[Résolu] Infection PC généralisée par sality.y

croquis · le 4 janvier 2009

Salut

En tentant de désinstaller Antivir, j'ai téléchargé le pack que tu m'as indiqué, l'ai dézippé sur le bureau. Le problème est que tous les fichiers d'Antivir ne sont pas partis.

D'autre part, n'ayant pas reçu de message de redémarrage, j'ai tout de même décidé de rebooter et là, paf! Avant l'apparition des icônes de mon bureau, je reçois le message portant le titre suivant: C:\docume~1\Ahmed\LOCALS~1\Temp\delus.exe.

Le message en lui-même : """Windows cannot find 'C:\docume~1\Ahmed\LOCALS~1\Temp\delus.exe. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.""" Je n'ai que le choix d'appuyer sur OK mais je préfère ne rien faire sans avoir ton aval.

Cordialement,

Croquis

Thanos · le 4 janvier 2009

re!

PAs grave: ignore ce message et passe à la suite: installation de l'antivirus puis lance RSIT

croquis · le 4 janvier 2009

Bonsoir Thanos,

Je n'ai effectivement plus le message susmentionné. Malheureusement, le prog pour désinstaller Antivir ne fait semble-t-il pas son travail car un message apparaît me disant qu'il reste des parties du programmes et que je dois fermer tous les programmes (ils le sont, fermés!); je clique ok pour poursuivre la désinstallation qui semble s'opérer. Mais, premièrement, le programme ne me demande pas de redémarrer l'ordi (ce qui m'étonne). Ensuite, et surtout, lorsque je clique sur ton raccourci "Antivir", l'exe s'installe (extraction de plusieurs fichiers) puis une fenêtre s'ouvre me disant que:

"Un produit de Avira Gmbh est déjà installé sur votre système. Ce produit n'est pas compatible avec le produit que vous souhaitez installer. Vous pouvez désinstaller le produit installé automatiquement et le remplacer par le nouveau. Cette procédure peut prendre quelques minutes et nécessite le redémarrage de votre ordinateur. Souhaitez-vous le faire maintenant?"

Ce à quoi je réponds "yes". Quelques secondes plus tard, nouveau message d'Avira:

"Votre ordinateur va être redémarré."

Je clique donc sur OK. (Jusqu'ici, c'est plutôt une belle histoire) Mais le souci, c'est que j'ai beau attendre, rien ne se passe, absolument rien. J'ai attendu une heure et rien. J'ai tenté de redésinstaller la précédente version, toujours en suivant tes instructions mais j'aboutis toujours aux mêmes messages...

Qu'en penses-tu?

A+

Croquis

Thanos · le 5 janvier 2009

re!

Ok pas grave: on va faire le ménage autrement!

Poste stp le rapport de RSIT pour voir ce qu'il reste d'Antivir sur le pc.

Modifié le 5 janvier 2009 par Thanos

croquis · le 5 janvier 2009

Bonjour Thanos,

Voici les deux logs generes par RSIT. (Au fait, Safe Mode semble maintenant foncionner! )

Logfile of random's system information tool 1.05 (written by random/random)

Run by Ahmed at 2009-01-05 15:42:44

Microsoft Windows XP Professional Service Pack 2

System drive C: has 184 MB (4%) free of 5 GB

Total RAM: 319 MB (40% free)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:42:56 PM, on 1/5/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\MSTMON_N.EXE

D:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe

C:\Program Files\AntiVir PersonalEdition Classic\sched.exe

C:\WINDOWS\system32\atievxx.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Ahmed\Local Settings\Temporary Internet Files\Content.IE5\OH23S9YB\RSIT[1].exe

C:\Program Files\Trend Micro\HijackThis\Ahmed.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [KONICA MINOLTA PagePro 1300WStatusDisplay] C:\WINDOWS\system32\MSTMON_N.EXE

O4 - HKLM\..\Run: [VirtualCloneDrive] "D:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\RunOnce: [AVSetup] C:\DOCUME~1\Ahmed\LOCALS~1\Temp\AVSETUP_4961dac1\basic\setup.exe /CLEANUPSRCFILES /NOTEMPCLEANUP

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=26688

O17 - HKLM\System\CCS\Services\Tcpip\..\{9368B0B3-40BE-406A-AA63-5B2BB2ACE365}: NameServer = 213.131.66.246,213.131.65.20

O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe

O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--

End of file - 4707 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Tune-up Application Start.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

Adobe PDF Reader Link Helper - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-12-18 59032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]

Java Plug-In SSV Helper - C:\Program Files\Java\jre6\bin\ssv.dll [2009-01-04 320920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]

Java Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-01-04 34816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]

JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-01-04 73728]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]

"KONICA MINOLTA PagePro 1300WStatusDisplay"=C:\WINDOWS\system32\MSTMON_N.EXE [2009-01-03 151552]

"VirtualCloneDrive"=D:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe [2006-04-29 94208]

"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-01-04 136600]

"MSConfig"=C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe [2004-08-04 158208]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe []

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"AVSetup"=C:\DOCUME~1\Ahmed\LOCALS~1\Temp\AVSETUP_4961dac1\basic\setup.exe [2008-06-27 635137]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Ahmed^Start Menu^Programs^Startup^Sality_off.exe-m.lnk]

C:\PROGRA~1\SALITY~1\SALITY~1.EXE [2008-12-04 180224]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup

Microsoft Office.lnk - D:\Program Files\Microsoft Office\Office10\OSA.EXE

Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm.sys]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]

"dontdisplaylastusername"=0

"legalnoticecaption"=

"legalnoticetext"=

"shutdownwithoutlogon"=1

"undockwithoutlogon"=1

"EnableLUA"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]

"NoDriveTypeAutoRun"=177

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\Program Files\Yahoo!\Messenger\YPager.exe"="C:\Program Files\Yahoo!\Messenger\YPager.exe:*:Enabled:Yahoo! Messenger"

"C:\Program Files\Yahoo!\Messenger\YServer.exe"="C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server"

"C:\Program Files\MESfone Dialer\sgtlpcph.exe"="C:\Program Files\MESfone Dialer\sgtlpcph.exe:*:Disabled:msptfone Module"

"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"

"G:\inbjbn.pif"="G:\inbjbn.pif:*:Enabled:ipsec"

"C:\WINDOWS\Explorer.EXE"="C:\WINDOWS\Explorer.EXE:*:Enabled:ipsec"

