imageshare.cogia.net

Viruses and worms
1

Hello,

Yesterday i chat on messenger, and a friend send me a spyware: imageshare.cogia.net

I gave it to all my other contacts through messenger, of course.

I did not find any info on the internet, except messages in russian or in griek… the only thing I understood from these messages is “avast” and “testicle breaker”, because these words were in our letters…

I run avast thoroughly and got for the first time : win32:bancos.AUK and VBS:malware.gen.
The files were put in quarantine.

About messenger, I desinstal it and install it again.

My friends still got the first message (spyware) from my messenger. I don’t.

Should I do something else?

Thanks a lot.

Marie-Thérèse

2

Hi marie-therese lets have a look to make sure it is gone

Download & Run HijackThis.exe

[*]Download HJTInstall.exe to your Desktop.
[*]Doubleclick HJTInstall.exe to install it.
[*]By default it will install to C:\Program Files\Trend Micro\HijackThis .
[*]Click on Install.
[*]It will create a HijackThis icon on the desktop.
[*]Once installed, it will launch Hijackthis.
[*]Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
[*]Copy/Paste the log to your next reply please.

Don’t use the Analyse This button, its findings are dangerous if misinterpreted.
Don’t have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

3

thanks, here it comes:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:09:17, on 17/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\EXPLORER.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fichiers communs\LightScribe\LSSrvc.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\MSN Messenger\msn.com
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Adobe\Photoshop Album Edition Découverte\3.2\Apps\apdproxy.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\gtsrp\gtsrp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Menara\dslmon.exe
C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe
C:\Program Files\Microsoft Encarta\Encarta World English Dictionary 2001\QSHLFED.EXE
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Octoshape Streaming Services\User\OctoshapeClient.exe
C:\Program Files\Windows Live\installer\WLSetupSvc.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Fichiers communs\Microsoft Shared\Source Engine\OSE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/nwshp?tab=mn
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
F2 - REG:system.ini: Shell=EXPLORER.EXE \854144.exe
O2 - BHO: Aide pour le lien d’Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: EoRezoBHO - {64F56FC1-1272-44CD-BA6E-39723696E350} - C:\Program Files\EoRezo\EoAdv\EoRezoBHO.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Programme d’aide de l’Assistant de connexion Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: My FB Toolbar - {A057A204-BACC-4D26-8988-34A187E2698B} - C:\PROGRA~1\MYFBTO~1\MYFBTO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: My FB Toolbar - {A057A204-BACC-4D26-8988-34A187E2698B} - C:\PROGRA~1\MYFBTO~1\MYFBTO~1.DLL
O4 - HKLM..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe”
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM..\Run: [QPService] “C:\Program Files\HP\QuickPlay\QPService.exe”
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [ZoneAlarm Client] “C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe”
O4 - HKLM..\Run: [Adobe Photo Downloader] “C:\Program Files\Adobe\Photoshop Album Edition Découverte\3.2\Apps\apdproxy.exe”
O4 - HKLM..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM..\Run: [gtsrp] C:\Program Files\gtsrp\gtsrp.exe
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\QTTask.exe” -atboottime
O4 - HKLM..\Run: [iTunesHelper] “C:\Program Files\iTunes\iTunesHelper.exe”
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] “C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe”
O4 - HKLM..\Run: [MSN Messenger] msn.com
O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU..\Run: [MsnMsgr] “C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe” /background
O4 - HKCU..\Run: [googletalk] “C:\Program Files\Google\Google Talk\googletalk.exe” /autostart
O4 - HKCU..\Run: [Octoshape Streaming Services] “C:\Program Files\Octoshape Streaming Services\User\OctoshapeClient.exe” -inv:bootrun
O4 - HKCU..\Run: [Skype] “C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized
O4 - HKCU..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘SERVICE LOCAL’)
O4 - HKUS\S-1-5-20..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘SERVICE RÉSEAU’)
O4 - HKUS\S-1-5-18..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘Default user’)
O4 - Startup: Outil de détection de support de Cyber-shot Viewer.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\Menara\dslmon.exe
O4 - Global Startup: Démarrage rapide de HP Photosmart Premier.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: LUMIX Simple Viewer.lnk = ?
O4 - Global Startup: Quick Shelf.lnk = ?

4

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Fichiers communs\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra ‘Tools’ menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Fichiers communs\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Fichiers communs\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra ‘Tools’ menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Fichiers communs\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=FR_BE&c=64&bd=pavilion&pf=laptop
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20070501/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://paris.ville.orange.fr/CO/activex/AxisCamControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} (CTAdjust Class) - http://www.musica.gulbenkian.pt/template/fonts/clearadj.cab
O17 - HKLM\System\CCS\Services\Tcpip..{A6E0B510-AF89-41AB-9548-37E138BEFDBC}: NameServer = 212.217.0.13 212.217.1.17
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\SKYPE4~1.DLL
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Service de l’iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Fichiers communs\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


End of file - 13578 bytes

5

Hi again - a few bits to remove there

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below. [b]

F2 - REG:system.ini: Shell=EXPLORER.EXE \854144.exe
O4 - HKLM..\Run: [gtsrp] C:\Program Files\gtsrp\gtsrp.exe
O4 - HKLM..\Run: [MSN Messenger] msn.com

[/b]Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

THEN

Download ComboFix from Here or Here to your Desktop.

[*]Double click combofix.exe and follow the prompts.
[*]When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix’s window while its running. That may cause it to stall

6

my god! this computer is getting me mad! lolol! I had so many things to do and I am fighting with this virus… well, I did what you said, but I had trouble at the end… I had to restart the computer and the internet several times before I could be on this forum.

Here the combofix log:
ComboFix 08-02-17.2 - User 2008-02-17 16:57:49.1 - NTFSx86
Microsoft Windows XP Professionnel 5.1.2600.2.1252.1.1036.18.1361 [GMT 0:00]
Endroit: C:\Documents and Settings\User\Bureau\ComboFix(2).exe

