
Recommended posts

Posted (edited)

Good evening!

My Spy Sweeper log worries me a bit; here are a few lines of it:

20:39: Warning: DoInject :\Device\HarddiskVolume1\Windows\System32\svchost.exe

20:39: Warning: DoInject :\Device\HarddiskVolume1\Windows\System32\svchost.exe

20:39: Warning: DoInject :\Device\HarddiskVolume1\Windows\System32\svchost.exe

20:39: Warning: DoInject :\Device\HarddiskVolume1\Windows\System32\svchost.exe

[...]

Operation: Code Injection

Target: C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

Source: C:\Windows\System32\svchost.exe

11:02: Tamper Detection

Operation: Code Injection

Target: C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

Source: C:\Windows\System32\svchost.exe

11:02: Tamper Detection

Operation: Code Injection

Target: C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

Source: C:\Windows\System32\svchost.exe

11:02: Tamper Detection

Operation: Code Injection

Target: C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

Source: C:\Windows\System32\svchost.exe

[...]

19:32: The Internet Communication shield has blocked access to: XUL93.PUBDOMAINSTR.COM

19:32: The Internet Communication shield has blocked access to: XUL93.PUBDOMAINSTR.COM

19:32: The Internet Communication shield has blocked access to: XUL93.PUBDOMAINSTR.COM

19:32: The Internet Communication shield has blocked access to: XUL93.PUBDOMAINSTR.COM

19:32: The Internet Communication shield has blocked access to: XUL93.PUBDOMAINSTR.COM

19:32: The Internet Communication shield has blocked access to: WWW.XPSECURITYCENTER.COM

19:32: The Internet Communication shield has blocked access to: WWW.XPSECURITYCENTER.COM

19:32: The Internet Communication shield has blocked access to: WWW.XPSECURITYCENTER.COM

19:32: The Internet Communication shield has blocked access to: WWW.XPSECURITYCENTER.COM

19:31: The Internet Communication shield has blocked access to: WWW.XPSECURITYCENTER.COM

[...]

I wonder whether I haven't picked up some piece of crapware, even though apart from that there's nothing to report. I run scans regularly with different anti-spyware tools (Spy Sweeper, Spybot S&D), I have a good antivirus (NOD32), all of it up to date.

Here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 22:06:11, on 22/12/2008

Platform: Windows Vista SP1 (WinNT 6.00.1905)

MSIE: Internet Explorer v7.00 (7.00.6001.18000)

Boot mode: Normal

 

Running processes:

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

C:\Program Files\Apoint2K\Apoint.exe

C:\Windows\System32\hkcmd.exe

C:\Windows\system32\igfxsrvc.exe

C:\Windows\System32\igfxpers.exe

C:\Program Files\Apoint2K\ApMsgFwd.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Program Files\Mozilla Firefox\firefox.exe

O:\Progs\HiJackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: (no name) - MRI_DISABLED - (no file)

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)

O4 - HKLM\..\Run: [iAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice

O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint2K\Apoint.exe"

O4 - HKLM\..\Run: [igfxTray] "C:\Windows\system32\igfxtray.exe"

O4 - HKLM\..\Run: [HotKeysCmds] "C:\Windows\system32\hkcmd.exe"

O4 - HKLM\..\Run: [Persistence] "C:\Windows\system32\igfxpers.exe"

O4 - HKLM\..\Run: [Look 'n' Stop] "C:\Program Files\Soft4Ever\looknstop\looknstop.exe" -auto

O4 - HKLM\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray

O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000

O9 - Extra button: Envoyer à OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)

O9 - Extra 'Tools' menuitem: &Envoyer à OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (no file)

O13 - Gopher Prefix:

O15 - Trusted Zone: http://www.pilotcms.info

O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe

O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: Look 'n' Stop Service (lnssvcVista) - Unknown owner - C:\Program Files\Soft4Ever\looknstop\LnsSvcVista.exe

O23 - Service: Microsoft Office Diagnostics Service (odserv) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE (file missing)

O23 - Service: Office Source Engine (ose) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (file missing)

O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe

O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

O23 - Service: wampapache - Apache Software Foundation - c:\wamp\bin\apache\apache2.2.8\bin\httpd.exe

O23 - Service: wampmysqld - Unknown owner - c:\wamp\bin\mysql\mysql5.0.51b\bin\mysqld-nt.exe

O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

 

--

End of file - 6616 bytes

So, any reason to worry?

Thanks in advance for your analysis!

Edited by ThePilot

Posted

Small bump:

According to Spy Sweeper:

13:16: Warning: DoInject :\Device\HarddiskVolume1\Windows\System32\svchost.exe

13:16: Warning: DoInject :\Device\HarddiskVolume1\Windows\System32\svchost.exe

13:16: Warning: DoInject :\Device\HarddiskVolume1\Windows\System32\svchost.exe

13:16: Warning: DoInject :\Device\HarddiskVolume1\Windows\System32\svchost.exe

13:16: Warning: DoInject :\Device\HarddiskVolume1\Windows\System32\svchost.exe

Posted (edited)

We make do with what we have.

So I did what you said, styx (nothing dangerous, apparently...); here's the Malwarebytes log:

Malwarebytes' Anti-Malware 1.31

Version de la base de données: 1541

Windows 6.0.6001 Service Pack 1

 

12/24/2008 7:52:52 PM

mbam-log-2008-12-24 (19-52-52).txt

 

Type de recherche: Examen complet (C:\|D:\|)

Eléments examinés: 166810

Temps écoulé: 1 hour(s), 18 minute(s), 34 second(s)

 

Processus mémoire infecté(s): 0

Module(s) mémoire infecté(s): 0

Clé(s) du Registre infectée(s): 0

Valeur(s) du Registre infectée(s): 0

Elément(s) de données du Registre infecté(s): 1

Dossier(s) infecté(s): 0

Fichier(s) infecté(s): 0

 

Processus mémoire infecté(s):

(Aucun élément nuisible détecté)

 

Module(s) mémoire infecté(s):

(Aucun élément nuisible détecté)

 

Clé(s) du Registre infectée(s):

(Aucun élément nuisible détecté)

 

Valeur(s) du Registre infectée(s):

(Aucun élément nuisible détecté)

 

Elément(s) de données du Registre infecté(s):

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

 

Dossier(s) infecté(s):

(Aucun élément nuisible détecté)

 

Fichier(s) infecté(s):

(Aucun élément nuisible détecté)

 

-> threat removed

Merry Christmas to all!

Edited by ThePilot

Posted

Good evening, that was only a registry setting, nothing more. :P

Spy Sweeper isn't exactly a powerhouse anyway.

The machine may well have nothing wrong with it, in fact. Let's check, in detail:

Download random's system information tool (RSIT) by random/random and save it to the Desktop.

  • Double-click RSIT.exe to launch RSIT.
  • Click Continue on the Disclaimer screen.
  • If HijackThis (up-to-date version) is not present or not detected on the computer, RSIT will download it (allow access in your firewall if asked) and you will have to accept the licence.
  • When the scan is finished, two text files will open. Post the contents of log.txt (<<which will be displayed) as well as info.txt (<<which will be minimized in the Taskbar).
  • NB: The reports are saved in the folder C:\rsit
    So that makes two reports. :P

Posted

Thanks for taking care of my case :P

Here are the logs:

log.txt:

Logfile of random's system information tool 1.05 (written by random/random)

Run by Administrator at 2008-12-25 00:19:30

Microsoft® Windows Vista Home Premium Service Pack 1

System drive C: has 106 GB (59%) free of 179 GB

Total RAM: 3061 MB (71% free)

 

 

======Scheduled tasks folder======

 

C:\Windows\tasks\HPCeeScheduleForowner.job

C:\Windows\tasks\User_Feed_Synchronization-{C162C5DA-B469-4EAD-86EA-198F3EC7567E}.job

 

======Registry dump======

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]

Java Plug-In SSV Helper - C:\Program Files\Java\jre6\bin\ssv.dll [2008-12-15 320920]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]

Java Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2008-12-15 34816]

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]

"IAAnotif"=C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe [2007-10-03 178712]

"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2008-12-15 136600]

"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2008-01-21 1008184]

"egui"=C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe [2008-07-01 1447168]

"Apoint"=C:\Program Files\Apoint2K\Apoint.exe [2007-10-25 212992]

"IgfxTray"=C:\Windows\system32\igfxtray.exe [2008-02-12 141848]

"HotKeysCmds"=C:\Windows\system32\hkcmd.exe [2008-02-12 166424]

"Persistence"=C:\Windows\system32\igfxpers.exe [2008-02-12 133656]

"Look 'n' Stop"=C:\Program Files\Soft4Ever\looknstop\looknstop.exe [2008-08-18 557056]

"SpySweeper"=C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe [2008-08-09 5418864]

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"Malwarebytes' Anti-Malware"=C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe [2008-12-03 399504]

"Malwarebytes Anti-Malware (reboot)"=C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe [2008-12-03 1265296]

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

"HPADVISOR"=C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun []

"LightScribe Control Panel"=C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe [2007-08-24 455968]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-10-15 39792]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe []

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]

C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe []

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]

C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe [2007-10-04 480560]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]

[]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [2005-08-11 81920]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]

[]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]

C:\Program Files\HP\QuickPlay\QPService.exe []

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

C:\Program Files\QuickTime\QTTask.exe [2008-05-27 413696]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RunSpySweeperScheduleAtStartup]

[]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UCam_Menu]

C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe C:\Program Files\CyberLink\YouCam update Software\CyberLink\YouCam\1.0 []

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\CCleaner.exe]

CCleaner.exe []

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\uninst.exe]

uninst.exe []

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]

C:\Windows\system32\igfxdev.dll [2008-02-11 204800]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WebrootSpySweeperService]

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]

"dontdisplaylastusername"=0

"legalnoticecaption"=

"legalnoticetext"=

"shutdownwithoutlogon"=1

"undockwithoutlogon"=1

"EnableUIADesktopToggle"=0

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]

"NoDesktopCleanupWizard"=1

"NoDriveTypeAutoRun"=145

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"C:\Program Files\EarthLink TotalAccess\TaskPanl.exe"="C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink"

"C:\Program Files\BitTorrent\bittorrent.exe"="C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent"

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

 

======List of files/folders created in the last 1 months======

 

2008-12-25 00:19:30 ----D---- C:\rsit

2008-12-25 00:19:30 ----D---- \rsit

2008-12-24 18:29:51 ----D---- C:\Users\Administrator\AppData\Roaming\Malwarebytes

2008-12-24 18:29:39 ----D---- C:\Program Files\Malwarebytes' Anti-Malware

2008-12-24 18:21:41 ----A---- C:\Windows\ntbtlog.txt

2008-12-23 11:44:53 ----D---- C:\Users\Administrator\AppData\Roaming\Webroot

2008-12-23 11:44:53 ----D---- C:\Users\Administrator\AppData\Roaming\Notepad++

2008-12-23 11:44:53 ----D---- C:\Users\Administrator\AppData\Roaming\Mozilla

2008-12-23 11:44:53 ----D---- C:\Users\Administrator\AppData\Roaming\Identities

2008-12-23 11:38:47 ----SD---- C:\Users\Administrator\AppData\Roaming\Microsoft

2008-12-23 11:38:47 ----D---- C:\Users\Administrator\AppData\Roaming\Media Center Programs

2008-12-23 10:27:34 ----D---- C:\Program Files\EVEREST

2008-12-23 01:43:56 ----D---- C:\perflogs

2008-12-23 01:43:56 ----D---- \perflogs

2008-12-18 18:31:58 ----A---- C:\Windows\system32\mshtml.dll

2008-12-15 20:00:37 ----A---- C:\Windows\system32\javaws.exe

2008-12-15 20:00:37 ----A---- C:\Windows\system32\javaw.exe

2008-12-15 20:00:37 ----A---- C:\Windows\system32\java.exe

2008-12-15 20:00:37 ----A---- C:\Windows\system32\deploytk.dll

2008-12-14 19:06:29 ----D---- C:\!KillBox

2008-12-14 19:06:29 ----D---- \!KillBox

2008-12-12 18:29:06 ----A---- C:\Windows\system32\tzres.dll

2008-12-11 23:21:39 ----A---- C:\Windows\system32\mf.dll

2008-12-11 23:21:38 ----A---- C:\Windows\system32\WMVCORE.DLL

2008-12-11 23:21:38 ----A---- C:\Windows\system32\WMNetMgr.dll

2008-12-11 23:21:37 ----A---- C:\Windows\system32\logagent.exe

2008-12-11 23:21:33 ----A---- C:\Windows\system32\gdi32.dll

2008-12-11 23:21:28 ----A---- C:\Windows\system32\GameUXLegacyGDFs.dll

2008-12-11 23:21:28 ----A---- C:\Windows\system32\Apphlpdm.dll

2008-12-11 23:21:20 ----A---- C:\Windows\system32\shell32.dll

2008-12-11 23:21:09 ----A---- C:\Windows\explorer.exe

2008-12-11 23:21:03 ----A---- C:\Windows\system32\urlmon.dll

2008-12-11 23:21:03 ----A---- C:\Windows\system32\ieframe.dll

2008-12-11 23:21:02 ----A---- C:\Windows\system32\wininet.dll

2008-12-11 23:21:02 ----A---- C:\Windows\system32\mstime.dll

2008-12-11 23:21:01 ----A---- C:\Windows\system32\iertutil.dll

2008-12-11 23:21:00 ----A---- C:\Windows\system32\jsproxy.dll

2008-11-26 20:16:15 ----A---- C:\Windows\system32\PortableDeviceApi.dll

2008-11-26 19:56:09 ----A---- C:\Windows\system32\WindowsCodecsExt.dll

2008-11-26 19:56:09 ----A---- C:\Windows\system32\WindowsCodecs.dll

2008-11-26 19:56:09 ----A---- C:\Windows\system32\PhotoMetadataHandler.dll

2008-11-26 19:56:08 ----A---- C:\Windows\system32\connect.dll

 

======List of files/folders modified in the last 1 months======

 

2008-12-25 00:19:38 ----D---- C:\Windows\Temp

2008-12-24 20:25:34 ----SHD---- C:\System Volume Information

2008-12-24 20:25:34 ----SHD---- \System Volume Information

2008-12-24 19:59:01 ----D---- C:\Windows\System32

2008-12-24 19:59:01 ----D---- C:\Windows\inf

2008-12-24 19:59:01 ----A---- C:\Windows\system32\PerfStringBackup.INI

2008-12-24 18:29:44 ----D---- C:\Windows\system32\drivers

2008-12-24 18:29:40 ----HD---- C:\ProgramData

2008-12-24 18:29:40 ----HD---- \ProgramData

2008-12-24 18:29:39 ----D---- C:\Program Files

2008-12-24 18:29:39 ----D---- \Program Files

2008-12-24 18:25:15 ----D---- C:\Windows

2008-12-24 18:25:15 ----D---- \Windows

2008-12-24 15:06:45 ----D---- C:\Program Files\Steam

2008-12-23 12:02:17 ----D---- C:\Program Files\Mozilla Firefox

2008-12-23 11:55:27 ----RD---- C:\Users

2008-12-23 11:55:27 ----RD---- \Users

2008-12-23 00:46:25 ----SHD---- C:\$RECYCLE.BIN

2008-12-23 00:46:25 ----SHD---- \$RECYCLE.BIN

2008-12-21 18:47:03 ----D---- C:\Windows\Tasks

2008-12-20 02:19:44 ----D---- C:\Windows\system32\catroot2

2008-12-18 18:32:24 ----D---- C:\Windows\winsxs

2008-12-18 18:32:11 ----D---- C:\Windows\system32\catroot

2008-12-15 20:00:56 ----SHD---- C:\Windows\Installer

2008-12-15 20:00:50 ----SHD---- C:\Config.Msi

2008-12-15 20:00:50 ----SHD---- \Config.Msi

2008-12-15 20:00:16 ----D---- C:\Program Files\Java

2008-12-14 22:55:20 ----D---- C:\Windows\Debug

2008-12-14 21:32:33 ----D---- C:\Program Files\Common Files\Steam

2008-12-12 19:50:08 ----D---- C:\Windows\rescache

2008-12-12 19:31:54 ----D---- C:\Windows\AppPatch

2008-12-12 19:31:54 ----D---- C:\Program Files\Windows Mail

2008-12-12 19:31:53 ----D---- C:\Windows\system32\en-US

2008-12-10 00:24:37 ----A---- C:\Windows\system32\mrt.exe

2008-12-06 16:26:24 ----D---- C:\Program Files\Spybot - Search & Destroy

 

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

 

R1 easdrv;easdrv; C:\Windows\system32\DRIVERS\easdrv.sys [2008-07-01 53256]

R1 epfwtdir;epfwtdir; C:\Windows\system32\DRIVERS\epfwtdir.sys [2008-07-01 34312]

R1 lnsfw1;lnsfw1; C:\Windows\system32\drivers\lnsfw1.sys [2008-08-18 79232]

R1 SCDEmu;SCDEmu; C:\Windows\system32\drivers\SCDEmu.sys [2008-07-07 56108]

R2 eamon;EAMON; C:\Windows\system32\DRIVERS\eamon.sys [2008-07-01 39944]

R2 mdmxsdk;mdmxsdk; C:\Windows\system32\DRIVERS\mdmxsdk.sys [2006-06-19 12672]

R2 XAudio;XAudio; C:\Windows\system32\DRIVERS\xaudio.sys [2007-10-18 8704]

R3 ApfiltrService;Alps Pointing-device Filter Driver; C:\Windows\system32\DRIVERS\Apfiltr.sys [2007-10-29 162088]

R3 athr;Atheros Extensible Wireless LAN device driver; C:\Windows\system32\DRIVERS\athr.sys [2007-05-30 735232]

R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\Windows\system32\DRIVERS\CmBatt.sys [2008-01-21 14208]

R3 CnxtHdAudService;Conexant UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\CHDRT32.sys [2008-02-27 201728]

R3 HBtnKey;HBtnKey; C:\Windows\system32\DRIVERS\cpqbttn.sys [2005-09-19 9344]

R3 HSF_DPV;HSF_DPV; C:\Windows\system32\DRIVERS\HSX_DPV.sys [2007-11-01 985600]

R3 HSXHWAZL;HSXHWAZL; C:\Windows\system32\DRIVERS\HSXHWAZL.sys [2007-11-01 208896]

R3 igfx;igfx; C:\Windows\system32\DRIVERS\igdkmd32.sys [2008-02-12 2302976]

R3 RTL8023xp;Realtek 10/100 NIC Family NDIS x86 Driver; C:\Windows\system32\DRIVERS\Rtnicxp.sys [2008-07-22 51200]

R3 RTSTOR;Realtek USB 2.0 Card Reader; C:\Windows\system32\drivers\RTSTOR.SYS [2008-06-23 62464]

R3 SFilter;Look 'n' Stop Driver; C:\Windows\system32\DRIVERS\lnsfw.sys [2008-08-18 58232]

R3 SSKBFD;Webroot Spy Sweeper Keylogger Shield Keyboard Filter; C:\Windows\System32\Drivers\sskbfd.sys [2008-01-05 23920]

R3 usbvideo;USB Video Device (WDM); C:\Windows\System32\Drivers\usbvideo.sys [2008-01-21 134016]

R3 winachsf;winachsf; C:\Windows\system32\DRIVERS\HSX_CNXT.sys [2007-11-01 661504]

R3 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\DRIVERS\wmiacpi.sys [2008-01-21 11264]

S3 adipfusb;ADI USB RNDIS Compatible Network Device - AD6489; C:\Windows\system32\DRIVERS\adipfusb.sys [2005-05-12 28182]

S3 BCM43XV;Broadcom Extensible 802.11 Network Adapter Driver; C:\Windows\system32\DRIVERS\bcmwl6.sys [2006-11-02 464384]

S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-21 5632]

S3 EagleNT;EagleNT; \??\C:\Windows\system32\drivers\EagleNT.sys []

S3 HdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\CHDART.sys [2007-10-11 176640]

S3 HpqKbFiltr;HpqKbFilter Driver; C:\Windows\system32\DRIVERS\HpqKbFiltr.sys [2007-06-19 16768]

S3 HSFHWAZL;HSFHWAZL; C:\Windows\system32\DRIVERS\VSTAZL3.SYS [2008-01-21 200704]

S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-21 8192]

S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-21 5888]

S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-21 5504]

S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-21 6016]

S3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\Windows\system32\DRIVERS\nvm60x32.sys [2006-11-02 429056]

S3 usbscan;USB Scanner Driver; C:\Windows\system32\DRIVERS\usbscan.sys [2008-01-21 35328]

S3 WpdUsb;WpdUsb; C:\Windows\system32\DRIVERS\wpdusb.sys [2008-01-21 39936]

S3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-21 83328]

S4 ErrDev;Microsoft Hardware Error Device Driver; C:\Windows\system32\drivers\errdev.sys [2008-01-21 6656]

S4 MegaSR;MegaSR; C:\Windows\system32\drivers\megasr.sys [2008-01-21 386616]

 

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

 

R2 ekrn;Eset Service; C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe [2008-07-01 468224]

R2 hpqwmiex;hpqwmiex; C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe [2007-12-06 144688]

R2 IAANTMON;Intel® Matrix Storage Event Monitor; C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe [2007-10-03 358936]

R2 LightScribeService;LightScribeService Direct Disc Labeling Service; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [2007-08-24 79136]

R2 lnssvcVista;Look 'n' Stop Service; C:\Program Files\Soft4Ever\looknstop\LnsSvcVista.exe [2008-08-18 14848]

R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine; C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe [2008-08-09 3585384]

R2 XAudioService;XAudioService; C:\Windows\system32\DRIVERS\xaudio.exe [2007-10-18 386560]

R3 usnjsvc;Service Messenger Sharing Folders USN Journal Reader; C:\Program Files\Windows Live\Messenger\usnsvc.exe [2007-10-18 98328]

S3 EhttpSrv;Eset HTTP Server; C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe [2008-07-01 19200]

S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]

S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE []

S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE []

S3 SolidWorks Licensing Service;SolidWorks Licensing Service; C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe [2008-10-14 79360]

S3 Steam Client Service;Steam Client Service; C:\Program Files\Common Files\Steam\SteamService.exe [2008-12-08 104944]

S3 Symantec Core LC;Symantec Core LC; C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe [2008-02-22 1245064]

S3 wampapache;wampapache; c:\wamp\bin\apache\apache2.2.8\bin\httpd.exe [2008-01-18 24635]

S3 wampmysqld;wampmysqld; c:\wamp\bin\mysql\mysql5.0.51b\bin\mysqld-nt.exe [2008-04-18 5750784]

 

-----------------EOF-----------------

And info.txt:

info.txt logfile of random's system information tool 1.05 2008-12-25 00:20:24

 

======Uninstall list======

 

-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0

-->C:\Program Files\Conexant\SmartAudio\SETUP.EXE -U -ISmartAudio -SM=SMAUDIO.EXE,1801

2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}

2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}

2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}

2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173}

2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {430971B1-C31E-45DA-81E0-72C095BAB72C}

2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {F7A31780-33C4-4E39-951A-5EC9B91D7BF1}

2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}

2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}

2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}

2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419}

3DVIA player 4.1-->MsiExec.exe /X{4E868D3D-6EEB-4273-926C-2287236B5B79}

Adobe Flash Player 10 Plugin-->C:\Windows\system32\Macromed\Flash\uninstall_plugin.exe

Adobe Flash Player ActiveX-->C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe

Adobe Reader 8.1.3-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81300000003}

Adobe Shockwave Player-->MsiExec.exe /X{1BDC9633-895B-4842-BCB6-8FA1EC2A3C5A}

Archiveur WinRAR-->C:\Program Files\WinRAR\uninstall.exe

Atheros Driver Installation Program-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{28006915-2739-4EBE-B5E8-49B25D32EB33}\setup.exe" -l0x9 -removeonly

Conexant HD Audio-->C:\Program Files\CONEXANT\CNXT_AUDIO_HDA\UIU32a.exe -U -ILEOHERza.INF

Counter-Strike: Source-->MsiExec.exe /I{9580813D-94B1-4C28-9426-A441E2BB29A5}

ESET NOD32 Antivirus-->MsiExec.exe /I{6229EFBA-A122-490C-B660-A5409FA15A31}

FileZilla Client 3.1.5-->C:\Program Files\FileZilla FTP Client\uninstall.exe

GIMP 2.4.6-->"C:\Program Files\GIMP-2.0\setup\unins000.exe"

HDAUDIO Soft Data Fax Modem with SmartCP-->C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_HERMOSA_HSF\UIU32m.exe -U -IHPQHERzm.inf

HijackThis 2.0.2-->"O:\Progs\HijackThis.exe" /uninstall

HP Doc Viewer-->MsiExec.exe /I{082702D5-5DD8-4600-BCE5-48B15174687F}

HP User Guides 0092-->MsiExec.exe /I{85833A03-476B-43B3-B61C-5EB946DBF6E4}

HP Wireless Assistant-->MsiExec.exe /I{CBAE4F50-9FC9-4557-AB36-9826DF3C103C}

Intel® Graphics Media Accelerator Driver-->C:\Windows\system32\igxpun.exe -uninstall

Intel® Matrix Storage Manager-->C:\Windows\System32\Imsmudlg.exe

Intel® TV Wizard-->C:\Windows\system32\TVWizudlg.exe -uninstall

Java 6 Update 11-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216011FF}

Java 6 Update 2-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}

Java 6 Update 4-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160040}

Java 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}

Look 'n' Stop 2.06p3-->"C:\Program Files\Soft4Ever\looknstop\looknstop.exe" -uninst

Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"

Maple 12-->"C:\Program Files\Maple 12\Uninstall_Maple 12\Uninstall Maple 12.exe"

Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}

Mozilla Firefox (3.0.5)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe

MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}

MSXML 4.0 SP2 (KB941833)-->MsiExec.exe /I{C523D256-313D-4866-B36A-F3DE528246EF}

MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}

Notepad++-->C:\Program Files\Notepad++\uninstall.exe

OpenOffice.org 2.4-->MsiExec.exe /I{A122962F-331A-4C2E-93DB-AD92D8A4FB14}

PowerISO-->"C:\Program Files\PowerISO\uninstall.exe"

QuickTime-->MsiExec.exe /I{08CA9554-B5FE-4313-938F-D4A417B81175}

RealPlayer-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0

Realtek 8139 and 8139C+ Ethernet Network Card Driver for Windows Vista-->C:\Program Files\InstallShield Installation Information\{AE46ABD3-D625-467F-B5A7-8D3FFF077F0D}\setup.exe -runfromtemp -l0x0009 -removeonly

Realtek USB 2.0 Card Reader-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DC24971E-1946-445D-8A82-CE685433FA7D}\setup.exe" -l0x9 -removeonly

Recuva (remove only)-->"C:\Program Files\Recuva\uninst.exe"

Security Update for 2007 Microsoft Office System (KB951596)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {1AFF2298-CC00-4A3B-866A-C62B8373794E}

Security Update for 2007 Microsoft Office System (KB951944)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {797AE457-BA17-4BBC-B501-25FB3A0103C7}

Security Update for Microsoft Office Excel 2007 (KB951546)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {7399DD71-8E24-4E60-B6A8-6CED89C0AC26}

Security Update for Microsoft Office OneNote 2007 (KB950130)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {F1B2401C-B610-4BF2-AA1C-52C55827A8F4}

Security Update for Microsoft Office PowerPoint 2007 (KB951338)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {558B709B-821B-4FC5-90FC-9A8890641E77}

Security Update for Microsoft Office system 2007 (KB951808)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {8F375E11-4FD6-4B89-9E2B-A76D48B51E00}

Security Update for Microsoft Office system 2007 (KB954326)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {5F7F6FFF-395D-480E-8450-64F385D82C5F}

Security Update for Microsoft Office Word 2007 (KB950113)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {AD72BABE-C733-4FCF-9674-4314466191B9}

SolidWorks 2008 SP0-->MsiExec.exe /I{CE3DA0AA-6784-4548-84B6-E0F89637E407}

Spy Sweeper Core-->MsiExec.exe /I{3F5B6210-0903-4DC6-8034-8F488AA3A782}

Spy Sweeper-->"C:\Program Files\Webroot\Spy Sweeper\unins000.exe"

Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"

Steam-->MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}

TBS WMP Plug-in-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{13515135-48BB-4184-8C1F-2FAE0138E200}

Touch Pad Driver-->C:\Program Files\Apoint2K\Uninstap.exe ADDREMOVE

Update for Office 2007 (KB946691)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}

VideoLAN VLC media player 0.8.6i-->C:\Program Files\VideoLAN\VLC\uninstall.exe

WampServer 2.0-->"c:\wamp\unins000.exe"

WeatherBug Gadget-->MsiExec.exe /I{209CDA54-D390-46A2-A97C-7BF61734418D}

Winamp-->"C:\Program Files\Winamp\UninstWA.exe"

Windows Installer Clean Up-->MsiExec.exe /X{121634B0-2F4B-11D3-ADA3-00C04F52DD52}

Windows Live Messenger-->MsiExec.exe /X{BADF6744-3787-48F6-B8C9-4C4995401D65}

Windows Media Player Firefox Plugin-->MsiExec.exe /I{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}

 

=====HijackThis Backups=====

 

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O9 - Extra 'Tools' menuitem: &Envoyer à OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)

O2 - BHO: (no name) - MRI_DISABLED - (no file)

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (no file)

O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)

O9 - Extra button: Envoyer à OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)

O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

 

======Hosts File======

 

127.0.0.1 localhost

127.0.0.1 rad.msn.com

127.0.0.1 rad.live.com

127.0.0.1 www.007guard.com

127.0.0.1 007guard.com

127.0.0.1 008i.com

127.0.0.1 www.008k.com

127.0.0.1 008k.com

127.0.0.1 www.00hq.com

127.0.0.1 00hq.com

 

======Security center information======

 

AV: ESET NOD32 Antivirus 3.0

FW: Look 'n' Stop 2.06p3 (Soft4Ever)

AS: ESET NOD32 Antivirus 3.0

AS: Windows Defender

AS: Webroot Spy Sweeper

 

System event log

 

Computer Name: FADEC

Event Code: 4201

Message: The system detected that network adapter Wireless Network Connection was connected to the network, and has initiated normal operation.

Record Number: 62328

Source Name: Tcpip

Time Written: 20081224230735.560806-000

Event Type: Information

User:

 

Computer Name: FADEC

Event Code: 4201

Message: The system detected that network adapter Wireless Network Connection was connected to the network, and has initiated normal operation.

Record Number: 62329

Source Name: Tcpip

Time Written: 20081224230735.560806-000

Event Type: Information

User:

 

Computer Name: FADEC

Event Code: 4201

Message: The system detected that network adapter Wireless Network Connection was connected to the network, and has initiated normal operation.

Record Number: 62330

Source Name: Tcpip

Time Written: 20081224230906.680406-000

Event Type: Information

User:

 

Computer Name: FADEC

Event Code: 4201

Message: The system detected that network adapter Wireless Network Connection was connected to the network, and has initiated normal operation.

Record Number: 62331

Source Name: Tcpip

Time Written: 20081224230906.680406-000

Event Type: Information

User:

 

Computer Name: FADEC

Event Code: 1003

Message: Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 001FE11C3585. The following error occurred:

The semaphore timeout period has expired.. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.

Record Number: 62332

Source Name: Microsoft-Windows-Dhcp-Client

Time Written: 20081224230932.000000-000

Event Type: Warning

User:

 

Application event log

 

Computer Name: FADEC

Event Code: 3083

Message: The protocol handler Search.OneIndexHandler.1 cannot be loaded. Error description: Class not registered.

 

Record Number: 13670

Source Name: Microsoft-Windows-Search

Time Written: 20081224215501.000000-000

Event Type: Error

User:

 

Computer Name: FADEC

Event Code: 8224

Message: The VSS service is shutting down due to idle timeout.

Record Number: 13671

Source Name: VSS

Time Written: 20081224230305.000000-000

Event Type: Information

User:

 

Computer Name: FADEC

Event Code: 3083

Message: The protocol handler Search.OneIndexHandler.1 cannot be loaded. Error description: Class not registered.

 

Record Number: 13672

Source Name: Microsoft-Windows-Search

Time Written: 20081224231935.000000-000

Event Type: Error

User:

 

Computer Name: FADEC

Event Code: 5

Message: Unsupported service control request (see data below)

Record Number: 13673

Source Name: LightScribeService

Time Written: 20081224232024.000000-000

Event Type: Information

User:

 

Computer Name: FADEC

Event Code: 102

Message: msnmsgr (1204) \\.\C:\Users\owner\AppData\Local\Microsoft\Messenger\MONADRESSE\SharingMetadata\Working\database_DF3_7209_8C6_AAC2\dfsr.db: The database engine (6.00.6001.0000) started a new instance (0).

Record Number: 13674

Source Name: ESENT

Time Written: 20081224232049.000000-000

Event Type: Information

User:

 

Security event log

 

Computer Name: FADEC

Event Code: 5032

Message: Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.

 

Error Code: 2

Record Number: 17669

Source Name: Microsoft-Windows-Security-Auditing

Time Written: 20081224230909.956406-000

Event Type: Audit Failure

User:

 

Computer Name: FADEC

Event Code: 5032

Message: Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.

 

Error Code: 2

Record Number: 17670

Source Name: Microsoft-Windows-Security-Auditing

Time Written: 20081224230909.956406-000

Event Type: Audit Failure

User:

 

Computer Name: FADEC

Event Code: 4648

Message: A logon was attempted using explicit credentials.

 

Subject:

Security ID: S-1-5-18

Account Name: FADEC$

Account Domain: HOME

Logon ID: 0x3e7

Logon GUID: {00000000-0000-0000-0000-000000000000}

 

Account Whose Credentials Were Used:

Account Name: Administrator

Account Domain: FADEC

Logon GUID: {00000000-0000-0000-0000-000000000000}

 

Target Server:

Target Server Name: localhost

Additional Information: localhost

 

Process Information:

Process ID: 0x9ec

Process Name: C:\Windows\System32\consent.exe

 

Network Information:

Network Address: ::1

Port: 0

 

This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.

Record Number: 17671

Source Name: Microsoft-Windows-Security-Auditing

Time Written: 20081224231909.958206-000

Event Type: Audit Success

User:

 

Computer Name: FADEC

Event Code: 4624

Message: An account was successfully logged on.

 

Subject:

Security ID: S-1-5-18

Account Name: FADEC$

Account Domain: HOME

Logon ID: 0x3e7

 

Logon Type: 2

 

New Logon:

Security ID: S-1-5-21-3870714522-2822382875-2873144690-500

Account Name: Administrator

Account Domain: FADEC

Logon ID: 0x3a765c

Logon GUID: {00000000-0000-0000-0000-000000000000}

 

Process Information:

Process ID: 0x9ec

Process Name: C:\Windows\System32\consent.exe

 

Network Information:

Workstation Name: FADEC

Source Network Address: ::1

Source Port: 0

 

Detailed Authentication Information:

Logon Process: CredPro

Authentication Package: Negotiate

Transited Services: -

Package Name (NTLM only): -

Key Length: 0

 

This event is generated when a logon session is created. It is generated on the computer that was accessed.

 

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

 

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

 

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

 

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

 

The authentication information fields provide detailed information about this specific logon request.

- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.

- Transited services indicate which intermediate services have participated in this logon request.

- Package name indicates which sub-protocol was used among the NTLM protocols.

- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

Record Number: 17672

Source Name: Microsoft-Windows-Security-Auditing

Time Written: 20081224231909.958206-000

Event Type: Audit Success

User:

 

Computer Name: FADEC

Event Code: 4672

Message: Special privileges assigned to new logon.

 

Subject:

Security ID: S-1-5-21-3870714522-2822382875-2873144690-500

Account Name: Administrator

Account Domain: FADEC

Logon ID: 0x3a765c

 

Privileges: SeSecurityPrivilege

SeTakeOwnershipPrivilege

SeLoadDriverPrivilege

SeBackupPrivilege

SeRestorePrivilege

SeDebugPrivilege

SeSystemEnvironmentPrivilege

SeImpersonatePrivilege

Record Number: 17673

Source Name: Microsoft-Windows-Security-Auditing

Time Written: 20081224231909.958206-000

Event Type: Audit Success

User:

 

======Environment variables======

 

"ComSpec"=%SystemRoot%\system32\cmd.exe

"FP_NO_HOST_CHECK"=NO

"OS"=Windows_NT

"Path"=C:\watcom-1.3\binnt;C:\watcom-1.3\binw;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\CyberLink\Power2Go\;C:\Program Files\QuickTime\QTSystem\

"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC

"PROCESSOR_ARCHITECTURE"=x86

"TEMP"=%SystemRoot%\TEMP

"TMP"=%SystemRoot%\TEMP

"USERNAME"=SYSTEM

"windir"=%SystemRoot%

"PROCESSOR_LEVEL"=6

"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 15 Stepping 13, GenuineIntel

"PROCESSOR_REVISION"=0f0d

"NUMBER_OF_PROCESSORS"=2

"TRACE_FORMAT_SEARCH_PATH"=\\NTREL202.ntdev.corp.microsoft.com\4F18C3A5-CA09-4DBD-B6FC-219FDD4C6BE0\TraceFormat

"DFSTRACINGON"=FALSE

"PLATFORM"=MCD

"PCBRAND"=Presario

"OnlineServices"=Online Services

"USERPART"=E:

"CLASSPATH"=.;C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip

"QTJAVA"=C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip

"KMP_DUPLICATE_LIB_OK"=TRUE

"WATCOM"=C:\watcom-1.3

 

-----------------EOF-----------------
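The three Security-log records in the report above (4648, then 4624 with Logon Type 2, then 4672, all at the same timestamp and all from consent.exe) are a single UAC elevation: consent.exe is the UAC prompt, and here it logged the built-in Administrator (SID ending in -500) on through the credential provider (Logon Process: CredPro), after which that logon was handed SeDebugPrivilege and SeLoadDriverPrivilege among others. What a practitioner wants to check when triaging such a dump is that the process behind the elevation really is consent.exe and what rights the resulting session got. The script below is an added example, not part of the thread and not RSIT's or Webroot's code: it parses the "Computer Name: / Event Code: / ... " blocks exactly as RSIT prints them and joins the three records by process ID and logon ID. The SAMPLE text is constructed by trimming the posted blocks to the fields used; the function names and the HIGH_RISK set are the example's own choices.

```python
# Added example (not from the thread, not RSIT's code): parse the Security
# event log blocks RSIT prints and correlate 4648 -> 4624 -> 4672 so that a
# built-in Administrator elevation, and the process behind it, can be checked.
import re
from collections import defaultdict

# Constructed sample: the three posted records, trimmed to the fields used.
SAMPLE = r"""Computer Name: FADEC
Event Code: 4648
Account Whose Credentials Were Used:
Account Name: Administrator
Process ID: 0x9ec
Process Name: C:\Windows\System32\consent.exe
Record Number: 17671

Computer Name: FADEC
Event Code: 4624
Subject:
Security ID: S-1-5-18
Account Name: FADEC$
Logon ID: 0x3e7
Logon Type: 2
New Logon:
Security ID: S-1-5-21-3870714522-2822382875-2873144690-500
Account Name: Administrator
Logon ID: 0x3a765c
Process ID: 0x9ec
Process Name: C:\Windows\System32\consent.exe
Logon Process: CredPro
Record Number: 17672

Computer Name: FADEC
Event Code: 4672
Subject:
Security ID: S-1-5-21-3870714522-2822382875-2873144690-500
Account Name: Administrator
Logon ID: 0x3a765c
Privileges: SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
Record Number: 17673
"""

# Rights that let a session touch the kernel, any process or any file; the
# set is this example's choice, not something RSIT or Windows defines.
HIGH_RISK = {"SeDebugPrivilege", "SeLoadDriverPrivilege", "SeTakeOwnershipPrivilege",
             "SeBackupPrivilege", "SeRestorePrivilege"}


def _field(block, name, after=None):
    """Value of 'name: value' in block. RSIT repeats Security ID / Account Name /
    Logon ID once per section, so `after` restricts the search to the text past
    a section header such as "Subject:" or "New Logon:"."""
    start = 0
    if after:
        start = block.find(after)
        if start < 0:
            return None
        start += len(after)
    m = re.search(r"^%s:[ \t]*(.*)$" % re.escape(name), block[start:], re.M)
    return m.group(1).strip() if m else None


def parse_events(text):
    """Return (event code, block text) for every 'Computer Name:' block."""
    blocks, cur = [], []
    for line in text.splitlines():
        if line.startswith("Computer Name:") and cur:
            blocks.append("\n".join(cur))
            cur = []
        cur.append(line)
    blocks.append("\n".join(cur))
    return [(int(_field(b, "Event Code")), b) for b in blocks if _field(b, "Event Code")]


def find_elevations(events):
    """Interactive (type 2) logons of a built-in Administrator (RID 500), joined
    to the 4648 with the same process ID and the 4672 with the same new logon ID.
    consent.exe is the UAC prompt, so uac_consent=True is the expected origin;
    any other process in that slot deserves a closer look."""
    by_code = defaultdict(list)
    for code, b in events:
        by_code[code].append(b)
    findings = []
    for b in by_code[4624]:
        sid = _field(b, "Security ID", after="New Logon:") or ""
        if _field(b, "Logon Type") != "2" or not sid.endswith("-500"):
            continue
        logon_id = _field(b, "Logon ID", after="New Logon:")
        account = _field(b, "Account Name", after="New Logon:")
        pid, proc = _field(b, "Process ID"), _field(b, "Process Name") or ""
        privs = {p for x in by_code[4672]
                 if _field(x, "Logon ID", after="Subject:") == logon_id
                 for p in re.findall(r"\bSe\w+Privilege\b", x)}
        explicit = any(_field(x, "Process ID") == pid and
                       _field(x, "Account Name", after="Account Whose Credentials Were Used:") == account
                       for x in by_code[4648])
        findings.append({"record": int(_field(b, "Record Number")), "account": account,
                         "process": proc, "uac_consent": proc.lower().endswith("\\consent.exe"),
                         "explicit_credentials": explicit,
                         "high_risk_privileges": sorted(privs & HIGH_RISK)})
    return findings


if __name__ == "__main__":
    for finding in find_elevations(parse_events(SAMPLE)):
        print(finding)
```

Run against the posted records it reports one finding: record 17672, Administrator, consent.exe (uac_consent True), explicit credentials supplied, and five high-risk privileges granted. Paste a longer RSIT "Security event log" section in place of SAMPLE to scan a whole report; an elevation whose process is not consent.exe, or a type 2 Administrator logon with no matching 4648, is the case worth asking the poster about.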

Posted

Oops, you must have told your firewall to block RSIT from connecting; the HijackThis report isn't in it.

A quick check: on your C:\ drive, do you have one or two folders named "RSIT"?

Your report isn't worrying, but we might as well see it through.

Download Gmer.

Unzip it into a folder or onto your desktop.

Double-click Gmer.exe.

Note: if your antivirus raises an alert for the file gmer.sys or gmer.exe, let it run.

Click the Rootkit/Malware tab (already active).

On the right, tick Files and Services only.

Now click Scan.

When the scan has finished, click Copy.

Open Notepad, then click the Edit menu / Paste.

The report should then appear.

Save the file to your desktop and copy/paste its contents into your next reply.