"C:\Program Files\Nero\Nero 7\Nero StartSmart\NeroStartSmart.exe"="C:\Program Files\Nero\Nero 7\Nero StartSmart\NeroStartSmart.exe:*:Enabled:ipsec"

"C:\Program Files\CCleaner\ccleaner.exe"="C:\Program Files\CCleaner\ccleaner.exe:*:Enabled:ipsec"

"D:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe"="D:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe:*:Enabled:ipsec"

"C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe:*:Enabled:ipsec"

"G:\jnnuil.pif"="G:\jnnuil.pif:*:Enabled:ipsec"

"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winimhb.exe"="C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winimhb.exe:*:Enabled:ipsec"

"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\rufjmw.exe"="C:\DOCUME~1\Ahmed\LOCALS~1\Temp\rufjmw.exe:*:Enabled:ipsec"

"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winptrkul.exe"="C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winptrkul.exe:*:Enabled:ipsec"

"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winebusjq.exe"="C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winebusjq.exe:*:Enabled:ipsec"

"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winjesbwu.exe"="C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winjesbwu.exe:*:Enabled:ipsec"

"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\nheqf.exe"="C:\DOCUME~1\Ahmed\LOCALS~1\Temp\nheqf.exe:*:Enabled:ipsec"

"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\mgjx.exe"="C:\DOCUME~1\Ahmed\LOCALS~1\Temp\mgjx.exe:*:Enabled:ipsec"

"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winehvl.exe"="C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winehvl.exe:*:Enabled:ipsec"

"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\oasbv.exe"="C:\DOCUME~1\Ahmed\LOCALS~1\Temp\oasbv.exe:*:Enabled:ipsec"

"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winlffyf.exe"="C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winlffyf.exe:*:Enabled:ipsec"

"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winmxkfko.exe"="C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winmxkfko.exe:*:Enabled:ipsec"

"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\ljas.exe"="C:\DOCUME~1\Ahmed\LOCALS~1\Temp\ljas.exe:*:Enabled:ipsec"

"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winvtbg.exe"="C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winvtbg.exe:*:Enabled:ipsec"

"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\emxay.exe"="C:\DOCUME~1\Ahmed\LOCALS~1\Temp\emxay.exe:*:Enabled:ipsec"

"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\qpnppb.exe"="C:\DOCUME~1\Ahmed\LOCALS~1\Temp\qpnppb.exe:*:Enabled:ipsec"

"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\jxaxw.exe"="C:\DOCUME~1\Ahmed\LOCALS~1\Temp\jxaxw.exe:*:Enabled:ipsec"

"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winpish.exe"="C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winpish.exe:*:Enabled:ipsec"

"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winjuuj.exe"="C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winjuuj.exe:*:Enabled:ipsec"

"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winuqdamk.exe"="C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winuqdamk.exe:*:Enabled:ipsec"

"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\wngm.exe"="C:\DOCUME~1\Ahmed\LOCALS~1\Temp\wngm.exe:*:Enabled:ipsec"

"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\ghab.exe"="C:\DOCUME~1\Ahmed\LOCALS~1\Temp\ghab.exe:*:Enabled:ipsec"

"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winvucfcy.exe"="C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winvucfcy.exe:*:Enabled:ipsec"

"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winxisbb.exe"="C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winxisbb.exe:*:Enabled:ipsec"

"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\nusuou.exe"="C:\DOCUME~1\Ahmed\LOCALS~1\Temp\nusuou.exe:*:Enabled:ipsec"

"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\sifjqp.exe"="C:\DOCUME~1\Ahmed\LOCALS~1\Temp\sifjqp.exe:*:Enabled:ipsec"

"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\solpmm.exe"="C:\DOCUME~1\Ahmed\LOCALS~1\Temp\solpmm.exe:*:Enabled:ipsec"

"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winkhmlgh.exe"="C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winkhmlgh.exe:*:Enabled:ipsec"

"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\vtvb.exe"="C:\DOCUME~1\Ahmed\LOCALS~1\Temp\vtvb.exe:*:Enabled:ipsec"

"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\donbtp.exe"="C:\DOCUME~1\Ahmed\LOCALS~1\Temp\donbtp.exe:*:Enabled:ipsec"

"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winrkkq.exe"="C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winrkkq.exe:*:Enabled:ipsec"

"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\xsubf.exe"="C:\DOCUME~1\Ahmed\LOCALS~1\Temp\xsubf.exe:*:Enabled:ipsec"

"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winaouyb.exe"="C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winaouyb.exe:*:Enabled:ipsec"

"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\untla.exe"="C:\DOCUME~1\Ahmed\LOCALS~1\Temp\untla.exe:*:Enabled:ipsec"

"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\oham.exe"="C:\DOCUME~1\Ahmed\LOCALS~1\Temp\oham.exe:*:Enabled:ipsec"

"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winnjwfyc.exe"="C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winnjwfyc.exe:*:Enabled:ipsec"

"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winaqukrj.exe"="C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winaqukrj.exe:*:Enabled:ipsec"

"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\munony.exe"="C:\DOCUME~1\Ahmed\LOCALS~1\Temp\munony.exe:*:Enabled:ipsec"

"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\oifkrs.exe"="C:\DOCUME~1\Ahmed\LOCALS~1\Temp\oifkrs.exe:*:Enabled:ipsec"

"C:\WINDOWS\system32\MSTMON_N.EXE"="C:\WINDOWS\system32\MSTMON_N.EXE:*:Enabled:ipsec"

"G:\peig.exe"="G:\peig.exe:*:Enabled:ipsec"

"C:\EmergencyUtils\Copy_of_MSConfig.exe"="C:\EmergencyUtils\Copy_of_MSConfig.exe:*:Enabled:ipsec"

"C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe:*:Enabled:ipsec"

"C:\Program Files\D-Link\DSL-210\CnxDslTb.exe"="C:\Program Files\D-Link\DSL-210\CnxDslTb.exe:*:Enabled:ipsec"

"C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe:*:Enabled:ipsec"

"C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe"="C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe:*:Enabled:ipsec"

"C:\WINDOWS\TEMP\okxr.exe"="C:\WINDOWS\TEMP\okxr.exe:*:Enabled:ipsec"

"C:\WINDOWS\TEMP\winmkosm.exe"="C:\WINDOWS\TEMP\winmkosm.exe:*:Enabled:ipsec"

"C:\WINDOWS\TEMP\yugfs.exe"="C:\WINDOWS\TEMP\yugfs.exe:*:Enabled:ipsec"

"C:\WINDOWS\TEMP\winllumow.exe"="C:\WINDOWS\TEMP\winllumow.exe:*:Enabled:ipsec"