  • Création d’un nouveau point de restauration

AVERTISSEMENT - LA CONSOLE DE RÉCUPÉRATION N’EST PAS INSTALLÉE SUR CETTE MACHINE !!
.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\056226.exe
C:\067170.exe
C:\162543.exe
C:\166321.exe
C:\213540.exe
C:\300688.exe
C:\386327.exe
C:\414673.exe
C:\425111.exe
C:\531675.exe
C:\567016.exe
C:\578680.exe
C:\588478.exe
C:\653745.exe
C:\656431.exe
C:\680768.exe
C:\707704.exe
C:\740876.exe
C:\776858.exe
C:\823583.exe
C:\854144.exe
C:\Autorun.inf
C:\Documents and Settings\User\Mes documents\Divers - Pen Drive\Personnels\Desktop_.ini
C:\Documents and Settings\User\Mes documents\Divers - Pen Drive\Personnels\Plan interactif de Rabat en 2006_fichiers\Desktop_.ini
C:\Documents and Settings\User\Mes documents\HIVSIDA\Maroc\Documents intéressants\Desktop_.ini
C:\Documents and Settings\User\Mes documents\HIVSIDA\Maroc\Gender\Desktop_.ini
C:\Documents and Settings\User\Mes documents\HIVSIDA\Maroc\guide psychosocial\Desktop_.ini
C:\Documents and Settings\User\Mes documents\HIVSIDA\Maroc\Migrants\Desktop_.ini
C:\Documents and Settings\User\Mes documents\HIVSIDA\Maroc\Personnels\Desktop_.ini
C:\Documents and Settings\User\Mes documents\HIVSIDA\Maroc\Personnels\Plan interactif de Rabat en 2006_fichiers\Desktop_.ini
C:\Documents and Settings\User\Mes documents\HIVSIDA\Maroc\SIDA\Desktop_.ini
C:\Documents and Settings\User\Mes documents\HIVSIDA\Maroc\SIDA\Gender\Desktop_.ini
C:\Documents and Settings\User\Mes documents\HIVSIDA\Maroc\SIDA\guide psychosocial\Desktop_.ini
C:\Documents and Settings\User\Mes documents\HIVSIDA\Maroc\SIDA\HARPAS\Desktop_.ini
C:\Documents and Settings\User\Mes documents\HIVSIDA\Maroc\SIDA\HARPAS\Droits des Femmes\Desktop_.ini
C:\Documents and Settings\User\Mes documents\HIVSIDA\Maroc\SIDA\HARPAS\Human rights\Desktop_.ini
C:\Documents and Settings\User\Mes documents\HIVSIDA\Maroc\SIDA\HARPAS\Secteur privé\Desktop_.ini
C:\Documents and Settings\User\Mes documents\HIVSIDA\Maroc\SIDA\HARPAS\TRIPS\Desktop_.ini
C:\Documents and Settings\User\Mes documents\HIVSIDA\Maroc\SIDA\Mainstreaming\Desktop_.ini
C:\Documents and Settings\User\Mes documents\HIVSIDA\Maroc\SIDA\Mainstreaming\Documents Raphaelle\Desktop_.ini
C:\Documents and Settings\User\Mes documents\HIVSIDA\Maroc\SIDA\Mainstreaming\Gouvernement Local\Desktop_.ini
C:\Documents and Settings\User\Mes documents\HIVSIDA\Maroc\SIDA\Mainstreaming\Gouvernement Local\toolkittocfr_fichiers\Desktop_.ini
C:\Documents and Settings\User\Mes documents\HIVSIDA\Maroc\SIDA\Migrants\Desktop_.ini
C:\Documents and Settings\User\Mes documents\HIVSIDA\Maroc\SIDA\ONGs\Desktop_.ini
C:\Documents and Settings\User\Mes documents\HIVSIDA\Maroc\SIDA\Prison\Desktop_.ini
C:\Documents and Settings\User\Mes documents\Travail\Maroc\Documents intéressants\Desktop_.ini
C:\Documents and Settings\User\Mes documents\Travail\Maroc\Gender\Desktop_.ini
C:\Documents and Settings\User\Mes documents\Travail\Maroc\Migrants\Desktop_.ini
C:\Documents and Settings\User\Mes documents\Travail\Maroc\PNUD MAROC\Desktop_.ini
C:\Documents and Settings\User\Mes documents\Travail\Maroc\RBAS\Desktop_.ini
C:\Documents and Settings\User\Mes documents\Travail\Maroc\santé maternelle\Desktop_.ini
C:\Documents and Settings\User\Mes documents\Travail\Maroc\SIDA\5TH HIV FP MEETING POPOINTS & INFO\Desktop_.ini
C:\Documents and Settings\User\Mes documents\Travail\Maroc\SIDA\Appui au PNLS\Desktop_.ini
C:\Documents and Settings\User\Mes documents\Travail\Maroc\SIDA\Cours Interne NNUU\Desktop_.ini
C:\Documents and Settings\User\Mes documents\Travail\Maroc\SIDA\Desktop_.ini
C:\Documents and Settings\User\Mes documents\Travail\Maroc\SIDA\Documents intéressants\Desktop_.ini
C:\Documents and Settings\User\Mes documents\Travail\Maroc\SIDA\Gender\Desktop_.ini
C:\Documents and Settings\User\Mes documents\Travail\Maroc\SIDA\guide psychosocial\Desktop_.ini
C:\Documents and Settings\User\Mes documents\Travail\Maroc\SIDA\HARPAS\Desktop_.ini
C:\Documents and Settings\User\Mes documents\Travail\Maroc\SIDA\HARPAS\Droits des Femmes\Desktop_.ini
C:\Documents and Settings\User\Mes documents\Travail\Maroc\SIDA\HARPAS\Human rights\Desktop_.ini
C:\Documents and Settings\User\Mes documents\Travail\Maroc\SIDA\HARPAS\Secteur privé\Desktop_.ini
C:\Documents and Settings\User\Mes documents\Travail\Maroc\SIDA\HARPAS\TRIPS\Desktop_.ini
C:\Documents and Settings\User\Mes documents\Travail\Maroc\SIDA\Mainstreaming\Desktop_.ini
C:\Documents and Settings\User\Mes documents\Travail\Maroc\SIDA\Mainstreaming\Documents Raphaelle\Desktop_.ini
C:\Documents and Settings\User\Mes documents\Travail\Maroc\SIDA\Mainstreaming\Gouvernement Local\Desktop_.ini
C:\Documents and Settings\User\Mes documents\Travail\Maroc\SIDA\Mainstreaming\Gouvernement Local\toolkittocfr_fichiers\Desktop_.ini
C:\Documents and Settings\User\Mes documents\Travail\Maroc\SIDA\Migrants\Desktop_.ini
C:\Documents and Settings\User\Mes documents\Travail\Maroc\SIDA\ONGs\Desktop_.ini
C:\Documents and Settings\User\Mes documents\Travail\Maroc\SIDA\Prison\Desktop_.ini
C:\Documents and Settings\User\Mes documents\Travail\Maroc\Société Civile\Desktop_.ini
D:\Autorun.inf

.
((((((((((((((((((((((((((((( Fichiers créés 2008-01-17 to 2008-02-17 ))))))))))))))))))))))))))))))))))))
.

