reboot]

  
  
  
• Then click the Run Fix button at the top
  
• Let the program run unhindered, reboot the PC when it is done
  
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

[Xav038]

All done.

OTL's fix report:


All processes killed
========== FILES ==========
D:\old system\WINDOWS\system32\xplugin.dll NOT unregistered.
D:\old system\WINDOWS\system32\xplugin.dll moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrateur
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Xavier
->Temp folder emptied: 82439087 bytes
->Temporary Internet Files folder emptied: 3373301 bytes
->Java cache emptied: 25621461 bytes
->FireFox cache emptied: 89396992 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
RecycleBin emptied: 244224 bytes

Total Files Cleaned = 191,79 mb


OTL by OldTimer - Version 3.0.14.0 log created on 09302009_005141

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

=========================================================

OTL's new scan report:

OTL logfile created on: 30/09/2009 00:56:55 - Run 5
OTL by OldTimer - Version 3.0.14.0 Folder = C:\Program Files\InstallationManuelle
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 0000040C | Country: France | Language: FRA | Date Format: dd/MM/yyyy

767,48 Mb Total Physical Memory | 489,25 Mb Available Physical Memory | 63,75% Memory free
1,83 Gb Paging File | 1,61 Gb Available in Paging File | 88,00% Paging File free
Paging file location(s): C:\pagefile.sys 1152 2304 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 48,83 Gb Total Space | 32,18 Gb Free Space | 65,91% Space Free | Partition Type: NTFS
Drive D: | 184,06 Gb Total Space | 33,41 Gb Free Space | 18,15% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 55,91 Gb Total Space | 34,95 Gb Free Space | 62,51% Space Free | Partition Type: NTFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HOME
Current User Name: Xavier
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Minimal
Quick Scan

========== Processes (SafeList) ==========

PRC - C:\WINDOWS\Explorer.EXE (Microsoft Corporation)
PRC - C:\Program Files\Java\jre6\instal\bin\jqs.exe (Sun Microsystems, Inc.)
PRC - C:\WINDOWS\System32\nvsvc32.exe (NVIDIA Corporation)
PRC - C:\WINDOWS\System32\wdfmgr.exe (Microsoft Corporation)
PRC - C:\WINDOWS\System32\wbem\wmiprvse.exe (Microsoft Corporation)
PRC - C:\WINDOWS\SOUNDMAN.EXE (Avance Logic, Inc.)
PRC - C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe (HP)
PRC - C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe ()
PRC - C:\Program Files\Microsoft IntelliPoint\ipoint.exe (Microsoft Corporation)
PRC - C:\Program Files\Java\jre6\instal\bin\jusched.exe (Sun Microsystems, Inc.)
PRC - C:\PROGRAM FILES\DEEENES\DEEENES.EXE (Peas Inc.)
PRC - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
PRC - C:\Program Files\NetMeter\NetMeter.exe ()
PRC - C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (Trend Micro Inc.)
PRC - C:\Program Files\Palm\AlarmApp.exe (Palm, Inc.)
PRC - C:\WINDOWS\System32\wscntfy.exe (Microsoft Corporation)
PRC - C:\Program Files\InstallationManuelle\OTL.exe (OldTimer Tools)

========== Win32 Services (SafeList) ==========

SRV - (Adobe LM Service [On_Demand | Stopped]) -- C:\Program Files\Fichiers communs\Adobe Systems Shared\Service\Adobelmsvc.exe (Adobe Systems)
SRV - (aspnet_state [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (Microsoft Corporation)
SRV - (clr_optimization_v2.0.50727_32 [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (FileZilla Server [On_Demand | Stopped]) -- C:\Program Files\FileZilla Server\FileZilla Server.exe (FileZilla Project)
SRV - (FontCache3.0.0.0 [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe (Microsoft Corporation)
SRV - (gusvc [On_Demand | Stopped]) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (Google)
SRV - (helpsvc [Auto | Running]) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)
SRV - (idsvc [Unknown | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe (Microsoft Corporation)
SRV - (JavaQuickStarterService [Auto | Running]) -- C:\Program Files\Java\jre6\instal\bin\jqs.exe (Sun Microsystems, Inc.)
SRV - (NetTcpPortSharing [Disabled | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe (Microsoft Corporation)
SRV - (NVSvc [Auto | Running]) -- C:\WINDOWS\System32\nvsvc32.exe (NVIDIA Corporation)
SRV - (SfCtlCom [Auto | Stopped]) -- C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe (Trend Micro Inc.)
SRV - (SolidWorks Licensing Service [On_Demand | Stopped]) -- C:\Program Files\Fichiers communs\SolidWorks Shared\Service\SolidWorksLicensing.exe (SolidWorks)
SRV - (TMBMServer [On_Demand | Stopped]) -- C:\Program Files\Trend Micro\BM\TMBMSRV.exe (Trend Micro Inc.)
SRV - (TmProxy [On_Demand | Stopped]) -- C:\Program Files\Trend Micro\Internet Security\TmProxy.exe (Trend Micro Inc.)
SRV - (UMWdf [Auto | Running]) -- C:\WINDOWS\System32\wdfmgr.exe (Microsoft Corporation)