"C:\WINDOWS\TEMP\xngem.exe"="C:\WINDOWS\TEMP\xngem.exe:*:Enabled:ipsec"

"C:\WINDOWS\TEMP\wintbtiim.exe"="C:\WINDOWS\TEMP\wintbtiim.exe:*:Enabled:ipsec"

"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winxuqfr.exe"="C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winxuqfr.exe:*:Enabled:ipsec"

"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\fhmxgh.exe"="C:\DOCUME~1\Ahmed\LOCALS~1\Temp\fhmxgh.exe:*:Enabled:ipsec"

"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winabxjdx.exe"="C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winabxjdx.exe:*:Enabled:ipsec"

"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\icymt.exe"="C:\DOCUME~1\Ahmed\LOCALS~1\Temp\icymt.exe:*:Enabled:ipsec"

"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winmsrvs.exe"="C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winmsrvs.exe:*:Enabled:ipsec"

"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"="C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe:*:Enabled:ipsec"

"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winoradjt.exe"="C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winoradjt.exe:*:Enabled:ipsec"

"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\wincvdmwp.exe"="C:\DOCUME~1\Ahmed\LOCALS~1\Temp\wincvdmwp.exe:*:Enabled:ipsec"

"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\windqcx.exe"="C:\DOCUME~1\Ahmed\LOCALS~1\Temp\windqcx.exe:*:Enabled:ipsec"

"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\wppi.exe"="C:\DOCUME~1\Ahmed\LOCALS~1\Temp\wppi.exe:*:Enabled:ipsec"

"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\curly.exe"="C:\DOCUME~1\Ahmed\LOCALS~1\Temp\curly.exe:*:Enabled:ipsec"

"C:\Program Files\Internet Explorer\IEXPLORE.EXE"="C:\Program Files\Internet Explorer\IEXPLORE.EXE:*:Enabled:ipsec"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cda16d90-925e-11da-8a73-b21743fdc8a4}]

shell\auToPlaY\command - G:\inbjbn.pif

shell\AutoRun\command - G:\inbjbn.pif

shell\EXplOre\command - G:\inbjbn.pif

shell\OPeN\command - G:\inbjbn.pif

======List of files/folders created in the last 1 months======

2009-01-05 15:42:44 ----D---- C:\rsit

2009-01-04 02:10:03 ----A---- C:\WINDOWS\system32\javaws.exe

2009-01-04 02:10:03 ----A---- C:\WINDOWS\system32\javaw.exe

2009-01-04 02:10:03 ----A---- C:\WINDOWS\system32\java.exe

2009-01-04 02:10:03 ----A---- C:\WINDOWS\system32\deploytk.dll

2009-01-04 01:25:55 ----D---- C:\_OTMoveIt

2009-01-04 00:18:39 ----A---- C:\WINDOWS\ntbtlog.txt

2009-01-03 23:20:33 ----A---- C:\FindyKill.txt

2009-01-03 03:12:05 ----D---- C:\Program Files\sality_regkeys

2009-01-03 03:01:13 ----D---- C:\Program Files\sality_off

2009-01-02 22:51:07 ----D---- C:\Documents and Settings\Ahmed\Application Data\Malwarebytes

2009-01-02 22:50:58 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes

2009-01-02 22:50:57 ----D---- C:\Program Files\Malwarebytes' Anti-Malware

2009-01-02 22:31:52 ----D---- C:\Program Files\Trend Micro

2009-01-02 13:02:49 ----HD---- C:\WINDOWS\$NtUninstallKB955839$

2009-01-02 13:01:46 ----HD---- C:\WINDOWS\$NtUninstallKB956841$

2009-01-02 13:01:29 ----HD---- C:\WINDOWS\$NtUninstallKB957097$

2009-01-02 13:01:15 ----HD---- C:\WINDOWS\$NtUninstallKB954600$

2009-01-02 13:00:57 ----HD---- C:\WINDOWS\$NtUninstallKB955069$

2009-01-02 13:00:43 ----A---- C:\WINDOWS\imsins.BAK

2009-01-02 13:00:35 ----HD---- C:\WINDOWS\$NtUninstallKB956802$

2009-01-02 00:59:54 ----RASH---- C:\boot.ini

2009-01-01 22:44:54 ----D---- C:\EmergencyUtils

======List of files/folders modified in the last 1 months======

2009-01-05 11:49:32 ----A---- C:\WINDOWS\SchedLog.Txt

2009-01-05 11:49:06 ----A---- C:\WINDOWS\win.ini

2009-01-05 11:49:06 ----A---- C:\WINDOWS\system.ini

2009-01-03 23:23:12 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI

2009-01-03 02:42:44 ----A---- C:\WINDOWS\system32\ZSHP1018.EXE

2009-01-03 02:42:40 ----A---- C:\WINDOWS\system32\SpoonUninstall.exe

2009-01-03 02:42:40 ----A---- C:\WINDOWS\system32\MUINST_N.EXE

2009-01-03 02:42:06 ----A---- C:\WINDOWS\iun6002ev.exe

2009-01-03 02:42:06 ----A---- C:\WINDOWS\IsUn040c.exe

2009-01-03 02:42:04 ----A---- C:\WINDOWS\CDPLAYER.EXE

2009-01-03 02:42:00 ----A---- C:\WINDOWS\system32\MSTMON_N.EXE

2009-01-02 18:06:06 ----A---- C:\WINDOWS\NeroDigital.ini

2008-12-28 01:34:20 ----A---- C:\WINDOWS\PhotoSnapViewer.INI

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdK7;AMD K7 Processor Driver; C:\WINDOWS\system32\DRIVERS\amdk7.sys [2004-08-04 37376]

R1 avgio;avgio; \??\C:\Program Files\AntiVir PersonalEdition Classic\avgio.sys []

R1 avipbb;avipbb; C:\WINDOWS\system32\DRIVERS\avipbb.sys [2008-04-30 79424]

R1 ssmdrv;ssmdrv; C:\WINDOWS\system32\DRIVERS\ssmdrv.sys [2007-03-01 28352]

R2 ANIO;ANIO Service; \??\C:\WINDOWS\system32\ANIO.SYS []

R2 ElbyCDIO;ElbyCDIO Driver; C:\WINDOWS\System32\Drivers\ElbyCDIO.sys [2006-04-22 8064]

R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2004-08-03 11868]

R2 MLPTDR_N;MLPTDR_N; \??\C:\WINDOWS\system32\MLPTDR_N.SYS []

