Antivirus Pro 2010 problem
Lavasoft Support Forums > Archived Topics > Archives: Resolved/Inactive Topics > Resolved/Inactive HijackThis Logs
fred0412
Hello,
My PC is infected by Antivirus Pro 2010. I've tried Ad-Aware, but it didn't find anything. I uninstalled Ad-Aware because aewservice.exe was using all my CPU and I couldn't use my PC (I had to shut down this service with Ctrl+Alt+Del).

I've tried Spybot Search & Destroy and it found something.
I don't have Antivirus Pro 2010 any more, but my PC is still running slowly. And some applications (Explorer, Internet Explorer, Acrobat PDF Reader) "block" (I can't close them and can't even restart the computer; I had to reset it with the button on the tower).

I've tried HijackThis 2.0.2, and when I do a system scan + log, I get the following message: "This action cannot be completed because the other application is busy. Choose 'Switch To' to activate the busy application and correct the problem."
And when I click "Switch To" it doesn't work (same message again).

What can I do then?

I'm using Windows XP SP2.

Thank you for your help

fred
Blade81
Hi fred,

Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double-click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop. Post them back to your topic.

  • Download GMER here by clicking the "Download EXE" button and saving it to your desktop:
    • Double-click the .exe that you downloaded.
    • Click the Rootkit tab and then Scan.
    • Don't check the "Show All" box while the scan is in progress!
    • When the scan has finished, click Copy.
    • This copies the log to the clipboard.
    • Post the log in your reply.
    fred0412
    Hello,
    Thank you for your help, but it doesn't work!!!!! When I run DDS, nothing happens. It just explains what DDS is (even when I press Enter). GMER works and scans ..... and then closes. So I can't copy any log because I haven't got one. So, what can I do then???? Please, HELP ME!!!!

    fred
    Blade81
    Please save this file to your desktop. Double-click on it to run a scan. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.
    fred0412
    Hello,

    Here are the contents :

    Running from: H:\Documents and Settings\Propriétaire\Bureau\Win32kDiag.exe

    Log file at : H:\Documents and Settings\Propriétaire\Bureau\Win32kDiag.txt

    WARNING: Could not get backup privileges!

    Searching 'H:\WINDOWS'...

    Finished!

    What else?

    Thank you for your help

    fred
    Blade81
    Hi,

    Please download exeHelper to your desktop.
    Double-click on exeHelper.com to run the fix.
    A black window should pop up, press any key to close once the fix is completed.
    Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
    Note: If the window shows a message that says Error deleting file, please re-run the program before posting a log - and post the two logs together (they will both be in the one file).
    fred0412
    Hi,

    Here are the contents :

    exeHelper by Raktor - 09
    Build 20090925
    Run at 18:16:59 on 10/01/09
    Now searching...
    Checking for numerical processes...
    Checking for bad processes...
    Checking for bad files...
    Checking for bad registry entries...
    Resetting filetype association for .exe
    Resetting filetype association for .com
    Resetting userinit and shell values...
    Resetting policies...
    --Finished--

    Does that help you?

    Fred
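exeHelper's log lists the values it resets (the .exe/.com file associations, the Winlogon Userinit and Shell values, and the policies) but not what a hijacked value looks like. The script below is an added example, not exeHelper's code and not from this thread: it compares those values against the stock Windows XP defaults, which is the check a responder runs before trusting that a rogue-AV cleanup "worked" (rogue-AV families of that era commonly rewrote the exefile open command so every program launch passed through their own binary, which is also why tools like DDS silently fail to start). The hijacked sample values, including the example_rogue.exe path, are constructed; on a Windows machine the script reads the live registry instead.

```python
"""Audit the Windows XP-era registry values that exeHelper resets.

Added example, not exeHelper's code. The CLEAN/HIJACKED dictionaries are
constructed samples; example_rogue.exe is a hypothetical path.
"""
import re
import sys

# Stock 'open' command for exefile/comfile on Windows XP.
EXPECTED_OPEN_CMD = '"%1" %*'


def audit(values):
    """Return a list of (value_name, problem) for every value that deviates.

    `values` maps a short name to the string/number currently in the
    registry; a missing key means the value is absent.
    """
    findings = []

    for name in ("exefile_open", "comfile_open"):
        cmd = values.get(name)
        if cmd is None:
            findings.append((name, "missing; Windows cannot launch programs"))
        elif cmd.strip() != EXPECTED_OPEN_CMD:
            findings.append((name, f"hijacked launcher: {cmd!r}"))

    # Userinit must be exactly one entry: <drive>:\WINDOWS\system32\userinit.exe
    # (a trailing comma is normal). Extra entries run at every logon.
    userinit = values.get("userinit") or ""
    entries = [e.strip() for e in userinit.split(",") if e.strip()]
    ok = (len(entries) == 1 and
          re.fullmatch(r"[a-z]:\\windows\\system32\\userinit\.exe",
                       entries[0], re.IGNORECASE))
    if not ok:
        findings.append(("userinit", f"unexpected logon chain: {userinit!r}"))

    shell = (values.get("shell") or "").strip()
    if shell.lower() != "explorer.exe":
        findings.append(("shell", f"unexpected shell: {shell!r}"))

    # Rogue AV often sets these so the user cannot kill it or undo its changes.
    for pol in ("DisableTaskMgr", "DisableRegistryTools"):
        if values.get(pol) not in (None, 0):
            findings.append((pol, "policy set; admin tool disabled for this user"))

    return findings


def read_live_values():
    """Read the same values from the live registry (Windows only)."""
    import winreg  # only importable on Windows

    def q(hive, path, name):
        try:
            with winreg.OpenKey(hive, path) as k:
                return winreg.QueryValueEx(k, name)[0]
        except OSError:
            return None

    wl = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    pol = r"Software\Microsoft\Windows\CurrentVersion\Policies\System"
    return {
        "exefile_open": q(winreg.HKEY_CLASSES_ROOT, r"exefile\shell\open\command", ""),
        "comfile_open": q(winreg.HKEY_CLASSES_ROOT, r"comfile\shell\open\command", ""),
        "userinit": q(winreg.HKEY_LOCAL_MACHINE, wl, "Userinit"),
        "shell": q(winreg.HKEY_LOCAL_MACHINE, wl, "Shell"),
        "DisableTaskMgr": q(winreg.HKEY_CURRENT_USER, pol, "DisableTaskMgr"),
        "DisableRegistryTools": q(winreg.HKEY_CURRENT_USER, pol, "DisableRegistryTools"),
    }


# Constructed samples: a clean XP box (system drive H: as in the log) and a hijacked one.
CLEAN = {
    "exefile_open": '"%1" %*',
    "comfile_open": '"%1" %*',
    "userinit": r"H:\WINDOWS\system32\userinit.exe,",
    "shell": "Explorer.exe",
}
HIJACKED = {
    "exefile_open": r'"H:\WINDOWS\system32\example_rogue.exe" /START "%1" %*',  # hypothetical
    "comfile_open": '"%1" %*',
    "userinit": r"H:\WINDOWS\system32\userinit.exe,H:\WINDOWS\example_rogue.exe,",
    "shell": "Explorer.exe",
    "DisableTaskMgr": 1,
}

if __name__ == "__main__":
    sample = read_live_values() if sys.platform == "win32" else HIJACKED
    for name, problem in audit(sample):
        print(f"{name}: {problem}")
```

Run it on the infected machine after exeHelper and again after a reboot: if the exefile command reverts, something still running is re-hijacking it, which is the case where renaming a tool to iexplore.exe (as suggested later in this thread) can still get it started.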
    Blade81
    QUOTE
    Does that help you?

    Possibly. Are you able to run DDS now?
    fred0412
    No, it doesn't work.

    What can I do? Uninstall and reinstall Windows XP?

    Fred
    Blade81
    Hi,

    Let's not give up yet. Did you try all three DDS links, and did each one do the same thing? If so, rename DDS to iexplore.exe and see if that works.
    fred0412
    Hi,

    I've tried the 3 DDS links. I renamed them, but .... it doesn't work.


    fred
    Blade81
    Hi,

    Have you tried running DDS in Safe Mode? Please do so if you haven't attempted it yet.

    If that doesn't help, then we'll try another tool.
    • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
    • Double click on RSIT.exe to run RSIT.
    • Click Continue at the disclaimer screen.
    • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized, if not you'll find it in c:\rsit folder)
    fred0412
    Hi,
    In Safe Mode, DDS doesn't work.
    Here's log.txt:
    Logfile of random's system information tool 1.06 (written by random/random)
    Run by Propriétaire at 2009-10-02 17:15:22
    Microsoft Windows XP Édition familiale Service Pack 3
    System drive H: has 62 GB (81%) free of 76 GB
    Total RAM: 990 MB (59% free)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 17:15:25, on 02/10/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    H:\WINDOWS\System32\smss.exe
    H:\WINDOWS\system32\winlogon.exe
    H:\WINDOWS\system32\services.exe
    H:\WINDOWS\system32\lsass.exe
    H:\WINDOWS\system32\svchost.exe
    H:\WINDOWS\System32\svchost.exe
    H:\WINDOWS\system32\spoolsv.exe
    H:\WINDOWS\Explorer.EXE
    H:\Program Files\Analog Devices\Core\smax4pnp.exe
    H:\Program Files\Analog Devices\SoundMAX\Smax4.exe
    H:\Program Files\TechCity Solutions\AliceSAV\AliceAgent.exe
    H:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    H:\Program Files\iTunes\iTunesHelper.exe
    H:\Program Files\Fichiers communs\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    H:\WINDOWS\system32\RUNDLL32.EXE
    H:\WINDOWS\system32\ctfmon.exe
    H:\Program Files\Messenger\msmsgs.exe
    H:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    H:\Program Files\Microsoft Office\Office\OSA.EXE
    H:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    H:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    H:\Program Files\Bonjour\mDNSResponder.exe
    H:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
    H:\Program Files\Fichiers communs\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    H:\WINDOWS\system32\nvsvc32.exe
    H:\WINDOWS\System32\svchost.exe
    H:\WINDOWS\system32\usbctl.exe
    H:\Program Files\iPod\bin\iPodService.exe
    H:\WINDOWS\System32\svchost.exe
    H:\WINDOWS\system32\wuauclt.exe
    H:\WINDOWS\system32\msfeedssync.exe
    H:\Documents and Settings\Propriétaire\Bureau\RSIT.exe
    H:\hijackthis\Propriétaire.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
    O2 - BHO: Aide pour le lien d'Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - H:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Programme d'aide de l'Assistant de connexion Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - H:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - H:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - H:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
    O4 - HKLM\..\Run: [SoundMAXPnP] H:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [SoundMAX] "H:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
    O4 - HKLM\..\Run: [AliceSAV] H:\Program Files\TechCity Solutions\AliceSAV\AliceAgent.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "H:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "H:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "H:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "H:\Program Files\Fichiers communs\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "H:\Program Files\Fichiers communs\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE H:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "H:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [EPSON Stylus DX5000 Series] H:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBVE.EXE /FU "H:\WINDOWS\TEMP\E_S91.tmp" /EF "HKCU"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] H:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] H:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] H:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE RÉSEAU')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] H:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] H:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Startup: Démarrage d'Office.lnk = H:\Program Files\Microsoft Office\Office\OSA.EXE
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - H:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - H:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200707...ex/qtplugin.cab
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
    O16 - DPF: {88764F69-3831-4EC1-B40B-FF21D8381345} (AdVerifierADPCtrl Class) - https://static.impots.gouv.fr/tdir/static/a...gnerADP-1.1.cab
    O16 - DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} (Image Uploader Control) - http://www.photoservice.com/telechargement...geUploader4.cab
    O23 - Service: Apple Mobile Device - Apple Inc. - H:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - H:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Service Bonjour (Bonjour Service) - Apple Inc. - H:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - H:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - H:\Program Files\Fichiers communs\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - H:\Program Files\Fichiers communs\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Service de l’iPod (iPod Service) - Apple Inc. - H:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - H:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - H:\Program Files\Fichiers communs\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - H:\WINDOWS\system32\nvsvc32.exe

    --
    End of file - 7606 bytes

    ======Scheduled tasks folder======

    H:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
    H:\WINDOWS\tasks\User_Feed_Synchronization-{2ADE88E7-5FBA-423E-909C-DF47D4EB5FDA}.job

    ======Registry dump======

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
    Aide pour le lien d'Adobe PDF Reader - H:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-23 62080]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
    Spybot-S&D IE Protection - H:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2009-01-26 1879896]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
    Programme d'aide de l'Assistant de connexion Windows Live - H:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-02-17 408440]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E99421FB-68DD-40F0-B4AC-B7027CAE2F1A}]
    EpsonToolBandKicker Class - H:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll [2005-02-21 368640]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - EPSON Web-To-Page - H:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll [2005-02-21 368640]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "High Definition Audio Property Page Shortcut"=H:\WINDOWS\system32\HDAShCut.exe [2004-10-27 61952]
    "SoundMAXPnP"=H:\Program Files\Analog Devices\Core\smax4pnp.exe [2005-05-20 925696]
    "SoundMAX"=H:\Program Files\Analog Devices\SoundMAX\Smax4.exe [2005-09-07 716800]
    "AliceSAV"=H:\Program Files\TechCity Solutions\AliceSAV\AliceAgent.exe [2005-12-16 81408]
    "Adobe Reader Speed Launcher"=H:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-11 39792]
    "QuickTime Task"=H:\Program Files\QuickTime\qttask.exe [2008-11-04 413696]
    "iTunesHelper"=H:\Program Files\iTunes\iTunesHelper.exe [2008-11-20 290088]
    "Symantec PIF AlertEng"=H:\Program Files\Fichiers communs\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe [2008-01-29 583048]
    "NvCplDaemon"=H:\WINDOWS\system32\NvCpl.dll [2009-02-18 13680640]
    "nwiz"=nwiz.exe /install []
    "NvMediaCenter"=H:\WINDOWS\system32\NvMcTray.dll [2009-02-18 86016]
    "KernelFaultCheck"=H:\WINDOWS\system32\dumprep 0 -k []

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"=H:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
    "MSMSGS"=H:\Program Files\Messenger\msmsgs.exe [2008-04-14 1695232]
    "EPSON Stylus DX5000 Series"=H:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBVE.EXE [2006-09-22 139264]
    "SpybotSD TeaTimer"=H:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2009-03-05 2260480]

    H:\Documents and Settings\Propriétaire\Menu Démarrer\Programmes\Démarrage
    Démarrage d'Office.lnk - H:\Program Files\Microsoft Office\Office\OSA.EXE

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - H:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    "notification packages"=scecli
    kbcmclol.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "DisableTaskMgr"=0

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "dontdisplaylastusername"=0
    "legalnoticecaption"=
    "legalnoticetext"=
    "shutdownwithoutlogon"=1
    "undockwithoutlogon"=1
    "DisableTaskMgr"=0

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
    "NoDriveTypeAutoRun"=145
    "NoSetActiveDesktop"=0
    "NoActiveDesktopChanges"=0

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
    "HonorAutoRunSetting"=
    "NoSetActiveDesktop"=
    "NoActiveDesktopChanges"=

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "H:\Program Files\iTunes\iTunes.exe"="H:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
    "H:\Program Files\eMule\emule.exe"="H:\Program Files\eMule\emule.exe:*:Disabled:eMule"
    "H:\Program Files\Bonjour\mDNSResponder.exe"="H:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
    "H:\Program Files\uTorrent\uTorrent.exe"="H:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent"
    "%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

    ======List of files/folders created in the last 1 months======

    2009-10-02 17:15:22 ----D---- H:\rsit
    2009-10-01 11:13:09 ----D---- H:\Program Files\Notepad++
    2009-10-01 11:13:09 ----D---- H:\Documents and Settings\Propriétaire\Application Data\Notepad++
    2009-09-30 19:04:19 ----D---- H:\WINDOWS\Minidump
    2009-09-25 20:25:35 ----A---- H:\WINDOWS\wininit.ini
    2009-09-25 18:57:11 ----AD---- H:\Documents and Settings\All Users\Application Data\TEMP
    2009-09-25 18:47:58 ----D---- H:\Documents and Settings\Propriétaire\Application Data\GetRightToGo
    2009-09-25 17:22:43 ----A---- H:\WINDOWS\system32\tmp.txt
    2009-09-25 17:21:09 ----A---- H:\rapport.txt
    2009-09-25 17:17:53 ----A---- H:\WINDOWS\ntbtlog.txt
    2009-09-25 11:42:05 ----A---- H:\WINDOWS\xybogatu.vbs
    2009-09-25 11:42:05 ----A---- H:\WINDOWS\socesege.dll
    2009-09-25 11:42:05 ----A---- H:\Program Files\Fichiers communs\wymitozoha.vbs
    2009-09-25 11:08:01 ----A---- H:\WINDOWS\system32\usbctl.exe
    2009-09-10 19:01:29 ----HDC---- H:\WINDOWS\$NtUninstallKB968816_WM9$
    2009-09-10 19:01:25 ----HDC---- H:\WINDOWS\$NtUninstallKB956844$

    ======List of files/folders modified in the last 1 months======

    2009-10-02 17:15:23 ----D---- H:\hijackthis
    2009-10-02 17:13:40 ----D---- H:\WINDOWS\Temp
    2009-10-02 16:56:31 ----D---- H:\WINDOWS
    2009-10-02 14:19:16 ----D---- H:\WINDOWS\system32
    2009-10-02 09:17:36 ----D---- H:\WINDOWS\Prefetch
    2009-10-01 20:32:17 ----A---- H:\WINDOWS\SchedLgU.Txt
    2009-10-01 11:13:09 ----RD---- H:\Program Files
    2009-09-25 20:29:35 ----D---- H:\Program Files\Fichiers communs
    2009-09-25 19:42:15 ----D---- H:\WINDOWS\system32\drivers
    2009-09-25 18:37:42 ----D---- H:\Program Files\Lavasoft
    2009-09-25 18:37:34 ----SHD---- H:\WINDOWS\Installer
    2009-09-25 17:30:33 ----SHD---- H:\RECYCLER
    2009-09-25 17:18:19 ----D---- H:\Documents and Settings
    2009-09-25 16:48:27 ----D---- H:\Program Files\Spybot - Search & Destroy
    2009-09-25 15:31:32 ----SD---- H:\WINDOWS\Tasks
    2009-09-25 15:20:33 ----D---- H:\WINDOWS\WinSxS
    2009-09-14 15:13:57 ----D---- H:\WINDOWS\system32\CatRoot2
    2009-09-11 10:35:36 ----D---- H:\Program Files\Microsoft Silverlight
    2009-09-10 19:01:31 ----RSHDC---- H:\WINDOWS\system32\dllcache
    2009-09-10 19:01:31 ----HD---- H:\WINDOWS\inf
    2009-09-10 19:01:28 ----A---- H:\WINDOWS\imsins.BAK
    2009-09-10 19:01:24 ----HD---- H:\WINDOWS\$hf_mig$

    ======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

    R1 AmdK8;Pilote de processeur AMD; H:\WINDOWS\System32\DRIVERS\AmdK8.sys [2005-03-09 43008]
    R1 AsIO;AsIO; H:\WINDOWS\system32\drivers\AsIO.sys [2005-12-22 5685]
    R1 WS2IFSL;Environnement de prise en charge de Fournisseur de services non-IFS Windows Sockets 2.0; H:\WINDOWS\System32\drivers\ws2ifsl.sys [2002-08-30 12032]
    R3 ADIHdAudAddService;ADI UAA Function Driver for High Definition Audio Service; H:\WINDOWS\system32\drivers\ADIHdAud.sys [2005-10-05 141312]
    R3 AEAudioService;AEAudio Service; H:\WINDOWS\system32\drivers\AEAudio.sys [2005-03-04 127872]
    R3 Arp1394;Protocole client ARP 1394; H:\WINDOWS\System32\DRIVERS\arp1394.sys [2008-04-13 60800]
    R3 GEARAspiWDM;GEAR ASPI Filter Driver; H:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2008-04-17 15464]
    R3 GEARAspiWDM;GEAR ASPI Filter Driver; H:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2008-04-17 15464]
    R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; H:\WINDOWS\System32\DRIVERS\HDAudBus.sys [2004-10-27 138240]
    R3 MTsensor;ATK0110 ACPI UTILITY; H:\WINDOWS\System32\DRIVERS\ASACPI.sys [2004-08-13 5810]
    R3 NIC1394;Pilote réseau 1394; H:\WINDOWS\System32\DRIVERS\nic1394.sys [2008-04-13 61824]
    R3 nv;nv; H:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2009-02-18 6308224]
    R3 NVENETFD;NVIDIA nForce Networking Controller Driver; H:\WINDOWS\system32\DRIVERS\NVENETFD.sys [2006-02-17 34176]
    R3 nvnetbus;NVIDIA Network Bus Enumerator; H:\WINDOWS\system32\DRIVERS\nvnetbus.sys [2006-02-17 13056]
    R3 SenFiltService;SenFilt Service; H:\WINDOWS\system32\drivers\Senfilt.sys [2005-08-11 393088]
    R3 usbccgp;Pilote parent générique USB Microsoft; H:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
    R3 usbehci;Pilote miniport de contrôleur hôte amélioré USB 2.0 Microsoft; H:\WINDOWS\System32\DRIVERS\usbehci.sys [2008-04-13 30208]
    R3 usbhub;Concentrateur USB2; H:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
    R3 usbohci;Pilote miniport de contrôleur hôte ouvert USB Microsoft; H:\WINDOWS\System32\DRIVERS\usbohci.sys [2008-04-13 17152]
    R3 usbprint;Classe d'imprimantes USB Microsoft; H:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
    R3 usbscan;Pilote de scanneur USB; H:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
    R3 usbstor;Pilote de stockage de masse USB; H:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
    S3 Bridge;Pont MAC; H:\WINDOWS\System32\DRIVERS\bridge.sys [2008-04-13 71552]
    S3 BridgeMP;Miniport de pont MAC; H:\WINDOWS\System32\DRIVERS\bridge.sys [2008-04-13 71552]
    S3 HdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service; H:\WINDOWS\system32\drivers\HdAudio.sys [2004-10-27 145920]
    S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; H:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
    S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; H:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
    S4 IntelIde;IntelIde; H:\WINDOWS\system32\drivers\IntelIde.sys []

    ======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

    R2 Apple Mobile Device;Apple Mobile Device; H:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-11-07 132424]
    R2 Automatic LiveUpdate Scheduler;Automatic LiveUpdate Scheduler; H:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe [2006-07-25 100032]
    R2 Bonjour Service;Service Bonjour; H:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
    R2 EPSON_PM_RPCV4_01;EPSON V3 Service4(01); H:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE [2006-04-18 102400]
    R2 LiveUpdate Notice Service;LiveUpdate Notice Service; H:\Program Files\Fichiers communs\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe [2008-01-29 583048]
    R2 NVSvc;NVIDIA Display Driver Service; H:\WINDOWS\system32\nvsvc32.exe [2009-02-18 163908]
    R2 usbctl;Microsoft USB Bus Controller; H:\WINDOWS\system32\usbctl.exe [2009-09-25 67072]
    R3 iPod Service;Service de l’iPod; H:\Program Files\iPod\bin\iPodService.exe [2008-11-20 536872]
    S3 FLEXnet Licensing Service;FLEXnet Licensing Service; H:\Program Files\Fichiers communs\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2009-02-20 654848]
    S3 IDriverT;InstallDriver Table Manager; H:\Program Files\Fichiers communs\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
    S3 LiveUpdate;LiveUpdate; H:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE [2006-07-25 2119360]
    S3 WLSetupSvc;Windows Live Setup Service; H:\Program Files\Windows Live\installer\WLSetupSvc.exe [2007-10-25 266240]
    S3 WMPNetworkSvc;Service Partage réseau du Lecteur Windows Media; H:\Program Files\Windows Media Player\WMPNetwk.exe [2006-11-03 918016]
    S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; H:\WINDOWS\system32\svchost.exe [2008-04-14 14336]

    -----------------EOF-----------------



    and info.txt:

    info.txt logfile of random's system information tool 1.06 2009-10-02 17:15:28

    ======Uninstall list======

    -->H:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
    -->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 H:\WINDOWS\INF\PCHealth.inf
    ABBYY FineReader 6.0 Sprint-->MsiExec.exe /I{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}
    Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)-->MsiExec.exe /X{6846389C-BAC0-4374-808E-B120F86AF5D7}
    Adobe Anchor Service CS3-->MsiExec.exe /I{90176341-0A8B-4CCC-A78D-F862228A6B95}
    Adobe Asset Services CS3-->MsiExec.exe /I{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}
    Adobe Bridge CS3-->MsiExec.exe /I{9C9824D9-9000-4373-A6A5-D0E5D4831394}
    Adobe Bridge Start Meeting-->MsiExec.exe /I{08B32819-6EEF-4057-AEDA-5AB681A36A23}
    Adobe Camera Raw 4.0-->MsiExec.exe /I{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}
    Adobe CMaps-->MsiExec.exe /I{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}
    Adobe Color - Photoshop Specific-->MsiExec.exe /I{A2D81E70-2A98-4A08-A628-94388B063C5E}
    Adobe Color Common Settings-->MsiExec.exe /I{DADD7B8A-BCB0-44F5-967A-ECB6B4F2ECD9}
    Adobe Color EU Extra Settings-->MsiExec.exe /I{51846830-E7B2-4218-8968-B77F0FF475B8}
    Adobe Color JA Extra Settings-->MsiExec.exe /I{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}
    Adobe Color NA Recommended Settings-->MsiExec.exe /I{95655ED4-7CA5-46DF-907F-7144877A32E5}
    Adobe Default Language CS3-->MsiExec.exe /I{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}
    Adobe Device Central CS3-->MsiExec.exe /I{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}
    Adobe ExtendScript Toolkit 2-->MsiExec.exe /I{C2D69781-F392-4118-A5A7-C7E9C38DBFC2}
    Adobe Flash Player 10 ActiveX-->H:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
    Adobe Fonts All-->MsiExec.exe /I{6ABE0BEE-D572-4FE8-B434-9E72A289431B}
    Adobe Help Viewer CS3-->MsiExec.exe /I{04AF207D-9A77-465A-8B76-991F6AB66245}
    Adobe Linguistics CS3-->MsiExec.exe /I{54793AA1-5001-42F4-ABB6-C364617C6078}
    Adobe PDF Library Files-->MsiExec.exe /I{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}
    Adobe Photoshop CS3-->H:\Program Files\Fichiers communs\Adobe\Installers\2ac78060bc5856b0c1cf873bb919b58\Setup.exe
    Adobe Photoshop CS3-->MsiExec.exe /I{0046FA01-C5B9-4985-BACB-398DC480FC05}
    Adobe Reader 8.1.2 - Français-->MsiExec.exe /I{AC76BA86-7AD7-1036-7B44-A81200000003}
    Adobe Setup-->MsiExec.exe /I{D1BB4446-AE9C-4256-9A7F-4D46604D2462}
    Adobe Stock Photos CS3-->MsiExec.exe /I{29E5EA97-5F74-4A57-B8B2-D4F169117183}
    Adobe Type Support-->MsiExec.exe /I{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}
    Adobe Update Manager CS3-->MsiExec.exe /I{E69AE897-9E0B-485C-8552-7841F48D42D8}
    Adobe Version Cue CS3 Client-->MsiExec.exe /I{D0DFF92A-492E-4C40-B862-A74A173C25C5}
    Adobe WinSoft Linguistics Plugin-->MsiExec.exe /I{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}
    Adobe XMP Panels CS3-->MsiExec.exe /I{802771A9-A856-4A41-ACF7-1450E523C923}
    Alice Auto-diagnostic-->H:\Program Files\TechCity Solutions\AliceSAV\uninstall.exe
    Apple Mobile Device Support-->MsiExec.exe /I{EC4455AB-F155-4CC1-A4C5-88F3777F9886}
    Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
    Assistant de connexion Windows Live-->MsiExec.exe /I{D3116CC7-24DC-4CA3-9CE1-23FED836E9F2}
    ASUS_Ai_Proactive_Screensaver (E)-->H:\WINDOWS\ASUS_Ai_Proactive_Screensaver (E).scr /u
    AsusUpdate-->RunDll32 H:\PROGRA~1\FICHIE~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "H:\Program Files\InstallShield Installation Information\{587178E7-B1DF-494E-9838-FA4DD36E873C}\setup.exe" -l0x40c
    Athlon 64 Processor Driver-->RunDll32 H:\PROGRA~1\FICHIE~1\INSTAL~1\PROFES~1\RunTime91\Intel32\Ctor.dll,LaunchSetup "H:\Program Files\InstallShield Installation Information\{C151CE54-E7EA-4804-854B-F515368B0798}\setup.exe" -l0x40c
    Bonjour-->MsiExec.exe /I{07287123-B8AC-41CE-8346-3D777245C35B}
    Camera RAW Plug-In for EPSON Creativity Suite-->RunDll32 H:\PROGRA~1\FICHIE~1\INSTAL~1\PROFES~1\RunTime701\Intel32\Ctor.dll,LaunchSetup "H:\Program Files\InstallShield Installation Information\{8DAC1AE4-33D1-4A78-8A42-00E09EDECC3E}\SETUP.EXE" -l0x40c UNINST
    Cool & Quiet-->RunDll32 H:\PROGRA~1\FICHIE~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "H:\Program Files\InstallShield Installation Information\{1ADE1AA0-7F82-4BB1-B1BD-727DE438057B}\setup.exe" -l0x40c
    Correctif pour Lecteur Windows Media 11 (KB939683)-->"H:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
    Correctif pour Windows Internet Explorer 7 (KB947864)-->"H:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe"
    Correctif pour Windows XP (KB952287)-->"H:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
    Correctif pour Windows XP (KB970653-v3)-->"H:\WINDOWS\$NtUninstallKB970653-v3$\spuninst\spuninst.exe"
    DivX Codec-->H:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
    DivX Converter-->H:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
    DivX Player-->H:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
    DivX Web Player-->H:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
    DVD Decoder Pak for Windows XP-->MsiExec.exe /X{92C5DB3D-9D6F-4324-BB11-57825F4C2635}
    EPSON Attach To Email-->H:\Program Files\Fichiers communs\InstallShield\Driver\8\Intel 32\IDriver.exe /M{20C45B32-5AB6-46A4-94EF-58950CAF05E5} /l1033 ADDREMOVEDLG
    EPSON Copy Utility 3-->RunDll32 H:\PROGRA~1\FICHIE~1\INSTAL~1\PROFES~1\RunTime701\Intel32\Ctor.dll,LaunchSetup "H:\Program Files\InstallShield Installation Information\{67EDD823-135A-4D59-87BD-950616D6E857}\SETUP.EXE" -l0x40c -UnInstall
    EPSON Easy Photo Print-->RunDll32 H:\PROGRA~1\FICHIE~1\INSTAL~1\PROFES~1\RunTime701\Intel32\Ctor.dll,LaunchSetup "H:\Program Files\InstallShield Installation Information\{B66E665A-DF96-4C38-9422-C7F74BC1B4E5}\SETUP.EXE" -l0x40c UNINST
    EPSON File Manager-->RunDll32 H:\PROGRA~1\FICHIE~1\INSTAL~1\PROFES~1\RunTime701\Intel32\Ctor.dll,LaunchSetup "H:\Program Files\InstallShield Installation Information\{2EB81825-E9EE-44F4-8F51-1240C3898DC6}\Setup.exe" -l0x40c UNINST
    EPSON Logiciel imprimante-->H:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
    EPSON Scan Assistant-->RunDll32 H:\PROGRA~1\FICHIE~1\INSTAL~1\PROFES~1\RunTime701\Intel32\Ctor.dll,LaunchSetup "H:\Program Files\InstallShield Installation Information\{2A88F1BF-7041-4E42-84B1-6B4ACB83AC64}\Setup.exe" -l0x40c -u
    EPSON Scan-->H:\Program Files\epson\escndv\setup\setup.exe /r
    EPSON Web-To-Page-->RunDll32 H:\PROGRA~1\FICHIE~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "H:\Program Files\InstallShield Installation Information\{7F14F68C-17FA-4F88-B3FD-7F449C1EBF32}\SETUP.EXE" -l0x40c -anything
    ESDX5000_CX4900 Guide d’utilisation-->H:\Program Files\EPSON\TPMANUAL\ESDX5000_CX4900\USE_G\DOCUNINS.EXE
    GPL Ghostscript 8.61-->H:\Program Files\gs\uninstgs.exe "H:\Program Files\gs\gs8.61\uninstal.txt"
    GPL Ghostscript Fonts-->H:\Program Files\gs\uninstgs.exe "H:\Program Files\gs\fonts\uninstal.txt"
    GSview 4.9-->H:\Program Files\Ghostgum\gsview\uninstgs.exe "H:\Program Files\Ghostgum\gsview\uninstal.txt"
    HijackThis 2.0.2-->"H:\hijackthis\HijackThis.exe" /uninstall
    Hotfix for Windows Media Format 11 SDK (KB929399)-->"H:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
    iTunes-->MsiExec.exe /I{318AB667-3230-41B5-A617-CB3BF748D371}
    Kit de Connexion Alice ADSL-->RunDll32 H:\PROGRA~1\FICHIE~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "H:\Program Files\InstallShield Installation Information\{3A0221AD-D30B-4320-8F9B-1D0F0E6C6843}\setup.exe" -l0x40c ControlPanel
    Lecteur Windows Media 11-->"H:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
    LiveUpdate 3.0 (Symantec Corporation)-->"H:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
    LiveUpdate Notice (Symantec Corporation)-->MsiExec.exe /X{DBA4DB9D-EE51-4944-A419-98AB1F1249C8}
    Microsoft Compression Client Pack 1.0 for Windows XP-->"H:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
    Microsoft Internationalized Domain Names Mitigation APIs-->"H:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
    Microsoft National Language Support Downlevel APIs-->"H:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
    Microsoft Office 97 Professional-->H:\Program Files\Microsoft Office\Office\Install\Acme.exe /w Off97Pro.STF
    Microsoft Silverlight-->MsiExec.exe /X{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
    Microsoft User-Mode Driver Framework Feature Pack 1.0-->"H:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
    Microsoft Windows XP Video Decoder Checkup Utility-->RunDll32 advpack.dll,LaunchINFSection H:\WINDOWS\INF\DECCHECK.inf,Uninstall
    Mise à jour critique pour Lecteur Windows Media 11 (KB959772)-->"H:\WINDOWS\$NtUninstallKB959772_WM11$\spuninst\spuninst.exe"
    Mise à jour de sécurité pour Lecteur Windows Media (KB952069)-->"H:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
    Mise à jour de sécurité pour Lecteur Windows Media (KB968816)-->"H:\WINDOWS\$NtUninstallKB968816_WM9$\spuninst\spuninst.exe"
    Mise à jour de sécurité pour Lecteur Windows Media (KB973540)-->"H:\WINDOWS\$NtUninstallKB973540_WM9$\spuninst\spuninst.exe"
    Mise à jour de sécurité pour Lecteur Windows Media 11 (KB936782)-->"H:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
    Mise à jour de sécurité pour Lecteur Windows Media 11 (KB954154)-->"H:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
    Mise à jour de sécurité pour Lecteur Windows Media 8 (KB917734)-->"H:\WINDOWS\$NtUninstallKB917734_WMP8$\spuninst\spuninst.exe"
    Mise à jour de sécurité pour Lecteur Windows Media 9 (KB917734)-->"H:\WINDOWS\$NtUninstallKB917734_WMP9$\spuninst\spuninst.exe"
    Mise à jour de sécurité pour Windows Internet Explorer 7 (KB937143)-->"H:\WINDOWS\ie7updates\KB937143-IE7\spuninst\spuninst.exe"
    Mise à jour de sécurité pour Windows Internet Explorer 7 (KB938127)-->"H:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
    Mise à jour de sécurité pour Windows Internet Explorer 7 (KB939653)-->"H:\WINDOWS\ie7updates\KB939653-IE7\spuninst\spuninst.exe"
    Mise à jour de sécurité pour Windows Internet Explorer 7 (KB942615)-->"H:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe"
    Mise à jour de sécurité pour Windows Internet Explorer 7 (KB944533)-->"H:\WINDOWS\ie7updates\KB944533-IE7\spuninst\spuninst.exe"
    Mise à jour de sécurité pour Windows Internet Explorer 7 (KB950759)-->"H:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe"
    Mise à jour de sécurité pour Windows Internet Explorer 7 (KB953838)-->"H:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
    Mise à jour de sécurité pour Windows Internet Explorer 7 (KB956390)-->"H:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
    Mise à jour de sécurité pour Windows Internet Explorer 7 (KB958215)-->"H:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"
    Mise à jour de sécurité pour Windows Internet Explorer 7 (KB960714)-->"H:\WINDOWS\ie7updates\KB960714-IE7\spuninst\spuninst.exe"
    Mise à jour de sécurité pour Windows Internet Explorer 7 (KB961260)-->"H:\WINDOWS\ie7updates\KB961260-IE7\spuninst\spuninst.exe"
    Mise à jour de sécurité pour Windows Internet Explorer 8 (KB969897)-->"H:\WINDOWS\ie8updates\KB969897-IE8\spuninst\spuninst.exe"
    Mise à jour de sécurité pour Windows Internet Explorer 8 (KB971961)-->"H:\WINDOWS\ie8updates\KB971961-IE8\spuninst\spuninst.exe"
    Mise à jour de sécurité pour Windows Internet Explorer 8 (KB972260)-->"H:\WINDOWS\ie8updates\KB972260-IE8\spuninst\spuninst.exe"
    Mise à jour de sécurité pour Windows XP (KB923561)-->"H:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
    Mise à jour de sécurité pour Windows XP (KB938464)-->"H:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
    Mise à jour de sécurité pour Windows XP (KB938464-v2)-->"H:\WINDOWS\$NtUninstallKB938464-v2$\spuninst\spuninst.exe"
    Mise à jour de sécurité pour Windows XP (KB941569)-->"H:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
    Mise à jour de sécurité pour Windows XP (KB946648)-->"H:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
    Mise à jour de sécurité pour Windows XP (KB950760)-->"H:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
    Mise à jour de sécurité pour Windows XP (KB950762)-->"H:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
    Mise à jour de sécurité pour Windows XP (KB950974)-->"H:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
    Mise à jour de sécurité pour Windows XP (KB951066)-->"H:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
    Mise à jour de sécurité pour Windows XP (KB951376)-->"H:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"
    Mise à jour de sécurité pour Windows XP (KB951376-v2)-->"H:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
    Mise à jour de sécurité pour Windows XP (KB951698)-->"H:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
    Mise à jour de sécurité pour Windows XP (KB951748)-->"H:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
    Mise à jour de sécurité pour Windows XP (KB952004)-->"H:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
    Mise à jour de sécurité pour Windows XP (KB952954)-->"H:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
    Mise à jour de sécurité pour Windows XP (KB953839)-->"H:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
    Mise à jour de sécurité pour Windows XP (KB954211)-->"H:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
    Mise à jour de sécurité pour Windows XP (KB954459)-->"H:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
    Mise à jour de sécurité pour Windows XP (KB954600)-->"H:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
    Mise à jour de sécurité pour Windows XP (KB955069)-->"H:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
    Mise à jour de sécurité pour Windows XP (KB956391)-->"H:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
    Mise à jour de sécurité pour Windows XP (KB956572)-->"H:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
    Mise à jour de sécurité pour Windows XP (KB956744)-->"H:\WINDOWS\$NtUninstallKB956744$\spuninst\spuninst.exe"
    Mise à jour de sécurité pour Windows XP (KB956802)-->"H:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
    Mise à jour de sécurité pour Windows XP (KB956803)-->"H:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
    Mise à jour de sécurité pour Windows XP (KB956841)-->"H:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
    Mise à jour de sécurité pour Windows XP (KB956844)-->"H:\WINDOWS\$NtUninstallKB956844$\spuninst\spuninst.exe"
    Mise à jour de sécurité pour Windows XP (KB957095)-->"H:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
    Mise à jour de sécurité pour Windows XP (KB957097)-->"H:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
    Mise à jour de sécurité pour Windows XP (KB958644)-->"H:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
    Mise à jour de sécurité pour Windows XP (KB958687)-->"H:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
    Mise à jour de sécurité pour Windows XP (KB958690)-->"H:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
    Mise à jour de sécurité pour Windows XP (KB959426)-->"H:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
    Mise à jour de sécurité pour Windows XP (KB960225)-->"H:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
    Mise à jour de sécurité pour Windows XP (KB960715)-->"H:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
    Mise à jour de sécurité pour Windows XP (KB960803)-->"H:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
    Mise à jour de sécurité pour Windows XP (KB960859)-->"H:\WINDOWS\$NtUninstallKB960859$\spuninst\spuninst.exe"
    Mise à jour de sécurité pour Windows XP (KB961371)-->"H:\WINDOWS\$NtUninstallKB961371$\spuninst\spuninst.exe"
    Mise à jour de sécurité pour Windows XP (KB961373)-->"H:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
    Mise à jour de sécurité pour Windows XP (KB961501)-->"H:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
    Mise à jour de sécurité pour Windows XP (KB968537)-->"H:\WINDOWS\$NtUninstallKB968537$\spuninst\spuninst.exe"
    Mise à jour de sécurité pour Windows XP (KB969898)-->"H:\WINDOWS\$NtUninstallKB969898$\spuninst\spuninst.exe"
    Mise à jour de sécurité pour Windows XP (KB970238)-->"H:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"
    Mise à jour de sécurité pour Windows XP (KB971557)-->"H:\WINDOWS\$NtUninstallKB971557$\spuninst\spuninst.exe"
    Mise à jour de sécurité pour Windows XP (KB971633)-->"H:\WINDOWS\$NtUninstallKB971633$\spuninst\spuninst.exe"
    Mise à jour de sécurité pour Windows XP (KB971657)-->"H:\WINDOWS\$NtUninstallKB971657$\spuninst\spuninst.exe"
    Mise à jour de sécurité pour Windows XP (KB973346)-->"H:\WINDOWS\$NtUninstallKB973346$\spuninst\spuninst.exe"
    Mise à jour de sécurité pour Windows XP (KB973354)-->"H:\WINDOWS\$NtUninstallKB973354$\spuninst\spuninst.exe"
    Mise à jour de sécurité pour Windows XP (KB973507)-->"H:\WINDOWS\$NtUninstallKB973507$\spuninst\spuninst.exe"
    Mise à jour de sécurité pour Windows XP (KB973869)-->"H:\WINDOWS\$NtUninstallKB973869$\spuninst\spuninst.exe"
    Mise à jour pour Windows Internet Explorer 8 (KB971180)-->"H:\WINDOWS\ie8updates\KB971180-IE8\spuninst\spuninst.exe"
    Mise à jour pour Windows XP (KB951072-v2)-->"H:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
    Mise à jour pour Windows XP (KB951978)-->"H:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
    Mise à jour pour Windows XP (KB955839)-->"H:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
    Mise à jour pour Windows XP (KB967715)-->"H:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
    Mise à jour pour Windows XP (KB973815)-->"H:\WINDOWS\$NtUninstallKB973815$\spuninst\spuninst.exe"
    Mozilla Firefox (2.0.0.2)-->H:\Program Files\Mozilla Firefox\uninstall\helper.exe
    Notepad++-->H:\Program Files\Notepad++\uninstall.exe
    NVIDIA Drivers-->H:\WINDOWS\system32\nvunrm.exe UninstallGUI
    PC Probe II-->RunDll32 H:\PROGRA~1\FICHIE~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "H:\Program Files\InstallShield Installation Information\{F7338FA3-DAB5-49B2-900D-0AFB5760C166}\setup.exe" -l0x40c
    PDF Settings-->MsiExec.exe /I{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}
    QuarkXPress 7.0-->MsiExec.exe /I{A38048C6-89D1-44EC-BC95-E95DD4A19B5E}
    QuickTime-->MsiExec.exe /I{F958CA02-BB40-4007-894B-258729456EE4}
    Security Update for CAPICOM (KB931906)-->MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
    Security Update for CAPICOM (KB931906)-->MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
    SoundMAX-->RunDll32 H:\PROGRA~1\FICHIE~1\INSTAL~1\PROFES~1\RunTime\10\Intel32\Ctor.dll,LaunchSetup "H:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\Setup.exe" -l0x40c -removeonly
    Spybot - Search & Destroy-->"H:\Program Files\Spybot - Search & Destroy\unins000.exe"
    Visual C++ 2008 x86 Runtime - (v9.0.30729)-->MsiExec.exe /X{F333A33D-125C-32A2-8DCE-5C5D14231E27}
    Visual C++ 2008 x86 Runtime - v9.0.30729.01-->H:\WINDOWS\system32\msiexec.exe /x {F333A33D-125C-32A2-8DCE-5C5D14231E27} /qb+ REBOOTPROMPT=""
    Windows Internet Explorer 8-->"H:\WINDOWS\ie8\spuninst\spuninst.exe"
    Windows Live installer-->MsiExec.exe /X{FD44E544-E7D0-4DBA-9FA0-8AE1A1300390}
    Windows Live Mail-->MsiExec.exe /I{C514C594-23AA-4F13-A070-DB8BDB27594F}
    Windows Media Format 11 runtime-->"H:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
    Windows Media Format 11 runtime-->"H:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
    Windows Media Player 11-->"H:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
    Windows XP Service Pack 3-->"H:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"

    ======Security center information======

    FW: Norton Internet Worm Protection (disabled)

    ======System event log======

    Computer Name: FRED
    Event Code: 7036
    Message: Le service Compatibilité avec le Changement rapide d'utilisateur est entré dans l'état : en cours d'exécution.

    Record Number: 5
    Source Name: Service Control Manager
    Time Written: 20090925151837.000000+120
    Event Type: Informations
    User:

    Computer Name: FRED
    Event Code: 7035
    Message: Un contrôle Démarrer a correctement été envoyé au service Compatibilité avec le Changement rapide d'utilisateur.

    Record Number: 4
    Source Name: Service Control Manager
    Time Written: 20090925151837.000000+120
    Event Type: Informations
    User: AUTORITE NT\SYSTEM

    Computer Name: FRED
    Event Code: 7036
    Message: Le service Services Terminal Server est entré dans l'état : en cours d'exécution.

    Record Number: 3
    Source Name: Service Control Manager
    Time Written: 20090925151837.000000+120
    Event Type: Informations
    User:

    Computer Name: FRED
    Event Code: 6005
    Message: Le service d'Enregistrement d'événement a démarré.

    Record Number: 2
    Source Name: EventLog
    Time Written: 20090925151810.000000+120
    Event Type: Informations
    User:

    Computer Name: FRED
    Event Code: 6009
    Message: Microsoft ® Windows ® 5.01. 2600 Service Pack 3 Uniprocessor Free.

    Record Number: 1
    Source Name: EventLog
    Time Written: 20090925151810.000000+120
    Event Type: Informations
    User:

    =====Application event log=====

    Computer Name: FRED
    Event Code: 223
    Message: wlmail (3072) WindowsLiveMail0: Début de la sauvegarde des fichiers journaux (H:\Documents and Settings\Propriétaire\Local Settings\Application Data\Microsoft\Windows Live Mail\edb00186.log à H:\Documents and Settings\Propriétaire\Local Settings\Application Data\Microsoft\Windows Live Mail\edb00186.log).

    Record Number: 19810
    Source Name: ESENT
    Time Written: 20090720092421.000000+120
    Event Type: Informations
    User:

    Computer Name: FRED
    Event Code: 221
    Message: wlmail (3072) WindowsLiveMail0: Fin de la sauvegarde du fichier H:\Documents and Settings\Propriétaire\Local Settings\Application Data\Microsoft\Windows Live Mail\Mail.MSMessageStore.

    Record Number: 19809
    Source Name: ESENT
    Time Written: 20090720092421.000000+120
    Event Type: Informations
    User:

    Computer Name: FRED
    Event Code: 220
    Message: wlmail (3072) WindowsLiveMail0: Début de la sauvegarde du fichier H:\Documents and Settings\Propriétaire\Local Settings\Application Data\Microsoft\Windows Live Mail\Mail.MSMessageStore (taille 10 Mb).

    Record Number: 19808
    Source Name: ESENT
    Time Written: 20090720092419.000000+120
    Event Type: Informations
    User:

    Computer Name: FRED
    Event Code: 210
    Message: wlmail (3072) WindowsLiveMail0: Une sauvegarde complète démarre.

    Record Number: 19807
    Source Name: ESENT
    Time Written: 20090720092419.000000+120
    Event Type: Informations
    User:

    Computer Name: FRED
    Event Code: 102
    Message: wlmail (3072) WindowsLiveMail0: Le moteur de base de données a démarré une nouvelle instance (0).

    Record Number: 19806
    Source Name: ESENT
    Time Written: 20090720092418.000000+120
    Event Type: Informations
    User:

    ======Environment variables======

    "ComSpec"=%SystemRoot%\system32\cmd.exe
    "Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;H:\Program Files\QuickTime\QTSystem\
    "windir"=%SystemRoot%
    "OS"=Windows_NT
    "PROCESSOR_ARCHITECTURE"=x86
    "PROCESSOR_LEVEL"=15
    "PROCESSOR_IDENTIFIER"=x86 Family 15 Model 79 Stepping 2, AuthenticAMD
    "PROCESSOR_REVISION"=4f02
    "NUMBER_OF_PROCESSORS"=1
    "PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
    "TEMP"=%SystemRoot%\TEMP
    "TMP"=%SystemRoot%\TEMP
    "FP_NO_HOST_CHECK"=NO
    "CLASSPATH"=.;H:\Program Files\QuickTime\QTSystem\QTJava.zip
    "QTJAVA"=H:\Program Files\QuickTime\QTSystem\QTJava.zip

    -----------------EOF-----------------

    Fred
    Blade81
    Hi,

    Please visit this webpage for download links, and instructions for running ComboFix tool:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Please ensure you read this guide carefully and install the Recovery Console first.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

    Once installed, you should see a blue screen prompt that says:

    The Recovery Console was successfully installed.

    Please continue as follows:
    1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix (link).
      Remember to re-enable them afterwards.

    2. Click Yes to allow ComboFix to continue scanning for malware.

    When the tool is finished, it will produce a report for you.

    Please include the following reports for further review, and so we may continue cleansing the system:

    H:\ComboFix.txt

    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.


    See if you're able to run DDS now.
    fred0412
    Hi,

    I had 1 error message when ComboFix was running:

    CF314.exe damaged file
    The file or the folder H:\DOCUME~1\PROPRI~~1LOCALS~1\Temp\~DF90D9.tmp is damaged or unreadable
    Use the tool CHKDSK

    Here is the ComboFix.txt:
    ComboFix 09-10-01.05 - Propriétaire 02/10/2009 18:15.1.1 - NTFSx86
    Microsoft Windows XP Édition familiale 5.1.2600.3.1252.33.1036.18.990.751 [GMT 2:00]
    Lancé depuis: h:\documents and settings\Propriétaire\Bureau\ComboFix.exe
    FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
    * Un nouveau point de restauration a été créé
    .

    (((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
    .

    h:\documents and settings\LocalService\Application Data\lizkavd.exe
    h:\documents and settings\LocalService\Application Data\qelykoro.scr
    h:\documents and settings\LocalService\Application Data\seres.exe
    h:\documents and settings\LocalService\Application Data\ynugun.inf
    h:\documents and settings\LocalService\Cookies\semopotuz.bat
    h:\documents and settings\LocalService\Cookies\xofyduculy.pif
    h:\documents and settings\LocalService\Local Settings\Application Data\buqetelaf.bat
    h:\documents and settings\LocalService\Local Settings\Application Data\nysojydewu.dl
    h:\documents and settings\LocalService\Local Settings\Application Data\setykenifa.bin
    h:\documents and settings\LocalService\Local Settings\Application Data\vepelociv.inf
    h:\documents and settings\LocalService\Local Settings\Temporary Internet Files\kediqude.ban
    h:\documents and settings\Propriétaire\Local Settings\Application Data\kgcao_nav.dat
    h:\documents and settings\Propriétaire\Local Settings\Application Data\kgcao_navps.dat
    h:\program files\Fichiers communs\sibusuvenu.bin
    h:\program files\Fichiers communs\wymitozoha.vbs
    h:\program files\Fichiers communs\yfyma.ban
    h:\windows\afimilo.reg
    h:\windows\pefozekigy.sys
    h:\windows\socesege.dll
    h:\windows\system32\drivers\gasfkyopxgftiq.sys
    h:\windows\system32\gasfkyknlxmosi.dat
    h:\windows\system32\gasfkypnuifohw.dll
    h:\windows\system32\gasfkyrvimovym.dll
    h:\windows\system32\gasfkysdpqxdpk.dll
    h:\windows\system32\gasfkyvbxjkvdk.dat
    h:\windows\system32\kufyxo.dl
    h:\windows\system32\tmp.reg
    h:\windows\system32\vaxyzo.inf
    h:\windows\system32\zeqeputek.reg
    h:\windows\ufewyga.scr
    h:\windows\xybogatu.vbs
    h:\windows\ylawegecuh.dl

    .
    ((((((((((((((((((((((((((((((((((((((( Pilotes/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_gasfkylyfwbxxn
    -------\Legacy_gasfkylyfwbxxn


    ((((((((((((((((((((((((((((( Fichiers créés du 2009-09-02 au 2009-10-02 ))))))))))))))))))))))))))))))))))))
    .

    2009-10-02 15:15 . 2009-10-02 15:15 -------- d-----w- H:\rsit
    2009-10-01 09:13 . 2009-10-01 09:13 -------- d-----w- h:\program files\Notepad++
    2009-09-25 16:57 . 2009-09-25 17:42 -------- d---a-w- h:\documents and settings\All Users\Application Data\TEMP
    2009-09-25 15:19 . 2009-09-25 15:19 -------- d-sh--w- h:\documents and settings\Administrateur\IETldCache
    2009-09-25 13:43 . 2009-09-25 13:43 -------- d-----w- h:\documents and settings\LocalService\Bureau
    2009-09-25 09:42 . 2009-09-25 09:42 13770 ----a-w- h:\windows\system32\kuvi.dat
    2009-09-25 09:13 . 2009-09-25 09:13 -------- d-sh--w- h:\windows\system32\config\systemprofile\IETldCache
    2009-09-25 09:08 . 2009-09-25 09:08 -------- d-sh--w- h:\documents and settings\LocalService\IETldCache
    2009-09-25 09:08 . 2009-09-25 09:08 67072 ----a-w- h:\windows\system32\usbctl.exe
    2009-09-10 08:01 . 2009-06-21 21:47 153088 -c----w- h:\windows\system32\dllcache\triedit.dll

    .
    (((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-09-25 16:37 . 2007-10-17 19:04 -------- d-----w- h:\program files\Lavasoft
    2009-09-25 14:48 . 2009-04-01 11:54 -------- d-----w- h:\program files\Spybot - Search & Destroy
    2009-09-11 08:35 . 2009-04-13 10:29 -------- d-----w- h:\program files\Microsoft Silverlight
    2009-08-05 09:00 . 2002-08-30 12:00 205312 ----a-w- h:\windows\system32\mswebdvd.dll
    2009-07-17 19:03 . 2002-08-30 12:00 58880 ----a-w- h:\windows\system32\atl.dll
    2009-07-13 21:43 . 2004-08-19 23:09 286208 ------w- h:\windows\system32\wmpdxm.dll
    2007-02-21 22:13 . 2007-09-19 12:44 66672 ----a-w- h:\program files\mozilla firefox\components\jar50.dll
    2007-02-21 22:13 . 2007-09-19 12:44 54376 ----a-w- h:\program files\mozilla firefox\components\jsd3250.dll
    2007-02-21 22:13 . 2007-09-19 12:44 34952 ----a-w- h:\program files\mozilla firefox\components\myspell.dll
    2007-02-21 22:13 . 2007-09-19 12:44 46720 ----a-w- h:\program files\mozilla firefox\components\spellchk.dll
    2007-02-21 22:13 . 2007-09-19 12:44 172144 ----a-w- h:\program files\mozilla firefox\components\xpinstal.dll
    .

    ((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="h:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
    "SpybotSD TeaTimer"="h:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMAXPnP"="h:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
    "AliceSAV"="h:\program files\TechCity Solutions\AliceSAV\AliceAgent.exe" [2005-12-16 81408]
    "Adobe Reader Speed Launcher"="h:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    "QuickTime Task"="h:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
    "iTunesHelper"="h:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
    "Symantec PIF AlertEng"="h:\program files\Fichiers communs\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
    "NvCplDaemon"="h:\windows\system32\NvCpl.dll" [2009-02-18 13680640]
    "NvMediaCenter"="h:\windows\system32\NvMcTray.dll" [2009-02-18 86016]
    "High Definition Audio Property Page Shortcut"="HDAShCut.exe" - h:\windows\system32\HdAShCut.exe [2004-10-27 61952]
    "nwiz"="nwiz.exe" - h:\windows\system32\nwiz.exe [2009-02-18 1657376]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="h:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

    h:\documents and settings\Propri‚taire\Menu D‚marrer\Programmes\D‚marrage\
    D‚marrage d'Office.lnk - h:\program files\Microsoft Office\Office\OSA.EXE [1996-12-17 51984]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "ForceClassicControlPanel"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Notification Packages REG_MULTI_SZ scecli kbcmclol.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "h:\\Program Files\\iTunes\\iTunes.exe"=
    "h:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "h:\\Program Files\\uTorrent\\uTorrent.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

    R2 usbctl;Microsoft USB Bus Controller;h:\windows\system32\usbctl.exe [25/09/2009 11:08 67072]
    .
    Contenu du dossier 'Tâches planifiées'

    2009-10-02 h:\windows\Tasks\User_Feed_Synchronization-{2ADE88E7-5FBA-423E-909C-DF47D4EB5FDA}.job
    - h:\windows\system32\msfeedssync.exe [2006-10-17 02:31]
    .
    .
    ------- Examen supplémentaire -------
    .
    uStart Page = hxxp://www.google.fr/
    uInternet Settings,ProxyOverride = *.local
    DPF: DirectAnimation Java Classes - file://h:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://h:\windows\Java\classes\xmldso.cab
    DPF: {88764F69-3831-4EC1-B40B-FF21D8381345} - hxxps://static.impots.gouv.fr/tdir/static/adpform/AdSignerADP-1.1.cab
    FF - ProfilePath - h:\documents and settings\Propriétaire\Application Data\Mozilla\Firefox\Profiles\rl5axxgu.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - component: h:\program files\Mozilla Firefox\components\xpinstal.dll
    FF - component: h:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-10-02 18:31
    Windows 5.1.2600 Service Pack 3 NTFS

    Recherche de processus cachés ...

    Recherche d'éléments en démarrage automatique cachés ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    AliceSAV = h:\program files\TechCity Solutions\AliceSAV\AliceAgent.exe????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

    Recherche de fichiers cachés ...

    Scan terminé avec succès
    Fichiers cachés: 0

    **************************************************************************
    .
    --------------------- CLES DE REGISTRE BLOQUEES ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@h:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
    @="h:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker3"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs chargées dans les processus actifs ---------------------

    - - - - - - - > 'lsass.exe'(704)
    h:\windows\kbcmclol.dll
    .
    Heure de fin: 2009-10-02 18:33
    ComboFix-quarantined-files.txt 2009-10-02 16:32

    Avant-CF: 64 516 739 072 octets libres
    Après-CF: 66 509 955 072 octets libres

    WindowsXP-KB310994-SP2-Home-BootDisk-FRA.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    h:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP dition familiale" /fastdetect /NoExecute=OptIn

    179 --- E O F --- 2009-09-10 17:03

    DDS worked, here is DDS.txt


    DDS (Ver_09-09-29.01) - NTFSx86
    Run by Propriétaire at 19:01:35,10 on 02/10/2009
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Édition familiale 5.1.2600.3.1252.33.1036.18.990.616 [GMT 2:00]

    FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

    ============== Running Processes ===============

    H:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    H:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    H:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    H:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    H:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    H:\Program Files\Bonjour\mDNSResponder.exe
    H:\Program Files\Fichiers communs\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    H:\WINDOWS\system32\nvsvc32.exe
    H:\WINDOWS\System32\svchost.exe -k imgsvc
    H:\WINDOWS\system32\usbctl.exe
    H:\WINDOWS\system32\notepad.exe
    H:\WINDOWS\System32\svchost.exe -k HTTPFilter
    H:\WINDOWS\explorer.exe
    H:\WINDOWS\system32\ctfmon.exe
    H:\Documents and Settings\Propriétaire\Bureau\dds.pif

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.fr/
    uInternet Settings,ProxyOverride = *.local
    BHO: Aide pour le lien d'Adobe PDF Reader: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - h:\program files\fichiers communs\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - h:\program files\spybot - search & destroy\SDHelper.dll
    BHO: Programme d'aide de l'Assistant de connexion Windows Live: {9030d464-4c02-4abf-8ecc-5164760863c6} - h:\program files\fichiers communs\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - h:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
    TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - h:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
    TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
    TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [MSMSGS] "h:\program files\messenger\msmsgs.exe" /background
    uRun: [SpybotSD TeaTimer] h:\program files\spybot - search & destroy\TeaTimer.exe
    uRun: [ctfmon.exe] h:\windows\system32\ctfmon.exe
    mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
    mRun: [SoundMAXPnP] h:\program files\analog devices\core\smax4pnp.exe
    mRun: [AliceSAV] h:\program files\techcity solutions\alicesav\AliceAgent.exe
    mRun: [Adobe Reader Speed Launcher] "h:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [QuickTime Task] "h:\program files\quicktime\qttask.exe" -atboottime
    mRun: [iTunesHelper] "h:\program files\itunes\iTunesHelper.exe"
    mRun: [Symantec PIF AlertEng] "h:\program files\fichiers communs\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "h:\program files\fichiers communs\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
    mRun: [NvCplDaemon] RUNDLL32.EXE h:\windows\system32\NvCpl.dll,NvStartup
    mRun: [nwiz] nwiz.exe /install
    mRun: [NvMediaCenter] RUNDLL32.EXE h:\windows\system32\NvMcTray.dll,NvTaskbarInit
    dRun: [CTFMON.EXE] h:\windows\system32\CTFMON.EXE
    StartupFolder: h:\docume~1\propri~1\menudm~1\progra~1\dmarra~1\dmarra~1.lnk - h:\program files\microsoft office\office\OSA.EXE
    dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - h:\program files\messenger\msmsgs.exe
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - h:\program files\spybot - search & destroy\SDHelper.dll
    DPF: DirectAnimation Java Classes - file://h:\windows\java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://h:\windows\java\classes\xmldso.cab
    DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://a1540.g.akamai.net/7/1540/52/20070711/qtinstall.info.apple.com/qtactivex/qtplugin.cab
    DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
    DPF: {88764F69-3831-4EC1-B40B-FF21D8381345} - hxxps://static.impots.gouv.fr/tdir/static/adpform/AdSignerADP-1.1.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} - hxxp://www.photoservice.com/telechargement/ImageUploader4.cab
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - h:\windows\system32\WPDShServiceObj.dll
    LSA: Notification Packages = scecli kbcmclol.dll

    ================= FIREFOX ===================

    FF - ProfilePath - h:\docume~1\propri~1\applic~1\mozilla\firefox\profiles\rl5axxgu.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - component: h:\program files\mozilla firefox\extensions\talkback@mozilla.org\components\qfaservices.dll

    ============= SERVICES / DRIVERS ===============

    R2 usbctl;Microsoft USB Bus Controller;h:\windows\system32\usbctl.exe [2009-9-25 67072]

    =============== Created Last 30 ================

    2009-10-02 18:01 <DIR> a-dshr-- H:\cmdcons
    2009-10-02 17:59 229,888 a------- h:\windows\PEV.exe
    2009-10-02 17:59 161,792 a------- h:\windows\SWREG.exe
    2009-10-02 17:59 98,816 a------- h:\windows\sed.exe
    2009-09-25 20:25 796 a------- h:\windows\wininit.ini
    2009-09-25 18:47 <DIR> --d----- h:\docume~1\propri~1\applic~1\GetRightToGo
    2009-09-25 11:42 14,177 a------- h:\windows\system32\pugibitiru.db
    2009-09-25 11:42 13,770 a------- h:\windows\system32\kuvi.dat
    2009-09-25 11:08 67,072 a------- h:\windows\system32\usbctl.exe
    2009-09-10 10:01 153,088 -c------ h:\windows\system32\dllcache\triedit.dll

    ==================== Find3M ====================

    2009-08-05 11:00 205,312 a------- h:\windows\system32\mswebdvd.dll
    2009-07-17 21:03 58,880 a------- h:\windows\system32\atl.dll
    2009-07-13 23:43 286,208 -------- h:\windows\system32\wmpdxm.dll
    2008-04-01 10:06 263,192 a------- h:\docume~1\propri~1\applic~1\setup_fr[1].exe
    2009-02-22 14:15 32,768 a--sh--- h:\windows\system32\config\systemprofile\local settings\historique\history.ie5\mshist012009022220090223\index.dat

    ============= FINISH: 19:01:43,20 ===============




    Fred
    Blade81
    Hi,

    You seem to have P2P file sharing software installed there. While it may not be the infection source in this case, I still want to warn you about the threats of P2P and strongly recommend you uninstall all P2P file-sharing programs you have there.



    Open notepad and copy/paste the text in the quotebox below into it:

    CODE
    http://www.lavasoftsupport.com/index.php?showtopic=27158&st=0&#entry111099
    Driver::
    usbctl
    Collect::
    h:\windows\system32\kuvi.dat
    h:\windows\system32\pugibitiru.db
    h:\windows\system32\usbctl.exe
    h:\windows\kbcmclol.dll
    DDS::
    TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
    TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    Registry::
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify"=dword:00000000
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000000



    Save this as
    CFScript

    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.



    Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe. You'll be asked to submit samples. Follow the instructions given.
    Then post the resultant log.


    Get update 8.1.6 for Adobe Reader here or get Foxit Reader here. Make sure you don't install the toolbar if you choose Foxit Reader! You may also check the free readers introduced here.


    Check here to see if your Flash is up-to-date (do it separately with each of your browsers). If not, uninstall vulnerable versions by following the instructions here. A fresh version can be obtained here.




    Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

    Double-click ATF Cleaner.exe to open it

    Under Main choose:
    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    Prefetch
    Java Cache

    *The other boxes are optional*
    Then click the Empty Selected button.

    If you use Firefox:
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    If you use Opera:
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program.


    Download the latest version of Kaspersky Virus Removal Tool.

    * Close all other applications and double-click and run the installer.
    * When AVPTool starts, select all the scanable items except for CD-ROM drives and click the Scan button.
    * If malware is detected, don't remove anything.
    * After the scan finishes, don't neutralize anything.
    * In the Scan window click the Reports button and select Save to file.
    * Name the report AVPT.txt, and save it to the Desktop.
    * Close AVPTool.
    * You will be prompted if you want to uninstall the program; click Yes.
    * You will then be prompted that to complete the uninstallation, the computer must be restarted. Select Yes to restart the system.
    * Copy and paste the first part of the report (Detected) that you saved in your next reply. Do not include the longer list marked Events.
    * Post also a fresh dds.txt log and above mentioned ComboFix resultant log.


    QUOTE
    CF314.exe damaged file
    The file or the folder H:\DOCUME~1\PROPRI~~1LOCALS~1\Temp\~DF90D9.tmp is damaged or unreadable
    Use the tool CHKDSK

    Please do as instructed in method 2 (Manual steps to run Chkdsk from My Computer or Windows Explorer) here to run a check on your hard drive.
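An added worked example (not part of this thread, and not DDS or ComboFix code) for the line the DDS log flagged above, `LSA: Notification Packages = scecli kbcmclol.dll`. DLLs named in that REG_MULTI_SZ value are loaded into lsass.exe at boot, which is why the first ComboFix log shows kbcmclol.dll inside 'lsass.exe'(704): it is both a persistence point and a place to see password changes. The `Registry::` line `"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00` in the CFScript above puts the value back to `scecli` only. The script parses the DDS line, flags anything outside a small allow-list (the allow-list is an assumption of the example; stock XP registers only scecli), and encodes/decodes the REGEDIT4 `hex(7)` form so a fix line can be checked before it is run. The sample log lines are copied from the DDS.txt on this page.

```python
"""Triage of the LSA 'Notification Packages' value reported by DDS.

Added example, not part of the thread and not DDS/ComboFix code. It parses the
'LSA: Notification Packages = ...' line DDS prints, flags packages that a stock
XP install does not register, and builds the REGEDIT4-style hex(7) line that a
CFScript Registry:: section uses to restore the value to 'scecli' only.
"""
import re

# Stock Windows XP registers only scecli; rassfm appears on some boxes with
# Routing and Remote Access. This allow-list is an assumption of the example,
# not something DDS or ComboFix defines.
KNOWN_GOOD = {"scecli", "rassfm"}

LSA_RE = re.compile(r"^\s*LSA:\s*Notification Packages\s*=\s*(.*)$", re.IGNORECASE)


def lsa_packages(dds_text: str) -> list[str]:
    """Return the notification packages DDS reported, in the order listed."""
    for line in dds_text.splitlines():
        m = LSA_RE.match(line)
        if m:
            return m.group(1).split()
    return []


def suspicious_packages(packages) -> list[str]:
    """Packages not on the allow-list (case-insensitive, '.dll' suffix ignored)."""
    out = []
    for p in packages:
        base = p.lower()
        if base.endswith(".dll"):
            base = base[:-4]
        if base not in KNOWN_GOOD:
            out.append(p)
    return out


def multi_sz_hex7(strings) -> str:
    """Encode a REG_MULTI_SZ as a REGEDIT4 'hex(7):' literal.

    REGEDIT4 files are ANSI (the ComboFix log above prints 'REGEDIT4'), so each
    string is its 8-bit bytes plus a NUL, and the whole list ends with one more
    NUL. A 'Windows Registry Editor Version 5.00' file would use UTF-16LE.
    """
    data = b"".join(s.encode("latin-1") + b"\x00" for s in strings) + b"\x00"
    return "hex(7):" + ",".join(f"{b:02x}" for b in data)


def multi_sz_from_hex7(literal: str) -> list[str]:
    """Inverse of multi_sz_hex7, for checking a fix line before running it."""
    if not literal.startswith("hex(7):"):
        raise ValueError("not a hex(7) literal")
    data = bytes(int(h, 16) for h in literal[len("hex(7):"):].split(","))
    # Drop the terminating NUL, then split on the per-string NULs.
    return [s.decode("latin-1") for s in data[:-1].split(b"\x00") if s]


def registry_fix_line(packages) -> str:
    """Value line for [HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\lsa]
    that keeps only the allow-listed packages."""
    bad = set(suspicious_packages(packages))
    keep = [p for p in packages if p not in bad]
    return '"Notification Packages"=' + multi_sz_hex7(keep)


# Two lines copied from the DDS.txt posted in this thread.
SAMPLE_DDS = """\
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - h:\\windows\\system32\\WPDShServiceObj.dll
LSA: Notification Packages = scecli kbcmclol.dll
"""

if __name__ == "__main__":
    pkgs = lsa_packages(SAMPLE_DDS)
    print("packages reported:", pkgs)
    print("suspicious:", suspicious_packages(pkgs))
    print("Registry:: fix line:", registry_fix_line(pkgs))
```

Run against the posted log it reports kbcmclol.dll as the odd one out and emits exactly the hex(7) line the CFScript used; decoding that line back gives ["scecli"], which is the check worth doing before dropping any hand-written multi-string value into a Registry:: block.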
    fred0412
    Hi,
    Here are the files:

    - combofix log.txt :
    ComboFix 09-10-01.05 - Propriétaire 02/10/2009 22:12.2.1 - NTFSx86
    Microsoft Windows XP Édition familiale 5.1.2600.3.1252.33.1036.18.990.608 [GMT 2:00]
    Run from: h:\documents and settings\Propriétaire\Bureau\ComboFix.exe
    Switches used :: h:\documents and settings\Propriétaire\Bureau\CFScript.txt
    FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

    file zipped: h:\windows\kbcmclol.dll
    file zipped: h:\windows\system32\kuvi.dat
    file zipped: h:\windows\system32\pugibitiru.db
    file zipped: h:\windows\system32\usbctl.exe
    .

    (((((((((((((((((((((((((((((((((((( Other deletions ))))))))))))))))))))))))))))))))))))))))))))))))
    .

    h:\windows\kbcmclol.dll
    h:\windows\system32\kuvi.dat
    h:\windows\system32\pugibitiru.db
    h:\windows\system32\usbctl.exe

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_USBCTL
    -------\Service_usbctl


    ((((((((((((((((((((((((((((( Files created from 2009-09-02 to 2009-10-02 ))))))))))))))))))))))))))))))))))))
    .

    2009-10-02 20:19 . 2009-10-02 20:19 -------- d-----w- H:\found.000
    2009-10-02 15:15 . 2009-10-02 15:15 -------- d-----w- H:\rsit
    2009-10-01 09:13 . 2009-10-01 09:13 -------- d-----w- h:\program files\Notepad++
    2009-09-25 16:57 . 2009-09-25 17:42 -------- d---a-w- h:\documents and settings\All Users\Application Data\TEMP
    2009-09-25 15:19 . 2009-09-25 15:19 -------- d-sh--w- h:\documents and settings\Administrateur\IETldCache
    2009-09-25 13:43 . 2009-09-25 13:43 -------- d-----w- h:\documents and settings\LocalService\Bureau
    2009-09-25 09:13 . 2009-09-25 09:13 -------- d-sh--w- h:\windows\system32\config\systemprofile\IETldCache
    2009-09-25 09:08 . 2009-09-25 09:08 -------- d-sh--w- h:\documents and settings\LocalService\IETldCache
    2009-09-10 08:01 . 2009-06-21 21:47 153088 -c----w- h:\windows\system32\dllcache\triedit.dll

    .
    (((((((((((((((((((((((((((((((((( Find3M report ))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-09-25 16:37 . 2007-10-17 19:04 -------- d-----w- h:\program files\Lavasoft
    2009-09-25 14:48 . 2009-04-01 11:54 -------- d-----w- h:\program files\Spybot - Search & Destroy
    2009-09-11 08:35 . 2009-04-13 10:29 -------- d-----w- h:\program files\Microsoft Silverlight
    2009-08-05 09:00 . 2002-08-30 12:00 205312 ----a-w- h:\windows\system32\mswebdvd.dll
    2009-07-17 19:03 . 2002-08-30 12:00 58880 ----a-w- h:\windows\system32\atl.dll
    2009-07-13 21:43 . 2004-08-19 23:09 286208 ------w- h:\windows\system32\wmpdxm.dll
    2007-02-21 22:13 . 2007-09-19 12:44 66672 ----a-w- h:\program files\mozilla firefox\components\jar50.dll
    2007-02-21 22:13 . 2007-09-19 12:44 54376 ----a-w- h:\program files\mozilla firefox\components\jsd3250.dll
    2007-02-21 22:13 . 2007-09-19 12:44 34952 ----a-w- h:\program files\mozilla firefox\components\myspell.dll
    2007-02-21 22:13 . 2007-09-19 12:44 46720 ----a-w- h:\program files\mozilla firefox\components\spellchk.dll
    2007-02-21 22:13 . 2007-09-19 12:44 172144 ----a-w- h:\program files\mozilla firefox\components\xpinstal.dll
    .

    ((((((((((((((((((((((((((((((((( Reg loading points ))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legitimate default entries are not listed
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="h:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
    "SpybotSD TeaTimer"="h:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMAXPnP"="h:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
    "AliceSAV"="h:\program files\TechCity Solutions\AliceSAV\AliceAgent.exe" [2005-12-16 81408]
    "Adobe Reader Speed Launcher"="h:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    "QuickTime Task"="h:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
    "iTunesHelper"="h:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
    "Symantec PIF AlertEng"="h:\program files\Fichiers communs\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
    "NvCplDaemon"="h:\windows\system32\NvCpl.dll" [2009-02-18 13680640]
    "NvMediaCenter"="h:\windows\system32\NvMcTray.dll" [2009-02-18 86016]
    "High Definition Audio Property Page Shortcut"="HDAShCut.exe" - h:\windows\system32\HdAShCut.exe [2004-10-27 61952]
    "nwiz"="nwiz.exe" - h:\windows\system32\nwiz.exe [2009-02-18 1657376]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="h:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

    h:\documents and settings\Propriétaire\Menu Démarrer\Programmes\Démarrage\
    Démarrage d'Office.lnk - h:\program files\Microsoft Office\Office\OSA.EXE [1996-12-17 51984]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "ForceClassicControlPanel"= 1 (0x1)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "h:\\Program Files\\iTunes\\iTunes.exe"=
    "h:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "h:\\Program Files\\uTorrent\\uTorrent.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

    .
    Contents of the 'Scheduled Tasks' folder

    2009-10-02 h:\windows\Tasks\User_Feed_Synchronization-{2ADE88E7-5FBA-423E-909C-DF47D4EB5FDA}.job
    - h:\windows\system32\msfeedssync.exe [2006-10-17 02:31]
    .
    .
    ------- Supplementary scan -------
    .
    uStart Page = hxxp://www.google.fr/
    uInternet Settings,ProxyOverride = *.local
    DPF: DirectAnimation Java Classes - file://h:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://h:\windows\Java\classes\xmldso.cab
    DPF: {88764F69-3831-4EC1-B40B-FF21D8381345} - hxxps://static.impots.gouv.fr/tdir/static/adpform/AdSignerADP-1.1.cab
    FF - ProfilePath - h:\documents and settings\Propriétaire\Application Data\Mozilla\Firefox\Profiles\rl5axxgu.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - component: h:\program files\Mozilla Firefox\components\xpinstal.dll
    FF - component: h:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-10-02 22:22
    Windows 5.1.2600 Service Pack 3 NTFS

    Scanning for hidden processes ...

    Scanning for hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    AliceSAV = h:\program files\TechCity Solutions\AliceSAV\AliceAgent.exe

    Scanning for hidden files ...

    Scan completed successfully
    Hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@h:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
    @="h:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker3"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs loaded in running processes ---------------------

    - - - - - - - > 'explorer.exe'(2300)
    h:\windows\system32\eappprxy.dll
    h:\windows\system32\webcheck.dll
    h:\windows\system32\WPDShServiceObj.dll
    h:\windows\system32\PortableDeviceTypes.dll
    h:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other running processes ------------------------
    .
    h:\program files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    h:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    h:\program files\Bonjour\mDNSResponder.exe
    h:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
    h:\windows\system32\nvsvc32.exe
    h:\windows\system32\wscntfy.exe
    h:\windows\system32\rundll32.exe
    h:\program files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    End time: 2009-10-02 22:26 - The machine rebooted
    ComboFix-quarantined-files.txt 2009-10-02 20:26
    ComboFix2.txt 2009-10-02 16:33

    Before-CF: 66 519 318 528 bytes free
    After-CF: 66 435 235 840 bytes free

    158 --- E O F --- 2009-09-10 17:03



    avpt.txt :

    Scan
    ----
    Scanned: 463586
    Detected: 11
    Untreated: 11
    Start time: 03/10/2009 10:12:18
    Duration: 03:37:03
    Finish time: 03/10/2009 13:49:21


    Detected
    --------
    Status Object
    ------ ------
    detected: Trojan program Trojan-Downloader.Win32.Mufanom.dia File: H:\Qoobox\Quarantine\[4]-Submit_2009-10-02_22.12.03.zip/kbcmclol.dll
    detected: Trojan program Trojan-Downloader.Win32.FraudLoad.wsqq File: H:\Qoobox\Quarantine\H\Documents and Settings\LocalService\Application Data\seres.exe.vir
    detected: Trojan program Packed.Win32.TDSS.z File: H:\Qoobox\Quarantine\H\WINDOWS\system32\gasfkypnuifohw.dll.vir
    detected: Trojan program Packed.Win32.TDSS.z File: H:\Qoobox\Quarantine\H\WINDOWS\system32\gasfkyrvimovym.dll.vir
    detected: Trojan program Packed.Win32.TDSS.z File: H:\Qoobox\Quarantine\H\WINDOWS\system32\gasfkysdpqxdpk.dll.vir
    detected: Trojan program Packed.Win32.TDSS.z File: H:\Qoobox\Quarantine\H\WINDOWS\system32\drivers\gasfkyopxgftiq.sys.vir
    detected: Trojan program Packed.Win32.TDSS.z File: H:\System Volume Information\_restore{2CC42C2C-2CFC-4945-A8C4-B96E06800F35}\RP755\A0036607.sys
    detected: Trojan program Packed.Win32.TDSS.z File: H:\System Volume Information\_restore{2CC42C2C-2CFC-4945-A8C4-B96E06800F35}\RP755\A0036608.dll
    detected: Trojan program Packed.Win32.TDSS.z File: H:\System Volume Information\_restore{2CC42C2C-2CFC-4945-A8C4-B96E06800F35}\RP755\A0036609.dll
    detected: Trojan program Packed.Win32.TDSS.z File: H:\System Volume Information\_restore{2CC42C2C-2CFC-4945-A8C4-B96E06800F35}\RP755\A0036610.dll
    detected: Trojan program Trojan-Downloader.Win32.FraudLoad.wsqq File: H:\System Volume Information\_restore{2CC42C2C-2CFC-4945-A8C4-B96E06800F35}\RP756\A0036636.exe


    Events
    ------
    Time Name Status Reason
    ---- ---- ------ ------


    Statistics
    ----------
    Object Scanned Detected Untreated Deleted Moved to Quarantine Archives Packed files Password protected Corrupted
    ------ ------- -------- --------- ------- ------------------- -------- ------------ ------------------ ---------


    Settings
    --------
    Parameter Value
    --------- -----
    Security Level Recommended
    Action Prompt for action when the scan is complete
    Run mode Manually
    File types Scan all files
    Scan only new and changed files No
    Scan archives All
    Scan embedded OLE objects All
    Skip if object is larger than No
    Skip if scan takes longer than No
    Parse email formats No
    Scan password-protected archives No
    Enable iChecker technology No
    Enable iSwift technology No
    Show detected threats on "Detected" tab Yes
    Rootkits search Yes
    Deep rootkits search No
    Use heuristic analyzer Yes


    Quarantine
    ----------
    Status Object Size Added
    ------ ------ ---- -----


    Backup
    ------
    Status Object Size
    ------ ------ ----




    dds.txt :


    DDS (Ver_09-09-29.01) - NTFSx86
    Run by Propriétaire at 13:53:08,48 on 03/10/2009
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Édition familiale 5.1.2600.3.1252.33.1036.18.990.612 [GMT 2:00]

    FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

    ============== Running Processes ===============

    H:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    H:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    H:\WINDOWS\system32\spoolsv.exe
    H:\WINDOWS\Explorer.EXE
    H:\Program Files\Analog Devices\Core\smax4pnp.exe
    H:\Program Files\TechCity Solutions\AliceSAV\AliceAgent.exe
    H:\Program Files\iTunes\iTunesHelper.exe
    H:\Program Files\Fichiers communs\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    H:\WINDOWS\system32\RUNDLL32.EXE
    H:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    H:\Program Files\Messenger\msmsgs.exe
    H:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    H:\WINDOWS\system32\ctfmon.exe
    H:\Program Files\Microsoft Office\Office\OSA.EXE
    svchost.exe
    H:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    H:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    H:\Program Files\Bonjour\mDNSResponder.exe
    H:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
    H:\Program Files\Fichiers communs\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    H:\WINDOWS\system32\nvsvc32.exe
    H:\WINDOWS\System32\svchost.exe -k imgsvc
    H:\Program Files\iPod\bin\iPodService.exe
    H:\WINDOWS\system32\wscntfy.exe
    H:\WINDOWS\System32\svchost.exe -k HTTPFilter
    H:\Documents and Settings\Propriétaire\Bureau\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.fr/
    uInternet Settings,ProxyOverride = *.local
    BHO: Aide pour le lien d'Adobe PDF Reader: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - h:\program files\fichiers communs\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - h:\program files\spybot - search & destroy\SDHelper.dll
    BHO: Programme d'aide de l'Assistant de connexion Windows Live: {9030d464-4c02-4abf-8ecc-5164760863c6} - h:\program files\fichiers communs\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - h:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
    TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - h:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [MSMSGS] "h:\program files\messenger\msmsgs.exe" /background
    uRun: [SpybotSD TeaTimer] h:\program files\spybot - search & destroy\TeaTimer.exe
    uRun: [ctfmon.exe] h:\windows\system32\ctfmon.exe
    mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
    mRun: [SoundMAXPnP] h:\program files\analog devices\core\smax4pnp.exe
    mRun: [AliceSAV] h:\program files\techcity solutions\alicesav\AliceAgent.exe
    mRun: [QuickTime Task] "h:\program files\quicktime\qttask.exe" -atboottime
    mRun: [iTunesHelper] "h:\program files\itunes\iTunesHelper.exe"
    mRun: [Symantec PIF AlertEng] "h:\program files\fichiers communs\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "h:\program files\fichiers communs\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
    mRun: [NvCplDaemon] RUNDLL32.EXE h:\windows\system32\NvCpl.dll,NvStartup
    mRun: [nwiz] nwiz.exe /install
    mRun: [NvMediaCenter] RUNDLL32.EXE h:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [Adobe Reader Speed Launcher] "h:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    dRun: [CTFMON.EXE] h:\windows\system32\CTFMON.EXE
    StartupFolder: h:\docume~1\propri~1\menudm~1\progra~1\dmarra~1\dmarra~1.lnk - h:\program files\microsoft office\office\OSA.EXE
    dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - h:\program files\messenger\msmsgs.exe
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - h:\program files\spybot - search & destroy\SDHelper.dll
    DPF: DirectAnimation Java Classes - file://h:\windows\java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://h:\windows\java\classes\xmldso.cab
    DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://a1540.g.akamai.net/7/1540/52/20070711/qtinstall.info.apple.com/qtactivex/qtplugin.cab
    DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
    DPF: {88764F69-3831-4EC1-B40B-FF21D8381345} - hxxps://static.impots.gouv.fr/tdir/static/adpform/AdSignerADP-1.1.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} - hxxp://www.photoservice.com/telechargement/ImageUploader4.cab
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - h:\windows\system32\WPDShServiceObj.dll

    ================= FIREFOX ===================

    FF - ProfilePath - h:\docume~1\propri~1\applic~1\mozilla\firefox\profiles\rl5axxgu.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - component: h:\program files\mozilla firefox\extensions\talkback@mozilla.org\components\qfaservices.dll

    ============= SERVICES / DRIVERS ===============


    =============== Created Last 30 ================

    2009-10-02 23:02 759,840 a--sh--- h:\windows\system32\drivers\fidbox.dat
    2009-10-02 23:02 9,980 a--sh--- h:\windows\system32\drivers\fidbox.idx
    2009-10-02 22:19 <DIR> --d----- H:\found.000
    2009-10-02 18:01 <DIR> a-dshr-- H:\cmdcons
    2009-10-02 17:59 229,888 a------- h:\windows\PEV.exe
    2009-10-02 17:59 161,792 a------- h:\windows\SWREG.exe
    2009-10-02 17:59 98,816 a------- h:\windows\sed.exe
    2009-09-25 20:25 796 a------- h:\windows\wininit.ini
    2009-09-25 18:47 <DIR> --d----- h:\docume~1\propri~1\applic~1\GetRightToGo
    2009-09-10 10:01 153,088 -c------ h:\windows\system32\dllcache\triedit.dll

    ==================== Find3M ====================

    2009-10-03 13:51 5,242,880 a---h--- h:\documents and settings\propriétaire\NTUSER.DAT
    2009-08-05 11:00 205,312 a------- h:\windows\system32\mswebdvd.dll
    2009-07-17 21:03 58,880 a------- h:\windows\system32\atl.dll
    2009-07-13 23:43 286,208 -------- h:\windows\system32\wmpdxm.dll
    2008-04-01 10:06 263,192 a------- h:\docume~1\propri~1\applic~1\setup_fr[1].exe
    2009-02-22 14:15 32,768 a--sh--- h:\windows\system32\config\systemprofile\local settings\historique\history.ie5\mshist012009022220090223\index.dat

    ============= FINISH: 13:53:35,70 ===============


    What else?

    Thank you for your help

    fred
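An added example (not part of this thread, and not Kaspersky or ComboFix code) that reads the "Detected" section of the AVPT.txt posted above. Every hit in that report lives either under ComboFix's quarantine (H:\Qoobox\Quarantine, already removed from its original location) or inside a System Restore point (System Volume Information\_restore...), and nothing is on the live filesystem. That is the reasoning behind the helper's next steps being an upload of the quarantine zip and a reset of System Restore rather than another removal run. The report lines are copied from this page; the regex and the location classes are the example's own.

```python
"""Sort the 'detected:' lines of a Kaspersky AVPTool report by where the file lives.

Added example, not part of the thread and not AVPTool code. A hit inside a
quarantine folder or a System Restore point is evidence of past infection, not
an active one, and each of the three locations calls for a different action.
"""
import re
from collections import Counter

# One report line: "detected: <verdict> File: <path>"
DETECTED_RE = re.compile(
    r"^detected:\s+(?P<verdict>.+?)\s+File:\s+(?P<path>.+?)\s*$", re.IGNORECASE
)

# Location classes are the example's own assumption; the order matters only
# for readability since the two patterns cannot both match one path.
LOCATIONS = (
    ("quarantine", re.compile(r"^[a-z]:\\qoobox\\quarantine\\", re.IGNORECASE)),
    ("restore_point", re.compile(r"\\system volume information\\_restore\{", re.IGNORECASE)),
)


def parse_detected(report: str) -> list[tuple[str, str]]:
    """Return (verdict, path) for every 'detected:' line in the report."""
    hits = []
    for line in report.splitlines():
        m = DETECTED_RE.match(line.strip())
        if m:
            hits.append((m.group("verdict"), m.group("path")))
    return hits


def classify(path: str) -> str:
    """'quarantine', 'restore_point', or 'live' for anything else."""
    for name, rx in LOCATIONS:
        if rx.search(path):
            return name
    return "live"


def triage(report: str):
    """Return ({location: count}, [hits still on the live filesystem])."""
    hits = parse_detected(report)
    counts = Counter(classify(p) for _, p in hits)
    live = [(v, p) for v, p in hits if classify(p) == "live"]
    return dict(counts), live


def families(report: str) -> set[str]:
    """Family names without the variant suffix, e.g. 'Packed.Win32.TDSS'."""
    return {v.split(" ")[-1].rsplit(".", 1)[0] for v, _ in parse_detected(report)}


# Six lines copied from the AVPT.txt posted in this thread.
SAMPLE_REPORT = r"""
Detected
--------
Status Object
------ ------
detected: Trojan program Trojan-Downloader.Win32.Mufanom.dia File: H:\Qoobox\Quarantine\[4]-Submit_2009-10-02_22.12.03.zip/kbcmclol.dll
detected: Trojan program Trojan-Downloader.Win32.FraudLoad.wsqq File: H:\Qoobox\Quarantine\H\Documents and Settings\LocalService\Application Data\seres.exe.vir
detected: Trojan program Packed.Win32.TDSS.z File: H:\Qoobox\Quarantine\H\WINDOWS\system32\gasfkypnuifohw.dll.vir
detected: Trojan program Packed.Win32.TDSS.z File: H:\Qoobox\Quarantine\H\WINDOWS\system32\drivers\gasfkyopxgftiq.sys.vir
detected: Trojan program Packed.Win32.TDSS.z File: H:\System Volume Information\_restore{2CC42C2C-2CFC-4945-A8C4-B96E06800F35}\RP755\A0036607.sys
detected: Trojan program Trojan-Downloader.Win32.FraudLoad.wsqq File: H:\System Volume Information\_restore{2CC42C2C-2CFC-4945-A8C4-B96E06800F35}\RP756\A0036636.exe
"""

if __name__ == "__main__":
    counts, live = triage(SAMPLE_REPORT)
    print("by location:", counts)
    print("families seen:", sorted(families(SAMPLE_REPORT)))
    print("still live:", live or "none")
```

On the posted report the "live" list is empty, which is the point: the TDSS and FraudLoad samples were already in ComboFix's quarantine or in restore points, so the right moves were to keep the quarantine for analysis (the upload request that follows) and to purge the restore points, not to let AVPTool delete anything.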
    Blade81
    Hi,

    Upload following file here:
    H:\Qoobox\Quarantine\[4]-Submit_2009-10-02_22.12.03.zip

    Kindly include a link to this topic in the message.

    Let me know when that has been done.
    fred0412
    Hi,

    It is ok. The file is uploaded.

    Thank you

    Fred
    Blade81
    Thanks for the upload.

    How's your system running now?
    fred0412
    it seems to be OK.

    Thank you very much.

    Fred
    Blade81
    You're welcome. Here are some final steps to follow.

    THESE STEPS ARE VERY IMPORTANT

    Let's reset system restore
    Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: you will lose all previous restore points, which are likely to be infected. Please note you need Administrator access to clean the restore points.

    1. Turn off System Restore.
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.

    2. Reboot.

    3. Turn ON System Restore.
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    UN-Check *Turn off System Restore*.
    Click Apply, and then click OK.
    NOTE: only do this ONCE, NOT on a regular basis



    Now let's uninstall ComboFix:
    • Click START then RUN
    • Now copy-paste Combofix /u in the runbox and click OK


    Please download OTC and save it to desktop.
    • Double-click OTC.exe.
    • Click the CleanUp! button.
    • Select Yes when the
      Begin cleanup Process?
      prompt appears.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes, if not delete it by yourself.

    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.



    UPDATING WINDOWS AND INTERNET EXPLORER

    IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site to get the critical updates.

    If you are running Microsoft Office, or any portion thereof, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.


    Make your Internet Explorer more secure

    This can be done by following these simple instructions:
    From within Internet Explorer click on the Tools menu and then click on Options.
    Click once on the Security tab
    Click once on the Internet icon so it becomes highlighted.
    Click once on the Custom Level button.
    Change the Download signed ActiveX controls to Prompt
    Change the Download unsigned ActiveX controls to Disable
    Change the Initialize and script ActiveX controls not marked as safe to Disable
    Change the Installation of desktop items to Prompt
    Change the Launching programs and files in an IFRAME to Prompt
    Change the Navigate sub-frames across different domains to Prompt
    When all these settings have been made, click on the OK button.
    If it prompts you as to whether or not you want to save the settings, press the Yes button.
    Next press the Apply button and then the OK to exit the Internet Properties page.



    The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.
    • hosts file:
• Every version of Windows has a hosts file.
• In a very basic sense, it is used to locate webpages.
      • We can customize a hosts file so that it blocks certain webpages.
      • However, it can slow down certain computers.
      • This is why using a hosts file is optional!!
      Download it here. Make sure you read the instructions on how to install the hosts file. There is a good tutorial here
      If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
      1. Click the start button (at the lower left hand corner of your screen)
      2. Click run
      3. In the dialog box, type services.msc
      4. hit enter, then locate dns client
      5. Highlight it, then double-click it.
      6. On the dropdown box, change the setting from automatic to manual.
      7. Click ok
  • Get Anti Virus Software and keep it updated - Most AVs will update automatically, but if not I would recommend making updating the AV the first job every time the PC is connected to the internet. An AV that is using defs that are seven days old is not going to be much protection. If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out. Good free antivirus programs are:
    Antivir
    Avast!
    Good commercial ones are from:
    Kaspersky and
    ESET
• Use a Firewall - I cannot stress how important it is that you use a firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a firewall in its default configuration can lower your risk greatly. For more info, check this webpage out.
    If you don't have a 3rd party firewall or a router behind NAT then I recommend getting one. I recommend either Online Armor Free or Comodo Firewall Pro (If you choose Comodo: Uncheck during installation Install Comodo HopSurf.., Make Comodo my default search provider and Make Comodo Search my homepage and install firewall ONLY!). Both providers have support forums that help with configuration related questions.


  • Just a final reminder for you. I am trying to stress these two points.
    UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
    Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


    Once again, please post and tell me how things are going with your system... problems etc.

    Have a great day,
    Blade cool.gif
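The six "Custom Level" changes and the DNS Client tweak in the post above can also be applied and checked from the registry and the service control manager instead of by clicking through the dialogs, which is handy when you want to confirm the settings actually stuck. The script below is an added example and is not part of Blade81's post or of any tool it links to. It assumes Microsoft's documented zone action IDs for the Internet zone (key `Zones\3` under `HKCU:\...\Internet Settings`), where 0 = Enable, 1 = Prompt and 3 = Disable, that the DNS Client service is named `Dnscache`, and that it is run from an elevated PowerShell session on a machine where no Group Policy overrides the per-user zone settings.

```powershell
# Added example, not from the forum thread. Applies and verifies the Internet
# zone hardening from the post, and sets DNS Client to Manual for a large hosts file.
# Assumptions: action IDs per Microsoft's zone documentation; zone 3 = Internet;
# data 0 = Enable, 1 = Prompt, 3 = Disable; per-user settings live under HKCU.

$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Action ID -> required data, mirroring the six Custom Level changes above.
$Hardening = @{
    '1001' = 1   # Download signed ActiveX controls                         -> Prompt
    '1004' = 3   # Download unsigned ActiveX controls                       -> Disable
    '1201' = 3   # Initialize and script ActiveX controls not marked as safe -> Disable
    '1800' = 1   # Installation of desktop items                            -> Prompt
    '1804' = 1   # Launching programs and files in an IFRAME                -> Prompt
    '1607' = 1   # Navigate sub-frames across different domains             -> Prompt
}
$Names = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ZoneSetting {
    # Returns the current DWORD for one action ID, or $null if it is not set.
    param([string]$Id)
    $item = Get-ItemProperty -Path $ZonePath -Name $Id -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Id
}

function Set-InternetZoneHardening {
    # Writes only the values that differ; supports -WhatIf for a dry run.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($id in $Hardening.Keys) {
        $want = $Hardening[$id]
        $have = Get-ZoneSetting -Id $id
        if ($have -eq $want) { continue }
        if ($PSCmdlet.ShouldProcess("$ZonePath\$id", "set $have -> $want ($($Names[$want]))")) {
            Set-ItemProperty -Path $ZonePath -Name $id -Value $want -Type DWord
        }
    }
}

function Test-InternetZoneHardening {
    # Returns the action IDs still weaker than required (lower data = more permissive).
    $weak = @()
    foreach ($id in $Hardening.Keys) {
        $have = Get-ZoneSetting -Id $id
        if ($null -eq $have -or $have -lt $Hardening[$id]) { $weak += $id }
    }
    return $weak
}

function Set-DnsClientManual {
    # The post's slowdown fix: DNS Client (service name Dnscache) caches the whole
    # hosts file, so a large blocklist makes it crawl. Set it to Manual and stop it.
    $svc = Get-Service -Name Dnscache -ErrorAction Stop
    Set-Service -Name Dnscache -StartupType Manual
    if ($svc.Status -eq 'Running') { Stop-Service -Name Dnscache }
}

Set-InternetZoneHardening -WhatIf      # dry run: shows what would change
Set-InternetZoneHardening              # apply
$remaining = Test-InternetZoneHardening
if ($remaining.Count -eq 0) {
    'Internet zone: all six settings are at Prompt/Disable'
} else {
    "Still weaker than required: $($remaining -join ', ')"
}
```

Run the dry run first and read the `What if:` lines; if `Test-InternetZoneHardening` still reports IDs after applying, the zone is most likely locked by policy (the `Security_HKLM_only` switch or a GPO), in which case the per-user values are ignored and the change has to be made in the policy instead. Only call `Set-DnsClientManual` if you actually install a large hosts file, for the same reason the post marks that step optional.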
    fred0412
    Hi,

    System Restore has been reset. Combofix is uninstalled and OTC has cleaned the files.
But there is a big problem: I can't use Windows Update. It takes very long to access the service, and when I want to download any updates, it reports an error:

    "The files needed to use Windows Update are no longer enrolled in the registry or installed on your computer."

If I follow the recommended action (re-install the files) and press Continue, it says:

"The website has encountered an error and cannot display the requested page. The options provided below can help you solve the problem (error number: 0x8007041D)"

    And I can't find any help on the problem in their support/help files.

    What can I do ?

    Thank you

    Fred
    Blade81
    Hi,

There are some Norton remnants there. Use this removal tool to get rid of them. Reboot and see if the issue still appears.
    fred0412
    Hi,

    Sorry, but I don't know which Norton I've had ......

    Fred
    Blade81
    Hi,

Though there is a big number of links there, most lead to the same Norton removal tool.
    fred0412
    Hi,

Norton has been removed and Windows is updated.

    Thank you very much for your help

    biggrin.gif

    Fred
    Blade81
    Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. smile.gif

    If you're the topic starter, and need this topic reopened, please contact the staff member who was helping you with your issue.

    Everyone else please begin a New Topic.

    Thank you !
    Invision Power Board © 2001-2009 Invision Power Services, Inc.