TechSpot

Infected with Virtumonde - followed the 7 steps, wanna know if I'm clean :)

By nnf
Jun 14, 2011
  1. Hi everyone!

    Firstly, thanks so much to all the volunteers who help us poor souls with our virus problems - it's very appreciated :)

    So basically, here's my problem. I have an old computer running Windows XP, but it felt ridiculously slow lately... and like it was always loading something (fan is really loud, CPU is often maxed out). Like... worse than normal!

    I looked at my task manager and found nothing out of the ordinary (not that I know of), except this xdc.exe program, which is supposedly Xtreme Desktops. Now, I believe this might have been a program my sister installed (I don't recall ever getting something like this), but I couldn't find it anywhere, so could be spyware or whatnot.

    Anyway, I ran a virus scan (Nod32) and it found several minor things (cookies) but also Virtumonde :/ which from previous knowledge, can be a pain in the buttocks to remove!

    So, followed the 7 steps and got rid of some nasties, but I wanna know if everything is ok now or if I should take other measures to get my good old PC back to its normal state :)

    Logs upcoming in following posts! Thanks!
     
  2. Bobbye

    Bobbye Helper on the Fringe

    Welcome to TechSpot. I will be glad to check the logs for any 'leftovers.'

    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me.
    • Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    • Reminder to be patient
    If I have not replied for 2 days, you can send me a PM reminder. Include the URL of your thread. Please do not send me a PM to tell me your logs are up.
    If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
    =====================================
     
  3. nnf

    nnf TS Rookie Topic Starter

    Here we go, sorry for the delay - I couldn't copy and paste in the same post because my computer was incredibly slow. Thanks in advance!

    Malwarebytes' Anti-Malware 1.51.0.1200
    www.malwarebytes.org

    Database version: 6851

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    2011-06-13 23:47:16
    mbam-log-2011-06-13 (23-47-16).txt

    Scan type: Quick scan
    Objects scanned: 223511
    Time elapsed: 14 minute(s), 0 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    ----------------------------------------------

    GMER


    GMER 1.0.15.15640 - http://www.gmer.net
    Rootkit quick scan 2011-06-14 18:58:47
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e WDC_WD800JD-60JRC0 rev.05.01C05
    Running: 1z6z34ih.exe; Driver: C:\DOCUME~1\LISA-L~1\LOCALS~1\Temp\pwldrpob.sys


    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 MBR read error
    Disk \Device\Harddisk0\DR0 MBR BIOS signature not found 0

    ---- System - GMER 1.0.15 ----

    SSDT spob.sys ZwEnumerateKey [0xF74FCDA4]
    SSDT spob.sys ZwEnumerateValueKey [0xF74FD132]

    ---- Devices - GMER 1.0.15 ----

    Device \Driver\atapi \Device\Ide\IdePort0 [F7978B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F7978B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdePort1 [F7978B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdePort2 [F7978B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdePort3 [F7978B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-19 [F7978B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-e [F7978B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\aupygx3u \Device\Scsi\aupygx3u1 8A2D71F8
    Device \Driver\aupygx3u \Device\Scsi\aupygx3u1Port4Path0Target0Lun0 8A2D71F8
    Device \FileSystem\Ntfs \Ntfs 8A66B1F8

    AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)

    Device \FileSystem\Fastfat \Fat 89F451F8

    AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)
    AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys

    ---- EOF - GMER 1.0.15 ----


    ---------------------

    DDS.txt




    .
    DDS (Ver_2011-06-12.02) - NTFSx86
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24
    Run by LL HH at 19:06:46 on 2011-06-14
    Microsoft Windows XP Professional 5.1.2600.3.1252.2.1033.18.2039.1019 [GMT -4:00]
    .
    AV: ESET NOD32 Antivirus 3.0 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    svchost.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    C:\WINDOWS\system32\acs.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
    C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
    C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
    C:\Program Files\DivX\DivX Plus Web Player\DDmService.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Acronis\TrueImageEnterpriseServer\TrueImageMonitor.exe
    C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Logitech\QuickCam\Quickcam.exe
    C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\DivX\DivX Update\DivXUpdate.exe
    C:\Program Files\Acronis\TrueImageEnterpriseServer\TimounterMonitor.exe
    C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\DAEMON Tools Lite\DTLite.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\WINDOWS\system32\msfeedssync.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.viago.net/
    uSearch Page =
    uSearch Bar =
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    mSearchAssistant =
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: {27a5d50d-dc44-4c67-8c2b-10f4e8dc5972} - No File
    BHO: {3017FB3E-9A77-4396-88C5-0EC9548FB42F} - No File
    BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll
    BHO: {389943B0-C3A2-4E69-82CB-8596A84CB3DC} - No File
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: {98950321-5624-4a16-9e29-9f8c8941cc5d} - No File
    BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: {FF7C3CF0-4B15-11D1-ABED-709549C10000} - No File
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
    EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
    uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
    uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun
    uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
    uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [DAEMON Tools] "c:\program files\daemon tools\daemon.exe" -lang 1033
    mRun: [Smapp] c:\program files\analog devices\soundmax\SMTray.exe
    mRun: [igfxtray] c:\windows\system32\igfxtray.exe
    mRun: [igfxpers] c:\windows\system32\igfxpers.exe
    mRun: [HPPQVideo] "c:\program files\hp\scheduledlaunch\hp color laserjet cp1510 series\bin\hppschlnch.exe" -r software\hewlett-packard\scheduledlaunch\CLJ_CP1510_Series -f PQOptimizerVideo.xml -o remindLater
    mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
    mRun: [DivX Download Manager] "c:\program files\divx\divx plus web player\DDmService.exe" start
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [XDc] c:\program files\xtreme desktop\xdc\startxdc.exe
    mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimageenterpriseserver\TrueImageMonitor.exe
    mRun: [ToolBoxFX] "c:\program files\hp\toolboxfx\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /fl:on /fr:on /appData:on
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
    mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
    mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
    mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
    mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
    mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
    mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimageenterpriseserver\TimounterMonitor.exe
    mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
    mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    IE: Ajouter au fichier PDF existant - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convertir en Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convertir la cible du lien en Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convertir la cible du lien en un fichier PDF existant - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convertir la sélection en Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convertir la sélection en un fichier PDF existant - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convertir les liens sélectionnés en fichier Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convertir les liens sélectionnés en un fichier PDF existant - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: E&xporter vers Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - c:\program files\paltalk messenger\Paltalk.exe
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
    DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://vpnssl.telenetinfo.com/CACHE/stc/1/binaries/vpnweb.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1235403714312
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1235403695281
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {C2BBEA20-1F2B-492F-8A06-B1C5FFEACE3B} - hxxp://certificat.telenetinfo.net/CertControl/x86/scrdenrl.dll
    DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: igfxcui - igfxdev.dll
    AppInit_DLLs: c:\windows\system32\wupobolo.dll dmjzro.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
    LSA: Authentication Packages = msv1_0 relog_ap
    LSA: Notification Packages = scecli scecli
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\LL HH\application data\mozilla\firefox\profiles\awlygrzc.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.startup.homepage - www.google.ca
    FF - component: c:\documents and settings\LL HH\application data\mozilla\firefox\profiles\awlygrzc.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
    FF - component: c:\documents and settings\LL HH\application data\mozilla\firefox\profiles\awlygrzc.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll
    FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
    FF - plugin: c:\documents and settings\LL HH\application data\facebook\npfbplugin_1_0_0.dll
    FF - plugin: c:\documents and settings\LL HH\application data\facebook\npfbplugin_1_0_3.dll
    FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
    FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
    FF - plugin: c:\program files\fotopedia\fotopedia.app\contents\windows\np_Fotopedia.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll
    FF - plugin: c:\program files\microsoft\office live\npOLW.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\real\rave\nprave187.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-10-24 35168]
    .
    =============== Created Last 30 ================
    .
    2011-06-14 01:10:56 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-06-14 01:10:50 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-06-14 01:10:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-05-24 02:08:33 -------- d-----w- C:\Las Vegas
    .
    ==================== Find3M ====================
    .
    2011-04-06 20:20:16 91424 ----a-w- c:\windows\system32\dnssd.dll
    2011-04-06 20:20:16 197920 ----a-w- c:\windows\system32\dnssdX.dll
    2011-04-06 20:20:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
    .
    ============= FINISH: 19:18:27,32 ===============


    -------------

    Attach.txt



    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-06-12.02)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 2007-05-30 09:04:56
    System Uptime: 2011-06-14 18:48:58 (1 hours ago)
    .
    Motherboard: Hewlett-Packard | | 0968h
    Processor: Intel(R) Pentium(R) 4 CPU 3.20GHz | XU1 PROCESSOR | 3194/800mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 75 GiB total, 10,332 GiB free.
    D: is CDROM ()
    E: is FIXED (FAT32) - 279 GiB total, 30,728 GiB free.
    F: is CDROM ()
    I: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    ==== Installed Programs ======================
    .
    .
    32 Bit HP BiDi Channel Components Installer
    3ivx MPEG-4 5.0.3 (remove only)
    Acronis True Image Enterprise Server
    Adobe Acrobat 8 Professional - English, Français, Deutsch
    Adobe Acrobat 8.1.2 Professional
    Adobe Acrobat 8.1.2 Security Update 1 (KB403742)
    Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader X (10.0.1)
    Adobe Shockwave Player
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Bonjour
    Broadcom Management Programs
    Broadcom NetXtreme Ethernet Controller
    BufferChm
    calibre
    Canon Camera Access Library
    Canon Camera Support Core Library
    Canon Camera WIA Driver
    Canon EOS 5D WIA Driver
    Canon RAW Image Task for ZoomBrowser EX
    Canon Utilities CameraWindow
    Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
    Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
    Canon Utilities Digital Photo Professional 3.4
    Canon Utilities EOS Utility
    Canon Utilities MyCamera
    Canon Utilities Original Data Security Tools
    Canon Utilities PhotoStitch
    Canon Utilities Picture Style Editor
    Canon Utilities RemoteCapture Task for ZoomBrowser EX
    Canon Utilities WFT-E1/E2/E3 Utility
    Canon Utilities ZoomBrowser EX
    Canon ZoomBrowser EX Memory Card Utility
    CCleaner
    Coffret de pilotes Logitech Legacy USB Camera
    Coffret de pilotes Logitech QuickCam
    Compatibility Pack for the 2007 Office system
    Corel Paint Shop Pro X
    CustomerResearchQFolder
    DeviceDiscovery
    DeviceManagementQFolder
    DivX Content Uploader
    DivX Converter
    DivX Setup
    ESET NOD32 Antivirus
    eSupportQFolder
    Facebook Plug-In
    FlipShare
    Fotopedia - Images for Humanity
    Free Audio CD Burner version 1.2
    Free DVD Video Converter version 1.5.12
    Free iPod Video Converter 1.34
    Free PDF to Word Doc Converter v1.1
    Free Studio version 4.2
    Free Video Dub version 1.8.10
    Free YouTube Download 2.3
    Free YouTube to iPod Converter version 3.1
    Free YouTube to MP3 Converter version 3.2
    FUJIFILM USB Driver
    GIMP 2.6.8
    Google Earth
    Google Earth Plug-in
    Google Update Helper
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    HP Color LaserJet CP1510 Series 2.0
    HP Customer Participation Program 9.0
    HP Imaging Device Functions 9.0
    HP Solution Center 9.0
    hppCLJCP1510
    hppFonts
    hppManualsCP1510
    hppPQVideoCP1510
    HPProductAssistant
    hppTLBXFXCP1510
    hppusgCP1510
    HPSSupply
    hpzTLBXFX
    ImgBurn
    Installation Windows Live
    Intel(R) Graphics Media Accelerator Driver
    iTunes
    Java Auto Updater
    Java(TM) 6 Update 24
    Junk Mail filter update
    Logitech Audio Echo Cancellation Component
    Logitech QuickCam
    Los Sims™ 2 y Las Cuatro Estaciones
    Malwarebytes' Anti-Malware version 1.51.0.1200
    MarketResearch
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2416447)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Application Error Reporting
    Microsoft Base Smart Card Cryptographic Service Provider Package
    Microsoft Choice Guard
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Live Add-in 1.3
    Microsoft Office Professional Edition 2003
    Microsoft Silverlight
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Miranda IM 0.6.8
    Motorola Phone Tools
    Mozilla Firefox 4.0.1 (x86 en-GB)
    MSVCRT
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 6.0 Parser
    MVision
    Nero 6 Ultra Edition
    Nero Digital
    NewsLeecher v3.9 Beta 3
    Outil de téléchargement Windows Live
    Poladroid
    PowerDVD
    Product_SF_Full_QFolder
    Product_SF_Min_QFolder
    QuickPar 0.9
    QuickTime
    ra/ve 1.1.0.187
    Safari
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Windows Internet Explorer 7 (KB938127-v2)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB2416400)
    Security Update for Windows Internet Explorer 8 (KB2482017)
    Security Update for Windows Internet Explorer 8 (KB2497640)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB969897)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479628)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485376)
    Security Update for Windows XP (KB2485663)
    Security Update for Windows XP (KB2503658)
    Security Update for Windows XP (KB2506212)
    Security Update for Windows XP (KB2506223)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2508272)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2511455)
    Security Update for Windows XP (KB2524375)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Segoe UI
    Skype Toolbars
    Skype™ 5.1
    SolutionCenter
    SoundMAX
    SPSS Data Access Pack 4.5 for Windows
    SPSS Student Version 16.0 for Windows
    Spybot - Search & Destroy
    Spybot - Search & Destroy 1.4
    The Sims 2 Family Fun Stuff
    The Sims 2 Glamour Life Stuff
    The Sims 2 Open For Business
    The Sims 2 Pets
    The Sims 2 University
    The Sims™ 2 Apartment Life
    The Sims™ 2 Bon Voyage
    The Sims™ 2 Double Deluxe
    The Sims™ 2 FreeTime
    The Sims™ 2 H&M® Fashion Stuff
    The Sims™ 2 Teen Style Stuff
    TrayApp
    TreeSize Professional 4.3.2
    TRENDnet TEW-441PC/TEW-443PI 802.11g Wireless Cardbus/PCI Adapter Driver and Utility
    Uninstall 1.0.0.1
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Windows (KB971513)
    Update for Windows Internet Explorer 8 (KB971930)
    Update for Windows Internet Explorer 8 (KB975364)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB976749)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    USB Driver Vers. 3.2
    VC80CRTRedist - 8.0.50727.4053
    VideoLAN VLC media player 0.8.6b
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    WebFldrs XP
    WebReg
    Winamp (remove only)
    Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Imaging Component
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Mail
    Windows Live Messenger
    Windows Live Sign-in Assistant
    Windows Live Writer
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows PowerShell(TM) 1.0
    Windows Presentation Foundation
    Windows XP Service Pack 3
    WinRAR archiver
    XML Paper Specification Shared Components Pack 1.0
    Zero Assumption Digital Image Recovery 1.2
    .
    ==== Event Viewer Messages From Past Week ========
    .
    2011-06-13 20:04:21, error: Service Control Manager [7034] - The FlipShare Service service terminated unexpectedly. It has done this 1 time(s).
    2011-06-13 18:33:33, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Lbd
    2011-06-13 18:33:30, error: Service Control Manager [7000] - The Upload Manager service failed to start due to the following error: The account specified for this service is different from the account specified for other services running in the same process.
    2011-06-12 20:15:41, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC80.MFCLOC. Reference error message: The referenced assembly is not installed on your system. .
    2011-06-12 20:15:41, error: SideBySide [59] - Generate Activation Context failed for C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_39049d00\MFC80U.DLL. Reference error message: The operation completed successfully. .
    2011-06-12 20:15:41, error: SideBySide [32] - Dependent Assembly Microsoft.VC80.MFCLOC could not be found and Last Error was The referenced assembly is not installed on your system.
    2011-06-12 14:34:48, error: SideBySide [59] - Generate Activation Context failed for C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_39049d00\MFC80.DLL. Reference error message: The operation completed successfully. .
    .
    ==== End Of File ===========================
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You have a great many processes running that probably started on boot. Processes for cameras, photo editing, printers, scanners, imaging programs, media players and burning software do not have to start on boot!
    ==========================================
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESETOnlineScan
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      [o] Click the ESET Smart Installer link to download it. Save it to your desktop.
      [o] Double click on the ESET Smart Installer icon on your desktop.
    • Check 'Yes I accept terms of use.'
    • Click Start button
    • Accept any security warnings from your browser.
    • Uncheck 'Remove found threats'
    • Check 'Scan archives'
    • Leave remaining settings as is.
    • Press the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    • When the scan completes, press List of found threats
    • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    • Push the Back button
    • Push Finish

    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    ==================================
    Please note: If you have Combofix on the desktop already, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you will see a message confirming it.
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow it
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated and will open in a text window. Please paste C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.

    Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    =====================================
    How much installed RAM do you have for this old bear?

    Logs for the Eset scan and Combofix in next reply please.
     
  5. nnf

    nnf TS Rookie Topic Starter

    Thanks for the info :) how do I stop them from starting on boot? I honestly never thought about this.. !

    As for RAM, eh... says I have 1.99 GB of RAM. But the thing is, I haven't done much lately, or made any changes.. it wasn't that ridiculously slow in the past few months/weeks! Anyway... guess I'll need a new one sooner or later.

    No logs for Eset - all clean.

    Combofix... my bad, it's all in French, IDK how that happened..... if you need it, I can translate it or try to download again. My OS is in English and so is my browser... ?!!! Odd.

    ComboFix 11-06-15.02 - LLH 2011-06-15 22:58:08.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.2.1033.18.2039.993 [GMT -4:00]
    Running from: c:\documents and settings\LLH\My Documents\Downloads\ComboFix.exe
    AV: ESET NOD32 Antivirus 3.0 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
    .
    .
    (((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\LLH\Application Data\inst.exe
    c:\documents and settings\LLH\Application Data\Local
    c:\documents and settings\LLH\Application Data\Local\Temp\DDM\Settings\.ddr
    c:\documents and settings\LLH\Application Data\Local\Temp\DDM\Settings\0.ddi
    c:\documents and settings\LLH\Application Data\Local\Temp\DDM\Settings\settings.ddi
    c:\documents and settings\LLH\Application Data\Local\Temp\DDM\Settings\Temporary Downloaded Files\.ddp
    c:\documents and settings\LLH\Local Settings\Application Data\.#
    c:\windows\system32\winlogon.bak
    .
    .
    ((((((((((((((((((((((((((((( Files Created from 2011-05-16 to 2011-06-16 ))))))))))))))))))))))))))))))))))))
    .
    .
    2011-06-14 01:10 . 2011-05-29 13:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-06-14 01:10 . 2011-05-29 13:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-06-14 01:10 . 2011-06-14 01:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-05-29 09:07 . 2011-05-29 09:07 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
    2011-05-24 02:08 . 2011-05-24 02:08 -------- d-----w- C:\Las Vegas
    .
    .
    .
    (((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-05-02 15:31 . 2009-02-23 16:40 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-04-29 16:19 . 2009-02-23 16:39 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-04-06 20:20 . 2011-04-06 20:20 91424 ----a-w- c:\windows\system32\dnssd.dll
    2011-04-06 20:20 . 2011-04-06 20:20 197920 ----a-w- c:\windows\system32\dnssdX.dll
    2011-04-06 20:20 . 2011-04-06 20:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
    2011-04-29 16:04 . 2011-03-22 21:02 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-17 3872080]
    "DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-07-30 143360]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2007-01-13 131072]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2007-01-13 135168]
    "egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-10-07 1461080]
    "DivX Download Manager"="c:\program files\DivX\DivX Plus Web Player\DDmService.exe" [2010-12-08 63360]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-14 421160]
    "TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageEnterpriseServer\TrueImageMonitor.exe" [2006-03-17 1102171]
    "ToolBoxFX"="c:\program files\HP\ToolBoxFX\bin\HPTLBXFX.exe" [2007-08-28 53248]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
    "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
    "REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-05 53248]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 2178832]
    "LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2007-01-13 163840]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
    "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
    "AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageEnterpriseServer\TimounterMonitor.exe" [2006-03-17 1827640]
    "Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2006-03-17 126976]
    "Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-12 623992]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Outil de mise à jour Google.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Outil de mise à jour Google.lnk
    backup=c:\windows\pss\Outil de mise à jour Google.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PalTalk.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PalTalk.lnk
    backup=c:\windows\pss\PalTalk.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Universite Laval Client VPN ULaval.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Universite Laval Client VPN ULaval.lnk
    backup=c:\windows\pss\Universite Laval Client VPN ULaval.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
    backup=c:\windows\pss\Windows Search.lnkCommon Startup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "gusvc"=3 (0x3)
    "SDhelper"=2 (0x2)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\SPSSInc\\SPSS16Student\\spss.exe"=
    "c:\\Program Files\\ESET\\ESET NOD32 Antivirus\\egui.exe"=
    "c:\\WINDOWS\\system32\\wbem\\unsecapp.exe"=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    .
    R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2007-05-30 691696]
    R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-10-24 35168]
    R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2009-10-07 472280]
    S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-08-14 136176]
    S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2010-08-10 13224]
    S3 gupdatem;Service Google Update (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-08-14 136176]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-06-07 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
    .
    2011-06-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-08-14 22:52]
    .
    2011-06-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-08-14 22:52]
    .
    2011-06-16 c:\windows\Tasks\User_Feed_Synchronization-{823A24B4-0F4D-4C33-96BE-9C5B266FC13D}.job
    - c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
    .
    2011-06-16 c:\windows\Tasks\User_Feed_Synchronization-{D662A78C-BE11-4DFB-BA98-4118A5A86CA9}.job
    - c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.viago.net/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Ajouter au fichier PDF existant - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convertir en Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convertir la cible du lien en Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convertir la cible du lien en un fichier PDF existant - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convertir la sélection en Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convertir la sélection en un fichier PDF existant - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convertir les liens sélectionnés en fichier Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convertir les liens sélectionnés en un fichier PDF existant - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: E&xporter vers Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    TCP: DhcpNameServer = 24.200.243.189 24.200.241.37 24.201.245.77
    DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://vpnssl.telenetinfo.com/CACHE/stc/1/binaries/vpnweb.cab
    FF - ProfilePath - c:\documents and settings\LLH\Application Data\Mozilla\Firefox\Profiles\awlygrzc.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.startup.homepage - www.google.ca
    .
    - - - - ORPHANS REMOVED - - - -
    .
    BHO-{27a5d50d-dc44-4c67-8c2b-10f4e8dc5972} - (no file)
    BHO-{3017FB3E-9A77-4396-88C5-0EC9548FB42F} - (no file)
    BHO-{389943B0-C3A2-4E69-82CB-8596A84CB3DC} - (no file)
    BHO-{98950321-5624-4a16-9e29-9f8c8941cc5d} - (no file)
    HKCU-Run-ISUSPM - c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
    HKCU-Run-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    HKCU-Run-DAEMON Tools - c:\program files\DAEMON Tools\daemon.exe
    HKLM-Run-HPPQVideo - c:\program files\HP\ScheduledLaunch\HP Color LaserJet CP1510 Series\bin\hppschlnch.exe -r SOFTWARE\Hewlett-Packard\ScheduledLaunch\CLJ_CP1510_Series -f PQOptimizerVideo.xml
    HKLM-Run-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    HKLM-Run-XDc - c:\program files\Xtreme Desktop\xdc\startxdc.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-06-15 23:09
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•A~*]
    "C040110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(852)
    c:\windows\system32\WINSPOOL.DRV
    .
    - - - - - - - > 'explorer.exe'(8968)
    c:\windows\system32\WININET.dll
    c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
    c:\windows\system32\acs.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Flip Video\FlipShare\FlipShareService.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\Analog Devices\SoundMAX\SMAgent.exe
    c:\windows\system32\SearchIndexer.exe
    c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    c:\program files\Canon\CAL\CALMAIN.exe
    c:\windows\system32\wbem\unsecapp.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\system32\SearchProtocolHost.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
    c:\windows\system32\SearchFilterHost.exe
    .
    **************************************************************************
    .
    Completion time: 2011-06-15 23:18:37 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-06-16 03:18
    .
    Pre-Run: 10,991,050,752 bytes free
    Post-Run: 12,191,326,208 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-FRA.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    .
    Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
    - - End Of File - - 33DD2FCCEA62B63B85C92CD29D4ECFE0
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I will give you instructions to use the msconfig utility to take programs off of the Startup Menu when we finish the cleaning.
    ===========================================
    I think I can get through the Combofix entries okay, but you will have to clarify this for me:

    1. The Start page is set to viago.net. IP 74.122.246.133
    OrgName: TELENET Informatique Inc.
    OrgId: TELEN-15
    Address: 930 Jacques-Cartier Est
    Address: Bureau A-103
    City: Chicoutimi
    StateProv: QC
    PostalCode: G7H-7K9
    Country: CA

    2. TCP: DhcpNameServer = 24.200.243.189 24.200.241.37 24.201.245.77
    Organization Le Groupe Videotron Ltee (VLCA)

    3. Active X Object:
    DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://vpnssl.telenetinfo.com/CACHE/stc/1/binaries/vpnweb.cab>> appears to be related to Cisco VPN

    You will need to resolve this for me. Telenet is something I am always wary of.

    Are you in Canada?
    ===================================================
    Adobe Reader is outdated. Please update: Adobe Reader site. Uninstall any earlier updates as they are vulnerabilities. (v8)
    =======================================
    I'm finishing reviewing the Combofix log. I have some script for you to run through Combofix but I need the information about the entries above.
     
  7. nnf

    nnf TS Rookie Topic Starter

    Ok sounds good re boot.

    Telenet is fine, they take care of my PC problems and I had VPN access with them, so it's not odd that it would come up. I do live in Canada :)
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Your place of residency might explain the logs showing in French, and also the three entries I needed to verify.

    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    Code:
    File::
    
    Folder::
    
    DDS::
    uSearch Page =
    uSearch Bar =
    mSearchAssistant =
    BHO: {27a5d50d-dc44-4c67-8c2b-10f4e8dc5972} - No File
    BHO: {3017FB3E-9A77-4396-88C5-0EC9548FB42F} - No File
    BHO: {389943B0-C3A2-4E69-82CB-8596A84CB3DC} - No File
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: {98950321-5624-4a16-9e29-9f8c8941cc5d} - No File
    BHO: {FF7C3CF0-4B15-11D1-ABED-709549C10000} - No File
    mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
    mRun: [ToolBoxFX] "c:\program files\hp\toolboxfx\bin\HPTLBXFX.exe" /enumn /alertsn /notificationsn /fln /frn /appDatan
    mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
    AppInit_DLLs: c:\windows\system32\wupobolo.dll dmjzro.dll 
    
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QuickTime Task"=-
    "Adobe ARM"=-
    "iTunesHelper"=-
    "ToolBoxFX"=-
    "SunJavaUpdateSched"=-
    "RemoteControl"=-
    "HP Software Update"=-
    "DivXUpdate"=-
    "Acrobat Assistant 8.0"=-
    RegNull::
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•A~*]
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Drag CFScript.txt onto ComboFix.exe.

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
    I have removed some of the registry entries for processes you can take off of the Startup menu.
    ====================================
    The only processes you need to have on the Startup Menu are: Antivirus program, Firewall if using 3rd party firewall, touchpad if on laptop and network processes if you have a network set up through Pure Magic/Citrix. Nothing else.
    To remove entries from the Startup Menu using the msconfig utility:
    • Click on Start> Run> type in msconfig> enter>
    • Click on Selective Startup
    • Choose the Startup tab:
      All images courtesy NetSquirrel
    • To expand the Command column (this shows what the process 'belongs' to), hold the left mouse button down on the dividing line in the frame above Location and move it to the right.
    • Uncheck any processes you do not need to start on boot.
    • Click on Apply> OK when finished.
    NOTE:
    When you reboot the system the first time after making changes using the msconfig utility, a nag message comes up that can be ignored and closed after checking 'don't show this message again.' Remain in Selective Startup to retain those changes.
    ------------------------------
    Some processes to consider unchecking:
    =============================================
    Click on Start> Run> Type in services.msc> enter. Find each of the following services. Double click on each to open> Change the Startup type to Disabled> Stop the Service:
    Indexing (scroll down to it)
    Java Quick Starter (jqs)

    Exit Services when through.
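As an added example (not code from this thread and not part of ComboFix), here is a small Python parser for the "Reg Loading Points" section of a ComboFix log in the format posted above. It pulls every value under a ...\CurrentVersion\Run key, flags targets that live under a user profile or temp directory (the kind of location the inst.exe dropper ComboFix deleted earlier was sitting in), and emits the Registry:: stanza of a CFScript that clears the HKLM/HKCU Run values not on an explicit keep-list, using the same "Name"=- form as the script above. The sample log lines are constructed from the thread's log; the "Updater" entry and the keep-list are assumptions for illustration.

```python
import re

# Constructed sample input: lines in the format ComboFix uses for its
# "Reg Loading Points" section (same layout as the log posted in this thread).
# The "Updater" value under HKCU is a constructed entry, modelled on the
# Application Data dropper path that ComboFix deleted earlier in the thread.
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-17 3872080]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Updater"="c:\documents and settings\LLH\Application Data\inst.exe" [2011-06-01 45056]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-10-07 1461080]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-14 421160]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
'''

KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')
RUN_KEY_RE = re.compile(r'\\CurrentVersion\\Run$', re.IGNORECASE)
# "Name"="path" [yyyy-mm-dd size]   (the trailing date/size part is optional)
VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"'
    r'(?:\s+\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\])?')

# Hives whose Run values the generated CFScript is allowed to clear.
CLEAN_HIVES = ('HKEY_LOCAL_MACHINE\\', 'HKEY_CURRENT_USER\\')
# Locations a legitimate installer does not use for an autostart target on XP.
USER_WRITABLE = ('\\documents and settings\\', '\\temp\\')


def parse_run_entries(log_text):
    r"""Return one dict per value found under any ...\CurrentVersion\Run key."""
    entries, current_key = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            # Only track Run keys; any other key header resets the context.
            current_key = key.group(1) if RUN_KEY_RE.search(key.group(1)) else None
            continue
        if current_key is None:
            continue
        value = VALUE_RE.match(line)
        if value:
            entries.append({
                'key': current_key,
                'name': value['name'],
                'path': value['path'],
                'date': value['date'],
                'size': int(value['size']) if value['size'] else None,
            })
    return entries


def flag_user_writable(entries):
    """Autostart targets living under a user profile or temp directory.

    Installers put Run targets under Program Files or the Windows directory;
    a Virtumonde-style dropper runs from Application Data, so these deserve a
    look before anything is put on a keep-list.
    """
    return [e for e in entries
            if any(marker in e['path'].lower() for marker in USER_WRITABLE)]


def build_registry_stanza(entries, keep):
    """Emit the Registry:: section of a CFScript.

    Every HKLM/HKCU Run value whose name is not in `keep` becomes a
    '"Name"=-' line, which is REGEDIT4 syntax for 'delete this value' and the
    form ComboFix expects.  Values under other hives are left alone.
    """
    keep_lc = {name.lower() for name in keep}
    by_key = {}
    for e in entries:
        if not e['key'].upper().startswith(CLEAN_HIVES):
            continue
        if e['name'].lower() in keep_lc:
            continue
        by_key.setdefault(e['key'], []).append(e['name'])
    lines = ['Registry::']
    for key, names in by_key.items():
        lines.append('[%s]' % key)
        lines.extend('"%s"=-' % name for name in names)
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    found = parse_run_entries(SAMPLE_LOG)
    for e in flag_user_writable(found):
        print('CHECK before keeping: %s -> %s' % (e['name'], e['path']))
    # Keep-list is an assumption for illustration: the antivirus GUI and the
    # Spybot resident guard stay, everything else is cleared from Run.
    print(build_registry_stanza(found, keep={'egui', 'SpybotSD TeaTimer'}))
```

The keep-list is deliberately a set of value names rather than paths, because that is what the Registry:: stanza deletes by; review the flagged entries by hand before trusting any name, since a dropper can register itself under a plausible-looking one.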
     
  9. nnf

    nnf TS Rookie Topic Starter

    Alright, thanks!! Here's the log :) let me know if you need help with translation!

    ComboFix 11-06-17.04 - LLH 2011-06-17 18:01:11.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.2.1033.18.2039.1483 [GMT -4:00]
    Running from: c:\documents and settings\LLH\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\LLH\Desktop\CFScript.txt
    AV: ESET NOD32 Antivirus 3.0 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
    .
    .
    (((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\program files\divx\divx update\DivXUpdate.exe
    c:\program files\hp\hp software update\HPWuSchd2.exe
    c:\program files\hp\toolboxfx\bin\HPTLBXFX.exe
    c:\windows\system32\hkcmd.exe
    .
    .
    ((((((((((((((((((((((((((((( Files Created from 2011-05-17 to 2011-06-17 ))))))))))))))))))))))))))))))))))))
    .
    .
    2011-06-15 22:03 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys
    2011-06-14 01:10 . 2011-05-29 13:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-06-14 01:10 . 2011-05-29 13:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-06-14 01:10 . 2011-06-14 01:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-06-06 16:55 . 2011-06-06 16:55 183696 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
    2011-06-06 16:55 . 2011-06-06 16:55 183696 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
    2011-05-29 09:07 . 2011-05-29 09:07 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
    2011-05-24 02:08 . 2011-05-24 02:08 -------- d-----w- C:\Las Vegas
    .
    .
    .
    (((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-05-02 15:31 . 2009-02-23 16:40 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-04-29 16:19 . 2009-02-23 16:39 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-04-25 16:11 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-04-25 16:11 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-04-25 16:11 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-04-25 12:01 . 2009-02-23 16:40 385024 ----a-w- c:\windows\system32\html.iec
    2011-04-21 13:37 . 2009-02-23 16:39 105472 ----a-w- c:\windows\system32\drivers\mup.sys
    2011-04-06 20:20 . 2011-04-06 20:20 91424 ----a-w- c:\windows\system32\dnssd.dll
    2011-04-06 20:20 . 2011-04-06 20:20 197920 ----a-w- c:\windows\system32\dnssdX.dll
    2011-04-06 20:20 . 2011-04-06 20:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
    2011-04-29 16:04 . 2011-03-22 21:02 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-17 3872080]
    "DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-07-30 143360]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2007-01-13 131072]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2007-01-13 135168]
    "egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-10-07 1461080]
    "DivX Download Manager"="c:\program files\DivX\DivX Plus Web Player\DDmService.exe" [2010-12-08 63360]
    "TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageEnterpriseServer\TrueImageMonitor.exe" [2006-03-17 1102171]
    "REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-05 53248]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 2178832]
    "LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
    "AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageEnterpriseServer\TimounterMonitor.exe" [2006-03-17 1827640]
    "Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2006-03-17 126976]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Outil de mise à jour Google.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Outil de mise à jour Google.lnk
    backup=c:\windows\pss\Outil de mise à jour Google.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PalTalk.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PalTalk.lnk
    backup=c:\windows\pss\PalTalk.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Universite Laval Client VPN ULaval.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Universite Laval Client VPN ULaval.lnk
    backup=c:\windows\pss\Universite Laval Client VPN ULaval.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
    backup=c:\windows\pss\Windows Search.lnkCommon Startup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "gusvc"=3 (0x3)
    "SDhelper"=2 (0x2)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\SPSSInc\\SPSS16Student\\spss.exe"=
    "c:\\Program Files\\ESET\\ESET NOD32 Antivirus\\egui.exe"=
    "c:\\WINDOWS\\system32\\wbem\\unsecapp.exe"=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    .
    R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2007-05-30 691696]
    R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-10-24 35168]
    R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2009-10-07 472280]
    S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-08-14 136176]
    S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2010-08-10 13224]
    S3 gupdatem;Service Google Update (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-08-14 136176]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    Contenu du dossier 'Tâches planifiées'
    .
    2011-06-07 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
    .
    2011-06-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-08-14 22:52]
    .
    2011-06-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-08-14 22:52]
    .
    2011-06-17 c:\windows\Tasks\User_Feed_Synchronization-{823A24B4-0F4D-4C33-96BE-9C5B266FC13D}.job
    - c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
    .
    2011-06-17 c:\windows\Tasks\User_Feed_Synchronization-{D662A78C-BE11-4DFB-BA98-4118A5A86CA9}.job
    - c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
    .
    .
    ------- Examen supplémentaire -------
    .
    uStart Page = hxxp://www.viago.net/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Convertir les liens sélectionnés en fichier Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: E&xporter vers Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    TCP: DhcpNameServer = 24.200.243.189 24.200.241.37 24.201.245.77
    DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://vpnssl.telenetinfo.com/CACHE/stc/1/binaries/vpnweb.cab
    FF - ProfilePath - c:\documents and settings\LLH\Application Data\Mozilla\Firefox\Profiles\awlygrzc.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.startup.homepage - www.google.ca
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-06-17 18:09
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    Recherche de processus cachés ...
    .
    Recherche d'éléments en démarrage automatique cachés ...
    .
    Recherche de fichiers cachés ...
    .
    Scan terminé avec succès
    Fichiers cachés: 0
    .
    **************************************************************************
    .
    --------------------- CLES DE REGISTRE BLOQUEES ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•A~*]
    "C040110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
    .
    --------------------- DLLs chargées dans les processus actifs ---------------------
    .
    - - - - - - - > 'winlogon.exe'(848)
    c:\windows\system32\ACTIVEDS.dll
    .
    Heure de fin: 2011-06-17 18:11:35
    ComboFix-quarantined-files.txt 2011-06-17 22:11
    ComboFix2.txt 2011-06-16 03:18
    .
    Avant-CF: 13*827*231*744 bytes free
    Après-CF: 13*801*558*016 bytes free
    .
    Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
    - - End Of File - - 812EABB640BCF0CB44126B2068BFE543
     
  10. nnf

    nnf TS Rookie Topic Starter

    Oh, I also followed your other instructions, but I wasn't able to find all of these in Services... Any ideas as to how I should proceed?

    "QuickTime Task"> QTTask.exe
    "Adobe ARM"> AdobeArm.exe
    "iTunesHelper"> iTunesHelper.exe
    "ToolBoxFX"> HPTLBXFX.exe
    "SunJavaUpdateSched"> jusched.exe
    "RemoteControl"> PDVDServ.exe
    "HP Software Update"> HPWuSchd2.exe
    "DivXUpdate"> DivXUpdate.exe
    "Acrobat Assistant 8.0"=-
    HP Digital Imaging Monitor.


    Thanks so much for the help, it's really appreciated over here :) The computer already feels a bit faster ;)
     
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Only one of the entries I listed has a Service: Java QuickStarter. The instructions I gave you to use msconfig were to uncheck the processes on the Startup Menu, not Services.

    I listed the process name first, followed by > the name of the process on the Startup Menu. For instance:
    "QuickTime Task"> QTTask.exe
    QuickTime Task is the process name. It will be listed as QTTask.exe.
    ========================================
    Do you have any idea what this entry is? I put in a script to unlock the registry key, but nothing happened, and I tried to translate the FM20ENU.DLL French to English and also got nothing:
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\User Data\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•A~*]
    "C040110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
    .
     
  12. nnf

    nnf TS Rookie Topic Starter

    Oops, sorry, my mistake... I did mean msconfig!!! I couldn't uncheck these from the startup menu. Should I just load the programs individually instead and toggle them in their preferences?

    As for FM20ENU.DLL... no idea... :/ I did a quick Google search and it seems there are others (with Portuguese or Spanish versions of Windows) who had this weird file come up... Something to do with Forms for Microsoft...
     
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    The entry on the right should be what you see using the msconfig utility to access the Startup menu.
    I'm not sure what you mean by you "couldn't uncheck these". If you got an error message when attempting to do this, do the following first:

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    Now use msconfig to access the Startup menu and uncheck the entries.

    I will set up the script to remove the registry entry for FM20ENU.DLL. Sometimes, when there is another language on the system, we see symbols like that because the scan can't read the entry. I'll be back shortly with the script for you to run.
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    This Service is a huge resource user! Contrary to what you might read, it does not need to run in the background! The HP peripherals put many processes on a system and most of them don't need to run unless you are actively using the printer.

    HP Service: PML Driver HPZ12. It isn't even noticed in the Task Manager because it runs under svchost.exe. There are 2 entries in the log. Before I have you change the Service startup type I want to take a look at both entries:

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      
      :file
      C:\WINDOWS\System32\svchost.exe -k HPZ12
      C:\WINDOWS\System32\svchost.exe -k HPZ12
      
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
     
  15. nnf

    nnf TS Rookie Topic Starter

    I can't uncheck them because they don't show up in the list... there aren't that many processes that show up in the startup tab. Would these processes show up anywhere else?

    [IMG]
     
  16. nnf

    nnf TS Rookie Topic Starter

    As for SystemLook.... well...

    SystemLook 04.09.10 by jpshortstuff
    Log created at 00:21 on 25/06/2011
    Administrator - Elevation successful

    ========== file ==========

    C:\WINDOWS\System32\svchost.exe -k HPZ12 - Unable to find/read file.

    C:\WINDOWS\System32\svchost.exe -k HPZ12 - Unable to find/read file.

    -= EOF =-
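An added example, not part of the thread or of SystemLook/ComboFix: `svchost.exe -k HPZ12` is a command line rather than a file path, so a file lookup on that string finds nothing; `-k` names a service group registered under the Svchost key that the ComboFix log shows mapping HPZ12 to "Pml Driver HPZ12" and "Net Driver HPZ12". The script below resolves a group to the services it hosts, their startup type and the DLL each one loads, which is what a defender actually wants to inspect when a service hides under svchost. The default group name `HPZ12` is taken from this thread's log; run it in an elevated PowerShell session.

```powershell
# Resolve an svchost service group (the value after "-k") to the services it hosts
# and the DLL each service loads. Added example; the default group is assumed from
# the ComboFix log in this thread.
param(
    [string]$Group = 'HPZ12'
)

$svchostKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$startNames  = @{ 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

# Each group is one REG_MULTI_SZ value under the Svchost key; it reads back as a string array.
$groups  = Get-ItemProperty -Path $svchostKey
$members = $groups.$Group
if (-not $members) {
    Write-Warning "No svchost group named '$Group' is registered on this machine."
    return
}

foreach ($svc in $members) {
    $svcKey = Join-Path $servicesKey $svc
    if (-not (Test-Path $svcKey)) {
        # The group lists a service that is no longer installed (stale entry).
        New-Object PSObject -Property @{ Group = $Group; Service = $svc; Status = 'not installed' }
        continue
    }
    $props  = Get-ItemProperty -Path $svcKey
    $params = Get-ItemProperty -Path (Join-Path $svcKey 'Parameters') -ErrorAction SilentlyContinue

    # ServiceDll usually contains %SystemRoot%; expand it so the file can be checked on disk.
    $dll = $null
    if ($params -and $params.ServiceDll) {
        $dll = [Environment]::ExpandEnvironmentVariables($params.ServiceDll)
    }
    $state = (Get-Service -Name $svc -ErrorAction SilentlyContinue).Status

    New-Object PSObject -Property @{
        Group      = $Group
        Service    = $svc
        Status     = $state
        Start      = $startNames[[int]$props.Start]
        ImagePath  = $props.ImagePath      # expected to read ...\svchost.exe -k <group>
        ServiceDll = $dll
        DllExists  = if ($dll) { Test-Path $dll } else { $false }
    }
}
```

A service whose `ServiceDll` is missing on disk, or an `ImagePath` that is not the system svchost.exe, is what warrants a closer look; the HP entries here are expected to point at HP's PML/Net driver DLLs.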
     
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    What you see in the Startup folder in Windows Explorer is not what you see in the msconfig utility. Which one are you looking in?

    Are you having any problems with the printer?
     
Topic Status:
Not open for further replies.