R3 atimpab;atimpab; C:\WINDOWS\system32\DRIVERS\atimpab.sys [2001-08-17 289664]

R3 CB102;Linksys EtherFast Integrated 10/100 CardBus PC Card(PCM200); C:\WINDOWS\system32\DRIVERS\cb102.sys [2001-09-14 42752]

R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2004-08-03 14080]

R3 ElbyCDFL;ElbyCDFL; C:\WINDOWS\System32\Drivers\ElbyCDFL.sys [2005-05-03 27392]

R3 ElbyDelay;ElbyDelay; C:\WINDOWS\System32\Drivers\ElbyDelay.sys [2005-04-12 4608]

R3 HSF_DP;HSF_DP; C:\WINDOWS\system32\DRIVERS\HSFDPSP2.sys [2004-08-03 1041536]

R3 HSFHWBS2;HSFHWBS2; C:\WINDOWS\system32\DRIVERS\HSFBS2S2.sys [2004-08-03 220032]

R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-04 57600]

R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]

R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-04 20480]

R3 VIAudio;VIA AC'97 Audio Controller (WDM); C:\WINDOWS\system32\drivers\ac97via.sys [2004-08-03 84480]

R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSFCXTS2.sys [2004-08-03 685056]

S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB); C:\WINDOWS\system32\DRIVERS\A3AB.sys [2005-03-22 450400]

S3 abp470n5;abp470n5; \??\C:\WINDOWS\system32\drivers\jgqkkm.sys []

S3 avgntflt;avgntflt; \??\C:\Program Files\AntiVir PersonalEdition Classic\avgntflt.sys []

S3 CnxEtP;Conexant AccessRunner USB ADSL WAN Adapter Filter Driver; C:\WINDOWS\system32\DRIVERS\CnxEtP.sys [2003-09-12 60288]

S3 CnxEtU;Conexant AccessRunner USB ADSL Interface Device Driver; C:\WINDOWS\system32\DRIVERS\CnxEtU.sys [2003-09-12 646784]

S3 CnxTgN;Conexant AccessRunner USB ADSL WAN Adapter Driver; C:\WINDOWS\system32\DRIVERS\CnxTgN.sys [2003-10-29 108675]

S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]

S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]

S3 Ser2pl;IndianZZ2 Serial port driver; C:\WINDOWS\system32\DRIVERS\ser2pl.sys [2003-12-01 43136]

S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2004-08-03 59264]

S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 31616]

S3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-03 26624]

S3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2004-08-03 17024]

S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 25856]

S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]

S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]

S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]

S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

S4 sr;System Restore Filter Driver; C:\WINDOWS\system32\DRIVERS\sr.sys [2004-08-04 73472]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 ANIWZCSdService;ANIWZCSd Service; C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe [2009-01-03 49152]

R2 AntiVirScheduler;AntiVir PersonalEdition Classic Scheduler; C:\Program Files\AntiVir PersonalEdition Classic\sched.exe [2008-04-30 68865]

R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\atievxx.exe [2001-08-17 37376]

R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-01-04 152984]

S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-15 32768]

S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2009-01-03 913408]

S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]

-----------------EOF-----------------

info.txt logfile of random's system information tool 1.05 2009-01-05 15:42:58

======Uninstall list======

-->"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /UNINSTALL /PROMPT

-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf

Adobe Flash Player 9 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete

Adobe Reader 7.0.9-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}

AirPlus XtremeG-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\10\INTEL3~1\IDriver.exe /M{79B92240-9C65-4DD7-B1AD-59910D2C1353} /l1033

ANIO Service-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7B5CE976-C7A9-4E38-A7F3-6C8EF025DD8E}\Setup.exe"

ANIWZCS2 Service-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4C590030-7469-453E-8589-D15DA9D03F52}\Setup.exe"

Avira AntiVir Personal – Free Antivirus-->C:\Program Files\AntiVir PersonalEdition Classic\SETUP.EXE /REMOVE

CCleaner (remove only)-->"C:\Program Files\CCleaner\uninst.exe"

CloneCD-->"D:\Program Files\SlySoft\CloneCD\ccd-uninst.exe" /D="D:\Program Files\SlySoft\CloneCD"

D-Link DSL-210 USB ADSL WAN Adapter-->C:\Program Files\D-Link\DSL-210 Wizard\Setup.exe -u

eMule-->"D:\Program Files\eMule\Uninstall.exe"

Exact Audio Copy 0.95b3-->D:\Program Files\Exact Audio Copy\uninst.exe

Extreme Chess-->E:\Extreme\uninst.exe

FindyKill-->C:\Program Files\FindyKill\Uninstal.exe

HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall

Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"

Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"

Hotfix for Windows XP (KB926239)-->"C:\WINDOWS\$NtUninstallKB926239$\spuninst\spuninst.exe"

Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"

InFlac 1.1.1-->"D:\Program Files\Winamp\InFlac-Uninstall.exe"

Java 6 Update 11-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216011FF}

Java 6 Update 3-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}

Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"

Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"

Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}

Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}

Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"

Microsoft Office XP Professional with FrontPage-->MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}

Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"

QuickTime for Windows (32-bit)-->C:\WINDOWS\QTW32DEL.EXE

RTCUpdate-->MsiExec.exe /I{06D5B2E1-BB2D-4B77-A40E-A12D8E2FBC36}

Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"

Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"

Security Update for Windows Media Player 6.4 (KB925398)-->"C:\WINDOWS\$NtUninstallKB925398_WMP64$\spuninst\spuninst.exe"

Security Update for Windows XP (KB918118)-->"C:\WINDOWS\$NtUninstallKB918118$\spuninst\spuninst.exe"

Security Update for Windows XP (KB920213)-->"C:\WINDOWS\$NtUninstallKB920213$\spuninst\spuninst.exe"

Security Update for Windows XP (KB921503)-->"C:\WINDOWS\$NtUninstallKB921503$\spuninst\spuninst.exe"

Security Update for Windows XP (KB922760)-->"C:\WINDOWS\$NtUninstallKB922760$\spuninst\spuninst.exe"

Security Update for Windows XP (KB923689)-->"C:\WINDOWS\$NtUninstallKB923689$\spuninst\spuninst.exe"

Security Update for Windows XP (KB923694)-->"C:\WINDOWS\$NtUninstallKB923694$\spuninst\spuninst.exe"

Security Update for Windows XP (KB923980)-->"C:\WINDOWS\$NtUninstallKB923980$\spuninst\spuninst.exe"

