How can I get rid of win32:mutant-ag ???

-- Scheduled Tasks -------------------------------------------------------------

2008-05-18 22:09:00 282 --a------ C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job
2008-05-16 17:15:00 424 --a------ C:\WINDOWS\Tasks\Maintenance en 1 clic.job
2008-04-28 17:00:00 276 --a------ C:\WINDOWS\Tasks\Uniblue SpyEraser Nag.job
2008-03-19 10:32:05 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2008-02-28 23:09:36 404 --a------ C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job
2008-01-09 18:00:07 350 --a------ C:\WINDOWS\Tasks\Uniblue SpyEraser.job
2005-10-28 11:58:00 284 --a------ C:\WINDOWS\Tasks\Connexion facile à Internet.job

-- Files created between 2008-04-24 and 2008-05-24 -----------------------------

2008-05-24 12:22:15 0 d-------- C:\WINDOWS\LastGood
2008-05-24 12:22:12 0 d-------- C:\Program Files\Secunia
2008-05-24 04:15:14 0 d-------- C:\Program Files\IObit
2008-05-24 03:44:44 0 d-------- C:\Program Files\Trend Micro
2008-05-23 20:58:03 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-23 20:56:48 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-05-23 20:56:47 0 d-------- C:\Documents and Settings\Steve Paper\Application Data\SUPERAntiSpyware.com
2008-05-19 12:52:42 1577 --ahs---- C:\WINDOWS\system32\RYbbcMoq.ini2
2008-05-19 00:23:46 160256 --a------ C:\WINDOWS\system32\blackster.scr <Not Verified; Peter’s Productions; Bugs!>

-- Find3M Report ---------------------------------------------------------------

2008-05-24 13:36:16 0 d-------- C:\Program Files\Java
2008-05-24 13:32:48 0 d-------- C:\Program Files\Uniblue
2008-05-24 13:32:26 0 d-------- C:\Program Files\Fichiers communs\Wise Installation Wizard
2008-05-24 12:52:42 0 d-------- C:\Program Files\QuickTime
2008-05-24 04:26:55 0 d-------- C:\Documents and Settings\Steve Paper\Application Data\Uniblue
2008-05-22 10:34:25 0 d-------- C:\Program Files\Fichiers communs
2008-05-21 21:02:19 0 d-------- C:\Program Files\uTorrent
2008-05-21 21:01:57 0 d-------- C:\Documents and Settings\Steve Paper\Application Data\uTorrent
2008-05-20 17:20:27 0 d-------- C:\Program Files\PCPitstop
2008-04-18 21:33:02 0 d-------- C:\Documents and Settings\Steve Paper\Application Data\dvdcss
2008-04-10 12:58:30 448340 --a------ C:\WINDOWS\system32\perfh00C.dat
2008-04-10 12:58:30 64894 --a------ C:\WINDOWS\system32\perfc00C.dat

-- Registry Dump ---------------------------------------------------------------

Note empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{E3EA4FD9-CADE-4AE5-84F7-086EEE888BE4}"= C:\Program Files\PandoBar\bar\1.bin\PANDOBAR.DLL [2007-11-27 16:14 266240]

[-HKEY_CLASSES_ROOT\CLSID\{E3EA4FD9-CADE-4AE5-84F7-086EEE888BE4}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 02:11]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2005-02-17 14:01]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-15 19:19]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe"
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 08:11]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-13 12:43]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 16:24]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-04-11 18:21]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 08:12]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-22 21:05]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-15 19:19]

C:\Documents and Settings\Steve Paper\Mes documents\Menu Démarrer\Programmes\Démarrage
Secunia PSI (RC2).lnk - C:\Program Files\Secunia\PSI (RC2)\psi.exe [2008-05-21 10:36:18]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)
"NoResolveSearch"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\qoMcbbYR

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dkR31.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dlS63.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ipW54.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\jqW63.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mtB17.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\muC41.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\qwE64.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ryG74.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"LSBWatcher"=c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc

Newly Created Service - PSI

What's the difference between Deckard's System Scanner and HijackThis? It's deeper, I can tell, but it looks as if it is working with HijackThis…

Hi…

Ok…here is some information from Symantec on your new friend. ;D There is also a removal tool you can download and use…

http://www.symantec.com/security_response/writeup.jsp?docid=2004-112111-3912-99&tabid=1

Best Regards…

Hmm… Doesn't look too hard…
You think after running SuperAntispyware, Advanced WindowCare, RootkitBuster and Secunia, it might still be there ?

Hi, you seem to have gotten rid of most of it. There are a couple of things left.

First we will back up your registry, then remove the remnant.

I did see that System Restore had been turned off. DSS turned it back on for you; please leave it turned ON until we are done.

Download and run ERUNT http://www.larshederer.homepage.t-online.de/erunt/

note: the download links are server1,server2, server3

Start ERUNT, confirm the Welcome message.

Type in the name of a restore folder where the backed up registry
files should be saved, or click “…” to browse your computer’s drives
and select a folder. You can also simply leave the default, which is a
folder named ERDNT inside your Windows folder, the advantage being
that you have access to this folder from the Windows Recovery Console
in case Windows does not boot anymore.

Next, select the backup options:

  • System registry:

  • Current user registry:

  • Other open user registries:

Click “OK” and wait until the backup process is complete. (Note that
depending on your system configuration this may take some time, and
that the first bar is NOT a progress bar, just an indicator that the
program is still running.) The ERDNT program for later restoration of
the registry is automatically copied to the restore folder.

REGISTRY FIX

REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dkR31.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dlS63.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ipW54.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\jqW63.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mtB17.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\muC41.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\qwE64.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ryG74.sys]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

Next you will need to create the repair registry fix. To do that, copy and paste ALL of the above in the quote box into a Notepad file. Ensure there is no space above the REGEDIT4.
Then in Notepad go to FILE > SAVE AS and in the dropdown box set SAVE AS TYPE to ALL FILES.
Then in the FILE NAME box type fix.reg

Make sure the box at the top is set to Desktop

This will create a fix.reg file on your desktop
http://img127.imageshack.us/img127/433/regtg8.jpg

To use this file you will need to right click the icon and select merge, accept the warning if it appears and you are done.

Please download
OTMoveIt2 by OldTimer.

Save it to your desktop.

Please double-click OTMoveIt2.exe to run it.

Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

C:\WINDOWS\system32\qoMcbbYR
C:\WINDOWS\system32\RYbbcMoq.ini2

Return to OTMoveIt2, right click in the “Paste List of Files/Folders to be Moved” window (under the yellow bar) and choose Paste.

Click the red Moveit! button.

Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.

Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

NOTE: If OTMoveIt2 reboots before you can get the results, they can be found here:
C:\_OTMoveIt\MovedFiles\<date_time>.log
(where "<date_time>" is the date and time stamp of the run)

Please post the OTMOVEIT2 results and a new DSS log.

Click the start button, click run.
Copy and paste these lines into the run box that appears, one at a time, hitting enter after each line.

sc stop dkR31
sc delete dkR31
sc stop dlS63
sc delete dlS63
sc stop ipW54
sc delete ipW54
sc stop jqW63
sc delete jqW63
sc stop mtB17
sc delete mtB17
sc stop muC41
sc delete muC41
sc stop qwE64
sc delete qwE64
sc stop ryG74
sc delete ryG74

Thanks

PS: DSS looks at different registry keys and files created in the last 30 days. It's actually a multi-scan tool.
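A defender-side check that applies the helper's reading of the DSS log above, written as an added example that is not from the thread, DSS or any tool named here: it parses a Registry Dump excerpt, flags anything in Lsa\Authentication Packages beyond the stock msv1_0, pairs that entry with a hidden file whose base name is its reverse (qoMcbbYR / RYbbcMoq.ini2), lists SafeBoot\Minimal entries matching the random naming seen in this thread, decodes the hex(7) value in the REGISTRY FIX to confirm what it restores, and generates the sc stop/delete pairs so no service name is mistyped. The embedded log excerpts are constructed from lines quoted in the thread, and the random-name regex is an assumption drawn only from the names posted here.

```python
import re

# Constructed excerpt of the DSS "Registry Dump" section quoted in this thread
# (vga.sys added as a legitimate SafeBoot entry that must not be flagged).
DSS_DUMP = """\
[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\lsa]
"Authentication Packages"= msv1_0 C:\\WINDOWS\\system32\\qoMcbbYR

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\dkR31.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\jqW63.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\vga.sys]
@="Driver"
"""

# Constructed excerpt of the DSS "Files created" section (date time size attrs path).
DSS_FILES = """\
2008-05-19 12:52:42 1577 --ahs---- C:\\WINDOWS\\system32\\RYbbcMoq.ini2
2008-05-19 00:23:46 160256 --a------ C:\\WINDOWS\\system32\\blackster.scr
"""

# The hex(7) value from the thread's REGISTRY FIX (REG_MULTI_SZ, ANSI).
FIX_VALUE = "6d,73,76,31,5f,30,00,00"

KEY_RE = re.compile(r"^\[-?(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')
# Assumption: the two-lowercase / one-uppercase / two-digit shape of the
# driver names posted in this thread (dkR31, jqW63, ...). Not a general rule.
RANDOM_SVC_RE = re.compile(r"^[a-z]{2}[A-Z]\d{2}\.sys$")
EXPECTED_AUTH_PKGS = {"msv1_0"}


def parse_dump(text):
    """Return {key_path: {value_name: value_string}} for a DSS registry dump."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        if not line or current is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            keys[current][m.group(1)] = m.group(2).strip()
        elif line.startswith("@="):
            keys[current]["@"] = line[2:].strip('"')
    return keys


def rogue_auth_packages(keys):
    """Entries in Lsa\\Authentication Packages other than the stock msv1_0."""
    for path, values in keys.items():
        if path.lower().endswith("\\control\\lsa"):
            pkgs = values.get("Authentication Packages", "").split()
            return [p for p in pkgs if p.lower() not in EXPECTED_AUTH_PKGS]
    return []


def suspicious_safeboot_entries(keys):
    """SafeBoot\\Minimal entries whose names fit the random pattern; returns service names."""
    hits = []
    for path in keys:
        head, _, leaf = path.rpartition("\\")
        if head.lower().endswith("\\safeboot\\minimal") and RANDOM_SVC_RE.match(leaf):
            hits.append(leaf[:-4])  # "dkR31.sys" -> "dkR31", the name "sc delete" wants
    return hits


def reversed_name_pairs(pkg_paths, files_text):
    """Pair each rogue package with a hidden file whose base name is its reverse."""
    hidden = []
    for line in files_text.splitlines():
        parts = line.split(None, 4)
        if len(parts) == 5 and "h" in parts[3]:  # attribute field carries 'h' (hidden)
            hidden.append(parts[4])
    pairs = []
    for pkg in pkg_paths:
        base = pkg.rpartition("\\")[2]
        for f in hidden:
            if f.rpartition("\\")[2].split(".")[0] == base[::-1]:
                pairs.append((pkg, f))
    return pairs


def decode_reg_multi_sz(hex7):
    """Decode a REGEDIT4 hex(7) value into its list of strings."""
    raw = bytes(int(b, 16) for b in hex7.split(",") if b.strip())
    return [s.decode("ascii") for s in raw.split(b"\x00") if s]


def sc_commands(service_names):
    """The stop/delete pairs the helper typed by hand, generated from the flagged names."""
    return [f"sc {verb} {n}" for n in service_names for verb in ("stop", "delete")]


def triage(dump_text=DSS_DUMP, files_text=DSS_FILES):
    keys = parse_dump(dump_text)
    rogue = rogue_auth_packages(keys)
    svcs = suspicious_safeboot_entries(keys)
    return {
        "rogue_auth_packages": rogue,
        "reversed_pairs": reversed_name_pairs(rogue, files_text),
        "safeboot_services": svcs,
        "sc_commands": sc_commands(svcs),
        "fix_restores": decode_reg_multi_sz(FIX_VALUE),
    }


if __name__ == "__main__":
    for name, result in triage().items():
        print(name, result)
```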

Sorry for not responding right away, which is bad behavior considering the help you're providing me. I've been very busy at work…
So, just to tell you I got your instructions, and will follow them as soon as possible. :)

OK. Hope you’re still there…
Here are the results of OTMoveit.

File/Folder C:\WINDOWS\system32\qoMcbbYR not found.
C:\WINDOWS\system32\RYbbcMoq.ini2 moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 05272008_131144

Here’s the DSS log

Deckard’s System Scanner v20071014.68
Run by Stephany Paper on 2008-05-27 13:18:50
Computer is in Normal Mode.

Total Physical Memory: 511 MiB (512 MiB recommended).

-- HijackThis (run as Stephany Paper.exe) -----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:19:03, on 2008-05-27
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Fichiers communs\InstallShield\UpdateService\issch.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Pando Networks\Pando\Pando.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Fichiers communs\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Secunia\PSI (RC2)\psi.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Steve Paper\Bureau\Tueurs de crapules\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\STEVEP~1.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cf.mg40.mail.yahoo.com/dc/launch?action=welcome&YY=2070394509&.rand=cehg9k68tfgsr
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Pando Search Assistant BHO - {06663B51-0D73-4f9f-BCC5-4AA941470AFD} - C:\Program Files\PandoBar\SrchAstt\1.bin\P4SRCHAS.DLL
O2 - BHO: Aide pour le lien d’Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: CInterceptor Object - {38D3FE60-3D53-4F37-BB0E-C7A97A26A156} - C:\Program Files\Pando Networks\Pando\PandoIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Pando Toolbar BHO - {E3EA4FD1-CADE-4ae5-84F7-086EEE888BE4} - C:\Program Files\PandoBar\bar\1.bin\PANDOBAR.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Pando Toolbar - {E3EA4FD9-CADE-4ae5-84F7-086EEE888BE4} - C:\Program Files\PandoBar\bar\1.bin\PANDOBAR.DLL
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKCU\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKCU\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKCU\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: Secunia PSI (RC2).lnk = C:\Program Files\Secunia\PSI (RC2)\psi.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1188412243718
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Fichiers communs\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Service de l’iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Fichiers communs\LightScribe\LSSrvc.exe


End of file - 10169 bytes

-- Files created between 2008-04-27 and 2008-05-27 -----------------------------

2008-05-24 12:22:15 0 d-------- C:\WINDOWS\LastGood
2008-05-24 12:22:12 0 d-------- C:\Program Files\Secunia
2008-05-24 04:15:14 0 d-------- C:\Program Files\IObit
2008-05-24 03:44:44 0 d-------- C:\Program Files\Trend Micro
2008-05-23 20:58:03 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-23 20:56:48 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-05-23 20:56:47 0 d-------- C:\Documents and Settings\Steve Paper\Application Data\SUPERAntiSpyware.com
2008-05-19 00:23:46 160256 --a------ C:\WINDOWS\system32\blackster.scr <Not Verified; Peter’s Productions; Bugs!>

-- Find3M Report ---------------------------------------------------------------

2008-05-24 18:01:34 0 d-------- C:\Documents and Settings\Steve Paper\Application Data\uTorrent
2008-05-24 13:36:16 0 d-------- C:\Program Files\Java
2008-05-24 13:32:48 0 d-------- C:\Program Files\Uniblue
2008-05-24 13:32:26 0 d-------- C:\Program Files\Fichiers communs\Wise Installation Wizard
2008-05-24 12:52:42 0 d-------- C:\Program Files\QuickTime
2008-05-24 04:26:55 0 d-------- C:\Documents and Settings\Steve Paper\Application Data\Uniblue
2008-05-22 10:34:25 0 d-------- C:\Program Files\Fichiers communs
2008-05-21 21:02:19 0 d-------- C:\Program Files\uTorrent
2008-05-20 17:20:27 0 d-------- C:\Program Files\PCPitstop
2008-04-18 21:33:02 0 d-------- C:\Documents and Settings\Steve Paper\Application Data\dvdcss
2008-04-10 12:58:30 448340 --a------ C:\WINDOWS\system32\perfh00C.dat
2008-04-10 12:58:30 64894 --a------ C:\WINDOWS\system32\perfc00C.dat

-- Registry Dump ---------------------------------------------------------------

Note empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{E3EA4FD9-CADE-4AE5-84F7-086EEE888BE4}"= C:\Program Files\PandoBar\bar\1.bin\PANDOBAR.DLL [2007-11-27 16:14 266240]

[-HKEY_CLASSES_ROOT\CLSID\{E3EA4FD9-CADE-4AE5-84F7-086EEE888BE4}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 02:11]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2005-02-17 14:01]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-15 19:19]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe"
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 08:11]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-13 12:43]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 16:24]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-04-11 18:21]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 08:12]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-22 21:05]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-15 19:19]

C:\Documents and Settings\Steve Paper\Mes documents\Menu Démarrer\Programmes\Démarrage
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [2005-10-20 12:04:08]
Secunia PSI (RC2).lnk - C:\Program Files\Secunia\PSI (RC2)\psi.exe [2008-05-21 10:36:18]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)
"NoResolveSearch"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"LSBWatcher"=c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc

Newly Created Service - PSI

-- End of Deckard's System Scanner: finished at 2008-05-27 13:19:30 ------------

And then I executed all the run commands you posted.

Is everything all right?

Hi, no problem. Yes, everything looks fine. This infection had hooked itself into your safe mode boot sequence. That's what all the "sc" commands were about. DSS showed the drivers as disabled, but for cleaning purposes they were removed. In hindsight, I should have used a batch file. It would have been easier for you.

We'll do some general clean up and remove the tools I had you download.

  • Open OTMOVEIT2 then click the Clean Up button. You may get prompted by your firewall that OTMoveIt wants to contact the internet - allow this. A cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will delete all the tools you have downloaded plus itself.

  • Create a new restore point

You must be logged on to an administrator account
Go to Start - All Programs - Accessories - System Tools - System Restore.
Click Create a restore point, and then click Next.
In the text box labeled Restore Point Description, type a name for this restore point, then click Create.

  • Remove old restore points
  • Go to Start - All Programs - Accessories - system tools. Launch the Disk Cleanup tool and let it run. When it finishes a box with tabs will appear, select the more options tab. On this tab you will find a section for System Restore. If you press the Clean Up button for that section, Windows will delete all restore points except for the most recent one.

Scroll down to “Java Runtime Environment (JRE) 6 Update 6…allows end-users to run Java applications”.
Click the download button on the right.

If the Information Bar pops up, right-click on it and say it's OK to display the blocked content.

Select the platform (Windows, in your case), multi-language.
Accept the license agreement, click continue.

You do not have to install the Java Web Start ActiveX Control

Scroll down and click on Windows Offline Installation,
Save the file jre-6u6-windows-i586-p.exe to your desktop;
Do not select Run . Do not install it yet.

When the download is complete, close your browser.

Open Control Panel > Add/Remove Programs:

Uninstall the old versions of Sun Java, Java JRE, or similar.
Do not uninstall Java TM 6 Update 6 if found!

Close Add/Remove Programs.

In Windows Explorer, navigate to C:\Program Files\Java <= this folder, if found.
Delete any subfolders it may contain.

Do NOT delete jre1.6.0_06 if found!
Do NOT delete C:\Program Files\JavaVM <= this folder, if found!

Reboot your computer.

Double-click on the saved file to install the update.
Delete the downloaded installation file after completing the above procedure and reboot if not prompted to do so.

  • This will clean out some nooks and crannies where malware likes to hide.

Please download ATF Cleaner by Atribune.

This program is for XP and Windows 2000 only

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Please note: your computer may boot a little slower the first couple of times after you use ATF.

  • You should have a resident (real time) scanning antispyware program.
    Here’s a couple to consider.
    Winpatrol
    Windows Defender

    • If you are using windows firewall, please note that it doesn’t provide outbound protection. A third party firewall will.

A discussion on free firewalls can be found here.

http://forum.avast.com/index.php?topic=30808.0

or

http://forum.avast.com/index.php?topic=33530.0

Take care and keep safe.

Alright. Everything’s done.
Sorry for the delays. Been very busy last couple of days.
Thanks so much for helping me.
And I've learned a few things.
Hope I'll be able to help myself a little more in the future…
Thanks again.
You’re awesome.

You’re welcome. 8)