TechSpot

[A] Sirefef virus (Windows has encountered...)

By Kysban
Aug 1, 2012
  1. Hi!

    I've got the same problem as everyone else: I tried to run Microsoft Security Essentials, and now it restarts every minute. Then I followed the instructions, and here are my FRST.txt and services search.txt log files.

    Just a thing: as my copy/paste was apparently too strong for the forum, I had to cut the older lines of one month created and three months modified.

    Thank you very much for the help!



    Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 25-07-2012 01
    Ran by SYSTEM at 01-08-2012 13:52:24
    Running from G:\
    Windows 7 Ultimate (X86) OS Language: English(US)
    The current controlset is ControlSet001

    ========================== Registry (Whitelisted) =============

    HKLM\...\Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s [10959464 2012-01-15] (Realtek Semiconductor)
    HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2011-10-24] (Apple Inc.)
    HKLM\...\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [54840 2007-05-08] (Hewlett-Packard)
    HKLM\...\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe [150528 2008-07-22] (Hewlett-Packard)
    HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-03] (Adobe Systems Incorporated)
    HKLM\...\Run: [DNS7reminder] "C:\Program Files\Nuance\NaturallySpeaking11\Ereg\Ereg.exe" -r "C:\ProgramData\Nuance\NaturallySpeaking11\Ereg.ini [301 2012-07-30] ()
    HKLM\...\Run: [TrayServer] C:\Program Files\MAGIX\Video_deluxe_MX_Premium_Version_a_telecharger\TrayServer_fr.exe [90112 2008-09-01] (Magix)
    HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [252296 2012-01-17] (Sun Microsystems, Inc.)
    HKLM\...\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [641704 2012-06-11] (Advanced Micro Devices, Inc.)
    HKLM\...\Run: [AMD AVT] Cmd.exe /c start "AMD Accelerated Video Transcoding device initialization" /min "C:\Program Files\AMD AVT\bin\kdbsync.exe" aml [20992 2012-03-19] ()
    HKLM\...\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [931200 2012-03-26] (Microsoft Corporation)
    HKU\Guillaume\...\Run: [Google Update] "C:\Users\Guillaume\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2012-03-06] (Google Inc.)
    HKU\Guillaume\...\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background [4280184 2012-03-08] (Microsoft Corporation)
    HKU\Guillaume\...\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart [3297280 2007-11-20] (Google)
    HKU\Guillaume\...\Run: [SuperCopier2.exe] C:\Program Files\SuperCopier2\SuperCopier2.exe [955392 2009-08-16] (SFX TEAM)
    Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
    Startup: C:\Users\Guillaume\Start Menu\Programs\Startup\EvernoteClipper.lnk
    ShortcutTarget: EvernoteClipper.lnk -> C:\Program Files\Evernote\Evernote\EvernoteClipper.exe (Evernote Corp., 333 W Evelyn Ave. Mountain View, CA 94041)

    ================================ Services (Whitelisted) ==================

    2 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe /launchService [291840 2012-06-11] (Advanced Micro Devices, Inc.)
    2 DragonSvc; C:\Program Files\Common Files\Nuance\dgnsvc.exe [296808 2010-08-12] (Nuance Communications, Inc.)
    2 eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [20992 2009-07-13] (Microsoft Corporation)
    2 Fabs; C:\Program Files\Common Files\MAGIX Services\Database\bin\FABS.exe /DisableUI [1840128 2011-05-24] (MAGIX AG)
    3 FirebirdServerMAGIXInstance; "C:\Program Files\Common Files\MAGIX Services\Database\bin\fbserver.exe" [2702848 2011-04-26] (MAGIX®)
    2 MDM; "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe" [335872 2006-10-26] (Microsoft Corporation)
    2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [11552 2012-03-26] (Microsoft Corporation)
    3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [214952 2012-03-26] (Microsoft Corporation)
    2 SkypeUpdate; "C:\Program Files\Skype\Updater\Updater.exe" [160944 2012-07-03] (Skype Technologies)
    3 WajamUpdater; "C:\Program Files\Wajam\Updater\WajamUpdater.exe" [109064 2012-06-14] (Wajam)

    ========================== Drivers (Whitelisted) =============

    2 AODDriver4.01; \??\C:\Program Files\ATI Technologies\ATI.ACE\Fuel\i386\AODDriver2.sys [45184 2012-03-05] (Advanced Micro Devices)
    2 AODDriver4.1; \??\C:\Program Files\ATI Technologies\ATI.ACE\Fuel\i386\AODDriver2.sys [45184 2012-03-05] (Advanced Micro Devices)
    0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [171064 2012-03-20] (Microsoft Corporation)
    3 RTHDMIAzAudService; C:\Windows\System32\drivers\RtHDMIV.sys [199528 2011-12-02] (Realtek Semiconductor Corp.)
    2 RtNdPt60; C:\Windows\System32\DRIVERS\RtNdPt60.sys [27648 2010-12-13] (Realtek )
    3 RTTEAMPT; C:\Windows\System32\DRIVERS\RtTeam60.sys [50280 2010-12-13] (Realtek Corporation)
    3 RTVLANPT; C:\Windows\System32\DRIVERS\RtVlan60.sys [19968 2010-12-13] (Windows (R) Codename Longhorn DDK provider)
    3 TEAM; C:\Windows\System32\DRIVERS\RtTeam60.sys [50280 2010-12-13] (Realtek Corporation)
    3 TrueSight; \??\c:\windows\system32\drivers\TrueSight.sys [14080 2012-08-01] ()
    3 Synth3dVsc; C:\Windows\System32\drivers\synth3dvsc.sys [x]
    3 tsusbhub; C:\Windows\System32\drivers\tsusbhub.sys [x]
    3 VGPU; C:\Windows\System32\drivers\rdvgkmd.sys [x]

    ========================== NetSvcs (Whitelisted) ===========


    ============ One Month Created Files and Folders ==============

    2012-08-01 13:51 - 2012-08-01 13:52 - 00000000 ____D C:\FRST
    2012-08-01 03:22 - 2012-08-01 03:22 - 00043480 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\nkzzphgc.sys
    2012-08-01 03:07 - 2012-08-01 03:07 - 00000000 ____D C:\Program Files\Microsoft Security Client
    2012-08-01 03:03 - 2012-08-01 03:03 - 10299264 ____A (Microsoft Corporation) C:\Users\Guillaume\Downloads\mseinstall (1).exe
    2012-08-01 02:53 - 2012-08-01 02:53 - 01552384 ____A C:\Users\Guillaume\Downloads\RogueKiller-7.6.4.exe
    2012-08-01 02:53 - 2012-08-01 02:53 - 00014080 ____A C:\Windows\System32\Drivers\TrueSight.sys
    2012-08-01 02:47 - 2012-08-01 02:47 - 00000000 ____D C:\Users\Guillaume\AppData\Local\Wajam
    2012-08-01 02:47 - 2012-08-01 02:47 - 00000000 ____D C:\Program Files\Wajam
    2012-08-01 02:46 - 2012-08-01 02:47 - 00014572 ____A C:\INSTALLHELPER.LOG
    2012-08-01 02:46 - 2012-08-01 02:46 - 00665696 ____A (OptimumInstaller) C:\Users\Guillaume\Downloads\Setup.exe
    2012-08-01 02:34 - 2012-08-01 02:34 - 00388608 ____A (Trend Micro Inc.) C:\Users\Guillaume\Downloads\HijackThis.exe
    2012-08-01 02:31 - 2012-08-01 02:31 - 01402880 ____A C:\Users\Guillaume\Downloads\hijackthis_hijackthis_2.0.4_anglais_17891.msi
    2012-08-01 02:19 - 2012-08-01 02:19 - 00000000 __SHD C:\Windows\System32\%APPDATA%
    2012-08-01 02:16 - 2012-08-01 02:16 - 00138752 ____A C:\Users\Guillaume\AppData\Roaming\deo0_sar.exe
    2012-08-01 00:33 - 2012-08-01 00:34 - 00000000 ____D C:\Users\Guillaume\AppData\Local\{89DE1A0B-B4DE-49E8-A511-757B47164C43}
    2012-08-01 00:33 - 2012-08-01 00:33 - 00000000 ____D C:\Users\Guillaume\AppData\Local\{406E7CE8-4A76-45C5-B4F3-F5759F0990FE}

    ============ 3 Months Modified Files ========================

    2012-08-01 03:40 - 2012-07-15 15:00 - 00001176 ____A C:\Windows\setupact.log
    2012-08-01 03:40 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-08-01 03:22 - 2012-08-01 03:22 - 00043480 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\nkzzphgc.sys
    2012-08-01 03:20 - 2012-03-06 19:05 - 00001094 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1266765766-3627827974-3855528514-1000UA.job
    2012-08-01 03:08 - 2012-03-06 20:33 - 00001945 ____A C:\Windows\epplauncher.mif
    2012-08-01 03:08 - 2012-03-06 17:51 - 01299142 ____A C:\Windows\WindowsUpdate.log
    2012-08-01 03:07 - 2012-03-06 17:59 - 01603068 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-08-01 03:03 - 2012-08-01 03:03 - 10299264 ____A (Microsoft Corporation) C:\Users\Guillaume\Downloads\mseinstall (1).exe
    2012-08-01 02:59 - 2012-07-30 13:12 - 00002168 ____A C:\Windows\PFRO.log
    2012-08-01 02:53 - 2012-08-01 02:53 - 01552384 ____A C:\Users\Guillaume\Downloads\RogueKiller-7.6.4.exe
    2012-08-01 02:53 - 2012-08-01 02:53 - 00014080 ____A C:\Windows\System32\Drivers\TrueSight.sys
    2012-08-01 02:47 - 2012-08-01 02:46 - 00014572 ____A C:\INSTALLHELPER.LOG
    2012-08-01 02:46 - 2012-08-01 02:46 - 00665696 ____A (OptimumInstaller) C:\Users\Guillaume\Downloads\Setup.exe
    2012-08-01 02:34 - 2012-08-01 02:34 - 00388608 ____A (Trend Micro Inc.) C:\Users\Guillaume\Downloads\HijackThis.exe
    2012-08-01 02:31 - 2012-08-01 02:31 - 01402880 ____A C:\Users\Guillaume\Downloads\hijackthis_hijackthis_2.0.4_anglais_17891.msi
    2012-08-01 02:16 - 2012-08-01 02:16 - 00138752 ____A C:\Users\Guillaume\AppData\Roaming\deo0_sar.exe
    2012-08-01 02:13 - 2012-04-03 18:47 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
    2012-08-01 02:13 - 2012-03-06 19:40 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
    2012-07-31 21:20 - 2012-03-06 19:05 - 00001042 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1266765766-3627827974-3855528514-1000Core.job
    2012-07-31 12:51 - 2012-07-31 12:51 - 00052936 ____A C:\Users\Guillaume\.recently-used.xbel

    ZeroAccess:
    C:\Windows\Installer\{955b7c99-12db-61e4-d051-b536dcac8f4c}
    C:\Windows\Installer\{955b7c99-12db-61e4-d051-b536dcac8f4c}\U

    ZeroAccess:
    C:\Windows\assembly\GAC\Desktop.ini

    ========================= Known DLLs (Whitelisted) ============


    ========================= Bamital & volsnap Check ============

    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe A302BBFF2A7278C0E239EE5D471D86A9 ZeroAccess <==== ATTENTION!.
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ========================= Memory info ======================

    Percentage of memory in use: 12%
    Total physical RAM: 4093.55 MB
    Available physical RAM: 3580.32 MB
    Total Pagefile: 4091.83 MB
    Available Pagefile: 3589.02 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 1960.7 MB

    ======================= Partitions =========================

    1 Drive c: () (Fixed) (Total:146.39 GB) (Free:26 GB) NTFS
    2 Drive e: () (Fixed) (Total:785.03 GB) (Free:155.85 GB) NTFS
    4 Drive g: () (Removable) (Total:0.94 GB) (Free:0.94 GB) FAT
    5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
    6 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

    Disk ### Status Size Free Dyn Gpt
    -------- ------------- ------- ------- --- ---
    Disk 0 Online 931 GB 0 B
    Disk 1 Online 961 MB 0 B

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 100 MB 1024 KB
    Partition 2 Primary 146 GB 101 MB
    Partition 3 Primary 785 GB 146 GB

    ==================================================================================

    Disk: 0
    Partition 1
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 Y System Rese NTFS Partition 100 MB Healthy

    ==================================================================================

    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 C NTFS Partition 146 GB Healthy

    ==================================================================================

    Disk: 0
    Partition 3
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 3 E NTFS Partition 785 GB Healthy

    ==================================================================================

    Partitions of Disk 1:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 961 MB 16 KB

    ==================================================================================

    Disk: 1
    Partition 1
    Type : 06
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 4 G FAT Removable 961 MB Healthy

    ==================================================================================

    ==========================================================

    Last Boot: 2012-07-30 13:59

    ======================= End Of Log ==========================



    Farbar Recovery Scan Tool Version: 25-07-2012 01
    Ran by SYSTEM at 2012-08-01 13:57:35
    Running from G:\

    ================== Search: "services.exe" ===================

    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
    [2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

    C:\Windows\System32\services.exe
    [2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) A302BBFF2A7278C0E239EE5D471D86A9

    === End Of Search ===


    Thanks again a lot!
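The Search.txt above is the part of these logs that settles the question: both copies of services.exe report the same size and the same timestamps, yet the System32 copy hashes differently from the copy kept in the WinSxS component store, which is exactly what the Bamital & volsnap check flagged. The script below is an added example, not code from this thread or from FRST's author; it assumes the Search.txt line format shown in the post above and uses, as constructed sample input, the two entries copied from that log. It parses each result into a record and reports every copy outside WinSxS whose MD5 does not match a WinSxS copy.

```python
"""Flag a system binary whose on-disk copy no longer matches the WinSxS copy.

Added example, not code from the TechSpot thread or from FRST's author. It reads
the "Search:" output FRST writes to Search.txt (format assumed from the log
posted above) and compares each copy's MD5 against the component-store copy.
"""
import re

# Constructed sample input: the two services.exe entries from the Search.txt
# posted in this thread, hashes copied as printed there.
SAMPLE_SEARCH_LOG = r"""
================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

C:\Windows\System32\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) A302BBFF2A7278C0E239EE5D471D86A9

=== End Of Search ===
"""

# A result path: drive letter, colon, backslash.
PATH_RE = re.compile(r"^[A-Za-z]:\\")
# The detail line FRST prints under each path:
# [created] - [modified] - size attrs (company) MD5
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+) "
    r"(?:\((?P<company>[^)]*)\) )?"
    r"(?P<md5>[0-9A-Fa-f]{32})\s*$"
)


def parse_search_log(text):
    """Return one dict per file copy listed in an FRST Search.txt."""
    entries = []
    pending_path = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PATH_RE.match(line):
            pending_path = line          # the detail line follows on the next line
            continue
        match = DETAIL_RE.match(line)
        if match and pending_path:
            rec = match.groupdict()
            rec["path"] = pending_path
            rec["size"] = int(rec["size"])
            rec["md5"] = rec["md5"].upper()
            rec["company"] = rec["company"] or ""
            rec["in_winsxs"] = "\\winsxs\\" in pending_path.lower()
            entries.append(rec)
            pending_path = None
    return entries


def find_mismatches(entries):
    """Compare every copy outside WinSxS with the component-store copies.

    Returns (path, md5, reason) for each copy that deserves a closer look.
    """
    reference = [e for e in entries if e["in_winsxs"]]
    ref_hashes = {e["md5"] for e in reference}
    findings = []
    for e in entries:
        if e["in_winsxs"]:
            continue
        if not ref_hashes:
            findings.append((e["path"], e["md5"], "no WinSxS copy to compare against"))
        elif e["md5"] not in ref_hashes:
            reason = "MD5 differs from the WinSxS copy"
            # Matching size and timestamps mean the replacement preserved the
            # original metadata, so a listing without hashes would look clean.
            if any(r["size"] == e["size"] and r["modified"] == e["modified"]
                   for r in reference):
                reason += " although size and timestamps match"
            findings.append((e["path"], e["md5"], reason))
    return findings


if __name__ == "__main__":
    for path, md5, reason in find_mismatches(parse_search_log(SAMPLE_SEARCH_LOG)):
        print(f"{path}: {md5} <- {reason}")
```

Run as-is it reports the System32 copy only. The WinSxS copy is used as the reference because the component store is where the later fix in this thread takes the clean services.exe from; the same comparison works for any file name FRST is asked to search for, and the "size and timestamps match" note is the detail worth keeping, since it shows why a directory listing alone would not have caught this.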
     
  2. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    Welcome aboard

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    =============================================

    Download attached fixlist.txt file and save it to the very same USB flash drive you've been using. Plug the drive back in.

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

    On Vista or Windows 7: Now please enter System Recovery Options.
    On Windows XP: Now please boot into the UBCD.
    Run FRST/FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

    Next....

    Restart normally.

    Please download ComboFix from Here, Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.

    • NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    • NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.
    **Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
    There are 4 different versions. If one of them won't run then download and try to run the other one.
    Vista and Win7 users need to right-click Rkill and choose Run as Administrator.
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.exe
    • Double-click on the Rkill icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.
    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     

    Attached Files:

  3. Kysban

    Kysban TS Rookie Topic Starter Posts: 17

    Here is the Fixlog.txt file :

    Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 25-07-2012 01
    Ran by SYSTEM at 2012-08-02 01:13:03 Run:1
    Running from G:\

    ==============================================

    HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows No ZeroAccess entry found.
    C:\Windows\System32\consrv.dll not found.
    C:\Windows\System32\Drivers\nkzzphgc.sys moved successfully.
    C:\Windows\Installer\{955b7c99-12db-61e4-d051-b536dcac8f4c} moved successfully.
    C:\Windows\assembly\GAC\Desktop.ini moved successfully.
    C:\Windows\System32\services.exe moved successfully.
    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe copied successfully to C:\Windows\System32\services.exe

    ==== End of Fixlog ====
     
  4. Kysban

    Kysban TS Rookie Topic Starter Posts: 17

    Now I have this message when I try launching Windows 7:

    The Windows Boot Configuration Data (BCD) store file contains some invalid information.
    Object GUID : {7ff607e0-4395-11db-b0de-0800200c9a66}
    Status : 0xc0000034
    Info : The configuration for an element within the object is invalid in the boot configuration data store
    The associated Windows Boot Loader entry may not be available for selection until the problem is rectified by an administrator.
     
  5. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    Proceed with the very same steps you performed to run FRST.
    Boot to System Recovery Options and then access Command Prompt.
    At Command Prompt, enter the following commands, pressing "Enter" after each one (watch for "spaces"):

    • bcdedit /export C:\BCD_Backup
    • c:
    • cd boot
    • attrib bcd -s -h -r
    • ren c:\boot\bcd bcd.old
    • bootrec /RebuildBcd
    When done (let me know if there were any problems) see if you can start normally.
     
  6. Kysban

    Kysban TS Rookie Topic Starter Posts: 17

    After this:

    bcdedit /export C:\BCD_Backup

    I had this:

    The store export operation has failed.
    The system cannot find the file specified.

    And at the end, I had this:

    Scanning all disks for Windows installations.
    Please wait, since this may take a while...
    Successfully scanned Windows Installations.
    Total identified Windows installations : 1
    [1] D:\Windows
    Add installation to boot list? Yes / No / All

    (just a thing: Windows is installed on C:\ on my computer)
     
  7. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    Go ahead and answer "Yes".
     
  8. Kysban

    Kysban TS Rookie Topic Starter Posts: 17

    The operation completed successfully.

    But I have a blue screen when I try to launch Windows 7 (and I can't read it).

    This is the same when I try to launch in Safe Mode...

    Maybe I could try something with my Windows 7 installation disc?
     
  9. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    Download attached fixlist.txt file and save it to the very same USB flash drive you've been using. Plug the drive back in.

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

    On Vista or Windows 7: Now please enter System Recovery Options.
    On Windows XP: Now please boot into the UBCD.
    Run FRST/FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

    See if you can start normally afterwards.
     

    Attached Files:

  10. Kysban

    Kysban TS Rookie Topic Starter Posts: 17

    Sorry but... I don't manage to access the System Recovery Options anymore...

    I'm on a "Windows Error Recovery" page and it invites me to insert my Windows installation disc because "a recent hardware or software change might be the cause".
     
  11. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    On the System Recovery Options menu you will get the following options:

      • Startup Repair
      • System Restore
      • Windows Complete PC Restore
      • Windows Memory Diagnostic Tool
      • Command Prompt
    • Select Command Prompt
     
  12. Kysban

    Kysban TS Rookie Topic Starter Posts: 17

    Yes, thank you!

    I just managed to start normally, so now I suppose I have to go back to your second post and test with ComboFix?
     
  13. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    Good :)

    No, I'd like to see a fresh FRST log.
     
  14. Kysban

    Kysban TS Rookie Topic Starter Posts: 17

    Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 25-07-2012 01
    Ran by SYSTEM at 2012-08-02 02:35:13 Run:3
    Running from G:\

    ==============================================

    DEFAULT hive was successfully copied to System32\config\HiveBackup
    DEFAULT hive was successfully restored from registry back up.
    SAM hive was successfully copied to System32\config\HiveBackup
    SAM hive was successfully restored from registry back up.
    SECURITY hive was successfully copied to System32\config\HiveBackup
    SECURITY hive was successfully restored from registry back up.
    SOFTWARE hive was successfully copied to System32\config\HiveBackup
    SOFTWARE hive was successfully restored from registry back up.
    SYSTEM hive was successfully copied to System32\config\HiveBackup
    SYSTEM hive was successfully restored from registry back up.

    ==== End of Fixlog ====
     
  15. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    For x32 (x86) bit systems download Farbar Recovery Scan Tool 32-Bit and save it to a flash drive.
    For x64 bit systems download Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

    Plug the flashdrive into the infected PC.

    Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    On the System Recovery Options menu you will get the following options:

      • Startup Repair
      • System Restore
      • Windows Complete PC Restore
      • Windows Memory Diagnostic Tool
      • Command Prompt
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

    Next...

    Re-run FRST again.
    Type the following in the edit box after "Search:".

    services.exe

    Click Search button and post the log (Search.txt) it makes in your reply.

    I'll expect two logs:
    - FRST.txt
    - Search.txt
     
  16. Kysban

    Kysban TS Rookie Topic Starter Posts: 17

    FRST.txt


    Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 25-07-2012 01
    Ran by SYSTEM at 02-08-2012 03:14:46
    Running from G:\
    Windows 7 Ultimate (X86) OS Language: English(US)
    The current controlset is ControlSet001

    ========================== Registry (Whitelisted) =============

    HKLM\...\Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s [10959464 2012-01-15] (Realtek Semiconductor)
    HKLM\...\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [641704 2012-06-11] (Advanced Micro Devices, Inc.)
    HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2011-10-24] (Apple Inc.)
    HKLM\...\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [54840 2007-05-08] (Hewlett-Packard)
    HKLM\...\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe [150528 2008-07-22] (Hewlett-Packard)
    HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-03] (Adobe Systems Incorporated)
    HKLM\...\Run: [DNS7reminder] "C:\Program Files\Nuance\NaturallySpeaking11\Ereg\Ereg.exe" -r "C:\ProgramData\Nuance\NaturallySpeaking11\Ereg.ini [301 2012-07-30] ()
    HKLM\...\Run: [TrayServer] C:\Program Files\MAGIX\Video_deluxe_MX_Premium_Version_a_telecharger\TrayServer_fr.exe [90112 2008-09-01] (Magix)
    HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [252296 2012-01-17] (Sun Microsystems, Inc.)
    HKLM\...\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [931200 2012-03-26] (Microsoft Corporation)
    HKU\Guillaume\...\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart [3297280 2007-11-20] (Google)
    HKU\Guillaume\...\Run: [SuperCopier2.exe] C:\Program Files\SuperCopier2\SuperCopier2.exe [955392 2009-08-16] (SFX TEAM)
    Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
    Startup: C:\Users\Guillaume\Start Menu\Programs\Startup\EvernoteClipper.lnk
    ShortcutTarget: EvernoteClipper.lnk -> C:\Program Files\Evernote\Evernote\EvernoteClipper.exe (Evernote Corp., 333 W Evelyn Ave. Mountain View, CA 94041)

    ================================ Services (Whitelisted) ==================

    2 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe /launchService [291840 2012-06-11] (Advanced Micro Devices, Inc.)
    2 DragonSvc; C:\Program Files\Common Files\Nuance\dgnsvc.exe [296808 2010-08-12] (Nuance Communications, Inc.)
    2 eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [20992 2009-07-13] (Microsoft Corporation)
    2 Fabs; C:\Program Files\Common Files\MAGIX Services\Database\bin\FABS.exe /DisableUI [1840128 2011-05-24] (MAGIX AG)
    3 FirebirdServerMAGIXInstance; "C:\Program Files\Common Files\MAGIX Services\Database\bin\fbserver.exe" [2702848 2011-04-26] (MAGIX®)
    2 MDM; "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe" [335872 2006-10-26] (Microsoft Corporation)
    2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [11552 2012-03-26] (Microsoft Corporation)
    3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [214952 2012-03-26] (Microsoft Corporation)
    2 SkypeUpdate; "C:\Program Files\Skype\Updater\Updater.exe" [160944 2012-07-03] (Skype Technologies)

    ========================== Drivers (Whitelisted) =============

    2 AODDriver4.01; \??\C:\Program Files\ATI Technologies\ATI.ACE\Fuel\i386\AODDriver2.sys [45184 2012-03-05] (Advanced Micro Devices)
    2 AODDriver4.1; \??\C:\Program Files\ATI Technologies\ATI.ACE\Fuel\i386\AODDriver2.sys [45184 2012-03-05] (Advanced Micro Devices)
    0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [171064 2012-03-20] (Microsoft Corporation)
    3 RTHDMIAzAudService; C:\Windows\System32\drivers\RtHDMIV.sys [199528 2011-12-02] (Realtek Semiconductor Corp.)
    2 RtNdPt60; C:\Windows\System32\DRIVERS\RtNdPt60.sys [27648 2010-12-13] (Realtek )
    3 RTTEAMPT; C:\Windows\System32\DRIVERS\RtTeam60.sys [50280 2010-12-13] (Realtek Corporation)
    3 RTVLANPT; C:\Windows\System32\DRIVERS\RtVlan60.sys [19968 2010-12-13] (Windows (R) Codename Longhorn DDK provider)
    3 TEAM; C:\Windows\System32\DRIVERS\RtTeam60.sys [50280 2010-12-13] (Realtek Corporation)
    3 catchme; \??\C:\Users\GUILLA~1\AppData\Local\Temp\catchme.sys [x]
    1 MpKsl3efc1be4; \??\C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{27D4CDEC-99C5-45F6-B3EF-7CB8881198C0}\MpKsl3efc1be4.sys [x]
    3 Synth3dVsc; C:\Windows\System32\drivers\synth3dvsc.sys [x]
    3 tsusbhub; C:\Windows\System32\drivers\tsusbhub.sys [x]
    3 VGPU; C:\Windows\System32\drivers\rdvgkmd.sys [x]

    ========================== NetSvcs (Whitelisted) ===========


    ============ One Month Created Files and Folders ==============

    2012-08-02 02:35 - 2012-08-02 02:35 - 00000000 ____D C:\Windows\System32\config\HiveBackup
    2012-08-01 17:04 - 2012-08-01 17:04 - 00021397 ____A C:\ComboFix.txt
    2012-08-01 16:55 - 2012-08-01 17:04 - 00000000 ___AD C:\Qoobox
    2012-08-01 16:55 - 2012-08-01 17:03 - 00000000 ____D C:\Windows\erdnt
    2012-08-01 16:55 - 2011-06-25 22:45 - 00256000 ____A C:\Windows\PEV.exe
    2012-08-01 16:55 - 2010-11-07 09:20 - 00208896 ____A C:\Windows\MBR.exe
    2012-08-01 16:55 - 2009-04-19 20:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
    2012-08-01 16:55 - 2000-08-30 16:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
    2012-08-01 16:55 - 2000-08-30 16:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
    2012-08-01 16:55 - 2000-08-30 16:00 - 00098816 ____A C:\Windows\sed.exe
    2012-08-01 16:55 - 2000-08-30 16:00 - 00080412 ____A C:\Windows\grep.exe
    2012-08-01 16:55 - 2000-08-30 16:00 - 00068096 ____A C:\Windows\zip.exe
    2012-08-01 16:54 - 2012-08-01 16:50 - 04722680 ____R (Swearware) C:\Users\Guillaume\Desktop\ComboFix.exe
    2012-08-01 16:42 - 2012-08-01 16:43 - 00000000 ____D C:\Users\Guillaume\AppData\Local\{C5CFD03C-C5EF-46D9-991A-647268AF32ED}
    2012-08-01 16:42 - 2012-08-01 16:42 - 00000000 ____D C:\Users\Guillaume\AppData\Local\{6AA8AFDA-C7AC-4574-810D-BFB29B845403}
    2012-08-01 16:37 - 2012-08-01 16:37 - 00005710 ____A C:\Windows\System32\PerfStringBackup.TMP
    2012-08-01 13:51 - 2012-08-01 13:52 - 00000000 ____D C:\FRST
    2012-08-01 03:07 - 2012-08-01 03:07 - 00000000 ____D C:\Program Files\Microsoft Security Client
    2012-08-01 03:03 - 2012-08-01 03:03 - 10299264 ____A (Microsoft Corporation) C:\Users\Guillaume\Downloads\mseinstall (1).exe
    2012-08-01 02:53 - 2012-08-01 02:53 - 01552384 ____A C:\Users\Guillaume\Downloads\RogueKiller-7.6.4.exe
    2012-08-01 02:53 - 2012-08-01 02:53 - 00014080 ____A C:\Windows\System32\Drivers\TrueSight.sys
    2012-08-01 02:47 - 2012-08-01 02:47 - 00000000 ____D C:\Users\Guillaume\AppData\Local\Wajam
    2012-08-01 02:47 - 2012-08-01 02:47 - 00000000 ____D C:\Program Files\Wajam
    2012-08-01 02:46 - 2012-08-01 02:47 - 00014572 ____A C:\INSTALLHELPER.LOG
    2012-08-01 02:46 - 2012-08-01 02:46 - 00665696 ____A (OptimumInstaller) C:\Users\Guillaume\Downloads\Setup.exe
    2012-08-01 02:34 - 2012-08-01 02:34 - 00388608 ____A (Trend Micro Inc.) C:\Users\Guillaume\Downloads\HijackThis.exe
    2012-08-01 02:31 - 2012-08-01 02:31 - 01402880 ____A C:\Users\Guillaume\Downloads\hijackthis_hijackthis_2.0.4_anglais_17891.msi
    2012-08-01 02:19 - 2012-08-01 02:19 - 00000000 __SHD C:\Windows\System32\%APPDATA%
    2012-08-01 00:33 - 2012-08-01 00:34 - 00000000 ____D C:\Users\Guillaume\AppData\Local\{89DE1A0B-B4DE-49E8-A511-757B47164C43}
    2012-08-01 00:33 - 2012-08-01 00:33 - 00000000 ____D C:\Users\Guillaume\AppData\Local\{406E7CE8-4A76-45C5-B4F3-F5759F0990FE}
    2012-07-31 12:51 - 2012-07-31 12:51 - 00052936 ____A C:\Users\Guillaume\.recently-used.xbel
    2012-07-31 12:44 - 2012-07-31 12:44 - 00000000 ____D C:\Users\Guillaume\Desktop\boites à dents
    2012-07-31 12:33 - 2012-07-31 12:33 - 00000000 ____D C:\Users\Guillaume\AppData\Local\{2162582A-E277-4790-8050-AD71090DCFC4}
    2012-07-31 12:32 - 2012-07-31 12:33 - 00000000 ____D C:\Users\Guillaume\AppData\Local\{D900ED3A-0AC5-453A-96E2-E950021F4D58}
    2012-07-31 00:32 - 2012-07-31 00:32 - 00000000 ____D C:\Users\Guillaume\AppData\Local\{E561587B-A0F8-46EF-B8D1-3F7CE44D4463}
    2012-07-31 00:32 - 2012-07-31 00:32 - 00000000 ____D C:\Users\Guillaume\AppData\Local\{21C7AD0B-EB9D-4F63-8365-8465A2D21BB5}
    2012-07-30 15:44 - 2012-07-30 15:44 - 00000000 ____D C:\Program Files\AMD APP
    2012-07-30 15:39 - 2012-07-30 15:39 - 00000000 ____D C:\Program Files\ATI
    2012-07-30 15:33 - 2012-07-30 15:37 - 113386248 ____A (Advanced Micro Devices, Inc.) C:\Users\Guillaume\Downloads\12-6_vista_win7_32_dd_ccc.exe
    2012-07-30 13:40 - 2012-07-30 13:40 - 00000000 ____D C:\Windows\pss
    2012-07-30 13:16 - 2012-06-05 21:03 - 00805376 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
    2012-07-30 13:12 - 2012-08-01 17:08 - 00003552 ____A C:\Windows\PFRO.log
    2012-07-30 13:09 - 2012-06-02 01:07 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2012-07-30 13:09 - 2012-06-02 00:43 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2012-07-30 13:09 - 2012-06-02 00:33 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
    2012-07-30 13:09 - 2012-06-02 00:26 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2012-07-30 13:09 - 2012-06-02 00:25 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2012-07-30 13:09 - 2012-06-02 00:25 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2012-07-30 13:09 - 2012-06-02 00:23 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2012-07-30 13:09 - 2012-06-02 00:21 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2012-07-30 13:09 - 2012-06-02 00:20 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
    2012-07-30 13:09 - 2012-06-02 00:19 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2012-07-30 13:09 - 2012-06-02 00:19 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2012-07-30 13:09 - 2012-06-02 00:17 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2012-07-30 13:09 - 2012-06-02 00:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2012-07-30 13:09 - 2012-06-02 00:14 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2012-07-30 13:07 - 2012-07-30 13:14 - 00000000 ____D C:\Users\Guillaume\AppData\Local\Spotify
    2012-07-30 13:07 - 2012-07-30 13:07 - 00001826 ____A C:\Users\Guillaume\Desktop\Spotify.lnk
    2012-07-30 13:06 - 2012-07-30 13:15 - 00000000 ____D C:\Users\Guillaume\AppData\Roaming\Spotify
    2012-07-30 13:06 - 2012-07-30 13:06 - 00087360 ____A (Spotify Ltd) C:\Users\Guillaume\Downloads\SpotifySetup.exe
    2012-07-30 12:52 - 2012-07-30 12:52 - 00259272 ____A C:\Windows\msxml4-KB2721691-enu.LOG
    2012-07-30 12:52 - 2012-06-11 18:40 - 02345984 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2012-07-30 12:47 - 2012-05-04 01:59 - 00514560 ____A (Microsoft Corporation) C:\Windows\System32\qdvd.dll
    2012-07-30 12:47 - 2012-04-30 20:44 - 00164352 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll
    2012-07-30 12:47 - 2012-04-27 20:41 - 00919040 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorets.dll
    2012-07-30 12:47 - 2012-04-27 19:17 - 00183808 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
    2012-07-30 12:47 - 2012-04-25 20:45 - 00129536 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
    2012-07-30 12:47 - 2012-04-25 20:45 - 00058880 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
    2012-07-30 12:47 - 2012-04-25 20:41 - 00008192 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe
    2012-07-30 12:47 - 2012-04-07 03:26 - 02342400 ____A (Microsoft Corporation) C:\Windows\System32\msi.dll
    2012-07-30 12:47 - 2012-03-30 20:39 - 03968368 ____A (Microsoft Corporation) C:\Windows\System32\ntkrnlpa.exe
    2012-07-30 12:47 - 2012-03-30 20:39 - 03913072 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
    2012-07-30 12:47 - 2012-03-16 23:27 - 00056176 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\partmgr.sys
    2012-07-30 12:47 - 2012-03-02 21:31 - 01077248 ____A (Microsoft Corporation) C:\Windows\System32\DWrite.dll
    2012-07-30 12:43 - 2012-06-08 20:41 - 12873728 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
    2012-07-30 12:43 - 2012-04-23 20:36 - 01158656 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
    2012-07-30 12:43 - 2012-04-23 20:36 - 00140288 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
    2012-07-30 12:43 - 2012-04-23 20:36 - 00103936 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
    2012-07-30 12:31 - 2012-07-30 12:32 - 00000000 ____D C:\Users\Guillaume\AppData\Local\{12E8F8DF-ABE9-4BC1-B90C-6E8A0E4AB106}
    2012-07-30 12:31 - 2012-07-30 12:31 - 00000000 ____D C:\Users\Guillaume\AppData\Local\{A00F436D-A0D6-4244-8F26-23B16119B9E7}
    2012-07-30 12:29 - 2012-07-30 12:29 - 00000000 ____D C:\Users\Guillaume\AppData\Local\{ABAF4239-D3E3-4E8C-8B82-93E3AE7CFB4F}
    2012-07-30 12:28 - 2012-07-30 12:29 - 00000000 ____D C:\Users\Guillaume\AppData\Local\{6C2C7C97-AE36-4291-A396-20492C9B87BB}
    2012-07-30 12:27 - 2012-07-30 12:27 - 173123443 ____A C:\Windows\MEMORY.DMP
    2012-07-30 12:27 - 2012-07-30 12:27 - 00141176 ____A C:\Windows\Minidump\073012-43789-01.dmp


    ============ 3 Months Modified Files ========================

    2012-08-01 17:08 - 2012-07-30 13:12 - 00003552 ____A C:\Windows\PFRO.log
    2012-08-01 17:06 - 2012-03-06 17:51 - 01349581 ____A C:\Windows\WindowsUpdate.log
    2012-08-01 17:06 - 2009-07-13 20:34 - 00010128 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2012-08-01 17:06 - 2009-07-13 20:34 - 00010128 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2012-08-01 17:04 - 2012-08-01 17:04 - 00021397 ____A C:\ComboFix.txt
    2012-08-01 17:03 - 2009-07-13 18:04 - 00000215 ____A C:\Windows\system.ini
    2012-08-01 16:50 - 2012-08-01 16:54 - 04722680 ____R (Swearware) C:\Users\Guillaume\Desktop\ComboFix.exe
    2012-08-01 16:37 - 2012-08-01 16:37 - 00005710 ____A C:\Windows\System32\PerfStringBackup.TMP
    2012-08-01 16:36 - 2012-07-15 15:00 - 00002026 ____A C:\Windows\setupact.log
    2012-08-01 16:36 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-08-01 03:20 - 2012-03-06 19:05 - 00001094 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1266765766-3627827974-3855528514-1000UA.job
    2012-08-01 03:08 - 2012-03-06 20:33 - 00001945 ____A C:\Windows\epplauncher.mif
    2012-08-01 03:07 - 2012-03-06 17:59 - 01603068 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-08-01 03:03 - 2012-08-01 03:03 - 10299264 ____A (Microsoft Corporation) C:\Users\Guillaume\Downloads\mseinstall (1).exe
    2012-08-01 02:53 - 2012-08-01 02:53 - 01552384 ____A C:\Users\Guillaume\Downloads\RogueKiller-7.6.4.exe
    2012-08-01 02:53 - 2012-08-01 02:53 - 00014080 ____A C:\Windows\System32\Drivers\TrueSight.sys
    2012-08-01 02:47 - 2012-08-01 02:46 - 00014572 ____A C:\INSTALLHELPER.LOG
    2012-08-01 02:46 - 2012-08-01 02:46 - 00665696 ____A (OptimumInstaller) C:\Users\Guillaume\Downloads\Setup.exe
    2012-08-01 02:34 - 2012-08-01 02:34 - 00388608 ____A (Trend Micro Inc.) C:\Users\Guillaume\Downloads\HijackThis.exe
    2012-08-01 02:31 - 2012-08-01 02:31 - 01402880 ____A C:\Users\Guillaume\Downloads\hijackthis_hijackthis_2.0.4_anglais_17891.msi
    2012-08-01 02:13 - 2012-04-03 18:47 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
    2012-08-01 02:13 - 2012-03-06 19:40 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
    2012-07-31 21:20 - 2012-03-06 19:05 - 00001042 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1266765766-3627827974-3855528514-1000Core.job
    2012-07-31 12:51 - 2012-07-31 12:51 - 00052936 ____A C:\Users\Guillaume\.recently-used.xbel
    2012-07-30 15:37 - 2012-07-30 15:33 - 113386248 ____A (Advanced Micro Devices, Inc.) C:\Users\Guillaume\Downloads\12-6_vista_win7_32_dd_ccc.exe
    2012-07-30 13:12 - 2009-07-13 20:33 - 00522816 ____A C:\Windows\System32\FNTCACHE.DAT
    2012-07-30 13:07 - 2012-07-30 13:07 - 00001826 ____A C:\Users\Guillaume\Desktop\Spotify.lnk
    2012-07-30 13:06 - 2012-07-30 13:06 - 00087360 ____A (Spotify Ltd) C:\Users\Guillaume\Downloads\SpotifySetup.exe
    2012-07-30 13:05 - 2009-07-13 18:04 - 00000513 ____A C:\Windows\win.ini
    2012-07-30 12:52 - 2012-07-30 12:52 - 00259272 ____A C:\Windows\msxml4-KB2721691-enu.LOG
    2012-07-30 12:50 - 2012-03-06 18:20 - 00159776 ____A C:\Users\Guillaume\AppData\Local\GDIPFONTCACHEV1.DAT
    2012-07-30 12:27 - 2012-07-30 12:27 - 173123443 ____A C:\Windows\MEMORY.DMP
    2012-07-30 12:27 - 2012-07-30 12:27 - 00141176 ____A C:\Windows\Minidump\073012-43789-01.dmp

    ========================= Known DLLs (Whitelisted) ============


    ========================= Bamital & volsnap Check ============

    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ========================= Memory info ======================

    Percentage of memory in use: 12%
    Total physical RAM: 4093.55 MB
    Available physical RAM: 3568.31 MB
    Total Pagefile: 4091.83 MB
    Available Pagefile: 3576.72 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 1969.4 MB

    ======================= Partitions =========================

    1 Drive c: () (Fixed) (Total:146.39 GB) (Free:29.75 GB) NTFS
    2 Drive e: () (Fixed) (Total:785.03 GB) (Free:155.85 GB) NTFS
    3 Drive f: (GRMCULFRER_EN_DVD) (CDROM) (Total:2.33 GB) (Free:0 GB) UDF
    4 Drive g: () (Removable) (Total:0.94 GB) (Free:0.93 GB) FAT
    5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
    6 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

    Disk ### Status Size Free Dyn Gpt
    -------- ------------- ------- ------- --- ---
    Disk 0 Online 931 GB 0 B
    Disk 1 Online 961 MB 0 B

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 100 MB 1024 KB
    Partition 2 Primary 146 GB 101 MB
    Partition 3 Primary 785 GB 146 GB

    ==================================================================================

    Disk: 0
    Partition 1
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 Y System Rese NTFS Partition 100 MB Healthy

    ==================================================================================

    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 C NTFS Partition 146 GB Healthy

    ==================================================================================

    Disk: 0
    Partition 3
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 3 E NTFS Partition 785 GB Healthy

    ==================================================================================

    Partitions of Disk 1:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 961 MB 16 KB

    ==================================================================================

    Disk: 1
    Partition 1
    Type : 06
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 4 G FAT Removable 961 MB Healthy

    ==================================================================================

    ==========================================================

    Last Boot: 2012-07-30 13:59

    ======================= End Of Log ==========================
     
  17. Kysban

    Kysban TS Rookie Topic Starter Posts: 17

    Search.txt


    Farbar Recovery Scan Tool Version: 25-07-2012 01
    Ran by SYSTEM at 2012-08-02 03:47:09
    Running from G:\

    ================== Search: "services,exe" ===================

    === End Of Search ===
     
  18. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    Looks pretty good :)

    Restart normally and run Combofix.
     
  19. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    We posted at the same time.
     
  20. Kysban

    Kysban TS Rookie Topic Starter Posts: 17

    Thank you very much! :)

    Here is the ComboFix scan that I did less than one hour ago.
    Do you need another combofix.txt?



    ComboFix 12-07-31.03 - Guillaume 02/08/2012 2:57.1.4 - x86
    Microsoft Windows 7 Édition Intégrale 6.1.7601.1.1252.33.1033.18.3326.2393 [GMT 2:00]
    Lancé depuis: c:\users\Guillaume\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
    SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Un nouveau point de restauration a été créé
    .
    .
    (((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\programdata\606c840c80267b8216ebbbb7f046edb27039e6b1
    c:\programdata\YbotehU
    c:\programdata\YbotehU\QifxxvM\icon6.ico
    c:\programdata\YbotehU\QifxxvM\icon8.ico
    c:\programdata\YbotehU\QifxxvM\img6l.bmp
    c:\programdata\YbotehU\QifxxvM\img6r.bmp
    c:\programdata\YbotehU\QifxxvM\img8l.bmp
    c:\programdata\YbotehU\QifxxvM\img8r.bmp
    c:\programdata\YbotehU\QifxxvM\it001.html
    c:\programdata\YbotehU\QifxxvM\it002.html
    c:\programdata\YbotehU\QifxxvM\it003.html
    c:\programdata\YbotehU\RichynC\01-md9
    c:\programdata\YbotehU\RichynC\039-md1
    c:\programdata\YbotehU\RichynC\039-md10
    c:\programdata\YbotehU\RichynC\039-md11
    c:\programdata\YbotehU\RichynC\039-md2
    c:\programdata\YbotehU\RichynC\039-md3
    c:\programdata\YbotehU\RichynC\039-md4
    c:\programdata\YbotehU\RichynC\039-md5
    c:\programdata\YbotehU\RichynC\039-md6
    c:\programdata\YbotehU\RichynC\039-md7
    c:\programdata\YbotehU\RichynC\039-md8
    c:\programdata\YbotehU\RichynC\039-md9
    c:\programdata\YbotehU\RichynC\md1-17-md1
    c:\programdata\YbotehU\RichynC\md1.bmp
    c:\programdata\YbotehU\RichynC\md1.bmpGjrcelQ
    c:\programdata\YbotehU\RichynC\md10-17-md10
    c:\programdata\YbotehU\RichynC\md10-17-md11
    c:\programdata\YbotehU\RichynC\md10.bmp
    c:\programdata\YbotehU\RichynC\md10.bmpWebsruG
    c:\programdata\YbotehU\RichynC\md11.bmp
    c:\programdata\YbotehU\RichynC\md11.bmpAdetfgU
    c:\programdata\YbotehU\RichynC\md2-17-md2
    c:\programdata\YbotehU\RichynC\md2.bmp
    c:\programdata\YbotehU\RichynC\md2.bmpImfaeqW
    c:\programdata\YbotehU\RichynC\md3-17-md3
    c:\programdata\YbotehU\RichynC\md3.bmp
    c:\programdata\YbotehU\RichynC\md3.bmpExgqasC
    c:\programdata\YbotehU\RichynC\md4-17-md4
    c:\programdata\YbotehU\RichynC\md4.bmp
    c:\programdata\YbotehU\RichynC\md4.bmpXqfxcdX
    c:\programdata\YbotehU\RichynC\md5-17-md5
    c:\programdata\YbotehU\RichynC\md5.bmp
    c:\programdata\YbotehU\RichynC\md5.bmpCensxtX
    c:\programdata\YbotehU\RichynC\md6-17-md6
    c:\programdata\YbotehU\RichynC\md6.bmp
    c:\programdata\YbotehU\RichynC\md6.bmpJupcmjL
    c:\programdata\YbotehU\RichynC\md7-17-md7
    c:\programdata\YbotehU\RichynC\md7.bmp
    c:\programdata\YbotehU\RichynC\md7.bmpEsychuW
    c:\programdata\YbotehU\RichynC\md8-17-md8
    c:\programdata\YbotehU\RichynC\md8.bmp
    c:\programdata\YbotehU\RichynC\md8.bmpJyqdhiL
    c:\programdata\YbotehU\RichynC\md9-17-md9
    c:\programdata\YbotehU\RichynC\md9.bmp
    c:\programdata\YbotehU\RichynC\QyxpqhO
    c:\programdata\YbotehU\RichynC\XrtdbhU
    c:\users\Guillaume\AppData\Roaming\deo0_sar.exe
    c:\windows\system32\URTTemp
    c:\windows\system32\URTTemp\regtlib.exe
    D:\install.exe
    .
    .
    ((((((((((((((((((((((((((((( Fichiers créés du 2012-07-02 au 2012-08-02 ))))))))))))))))))))))))))))))))))))
    .
    .
    2012-08-02 01:02 . 2012-08-02 01:03  --------  d-----w-  c:\users\Guillaume\AppData\Local\temp
    2012-08-02 01:02 . 2012-08-02 01:02  --------  d-----w-  c:\users\Default\AppData\Local\temp
    2012-08-02 00:43 . 2012-08-02 00:43  713784  ----a-w-  c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{CE76F6DD-1D22-48C5-BE0D-9CC4CDCF681A}\gapaengine.dll
    2012-08-02 00:43 . 2012-06-28 23:44  6891424  ----a-w-  c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{D8184051-A898-415F-88B7-693CF584A8BB}\mpengine.dll
    2012-08-02 00:37 . 2012-08-02 00:37  5710  ----a-w-  c:\windows\system32\PerfStringBackup.TMP
    2012-08-01 21:51 . 2012-08-01 21:52  --------  d-----w-  C:\FRST
    2012-08-01 11:13 . 2012-08-01 11:39  56200  ----a-w-  c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{AF7D067C-33EB-471B-BCFC-77E3782639B8}\offreg.dll
    2012-08-01 11:10 . 2012-02-09 12:17  713784  ----a-w-  c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F668C2DF-6CFD-4A75-A869-80CBA2FB8A8E}\gapaengine.dll
    2012-08-01 11:09 . 2012-07-16 00:41  6891424  ----a-w-  c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{AF7D067C-33EB-471B-BCFC-77E3782639B8}\mpengine.dll
    2012-08-01 11:07 . 2012-08-01 11:07  --------  d-----w-  c:\program files\Microsoft Security Client
    2012-08-01 10:53 . 2012-08-01 10:53  14080  ----a-w-  c:\windows\system32\drivers\TrueSight.sys
    2012-08-01 10:47 . 2012-08-01 10:47  --------  d-----w-  c:\users\Guillaume\AppData\Local\Wajam
    2012-08-01 10:47 . 2012-08-01 10:47  --------  d-----w-  c:\program files\Wajam
    2012-08-01 10:19 . 2012-08-01 10:19  --------  d-sh--w-  c:\windows\system32\%APPDATA%
    2012-07-30 23:44 . 2012-07-30 23:44  --------  d-----w-  c:\program files\AMD APP
    2012-07-30 23:39 . 2012-07-30 23:39  --------  d-----w-  c:\program files\ATI
    2012-07-30 21:16 . 2012-06-06 05:05  143360  ----a-w-  c:\program files\Common Files\System\ado\msjro.dll
    2012-07-30 21:16 . 2012-06-06 05:05  212992  ----a-w-  c:\program files\Common Files\System\msadc\msadco.dll
    2012-07-30 21:16 . 2012-06-06 05:05  372736  ----a-w-  c:\program files\Common Files\System\ado\msadox.dll
    2012-07-30 21:16 . 2012-06-06 05:05  57344  ----a-w-  c:\program files\Common Files\System\ado\msador15.dll
    2012-07-30 21:16 . 2012-06-06 05:05  352256  ----a-w-  c:\program files\Common Files\System\ado\msadomd.dll
    2012-07-30 21:16 . 2012-06-06 05:05  1019904  ----a-w-  c:\program files\Common Files\System\ado\msado15.dll
    2012-07-30 21:16 . 2012-06-06 05:03  805376  ----a-w-  c:\windows\system32\cdosys.dll
    2012-07-30 21:07 . 2012-07-30 21:14  --------  d-----w-  c:\users\Guillaume\AppData\Local\Spotify
    2012-07-30 21:06 . 2012-07-30 21:15  --------  d-----w-  c:\users\Guillaume\AppData\Roaming\Spotify
    2012-07-30 20:52 . 2012-06-12 02:40  2345984  ----a-w-  c:\windows\system32\win32k.sys
    2012-07-30 20:43 . 2012-04-24 04:36  140288  ----a-w-  c:\windows\system32\cryptsvc.dll
    2012-07-30 20:43 . 2012-04-24 04:36  1158656  ----a-w-  c:\windows\system32\crypt32.dll
    2012-07-30 20:43 . 2012-04-24 04:36  103936  ----a-w-  c:\windows\system32\cryptnet.dll
    2012-07-16 22:05 . 2012-06-02 04:45  134000  ----a-w-  c:\windows\system32\drivers\ksecpkg.sys
    2012-07-16 22:05 . 2012-06-02 04:40  369336  ----a-w-  c:\windows\system32\drivers\cng.sys
    2012-07-16 22:05 . 2012-06-02 04:40  225280  ----a-w-  c:\windows\system32\schannel.dll
    2012-07-16 22:05 . 2012-06-02 04:39  219136  ----a-w-  c:\windows\system32\ncrypt.dll
    2012-07-16 22:05 . 2012-06-02 04:45  67440  ----a-w-  c:\windows\system32\drivers\ksecdd.sys
    2012-07-16 22:05 . 2012-03-30 10:23  1291632  ----a-w-  c:\windows\system32\drivers\tcpip.sys
    2012-07-16 22:05 . 2012-06-06 05:05  1390080  ----a-w-  c:\windows\system32\msxml6.dll
    2012-07-16 22:05 . 2012-06-06 05:05  1236992  ----a-w-  c:\windows\system32\msxml3.dll
    2012-07-16 22:05 . 2010-06-26 03:24  2048  ----a-w-  c:\windows\system32\msxml3r.dll
    2012-07-16 21:15 . 2012-07-16 21:15  --------  d-----w-  c:\programdata\ATI
    2012-07-16 21:15 . 2012-07-16 21:15  --------  d-----w-  c:\program files\AMD AVT
    .
    .
    .
    (((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-08-01 10:13 . 2012-04-04 02:47  426184  ----a-w-  c:\windows\system32\FlashPlayerApp.exe
    2012-08-01 10:13 . 2012-03-07 03:40  70344  ----a-w-  c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-06-25 14:04 . 2012-06-25 14:04  1394248  ----a-w-  c:\windows\system32\msxml4.dll
    2012-06-12 13:03 . 2012-06-12 13:03  28706188  ----a-w-  c:\programdata\ADPFO8MTAdE.exe
    2012-06-12 13:03 . 2012-06-12 13:03  28922947  ----a-w-  c:\programdata\z98itPM7TtP.exe
    2012-06-12 13:03 . 2012-06-12 13:03  28832756  ----a-w-  c:\programdata\W6rALkliUohj.cpl
    2012-06-12 13:03 . 2012-06-12 13:03  29922198  ----a-w-  c:\programdata\tvXe75Mr.cpl
    2012-06-12 12:21 . 2012-06-12 12:21  117248  ----a-w-  c:\programdata\CPDOY07F.lnk
    2012-06-12 12:21 . 2012-06-12 12:21  27742010  ----a-w-  c:\programdata\5q4doDrH.lnk
    2012-06-12 01:11 . 2012-06-12 01:11  29340265  ----a-w-  c:\programdata\dZvBcJ80e9T8.exe
    2012-06-12 01:11 . 2012-06-12 01:11  30296909  ----a-w-  c:\programdata\iBGxiIm11Qq.exe
    2012-06-12 01:11 . 2012-06-12 01:11  117248  ----a-w-  c:\programdata\tnUxLpV2.lnk
    2012-06-12 01:11 . 2012-06-12 01:11  28226186  ----a-w-  c:\programdata\1V8S7iUp.lnk
    2012-06-12 00:25 . 2012-06-12 00:25  28550886  ----a-w-  c:\programdata\5z8HvF3o3wE.exe
    2012-06-12 00:24 . 2012-06-12 00:24  29100468  ----a-w-  c:\programdata\cwBb5dCh.cpl
    2012-06-12 00:24 . 2012-06-12 00:24  29453405  ----a-w-  c:\programdata\1Yj6bzHV.exe
    2012-06-12 00:24 . 2012-06-12 00:24  117248  ----a-w-  c:\programdata\M5Df2IDq.lnk
    2012-06-12 00:23 . 2012-06-12 00:23  28253334  ----a-w-  c:\programdata\g58fi5I9.lnk
    2012-06-11 18:58 . 2012-06-11 18:58  8733696  ----a-w-  c:\windows\system32\drivers\atikmdag.sys
    2012-06-11 18:35 . 2012-06-11 18:35  58880  ----a-w-  c:\windows\system32\coinst_8.98.dll
    2012-06-11 18:00 . 2012-06-11 18:00  20467712  ----a-w-  c:\windows\system32\atioglxx.dll
    2012-06-11 17:25 . 2012-06-11 17:25  163840  ----a-w-  c:\windows\system32\atiapfxx.exe
    2012-06-11 17:24 . 2011-12-06 03:17  924160  ----a-w-  c:\windows\system32\aticfx32.dll
    2012-06-11 17:20 . 2012-06-11 17:20  442368  ----a-w-  c:\windows\system32\ATIDEMGX.dll
    2012-06-11 17:19 . 2012-06-11 17:19  468992  ----a-w-  c:\windows\system32\atieclxx.exe
    2012-06-11 17:19 . 2012-06-11 17:19  217600  ----a-w-  c:\windows\system32\atiesrxx.exe
    2012-06-11 17:17 . 2012-06-11 17:17  163840  ----a-w-  c:\windows\system32\atitmmxx.dll
    2012-06-11 17:17 . 2012-06-11 17:17  20992  ----a-w-  c:\windows\system32\atimuixx.dll
    2012-06-11 17:17 . 2012-06-11 17:17  43520  ----a-w-  c:\windows\system32\ati2edxx.dll
    2012-06-11 17:16 . 2011-12-06 03:06  6301696  ----a-w-  c:\windows\system32\atidxx32.dll
    2012-06-11 16:45 . 2012-06-11 16:45  46080  ----a-w-  c:\windows\system32\aticalrt.dll
    2012-06-11 16:45 . 2011-12-06 02:33  5480448  ----a-w-  c:\windows\system32\atiumdag.dll
    2012-06-11 16:45 . 2012-06-11 16:45  44032  ----a-w-  c:\windows\system32\aticalcl.dll
    2012-06-11 16:43 . 2011-12-06 02:28  4729344  ----a-w-  c:\windows\system32\atiumdva.dll
    2012-06-11 16:40 . 2012-06-11 16:40  13277696  ----a-w-  c:\windows\system32\aticaldd.dll
    2012-06-11 16:26 . 2012-06-11 16:26  368640  ----a-w-  c:\windows\system32\atiadlxx.dll
    2012-06-11 16:26 . 2012-06-11 16:26  14848  ----a-w-  c:\windows\system32\atiglpxx.dll
    2012-06-11 16:26 . 2012-06-11 16:26  33280  ----a-w-  c:\windows\system32\atigktxx.dll
    2012-06-11 16:25 . 2012-06-11 16:25  295936  ----a-w-  c:\windows\system32\drivers\atikmpag.sys
    2012-06-11 16:25 . 2011-12-06 02:11  42496  ----a-w-  c:\windows\system32\atiuxpag.dll
    2012-06-11 16:24 . 2011-12-06 02:11  32768  ----a-w-  c:\windows\system32\atiu9pag.dll
    2012-06-11 16:24 . 2012-06-11 16:24  53248  ----a-w-  c:\windows\system32\drivers\ati2erec.dll
    2012-06-11 16:23 . 2012-06-11 16:23  56832  ----a-w-  c:\windows\system32\atimpc32.dll
    2012-06-11 16:23 . 2012-06-11 16:23  56832  ----a-w-  c:\windows\system32\amdpcom32.dll
    2012-06-11 11:50 . 2012-06-11 11:50  159232  ----a-w-  c:\windows\system32\clinfo.exe
    2012-06-11 11:50 . 2012-06-11 11:50  65024  ----a-w-  c:\windows\system32\OpenVideo.dll
    2012-06-11 11:50 . 2012-06-11 11:50  56320  ----a-w-  c:\windows\system32\OVDecode.dll
    2012-06-11 11:49 . 2012-06-11 11:49  13008896  ----a-w-  c:\windows\system32\amdocl.dll
    2012-06-11 11:48 . 2012-06-11 11:48  50176  ----a-w-  c:\windows\system32\OpenCL.dll
    2012-06-02 22:19 . 2012-06-21 07:17  45080  ----a-w-  c:\windows\system32\wups2.dll
    2012-06-02 22:19 . 2012-06-21 07:17  53784  ----a-w-  c:\windows\system32\wuauclt.exe
    2012-06-02 22:19 . 2012-06-21 07:17  35864  ----a-w-  c:\windows\system32\wups.dll
    2012-06-02 22:19 . 2012-06-21 07:17  577048  ----a-w-  c:\windows\system32\wuapi.dll
    2012-06-02 22:19 . 2012-06-21 07:17  1933848  ----a-w-  c:\windows\system32\wuaueng.dll
    2012-06-02 22:12 . 2012-06-21 07:17  2422272  ----a-w-  c:\windows\system32\wucltux.dll
    2012-06-02 22:12 . 2012-06-21 07:17  88576  ----a-w-  c:\windows\system32\wudriver.dll
    2012-06-02 13:19 . 2012-06-21 07:17  171904  ----a-w-  c:\windows\system32\wuwebv.dll
    2012-06-02 13:12 . 2012-06-21 07:17  33792  ----a-w-  c:\windows\system32\wuapp.exe
    2012-05-10 14:35 . 2012-05-10 14:35  29184  ----a-w-  c:\windows\system32\kdbsdk32.dll
    2012-06-19 10:57 . 2012-03-07 03:09  85472  ----a-w-  c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ------- Sigcheck -------
    Note: Unsigned files aren't necessarily malware.
    .
    [-] 2012-04-04 . 7BD7F45FF37FA0669CD32CA0EF46E22C . 811520 . . [6.1.7601.17514] . . c:\windows\System32\user32.dll
    [7] 2010-11-20 . F1DD3ACAEE5E6B4BBC69BC6DF75CEF66 . 811520 . . [6.1.7601.17514] . . c:\windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_cf3fd62ccb9e983d\user32.dll
    [7] 2009-07-14 . 34B7E222E81FAFA885F0C5F2CFA56861 . 811520 . . [6.1.7600.16385] . . c:\windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_cd0ec264ceb014a3\user32.dll
    .
    ((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-11-21 3297280]
    "SuperCopier2.exe"="c:\program files\SuperCopier2\SuperCopier2.exe" [2009-08-16 955392]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2012-01-16 10959464]
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-06-11 641704]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
    "hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-07-22 150528]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
    "DNS7reminder"="c:\program files\Nuance\NaturallySpeaking11\Ereg\Ereg.exe" [2007-04-16 259624]
    "TrayServer"="c:\program files\MAGIX\Video_deluxe_MX_Premium_Version_a_telecharger\TrayServer_fr.exe" [2008-09-01 90112]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
    .
    c:\users\Guillaume\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    EvernoteClipper.lnk - c:\program files\Evernote\Evernote\EvernoteClipper.exe [2012-6-13 1014112]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security PackagesREG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
    backupExtension=.CommonStartup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SEO Soft]
    2012-06-27 22:379683456----a-w-c:\users\Guillaume\Desktop\SEO\seosoft.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spotify Web Helper]
    2012-07-30 21:071193176----a-w-c:\users\Guillaume\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
    .
    R1 MpKsl3efc1be4;MpKsl3efc1be4;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{27D4CDEC-99C5-45F6-B3EF-7CB8881198C0}\MpKsl3efc1be4.sys [x]
    R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [x]
    R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
    R3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\Common Files\MAGIX Services\Database\bin\fbserver.exe [x]
    R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [x]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
    R3 NisSrv;Inspection du réseau Microsoft;c:\program files\Microsoft Security Client\NisSrv.exe [x]
    R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
    R3 RTTEAMPT;Realtek Teaming Protocol Driver (NDIS 6.0);c:\windows\system32\DRIVERS\RtTeam60.sys [x]
    R3 RTVLANPT;Realtek Vlan Protocol Driver (NDIS 6.2);c:\windows\system32\DRIVERS\RtVlan60.sys [x]
    R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
    R3 TEAM;Realtek Virtual Miniport Driver for Teaming (NDIS 6.0);c:\windows\system32\DRIVERS\RtTeam60.sys [x]
    R3 TsUsbFlt;TsUsbFlt; [x]
    S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
    S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [x]
    S2 AODDriver4.01;AODDriver4.01;c:\program files\ATI Technologies\ATI.ACE\Fuel\i386\AODDriver2.sys [x]
    S2 DragonSvc;Dragon Service;c:\program files\Common Files\Nuance\dgnsvc.exe [x]
    S2 Fabs;FABS - Helping agent for MAGIX media database;c:\program files\Common Files\MAGIX Services\Database\bin\FABS.exe [x]
    S2 RtNdPt60;Realtek NDIS Protocol Driver;c:\windows\system32\DRIVERS\RtNdPt60.sys [x]
    S3 amdiox86;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox86.sys [x]
    S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
    S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
    S3 anvsnddrv;AnvSoft Virtual Sound Device;c:\windows\system32\drivers\anvsnddrv.sys [x]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [x]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    HPServiceREG_MULTI_SZ HPSLPSVC
    hpdevmgmtREG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    Contenu du dossier 'Tâches planifiées'
    .
    2012-08-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1266765766-3627827974-3855528514-1000Core.job
    - c:\users\Guillaume\AppData\Local\Google\Update\GoogleUpdate.exe [2012-03-07 03:05]
    .
    2012-08-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1266765766-3627827974-3855528514-1000UA.job
    - c:\users\Guillaume\AppData\Local\Google\Update\GoogleUpdate.exe [2012-03-07 03:05]
    .
    .
    ------- Examen supplémentaire -------
    .
    IE: Add to Evernote 4.0 - c:\program files\Evernote\Evernote\EvernoteIE.dll/204
    IE: E&xporter vers Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.1.1
    FF - ProfilePath - c:\users\Guillaume\AppData\Roaming\Mozilla\Firefox\Profiles\7jfiaj5u.default\
    FF - prefs.js: browser.startup.homepage - about:home
    FF - user.js: extensions.incredibar_i.newTab - false
    FF - user.js: extensions.incredibar_i.tlbrSrchUrl - hxxp://mystart.Incredibar.com/?a=6OyDtifZCv&loc=IB_TB&I=26&search=
    FF - user.js: extensions.incredibar_i.id - 82dd1dd30000000000001c6f652fedc7
    FF - user.js: extensions.incredibar_i.instlDay - 15490
    FF - user.js: extensions.incredibar_i.vrsn - 1.5.11.14
    FF - user.js: extensions.incredibar_i.vrsni - 1.5.11.14
    FF - user.js: extensions.incredibar_i.vrsnTs - 1.5.11.141:00
    FF - user.js: extensions.incredibar_i.prtnrId - Incredibar
    FF - user.js: extensions.incredibar_i.prdct - incredibar
    FF - user.js: extensions.incredibar_i.aflt - orgnl
    FF - user.js: extensions.incredibar_i.smplGrp - none
    FF - user.js: extensions.incredibar_i.tlbrId - base
    FF - user.js: extensions.incredibar_i.instlRef -
    FF - user.js: extensions.incredibar_i.dfltLng -
    FF - user.js: extensions.incredibar_i.excTlbr - false
    FF - user.js: extensions.incredibar_i.ms_url_id -
    FF - user.js: extensions.incredibar_i.upn2 - 6OyDtifZCv
    FF - user.js: extensions.incredibar_i.upn2n - 92261501500262927
    FF - user.js: extensions.incredibar_i.productid - 26
    FF - user.js: extensions.incredibar_i.installerproductid - 26
    FF - user.js: extensions.incredibar_i.did - 10643
    FF - user.js: extensions.incredibar_i.ppd - 1
    .
    - - - - ORPHELINS SUPPRIMES - - - -
    .
    AddRemove-Adobe Flash Player ActiveX - c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
    AddRemove-{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D} - c:\program files\PDFCreator\unins000.exe
    .
    .
    .
    --------------------- CLES DE REGISTRE BLOQUEES ---------------------
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Heure de fin: 2012-08-02 03:04:17
    ComboFix-quarantined-files.txt 2012-08-02 01:04
    .
    Avant-CF: 31 745 818 624 octets libres
    Après-CF: 31 771 217 920 octets libres
    .
    - - End Of File - - A47A250345ED8B1E42CC7BB15D963672
     
  21. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    1. Please open Notepad (Start>All Programs>Accessories>Notepad).

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\programdata\tnUxLpV2.lnk
    c:\programdata\iBGxiIm11Qq.exe
    c:\programdata\dZvBcJ80e9T8.exe
    c:\programdata\5q4doDrH.lnk
    c:\programdata\CPDOY07F.lnk
    c:\programdata\tvXe75Mr.cpl
    c:\programdata\W6rALkliUohj.cpl
    c:\programdata\z98itPM7TtP.exe
    c:\programdata\ADPFO8MTAdE.exe
    c:\programdata\g58fi5I9.lnk
    c:\programdata\M5Df2IDq.lnk
    c:\programdata\1Yj6bzHV.exe
    c:\programdata\cwBb5dCh.cpl
    c:\programdata\5z8HvF3o3wE.exe
    c:\programdata\1V8S7iUp.lnk
    
    ClearJavaCache::
    

    3. Save the above as CFScript.txt

4. Close/disable all anti-virus and anti-malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[IMG]


6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
     
  22. Kysban

    Kysban TS Rookie Topic Starter Posts: 17

    ComboFix 12-07-31.03 - Guillaume 02/08/2012 4:07.2.4 - x86
    Microsoft Windows 7 Édition Intégrale 6.1.7601.1.1252.33.1033.18.3326.2180 [GMT 2:00]
    Lancé depuis: c:\users\Guillaume\Desktop\ComboFix.exe
    Commutateurs utilisés :: c:\users\Guillaume\Desktop\CFScript.txt
    AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
    SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    FILE ::
    "c:\programdata\1V8S7iUp.lnk"
    "c:\programdata\1Yj6bzHV.exe"
    "c:\programdata\5q4doDrH.lnk"
    "c:\programdata\5z8HvF3o3wE.exe"
    "c:\programdata\ADPFO8MTAdE.exe"
    "c:\programdata\CPDOY07F.lnk"
    "c:\programdata\cwBb5dCh.cpl"
    "c:\programdata\dZvBcJ80e9T8.exe"
    "c:\programdata\g58fi5I9.lnk"
    "c:\programdata\iBGxiIm11Qq.exe"
    "c:\programdata\M5Df2IDq.lnk"
    "c:\programdata\tnUxLpV2.lnk"
    "c:\programdata\tvXe75Mr.cpl"
    "c:\programdata\W6rALkliUohj.cpl"
    "c:\programdata\z98itPM7TtP.exe"
    .
    .
    (((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\programdata\1V8S7iUp.lnk
    c:\programdata\1Yj6bzHV.exe
    c:\programdata\5q4doDrH.lnk
    c:\programdata\5z8HvF3o3wE.exe
    c:\programdata\ADPFO8MTAdE.exe
    c:\programdata\CPDOY07F.lnk
    c:\programdata\cwBb5dCh.cpl
    c:\programdata\dZvBcJ80e9T8.exe
    c:\programdata\g58fi5I9.lnk
    c:\programdata\iBGxiIm11Qq.exe
    c:\programdata\M5Df2IDq.lnk
    c:\programdata\tnUxLpV2.lnk
    c:\programdata\tvXe75Mr.cpl
    c:\programdata\W6rALkliUohj.cpl
    c:\programdata\z98itPM7TtP.exe
    .
    .
    ((((((((((((((((((((((((((((( Fichiers créés du 2012-07-02 au 2012-08-02 ))))))))))))))))))))))))))))))))))))
    .
    .
    2012-08-02 02:13 . 2012-08-02 02:13--------d-----w-c:\users\Guillaume\AppData\Local\temp
    2012-08-02 02:13 . 2012-08-02 02:13--------d-----w-c:\users\Default\AppData\Local\temp
    2012-08-02 01:53 . 2012-08-02 01:5356200----a-w-c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{D8184051-A898-415F-88B7-693CF584A8BB}\offreg.dll
    2012-08-02 00:43 . 2012-08-02 00:43713784----a-w-c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{CE76F6DD-1D22-48C5-BE0D-9CC4CDCF681A}\gapaengine.dll
    2012-08-02 00:43 . 2012-06-28 23:446891424----a-w-c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{D8184051-A898-415F-88B7-693CF584A8BB}\mpengine.dll
    2012-08-02 00:37 . 2012-08-02 00:375710----a-w-c:\windows\system32\PerfStringBackup.TMP
    2012-08-01 21:51 . 2012-08-01 21:52--------d-----w-C:\FRST
    2012-08-01 11:07 . 2012-08-01 11:07--------d-----w-c:\program files\Microsoft Security Client
    2012-08-01 10:53 . 2012-08-01 10:5314080----a-w-c:\windows\system32\drivers\TrueSight.sys
    2012-08-01 10:47 . 2012-08-01 10:47--------d-----w-c:\users\Guillaume\AppData\Local\Wajam
    2012-08-01 10:47 . 2012-08-01 10:47--------d-----w-c:\program files\Wajam
    2012-08-01 10:19 . 2012-08-01 10:19--------d-sh--w-c:\windows\system32\%APPDATA%
    2012-07-30 23:44 . 2012-07-30 23:44--------d-----w-c:\program files\AMD APP
    2012-07-30 23:39 . 2012-07-30 23:39--------d-----w-c:\program files\ATI
    2012-07-30 21:16 . 2012-06-06 05:05143360----a-w-c:\program files\Common Files\System\ado\msjro.dll
    2012-07-30 21:16 . 2012-06-06 05:05212992----a-w-c:\program files\Common Files\System\msadc\msadco.dll
    2012-07-30 21:16 . 2012-06-06 05:05372736----a-w-c:\program files\Common Files\System\ado\msadox.dll
    2012-07-30 21:16 . 2012-06-06 05:0557344----a-w-c:\program files\Common Files\System\ado\msador15.dll
    2012-07-30 21:16 . 2012-06-06 05:05352256----a-w-c:\program files\Common Files\System\ado\msadomd.dll
    2012-07-30 21:16 . 2012-06-06 05:051019904----a-w-c:\program files\Common Files\System\ado\msado15.dll
    2012-07-30 21:16 . 2012-06-06 05:03805376----a-w-c:\windows\system32\cdosys.dll
    2012-07-30 21:07 . 2012-07-30 21:14--------d-----w-c:\users\Guillaume\AppData\Local\Spotify
    2012-07-30 21:06 . 2012-07-30 21:15--------d-----w-c:\users\Guillaume\AppData\Roaming\Spotify
    2012-07-30 20:52 . 2012-06-12 02:402345984----a-w-c:\windows\system32\win32k.sys
    2012-07-30 20:43 . 2012-04-24 04:36140288----a-w-c:\windows\system32\cryptsvc.dll
    2012-07-30 20:43 . 2012-04-24 04:361158656----a-w-c:\windows\system32\crypt32.dll
    2012-07-30 20:43 . 2012-04-24 04:36103936----a-w-c:\windows\system32\cryptnet.dll
    2012-07-16 22:05 . 2012-06-02 04:45134000----a-w-c:\windows\system32\drivers\ksecpkg.sys
    2012-07-16 22:05 . 2012-06-02 04:40369336----a-w-c:\windows\system32\drivers\cng.sys
    2012-07-16 22:05 . 2012-06-02 04:40225280----a-w-c:\windows\system32\schannel.dll
    2012-07-16 22:05 . 2012-06-02 04:39219136----a-w-c:\windows\system32\ncrypt.dll
    2012-07-16 22:05 . 2012-06-02 04:4567440----a-w-c:\windows\system32\drivers\ksecdd.sys
    2012-07-16 22:05 . 2012-03-30 10:231291632----a-w-c:\windows\system32\drivers\tcpip.sys
    2012-07-16 22:05 . 2012-06-06 05:051390080----a-w-c:\windows\system32\msxml6.dll
    2012-07-16 22:05 . 2012-06-06 05:051236992----a-w-c:\windows\system32\msxml3.dll
    2012-07-16 22:05 . 2010-06-26 03:242048----a-w-c:\windows\system32\msxml3r.dll
    2012-07-16 21:15 . 2012-07-16 21:15--------d-----w-c:\programdata\ATI
    2012-07-16 21:15 . 2012-07-16 21:15--------d-----w-c:\program files\AMD AVT
    .
    .
    .
    (((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-08-01 10:13 . 2012-04-04 02:47426184----a-w-c:\windows\system32\FlashPlayerApp.exe
    2012-08-01 10:13 . 2012-03-07 03:4070344----a-w-c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-06-25 14:04 . 2012-06-25 14:041394248----a-w-c:\windows\system32\msxml4.dll
    2012-06-11 18:58 . 2012-06-11 18:588733696----a-w-c:\windows\system32\drivers\atikmdag.sys
    2012-06-11 18:35 . 2012-06-11 18:3558880----a-w-c:\windows\system32\coinst_8.98.dll
    2012-06-11 18:00 . 2012-06-11 18:0020467712----a-w-c:\windows\system32\atioglxx.dll
    2012-06-11 17:25 . 2012-06-11 17:25163840----a-w-c:\windows\system32\atiapfxx.exe
    2012-06-11 17:24 . 2011-12-06 03:17924160----a-w-c:\windows\system32\aticfx32.dll
    2012-06-11 17:20 . 2012-06-11 17:20442368----a-w-c:\windows\system32\ATIDEMGX.dll
    2012-06-11 17:19 . 2012-06-11 17:19468992----a-w-c:\windows\system32\atieclxx.exe
    2012-06-11 17:19 . 2012-06-11 17:19217600----a-w-c:\windows\system32\atiesrxx.exe
    2012-06-11 17:17 . 2012-06-11 17:17163840----a-w-c:\windows\system32\atitmmxx.dll
    2012-06-11 17:17 . 2012-06-11 17:1720992----a-w-c:\windows\system32\atimuixx.dll
    2012-06-11 17:17 . 2012-06-11 17:1743520----a-w-c:\windows\system32\ati2edxx.dll
    2012-06-11 17:16 . 2011-12-06 03:066301696----a-w-c:\windows\system32\atidxx32.dll
    2012-06-11 16:45 . 2012-06-11 16:4546080----a-w-c:\windows\system32\aticalrt.dll
    2012-06-11 16:45 . 2011-12-06 02:335480448----a-w-c:\windows\system32\atiumdag.dll
    2012-06-11 16:45 . 2012-06-11 16:4544032----a-w-c:\windows\system32\aticalcl.dll
    2012-06-11 16:43 . 2011-12-06 02:284729344----a-w-c:\windows\system32\atiumdva.dll
    2012-06-11 16:40 . 2012-06-11 16:4013277696----a-w-c:\windows\system32\aticaldd.dll
    2012-06-11 16:26 . 2012-06-11 16:26368640----a-w-c:\windows\system32\atiadlxx.dll
    2012-06-11 16:26 . 2012-06-11 16:2614848----a-w-c:\windows\system32\atiglpxx.dll
    2012-06-11 16:26 . 2012-06-11 16:2633280----a-w-c:\windows\system32\atigktxx.dll
    2012-06-11 16:25 . 2012-06-11 16:25295936----a-w-c:\windows\system32\drivers\atikmpag.sys
    2012-06-11 16:25 . 2011-12-06 02:1142496----a-w-c:\windows\system32\atiuxpag.dll
    2012-06-11 16:24 . 2011-12-06 02:1132768----a-w-c:\windows\system32\atiu9pag.dll
    2012-06-11 16:24 . 2012-06-11 16:2453248----a-w-c:\windows\system32\drivers\ati2erec.dll
    2012-06-11 16:23 . 2012-06-11 16:2356832----a-w-c:\windows\system32\atimpc32.dll
    2012-06-11 16:23 . 2012-06-11 16:2356832----a-w-c:\windows\system32\amdpcom32.dll
    2012-06-11 11:50 . 2012-06-11 11:50159232----a-w-c:\windows\system32\clinfo.exe
    2012-06-11 11:50 . 2012-06-11 11:5065024----a-w-c:\windows\system32\OpenVideo.dll
    2012-06-11 11:50 . 2012-06-11 11:5056320----a-w-c:\windows\system32\OVDecode.dll
    2012-06-11 11:49 . 2012-06-11 11:4913008896----a-w-c:\windows\system32\amdocl.dll
    2012-06-11 11:48 . 2012-06-11 11:4850176----a-w-c:\windows\system32\OpenCL.dll
    2012-06-02 22:19 . 2012-06-21 07:1745080----a-w-c:\windows\system32\wups2.dll
    2012-06-02 22:19 . 2012-06-21 07:1753784----a-w-c:\windows\system32\wuauclt.exe
    2012-06-02 22:19 . 2012-06-21 07:1735864----a-w-c:\windows\system32\wups.dll
    2012-06-02 22:19 . 2012-06-21 07:17577048----a-w-c:\windows\system32\wuapi.dll
    2012-06-02 22:19 . 2012-06-21 07:171933848----a-w-c:\windows\system32\wuaueng.dll
    2012-06-02 22:12 . 2012-06-21 07:172422272----a-w-c:\windows\system32\wucltux.dll
    2012-06-02 22:12 . 2012-06-21 07:1788576----a-w-c:\windows\system32\wudriver.dll
    2012-06-02 13:19 . 2012-06-21 07:17171904----a-w-c:\windows\system32\wuwebv.dll
    2012-06-02 13:12 . 2012-06-21 07:1733792----a-w-c:\windows\system32\wuapp.exe
    2012-05-10 14:35 . 2012-05-10 14:3529184----a-w-c:\windows\system32\kdbsdk32.dll
    2012-06-19 10:57 . 2012-03-07 03:0985472----a-w-c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ------- Sigcheck -------
    Note: Unsigned files aren't necessarily malware.
    .
    [-] 2012-04-04 . 7BD7F45FF37FA0669CD32CA0EF46E22C . 811520 . . [6.1.7601.17514] . . c:\windows\System32\user32.dll
    [7] 2010-11-20 . F1DD3ACAEE5E6B4BBC69BC6DF75CEF66 . 811520 . . [6.1.7601.17514] . . c:\windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_cf3fd62ccb9e983d\user32.dll
    [7] 2009-07-14 . 34B7E222E81FAFA885F0C5F2CFA56861 . 811520 . . [6.1.7600.16385] . . c:\windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_cd0ec264ceb014a3\user32.dll
    .
    ((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-11-21 3297280]
    "SuperCopier2.exe"="c:\program files\SuperCopier2\SuperCopier2.exe" [2009-08-16 955392]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2012-01-16 10959464]
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-06-11 641704]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
    "hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-07-22 150528]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
    "DNS7reminder"="c:\program files\Nuance\NaturallySpeaking11\Ereg\Ereg.exe" [2007-04-16 259624]
    "TrayServer"="c:\program files\MAGIX\Video_deluxe_MX_Premium_Version_a_telecharger\TrayServer_fr.exe" [2008-09-01 90112]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
    .
    c:\users\Guillaume\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    EvernoteClipper.lnk - c:\program files\Evernote\Evernote\EvernoteClipper.exe [2012-6-13 1014112]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security PackagesREG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
    backupExtension=.CommonStartup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SEO Soft]
    2012-06-27 22:379683456----a-w-c:\users\Guillaume\Desktop\SEO\seosoft.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spotify Web Helper]
    2012-07-30 21:071193176----a-w-c:\users\Guillaume\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
    .
    R1 MpKsl3efc1be4;MpKsl3efc1be4;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{27D4CDEC-99C5-45F6-B3EF-7CB8881198C0}\MpKsl3efc1be4.sys [x]
    R2 AODDriver4.1;AODDriver4.1;c:\program files\ATI Technologies\ATI.ACE\Fuel\i386\AODDriver2.sys [x]
    R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [x]
    R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
    R3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\Common Files\MAGIX Services\Database\bin\fbserver.exe [x]
    R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [x]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
    R3 NisSrv;Inspection du réseau Microsoft;c:\program files\Microsoft Security Client\NisSrv.exe [x]
    R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
    R3 RTTEAMPT;Realtek Teaming Protocol Driver (NDIS 6.0);c:\windows\system32\DRIVERS\RtTeam60.sys [x]
    R3 RTVLANPT;Realtek Vlan Protocol Driver (NDIS 6.2);c:\windows\system32\DRIVERS\RtVlan60.sys [x]
    R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
    R3 TEAM;Realtek Virtual Miniport Driver for Teaming (NDIS 6.0);c:\windows\system32\DRIVERS\RtTeam60.sys [x]
    R3 TsUsbFlt;TsUsbFlt; [x]
    S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
    S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [x]
    S2 AODDriver4.01;AODDriver4.01;c:\program files\ATI Technologies\ATI.ACE\Fuel\i386\AODDriver2.sys [x]
    S2 DragonSvc;Dragon Service;c:\program files\Common Files\Nuance\dgnsvc.exe [x]
    S2 Fabs;FABS - Helping agent for MAGIX media database;c:\program files\Common Files\MAGIX Services\Database\bin\FABS.exe [x]
    S2 RtNdPt60;Realtek NDIS Protocol Driver;c:\windows\system32\DRIVERS\RtNdPt60.sys [x]
    S3 amdiox86;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox86.sys [x]
    S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
    S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
    S3 anvsnddrv;AnvSoft Virtual Sound Device;c:\windows\system32\drivers\anvsnddrv.sys [x]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [x]
    .
    .
    --- Autres Services/Pilotes en mémoire ---
    .
    *NewlyCreated* - WS2IFSL
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    HPServiceREG_MULTI_SZ HPSLPSVC
    hpdevmgmtREG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    Contenu du dossier 'Tâches planifiées'
    .
    2012-08-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1266765766-3627827974-3855528514-1000Core.job
    - c:\users\Guillaume\AppData\Local\Google\Update\GoogleUpdate.exe [2012-03-07 03:05]
    .
    2012-08-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1266765766-3627827974-3855528514-1000UA.job
    - c:\users\Guillaume\AppData\Local\Google\Update\GoogleUpdate.exe [2012-03-07 03:05]
    .
    .
    ------- Examen supplémentaire -------
    .
    IE: Add to Evernote 4.0 - c:\program files\Evernote\Evernote\EvernoteIE.dll/204
    IE: E&xporter vers Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.1.1
    FF - ProfilePath - c:\users\Guillaume\AppData\Roaming\Mozilla\Firefox\Profiles\7jfiaj5u.default\
    FF - prefs.js: browser.startup.homepage - about:home
    FF - user.js: extensions.incredibar_i.newTab - false
    FF - user.js: extensions.incredibar_i.tlbrSrchUrl - hxxp://mystart.Incredibar.com/?a=6OyDtifZCv&loc=IB_TB&I=26&search=
    FF - user.js: extensions.incredibar_i.id - 82dd1dd30000000000001c6f652fedc7
    FF - user.js: extensions.incredibar_i.instlDay - 15490
    FF - user.js: extensions.incredibar_i.vrsn - 1.5.11.14
    FF - user.js: extensions.incredibar_i.vrsni - 1.5.11.14
    FF - user.js: extensions.incredibar_i.vrsnTs - 1.5.11.141:00
    FF - user.js: extensions.incredibar_i.prtnrId - Incredibar
    FF - user.js: extensions.incredibar_i.prdct - incredibar
    FF - user.js: extensions.incredibar_i.aflt - orgnl
    FF - user.js: extensions.incredibar_i.smplGrp - none
    FF - user.js: extensions.incredibar_i.tlbrId - base
    FF - user.js: extensions.incredibar_i.instlRef -
    FF - user.js: extensions.incredibar_i.dfltLng -
    FF - user.js: extensions.incredibar_i.excTlbr - false
    FF - user.js: extensions.incredibar_i.ms_url_id -
    FF - user.js: extensions.incredibar_i.upn2 - 6OyDtifZCv
    FF - user.js: extensions.incredibar_i.upn2n - 92261501500262927
    FF - user.js: extensions.incredibar_i.productid - 26
    FF - user.js: extensions.incredibar_i.installerproductid - 26
    FF - user.js: extensions.incredibar_i.did - 10643
    FF - user.js: extensions.incredibar_i.ppd - 1
    .
    .
    --------------------- CLES DE REGISTRE BLOQUEES ---------------------
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Heure de fin: 2012-08-02 04:14:32
    ComboFix-quarantined-files.txt 2012-08-02 02:14
    ComboFix2.txt 2012-08-02 01:04
    .
    Avant-CF: 31 865 892 864 octets libres
    Après-CF: 31 818 104 832 octets libres
    .
    - - End Of File - - A5EC587E330C8E8EC9E529BCE435455D
     
  23. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    Good :)

    How is computer doing?

    ==============================

    Download Malwarebytes' Anti-Malware (MBAM): http://www.malwarebytes.org/products/malwarebytes_free to your desktop.
    NOTE. If you already have MBAM installed, update it before running the scan.

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform quick scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    Be sure to restart the computer IF MBAM asks you to do so.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    ==============================

    Download OTL to your Desktop.
    Alternate download: http://www.itxassociates.com/OT-Tools/OTL.exe

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
• Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  24. Kysban

    Kysban TS Rookie Topic Starter Posts: 17

    I thought the computer was doing fine until this morning... Apparently, according to Microsoft Security Essentials, Sirefef.AN/AO/AG...
     
  25. Kysban

    Kysban TS Rookie Topic Starter Posts: 17

    This time, I identified which website is infected... Sorry again and thank you for your help...
    For the moment, it doesn't restart my computer every minute.

    Here are frst.txt and search.txt :

    Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 25-07-2012 01
    Ran by SYSTEM at 02-08-2012 13:29:35
    Running from G:\
    Windows 7 Ultimate (X86) OS Language: English(US)
    The current controlset is ControlSet001

    ========================== Registry (Whitelisted) =============

    HKLM\...\Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s [10959464 2012-01-15] (Realtek Semiconductor)
    HKLM\...\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [641704 2012-06-11] (Advanced Micro Devices, Inc.)
    HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2011-10-24] (Apple Inc.)
    HKLM\...\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [54840 2007-05-08] (Hewlett-Packard)
    HKLM\...\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe [150528 2008-07-22] (Hewlett-Packard)
    HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-03] (Adobe Systems Incorporated)
    HKLM\...\Run: [DNS7reminder] "C:\Program Files\Nuance\NaturallySpeaking11\Ereg\Ereg.exe" -r "C:\ProgramData\Nuance\NaturallySpeaking11\Ereg.ini [301 2012-07-30] ()
    HKLM\...\Run: [TrayServer] C:\Program Files\MAGIX\Video_deluxe_MX_Premium_Version_a_telecharger\TrayServer_fr.exe [90112 2008-09-01] (Magix)
    HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [252296 2012-01-17] (Sun Microsystems, Inc.)
    HKLM\...\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [931200 2012-03-26] (Microsoft Corporation)
    HKU\Guillaume\...\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart [3297280 2007-11-20] (Google)
    HKU\Guillaume\...\Run: [SuperCopier2.exe] C:\Program Files\SuperCopier2\SuperCopier2.exe [955392 2009-08-16] (SFX TEAM)
    Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
    Startup: C:\Users\Guillaume\Start Menu\Programs\Startup\EvernoteClipper.lnk
    ShortcutTarget: EvernoteClipper.lnk -> C:\Program Files\Evernote\Evernote\EvernoteClipper.exe (Evernote Corp., 333 W Evelyn Ave. Mountain View, CA 94041)

    ================================ Services (Whitelisted) ==================

    2 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe /launchService [291840 2012-06-11] (Advanced Micro Devices, Inc.)
    2 DragonSvc; C:\Program Files\Common Files\Nuance\dgnsvc.exe [296808 2010-08-12] (Nuance Communications, Inc.)
    2 eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [20992 2009-07-13] (Microsoft Corporation)
    2 Fabs; C:\Program Files\Common Files\MAGIX Services\Database\bin\FABS.exe /DisableUI [1840128 2011-05-24] (MAGIX AG)
    3 FirebirdServerMAGIXInstance; "C:\Program Files\Common Files\MAGIX Services\Database\bin\fbserver.exe" [2702848 2011-04-26] (MAGIX®)
    2 MDM; "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe" [335872 2006-10-26] (Microsoft Corporation)
    2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [11552 2012-03-26] (Microsoft Corporation)
    3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [214952 2012-03-26] (Microsoft Corporation)
    2 SkypeUpdate; "C:\Program Files\Skype\Updater\Updater.exe" [160944 2012-07-03] (Skype Technologies)

    ========================== Drivers (Whitelisted) =============

    2 AODDriver4.01; \??\C:\Program Files\ATI Technologies\ATI.ACE\Fuel\i386\AODDriver2.sys [45184 2012-03-05] (Advanced Micro Devices)
    2 AODDriver4.1; \??\C:\Program Files\ATI Technologies\ATI.ACE\Fuel\i386\AODDriver2.sys [45184 2012-03-05] (Advanced Micro Devices)
    0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [171064 2012-03-20] (Microsoft Corporation)
    3 RTHDMIAzAudService; C:\Windows\System32\drivers\RtHDMIV.sys [199528 2011-12-02] (Realtek Semiconductor Corp.)
    2 RtNdPt60; C:\Windows\System32\DRIVERS\RtNdPt60.sys [27648 2010-12-13] (Realtek )
    3 RTTEAMPT; C:\Windows\System32\DRIVERS\RtTeam60.sys [50280 2010-12-13] (Realtek Corporation)
    3 RTVLANPT; C:\Windows\System32\DRIVERS\RtVlan60.sys [19968 2010-12-13] (Windows (R) Codename Longhorn DDK provider)
    3 TEAM; C:\Windows\System32\DRIVERS\RtTeam60.sys [50280 2010-12-13] (Realtek Corporation)
    3 catchme; \??\C:\Users\GUILLA~1\AppData\Local\Temp\catchme.sys [x]
    3 Synth3dVsc; C:\Windows\System32\drivers\synth3dvsc.sys [x]
    3 tsusbhub; C:\Windows\System32\drivers\tsusbhub.sys [x]
    3 VGPU; C:\Windows\System32\drivers\rdvgkmd.sys [x]

    ========================== NetSvcs (Whitelisted) ===========


    ============ One Month Created Files and Folders ==============

    2012-08-02 03:23 - 2012-08-02 03:25 - 00000112 ____A C:\Windows\setupact.log
    2012-08-02 03:23 - 2012-08-02 03:23 - 00000000 ____A C:\Windows\setuperr.log
    2012-08-02 02:35 - 2012-08-02 02:35 - 00000000 ____D C:\Windows\System32\config\HiveBackup
    2012-08-01 18:14 - 2012-08-01 18:14 - 00018188 ____A C:\ComboFix.txt
    2012-08-01 16:55 - 2012-08-01 18:14 - 00000000 ___AD C:\Qoobox
    2012-08-01 16:55 - 2012-08-01 17:03 - 00000000 ____D C:\Windows\erdnt
    2012-08-01 16:55 - 2011-06-25 22:45 - 00256000 ____A C:\Windows\PEV.exe
    2012-08-01 16:55 - 2010-11-07 09:20 - 00208896 ____A C:\Windows\MBR.exe
    2012-08-01 16:55 - 2009-04-19 20:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
    2012-08-01 16:55 - 2000-08-30 16:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
    2012-08-01 16:55 - 2000-08-30 16:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
    2012-08-01 16:55 - 2000-08-30 16:00 - 00098816 ____A C:\Windows\sed.exe
    2012-08-01 16:55 - 2000-08-30 16:00 - 00080412 ____A C:\Windows\grep.exe
    2012-08-01 16:55 - 2000-08-30 16:00 - 00068096 ____A C:\Windows\zip.exe
    2012-08-01 16:54 - 2012-08-01 16:50 - 04722680 ____R (Swearware) C:\Users\Guillaume\Desktop\ComboFix.exe
    2012-08-01 16:42 - 2012-08-01 16:43 - 00000000 ____D C:\Users\Guillaume\AppData\Local\{C5CFD03C-C5EF-46D9-991A-647268AF32ED}
    2012-08-01 16:42 - 2012-08-01 16:42 - 00000000 ____D C:\Users\Guillaume\AppData\Local\{6AA8AFDA-C7AC-4574-810D-BFB29B845403}
    2012-08-01 16:37 - 2012-08-01 16:37 - 00005710 ____A C:\Windows\System32\PerfStringBackup.TMP
    2012-08-01 13:51 - 2012-08-01 13:52 - 00000000 ____D C:\FRST
    2012-08-01 03:07 - 2012-08-01 03:07 - 00000000 ____D C:\Program Files\Microsoft Security Client
    2012-08-01 03:03 - 2012-08-01 03:03 - 10299264 ____A (Microsoft Corporation) C:\Users\Guillaume\Downloads\mseinstall (1).exe
    2012-08-01 02:53 - 2012-08-01 02:53 - 01552384 ____A C:\Users\Guillaume\Downloads\RogueKiller-7.6.4.exe
    2012-08-01 02:53 - 2012-08-01 02:53 - 00014080 ____A C:\Windows\System32\Drivers\TrueSight.sys
    2012-08-01 02:47 - 2012-08-01 02:47 - 00000000 ____D C:\Users\Guillaume\AppData\Local\Wajam
    2012-08-01 02:47 - 2012-08-01 02:47 - 00000000 ____D C:\Program Files\Wajam
    2012-08-01 02:46 - 2012-08-01 02:47 - 00014572 ____A C:\INSTALLHELPER.LOG
    2012-08-01 02:46 - 2012-08-01 02:46 - 00665696 ____A (OptimumInstaller) C:\Users\Guillaume\Downloads\Setup.exe
    2012-08-01 02:34 - 2012-08-01 02:34 - 00388608 ____A (Trend Micro Inc.) C:\Users\Guillaume\Downloads\HijackThis.exe
    2012-08-01 02:31 - 2012-08-01 02:31 - 01402880 ____A C:\Users\Guillaume\Downloads\hijackthis_hijackthis_2.0.4_anglais_17891.msi
    2012-08-01 02:19 - 2012-08-01 02:19 - 00000000 __SHD C:\Windows\System32\%APPDATA%
    2012-08-01 00:33 - 2012-08-01 00:34 - 00000000 ____D C:\Users\Guillaume\AppData\Local\{89DE1A0B-B4DE-49E8-A511-757B47164C43}
    2012-08-01 00:33 - 2012-08-01 00:33 - 00000000 ____D C:\Users\Guillaume\AppData\Local\{406E7CE8-4A76-45C5-B4F3-F5759F0990FE}

    ============ 3 Months Modified Files ========================

    2012-08-02 03:25 - 2012-08-02 03:23 - 00000112 ____A C:\Windows\setupact.log
    2012-08-02 03:25 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-08-02 03:23 - 2012-08-02 03:23 - 00000000 ____A C:\Windows\setuperr.log
    2012-08-02 03:21 - 2012-03-06 17:51 - 01406417 ____A C:\Windows\WindowsUpdate.log
    2012-08-02 03:20 - 2012-03-06 19:05 - 00001094 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1266765766-3627827974-3855528514-1000UA.job
    2012-08-01 21:29 - 2012-03-06 19:05 - 00001042 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1266765766-3627827974-3855528514-1000Core.job
    2012-08-01 18:59 - 2012-03-07 16:23 - 00409088 ____A (Microsoft Corporation) C:\Windows\System32\systemcpl.dll
    2012-08-01 18:59 - 2009-07-13 20:34 - 00010128 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2012-08-01 18:59 - 2009-07-13 20:34 - 00010128 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2012-08-01 18:14 - 2012-08-01 18:14 - 00018188 ____A C:\ComboFix.txt
    2012-08-01 18:13 - 2009-07-13 18:04 - 00000215 ____A C:\Windows\system.ini
    2012-08-01 16:50 - 2012-08-01 16:54 - 04722680 ____R (Swearware) C:\Users\Guillaume\Desktop\ComboFix.exe
    2012-08-01 16:37 - 2012-08-01 16:37 - 00005710 ____A C:\Windows\System32\PerfStringBackup.TMP
    2012-08-01 03:08 - 2012-03-06 20:33 - 00001945 ____A C:\Windows\epplauncher.mif
    2012-08-01 03:07 - 2012-03-06 17:59 - 01603068 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-08-01 03:03 - 2012-08-01 03:03 - 10299264 ____A (Microsoft Corporation) C:\Users\Guillaume\Downloads\mseinstall (1).exe
    2012-08-01 02:53 - 2012-08-01 02:53 - 01552384 ____A C:\Users\Guillaume\Downloads\RogueKiller-7.6.4.exe
    2012-08-01 02:53 - 2012-08-01 02:53 - 00014080 ____A C:\Windows\System32\Drivers\TrueSight.sys
    2012-08-01 02:47 - 2012-08-01 02:46 - 00014572 ____A C:\INSTALLHELPER.LOG
    2012-08-01 02:46 - 2012-08-01 02:46 - 00665696 ____A (OptimumInstaller) C:\Users\Guillaume\Downloads\Setup.exe
    2012-08-01 02:34 - 2012-08-01 02:34 - 00388608 ____A (Trend Micro Inc.) C:\Users\Guillaume\Downloads\HijackThis.exe
    2012-08-01 02:31 - 2012-08-01 02:31 - 01402880 ____A C:\Users\Guillaume\Downloads\hijackthis_hijackthis_2.0.4_anglais_17891.msi
    2012-08-01 02:13 - 2012-04-03 18:47 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
    2012-08-01 02:13 - 2012-03-06 19:40 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl

    ZeroAccess:
    C:\Users\Guillaume\AppData\Local\{955b7c99-12db-61e4-d051-b536dcac8f4c}
    C:\Users\Guillaume\AppData\Local\{955b7c99-12db-61e4-d051-b536dcac8f4c}\@
    C:\Users\Guillaume\AppData\Local\{955b7c99-12db-61e4-d051-b536dcac8f4c}\L
    C:\Users\Guillaume\AppData\Local\{955b7c99-12db-61e4-d051-b536dcac8f4c}\n
    C:\Users\Guillaume\AppData\Local\{955b7c99-12db-61e4-d051-b536dcac8f4c}\U
    C:\Users\Guillaume\AppData\Local\{955b7c99-12db-61e4-d051-b536dcac8f4c}\L\00000004.@
    C:\Users\Guillaume\AppData\Local\{955b7c99-12db-61e4-d051-b536dcac8f4c}\U\00000004.@
    C:\Users\Guillaume\AppData\Local\{955b7c99-12db-61e4-d051-b536dcac8f4c}\U\00000008.@
    C:\Users\Guillaume\AppData\Local\{955b7c99-12db-61e4-d051-b536dcac8f4c}\U\000000cb.@
    C:\Users\Guillaume\AppData\Local\{955b7c99-12db-61e4-d051-b536dcac8f4c}\U\80000000.@
    C:\Users\Guillaume\AppData\Local\{955b7c99-12db-61e4-d051-b536dcac8f4c}\U\80000032.@

    ========================= Known DLLs (Whitelisted) ============


    ========================= Bamital & volsnap Check ============

    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ========================= Memory info ======================

    Percentage of memory in use: 12%
    Total physical RAM: 4093.55 MB
    Available physical RAM: 3567.92 MB
    Total Pagefile: 4091.83 MB
    Available Pagefile: 3576.46 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 1969.4 MB

    ======================= Partitions =========================

    1 Drive c: () (Fixed) (Total:146.39 GB) (Free:29.12 GB) NTFS
    2 Drive e: () (Fixed) (Total:785.03 GB) (Free:155.85 GB) NTFS
    3 Drive f: (GRMCULFRER_EN_DVD) (CDROM) (Total:2.33 GB) (Free:0 GB) UDF
    4 Drive g: () (Removable) (Total:0.94 GB) (Free:0.93 GB) FAT
    5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
    6 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

    Disk ### Status Size Free Dyn Gpt
    -------- ------------- ------- ------- --- ---
    Disk 0 Online 931 GB 0 B
    Disk 1 Online 961 MB 0 B

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 100 MB 1024 KB
    Partition 2 Primary 146 GB 101 MB
    Partition 3 Primary 785 GB 146 GB

    ==================================================================================

    Disk: 0
    Partition 1
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 Y System Rese NTFS Partition 100 MB Healthy

    ==================================================================================

    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 C NTFS Partition 146 GB Healthy

    ==================================================================================

    Disk: 0
    Partition 3
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 3 E NTFS Partition 785 GB Healthy

    ==================================================================================

    Partitions of Disk 1:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 961 MB 16 KB

    ==================================================================================

    Disk: 1
    Partition 1
    Type : 06
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 4 G FAT Removable 961 MB Healthy

    ==================================================================================

    ==========================================================

    Last Boot: 2012-07-30 13:59

    ======================= End Of Log ==========================

    Farbar Recovery Scan Tool Version: 25-07-2012 01
    Ran by SYSTEM at 2012-08-02 13:31:16
    Running from G:\

    ================== Search: "services,exe" ===================

    === End Of Search ===
     