IObit Forum

Vista (Windows 7) Security 2012 / Spy Hunter 4




If you get infected by the Security 2012 Trojan, DON'T download (as suggested on some wiki-type fake forums) the Spy Hunter 4 Software.


The SH4 has been created by the same persons as the Security 2012 malware - first you'll have to PAY/BUY before being able to remove the found files, and after the reboot of your PC via SH4 it will delete your BIOS to delete any traces - better be aware and scan your PC for the following 3 items:






It might be a bit tricky as Security 2012 disables ALL of your .exe files, so antivirus or even the internet won't run. I made the possible mistake of downloading SH4 on another machine to install it, but at least it disabled Security 2012 - and as I didn't use/buy it to remove the files it didn't reboot my PC - actually I'm just trying to get rid of it and hope it didn't already kill my system ^.^


If you find a sh4ldr-folder on your PC this one has been created by SpyHunter4 and has an .mbr-file in it (master boot record). Don't know yet if I can delete it safely but I'll keep you updated and will not shut down my PC until I know that it is safe ;-)


Wish me luck and have a great day



Hi LaPanthere!


Welcome to Iobit forum!


If this is just a notification then thanks!!!!:-D


If you would like assistance with your Malware issue, I highly recommend you follow these initial steps: http://forums.iobit.com/showthread.php?t=6216


Fully trained Malware Fighter Superdave will be assisting you... wait for his reply after you have posted the logs!




Live long and prosper!


Hello and thanks a lot Melvin


I'm currently running ESET like I've read in one of the topics on your forum. I already deleted Security 2012 and am now trying to get rid of this annoying Spy Hunter 4 without getting into too much trouble :-)


I thought that it would be a good thing to let the user know not to download this "spyware removal tool" as suggested in the first Google results found. It's good marketing - most would do anything to get rid of Security 2012 and the fake wiki site (I got download links for SH4 on several sites) is very well done unfortunately.


I already deleted some files manually and also cleaned my registry manually, but will of course post the result reports here - this is my business PC, can't afford to have my BIOS deleted ;-)


Actually, my Antivir didn't recognize ANY threat on my PC, so we'll have to see if ESET does better, as I know that the threat is here. That .mbr record in the sh4ldr folder is causing me some special pain as I really don't know yet if I can just delete it safely, as I didn't have SH4 reboot my system ;-)


I think it's important to spread the news on this one, as the strategy is very well done:


- Either you "purchase" Security 2012 via the link provided in the fake alerts (blocking all your exe) and give access to your credit card data to the hackers

- OR you identify it as malware, download SpyHunter4 and BUY it to remove Security 2012 and grant access to your credit card data to hackers this way


Apparently SpyWare is the only one identifying "Security 2012" on your PC; it DOES identify threats, you can download, install and scan your PC, but you cannot remove the threats from your system before BUYING the software.


And once it reboots the system it will also erase the BIOS ;-)


Hi LaPanthere!


Thanks for all your feedback on this!;-)


Superdave is a Graduate Of GeekPolice Academy and can help you with any residual Malware on your machine... the more you tell me, the more I urge you to follow the steps in my original post here so that the information is readily available for him when he next logs in.


Superdave is active and respected on multiple forums and his presence here is a blessing.:-D





I bet that Dave is THE crack after all the posts I've seen here.


Anyway I cannot follow your suggestions as TFC would reboot my system, and if it's already completely infected by SpyHunter this would cause my BIOS to be erased - I cannot take this risk, sorry ;-)


I'm an old school user familiar with PC's since Commodore 64, Schneider or Atari ST, but not very much into the technical stuff since DOS or Win 3.11.


Anyway I found that you'll have to delete the following program and registry entries from SpyHunter:


- Anything with "Enigma Software", "SpyHunter" and the .tmp folder located in c:\windows containing the WiseCustomCalla Stuff. Don't try to run the SpyHunter Uninstaller as it would urge the WiseCustomCall to execute ;-)


In my case this folder is called "1C7CC8E2CFCF41E6A8637C7A45CE8A78.TMP" but this will vary on each computer.


Hi LaPanthere!


Forget TFC then! Can you run the DDS? If you are concerned about trying to run DDS... then I would advise to stop doing anything at all to your machine and wait for Dave! He may be back this evening, I don't know. He seems to usually check in 3-5 times a day.






Hi LaPanthere!


It is ok that you are running ESET. I noticed you were running ESET from your earlier post. Dave may ask you to run ESET again at some point.


Please understand that the Malware solutions posted for one user on these threads may pose a risk if duplicated by another user (even one step when duplicated). Especially with the more Powerful softwares involved that only follow commands!


Please post the two DDS logs without running any more applications!:grin:





DDS Part 1:






DDS (Ver_2011-08-26.01)


Microsoft® Windows Vista™ Édition Familiale Basique

Boot Device: \Device\HarddiskVolume2

Install Date: 25/10/2007 20:05:48

System Uptime: 09/01/2012 12:07:31 (16 hours ago)


Motherboard: Acer | | F690GVM

Processor: AMD Athlon 64 Processor 4000+ | Socket AM2 | 2600/199mhz


==== Disk Partitions =========================


C: is FIXED (NTFS) - 70 GiB total, 20,705 GiB free.

D: is FIXED (NTFS) - 70 GiB total, 31,888 GiB free.


F: is Removable

G: is Removable

H: is Removable

I: is Removable

K: is CDROM ()


==== Disabled Device Manager Items =============


Class GUID: {4d36e96f-e325-11ce-bfc1-08002be10318}

Description: Souris compatible PS/2

Device ID: ACPI\PNP0F13\3&18D45AA6&0

Manufacturer: Microsoft

Name: Souris compatible PS/2

PNP Device ID: ACPI\PNP0F13\3&18D45AA6&0

Service: i8042prt


==== System Restore Points ===================



==== Installed Programs ======================




==== End Of File ===========================


DDS Part 2:



DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 9.0.8112.16421

Run by Admin at 4:06:59 on 2012-01-10

Microsoft® Windows Vista™ Édition Familiale Basique 6.0.6002.2.1252.33.1036.18.767.129 [GMT 1:00]


AV: AntiVir Desktop *Enabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: AntiVir Desktop *Enabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}


============== Running Processes ===============








============== Pseudo HJT Report ===============




============= SERVICES / DRIVERS ===============



=============== Created Last 30 ================




==================== Find3M ====================




============= FINISH: 4:11:37,91 ===============


Hello and welcome to IOBit Forums. My name is Dave. I will be helping you out with your particular problem on your computer.


1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.

2. The fixes are specific to your problem and should only be used for this issue on this machine.

3. If you don't know or understand something, please don't hesitate to ask.

4. Please DO NOT run any other tools or scans while I am helping you.

5. It is important that you reply to this thread. Do not start a new topic.

6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.

7. Absence of symptoms does not mean that everything is clear.


If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.





If you already have SUPERAntiSpyware be sure to check for updates before scanning!


Download SuperAntispyware Free Edition (SAS)

* Double-click the icon on your desktop to run the installer.

* When asked to Update the program definitions, click Yes

* If you encounter any problems while downloading the updates, manually download and unzip them from here

* Next click the Preferences button.


•Under Start-Up Options uncheck Start SUPERAntiSpyware when Windows starts

* Click the Scanning Control tab.

* Under Scanner Options make sure only the following are checked:


•Close browsers before scanning

•Scan for tracking cookies

•Terminate memory threats before quarantining

Please leave the others unchecked


•Click the Close button to leave the control center screen.


* On the main screen click Scan your computer

* On the left check the box for the drive you are scanning.

* On the right choose Perform Complete Scan

* Click Next to start the scan. Please be patient while it scans your computer.

* After the scan is complete a summary box will appear. Click OK

* Make sure everything in the white box has a check next to it, then click Next

* It will quarantine what it found and if it asks if you want to reboot, click Yes


•To retrieve the removal information please do the following:

•After reboot, double-click the SUPERAntiSpyware icon on your desktop.

•Click Preferences. Click the Statistics/Logs tab.


•Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.


•It will open in your default text editor (preferably Notepad).

•Save the notepad file to your desktop by clicking (in notepad) File > Save As...


* Save the log somewhere you can easily find it. (normally the desktop)

* Click close and close again to exit the program.

*Copy and Paste the log in your post.




Please download Malwarebytes Anti-Malware from here.

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:


If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


So finally back and scans done - it was already 5 AM here and I had the PC scan alone while I took some short moments of sleep ;-)


SUPERAntiSpyware Scan Log



Generated 01/11/2012 at 05:19 AM


Application Version : 5.0.1142


Core Rules Database Version : 8121

Trace Rules Database Version: 5933


Scan type : Complete Scan

Total Scan Time : 01:41:30


Operating System Information

Windows Vista Home Basic 32-bit, Service Pack 2 (Build 6.00.6002)

UAC On - Limited User (Administrator User)


Memory items scanned : 639

Memory threats detected : 0

Registry items scanned : 37197

Registry threats detected : 1

File items scanned : 168286

File threats detected : 101


Adware.Tracking Cookie

C:\USERS\ADMIN\AppData\Roaming\Microsoft\Windows\Cookies\Low\0IF1UKL2.txt [ Cookie:admin@ad3.adfarm1.adition.com/ ]

C:\USERS\ADMIN\AppData\Roaming\Microsoft\Windows\Cookies\Low\5OZ88SHN.txt [ Cookie:admin@gae.solution.weborama.fr/ ]

C:\USERS\ADMIN\AppData\Roaming\Microsoft\Windows\Cookies\Low\ZO3N5D0B.txt [ Cookie:admin@adfarm1.adition.com/ ]

C:\USERS\ADMIN\AppData\Roaming\Microsoft\Windows\Cookies\Low\16FQ1APU.txt [ Cookie:admin@barrirepoker.solution.weborama.fr/ ]

C:\USERS\ADMIN\AppData\Roaming\Microsoft\Windows\Cookies\Low\75X05DUA.txt [ Cookie:admin@vivastreet.112.2o7.net/ ]

C:\USERS\ADMIN\AppData\Roaming\Microsoft\Windows\Cookies\Low\3NPLH5UQ.txt [ Cookie:admin@legolas-media.com/ ]

C:\USERS\ADMIN\AppData\Roaming\Microsoft\Windows\Cookies\Low\SX3K0R2H.txt [ Cookie:admin@advertising.com/ ]

C:\USERS\ADMIN\AppData\Roaming\Microsoft\Windows\Cookies\Low\H7EFMGIM.txt [ Cookie:admin@adviva.net/ ]

C:\USERS\ADMIN\AppData\Roaming\Microsoft\Windows\Cookies\Low\3CZ001CI.txt [ Cookie:admin@amazon-adsystem.com/ ]

C:\USERS\ADMIN\AppData\Roaming\Microsoft\Windows\Cookies\Low\MI6Z43KC.txt [ Cookie:admin@ad6media.fr/ ]

C:\USERS\ADMIN\AppData\Roaming\Microsoft\Windows\Cookies\Low\0UB0Y6D9.txt [ Cookie:admin@ad.piximedia.com/ ]

C:\USERS\ADMIN\AppData\Roaming\Microsoft\Windows\Cookies\Low\U2B5G7CG.txt [ Cookie:admin@steelhousemedia.com/ ]

C:\USERS\ADMIN\AppData\Roaming\Microsoft\Windows\Cookies\Low\LVMKKUGE.txt [ Cookie:admin@ad.zanox.com/ ]

C:\USERS\ADMIN\AppData\Roaming\Microsoft\Windows\Cookies\Low\V61TURRA.txt [ Cookie:admin@webclickengine.com/rotads/ ]

C:\USERS\ADMIN\AppData\Roaming\Microsoft\Windows\Cookies\Low\843GI1DP.txt [ Cookie:admin@tracking.quisma.com/ ]

C:\USERS\ADMIN\AppData\Roaming\Microsoft\Windows\Cookies\Low\VNYWAKSZ.txt [ Cookie:admin@xiti.com/ ]

C:\USERS\ADMIN\AppData\Roaming\Microsoft\Windows\Cookies\Low\HOTCVS63.txt [ Cookie:admin@media6degrees.com/ ]

C:\USERS\ADMIN\AppData\Roaming\Microsoft\Windows\Cookies\Low\PEDQL8K6.txt [ Cookie:admin@www.googleadservices.com/pagead/conversion/1070847646/ ]

C:\USERS\ADMIN\AppData\Roaming\Microsoft\Windows\Cookies\Low\E9NOJYNU.txt [ Cookie:admin@doubleclick.net/ ]

C:\USERS\ADMIN\AppData\Roaming\Microsoft\Windows\Cookies\Low\49P12FAZ.txt [ Cookie:admin@bouyguestelecom.solution.weborama.fr/ ]

C:\USERS\ADMIN\AppData\Roaming\Microsoft\Windows\Cookies\Low\SS0MEIZ1.txt [ Cookie:admin@clickintext.net/ ]

C:\USERS\ADMIN\AppData\Roaming\Microsoft\Windows\Cookies\Low\A0IBSP6O.txt [ Cookie:admin@movitex.122.2o7.net/ ]

C:\USERS\ADMIN\AppData\Roaming\Microsoft\Windows\Cookies\Low\6M3KP7BM.txt [ Cookie:admin@kontera.com/ ]

C:\USERS\ADMIN\AppData\Roaming\Microsoft\Windows\Cookies\Low\R1LTI90K.txt [ Cookie:admin@advertstream.com/a ]

C:\USERS\ADMIN\AppData\Roaming\Microsoft\Windows\Cookies\Low\42OU4RDD.txt [ Cookie:admin@invitemedia.com/ ]

C:\USERS\ADMIN\AppData\Roaming\Microsoft\Windows\Cookies\Low\7S4YQLQ7.txt [ Cookie:admin@track.effiliation.com/servlet/ ]

C:\USERS\ADMIN\AppData\Roaming\Microsoft\Windows\Cookies\Low\SS3MHS3P.txt [ Cookie:admin@s07.flagcounter.com/ ]

C:\USERS\ADMIN\AppData\Roaming\Microsoft\Windows\Cookies\Low\66WAZ67F.txt [ Cookie:admin@collective-media.net/ ]

C:\USERS\ADMIN\AppData\Roaming\Microsoft\Windows\Cookies\Low\AIV7207Y.txt [ Cookie:admin@bubblestat.com/ ]

C:\USERS\ADMIN\AppData\Roaming\Microsoft\Windows\Cookies\Low\30RAX4J6.txt [ Cookie:admin@www.googleadservices.com/pagead/conversion/1041836870/ ]

C:\USERS\ADMIN\AppData\Roaming\Microsoft\Windows\Cookies\Low\C7DSWTEV.txt [ Cookie:admin@serving-sys.com/ ]

C:\USERS\ADMIN\AppData\Roaming\Microsoft\Windows\Cookies\Low\V14JCKAV.txt [ Cookie:admin@smartadserver.com/ ]

C:\USERS\ADMIN\AppData\Roaming\Microsoft\Windows\Cookies\Low\3LY5BOGN.txt [ Cookie:admin@weborama.fr/ ]

C:\USERS\ADMIN\AppData\Roaming\Microsoft\Windows\Cookies\Low\Q04G361E.txt [ Cookie:admin@clubmed.solution.weborama.fr/ ]

C:\USERS\ADMIN\AppData\Roaming\Microsoft\Windows\Cookies\Low\C8TG0ATR.txt [ Cookie:admin@mediaplex.com/ ]

C:\USERS\ADMIN\AppData\Roaming\Microsoft\Windows\Cookies\Low\5FHSX79P.txt [ Cookie:admin@track.effiliation.com/ ]

C:\USERS\ADMIN\AppData\Roaming\Microsoft\Windows\Cookies\Low\G7Y5AHIF.txt [ Cookie:admin@ad2.adfarm1.adition.com/ ]

C:\USERS\ADMIN\AppData\Roaming\Microsoft\Windows\Cookies\Low\YCOZQ7HM.txt [ Cookie:admin@boursoramabanque.solution.weborama.fr/ ]

C:\USERS\ADMIN\AppData\Roaming\Microsoft\Windows\Cookies\Low\8BAXRJ8M.txt [ Cookie:admin@bs.serving-sys.com/ ]

C:\USERS\ADMIN\AppData\Roaming\Microsoft\Windows\Cookies\Low\BH7N0M2B.txt [ Cookie:admin@apmebf.com/ ]

C:\USERS\ADMIN\AppData\Roaming\Microsoft\Windows\Cookies\Low\4I21IIGQ.txt [ Cookie:admin@ad.yieldmanager.com/ ]

C:\USERS\ADMIN\AppData\Roaming\Microsoft\Windows\Cookies\Low\KXQKFIZM.txt [ Cookie:admin@c.atdmt.com/ ]

C:\USERS\ADMIN\AppData\Roaming\Microsoft\Windows\Cookies\Low\RMBLK4QE.txt [ Cookie:admin@adtech.de/ ]

C:\USERS\INVITé\AppData\Roaming\Microsoft\Windows\Cookies\Low\invité@laredoutebranding.solution.weborama[2].txt [ Cookie:invité@laredoutebranding.solution.weborama.fr/ ]

C:\USERS\INVITé\AppData\Roaming\Microsoft\Windows\Cookies\Low\invité@247realmedia[2].txt [ Cookie:invité@247realmedia.com/ ]

C:\USERS\INVITé\AppData\Roaming\Microsoft\Windows\Cookies\Low\invité@casalemedia[2].txt [ Cookie:invité@casalemedia.com/ ]

C:\USERS\INVITé\AppData\Roaming\Microsoft\Windows\Cookies\Low\invité@advertising[1].txt [ Cookie:invité@advertising.com/ ]

C:\USERS\INVITé\AppData\Roaming\Microsoft\Windows\Cookies\Low\invité@acces-adulte[1].txt [ Cookie:invité@acces-adulte.com/ ]

C:\USERS\INVITé\AppData\Roaming\Microsoft\Windows\Cookies\Low\invité@weborama[1].txt [ Cookie:invité@weborama.fr/ ]

C:\USERS\INVITé\AppData\Roaming\Microsoft\Windows\Cookies\Low\invité@lagarderefrance.solution.weborama[2].txt [ Cookie:invité@lagarderefrance.solution.weborama.fr/ ]

C:\USERS\INVITé\AppData\Roaming\Microsoft\Windows\Cookies\Low\invité@elle.solution.weborama[1].txt [ Cookie:invité@elle.solution.weborama.fr/ ]

C:\USERS\INVITé\AppData\Roaming\Microsoft\Windows\Cookies\Low\invité@atdmt[2].txt [ Cookie:invité@atdmt.com/ ]

C:\USERS\INVITé\AppData\Roaming\Microsoft\Windows\Cookies\Low\invité@adinterax[2].txt [ Cookie:invité@adinterax.com/ ]

C:\USERS\INVITé\AppData\Roaming\Microsoft\Windows\Cookies\Low\invité@rm.piximedia[1].txt [ Cookie:invité@rm.piximedia.fr/v2/ ]

C:\USERS\INVITé\AppData\Roaming\Microsoft\Windows\Cookies\Low\invité@doubleclick[2].txt [ Cookie:invité@doubleclick.net/ ]

C:\USERS\INVITé\AppData\Roaming\Microsoft\Windows\Cookies\Low\invité@xiti[1].txt [ Cookie:invité@xiti.com/ ]

C:\USERS\INVITé\AppData\Roaming\Microsoft\Windows\Cookies\Low\invité@msnportal.112.2o7[1].txt [ Cookie:invité@msnportal.112.2o7.net/ ]

C:\USERS\INVITé\AppData\Roaming\Microsoft\Windows\Cookies\Low\invité@zedo[2].txt [ Cookie:invité@zedo.com/ ]

C:\USERS\INVITé\AppData\Roaming\Microsoft\Windows\Cookies\Low\invité@smartadserver[1].txt [ Cookie:invité@smartadserver.com/ ]

C:\USERS\KALI\AppData\Roaming\Microsoft\Windows\Cookies\Low\kali@boursoramabanque.solution.weborama[2].txt [ Cookie:kali@boursoramabanque.solution.weborama.fr/ ]

C:\USERS\KALI\AppData\Roaming\Microsoft\Windows\Cookies\Low\kali@msnportal.112.2o7[1].txt [ Cookie:kali@msnportal.112.2o7.net/ ]

C:\USERS\KALI\AppData\Roaming\Microsoft\Windows\Cookies\Low\kali@weborama[1].txt [ Cookie:kali@weborama.fr/ ]

C:\USERS\KALI\AppData\Roaming\Microsoft\Windows\Cookies\Low\kali@adrevolver[1].txt [ Cookie:kali@adrevolver.com/ ]

C:\USERS\KALI\AppData\Roaming\Microsoft\Windows\Cookies\Low\kali@media.adrevolver[3].txt [ Cookie:kali@media.adrevolver.com/adrevolver/ ]

C:\USERS\KALI\AppData\Roaming\Microsoft\Windows\Cookies\Low\kali@mediaplex[1].txt [ Cookie:kali@mediaplex.com/ ]

C:\USERS\KALI\AppData\Roaming\Microsoft\Windows\Cookies\Low\kali@654.stats.misstrends[2].txt [ Cookie:kali@654.stats.misstrends.com/stats/ ]

C:\USERS\KALI\AppData\Roaming\Microsoft\Windows\Cookies\Low\kali@media.adrevolver[2].txt [ Cookie:kali@media.adrevolver.com/ ]

C:\USERS\KALI\AppData\Roaming\Microsoft\Windows\Cookies\Low\kali@richmedia.yahoo[1].txt [ Cookie:kali@richmedia.yahoo.com/ ]

C:\USERS\KALI\AppData\Roaming\Microsoft\Windows\Cookies\Low\kali@1808.stats.misstrends[1].txt [ Cookie:kali@1808.stats.misstrends.com/stats/ ]

C:\USERS\KALI\AppData\Roaming\Microsoft\Windows\Cookies\Low\kali@yourmedia[1].txt [ Cookie:kali@yourmedia.com/ ]

C:\USERS\KALI\AppData\Roaming\Microsoft\Windows\Cookies\Low\kali@samsung.solution.weborama[2].txt [ Cookie:kali@samsung.solution.weborama.fr/ ]


C:\USERS\KALI\AppData\Roaming\Microsoft\Windows\Cookies\Low\kali@atdmt[1].txt [ Cookie:kali@atdmt.com/ ]

C:\USERS\KALI\AppData\Roaming\Microsoft\Windows\Cookies\Low\kali@smartadserver[2].txt [ Cookie:kali@smartadserver.com/ ]

C:\USERS\KALI\AppData\Roaming\Microsoft\Windows\Cookies\Low\kali@dynamic.media.adrevolver[2].txt [ Cookie:kali@dynamic.media.adrevolver.com/ ]

C:\USERS\KALI\AppData\Roaming\Microsoft\Windows\Cookies\Low\kali@www.sexyavenue[2].txt [ Cookie:kali@www.sexyavenue.com/ ]

C:\USERS\KALI\AppData\Roaming\Microsoft\Windows\Cookies\Low\kali@doubleclick[2].txt [ Cookie:kali@doubleclick.net/ ]

C:\USERS\KALI\AppData\Roaming\Microsoft\Windows\Cookies\Low\kali@apmebf[1].txt [ Cookie:kali@apmebf.com/ ]

C:\USERS\KALI\AppData\Roaming\Microsoft\Windows\Cookies\Low\kali@advertising[2].txt [ Cookie:kali@advertising.com/ ]

C:\USERS\KALI\AppData\Roaming\Microsoft\Windows\Cookies\Low\kali@879.stats.misstrends[2].txt [ Cookie:kali@879.stats.misstrends.com/stats/ ]

C:\USERS\KALI\AppData\Roaming\Microsoft\Windows\Cookies\Low\kali@serving-sys[1].txt [ Cookie:kali@serving-sys.com/ ]

C:\USERS\KALI\AppData\Roaming\Microsoft\Windows\Cookies\Low\kali@bs.serving-sys[2].txt [ Cookie:kali@bs.serving-sys.com/ ]

C:\USERS\KALI\AppData\Roaming\Microsoft\Windows\Cookies\Low\kali@microsoftinternetexplorer.112.2o7[1].txt [ Cookie:kali@microsoftinternetexplorer.112.2o7.net/ ]

C:\USERS\KALI\AppData\Roaming\Microsoft\Windows\Cookies\Low\kali@5272.stats.misstrends[1].txt [ Cookie:kali@5272.stats.misstrends.com/stats/ ]

C:\USERS\KALI\AppData\Roaming\Microsoft\Windows\Cookies\Low\kali@fl01.ct2.comclick[1].txt [ Cookie:kali@fl01.ct2.comclick.com/ ]

C:\USERS\KALI\AppData\Roaming\Microsoft\Windows\Cookies\Low\kali@cz8.clickzs[2].txt [ Cookie:kali@cz8.clickzs.com/ ]

C:\USERS\KALI\AppData\Roaming\Microsoft\Windows\Cookies\Low\kali@bluestreak[2].txt [ Cookie:kali@bluestreak.com/ ]

C:\USERS\KALI\AppData\Roaming\Microsoft\Windows\Cookies\Low\kali@sexyavenue[1].txt [ Cookie:kali@sexyavenue.com/ ]

C:\USERS\KALI\AppData\Roaming\Microsoft\Windows\Cookies\Low\kali@photos.bellesexy[2].txt [ Cookie:kali@photos.bellesexy.com/ ]

C:\USERS\KALI\AppData\Roaming\Microsoft\Windows\Cookies\Low\kali@overture[2].txt [ Cookie:kali@overture.com/ ]


Malwarebytes Anti-Malware (Trial)



Database version: v2012.01.11.02


Windows Vista Service Pack 2 x86 NTFS

Internet Explorer 9.0.8112.16421

Admin :: WORKSTATION [administrator]


Protection: Enabled


11/01/2012 12:29:13

mbam-log-2012-01-11 (12-29-13).txt


Scan type: Full scan

Scan options enabled: Memory | Startup | Registry | File System |


Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 356723

Time elapsed: 1 hour(s), 6 minute(s), 12 second(s)


Memory Processes Detected: 0

(No malicious items detected)


Memory Modules Detected: 0

(No malicious items detected)


Registry Keys Detected: 0

(No malicious items detected)


Registry Values Detected: 0

(No malicious items detected)


Registry Data Items Detected: 0

(No malicious items detected)


Folders Detected: 0

(No malicious items detected)


Files Detected: 0

(No malicious items detected)




Download ComboFix by sUBs from one of the below links. Be sure to save it to the Desktop.


link # 1

Link # 2

If you are using Firefox, make sure that your download settings are as follows:


* Tools->Options->Main tab

* Set to "Always ask me where to Save the files".


Close any open web browsers (Firefox, Internet Explorer, etc) before starting ComboFix.


Temporarily disable your anti-virus, and any anti-spyware real-time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.


Right-click combofix.exe and select Run as Administrator and follow the prompts.

When finished, ComboFix will produce a log for you.

Post the ComboFix log in your next reply.


NOTE: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.


Remember to re-enable your anti-virus and anti-spyware protection when ComboFix is complete.


Thanks again Dave


Here's the result. As I'm located in southern France with a French Vista version, it produced the report in French though.


ComboFix 12-01-10.02 - Admin 11/01/2012 22:02:59.1.1 - x86

Microsoft® Windows Vista™ Édition Familiale Basique 6.0.6002.2.1252.33.1036.18.767.289 [GMT 1:00]

Lancé depuis: d:\downloads\ComboFix.exe

AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}

SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}



(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))



c:\programdata\Tarma Installer

c:\programdata\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setup.dll

c:\programdata\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.dat

c:\programdata\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.exe

c:\programdata\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.ico

((((((((((((((((((((((((((((( Fichiers créés du 2011-12-11 au 2012-01-11 ))))))))))))))))))))))))))))))))))))



2012-01-11 21:12 . 2012-01-11 21:12 -------- d-----w- c:\users\Kali\AppData\Local\temp

2012-01-11 21:12 . 2012-01-11 21:12 -------- d-----w- c:\users\Invité\AppData\Local\temp

2012-01-11 21:12 . 2012-01-11 21:13 -------- d-----w- c:\users\Admin\AppData\Local\temp

2012-01-11 21:12 . 2012-01-11 21:12 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-01-11 19:24 . 2012-01-11 19:24 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{07B64968-E001-4F74-9518-04A6F819770A}\offreg.dll

2012-01-11 02:28 . 2012-01-11 02:28 -------- d-----w- c:\users\Admin\AppData\Roaming\Malwarebytes

2012-01-11 02:27 . 2012-01-11 02:27 -------- d-----w- c:\programdata\Malwarebytes

2012-01-11 02:27 . 2012-01-11 02:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-01-11 02:27 . 2011-12-10 14:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-01-11 02:26 . 2012-01-11 02:26 -------- d-----w- c:\users\Admin\AppData\Roaming\SUPERAntiSpyware.com

2012-01-11 02:25 . 2012-01-11 02:26 -------- d-----w- c:\program files\SUPERAntiSpyware

2012-01-11 02:25 . 2012-01-11 02:25 -------- d-----w- c:\programdata\SUPERAntiSpyware.com

2012-01-11 00:50 . 2011-11-21 10:47 6823496 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{07B64968-E001-4F74-9518-04A6F819770A}\mpengine.dll

2012-01-09 23:56 . 2012-01-09 23:56 -------- d-----w- c:\program files\ESET

2012-01-09 19:27 . 2012-01-09 19:27 110080 ----a-r- c:\users\Admin\AppData\Roaming\Microsoft\Installer\{1C7CC8E2-CFCF-41E6-A863-7C7A45CE8A78}\IconCF33A0CE.exe

2012-01-09 19:27 . 2012-01-09 19:27 110080 ----a-r- c:\users\Admin\AppData\Roaming\Microsoft\Installer\{1C7CC8E2-CFCF-41E6-A863-7C7A45CE8A78}\IconF7A21AF7.exe

2012-01-09 19:27 . 2012-01-09 19:27 110080 ----a-r- c:\users\Admin\AppData\Roaming\Microsoft\Installer\{1C7CC8E2-CFCF-41E6-A863-7C7A45CE8A78}\IconD7F16134.exe

2012-01-09 19:26 . 2012-01-09 19:26 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2012-01-08 17:10 . 2011-11-23 13:37 2043904 ----a-w- c:\windows\system32\win32k.sys

2012-01-08 17:09 . 2011-09-30 15:57 707584 ----a-w- c:\program files\Common Files\System\wab32.dll

2012-01-07 17:44 . 2012-01-07 19:28 -------- d-----w- c:\users\Admin\AppData\Roaming\xrecode2

2012-01-07 17:27 . 2012-01-07 17:28 -------- d-----w- C:\tmp

2012-01-07 17:04 . 2011-04-16 20:08 446464 ----a-w- c:\windows\system32\MACDll.dll

2011-12-31 17:24 . 2011-12-31 17:24 -------- d-----w- c:\users\Admin\AppData\Roaming\Softplicity

2011-12-30 21:53 . 2011-12-30 21:53 -------- d-----w- c:\program files\KaraokeDX

2011-12-19 14:01 . 2012-01-09 17:04 -------- d-----w- c:\users\Admin\AppData\Roaming\Microsoft Games

2011-12-19 13:56 . 2011-12-19 13:56 -------- d-----w- c:\programdata\Microsoft Games

2011-12-18 14:48 . 2011-12-18 14:48 -------- d-----w- c:\program files\JoWood

2011-12-18 01:14 . 2011-12-18 01:14 108144 ----a-w- c:\windows\system32\CmdLineExt.dll

2011-12-18 01:14 . 2007-01-24 14:27 255848 ----a-w- c:\windows\system32\xactengine2_6.dll

2011-12-18 01:14 . 2006-12-08 11:02 251672 ----a-w- c:\windows\system32\xactengine2_5.dll

2011-12-18 01:14 . 2006-11-29 12:06 440080 ----a-w- c:\windows\system32\d3dx10.dll

2011-12-18 01:14 . 2006-11-29 12:06 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll

2011-12-18 01:14 . 2006-09-28 15:05 237848 ----a-w- c:\windows\system32\xactengine2_4.dll

2011-12-18 01:14 . 2006-09-28 15:05 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll

2011-12-18 01:14 . 2006-07-28 08:30 236824 ----a-w- c:\windows\system32\xactengine2_3.dll

2011-12-18 01:14 . 2006-07-28 08:30 62744 ----a-w- c:\windows\system32\xinput1_2.dll

2011-12-18 01:13 . 2005-05-26 14:34 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll

2011-12-17 16:07 . 2011-12-17 16:07 239168 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys

2011-12-17 16:07 . 2011-12-17 16:07 -------- d-----w- c:\program files\DAEMON Tools Lite

2011-12-17 16:07 . 2012-01-06 15:03 -------- d-----w- c:\users\Admin\AppData\Roaming\DAEMON Tools Lite

2011-12-17 16:07 . 2011-12-17 16:07 -------- d-----w- c:\programdata\DAEMON Tools Lite

2011-12-15 17:38 . 2011-12-15 17:39 -------- d-----w- c:\program files\Common Files\3DO Shared




(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))


2011-12-09 10:59 . 2011-06-08 09:46 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-10-20 23:26 . 2011-10-20 23:26 94208 ----a-w- c:\windows\system32\dpl100.dll



((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))



*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés



[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]

2011-07-22 23:53 787744 ----a-w- c:\program files\Yontoo Layers Runtime\YontooIEClient.dll



"ccleaner"="c:\program files\CCleaner\CCleaner.exe" [2011-10-21 2663232]



"Acer Empowering Technology Monitor"="c:\acer\Empowering Technology\SysMonitor.exe" [2007-01-24 319488]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-04-21 281768]



"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]



"EnableUIADesktopToggle"= 0 (0x0)



"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]






[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoStartNPSAgent]

2009-04-02 16:05 102400 ----a-w- c:\program files\Samsung\Samsung New PC Studio\NPSAgent.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]

2007-04-03 16:50 1603152 ----a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]

2007-05-14 16:01 644696 ----a-w- c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]

2011-07-28 23:08 1259376 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]

2011-12-24 16:50 460872 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skytel]

2007-03-16 07:06 1822720 ----a-w- c:\windows\SkyTel.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WarReg_PopUp]

2006-11-05 19:48 57344 ----a-w- c:\acer\WR_PopUp\WarReg_PopUp.exe


[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]



[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]



[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]



S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2011-08-11 116608]



[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc

LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache


Contenu du dossier 'Tâches planifiées'



------- Examen supplémentaire -------


uStart Page = about:blank

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

mStart Page = hxxp://fr.fr.acer.yahoo.com

uSearchURL,(Default) = hxxp://fr.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://fr.search.yahoo.com

IE: &Winamp Search - c:\programdata\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html

IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm

IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm

IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm

IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm

IE: E&xporter vers Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

Trusted Zone: orange.fr\www

TCP: DhcpNameServer =

DPF: {04CB5B64-5915-4629-B869-8945CEBADD21} - hxxps://static.impots.gouv.fr/abos/static/securite/certdgi1.cab




HKLM-Run-eRecoveryService - (no file)

HKLM-Run-NPSStartup - (no file)

HKU-Default-Run-Acer Tour Reminder - c:\acer\AcerTour\Reminder.exe

MSConfigStartUp-Acer Tour Reminder - c:\acer\AcerTour\Reminder.exe

AddRemove-Heroes of Might and Magic IV - c:\windows\IsUn0407.exe

AddRemove-{889DF117-14D1-44EE-9F31-C5FB5D47F68B} - c:\progra~2\TARMAI~1\{889DF~1\Setup.exe

AddRemove-FoxTab Music Converter - c:\program files\Music\MusicConverter\Uninstall\Uninstall.exe






catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-01-11 22:13

Windows 6.0.6002 Service Pack 2 NTFS


Recherche de processus cachés ...


Recherche d'éléments en démarrage automatique cachés ...


Recherche de fichiers cachés ...


Scan terminé avec succès

Fichiers cachés: 0





"ImagePath"="c:\windows\system32\GameMon.des -service"


--------------------- CLES DE REGISTRE BLOQUEES ---------------------



@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)



Heure de fin: 2012-01-11 22:19:55

ComboFix-quarantined-files.txt 2012-01-11 21:19


Avant-CF: 21*537*296*384 octets libres

Après-CF: 27*273*584*640 octets libres


- - End Of File - - 36D05A3C6D8A0C59AFF0BD10F6EEF3D6

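Since the ComboFix report lists every file created in the last 30 days, here is a short Python script (an added example for readers of this thread, not ComboFix's own code and not something posted by anyone here) that parses those "Fichiers créés" lines and points out the entries worth a second look: kernel drivers written under system32\drivers, executables dropped under a user profile, and files whose modification time predates their creation time. The sample lines are copied from the report above. The flags are review hints, not verdicts; mbam.sys, for instance, is the Malwarebytes driver installed earlier in this thread.

```python
"""Parse the "Fichiers créés" (files created) section of a ComboFix report and
flag entries that deserve a closer look. Added example, not ComboFix code."""
import re

# One ComboFix file line: "<created> . <modified> <size or --------> <attrs> <path>"
COMBOFIX_FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) "
    r"(?P<attrs>[-dahrsw]+) "
    r"(?P<path>\S.*)$"
)

# Sample input constructed from the ComboFix log posted in this thread
# (raw string so the backslashes in the Windows paths stay literal).
SAMPLE_LINES = r"""
2012-01-11 21:12 . 2012-01-11 21:12 -------- d-----w- c:\users\Admin\AppData\Local\temp
2012-01-11 02:27 . 2011-12-10 14:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-08 17:10 . 2011-11-23 13:37 2043904 ----a-w- c:\windows\system32\win32k.sys
2011-12-17 16:07 . 2011-12-17 16:07 239168 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2012-01-09 19:27 . 2012-01-09 19:27 110080 ----a-r- c:\users\Admin\AppData\Roaming\Microsoft\Installer\{1C7CC8E2-CFCF-41E6-A863-7C7A45CE8A78}\IconCF33A0CE.exe
"""


def parse_combofix_files(text):
    """Return one dict per recognised file line; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = COMBOFIX_FILE_RE.match(line.strip())
        if not m:
            continue
        size = m.group("size")
        attrs = m.group("attrs")
        entries.append({
            "created": m.group("created"),
            "modified": m.group("modified"),
            "size": int(size) if size.isdigit() else None,  # "--------" means a directory
            "attrs": attrs,
            "is_dir": attrs.startswith("d"),
            "path": m.group("path"),
        })
    return entries


def triage(entries):
    """Return [(path, [reasons])] for files that match a review heuristic.

    The heuristics are deliberately simple: where a file landed and whether its
    mtime is older than its creation time (normal for files copied out of an
    installer or archive, but also what timestomping looks like).
    """
    findings = []
    for e in entries:
        if e["is_dir"]:
            continue
        p = e["path"].lower()
        reasons = []
        if p.endswith(".sys") and "\\system32\\drivers\\" in p:
            reasons.append("kernel driver written to system32\\drivers")
        if p.endswith(".exe") and "\\appdata\\" in p:
            reasons.append("executable under a user profile (AppData)")
        # Timestamps are "YYYY-MM-DD HH:MM", so string comparison orders them correctly.
        if e["modified"] < e["created"]:
            reasons.append("modification time predates creation time")
        if reasons:
            findings.append((e["path"], reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in triage(parse_combofix_files(SAMPLE_LINES)):
        print(path)
        for r in reasons:
            print("   -", r)
```

Paste the whole report into a file and feed its text to parse_combofix_files() instead of SAMPLE_LINES; the regex ignores the banner lines and the registry sections, so no pre-cleaning is needed.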

Here's the result. As I'm located in southern France with a French Vista version, it produced the report in French though.

No problem. I can read French. Most of my hockey buddies are French.


SysProt Antirootkit



SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the

Unzip it into a folder on your desktop.

  • Double click Sysprot.exe to start the program.
  • Click on the Log tab.
  • In the Write to log box select the following items.
    • Process << Selected
    • Kernel Modules << Selected
    • SSDT << Selected
    • Kernel Hooks << Selected
    • IRP Hooks << NOT Selected
    • Ports << NOT Selected
    • Hidden Files << Selected
  • At the bottom of the page
    • Hidden Objects Only << Selected
  • Click on the Create Log button on the bottom right.
  • After a few seconds a new window should appear.
  • Select Scan Root Drive. Click on the Start button.
  • When it is complete a new window will appear to indicate that the scan is finished.
  • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.


SysProt AntiRootkit v1.0.1.0

by swatkat





No Hidden Processes found




No Hidden Kernel Modules found




No SSDT Hooks found




No Kernel Hooks found




No hidden files/folders found


Rerun it?

Don't bother. Just get rid of it and try this one.


Please download RootRepeal from GooglePages.com.

  • Extract the program file to your Desktop.
  • Run the program RootRepeal.exe and go to the Report tab and click on the Scan button.
  • Select ALL of the checkboxes and then click OK and it will start scanning your system.
  • If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
  • When done, click on Save Report
  • Save it to the Desktop.
  • Please copy/paste the contents of the report in your next reply.

Please remove any e-mail address in the RootRepeal report (if present).



This topic is now archived and is closed to further replies.
