[resolu] mikolobe.dll, bakafe.dll ??? Help svp :-) ??

djjs · le 30 mars 2009

Bonjour a la communaute, je suis nouveau ici. Mon pc commence a bugger serieusement et j ai spotter plusieur virus grace a hijackthis (mikolobe, bakafe...) mais impossible de les virer, pouvez vous m aider svp ??

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 5:57:53 PM, on 3/29/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe

C:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe

C:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

C:\WINDOWS\system32\crypserv.exe

C:\WINDOWS\system32\DVDRAMSV.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Microsoft LifeCam\MSCamS32.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\svchost.exe

c:\TOSHIBA\IVP\swupdate\swupdtmr.exe

C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

C:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe

C:\Program Files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Toshiba\Tvs\TvsTray.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Spybot\TeaTimer.exe

C:\WINDOWS\system32\RAMASST.exe

C:\WINDOWS\system32\TPSBattM.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\System32\svchost.exe

C:\Documents and Settings\Jean-Sebastien\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Program Files\internet explorer\iexplore.exe

C:\Qoobox\HJT.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://online-search.c.la/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.fr/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: {d5b60bf7-a411-ca58-8134-6cc7d7ffb501} - {105bff7d-7cc6-4318-85ac-114a7fb06b5d} - C:\WINDOWS\system32\aoqqeo.dll

O2 - BHO: DWABrowserHlprObj Class - {2709D830-B643-4e72-9A1E-701CFFFCF30C} - C:\WINDOWS\system32\dwabho.dll

O2 - BHO: (no name) - {42e4ce7c-b1f7-4ec1-a212-ad60ee84a14e} - C:\WINDOWS\system32\mikolobe.dll

O2 - BHO: (no name) - {5108ecec-4b4c-48c4-8a34-6bd4846de956} - (no file)

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe

O4 - HKLM\..\Run: [TPSMain] TPSMain.exe

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot\TeaTimer.exe

O4 - HKUS\S-1-5-19\..\Run: [mogiluhehe] Rundll32.exe "C:\WINDOWS\system32\bafekefe.dll",s (User 'LOCAL SERVICE')

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll

O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart

O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (Lotus Quickr Class) - http://e.absparis.com/qp2.cab

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://webscanner.kaspersky.fr/kavwebscan_unicode.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by126fd.bay126.hotmail.msn.com/resources/MsnPUpld.cab

O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/OnlineScanner.cab

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/FR-FR/a-UNO1/GAME_UNO1.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - https://inside.sfsu.edu/mail04b/dwa7W.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: C:\WINDOWS\system32\zukepive.dll

O23 - Service: Avira AntiVir Premium MailGuard (AntiVirMailService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe

O23 - Service: Avira AntiVir Premium Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe

O23 - Service: Avira AntiVir Premium Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe

O23 - Service: Avira AntiVir Premium WebGuard (antivirwebservice) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE

O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)

O23 - Service: Avira AntiVir Premium MailGuard helper service (AVEService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe

O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe

O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe

O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe

O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe

O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--

End of file - 10744 bytes

Merci d avance !

Modifié le 1 avril 2009 par djjs

angelique · le 30 mars 2009

1• désactiver TeaTimer::

Pour désactiver TeaTimer :

Afficher d'abord le Mode Avancé dans SpyBot

Options Avancées :

- menu Mode, Mode Avancé.

Une colonne de menus apparaît dans la partie gauche :

- cliquer sur Outils,

- cliquer sur Résident,

Dans Résident :

- décocher Résident "TeaTimer" pour le désactiver.

2• Télécharge combofix.exe (par sUBs) et sauvegarde le sur ton bureau , pas ailleurs!!!!! de cette maniere ci dessous.

Fait un clic droit sur le lien de ComboFix et choisir ->

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

http://www.forospyware.com/sUBs/ComboFix.exe

http://subs.geekstogo.com/ComboFix.exe

* Avec Firefox -> Enregistrer la cible du lien sous...

* Avec Internet Explorer -> Enregistrer la cible sous...

Comme sur la capture, avant le téléchargement :

* Choisir le Bureau

* renommer par COlaF , Combo-Fix dans l'exemple

* Vous devez obtenir -> COlaF

* Cliquez enfin sur -> Enregistrer

Les Antivirus couinent sur ComboFix (Nircmd ....), faut autoriser ou désactiver temporairement son AV , ainsi que la demande d'access à la zone sure si le firewall couine , il faut autoriser \o/

* Double-clique combofix.exe(COlaF), accepte le CluF qui s'affiche, afin de l'exécuter et suis les instructions.

* Lorsque l'analyse sera complétée, un rapport apparaîtra que tu me posteras.

* Si le fichier n'apparait pas, il se trouve ici > C:\ComboFix.txt

tuto:: Un guide et un tutoriel sur l'utilisation de ComboFix

==> be back vers 09H30

djjs · le 30 mars 2009

Thanks pour ton temps Angelique !

Voila le rapport Combofix (la premiere fois que je l ai lancer il n a pas fait de rapport, juste a la 2e tentative)

ComboFix 09-03-29.02 - Jean-Sebastien 2009-03-30 0:03:35.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.33.1033.18.1014.573 [GMT -7:00]

Lancé depuis: c:\documents and settings\Jean-Sebastien\Desktop\COlaF.exe

AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Outdated)

FW: ZoneAlarm Firewall *enabled*

* Un nouveau point de restauration a été créé

.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))

.

---- Exécution préalable -------

.

c:\documents and settings\Jean-Sebastien\Application Data\GetModule

c:\windows\system32\aoqqeo.dll

c:\windows\system32\ayunijuh.ini

c:\windows\system32\bajoduza.dll

c:\windows\system32\benugame.dll

c:\windows\system32\biniyogi.dll

c:\windows\system32\bumzaq.dll

c:\windows\system32\forazeto.dll

c:\windows\system32\igoyinib.ini

c:\windows\system32\jiyewopo.dll

c:\windows\system32\mikolobe.dll

c:\windows\system32\movegute.dll

c:\windows\system32\nolomipu.dll

c:\windows\system32\pikiriro.dll

c:\windows\system32\wlcphp.dll

c:\windows\system32\wpv091232070177.cpx

c:\windows\system32\yjiujp.dll

c:\windows\system32\yomudaki.dll

c:\windows\system32\zevayiko.dll

c:\windows\system32\zukepive.dll

c:\windows\wiaserviv.log

.