2008-02-17 15:08 . 2008-02-17 15:08 d-------- C:\Program Files\Trend Micro
2008-02-17 12:22 . 2008-02-17 12:22 d-------- C:\WINDOWS\LastGood
2008-02-17 12:10 . 2008-02-17 12:22 d-------- C:\Program Files\Windows Live
2008-02-17 12:10 . 2008-02-17 12:22 d–hsc— C:\Program Files\Fichiers communs\WindowsLiveInstaller
2008-02-17 12:09 . 2008-02-17 12:09 d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-02-16 21:20 . 2008-02-17 06:43 32 --a------ C:\WINDOWS\system32\0.bat
2008-02-16 21:19 . 2008-02-17 12:07 32 --a------ C:\WINDOWS\system32\2.bat
2008-02-16 21:19 . 2008-02-17 11:30 32 --a------ C:\WINDOWS\system32\1.bat
2008-02-13 20:04 . 2008-02-13 20:04 197 --a------ C:\WINDOWS\system32\MRT.INI
2008-01-19 12:50 . 2008-02-17 12:08 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-19 12:50 . 2008-01-19 12:50 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-19 12:49 . 2008-01-19 12:49 d-------- C:\Program Files\iTunes
2008-01-19 12:49 . 2008-01-19 12:49 d-------- C:\Program Files\iPod
2008-01-19 12:47 . 2008-01-19 12:48 d-------- C:\Program Files\QuickTime

7

(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-17 16:53 --------- d-----w C:\Program Files\Mozilla Firefox
2008-02-17 16:44 --------- d-----w C:\Documents and Settings\User\Application Data\myfbtoolbar
2008-02-17 12:23 --------- d-----w C:\Program Files\Fichiers communs\Microsoft Shared
2008-02-17 12:10 --------- d-----w C:\Program Files\Fichiers communs
2008-02-17 12:09 --------- d-----w C:\Documents and Settings\User\Application Data\Skype
2008-02-17 12:06 2,145,386,496 --sha-w C:\pagefile.sys
2008-02-17 11:59 --------- d-----w C:\Program Files\MSN Messenger
2008-02-15 18:13 --------- d-----w C:\Program Files\Weight Watchers FlexiPoints
2008-02-14 06:11 --------- d-----w C:\Program Files\gtsrp
2008-02-13 20:35 --------- d-----w C:\Program Files\Internet Explorer
2008-02-06 12:27 --------- d-----w C:\Program Files\Fichiers communs\Adobe
2008-02-06 12:27 --------- d-----w C:\Program Files\Adobe
2008-02-04 23:09 18,214,008 ----a-w C:\WINDOWS\system32\MRT.exe
2008-01-13 13:08 --------- d-----w C:\Program Files\WinSnap
2008-01-12 15:07 --------- d-----w C:\Documents and Settings\User\Application Data\Talkback
2008-01-11 21:36 42,777 ----a-w C:\WINDOWS\system32\imagens111.exe
2008-01-11 20:05 22,528 ----a-w C:\WINDOWS\system32\Partizan.exe
2008-01-11 05:36 44,544 ----a-w C:\WINDOWS\system32\pngfilt.dll
2008-01-11 05:36 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
2008-01-06 10:41 8,158,547 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-01-05 08:53 --------- d-----w C:\Program Files\LaLibre NewsBar
2008-01-05 08:46 --------- d–h–w C:\Program Files\InstallShield Installation Information
2008-01-01 10:01 20,286 ----a-w C:\WINDOWS\pchealth\helpctr\PackageStore\SkuStore.bin
2008-01-01 08:53 --------- d-----w C:\Program Files\Zero G Registry
2007-12-22 15:21 --------- d-----w C:\Program Files\WordUninstaller
2007-12-22 15:20 --------- d-----w C:\Program Files\ScenicReflections
2007-12-19 22:53 347,136 ----a-w C:\WINDOWS\system32\dxtmsft.dll
2007-12-19 22:53 347,136 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-12-19 05:27 --------- d-----w C:\Program Files\myfbtoolbar
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
2007-12-18 09:51 179,584 ------w C:\WINDOWS\system32\dllcache\mrxdav.sys
2007-12-18 07:18 --------- d-----w C:\Program Files\RadioXpi
2007-12-17 20:42 --------- d-----w C:\Documents and Settings\User\Application Data\NASA
2007-12-08 10:38 3,592,192 ----a-w C:\WINDOWS\system32\mshtml.dll
2007-12-08 10:38 3,592,192 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-12-06 11:03 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-12-06 11:02 70,656 ----a-w C:\WINDOWS\system32\ie4uinit.exe
2007-12-06 11:02 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-12-06 11:00 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe
2007-12-06 11:00 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-12-06 04:59 161,792 ----a-w C:\WINDOWS\system32\ieakui.dll
2007-12-06 04:59 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-12-04 18:41 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-12-04 18:41 550,912 ------w C:\WINDOWS\system32\dllcache\oleaut32.dll
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-11-25 23:43 245,408 ----a-w C:\WINDOWS\system32\unicows.dll
2007-11-24 22:25 185,944 ----a-w C:\WINDOWS\system32\rmoc3260.dll
2007-11-24 22:24 6,656 ----a-w C:\WINDOWS\system32\pndx5016.dll
2007-11-24 22:24 5,632 ----a-w C:\WINDOWS\system32\pndx5032.dll
2007-11-24 22:24 278,528 ----a-w C:\WINDOWS\system32\pncrt.dll
2007-08-08 08:34 468 ----a-w C:\Documents and Settings\User\Application Data\wklnhst.dat
2007-01-30 08:33 251 ----a-w C:\Program Files\wt3d.ini
2005-09-24 06:49 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
.

8

((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
Note les éléments vides & les éléments initiaux légitimes ne sont pas listés

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{A057A204-BACC-4D26-8988-34A187E2698B}]
2007-12-14 21:33 1974512 --a------ C:\PROGRA~1\MYFBTO~1\MYFBTO~1.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}
{2318C2B1-4965-11D4-9B18-009027A5CD4F}
{A057A204-BACC-4D26-8988-34A187E2698B}

[HKEY_CLASSES_ROOT\clsid{a057a204-bacc-4d26-8988-34a187e2698b}]
[HKEY_CLASSES_ROOT\myfbtoolbar.MYFBTOOLBAR]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
“{A057A204-BACC-4D26-8988-34A187E2698B}”= C:\PROGRA~1\MYFBTO~1\MYFBTO~1.DLL [2007-12-14 21:33 1974512]

