winrl.exe - elcobra777

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:40:47, on 22.01.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Programme d’aide de l’Assistant de connexion Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM..\Run: [C6501Sound] RunDll32 c6501.cpl,CMICtrlWnd
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Fichiers communs\Ahead\Lib\NeroCheck.exe
O4 - HKLM..\Run: [Windows Taskmanager] winrl.exe
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1036\OLFSNT40.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/activex/TmHcmsX.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1200624367671
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Fichiers communs\Ahead\Lib\NMIndexingService.exe


End of file - 5749 bytes

I did as you said.

Thanks for your help Essex Boy.

This seems interesting but I am not an expert:
O4 - HKLM..\Run: [Windows Taskmanager] winrl.exe

It is at that :wink:

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things. Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.

- Open Spybot Search & Destroy.
- In the Mode menu click “Advanced mode” if not already selected.
- Choose “Yes” at the Warning prompt.
- Expand the “Tools” menu.
- Click “Resident”.
- Uncheck the “Resident 'TeaTimer' (Protection of overall system settings) active.” box.
- In the File menu click “Exit” to exit Spybot Search & Destroy.


Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O4 - HKLM..\Run: [Windows Taskmanager] winrl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

THEN

Please download the OTMoveIt2 by OldTimer.

- Save it to your desktop.
- Please double-click OTMoveIt2.exe to run it.
- Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

C:\WINDOWS\System32\winrl.exe
C:\WINDOWS\winrl.exe
C:\winrl.exe

- Return to OTMoveIt2, right click in the “Paste List of Files/Folders to be Moved” window (under the light blue bar) and choose Paste.
- Click the red Moveit! button.
- Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
- Close OTMoveIt2.

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

FINALLY FOR NOW

Download ComboFix from Here or Here to your Desktop.

- Double click combofix.exe and follow the prompts.
- When finished, it shall produce a log for you. Post that log and a HiJackThis log in your next reply.

Note: Do not mouseclick combofix’s window while it’s running. That may cause it to stall.

Logs required: OTMOVEIT and Combofix
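The entry being fixed above is a Run value whose data is a bare filename, `winrl.exe`, with no directory: Windows locates such a program by search order rather than at a fixed path, which is why the helper had OTMoveIt2 try System32, the Windows directory and the drive root in turn. The value name "Windows Taskmanager" also imitates a Windows component that the binary is not. As an added example (not code from this thread, from HijackThis or from OTMoveIt2), the script below parses HijackThis O4 lines, flags commands without a directory component (including modules handed to rundll32), and lists the candidate locations in the same order the helper searched them. The sample lines are constructed from the log in this thread; the search directories assume %SystemRoot% is C:\WINDOWS, as on this machine.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: O4 lines in the shape HijackThis writes them, taken from
# the log posted in this thread (the winrl.exe entry is the one the helper fixed).
SAMPLE_LOG = r"""
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM..\Run: [C6501Sound] RunDll32 c6501.cpl,CMICtrlWnd
O4 - HKLM..\Run: [Windows Taskmanager] winrl.exe
O4 - HKCU..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
"""

# Assumption: %SystemRoot% is C:\WINDOWS as on the machine in the thread. These are
# the three locations the helper told OTMoveIt2 to try, in the same order.
SEARCH_DIRS = [r"C:\WINDOWS\System32", r"C:\WINDOWS", "C:\\"]

_RUN_RE = re.compile(r"^O4 - (?P<src>HKLM|HKCU)\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
_STARTUP_RE = re.compile(r"^O4 - (?P<src>Global Startup|Startup): (?P<name>.*?) = (?P<cmd>.*)$")
# Unquoted command whose program path may contain spaces: cut after the first
# executable extension, the rest is arguments.
_EXT_RE = re.compile(r"(?i)^(?P<prog>.*?\.(?:exe|com|scr|bat|cmd|pif))(?:\s+(?P<args>.*))?$")

# Words in a value name that suggest it is posing as part of Windows.
SYSTEM_SOUNDING = ("windows", "microsoft", "task manager", "taskmanager", "system")


@dataclass
class Autorun:
    source: str                  # HKLM, HKCU or the startup folder
    name: str                    # value name shown in [brackets]
    command: str
    program: str                 # first token of the command, quotes stripped
    args: str
    bare: bool                   # True when program has no directory component
    candidates: list = field(default_factory=list)   # where a bare name could resolve
    findings: list = field(default_factory=list)


def split_program(cmd):
    """Split a Run value into (program, arguments)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:
            return cmd[1:], ""
        return cmd[1:end], cmd[end + 1:].strip()
    m = _EXT_RE.match(cmd)
    if m:
        return m.group("prog"), m.group("args") or ""
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def is_bare(path):
    """A name with neither a drive letter nor a backslash is found by search order."""
    return "\\" not in path and ":" not in path


def candidate_paths(filename):
    return [d.rstrip("\\") + "\\" + filename for d in SEARCH_DIRS]


def parse_o4(line):
    line = line.strip()
    m = _RUN_RE.match(line) or _STARTUP_RE.match(line)
    if not m:
        return None
    prog, args = split_program(m.group("cmd"))
    return Autorun(m.group("src"), m.group("name"), m.group("cmd"), prog, args, is_bare(prog))


def assess(entry):
    prog = entry.program.lower()
    if prog in ("rundll32", "rundll32.exe"):
        # rundll32 itself is a Windows binary; what matters is the module it loads.
        module = entry.args.split(",", 1)[0].strip().strip('"')
        if module and is_bare(module):
            entry.findings.append(f"rundll32 loads path-less module {module}")
            entry.candidates = candidate_paths(module)
    elif entry.bare:
        entry.findings.append(
            f"bare filename {entry.program}: located by search order, not a fixed path")
        entry.candidates = candidate_paths(entry.program)
        if any(k in entry.name.lower() for k in SYSTEM_SOUNDING):
            entry.findings.append(f"value name '{entry.name}' imitates a Windows component")
    return entry


def triage(log_text):
    """Parse every O4 line in a HijackThis log and attach findings to each entry."""
    return [assess(e) for e in map(parse_o4, log_text.splitlines()) if e]


def suspicious(log_text):
    return [e for e in triage(log_text) if e.findings]


if __name__ == "__main__":
    for e in suspicious(SAMPLE_LOG):
        print(f"{e.source} [{e.name}] {e.command}")
        for f in e.findings:
            print("   -", f)
        for c in e.candidates:
            print("   check:", c)
```

Run as-is it reports the `winrl.exe` entry with both findings and the three paths the helper used, and the `C6501Sound` entry for its path-less `.cpl` module (a legitimate sound applet here, which is exactly why a flagged entry is a prompt to verify the file on disk, as the OTMoveIt2 result in the next reply does, rather than a verdict).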

File/Folder C:\WINDOWS\System32\winrl.exe not found.
C:\WINDOWS\winrl.exe moved successfully.
File/Folder C:\winrl.exe not found.

OTMoveIt2 v1.0.12 log created on 01222008_220148

Finally I downloaded Combofix and I followed the prompts. It did some things but then didn’t show me any logs…

Have a look in C:\combofix

What is the name of the file where there is that log in C:\combofix?

It should be something like combofix.txt, if you can’t find it re-run combofix.

If it still fails to produce a log then

Please download Deckard’s System Scanner (DSS) and save it to your Desktop.
- Close all other windows before proceeding.
- Double-click on dss.exe and follow the prompts.
- When it has finished, dss will open two Notepads, main.txt and extra.txt – please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

ComboFix 08-01-23.1 - Napoleon 2008-01-22 22:05:31.1 - NTFSx86
Microsoft Windows XP Édition familiale 5.1.2600.2.1252.1.1036.18.1637 [GMT 1:00]
Endroit: C:\Documents and Settings\Napoleon\Bureau\ComboFix.exe

  • Création d’un nouveau point de restauration

AVERTISSEMENT - LA CONSOLE DE RÉCUPÉRATION N’EST PAS INSTALLÉE SUR CETTE MACHINE !!

it’s in french. They are saying (in red) that the recovery console is not installed on this machine

There should be more than that - is that all there was in the log? If so then download and run DSS.

MAIN PART 1

Deckard’s System Scanner v20071014.68
Run by Napoleon on 2008-01-23 23:24:02
Computer is in Normal Mode.

-- System Restore --------------------------------------------------------------

Successfully created a Deckard’s System Scanner Restore Point.

-- Last 5 Restore Point(s) --
47: 2008-01-23 22:24:08 UTC - RP47 - Deckard’s System Scanner Restore Point
46: 2008-01-22 21:05:07 UTC - RP46 - ComboFix created restore point
45: 2008-01-22 17:08:13 UTC - RP45 - Pilote d’imprimante CutePDF Writer installé
44: 2008-01-22 16:51:58 UTC - RP44 - Pilote d’imprimante CutePDF Writer installé
43: 2008-01-22 16:50:49 UTC - RP43 - Supprimé Adobe Reader 8.1.0 - Français

-- First Restore Point --
1: 2008-01-17 20:27:12 UTC - RP1 - Point de vérification système

Backed up registry hives.
Performed disk cleanup.

-- HijackThis (run as Napoleon.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:25, on 2008-01-23
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Napoleon\Bureau\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Napoleon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Programme d’aide de l’Assistant de connexion Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM..\Run: [C6501Sound] RunDll32 c6501.cpl,CMICtrlWnd
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Fichiers communs\Ahead\Lib\NeroCheck.exe
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1036\OLFSNT40.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/activex/TmHcmsX.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1200624367671
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Fichiers communs\Ahead\Lib\NMIndexingService.exe


End of file - 5332 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups) -----------

backup-20080122-215806-766 O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
backup-20080122-215806-849 O4 - HKLM..\Run: [Windows Taskmanager] winrl.exe

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

All drivers whitelisted.

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe

-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: G-302 v3 802.11g Wireless PCI Adapter
Device ID: PCI\VEN_10EC&DEV_8185&SUBSYS_340D187E&REV_20\4&22775069&0&4070
Manufacturer: ZyXEL
Name: G-302 v3 802.11g Wireless PCI Adapter #2
PNP Device ID: PCI\VEN_10EC&DEV_8185&SUBSYS_340D187E&REV_20\4&22775069&0&4070
Service: rtl8185

MAIN PART 2

-- Files created between 2007-12-23 and 2008-01-23 -----------------------------

2008-01-22 20:40:10 0 d-------- C:\Program Files\Trend Micro
2008-01-22 20:19:13 8576 --a------ C:\WINDOWS\system32\drivers\rjgsjxumlced.sys <Not Verified; Panda Software International; RKPavProc Driver>
2008-01-22 20:14:07 0 d-------- C:\Documents and Settings\Napoleon\Pavark
2008-01-22 19:59:55 0 d-------- C:\WINDOWS\LastGood.Tmp
2008-01-22 19:14:22 0 d-------- C:\Program Files\SpywareBlaster
2008-01-22 18:16:14 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-22 18:11:14 0 d-------- C:\Program Files\XoftSpySE
2008-01-22 17:07:51 249856 --a------ C:\WINDOWS\system32\pdfmona.dll <Not Verified; TODO: ; TODO: >
2008-01-22 17:07:51 51716 --a------ C:\WINDOWS\system32\pdf995mon.dll
2008-01-22 17:07:51 0 d-------- C:\Documents and Settings\All Users\Application Data\pdf995
2008-01-22 17:07:49 0 d-------- C:\Program Files\pdf995
2008-01-22 14:44:06 0 d-------- C:\Program Files\Acro Software
2008-01-22 14:33:19 54764 --a------ C:\WINDOWS\system32\ztx86.sys
2008-01-21 19:11:42 0 d-------- C:\Documents and Settings\Napoleon\Application Data\Google
2008-01-21 19:09:11 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2008-01-21 19:08:37 0 d-------- C:\Program Files\Fichiers communs\Adobe
2008-01-21 19:06:45 0 d-------- C:\Documents and Settings\All Users\Application Data\Google
2008-01-21 19:06:37 0 d-------- C:\Program Files\Google
2008-01-20 19:51:25 0 d-------- C:\Documents and Settings\Napoleon\Application Data\teamspeak2
2008-01-20 19:51:13 0 d-------- C:\Program Files\Teamspeak2_RC2
2008-01-20 19:22:46 0 d-------- C:\Documents and Settings\Napoleon\Contacts
2008-01-20 19:21:56 0 d------c- C:\WINDOWS\system32\DRVSTORE
2008-01-20 19:08:16 0 d--hs--c- C:\Program Files\Fichiers communs\WindowsLiveInstaller
2008-01-20 19:08:10 0 d-------- C:\Program Files\Windows Live
2008-01-20 19:07:59 0 d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-01-20 17:35:06 0 d-------- C:\WINDOWS\system32\NtmsData
2008-01-20 17:25:03 0 d-------- C:\WINDOWS\system32\Viewers
2008-01-20 17:24:20 0 d-------- C:\WINDOWS\ShellNew
2008-01-20 17:22:33 0 d-------- C:\WINDOWS\Twain32
2008-01-20 17:22:33 0 d-------- C:\Documents and Settings\Napoleon\Application Data\Microsoft Web Folders
2008-01-20 16:56:09 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-01-19 18:33:34 0 d-------- C:\Program Files\GameShadow
2008-01-18 21:39:28 0 d-------- C:\WINDOWS
2008-01-18 21:39:28 0 d-------- C:\WINDOWS\WinSxS
2008-01-18 21:39:28 0 dr------- C:\WINDOWS\Web
2008-01-18 21:39:28 0 d-------- C:\WINDOWS\twain_32
2008-01-18 21:39:28 0 d-------- C:\WINDOWS\system32
2008-01-18 21:39:28 0 d-------- C:\WINDOWS\system32\wins
2008-01-18 21:39:28 0 d-------- C:\WINDOWS\system32\wbem
2008-01-18 21:39:28 0 d-------- C:\WINDOWS\system32\usmt
2008-01-18 21:39:28 0 d-------- C:\WINDOWS\system32\spool
2008-01-18 21:39:28 0 d-------- C:\WINDOWS\system32\ShellExt
2008-01-18 21:39:28 0 d-------- C:\WINDOWS\system32\Setup
2008-01-18 21:39:28 0 d-------- C:\WINDOWS\system32\ras
2008-01-18 21:39:28 0 d-------- C:\WINDOWS\system32\oobe
2008-01-18 21:39:28 0 d-------- C:\WINDOWS\system32\npp
2008-01-18 21:39:28 0 d-------- C:\WINDOWS\system32\mui
2008-01-18 21:39:28 0 d-------- C:\WINDOWS\system32\inetsrv
2008-01-18 21:39:28 0 d-------- C:\WINDOWS\system32\IME
2008-01-18 21:39:28 0 d-------- C:\WINDOWS\system32\icsxml
2008-01-18 21:39:28 0 d-------- C:\WINDOWS\system32\ias
2008-01-18 21:39:28 0 d-------- C:\WINDOWS\system32\export
2008-01-18 21:39:28 0 d-------- C:\WINDOWS\system32\drivers
2008-01-18 21:39:28 0 d-------- C:\WINDOWS\system32\drivers\etc
2008-01-18 21:39:28 0 d-------- C:\WINDOWS\system32\drivers\disdn
2008-01-18 21:39:28 0 dr-hs--c- C:\WINDOWS\system32\dllcache
2008-01-18 21:39:28 0 d-------- C:\WINDOWS\system32\dhcp
2008-01-18 21:39:28 0 d-------- C:\WINDOWS\system32\config
2008-01-18 21:39:28 0 d-------- C:\WINDOWS\system32\3com_dmi
2008-01-18 21:39:28 0 d-------- C:\WINDOWS\system32\3076
2008-01-18 21:39:28 0 d-------- C:\WINDOWS\system32\2052
2008-01-18 21:39:28 0 d-------- C:\WINDOWS\system32\1054
2008-01-18 21:39:28 0 d-------- C:\WINDOWS\system32\1042
2008-01-18 21:39:28 0 d-------- C:\WINDOWS\system32\1041
2008-01-18 21:39:28 0 d-------- C:\WINDOWS\system32\1037
2008-01-18 21:39:28 0 d-------- C:\WINDOWS\system32\1036
2008-01-18 21:39:28 0 d-------- C:\WINDOWS\system32\1033
2008-01-18 21:39:28 0 d-------- C:\WINDOWS\system32\1031
2008-01-18 21:39:28 0 d-------- C:\WINDOWS\system32\1028
2008-01-18 21:39:28 0 d-------- C:\WINDOWS\system32\1025
2008-01-18 21:39:28 0 d-------- C:\WINDOWS\system
2008-01-18 21:39:28 0 d-------- C:\WINDOWS\security
2008-01-18 21:39:28 0 d-------- C:\WINDOWS\Resources
2008-01-18 21:39:28 0 d-------- C:\WINDOWS\repair
2008-01-18 21:39:28 0 d-------- C:\WINDOWS\mui
2008-01-18 21:39:28 0 d-------- C:\WINDOWS\msapps
2008-01-18 21:39:28 0 d-------- C:\WINDOWS\msagent
2008-01-18 21:39:28 0 d-------- C:\WINDOWS\Media
2008-01-18 21:39:28 0 d-------- C:\WINDOWS\java
2008-01-18 21:39:28 0 d--h----- C:\WINDOWS\inf
2008-01-18 21:39:28 0 d-------- C:\WINDOWS\ime
2008-01-18 21:39:28 0 d-------- C:\WINDOWS\Help
2008-01-18 21:39:28 0 dr--s---- C:\WINDOWS\Fonts
2008-01-18 21:39:28 0 d-------- C:\WINDOWS\Driver Cache
2008-01-18 21:39:28 0 d-------- C:\WINDOWS\Debug
2008-01-18 21:39:28 0 d-------- C:\WINDOWS\Cursors
2008-01-18 21:39:28 0 d-------- C:\WINDOWS\Connection Wizard
2008-01-18 21:39:28 0 d-------- C:\WINDOWS\Config
2008-01-18 21:39:28 0 d-------- C:\WINDOWS\AppPatch
2008-01-18 21:39:28 0 d-------- C:\WINDOWS\addins
2008-01-18 20:46:26 0 d-------- C:\Program Files\Fichiers communs\ODBC
2008-01-18 20:46:23 0 d-------- C:\Program Files\Fichiers communs\SpeechEngines
2008-01-18 20:46:21 0 dr------- C:\Program Files
2008-01-18 20:46:21 0 d-------- C:\Program Files\Fichiers communs
2008-01-18 20:46:01 0 d--h----- C:\Documents and Settings\Default User\Voisinage réseau
2008-01-18 20:46:01 0 d--h----- C:\Documents and Settings\Default User\Voisinage d’impression
2008-01-18 20:46:01 0 dr-h----- C:\Documents and Settings\Default User\SendTo
2008-01-18 20:46:01 0 d--h----- C:\Documents and Settings\Default User\Recent
2008-01-18 20:46:01 0 d--h----- C:\Documents and Settings\Default User\Modèles
2008-01-18 20:46:01 0 d-------- C:\Documents and Settings\Default User\Mes documents
2008-01-18 20:46:01 0 dr------- C:\Documents and Settings\Default User\Menu Démarrer
2008-01-18 20:46:01 0 dr-h----- C:\Documents and Settings\Default User\Local Settings
2008-01-18 20:46:01 0 d-------- C:\Documents and Settings\Default User\Favoris
2008-01-18 20:46:01 0 d---s---- C:\Documents and Settings\Default User\Cookies
2008-01-18 20:46:01 0 d-------- C:\Documents and Settings\Default User\Bureau
2008-01-18 20:46:01 0 d--h----- C:\Documents and Settings\All Users\Modèles
2008-01-18 20:46:01 0 dr------- C:\Documents and Settings\All Users\Menu Démarrer
2008-01-18 20:46:01 0 d-------- C:\Documents and Settings\All Users\Favoris
2008-01-18 20:46:01 0 dr------- C:\Documents and Settings\All Users\Documents
2008-01-18 20:46:01 0 d-------- C:\Documents and Settings\All Users\Bureau
2008-01-18 20:45:19 0 d-------- C:\WINDOWS\system32\CatRoot2
2008-01-18 20:45:19 0 d-------- C:\WINDOWS\system32\CatRoot
2008-01-18 20:45:13 0 dr-h----- C:\Documents and Settings\Default User\Application Data
2008-01-18 20:45:13 0 d---s---- C:\Documents and Settings\Default User\Application Data\Microsoft
2008-01-18 20:45:13 0 dr-h----- C:\Documents and Settings\All Users\Application Data
2008-01-18 20:45:13 0 d---s---- C:\Documents and Settings\All Users\Application Data\Microsoft
2008-01-18 20:44:54 0 d-------- C:\Documents and Settings
2008-01-18 16:00:50 53248 -----n--- C:\WINDOWS\system32\hklspl.dll <Not Verified; Living Screen; Living Screen>
2008-01-18 11:25:12 0 d-------- C:\Documents and Settings\All Users\Application Data\TrackMania United
2008-01-18 10:27:50 0 d-------- C:\Program Files\TrackMania United

MAIN PART 3

2008-01-18 03:35:31 0 d-------- C:\WINDOWS\system32\fr-fr
2008-01-18 03:32:48 0 d-------- C:\WINDOWS\network diagnostic
2008-01-18 03:28:45 46352 -----n--- C:\WINDOWS\setdebug.exe <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
2008-01-18 03:28:44 139536 -----n--- C:\WINDOWS\system32\javaee.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) Operating System>
2008-01-18 03:28:44 6550 -----n--- C:\WINDOWS\jautoexp.dat
2008-01-18 03:28:40 113 -----n--- C:\WINDOWS\system32\zonedon.reg
2008-01-18 03:28:40 113 -----n--- C:\WINDOWS\system32\zonedoff.reg
2008-01-18 03:26:57 0 d-------- C:\Documents and Settings\Napoleon\Application Data\Sports Interactive
2008-01-18 03:23:07 0 d--h----- C:\Program Files\Zero G Registry
2008-01-18 03:23:07 0 d-------- C:\Program Files\Sports Interactive
2008-01-18 03:22:57 0 d--h----- C:\Documents and Settings\Napoleon\InstallAnywhere
2008-01-18 03:10:58 0 d-------- C:\ATI
2008-01-18 02:50:24 0 d-------- C:\Documents and Settings\Napoleon\Application Data\temp
2008-01-18 02:42:51 0 d-------- C:\Documents and Settings\Napoleon\Application Data\Macromedia
2008-01-18 02:41:34 0 d-------- C:\Documents and Settings\Napoleon\Application Data\Adobe
2008-01-18 02:32:58 0 d-------- C:\Program Files\EA SPORTS
2008-01-18 02:10:34 0 dr------- C:\Music
2008-01-18 01:59:42 0 d-------- C:\Documents and Settings\Napoleon\Application Data\Ahead
2008-01-18 01:59:15 0 d-------- C:\Documents and Settings\All Users\Application Data\Ahead
2008-01-18 01:55:18 0 d-------- C:\Program Files\Nero
2008-01-18 01:55:18 0 d-------- C:\Program Files\Fichiers communs\Ahead
2008-01-18 01:55:18 0 d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-01-18 01:52:27 0 d-------- C:\WINDOWS\system32\PreInstall
2008-01-18 01:49:12 0 d--hs---- C:\Documents and Settings\Napoleon\UserData
2008-01-18 01:46:15 0 d--h----- C:\WINDOWS\$hf_mig$
2008-01-18 01:42:10 0 d-------- C:\Program Files\Alwil Software
2008-01-18 01:34:13 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2008-01-18 01:20:59 0 d-------- C:\Documents and Settings\LocalService\Menu Démarrer
2008-01-18 01:20:24 0 d-------- C:\WINDOWS\SoftwareDistribution
2008-01-18 01:20:17 0 d-------- C:\WINDOWS\Prefetch
2008-01-18 01:15:02 0 d-------- C:\WINDOWS\peernet
2008-01-18 01:15:00 0 d-------- C:\WINDOWS\provisioning
2008-01-18 01:12:47 0 d-------- C:\WINDOWS\ServicePackFiles
2008-01-18 01:09:21 0 d-------- C:\WINDOWS\EHome
2008-01-18 00:45:54 0 d-------- C:\d4615381223da3a4a1da64e33c
2008-01-17 22:33:12 0 d-------- C:\WINDOWS\RegisteredPackages
2008-01-17 22:31:23 266240 -r------- C:\WINDOWS\Cmi6501Uninstall.exe <Not Verified; C-Media Corporation; CmiUSBUninstall Application>
2008-01-17 22:31:19 0 d-------- C:\Program Files\C-Media 6501 Sound
2008-01-17 21:47:51 0 d-------- C:\WINDOWS\NV244236.TMP
2008-01-17 21:47:50 0 d-------- C:\WINDOWS\system32\ReinstallBackups
2008-01-17 21:47:14 10288 -----n--- C:\WINDOWS\system32\drivers\ASUSHWIO.SYS
2008-01-17 21:39:44 0 d-------- C:\Documents and Settings\Napoleon\Application Data\ATI
2008-01-17 21:39:44 0 d-------- C:\Documents and Settings\All Users\Application Data\ATI
2008-01-17 21:37:56 0 d---s---- C:\WINDOWS\system32\Microsoft
2008-01-17 21:34:05 0 d-------- C:\Program Files\Fichiers communs\ATI Technologies
2008-01-17 21:29:51 593920 -----n--- C:\WINDOWS\system32\ati2sgag.exe <Not Verified; ; ATI Smart>
2008-01-17 21:29:28 0 d-------- C:\Program Files\ATI Technologies
2008-01-17 21:29:26 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-01-17 21:28:33 0 d-------- C:\Program Files\Fichiers communs\InstallShield
2008-01-17 21:27:01 0 d--hs---- C:\WINDOWS\Installer
2008-01-17 21:26:58 0 d-------- C:\Documents and Settings\Napoleon\Application Data\Identities
2008-01-17 21:26:34 0 d--h----- C:\Documents and Settings\Napoleon\Voisinage réseau
2008-01-17 21:26:34 0 d--h----- C:\Documents and Settings\Napoleon\Voisinage d’impression
2008-01-17 21:26:34 0 dr-h----- C:\Documents and Settings\Napoleon\SendTo
2008-01-17 21:26:34 0 dr-h----- C:\Documents and Settings\Napoleon\Recent
2008-01-17 21:26:34 3407872 --ah----- C:\Documents and Settings\Napoleon\NTUSER.DAT
2008-01-17 21:26:34 0 d--h----- C:\Documents and Settings\Napoleon\Modèles
2008-01-17 21:26:34 0 dr------- C:\Documents and Settings\Napoleon\Mes documents
2008-01-17 21:26:34 0 dr------- C:\Documents and Settings\Napoleon\Menu Démarrer
2008-01-17 21:26:34 0 d--h----- C:\Documents and Settings\Napoleon\Local Settings
2008-01-17 21:26:34 0 dr------- C:\Documents and Settings\Napoleon\Favoris
2008-01-17 21:26:34 0 d--hs---- C:\Documents and Settings\Napoleon\Cookies
2008-01-17 21:26:34 0 d-------- C:\Documents and Settings\Napoleon\Bureau
2008-01-17 21:26:34 0 dr-h----- C:\Documents and Settings\Napoleon\Application Data
2008-01-17 21:25:53 0 d--hs---- C:\System Volume Information
2008-01-17 21:25:51 0 d--h----- C:\Documents and Settings\LocalService\Local Settings
2008-01-17 21:25:51 0 d--hs---- C:\Documents and Settings\LocalService\Cookies
2008-01-17 21:25:51 0 d-------- C:\Documents and Settings\LocalService\Application Data
2008-01-17 21:25:51 0 d---s---- C:\Documents and Settings\LocalService\Application Data\Microsoft
2008-01-17 21:25:50 1572864 --ah----- C:\Documents and Settings\NetworkService\NTUSER.DAT
2008-01-17 21:25:50 0 d--h----- C:\Documents and Settings\NetworkService\Local Settings
2008-01-17 21:25:50 0 d---s---- C:\Documents and Settings\NetworkService\Cookies
2008-01-17 21:25:50 0 d-------- C:\Documents and Settings\NetworkService\Application Data
2008-01-17 21:25:50 0 d---s---- C:\Documents and Settings\NetworkService\Application Data\Microsoft
2008-01-17 21:25:50 1572864 --ah----- C:\Documents and Settings\LocalService\NTUSER.DAT
2008-01-17 21:22:04 0 d-------- C:\WINDOWS\system32\xircom
2008-01-17 21:22:04 0 d-------- C:\Program Files\microsoft frontpage
2008-01-17 21:22:02 233472 ---h----- C:\Documents and Settings\Default User\NTUSER.DAT
2008-01-17 21:21:51 0 -r-hs---- C:\MSDOS.SYS
2008-01-17 21:21:51 0 -r-hs---- C:\IO.SYS
2008-01-17 21:21:51 0 -----n--- C:\CONFIG.SYS
2008-01-17 21:21:51 0 -----n--- C:\AUTOEXEC.BAT
2008-01-17 21:20:53 0 d--hs---- C:\Documents and Settings\All Users\DRM
2008-01-17 21:20:42 0 dr------- C:\WINDOWS\Offline Web Pages
2008-01-17 21:20:42 0 d---s---- C:\WINDOWS\Downloaded Program Files
2008-01-17 21:20:15 0 d-------- C:\WINDOWS\system32\DirectX
2008-01-17 21:19:40 0 d---s---- C:\WINDOWS\Tasks
2008-01-17 21:19:37 0 d-------- C:\Program Files\Fichiers communs\MSSoap
2008-01-17 21:19:33 0 d-------- C:\WINDOWS\system32\Macromed
2008-01-17 21:19:33 0 d-------- C:\WINDOWS\srchasst
2008-01-17 21:19:31 0 d-------- C:\Program Files\Movie Maker
2008-01-17 21:19:28 0 d-------- C:\WINDOWS\system32\Restore
2008-01-17 21:19:28 0 d-------- C:\WINDOWS\PCHealth
2008-01-17 21:19:13 21892 -----n--- C:\WINDOWS\system32\emptyregdb.dat
2008-01-17 21:18:59 0 d-------- C:\WINDOWS\Registration
2008-01-17 21:18:34 0 d--h----- C:\Program Files\WindowsUpdate
2008-01-17 21:18:34 0 d-------- C:\Program Files\Services en ligne
2008-01-17 21:18:27 0 d-------- C:\Program Files\Messenger
2008-01-17 21:18:23 0 d-------- C:\Program Files\MSN Gaming Zone
2008-01-17 21:17:54 0 d-------- C:\Program Files\Windows NT
2008-01-17 21:17:52 0 d-------- C:\WINDOWS\system32\MsDtc
2008-01-17 21:17:51 0 d-------- C:\WINDOWS\system32\Com

MAIN PART 4

-- Find3M Report ---------------------------------------------------------------

2008-01-20 16:57:29 461134 --a------ C:\WINDOWS\system32\perfh00C.dat
2008-01-20 16:57:29 72092 --a------ C:\WINDOWS\system32\perfc00C.dat
2008-01-18 20:46:01 62 ---hs---- C:\Documents and Settings\Napoleon\Application Data\desktop.ini

-- Registry Dump ---------------------------------------------------------------

Note empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35]
"C6501Sound"="c6501.cpl"
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00]
"NeroFilterCheck"="C:\Program Files\Fichiers communs\Ahead\Lib\NeroCheck.exe" [2007-03-01 15:57]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 16:09]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-22 21:44]

C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 22:05:56]
Symantec Fax Starter Edition Port.lnk - C:\Program Files\Microsoft Office\Office\1036\OLFSNT40.EXE [1999-04-06 14:27:42]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

-- Hosts -----------------------------------------------------------------------

127.0.0.1 007guard.com
127.0.0.1 www.007guard.com
127.0.0.1 008i.com
127.0.0.1 008k.com
127.0.0.1 www.008k.com
127.0.0.1 00hq.com
127.0.0.1 www.00hq.com
127.0.0.1 010402.com
127.0.0.1 032439.com
127.0.0.1 www.032439.com

7840 more entries in hosts file.

-- End of Deckard's System Scanner: finished at 2008-01-23 23:26:08 ------------

EXTRA PART 1

Deckard’s System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.

-- System Information ----------------------------------------------------------

Microsoft Windows XP Édition familiale (build 2600) SP 2.0
Architecture: X86; Language: French

CPU 0: AMD Athlon™ 64 X2 Dual Core Processor 4000+
CPU 1: AMD Athlon™ 64 X2 Dual Core Processor 4000+
Percentage of Memory in Use: 19%
Physical Memory (total/avail): 2047.23 MiB / 1642.31 MiB
Pagefile Memory (total/avail): 3940.19 MiB / 3604.97 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1918.86 MiB

C: is Fixed (NTFS) - 37.11 GiB total, 19.41 GiB free.
D: is Fixed (NTFS) - 39.57 GiB total, 27.96 GiB free.
E: is CDROM (UDF)

\\.\PHYSICALDRIVE0 - ExcelStor Technology J680 - 76.69 GiB - 2 partitions
\PARTITION0 (bootable) - Système de fichiers installable - 37.11 GiB - C:
\PARTITION1 - Étendu avec Inter. 13 étendue - 39.57 GiB - D:

-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AV: avast! antivirus 4.7.1098 [VPS 080122-1] v4.7.1098 (ALWIL Software)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Sports Interactive\Football Manager 2008\fm.exe"="C:\Program Files\Sports Interactive\Football Manager 2008\fm.exe:*:Enabled:Football Manager 2008"

-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Napoleon\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Fichiers communs
COMPUTERNAME=NAPOLEON-VX1AR5
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Napoleon
LOGONSERVER=\\NAPOLEON-VX1AR5
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI.ACE\Core-Static;C:\Program Files\Fichiers communs\Ahead\Lib
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 107 Stepping 1, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=6b01
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Napoleon\LOCALS~1\Temp
TMP=C:\DOCUME~1\Napoleon\LOCALS~1\Temp
USERDOMAIN=NAPOLEON-VX1AR5
USERNAME=Napoleon
USERPROFILE=C:\Documents and Settings\Napoleon
windir=C:\WINDOWS

-- User Profiles ---------------------------------------------------------------

Napoleon

-- Add/Remove Programs ---------------------------------------------------------

→ C:\Program Files\Nero\Nero 7\nero\uninstall\UNNERO.exe /UNINSTALL
→ C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
→ C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
→ C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
→ C:\WINDOWS\UNNeroVision.exe /UNINSTALL
→ C:\WINDOWS\UNRecode.exe /UNINSTALL
→ rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player ActiveX → C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Assistant de connexion Windows Live → MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
ATI - Utilitaire de désinstallation du logiciel → C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI AVIVO Codecs → MsiExec.exe /I{89DE67AD-08B8-4699-A55D-CA5C0AF82BF3}
ATI Catalyst Control Center → RunDll32 C:\PROGRA~1\FICHIE~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{055EE59D-217B-43A7-ABFF-507B966405D8}\setup.exe" -l0x0
ATI Display Driver → rundll32 C:\WINDOWS\System32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
ATI HYDRAVISION → RunDll32 C:\PROGRA~1\FICHIE~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3EA9D975-BFDC-4E8E-B88B-0446FBC8CA66}\setup.exe"
ATI Parental Control & Encoder → MsiExec.exe /I{36CDA33B-909B-4719-97D1-C4B99309BDC7}
avast! Antivirus → rundll32 C:\PROGRA~1\ALWILS~1\Avast4\Setup\setiface.dll,RunSetup
C-Media 6501 Sound → C:\WINDOWS\Cmi6501Uninstall.exe C:\Program Files\C-Media 6501 Sound#C-Media 6501 Sound#C-Media 6501 Sound#
Correctif pour Windows XP (KB914440) → "C:\WINDOWS\$NtUninstallKB914440$\spuninst\spuninst.exe"
Correctif Windows XP - KB873339 → C:\WINDOWS\$NtUninstallKB873339$\spuninst\spuninst.exe
Correctif Windows XP - KB885835 → C:\WINDOWS\$NtUninstallKB885835$\spuninst\spuninst.exe
Correctif Windows XP - KB885836 → C:\WINDOWS\$NtUninstallKB885836$\spuninst\spuninst.exe
Correctif Windows XP - KB886185 → C:\WINDOWS\$NtUninstallKB886185$\spuninst\spuninst.exe
Correctif Windows XP - KB887472 → C:\WINDOWS\$NtUninstallKB887472$\spuninst\spuninst.exe
Correctif Windows XP - KB888302 → C:\WINDOWS\$NtUninstallKB888302$\spuninst\spuninst.exe
Correctif Windows XP - KB890859 → "C:\WINDOWS\$NtUninstallKB890859$\spuninst\spuninst.exe"
Correctif Windows XP - KB891781 → C:\WINDOWS\$NtUninstallKB891781$\spuninst\spuninst.exe
FIFA MANAGER 08 → C:\Program Files\EA SPORTS\FIFA MANAGER 08\eauninstall.exe
Football Manager 2008 → "C:\Program Files\Sports Interactive\Football Manager 2008\Uninstall_Football Manager 2008\Uninstall Football Manager 2008.exe"
GameShadow → MsiExec.exe /I{6AEAD38B-383B-46FF-8A5D-00A822ADA77A}
Google Toolbar for Internet Explorer → MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer → regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
HijackThis 2.0.2 → "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
L'Entraîneur 2008 → RunDll32 C:\PROGRA~1\FICHIE~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2F4E2C8A-B886-418E-BE49-0B867CBDA959}\Setup.exe" -l0x40c -removeonly
Microsoft Office 2000 Premium → MsiExec.exe /I{0000040C-78E1-11D2-B60F-006097C998E7}
Microsoft Visual C++ 2005 Redistributable → MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}

EXTRA PART 2

Mise à jour de sécurité pour Lecteur Windows Media (KB911564) → "C:\WINDOWS\$NtUninstallKB911564$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Lecteur Windows Media 6.4 (KB925398) → "C:\WINDOWS\$NtUninstallKB925398_WMP64$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Lecteur Windows Media 9 (KB936782) → "C:\WINDOWS\$NtUninstallKB936782_WMP9$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB890046) → "C:\WINDOWS\$NtUninstallKB890046$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB893756) → "C:\WINDOWS\$NtUninstallKB893756$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB896358) → "C:\WINDOWS\$NtUninstallKB896358$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB896423) → "C:\WINDOWS\$NtUninstallKB896423$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB896428) → "C:\WINDOWS\$NtUninstallKB896428$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB899587) → "C:\WINDOWS\$NtUninstallKB899587$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB899591) → "C:\WINDOWS\$NtUninstallKB899591$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB900725) → "C:\WINDOWS\$NtUninstallKB900725$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB901017) → "C:\WINDOWS\$NtUninstallKB901017$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB901214) → "C:\WINDOWS\$NtUninstallKB901214$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB902400) → "C:\WINDOWS\$NtUninstallKB902400$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB905414) → "C:\WINDOWS\$NtUninstallKB905414$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB905749) → "C:\WINDOWS\$NtUninstallKB905749$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB908519) → "C:\WINDOWS\$NtUninstallKB908519$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB911562) → "C:\WINDOWS\$NtUninstallKB911562$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB911927) → "C:\WINDOWS\$NtUninstallKB911927$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB913580) → "C:\WINDOWS\$NtUninstallKB913580$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB914388) → "C:\WINDOWS\$NtUninstallKB914388$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB914389) → "C:\WINDOWS\$NtUninstallKB914389$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB917344) → "C:\WINDOWS\$NtUninstallKB917344$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB918118) → "C:\WINDOWS\$NtUninstallKB918118$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB918439) → "C:\WINDOWS\$NtUninstallKB918439$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB919007) → "C:\WINDOWS\$NtUninstallKB919007$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB920213) → "C:\WINDOWS\$NtUninstallKB920213$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB920670) → "C:\WINDOWS\$NtUninstallKB920670$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB920683) → "C:\WINDOWS\$NtUninstallKB920683$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB920685) → "C:\WINDOWS\$NtUninstallKB920685$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB921503) → "C:\WINDOWS\$NtUninstallKB921503$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB922819) → "C:\WINDOWS\$NtUninstallKB922819$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB923191) → "C:\WINDOWS\$NtUninstallKB923191$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB923414) → "C:\WINDOWS\$NtUninstallKB923414$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB923689) → "C:\WINDOWS\$NtUninstallKB923689$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB923980) → "C:\WINDOWS\$NtUninstallKB923980$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB924270) → "C:\WINDOWS\$NtUninstallKB924270$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB924496) → "C:\WINDOWS\$NtUninstallKB924496$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB924667) → "C:\WINDOWS\$NtUninstallKB924667$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB925902) → "C:\WINDOWS\$NtUninstallKB925902$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB926255) → "C:\WINDOWS\$NtUninstallKB926255$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB926436) → "C:\WINDOWS\$NtUninstallKB926436$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB927779) → "C:\WINDOWS\$NtUninstallKB927779$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB927802) → "C:\WINDOWS\$NtUninstallKB927802$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB928255) → "C:\WINDOWS\$NtUninstallKB928255$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB928843) → "C:\WINDOWS\$NtUninstallKB928843$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB929123) → "C:\WINDOWS\$NtUninstallKB929123$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB930178) → "C:\WINDOWS\$NtUninstallKB930178$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB931261) → "C:\WINDOWS\$NtUninstallKB931261$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB931784) → "C:\WINDOWS\$NtUninstallKB931784$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB932168) → "C:\WINDOWS\$NtUninstallKB932168$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB933729) → "C:\WINDOWS\$NtUninstallKB933729$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB935839) → "C:\WINDOWS\$NtUninstallKB935839$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB935840) → "C:\WINDOWS\$NtUninstallKB935840$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB936021) → "C:\WINDOWS\$NtUninstallKB936021$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB938127) → "C:\WINDOWS\$NtUninstallKB938127$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB938829) → "C:\WINDOWS\$NtUninstallKB938829$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB941202) → "C:\WINDOWS\$NtUninstallKB941202$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB941568) → "C:\WINDOWS\$NtUninstallKB941568$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB941569) → "C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB941644) → "C:\WINDOWS\$NtUninstallKB941644$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB942615) → "C:\WINDOWS\$NtUninstallKB942615$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB943460) → "C:\WINDOWS\$NtUninstallKB943460$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB943485) → "C:\WINDOWS\$NtUninstallKB943485$\spuninst\spuninst.exe"
Mise à jour de sécurité pour Windows XP (KB944653) → "C:\WINDOWS\$NtUninstallKB944653$\spuninst\spuninst.exe"
Mise à jour pour Windows XP (KB894391) → "C:\WINDOWS\$NtUninstallKB894391$\spuninst\spuninst.exe"
Mise à jour pour Windows XP (KB898461) → "C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
Mise à jour pour Windows XP (KB900485) → "C:\WINDOWS\$NtUninstallKB900485$\spuninst\spuninst.exe"
Mise à jour pour Windows XP (KB904942) → "C:\WINDOWS\$NtUninstallKB904942$\spuninst\spuninst.exe"
Mise à jour pour Windows XP (KB908531) → "C:\WINDOWS\$NtUninstallKB908531$\spuninst\spuninst.exe"
Mise à jour pour Windows XP (KB910437) → "C:\WINDOWS\$NtUninstallKB910437$\spuninst\spuninst.exe"
Mise à jour pour Windows XP (KB911280) → "C:\WINDOWS\$NtUninstallKB911280$\spuninst\spuninst.exe"
Mise à jour pour Windows XP (KB916595) → "C:\WINDOWS\$NtUninstallKB916595$\spuninst\spuninst.exe"
Mise à jour pour Windows XP (KB920872) → "C:\WINDOWS\$NtUninstallKB920872$\spuninst\spuninst.exe"
Mise à jour pour Windows XP (KB922582) → "C:\WINDOWS\$NtUninstallKB922582$\spuninst\spuninst.exe"
Mise à jour pour Windows XP (KB927891) → "C:\WINDOWS\$NtUninstallKB927891$\spuninst\spuninst.exe"
Mise à jour pour Windows XP (KB930916) → "C:\WINDOWS\$NtUninstallKB930916$\spuninst\spuninst.exe"
Mise à jour pour Windows XP (KB938828) → "C:\WINDOWS\$NtUninstallKB938828$\spuninst\spuninst.exe"
Mise à jour pour Windows XP (KB942763) → "C:\WINDOWS\$NtUninstallKB942763$\spuninst\spuninst.exe"
Nero 7 Essentials → MsiExec.exe /X{66EBD70F-A42C-475F-AEDF-277378151036}
NVIDIA Drivers → C:\WINDOWS\System32\NVUNINST.EXE UninstallGUI
Spybot - Search & Destroy → "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
TeamSpeak 2 RC2 → "C:\Program Files\Teamspeak2_RC2\unins000.exe"
TrackMania United DVD Patch 2006-12-15 → "C:\Program Files\TrackMania United\unins000.exe"
Utilitaire de sauvegarde Windows → MsiExec.exe /I{76EFFC7C-17A6-479D-9E47-8E658C1695AE}
Windows Live installer → MsiExec.exe /X{FD44E544-E7D0-4DBA-9FA0-8AE1A1300390}
Windows Live Messenger → MsiExec.exe /X{BADF6744-3787-48F6-B8C9-4C4995401D65}

EXTRA PART 3

-- Application Event Log -------------------------------------------------------

Event Record #/Type617 / Success
Event Submitted/Written: 01/22/2008 08:36:42 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type614 / Error
Event Submitted/Written: 01/22/2008 08:16:56 PM
Event ID/Source: 1000 / Application Error
Event Description:
Application défaillante services.exe, version 5.1.2600.2180, module défaillant services.exe, version 5.1.2600.2180, adresse de défaillance 0x00008e40.
Traitement de l’événement propre au support pour [services.exe!ws!]

Event Record #/Type604 / Success
Event Submitted/Written: 01/22/2008 07:47:23 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type588 / Success
Event Submitted/Written: 01/22/2008 07:34:15 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type577 / Success
Event Submitted/Written: 01/22/2008 06:51:11 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.

-- System Event Log ------------------------------------------------------------

Event Record #/Type3133 / Warning
Event Submitted/Written: 01/23/2008 10:25:02 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP a atteint la limite de sécurité imposée sur le nombre de tentatives de connexion TCP simultanées.

Event Record #/Type3130 / Error
Event Submitted/Written: 01/23/2008 10:09:39 PM
Event ID/Source: 1000 / Dhcp
Event Description:
Votre ordinateur a perdu le bail de son adresse IP 192.168.2.164 sur la
carte réseau d’adresse réseau 0019664723B8.

Event Record #/Type3129 / Warning
Event Submitted/Written: 01/23/2008 10:09:39 PM
Event ID/Source: 1003 / Dhcp
Event Description:
Votre ordinateur n’a pas pu renouveler son adresse à partir du réseau (à partir
du serveur DHCP) pour la carte réseau dont l’adresse réseau est 0019664723B8. Il s’est
produit l’erreur suivante :
%%121.
Votre ordinateur va continuer à essayer d’obtenir sa propre adresse auprès du
serveur d’adresse réseau (DHCP).

Event Record #/Type3120 / Warning
Event Submitted/Written: 01/22/2008 09:23:04 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP a atteint la limite de sécurité imposée sur le nombre de tentatives de connexion TCP simultanées.

Event Record #/Type3119 / Warning
Event Submitted/Written: 01/22/2008 08:55:45 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP a atteint la limite de sécurité imposée sur le nombre de tentatives de connexion TCP simultanées.

-- End of Deckard's System Scanner: finished at 2008-01-23 23:26:08 ------------

Looks OK, any problems?

Thank you very much. The problem has been solved.

By the way, what kind of system is winrl.exe? Is it spyware or a Trojan?

Take care mate.

elcobra777