
Google problems, then blue screen... [Solved]


This topic is locked

#16
Max321
    Member

  • Topic Starter
  • Member
  • 83 posts
Bad news, the blue screen came back =\

Here's the log

Thank you for all your help, I hope we'll find a way soon.

C:\Documents and Settings\Christelle Maître\Bureau\HelpAsst_mebroot_fix.exe
15/05/2010 at 14:10:09,87

HelpAssistant account Inactive

~~ Checking for termsrv32.dll ~~

termsrv32.dll present! ~ attempting to remove
Remove on reboot: C:\WINDOWS\system32\termsrv32.dll

~~ Checking firewall ports ~~

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking mbr ~~

user & kernel MBR OK

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on 15/05/2010 at 14:28:05,84

Compte : actif Oui
Appartient aux groupes locaux *Administrateurs

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8459D128]<<
kernel: MBR read successfully
user & kernel MBR OK

~~ Checking for termsrv32.dll ~~

termsrv32.dll present!


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv32.dll

~~ Checking profile list ~~

S-1-5-21-2117864970-1572576979-72312267-1005
%SystemDrive%\Documents and Settings\HelpAssistant

~~ Checking for HelpAssistant directories ~~

HelpAssistant
HelpAssistant.EMACHINE-2E2F05

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"9255:TCP"=9255:TCP:*:Enabled:Services
"9256:TCP"=9256:TCP:*:Enabled:Services
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"9255:TCP"=9255:TCP:*:Enabled:Services
"9256:TCP"=9256:TCP:*:Enabled:Services
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop


~~ EOF ~~


#17
Rorschach112
    Ralphie

  • Retired Staff
  • 47,710 posts
Download ComboFix here :

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Here is a guide on how to disable them

    Click me

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

#18
Max321
    Member

  • Topic Starter
  • Member
  • 83 posts
Here's the ComboFix log. Thank you!

ComboFix 10-05-16.01 - Christelle Maître 16/05/2010 14:21:54.4.1 - x86
Microsoft Windows XP Édition familiale 5.1.2600.3.1252.33.1036.18.894.457 [GMT -4:00]
Lancé depuis: c:\documents and settings\Christelle Maître\Bureau\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((( Fichiers créés du 2010-04-16 au 2010-05-16 ))))))))))))))))))))))))))))))))))))
.

2010-05-15 18:25 . 2010-05-16 18:25 -------- d-----w- c:\documents and settings\HelpAssistant\Tracing
2010-05-15 18:18 . 2010-05-16 18:19 -------- d-----w- c:\documents and settings\HelpAssistant
2010-05-12 21:18 . 2010-05-12 21:18 -------- d-----w- c:\program files\ESET
2010-05-10 15:34 . 2010-05-10 15:34 -------- d-----w- c:\documents and settings\HelpAssistant.EMACHINE-2E2F05\Voisinage réseau
2010-05-10 15:34 . 2010-05-10 15:34 -------- d-----w- c:\documents and settings\HelpAssistant.EMACHINE-2E2F05\Voisinage d'impression
2010-05-10 15:34 . 2010-05-10 15:34 -------- d-----w- c:\documents and settings\HelpAssistant.EMACHINE-2E2F05\Tracing
2010-05-10 15:33 . 2010-05-10 15:33 -------- d-----w- c:\documents and settings\HelpAssistant.EMACHINE-2E2F05\Option
2010-05-10 15:33 . 2010-05-10 15:33 -------- d-----w- c:\documents and settings\HelpAssistant.EMACHINE-2E2F05\Modèles
2010-05-10 15:33 . 2010-05-10 15:33 -------- d-----w- c:\documents and settings\HelpAssistant.EMACHINE-2E2F05\Mes documents
2010-05-10 15:33 . 2010-05-10 15:33 -------- d-----w- c:\documents and settings\HelpAssistant.EMACHINE-2E2F05\Menu Démarrer
2010-05-10 15:33 . 2010-05-10 15:33 -------- d-----w- c:\documents and settings\HelpAssistant.EMACHINE-2E2F05\Favoris
2010-05-07 14:08 . 2010-05-15 09:42 -------- d-----w- c:\documents and settings\HelpAssistant.EMACHINE-2E2F05
2010-05-07 13:32 . 2010-05-07 13:32 -------- d-----w- C:\HelpAsst_backup
2010-05-05 11:16 . 2010-04-14 16:35 162768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-05-05 11:16 . 2010-04-14 16:31 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-05-05 11:16 . 2010-04-14 16:31 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-05-05 11:16 . 2010-04-14 16:35 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-05-05 11:16 . 2010-04-14 16:31 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-05-05 11:16 . 2010-04-14 16:31 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-05-05 11:16 . 2010-04-14 16:30 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-05-05 11:16 . 2010-04-14 16:47 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-05-05 11:16 . 2010-04-14 16:47 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-05-05 11:16 . 2010-05-05 11:16 -------- d-----w- c:\program files\Alwil Software
2010-05-05 11:16 . 2010-05-05 11:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-05-04 21:36 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-04 21:36 . 2010-05-04 21:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-04 21:36 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-04 21:36 . 2010-05-04 21:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-04 21:29 . 2010-05-04 21:29 -------- d-----w- c:\program files\ERUNT

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-16 18:21 . 2008-09-03 12:55 86240 ----a-w- c:\windows\system32\perfc00C.dat
2010-05-16 18:21 . 2008-09-03 12:55 514778 ----a-w- c:\windows\system32\perfh00C.dat
2010-05-16 18:17 . 2010-02-24 17:16 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-13 00:48 . 2008-09-03 12:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-05-04 00:43 . 2009-12-14 23:05 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-27 21:16 . 2010-03-21 18:15 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-04-27 21:16 . 2010-03-21 18:15 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-04-27 21:16 . 2010-03-21 18:15 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-04-27 21:16 . 2010-03-21 18:15 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-04-27 21:16 . 2010-03-21 18:15 385880 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-04-27 21:16 . 2010-03-21 18:15 312616 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-04-27 21:16 . 2010-03-21 18:15 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-04-27 21:16 . 2010-03-21 18:15 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-04-27 21:16 . 2010-03-21 18:15 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-04-27 21:16 . 2010-03-21 18:15 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-04-14 15:34 . 2010-04-14 15:34 79428 ---ha-w- c:\windows\system32\mlfcache.dat
2010-04-14 03:21 . 2010-03-21 18:14 -------- d-----w- c:\program files\McAfee
2010-04-08 16:12 . 2010-03-10 22:14 -------- d-----w- c:\program files\Celtx
2010-04-07 18:47 . 2009-08-17 20:32 104296 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2010-04-07 18:46 . 2010-04-07 18:46 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2010-04-07 17:39 . 2008-09-03 13:03 -------- d-----w- c:\program files\Fichiers communs\Adobe
2010-04-07 17:36 . 2010-04-07 17:36 -------- d-----w- c:\program files\Adobe Media Player
2010-04-07 17:32 . 2010-04-07 17:32 -------- d-----w- c:\program files\Fichiers communs\Adobe AIR
2010-04-07 17:21 . 2010-04-07 17:21 -------- d-----w- c:\program files\Fichiers communs\Macrovision Shared
2010-03-31 15:55 . 2009-08-27 21:46 -------- d-----w- c:\program files\MessengerDiscovery 2
2010-03-31 14:45 . 2009-04-06 16:33 -------- d-----w- c:\program files\Windows Live
2010-03-31 13:30 . 2009-05-19 12:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-03-31 13:29 . 2009-05-19 12:48 -------- d-----w- c:\program files\Lavasoft
2010-03-31 13:01 . 2008-09-03 12:05 -------- d-----w- c:\program files\Google
2010-03-29 13:35 . 2010-02-23 16:04 132 ----a-w- c:\documents and settings\Charlotte\Local Settings\Application Data\fusioncache.dat
2010-03-21 21:16 . 2010-03-21 18:07 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-03-21 18:15 . 2010-03-21 18:15 -------- d-----w- c:\program files\Fichiers communs\Mcafee
2010-03-21 18:15 . 2010-03-21 18:15 -------- d-----w- c:\program files\McAfee.com
2010-03-21 18:04 . 2009-04-05 19:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-03-21 18:01 . 2008-09-03 12:27 -------- d-----w- c:\program files\Fichiers communs\Symantec Shared
2010-03-11 12:34 . 2007-08-13 16:54 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:34 . 2008-04-14 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:34 . 2008-04-14 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:10 . 2008-04-14 12:00 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-24 22:37 . 2010-02-24 22:37 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-02-24 13:11 . 2008-04-14 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-23 16:41 . 2010-02-23 16:41 104296 ----a-w- c:\documents and settings\Charlotte\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-23 16:10 . 2010-02-23 16:14 368640 ----a-w- c:\documents and settings\Charlotte\Application Data\InstallShield Installation Information\{5256C695-CEE8-4BB9-BCE4-E3215C80B8AA}\_setup.dll
2010-02-23 16:10 . 2010-02-23 16:10 192644 ----a-w- c:\documents and settings\Charlotte\Application Data\InstallShield\Professional\RunTime\10\50\Intel32\iGdi.dll
2010-02-23 16:10 . 2010-02-23 16:10 323716 ----a-w- c:\documents and settings\Charlotte\Application Data\InstallShield\Professional\RunTime\10\50\Intel32\setup.dll
2010-02-16 19:06 . 2008-04-14 12:00 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 19:06 . 2008-04-14 12:00 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-27 21:16 . 2010-04-28 20:05 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-05-09_19.33.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-05-16 18:17 . 2010-05-16 18:17 16384 c:\windows\Temp\Perflib_Perfdata_344.dat
- 2008-09-03 12:55 . 2010-05-09 19:19 72576 c:\windows\system32\perfc009.dat
+ 2008-09-03 12:55 . 2010-05-16 18:21 72576 c:\windows\system32\perfc009.dat
+ 2010-05-10 23:53 . 2010-05-15 14:17 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2010-05-07 18:34 . 2010-05-07 18:43 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-04-05 09:24 . 2010-05-07 18:43 32768 c:\windows\system32\config\systemprofile\Local Settings\Historique\History.IE5\index.dat
+ 2009-04-05 09:24 . 2010-05-15 14:17 32768 c:\windows\system32\config\systemprofile\Local Settings\Historique\History.IE5\index.dat
- 2009-04-05 09:24 . 2010-05-07 18:43 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2010-05-10 23:53 . 2010-05-15 14:17 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-04-06 23:38 . 2010-04-15 07:06 35088 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\oisicon.exe
+ 2009-04-06 23:38 . 2010-05-13 00:48 35088 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\oisicon.exe
- 2009-04-06 23:38 . 2010-04-15 07:06 18704 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\mspicons.exe
+ 2009-04-06 23:38 . 2010-05-13 00:47 18704 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\mspicons.exe
+ 2009-04-06 23:38 . 2010-05-13 00:47 20240 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\cagicon.exe
- 2009-04-06 23:38 . 2010-04-15 07:06 20240 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\cagicon.exe
- 2008-09-03 12:55 . 2010-05-09 19:19 445370 c:\windows\system32\perfh009.dat
+ 2008-09-03 12:55 . 2010-05-16 18:21 445370 c:\windows\system32\perfh009.dat
- 2008-04-14 12:00 . 2008-04-11 19:05 691712 c:\windows\system32\inetcomm.dll
+ 2008-04-14 12:00 . 2010-01-29 15:00 691712 c:\windows\system32\inetcomm.dll
- 2008-04-14 12:00 . 2008-04-11 19:05 691712 c:\windows\system32\dllcache\inetcomm.dll
+ 2008-04-14 12:00 . 2010-01-29 15:00 691712 c:\windows\system32\dllcache\inetcomm.dll
- 2009-04-06 23:38 . 2010-04-15 07:06 888080 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\wordicon.exe
+ 2009-04-06 23:38 . 2010-05-13 00:47 888080 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\wordicon.exe
+ 2009-04-06 23:38 . 2010-05-13 00:47 272648 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\pubs.exe
- 2009-04-06 23:38 . 2010-04-15 07:06 272648 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\pubs.exe
+ 2009-04-06 23:38 . 2010-05-13 00:47 922384 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\pptico.exe
- 2009-04-06 23:38 . 2010-04-15 07:06 922384 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\pptico.exe
+ 2009-04-06 23:38 . 2010-05-13 00:47 845584 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\outicon.exe
- 2009-04-06 23:38 . 2010-04-15 07:06 845584 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\outicon.exe
- 2009-04-06 23:38 . 2010-04-15 07:06 217864 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\misc.exe
+ 2009-04-06 23:38 . 2010-05-13 00:47 217864 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\misc.exe
+ 2008-04-14 12:00 . 2010-01-29 15:00 1315328 c:\windows\system32\dllcache\msoe.dll
- 2008-04-14 12:00 . 2009-07-10 13:27 1315328 c:\windows\system32\dllcache\msoe.dll
+ 2009-10-16 11:08 . 2009-10-16 11:08 2237952 c:\windows\Installer\c6e18a.msp
+ 2010-04-09 19:21 . 2010-04-09 19:21 5025792 c:\windows\Installer\c6e176.msp
+ 2009-04-06 23:38 . 2010-05-13 00:47 1172240 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\xlicons.exe
- 2009-04-06 23:38 . 2010-04-15 07:06 1172240 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\xlicons.exe
- 2009-04-06 23:38 . 2010-04-15 07:06 1165584 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\accicons.exe
+ 2009-04-06 23:38 . 2010-05-13 00:47 1165584 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\accicons.exe
+ 2008-08-26 03:50 . 2008-08-26 03:50 2585592 c:\windows\Installer\$PatchCache$\Managed\00002119410000000000000000F01FEC\12.0.6425\VBE6.DLL
+ 2009-04-05 23:42 . 2010-04-30 18:51 32058312 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
"ISUSPM"="c:\program files\Fichiers communs\InstallShield\UpdateService\ISUSPM.exe" [2007-08-30 205480]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-02-24 8491008]
"nwiz"="nwiz.exe" [2008-02-24 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-02-24 81920]
"BkupTray"="c:\program files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe" [2008-04-06 34040]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"RTHDCPL"="RTHDCPL.EXE" [2008-05-15 16862720]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2008-07-10 421888]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"SSBkgdUpdate"="c:\program files\Fichiers communs\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-04-02 1180976]
"AdobeCS4ServiceManager"="c:\program files\Fichiers communs\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"TkBellExe"="c:\program files\Fichiers communs\Real\Update_OB\realsched.exe" [2009-10-14 198160]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-04-14 2790472]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2009-11-21 151552]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power2GoExpress]
NA [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17 952768 ----a-w- c:\program files\Fichiers communs\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-18 13:58 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-09-21 20:36 305440 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
2007-01-08 20:17 52256 ----a-w- c:\program files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
2006-10-11 17:45 75304 ----a-w- c:\program files\ScanSoft\OmniPageSE4.0\OpWareSE4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2007-03-14 19:01 71216 ------w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-10-14 06:39 198160 ----a-w- c:\program files\Fichiers communs\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NewTech Infosystems\\NTI Backup Now 5\\BackupSvc.exe"=
"c:\\Program Files\\NewTech Infosystems\\NTI Backup Now 5\\Client\\Agentsvc.exe"=
"c:\\Program Files\\NewTech Infosystems\\NTI Backup Now 5\\SchedulerSvc.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Fichiers communs\\Mcafee\\McSvcHost\\McSvHost.exe"=
"c:\\Program Files\\Fichiers communs\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"9255:TCP"= 9255:TCP:Services
"9256:TCP"= 9256:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [24/02/2010 13:17 207280]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [05/05/2010 07:16 162768]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [21/03/2010 14:15 82952]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [05/05/2010 07:16 19024]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [24/02/2010 13:20 112592]
R2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe [03/03/2008 07:11 16384]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Fichiers communs\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [21/03/2010 14:15 271480]
R2 McMPFSvc;McAfee Personal Firewall;"c:\program files\Fichiers communs\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [21/03/2010 14:15 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Fichiers communs\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [21/03/2010 14:15 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Fichiers communs\Mcafee\SystemCore\mfefire.exe [21/03/2010 14:15 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Fichiers communs\Mcafee\SystemCore\mfevtps.exe [21/03/2010 14:15 141792]
R2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [06/04/2008 16:42 50424]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [21/03/2010 14:15 55456]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [21/03/2010 14:15 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [21/03/2010 14:15 88480]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 gupdate1ca0eea4bf5122e;Service Google Update (gupdate1ca0eea4bf5122e);c:\program files\Google\Update\GoogleUpdate.exe [27/07/2009 14:44 133104]
S2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [03/04/2008 21:03 131072]
S3 Dz3s2kxp;Dz3s2kxp;c:\windows\system32\drivers\Dz3s2kxp.sys [21/11/2009 18:12 10496]
S3 Dz3u2kxp;Dz3u2kxp;c:\windows\system32\drivers\Dz3u2kxp.sys [21/11/2009 18:12 11392]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [21/03/2010 14:15 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [21/03/2010 14:15 83496]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [24/02/2010 13:16 365280]
S4 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [26/04/2009 20:07 464264]
S4 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [26/04/2009 20:08 234888]

--- Autres Services/Pilotes en mémoire ---

*Deregistered* - mfeavfk01

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contenu du dossier 'Tâches planifiées'

2010-05-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-05-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-27 18:44]

2010-05-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-27 18:44]
.
.
------- Examen supplémentaire -------
.
uStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage
mStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=040c&s=0&o=xph&d=0409&m=el1200-01h
IE: E&xporter vers Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
LSP: c:\program files\Fichiers communs\PC Tools\Lsp\PCTLsp.dll
FF - ProfilePath - c:\documents and settings\Christelle Maître\Application Data\Mozilla\Firefox\Profiles\s1xxum27.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - component: c:\program files\Mozilla Firefox\components\Scriptff.dll
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npzylomgamesplayer.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- PARAMETRES FIREFOX ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-16 14:36
Windows 5.1.2600 Service Pack 3 NTFS

Recherche de processus cachés ...

Recherche d'éléments en démarrage automatique cachés ...

Recherche de fichiers cachés ...

Scan terminé avec succès
Fichiers cachés: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x837CE7D0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf74cbf28
\Driver\ACPI -> ACPI.sys @ 0xf735dcb8
\Driver\atapi -> atapi.sys @ 0xf72f5852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
NDIS: NVIDIA nForce 10/100/1000 Mbps Networking Controller -> SendCompleteHandler -> 0x8338f5c0
PacketIndicateHandler -> NDIS.sys @ 0xf719aa21
SendHandler -> NDIS.sys @ 0xf717887b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs chargées dans les processus actifs ---------------------

- - - - - - - > 'winlogon.exe'(1072)
c:\program files\Fichiers communs\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
c:\windows\system32\NTMARTA.DLL

- - - - - - - > 'lsass.exe'(1128)
c:\program files\Fichiers communs\PC Tools\Lsp\PCTLsp.dll
.
Heure de fin: 2010-05-16 14:42:11
ComboFix-quarantined-files.txt 2010-05-16 18:42
ComboFix2.txt 2010-05-10 16:12
ComboFix3.txt 2010-05-09 19:38

Avant-CF: 30 635 536 384 octets libres
Après-CF: 31 925 424 128 octets libres

- - End Of File - - 58ECAA8E5CD69E64DBA524518F603C34
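For anyone reading a log like the two above (the HelpAsst_mebroot_fix status check in #16 and the ComboFix report in this post), here is an added example, not code from the thread or from either tool: a small Python scanner that pulls the indicators those logs expose and flags the ones worth a look. Known fact: the genuine Terminal Services host DLL on Windows XP is %SystemRoot%\System32\termsrv.dll, so any other ServiceDll under termservice\parameters (here termsrv32.dll) is a substitution. Assumptions: the sample lines are constructed from the shapes in the posted logs, and the rule for which globally open ports to flag (a generic "Services" label, or 3389/TCP exposed on a home PC) is my own heuristic, not a rule from either tool.

```python
import re

# Constructed sample: lines in the two shapes seen in the posted logs
# (HelpAsst_mebroot_fix.exe and ComboFix), not a real capture.
SAMPLE_LOG = r"""
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv32.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"65533:TCP"= 65533:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]
"52344:TCP"=52344:TCP:*:Enabled:Services
"9255:TCP"=9255:TCP:*:Enabled:Services

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
"""

# The genuine Terminal Services host DLL on Windows XP (known fact).
LEGIT_TERMSRV = r"%SystemRoot%\System32\termsrv.dll"

SERVICEDLL_RE = re.compile(r"^ServiceDll\s+REG_EXPAND_SZ\s+(?P<path>.+)$", re.IGNORECASE)
# Matches both  "65533:TCP"=65533:TCP:*:Enabled:Services  (HelpAsst shape)
# and           "65533:TCP"= 65533:TCP:Services           (ComboFix shape)
PORT_RE = re.compile(
    r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=\s*(?P=port):(?P=proto):(?P<rest>.*)$', re.IGNORECASE
)


def _profile(key):
    """Name the firewall profile a registry key path belongs to."""
    if "domainprofile" in key:
        return "domain"
    if "standardprofile" in key:
        return "standard"
    return "unknown"


def scan_log(text):
    """Return a list of (kind, detail) findings for the indicators described above."""
    findings = []
    key = ""  # lower-cased registry key that the following value lines belong to
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Key headers appear bracketed ([HKLM\...]) in ComboFix output and bare
        # (HKEY_LOCAL_MACHINE\...) in the HelpAsst output; track either form.
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        if line.upper().startswith(("HKEY_", "HKLM\\", "HKCU\\")):
            key = line.lower()
            continue

        m = SERVICEDLL_RE.match(line)
        if m and "termservice" in key:
            path = m.group("path").strip()
            if path.lower() != LEGIT_TERMSRV.lower():
                findings.append(("termservice-servicedll", path))
            continue

        m = PORT_RE.match(line)
        if m and "globallyopenports" in key:
            port, proto = int(m.group("port")), m.group("proto").upper()
            desc = m.group("rest").split(":")[-1].strip()
            # Heuristic (my assumption): a generic "Services" label, or RDP opened
            # to the world on a home PC, deserves a look; named apps are left alone.
            if desc.lower() == "services" or (port == 3389 and proto == "TCP"):
                findings.append(("open-port", f"{_profile(key)}:{port}/{proto}:{desc}"))
            continue

        if line.lower().startswith('"enablefirewall"=') and "firewallpolicy" in key:
            value = line.split("=", 1)[1].strip()
            if value.startswith("0"):
                findings.append(("firewall-disabled", _profile(key)))
            continue

        # Security Center monitoring switched off; AV suites set this too, so it is
        # reported for review rather than treated as proof of anything.
        if line.lower().startswith('"disablemonitoring"=dword:00000001') and "security center" in key:
            findings.append(("security-center-monitoring-off", key.rsplit("\\", 1)[-1]))

    return findings


if __name__ == "__main__":
    for kind, detail in scan_log(SAMPLE_LOG):
        print(f"{kind:32} {detail}")
```

Run against the sample it reports the substituted ServiceDll, the disabled standard-profile firewall, the four "Services"/RDP ports and the Security Center key, and stays quiet about the Adobe 5353 entry. To use it on a real log, paste the relevant sections of the text file in place of SAMPLE_LOG; it does not touch the registry itself.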

#19
Rorschach112
    Ralphie

  • Retired Staff
  • 47,710 posts
1. Please download The Avenger by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the Avenger folder to your desktop
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Begin copying here:

Folders to delete:
c:\documents and settings\HelpAssistant

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. (In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply

#20
Max321
    Member

  • Topic Starter
  • Member
  • 83 posts
Hi!
Here's the log!
Thanks a lot!



Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Folder "c:\documents and settings\HelpAssistant" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

#21
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Download ComboFix here :

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Here is a guide on how to disable them

    Click me

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

#22
Max321

    Member

  • Topic Starter
  • Member
  • PipPip
  • 83 posts
Here's the log!

Thank you!

ComboFix 10-05-16.06 - Christelle Maître 18/05/2010 16:30:37.5.1 - x86
Microsoft Windows XP Édition familiale 5.1.2600.3.1252.33.1036.18.894.559 [GMT -4:00]
Lancé depuis: c:\documents and settings\Christelle Maître\Bureau\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((( Fichiers créés du 2010-04-18 au 2010-05-18 ))))))))))))))))))))))))))))))))))))
.

2010-05-17 20:38 . 2010-05-18 20:32 -------- d-----w- c:\documents and settings\HelpAssistant\Tracing
2010-05-17 20:38 . 2010-05-17 20:38 -------- d-----w- c:\documents and settings\HelpAssistant\Option
2010-05-12 21:18 . 2010-05-12 21:18 -------- d-----w- c:\program files\ESET
2010-05-10 15:34 . 2010-05-10 15:34 -------- d-----w- c:\documents and settings\HelpAssistant.EMACHINE-2E2F05\Voisinage réseau
2010-05-10 15:34 . 2010-05-10 15:34 -------- d-----w- c:\documents and settings\HelpAssistant.EMACHINE-2E2F05\Voisinage d'impression
2010-05-10 15:34 . 2010-05-10 15:34 -------- d-----w- c:\documents and settings\HelpAssistant.EMACHINE-2E2F05\Tracing
2010-05-10 15:33 . 2010-05-10 15:33 -------- d-----w- c:\documents and settings\HelpAssistant.EMACHINE-2E2F05\Option
2010-05-10 15:33 . 2010-05-10 15:33 -------- d-----w- c:\documents and settings\HelpAssistant.EMACHINE-2E2F05\Modèles
2010-05-10 15:33 . 2010-05-10 15:33 -------- d-----w- c:\documents and settings\HelpAssistant.EMACHINE-2E2F05\Mes documents
2010-05-10 15:33 . 2010-05-10 15:33 -------- d-----w- c:\documents and settings\HelpAssistant.EMACHINE-2E2F05\Menu Démarrer
2010-05-10 15:33 . 2010-05-10 15:33 -------- d-----w- c:\documents and settings\HelpAssistant.EMACHINE-2E2F05\Favoris
2010-05-07 14:08 . 2010-05-15 09:42 -------- d-----w- c:\documents and settings\HelpAssistant.EMACHINE-2E2F05
2010-05-07 13:32 . 2010-05-07 13:32 -------- d-----w- C:\HelpAsst_backup
2010-05-05 11:16 . 2010-04-14 16:35 162768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-05-05 11:16 . 2010-04-14 16:31 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-05-05 11:16 . 2010-04-14 16:31 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-05-05 11:16 . 2010-04-14 16:35 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-05-05 11:16 . 2010-04-14 16:31 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-05-05 11:16 . 2010-04-14 16:31 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-05-05 11:16 . 2010-04-14 16:30 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-05-05 11:16 . 2010-04-14 16:47 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-05-05 11:16 . 2010-04-14 16:47 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-05-05 11:16 . 2010-05-05 11:16 -------- d-----w- c:\program files\Alwil Software
2010-05-05 11:16 . 2010-05-05 11:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-05-04 21:36 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-04 21:36 . 2010-05-04 21:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-04 21:36 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-04 21:36 . 2010-05-04 21:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-04 21:29 . 2010-05-04 21:29 -------- d-----w- c:\program files\ERUNT

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-18 20:13 . 2008-09-03 12:55 86240 ----a-w- c:\windows\system32\perfc00C.dat
2010-05-18 20:13 . 2008-09-03 12:55 514778 ----a-w- c:\windows\system32\perfh00C.dat
2010-05-18 20:09 . 2010-02-24 17:16 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-13 00:48 . 2008-09-03 12:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-05-04 00:43 . 2009-12-14 23:05 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-27 21:16 . 2010-03-21 18:15 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-04-27 21:16 . 2010-03-21 18:15 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-04-27 21:16 . 2010-03-21 18:15 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-04-27 21:16 . 2010-03-21 18:15 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-04-27 21:16 . 2010-03-21 18:15 385880 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-04-27 21:16 . 2010-03-21 18:15 312616 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-04-27 21:16 . 2010-03-21 18:15 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-04-27 21:16 . 2010-03-21 18:15 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-04-27 21:16 . 2010-03-21 18:15 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-04-27 21:16 . 2010-03-21 18:15 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-04-14 15:34 . 2010-04-14 15:34 79428 ---ha-w- c:\windows\system32\mlfcache.dat
2010-04-14 03:21 . 2010-03-21 18:14 -------- d-----w- c:\program files\McAfee
2010-04-08 16:12 . 2010-03-10 22:14 -------- d-----w- c:\program files\Celtx
2010-04-07 18:47 . 2009-08-17 20:32 104296 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2010-04-07 18:46 . 2010-04-07 18:46 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2010-04-07 17:39 . 2008-09-03 13:03 -------- d-----w- c:\program files\Fichiers communs\Adobe
2010-04-07 17:36 . 2010-04-07 17:36 -------- d-----w- c:\program files\Adobe Media Player
2010-04-07 17:32 . 2010-04-07 17:32 -------- d-----w- c:\program files\Fichiers communs\Adobe AIR
2010-04-07 17:21 . 2010-04-07 17:21 -------- d-----w- c:\program files\Fichiers communs\Macrovision Shared
2010-03-31 15:55 . 2009-08-27 21:46 -------- d-----w- c:\program files\MessengerDiscovery 2
2010-03-31 14:45 . 2009-04-06 16:33 -------- d-----w- c:\program files\Windows Live
2010-03-31 13:30 . 2009-05-19 12:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-03-31 13:29 . 2009-05-19 12:48 -------- d-----w- c:\program files\Lavasoft
2010-03-31 13:01 . 2008-09-03 12:05 -------- d-----w- c:\program files\Google
2010-03-29 13:35 . 2010-02-23 16:04 132 ----a-w- c:\documents and settings\Charlotte\Local Settings\Application Data\fusioncache.dat
2010-03-21 21:16 . 2010-03-21 18:07 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-03-21 18:15 . 2010-03-21 18:15 -------- d-----w- c:\program files\Fichiers communs\Mcafee
2010-03-21 18:15 . 2010-03-21 18:15 -------- d-----w- c:\program files\McAfee.com
2010-03-21 18:04 . 2009-04-05 19:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-03-21 18:01 . 2008-09-03 12:27 -------- d-----w- c:\program files\Fichiers communs\Symantec Shared
2010-03-11 12:34 . 2007-08-13 16:54 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:34 . 2008-04-14 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:34 . 2008-04-14 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:10 . 2008-04-14 12:00 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-24 22:37 . 2010-02-24 22:37 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-02-24 13:11 . 2008-04-14 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-23 16:41 . 2010-02-23 16:41 104296 ----a-w- c:\documents and settings\Charlotte\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-23 16:10 . 2010-02-23 16:14 368640 ----a-w- c:\documents and settings\Charlotte\Application Data\InstallShield Installation Information\{5256C695-CEE8-4BB9-BCE4-E3215C80B8AA}\_setup.dll
2010-02-23 16:10 . 2010-02-23 16:10 192644 ----a-w- c:\documents and settings\Charlotte\Application Data\InstallShield\Professional\RunTime\10\50\Intel32\iGdi.dll
2010-02-23 16:10 . 2010-02-23 16:10 323716 ----a-w- c:\documents and settings\Charlotte\Application Data\InstallShield\Professional\RunTime\10\50\Intel32\setup.dll
2010-04-27 21:16 . 2010-04-28 20:05 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-05-09_19.33.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-05-18 20:09 . 2010-05-18 20:09 16384 c:\windows\Temp\Perflib_Perfdata_384.dat
- 2008-09-03 12:55 . 2010-05-09 19:19 72576 c:\windows\system32\perfc009.dat
+ 2008-09-03 12:55 . 2010-05-18 20:13 72576 c:\windows\system32\perfc009.dat
+ 2010-05-10 23:53 . 2010-05-18 18:35 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2010-05-07 18:34 . 2010-05-07 18:43 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-04-05 09:24 . 2010-05-07 18:43 32768 c:\windows\system32\config\systemprofile\Local Settings\Historique\History.IE5\index.dat
+ 2009-04-05 09:24 . 2010-05-18 18:35 32768 c:\windows\system32\config\systemprofile\Local Settings\Historique\History.IE5\index.dat
- 2009-04-05 09:24 . 2010-05-07 18:43 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2010-05-17 12:46 . 2010-05-18 18:35 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-04-06 23:38 . 2010-04-15 07:06 35088 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\oisicon.exe
+ 2009-04-06 23:38 . 2010-05-13 00:48 35088 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\oisicon.exe
- 2009-04-06 23:38 . 2010-04-15 07:06 18704 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\mspicons.exe
+ 2009-04-06 23:38 . 2010-05-13 00:47 18704 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\mspicons.exe
+ 2009-04-06 23:38 . 2010-05-13 00:47 20240 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\cagicon.exe
- 2009-04-06 23:38 . 2010-04-15 07:06 20240 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\cagicon.exe
- 2008-09-03 12:55 . 2010-05-09 19:19 445370 c:\windows\system32\perfh009.dat
+ 2008-09-03 12:55 . 2010-05-18 20:13 445370 c:\windows\system32\perfh009.dat
- 2008-04-14 12:00 . 2008-04-11 19:05 691712 c:\windows\system32\inetcomm.dll
+ 2008-04-14 12:00 . 2010-01-29 15:00 691712 c:\windows\system32\inetcomm.dll
- 2008-04-14 12:00 . 2008-04-11 19:05 691712 c:\windows\system32\dllcache\inetcomm.dll
+ 2008-04-14 12:00 . 2010-01-29 15:00 691712 c:\windows\system32\dllcache\inetcomm.dll
- 2009-04-06 23:38 . 2010-04-15 07:06 888080 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\wordicon.exe
+ 2009-04-06 23:38 . 2010-05-13 00:47 888080 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\wordicon.exe
+ 2009-04-06 23:38 . 2010-05-13 00:47 272648 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\pubs.exe
- 2009-04-06 23:38 . 2010-04-15 07:06 272648 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\pubs.exe
+ 2009-04-06 23:38 . 2010-05-13 00:47 922384 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\pptico.exe
- 2009-04-06 23:38 . 2010-04-15 07:06 922384 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\pptico.exe
+ 2009-04-06 23:38 . 2010-05-13 00:47 845584 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\outicon.exe
- 2009-04-06 23:38 . 2010-04-15 07:06 845584 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\outicon.exe
- 2009-04-06 23:38 . 2010-04-15 07:06 217864 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\misc.exe
+ 2009-04-06 23:38 . 2010-05-13 00:47 217864 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\misc.exe
+ 2008-04-14 12:00 . 2010-01-29 15:00 1315328 c:\windows\system32\dllcache\msoe.dll
- 2008-04-14 12:00 . 2009-07-10 13:27 1315328 c:\windows\system32\dllcache\msoe.dll
+ 2009-10-16 11:08 . 2009-10-16 11:08 2237952 c:\windows\Installer\c6e18a.msp
+ 2010-04-09 19:21 . 2010-04-09 19:21 5025792 c:\windows\Installer\c6e176.msp
+ 2009-04-06 23:38 . 2010-05-13 00:47 1172240 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\xlicons.exe
- 2009-04-06 23:38 . 2010-04-15 07:06 1172240 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\xlicons.exe
- 2009-04-06 23:38 . 2010-04-15 07:06 1165584 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\accicons.exe
+ 2009-04-06 23:38 . 2010-05-13 00:47 1165584 c:\windows\Installer\{91120000-0014-0000-0000-0000000FF1CE}\accicons.exe
+ 2008-08-26 03:50 . 2008-08-26 03:50 2585592 c:\windows\Installer\$PatchCache$\Managed\00002119410000000000000000F01FEC\12.0.6425\VBE6.DLL
+ 2009-04-05 23:42 . 2010-04-30 18:51 32058312 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
"ISUSPM"="c:\program files\Fichiers communs\InstallShield\UpdateService\ISUSPM.exe" [2007-08-30 205480]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-02-24 8491008]
"nwiz"="nwiz.exe" [2008-02-24 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-02-24 81920]
"BkupTray"="c:\program files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe" [2008-04-06 34040]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"RTHDCPL"="RTHDCPL.EXE" [2008-05-15 16862720]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2008-07-10 421888]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"SSBkgdUpdate"="c:\program files\Fichiers communs\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-04-02 1180976]
"AdobeCS4ServiceManager"="c:\program files\Fichiers communs\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"TkBellExe"="c:\program files\Fichiers communs\Real\Update_OB\realsched.exe" [2009-10-14 198160]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-04-14 2790472]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2009-11-21 151552]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power2GoExpress]
NA [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17 952768 ----a-w- c:\program files\Fichiers communs\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-18 13:58 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-09-21 20:36 305440 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
2007-01-08 20:17 52256 ----a-w- c:\program files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
2006-10-11 17:45 75304 ----a-w- c:\program files\ScanSoft\OmniPageSE4.0\OpWareSE4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2007-03-14 19:01 71216 ------w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-10-14 06:39 198160 ----a-w- c:\program files\Fichiers communs\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NewTech Infosystems\\NTI Backup Now 5\\BackupSvc.exe"=
"c:\\Program Files\\NewTech Infosystems\\NTI Backup Now 5\\Client\\Agentsvc.exe"=
"c:\\Program Files\\NewTech Infosystems\\NTI Backup Now 5\\SchedulerSvc.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Fichiers communs\\Mcafee\\McSvcHost\\McSvHost.exe"=
"c:\\Program Files\\Fichiers communs\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"9255:TCP"= 9255:TCP:Services
"9256:TCP"= 9256:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"8941:TCP"= 8941:TCP:Services
"8942:TCP"= 8942:TCP:Services

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [24/02/2010 13:17 207280]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [05/05/2010 07:16 162768]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [21/03/2010 14:15 82952]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [05/05/2010 07:16 19024]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [24/02/2010 13:20 112592]
R2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe [03/03/2008 07:11 16384]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Fichiers communs\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [21/03/2010 14:15 271480]
R2 McMPFSvc;McAfee Personal Firewall;"c:\program files\Fichiers communs\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [21/03/2010 14:15 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Fichiers communs\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [21/03/2010 14:15 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Fichiers communs\Mcafee\SystemCore\mfefire.exe [21/03/2010 14:15 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Fichiers communs\Mcafee\SystemCore\mfevtps.exe [21/03/2010 14:15 141792]
R2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [06/04/2008 16:42 50424]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [21/03/2010 14:15 55456]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [21/03/2010 14:15 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [21/03/2010 14:15 88480]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 gupdate1ca0eea4bf5122e;Service Google Update (gupdate1ca0eea4bf5122e);c:\program files\Google\Update\GoogleUpdate.exe [27/07/2009 14:44 133104]
S2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [03/04/2008 21:03 131072]
S3 Dz3s2kxp;Dz3s2kxp;c:\windows\system32\drivers\Dz3s2kxp.sys [21/11/2009 18:12 10496]
S3 Dz3u2kxp;Dz3u2kxp;c:\windows\system32\drivers\Dz3u2kxp.sys [21/11/2009 18:12 11392]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [21/03/2010 14:15 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [21/03/2010 14:15 83496]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [24/02/2010 13:16 365280]
S4 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [26/04/2009 20:07 464264]
S4 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [26/04/2009 20:08 234888]

--- Autres Services/Pilotes en mémoire ---

*Deregistered* - mfeavfk01

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contenu du dossier 'Tâches planifiées'

2010-05-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-05-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-27 18:44]

2010-05-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-27 18:44]
.
.
------- Examen supplémentaire -------
.
uStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage
mStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=040c&s=0&o=xph&d=0409&m=el1200-01h
IE: E&xporter vers Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
LSP: c:\program files\Fichiers communs\PC Tools\Lsp\PCTLsp.dll
FF - ProfilePath - c:\documents and settings\Christelle Maître\Application Data\Mozilla\Firefox\Profiles\s1xxum27.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - component: c:\program files\Mozilla Firefox\components\Scriptff.dll
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npzylomgamesplayer.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- PARAMETRES FIREFOX ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-18 16:43
Windows 5.1.2600 Service Pack 3 NTFS

Recherche de processus cachés ...

Recherche d'éléments en démarrage automatique cachés ...

Recherche de fichiers cachés ...

Scan terminé avec succès
Fichiers cachés: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x84F8F2A8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf74cbf28
\Driver\ACPI -> ACPI.sys @ 0xf735dcb8
\Driver\atapi -> atapi.sys @ 0xf72f5852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
NDIS: NVIDIA nForce 10/100/1000 Mbps Networking Controller -> SendCompleteHandler -> 0x835bc5c0
PacketIndicateHandler -> NDIS.sys @ 0xf719aa21
SendHandler -> NDIS.sys @ 0xf717887b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs chargées dans les processus actifs ---------------------

- - - - - - - > 'winlogon.exe'(1072)
c:\program files\Fichiers communs\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'lsass.exe'(1128)
c:\program files\Fichiers communs\PC Tools\Lsp\PCTLsp.dll
.
Heure de fin: 2010-05-18 16:49:53
ComboFix-quarantined-files.txt 2010-05-18 20:49
ComboFix2.txt 2010-05-16 18:42
ComboFix3.txt 2010-05-10 16:12
ComboFix4.txt 2010-05-09 19:38

Avant-CF: 31 917 174 784 octets libres
Après-CF: 31 882 637 312 octets libres

- - End Of File - - 54B191C4510FF6BECE73D223B3FE217F
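The ComboFix log above prints the firewall's GloballyOpenPorts list, the EnableFirewall value and the Security Center monitoring keys, and a helper reads them by eye. As an added example (it is not part of ComboFix, of this thread, or of any tool the helper asked for), the Python below parses exactly those sections from the lines posted above and flags the settings a reviewer would question: firewall off in the standard profile, Security Center monitoring off, and open ports whose description is the bare word "Services" rather than a product name (compare "Adobe CSI CS4" on port 5353). The allow-list KNOWN_PORTS and the severity ratings are assumptions made for illustration, not something ComboFix reports.

```python
"""Triage of the firewall and Security Center sections of a ComboFix log.

Added example for this thread (not part of ComboFix or of the other tools
used here). It reads the sections ComboFix prints under "Points de
chargement Reg" and flags settings a helper would want to question.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Sample input: sections copied from the ComboFix log posted above. The
# layout is "[section]" headers followed by "key"= value lines.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"9255:TCP"= 9255:TCP:Services
"9256:TCP"= 9256:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"8941:TCP"= 8941:TCP:Services
"8942:TCP"= 8942:TCP:Services
"""

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")
KV_RE = re.compile(r'^"(?P<key>[^"]+)"\s*=\s*(?P<value>.*)$')
PORT_RE = re.compile(r"^(?P<port>\d+):(?P<proto>TCP|UDP):(?P<desc>.*)$")

# Assumed allow-list for this one machine: ports the owner can account for.
KNOWN_PORTS = {(5353, "TCP")}


@dataclass
class Finding:
    severity: str  # "high", "medium" or "low"
    detail: str


def parse_sections(text):
    """Return {section name (lower-cased): {key: value}} for a REGEDIT4-style dump."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name").lower()
            sections.setdefault(current, {})
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            sections[current][m.group("key")] = m.group("value").strip()
    return sections


def _dword(value):
    """Decode a 'dword:XXXXXXXX' registry value, or None if it is not one."""
    m = re.fullmatch(r"dword:([0-9a-fA-F]{8})", value)
    return int(m.group(1), 16) if m else None


def triage(sections, known_ports=KNOWN_PORTS):
    """Flag firewall and Security Center settings that need a second look."""
    findings = []
    for name, values in sections.items():
        if name.endswith("firewallpolicy\\standardprofile"):
            if values.get("EnableFirewall", "").split()[:1] == ["0"]:
                findings.append(Finding("high", "Windows Firewall is disabled in the standard profile"))
        elif name.endswith("globallyopenports\\list"):
            for value in values.values():
                m = PORT_RE.match(value)
                if not m:
                    continue
                port, proto, desc = int(m["port"]), m["proto"], m["desc"].strip()
                if (port, proto) in known_ports:
                    continue
                if desc.lower() == "services":
                    # An installer normally records its product name (compare
                    # "Adobe CSI CS4"); a bare "Services" label says nothing about
                    # which program opened the port, so it needs checking.
                    findings.append(Finding("high", f"globally open port {port}/{proto} with generic label '{desc}'"))
                elif port == 3389:
                    findings.append(Finding("medium", f"globally open port {port}/{proto} ({desc}): Remote Desktop exposed on all networks"))
                else:
                    findings.append(Finding("low", f"globally open port {port}/{proto} ({desc}) not on allow-list"))
        elif name.endswith("security center\\monitoring"):
            if _dword(values.get("DisableMonitoring", "")) == 1:
                findings.append(Finding("medium", "Security Center monitoring is disabled (no alert if AV or firewall stop)"))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 7, 'medium': 2}."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    results = triage(parse_sections(SAMPLE_LOG))
    for f in sorted(results, key=lambda f: f.severity):
        print(f"[{f.severity}] {f.detail}")
    print(summarize(results))
```

Run against the sections from this log it reports seven high findings (the disabled firewall plus the six ports labelled only "Services") and two medium ones (3389 open globally, Security Center monitoring off). The per-product Monitoring subkeys (McAfeeAntiVirus, McAfeeFirewall) are deliberately not flagged, since a registered third-party product disabling the built-in monitor for its own category is normal.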

#23
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
not sure why this is being so aggressive


can you run this

Please download Dr.Web CureIt. Save it to your desktop:
  • Doubleclick the drweb-cureit.exe file and click Scan to run express scan. Click OK in the pop-up window to allow the scan.
  • This will scan the files currently running in memory and if something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, select Complete scan.
  • Click the green arrow at the right, and the scan will start.
  • Click Yes to all if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click File and choose Save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Note: this report may need to be renamed to Dr.Web.txt in order to post it on the forum.
  • Please post the Dr.Web.txt report in your next reply
  • Close Dr.Web Cureit.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
NOTE: During the scan, a pop-up window will open asking for a full-version purchase. Simply close the window by clicking on the X in the upper right corner.

#24
Max321

    Member

  • Topic Starter
  • Member
  • PipPip
  • 83 posts
Hello!

Here's the (small) log.

Av-test.txt C:\Documents and Settings\HelpAssistant\Local Settings\Temp EICAR Test File (NOT a Virus!) Irréparable.Quarantaine.
o.dat C:\Program Files\Mozilla Firefox Trojan.Packed.20024 - erreur de lecture Supprimé.


For a quick French to English translation:

Irréparable.Quarantaine. = Unreparable, Quarantine.
erreur de lecture Supprimé. = Error reading (or Could not be read, I guess) Deleted

thank you!

#25
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
bit of work for you

Hiren's BootCD

  • *** Please print these instructions ***

    • Download Hiren's BootCD 10.2 Iso to the desktop of a clean computer.
    • Extract the zipped HirensBootCD.zip to your desktop.
    • Open the extracted HirensBootCD folder and extract the zipped HirensBootCD.iso.
    • Double click the BurnToCD.cmd bat file contained in the HirensBootCD folder. This will launch BurnCDCC.
    • Insert a blank CD in your drive.
    • Press Start. This will burn the image to disc. After it has completed...
    • Restart your sick computer and boot from the HBCD you created.
      • If your PC is not booting from the CD, you need to change the boot order:
      • Restart your PC
      • As soon as you get an image, press the Setup key. This is usually F2, F10, F12 or Del. On some machines the key can also be a different one. It should, however, be stated on the screen which key is the setup key.
      • Once you enter the computer's BIOS, use the arrow keys and tab key to move between elements. Press enter to select an item to change.
      • Navigate to the tab, where you can set the boot order. It should be called Boot or Boot order
      • The tab should now show your current boot order.
      • If the CD-drive is not at the top, please navigate to the CD-ROM drive with the arrow keys. Then move it to the top of the list. The keys for switching boot position are usually + to move up and - to move down. However, they can be different; they should be stated in the help, so that you can find them easily.
      • Once the CD-drive is on top of the boot order, navigate to Exit and select Exit saving changes.
    • Your PC should now boot from your CD.
    • Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted.
  • When the CD boots choose "DOS BootCD".
At the Hiren's BootCD main menu, select Next and hit Enter.
At the second menu select 1 MBR (Master Boot Record) Tools
In the list of MBR Tools select 1 MBR Work 1.08
This screen will show the hard drive configuration.

Posted Image

Type 5 to Install standard MBR code then hit Enter
Type 1 to select Standard then hit Enter
Type Y then hit Enter to confirm
Type E then hit Enter to exit
Press Ctrl+Alt+Del to restart the machine

#26
Max321

    Member

  • Topic Starter
  • Member
  • PipPip
  • 83 posts
Hello!

Just a quick question...

The computer seems to be running quite well right now. No more re-directing, no more blue screen, and seems to be going at a normal speed...
So is that last step necessary? Should we still do it as a precaution?

Thank you!

#27
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
if you are having no problems then you can skip that step


Your logs are clean


Follow these steps to uninstall Combofix and tools used in the removal of malware

Uninstall ComboFix

Remove Combofix now that we're done with it.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.



  • Open OTL
  • Under the Custom Scans/Fixes box at the bottom, paste the following:
    :Commands
    [clearallrestorepoints]
  • Click the Run Fix button at the top
  • It might ask you to reboot, if so click YES



  • Open OTL to run it. (Vista users, right click on OTL and "Run as administrator")
  • Click on the CleanUp button.
  • Click Yes to begin the cleanup process and remove tools, including this application
  • You may be asked to reboot the machine to finish the cleanup process - if so, choose Yes



  • Please read my guide on how to prevent malware and about safe computing here
Thank you for your patience, and performing all of the procedures requested.

#28
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.