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.startup.homepage: "http://www.google.fr"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.1.1
FF - prefs.js..extensions.enabledItems: {a7c6cf7f-112c-4500-a7ea-39801a327e5f}:1.0.6
FF - prefs.js..extensions.enabledItems: foxyproxy@eric.h.jung:2.14
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}:6.0.11
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}:6.0.13
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}:6.0.15
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.1
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}:6.0.16
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5.3
FF - prefs.js..network.proxy.http: "localhost"
FF - prefs.js..network.proxy.http_port: 4001


FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/06/25 18:44:07 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\jqs@sun.com: C:\Program Files\Java\jre6\instal\lib\deploy\jqs\ff [2009/09/28 20:20:43 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/09/12 16:45:08 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/09/28 20:24:10 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.23\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2009/09/12 13:38:59 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.23\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins [2009/05/28 00:03:53 | 00,000,000 | ---D | M]

[2008/08/28 00:22:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\mozilla\Extensions
[2008/08/28 00:22:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/09/28 20:26:54 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\mozilla\Firefox\Profiles\vfilafqj.default\extensions
[2009/06/25 18:37:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\mozilla\Firefox\Profiles\vfilafqj.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/09/28 20:15:58 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\mozilla\Firefox\Profiles\vfilafqj.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}
[2009/08/14 20:45:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\mozilla\Firefox\Profiles\vfilafqj.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2008/12/17 20:33:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\mozilla\Firefox\Profiles\vfilafqj.default\extensions\{dd3d7613-0246-469d-bc65-2a3cc1668adc}
[2009/08/22 13:43:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\mozilla\Firefox\Profiles\vfilafqj.default\extensions\foxyproxy@eric.h.jung
[2009/09/29 19:57:20 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/09/12 16:45:08 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/02/08 11:55:30 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
[2009/04/21 11:57:49 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
[2009/08/11 15:33:34 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
[2009/09/28 20:20:57 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
[2009/09/12 16:44:59 | 00,023,544 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/09/12 16:44:59 | 00,137,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2009/09/28 20:20:43 | 00,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeploytk.dll
[2007/10/20 02:54:06 | 00,717,312 | ---- | M] (DivX,Inc.) -- C:\Program Files\mozilla firefox\plugins\npdivx32.dll
[2007/10/20 02:54:50 | 00,098,304 | ---- | M] (DivX, Inc) -- C:\Program Files\mozilla firefox\plugins\npDivxPlayerPlugin.dll
[2007/10/11 15:17:50 | 01,435,688 | ---- | M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\plugins\npLegitCheckPlugin.dll
[2009/09/12 16:45:02 | 00,065,016 | ---- | M] (mozilla.org) -- C:\Program Files\mozilla firefox\plugins\npnul32.dll
[2001/09/10 03:47:38 | 00,103,344 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\mozilla firefox\plugins\nppdf32.dll
[2008/03/22 14:03:59 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin.dll
[2008/03/22 14:04:00 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll
[2008/03/22 14:04:00 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll
[2008/03/22 14:04:00 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll
[2008/03/22 14:04:00 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll
[2008/03/22 14:04:00 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin6.dll
[2008/03/22 14:04:00 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin7.dll
[2009/09/04 00:38:32 | 00,001,516 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazon-france.xml
[2009/09/04 00:38:32 | 00,001,822 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\cnrtl-tlfi-fr.xml
[2009/09/04 00:38:32 | 00,000,757 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-france.xml
[2009/09/04 00:38:32 | 00,002,371 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2008/08/28 00:22:22 | 00,000,748 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\MediaDICO-fr.xml
[2009/09/04 00:38:32 | 00,001,426 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-fr.xml
[2009/09/04 00:38:32 | 00,000,652 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-france.xml