[HKEY_CLASSES_ROOT\clsid{a057a204-bacc-4d26-8988-34a187e2698b}]
[HKEY_CLASSES_ROOT\myfbtoolbar.MYFBTOOLBAR]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“CTFMON.EXE”=“C:\WINDOWS\system32\ctfmon.exe” [2006-03-25 04:00 15360]
“swg”=“C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe” [2007-06-15 07:04 68856]
“MsnMsgr”=“C:\Program Files\Windows Live\Messenger\MsnMsgr.exe” [2007-10-18 11:34 5724184]
“googletalk”=“C:\Program Files\Google\Google Talk\googletalk.exe” [2007-04-19 05:39 3297280]
“Octoshape Streaming Services”=“C:\Program Files\Octoshape Streaming Services\User\OctoshapeClient.exe” [2006-02-13 16:33 214648]
“Skype”=“C:\Program Files\Skype\Phone\Skype.exe” [2007-09-13 13:31 22880040]
“WMPNSCFG”=“C:\Program Files\Windows Media Player\WMPNSCFG.exe” [2006-11-03 09:59 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“ehTray”=“C:\WINDOWS\ehome\ehtray.exe” [2005-08-05 19:34 64512]
“hpWirelessAssistant”=“C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe” [2006-05-03 20:58 458752]
“SunJavaUpdateSched”=“C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe” [2007-09-25 01:11 132496]
“NvCplDaemon”=“C:\WINDOWS\system32\NvCpl.dll” [2006-08-18 08:00 7585792]
“NvMediaCenter”=“C:\WINDOWS\system32\NvMcTray.dll” [2006-08-18 08:00 86016]
“nwiz”=“nwiz.exe” [2006-08-18 08:00 1617920 C:\WINDOWS\system32\nwiz.exe]
“MsmqIntCert”=“regsvr32 /s mqrt.dll”
“High Definition Audio Property Page Shortcut”=“CHDAudPropShortcut.exe” [2006-07-26 22:44 61952 C:\WINDOWS\system32\CHDAudPropShortcut.exe]
“SynTPEnh”=“C:\Program Files\Synaptics\SynTP\SynTPEnh.exe” [2007-09-15 02:27 1015808]
“QPService”=“C:\Program Files\HP\QuickPlay\QPService.exe” [2006-07-11 19:55 102400]
“HP Software Update”=“C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe” [2005-02-16 21:11 49152]
“QlbCtrl”=“C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe” [2006-06-19 09:33 163840]
“Cpqset”=“C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe” [2006-05-30 14:02 40960]
“RecGuard”=“C:\Windows\SMINST\RecGuard.exe” [2005-10-11 08:23 1187840]
“avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [2007-12-04 13:00 79224]
“ZoneAlarm Client”=“C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe” [2007-03-09 00:02 919280]
“Adobe Photo Downloader”=“C:\Program Files\Adobe\Photoshop Album Edition Découverte\3.2\Apps\apdproxy.exe” [2007-03-16 11:45 63712]
“EoEngine”=“”
“EoSudoku”=“”
“SynTPStart”=“C:\Program Files\Synaptics\SynTP\SynTPStart.exe” [2007-09-15 02:29 102400]
“TkBellExe”=“C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe” [2007-11-24 22:24 185896]
“QuickTime Task”=“C:\Program Files\QuickTime\QTTask.exe” [2008-01-10 15:27 385024]
“iTunesHelper”=“C:\Program Files\iTunes\iTunesHelper.exe” [2008-01-15 03:22 267048]
“Adobe Reader Speed Launcher”=“C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe” [2008-01-11 22:16 39792]

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
“CTFMON.EXE”=“C:\WINDOWS\system32\CTFMON.EXE” [2006-03-25 04:00 15360]
“DWQueuedReporting”=“C:\PROGRA~1\FICHIE~1\MICROS~1\DW\dwtrig20.exe” [2007-03-22 19:29 39264]

C:\Documents and Settings\User\Menu D‚marrer\Programmes\D‚marrage
Outil de d‚tection de support de Cyber-shot Viewer.lnk - C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2006-01-28 17:08:01 155648]

C:\Documents and Settings\All Users\Menu D‚marrer\Programmes\D‚marrage
Adobe Gamma Loader.lnk - C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe [2006-01-28 16:57:29 113664]
DSLMON.lnk - C:\Program Files\Menara\dslmon.exe [2007-04-23 21:23:41 839680]
D‚marrage rapide de HP Photosmart Premier.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-09-24 07:39:30 73728]
LUMIX Simple Viewer.lnk - C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe [2007-10-06 08:21:09 57344]
Quick Shelf.lnk - C:\WINDOWS\Installer{08001201-5D65-445A-B3B4-3DCE72BA0C6C}\ENCICONS.EXE [2007-01-30 09:28:13 11264]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
“InstallVisualStyle”= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
“InstallTheme”= C:\WINDOWS\Resources\Themes\Royale.theme

R3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;C:\WINDOWS\system32\Drivers\5U870CAP.sys [2006-06-06 20:39]
R3 e4usbaw;USB ADSL2 WAN Adapter;C:\WINDOWS\system32\DRIVERS\e4usbaw.sys [2006-05-04 17:20]
R3 nvsmu;nvsmu;C:\WINDOWS\system32\DRIVERS\nvsmu.sys [2006-03-05 23:49]
S2 IKANLOADER2;General Purpose USB Driver (e4ldr.sys);C:\WINDOWS\system32\Drivers\e4ldr.sys [2006-03-02 17:55]

Newly Created Service - USNJSVC
Newly Created Service - WLSETUPSVC
.
Contenu du dossier ‘Scheduled Tasks/Tâches planifiées’
“2008-02-16 11:53:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job”

  • C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    “2008-02-17 16:40:02 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job”
  • C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
    “2008-02-17 16:13:19 C:\WINDOWS\Tasks\User_Feed_Synchronization-{80BB2F36-6F5B-4A4B-ACD0-E54ACD0C284C}.job”
  • C:\WINDOWS\system32\msfeedssync.exe
    .

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-17 16:59:22
Windows 5.1.2600 Service Pack 2 NTFS

Balayage processus cachés …

Balayage caché autostart entries …

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe???<?@? ???W???Y?@???<?@

Balayage des fichiers cachés …

Scan terminé avec succès
Les fichiers cachés: 0

9

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:28, on 2008-02-17
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fichiers communs\LightScribe\LSSrvc.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Adobe\Photoshop Album Edition Découverte\3.2\Apps\apdproxy.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Menara\dslmon.exe
C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe
C:\Program Files\Microsoft Encarta\Encarta World English Dictionary 2001\QSHLFED.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Octoshape Streaming Services\User\OctoshapeClient.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

