
Trojan infection pls help!



  • Root Admin

When you shut down your computer and restart do you have an option for the Recovery Console ?

 

If so please start up into the Recovery Console and run CHKDSK from there.

 

How to install and use the Windows XP Recovery Console

 

Description of the Windows XP Recovery Console for advanced users

Then run the following command from the DOS Recovery Console
 

CHKDSK C: /R

That should allow the full disk check to run.

 


Hi M. :)

 

It's the command that I copied/pasted that turned off my computer. After I clicked "enter", a window popped up to warn me to save my work because the system would shut down, and there was a countdown. The system shut down, but during the reboot nothing happened. My desktop appeared like always.

 

Hmm, are you talking about the black screen where the choices are "start normal mode, windows..bla bla"? I'll try to watch the choices to see if I see recovery console. But if I recall correctly, I have just 3 choices: safe mode, normal mode, and windows xp.

 

And to add the recovery console, there is a problem.... My computer is used, so I don't have the Windows XP CD. But I know my Windows XP is legal because my computer came from a bank. A bank here was getting rid of its old machines and I got one.

That's why I don't want to reformat my hard drive, be obliged to download a Windows XP online and have problems after.

 

I know someone who may have a Windows XP Pro CD, but it's a used-computer salesman that gave it to him, saying that this Windows XP CD gives the right to put it on multiple machines because of the sort of key for multiple machines..... Do you think it's trustworthy to put that CD in my machine? I don't want my Windows XP to become illegal.


Ok finally I had "RECOVERY CONSOLE" in the upper choice.

 

So I read carefully how to use it, but it's not working...

 

In the beginning I am supposed to type "1" and see if I need a password. But when I am there, my keyboard is different. :( I tried to type "1" but the numbers write other signs and letters in the recovery console, it seems...

 

Seriously, I am a little bit sad; nothing seems to work like it's supposed to! I read carefully, but when I try the stuff, there is always a difference!

 

You are away for a few days, so for now I think I will uninstall Java and Adobe Reader, delete stuff with game names on it (if I am able :( ) and try to put back a free AV.

I'm disappointed; maybe I'm not intelligent enough to clean my computer with you. :( It's complicated!


Hi M! :)

 

Thanks for encouraging me.

 

It's the keyboard settings that seem to change while I am in the recovery console. I need to type '1' to begin, but when I pressed the '1' button it made this: & and I tried all the numbers and they made something else, but not the right thing. I even tried the letters, and 75% of the time it's not the letter it's supposed to write.


  • Root Admin

Do you have access to another keyboard? 

 

We can try to run some other tools and see what we can find, but as said that is a bit odd that you can't check the drive.

 

See if you can download the Seagate Tools for Windows and run that to test the drive.

 

http://www.seagate.com/support/downloads/seatools/

 

Or try the Western Digital Tools - click the Download button.

http://support.wdc.com/product/download.asp?groupid=606&sid=3&lang=en

 

See if they find anything wrong with the hard drive and let me know.


Hi M. :)

 

I ran the check disk the other day in the Windows tool; it ran when the computer rebooted, before Windows started. It's in a blue screen, but when it's done the results appear for just a few seconds.

 

It seems the one in the run command is the same, but we can see the results. So I tried to type just: chkdsk c: to see, without doing anything.. here are the results.

 

Execution of CHKDSK in read-only mode.

 

CHKDSK checking files (step 1 of 3)...

The verification of files is done.

CHKDSK checking index (step 2 of 3)...

The verification of index is done.

CHKDSK checking security descriptors (step 3 of 3)...

The verification of security descriptors is done.

CHKDSK checking USN journal...

Verification of USN journal done.

Correction into the volume card.

Windows has detected problems in the file system.

Execute CHKDSK with the /f option to correct them.

 

39070048 Ko total disk space.

12652060 Ko in 32164 files.

11244 Ko in 2314 index.

0 Ko in bad sectors.

154120 used by the system.

65536 Ko used by the journal file.

26252624 Ko free on the disk.

 

4096 bytes in each allocation unit.

9767512 allocation units total on the disk.

6563156 free allocation units on the disk.

 

Waiting for your instructions :)


Hi M. :)

 

It's done. The chkdsk ran in the blue window, and this time it took about 25 minutes to check the disk. The results went by too fast to be able to see them. You will need to tell me the path to go find those results.

 

After the reboot, the blue window appeared to tell me that I had previously run a chkdsk and that the disk was clean. After that, Windows started normally.

 

Waiting for your instructions.


Hi M. :)

 

Here are the chkdsk results. Do you want me to translate the results, or is it OK?

 

Type de l'événement : Informations
Source de l'événement : Winlogon
Catégorie de l'événement : Aucun
ID de l'événement : 1001
Date :  2013-08-31
Heure :  03:57:27
Utilisateur : N/A
Ordinateur : IBMCAMRESEAU
Description :
Vérification du système de fichiers sur C:
Le type du système de fichiers est NTFS.
Le nom de volume est IBM-PC.

Une vérification de disque a été planifiée.
Windows va maintenant vérifier le disque.               
Nettoyage en cours de 16 entrées d'index inutilisées à partir de l'index $SII du fichier 0x9.
Nettoyage en cours de 16 entrées d'index inutilisées à partir de l'index $SDH du fichier 0x9.
Nettoyage en cours de 16 descripteurs de sécurité non utilisés.
CHKDSK vérifie le journal USN...
Vérification du journal USN terminée.
CHKDSK est en train de vérifier les données du fichier (étape 4 de 5)...
La vérification des données du fichier est terminée.
CHKDSK est en train de vérifier l'espace libre (étape 5 de 5)...
La vérification de l'espace libre est terminée.

  39070048 Ko d'espace disque au total.
  12655120 Ko dans 32527 fichiers.
     11412 Ko dans 2316 index.
         0 Ko dans des secteurs défectueux.
    154376 Ko utilisés par le système.
     65536 Ko occupés par le fichier journal.
  26249140 Ko disponibles sur le disque.

      4096 octets dans chaque unité d'allocation.
   9767512 unités d'allocation au total sur le disque.
   6562285 unités d'allocation disponibles sur le disque.

Informations internes :
d0 40 01 00 27 88 00 00 95 b8 00 00 00 00 00 00  .@..'...........
ce 00 00 00 00 00 00 00 e8 05 00 00 00 00 00 00  ................
86 95 03 04 00 00 00 00 70 ae e9 10 00 00 00 00  ........p.......
8c fc f7 10 00 00 00 00 6e db 06 cc 01 00 00 00  ........n.......
0e 12 10 bf 01 00 00 00 72 e2 0c b9 03 00 00 00  ........r.......
b0 bd 61 b2 00 00 00 00 10 38 07 00 0f 7f 00 00  ..a......8......
00 00 00 00 00 40 68 04 03 00 00 00 0c 09 00 00  .....@h.........

Windows a terminé la vérification de votre disque.
Veuillez patienter pendant le redémarrage de votre ordinateur.

Pour plus d'informations, consultez le centre Aide et support à l'adresse http://go.microsoft.com/fwlink/events.asp.

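The read-only run posted earlier and the event-log entry just above carry the same kind of CHKDSK summary, and the numbers in it can be checked rather than eyeballed. The following Python script is an added example, not part of this thread and not a Microsoft or Malwarebytes tool: it parses the XP-era CHKDSK summary in the French form posted here and in the standard English wording (the English strings are my assumption of the usual chkdsk text), reconciles the space and allocation-unit figures, and reports whether the volume was flagged for a /F or /R run. The first sample input is the summary block from the event log above; the second is a constructed English rendering of the read-only run's numbers with the dirty-volume notice.

```python
import re

# Field patterns for the XP-era CHKDSK summary. The French wording is the one
# posted in this thread; the English alternatives are my assumption of the
# standard chkdsk text and were not copied from the thread.
FIELDS = {
    "total_kb":    r"^\s*(\d+) (?:Ko|KB) (?:d'espace disque au total|total disk space)",
    "files_kb":    r"^\s*(\d+) (?:Ko|KB) (?:dans|in) \d+ (?:fichiers|files)\b",
    "index_kb":    r"^\s*(\d+) (?:Ko|KB) (?:dans|in) \d+ (?:index|indexes)\b",
    "bad_kb":      r"^\s*(\d+) (?:Ko|KB) (?:dans des secteurs défectueux|in bad sectors)",
    "system_kb":   r"^\s*(\d+) (?:Ko|KB) (?:utilisés par le système|in use by the system)",
    "log_kb":      r"^\s*(\d+) (?:Ko|KB) (?:occupés par le fichier journal|occupied by the log file)",
    "free_kb":     r"^\s*(\d+) (?:Ko|KB) (?:disponibles sur le disque|available on disk)",
    "unit_bytes":  r"^\s*(\d+) (?:octets|bytes) (?:dans chaque unité d'allocation|in each allocation unit)",
    "units_total": r"^\s*(\d+) (?:unités d'allocation au total|total allocation units)",
    "units_free":  r"^\s*(\d+) (?:unités d'allocation disponibles|allocation units available)",
}

# chkdsk prints a "found problems" notice only when the volume needs a /F (or /R)
# pass; the French variant is my assumption of the localized text.
DIRTY = re.compile(
    r"problems (?:with|in) the files? system|problèmes dans le système de fichiers", re.I)


def parse_chkdsk_summary(text):
    """Extract the numeric summary lines into a dict of ints (KB unless noted)."""
    summary = {}
    for name, pattern in FIELDS.items():
        m = re.search(pattern, text, re.M)
        if m:
            summary[name] = int(m.group(1))
    missing = [name for name in FIELDS if name not in summary]
    if missing:
        raise ValueError("summary incomplete, missing: " + ", ".join(missing))
    summary["needs_fix"] = bool(DIRTY.search(text))
    return summary


def reconcile(s):
    """Cross-check the figures; returns a list of discrepancies (empty = consistent)."""
    issues = []
    # "in use by the system" already includes the NTFS log file, so it is not added twice
    accounted = s["files_kb"] + s["index_kb"] + s["bad_kb"] + s["system_kb"] + s["free_kb"]
    if accounted != s["total_kb"]:
        issues.append(f"space: {accounted} KB accounted for vs {s['total_kb']} KB total")
    unit_kb = s["unit_bytes"] // 1024
    if s["total_kb"] // unit_kb != s["units_total"]:
        issues.append("total allocation units do not match total space")
    if s["free_kb"] // unit_kb != s["units_free"]:
        issues.append("free allocation units do not match free space")
    return issues


def assess(text):
    """Parse, reconcile and turn the result into the next action a helper would suggest."""
    s = parse_chkdsk_summary(text)
    issues = reconcile(s)
    if s["needs_fix"]:
        advice = "volume flagged dirty: run CHKDSK C: /R from the Recovery Console"
    elif s["bad_kb"] > 0:
        advice = "bad sectors reported: test the drive with the vendor tool"
    elif issues:
        advice = "figures do not reconcile: re-run chkdsk and compare"
    else:
        advice = "clean"
    return {"summary": s, "issues": issues, "advice": advice}


# Summary block from the event-log entry posted in this thread (French XP output).
FRENCH_LOG = """\
  39070048 Ko d'espace disque au total.
  12655120 Ko dans 32527 fichiers.
     11412 Ko dans 2316 index.
         0 Ko dans des secteurs défectueux.
    154376 Ko utilisés par le système.
     65536 Ko occupés par le fichier journal.
  26249140 Ko disponibles sur le disque.

      4096 octets dans chaque unité d'allocation.
   9767512 unités d'allocation au total sur le disque.
   6562285 unités d'allocation disponibles sur le disque.
"""

# Constructed: the read-only run's numbers from this thread, rendered in the
# English chkdsk wording (assumed standard text), including the dirty-volume notice.
ENGLISH_READONLY = """\
Windows found problems with the file system.
Run CHKDSK with the /F (fix) option to correct these.

  39070048 KB total disk space.
  12652060 KB in 32164 files.
     11244 KB in 2314 indexes.
         0 KB in bad sectors.
    154120 KB in use by the system.
     65536 KB occupied by the log file.
  26252624 KB available on disk.

      4096 bytes in each allocation unit.
   9767512 total allocation units on disk.
   6563156 allocation units available on disk.
"""

if __name__ == "__main__":
    for label, log in (("event log", FRENCH_LOG), ("read-only run", ENGLISH_READONLY)):
        r = assess(log)
        print(label, "->", r["advice"], r["issues"])
```

Both samples reconcile exactly (files + index + bad sectors + system + free equals the total, and total and free divided by the 4 KB cluster size give the allocation-unit counts), which is the quick sanity check that the numbers were transcribed correctly; only the read-only run carries the "found problems" notice that justified the later CHKDSK C: /R.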

  • Root Admin

Hi there,

 

Okay, well that's good to see you were able to run it. No issues found, so I assume that if any were found it was from a previous run.

 

So now that we have that out of the way, how is the computer running now and what issues do you still have left that you need assistance with?


Hehe, Hi m. :)

 

Again, thanks for all the help and patience you gave me :)

 

The computer is running well, I think. CPU use is very low, internet fast.. The processes seem OK too. The spool is still loading again, but maybe it's because of the TROJAN TRACUR.S that's been added to the task manager; but I've disabled it from RUN, SERVICES.

 

Hmm, I'm happy for the help you gave with the Avira AV. Like I said, the error when booting is gone, but I still have keys in the REGISTRY named AVIRA and AVG. I don't know if it's OK; I know it was interfering just when I was using COMBOFIX. ... So do you think it will still interfere with other AVs?

 

And, because they were TROJANS, do you think my computer is as safe as before?

 

.... Nothing happens for nothing. I like computers and I will follow the training to be able to clean a computer like you do! :D (If I'm accepted!) I will follow it on SECURITY-X because I'm a French woman.

 

If nothing needs to be done, I thank you again for all your PATIENCE and good work. bye bye! :D


  • Root Admin

Well with the CHKDSK run we should be able to rule out any disk issue for removal.

 

Please run the following again and we'll see if we can remove some more items.

 

Getting late here for me so I'll probably be leaving soon but will check back in with you when I can.

 

Please visit this webpage and read the ComboFix User's Guide:

  • Once you've read the article and are ready to use the program you can download it directly from the link below.
  • Important! - Please make sure you save combofix to your desktop and do not run it from your browser
  • Direct download link for: ComboFix.exe
  • Please make sure you disable your security applications before running ComboFix.
  • Once Combofix has completed it will produce and open a log file.  Please be patient as it can take some time to load.
  • Please attach that log file to your next reply.
  • If needed the file can be located here:  C:\combofix.txt
  • NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer.


 


Hi M. :)

 

I ran ComboFix and it warned me again about AnTiVir still scanning and the possible damage to the machine.

 

Here are the results; and just to inform you, finally I put back COMODO AV because you said that MBAM was taking a lot of resources on an old computer and COMODO is cheaper. I hope it's not a problem.

 

Thanks, waiting for your instructions.

 

.... hmm, sorry for not attaching the results, but I can't find them with the attach...

 

 

ComboFix 13-09-01.02 - home 2013-09-02   5:13.4.2 - x86
Microsoft Windows XP Professionnel  5.1.2600.3.1252.2.1036.18.2015.1464 [GMT -4:00]
Lancé depuis: c:\documents and settings\home\Bureau\ComboFix.exe
AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
AV: COMODO Antivirus *Disabled/Updated* {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
FW: COMODO Firewall *Disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.
.
(((((((((((((((((((((((((((((   Fichiers créés du 2013-08-02 au 2013-09-02  ))))))))))))))))))))))))))))))))))))
.
.
2013-09-02 08:54 . 2013-09-02 08:54 -------- d-----w- c:\documents and settings\home\Application Data\Comodo
2013-09-02 08:21 . 2013-09-02 08:21 -------- d-----w- c:\program files\Fichiers communs\COMODO
2013-09-02 08:08 . 2013-09-02 08:58 58400 ----a-w- c:\windows\system32\drivers\sfi.dat
2013-09-02 08:06 . 2013-09-02 08:07 -------- d-s---w- c:\documents and settings\All Users\Application Data\Shared Space
2013-09-02 07:13 . 2013-09-02 07:13 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\COMODO
2013-09-02 07:13 . 2013-09-02 07:13 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\COMODO
2013-09-02 07:10 . 2013-09-02 07:10 48392 ----a-w- c:\windows\system32\certsentry.dll
2013-09-02 07:07 . 2013-09-02 07:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo Downloader
2013-08-28 16:30 . 2013-08-28 16:30 -------- d--h--w- c:\windows\PIF
2013-08-20 02:25 . 2013-08-20 02:29 -------- d-----w- c:\program files\ERUNT
2013-08-19 07:47 . 2013-08-25 21:28 -------- d-----w- C:\FRST
2013-08-19 00:35 . 2013-08-19 01:35 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
2013-08-16 20:10 . 2013-08-16 20:10 -------- d-----w- c:\windows\Logs
2013-08-16 19:41 . 2013-08-16 19:42 -------- d-----w- c:\windows\system32\NtmsData
2013-08-16 19:34 . 2013-08-16 19:34 -------- d-----w- C:\boot
2013-08-16 19:34 . 2013-08-28 16:34 -------- d-----w- c:\program files\Macrium
2013-08-16 19:27 . 2013-08-16 20:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Macrium
2013-08-08 01:11 . 2013-08-08 01:33 -------- d-----w- c:\documents and settings\home\Local Settings\Application Data\Brain Games Mahjongg Files
2013-08-08 00:55 . 2013-08-08 00:55 -------- d-----w- c:\documents and settings\home\Application Data\pixelStorm
2013-08-07 16:43 . 2013-08-07 16:43 -------- d-----w- c:\documents and settings\home\Local Settings\Application Data\JollyBear
2013-08-07 16:43 . 2013-08-07 16:43 -------- d-----w- c:\documents and settings\All Users\Application Data\JollyBear
2013-08-07 16:29 . 2013-08-07 16:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Casual Box
2013-08-07 14:47 . 2013-08-07 14:47 -------- d-----w- c:\documents and settings\home\Saved Games
2013-08-07 05:05 . 2013-08-07 05:05 -------- d-----w- c:\documents and settings\home\Application Data\AlawarEntertainment
2013-08-07 05:02 . 2013-08-08 16:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Big Fish
2013-08-07 05:01 . 2013-08-07 05:02 -------- d-----w- c:\documents and settings\home\Local Settings\Application Data\Big Fish
2013-08-07 05:01 . 2013-08-08 16:14 -------- d-----w- c:\documents and settings\All Users\Application Data\BigFishCache
2013-08-07 04:13 . 2013-08-07 04:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Solid State Networks
.
.
.
((((((((((((((((((((((((((((((((((   Compte-rendu de Find3M   ))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-07-09 01:59 . 2013-07-09 01:59 587352 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2013-06-28 20:02 . 2013-06-28 20:02 16504 ----a-w- c:\windows\system32\drivers\pssnap.sys
2013-06-18 20:16 . 2013-06-18 20:16 99520 ----a-w- c:\windows\system32\drivers\inspect.sys
2013-06-18 20:16 . 2013-06-18 20:16 32816 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2013-06-18 20:16 . 2013-06-18 20:16 18528 ----a-w- c:\windows\system32\drivers\cmderd.sys
2013-06-18 20:15 . 2013-06-18 20:15 35488 ----a-w- c:\windows\system32\cmdcsr.dll
2013-06-18 20:15 . 2013-06-18 20:15 348584 ----a-w- c:\windows\system32\guard32.dll
2013-06-18 20:15 . 2013-06-18 20:15 40664 ----a-w- c:\windows\system32\cmdkbd32.dll
2013-06-18 20:15 . 2013-06-18 20:15 278232 ----a-w- c:\windows\system32\cmdvrt32.dll
.
.
(((((((((((((((((((((((((((((((((   Points de chargement Reg   ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SkinClock"="c:\program files\Atomic Alarm Clock\AtomicAlarmClock.exe" [2008-09-30 1740288]
"Gadwin PrintScreen"="c:\program files\Gadwin Systems\PrintScreen\PrintScreen.exe" [2012-05-30 1842384]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cistray.exe" [2013-07-09 1464536]
"gbrspcontrol"="c:\program files\Fichiers communs\COMODO\GeekBuddyRSP.exe" [2013-05-30 1851088]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\
Start GeekBuddy.lnk - c:\program files\Comodo\GeekBuddy\launcher.exe "unit_manager.exe" [2013-7-24 49360]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\program files\Fichiers communs\Comodo\GeekBuddyRSP.exe"= c:\program files\Fichiers communs\Comodo\GeekBuddyRSP.exe:127.0.0.1/255.255.255.255:Enabled:GeekBuddy RSP
"c:\\Program Files\\File Type Assistant\\TSAssist.exe"=
"c:\\Program Files\\FinalMediaPlayer\\FMPCheckForUpdates.exe"=
.
R1 CFRMD;CFRMD;c:\windows\system32\drivers\CFRMD.sys [07/05/2013 03:00 36112]
R1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\drivers\cmderd.sys [18/06/2013 16:16 18528]
R1 cmdGuard;COMODO Internet Security Driver;c:\windows\system32\drivers\cmdGuard.sys [08/07/2013 21:59 587352]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [18/06/2013 16:16 32816]
R2 CLPSLauncher;COMODO LPS Launcher;c:\program files\Fichiers communs\COMODO\launcher_service.exe [24/07/2013 08:50 70352]
R2 DragonUpdater;COMODO Dragon Update Service;c:\program files\Comodo\Dragon\dragon_updater.exe [01/08/2013 07:20 2095808]
R2 GeekBuddyRSP;GeekBuddyRSP Service;c:\program files\Fichiers communs\COMODO\GeekBuddyRSP.exe [30/05/2013 08:47 1851088]
R2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;c:\windows\system32\IPROSetMonitor.exe [30/03/2011 12:09 109728]
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [08/04/2013 19:47 418376]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [08/04/2013 19:47 22856]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [08/04/2013 19:47 701512]
S3 ADM8511;Belkin USB Ethernet Adapter;c:\windows\system32\drivers\NET8511.SYS [30/03/2011 11:44 24424]
S3 cmdvirth;COMODO Virtual Service Manager;c:\program files\Comodo\COMODO Internet Security\cmdvirth.exe [18/06/2013 16:15 127192]
S3 WIMMount;WIMMount;\??\c:\program files\Macrium\Reflect\wimmount.sys --> c:\program files\Macrium\Reflect\wimmount.sys [?]
.
--- Autres Services/Pilotes en mémoire ---
.
*NewlyCreated* - CLPSLAUNCHER
*NewlyCreated* - FLKZJG
*NewlyCreated* - GEEKBUDDYRSP
.
Contenu du dossier 'Tâches planifiées'
.
2013-09-02 c:\windows\Tasks\COMODO Cache Builder {0FB77674-7905-4F34-A362-C5A9A26F8CF9}.job
- c:\program files\COMODO\COMODO Internet Security\cfpconfg.exe [2013-07-09 01:59]
.
2013-09-02 c:\windows\Tasks\COMODO Scan {F140D794-60B6-4F00-9235-D6457AA25B22}.job
- c:\program files\COMODO\COMODO Internet Security\cfpconfg.exe [2013-07-09 01:59]
.
2013-09-02 c:\windows\Tasks\COMODO Signature Update {B9D5C6F9-17D2-4917-8BD0-614BAA1C6A59}.job
- c:\program files\COMODO\COMODO Internet Security\cfpconfg.exe [2013-07-09 01:59]
.
2013-09-02 c:\windows\Tasks\COMODO Update {A6D52E4F-569B-4756-B3D8-DF217313DA85}.job
- c:\program files\COMODO\COMODO Internet Security\cfpconfg.exe [2013-07-09 01:59]
.
2013-09-02 c:\windows\Tasks\Final Media Player Update Checker.job
- c:\program files\FinalMediaPlayer\FMPCheckForUpdates.exe [2013-04-10 21:24]
.
2013-08-31 c:\windows\Tasks\ProgramRefresh-ATFST.job
- c:\program files\File Type Assistant\TSASetup.exe [2013-04-10 01:18]
.
2013-09-02 c:\windows\Tasks\ProgramUpdateCheck.job
- c:\program files\File Type Assistant\tsassist.exe [2013-04-10 17:09]
.
.
------- Examen supplémentaire -------
.


TCP: DhcpNameServer = 24.201.245.77 24.200.0.1 24.53.0.2
TCP: Interfaces\{E09B6166-8D26-46DF-B5DC-F2814CD3551F}: NameServer = 156.154.70.25,156.154.71.25
.
- - - - ORPHELINS SUPPRIMES - - - -
.
Toolbar-Locked - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-09-02 05:30
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwClose
.
Recherche de processus cachés ...
.
Recherche d'éléments en démarrage automatique cachés ...
.
Recherche de fichiers cachés ...
.
Scan terminé avec succès
Fichiers cachés: 0
.
**************************************************************************
.
--------------------- CLES DE REGISTRE BLOQUEES ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
"v5Licence0"="15-YKNE-76RZ-ZWT9-D88T-YNWW-P4V9WWS"
"Activated"="N"
.
--------------------- DLLs chargées dans les processus actifs ---------------------
.
- - - - - - - > 'lsass.exe'(776)
c:\windows\system32\guard32.dll
c:\windows\system32\mswsock.dll
c:\windows\System32\wshtcpip.dll
.
- - - - - - - > 'explorer.exe'(3724)
c:\windows\system32\guard32.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\eappprxy.dll
c:\windows\system32\WS2_32.dll
c:\windows\system32\WS2HELP.dll
c:\windows\system32\MPR.dll
.
- - - - - - - > 'csrss.exe'(692)
c:\windows\system32\cmdcsr.dll
.
Heure de fin: 2013-09-02  05:37:35
ComboFix-quarantined-files.txt  2013-09-02 09:37
ComboFix2.txt  2013-08-23 16:02
ComboFix3.txt  2013-08-23 01:50
ComboFix4.txt  2013-08-19 07:03
.
Avant-CF: 26 238 799 872 octets libres
Après-CF: 26 326 863 872 octets libres
.
- - End Of File - - 0F6096607786BCA9C8024A92F33E21E6
C99C3199CFAA4CBDCD91493F6D113A50
 

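The helper reads a ComboFix log like the one above by section: the Run keys, the firewall policy, the service list, the *NewlyCreated* entries and the catchme rootkit scan. As an added example, not part of this thread and not a ComboFix or Malwarebytes tool, the following Python script parses those sections from a constructed excerpt laid out like the logs posted here and lists the points a helper would look at first. The triage heuristics (built-in firewall policy off, a newly created service with no matching service entry, an NTDLL code modification, an autorun launched from a user-writable profile path) are my own choices for illustration, not anything ComboFix itself reports as a verdict.

```python
import re

# Constructed excerpt laid out like the ComboFix logs posted in this thread
# (same section markers and line shapes, entries trimmed to a handful).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SkinClock"="c:\program files\Atomic Alarm Clock\AtomicAlarmClock.exe" [2008-09-30 1740288]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cistray.exe" [2013-07-09 1464536]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
R1 cmdGuard;COMODO Internet Security Driver;c:\windows\system32\drivers\cmdGuard.sys [08/07/2013 21:59 587352]
R2 CLPSLauncher;COMODO LPS Launcher;c:\program files\Fichiers communs\COMODO\launcher_service.exe [24/07/2013 08:50 70352]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [08/04/2013 19:47 701512]
.
--- Autres Services/Pilotes en mémoire ---
.
*NewlyCreated* - CLPSLAUNCHER
*NewlyCreated* - FLKZJG
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
.
detected NTDLL code modification:
ZwClose
.
Fichiers cachés: 0
"""

AUTORUN = re.compile(r'^"([^"]+)"="([^"]+)" \[(\S+) (\d+)\]$')
SERVICE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+?) \[")


def parse_combofix(text):
    """Walk the log line by line; a lone '.' ends whatever section is open."""
    out = {"autoruns": [], "services": [], "new_services": [],
           "ntdll_modifications": [], "firewall_enabled": None, "hidden_files": None}
    current_key = None   # registry key whose values we are inside, if any
    in_ntdll = False     # inside the catchme "detected NTDLL code modification" list
    for raw in text.splitlines():
        line = raw.rstrip()
        if line == ".":
            current_key, in_ntdll = None, False
            continue
        if line.startswith("detected NTDLL code modification:"):
            in_ntdll = True
            continue
        if in_ntdll:
            out["ntdll_modifications"].append(line)
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current_key = m.group(1)
            continue
        if current_key and current_key.lower().endswith("\\run"):
            m = AUTORUN.match(line)
            if m:
                out["autoruns"].append({"hive": current_key.split("\\")[0], "name": m.group(1),
                                        "path": m.group(2), "date": m.group(3), "size": int(m.group(4))})
            continue
        if current_key and "firewallpolicy" in current_key.lower():
            m = re.match(r'^"EnableFirewall"=\s*(\d+)', line)
            if m:
                out["firewall_enabled"] = m.group(1) != "0"
            continue
        m = SERVICE.match(line)
        if m:
            out["services"].append({"state": m.group(1), "name": m.group(2), "path": m.group(4)})
            continue
        m = re.match(r"^\*NewlyCreated\* - (\S+)$", line)
        if m:
            out["new_services"].append(m.group(1))
            continue
        m = re.match(r"^Fichiers cachés: (\d+)$", line)
        if m:
            out["hidden_files"] = int(m.group(1))
    return out


def triage(parsed):
    """Heuristic review points (my choices, not ComboFix verdicts)."""
    findings = []
    if parsed["firewall_enabled"] is False:
        findings.append("firewall: EnableFirewall=0, the built-in Windows Firewall is off; "
                        "confirm a third-party firewall is really running")
    known = {s["name"].upper() for s in parsed["services"]}
    for name in parsed["new_services"]:
        if name.upper() not in known:
            findings.append(f"service: *NewlyCreated* {name} has no service entry in the log; identify it manually")
    if parsed["ntdll_modifications"]:
        findings.append("hook: catchme reports NTDLL code modification of "
                        + ", ".join(parsed["ntdll_modifications"])
                        + "; attribute it to an installed security product or investigate")
    for a in parsed["autoruns"]:
        if "documents and settings" in a["path"].lower():
            findings.append(f"autorun: {a['name']} runs from a user-writable location ({a['path']})")
    return findings


if __name__ == "__main__":
    for f in triage(parse_combofix(SAMPLE_LOG)):
        print("-", f)
```

On the sample this yields three review points: the XP firewall policy is off (which matters only if the third-party firewall shown as *Disabled* in the header is not actually filtering), the FLKZJG entry under *NewlyCreated* has no matching service line and so needs a manual look, and the ZwClose modification has to be matched to whichever product hooks ntdll before it is treated as hostile.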

  • Root Admin

Well, it's not good to switch/change antivirus in the middle of logs as it alters their outcome, but it is what it is, so just go ahead and leave it.

 

The service for Avira appears to finally be gone so now we should be able to remove the WMI entry.

 

Please save the attached file CFScript.txt to the same location as Combofix.  Then close your browser and drag and drop CFScript.txt onto Combofix to run it.   When done please post back the new log.

 

 

NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer.

 

CFScript.txt


Hi M. :)

 

Oh, I'm really sorry. :( When I began here I had Comodo AV and we removed it in the middle of the process because something caused a problem.

But a few posts ago, I told you I would put an AV back on and you said nothing about it, so I thought it was OK; I just put back Comodo.

I was afraid of not being protected for a while; I'm really sorry if it interfered with your work here.

 

I ran ComboFix. Same warning about the real-time scan active, AntiVir Desktop.

 

Here are the results.... hehe, AntiVir seems gone!! :D

 

ComboFix 13-09-02.02 - home 2013-09-03  21:55:58.5.2 - x86
Microsoft Windows XP Professionnel  5.1.2600.3.1252.2.1036.18.2015.1596 [GMT -4:00]
Lancé depuis: c:\documents and settings\home\Bureau\ComboFix.exe
Commutateurs utilisés :: c:\documents and settings\home\Bureau\CFScript.txt
AV: COMODO Antivirus *Disabled/Updated* {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
FW: COMODO Firewall *Disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.
.
(((((((((((((((((((((((((((((   Fichiers créés du 2013-08-04 au 2013-09-04  ))))))))))))))))))))))))))))))))))))
.
.
2013-09-02 08:54 . 2013-09-02 08:54 -------- d-----w- c:\documents and settings\home\Application Data\Comodo
2013-09-02 08:21 . 2013-09-02 08:21 -------- d-----w- c:\program files\Fichiers communs\COMODO
2013-09-02 08:08 . 2013-09-04 01:44 95792 ----a-w- c:\windows\system32\drivers\sfi.dat
2013-09-02 08:06 . 2013-09-02 08:07 -------- d-s---w- c:\documents and settings\All Users\Application Data\Shared Space
2013-09-02 07:13 . 2013-09-02 07:13 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\COMODO
2013-09-02 07:13 . 2013-09-02 07:13 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\COMODO
2013-09-02 07:10 . 2013-09-02 07:10 48392 ----a-w- c:\windows\system32\certsentry.dll
2013-09-02 07:07 . 2013-09-02 07:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo Downloader
2013-08-28 16:30 . 2013-08-28 16:30 -------- d--h--w- c:\windows\PIF
2013-08-20 02:25 . 2013-08-20 02:29 -------- d-----w- c:\program files\ERUNT
2013-08-19 07:47 . 2013-08-25 21:28 -------- d-----w- C:\FRST
2013-08-19 00:35 . 2013-08-19 01:35 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
2013-08-16 20:10 . 2013-08-16 20:10 -------- d-----w- c:\windows\Logs
2013-08-16 19:41 . 2013-08-16 19:42 -------- d-----w- c:\windows\system32\NtmsData
2013-08-16 19:34 . 2013-08-16 19:34 -------- d-----w- C:\boot
2013-08-16 19:34 . 2013-08-28 16:34 -------- d-----w- c:\program files\Macrium
2013-08-16 19:27 . 2013-08-16 20:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Macrium
2013-08-08 01:11 . 2013-08-08 01:33 -------- d-----w- c:\documents and settings\home\Local Settings\Application Data\Brain Games Mahjongg Files
2013-08-08 00:55 . 2013-08-08 00:55 -------- d-----w- c:\documents and settings\home\Application Data\pixelStorm
2013-08-07 16:43 . 2013-08-07 16:43 -------- d-----w- c:\documents and settings\home\Local Settings\Application Data\JollyBear
2013-08-07 16:43 . 2013-08-07 16:43 -------- d-----w- c:\documents and settings\All Users\Application Data\JollyBear
2013-08-07 16:29 . 2013-08-07 16:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Casual Box
2013-08-07 14:47 . 2013-08-07 14:47 -------- d-----w- c:\documents and settings\home\Saved Games
2013-08-07 05:05 . 2013-08-07 05:05 -------- d-----w- c:\documents and settings\home\Application Data\AlawarEntertainment
2013-08-07 05:02 . 2013-08-08 16:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Big Fish
2013-08-07 05:01 . 2013-08-07 05:02 -------- d-----w- c:\documents and settings\home\Local Settings\Application Data\Big Fish
2013-08-07 05:01 . 2013-08-08 16:14 -------- d-----w- c:\documents and settings\All Users\Application Data\BigFishCache
2013-08-07 04:13 . 2013-08-07 04:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Solid State Networks
.
.
.
((((((((((((((((((((((((((((((((((   Compte-rendu de Find3M   ))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-07-09 01:59 . 2013-07-09 01:59 587352 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2013-06-28 20:02 . 2013-06-28 20:02 16504 ----a-w- c:\windows\system32\drivers\pssnap.sys
2013-06-18 20:16 . 2013-06-18 20:16 99520 ----a-w- c:\windows\system32\drivers\inspect.sys
2013-06-18 20:16 . 2013-06-18 20:16 32816 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2013-06-18 20:16 . 2013-06-18 20:16 18528 ----a-w- c:\windows\system32\drivers\cmderd.sys
2013-06-18 20:15 . 2013-06-18 20:15 35488 ----a-w- c:\windows\system32\cmdcsr.dll
2013-06-18 20:15 . 2013-06-18 20:15 348584 ----a-w- c:\windows\system32\guard32.dll
2013-06-18 20:15 . 2013-06-18 20:15 40664 ----a-w- c:\windows\system32\cmdkbd32.dll
2013-06-18 20:15 . 2013-06-18 20:15 278232 ----a-w- c:\windows\system32\cmdvrt32.dll
.
.
(((((((((((((((((((((((((((((((((   Points de chargement Reg   ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SkinClock"="c:\program files\Atomic Alarm Clock\AtomicAlarmClock.exe" [2008-09-30 1740288]
"Gadwin PrintScreen"="c:\program files\Gadwin Systems\PrintScreen\PrintScreen.exe" [2012-05-30 1842384]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cistray.exe" [2013-07-09 1464536]
"gbrspcontrol"="c:\program files\Fichiers communs\COMODO\GeekBuddyRSP.exe" [2013-05-30 1851088]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\
Start GeekBuddy.lnk - c:\program files\Comodo\GeekBuddy\launcher.exe "unit_manager.exe" [2013-7-24 49360]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\program files\Fichiers communs\Comodo\GeekBuddyRSP.exe"= c:\program files\Fichiers communs\Comodo\GeekBuddyRSP.exe:127.0.0.1/255.255.255.255:Enabled:GeekBuddy RSP
"c:\\Program Files\\File Type Assistant\\TSAssist.exe"=
"c:\\Program Files\\FinalMediaPlayer\\FMPCheckForUpdates.exe"=
.
R1 CFRMD;CFRMD;c:\windows\system32\drivers\CFRMD.sys [07/05/2013 03:00 36112]
R1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\drivers\cmderd.sys [18/06/2013 16:16 18528]
R1 cmdGuard;COMODO Internet Security Driver;c:\windows\system32\drivers\cmdGuard.sys [08/07/2013 21:59 587352]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [18/06/2013 16:16 32816]
R2 CLPSLauncher;COMODO LPS Launcher;c:\program files\Fichiers communs\COMODO\launcher_service.exe [24/07/2013 08:50 70352]
R2 DragonUpdater;COMODO Dragon Update Service;c:\program files\Comodo\Dragon\dragon_updater.exe [01/08/2013 07:20 2095808]
R2 GeekBuddyRSP;GeekBuddyRSP Service;c:\program files\Fichiers communs\COMODO\GeekBuddyRSP.exe [30/05/2013 08:47 1851088]
R2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;c:\windows\system32\IPROSetMonitor.exe [30/03/2011 12:09 109728]
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [08/04/2013 19:47 418376]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [08/04/2013 19:47 22856]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [08/04/2013 19:47 701512]
S3 ADM8511;Belkin USB Ethernet Adapter;c:\windows\system32\drivers\NET8511.SYS [30/03/2011 11:44 24424]
S3 cmdvirth;COMODO Virtual Service Manager;c:\program files\Comodo\COMODO Internet Security\cmdvirth.exe [18/06/2013 16:15 127192]
S3 WIMMount;WIMMount;\??\c:\program files\Macrium\Reflect\wimmount.sys --> c:\program files\Macrium\Reflect\wimmount.sys [?]
.
Contenu du dossier 'Tâches planifiées'
.
2013-09-04 c:\windows\Tasks\COMODO Cache Builder {0FB77674-7905-4F34-A362-C5A9A26F8CF9}.job
- c:\program files\COMODO\COMODO Internet Security\cfpconfg.exe [2013-07-09 01:59]
.
2013-09-04 c:\windows\Tasks\COMODO Scan {F140D794-60B6-4F00-9235-D6457AA25B22}.job
- c:\program files\COMODO\COMODO Internet Security\cfpconfg.exe [2013-07-09 01:59]
.
2013-09-04 c:\windows\Tasks\COMODO Signature Update {B9D5C6F9-17D2-4917-8BD0-614BAA1C6A59}.job
- c:\program files\COMODO\COMODO Internet Security\cfpconfg.exe [2013-07-09 01:59]
.
2013-09-04 c:\windows\Tasks\COMODO Update {A6D52E4F-569B-4756-B3D8-DF217313DA85}.job
- c:\program files\COMODO\COMODO Internet Security\cfpconfg.exe [2013-07-09 01:59]
.
2013-09-04 c:\windows\Tasks\Final Media Player Update Checker.job
- c:\program files\FinalMediaPlayer\FMPCheckForUpdates.exe [2013-04-10 21:24]
.
2013-08-31 c:\windows\Tasks\ProgramRefresh-ATFST.job
- c:\program files\File Type Assistant\TSASetup.exe [2013-04-10 01:18]
.
2013-09-04 c:\windows\Tasks\ProgramUpdateCheck.job
- c:\program files\File Type Assistant\tsassist.exe [2013-04-10 17:09]
.
.
------- Examen supplémentaire -------
.


TCP: DhcpNameServer = 24.201.245.77 24.200.0.1 24.53.0.2
TCP: Interfaces\{E09B6166-8D26-46DF-B5DC-F2814CD3551F}: NameServer = 156.154.70.25,156.154.71.25
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-09-03 22:07
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwClose
.
Recherche de processus cachés ...
.
Recherche d'éléments en démarrage automatique cachés ...
.
Recherche de fichiers cachés ...
.
Scan terminé avec succès
Fichiers cachés: 0
.
**************************************************************************
.
--------------------- CLES DE REGISTRE BLOQUEES ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
"v5Licence0"="15-YKNE-76RZ-ZWT9-D88T-YNWW-P4V9WWS"
"Activated"="N"
.
--------------------- DLLs chargées dans les processus actifs ---------------------
.
- - - - - - - > 'lsass.exe'(780)
c:\windows\system32\guard32.dll
c:\windows\system32\mswsock.dll
c:\windows\System32\wshtcpip.dll
.
- - - - - - - > 'explorer.exe'(1128)
c:\windows\system32\guard32.dll
c:\windows\system32\eappprxy.dll
c:\windows\system32\WS2_32.dll
c:\windows\system32\WS2HELP.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\MPR.dll
.
- - - - - - - > 'csrss.exe'(696)
c:\windows\system32\cmdcsr.dll
.
Heure de fin: 2013-09-03  22:12:47
ComboFix-quarantined-files.txt  2013-09-04 02:12
ComboFix2.txt  2013-09-02 09:37
ComboFix3.txt  2013-08-23 16:02
ComboFix4.txt  2013-08-23 01:50
ComboFix5.txt  2013-09-04 01:53
.
Avant-CF: 26 337 955 840 octets libres
Après-CF: 26 334 502 912 octets libres
.
- - End Of File - - 1541004246BD9BC7A70363CA9A71674B
C99C3199CFAA4CBDCD91493F6D113A50

  • Root Admin

It's okay, no harm done.

It gave that error on first running, but if you run ComboFix again right now it should not give that error anymore.

Let me have you run the following now one more time.

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens, click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.



ok phew! :)

I ran FRST; it still seems to have some stuff about Avira :P

Here...

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 03-09-2013 03
Ran by home (administrator) on IBMCAMRESEAU on 03-09-2013 22:34:55
Running from C:\Documents and Settings\home\Bureau
Microsoft Windows XP Professionnel Service Pack 3 (X86) OS Language: French Standard
Internet Explorer Version 8
Boot Mode: Normal

==================== Processes (Whitelisted) ===================

(Comodo Security Solutions Inc.) C:\Program Files\Fichiers communs\COMODO\launcher_service.exe
(COMODO) C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
() C:\Program Files\Comodo\Dragon\dragon_updater.exe
(Comodo Security Solutions, Inc.) C:\Program Files\Fichiers communs\COMODO\GeekBuddyRSP.exe
(Intel Corporation) C:\WINDOWS\system32\IProsetMonitor.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
(Intel Corporation) C:\WINDOWS\system32\hkcmd.exe
(COMODO) C:\Program Files\COMODO\COMODO Internet Security\cistray.exe
(Comodo Security Solutions, Inc.) C:\Program Files\Fichiers communs\COMODO\GeekBuddyRSP.exe
() C:\Program Files\Atomic Alarm Clock\AtomicAlarmClock.exe
(Gadwin Systems, Inc) C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
(Comodo Security Solutions, Inc.) C:\Program Files\Comodo\GeekBuddy\unit_manager.exe
(Comodo Security Solutions, Inc.) C:\Program Files\Comodo\GeekBuddy\unit.exe
(Microsoft Corporation) C:\WINDOWS\system32\wbem\unsecapp.exe
(Microsoft Corporation) C:\WINDOWS\system32\taskmgr.exe
(COMODO) C:\Program Files\COMODO\COMODO Internet Security\cis.exe
(Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\WINDOWS\system32\wscntfy.exe
(COMODO) C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe
(COMODO) C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [COMODO Internet Security] - C:\Program Files\COMODO\COMODO Internet Security\cistray.exe [1464536 2013-07-08] (COMODO)
HKLM\...\Run: [gbrspcontrol] - C:\Program Files\Fichiers communs\COMODO\GeekBuddyRSP.exe [1851088 2013-05-30] (Comodo Security Solutions, Inc.)
Winlogon\Notify\igfxcui: igfxsrvc.dll (Intel Corporation)
HKLM\...\Policies\Explorer: [HonorAutoRunSetting] 1
HKLM\...\Policies\Explorer: [NoDriveAutoRun] 67108863
HKLM\...\Policies\Explorer: [NoDriveTypeAutoRun] 323
HKLM\...\Policies\Explorer: [NoDrives] 0
HKCU\...\Run: [skinClock] - C:\Program Files\Atomic Alarm Clock\AtomicAlarmClock.exe [1740288 2008-09-30] ()
HKCU\...\Run: [Gadwin PrintScreen] - C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe [1842384 2012-05-30] (Gadwin Systems, Inc)
HKCU\...\Policies\Explorer: [NoDriveTypeAutoRun] 323
HKCU\...\Policies\Explorer: [NoDriveAutoRun] 67108863
HKCU\...\Policies\Explorer: [NoDrives] 0
Startup: C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage\Start GeekBuddy.lnk
ShortcutTarget: Start GeekBuddy.lnk -> C:\Program Files\Comodo\GeekBuddy\launcher.exe (Comodo Security Solutions Inc.)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://ca.msn.com/defaultf.aspx?ocid=iehp
SearchScopes: HKLM - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
Toolbar: HKCU -&Adresse - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\Windows\system32\browseui.dll (Microsoft Corporation)
Toolbar: HKCU -&Liens - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\Windows\system32\SHELL32.dll (Microsoft Corporation)
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
Handler: http\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\PROGRA~1\FICHIE~1\System\OLEDB~1\MSDAIPP.DLL (Microsoft Corporation)
Handler: http\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\PROGRA~1\FICHIE~1\System\OLEDB~1\MSDAIPP.DLL (Microsoft Corporation)
Handler: https\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\PROGRA~1\FICHIE~1\System\OLEDB~1\MSDAIPP.DLL (Microsoft Corporation)
Handler: https\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\PROGRA~1\FICHIE~1\System\OLEDB~1\MSDAIPP.DLL (Microsoft Corporation)
Handler: ipp\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\PROGRA~1\FICHIE~1\System\OLEDB~1\MSDAIPP.DLL (Microsoft Corporation)
Handler: msdaipp\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\PROGRA~1\FICHIE~1\System\OLEDB~1\MSDAIPP.DLL (Microsoft Corporation)
Handler: msdaipp\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\PROGRA~1\FICHIE~1\System\OLEDB~1\MSDAIPP.DLL (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 24.201.245.77 24.200.0.1 24.53.0.2
Tcpip\..\Interfaces\{E09B6166-8D26-46DF-B5DC-F2814CD3551F}: [NameServer]156.154.70.25,156.154.71.25

========================== Services (Whitelisted) =================

R2 CLPSLauncher; C:\Program Files\Fichiers communs\COMODO\launcher_service.exe [70352 2013-07-24] (Comodo Security Solutions Inc.)
R2 cmdAgent; C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe [4801304 2013-07-08] (COMODO)
S3 cmdvirth; C:\Program Files\COMODO\COMODO Internet Security\cmdvirth.exe [127192 2013-06-18] (COMODO)
R2 DragonUpdater; C:\Program Files\Comodo\Dragon\dragon_updater.exe [2095808 2013-08-01] ()
R2 GeekBuddyRSP; C:\Program Files\Fichiers communs\COMODO\GeekBuddyRSP.exe [1851088 2013-05-30] (Comodo Security Solutions, Inc.)
R2 Intel® PROSet Monitoring Service; C:\WINDOWS\system32\IProsetMonitor.exe [109728 2011-01-17] (Intel Corporation)
R2 MBAMScheduler; C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
S2 AntiVirService; "C:\Program Files\Avira\AntiVir Desktop\avguard.exe" [x]

==================== Drivers (Whitelisted) ====================

S3 ADM8511; C:\Windows\System32\DRIVERS\NET8511.SYS [24424 2000-12-12] (ADMtek)
R2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [66616 2011-12-14] (Avira GmbH)
R1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [138192 2011-12-14] (Avira GmbH)
R1 CFRMD; C:\Windows\System32\DRIVERS\CFRMD.sys [36112 2013-05-07] (Windows ® Win 7 DDK provider)
R1 cmderd; C:\Windows\System32\DRIVERS\cmderd.sys [18528 2013-06-18] (COMODO)
R1 cmdGuard; C:\Windows\System32\DRIVERS\cmdguard.sys [587352 2013-07-08] (COMODO)
R1 cmdHlp; C:\Windows\System32\DRIVERS\cmdhlp.sys [32816 2013-06-18] (COMODO)
R3 E1000; C:\Windows\System32\DRIVERS\e1000325.sys [171152 2011-03-30] (Intel Corporation)
R3 ialm; C:\Windows\System32\DRIVERS\ialmnt5.sys [737874 2004-08-20] (Intel Corporation)
R0 Inspect; C:\Windows\System32\DRIVERS\inspect.sys [99520 2013-06-18] (COMODO)
R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [22856 2013-04-04] (Malwarebytes Corporation)
S3 WDM_YAMAHAAC97; C:\Windows\System32\drivers\yacxgc.sys [205440 2003-06-27] (YAMAHA CORPORATION)
S3 catchme; \??\C:\DOCUME~1\home\LOCALS~1\Temp\catchme.sys [x]
U5 ScsiPort; C:\Windows\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)
S3 WIMMount; \??\C:\Program Files\Macrium\Reflect\wimmount.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-09-03 22:12 - 2013-09-03 22:12 - 00011013 _____ C:\ComboFix.txt
2013-09-02 04:54 - 2013-09-02 04:54 - 00000000 ____D C:\Documents and Settings\home\Application Data\Comodo
2013-09-02 04:21 - 2013-09-02 04:21 - 00000000 ____D C:\Program Files\Fichiers communs\COMODO
2013-09-02 04:08 - 2013-09-03 22:34 - 00000440 _____ C:\WINDOWS\Tasks\COMODO Signature Update {B9D5C6F9-17D2-4917-8BD0-614BAA1C6A59}.job
2013-09-02 04:08 - 2013-09-03 22:33 - 00000440 _____ C:\WINDOWS\Tasks\COMODO Update {A6D52E4F-569B-4756-B3D8-DF217313DA85}.job
2013-09-02 04:08 - 2013-09-03 22:33 - 00000440 _____ C:\WINDOWS\Tasks\COMODO Scan {F140D794-60B6-4F00-9235-D6457AA25B22}.job
2013-09-02 04:08 - 2013-09-03 22:33 - 00000440 _____ C:\WINDOWS\Tasks\COMODO Cache Builder {0FB77674-7905-4F34-A362-C5A9A26F8CF9}.job
2013-09-02 04:08 - 2013-09-03 21:44 - 00095792 _____ C:\WINDOWS\system32\Drivers\sfi.dat
2013-09-02 04:06 - 2013-09-02 04:07 - 00000000 ___SD C:\Documents and Settings\All Users\Application Data\Shared Space
2013-09-02 04:03 - 2013-09-02 04:03 - 00000746 _____ C:\WINDOWS\system32\{7995330B-E01F-4645-B702-53481E7CB778}.cmdfile
2013-09-02 04:01 - 2013-09-02 04:01 - 150622552 _____ (COMODO) C:\Documents and Settings\home\Bureau\cispro_installer.exe
2013-09-02 03:13 - 2013-09-02 03:13 - 00000000 ____D C:\Documents and Settings\NetworkService\Local Settings\Application Data\COMODO
2013-09-02 03:10 - 2013-09-02 03:10 - 00048392 _____ (COMODO CA Limited) C:\WINDOWS\system32\certsentry.dll
2013-09-02 03:07 - 2013-09-02 03:07 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Comodo Downloader
2013-08-28 12:30 - 2013-08-28 12:30 - 00000000 ___HD C:\WINDOWS\PIF
2013-08-28 01:49 - 2013-08-28 01:49 - 00353352 _____ (Malwarebytes Corporation) C:\Documents and Settings\home\Bureau\mbam-check-2.0.0.1000.exe
2013-08-28 01:49 - 2013-08-28 01:49 - 00029598 _____ C:\Documents and Settings\home\Bureau\CheckResults.txt
2013-08-25 23:52 - 2013-09-03 22:34 - 01084575 _____ (Farbar) C:\Documents and Settings\home\Bureau\FRST.exe
2013-08-25 20:43 - 2013-08-25 20:43 - 11260240 _____ (Microsoft Corporation) C:\Documents and Settings\home\Bureau\mseinstall.exe
2013-08-24 15:40 - 2013-08-24 15:40 - 00010398 _____ C:\list.txt
2013-08-24 15:21 - 2013-08-24 15:21 - 00010398 _____ C:\liste.txt
2013-08-23 11:55 - 2013-08-23 11:55 - 00008192 ____H C:\WINDOWS\system32\config\SECURITY.tmp.LOG
2013-08-23 11:55 - 2013-08-23 11:55 - 00000000 ____H C:\WINDOWS\system32\config\system.tmp.LOG
2013-08-23 11:55 - 2013-08-23 11:55 - 00000000 ____H C:\WINDOWS\system32\config\software.tmp.LOG
2013-08-23 11:55 - 2013-08-23 11:55 - 00000000 ____H C:\WINDOWS\system32\config\SAM.tmp.LOG
2013-08-23 11:55 - 2013-08-23 11:55 - 00000000 ____H C:\WINDOWS\system32\config\default.tmp.LOG
2013-08-23 00:46 - 2013-08-23 00:48 - 00000000 ____D C:\WINDOWS\pss
2013-08-22 21:22 - 2013-09-03 21:50 - 05119472 ____R (Swearware) C:\Documents and Settings\home\Bureau\ComboFix.exe
2013-08-20 19:10 - 2013-08-20 19:10 - 00005536 _____ C:\Documents and Settings\home\Bureau\xpnetdiag.xml
2013-08-19 22:25 - 2013-08-19 22:29 - 00000000 ____D C:\Program Files\ERUNT
2013-08-19 22:25 - 2013-08-19 22:25 - 00000617 _____ C:\Documents and Settings\home\Bureau\NTREGOPT.lnk
2013-08-19 22:25 - 2013-08-19 22:25 - 00000598 _____ C:\Documents and Settings\home\Bureau\ERUNT.lnk
2013-08-19 22:24 - 2013-08-19 22:24 - 00791393 _____ (Lars Hederer                                                ) C:\Documents and Settings\home\Bureau\erunt-setup.exe
2013-08-19 03:47 - 2013-08-25 17:28 - 00000000 ____D C:\FRST
2013-08-19 02:42 - 2013-08-19 02:42 - 00000000 _RSHD C:\cmdcons
2013-08-19 02:42 - 2011-03-30 10:53 - 00000212 _____ C:\Boot.bak
2013-08-19 02:42 - 2004-08-03 23:00 - 00263488 __RSH C:\cmldr
2013-08-19 02:40 - 2011-06-26 02:45 - 00256000 _____ C:\WINDOWS\PEV.exe
2013-08-19 02:40 - 2010-11-07 13:20 - 00208896 _____ C:\WINDOWS\MBR.exe
2013-08-19 02:40 - 2009-04-20 00:56 - 00060416 _____ (NirSoft) C:\WINDOWS\NIRCMD.exe
2013-08-19 02:40 - 2000-08-30 20:00 - 00518144 _____ (SteelWerX) C:\WINDOWS\SWREG.exe
2013-08-19 02:40 - 2000-08-30 20:00 - 00406528 _____ (SteelWerX) C:\WINDOWS\SWSC.exe
2013-08-19 02:40 - 2000-08-30 20:00 - 00212480 _____ (SteelWerX) C:\WINDOWS\SWXCACLS.exe
2013-08-19 02:40 - 2000-08-30 20:00 - 00098816 _____ C:\WINDOWS\sed.exe
2013-08-19 02:40 - 2000-08-30 20:00 - 00080412 _____ C:\WINDOWS\grep.exe
2013-08-19 02:40 - 2000-08-30 20:00 - 00068096 _____ C:\WINDOWS\zip.exe
2013-08-19 02:39 - 2013-09-03 22:13 - 00000000 ____D C:\Qoobox
2013-08-19 02:27 - 2013-08-19 02:28 - 00002776 _____ C:\Documents and Settings\home\Bureau\Rkill.txt
2013-08-19 02:27 - 2013-08-19 02:27 - 01898112 _____ (Bleeping Computer, LLC) C:\Documents and Settings\home\Bureau\rkill.exe
2013-08-18 20:35 - 2013-08-18 21:35 - 00000000 ____D C:\Kaspersky Rescue Disk 10.0
2013-08-16 20:12 - 2013-08-23 11:55 - 00000000 ____D C:\WINDOWS\erdnt
2013-08-16 16:41 - 2013-08-28 12:35 - 00011071 _____ C:\Documents and Settings\home\Bureau\attach.txt
2013-08-16 16:41 - 2013-08-28 12:35 - 00006134 _____ C:\Documents and Settings\home\Bureau\dds.txt
2013-08-16 16:40 - 2013-08-16 16:40 - 00000000 ___RD C:\Documents and Settings\home\Mes documents\Mes vidéos
2013-08-16 15:41 - 2013-08-16 15:42 - 00000000 ____D C:\WINDOWS\system32\NtmsData
2013-08-16 15:34 - 2013-08-28 12:34 - 00000000 ____D C:\Program Files\Macrium
2013-08-16 15:30 - 2013-08-16 15:31 - 00000000 ____D C:\Documents and Settings\home\Mes documents\Macrium
2013-08-16 15:27 - 2013-08-16 16:06 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Macrium
2013-08-16 15:06 - 2013-08-16 15:06 - 00688992 ____R (Swearware) C:\Documents and Settings\home\Bureau\dds.com
2013-08-08 03:34 - 2013-08-08 05:07 - 00331324 _____ C:\Documents and Settings\home\Mes documents\Layout.ini
2013-08-07 21:11 - 2013-08-07 21:33 - 00000000 ____D C:\Documents and Settings\home\Local Settings\Application Data\Brain Games Mahjongg Files
2013-08-07 20:55 - 2013-08-07 20:55 - 00000000 ____D C:\Documents and Settings\home\Application Data\pixelStorm
2013-08-07 12:43 - 2013-08-07 12:43 - 00000000 ____D C:\Documents and Settings\home\Local Settings\Application Data\JollyBear
2013-08-07 12:43 - 2013-08-07 12:43 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\JollyBear
2013-08-07 12:29 - 2013-08-07 12:29 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Casual Box
2013-08-07 01:05 - 2013-08-07 01:05 - 00000000 ____D C:\Documents and Settings\home\Application Data\AlawarEntertainment
2013-08-07 01:02 - 2013-08-08 12:14 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Big Fish
2013-08-07 01:01 - 2013-08-08 12:14 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\BigFishCache
2013-08-07 01:01 - 2013-08-07 01:02 - 00000000 ____D C:\Documents and Settings\home\Local Settings\Application Data\Big Fish
2013-08-07 00:13 - 2013-08-07 00:30 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Solid State Networks

==================== One Month Modified Files and Folders =======

2013-09-03 22:34 - 2013-09-02 04:08 - 00000440 _____ C:\WINDOWS\Tasks\COMODO Signature Update {B9D5C6F9-17D2-4917-8BD0-614BAA1C6A59}.job
2013-09-03 22:34 - 2013-08-25 23:52 - 01084575 _____ (Farbar) C:\Documents and Settings\home\Bureau\FRST.exe
2013-09-03 22:34 - 2011-03-30 11:41 - 00000000 ____D C:\Documents and Settings\home\Bureau
2013-09-03 22:33 - 2013-09-02 04:08 - 00000440 _____ C:\WINDOWS\Tasks\COMODO Update {A6D52E4F-569B-4756-B3D8-DF217313DA85}.job
2013-09-03 22:33 - 2013-09-02 04:08 - 00000440 _____ C:\WINDOWS\Tasks\COMODO Scan {F140D794-60B6-4F00-9235-D6457AA25B22}.job
2013-09-03 22:33 - 2013-09-02 04:08 - 00000440 _____ C:\WINDOWS\Tasks\COMODO Cache Builder {0FB77674-7905-4F34-A362-C5A9A26F8CF9}.job
2013-09-03 22:29 - 2011-03-30 10:57 - 01239116 _____ C:\WINDOWS\WindowsUpdate.log
2013-09-03 22:26 - 2011-12-14 20:33 - 00000757 _____ C:\Documents and Settings\home\Application Data\AtomicAlarmClock.ini
2013-09-03 22:25 - 2013-04-09 21:16 - 00000392 _____ C:\WINDOWS\Tasks\ProgramUpdateCheck.job
2013-09-03 22:25 - 2013-04-09 21:16 - 00000384 _____ C:\WINDOWS\Tasks\Final Media Player Update Checker.job
2013-09-03 22:25 - 2011-03-30 11:39 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2013-09-03 22:24 - 2011-03-30 11:41 - 00000184 ___SH C:\Documents and Settings\home\ntuser.ini
2013-09-03 22:24 - 2011-03-30 11:41 - 00000000 ____D C:\Documents and Settings\home
2013-09-03 22:24 - 2011-03-30 11:39 - 00032582 _____ C:\WINDOWS\SchedLgU.Txt
2013-09-03 22:13 - 2013-08-19 02:39 - 00000000 ____D C:\Qoobox
2013-09-03 22:12 - 2013-09-03 22:12 - 00011013 _____ C:\ComboFix.txt
2013-09-03 22:08 - 2004-08-05 08:00 - 00000227 _____ C:\WINDOWS\system.ini
2013-09-03 22:02 - 2011-03-30 05:30 - 00000000 ____D C:\Program Files\Fichiers communs
2013-09-03 21:50 - 2013-08-22 21:22 - 05119472 ____R (Swearware) C:\Documents and Settings\home\Bureau\ComboFix.exe
2013-09-03 21:44 - 2013-09-02 04:08 - 00095792 _____ C:\WINDOWS\system32\Drivers\sfi.dat
2013-09-03 21:34 - 2004-08-05 08:00 - 00013646 _____ C:\WINDOWS\system32\wpa.dbl
2013-09-02 05:07 - 2011-03-30 10:56 - 00000000 ____D C:\WINDOWS\system32\Restore
2013-09-02 04:54 - 2013-09-02 04:54 - 00000000 ____D C:\Documents and Settings\home\Application Data\Comodo
2013-09-02 04:54 - 2013-01-22 19:38 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\COMODO
2013-09-02 04:22 - 2013-01-22 19:41 - 00000000 ____D C:\Documents and Settings\LocalService\Local Settings\Application Data\COMODO
2013-09-02 04:22 - 2011-03-30 05:30 - 00000000 ____D C:\Documents and Settings\All Users\Bureau
2013-09-02 04:21 - 2013-09-02 04:21 - 00000000 ____D C:\Program Files\Fichiers communs\COMODO
2013-09-02 04:07 - 2013-09-02 04:06 - 00000000 ___SD C:\Documents and Settings\All Users\Application Data\Shared Space
2013-09-02 04:05 - 2013-01-22 19:37 - 00000000 ____D C:\Program Files\Comodo
2013-09-02 04:03 - 2013-09-02 04:03 - 00000746 _____ C:\WINDOWS\system32\{7995330B-E01F-4645-B702-53481E7CB778}.cmdfile
2013-09-02 04:01 - 2013-09-02 04:01 - 150622552 _____ (COMODO) C:\Documents and Settings\home\Bureau\cispro_installer.exe
2013-09-02 03:56 - 2013-02-04 10:50 - 00000000 ____D C:\Documents and Settings\home\Mes documents\PrintScreen Files
2013-09-02 03:13 - 2013-09-02 03:13 - 00000000 ____D C:\Documents and Settings\NetworkService\Local Settings\Application Data\COMODO
2013-09-02 03:10 - 2013-09-02 03:10 - 00048392 _____ (COMODO CA Limited) C:\WINDOWS\system32\certsentry.dll
2013-09-02 03:10 - 2013-01-22 19:37 - 00000000 ____D C:\Documents and Settings\home\Local Settings\Application Data\COMODO
2013-09-02 03:09 - 2011-03-30 05:29 - 00586596 _____ C:\WINDOWS\setupapi.log
2013-09-02 03:07 - 2013-09-02 03:07 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Comodo Downloader
2013-09-02 01:38 - 2011-03-30 12:33 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Adobe
2013-08-30 21:18 - 2013-04-09 21:18 - 00000000 ____D C:\Documents and Settings\NetworkService\Local Settings\Application Data\FileTypeAssistant
2013-08-30 21:18 - 2013-04-09 21:16 - 00000448 _____ C:\WINDOWS\Tasks\ProgramRefresh-ATFST.job
2013-08-30 21:18 - 2013-04-09 21:16 - 00000000 ____D C:\Program Files\File Type Assistant
2013-08-28 13:37 - 2011-03-30 05:33 - 00000216 _____ C:\WINDOWS\wiadebug.log
2013-08-28 13:37 - 2011-03-30 05:33 - 00000050 _____ C:\WINDOWS\wiaservc.log
2013-08-28 12:35 - 2013-08-16 16:41 - 00011071 _____ C:\Documents and Settings\home\Bureau\attach.txt
2013-08-28 12:35 - 2013-08-16 16:41 - 00006134 _____ C:\Documents and Settings\home\Bureau\dds.txt
2013-08-28 12:34 - 2013-08-16 15:34 - 00000000 ____D C:\Program Files\Macrium
2013-08-28 12:30 - 2013-08-28 12:30 - 00000000 ___HD C:\WINDOWS\PIF
2013-08-28 01:49 - 2013-08-28 01:49 - 00353352 _____ (Malwarebytes Corporation) C:\Documents and Settings\home\Bureau\mbam-check-2.0.0.1000.exe
2013-08-28 01:49 - 2013-08-28 01:49 - 00029598 _____ C:\Documents and Settings\home\Bureau\CheckResults.txt
2013-08-25 20:59 - 2012-01-18 20:59 - 00001919 _____ C:\WINDOWS\epplauncher.mif
2013-08-25 20:43 - 2013-08-25 20:43 - 11260240 _____ (Microsoft Corporation) C:\Documents and Settings\home\Bureau\mseinstall.exe
2013-08-25 17:28 - 2013-08-19 03:47 - 00000000 ____D C:\FRST
2013-08-24 15:40 - 2013-08-24 15:40 - 00010398 _____ C:\list.txt
2013-08-24 15:21 - 2013-08-24 15:21 - 00010398 _____ C:\liste.txt
2013-08-23 12:06 - 2011-03-30 11:01 - 00000000 __SHD C:\Documents and Settings\NetworkService
2013-08-23 11:55 - 2013-08-23 11:55 - 00008192 ____H C:\WINDOWS\system32\config\SECURITY.tmp.LOG
2013-08-23 11:55 - 2013-08-23 11:55 - 00000000 ____H C:\WINDOWS\system32\config\system.tmp.LOG
2013-08-23 11:55 - 2013-08-23 11:55 - 00000000 ____H C:\WINDOWS\system32\config\software.tmp.LOG
2013-08-23 11:55 - 2013-08-23 11:55 - 00000000 ____H C:\WINDOWS\system32\config\SAM.tmp.LOG
2013-08-23 11:55 - 2013-08-23 11:55 - 00000000 ____H C:\WINDOWS\system32\config\default.tmp.LOG
2013-08-23 11:55 - 2013-08-16 20:12 - 00000000 ____D C:\WINDOWS\erdnt
2013-08-23 11:55 - 2011-03-30 05:29 - 00262144 _____ C:\WINDOWS\system32\config\SECURITY.bak
2013-08-23 11:55 - 2011-03-30 05:29 - 00024576 _____ C:\WINDOWS\system32\config\SAM.bak
2013-08-23 11:55 - 2011-03-30 05:28 - 13631488 _____ C:\WINDOWS\system32\config\software.bak
2013-08-23 11:55 - 2011-03-30 05:28 - 04456448 _____ C:\WINDOWS\system32\config\system.bak
2013-08-23 11:55 - 2011-03-30 05:28 - 00262144 _____ C:\WINDOWS\system32\config\default.bak
2013-08-23 00:48 - 2013-08-23 00:46 - 00000000 ____D C:\WINDOWS\pss
2013-08-23 00:48 - 2011-03-30 05:28 - 00000328 __RSH C:\boot.ini
2013-08-23 00:48 - 2004-08-05 08:00 - 00000507 _____ C:\WINDOWS\win.ini
2013-08-20 19:10 - 2013-08-20 19:10 - 00005536 _____ C:\Documents and Settings\home\Bureau\xpnetdiag.xml
2013-08-19 22:29 - 2013-08-19 22:25 - 00000000 ____D C:\Program Files\ERUNT
2013-08-19 22:25 - 2013-08-19 22:25 - 00000617 _____ C:\Documents and Settings\home\Bureau\NTREGOPT.lnk
2013-08-19 22:25 - 2013-08-19 22:25 - 00000598 _____ C:\Documents and Settings\home\Bureau\ERUNT.lnk
2013-08-19 22:24 - 2013-08-19 22:24 - 00791393 _____ (Lars Hederer                                                ) C:\Documents and Settings\home\Bureau\erunt-setup.exe
2013-08-19 02:42 - 2013-08-19 02:42 - 00000000 _RSHD C:\cmdcons
2013-08-19 02:28 - 2013-08-19 02:27 - 00002776 _____ C:\Documents and Settings\home\Bureau\Rkill.txt
2013-08-19 02:27 - 2013-08-19 02:27 - 01898112 _____ (Bleeping Computer, LLC) C:\Documents and Settings\home\Bureau\rkill.exe
2013-08-19 01:52 - 2011-03-30 11:41 - 00000000 ___HD C:\Documents and Settings\home\Voisinage réseau
2013-08-18 21:35 - 2013-08-18 20:35 - 00000000 ____D C:\Kaspersky Rescue Disk 10.0
2013-08-16 16:40 - 2013-08-16 16:40 - 00000000 ___RD C:\Documents and Settings\home\Mes documents\Mes vidéos
2013-08-16 16:06 - 2013-08-16 15:27 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Macrium
2013-08-16 15:49 - 2011-03-30 10:55 - 00000000 ____D C:\WINDOWS\Registration
2013-08-16 15:49 - 2011-03-30 05:23 - 00000000 ____D C:\WINDOWS\repair
2013-08-16 15:42 - 2013-08-16 15:41 - 00000000 ____D C:\WINDOWS\system32\NtmsData
2013-08-16 15:31 - 2013-08-16 15:30 - 00000000 ____D C:\Documents and Settings\home\Mes documents\Macrium
2013-08-16 15:06 - 2013-08-16 15:06 - 00688992 ____R (Swearware) C:\Documents and Settings\home\Bureau\dds.com
2013-08-15 02:48 - 2013-01-07 04:25 - 00000000 ___RD C:\Documents and Settings\home\Mes documents\Mes images
2013-08-14 14:45 - 2013-04-12 19:32 - 00000000 ____D C:\Eric
2013-08-08 12:14 - 2013-08-07 01:02 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Big Fish
2013-08-08 12:14 - 2013-08-07 01:01 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\BigFishCache
2013-08-08 05:07 - 2013-08-08 03:34 - 00331324 _____ C:\Documents and Settings\home\Mes documents\Layout.ini
2013-08-07 23:07 - 2011-03-30 05:23 - 00000000 ____D C:\WINDOWS\Help
2013-08-07 21:33 - 2013-08-07 21:11 - 00000000 ____D C:\Documents and Settings\home\Local Settings\Application Data\Brain Games Mahjongg Files
2013-08-07 20:55 - 2013-08-07 20:55 - 00000000 ____D C:\Documents and Settings\home\Application Data\pixelStorm
2013-08-07 12:43 - 2013-08-07 12:43 - 00000000 ____D C:\Documents and Settings\home\Local Settings\Application Data\JollyBear
2013-08-07 12:43 - 2013-08-07 12:43 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\JollyBear
2013-08-07 12:29 - 2013-08-07 12:29 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Casual Box
2013-08-07 01:05 - 2013-08-07 01:05 - 00000000 ____D C:\Documents and Settings\home\Application Data\AlawarEntertainment
2013-08-07 01:02 - 2013-08-07 01:01 - 00000000 ____D C:\Documents and Settings\home\Local Settings\Application Data\Big Fish
2013-08-07 00:30 - 2013-08-07 00:13 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Solid State Networks
2013-08-07 00:27 - 2011-03-30 12:10 - 00000000 ___HD C:\Program Files\InstallShield Installation Information

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe
[2004-08-05 08:00] - [2008-04-13 20:34] - 0512000 ____A (Microsoft Corporation) dd73d6b9f6b4cb630cf35b438b540174

C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll
[2004-08-05 08:00] - [2008-04-13 20:33] - 0579584 ____A (Microsoft Corporation) e853f84d3ce2faa2a802e33cf89ac023

C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== End Of Log ============================

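The FRST log above lists every service and driver on one line, and two details in it matter for a cleanup like this one: entries whose binary no longer exists (the `AntiVirService`, `catchme` and `WIMMount` lines end in `[x]` instead of a size and date) and entries with an empty publisher field `()`. The script below is an added example, not code from this thread, from Farbar or from Malwarebytes. It parses that line format from a saved log and reports both kinds of entry, plus any remnants of a named vendor. Two assumptions are labelled in the code: `SAMPLE_LOG` is constructed from lines quoted in the FRST log above, and `[x]` is read as "file not found on disk", which matches the poster's own observation that the Avira program folder is gone while the Avira drivers under `system32\drivers` are still present.

```python
"""Triage of FRST 'Services' and 'Drivers' lines (added example, not FRST's own code).

Flags entries whose binary FRST could not find ("[x]" in place of size and
date; assumed here to mean the file is missing from disk) and entries whose
publisher field is empty "()". Both are the usual footprint of a product that
was uninstalled, or installed badly, and left registry entries behind.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample, assembled from service/driver lines quoted in the thread's FRST log.
SAMPLE_LOG = r"""
========================== Services (Whitelisted) =================

R2 CLPSLauncher; C:\Program Files\Fichiers communs\COMODO\launcher_service.exe [70352 2013-07-24] (Comodo Security Solutions Inc.)
R2 DragonUpdater; C:\Program Files\Comodo\Dragon\dragon_updater.exe [2095808 2013-08-01] ()
S2 AntiVirService; "C:\Program Files\Avira\AntiVir Desktop\avguard.exe" [x]

==================== Drivers (Whitelisted) ====================

R2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [66616 2011-12-14] (Avira GmbH)
R1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [138192 2011-12-14] (Avira GmbH)
S3 catchme; \??\C:\DOCUME~1\home\LOCALS~1\Temp\catchme.sys [x]
U5 ScsiPort; C:\Windows\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)
S3 WIMMount; \??\C:\Program Files\Macrium\Reflect\wimmount.sys [x]
"""

# One FRST entry: <state> <name>; <path, optionally quoted> [<size> <date> | x] (<publisher>)
LINE_RE = re.compile(
    r'^(?P<state>[RSU]\d)\s+(?P<name>[^;]+);\s*"?(?P<path>[^"\[]+?)"?\s*'
    r'\[(?P<meta>[^\]]*)\](?:\s*\((?P<publisher>[^)]*)\))?\s*$'
)


@dataclass
class Entry:
    state: str            # FRST state column as printed, e.g. R2, S3, U5
    name: str             # service or driver name
    path: str             # image path with surrounding quotes removed
    size: Optional[int]   # file size in bytes, None when the file is missing
    date: Optional[str]   # file date as printed, None when the file is missing
    publisher: str        # publisher field, "" when FRST printed "()"
    file_found: bool      # False when FRST printed "[x]" (assumed: file not on disk)


def parse_entries(log_text: str) -> List[Entry]:
    """Parse every service/driver line in log_text; headers and blank lines are skipped."""
    entries: List[Entry] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        meta = m.group("meta").strip()
        file_found = meta.lower() != "x"
        size: Optional[int] = None
        date: Optional[str] = None
        if file_found:
            parts = meta.split()
            if len(parts) == 2 and parts[0].isdigit():
                size, date = int(parts[0]), parts[1]
        entries.append(Entry(
            state=m.group("state"),
            name=m.group("name").strip(),
            path=m.group("path").strip(),
            size=size,
            date=date,
            publisher=(m.group("publisher") or "").strip(),
            file_found=file_found,
        ))
    return entries


def triage(entries: List[Entry]) -> List[Tuple[str, Entry]]:
    """Findings worth a look: a registered binary that is gone, or one with no publisher."""
    findings: List[Tuple[str, Entry]] = []
    for e in entries:
        if not e.file_found:
            findings.append(("missing-binary", e))
        elif not e.publisher:
            findings.append(("no-publisher", e))
    return findings


def leftovers_for(entries: List[Entry], vendor: str) -> List[Entry]:
    """Entries whose publisher or path mentions a vendor (case-insensitive), present or not."""
    v = vendor.lower()
    return [e for e in entries if v in e.publisher.lower() or v in e.path.lower()]


def report(log_text: str, vendor: Optional[str] = None) -> List[str]:
    """One line per finding; with a vendor name, also list that vendor's remnants."""
    entries = parse_entries(log_text)
    lines = [f"{kind:15} {e.state} {e.name}: {e.path}" for kind, e in triage(entries)]
    if vendor:
        for e in leftovers_for(entries, vendor):
            status = "present" if e.file_found else "MISSING"
            lines.append(f"{vendor}-remnant   {e.state} {e.name}: {e.path} [{status}]")
    return lines


if __name__ == "__main__":
    # Run against a real log with: parse a file's contents instead of SAMPLE_LOG.
    print("\n".join(report(SAMPLE_LOG, vendor="avira")))
```

A missing binary is not evidence of infection by itself: in this thread the `[x]` entries are an uninstalled antivirus, a scanner's temporary driver and an imaging tool, which is exactly why the output is a list to review rather than a list to delete. Reading the saved log also means the triage runs offline on the helper's machine, not on the affected one.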

Hi M. :)

I rebooted and ran ComboFix; no warning this time about Avira!

After that I went to look in the registry, and the Avira AntiVir Desktop keys are still there. But I did a search for AVG and no keys were found, it seems.

I don't see Avira in Program Files, but there are some files in Windows\system32\drivers... for example, "avgntflt.sys", and it says it's the Avira minifilter driver...

Here are the ComboFix results:

ComboFix 13-09-02.02 - home 2013-09-03  23:13:30.6.2 - x86
Microsoft Windows XP Professionnel  5.1.2600.3.1252.2.1036.18.2015.1468 [GMT -4:00]
Lancé depuis: c:\documents and settings\home\Bureau\ComboFix.exe
AV: COMODO Antivirus *Disabled/Updated* {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
FW: COMODO Firewall *Disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.
.
(((((((((((((((((((((((((((((   Fichiers créés du 2013-08-04 au 2013-09-04  ))))))))))))))))))))))))))))))))))))
.
.
2013-09-02 08:54 . 2013-09-02 08:54 -------- d-----w- c:\documents and settings\home\Application Data\Comodo
2013-09-02 08:21 . 2013-09-02 08:21 -------- d-----w- c:\program files\Fichiers communs\COMODO
2013-09-02 08:08 . 2013-09-04 01:44 95792 ----a-w- c:\windows\system32\drivers\sfi.dat
2013-09-02 08:06 . 2013-09-02 08:07 -------- d-s---w- c:\documents and settings\All Users\Application Data\Shared Space
2013-09-02 07:13 . 2013-09-02 07:13 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\COMODO
2013-09-02 07:13 . 2013-09-02 07:13 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\COMODO
2013-09-02 07:10 . 2013-09-02 07:10 48392 ----a-w- c:\windows\system32\certsentry.dll
2013-09-02 07:07 . 2013-09-02 07:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo Downloader
2013-08-28 16:30 . 2013-08-28 16:30 -------- d--h--w- c:\windows\PIF
2013-08-20 02:25 . 2013-08-20 02:29 -------- d-----w- c:\program files\ERUNT
2013-08-19 07:47 . 2013-08-25 21:28 -------- d-----w- C:\FRST
2013-08-19 00:35 . 2013-08-19 01:35 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
2013-08-16 20:10 . 2013-08-16 20:10 -------- d-----w- c:\windows\Logs
2013-08-16 19:41 . 2013-08-16 19:42 -------- d-----w- c:\windows\system32\NtmsData
2013-08-16 19:34 . 2013-08-16 19:34 -------- d-----w- C:\boot
2013-08-16 19:34 . 2013-08-28 16:34 -------- d-----w- c:\program files\Macrium
2013-08-16 19:27 . 2013-08-16 20:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Macrium
2013-08-08 01:11 . 2013-08-08 01:33 -------- d-----w- c:\documents and settings\home\Local Settings\Application Data\Brain Games Mahjongg Files
2013-08-08 00:55 . 2013-08-08 00:55 -------- d-----w- c:\documents and settings\home\Application Data\pixelStorm
2013-08-07 16:43 . 2013-08-07 16:43 -------- d-----w- c:\documents and settings\home\Local Settings\Application Data\JollyBear
2013-08-07 16:43 . 2013-08-07 16:43 -------- d-----w- c:\documents and settings\All Users\Application Data\JollyBear
2013-08-07 16:29 . 2013-08-07 16:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Casual Box
2013-08-07 14:47 . 2013-08-07 14:47 -------- d-----w- c:\documents and settings\home\Saved Games
2013-08-07 05:05 . 2013-08-07 05:05 -------- d-----w- c:\documents and settings\home\Application Data\AlawarEntertainment
2013-08-07 05:02 . 2013-08-08 16:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Big Fish
2013-08-07 05:01 . 2013-08-07 05:02 -------- d-----w- c:\documents and settings\home\Local Settings\Application Data\Big Fish
2013-08-07 05:01 . 2013-08-08 16:14 -------- d-----w- c:\documents and settings\All Users\Application Data\BigFishCache
2013-08-07 04:13 . 2013-08-07 04:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Solid State Networks
.
.
.
((((((((((((((((((((((((((((((((((   Compte-rendu de Find3M   ))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-07-09 01:59 . 2013-07-09 01:59 587352 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2013-06-28 20:02 . 2013-06-28 20:02 16504 ----a-w- c:\windows\system32\drivers\pssnap.sys
2013-06-18 20:16 . 2013-06-18 20:16 99520 ----a-w- c:\windows\system32\drivers\inspect.sys
2013-06-18 20:16 . 2013-06-18 20:16 32816 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2013-06-18 20:16 . 2013-06-18 20:16 18528 ----a-w- c:\windows\system32\drivers\cmderd.sys
2013-06-18 20:15 . 2013-06-18 20:15 35488 ----a-w- c:\windows\system32\cmdcsr.dll
2013-06-18 20:15 . 2013-06-18 20:15 348584 ----a-w- c:\windows\system32\guard32.dll
2013-06-18 20:15 . 2013-06-18 20:15 40664 ----a-w- c:\windows\system32\cmdkbd32.dll
2013-06-18 20:15 . 2013-06-18 20:15 278232 ----a-w- c:\windows\system32\cmdvrt32.dll
.
.
(((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate default entries are not listed
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SkinClock"="c:\program files\Atomic Alarm Clock\AtomicAlarmClock.exe" [2008-09-30 1740288]
"Gadwin PrintScreen"="c:\program files\Gadwin Systems\PrintScreen\PrintScreen.exe" [2012-05-30 1842384]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cistray.exe" [2013-07-09 1464536]
"gbrspcontrol"="c:\program files\Fichiers communs\COMODO\GeekBuddyRSP.exe" [2013-05-30 1851088]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\
Start GeekBuddy.lnk - c:\program files\Comodo\GeekBuddy\launcher.exe "unit_manager.exe" [2013-7-24 49360]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\program files\Fichiers communs\Comodo\GeekBuddyRSP.exe"= c:\program files\Fichiers communs\Comodo\GeekBuddyRSP.exe:127.0.0.1/255.255.255.255:Enabled:GeekBuddy RSP
"c:\\Program Files\\File Type Assistant\\TSAssist.exe"=
"c:\\Program Files\\FinalMediaPlayer\\FMPCheckForUpdates.exe"=
.
R1 CFRMD;CFRMD;c:\windows\system32\drivers\CFRMD.sys [07/05/2013 03:00 36112]
R1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\drivers\cmderd.sys [18/06/2013 16:16 18528]
R1 cmdGuard;COMODO Internet Security Driver;c:\windows\system32\drivers\cmdGuard.sys [08/07/2013 21:59 587352]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [18/06/2013 16:16 32816]
R2 CLPSLauncher;COMODO LPS Launcher;c:\program files\Fichiers communs\COMODO\launcher_service.exe [24/07/2013 08:50 70352]
R2 DragonUpdater;COMODO Dragon Update Service;c:\program files\Comodo\Dragon\dragon_updater.exe [01/08/2013 07:20 2095808]
R2 GeekBuddyRSP;GeekBuddyRSP Service;c:\program files\Fichiers communs\COMODO\GeekBuddyRSP.exe [30/05/2013 08:47 1851088]
R2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;c:\windows\system32\IPROSetMonitor.exe [30/03/2011 12:09 109728]
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [08/04/2013 19:47 418376]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [08/04/2013 19:47 22856]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [08/04/2013 19:47 701512]
S3 ADM8511;Belkin USB Ethernet Adapter;c:\windows\system32\drivers\NET8511.SYS [30/03/2011 11:44 24424]
S3 cmdvirth;COMODO Virtual Service Manager;c:\program files\Comodo\COMODO Internet Security\cmdvirth.exe [18/06/2013 16:15 127192]
S3 WIMMount;WIMMount;\??\c:\program files\Macrium\Reflect\wimmount.sys --> c:\program files\Macrium\Reflect\wimmount.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2013-09-04 c:\windows\Tasks\COMODO Cache Builder {0FB77674-7905-4F34-A362-C5A9A26F8CF9}.job
- c:\program files\COMODO\COMODO Internet Security\cfpconfg.exe [2013-07-09 01:59]
.
2013-09-04 c:\windows\Tasks\COMODO Scan {F140D794-60B6-4F00-9235-D6457AA25B22}.job
- c:\program files\COMODO\COMODO Internet Security\cfpconfg.exe [2013-07-09 01:59]
.
2013-09-04 c:\windows\Tasks\COMODO Signature Update {B9D5C6F9-17D2-4917-8BD0-614BAA1C6A59}.job
- c:\program files\COMODO\COMODO Internet Security\cfpconfg.exe [2013-07-09 01:59]
.
2013-09-04 c:\windows\Tasks\COMODO Update {A6D52E4F-569B-4756-B3D8-DF217313DA85}.job
- c:\program files\COMODO\COMODO Internet Security\cfpconfg.exe [2013-07-09 01:59]
.
2013-09-04 c:\windows\Tasks\Final Media Player Update Checker.job
- c:\program files\FinalMediaPlayer\FMPCheckForUpdates.exe [2013-04-10 21:24]
.
2013-08-31 c:\windows\Tasks\ProgramRefresh-ATFST.job
- c:\program files\File Type Assistant\TSASetup.exe [2013-04-10 01:18]
.
2013-09-04 c:\windows\Tasks\ProgramUpdateCheck.job
- c:\program files\File Type Assistant\tsassist.exe [2013-04-10 17:09]
.
.
------- Supplementary Scan -------
.


TCP: DhcpNameServer = 24.201.245.77 24.200.0.1 24.53.0.2
TCP: Interfaces\{E09B6166-8D26-46DF-B5DC-F2814CD3551F}: NameServer = 156.154.70.25,156.154.71.25
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-09-03 23:25
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwClose
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
"v5Licence0"="15-YKNE-76RZ-ZWT9-D88T-YNWW-P4V9WWS"
"Activated"="N"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(780)
c:\windows\system32\guard32.dll
c:\windows\system32\mswsock.dll
c:\windows\System32\wshtcpip.dll
.
- - - - - - - > 'explorer.exe'(3592)
c:\windows\system32\guard32.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\eappprxy.dll
c:\windows\system32\WS2_32.dll
c:\windows\system32\WS2HELP.dll
c:\windows\system32\MPR.dll
.
- - - - - - - > 'csrss.exe'(696)
c:\windows\system32\cmdcsr.dll
.
Completion time: 2013-09-03  23:30:07
ComboFix-quarantined-files.txt  2013-09-04 03:29
ComboFix2.txt  2013-09-04 02:12
ComboFix3.txt  2013-09-02 09:37
ComboFix4.txt  2013-08-23 16:02
ComboFix5.txt  2013-09-04 03:11
.
Pre-Run: 26 312 962 048 bytes free
Post-Run: 26 324 889 600 bytes free
.
- - End Of File - - 3FC8E4EE9E3CBDFF6EFAAA2288B12785
C99C3199CFAA4CBDCD91493F6D113A50
 

Thanks again for your help! :)

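Editor's note: the following triage helper is an added example written for this page; it is not part of the thread, of ComboFix, or of any COMODO or Malwarebytes tool. It parses the four parts of the log above that a responder reads first: the Run keys, the Windows Firewall standard-profile setting (here `"EnableFirewall"= 0`, which is typical once a third-party firewall such as the COMODO suite in this log has taken over, but still worth confirming rather than assuming), catchme's `detected NTDLL code modification: ZwClose`, and the DLLs loaded into lsass.exe. The sample log is constructed in ComboFix's layout from the kinds of lines shown above; the `Updater` entry under a user-profile path is invented only to exercise the trusted-roots check and is not in the posted log. The trusted-roots list is a heuristic for a default Windows XP install. The script reports leads, not verdicts: it does not decide whether guard32.dll or the ZwClose patch belongs to the COMODO HIPS or to something else.

```python
"""Triage helper for ComboFix-style logs: extracts the autorun, firewall,
NTDLL-hook and loaded-DLL signals and turns them into review items."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in ComboFix's layout. Most lines mirror the posted log;
# the "Updater" line is invented to exercise the path check (NOT in the log).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SkinClock"="c:\program files\Atomic Alarm Clock\AtomicAlarmClock.exe" [2008-09-30 1740288]
"Updater"="c:\documents and settings\home\Application Data\upd\upd.exe" [2013-08-01 40960]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cistray.exe" [2013-07-09 1464536]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
detected NTDLL code modification:
ZwClose
.
- - - - - - - > 'lsass.exe'(780)
c:\windows\system32\guard32.dll
c:\windows\system32\mswsock.dll
.
- - - - - - - > 'explorer.exe'(3592)
c:\windows\system32\guard32.dll
c:\windows\system32\WS2_32.dll
.
"""

KEY_RE = re.compile(r"^\[(.+)\]$")                        # [HKLM\...\Run]
RUN_VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"')        # "Name"="path" [date size]
FIREWALL_RE = re.compile(r'^"EnableFirewall"=\s*(\d+)')   # "EnableFirewall"= 0 (0x0)
PROCESS_RE = re.compile(r"^(?:- )+> '([^']+)'\((\d+)\)")  # - - - > 'lsass.exe'(780)
NTDLL_HEADER = "detected NTDLL code modification:"

# Heuristic for a default Windows XP layout; adjust for other drives/locales.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")


def parse_sections(log: str) -> Dict[str, List[str]]:
    """Group lines under the registry key, process header or NTDLL block that
    precedes them. ComboFix closes each block with a line holding only '.'."""
    sections: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in log.splitlines():
        line = raw.strip()
        if not line or line == ".":
            current = None
            continue
        key, proc = KEY_RE.match(line), PROCESS_RE.match(line)
        if key or proc or line == NTDLL_HEADER:
            current = key.group(1) if key else ("process:" + proc.group(1) if proc else "ntdll")
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def autoruns(sections: Dict[str, List[str]]) -> List[Tuple[str, str, str]]:
    """Every (key, value name, binary path) under a CurrentVersion/Run key."""
    out = []
    for key, lines in sections.items():
        if key.lower().endswith("\\currentversion\\run"):
            for line in lines:
                m = RUN_VALUE_RE.match(line)
                if m:
                    out.append((key, m.group(1), m.group(2)))
    return out


def suspicious_autoruns(sections: Dict[str, List[str]]) -> List[Tuple[str, str, str]]:
    """Autoruns whose binary sits outside Windows/Program Files (profiles, temp dirs)."""
    return [e for e in autoruns(sections) if not e[2].lower().startswith(TRUSTED_ROOTS)]


def firewall_enabled(sections: Dict[str, List[str]]) -> Optional[bool]:
    """Windows Firewall standard-profile state, or None if the log lacks it."""
    for key, lines in sections.items():
        if key.lower().endswith("firewallpolicy\\standardprofile"):
            for line in lines:
                m = FIREWALL_RE.match(line)
                if m:
                    return m.group(1) != "0"
    return None


def ntdll_hooks(sections: Dict[str, List[str]]) -> List[str]:
    """NTDLL exports catchme reported as patched in memory."""
    return list(sections.get("ntdll", []))


def dlls_in_process(sections: Dict[str, List[str]], process: str) -> List[str]:
    """DLLs ComboFix listed under one process (e.g. third-party code in lsass.exe)."""
    return list(sections.get("process:" + process, []))


def triage(log: str) -> List[str]:
    """Human-readable findings; each is a lead to verify, not a verdict."""
    s = parse_sections(log)
    findings = []
    if firewall_enabled(s) is False:
        findings.append("Windows Firewall standard profile is OFF; confirm a third-party firewall is active")
    for key, name, path in suspicious_autoruns(s):
        findings.append(f"autorun outside trusted roots: {name} -> {path} ({key})")
    for export in ntdll_hooks(s):
        findings.append(f"NTDLL export patched in memory: {export} (HIPS/AV hook or rootkit; identify the module)")
    for dll in dlls_in_process(s, "lsass.exe"):
        findings.append(f"DLL loaded in lsass.exe: {dll}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)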