Security Update for Windows XP (KB924270)-->"C:\WINDOWS\$NtUninstallKB924270$\spuninst\spuninst.exe"

Security Update for Windows XP (KB924667)-->"C:\WINDOWS\$NtUninstallKB924667$\spuninst\spuninst.exe"

Security Update for Windows XP (KB925454)-->"C:\WINDOWS\$NtUninstallKB925454$\spuninst\spuninst.exe"

Security Update for Windows XP (KB925902)-->"C:\WINDOWS\$NtUninstallKB925902$\spuninst\spuninst.exe"

Security Update for Windows XP (KB926255)-->"C:\WINDOWS\$NtUninstallKB926255$\spuninst\spuninst.exe"

Security Update for Windows XP (KB926436)-->"C:\WINDOWS\$NtUninstallKB926436$\spuninst\spuninst.exe"

Security Update for Windows XP (KB927779)-->"C:\WINDOWS\$NtUninstallKB927779$\spuninst\spuninst.exe"

Security Update for Windows XP (KB927802)-->"C:\WINDOWS\$NtUninstallKB927802$\spuninst\spuninst.exe"

Security Update for Windows XP (KB928090)-->"C:\WINDOWS\$NtUninstallKB928090$\spuninst\spuninst.exe"

Security Update for Windows XP (KB928255)-->"C:\WINDOWS\$NtUninstallKB928255$\spuninst\spuninst.exe"

Security Update for Windows XP (KB928843)-->"C:\WINDOWS\$NtUninstallKB928843$\spuninst\spuninst.exe"

Security Update for Windows XP (KB929123)-->"C:\WINDOWS\$NtUninstallKB929123$\spuninst\spuninst.exe"

Security Update for Windows XP (KB929969)-->"C:\WINDOWS\$NtUninstallKB929969$\spuninst\spuninst.exe"

Security Update for Windows XP (KB930178)-->"C:\WINDOWS\$NtUninstallKB930178$\spuninst\spuninst.exe"

Security Update for Windows XP (KB931261)-->"C:\WINDOWS\$NtUninstallKB931261$\spuninst\spuninst.exe"

Security Update for Windows XP (KB931768)-->"C:\WINDOWS\$NtUninstallKB931768$\spuninst\spuninst.exe"

Security Update for Windows XP (KB931784)-->"C:\WINDOWS\$NtUninstallKB931784$\spuninst\spuninst.exe"

Security Update for Windows XP (KB932168)-->"C:\WINDOWS\$NtUninstallKB932168$\spuninst\spuninst.exe"

Security Update for Windows XP (KB933566)-->"C:\WINDOWS\$NtUninstallKB933566$\spuninst\spuninst.exe"

Security Update for Windows XP (KB933729)-->"C:\WINDOWS\$NtUninstallKB933729$\spuninst\spuninst.exe"

Security Update for Windows XP (KB935839)-->"C:\WINDOWS\$NtUninstallKB935839$\spuninst\spuninst.exe"

Security Update for Windows XP (KB935840)-->"C:\WINDOWS\$NtUninstallKB935840$\spuninst\spuninst.exe"

Security Update for Windows XP (KB936021)-->"C:\WINDOWS\$NtUninstallKB936021$\spuninst\spuninst.exe"

Security Update for Windows XP (KB937143)-->"C:\WINDOWS\$NtUninstallKB937143$\spuninst\spuninst.exe"

Security Update for Windows XP (KB937894)-->"C:\WINDOWS\$NtUninstallKB937894$\spuninst\spuninst.exe"

Security Update for Windows XP (KB938127)-->"C:\WINDOWS\$NtUninstallKB938127$\spuninst\spuninst.exe"

Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"

Security Update for Windows XP (KB938829)-->"C:\WINDOWS\$NtUninstallKB938829$\spuninst\spuninst.exe"

Security Update for Windows XP (KB939653)-->"C:\WINDOWS\$NtUninstallKB939653$\spuninst\spuninst.exe"

Security Update for Windows XP (KB941202)-->"C:\WINDOWS\$NtUninstallKB941202$\spuninst\spuninst.exe"

Security Update for Windows XP (KB941568)-->"C:\WINDOWS\$NtUninstallKB941568$\spuninst\spuninst.exe"

Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"

Security Update for Windows XP (KB941644)-->"C:\WINDOWS\$NtUninstallKB941644$\spuninst\spuninst.exe"

Security Update for Windows XP (KB941693)-->"C:\WINDOWS\$NtUninstallKB941693$\spuninst\spuninst.exe"

Security Update for Windows XP (KB942615)-->"C:\WINDOWS\$NtUninstallKB942615$\spuninst\spuninst.exe"

Security Update for Windows XP (KB943055)-->"C:\WINDOWS\$NtUninstallKB943055$\spuninst\spuninst.exe"

Security Update for Windows XP (KB943460)-->"C:\WINDOWS\$NtUninstallKB943460$\spuninst\spuninst.exe"

Security Update for Windows XP (KB943485)-->"C:\WINDOWS\$NtUninstallKB943485$\spuninst\spuninst.exe"

Security Update for Windows XP (KB944338)-->"C:\WINDOWS\$NtUninstallKB944338$\spuninst\spuninst.exe"

Security Update for Windows XP (KB944533)-->"C:\WINDOWS\$NtUninstallKB944533$\spuninst\spuninst.exe"

Security Update for Windows XP (KB944653)-->"C:\WINDOWS\$NtUninstallKB944653$\spuninst\spuninst.exe"

Security Update for Windows XP (KB945553)-->"C:\WINDOWS\$NtUninstallKB945553$\spuninst\spuninst.exe"

Security Update for Windows XP (KB946026)-->"C:\WINDOWS\$NtUninstallKB946026$\spuninst\spuninst.exe"

Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"

Security Update for Windows XP (KB947864)-->"C:\WINDOWS\$NtUninstallKB947864$\spuninst\spuninst.exe"

Security Update for Windows XP (KB948590)-->"C:\WINDOWS\$NtUninstallKB948590$\spuninst\spuninst.exe"

Security Update for Windows XP (KB948881)-->"C:\WINDOWS\$NtUninstallKB948881$\spuninst\spuninst.exe"

Security Update for Windows XP (KB950749)-->"C:\WINDOWS\$NtUninstallKB950749$\spuninst\spuninst.exe"

Security Update for Windows XP (KB950759)-->"C:\WINDOWS\$NtUninstallKB950759$\spuninst\spuninst.exe"

Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"

Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"

Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"

Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"

Security Update for Windows XP (KB951376)-->"C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"

Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"

Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"

Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"

Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"

Security Update for Windows XP (KB953838)-->"C:\WINDOWS\$NtUninstallKB953838$\spuninst\spuninst.exe"

Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"

Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"

Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"

Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"

Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"

Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"

Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"

Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"

Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"

Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"

Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"

STOIK Video Converter 2-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A8DF8593-F619-47DE-AD27-BCABF233433A}\setup.exe" -l0x9 -removeonly

Update for Windows XP (KB927891)-->"C:\WINDOWS\$NtUninstallKB927891$\spuninst\spuninst.exe"

Update for Windows XP (KB929338)-->"C:\WINDOWS\$NtUninstallKB929338$\spuninst\spuninst.exe"

Update for Windows XP (KB930916)-->"C:\WINDOWS\$NtUninstallKB930916$\spuninst\spuninst.exe"

Update for Windows XP (KB931836)-->"C:\WINDOWS\$NtUninstallKB931836$\spuninst\spuninst.exe"

Update for Windows XP (KB933360)-->"C:\WINDOWS\$NtUninstallKB933360$\spuninst\spuninst.exe"

Update for Windows XP (KB938828)-->"C:\WINDOWS\$NtUninstallKB938828$\spuninst\spuninst.exe"

Update for Windows XP (KB942763)-->"C:\WINDOWS\$NtUninstallKB942763$\spuninst\spuninst.exe"

Update for Windows XP (KB942840)-->"C:\WINDOWS\$NtUninstallKB942840$\spuninst\spuninst.exe"

Update for Windows XP (KB946627)-->"C:\WINDOWS\$NtUninstallKB946627$\spuninst\spuninst.exe"

Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"

Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"

VirtualCloneDrive-->"D:\Program Files\Elaborate Bytes\VirtualCloneDrive\vcd-uninst.exe" /D="D:\Program Files\Elaborate Bytes\VirtualCloneDrive"

Winamp (remove only)-->"D:\Program Files\Winamp\UninstWA.exe"

Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll

Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"

Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall

Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"

WinRAR archiver-->D:\Program Files\WinRAR\uninstall.exe

======Hosts File======

127.0.0.1 www.007guard.com

127.0.0.1 007guard.com

127.0.0.1 008i.com

127.0.0.1 www.008k.com

127.0.0.1 008k.com

127.0.0.1 www.00hq.com

127.0.0.1 00hq.com

127.0.0.1 010402.com

127.0.0.1 www.032439.com

127.0.0.1 032439.com

======Security center information======

AV: Avira AntiVir PersonalEdition (disabled) (outdated)

System event log

Computer Name: AA

Event Code: 7

Message: The device, \Device\CdRom0, has a bad block.

Record Number: 15893

Source Name: Cdrom

Time Written: 20081228165119.000000+120

Event Type: error

User:

Computer Name: AA

Event Code: 7

Message: The device, \Device\CdRom0, has a bad block.

Record Number: 15892

Source Name: Cdrom

Time Written: 20081228165106.000000+120

Event Type: error

User:

Computer Name: AA

Event Code: 7

Message: The device, \Device\CdRom0, has a bad block.

Record Number: 15891

Source Name: Cdrom

Time Written: 20081228165106.000000+120

Event Type: error

User:

Computer Name: AA

Event Code: 7

Message: The device, \Device\CdRom0, has a bad block.

Record Number: 15890

Source Name: Cdrom

Time Written: 20081228165105.000000+120

Event Type: error

User:

Computer Name: AA

Event Code: 7

Message: The device, \Device\CdRom0, has a bad block.

Record Number: 15889

Source Name: Cdrom

Time Written: 20081228165105.000000+120

Event Type: error

User:

Application event log

Computer Name: AA

Event Code: 1517

Message: Windows saved user AA\Ahmed registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.

This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 5

Source Name: Userenv

Time Written: 20070121170231.000000+120

Event Type: warning

User: NT AUTHORITY\SYSTEM

Computer Name: AA

Event Code: 1800

Message: The Windows Security Center Service has started.

Record Number: 4

Source Name: SecurityCenter

Time Written: 20070120113616.000000+120

Event Type: information

User:

Computer Name: AA

Event Code: 5000

Message:

Record Number: 3

Source Name: McLogEvent

Time Written: 20070120113605.000000+120

Event Type: information

User: NT AUTHORITY\SYSTEM

Computer Name: AA

Event Code: 1001

Message: Checking file system on D:

The type of the file system is FAT32.

One of your disks needs to be checked for consistency. You

may cancel the disk check, but it is strongly recommended

that you continue.

Windows will now check the disk.

Volume Serial Number is 64D7-666F

14291872 KB total disk space.

1497984 KB in 126 hidden files.

8176 KB in 869 folders.

10516192 KB in 13569 files.

2269512 KB are available.

8192 bytes in each allocation unit.

1786484 total allocation units on disk.

283689 allocation units available on disk.

Record Number: 2

Source Name: Winlogon

Time Written: 20070120113542.000000+120

Event Type: information

User:

Computer Name: AA

Event Code: 1001

Message: Checking file system on C:

The type of the file system is FAT32.

One of your disks needs to be checked for consistency. You

may cancel the disk check, but it is strongly recommended

that you continue.

Windows will now check the disk.

Volume Serial Number is 1DD1-1F80

\Documents and Settings\Ahmed\Application Data\Real\rnadmin\rnsystem.dat first allocation unit is not valid. The entry will be truncated.

\WINDOWS\Prefetch\KPF4GUI.EXE-00F42A12.pf first allocation unit is not valid. The entry will be truncated.

\WINDOWS\Prefetch\LOGONUI.EXE-0AF22957.pf first allocation unit is not valid. The entry will be truncated.

\WINDOWS\Prefetch\OASCLNT.EXE-3B482479.pf first allocation unit is not valid. The entry will be truncated.

Convert lost chains to files (Y/N)? Yes

120 KB in 4 recovered files.

Windows has made corrections to the file system.

5210896 KB total disk space.

847264 KB in 621 hidden files.

9472 KB in 2111 folders.

3618056 KB in 26644 files.

736100 KB are available.

4096 bytes in each allocation unit.

1302724 total allocation units on disk.

184025 allocation units available on disk.