10

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/nwshp?tab=mn
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Aide pour le lien d’Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: EoRezoBHO - {64F56FC1-1272-44CD-BA6E-39723696E350} - C:\Program Files\EoRezo\EoAdv\EoRezoBHO.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Programme d’aide de l’Assistant de connexion Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: My FB Toolbar - {A057A204-BACC-4D26-8988-34A187E2698B} - C:\PROGRA~1\MYFBTO~1\MYFBTO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: My FB Toolbar - {A057A204-BACC-4D26-8988-34A187E2698B} - C:\PROGRA~1\MYFBTO~1\MYFBTO~1.DLL
O4 - HKLM..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe”
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM..\Run: [QPService] “C:\Program Files\HP\QuickPlay\QPService.exe”
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [ZoneAlarm Client] “C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe”
O4 - HKLM..\Run: [Adobe Photo Downloader] “C:\Program Files\Adobe\Photoshop Album Edition Découverte\3.2\Apps\apdproxy.exe”
O4 - HKLM..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\QTTask.exe” -atboottime
O4 - HKLM..\Run: [iTunesHelper] “C:\Program Files\iTunes\iTunesHelper.exe”
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] “C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe”
O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU..\Run: [MsnMsgr] “C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe” /background
O4 - HKCU..\Run: [googletalk] “C:\Program Files\Google\Google Talk\googletalk.exe” /autostart
O4 - HKCU..\Run: [Octoshape Streaming Services] “C:\Program Files\Octoshape Streaming Services\User\OctoshapeClient.exe” -inv:bootrun
O4 - HKCU..\Run: [Skype] “C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized
O4 - HKCU..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘SERVICE LOCAL’)
O4 - HKUS\S-1-5-20..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘SERVICE RÉSEAU’)
O4 - HKUS\S-1-5-18..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘Default user’)
O4 - Startup: Outil de détection de support de Cyber-shot Viewer.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\Menara\dslmon.exe
O4 - Global Startup: Démarrage rapide de HP Photosmart Premier.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: LUMIX Simple Viewer.lnk = ?
O4 - Global Startup: Quick Shelf.lnk = ?

11

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Fichiers communs\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra ‘Tools’ menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Fichiers communs\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Fichiers communs\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra ‘Tools’ menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Fichiers communs\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=FR_BE&c=64&bd=pavilion&pf=laptop
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20070501/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://paris.ville.orange.fr/CO/activex/AxisCamControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} (CTAdjust Class) - http://www.musica.gulbenkian.pt/template/fonts/clearadj.cab
O17 - HKLM\System\CCS\Services\Tcpip..{A6E0B510-AF89-41AB-9548-37E138BEFDBC}: NameServer = 212.217.0.13 212.217.1.17
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\SKYPE4~1.DLL
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Service de l’iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Fichiers communs\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


End of file - 13037 bytes

12

BY THE WAY, WHEN TRYING TO RESTART THE COMPUTER I SAW THIS IMAGESHARE STUFF WAS STILL RUNNING…

Please thanks for more help…

13

Sorry my fault I forgot to say that combofix will disconnect you from the net and you may need to reboot to get the connection back :cry:

  1. Please open Notepad
    [*] Click Start , then Run[*]Type notepad .exe in the Run Box.

  2. Now copy/paste the entire content of the codebox below into the Notepad window:


File::
C:\WINDOWS\system32\0.bat
C:\WINDOWS\system32\2.bat
C:\WINDOWS\system32\1.bat

  1. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

  2. Save the above as CFScript.txt

  3. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif

  1. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    [*]Combofix.txt [*]A new HijackThis log.
14

ComboFix 08-02-17.2 - User 2008-02-17 18:01:24.2 - NTFSx86
Microsoft Windows XP Professionnel 5.1.2600.2.1252.1.1036.18.1378 [GMT 0:00]
Endroit: C:\Documents and Settings\User\Bureau\ComboFix(2).exe
Command switches used :: C:\Documents and Settings\User\Mes documents\Emails\Envoyés\CFScript.txt

  • Création d’un nouveau point de restauration

AVERTISSEMENT - LA CONSOLE DE RÉCUPÉRATION N’EST PAS INSTALLÉE SUR CETTE MACHINE !!