O1 HOSTS File: (27 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx ()
O2 - BHO: (SolidConverter PDF) - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidConverterPDF\ExploreExtPDF.dll (VoyagerSoft, LLC)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\instal\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\instal\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (SolidConverter PDF) - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidConverterPDF\ExploreExtPDF.dll (VoyagerSoft, LLC)
O4 - HKLM..\Run: [HP Lamp] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe ()
O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe (HP)
O4 - HKLM..\Run: [IntelliPoint] C:\Program Files\Microsoft IntelliPoint\ipoint.exe (Microsoft Corporation)
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\System32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE (Avance Logic, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\instal\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [UfSeAgnt.exe] C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe (Trend Micro Inc.)
O4 - HKCU..\Run: [C:\Program Files\NetMeter\NetMeter.exe] C:\Program Files\NetMeter\NetMeter.exe ()
O4 - HKCU..\Run: [DeeEnEs] C:\PROGRAM FILES\DEEENES\DEEENES.EXE (Peas Inc.)
O4 - HKCU..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O4 - HKCU..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (Trend Micro Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage\Alarm Manager.LNK = C:\Program Files\Palm\AlarmApp.exe (Palm, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O9 - Extra 'Tools' menuitem : Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe ()
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINDOWS\System32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINDOWS\System32\rsvpsp.dll (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: microsoft.com ([*.windowsupdate] http in Sites de confiance)
O15 - HKCU\..Trusted Domains: microsoft.com ([*.windowsupdate] https in Sites de confiance)
O15 - HKCU\..Trusted Domains: windowsupdate.com ([download] http in Sites de confiance)
O15 - HKCU\..Trusted Domains: 2 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://www.apple.com...ex/qtplugin.cab (QuickTime Object)
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} http://picasaweb.goo...0/uploader2.cab (UploadListView Class)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} http://download.bitdefender.com/resources/...can8/oscan8.cab (BDSCANONLINE Control)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1243272502906 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 212.27.40.241 212.27.40.240
O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Fichiers communs\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Fichiers communs\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Fichiers communs\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Fichiers communs\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Fichiers communs\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Fichiers communs\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Fichiers communs\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O24 - Desktop Components:0 (Ma page d'accueil) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/11/07 19:28:07 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 14 Days ==========

[2009/09/30 00:51:41 | 00,000,000 | ---D | C] -- C:\_OTL
[2009/09/28 20:02:11 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Installer Clean Up
[2009/09/28 20:01:54 | 00,000,000 | ---D | C] -- C:\Program Files\MSECACHE
[2009/09/28 19:57:43 | 00,000,000 | -HSD | C] -- C:\RECYCLER
[2009/09/27 14:01:29 | 00,000,000 | ---D | C] -- C:\WINDOWS\temp
[2009/09/27 13:55:06 | 00,000,216 | ---- | C] () -- C:\Boot.bak
[2009/09/27 13:55:01 | 00,263,488 | ---- | C] () -- C:\cmldr
[2009/09/27 13:54:58 | 00,000,000 | RHSD | C] -- C:\cmdcons
[2009/09/27 13:53:59 | 00,229,888 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2009/09/27 13:53:59 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2009/09/27 13:53:59 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2009/09/27 13:53:59 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2009/09/27 13:53:59 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2009/09/27 13:53:59 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2009/09/27 13:53:59 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009/09/27 13:53:59 | 00,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2009/09/27 13:53:54 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/09/27 13:52:49 | 00,000,000 | ---D | C] -- C:\Qoobox