Record Number: 1

Source Name: Winlogon

Time Written: 20070120113542.000000+120

Event Type: information

User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe

"Path"=%SYSTEMROOT%\system32;%SYSTEMROOT%;%SYSTEMROOT%\system32\WBEM

"windir"=C:\WINDOWS

"FP_NO_HOST_CHECK"=NO

"OS"=Windows_NT

"PROCESSOR_ARCHITECTURE"=x86

"PROCESSOR_LEVEL"=6

"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 6 Stepping 1, AuthenticAMD

"PROCESSOR_REVISION"=0601

"NUMBER_OF_PROCESSORS"=1

"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH

"TEMP"=C:\WINDOWS\TEMP

"TMP"=C:\WINDOWS\TEMP

"PROMPT"=$p$g

"winbootdir"=C:\WINDOWS

-----------------EOF-----------------

Thanos · le 5 janvier 2009

salut

croquis, j'aimerai que tu retentes d'utiliser l'Uninstallation package d'Antivir comme ceci >

-Elimine celui qui est sur ton Bureau et télécharge le de nouveau.

-Télécharge aussi Avira AntiVir RegistryCleaner et dézippe le sur le Bureau.

-Redémarre le pc en mode sans échec (puisqu'il fonctionne )

Utilise les deux fichiers téléchargés.

Après ca, redémarre le pc et >>

1°) Branche tous les supports amovibles que tu possèdes avant de faire les scans suivants (clé usb/disque dur externe etc)

Fais un double clic sur OTMoveIt3.com pour lancer l'exécution de l'outil.

Copie les lignes de la zone "Code" ci-dessous dans le Presse-papiers en les sélectionnant toutes puis en appuyant simultanément sur les touches CTRL et C (ou, après les avoir sélectionnées, en faisant un clic droit puis en choisissant Copier):

:reg
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"AVSetup"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Ahmed^Start Menu^Programs^Startup^Sality_off.exe-m.lnk]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"G:\inbjbn.pif"=-
"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winimhb.exe"=-
"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\rufjmw.exe"=-
"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winptrkul.exe"=-
"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winebusjq.exe"=-
"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winjesbwu.exe"=-
"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\nheqf.exe"=-
"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\mgjx.exe"=-
"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winehvl.exe"=-
"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\oasbv.exe"=-
"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winlffyf.exe"=-
"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winmxkfko.exe"=-
"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\ljas.exe"=-
"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winvtbg.exe"=-
"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\emxay.exe"=-
"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\qpnppb.exe"=-
"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\jxaxw.exe"=-
"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winpish.exe"=-
"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winjuuj.exe"=-
"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winuqdamk.exe"=-
"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\wngm.exe"=-
"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\ghab.exe"=-
"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winvucfcy.exe"=-
"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winxisbb.exe"=-
"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\nusuou.exe"=-
"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\sifjqp.exe"=-
"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\solpmm.exe"=-
"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winkhmlgh.exe"=-
"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\vtvb.exe"=-
"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\donbtp.exe"=-
"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winrkkq.exe"=-
"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\xsubf.exe"=-
"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winaouyb.exe"=-
"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\untla.exe"=-
"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\oham.exe"=-
"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winnjwfyc.exe"=-
"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winaqukrj.exe"=-
"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\munony.exe"=-
"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\oifkrs.exe"=-
"G:\peig.exe"=-
"C:\WINDOWS\TEMP\okxr.exe"=-
"C:\WINDOWS\TEMP\winmkosm.exe"=-
"C:\WINDOWS\TEMP\yugfs.exe"=-
"C:\WINDOWS\TEMP\winllumow.exe"=-
"C:\WINDOWS\TEMP\xngem.exe"=-
"C:\WINDOWS\TEMP\wintbtiim.exe"=-
"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winxuqfr.exe"=-
"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\fhmxgh.exe"=-
"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winabxjdx.exe"=-
"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\icymt.exe"=-
"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winmsrvs.exe"=-
"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winoradjt.exe"=-
"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\wincvdmwp.exe"=-
"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\windqcx.exe"=-
"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\wppi.exe"=-
"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\curly.exe"=
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cda16d90-925e-11da-8a73-b21743fdc8a4}]

:files
C:\Program Files\sality_regkeys
C:\Program Files\sality_off
G:\inbjbn.pif
G:\peig.exe

:commands
[emptytemp]

Retourne dans la fenêtre de OTMoveIt3, fais un clic droit dans la zone de gauche intitulée "Paste Instructions for Items to be Moved" (sous la barre jaune) puis choisir Coller.
Clique sur le bouton rouge Moveit!.
Ferme OTMoveIt3
Poste dans ta prochaine réponse le rapport de OTMoveIt3 (contenu du fichier C:\_OTMoveIt\MovedFiles\********_******.log - les *** sont des chiffres représentant la date [moisjourannée] et l'heure)

Note: Si un fichier ou un dossier ne peut pas être déplacé immédiatement, un redémarrage sera peut-être nécessaire pour permettre de terminer le processus de déplacement. Si le redémarrage de la machine vous est demandé, choisir Oui/Yes.

2°) Lance Malwarebytes

Dans l'onglet "Mise à jour", clique sur le bouton "Recherche de mise à jour": si le pare-feu demande l'autorisation à MBAM de se connecter, accepte.
Une fois la mise à jour terminée, rends-toi dans l'onglet "Recherche".
Sélectionne "Exécuter un examen complêt"
Clique sur "Rechercher"
L'analyse démarre, le scan est relativement long, c'est normal.
A la fin de l'analyse, un message s'affiche :
L'examen s'est terminé normalement. Clique sur 'Afficher les résultats' pour afficher tous les objets trouvés.
Clique sur "Ok" pour poursuivre. Si MBAM n'a rien trouvé, il te le dira aussi.
Ferme tes navigateurs.
Si des malwares ont été détectés, clique sur Afficher les résultats.
Sélectionne tout (ou laisse coché) et clique sur Supprimer la sélection, MBAM va détruire les fichiers et clés de registre et en mettre une copie dans la quarantaine.
MBAM va ouvrir le Bloc-notes et y copier le rapport d'analyse. Copie-colle ce rapport et poste-le dans ta prochaine réponse.

Tente de réinstaller Antivir et dis moi ce que ca donne.

Poste les deux rapports demandés stp

Modifié le 5 janvier 2009 par Thanos

croquis · le 6 janvier 2009

Bonsoir Thanos

Ca y est je crois qu'on apercoit tout doucement le bout du tunnel..!

Je te poste donc dans l'ordre le rapport de MovIt3 et de Malwarebytes.

Je vais a l'instant reessayer d'installer Antivir. Je te tiens au courant.

A+ et merci encore de ton temps

Croquis

========== REGISTRY ==========

Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\SpybotSD TeaTimer deleted successfully.

Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\\AVSetup not found.

Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Ahmed^Start Menu^Programs^Startup^Sality_off.exe-m.lnk\\ deleted successfully.

Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\G:\inbjbn.pif deleted successfully.

Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winimhb.exe deleted successfully.

Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\C:\DOCUME~1\Ahmed\LOCALS~1\Temp\rufjmw.exe deleted successfully.

Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winptrkul.exe deleted successfully.

Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winebusjq.exe deleted successfully.

Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winjesbwu.exe deleted successfully.

Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\C:\DOCUME~1\Ahmed\LOCALS~1\Temp\nheqf.exe deleted successfully.

Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\C:\DOCUME~1\Ahmed\LOCALS~1\Temp\mgjx.exe deleted successfully.

Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winehvl.exe deleted successfully.

Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\C:\DOCUME~1\Ahmed\LOCALS~1\Temp\oasbv.exe deleted successfully.

Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winlffyf.exe deleted successfully.

Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winmxkfko.exe deleted successfully.

Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\C:\DOCUME~1\Ahmed\LOCALS~1\Temp\ljas.exe deleted successfully.

Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winvtbg.exe deleted successfully.

Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\C:\DOCUME~1\Ahmed\LOCALS~1\Temp\emxay.exe deleted successfully.

Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\C:\DOCUME~1\Ahmed\LOCALS~1\Temp\qpnppb.exe deleted successfully.

Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\C:\DOCUME~1\Ahmed\LOCALS~1\Temp\jxaxw.exe deleted successfully.

Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winpish.exe deleted successfully.

Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winjuuj.exe deleted successfully.

Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winuqdamk.exe deleted successfully.

Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\C:\DOCUME~1\Ahmed\LOCALS~1\Temp\wngm.exe deleted successfully.

Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\C:\DOCUME~1\Ahmed\LOCALS~1\Temp\ghab.exe deleted successfully.

Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winvucfcy.exe deleted successfully.

Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winxisbb.exe deleted successfully.

Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\C:\DOCUME~1\Ahmed\LOCALS~1\Temp\nusuou.exe deleted successfully.

Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\C:\DOCUME~1\Ahmed\LOCALS~1\Temp\sifjqp.exe deleted successfully.

Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\C:\DOCUME~1\Ahmed\LOCALS~1\Temp\solpmm.exe deleted successfully.

Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winkhmlgh.exe deleted successfully.

Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\C:\DOCUME~1\Ahmed\LOCALS~1\Temp\vtvb.exe deleted successfully.

Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\C:\DOCUME~1\Ahmed\LOCALS~1\Temp\donbtp.exe deleted successfully.

Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winrkkq.exe deleted successfully.

Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\C:\DOCUME~1\Ahmed\LOCALS~1\Temp\xsubf.exe deleted successfully.

Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winaouyb.exe deleted successfully.

Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\C:\DOCUME~1\Ahmed\LOCALS~1\Temp\untla.exe deleted successfully.

Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\C:\DOCUME~1\Ahmed\LOCALS~1\Temp\oham.exe deleted successfully.

Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winnjwfyc.exe deleted successfully.

Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winaqukrj.exe deleted successfully.

Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\C:\DOCUME~1\Ahmed\LOCALS~1\Temp\munony.exe deleted successfully.

Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\C:\DOCUME~1\Ahmed\LOCALS~1\Temp\oifkrs.exe deleted successfully.

Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\G:\peig.exe deleted successfully.

Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\C:\WINDOWS\TEMP\okxr.exe deleted successfully.

Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\C:\WINDOWS\TEMP\winmkosm.exe deleted successfully.

Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\C:\WINDOWS\TEMP\yugfs.exe deleted successfully.

Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\C:\WINDOWS\TEMP\winllumow.exe deleted successfully.

Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\C:\WINDOWS\TEMP\xngem.exe deleted successfully.

Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\C:\WINDOWS\TEMP\wintbtiim.exe deleted successfully.

Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winxuqfr.exe deleted successfully.

Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\C:\DOCUME~1\Ahmed\LOCALS~1\Temp\fhmxgh.exe deleted successfully.

Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winabxjdx.exe deleted successfully.

Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\C:\DOCUME~1\Ahmed\LOCALS~1\Temp\icymt.exe deleted successfully.

Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winmsrvs.exe deleted successfully.

Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\C:\DOCUME~1\Ahmed\LOCALS~1\Temp\winoradjt.exe deleted successfully.

Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\C:\DOCUME~1\Ahmed\LOCALS~1\Temp\wincvdmwp.exe deleted successfully.

Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\C:\DOCUME~1\Ahmed\LOCALS~1\Temp\windqcx.exe deleted successfully.

Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\C:\DOCUME~1\Ahmed\LOCALS~1\Temp\wppi.exe deleted successfully.

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\"C:\DOCUME~1\Ahmed\LOCALS~1\Temp\curly.exe"| /E : value set successfully!

Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cda16d90-925e-11da-8a73-b21743fdc8a4}\\ deleted successfully.

========== FILES ==========

C:\Program Files\sality_regkeys\Sality_RegKeys moved successfully.

C:\Program Files\sality_regkeys moved successfully.

C:\Program Files\sality_off moved successfully.

File/Folder G:\inbjbn.pif not found.

File/Folder G:\peig.exe not found.

========== COMMANDS ==========

User's Temp folder emptied.

User's Temporary Internet Files folder emptied.

User's Internet Explorer cache folder emptied.

Local Service Temp folder emptied.

File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.

Local Service Temporary Internet Files folder emptied.

File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_540.dat scheduled to be deleted on reboot.

Windows Temp folder emptied.

Java cache emptied.

Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.7.2 log created on 01062009_173820

Files moved on Reboot...

File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.

File C:\WINDOWS\temp\Perflib_Perfdata_540.dat not found!

-----------------------------------------------------------------------------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.32

Version de la base de données: 1624

Windows 5.1.2600 Service Pack 2

1/7/2009 12:57:26 AM

mbam-log-2009-01-07 (00-57-26).txt

Type de recherche: Examen complet (A:\|C:\|D:\|E:\|F:\|G:\|H:\|)

Eléments examinés: 82993

Temps écoulé: 1 hour(s), 54 minute(s), 37 second(s)

Processus mémoire infecté(s): 0

Module(s) mémoire infecté(s): 0

Clé(s) du Registre infectée(s): 0

Valeur(s) du Registre infectée(s): 0

Elément(s) de données du Registre infecté(s): 0

Dossier(s) infecté(s): 0

Fichier(s) infecté(s): 0

Processus mémoire infecté(s):