FILE ::
C:\WINDOWS\system32\0.bat
C:\WINDOWS\system32\1.bat
C:\WINDOWS\system32\2.bat
.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\0.bat
C:\WINDOWS\system32\1.bat
C:\WINDOWS\system32\2.bat
.
---- Previous Run -------
.
C:\056226.exe
C:\067170.exe
C:\162543.exe
C:\166321.exe
C:\213540.exe
C:\300688.exe
C:\386327.exe
C:\414673.exe
C:\425111.exe
C:\531675.exe
C:\567016.exe
C:\578680.exe
C:\588478.exe
C:\653745.exe
C:\656431.exe
C:\680768.exe
C:\707704.exe
C:\740876.exe
C:\776858.exe
C:\823583.exe
C:\854144.exe
C:\Autorun.inf
C:\Documents and Settings\User\Mes documents\Divers - Pen Drive\Personnels\Desktop_.ini
C:\Documents and Settings\User\Mes documents\Divers - Pen Drive\Personnels\Plan interactif de Rabat en 2006_fichiers\Desktop_.ini
C:\Documents and Settings\User\Mes documents\HIVSIDA\Maroc\Documents intéressants\Desktop_.ini
C:\Documents and Settings\User\Mes documents\HIVSIDA\Maroc\Gender\Desktop_.ini
C:\Documents and Settings\User\Mes documents\HIVSIDA\Maroc\guide psychosocial\Desktop_.ini
C:\Documents and Settings\User\Mes documents\HIVSIDA\Maroc\Migrants\Desktop_.ini
C:\Documents and Settings\User\Mes documents\HIVSIDA\Maroc\Personnels\Desktop_.ini
C:\Documents and Settings\User\Mes documents\HIVSIDA\Maroc\Personnels\Plan interactif de Rabat en 2006_fichiers\Desktop_.ini
C:\Documents and Settings\User\Mes documents\HIVSIDA\Maroc\SIDA\Desktop_.ini
C:\Documents and Settings\User\Mes documents\HIVSIDA\Maroc\SIDA\Gender\Desktop_.ini
C:\Documents and Settings\User\Mes documents\HIVSIDA\Maroc\SIDA\guide psychosocial\Desktop_.ini
C:\Documents and Settings\User\Mes documents\HIVSIDA\Maroc\SIDA\HARPAS\Desktop_.ini
C:\Documents and Settings\User\Mes documents\HIVSIDA\Maroc\SIDA\HARPAS\Droits des Femmes\Desktop_.ini
C:\Documents and Settings\User\Mes documents\HIVSIDA\Maroc\SIDA\HARPAS\Human rights\Desktop_.ini
C:\Documents and Settings\User\Mes documents\HIVSIDA\Maroc\SIDA\HARPAS\Secteur privé\Desktop_.ini
C:\Documents and Settings\User\Mes documents\HIVSIDA\Maroc\SIDA\HARPAS\TRIPS\Desktop_.ini
C:\Documents and Settings\User\Mes documents\HIVSIDA\Maroc\SIDA\Mainstreaming\Desktop_.ini
C:\Documents and Settings\User\Mes documents\HIVSIDA\Maroc\SIDA\Mainstreaming\Documents Raphaelle\Desktop_.ini
C:\Documents and Settings\User\Mes documents\HIVSIDA\Maroc\SIDA\Mainstreaming\Gouvernement Local\Desktop_.ini
C:\Documents and Settings\User\Mes documents\HIVSIDA\Maroc\SIDA\Mainstreaming\Gouvernement Local\toolkittocfr_fichiers\Desktop_.ini
C:\Documents and Settings\User\Mes documents\HIVSIDA\Maroc\SIDA\Migrants\Desktop_.ini
C:\Documents and Settings\User\Mes documents\HIVSIDA\Maroc\SIDA\ONGs\Desktop_.ini
C:\Documents and Settings\User\Mes documents\HIVSIDA\Maroc\SIDA\Prison\Desktop_.ini
C:\Documents and Settings\User\Mes documents\Travail\Maroc\Documents intéressants\Desktop_.ini
C:\Documents and Settings\User\Mes documents\Travail\Maroc\Gender\Desktop_.ini
C:\Documents and Settings\User\Mes documents\Travail\Maroc\Migrants\Desktop_.ini
C:\Documents and Settings\User\Mes documents\Travail\Maroc\PNUD MAROC\Desktop_.ini
C:\Documents and Settings\User\Mes documents\Travail\Maroc\RBAS\Desktop_.ini
C:\Documents and Settings\User\Mes documents\Travail\Maroc\santé maternelle\Desktop_.ini
C:\Documents and Settings\User\Mes documents\Travail\Maroc\SIDA\5TH HIV FP MEETING POPOINTS & INFO\Desktop_.ini
C:\Documents and Settings\User\Mes documents\Travail\Maroc\SIDA\Appui au PNLS\Desktop_.ini
C:\Documents and Settings\User\Mes documents\Travail\Maroc\SIDA\Cours Interne NNUU\Desktop_.ini
C:\Documents and Settings\User\Mes documents\Travail\Maroc\SIDA\Desktop_.ini
C:\Documents and Settings\User\Mes documents\Travail\Maroc\SIDA\Documents intéressants\Desktop_.ini
C:\Documents and Settings\User\Mes documents\Travail\Maroc\SIDA\Gender\Desktop_.ini
C:\Documents and Settings\User\Mes documents\Travail\Maroc\SIDA\guide psychosocial\Desktop_.ini
C:\Documents and Settings\User\Mes documents\Travail\Maroc\SIDA\HARPAS\Desktop_.ini
C:\Documents and Settings\User\Mes documents\Travail\Maroc\SIDA\HARPAS\Droits des Femmes\Desktop_.ini
C:\Documents and Settings\User\Mes documents\Travail\Maroc\SIDA\HARPAS\Human rights\Desktop_.ini
C:\Documents and Settings\User\Mes documents\Travail\Maroc\SIDA\HARPAS\Secteur privé\Desktop_.ini
C:\Documents and Settings\User\Mes documents\Travail\Maroc\SIDA\HARPAS\TRIPS\Desktop_.ini
C:\Documents and Settings\User\Mes documents\Travail\Maroc\SIDA\Mainstreaming\Desktop_.ini
C:\Documents and Settings\User\Mes documents\Travail\Maroc\SIDA\Mainstreaming\Documents Raphaelle\Desktop_.ini
C:\Documents and Settings\User\Mes documents\Travail\Maroc\SIDA\Mainstreaming\Gouvernement Local\Desktop_.ini
C:\Documents and Settings\User\Mes documents\Travail\Maroc\SIDA\Mainstreaming\Gouvernement Local\toolkittocfr_fichiers\Desktop_.ini
C:\Documents and Settings\User\Mes documents\Travail\Maroc\SIDA\Migrants\Desktop_.ini
C:\Documents and Settings\User\Mes documents\Travail\Maroc\SIDA\ONGs\Desktop_.ini
C:\Documents and Settings\User\Mes documents\Travail\Maroc\SIDA\Prison\Desktop_.ini
C:\Documents and Settings\User\Mes documents\Travail\Maroc\Société Civile\Desktop_.ini
D:\Autorun.inf

15

((((((((((((((((((((((((((((( Fichiers créés 2008-01-17 to 2008-02-17 ))))))))))))))))))))))))))))))))))))
.

2008-02-17 15:08 . 2008-02-17 15:08 d-------- C:\Program Files\Trend Micro
2008-02-17 12:10 . 2008-02-17 12:22 d-------- C:\Program Files\Windows Live
2008-02-17 12:10 . 2008-02-17 12:22 d–hsc— C:\Program Files\Fichiers communs\WindowsLiveInstaller
2008-02-17 12:09 . 2008-02-17 12:09 d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-02-13 20:04 . 2008-02-13 20:04 197 --a------ C:\WINDOWS\system32\MRT.INI
2008-01-19 12:50 . 2008-02-17 17:10 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-19 12:50 . 2008-01-19 12:50 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-19 12:49 . 2008-01-19 12:49 d-------- C:\Program Files\iTunes
2008-01-19 12:49 . 2008-01-19 12:49 d-------- C:\Program Files\iPod
2008-01-19 12:47 . 2008-01-19 12:48 d-------- C:\Program Files\QuickTime