((((((((((((((((((((((((((((( Fichiers créés du 2009-02-28 au 2009-03-30 ))))))))))))))))))))))))))))))))))))

.

2009-03-29 23:38 . 2009-03-29 23:41 <DIR> d-------- C:\ComboFix

2009-03-29 11:18 . 2009-03-29 11:19 <DIR> d-------- c:\documents and settings\Jean-Sebastien\Application Data\W Photo Studio Viewer

2009-03-28 23:23 . 2009-03-28 23:23 54,156 --ah----- c:\windows\QTFont.qfn

2009-03-28 23:23 . 2009-03-28 23:23 1,409 --a------ c:\windows\QTFont.for

2009-03-28 11:47 . 2009-03-28 11:47 1,024 --ahs---- c:\windows\system32\rutobuki.dll

2009-03-15 09:07 . 2009-03-15 09:07 <DIR> d-------- c:\program files\Common Files\Windows Live

2009-03-03 17:37 . 2009-03-03 17:37 <DIR> d-------- c:\program files\MSECache

2009-02-15 21:16 . 2009-02-15 21:16 73,728 --a------ c:\windows\system32\javacpl.cpl

2009-02-01 12:53 . 2009-02-07 09:06 <DIR> d-------- c:\documents and settings\Jean-Sebastien\Application Data\skypePM

2009-02-01 12:53 . 2009-02-01 12:53 48 --ah----- c:\windows\system32\ezsidmv.dat

2009-02-01 12:45 . 2009-02-01 12:45 <DIR> d-------- c:\program files\Skype

2009-02-01 12:45 . 2009-02-01 12:45 <DIR> d-------- c:\program files\Common Files\Skype

2009-02-01 12:45 . 2009-02-07 09:12 <DIR> d-------- c:\documents and settings\Jean-Sebastien\Application Data\Skype

2009-02-01 12:44 . 2009-02-01 12:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\Skype

.

(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-03-30 07:14 41,136,160 --sha-w c:\windows\system32\drivers\fidbox.dat

2009-03-30 07:10 485,084 --sha-w c:\windows\system32\drivers\fidbox.idx

2009-03-18 15:02 --------- d-----w c:\program files\Spybot

2009-03-18 14:56 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-03-16 17:07 --------- d-----w c:\documents and settings\Jean-Sebastien\Application Data\Vso

2009-03-12 01:34 102,344 ----a-w c:\documents and settings\Jean-Sebastien\Application Data\GDIPFONTCACHEV1.DAT

2009-03-06 06:05 --------- d-----w c:\program files\IsoBuster

2009-02-27 04:34 --------- d-----w c:\program files\Microsoft Silverlight

2009-02-20 19:03 --------- d-----w c:\program files\eMule

2009-02-11 03:52 5,632 --sha-w c:\program files\Thumbs.db

2009-01-30 20:07 --------- d-----w c:\program files\Avira

2009-01-30 20:07 --------- d-----w c:\documents and settings\All Users\Application Data\Avira

2009-01-30 19:53 --------- d-----w c:\program files\Fruityloops7

2006-10-30 22:53 0 ----a-w c:\documents and settings\Jean-Sebastien\Application Data\wklnhst.dat

1601-01-01 00:12 1,024 --sha-w c:\windows\system32\lenosopo.dll

2008-10-22 19:07 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008102220081023\index.dat

.

((((((((((((((((((((((((((((( snapshot@2009-01-08_23.38.15.82 )))))))))))))))))))))))))))))))))))))))))

.

+ 2008-12-11 12:33:59 333,952 ----a-w c:\windows\$hf_mig$\KB958687\SP3QFE\srv.sys

+ 2007-11-30 12:39:22 17,272 ----a-w c:\windows\$hf_mig$\KB958687\spmsg.dll

+ 2007-11-30 12:39:22 231,288 ----a-w c:\windows\$hf_mig$\KB958687\spuninst.exe

+ 2007-11-30 12:39:22 26,488 ----a-w c:\windows\$hf_mig$\KB958687\update\spcustom.dll

+ 2007-11-30 11:18:51 755,576 ----a-w c:\windows\$hf_mig$\KB958687\update\update.exe

+ 2007-11-30 11:18:51 382,840 ----a-w c:\windows\$hf_mig$\KB958687\update\updspapi.dll

+ 2007-11-30 12:39:22 231,288 -c----w c:\windows\$NtUninstallKB958687$\spuninst\spuninst.exe

+ 2007-11-30 11:18:51 382,840 -c----w c:\windows\$NtUninstallKB958687$\spuninst\updspapi.dll

+ 2008-09-08 10:41:42 333,824 -c----w c:\windows\$NtUninstallKB958687$\srv.sys

+ 2007-06-25 21:30:10 325,120 ----a-w c:\windows\Downloaded Program Files\dwa7W.dll

- 2005-10-20 20:02:28 163,328 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE

+ 2005-10-21 03:02:28 163,328 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE

- 2005-10-20 20:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE

+ 2005-10-21 03:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE

+ 2008-10-16 20:38:34 124,928 -c----w c:\windows\ie7updates\KB961260-IE7\advpack.dll

+ 2008-10-16 20:38:34 347,136 -c----w c:\windows\ie7updates\KB961260-IE7\dxtmsft.dll

+ 2008-10-16 20:38:34 214,528 -c----w c:\windows\ie7updates\KB961260-IE7\dxtrans.dll

+ 2008-10-16 20:38:35 133,120 -c----w c:\windows\ie7updates\KB961260-IE7\extmgr.dll

+ 2008-10-16 20:38:35 63,488 -c----w c:\windows\ie7updates\KB961260-IE7\icardie.dll

