Problem with autorun.inf

david875
Hello,

I have a problem with an autorun.inf on my WD external hard drive, and this affects any USB storage that has an autorun.inf. I also have a folder called RECYCLER containing a file named jwgkvsq.vmx, also reported as malware. Please help.

Avira reported the autorun.inf as :

Guard : Malware fund

A virus or unwanted program 'WORM/Kido.IX' was found in file I:\files\autorun.inf.blocked'

Access to this file was denied

I can't delete it using the keyboard 'Suppr' key, with MS-DOS, or even in Safe Mode on Windows. Please help me.
hi there,

please post here the startup programs by going to

start > msconfig > startup

or, before posting them, try this trick to delete the file:

start > cmd

go to the autorun.inf directory; if the directory is e:\ for example, do this

cd /d e:\

attrib autorun.inf -s -h -a -r
del autorun.inf /f

If that doesn't work, please post the startup programs here so we can check whether the PC is infected.


Sudeep Sharma, Technical Designer

Commented:
Hello David,

I have provided the solution to the autorun.inf problem before. You could try those solutions at the link below:
http://www.experts-exchange.com/Networking/Windows_Networking/Q_25472927.html
or

You could also try these tools to remove the autorun.inf from the flash drives and HDD. I would recommend removing the virus using these and then running Autorun Eater to stop further infection by this virus. Hope it helps you and others too.

Tools you need are:
InfBlocker 2.0 and InfBlocker PLUS 2.0
Download Link: http://www.brothersoft.com/infblocker-294427.html

InfBlocker 2.0:
"InfBlocker is a small antivirus." (BSEditor)
InfBlocker can help you delete the infection of the AutoRun.inf MS32DLL.dll.vbs worm.
Download Link: http://www.brothersoft.com/infblocker-plus-294977.html

InfBlocker PLUS 2.0:
"InfBlocker PLUS: Pendrive HDD antivirus, HDD and System drive protection."

Alternatively:

The Autorun.inf virus actually spreads mainly from portable media such as USB drives, memory cards etc. If you are a victim of this virus then you may experience the following problems:

[1] You can't enable "Show Hidden Files and Folders".

[2] Task Manager will be disabled and you can't open it.

[3] Autorun.inf can enable more viruses when portable devices are used.

[4] Access to Registry Editor will be locked.

[5] It can open the drives in a new window each time you try to open them.

When a device is infected with malware and an 'autorun.inf' file is dropped, the shell menu is normally modified to execute the malware whenever the unsuspecting user double-clicks the infected drive. Autorun.inf actually changes a few entries in the registry of your system, and you can't restore those manually, as access to the Registry Editor has already been disabled by this virus.

So, it's a real problem if you are affected by this virus. Popular antivirus software often fails to detect and remove Autorun.inf completely. To get rid of this, you can try a nice FREE utility called Autorun Eater. It's a very fast and easy-to-use tool and helps you remove Autorun.inf and restore all registry changes.

Autorun Eater will remove any suspicious 'autorun.inf' files even before the user attempts to access the drive.
Autorun Eater 2.4: http://www.softpedia.com/progDownload/Autorun-Eater-Download-85585.html

One important point I would like to tell you is that some antivirus and antispyware programs may show 'false positive' behaviour, which means they can flag Autorun Eater as being infected/malware, although the application is perfectly safe and does not pose a threat to your system. If you already have other antivirus or anti-malware installed, they can detect Autorun Eater as a virus; just ignore this. You can also disable and exit all antivirus programs installed on your system before running Autorun Eater.

Read more: http://inforids.com/remove-autoruninf-virus-easily/#ixzz0j1ETqdVV

Thanks and Regards,
Sudeep
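The shell-menu modification described above, as an added example that is not part of this thread or of any tool it mentions: a tolerant autorun.inf parser, in Python, that reports which directives would run a program when the drive is opened and flags targets matching the indicators from the question. The samples are constructed; only the RECYCLER folder and the jwgkvsq.vmx name come from the question, and the indicator pattern is an assumption.

```python
"""Tolerant autorun.inf triage (added example; not code from the thread).

Windows reads autorun.inf leniently: section and key names are matched
case-insensitively and lines it cannot parse are skipped. Droppers exploit
that by burying the one directive that matters among junk. This parser copies
the leniency and then reports which directives would launch a program when
the drive is double-clicked, flagging targets that match the indicators named
in the question (a RECYCLER folder, a jwgkvsq.vmx payload).
"""
import re
from typing import Dict, List, Tuple

# Directives that execute a program on open / AutoPlay / context menu.
LAUNCH_KEYS = ("open", "shellexecute")
# shell\<verb>\command=... adds a context-menu verb that runs a command.
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)
# Indicators from the thread plus rundll32, which is how a non-.exe payload
# such as a .vmx file gets executed. Assumption: this list is illustrative.
SUSPICIOUS_TARGET_RE = re.compile(r"recycler|\.vmx\b|rundll32", re.IGNORECASE)


def parse_autorun(raw: bytes) -> Dict[str, str]:
    """Return the key=value directives of the [autorun] section.

    Binary junk is decoded as latin-1 so nothing raises; lines without '=' or
    outside [autorun] are ignored, as Windows ignores them.
    """
    directives: Dict[str, str] = {}
    in_autorun = False
    for line in raw.decode("latin-1").splitlines():
        line = line.strip().strip("\x00")
        if not line or line.startswith(";"):
            continue
        section = re.match(r"^\[(.+?)\]$", line)
        if section:
            in_autorun = section.group(1).strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue  # junk padding: skipped, not an error
        key, _, value = line.partition("=")
        # Drop non-printable bytes glued to the key name before normalising.
        key = "".join(ch for ch in key if ch.isprintable()).strip().lower()
        if key:
            directives[key] = value.strip()
    return directives


def launch_directives(directives: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (directive, command) pairs that would run code."""
    return [
        (key, value)
        for key, value in directives.items()
        if key in LAUNCH_KEYS or SHELL_COMMAND_RE.match(key)
    ]


def triage(raw: bytes) -> dict:
    """Classify an autorun.inf as benign, launches (review) or suspicious."""
    launches = launch_directives(parse_autorun(raw))
    suspicious = [cmd for _, cmd in launches if SUSPICIOUS_TARGET_RE.search(cmd)]
    if suspicious:
        verdict = "suspicious"
    elif launches:
        verdict = "launches"  # vendor CDs do this legitimately; review target
    else:
        verdict = "benign"
    return {"launches": launches, "suspicious": suspicious, "verdict": verdict}


# Constructed samples (not copied from any real file). The worm-style one
# points at RECYCLER\jwgkvsq.vmx, the names given in the question; the junk
# line and mixed case stand in for the padding such droppers use. The
# "Action" text mimics the AutoPlay entry a user would expect to see.
WORM_SAMPLE = (
    b"[AutoRun]\r\n"
    b"\x01\x02\xff\xfe padding that is not a directive\r\n"
    b"Action=Open folder to view files\r\n"
    b"Icon=%SystemRoot%\\system32\\shell32.dll,4\r\n"
    b"ShellExecute=RunDLL32.EXE .\\RECYCLER\\jwgkvsq.vmx,.rundll\r\n"
    b"shell\\Open\\Command=RunDLL32.EXE .\\RECYCLER\\jwgkvsq.vmx,.rundll\r\n"
    b"UseAutoPlay=1\r\n"
)
INSTALLER_SAMPLE = b"[autorun]\r\nopen=setup.exe\r\nicon=setup.exe,0\r\n"
LABEL_ONLY_SAMPLE = b"[autorun]\r\nicon=setup.exe,0\r\nlabel=Driver CD\r\n"

if __name__ == "__main__":
    for name, sample in (("worm-style", WORM_SAMPLE),
                         ("installer", INSTALLER_SAMPLE),
                         ("label-only", LABEL_ONLY_SAMPLE)):
        result = triage(sample)
        print(f"{name}: {result['verdict']}")
        for key, cmd in result["launches"]:
            print(f"  {key} -> {cmd}")
```

A "launches" verdict is not by itself malicious (installer CDs use open=setup.exe); what matters is whether the target lives somewhere a legitimate disc would never put it, such as a hidden RECYCLER folder.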
Top Expert 2007

Commented:
Download Flash_Disinfector.exe by sUBs and save it to your desktop.
http://download.bleepingcomputer.com/sUBs/Flash_Disinfector.exe
Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.

Also run ComboFix and show us the log.
ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Author

Commented:
When I downloaded Flash_Disinfector.exe and installed it, I tried to click on the autorun.inf directory on my external hard drive and suddenly the computer crashed and rebooted automatically. I don't understand why; when I did it again it didn't happen, but I still have the problem with the autorun.inf.
Top Expert 2007

Commented:
Flash_Disinfector is supposed to delete the harmful autorun.inf, and then create a harmless autorun.inf folder as well, to stop the autorun.inf infection from spreading.
Try ComboFix, and if it's not removed on its first run we can use its script function to remove it.

Author

Commented:
ComboFix didn't help, even with MS-DOS commands. I attached 2 screenshots to show you what I was trying to do:
screenshot-auotorun.JPG
Screenshot-MSDOS.JPG
Sudeep Sharma, Technical Designer

Commented:
Did you try InfBlocker and Autorun Eater as suggested by me above?

Sudeep

Author

Commented:
Well, Autorun Eater did nothing and I just couldn't figure out how to use it: it gives you "scan volume A", which never exists, and "scan volume B", which doesn't exist either, so I can't use it at all. Any idea? And InfBlocker just creates folders, so how do I remove the virus shown in the screenshot?
Top Expert 2007

Commented:
Can you please post the ComboFix log? Using its script function can remove any file that exists on the system.

Author

Commented:
ComboFix 10-07-01.02 - David 02/07/2010  19:55:11.2.1 - x86
Microsoft Windows XP Professionnel  5.1.2600.3.1252.1.1036.18.1526.1056 [GMT 1:00]
Lancé depuis: c:\documents and settings\David\Mes documents\Téléchargements\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
 * Un antivirus résident est actif


AVERTISSEMENT - LA CONSOLE DE RÉCUPÉRATION N'EST PAS INSTALLÉE SUR CETTE MACHINE !!
.

((((((((((((((((((((((((((((((((((((   Autres suppressions   ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\David\Application Data\.#
c:\documents and settings\David\Application Data\QUAD Backups
c:\documents and settings\David\Application Data\QUAD Backups\01.11.2010,21-55-45\Automatic.reg
c:\documents and settings\David\Application Data\QUAD Backups\01.14.2010,23-47-13\Automatic.reg
c:\documents and settings\David\Application Data\QUAD Backups\02.26.2010,23-02-56\Automatic.reg
c:\documents and settings\David\Application Data\QUAD Backups\02.26.2010,23-19-30\Automatic.reg
c:\program files\QUAD Utilities
c:\program files\QUAD Utilities\QUAD Registry Cleaner\program.log
c:\program files\QUAD Utilities\QUAD Registry Cleaner\QUAD Registry Cleaner website.url
c:\program files\QUAD Utilities\QUAD Registry Cleaner\QUAD Registry Cleaner.exe
c:\program files\QUAD Utilities\QUAD Registry Cleaner\QUAD Registry Cleaner.exe.BAK
c:\program files\QUAD Utilities\QUAD Registry Cleaner\QUAD Scheduler.exe
c:\program files\QUAD Utilities\QUAD Registry Cleaner\Styles\Vista.cjstyles
c:\program files\QUAD Utilities\QUAD Registry Cleaner\uninst.exe
c:\program files\QUAD Utilities\QUAD Registry Cleaner\Vista Scheduler.dll
C:\Thumbs.db
c:\windows\Downloaded Program Files\f3initialsetup1.0.1.3.inf
c:\windows\jestertb.dll
I:\install.exe

.
(((((((((((((((((((((((((((((   Fichiers créés du 2010-06-02 au 2010-07-02  ))))))))))))))))))))))))))))))))))))
.

2010-07-01 23:20 . 2010-07-01 23:20      --------      d-----w-      C:\autorunhelp
2010-07-01 23:14 . 2010-07-01 23:14      --------      d-----w-      c:\program files\Autorun Eater
2010-07-01 21:14 . 2010-07-01 21:14      501936      ----a-w-      c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb18.tmp.exe
2010-06-28 23:25 . 2010-06-28 23:25      --------      d-----w-      c:\program files\Oracle
2010-06-15 21:29 . 2010-06-15 21:31      --------      d-----w-      c:\documents and settings\David\Application Data\VMware
2010-06-15 20:44 . 2010-06-15 21:38      664      ----a-w-      c:\windows\system32\d3d9caps.dat
2010-06-15 18:37 . 2010-06-15 21:38      --------      d-----w-      c:\documents and settings\LocalService\Application Data\VMware
2010-06-15 18:28 . 2010-06-15 22:04      --------      d-----w-      c:\documents and settings\All Users\Application Data\VMware
2010-06-12 00:31 . 2010-05-06 10:33      743424      -c----w-      c:\windows\system32\dllcache\iedvtool.dll
2010-06-08 21:02 . 2010-06-08 21:02      --------      d-----w-      c:\windows\system32\ivtMobCache
2010-06-08 12:30 . 2010-06-08 12:30      111312      ----a-w-      c:\windows\system32\drivers\VBoxNetFlt.sys
2010-06-08 12:30 . 2010-06-08 12:30      133648      ----a-w-      c:\windows\system32\VBoxNetFltNotify.dll
2010-06-06 01:02 . 2010-06-06 01:02      61440      ----a-w-      c:\documents and settings\David\Application Data\GRETECH\GomPlayer\GrLauncherTempSetup.exe
2010-06-06 01:02 . 2007-03-22 10:46      126976      ----a-w-      c:\documents and settings\David\Application Data\GRETECH\GomPlayer\GrLauncher.exe

.
((((((((((((((((((((((((((((((((((   Compte-rendu de Find3M   ))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-02 18:54 . 2001-08-24 12:00      81824      ----a-w-      c:\windows\system32\perfc00C.dat
2010-07-02 18:54 . 2001-08-24 12:00      503894      ----a-w-      c:\windows\system32\perfh00C.dat
2010-07-02 18:50 . 2010-06-02 18:24      1345      --sha-w-      c:\windows\system32\mmf.sys
2010-07-02 18:48 . 2010-07-02 18:49      112640      ----a-w-      c:\windows\Internet Logs\xDBB7.tmp
2010-07-02 18:35 . 2010-01-02 22:28      --------      d---a-w-      c:\documents and settings\All Users\Application Data\TEMP
2010-07-01 23:14 . 2010-01-07 23:53      --------      d-----w-      c:\documents and settings\All Users\Application Data\Autorun Eater
2010-07-01 20:19 . 2009-10-15 12:20      --------      d-----w-      c:\program files\Messenger Plus! Live
2010-06-30 23:41 . 2010-06-30 23:43      22016      ----a-w-      c:\windows\Internet Logs\xDBB6.tmp
2010-06-30 23:36 . 2010-01-03 22:09      --------      d-----w-      c:\program files\DAEMON Tools
2010-06-30 23:33 . 2010-06-30 23:34      25088      ----a-w-      c:\windows\Internet Logs\xDBB5.tmp
2010-06-30 23:32 . 2009-10-20 21:42      639224      ----a-w-      c:\windows\system32\drivers\sptd.sys
2010-06-30 23:17 . 2010-06-30 23:18      35328      ----a-w-      c:\windows\Internet Logs\xDBB4.tmp
2010-06-30 15:37 . 2010-06-30 15:38      24064      ----a-w-      c:\windows\Internet Logs\xDBB3.tmp
2010-06-30 02:46 . 2010-06-30 15:10      28672      ----a-w-      c:\windows\Internet Logs\xDBB2.tmp
2010-06-30 02:20 . 2010-01-01 14:56      --------      d-----w-      c:\documents and settings\David\Application Data\vlc
2010-06-29 17:04 . 2010-06-29 20:37      44544      ----a-w-      c:\windows\Internet Logs\xDBB1.tmp
2010-06-28 02:18 . 2010-06-28 02:18      120311      ----a-w-      c:\windows\Internet Logs\vsmon_2nd_2010_06_28_02_54_41_small.dmp.zip
2010-06-27 20:55 . 2010-06-27 23:00      28672      ----a-w-      c:\windows\Internet Logs\xDBB0.tmp
2010-06-27 19:53 . 2010-06-27 19:54      38912      ----a-w-      c:\windows\Internet Logs\xDBAF.tmp
2010-06-26 02:30 . 2010-06-26 14:28      26112      ----a-w-      c:\windows\Internet Logs\xDBAE.tmp
2010-06-25 02:02 . 2010-06-25 22:38      27136      ----a-w-      c:\windows\Internet Logs\xDBAD.tmp
2010-06-25 01:26 . 2010-02-16 18:04      --------      d-----w-      c:\documents and settings\David\Application Data\Nokia
2010-06-24 20:26 . 2010-06-25 01:09      29696      ----a-w-      c:\windows\Internet Logs\xDBAC.tmp
2010-06-24 00:52 . 2010-06-24 17:58      32256      ----a-w-      c:\windows\Internet Logs\xDBAB.tmp
2010-06-23 19:16 . 2010-06-23 21:46      28160      ----a-w-      c:\windows\Internet Logs\xDBAA.tmp
2010-06-23 15:54 . 2010-06-23 15:55      44032      ----a-w-      c:\windows\Internet Logs\xDBA9.tmp
2010-06-23 14:27 . 2009-10-26 22:05      --------      d-----w-      c:\documents and settings\David\Application Data\Skinux
2010-06-22 02:10 . 2010-06-22 21:32      25600      ----a-w-      c:\windows\Internet Logs\xDBA8.tmp
2010-06-21 23:00 . 2010-06-22 00:32      43008      ----a-w-      c:\windows\Internet Logs\xDBA7.tmp
2010-06-20 22:52 . 2010-06-20 22:58      37888      ----a-w-      c:\windows\Internet Logs\xDBA6.tmp
2010-06-19 18:06 . 2010-06-19 19:22      19456      ----a-w-      c:\windows\Internet Logs\xDBA5.tmp
2010-06-19 01:42 . 2010-06-19 17:48      24576      ----a-w-      c:\windows\Internet Logs\xDBA4.tmp
2010-06-18 14:28 . 2010-06-18 23:35      30208      ----a-w-      c:\windows\Internet Logs\xDBA3.tmp
2010-06-18 00:40 . 2010-06-18 13:06      32256      ----a-w-      c:\windows\Internet Logs\xDBA2.tmp
2010-06-16 19:25 . 2009-11-06 13:44      4321611      ----a-w-      c:\windows\Internet Logs\tvDebug.Zip
2010-06-16 02:05 . 2010-06-16 19:25      27136      ----a-w-      c:\windows\Internet Logs\xDBA1.tmp
2010-06-15 22:07 . 2010-06-15 22:08      43520      ----a-w-      c:\windows\Internet Logs\xDBA0.tmp
2010-06-15 20:57 . 2010-06-15 20:58      36352      ----a-w-      c:\windows\Internet Logs\xDB9F.tmp
2010-06-15 18:39 . 2010-06-15 18:40      31232      ----a-w-      c:\windows\Internet Logs\xDB9E.tmp
2010-06-15 01:55 . 2010-06-15 18:17      62464      ----a-w-      c:\windows\Internet Logs\xDB9D.tmp
2010-06-15 00:34 . 2009-10-15 12:20      --------      d-----w-      c:\program files\mIRC
2010-06-14 23:39 . 2009-10-26 23:04      --------      d-----w-      c:\documents and settings\David\Application Data\Skype
2010-06-14 23:11 . 2009-10-26 23:07      --------      d-----w-      c:\documents and settings\David\Application Data\skypePM
2010-06-14 02:17 . 2010-06-14 17:55      47616      ----a-w-      c:\windows\Internet Logs\xDB9C.tmp
2010-06-13 17:52 . 2010-06-13 21:52      45056      ----a-w-      c:\windows\Internet Logs\xDB9B.tmp
2010-06-13 02:36 . 2010-06-13 14:10      50176      ----a-w-      c:\windows\Internet Logs\xDB9A.tmp
2010-06-12 16:56 . 2010-06-12 21:05      27648      ----a-w-      c:\windows\Internet Logs\xDB99.tmp
2010-06-12 02:14 . 2010-06-12 13:11      123392      ----a-w-      c:\windows\Internet Logs\xDB98.tmp
2010-06-09 20:30 . 2009-11-18 00:35      --------      d-----w-      c:\documents and settings\David\Application Data\dvdcss
2010-06-09 02:31 . 2010-06-09 17:47      56320      ----a-w-      c:\windows\Internet Logs\xDB97.tmp
2010-06-09 00:17 . 2009-10-15 12:18      --------      d-----w-      c:\program files\FTP Commander
2010-06-08 12:30 . 2010-01-06 16:47      142928      ----a-w-      c:\windows\system32\drivers\VBoxDrv.sys
2010-06-08 12:30 . 2010-01-06 16:47      31504      ----a-w-      c:\windows\system32\drivers\VBoxUSB.sys
2010-06-08 12:30 . 2010-01-06 16:47      41744      ----a-w-      c:\windows\system32\drivers\VBoxUSBMon.sys
2010-06-08 12:30 . 2009-12-17 15:02      100496      ----a-w-      c:\windows\system32\drivers\VBoxNetAdp.sys
2010-06-08 02:05 . 2010-06-08 20:57      54784      ----a-w-      c:\windows\Internet Logs\xDB96.tmp
2010-06-07 20:39 . 2010-06-07 21:12      47616      ----a-w-      c:\windows\Internet Logs\xDB95.tmp
2010-06-07 02:19 . 2010-06-07 16:06      44032      ----a-w-      c:\windows\Internet Logs\xDB94.tmp
2010-06-07 02:14 . 2009-10-15 09:24      --------      d--h--w-      c:\program files\InstallShield Installation Information
2010-06-06 15:46 . 2010-06-06 22:56      52736      ----a-w-      c:\windows\Internet Logs\xDB93.tmp
2010-06-06 01:05 . 2010-06-06 13:14      51712      ----a-w-      c:\windows\Internet Logs\xDB92.tmp
2010-06-05 02:26 . 2010-06-05 23:14      48128      ----a-w-      c:\windows\Internet Logs\xDB91.tmp
2010-06-04 00:57 . 2010-06-04 22:50      30720      ----a-w-      c:\windows\Internet Logs\xDB90.tmp
2010-06-03 01:57 . 2010-06-03 22:49      81920      ----a-w-      c:\windows\Internet Logs\xDB8F.tmp
2010-06-02 18:24 . 2010-06-02 18:24      48640      ----a-w-      c:\windows\mmfs.dll
2010-06-02 18:24 . 2010-06-02 18:24      2560      ----a-w-      c:\windows\Runservice.exe
2010-06-02 11:25 . 2010-06-02 11:25      --------      d-----w-      c:\program files\Apstel
2010-06-02 11:25 . 2010-06-02 11:25      --------      d--h--w-      c:\program files\InstallJammer Registry
2010-06-02 01:20 . 2010-06-02 11:22      42496      ----a-w-      c:\windows\Internet Logs\xDB8E.tmp
2010-06-01 01:10 . 2010-06-01 21:38      91648      ----a-w-      c:\windows\Internet Logs\xDB8D.tmp
2010-05-30 23:14 . 2010-03-15 11:51      --------      d-----w-      c:\program files\WinBlackJackBot V3.0
2010-05-30 23:14 . 2010-03-13 22:55      --------      d-----w-      c:\program files\Vegas Magic Casino
2010-05-30 01:54 . 2010-01-07 00:41      --------      d-----w-      c:\program files\Malwarebytes' Anti-Malware
2010-05-29 02:35 . 2010-05-29 23:03      80896      ----a-w-      c:\windows\Internet Logs\xDB8C.tmp
2010-05-29 00:35 . 2010-05-29 00:35      --------      d-----w-      c:\documents and settings\All Users\Application Data\CounterPath
2010-05-27 00:28 . 2010-05-27 21:56      56832      ----a-w-      c:\windows\Internet Logs\xDB8B.tmp
2010-05-26 22:22 . 2010-02-02 00:39      --------      d-----w-      c:\program files\CounterPath
2010-05-26 22:16 . 2010-05-26 22:16      --------      d-----w-      c:\documents and settings\All Users\Application Data\CounterPath Corporation
2010-05-26 22:16 . 2010-05-26 22:16      --------      d-----w-      c:\documents and settings\David\Application Data\CounterPath Corporation
2010-05-26 20:51 . 2010-05-26 20:51      --------      d-----w-      c:\program files\Axon Data
2010-05-26 19:36 . 2010-04-14 21:23      --------      d-----w-      c:\documents and settings\David\Application Data\uTorrent
2010-05-26 11:49 . 2010-05-26 17:06      111616      ----a-w-      c:\windows\Internet Logs\xDB8A.tmp
2010-05-24 01:58 . 2010-05-24 21:35      40448      ----a-w-      c:\windows\Internet Logs\xDB89.tmp
2010-05-23 02:24 . 2010-05-23 20:47      50176      ----a-w-      c:\windows\Internet Logs\xDB88.tmp
2010-05-22 04:07 . 2010-05-22 22:51      73216      ----a-w-      c:\windows\Internet Logs\xDB86.tmp
2010-05-22 04:07 . 2010-05-22 22:51      4149760      ----a-w-      c:\windows\Internet Logs\xDB87.tmp
2010-05-20 01:48 . 2010-05-20 20:46      45568      ----a-w-      c:\windows\Internet Logs\xDB85.tmp
2010-05-19 18:08 . 2010-05-19 21:35      27136      ----a-w-      c:\windows\Internet Logs\xDB84.tmp
2010-05-19 02:40 . 2010-05-19 17:48      92160      ----a-w-      c:\windows\Internet Logs\xDB83.tmp
2010-05-18 20:15 . 2010-05-16 02:27      --------      d-----w-      c:\program files\prosonsoft
2010-05-17 03:24 . 2010-05-17 12:32      49664      ----a-w-      c:\windows\Internet Logs\xDB82.tmp
2010-05-16 02:52 . 2010-05-16 21:48      107008      ----a-w-      c:\windows\Internet Logs\xDB81.tmp
2010-05-15 01:48 . 2009-10-15 12:16      --------      d-----w-      c:\program files\Realtek
2010-05-14 23:41 . 2010-05-14 23:42      25088      ----a-w-      c:\windows\Internet Logs\xDB80.tmp
2010-05-14 23:33 . 2010-05-14 23:34      26112      ----a-w-      c:\windows\Internet Logs\xDB7F.tmp
2010-05-14 23:23 . 2010-05-14 23:24      25600      ----a-w-      c:\windows\Internet Logs\xDB7E.tmp
2010-05-14 22:31 . 2010-05-14 23:16      62464      ----a-w-      c:\windows\Internet Logs\xDB7D.tmp
2010-05-14 03:10 . 2010-05-14 19:19      56832      ----a-w-      c:\windows\Internet Logs\xDB7C.tmp
2010-05-14 00:40 . 2010-05-14 00:36      --------      d-----w-      c:\program files\90 Second Website Builder
2010-05-14 00:35 . 2010-05-14 00:37      737280      ----a-w-      c:\windows\iun6002.exe
2009-11-25 11:33 . 2009-11-25 11:33      135680      ----a-w-      c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

------- Sigcheck -------

[-] 2008-04-14 . 917C64008889003E6EA19CF0793CBD72 . 551424 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\winlogon.exe
[-] 2008-04-14 . 917C64008889003E6EA19CF0793CBD72 . 551424 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
[7] 2008-04-14 . DD73D6B9F6B4CB630CF35B438B540174 . 512000 . . [5.1.2600.5512] . . c:\windows\VistaMizer\old\winlogon.exe
[-] 2004-08-03 . BDBD27FA935D482A3D6890C69913F8A4 . 546304 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\winlogon.exe

[-] 2008-04-14 . 2176257E2D5C71B238B95D8F1C4635FD . 724992 . . [5.82] . . c:\windows\ServicePackFiles\i386\comctl32.dll
[-] 2008-04-14 . 2176257E2D5C71B238B95D8F1C4635FD . 724992 . . [5.82] . . c:\windows\system32\comctl32.dll
[7] 2008-04-14 . B4AA331468315B6A174C3F0D5B3BC135 . 617472 . . [5.82] . . c:\windows\VistaMizer\old\comctl32.dll
[-] 2004-08-03 . 7F5AE144A8351E605C5900C34F03D569 . 718848 . . [5.82] . . c:\windows\$NtServicePackUninstall$\comctl32.dll

[-] 2008-04-14 . 543B0B5CB3737D17FEEB7FDC20B1A181 . 588800 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\user32.dll
[-] 2008-04-14 . 543B0B5CB3737D17FEEB7FDC20B1A181 . 588800 . . [5.1.2600.5512] . . c:\windows\system32\user32.dll
[7] 2008-04-14 . E853F84D3CE2FAA2A802E33CF89AC023 . 579584 . . [5.1.2600.5512] . . c:\windows\VistaMizer\old\user32.dll
[7] 2004-08-03 . E46FB493E3B33704F0715020CF52106B . 578048 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\user32.dll

[-] 2008-04-14 . E7F63819E78A8C4BB43657472BCEF2C3 . 1556480 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[-] 2008-04-14 . E7F63819E78A8C4BB43657472BCEF2C3 . 1556480 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe
[7] 2008-04-14 . F2317622D29F9FF0F88AEECD5F60F0DD . 1037824 . . [6.00.2900.5512] . . c:\windows\VistaMizer\old\explorer.exe
[-] 2004-08-03 . 53F294A168AA0D3F68C1409A4D101E14 . 1554944 . . [6.00.2900.2180] . . c:\windows\$NtServicePackUninstall$\explorer.exe

[-] 2008-04-14 . 6F88A39FD32BF0BE9D0BC0FD4090E9EB . 25088 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ctfmon.exe
[-] 2008-04-14 . 6F88A39FD32BF0BE9D0BC0FD4090E9EB . 25088 . . [5.1.2600.5512] . . c:\windows\system32\ctfmon.exe
[7] 2008-04-14 . 59DC5BB82E4C8E0B3EADCFDBC44BA6E4 . 15360 . . [5.1.2600.5512] . . c:\windows\VistaMizer\old\ctfmon.exe
[-] 2004-08-03 . AF699A4A5F2FB5E3D73E931C2E6BEDC4 . 25088 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ctfmon.exe
.
(((((((((((((((((((((((((((((((((   Points de chargement Reg   ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Z810PNP"="c:\program files\Modem Samsung SCH-U209\SamsungPnPServiceManager.exe" [2009-02-13 176128]
"Z810SysStart"="c:\program files\Modem Samsung SCH-U209\sysctrlU.exe" [2009-02-11 311296]
"DriveCrypt5"="d:\drivecrypt 5\DriveCrypt.exe" [2009-12-02 3398616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"SensorsViewPro31"="c:\program files\SensorsViewPro31\sviewpro.exe" [2008-04-27 1650468]
"BtTray"="c:\program files\IVT Corporation\BlueSoleil\BtTray.exe" [2008-08-04 226816]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2005-12-27 69632]
"Autorun Eater"="c:\program files\Autorun Eater\oldmcdonald.exe" [2010-05-06 516216]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 1744896]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^Lancement rapide de Microsoft Office OneNote 2003.lnk]
path=c:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\Lancement rapide de Microsoft Office OneNote 2003.lnk
backup=c:\windows\pss\Lancement rapide de Microsoft Office OneNote 2003.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^Logiciel Kodak EasyShare.lnk]
path=c:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\Logiciel Kodak EasyShare.lnk
backup=c:\windows\pss\Logiciel Kodak EasyShare.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^David^Menu Démarrer^Programmes^Démarrage^Adobe Gamma.lnk]
path=c:\documents and settings\David\Menu Démarrer\Programmes\Démarrage\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^David^Menu Démarrer^Programmes^Démarrage^ShutDown After.lnk]
path=c:\documents and settings\David\Menu Démarrer\Programmes\Démarrage\ShutDown After.lnk
backup=c:\windows\pss\ShutDown After.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\combofix]
c:\combofix\CF21825.cfxxe [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2005-06-06 23:46      57344      ----a-w-      c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2006-08-16 11:20      69632      ----a-w-      c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
2006-08-16 11:20      2808832      ----a-w-      c:\windows\alcwzrd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Autorun Eater]
2010-05-06 17:59      516216      ----a-w-      c:\program files\Autorun Eater\oldmcdonald.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AzMixerSel]
2006-08-16 11:20      53248      ------w-      c:\program files\Realtek\InstallShield\AzMixerSel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 02:33      25088      ------w-      c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
2006-11-12 10:48      157592      ----a-w-      c:\program files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DriveCrypt5]
2009-12-02 14:55      3398616      ----a-w-      d:\drivecrypt 5\DriveCrypt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Easy-PrintToolBox]
2004-01-14 01:10      409600      ----a-w-      c:\program files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2009-11-25 11:33      1838592      ----a-w-      c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-10-15 12:42      133104      ----atw-      c:\documents and settings\David\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iCall Internet Phone]
2008-12-18 15:44      1587576      ----a-w-      c:\program files\iCall\iCall.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2006-03-23 10:13      77824      ------w-      c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2006-03-23 10:17      118784      ------w-      c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2006-03-23 10:17      94208      ------w-      c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-07-13 14:03      292128      ----a-w-      c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
2010-04-29 14:39      437584      ----a-w-      c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MessengerPlus3]
2009-11-20 01:22      190024      ----a-w-      c:\program files\MessengerPlus! 3\MsgPlus.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 16:44      3883856      ----a-w-      c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
2007-03-23 13:20      227328      ----a-w-      c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Propel Accelerator]
2009-07-29 01:49      69632      ----a-w-      c:\program files\Propel Accelerator\trayctl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 17:18      413696      ----a-w-      c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2006-08-16 11:23      16248320      ----a-w-      c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SafeBit]
2007-07-18 14:52      1447360      ----a-w-      c:\progra~1\SafeBit\safebit.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
2006-08-16 11:21      2879488      ----a-w-      c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2006-08-16 11:21      86016      ----a-w-      c:\windows\SoundMan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-10-21 21:12      149280      ----a-w-      c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SxgTkBar]
2002-07-22 16:03      53248      ----a-w-      c:\windows\system32\Sxgtkbar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrojanScanner]
2008-11-16 20:08      1234312      ----a-w-      c:\program files\Trojan Remover\Trjscan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UVS12 Preload]
2008-06-09 11:03      397456      ----a-w-      c:\program files\Corel\Corel VideoStudio 12\uvPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ose"=3 (0x3)
"MDM"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"Adobe LM Service"=3 (0x3)
"iPod Service"=3 (0x3)
"gusvc"=3 (0x3)
"GoogleDesktopManager"=3 (0x3)
"UleadBurningHelper"=2 (0x2)
"OpenVPNService"=3 (0x3)
"MyWebSearchService"=2 (0x2)
"LightScribeService"=2 (0x2)
"ESDClientService"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"a2AntiDialer"=2 (0x2)
"ServiceLayer"=3 (0x3)
"gupdate"=2 (0x2)
"wampmysqld"=3 (0x3)
"wampapache"=3 (0x3)
"TuneUp.ProgramStatisticsSvc"=2 (0x2)
"PSI_SVC_2"=2 (0x2)
"FLEXnet Licensing Service"=3 (0x3)
"vmwriter"=3 (0x3)
"VMwareHostd"=2 (0x2)
"VMAuthdService"=2 (0x2)
"VMnetDHCP"=2 (0x2)
"VMware NAT Service"=2 (0x2)
"VMwareServerWebAccess"=2 (0x2)
"MBAMService"=2 (0x2)
"TuneUp.Defrag"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleilCS.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\iCall\\iCall.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Program Files\\CounterPath\\X-Lite\\x-lite.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"1723:TCP"= 1723:TCP:PPTP
"47:TCP"= 47:TCP:PPTP2

R0 BtHidBus;Bluetooth HID Bus Service;c:\windows\system32\drivers\BtHidBus.sys [31/07/2008 19:45 20616]
R0 DCR;DCR;c:\windows\system32\drivers\DCR.sys [06/03/2010 20:46 294408]
R0 DCVP;DCVP;c:\windows\system32\drivers\DCVP.sys [06/03/2010 20:46 19624]
R0 sensorsview;sensorsview;c:\windows\system32\drivers\sensorsview.sys [10/01/2008 12:34 4224]
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [06/01/2010 17:47 142928]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [06/01/2010 17:47 41744]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [15/10/2009 10:55 135336]
R2 BsMobileCS;BsMobileCS;c:\program files\IVT Corporation\BlueSoleil\BsMobileCS.exe [01/08/2008 14:55 143467]
R2 DriveCryptService;DriveCrypt Service;d:\drivecrypt 5\DCRServ.exe [06/03/2010 20:46 96680]
R2 hidedir;hidedir;c:\windows\system32\drivers\hidedir.sys [25/03/2010 21:48 8704]
R3 IvtBtBUs;IVT Bluetooth Bus Service;c:\windows\system32\drivers\IvtBtBus.sys [02/07/2008 13:58 26248]
R3 SOFTXG;YAMAHA XG SoftSynthesizer;c:\windows\system32\drivers\sxgxgwdm.sys [11/04/2010 01:29 966784]
R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\VBoxNetFlt.sys [08/06/2010 13:30 111312]
R3 vdisk;Virtual Disk Driver;c:\windows\system32\drivers\vdisk.sys [25/03/2010 21:48 23152]
S2 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [02/06/2010 19:24 2560]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [30/05/2010 02:54 20952]
S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [17/12/2009 16:02 100496]
S3 VBoxUSB;VirtualBox USB;c:\windows\system32\drivers\VBoxUSB.sys [06/01/2010 17:47 31504]
S4 ESDClientService;ESDClientService;c:\program files\Western Union\ESD System\ESDClientService.exe [04/01/2010 08:50 196608]
S4 gupdate;Service Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [03/02/2010 02:23 135664]
S4 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [30/05/2010 02:54 304464]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [20/10/2009 22:42 639224]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
UxTuneUp
.
Contenu du dossier 'Tâches planifiées'

2010-04-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2010-07-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-03 01:22]

2010-07-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-03 01:22]

2010-07-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-57989841-1220945662-725345543-1003Core.job
- c:\documents and settings\David\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-15 12:42]

2010-07-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-57989841-1220945662-725345543-1003UA.job
- c:\documents and settings\David\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-15 12:42]

2010-07-02 c:\windows\Tasks\User_Feed_Synchronization-{F2011298-9509-4F9B-BECC-8A40EA63B876}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 04:31]
.
.
------- Examen supplémentaire -------
.
uStart Page = about:blank
uInternet Settings,ProxyServer = http=localhost:8080
uInternet Settings,ProxyOverride = <local>
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Copy to &Lightning Note - c:\program files\Corel\WordPerfect Lightning\Programs\WPLightningCopyToNote.hta
IE: E&xporter vers Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Easy-WebPrint Ajouter à la liste d'impressions - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint Impression rapide - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Imprimer - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
IE: Easy-WebPrint Prévisualiser - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Envoyer via Bluetooth - c:\program files\IVT Corporation\BlueSoleil\TransSend\IE\tsinfo.htm
IE: Envoyer via message(&M)... - c:\program files\IVT Corporation\BlueSoleil\TransSend\IE\tssms.htm
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
IE: Open with WordPerfect - c:\program files\Corel\WordPerfect Office X4\Programs\WPLauncher.hta
IE: Refresh Pa&ge with Full Quality - c:\program files\Propel Accelerator\pac-page.html
IE: Refresh Pi&cture with Full Quality - c:\program files\Propel Accelerator\pac-image.html
IE: Tout télécharger avec Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Télécharger avec Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: Télécharger la sélection avec Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Télécharger la vidéo avec Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Télécharger le site avec Free Download Manager - file://c:\program files\Free Download Manager\dlpage.htm
LSP: c:\program files\Propel Accelerator\prplsf.dll
FF - ProfilePath - c:\documents and settings\David\Application Data\Mozilla\Firefox\Profiles\p1jr57lv.default\
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\documents and settings\David\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\David\Application Data\Mozilla\Firefox\Profiles\p1jr57lv.default\extensions\VMwareVMRC@vmware.com\plugins\np-vmware-vmrc-2.5.0-122581.dll
FF - plugin: c:\documents and settings\David\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Opera\program\plugins\nppdf32.dll
FF - plugin: c:\program files\Picasa2\npPicasa3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHELINS SUPPRIMES - - - -

MSConfigStartUp-a-squared - c:\program files\a-squared Anti-Dialer\a2adguard.exe
MSConfigStartUp-QUAD Scheduler - c:\program files\QUAD Utilities\QUAD Registry Cleaner\QUAD Scheduler.exe
MSConfigStartUp-QUAD Windows service - c:\program files\QUAD Utilities\QUAD Registry Cleaner\QUAD Registry Cleaner.exe
MSConfigStartUp-QuickFinder Scheduler - c:\program files\Corel\WordPerfect Office X4\Programs\QFSCHD140.EXE
MSConfigStartUp-SUPERAntiSpyware - c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
AddRemove-Vegas Magic Casino - c:\program files\Vegas Magic Casino\Install.exe
AddRemove-_{EAB6F4ED-B18D-4BF5-B18E-3C7921560EC4} - d:\corel painter sketch pad\Setup\SetupARP.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-02 20:04
Windows 5.1.2600 Service Pack 3 NTFS

Recherche de processus cachés ...

Recherche d'éléments en démarrage automatique cachés ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  Z810PNP = c:\program files\Modem Samsung SCH-U209\SamsungPnPServiceManager.exe
  Z810SysStart = c:\program files\Modem Samsung SCH-U209\sysctrlU.exe

Recherche de fichiers cachés ...

Scan terminé avec succès
Fichiers cachés: 0

**************************************************************************
.
--------------------- CLES DE REGISTRE BLOQUEES ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BF865BB3-BAE1-5B2B-43B7-7BC32F1F8A5F}\InProcServer32*]
"jadnjijmofnlohdhjnoo"=hex:6b,61,6d,6b,6e,70,63,6e,6f,66,6e,65,69,6a,67,6c,65,
   6d,70,6e,6b,68,00,00
"iadnhjdnmoacjhmmcf"=hex:6b,61,6d,6b,6e,70,63,6e,6f,66,6e,65,69,6a,67,6c,65,6d,
   70,6e,6b,68,00,00

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \D25BC253F035D347]

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \D25BC253F035D347\B7F5EA513569EA3E98352E3A3D1D6A3D]

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\ð•€|ÿÿÿÿ.•€|þ»Ñw*]
"C040110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\€–€|ÿÿÿÿÀ•€|ù•9~*]
"C040710900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
--------------------- DLLs chargées dans les processus actifs ---------------------

- - - - - - - > 'winlogon.exe'(1268)
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\COMRes.dll
c:\windows\system32\cscui.dll

- - - - - - - > 'lsass.exe'(1332)
c:\windows\system32\scecli.dll
c:\windows\system32\SETUPAPI.dll
c:\program files\Propel Accelerator\prplsf.dll
c:\windows\system32\psbase.dll
.
Heure de fin: 2010-07-02  20:10:23
ComboFix-quarantined-files.txt  2010-07-02 19:10
ComboFix2.txt  2010-01-08 23:51

Avant-CF: 4 756 992 000 octets libres
Après-CF: 5 227 560 960 octets libres

- - End Of File - - EEB46E0AA6AA13C9E926EEDA9F762097
Top Expert 2007
Commented:
I:\files\autorun.inf <-- is this the autorun.inf you want to remove? We'll try using ComboFix's script function to remove it.

There are system files showing in the log that failed the sigcheck, which could mean that those files might be patched (though that is not always the case when failing the sigcheck).

Run combofix again using this script.
 
1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------

File::
I:\files\autorun.inf

RegNull::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BF865BB3-BAE1-5B2B-43B7-7BC32F1F8A5F}\InProcServer32*]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\ð•€|ÿÿÿÿ.•€|þ»Ñw*]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\€–€|ÿÿÿÿÀ•€|ù•9~*]

RegLock::
[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \D25BC253F035D347]
[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \D25BC253F035D347\B7F5EA513569EA3E98352E3A3D1D6A3D]

------------------------------------------------------------------------
3. Save the above as CFScript.txt in the same location as Combofix.exe.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.
 

Author

Commented:
Hi @rpggamergirl, I must say that your last solution works perfectly and the autorun.inf files are deleted successfully. I still need help one more time: I still have those folders, like this:

I:\_
     |_.Trash-500
                         |_files
                                  |_RECYCLER
                                                      |_S-5-3-42-2819952290-8240758988-879315005-3665

All these folders are like protected, and deleting them is denied (access refused) even with MS-DOS. I tried the same with ComboFix: I put them in the scan file and started it; obviously ComboFix didn't delete them because they are not viruses and they have nothing inside. I just want to delete these folders, any help?

One more thing I paid attention to: when I start my computer, the Welcome screen you see before the desktop is displayed freezes for about 10 seconds or a little more before I can see my desktop. Any tool to resolve this problem? Thank you very much in advance.
Top Expert 2007

Commented:
Glad the autorun.inf is gone.

Have you tried using ComboFix's script function to delete the folder, and it didn't work?

Using ComboFix script below:
I'm not sure of the folder's path; just make sure the path is correct.
 
Folder::
I:\_\_.Trash-500\_files\_RECYCLER\_S-5-3-42-2819952290-8240758988-879315005-3665

If nothing works also try Kaspersky KidoKiller (kk.exe)
http://support.kaspersky.com/faq/?qid=208279973

Author

Commented:
Hi, I tried ComboFix Script + the kk.exe but nothing, any idea?

Author

Commented:
In addition, when I try to delete this folder .Trash-500, a folder named RECYCLER is generated. What can be generating this folder?
Top Expert 2007

Commented:
I'm sorry...
Did you manage to delete the RECYCLER folder?

It's normal for the default RECYCLER folder to be generated... but for those created by nasties, if they are respawned then the infection is still active.

How did you resolve the issue, may I ask?
Thanks!