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-17 17:22 --------- d-----w C:\Program Files\Mozilla Firefox
2008-02-17 17:20 --------- d-----w C:\Documents and Settings\User\Application Data\myfbtoolbar
2008-02-17 17:14 --------- d-----w C:\Documents and Settings\User\Application Data\Skype
2008-02-17 17:09 2,145,386,496 --sha-w C:\pagefile.sys
2008-02-17 17:02 2,356,736 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-02-17 12:23 --------- d-----w C:\Program Files\Fichiers communs\Microsoft Shared
2008-02-17 12:10 --------- d-----w C:\Program Files\Fichiers communs
2008-02-17 11:59 --------- d-----w C:\Program Files\MSN Messenger
2008-02-15 18:13 --------- d-----w C:\Program Files\Weight Watchers FlexiPoints
2008-02-14 06:11 --------- d-----w C:\Program Files\gtsrp
2008-02-13 20:35 --------- d-----w C:\Program Files\Internet Explorer
2008-02-06 12:27 --------- d-----w C:\Program Files\Fichiers communs\Adobe
2008-02-06 12:27 --------- d-----w C:\Program Files\Adobe
2008-02-04 23:09 18,214,008 ----a-w C:\WINDOWS\system32\MRT.exe
2008-01-13 13:08 --------- d-----w C:\Program Files\WinSnap
2008-01-12 15:07 --------- d-----w C:\Documents and Settings\User\Application Data\Talkback
2008-01-11 21:36 42,777 ----a-w C:\WINDOWS\system32\imagens111.exe
2008-01-11 20:05 22,528 ----a-w C:\WINDOWS\system32\Partizan.exe
2008-01-11 05:36 44,544 ----a-w C:\WINDOWS\system32\pngfilt.dll
2008-01-11 05:36 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
2008-01-06 10:41 8,158,547 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-01-05 08:53 --------- d-----w C:\Program Files\LaLibre NewsBar
2008-01-05 08:46 --------- d–h–w C:\Program Files\InstallShield Installation Information
2008-01-01 10:01 20,286 ----a-w C:\WINDOWS\pchealth\helpctr\PackageStore\SkuStore.bin
2008-01-01 08:53 --------- d-----w C:\Program Files\Zero G Registry
2007-12-22 15:21 --------- d-----w C:\Program Files\WordUninstaller
2007-12-22 15:20 --------- d-----w C:\Program Files\ScenicReflections
2007-12-19 22:53 347,136 ----a-w C:\WINDOWS\system32\dxtmsft.dll
2007-12-19 22:53 347,136 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-12-19 05:27 --------- d-----w C:\Program Files\myfbtoolbar
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
2007-12-18 09:51 179,584 ------w C:\WINDOWS\system32\dllcache\mrxdav.sys
2007-12-18 07:18 --------- d-----w C:\Program Files\RadioXpi
2007-12-17 20:42 --------- d-----w C:\Documents and Settings\User\Application Data\NASA
2007-12-08 10:38 3,592,192 ----a-w C:\WINDOWS\system32\mshtml.dll
2007-12-08 10:38 3,592,192 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-12-06 11:03 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-12-06 11:02 70,656 ----a-w C:\WINDOWS\system32\ie4uinit.exe
2007-12-06 11:02 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-12-06 11:00 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe
2007-12-06 11:00 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-12-06 04:59 161,792 ----a-w C:\WINDOWS\system32\ieakui.dll
2007-12-06 04:59 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-12-04 18:41 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-12-04 18:41 550,912 ------w C:\WINDOWS\system32\dllcache\oleaut32.dll
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-11-25 23:43 245,408 ----a-w C:\WINDOWS\system32\unicows.dll
2007-11-24 22:25 185,944 ----a-w C:\WINDOWS\system32\rmoc3260.dll
2007-11-24 22:24 6,656 ----a-w C:\WINDOWS\system32\pndx5016.dll
2007-11-24 22:24 5,632 ----a-w C:\WINDOWS\system32\pndx5032.dll
2007-11-24 22:24 278,528 ----a-w C:\WINDOWS\system32\pncrt.dll
2007-08-08 08:34 468 ----a-w C:\Documents and Settings\User\Application Data\wklnhst.dat
2007-01-30 08:33 251 ----a-w C:\Program Files\wt3d.ini
2005-09-24 06:49 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
.

(((((((((((((((((((((((((((

16

((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
Note les éléments vides & les éléments initiaux légitimes ne sont pas listés

[HKEY_LOCAL_MACHINE~\Browser Helper Objects{A057A204-BACC-4D26-8988-34A187E2698B}]
2007-12-14 21:33 1974512 --a------ C:\PROGRA~1\MYFBTO~1\MYFBTO~1.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}
{2318C2B1-4965-11D4-9B18-009027A5CD4F}
{A057A204-BACC-4D26-8988-34A187E2698B}

[HKEY_CLASSES_ROOT\clsid{a057a204-bacc-4d26-8988-34a187e2698b}]
[HKEY_CLASSES_ROOT\myfbtoolbar.MYFBTOOLBAR]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
“{A057A204-BACC-4D26-8988-34A187E2698B}”= C:\PROGRA~1\MYFBTO~1\MYFBTO~1.DLL [2007-12-14 21:33 1974512]

[HKEY_CLASSES_ROOT\clsid{a057a204-bacc-4d26-8988-34a187e2698b}]
[HKEY_CLASSES_ROOT\myfbtoolbar.MYFBTOOLBAR]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“CTFMON.EXE”=“C:\WINDOWS\system32\ctfmon.exe” [2006-03-25 04:00 15360]
“swg”=“C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe” [2007-06-15 07:04 68856]
“MsnMsgr”=“C:\Program Files\Windows Live\Messenger\MsnMsgr.exe” [2007-10-18 11:34 5724184]
“googletalk”=“C:\Program Files\Google\Google Talk\googletalk.exe” [2007-04-19 05:39 3297280]
“Octoshape Streaming Services”=“C:\Program Files\Octoshape Streaming Services\User\OctoshapeClient.exe” [2006-02-13 16:33 214648]
“Skype”=“C:\Program Files\Skype\Phone\Skype.exe” [2007-09-13 13:31 22880040]
“WMPNSCFG”=“C:\Program Files\Windows Media Player\WMPNSCFG.exe” [2006-11-03 09:59 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“ehTray”=“C:\WINDOWS\ehome\ehtray.exe” [2005-08-05 19:34 64512]
“hpWirelessAssistant”=“C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe” [2006-05-03 20:58 458752]
“SunJavaUpdateSched”=“C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe” [2007-09-25 01:11 132496]
“NvCplDaemon”=“C:\WINDOWS\system32\NvCpl.dll” [2006-08-18 08:00 7585792]
“NvMediaCenter”=“C:\WINDOWS\system32\NvMcTray.dll” [2006-08-18 08:00 86016]
“nwiz”=“nwiz.exe” [2006-08-18 08:00 1617920 C:\WINDOWS\system32\nwiz.exe]
“MsmqIntCert”=“regsvr32 /s mqrt.dll”
“High Definition Audio Property Page Shortcut”=“CHDAudPropShortcut.exe” [2006-07-26 22:44 61952 C:\WINDOWS\system32\CHDAudPropShortcut.exe]
“SynTPEnh”=“C:\Program Files\Synaptics\SynTP\SynTPEnh.exe” [2007-09-15 02:27 1015808]
“QPService”=“C:\Program Files\HP\QuickPlay\QPService.exe” [2006-07-11 19:55 102400]
“HP Software Update”=“C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe” [2005-02-16 21:11 49152]
“QlbCtrl”=“C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe” [2006-06-19 09:33 163840]
“Cpqset”=“C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe” [2006-05-30 14:02 40960]
“RecGuard”=“C:\Windows\SMINST\RecGuard.exe” [2005-10-11 08:23 1187840]
“avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [2007-12-04 13:00 79224]
“ZoneAlarm Client”=“C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe” [2007-03-09 00:02 919280]
“Adobe Photo Downloader”=“C:\Program Files\Adobe\Photoshop Album Edition Découverte\3.2\Apps\apdproxy.exe” [2007-03-16 11:45 63712]
“EoEngine”=“”
“EoSudoku”=“”
“SynTPStart”=“C:\Program Files\Synaptics\SynTP\SynTPStart.exe” [2007-09-15 02:29 102400]
“TkBellExe”=“C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe” [2007-11-24 22:24 185896]
“QuickTime Task”=“C:\Program Files\QuickTime\QTTask.exe” [2008-01-10 15:27 385024]
“iTunesHelper”=“C:\Program Files\iTunes\iTunesHelper.exe” [2008-01-15 03:22 267048]
“Adobe Reader Speed Launcher”=“C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe” [2008-01-11 22:16 39792]