+ 2008-10-16 13:11:09 70,656 -c----w c:\windows\ie7updates\KB961260-IE7\ie4uinit.exe

+ 2008-10-16 20:38:35 153,088 -c----w c:\windows\ie7updates\KB961260-IE7\ieakeng.dll

+ 2008-10-16 20:38:35 230,400 -c----w c:\windows\ie7updates\KB961260-IE7\ieaksie.dll

+ 2008-10-15 07:04:53 161,792 -c----w c:\windows\ie7updates\KB961260-IE7\ieakui.dll

+ 2008-10-16 20:38:35 383,488 -c----w c:\windows\ie7updates\KB961260-IE7\ieapfltr.dll

+ 2008-10-16 20:38:35 384,512 -c----w c:\windows\ie7updates\KB961260-IE7\iedkcs32.dll

+ 2008-10-16 20:38:37 6,066,176 -c----w c:\windows\ie7updates\KB961260-IE7\ieframe.dll

+ 2008-10-16 20:38:37 44,544 -c----w c:\windows\ie7updates\KB961260-IE7\iernonce.dll

+ 2008-10-16 20:38:37 267,776 -c----w c:\windows\ie7updates\KB961260-IE7\iertutil.dll

+ 2008-10-16 13:11:09 13,824 -c----w c:\windows\ie7updates\KB961260-IE7\ieudinit.exe

+ 2008-10-15 07:06:26 633,632 -c----w c:\windows\ie7updates\KB961260-IE7\iexplore.exe

+ 2008-10-16 20:38:37 27,648 -c----w c:\windows\ie7updates\KB961260-IE7\jsproxy.dll

+ 2008-10-16 20:38:37 459,264 -c----w c:\windows\ie7updates\KB961260-IE7\msfeeds.dll

+ 2008-10-16 20:38:37 52,224 -c----w c:\windows\ie7updates\KB961260-IE7\msfeedsbs.dll

+ 2008-12-13 06:40:02 3,593,216 -c----w c:\windows\ie7updates\KB961260-IE7\mshtml.dll

+ 2008-10-16 20:38:38 477,696 -c----w c:\windows\ie7updates\KB961260-IE7\mshtmled.dll

+ 2008-10-16 20:38:38 193,024 -c----w c:\windows\ie7updates\KB961260-IE7\msrating.dll

+ 2008-10-16 20:38:39 671,232 -c----w c:\windows\ie7updates\KB961260-IE7\mstime.dll

+ 2008-10-16 20:38:39 102,912 -c----w c:\windows\ie7updates\KB961260-IE7\occache.dll

+ 2008-10-16 20:38:39 44,544 -c----w c:\windows\ie7updates\KB961260-IE7\pngfilt.dll

+ 2007-03-06 01:22:41 213,216 -c----w c:\windows\ie7updates\KB961260-IE7\spuninst\spuninst.exe

+ 2007-03-06 01:23:51 371,424 -c----w c:\windows\ie7updates\KB961260-IE7\spuninst\updspapi.dll

+ 2008-10-16 20:38:39 105,984 -c----w c:\windows\ie7updates\KB961260-IE7\url.dll

+ 2008-10-16 20:38:39 1,160,192 -c----w c:\windows\ie7updates\KB961260-IE7\urlmon.dll

+ 2008-10-16 20:38:39 233,472 -c----w c:\windows\ie7updates\KB961260-IE7\webcheck.dll

+ 2008-10-16 20:38:40 826,368 -c----w c:\windows\ie7updates\KB961260-IE7\wininet.dll

+ 2006-10-27 04:12:56 396,592 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6021\MOC.EXE

+ 2007-05-08 19:10:18 16,874,376 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6021\MSO.DLL

+ 2007-03-22 02:56:50 8,425,856 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6021\OARTCONV.DLL

+ 2006-10-27 23:18:34 1,658,152 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6021\OGL.DLL

+ 2007-05-10 17:04:28 846,248 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6021\OICE.EXE

+ 2007-05-10 18:11:42 1,767,256 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6021\PPCNV.DLL

+ 2007-03-22 03:00:06 72,096 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6021\PXBCOM.EXE

+ 2007-03-22 02:58:40 4,145,520 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6021\WRD12CNV.DLL

+ 2007-03-22 02:58:46 24,416 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6021\WRD12EXE.EXE

+ 2007-05-10 18:25:40 14,677,368 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6021\XL12CNV.EXE

+ 2007-09-15 05:45:58 16,901,168 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6215\MSO.DLL

+ 2007-08-29 08:19:24 1,654,648 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6215\OGL.DLL

+ 2007-08-24 13:00:34 1,767,768 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6215\PPCNV.DLL

+ 2007-08-24 13:00:48 72,096 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6215\PXBCOM.EXE

+ 2007-10-03 04:00:06 14,708,760 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6215\XL12CNV.EXE

+ 2009-03-04 05:03:22 38,240 ----a-r c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe

- 2000-08-31 08:00:00 28,672 ----a-w c:\windows\NIRCMD.exe

+ 2000-08-31 15:00:00 29,696 ----a-w c:\windows\NIRCMD.exe

- 2000-08-31 08:00:00 161,792 ----a-w c:\windows\SWREG.exe

+ 2000-08-31 15:00:00 161,792 ----a-w c:\windows\SWREG.exe

- 2008-10-16 20:38:34 124,928 ----a-w c:\windows\system32\advpack.dll

+ 2008-12-20 23:15:11 124,928 ----a-w c:\windows\system32\advpack.dll

+ 2008-03-12 20:29:14 94,465 ----a-w c:\windows\system32\avsda.dll

+ 2008-09-17 23:29:12 20,040 ----a-w c:\windows\system32\config\systemprofile\Application Data\Microsoft\IdentityCRL\production\ppcrlconfig.dll

- 2008-10-22 19:07:49 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2009-01-16 04:00:12 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat

- 2008-10-22 19:07:49 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2009-01-16 04:00:12 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2008-10-22 19:07:49 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2009-01-16 04:00:12 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2009-02-16 04:16:14 410,984 ----a-w c:\windows\system32\deploytk.dll

