Avast WEBforum

Other => Viruses and worms => Topic started by: emcivile on February 03, 2009, 01:13:15 PM

Title: irc.zief.pl ...please help me...
Post by: emcivile on February 03, 2009, 01:13:15 PM
hello everybody! My name is Eddie, first post on this forum (I am an advanced pc user)

sunday my pc started to try to connect to irc.zief.pl . . . yep! VVVVVVVVIRUS... nothing more
bastard than one that even if I replace my driver with a clean ghost image...it still persists.

I have 3 drives and some pendrives... which is the virus and WHERE THE HELL is it??

is it VIRUT??? I am trying to clean with an AVG-specific remover...nothing happened...

so... please, help me... it's been 3 days I'm trying to delete it...

thanks!

Eddie
Title: Re: irc.zief.pl ...please help me...
Post by: polonus on February 03, 2009, 02:23:37 PM
Hi emcivile,

Yep, seems like you anticipated, a virut.h infection: http://vil.nai.com/vil/content/v_143034.htm
also consider the removal instructions there, but first try to download DrWebCureIt from here and do a full scan: ftp://ftp.drweb.com/pub/drweb/cureit/launch.exe

When your machine is cleansed do a free online scan here http://secunia.com/vulnerability_scanning/online/?task=start (enable JS on that page to start the scan to see what third party software on your machine needs either updates or patches)...

polonus
Title: Re: irc.zief.pl ...please help me...
Post by: emcivile on February 03, 2009, 02:28:18 PM
ok.

also when I boot the pc it downloads some TMP like VRTx.TMP where X stands for X.

is it possible that this virus can affect other drives and pendrives?

Title: Re: irc.zief.pl ...please help me...
Post by: polonus on February 03, 2009, 03:10:11 PM
Just the thing that seems to be working in this case and if that was the infection vector:-
use flash drive disinfector.
it’s a small program. download it from here:

http://www.precisesecurity.com/tools-resources/adware-tools/flash-disinfector/

then run it after preferably turning off your antivirus product’s real-time protection. your screen will go blank for a moment which is normal. when it says ‘Done!’ your problem is solved. it may create a folder called autorun.inf on your pen drive which you shouldn’t delete as it will cause the virus to reappear,

also give us a hjt logfile.txt as an attachment to your next post to analyze the system processes:
download here: http://download.bleepingcomputer.com/hijackthis/HiJackThis.zip or
http://download.bleepingcomputer.com/hijackthis/HiJackThis.exe

I assume you know after placing it on the desktop how to work it (see below):

HijackThis is a general homepage hijacker detector and remover. Initially based on the article Hijacked!, but expanded with almost a dozen other checks against hijacker tricks. It is continually updated to detect and remove new hijacks. It does not target specific programs/URLs, just the methods used by hijackers to force you onto their sites. As a result, false positives are imminent and unless you are sure what you're doing, you should always consult with knowledgeable folks (e.g. the forums) before deleting anything.

Usage Instructions:

Note: You should only use HijackThis if you have advanced computer knowledge or if you are under the direction of someone who does. Improper usage of this program can cause problems with how your computer operates.

To use HijackThis, download the file and extract it to a directory on your hard drive called c:\HijackThis. Then navigate to that directory and double-click on the hijackthis.exe file. When the program is started click on the Scan button and then the Save Log button to create a log of your information.



polonus
Title: Re: irc.zief.pl ...please help me...
Post by: sqallpl on February 03, 2009, 04:30:37 PM
Same problem here.

Avast still blocking "irc.zief.pl"

Dr Web didn't find anything; all my html files that I'm saving got an iframe script at the bottom with a zief.pl link.

Secunia scan crashes my firefox and IE when I'm starting the scan process.

I can't run AtiTool, Pajaczek (html editor) and other applications.

Polonus can you give me your gg number? Or message me 6252247 .
Title: Re: irc.zief.pl ...please help me...
Post by: Jtaylor83 on February 03, 2009, 05:00:11 PM
The only way to get rid of it is disconnect from the internet, reformat, and reinstall from scratch because Win32:Virut is a dangerous file infector with some additional features. It tries to connect to an IRC network under the name "Virtu" and zombifies your PC.
Title: Re: irc.zief.pl ...please help me...
Post by: polonus on February 03, 2009, 05:12:50 PM
Hi sqallpl,

The virus will infect executable files on Windows systems.

Upon execution, the virus uses the CreateEvent function to create an event named "VT_3" so that only one instance of the virus runs on the infected computer.

The virus hooks some of the following system functions, so that it can infect files when they are accessed or executed:

NtCreateFile
NtOpenFile
NtCreateProcess
NtCreateProcessEx

Then the virus attempts to infect all accessed .exe or .scr files by appending itself to the executable file.

The virus avoids infecting files that contain the following strings:

PSTO
WC32
WCUN
WINC

Then the virus opens a back door by joining the channel #virtu on the IRC server proxim.ircgalaxy.pl through TCP port 65520, allowing a remote attacker to download and execute files onto the infected computer. Cleansing the computer can be done by temporarily disabling system restore:
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.aspx

If the computer has been severely compromised a total recall can be the only option left, but try to disinfect first,

regards,

polonus
Title: Re: irc.zief.pl ...please help me...
Post by: emcivile on February 03, 2009, 11:16:16 PM
yo maaaaaaaan... that crap causes lots of damage!!

Now I am moving everything to an external disk and then I'll format every single disk present on my pc...

right?

Title: Re: irc.zief.pl ...please help me...
Post by: emcivile on February 03, 2009, 11:29:33 PM
is it possible that the virus can copy itself to a USB pendrive?
Title: Re: irc.zief.pl ...please help me...
Post by: polonus on February 03, 2009, 11:53:08 PM
Hi emcivile,

It is a propagation manner, so use this: http://www.precisesecurity.com/tools-resources/adware-tools/flash-disinfector/ and leave the file it makes there as a protection against re-infection,

Manual disinfection info I have dug up here, this may be your rescue:
http://www.threatexpert.com/report.aspx?md5=8dc6979d57e456fcd19b7a6d75a463f4

    File System Modifications

    * The following file was created in the system:

#    Filename(s)    File Size    File MD5
1     [file and pathname of the sample #1]     32,768 bytes     0x8DC6979D57E456FCD19B7A6D75A463F4

    * The following files were modified:
          o %ProgramFiles%\Internet Explorer\IEXPLORE.EXE
          o %System%\ctfmon.exe
          o %System%\drivers\etc\hosts

    * Notes:
          o %ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.
          o %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

 
    Memory Modifications

    * There was a new process created in the system:

Process Name    Process Filename    Main Module Size
[filename of the sample #1]    [file and pathname of the sample #1]    45,056 bytes

 
    Registry Modifications

    * The following Registry Keys were created:
          o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{540D8A8B-1C3F-4E32-8132-530F6A502090}\Implemented Categories
          o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{540D8A8B-1C3F-4E32-8132-530F6A502090}\Implemented Categories\{00021492-0000-0000-C000-000000000046}
          o HKEY_CURRENT_USER\Keyboard Layout\Toggle
          o HKEY_CURRENT_USER\Software\Microsoft\CTF\Assemblies
          o HKEY_CURRENT_USER\Software\Microsoft\CTF\LangBar
          o HKEY_CURRENT_USER\Software\Microsoft\CTF\Sapilayr
          o HKEY_CURRENT_USER\Software\Microsoft\CTF\TIP
          o HKEY_CURRENT_USER\Software\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}
          o HKEY_CURRENT_USER\Software\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\LanguageProfile
          o HKEY_CURRENT_USER\Software\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\LanguageProfile\0x00000409
          o HKEY_CURRENT_USER\Software\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\LanguageProfile\0x00000409\{09EA4E4B-46CE-4469-B450-0DE76A435BBB}
          o HKEY_CURRENT_USER\Software\Microsoft\SAPI Layer
          o HKEY_CURRENT_USER\Software\Microsoft\Speech

    * The newly created Registry Values are:
          o [HKEY_CURRENT_USER\Software\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\LanguageProfile\0x00000409\{09EA4E4B-46CE-4469-B450-0DE76A435BBB}]
                + Enable = 0x00000000
          o [HKEY_CURRENT_USER\Software\Microsoft\CTF\Sapilayr]
                + ProfileInitialized = 0x00000001
          o [HKEY_CURRENT_USER\Software\Microsoft\CTF\LangBar]
                + ExtraIconsOnMinimized = 0x00000001
                + ShowStatus = 0x00000004
          o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
                + ctfmon.exe = "%System%\ctfmon.exe"

 
    Other details

    * To mark the presence in the system, the following Mutex object was created:
          o oleacc-msaa-loaded

    * The HOSTS file was updated with the following URL-to-IP mappings:

127.0.0.1 ZieF.pl
#

    * The following Host Name was requested from a host database:
          o irc.zief.pl

    * There was application-defined hook procedure installed into the hook chain (e.g. to monitor keystrokes). The installed hook is handled by the following module:
          o %System%\MSCTF.dll

It modifies the registry at the following location to ensure its automatic execution at every Windows startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\"TargetHost"

The above registry entry contains IP address and port number information. The virus may then use this information to open a back door on the compromised computer.

If the value in the above registry entry is not available, the virus may open a back door on TCP port 80 using the IRC server ircd.zief.pl.

Additional on Virut.U
The virus uses (Eight Random characters) on the above channel.

The back door allows a remote attacker to download files on to the infected computer and execute them.

This virus first appeared on September 06, 2007.
 
 
 A rather nasty beast of crap, isn't it,

Ciao,

polonus
Title: Re: irc.zief.pl ...please help me...
Post by: emcivile on February 04, 2009, 12:02:04 AM
thank you!

now it's done... so I can plug the pendrive everywhere now without any risks?
Title: Re: irc.zief.pl ...please help me...
Post by: polonus on February 04, 2009, 12:06:23 AM
Hi emcivile,

That is right, but cleanse that crap from your machine, all the entries as I gave them,

polonus
Title: Re: irc.zief.pl ...please help me...
Post by: emcivile on February 04, 2009, 12:17:54 AM
oh man... probably something is right now... but I found some of these keys...

o [HKEY_CURRENT_USER\Software\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\LanguageProfile\0x00000409\{09EA4E4B-46CE-4469-B450-0DE76A435BBB}]
                + Enable = 0x00000000
          o [HKEY_CURRENT_USER\Software\Microsoft\CTF\Sapilayr]
                + ProfileInitialized = 0x00000001

now I deleted the one I found and tomorrow I'll format everything in my pc....

yeah, TIRAMISU' for everybody!!!
Title: Re: irc.zief.pl ...please help me...
Post by: emcivile on February 04, 2009, 12:27:21 AM
wrong...wrong... I deleted manually every single voice...

what a job!

I also deleted MSCTF.dll and similar.

Now it seems to be free from that damn virus!!

regkeys were deleted... I also saw that in the same position on reboot I have newer values and newer keys different from the last.

is it ok?
Title: Re: irc.zief.pl ...please help me...
Post by: sqallpl on February 04, 2009, 04:23:01 AM
emcivile, are you after the format?

I tried a lot of software, also deleted a lot of registry entries, and the scan didn't find VIRUT, but now I'm scanning all hard drives with Kaspersky Rescue CD; somebody told me that this stuff repaired his system, I will see and reply here.

BTW. Can I just delete all the registry and install windows using the repair option? I know that I will not have many of the important non-windows application entries, but I can handle it, I can reinstall. I don't want to format, because I have many folders, photos, music, movies etc. and I don't want to move all the stuff to other disks.
Title: Re: irc.zief.pl ...please help me...
Post by: Jtaylor83 on February 04, 2009, 05:18:14 AM
Don't worry. Just backup all your personal data before reformatting.
Title: Re: irc.zief.pl ...please help me...
Post by: sqallpl on February 04, 2009, 05:46:38 AM
I have another question. What will happen if I have some infected exe's on the HD, but I will not run them?
Title: Re: irc.zief.pl ...please help me...
Post by: scythe944 on February 04, 2009, 06:15:17 AM
Quote
I have another question. What will happen if I have some infected exe's on the HD, but I will not run them?

I'd suggest that after formatting, re-scan all of your disks for viruses to make sure that the exe's that you have aren't infected.  After that, I'd guess that you were good to go...
Title: Re: irc.zief.pl ...please help me...
Post by: emcivile on February 04, 2009, 12:01:25 PM
Quote
emcivile, are you after the format?

I tried a lot of software, also deleted a lot of registry entries, and the scan didn't find VIRUT, but now I'm scanning all hard drives with Kaspersky Rescue CD; somebody told me that this stuff repaired his system, I will see and reply here.

BTW. Can I just delete all the registry and install windows using the repair option? I know that I will not have many of the important non-windows application entries, but I can handle it, I can reinstall. I don't want to format, because I have many folders, photos, music, movies etc. and I don't want to move all the stuff to other disks.

I think formatting is a MUST in this case. I think that this virus can replicate in exe files stored in your pc, in installers too. so I deleted everything and I store only photos and music. no HTML or other things. too dangerous. fortunately I have a strong backup system based on a 750 GB NAS. consider something similar after this experience.

I'll format tomorrow every single disk.

I have noticed also that AVAST can't find infected EXEs.

last night I finished a deep scan with avast and no viruses were found BUT: when I deleted the registry key and I plugged the LAN into the router for an internet connection AVAST found a VIRx.TMP file (where x stands for a number from 1 to 4). because of this I imagine that there are some other infected exe files that run normally in windows but are not found by AVAST....

please, someone to confirm this.

Best regards!

-----

NOTE!!
NOW I AM DOING ANOTHER DEEP ANTIVIRUS SCAN ON THE INFECTED PC. I DELETED ALL REGISTRY KEYS AND NOW ALL HTML FILES ARE INFECTED BY THE HTML:Iframe-inf VIRUS!!!!

NOW I AM SCANNING ONLY C:\. I HOPE THAT NOTHING WILL BE INFECTED ON THE OTHER PARTITIONS.

BECAUSE OF THIS I AM "CONDEMNED" TO DELETE ALL HTM, HTML AND EXE FILES FROM MY DRIVES TO AVOID INFECTED FILES ON THE BACKUP.

THAT'S A PITY....
------------

scythe944
the problem is that AVAST is not ABLE to find the virus. AVAST finds only infected htm and html files.
Avast is not able to report infected EXEs either.

question:
today I was on a friend's XP. I executed REGEDIT to see if he has the same reg keys. he has all of them but no irc...pl connection and no TMP files downloaded... is he infected? I explain: are the reg keys shown above normally in non-infected XP copies or added ONLY as a consequence of this DAMN virus???

update!!!
I found W32\VIRTU on my drive. It infected a component of MIONET used to open my NAS. disinfected.

is this the end?
Title: Re: irc.zief.pl ...please help me...
Post by: polonus on February 04, 2009, 01:28:19 PM
Hi sqallpl & emcivile,

Do the manual cleansing first, delete the malware system files, the registry entries, cleanse your hosts file (it has been altered too) etc. etc. Maybe you have to make a back-up of all your important data,
you must have to work from SafeMode and/or temporarily have to disable system restore, then I think you could have a task at re-installing your system, because you can never tell as to what extent it has been compromised,

In short the normal cleansing for this malware:
When the virus executes, it creates the following event so that only one instance of the threat runs on the compromised computer:
Vx_4

W32.Virut.U is a virus that infects .exe and .scr files on the compromised computer.
Next, the virus checks the value for the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\"TargetHost"

The above registry entry contains IP address and port number information.
The virus may then use this information to open a back door on the compromised computer.

If the value in the above registry entry is not available,
the virus may open a back door on TCP port 80 using the following IRC server:
ircd.zief.pl


It uses the following name on the above channel:
[EIGHT RANDOM CHARACTERS]

The back door allows a remote attacker to download files on to the compromised computer and execute them.


Damage
Damage Level: Medium
Payload: Opens a back door on the compromised computer.
Modifies Files: Infects .exe and .scr files.

Disable System Restore (Windows Me/XP).
Update the virus definitions.
Run a full system scan. If the antivirus product reports that it cannot delete a detected file, you may need to stop the risk from running in order to remove it. To do this, run the scan in Safe mode. For instructions, read the document, How to start the computer in Safe Mode. Once you have restarted in Safe mode, run the scan again.

After the files are deleted, restart the computer in Normal mode.

After the computer is cleansed you should change all your passwords for your normal log-in accounts...
and for the future use only user rights for your normal activities when online, and full admin rights only for downloading updates, enabling programs, or making changes to your configuration



polonus
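Added example, not code from this thread or from any of the tools it names: an offline Python triage helper for two of the indicators the posts above describe, the "127.0.0.1 ZieF.pl" hosts-file mapping in the ThreatExpert report quoted earlier and the zief.pl iframe sqallpl found appended to saved HTML files. The sample hosts file and HTML are constructed, and the function names and the rule "any host under zief.pl is an indicator" are my own assumptions.

```python
"""Offline triage for the irc.zief.pl indicators discussed in this thread.

Constructed sample data only: no registry, file-system or network access, so it
can be run anywhere to see how the checks behave before pointing them at a real
hosts file or saved .html files.
"""
from __future__ import annotations

import re

# Domains the thread names as indicators: the hosts-file mapping in the
# ThreatExpert report ("127.0.0.1 ZieF.pl"), the IRC hosts irc.zief.pl and
# ircd.zief.pl, and the zief.pl iframe appended to saved HTML files.
# Assumption: any host under zief.pl is treated as an indicator.
INDICATOR_DOMAINS = ("zief.pl",)


def is_indicator_host(name: str) -> bool:
    """True for zief.pl itself or any subdomain of it (irc.zief.pl, ircd.zief.pl)."""
    host = name.lower().rstrip(".").split(":")[0]  # case-insensitive, ignore a port
    return any(host == d or host.endswith("." + d) for d in INDICATOR_DOMAINS)


def hosts_indicators(hosts_text: str) -> list[tuple[str, str]]:
    """Return (ip, hostname) pairs from a hosts file whose hostname is an indicator.

    Comments after '#' are ignored, as the hosts file format does. The report
    quoted above shows the mapping written in mixed case ("ZieF.pl"), so the
    comparison is case-insensitive.
    """
    hits: list[tuple[str, str]] = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        hits.extend((ip, n) for n in names if is_indicator_host(n))
    return hits


# Captures the host part of an <iframe src="..."> value; scheme-relative
# ("//host/...") and absolute ("http://host/...") forms are both handled.
IFRAME_SRC_RE = re.compile(
    r"<iframe\b[^>]*?\bsrc\s*=\s*['\"]?\s*(?:https?:)?//([^/'\"\s>?#]+)",
    re.IGNORECASE,
)


def html_injection(html: str) -> list[str]:
    """Return the host of every <iframe> in the document that points at an indicator domain.

    The thread reports the iframe appended at the bottom of saved .html files,
    but the search covers the whole document rather than only the tail.
    """
    return [m.group(1) for m in IFRAME_SRC_RE.finditer(html)
            if is_indicator_host(m.group(1))]


def triage_report(hosts_text: str, html_files: dict[str, str]) -> dict:
    """Run both checks; only HTML files with at least one hit are listed."""
    html_hits = {name: hits for name, hits in
                 ((n, html_injection(body)) for n, body in html_files.items()) if hits}
    return {"hosts": hosts_indicators(hosts_text), "html": html_hits}


# Constructed samples (not captured from a real machine).
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1 ZieF.pl
#
"""

SAMPLE_INFECTED_HTML = (
    "<html><body><p>saved page</p></body></html>\n"
    '<iframe src="http://zief.pl/rc/" width=1 height=1 style="visibility:hidden"></iframe>\n'
)

SAMPLE_CLEAN_HTML = (
    "<html><body><p>saved page</p>\n"
    '<iframe src="https://www.example.com/embed"></iframe></body></html>\n'
)

if __name__ == "__main__":
    report = triage_report(SAMPLE_HOSTS,
                           {"infected.html": SAMPLE_INFECTED_HTML,
                            "clean.html": SAMPLE_CLEAN_HTML})
    for ip, name in report["hosts"]:
        print(f"hosts file maps {name} -> {ip}")
    for fname, hosts in report["html"].items():
        print(f"{fname}: iframe to {', '.join(hosts)}")
```

To use it on a real machine, read C:\Windows\System32\drivers\etc\hosts and the saved .htm/.html files into strings and pass them to triage_report; a hit means the file still carries the indicator and should be cleaned or restored from a known-good copy.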
Title: Re: irc.zief.pl ...please help me...
Post by: emcivile on February 04, 2009, 07:58:26 PM
ok, seen. now I am formatting everything.

I cleaned other drives with a deep scan and I disabled system restore not in safe mode but in normal mode. it's the same.

another question: is it possible that the virus infected my data on a NAS I use to backup things? it is a WD Mybook II with lan 10-100-1000.

I connected it last time when I supposed to solve with a last norton ghost image.

thanks.
Title: Re: irc.zief.pl ...please help me...
Post by: polonus on February 04, 2009, 08:52:17 PM


Hi emcivile,

Well you will see, whenever .exe and .scr files are infected, or you find changed entries in the registry I mentioned earlier, you will understand you are not free of it there,

polonus


Title: Re: irc.zief.pl ...please help me...
Post by: emcivile on February 04, 2009, 10:19:07 PM
ahm.... but: two of my friends have these reg keys on their pc... but they have never done anything... I explain: now I found an installation pack containing VIRTU or part of it that I downloaded from torrent and unfortunately I opened it...
these friends have the same reg keys you have shown me... but nothing from avast or other antivirus programs.... I'll write them to tell them to check.

thanks!
Title: Re: irc.zief.pl ...please help me...
Post by: Hedge on February 06, 2009, 03:12:10 AM
I cleaned my PC with everything that could be found on the plains of the internet, read all that was written here and followed all instructions... After 2 days of torture and formatting 5 times... call me a quitter, but I'm switching to Linux.
Title: Re: irc.zief.pl ...please help me...
Post by: hamzahhaz on February 08, 2009, 01:23:48 PM
Hi everyone,

I got infected by the same virus this morning, but after 2 windows reinstalls, I managed to get rid of it, although not fully.

I'm using windows XP SP2 and avast! home 4.8, the latest version.

Apparently, as polonus has said in one of his posts, this virus infects all .exe, .htm, .html and .scr files in your computer.
It even managed to infect explorer.exe and userinit.exe in my previous windows installation (as reported by combofix), disabled my mozilla firefox and a lot of other software (media player classic, foobar2000, etc). Avast gave me a lot of "blocked access from irc.zief.pl" messages. When I tried to reinstall the software from the installers I got, the .html and .htm files created by the installer got infected instantly by the virus.
This is really one hell of a virus. I got this virus from my friend's flash disk ( forgot to clean it before I browsed the disk).

What I did to cleanse the virus was update avast to the latest version, do a thorough scan in safe mode (avast deleted all .htm and .html files it could find on my harddisk, but it couldn't detect the infected .exes), then delete all the installers I had (I have 3 partitions on my disk), do a complete windows reinstall and download all the installers I once had.

After that, I ran a thorough scan once more from safe mode (avast found 3 .scr entries and deleted them) then restart.
With this method, all the software that was disabled by the virus works again. Didn't find any weird entries in hijackthis, and the latest combofix didn't report anything. No changed entries in the registry and hosts file, either.

But still, I found something weird every time I log in. Explorer.exe won't run automatically (had to run it manually from task manager), and I got this (will attach picture later) error message every time I log into my computer. Apart from those, everything runs normally (I think). Any way to fix this?

Hope this helps, btw.
Title: Re: irc.zief.pl ...please help me...
Post by: YoKenny on February 08, 2009, 02:05:29 PM
Your system will keep getting infected until you update Windows to SP3, which has been available for over 6 months and has several security fixes.

In IE go to Tools then Windows Update then let it install all the updates.

By the way, next Tuesday is Patch Tuesday and a couple of new critical updates will be available.
Title: Re: irc.zief.pl ...please help me...
Post by: hamzahhaz on February 09, 2009, 09:37:19 AM
I've found a solution for this virus.

I've cleaned it thoroughly by using AVG's virut remover (http://www.avg.com/virus-removal.ndi-67762), then reformatting my computer.

The remover deleted almost all of my installers, but hey, everything works now, don't find anything strange anymore in my computer, logs for hijackthis and combofix are clean too.

Hope this helps.
Title: Re: irc.zief.pl ...please help me...
Post by: bob989 on February 13, 2009, 09:06:59 PM
You don't really need to scan your hard drive if you are going to reformat. A good reformat will clear all your data away. Having said that, if you really want to be sure you have wiped out all the nasties, use a bootcd that has some utilities on it, several are available on the internet. All you really need is a utility that will overwrite the hard drive with zeros, some hard drives come with such a utility disc from the manufacturer. There are also a number available on the internet. You should power your computer completely down and then unplug from the power, wait 60 seconds for the memory to clear. Replug the power, reboot from a utility cd, wipe the hard drive by writing zeros to it - this can take 1 hr to several hours depending on how many passes you want to do. When this is done, repartition the drive using either dos (fdisk) or one of the programs like partitionmagic, there are several free linux utilities that can do this as well. I would suggest when creating partitions, make the boundaries at new sizes, i.e. a boot partition of 42gb, data 36gb, if the old setup was perhaps 60gb boot, and 16gb data. Now format it and then let windows format it again when you do the install.

You should run a port scanner and a process explorer after you do the reinstall, to make sure you do not have any gremlins running in the background or using your network. When you install windows make sure your network cable is unplugged so that nothing and no one can access the machine while you do the install. Install an antivirus and do all windows updates.

Once you have a clean system, do a backup and save a copy of your registry, put both on a cd or dvd and save them in case you need to restore the system to a known good state, this will save a lot of time in case you get reinfected.

Now start scanning any cds or dvds you may have burned lately to make sure they don't have crapware hiding on them.

Title: Re: irc.zief.pl ...please help me...
Post by: raftop on March 31, 2009, 04:07:07 PM
Hey guys, I think I have the same virus here so I did a scan with avast and deleted one compromised file, but now when I'm launching my web browser, avast blocks a connection to "irc.zief.pl" and I wanted to know how I could get rid of this without having to format my computer. Here's my report on HijackThis if it could help you:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:55:39, on 31/03/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe
C:\Windows\RtHDVCpl.exe
D:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Raf\Desktop\HiJackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/ig?sourceid=navclient&hl=fr&ie=UTF-8
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.ldlc.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 130.49.221.40:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local;*.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IE7Pro\IE7Pro.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack
O4 - HKLM\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKLM\..\Run: [Habu] C:\Program Files\Razer\Habu\razerhid.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [XboxStat] "C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVICE RÉSEAU')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Add to AMV Converter... - C:\Program Files\MP3 Player Utilities 4.05\AMVConverter\grab.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: MediaManager tool grab multimedia file - C:\Program Files\MP3 Player Utilities 4.05\MediaManager\grab.html
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7Pro\IE7Pro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7Pro\IE7Pro.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
Title: Re: irc.zief.pl ...please help me...
Post by: raftop on March 31, 2009, 04:08:16 PM
O13 - Gopher Prefix:
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/VistaMSNPUpldfr-fr.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Service Bonjour (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - D:\Program Files\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Service de l’iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\Windows\system32\PnkBstrB.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

--
End of file - 10407 bytes


Thanks!