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
“CTFMON.EXE”=“C:\WINDOWS\system32\CTFMON.EXE” [2006-03-25 04:00 15360]
“DWQueuedReporting”=“C:\PROGRA~1\FICHIE~1\MICROS~1\DW\dwtrig20.exe” [2007-03-22 19:29 39264]

C:\Documents and Settings\User\Menu D‚marrer\Programmes\D‚marrage
Outil de d‚tection de support de Cyber-shot Viewer.lnk - C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2006-01-28 17:08:01 155648]

C:\Documents and Settings\All Users\Menu D‚marrer\Programmes\D‚marrage
Adobe Gamma Loader.lnk - C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe [2006-01-28 16:57:29 113664]
DSLMON.lnk - C:\Program Files\Menara\dslmon.exe [2007-04-23 21:23:41 839680]
D‚marrage rapide de HP Photosmart Premier.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-09-24 07:39:30 73728]
LUMIX Simple Viewer.lnk - C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe [2007-10-06 08:21:09 57344]
Quick Shelf.lnk - C:\WINDOWS\Installer{08001201-5D65-445A-B3B4-3DCE72BA0C6C}\ENCICONS.EXE [2007-01-30 09:28:13 11264]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
“InstallVisualStyle”= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
“InstallTheme”= C:\WINDOWS\Resources\Themes\Royale.theme

R3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;C:\WINDOWS\system32\Drivers\5U870CAP.sys [2006-06-06 20:39]
R3 e4usbaw;USB ADSL2 WAN Adapter;C:\WINDOWS\system32\DRIVERS\e4usbaw.sys [2006-05-04 17:20]
R3 nvsmu;nvsmu;C:\WINDOWS\system32\DRIVERS\nvsmu.sys [2006-03-05 23:49]
S2 IKANLOADER2;General Purpose USB Driver (e4ldr.sys);C:\WINDOWS\system32\Drivers\e4ldr.sys [2006-03-02 17:55]

.
Contenu du dossier ‘Scheduled Tasks/Tâches planifiées’
“2008-02-16 11:53:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job”

  • C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    “2008-02-17 17:40:01 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job”
  • C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
    “2008-02-17 16:13:19 C:\WINDOWS\Tasks\User_Feed_Synchronization-{80BB2F36-6F5B-4A4B-ACD0-E54ACD0C284C}.job”
  • C:\WINDOWS\system32\msfeedssync.exe
    .

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-17 18:04:10
Windows 5.1.2600 Service Pack 2 NTFS

Balayage processus cachés …

Balayage caché autostart entries …

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe???<?@? ???0X???Y?@???<?@

Balayage des fichiers cachés …

Scan terminé avec succès
Les fichiers cachés: 0

.

17

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:13, on 2008-02-17
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fichiers communs\LightScribe\LSSrvc.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Adobe\Photoshop Album Edition Découverte\3.2\Apps\apdproxy.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Menara\dslmon.exe
C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe
C:\Program Files\Microsoft Encarta\Encarta World English Dictionary 2001\QSHLFED.EXE
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Octoshape Streaming Services\User\OctoshapeClient.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

18

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/nwshp?tab=mn
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Aide pour le lien d’Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: EoRezoBHO - {64F56FC1-1272-44CD-BA6E-39723696E350} - C:\Program Files\EoRezo\EoAdv\EoRezoBHO.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Programme d’aide de l’Assistant de connexion Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: My FB Toolbar - {A057A204-BACC-4D26-8988-34A187E2698B} - C:\PROGRA~1\MYFBTO~1\MYFBTO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: My FB Toolbar - {A057A204-BACC-4D26-8988-34A187E2698B} - C:\PROGRA~1\MYFBTO~1\MYFBTO~1.DLL
O4 - HKLM..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe”
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM..\Run: [QPService] “C:\Program Files\HP\QuickPlay\QPService.exe”
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [ZoneAlarm Client] “C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe”
O4 - HKLM..\Run: [Adobe Photo Downloader] “C:\Program Files\Adobe\Photoshop Album Edition Découverte\3.2\Apps\apdproxy.exe”
O4 - HKLM..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\QTTask.exe” -atboottime
O4 - HKLM..\Run: [iTunesHelper] “C:\Program Files\iTunes\iTunesHelper.exe”
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] “C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe”
O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU..\Run: [MsnMsgr] “C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe” /background
O4 - HKCU..\Run: [googletalk] “C:\Program Files\Google\Google Talk\googletalk.exe” /autostart
O4 - HKCU..\Run: [Octoshape Streaming Services] “C:\Program Files\Octoshape Streaming Services\User\OctoshapeClient.exe” -inv:bootrun
O4 - HKCU..\Run: [Skype] “C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized
O4 - HKCU..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘SERVICE LOCAL’)
O4 - HKUS\S-1-5-20..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘SERVICE RÉSEAU’)
O4 - HKUS\S-1-5-18..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘Default user’)
O4 - Startup: Outil de détection de support de Cyber-shot Viewer.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\Menara\dslmon.exe
O4 - Global Startup: Démarrage rapide de HP Photosmart Premier.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: LUMIX Simple Viewer.lnk = ?
O4 - Global Startup: Quick Shelf.lnk = ?

19

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Fichiers communs\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra ‘Tools’ menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Fichiers communs\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Fichiers communs\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra ‘Tools’ menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Fichiers communs\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=FR_BE&c=64&bd=pavilion&pf=laptop
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20070501/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://paris.ville.orange.fr/CO/activex/AxisCamControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} (CTAdjust Class) - http://www.musica.gulbenkian.pt/template/fonts/clearadj.cab
O17 - HKLM\System\CCS\Services\Tcpip..{A6E0B510-AF89-41AB-9548-37E138BEFDBC}: NameServer = 212.217.0.13 212.217.1.17
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\SKYPE4~1.DLL
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Service de l’iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Fichiers communs\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


End of file - 13213 bytes

20

WHEN I TRIED TO REBOOT I SAW THE IMAGESHARE.COGIA.NET IS STILL RUNNING ON FIREFOX