- 2008-10-16 20:38:34 124,928 -c----w c:\windows\system32\dllcache\advpack.dll

+ 2008-12-20 23:15:11 124,928 -c----w c:\windows\system32\dllcache\advpack.dll

- 2008-10-16 20:38:34 347,136 -c--a-w c:\windows\system32\dllcache\dxtmsft.dll

+ 2008-12-20 23:15:12 347,136 -c--a-w c:\windows\system32\dllcache\dxtmsft.dll

- 2008-10-16 20:38:34 214,528 -c--a-w c:\windows\system32\dllcache\dxtrans.dll

+ 2008-12-20 23:15:13 214,528 -c--a-w c:\windows\system32\dllcache\dxtrans.dll

- 2008-10-16 20:38:35 133,120 -c--a-w c:\windows\system32\dllcache\extmgr.dll

+ 2008-12-20 23:15:13 133,120 -c--a-w c:\windows\system32\dllcache\extmgr.dll

- 2008-10-16 20:38:35 63,488 -c----w c:\windows\system32\dllcache\icardie.dll

+ 2008-12-20 23:15:13 63,488 -c----w c:\windows\system32\dllcache\icardie.dll

- 2008-10-16 13:11:09 70,656 -c----w c:\windows\system32\dllcache\ie4uinit.exe

+ 2008-12-19 09:10:15 70,656 -c----w c:\windows\system32\dllcache\ie4uinit.exe

- 2008-10-16 20:38:35 153,088 -c----w c:\windows\system32\dllcache\ieakeng.dll

+ 2008-12-20 23:15:14 153,088 -c----w c:\windows\system32\dllcache\ieakeng.dll

- 2008-10-16 20:38:35 230,400 -c----w c:\windows\system32\dllcache\ieaksie.dll

+ 2008-12-20 23:15:14 230,400 -c----w c:\windows\system32\dllcache\ieaksie.dll

- 2008-10-15 07:04:53 161,792 -c----w c:\windows\system32\dllcache\ieakui.dll

+ 2008-12-19 05:23:56 161,792 -c----w c:\windows\system32\dllcache\ieakui.dll

- 2008-10-16 20:38:35 383,488 -c----w c:\windows\system32\dllcache\ieapfltr.dll

+ 2008-12-20 23:15:15 383,488 -c----w c:\windows\system32\dllcache\ieapfltr.dll

- 2008-10-16 20:38:35 384,512 -c----w c:\windows\system32\dllcache\iedkcs32.dll

+ 2008-12-20 23:15:16 384,512 -c----w c:\windows\system32\dllcache\iedkcs32.dll

- 2008-10-16 20:38:37 6,066,176 -c----w c:\windows\system32\dllcache\ieframe.dll

+ 2008-12-20 23:15:21 6,066,688 -c----w c:\windows\system32\dllcache\ieframe.dll

- 2008-10-16 20:38:37 44,544 -c----w c:\windows\system32\dllcache\iernonce.dll

+ 2008-12-20 23:15:21 44,544 -c----w c:\windows\system32\dllcache\iernonce.dll

- 2008-10-16 20:38:37 267,776 -c----w c:\windows\system32\dllcache\iertutil.dll

+ 2008-12-20 23:15:22 267,776 -c----w c:\windows\system32\dllcache\iertutil.dll

- 2008-10-16 13:11:09 13,824 -c----w c:\windows\system32\dllcache\ieudinit.exe

+ 2008-12-19 09:10:15 13,824 -c----w c:\windows\system32\dllcache\ieudinit.exe

- 2008-10-15 07:06:26 633,632 -c----w c:\windows\system32\dllcache\iexplore.exe

+ 2008-12-19 05:25:25 634,024 -c----w c:\windows\system32\dllcache\iexplore.exe

- 2008-10-16 20:38:37 27,648 -c--a-w c:\windows\system32\dllcache\jsproxy.dll

+ 2008-12-20 23:15:23 27,648 -c--a-w c:\windows\system32\dllcache\jsproxy.dll

- 2008-10-16 20:38:37 459,264 -c----w c:\windows\system32\dllcache\msfeeds.dll

+ 2008-12-20 23:15:23 459,264 -c----w c:\windows\system32\dllcache\msfeeds.dll

- 2008-10-16 20:38:37 52,224 -c----w c:\windows\system32\dllcache\msfeedsbs.dll

+ 2008-12-20 23:15:24 52,224 -c----w c:\windows\system32\dllcache\msfeedsbs.dll

- 2008-12-13 06:40:02 3,593,216 -c--a-w c:\windows\system32\dllcache\mshtml.dll

+ 2009-01-17 05:35:14 3,594,752 -c--a-w c:\windows\system32\dllcache\mshtml.dll

- 2008-10-16 20:38:38 477,696 -c--a-w c:\windows\system32\dllcache\mshtmled.dll

+ 2008-12-20 23:15:30 477,696 -c--a-w c:\windows\system32\dllcache\mshtmled.dll

- 2008-10-16 20:38:38 193,024 -c--a-w c:\windows\system32\dllcache\msrating.dll

+ 2008-12-20 23:15:31 193,024 -c--a-w c:\windows\system32\dllcache\msrating.dll

- 2008-10-16 20:38:39 671,232 -c--a-w c:\windows\system32\dllcache\mstime.dll

+ 2008-12-20 23:15:32 671,232 -c--a-w c:\windows\system32\dllcache\mstime.dll

- 2008-10-16 20:38:39 102,912 -c----w c:\windows\system32\dllcache\occache.dll

+ 2008-12-20 23:15:38 102,912 -c----w c:\windows\system32\dllcache\occache.dll

- 2008-10-16 20:38:39 44,544 -c--a-w c:\windows\system32\dllcache\pngfilt.dll

+ 2008-12-20 23:15:38 44,544 -c--a-w c:\windows\system32\dllcache\pngfilt.dll

+ 2008-12-05 06:54:55 144,896 -c----w c:\windows\system32\dllcache\schannel.dll

+ 2008-06-17 19:02:19 8,461,312 -c----w c:\windows\system32\dllcache\shell32.dll

- 2008-09-08 10:41:42 333,824 -c----w c:\windows\system32\dllcache\srv.sys

+ 2008-12-11 10:57:09 333,952 -c----w c:\windows\system32\dllcache\srv.sys

- 2008-10-16 20:38:39 105,984 -c----w c:\windows\system32\dllcache\url.dll