========== Files - Modified Within 14 Days ==========

[2009/09/30 00:54:17 | 00,081,496 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2009/09/30 00:53:33 | 00,000,000 | ---- | M] () -- C:\WINDOWS\TempFile
[2009/09/30 00:53:17 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/09/30 00:53:11 | 80,483,5328 | -HS- | M] () -- C:\hiberfil.sys
[2009/09/28 18:49:44 | 00,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/09/27 14:03:36 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/09/27 14:03:20 | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/09/27 13:55:06 | 00,000,286 | RHS- | M] () -- C:\boot.ini
[2009/09/23 17:32:46 | 00,000,116 | ---- | M] () -- C:\WINDOWS\ConverterCore.INI
[2009/09/21 22:46:51 | 00,000,049 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2009/09/20 22:49:42 | 00,000,030 | ---- | M] () -- C:\WINDOWS\Iedit.INI

========== LOP Check ==========

[2009/09/05 12:35:16 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\All Users\Application Data
[2009/03/07 17:32:07 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{51019853-129C-4EDE-9030-D5FD7BBD9AD0}
[2008/11/05 12:09:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DassaultSystemes
[2009/04/16 17:37:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DVD Shrink
[2007/11/10 00:57:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ulead Systems
[2009/03/22 19:43:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WhereIsIt
[2009/09/12 19:22:40 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\Xavier\Application Data
[2007/11/09 23:46:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\AccurateRip
[2009/06/06 19:24:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\AdSigner
[2008/11/05 12:09:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\DassaultSystemes
[2009/07/18 01:14:27 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\dvdcss
[2008/10/04 11:41:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\DWGeditor
[2009/09/07 19:26:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\ImgBurn
[2007/11/10 00:54:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\InterTrust
[2007/11/09 02:14:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\InterVideo
[2007/11/20 13:15:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\JAM Software
[2007/11/08 02:39:47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\Leadertech
[2007/11/11 02:39:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\LEAPS
[2007/11/11 02:27:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\Pegasys Inc
[2009/03/04 17:23:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\sldIM
[2009/09/29 16:53:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\SolidDocuments
[2009/09/27 17:15:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\SolidWorks
[2008/02/27 16:40:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\Thunderbird
[2007/11/10 00:58:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\Ulead Systems
[2008/11/04 14:21:25 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\uniblue
[2009/09/25 01:57:09 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\uTorrent
[2007/11/08 21:22:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Xavier\Application Data\uTorrent.old
[2006/03/02 14:00:00 | 00,000,065 | RH-- | M] () -- C:\WINDOWS\Tasks\desktop.ini
[2009/03/19 10:00:00 | 00,000,194 | ---- | M] () -- C:\WINDOWS\Tasks\lame.job
[2009/04/01 10:19:00 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\Tasks\SA.DAT

========== Purity Check ==========


< End of report >

[handhfan]

Your logs look clean. There is only a bit of cleanup that we will deal with in this post, as well as prevention from future infections. If you have any questions or other problems, please let me know. Other than that, and the steps below, you should be all set.

Follow these steps to uninstall Combofix and tools used in the removal of malware

• Click START then RUN
  
• Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  

• Make sure you have an Internet Connection.
  
• Download OTC to your desktop and run it
  
• A list of tool components used in the Cleanup of malware will be downloaded.
  
• If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
  
• Click Yes to beging the Cleanup process and remove these components, including this application.
  
• You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.

Please update Adobe Reader, by downloading and installing Adobe Reader 9.1.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:

• SpywareBlaster to help prevent spyware from installing in the first place.
  
• SpywareGuard gives you realtime protection from spyware.
  
• Super Antispyware OR Malwarebytes' Anti-Malware to help remove any spyware that may have gotten on your computer.
  
• MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites.
  
• ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed.
  
• Recent trends appear to indicate that future infections will include attacks to the boot sector of the computer. The installation of the Recovery Console in the computer will be our only defense against this threat. For more information and steps to install the Recovery Console see this article. Should you need assistance in installing the Recovery Console, please do not hesitate to ask.

To keep your operating system up to date visit Microsoft Windows Update monthly. Remember to be aware of what emails you open and websites you visit.

Have a safe and happy computing day!

[Xav038]

Thank you so much, Handshfan. I will do everything you advice.
You and the other wizards at GeeksToGo do an incredible job.
Donation sent, well deserved!

Xav

[handhfan]

Thanks for the donation, it is very much appreciated.

Glad I could help.

[handhfan]

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.