+ 2008-12-20 23:15:39 105,984 -c----w c:\windows\system32\dllcache\url.dll

- 2008-10-16 20:38:39 1,160,192 -c--a-w c:\windows\system32\dllcache\urlmon.dll

+ 2008-12-20 23:15:40 1,160,192 -c--a-w c:\windows\system32\dllcache\urlmon.dll

- 2008-10-16 20:38:39 233,472 -c----w c:\windows\system32\dllcache\webcheck.dll

+ 2008-12-20 23:15:40 233,472 -c----w c:\windows\system32\dllcache\webcheck.dll

- 2008-09-15 12:12:56 1,846,400 -c----w c:\windows\system32\dllcache\win32k.sys

+ 2009-02-09 11:13:27 1,846,784 -c----w c:\windows\system32\dllcache\win32k.sys

- 2008-10-16 20:38:40 826,368 -c--a-w c:\windows\system32\dllcache\wininet.dll

+ 2008-12-20 23:15:41 826,368 -c--a-w c:\windows\system32\dllcache\wininet.dll

- 2006-11-22 20:30:31 34,304 ----a-w c:\windows\system32\drivers\avgntdd.sys

+ 2008-05-09 21:15:51 45,376 ----a-w c:\windows\system32\drivers\avgntdd.sys

- 2006-11-22 20:30:31 14,848 ----a-w c:\windows\system32\drivers\avgntmgr.sys

+ 2008-01-22 02:11:28 22,336 ----a-w c:\windows\system32\drivers\avgntmgr.sys

- 2008-12-26 17:07:37 75,072 ----a-w c:\windows\system32\drivers\avipbb.sys

+ 2008-06-27 23:03:55 75,072 ----a-w c:\windows\system32\drivers\avipbb.sys

- 2008-09-08 10:41:42 333,824 ----a-w c:\windows\system32\drivers\srv.sys

+ 2008-12-11 10:57:09 333,952 ----a-w c:\windows\system32\drivers\srv.sys

- 2007-05-01 06:37:12 28,352 ----a-w c:\windows\system32\drivers\ssmdrv.sys

+ 2007-03-01 18:34:22 28,352 ----a-w c:\windows\system32\drivers\ssmdrv.sys

+ 2009-01-25 18:30:09 83,440 ----a-w c:\windows\system32\dwabho.dll

- 2008-10-16 20:38:34 347,136 ----a-w c:\windows\system32\dxtmsft.dll

+ 2008-12-20 23:15:12 347,136 ----a-w c:\windows\system32\dxtmsft.dll

- 2008-10-16 20:38:34 214,528 ----a-w c:\windows\system32\dxtrans.dll

+ 2008-12-20 23:15:13 214,528 ----a-w c:\windows\system32\dxtrans.dll

- 2008-10-16 20:38:35 133,120 ----a-w c:\windows\system32\extmgr.dll

+ 2008-12-20 23:15:13 133,120 ----a-w c:\windows\system32\extmgr.dll

- 2008-10-22 19:07:05 337,848 ----a-w c:\windows\system32\FNTCACHE.DAT

+ 2009-03-11 05:29:38 337,848 ----a-w c:\windows\system32\FNTCACHE.DAT

+ 2009-03-29 06:45:32 61,440 --sha-w c:\windows\system32\hajovapa.exe

- 2008-10-16 20:38:35 63,488 ----a-w c:\windows\system32\icardie.dll

+ 2008-12-20 23:15:13 63,488 ----a-w c:\windows\system32\icardie.dll

- 2008-10-16 13:11:09 70,656 ----a-w c:\windows\system32\ie4uinit.exe

+ 2008-12-19 09:10:15 70,656 ----a-w c:\windows\system32\ie4uinit.exe

- 2008-10-16 20:38:35 153,088 ----a-w c:\windows\system32\ieakeng.dll

+ 2008-12-20 23:15:14 153,088 ----a-w c:\windows\system32\ieakeng.dll

- 2008-10-16 20:38:35 230,400 ----a-w c:\windows\system32\ieaksie.dll

+ 2008-12-20 23:15:14 230,400 ----a-w c:\windows\system32\ieaksie.dll

- 2008-10-15 07:04:53 161,792 ----a-w c:\windows\system32\ieakui.dll

+ 2008-12-19 05:23:56 161,792 ----a-w c:\windows\system32\ieakui.dll

- 2008-10-16 20:38:35 383,488 ----a-w c:\windows\system32\ieapfltr.dll

+ 2008-12-20 23:15:15 383,488 ----a-w c:\windows\system32\ieapfltr.dll

- 2008-10-16 20:38:35 384,512 ----a-w c:\windows\system32\iedkcs32.dll

+ 2008-12-20 23:15:16 384,512 ----a-w c:\windows\system32\iedkcs32.dll

- 2008-10-16 20:38:37 6,066,176 ----a-w c:\windows\system32\ieframe.dll

+ 2008-12-20 23:15:21 6,066,688 ----a-w c:\windows\system32\ieframe.dll

- 2008-10-16 20:38:37 44,544 ----a-w c:\windows\system32\iernonce.dll

+ 2008-12-20 23:15:21 44,544 ----a-w c:\windows\system32\iernonce.dll

- 2008-10-16 20:38:37 267,776 ----a-w c:\windows\system32\iertutil.dll

+ 2008-12-20 23:15:22 267,776 ----a-w c:\windows\system32\iertutil.dll

- 2008-10-16 13:11:09 13,824 ----a-w c:\windows\system32\ieudinit.exe

+ 2008-12-19 09:10:15 13,824 ----a-w c:\windows\system32\ieudinit.exe

- 2005-06-03 10:24:06 49,248 ----a-w c:\windows\system32\java.exe

+ 2009-02-16 04:16:14 144,792 ----a-w c:\windows\system32\java.exe

- 2005-06-03 10:24:14 49,250 ----a-w c:\windows\system32\javaw.exe

+ 2009-02-16 04:16:14 144,792 ----a-w c:\windows\system32\javaw.exe

- 2005-06-03 11:52:56 127,078 ----a-w c:\windows\system32\javaws.exe

+ 2009-02-16 04:16:14 148,888 ----a-w c:\windows\system32\javaws.exe

- 2008-10-16 20:38:37 27,648 ----a-w c:\windows\system32\jsproxy.dll

+ 2008-12-20 23:15:23 27,648 ----a-w c:\windows\system32\jsproxy.dll

+ 2005-05-16 19:34:48 213,048 ----a-w c:\windows\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll

+ 2008-08-13 15:03:26 65,536 ----a-w c:\windows\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe

+ 2008-08-13 15:03:26 798,720 ----a-w c:\windows\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll

+ 2008-10-05 03:24:02 3,695,008 ----a-w c:\windows\system32\Macromed\Flash\NPSWF32.dll

+ 2008-10-05 03:24:04 235,936 ----a-w c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe

+ 2009-01-17 01:20:07 84,661 ----a-w c:\windows\system32\Macromed\Flash\uninstall_plugin.exe

- 2008-10-16 20:38:37 459,264 ----a-w c:\windows\system32\msfeeds.dll

+ 2008-12-20 23:15:23 459,264 ----a-w c:\windows\system32\msfeeds.dll

- 2008-10-16 20:38:37 52,224 ----a-w c:\windows\system32\msfeedsbs.dll

+ 2008-12-20 23:15:24 52,224 ----a-w c:\windows\system32\msfeedsbs.dll

- 2008-12-13 06:40:02 3,593,216 ----a-w c:\windows\system32\mshtml.dll

+ 2009-01-17 05:35:14 3,594,752 ----a-w c:\windows\system32\mshtml.dll

- 2008-10-16 20:38:38 477,696 ----a-w c:\windows\system32\mshtmled.dll

+ 2008-12-20 23:15:30 477,696 ----a-w c:\windows\system32\mshtmled.dll

- 2008-10-16 20:38:38 193,024 ----a-w c:\windows\system32\msrating.dll

+ 2008-12-20 23:15:31 193,024 ----a-w c:\windows\system32\msrating.dll

- 2008-10-16 20:38:39 671,232 ----a-w c:\windows\system32\mstime.dll

+ 2008-12-20 23:15:32 671,232 ----a-w c:\windows\system32\mstime.dll

- 2008-10-16 20:38:39 102,912 ----a-w c:\windows\system32\occache.dll

+ 2008-12-20 23:15:38 102,912 ----a-w c:\windows\system32\occache.dll

- 2008-12-26 16:05:13 61,372 ----a-w c:\windows\system32\perfc009.dat

+ 2009-03-12 14:19:27 61,372 ----a-w c:\windows\system32\perfc009.dat

- 2008-12-26 16:05:13 399,050 ----a-w c:\windows\system32\perfh009.dat

+ 2009-03-12 14:19:27 399,050 ----a-w c:\windows\system32\perfh009.dat

- 2008-10-16 20:38:39 44,544 ----a-w c:\windows\system32\pngfilt.dll

+ 2008-12-20 23:15:38 44,544 ----a-w c:\windows\system32\pngfilt.dll

- 2008-04-14 00:12:05 144,384 ----a-w c:\windows\system32\schannel.dll

+ 2008-12-05 06:54:55 144,896 ----a-w c:\windows\system32\schannel.dll

- 2008-04-14 00:12:05 8,461,312 ----a-w c:\windows\system32\shell32.dll

+ 2008-06-17 19:02:19 8,461,312 ----a-w c:\windows\system32\shell32.dll

- 2007-11-30 12:39:22 17,272 ------w c:\windows\system32\spmsg.dll

+ 2007-11-30 11:18:51 17,272 ------w c:\windows\system32\spmsg.dll

- 2007-08-10 18:46:18 26,488 ----a-w c:\windows\system32\spupdsvc.exe

+ 2007-07-27 17:41:38 26,488 ----a-w c:\windows\system32\spupdsvc.exe

- 2008-10-16 20:38:39 105,984 ----a-w c:\windows\system32\url.dll

+ 2008-12-20 23:15:39 105,984 ----a-w c:\windows\system32\url.dll

- 2008-10-16 20:38:39 1,160,192 ----a-w c:\windows\system32\urlmon.dll

+ 2008-12-20 23:15:40 1,160,192 ----a-w c:\windows\system32\urlmon.dll

- 2008-10-16 20:38:39 233,472 ----a-w c:\windows\system32\webcheck.dll

+ 2008-12-20 23:15:40 233,472 ----a-w c:\windows\system32\webcheck.dll

- 2008-09-15 12:12:56 1,846,400 ----a-w c:\windows\system32\win32k.sys

+ 2009-02-09 11:13:27 1,846,784 ----a-w c:\windows\system32\win32k.sys

- 2008-10-16 20:38:40 826,368 ----a-w c:\windows\system32\wininet.dll

+ 2008-12-20 23:15:41 826,368 ----a-w c:\windows\system32\wininet.dll

- 2007-06-12 07:51:12 10,834,944 ----a-w c:\windows\system32\wmp.dll

+ 2008-11-12 02:34:42 10,838,016 ----a-w c:\windows\system32\wmp.dll

+ 2009-03-28 18:45:55 61,440 --sha-w c:\windows\system32\wodezoga.exe

+ 2009-03-30 01:18:28 61,440 --sha-w c:\windows\system32\zagubura.exe

+ 2009-03-30 07:11:58 16,384 ----atw c:\windows\temp\Perflib_Perfdata_6a8.dat

+ 2008-04-15 17:47:33 1,724,416 ----a-w c:\windows\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5581_x-ww_dfbc4fc4\GdiPlus.dll

.

-- Instantané actualisé --

.

((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-27 98304]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-27 118784]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]

"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2006-01-05 352256]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-16 761945]

"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2005-11-30 73728]

"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-12-13 919016]

"mogiluhehe"="c:\windows\system32\bafekefe.dll" [bU]

"TPSMain"="TPSMain.exe" [2005-05-31 c:\windows\system32\TPSMain.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-02-15 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"vidc.MJPG"= m3jpeg32.dll

"vidc.dmb1"= m3jpeg32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=

"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe

"c:\\Program Files\\Medal of Honor Pacific Assault\\mohpa.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\eMule\\emule.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=

"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=

"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

"c:\\Program Files\\Ubisoft\\Far Cry\\Bin32\\FarCry.exe"=

"c:\\Program Files\\VLC\\vlc.exe"=

"c:\\Team17\\Worms 4 Mayhem\\WORMS 4 MAYHEM.EXE"=

"c:\\Program Files\\Cossacks\\dmcr.exe"=

"c:\\WINDOWS\\system32\\dplaysvr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\WINDOWS\\system32\\TPSBattM.exe"=

"c:\\Program Files\\TOSHIBA\\ConfigFree\\CFSvcs.exe"=

"c:\\Program Files\\Microsoft LifeCam\\MSCamS32.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Spybot\\TeaTimer.exe"=

"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpsvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 HWFProt;Hywave File Protector HWFProt;c:\windows\system32\drivers\HWFProt.sys [2006-10-27 44480]

R2 AntiVirMailService;Avira AntiVir Premium MailGuard;c:\program files\Avira\AntiVir PersonalEdition Premium\avmailc.exe [2009-01-30 164097]

R2 antivirwebservice;Avira AntiVir Premium WebGuard;c:\program files\Avira\AntiVir PersonalEdition Premium\avwebgrd.exe [2009-01-30 258305]

R2 AVEService;Avira AntiVir Premium MailGuard helper service;c:\program files\Avira\AntiVir PersonalEdition Premium\avesvc.exe [2009-01-30 41217]

S3 EAGLE2RC;Analog/DVB-T Hybrid Tv Infrared Receiver;c:\windows\system32\drivers\Eagle2RC.sys [2007-04-07 8576]

S3 Eagle2TV;TV tuner device;c:\windows\system32\drivers\Eagle2TV_B.sys [2007-04-07 384128]

S3 EWAVE;EWAVE;\??\c:\windows\system32\drivers\ew.sys --> c:\windows\system32\drivers\ew.sys [?]

S3 FILESPY;FILESPY;\??\c:\windows\system32\drivers\FILESPY.sys --> c:\windows\system32\drivers\FILESPY.sys [?]

S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2008-10-04 13352]

S3 NETMDSHA;MDSHA031;c:\windows\system32\drivers\MDSHA031.sys [2008-06-22 35331]

S3 NSTATION;NSTATION;\??\c:\windows\system32\drivers\nstation.sys --> c:\windows\system32\drivers\nstation.sys [?]

.

Contenu du dossier 'Tâches planifiées'

2009-03-29 c:\windows\Tasks\At1.job

- c:\documents and settings\Jean-Sebastien\Templates\Brengkolang.com []

2009-03-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2719839664-1612303478-808430666-1005.job

- c:\documents and settings\Jean-Sebastien\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-16 17:55]

2007-08-25 c:\windows\Tasks\Microsoft_Hardware_Launch_setup_exe.job

- D:\setup.exe []

.

- - - - ORPHELINS SUPPRIMES - - - -

BHO-{105bff7d-7cc6-4318-85ac-114a7fb06b5d} - c:\windows\system32\aoqqeo.dll

BHO-{42e4ce7c-b1f7-4ec1-a212-ad60ee84a14e} - c:\windows\system32\mikolobe.dll

BHO-{5108ecec-4b4c-48c4-8a34-6bd4846de956} - (no file)

HKLM-Run-CPM031e4ca0 - c:\windows\system32\bajoduza.dll

HKLM-Run-002d7f3c - c:\windows\system32\biniyogi.dll

.

------- Examen supplémentaire -------

.

uStart Page = hxxp://www.yahoo.fr/

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

LSP: avsda.dll

.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-03-30 00:12:31

Windows 5.1.2600 Service Pack 3 NTFS

Recherche de processus cachés ...

Recherche d'éléments en démarrage automatique cachés ...

Recherche de fichiers cachés ...

Scan terminé avec succès

Fichiers cachés: 0

**************************************************************************

.

--------------------- CLES DE REGISTRE BLOQUEES ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]

"OODEFRAG10.00.00.01WORKSTATION"="C50D2FED5EE752DF6F89D31287CD385A3111AEAA5D8BB631355AF4EEB643970B88C501F6D12

480C51CD058AF7E79E035172CFADB99B92DE874D70E2753B0ED8A78D04CCA49B319476C504B3F6B6B

41C7AE9A8FFA39A9904017DD7449C7CA16052620DA2B99B3DF36043A33CB48D3EB00536FCE7D7DBB6

05E4C8285D3B9449BF7B46829BF6E480C8C9D86CAC5E5E364EE7003D0BEF9538D8BD39DD7AA22D27C

86DAA4E814C496CBE582F08102645624C88971E079175B7E3786CD33134D2F2EF963940117EE4B3D8

115F678B83CE41866FEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74C

FEBC9E127BECC74CFEBC9E127BECC74CA6A0AC4980AC7933A6A0AC4980AC79335D575E7D6A3B98089

DB7CE019D40AA5C6C79D870FCAECAFB49A74ACB694C3EED0EB2322B5F103CD4F16BC291143DE51882

6E555935F256EFE1E62EEFD7F255645CD891122C735653C203279D0A0E3D0E9E49B0FAC6ADFE0335B

A0C06DD1A0F78D0168897EB8E9CD6E6F00D1774DA9A8307DF891BF9A19ECA1B3A3E1B691A1059F863

CEB5516521C9C1AF27FEE9791CBC904B30E66C95800400BFD2273D476F5CF6FBCEC9E58068BA487B5

FBBD84455A0A76A2AEB10D3E48F646A0D7F70FD3C7BFE62A995046DEFD986D650988397CD3A4BDE32

1F2CAB80F0DB1FE2E2EC1EF6D2DA5731BEDB3DA1FD99854CC27AD57FB60E8F33D758EFF9CE8E827EF

0738C9322E665EE4DF0826222B391D7CCAA65D96B18A5D2D004F5ED76B9823EAD94AE7C5095581CAF

1BD786E11C482B2D4FAE3FCD251062A870196DD7AD4B3681B7F18EE5EB3FA9B606D9D8012CB9B1BFF

71F88F88381ED6433397B074ED22C389745998E036FBA1933A71864D23C0DC00BA980AA16EE32EAB6

368FB992CE9A04441CE31C8880A66E7466F31791E7915441436348D593A18737F917CE89B9AF789E6

EA5833CCEF936F0BF16C5FE1BC77FA66567574CEBE069C76BF04451D44E8E5EB70DDC76FAF25027DF

1543C575EBAD9B8EB1831BBBC8254E7D71BE9EA00CA08EF839E51D68858164F60105A35D6EADD63FD

E9A72886730042061063A6735F00E33417FAFBFD8F44EBA5BA4EBFBF4305FFD7B8F9B9C7FE67749FA

067FB047238F70AD2E3EEBC9B75BE19A6003BDD74C92540DF9F085858809F6714E604F7541983B7A9

B6E1FE73AD72BA71AE5D4A1FC214F0A14E29622397024E492DED324B4052399137ACB74D262D5E0D7

20B415A00F01DB3E7365357F355670AB159570D004BB6F862EAAE83AF0A798435518A5793700E379B

A4C4EC7B6919E152FB0A8C7979DD50C6B38EF0EC9E8152ABA7BFC2DC463746EE3E8335FA5636F6E6B

05CCB39764195A2834E9CF096510009C207547384CD2E5AD9D5E7C09D7D7FCA1B3160FACAE7ACFEBA

3E8E49EEE37D7578A21B6E758BBD0"

.

--------------------- DLLs chargées dans les processus actifs ---------------------

- - - - - - - > 'lsass.exe'(1096)

c:\windows\system32\avsda.dll

.

------------------------ Autres processus actifs ------------------------

.

c:\program files\Intel\Wireless\Bin\EvtEng.exe

c:\program files\Intel\Wireless\Bin\S24EvMon.exe

c:\windows\system32\ZoneLabs\vsmon.exe

c:\program files\Avira\AntiVir PersonalEdition Premium\sched.exe

c:\program files\Avira\AntiVir PersonalEdition Premium\avguard.exe

c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe

c:\windows\system32\Crypserv.exe

c:\windows\system32\DVDRAMSV.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Microsoft LifeCam\MSCamS32.exe

c:\program files\Intel\Wireless\Bin\RegSrvc.exe

c:\toshiba\IVP\swupdate\swupdtmr.exe

c:\program files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

c:\windows\ehome\mcrdsvc.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\TPSBattM.exe

c:\program files\Windows Live\Messenger\usnsvc.exe

.

**************************************************************************

.

Heure de fin: 2009-03-30 0:20:43 - La machine a redémarré [Jean-Sebastien]

ComboFix-quarantined-files.txt 2009-03-30 07:20:37

ComboFix2.txt 2009-01-08 23:39:26

Avant-CF: 4,739,035,136 bytes free

Après-CF: 4,657,995,776 bytes free

454 --- E O F --- 2009-03-16 04:04:51

angelique · le 30 mars 2009

• ouvre ton bloc note[executer--notepad] et copies/colles le contenu du cadre ci dessous:

File::
c:\windows\system32\lenosopo.dll
c:\windows\system32\rutobuki.dll
c:\windows\system32\bafekefe.dll
c:\windows\Tasks\At1.job
c:\documents and settings\Jean-Sebastien\Templates\Brengkolang.com
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mogiluhehe"=-

[*]Va en haut de la page et clique sur le menu"Fichier" , une liste apparait=>

[*]Choisis "Enregistrer sous" et choisis "Bureau"

[*]Dans le champs "Nom du fichier" en bas de page donne le nom suivant:CFScript

[*]Clique sur le bouton "Enregistrer" à droite du champs "nom du fichier"

[*]Quitte le Bloc Notes.

DECONNECTE TOI PHYSIQUEMENT D'INTERNET (debranche le cable)

[*]Fait un glisser/déposer de ce fichier CFScript sur le fichier ComboFix.exe comme sur la capture

* suis les instructions

* Patiente le temps du scan.Le bureau va disparaitre à plusieurs reprises: c'est normal!

Ne touche à rien tant que le scan n'est pas terminé.

* Une fois le scan achevé, un rapport va s'afficher, reconnecte toi et poste son contenu avec un nouveau rapport HijackThis

* Si le fichier n'apparait pas, il se trouve ici > C:\ComboFix.txt

djjs · le 30 mars 2009

Voila la suite, merci pour ta rapidite !

Par contre je suis a San Francisco la et il est 1h du mat donc jvais aller me coucher, mais si jamais y a encore des trucs a faire jles ferais dmain matin donc c'est normal si je repond pas tout de suite !

ComboFix 09-03-29.02 - Jean-Sebastien 2009-03-30 0:47:29.3 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.33.1033.18.1014.442 [GMT -7:00]

Lancé depuis: c:\documents and settings\Jean-Sebastien\Desktop\COlaF.exe

Commutateurs utilisés :: c:\documents and settings\Jean-Sebastien\Desktop\CFScript.txt

AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Outdated)

FW: ZoneAlarm Firewall *enabled*

* Un nouveau point de restauration a été créé

FILE ::

c:\documents and settings\Jean-Sebastien\Templates\Brengkolang.com

c:\windows\system32\bafekefe.dll

c:\windows\system32\lenosopo.dll

c:\windows\system32\rutobuki.dll

c:\windows\Tasks\At1.job