Poupoul
Members
Content count: 8
About Poupoul
Date of birth: 18/11/1986
Profile information
Gender: Male
Location: Sitting in front of the screen
Other information
My languages: French, English
Poupoul's Achievements: Junior Member (3/12)
Community reputation: 0
[Resolved] non-stop pop-ups and general slowdown
Poupoul replied to a topic by Poupoul in Malware analysis and removal
here is the Tcleaner report:

-->- Search:
K:\Documents and Settings\poupoul\Bureau\DiagHelp.zip: found!
K:\Documents and Settings\poupoul\Bureau\HijackThis.exe: found!
K:\Documents and Settings\poupoul\Bureau\DiagHelp: found!
K:\Documents and Settings\poupoul\Bureau\DiagHelp\DiagHelp: found!
K:\Documents and Settings\poupoul\Bureau\DiagHelp\DiagHelp\tar.exe: found!
K:\Documents and Settings\poupoul\Bureau\DiagHelp\DiagHelp\LFiles.exe: found!
K:\Documents and Settings\poupoul\Bureau\DiagHelp\DiagHelp\gzip.exe: found!
---------------------------------
-->- Deletion:
K:\Documents and Settings\poupoul\Bureau\DiagHelp.zip: deleted!
K:\Documents and Settings\poupoul\Bureau\HijackThis.exe: deleted!
K:\Documents and Settings\poupoul\Bureau\DiagHelp\DiagHelp\tar.exe: deleted!
K:\Documents and Settings\poupoul\Bureau\DiagHelp\DiagHelp\LFiles.exe: deleted!
K:\Documents and Settings\poupoul\Bureau\DiagHelp\DiagHelp\gzip.exe: deleted!
K:\Documents and Settings\poupoul\Bureau\DiagHelp: deleted!
Recycle Bin emptied!
Temporary files cleaned!

thanks
[Resolved] non-stop pop-ups and general slowdown
Poupoul replied to a topic by Poupoul in Malware analysis and removal
ok, I ran the scan with Kaspersky and it found some infected files... here is the report:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, January 30, 2008 6:29:22 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 30/01/2008
Kaspersky Anti-Virus database records: 538096
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\ D:\ E:\ F:\ G:\ H:\ I:\ J:\ K:\ L:\ M:\ O:\
Scan Statistics:
Total number of scanned objects: 210598
Number of viruses found: 5
Number of infected objects: 16
Number of suspicious objects: 0
Duration of the scan process: 01:53:27

Infected Object Name / Virus Name / Last Action
C:\System Volume Information\MountPointManagerRemoteDatabase  Object is locked  skipped
C:\System Volume Information\_restore{3C3D46B6-D9C2-4844-89A3-AF178C3FC72C}\RP67\change.log  Object is locked  skipped
D:\Avast\DATA\aswResp.dat  Object is locked  skipped
D:\Avast\DATA\Avast4.db  Object is locked  skipped
D:\Avast\DATA\integ\avast.int  Object is locked  skipped
D:\Avast\DATA\log\AshWebSv.ws  Object is locked  skipped
D:\Avast\DATA\log\aswMaiSv.log  Object is locked  skipped
D:\Avast\DATA\log\nshield.log  Object is locked  skipped
D:\Avast\DATA\report\Protection résidente.txt  Object is locked  skipped
D:\Partage\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe  Infected: not-a-virus:RiskTool.Win32.Reboot.f  skipped
D:\Partage\SmitfraudFix.exe/data.rar  Infected: not-a-virus:RiskTool.Win32.Reboot.f  skipped
D:\Partage\SmitfraudFix.exe  RarSFX: infected - 2  skipped
D:\System Volume Information\MountPointManagerRemoteDatabase  Object is locked  skipped
D:\System Volume Information\_restore{3C3D46B6-D9C2-4844-89A3-AF178C3FC72C}\RP67\A0012284.exe  Infected: not-a-virus:RiskTool.Win32.Reboot.f  skipped
D:\System Volume Information\_restore{3C3D46B6-D9C2-4844-89A3-AF178C3FC72C}\RP67\change.log  Object is locked  skipped
J:\hiberfil.sys  Object is locked  skipped
J:\System Volume Information\MountPointManagerRemoteDatabase  Object is locked  skipped
J:\System Volume Information\_restore{3C3D46B6-D9C2-4844-89A3-AF178C3FC72C}\RP67\change.log  Object is locked  skipped
J:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl  Object is locked  skipped
J:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl  Object is locked  skipped
K:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat  Object is locked  skipped
K:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat  Object is locked  skipped
K:\Documents and Settings\LocalService\Cookies\index.dat  Object is locked  skipped
K:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat  Object is locked  skipped
K:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG  Object is locked  skipped
K:\Documents and Settings\LocalService\Local Settings\Historique\History.IE5\index.dat  Object is locked  skipped
K:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat  Object is locked  skipped
K:\Documents and Settings\LocalService\NTUSER.DAT  Object is locked  skipped
K:\Documents and Settings\LocalService\ntuser.dat.LOG  Object is locked  skipped
K:\Documents and Settings\NetworkService\Cookies\index.dat  Object is locked  skipped
K:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat  Object is locked  skipped
K:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG  Object is locked  skipped
K:\Documents and Settings\NetworkService\Local Settings\Historique\History.IE5\index.dat  Object is locked  skipped
K:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat  Object is locked  skipped
K:\Documents and Settings\NetworkService\NTUSER.DAT  Object is locked  skipped
K:\Documents and Settings\NetworkService\ntuser.dat.LOG  Object is locked  skipped
K:\Documents and Settings\poupoul\Application Data\Mozilla\Firefox\Profiles\1gz592q3.default\cert8.db  Object is locked  skipped
K:\Documents and Settings\poupoul\Application Data\Mozilla\Firefox\Profiles\1gz592q3.default\history.dat  Object is locked  skipped
K:\Documents and Settings\poupoul\Application Data\Mozilla\Firefox\Profiles\1gz592q3.default\key3.db  Object is locked  skipped
K:\Documents and Settings\poupoul\Application Data\Mozilla\Firefox\Profiles\1gz592q3.default\parent.lock  Object is locked  skipped
K:\Documents and Settings\poupoul\Application Data\Mozilla\Firefox\Profiles\1gz592q3.default\search.sqlite  Object is locked  skipped
K:\Documents and Settings\poupoul\Application Data\Mozilla\Firefox\Profiles\1gz592q3.default\urlclassifier2.sqlite  Object is locked  skipped
K:\Documents and Settings\poupoul\Cookies\index.dat  Object is locked  skipped
K:\Documents and Settings\poupoul\Local Settings\Application Data\Ahead\Nero Home\bl.db  Object is locked  skipped
K:\Documents and Settings\poupoul\Local Settings\Application Data\Ahead\Nero Home\bl.db-journal  Object is locked  skipped
K:\Documents and Settings\poupoul\Local Settings\Application Data\Ahead\Nero Home\is2.db  Object is locked  skipped
K:\Documents and Settings\poupoul\Local Settings\Application Data\Ahead\Nero Home\is2.db-journal  Object is locked  skipped
K:\Documents and Settings\poupoul\Local Settings\Application Data\Microsoft\Messenger\poupoul_@hotmail.com\SharingMetadata\Logs\Dfsr00005.log  Object is locked  skipped
K:\Documents and Settings\poupoul\Local Settings\Application Data\Microsoft\Messenger\poupoul_@hotmail.com\SharingMetadata\pending.dat  Object is locked  skipped
K:\Documents and Settings\poupoul\Local Settings\Application Data\Microsoft\Messenger\poupoul_@hotmail.com\SharingMetadata\Working\database_B8F0_63D6_F063_9980\dfsr.db  Object is locked  skipped
K:\Documents and Settings\poupoul\Local Settings\Application Data\Microsoft\Messenger\poupoul_@hotmail.com\SharingMetadata\Working\database_B8F0_63D6_F063_9980\fsr.log  Object is locked  skipped
K:\Documents and Settings\poupoul\Local Settings\Application Data\Microsoft\Messenger\poupoul_@hotmail.com\SharingMetadata\Working\database_B8F0_63D6_F063_9980\fsrtmp.log  Object is locked  skipped
K:\Documents and Settings\poupoul\Local Settings\Application Data\Microsoft\Messenger\poupoul_@hotmail.com\SharingMetadata\Working\database_B8F0_63D6_F063_9980\tmp.edb  Object is locked  skipped
K:\Documents and Settings\poupoul\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat  Object is locked  skipped
K:\Documents and Settings\poupoul\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG  Object is locked  skipped
K:\Documents and Settings\poupoul\Local Settings\Application Data\Microsoft\Windows Live Contacts\poupoul_@hotmail.com\real\members.stg  Object is locked  skipped
K:\Documents and Settings\poupoul\Local Settings\Application Data\Microsoft\Windows Live Contacts\poupoul_@hotmail.com\shadow\members.stg  Object is locked  skipped
K:\Documents and Settings\poupoul\Local Settings\Application Data\Mozilla\Firefox\Profiles\1gz592q3.default\Cache\633285D9d01/SmitfraudFix/Reboot.exe  Infected: not-a-virus:RiskTool.Win32.Reboot.f  skipped
K:\Documents and Settings\poupoul\Local Settings\Application Data\Mozilla\Firefox\Profiles\1gz592q3.default\Cache\633285D9d01  ZIP: infected - 1  skipped
K:\Documents and Settings\poupoul\Local Settings\Application Data\Mozilla\Firefox\Profiles\1gz592q3.default\Cache\_CACHE_001_  Object is locked  skipped
K:\Documents and Settings\poupoul\Local Settings\Application Data\Mozilla\Firefox\Profiles\1gz592q3.default\Cache\_CACHE_002_  Object is locked  skipped
K:\Documents and Settings\poupoul\Local Settings\Application Data\Mozilla\Firefox\Profiles\1gz592q3.default\Cache\_CACHE_003_  Object is locked  skipped
K:\Documents and Settings\poupoul\Local Settings\Application Data\Mozilla\Firefox\Profiles\1gz592q3.default\Cache\_CACHE_MAP_  Object is locked  skipped
K:\Documents and Settings\poupoul\Local Settings\Application Data\Mozilla\Firefox\Profiles\1gz592q3.default\XUL.mfl  Object is locked  skipped
K:\Documents and Settings\poupoul\Local Settings\Historique\History.IE5\index.dat  Object is locked  skipped
K:\Documents and Settings\poupoul\Local Settings\Historique\History.IE5\MSHist012008013020080131\index.dat  Object is locked  skipped
K:\Documents and Settings\poupoul\Local Settings\Temp\IMG2F.tmp  Object is locked  skipped
K:\Documents and Settings\poupoul\Local Settings\Temp\Perflib_Perfdata_f10.dat  Object is locked  skipped
K:\Documents and Settings\poupoul\Local Settings\Temp\~DF4574.tmp  Object is locked  skipped
K:\Documents and Settings\poupoul\Local Settings\Temp\~DF57AF.tmp  Object is locked  skipped
K:\Documents and Settings\poupoul\Local Settings\Temp\~DF57BF.tmp  Object is locked  skipped
K:\Documents and Settings\poupoul\Local Settings\Temp\~DFD3.tmp  Object is locked  skipped
K:\Documents and Settings\poupoul\Local Settings\Temp\~DFF8.tmp  Object is locked  skipped
K:\Documents and Settings\poupoul\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat  Object is locked  skipped
K:\Documents and Settings\poupoul\Local Settings\Temporary Internet Files\Content.IE5\index.dat  Object is locked  skipped
K:\Documents and Settings\poupoul\NTUSER.DAT  Object is locked  skipped
K:\Documents and Settings\poupoul\ntuser.dat.LOG  Object is locked  skipped
K:\System Volume Information\MountPointManagerRemoteDatabase  Object is locked  skipped
K:\System Volume Information\_restore{3C3D46B6-D9C2-4844-89A3-AF178C3FC72C}\RP66\A0012031.exe/crack.exe  Infected: Trojan-Downloader.Win32.Zlob.gsa  skipped
K:\System Volume Information\_restore{3C3D46B6-D9C2-4844-89A3-AF178C3FC72C}\RP66\A0012031.exe  ZIP: infected - 1  skipped
K:\System Volume Information\_restore{3C3D46B6-D9C2-4844-89A3-AF178C3FC72C}\RP67\A0012255.dll  Infected: not-a-virus:AdTool.Win32.WhenU.r  skipped
K:\System Volume Information\_restore{3C3D46B6-D9C2-4844-89A3-AF178C3FC72C}\RP67\A0012257.exe  Infected: not-a-virus:AdTool.Win32.WhenU.s  skipped
K:\System Volume Information\_restore{3C3D46B6-D9C2-4844-89A3-AF178C3FC72C}\RP67\A0012258.dll  Infected: not-a-virus:AdWare.Win32.Vapsup.amm  skipped
K:\System Volume Information\_restore{3C3D46B6-D9C2-4844-89A3-AF178C3FC72C}\RP67\A0012298.exe/data.rar/SmitfraudFix/Reboot.exe  Infected: not-a-virus:RiskTool.Win32.Reboot.f  skipped
K:\System Volume Information\_restore{3C3D46B6-D9C2-4844-89A3-AF178C3FC72C}\RP67\A0012298.exe/data.rar  Infected: not-a-virus:RiskTool.Win32.Reboot.f  skipped
K:\System Volume Information\_restore{3C3D46B6-D9C2-4844-89A3-AF178C3FC72C}\RP67\A0012298.exe  RarSFX: infected - 2  skipped
K:\System Volume Information\_restore{3C3D46B6-D9C2-4844-89A3-AF178C3FC72C}\RP67\A0012304.exe  Infected: not-a-virus:RiskTool.Win32.Reboot.f  skipped
K:\System Volume Information\_restore{3C3D46B6-D9C2-4844-89A3-AF178C3FC72C}\RP67\A0012356.exe  Infected: not-a-virus:RiskTool.Win32.Reboot.f  skipped
K:\System Volume Information\_restore{3C3D46B6-D9C2-4844-89A3-AF178C3FC72C}\RP67\change.log  Object is locked  skipped
K:\WINDOWS\Debug\PASSWD.LOG  Object is locked  skipped
K:\WINDOWS\SchedLgU.Txt  Object is locked  skipped
K:\WINDOWS\SoftwareDistribution\ReportingEvents.log  Object is locked  skipped
K:\WINDOWS\system32\CatRoot2\edb.log  Object is locked  skipped
K:\WINDOWS\system32\CatRoot2\tmp.edb  Object is locked  skipped
K:\WINDOWS\system32\config\Antivirus.Evt  Object is locked  skipped
K:\WINDOWS\system32\config\AppEvent.Evt  Object is locked  skipped
K:\WINDOWS\system32\config\default  Object is locked  skipped
K:\WINDOWS\system32\config\DEFAULT.LOG  Object is locked  skipped
K:\WINDOWS\system32\config\Internet.evt  Object is locked  skipped
K:\WINDOWS\system32\config\ODiag.evt  Object is locked  skipped
K:\WINDOWS\system32\config\OSession.evt  Object is locked  skipped
K:\WINDOWS\system32\config\SAM  Object is locked  skipped
K:\WINDOWS\system32\config\SAM.LOG  Object is locked  skipped
K:\WINDOWS\system32\config\SecEvent.Evt  Object is locked  skipped
K:\WINDOWS\system32\config\SECURITY  Object is locked  skipped
K:\WINDOWS\system32\config\SECURITY.LOG  Object is locked  skipped
K:\WINDOWS\system32\config\software  Object is locked  skipped
K:\WINDOWS\system32\config\SOFTWARE.LOG  Object is locked  skipped
K:\WINDOWS\system32\config\SysEvent.Evt  Object is locked  skipped
K:\WINDOWS\system32\config\system  Object is locked  skipped
K:\WINDOWS\system32\config\SYSTEM.LOG  Object is locked  skipped
K:\WINDOWS\system32\drivers\sptd.sys  Object is locked  skipped
K:\WINDOWS\system32\h323log.txt  Object is locked  skipped
K:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR  Object is locked  skipped
K:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP  Object is locked  skipped
K:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER  Object is locked  skipped
K:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP  Object is locked  skipped
K:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP  Object is locked  skipped
K:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA  Object is locked  skipped
K:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP  Object is locked  skipped
K:\WINDOWS\Temp\Perflib_Perfdata_4ac.dat  Object is locked  skipped
K:\WINDOWS\Temp\Perflib_Perfdata_5d4.dat  Object is locked  skipped
K:\WINDOWS\Temp\_avast4_\Webshlock.txt  Object is locked  skipped
K:\WINDOWS\WindowsUpdate.log  Object is locked  skipped

Scan process completed.
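An added example, not part of the original post and not Kaspersky's own tooling: a small Python triage script for a report in the text format pasted above. Most of the report is "Object is locked" noise (registry hives, event logs, hiberfil.sys, browser caches the scanner could not open), which is not a detection. The script separates those from real verdicts, splits Kaspersky's "not-a-virus:" riskware/adware verdicts from malware, and flags hits under System Volume Information\_restore, which are copies inside System Restore snapshots rather than files on the live system. The line shapes the regex expects are an assumption taken from the report above, and the sample lines are copied from it.

```python
"""Triage a Kaspersky Online Scanner text report (format as pasted above).

Assumed line shapes (added example, not Kaspersky's own code):
    <path> Object is locked skipped
    <path> Infected: <verdict> skipped
    <path> <Container>: infected - <n> skipped      (archive roll-up of nested hits)
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: lines copied from the report above.
SAMPLE_REPORT = r"""
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\Partage\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
D:\Partage\SmitfraudFix.exe RarSFX: infected - 2 skipped
K:\System Volume Information\_restore{3C3D46B6-D9C2-4844-89A3-AF178C3FC72C}\RP66\A0012031.exe/crack.exe Infected: Trojan-Downloader.Win32.Zlob.gsa skipped
K:\System Volume Information\_restore{3C3D46B6-D9C2-4844-89A3-AF178C3FC72C}\RP67\A0012258.dll Infected: not-a-virus:AdWare.Win32.Vapsup.amm skipped
K:\WINDOWS\system32\config\SAM Object is locked skipped
"""

LINE_RE = re.compile(
    r"^(?P<path>.+?) (?:"
    r"(?P<locked>Object is locked)"
    r"|Infected: (?P<verdict>\S+)"
    r"|(?P<container>\w+): infected - (?P<count>\d+)"
    r") skipped$"
)
RESTORE_POINT_MARKER = r"\system volume information\_restore"   # compared case-insensitively


@dataclass
class Finding:
    path: str
    verdict: str
    category: str          # "locked", "malware", "riskware" or "container"
    in_restore_point: bool


def parse_line(line: str):
    """Return a Finding for one report line, or None for headers and blank lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path = m["path"]
    in_rp = RESTORE_POINT_MARKER in path.lower()
    if m["locked"]:
        # Hives, event logs, hiberfil, caches: the scanner could not open them; not a detection.
        return Finding(path, "", "locked", in_rp)
    if m["container"]:
        # Archive summary line; the nested objects are reported on their own lines, so do not double count.
        return Finding(path, f"{m['container']} ({m['count']} nested)", "container", in_rp)
    verdict = m["verdict"]
    # Kaspersky prefixes riskware/adware/hacktool verdicts with "not-a-virus:".
    category = "riskware" if verdict.startswith("not-a-virus:") else "malware"
    return Finding(path, verdict, category, in_rp)


def triage(report_text: str) -> dict:
    """Group findings so the real detections are visible at a glance."""
    findings = [f for f in map(parse_line, report_text.splitlines()) if f]
    real = [f for f in findings if f.category in ("malware", "riskware")]
    return {
        "locked": sum(1 for f in findings if f.category == "locked"),
        "malware": [f for f in real if f.category == "malware"],
        "riskware": [f for f in real if f.category == "riskware"],
        # Copies inside System Restore snapshots: cleared by purging restore points, not by deleting files.
        "restore_point_hits": [f for f in real if f.in_restore_point],
        "verdicts": Counter(f.verdict for f in real),
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_REPORT)
    print(f"{summary['locked']} locked objects (not detections)")
    for f in summary["malware"] + summary["riskware"]:
        flag = " [restore point]" if f.in_restore_point else ""
        print(f"{f.category:8} {f.verdict}  {f.path}{flag}")
```

On the report above this leaves one real malware verdict (the Zlob downloader inside a restore-point copy of an archive) and a handful of riskware entries, several of which are the SmitfraudFix package itself and its Reboot.exe component, detected as a RiskTool rather than as an infection.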
[Resolved] non-stop pop-ups and general slowdown
Poupoul replied to a topic by Poupoul in Malware analysis and removal
I clicked on "remove infections" and it deleted everything, but I can't click on "save report"... I only have the option to run a new scan...
[Resolved] non-stop pop-ups and general slowdown
Poupoul replied to a topic by Poupoul in Malware analysis and removal
ok, I had closed ewido, so I ran another scan and I have 3 more files; I'd rather repost the new report to be sure...

__________________________________________________
ewido anti-spyware online scanner
http://www.ewido.net
__________________________________________________

Name: TrackingCookie.Smartadserver  Path: :mozilla.15:K:\Documents and Settings\poupoul\Application Data\Mozilla\Firefox\Profiles\1gz592q3.default\cookies.txt  Risk: Medium
Name: TrackingCookie.Adviva  Path: :mozilla.16:K:\Documents and Settings\poupoul\Application Data\Mozilla\Firefox\Profiles\1gz592q3.default\cookies.txt  Risk: Medium
Name: TrackingCookie.Smartadserver  Path: :mozilla.17:K:\Documents and Settings\poupoul\Application Data\Mozilla\Firefox\Profiles\1gz592q3.default\cookies.txt  Risk: Medium
Name: TrackingCookie.Smartadserver  Path: :mozilla.18:K:\Documents and Settings\poupoul\Application Data\Mozilla\Firefox\Profiles\1gz592q3.default\cookies.txt  Risk: Medium
Name: TrackingCookie.Smartadserver  Path: :mozilla.19:K:\Documents and Settings\poupoul\Application Data\Mozilla\Firefox\Profiles\1gz592q3.default\cookies.txt  Risk: Medium
Name: TrackingCookie.Comclick  Path: :mozilla.69:K:\Documents and Settings\poupoul\Application Data\Mozilla\Firefox\Profiles\1gz592q3.default\cookies.txt  Risk: Medium
Name: TrackingCookie.Comclick  Path: :mozilla.70:K:\Documents and Settings\poupoul\Application Data\Mozilla\Firefox\Profiles\1gz592q3.default\cookies.txt  Risk: Medium
Name: TrackingCookie.Comclick  Path: :mozilla.71:K:\Documents and Settings\poupoul\Application Data\Mozilla\Firefox\Profiles\1gz592q3.default\cookies.txt  Risk: Medium
Name: TrackingCookie.Weborama  Path: :mozilla.74:K:\Documents and Settings\poupoul\Application Data\Mozilla\Firefox\Profiles\1gz592q3.default\cookies.txt  Risk: Medium
Name: TrackingCookie.2o7  Path: :mozilla.88:K:\Documents and Settings\poupoul\Application Data\Mozilla\Firefox\Profiles\1gz592q3.default\cookies.txt  Risk: Medium
Name: TrackingCookie.Doubleclick  Path: :mozilla.89:K:\Documents and Settings\poupoul\Application Data\Mozilla\Firefox\Profiles\1gz592q3.default\cookies.txt  Risk: Medium
Name: TrackingCookie.Overture  Path: :mozilla.90:K:\Documents and Settings\poupoul\Application Data\Mozilla\Firefox\Profiles\1gz592q3.default\cookies.txt  Risk: Medium
Name: TrackingCookie.Advertising  Path: :mozilla.92:K:\Documents and Settings\poupoul\Application Data\Mozilla\Firefox\Profiles\1gz592q3.default\cookies.txt  Risk: Medium
Name: TrackingCookie.Advertising  Path: :mozilla.93:K:\Documents and Settings\poupoul\Application Data\Mozilla\Firefox\Profiles\1gz592q3.default\cookies.txt  Risk: Medium
Name: TrackingCookie.Advertising  Path: :mozilla.94:K:\Documents and Settings\poupoul\Application Data\Mozilla\Firefox\Profiles\1gz592q3.default\cookies.txt  Risk: Medium
Name: TrackingCookie.Googleadservices  Path: :mozilla.132:K:\Documents and Settings\poupoul\Application Data\Mozilla\Firefox\Profiles\1gz592q3.default\cookies.txt  Risk: Medium
Name: TrackingCookie.Bluestreak  Path: :mozilla.147:K:\Documents and Settings\poupoul\Application Data\Mozilla\Firefox\Profiles\1gz592q3.default\cookies.txt  Risk: Medium
Name: TrackingCookie.Sitestat  Path: :mozilla.177:K:\Documents and Settings\poupoul\Application Data\Mozilla\Firefox\Profiles\1gz592q3.default\cookies.txt  Risk: Medium
Name: TrackingCookie.Sitestat  Path: :mozilla.178:K:\Documents and Settings\poupoul\Application Data\Mozilla\Firefox\Profiles\1gz592q3.default\cookies.txt  Risk: Medium
Name: TrackingCookie.Tradedoubler  Path: :mozilla.184:K:\Documents and Settings\poupoul\Application Data\Mozilla\Firefox\Profiles\1gz592q3.default\cookies.txt  Risk: Medium
Name: TrackingCookie.Adtech  Path: K:\Documents and Settings\poupoul\Cookies\poupoul@adtech[1].txt  Risk: Medium
Name: TrackingCookie.Atdmt  Path: K:\Documents and Settings\poupoul\Cookies\poupoul@atdmt[2].txt  Risk: Medium
Name: TrackingCookie.Bluestreak  Path: K:\Documents and Settings\poupoul\Cookies\poupoul@bluestreak[1].txt  Risk: Medium
Name: TrackingCookie.Doubleclick  Path: K:\Documents and Settings\poupoul\Cookies\poupoul@doubleclick[1].txt  Risk: Medium

Thanks
[Resolved] non-stop pop-ups and general slowdown
Poupoul replied to a topic by Poupoul in Malware analysis and removal
here is the ewido report:

__________________________________________________
ewido anti-spyware online scanner
http://www.ewido.net
__________________________________________________

Name: TrackingCookie.Advertising  Path: :mozilla.6:K:\Documents and Settings\poupoul\Application Data\Mozilla\Firefox\Profiles\1gz592q3.default\cookies.txt  Risk: Medium
Name: TrackingCookie.Advertising  Path: :mozilla.7:K:\Documents and Settings\poupoul\Application Data\Mozilla\Firefox\Profiles\1gz592q3.default\cookies.txt  Risk: Medium
Name: TrackingCookie.Advertising  Path: :mozilla.8:K:\Documents and Settings\poupoul\Application Data\Mozilla\Firefox\Profiles\1gz592q3.default\cookies.txt  Risk: Medium
Name: TrackingCookie.Comclick  Path: :mozilla.40:K:\Documents and Settings\poupoul\Application Data\Mozilla\Firefox\Profiles\1gz592q3.default\cookies.txt  Risk: Medium
Name: TrackingCookie.Comclick  Path: :mozilla.43:K:\Documents and Settings\poupoul\Application Data\Mozilla\Firefox\Profiles\1gz592q3.default\cookies.txt  Risk: Medium
Name: TrackingCookie.Comclick  Path: :mozilla.44:K:\Documents and Settings\poupoul\Application Data\Mozilla\Firefox\Profiles\1gz592q3.default\cookies.txt  Risk: Medium
Name: TrackingCookie.Adviva  Path: :mozilla.64:K:\Documents and Settings\poupoul\Application Data\Mozilla\Firefox\Profiles\1gz592q3.default\cookies.txt  Risk: Medium
Name: TrackingCookie.Smartadserver  Path: :mozilla.66:K:\Documents and Settings\poupoul\Application Data\Mozilla\Firefox\Profiles\1gz592q3.default\cookies.txt  Risk: Medium
Name: TrackingCookie.Smartadserver  Path: :mozilla.68:K:\Documents and Settings\poupoul\Application Data\Mozilla\Firefox\Profiles\1gz592q3.default\cookies.txt  Risk: Medium
Name: TrackingCookie.Smartadserver  Path: :mozilla.69:K:\Documents and Settings\poupoul\Application Data\Mozilla\Firefox\Profiles\1gz592q3.default\cookies.txt  Risk: Medium
Name: TrackingCookie.Smartadserver  Path: :mozilla.70:K:\Documents and Settings\poupoul\Application Data\Mozilla\Firefox\Profiles\1gz592q3.default\cookies.txt  Risk: Medium
Name: TrackingCookie.Googleadservices  Path: :mozilla.88:K:\Documents and Settings\poupoul\Application Data\Mozilla\Firefox\Profiles\1gz592q3.default\cookies.txt  Risk: Medium
Name: TrackingCookie.Overture  Path: :mozilla.105:K:\Documents and Settings\poupoul\Application Data\Mozilla\Firefox\Profiles\1gz592q3.default\cookies.txt  Risk: Medium
Name: TrackingCookie.Bluestreak  Path: :mozilla.106:K:\Documents and Settings\poupoul\Application Data\Mozilla\Firefox\Profiles\1gz592q3.default\cookies.txt  Risk: Medium
Name: TrackingCookie.Doubleclick  Path: :mozilla.132:K:\Documents and Settings\poupoul\Application Data\Mozilla\Firefox\Profiles\1gz592q3.default\cookies.txt  Risk: Medium
Name: TrackingCookie.Sitestat  Path: :mozilla.137:K:\Documents and Settings\poupoul\Application Data\Mozilla\Firefox\Profiles\1gz592q3.default\cookies.txt  Risk: Medium
Name: TrackingCookie.Sitestat  Path: :mozilla.138:K:\Documents and Settings\poupoul\Application Data\Mozilla\Firefox\Profiles\1gz592q3.default\cookies.txt  Risk: Medium
Name: TrackingCookie.Tradedoubler  Path: :mozilla.144:K:\Documents and Settings\poupoul\Application Data\Mozilla\Firefox\Profiles\1gz592q3.default\cookies.txt  Risk: Medium
Name: TrackingCookie.Weborama  Path: :mozilla.149:K:\Documents and Settings\poupoul\Application Data\Mozilla\Firefox\Profiles\1gz592q3.default\cookies.txt  Risk: Medium
Name: TrackingCookie.Atdmt  Path: K:\Documents and Settings\poupoul\Cookies\poupoul@atdmt[2].txt  Risk: Medium
Name: TrackingCookie.Doubleclick  Path: K:\Documents and Settings\poupoul\Cookies\poupoul@doubleclick[1].txt  Risk: Medium

thanks
[Resolved] non-stop pop-ups and general slowdown
Poupoul replied to a topic by Poupoul in Malware analysis and removal
here is the SmitfraudFix report:

SmitFraudFix v2.277
Report made at 5:41:15.46, Wed. 30/01/2008
Run from K:\Documents and Settings\poupoul\Bureau\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [version 5.1.2600] - Windows_NT
The file system type is NTFS
Fix run in Safe Mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Warning, the following keys are not necessarily infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing processes

»»»»»»»»»»»»»»»»»»»»»»»» hosts
127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix
S!Ri's WS2Fix: LSP not Found.

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
K:\WINDOWS\adsoowf.dll deleted
Deleting [HKEY_CLASSES_ROOT\CLSID\{8FCD5FC8-6B70-497A-8A05-97018F00CBDA}]
K:\WINDOWS\dntpkwo???.dll deleted
K:\WINDOWS\ffvrdgt.exe deleted

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
IEDFix.exe by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» DNS
HKLM\SYSTEM\CCS\Services\Tcpip\..\{8D44BFA3-CF58-420F-A342-C95CA98A84B0}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{B42CEEF2-86CF-4623-84D5-95A5C4E5A3BC}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\..\{8D44BFA3-CF58-420F-A342-C95CA98A84B0}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{B42CEEF2-86CF-4623-84D5-95A5C4E5A3BC}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS2\Services\Tcpip\..\{8D44BFA3-CF58-420F-A342-C95CA98A84B0}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{B42CEEF2-86CF-4623-84D5-95A5C4E5A3BC}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temporary Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Warning, the following keys are not necessarily infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry cleaning
Cleaning complete.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Warning, the following keys are not necessarily infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

and the DiagHelp one:

DiagHelp version v1.4 - http://www.malekal.com
run on Wed. 30/01/2008 at 5:46:39.35

List of recently modified/created files in windir\system32 and prefetch
K:\WINDOWS\prefetch\CMD.EXE-137A0D53.pf -->30/01/2008 5:46:37
K:\WINDOWS\prefetch\WINRAR.EXE-2480A367.pf -->30/01/2008 5:46:14
K:\WINDOWS\prefetch\RUNDLL32.EXE-589C4844.pf -->30/01/2008 5:46:08
K:\WINDOWS\prefetch\SVCHOST.EXE-072604B0.pf -->30/01/2008 5:45:30
K:\WINDOWS\prefetch\WUAUCLT.EXE-12D8E25E.pf -->30/01/2008 5:45:14
K:\WINDOWS\prefetch\WMIPRVSE.EXE-0E69CB0B.pf -->30/01/2008 5:45:14
K:\WINDOWS\prefetch\USNSVC.EXE-13CC5607.pf -->30/01/2008 5:45:14
K:\WINDOWS\prefetch\WMIAPSRV.EXE-193A5C0F.pf -->30/01/2008 5:45:10
K:\WINDOWS\prefetch\NET.EXE-1A501125.pf -->30/01/2008 5:45:10
K:\WINDOWS\prefetch\FIREFOX.EXE-1487B939.pf -->30/01/2008 5:45:10
K:\WINDOWS\System32\drivers\lirsgt.sys -->7/01/2008 0:59:13
K:\WINDOWS\System32\drivers\atksgt.sys -->7/01/2008 0:59:13
K:\WINDOWS\System32\drivers\sptd.sys -->7/01/2008 0:15:19
K:\WINDOWS\System32\drivers\AegisP.sys -->5/01/2008 23:14:43
K:\WINDOWS\System32\drivers\nv4_mini.sys -->5/12/2007 1:41:00
K:\WINDOWS\System32\drivers\aswmon.sys -->4/12/2007 15:56:02
K:\WINDOWS\System32\drivers\aswmon2.sys -->4/12/2007 15:55:46
K:\WINDOWS\System32\tmp.txt -->30/01/2008 5:41:18
K:\WINDOWS\System32\tmp.reg -->30/01/2008 5:41:18
K:\WINDOWS\System32\settingsbkup.sfm -->30/01/2008 5:39:11
K:\WINDOWS\System32\settings.sfm -->30/01/2008 5:39:11
K:\WINDOWS\System32\DVCState-{00000004-00000000-00000008-00001102-00000005-00281102}.rfx -->30/01/2008 5:39:11
K:\WINDOWS\System32\BMXStateBkp-{00000004-00000000-00000008-00001102-00000005-00281102}.rfx -->30/01/2008 5:39:11
K:\WINDOWS\System32\BMXState-{00000004-00000000-00000008-00001102-00000005-00281102}.rfx -->30/01/2008 5:39:11
K:\WINDOWS\System32\FNTCACHE.DAT -->30/01/2008 1:26:20
K:\WINDOWS\System32\wpa.dbl -->30/01/2008 1:26:14
K:\WINDOWS\System32\BASSMOD.dll -->29/01/2008 20:12:29
K:\WINDOWS\System32\IEDFix.exe -->27/01/2008 14:37:54
K:\WINDOWS\System32\nvapps.xml -->25/01/2008 20:14:40
K:\WINDOWS\System32\PerfStringBackup.INI -->11/01/2008 3:01:21
K:\WINDOWS\System32\perfh00C.dat -->11/01/2008 3:01:21
K:\WINDOWS\System32\perfh009.dat -->11/01/2008 3:01:21
K:\WINDOWS\System32\perfc00C.dat -->11/01/2008 3:01:21
K:\WINDOWS\System32\perfc009.dat -->11/01/2008 3:01:21
K:\WINDOWS\System32\QuickTimeVR.qtx -->10/01/2008 15:27:46
K:\WINDOWS\System32\QuickTime.qts -->10/01/2008 15:27:44
K:\WINDOWS\System32\CmdLineExt.dll -->10/01/2008 14:08:28
K:\WINDOWS\System32\uxtheme.dll -->7/01/2008 19:59:06
K:\WINDOWS\System32\UAService7.exe -->7/01/2008 14:30:30
K:\WINDOWS\System32\TZLog.log -->7/01/2008 2:48:45
K:\WINDOWS\System32\jupdate-1.6.0_03-b05.log -->7/01/2008 0:08:10
K:\WINDOWS\System32\uxtheme.backup -->6/01/2008 23:29:56
K:\WINDOWS\WindowsUpdate.log -->30/01/2008 5:45:27
K:\WINDOWS\setupapi.log -->30/01/2008 5:44:39
K:\WINDOWS.log -->30/01/2008 5:44:20
K:\WINDOWS\bootstat.dat -->30/01/2008 5:44:04
K:\WINDOWS\setupact.log -->30/01/2008 5:42:10
K:\WINDOWS\ntbtlog.txt -->30/01/2008 5:40:39
K:\WINDOWS\SchedLgU.Txt -->30/01/2008 5:38:58
K:\WINDOWS\search_res.txt -->30/01/2008 5:16:32
K:\WINDOWS\dat.txt -->30/01/2008 5:16:32
K:\WINDOWS\setuperr.log -->30/01/2008 3:52:04
K:\WINDOWS\NeroDigital.ini -->29/01/2008 21:04:44
K:\WINDOWS\QTFont.qfn -->29/01/2008 1:10:23
K:\WINDOWS\QTFont.for -->29/01/2008 1:10:23
K:\WINDOWS\win.ini -->25/01/2008 8:19:17
K:\WINDOWS\mozver.dat -->25/01/2008 8:19:17

winlogon.exe Verified: Signed
svchost.exe Verified: Signed
ws2_32.dll Verified: Signed
user32.dll Verified: Signed
tcpip.sys Verified: Signed
ndis.sys Verified: Signed
null.sys Verified: Signed

ListDLLs v2.25 - DLL lister for Win9x/NT
Copyright © 1997-2004 Mark Russinovich
Sysinternals - www.sysinternals.com
------------------------------------------------------------------------------
explorer.exe pid: 1620
Command line: K:\WINDOWS\Explorer.EXE
Base        Size      Version            Path
0x44080000  0xcf000   7.00.6000.16574    K:\WINDOWS\system32\WININET.dll
0x00400000  0x9000    6.00.5441.0000     K:\WINDOWS\system32\Normaliz.dll
0x43e00000  0x45000   7.00.6000.16574    K:\WINDOWS\system32\iertutil.dll
0x58b50000  0x9a000   5.82.2900.2982     K:\WINDOWS\system32\comctl32.dll
0x76f80000  0x7f000   2001.12.4414.0308  K:\WINDOWS\system32\CLBCATQ.DLL
0x77000000  0xd4000   2001.12.4414.0258  K:\WINDOWS\system32\COMRes.dll
0x76ac0000  0x11000   3.05.2284.0000     K:\WINDOWS\system32\ATL.DLL
0x44360000  0x5cd000  7.00.6000.16574    K:\WINDOWS\system32\ieframe.dll
0x44160000  0x127000  7.00.6000.16574    K:\WINDOWS\system32\urlmon.dll
0x7d200000  0x2be000  3.01.4000.4039     K:\WINDOWS\system32\msi.dll
0x442b0000  0x3c000   7.00.6000.16574    K:\WINDOWS\system32\webcheck.dll
0x02000000  0x7000    1.00.0000.0012     K:\WINDOWS\system32\ctagent.dll
0x10000000  0x13000   7.05.0001.0036     K:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll
0x01210000  0x5b000   8.00.0000.0000     K:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\PDFShell.dll
0x78130000  0x9b000   8.00.50727.0762    K:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\MSVCR80.dll
0x02300000  0x845000  6.14.0011.6921     K:\WINDOWS\system32\nvcpl.dll
0x74bf0000  0x2c000   4.02.5406.0000     K:\WINDOWS\system32\OLEACC.dll
0x76010000  0x65000   6.02.3104.0000     K:\WINDOWS\system32\MSVCP60.dll
0x01ad0000  0x45000   6.14.0011.6921     K:\WINDOWS\system32\NVRSFR.DLL
0x01b20000  0x60000   6.14.0011.6921     K:\WINDOWS\system32\nvapi.dll
0x01b80000  0x73000   6.14.0010.11132    K:\WINDOWS\system32\nvshell.dll
0x01820000  0x14000   2.06.0006.0000     D:\Nero\Nero 7\Nero BackItUp\NBShell.dll
0x7c250000  0x102000  7.10.3077.0000     D:\Nero\Nero 7\Nero BackItUp\MFC71U.DLL
0x01c00000  0x56000   7.10.3052.0004     D:\Nero\Nero 7\Nero BackItUp\MSVCR71.dll
0x7c3a0000  0x7b000   7.10.3077.0000     D:\Nero\Nero 7\Nero BackItUp\MSVCP71.dll
0x5d360000  0xf000    7.10.3077.0000     K:\WINDOWS\system32\MFC71FRA.DLL
0x01e70000  0x2c000                      K:\Program Files\WinRAR\rarext.dll
0x01370000  0x10000   8.00.0000.0456     K:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
0x6bd10000  0x10000   12.00.4518.1014    K:\Program Files\Microsoft Office\Office12\msohevi.dll
0x60980000  0x7000    3.01.4000.1823     K:\WINDOWS\system32\MSISIP.DLL
0x74e10000  0x10000   5.06.0000.8820     K:\WINDOWS\system32\wshext.dll
0x73d20000  0xfe000   6.02.4131.0000     K:\WINDOWS\system32\MFC42.DLL
0x61d70000  0xe000    6.00.8665.0000     K:\WINDOWS\system32\MFC42LOC.DLL
0x59000000  0xe000    5.06.0000.6626     K:\WINDOWS\system32\wshFR.DLL

ListDLLs v2.25 - DLL lister for Win9x/NT
Copyright © 1997-2004 Mark Russinovich
Sysinternals - www.sysinternals.com
------------------------------------------------------------------------------
winlogon.exe pid: 676
Command line: winlogon.exe
Base        Size      Version            Path
0x01000000  0x81000                      \??\K:\WINDOWS\system32\winlogon.exe
0x58b50000  0x9a000   5.82.2900.2982     K:\WINDOWS\system32\COMCTL32.dll
0x74730000  0x3d000   3.525.1117.0000    K:\WINDOWS\system32\ODBC32.dll
0x20000000  0x18000   3.525.1117.0000    K:\WINDOWS\system32\odbcint.dll
0x77000000  0xd4000   2001.12.4414.0258  K:\WINDOWS\system32\COMRes.dll
0x76f80000  0x7f000   2001.12.4414.0308  K:\WINDOWS\system32\CLBCATQ.DLL

Volume in drive K is WinXP
Volume Serial Number is F063-9980
Directory of K:\WINDOWS\system32
19/08/2004  15:09             6,144 csrss.exe
               1 File(s)          6,144 bytes
               0 Dir(s)  138,065,346,560 bytes free

Contents of Downloaded Program Files
Volume in drive K is WinXP
Volume Serial Number is F063-9980
Directory of K:\WINDOWS\Downloaded Program Files
06/01/2008  01:20    <DIR>          .
06/01/2008  01:20    <DIR>          ..
05/01/2008  22:54                65 desktop.ini
11/04/2007  14:55             1,292 erma.inf
20/11/2007  16:04         1,523,536 FP_AX_CAB_INSTALLER.exe
20/11/2007  15:50               247 swflash.inf
               4 File(s)      1,525,140 bytes
Total Files Listed:
               4 File(s)      1,525,140 bytes
               2 Dir(s)  138,065,342,464 bytes free

Rootkit search! (Thanks S!Ri)
Searching for known infections
Exporting sensitive keys..

List of files excepted in the XP SP2 firewall
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"D:\\jeux\\overlord\\Overlord.exe"="D:\\jeux\\overlord\\Overlord.exe:*:Enabled:Game Application"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"K:\\Program Files\\uTorrent\\uTorrent.exe"="K:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"D:\\3DSMax 9\\3dsmax.exe"="D:\\3DSMax 9\\3dsmax.exe:*:Enabled:Autodesk 3ds Max 9 32-bit"
"K:\\Program Files\\Autodesk\\Backburner\\monitor.exe"="K:\\Program Files\\Autodesk\\Backburner\\monitor.exe:*:Enabled:backburner 2.3 monitor"
"K:\\Program Files\\Autodesk\\Backburner\\manager.exe"="K:\\Program Files\\Autodesk\\Backburner\\manager.exe:*:Enabled:backburner 2.3 manager"
"K:\\Program Files\\Autodesk\\Backburner\\server.exe"="K:\\Program Files\\Autodesk\\Backburner\\server.exe:*:Enabled:backburner 2.3 server"
"K:\\Program Files\\Bonjour\\mDNSResponder.exe"="K:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"K:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="K:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"K:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="K:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"D:\\eMule\\emule.exe"="D:\\eMule\\emule.exe:*:Enabled:eMule"
"D:\\Mozilla\\firefox.exe"="D:\\Mozilla\\firefox.exe:*:Enabled:Firefox"
"K:\\WINDOWS\\system32\\dpvsetup.exe"="K:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"K:\\WINDOWS\\system32\\rundll32.exe"="K:\\WINDOWS\\system32\\rundll32.exe:*:Enabled:Exécuter une DLL en tant qu'application"
"D:\\jeux\\Splinter Cell\\SCDA-Offline\\System\\SplinterCell4.exe"="D:\\jeux\\Splinter Cell\\SCDA-Offline\\System\\SplinterCell4.exe:*:Enabled:SplinterCell4"
"D:\\jeux\\Soldier of fortune\\sof3.exe"="D:\\jeux\\Soldier of fortune\\sof3.exe:*:Enabled:sof3"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"K:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="K:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"K:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="K:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Exporting the SharedTaskScheduler key
[sharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Pré-chargeur Browseui"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Démon de cache des catégories de composant"

Exporting policies
REGEDIT4
[system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

Exporting sensitive keys..
Searching for sensitive addresses in the HOSTS file...

catchme 0.3.1319 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-30 05:47:07
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden services & system hive ...
IPC error: 2 The system cannot find the file specified.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg] "s1"=dword:2df9c43f "s2"=dword:110480d0 "h0"=dword:00000001 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4] "p0"="D:\DAEMON Tools Lite\" "h0"=dword:00000000 "khjeh"=hex:85,3d,4e,b1,49,d2,15,2f,96,7b,69,a9,0a,89,82,8f,fa,3c,3f,18,22,.. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4000001] "a0"=hex:20,01,00,00,9b,58,e4,c5,50,5b,d1,e5,97,fe,86,e0,7d,15,a7,79,8d,.. "khjeh"=hex:f4,08,24,13,8b,9d,a3,9c,d3,2a,33,28,ac,49,4a,7d,81,6b,a1,fc,04,.. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4000001Jf40] "khjeh"=hex:88,d7,48,21,1d,87,91,c8,7f,5a,39,6c,a3,e6,81,af,c9,5e,a0,b9,3c,.. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4] "p0"="D:\DAEMON Tools Lite\" "h0"=dword:00000000 "khjeh"=hex:85,3d,4e,b1,49,d2,15,2f,96,7b,69,a9,0a,89,82,8f,fa,3c,3f,18,22,.. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4000001] "a0"=hex:20,01,00,00,9b,58,e4,c5,50,5b,d1,e5,97,fe,86,e0,7d,15,a7,79,8d,.. "khjeh"=hex:f4,08,24,13,8b,9d,a3,9c,d3,2a,33,28,ac,49,4a,7d,81,6b,a1,fc,04,.. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4000001Jf40] "khjeh"=hex:88,d7,48,21,1d,87,91,c8,7f,5a,39,6c,a3,e6,81,af,c9,5e,a0,b9,3c,.. scanning hidden registry entries ... scanning hidden files ... 
scan completed successfully hidden services: 0 hidden files: 0 KProcCheck Version 0.2-beta1 Proof-of-Concept by SIG^2 (www.security.org.sg) Process list by traversal of KiWaitListHead 4 - System 140 - Ctxfihlp.exe 204 - AdskScSrv.exe 272 - guard.exe 352 - Center.exe 360 - mDNSResponder.e 620 - ashDisp.exe 632 - CtHelper.exe 652 - csrss.exe 676 - winlogon.exe 720 - services.exe 732 - lsass.exe 900 - svchost.exe 948 - svchost.exe 1044 - svchost.exe 1156 - CTxfispi.exe 1176 - svchost.exe 1196 - nTuneService.ex 1200 - acrotray.exe 1252 - svchost.exe 1284 - nvsvc32.exe 1400 - wdfmgr.exe 1492 - ashServ.exe 1592 - UAService7.exe 1620 - explorer.exe 1808 - rundll32.exe 1816 - winampa.exe 1948 - spoolsv.exe 2188 - avgas.exe 2196 - ctfmon.exe 2204 - msnmsgr.exe 2212 - NMBgMonitor.exe 2252 - NMIndexStoreSvr 2268 - ExeGo.exe 2384 - svchost.exe 2392 - acrobat_sl.exe 2748 - ashMaiSv.exe 2792 - ashWebSv.exe 2844 - wmiapsrv.exe 2876 - cmd.exe 3120 - wmiprvse.exe 3244 - FNPLicensingSer 3388 - firefox.exe 3400 - alg.exe 3468 - wuauclt.exe 3656 - usnsvc.exe Total number of processes = 46 NOTE: Under WinXP, this will not show all processes. 
KProcCheck Version 0.2-beta1 Proof-of-Concept by SIG^2 (www.security.org.sg) Driver/Module list by traversal of PsLoadedModuleList 804D7000 - \WINDOWS\system32\ntkrnlpa.exe 806E2000 - \WINDOWS\system32\hal.dll BADA8000 - \WINDOWS\system32\KDCOM.DLL BACB8000 - \WINDOWS\system32\BOOTVID.dll BA6A9000 - spsp.sys BADAA000 - \WINDOWS\System32\Drivers\WMILIB.SYS BA691000 - \WINDOWS\System32\Drivers\SCSIPORT.SYS BA662000 - ACPI.sys BA651000 - pci.sys BA8A8000 - ohci1394.sys BA8B8000 - \WINDOWS\system32\DRIVERS\1394BUS.SYS BA8C8000 - isapnp.sys BAE70000 - pciide.sys BAB28000 - \WINDOWS\system32\DRIVERS\PCIIDEX.SYS BA8D8000 - MountMgr.sys BA632000 - ftdisk.sys BADAC000 - dmload.sys BA60C000 - dmio.sys BAB30000 - PartMgr.sys BA8E8000 - VolSnap.sys BA5F4000 - atapi.sys BA5DA000 - nvata.sys BA8F8000 - disk.sys BA908000 - \WINDOWS\system32\DRIVERS\CLASSPNP.SYS BA5BA000 - fltMgr.sys BA5A8000 - sr.sys BA918000 - PxHelp20.sys BA591000 - KSecDD.sys BA504000 - Ntfs.sys BA4D7000 - NDIS.sys BA4BC000 - Mup.sys BAB08000 - \SystemRoot\system32\DRIVERS\nic1394.sys BA9E8000 - \SystemRoot\system32\DRIVERS\intelppm.sys B9D1E000 - \SystemRoot\system32\DRIVERS\nv4_mini.sys B9D0A000 - \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS BACA8000 - \SystemRoot\system32\DRIVERS\usbohci.sys B9CE7000 - \SystemRoot\system32\DRIVERS\USBPORT.SYS BACB0000 - \SystemRoot\system32\DRIVERS\usbehci.sys BA9F8000 - \SystemRoot\system32\DRIVERS\cdrom.sys BAA08000 - \SystemRoot\system32\DRIVERS\redbook.sys B9CC4000 - \SystemRoot\system32\DRIVERS\ks.sys BAA18000 - \SystemRoot\system32\DRIVERS\imapi.sys B9C46000 - \SystemRoot\system32\drivers\ctaud2k.sys B9C24000 - \SystemRoot\system32\drivers\portcls.sys BAA28000 - \SystemRoot\system32\drivers\drmk.sys B9BF0000 - \SystemRoot\system32\drivers\ctoss2k.sys BAB50000 - \SystemRoot\system32\drivers\ctprxy2k.sys B9BCB000 - \SystemRoot\system32\DRIVERS\HDAudBus.sys BAA38000 - \SystemRoot\system32\DRIVERS\nvnetbus.sys B9AEA000 - \SystemRoot\system32\DRIVERS\NVNRM.SYS B9A64000 - 
\SystemRoot\System32\Drivers\a3ycxn14.SYS BAF28000 - \SystemRoot\system32\DRIVERS\audstub.sys BAA48000 - \SystemRoot\system32\DRIVERS\rasl2tp.sys BA44A000 - \SystemRoot\system32\DRIVERS\ndistapi.sys B98D1000 - \SystemRoot\system32\DRIVERS\ndiswan.sys BAA58000 - \SystemRoot\system32\DRIVERS\raspppoe.sys BAA68000 - \SystemRoot\system32\DRIVERS\raspptp.sys BABE0000 - \SystemRoot\system32\DRIVERS\TDI.SYS B98C0000 - \SystemRoot\system32\DRIVERS\psched.sys BAA78000 - \SystemRoot\system32\DRIVERS\msgpc.sys BABE8000 - \SystemRoot\system32\DRIVERS\ptilink.sys BABF0000 - \SystemRoot\system32\DRIVERS\raspti.sys B926D000 - \SystemRoot\system32\DRIVERS\rdpdr.sys BAA88000 - \SystemRoot\system32\DRIVERS\termdd.sys BABF8000 - \SystemRoot\system32\DRIVERS\kbdclass.sys BAC00000 - \SystemRoot\system32\DRIVERS\mouclass.sys BADCE000 - \SystemRoot\system32\DRIVERS\swenum.sys B9214000 - \SystemRoot\system32\DRIVERS\update.sys BAD58000 - \SystemRoot\system32\DRIVERS\mssmbios.sys BAA98000 - \SystemRoot\System32\Drivers\NDProxy.SYS BAAA8000 - \SystemRoot\system32\DRIVERS\usbhub.sys BADD0000 - \SystemRoot\system32\DRIVERS\USBD.SYS BAAB8000 - \SystemRoot\system32\DRIVERS\NVENETFD.sys B2D46000 - \SystemRoot\system32\drivers\ha20x2k.sys B2D17000 - \SystemRoot\system32\drivers\emupia2k.sys B2CEE000 - \SystemRoot\system32\drivers\ctsfm2k.sys B2C52000 - \SystemRoot\system32\drivers\ctac32k.sys BADD6000 - \SystemRoot\System32\Drivers\Fs_Rec.SYS BAF67000 - \SystemRoot\System32\Drivers\Null.SYS BADD8000 - \SystemRoot\System32\Drivers\Beep.SYS BAF71000 - \SystemRoot\System32\DRIVERS\AvgAsCln.sys BAC28000 - \SystemRoot\system32\DRIVERS\usbccgp.sys BAC30000 - \SystemRoot\system32\DRIVERS\HIDPARSE.SYS BAC38000 - \SystemRoot\System32\drivers\vga.sys BADDC000 - \SystemRoot\System32\Drivers\mnmdd.SYS BADDE000 - \SystemRoot\System32\DRIVERS\RDPCDD.sys BAC40000 - \SystemRoot\System32\Drivers\Msfs.SYS BAC48000 - \SystemRoot\System32\Drivers\Npfs.SYS BA48C000 - \SystemRoot\system32\DRIVERS\rasacd.sys B2C1F000 - 
\SystemRoot\system32\DRIVERS\ipsec.sys B2BC7000 - \SystemRoot\system32\DRIVERS\tcpip.sys BAAE8000 - \SystemRoot\System32\Drivers\aswTdi.SYS B2BA6000 - \SystemRoot\system32\DRIVERS\ipnat.sys B2B7E000 - \SystemRoot\system32\DRIVERS\netbt.sys BAAF8000 - \SystemRoot\system32\DRIVERS\wanarp.sys B2B5C000 - \SystemRoot\System32\drivers\afd.sys BAB18000 - \SystemRoot\system32\DRIVERS\netbios.sys BA948000 - \SystemRoot\system32\DRIVERS\arp1394.sys B2B31000 - \SystemRoot\system32\DRIVERS\rdbss.sys B2AC2000 - \SystemRoot\system32\DRIVERS\mrxsmb.sys BA958000 - \SystemRoot\System32\Drivers\Fips.SYS BAF8D000 - \??\K:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys BAC60000 - \SystemRoot\System32\Drivers\Aavmker4.SYS BAC70000 - \SystemRoot\system32\DRIVERS\USBSTOR.SYS B9210000 - \SystemRoot\system32\DRIVERS\hidusb.sys BA988000 - \SystemRoot\system32\DRIVERS\HIDCLASS.SYS BA9D8000 - \SystemRoot\System32\Drivers\Cdfs.SYS B920C000 - \SystemRoot\system32\DRIVERS\kbdhid.sys B9208000 - \SystemRoot\system32\DRIVERS\mouhid.sys B29E0000 - \SystemRoot\System32\Drivers\dump_nvata.sys BADF2000 - \SystemRoot\System32\Drivers\dump_WMILIB.SYS BF800000 - \SystemRoot\System32\win32k.sys B91F0000 - \SystemRoot\System32\drivers\Dxapi.sys BAC88000 - \SystemRoot\System32\watchdog.sys BF9C3000 - \SystemRoot\System32\drivers\dxg.sys BAFC3000 - \SystemRoot\System32\drivers\dxgthk.sys BF9D5000 - \SystemRoot\System32\nv4_disp.dll BFFA0000 - \SystemRoot\System32\ATMFD.DLL BACA0000 - \SystemRoot\system32\DRIVERS\AegisP.sys B26DC000 - \SystemRoot\system32\DRIVERS\ndisuio.sys B254A000 - \SystemRoot\System32\Drivers\aswMon2.SYS B229D000 - \SystemRoot\system32\DRIVERS\mrxdav.sys B2192000 - \SystemRoot\system32\DRIVERS\atksgt.sys B217D000 - \SystemRoot\system32\drivers\wdmaud.sys B2A72000 - \SystemRoot\system32\drivers\sysaudio.sys BAB88000 - \SystemRoot\system32\DRIVERS\lirsgt.sys B1F1D000 - \SystemRoot\system32\DRIVERS\srv.sys B1784000 - \SystemRoot\System32\Drivers\HTTP.sys BADB0000 - 
\??\K:\WINDOWS\nvoclock.sys B1770000 - \SystemRoot\System32\Drivers\aswRdr.SYS B1710000 - \??\K:\WINDOWS\system32\ASNDIS5.SYS B1335000 - \SystemRoot\system32\drivers\kmixer.sys BAF08000 - \SystemRoot\System32\DRIVERS\KProcCheck.sys Total number of drivers = 133 Liste des programmes installes 3dsmax ancillary install Add or Remove Adobe Creative Suite 3 Design Premium Adobe Acrobat 8 Professional Adobe Anchor Service CS3 Adobe Asset Services CS3 Adobe Bridge CS3 Adobe Bridge Start Meeting Adobe BridgeTalk Plugin CS3 Adobe Camera Raw 4.0 Adobe CMaps Adobe Color - Photoshop Specific Adobe Color Common Settings Adobe Color EU Extra Settings Adobe Color JA Extra Settings Adobe Color NA Recommended Settings Adobe Creative Suite 3 Design Premium Adobe Default Language CS3 Adobe Device Central CS3 Adobe Dreamweaver CS3 Adobe ExtendScript Toolkit 2 Adobe Extension Manager CS3 Adobe Flash CS3 Adobe Flash Player 9 ActiveX Adobe Flash Player 9 Plugin Adobe Flash Player ActiveX Adobe Flash Player Plugin Adobe Flash Video Encoder Adobe Fonts All Adobe Help Viewer CS3 Adobe Illustrator CS3 Adobe InDesign CS3 Icon Handler Adobe Linguistics CS3 Adobe MotionPicture Color Files Adobe PDF Library Files Adobe Photoshop CS3 Adobe Setup Adobe Shockwave Player Adobe SING CS3 Adobe Stock Photos CS3 Adobe Type Support Adobe Update Manager CS3 Adobe Version Cue CS3 Client Adobe WAS CS3 Adobe WinSoft Linguistics Plugin Adobe XMP Panels CS3 AdVantage (Powering DAEMON Tools) AGEIA PhysX v6.10.05 AHV content for Acrobat and Flash Apple Software Update Archiveur WinRAR Assistant de connexion Windows Live ASUS WLAN Card Utilities/Driver Autodesk 3ds Max 9 32-bit Autodesk DWF Viewer 7 avast! 
Antivirus AVG Anti-Spyware 7.5 Backburner Burn Screensavers 1.0 CCleaner (remove only) Correctif pour Windows XP (KB914440) Correctif Windows XP - KB873339 Correctif Windows XP - KB885835 Correctif Windows XP - KB885836 Correctif Windows XP - KB886185 Correctif Windows XP - KB887472 Correctif Windows XP - KB888302 Correctif Windows XP - KB890859 Correctif Windows XP - KB891781 DivX Content Uploader DivX Web Player EAX4 Unified Redist eMule Fable - The Lost Chapters Fable - The Lost Chapters FBX Plugin 2006.08 for Max 9.0 High Definition Audio Driver Package - KB888111 HijackThis 2.0.2 Hotfix for Windows XP (KB915865) Infernal Java 6 Update 3 LEGO Star Wars LEGO Star Wars LEGO Star Wars II LEGO Star Wars II Ma-Config.com plugin Messenger Plus! Live Microsoft .NET Framework 2.0 Microsoft .NET Framework 2.0 Microsoft Internationalized Domain Names Mitigation APIs Microsoft National Language Support Downlevel APIs Microsoft Office Access MUI (French) 2007 Microsoft Office Excel MUI (French) 2007 Microsoft Office InfoPath MUI (French) 2007 Microsoft Office Outlook MUI (French) 2007 Microsoft Office PowerPoint MUI (French) 2007 Microsoft Office Professional Plus 2007 Microsoft Office Professional Plus 2007 Microsoft Office Proof (Arabic) 2007 Microsoft Office Proof (Dutch) 2007 Microsoft Office Proof (English) 2007 Microsoft Office Proof (French) 2007 Microsoft Office Proof (German) 2007 Microsoft Office Proof (Spanish) 2007 Microsoft Office Proofing (French) 2007 Microsoft Office Publisher MUI (French) 2007 Microsoft Office Shared MUI (French) 2007 Microsoft Office Word MUI (French) 2007 Microsoft Software Update for Web Folders (French) 12 Microsoft Visual C++ 2005 Redistributable Mise à jour de sécurité pour Lecteur Windows Media (KB911564) Mise à jour de sécurité pour Lecteur Windows Media 6.4 (KB925398) Mise à jour de sécurité pour Lecteur Windows Media 9 (KB936782) Mise à jour de sécurité pour Windows Internet Explorer 7 (KB938127) Mise à jour de sécurité pour 
Windows Internet Explorer 7 (KB942615) Mise à jour de sécurité pour Windows XP (KB890046) Mise à jour de sécurité pour Windows XP (KB893756) Mise à jour de sécurité pour Windows XP (KB896358) Mise à jour de sécurité pour Windows XP (KB896423) Mise à jour de sécurité pour Windows XP (KB896428) Mise à jour de sécurité pour Windows XP (KB899587) Mise à jour de sécurité pour Windows XP (KB899591) Mise à jour de sécurité pour Windows XP (KB900725) Mise à jour de sécurité pour Windows XP (KB901017) Mise à jour de sécurité pour Windows XP (KB901214) Mise à jour de sécurité pour Windows XP (KB902400) Mise à jour de sécurité pour Windows XP (KB905414) Mise à jour de sécurité pour Windows XP (KB905749) Mise à jour de sécurité pour Windows XP (KB908519) Mise à jour de sécurité pour Windows XP (KB911562) Mise à jour de sécurité pour Windows XP (KB911927) Mise à jour de sécurité pour Windows XP (KB913580) Mise à jour de sécurité pour Windows XP (KB914388) Mise à jour de sécurité pour Windows XP (KB914389) Mise à jour de sécurité pour Windows XP (KB917953) Mise à jour de sécurité pour Windows XP (KB918118) Mise à jour de sécurité pour Windows XP (KB918439) Mise à jour de sécurité pour Windows XP (KB919007) Mise à jour de sécurité pour Windows XP (KB920213) Mise à jour de sécurité pour Windows XP (KB920670) Mise à jour de sécurité pour Windows XP (KB920683) Mise à jour de sécurité pour Windows XP (KB920685) Mise à jour de sécurité pour Windows XP (KB921503) Mise à jour de sécurité pour Windows XP (KB922819) Mise à jour de sécurité pour Windows XP (KB923191) Mise à jour de sécurité pour Windows XP (KB923414) Mise à jour de sécurité pour Windows XP (KB923689) Mise à jour de sécurité pour Windows XP (KB923980) Mise à jour de sécurité pour Windows XP (KB924270) Mise à jour de sécurité pour Windows XP (KB924496) Mise à jour de sécurité pour Windows XP (KB924667) Mise à jour de sécurité pour Windows XP (KB925902) Mise à jour de sécurité pour Windows XP (KB926255) Mise à jour de 
sécurité pour Windows XP (KB926436) Mise à jour de sécurité pour Windows XP (KB927779) Mise à jour de sécurité pour Windows XP (KB927802) Mise à jour de sécurité pour Windows XP (KB928255) Mise à jour de sécurité pour Windows XP (KB929123) Mise à jour de sécurité pour Windows XP (KB930178) Mise à jour de sécurité pour Windows XP (KB931261) Mise à jour de sécurité pour Windows XP (KB931784) Mise à jour de sécurité pour Windows XP (KB932168) Mise à jour de sécurité pour Windows XP (KB933729) Mise à jour de sécurité pour Windows XP (KB935839) Mise à jour de sécurité pour Windows XP (KB935840) Mise à jour de sécurité pour Windows XP (KB936021) Mise à jour de sécurité pour Windows XP (KB937894) Mise à jour de sécurité pour Windows XP (KB938127) Mise à jour de sécurité pour Windows XP (KB938829) Mise à jour de sécurité pour Windows XP (KB941202) Mise à jour de sécurité pour Windows XP (KB941568) Mise à jour de sécurité pour Windows XP (KB941569) Mise à jour de sécurité pour Windows XP (KB941644) Mise à jour de sécurité pour Windows XP (KB942615) Mise à jour de sécurité pour Windows XP (KB943460) Mise à jour de sécurité pour Windows XP (KB943485) Mise à jour de sécurité pour Windows XP (KB944653) Mise à jour pour Windows XP (KB894391) Mise à jour pour Windows XP (KB898461) Mise à jour pour Windows XP (KB900485) Mise à jour pour Windows XP (KB904942) Mise à jour pour Windows XP (KB908531) Mise à jour pour Windows XP (KB910437) Mise à jour pour Windows XP (KB911280) Mise à jour pour Windows XP (KB916595) Mise à jour pour Windows XP (KB920872) Mise à jour pour Windows XP (KB922582) Mise à jour pour Windows XP (KB927891) Mise à jour pour Windows XP (KB930916) Mise à jour pour Windows XP (KB936357) Mise à jour pour Windows XP (KB938828) Mise à jour pour Windows XP (KB942763) Mise à jour pour Windows XP (KB942840) Mise à jour pour Windows XP (KB946627) Mozilla Firefox (2.0.0.11) Mozilla Thunderbird (1.5) Nero 7 Ultra Edition NVIDIA Drivers NVIDIA nTune NVIDIA nTune Overlord PDF 
Settings Prey QuickTime Realtek AC'97 Audio Resource Tuner 1.99 Security Update pour Microsoft .NET Framework 2.0 (KB928365) Soldier of Fortune Payback Star Wars Knights of the Old Republic II: The Sith Lords Tom Clancy's Splinter Cell Double Agent Update for Outlook 2007 Junk Email Filter (kb943597) VideoLAN VLC media player 0.8.6d WebFldrs XP Winamp Windows Installer 3.1 (KB893803) Windows Internet Explorer 7 Windows Live installer Windows Live Messenger Windows Media Format Runtime Le volume dans le lecteur K s'appelle WinXP Le numéro de série du volume est F063-9980 Répertoire de K:\Program Files 30/01/2008 03:37 <REP> . 30/01/2008 03:37 <REP> .. 09/01/2008 23:15 <REP> Adobe 07/01/2008 00:57 <REP> AGEIA Technologies 18/01/2008 12:54 <REP> Apple Software Update 05/01/2008 23:14 <REP> ASUS 09/01/2008 22:55 <REP> Autodesk 09/01/2008 23:16 <REP> Bonjour 05/01/2008 22:53 <REP> ComPlus Applications 09/01/2008 23:13 <REP> Fichiers communs 30/01/2008 03:23 <REP> Grisoft 06/01/2008 00:32 <REP> Intel Desktop Boards 09/01/2008 22:49 <REP> Internet Explorer 07/01/2008 00:08 <REP> Java 06/01/2008 00:16 <REP> ma-config.com 10/01/2008 01:06 <REP> Messenger 08/01/2008 12:40 <REP> Messenger Plus! 
Live 05/01/2008 22:55 <REP> microsoft frontpage 07/01/2008 01:49 <REP> Microsoft Office 07/01/2008 01:49 <REP> Microsoft Visual Studio 07/01/2008 01:49 <REP> Microsoft Works 07/01/2008 20:05 <REP> Movie Maker 05/01/2008 22:52 <REP> MSN 05/01/2008 22:52 <REP> MSN Gaming Zone 05/01/2008 22:54 <REP> NetMeeting 05/01/2008 22:53 <REP> Online Services 07/01/2008 20:05 <REP> Outlook Express 09/01/2008 23:21 <REP> QuickTime 06/01/2008 02:38 <REP> Realtek AC97 05/01/2008 22:54 <REP> Services en ligne 06/01/2008 00:32 <REP> SigmaTel 09/01/2008 13:25 <REP> uTorrent 06/01/2008 12:34 <REP> Windows Live 18/01/2008 05:19 <REP> Windows Media Player 05/01/2008 22:52 <REP> Windows NT 05/01/2008 23:32 <REP> WinRAR 05/01/2008 22:55 <REP> xerox 0 fichier(s) 0 octets 37 Rép(s) 138.064.670.720 octets libres Le volume dans le lecteur K s'appelle WinXP Le numéro de série du volume est F063-9980 Répertoire de K:\Program Files\fichiers communs 09/01/2008 23:13 <REP> . 09/01/2008 23:13 <REP> .. 09/01/2008 23:25 <REP> Adobe 07/01/2008 15:48 <REP> Ahead 09/01/2008 23:09 <REP> Autodesk Shared 07/01/2008 01:49 <REP> DESIGNER 07/01/2008 18:47 <REP> DirectX 06/01/2008 23:12 <REP> InstallShield 07/01/2008 00:06 <REP> Java 09/01/2008 23:13 <REP> Macrovision Shared 07/01/2008 01:49 <REP> Microsoft Shared 05/01/2008 22:54 <REP> MSSoap 05/01/2008 22:51 <REP> ODBC 05/01/2008 22:54 <REP> Services 05/01/2008 22:51 <REP> SpeechEngines 07/01/2008 02:49 <REP> System 07/01/2008 00:57 <REP> Wise Installation Wizard 0 fichier(s) 0 octets 17 Rép(s) 138.064.666.624 octets libres Le volume dans le lecteur K s'appelle WinXP Le numéro de série du volume est F063-9980 Répertoire de K:\Program Files\fichiers communs\Microsoft Shared\Web Folders 07/01/2008 01:47 <REP> . 07/01/2008 01:47 <REP> .. 
07/01/2008 01:47 <REP> 1036 26/10/2006 19:49 970.528 MSONSEXT.DLL 26/10/2006 20:12 40.256 MSOSV.DLL 03/06/1999 12:09 122.937 MSOWS409.DLL 07/03/2001 07:00 127.033 MSOWS40c.DLL 4 fichier(s) 1.260.754 octets 3 Rép(s) 138.064.666.624 octets libres ****** Fin du rapport DiagHelp Veuillez svp envoyer le fichier C:\upload_moi_POUPOUL.tar.gz a l'adresse http://upload.malekal.com Merci -
[Solved] Non-stop pop-ups and general slowdown
Poupoul replied to a topic by Poupoul in Malware analysis and eradication
Here is the MSlog result:

MsLook.exe execute le : mer. 30/01/2008 5:22:32,20
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AdVantage]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AdVantage"
"hkey"="HKCU"
"command"="\"K:\\Program Files\\AdVantage\\AdVantage.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state]
"system.ini"=dword:00000000
"win.ini"=dword:00000000
"bootini"=dword:00000002
"services"=dword:00000000
"startup"=dword:00000002

and the SmitfraudFix one:

SmitFraudFix v2.277
Rapport fait à 5:25:05,56, mer. 30/01/2008
Executé à partir de K:\Documents and Settings\poupoul\Bureau\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [version 5.1.2600] - Windows_NT
Le type du système de fichiers est NTFS
Fix executé en mode normal

»»»»»»»»»»»»»»»»»»»»»»»» Process
K:\WINDOWS\System32\smss.exe
K:\WINDOWS\system32\winlogon.exe
K:\WINDOWS\system32\services.exe
K:\WINDOWS\system32\lsass.exe
K:\WINDOWS\system32\svchost.exe
K:\WINDOWS\System32\svchost.exe
D:\Avast\aswUpdSv.exe
D:\Avast\ashServ.exe
K:\WINDOWS\Explorer.EXE
K:\WINDOWS\system32\spoolsv.exe
K:\Program Files\Fichiers communs\Autodesk Shared\Service\AdskScSrv.exe
K:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
K:\Program Files\Bonjour\mDNSResponder.exe
K:\Program Files\ASUS\WLAN Card Utilities\Center.exe
D:\Avast\ashDisp.exe
K:\WINDOWS\system32\CTHELPER.EXE
K:\WINDOWS\system32\CTXFIHLP.EXE
K:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
D:\3DSMax 9\mentalray\satellite\raysat_3dsmax9_32server.exe
K:\WINDOWS\SYSTEM32\CTXFISPI.EXE
D:\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
D:\NVIDIA Corporation\nTune\nTuneService.exe
D:\Winamp\winampa.exe
K:\WINDOWS\system32\RUNDLL32.EXE
K:\WINDOWS\system32\nvsvc32.exe
K:\WINDOWS\system32\UAService7.exe
K:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
K:\WINDOWS\system32\ctfmon.exe
K:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
K:\Program Files\Fichiers communs\Ahead\Lib\NMBgMonitor.exe
K:\Program Files\Fichiers communs\Ahead\Lib\NMIndexStoreSvr.exe
D:\ExeGo\ExeGo.exe
K:\Program Files\Fichiers communs\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
K:\WINDOWS\system32\wbem\wmiapsrv.exe
K:\Program Files\Windows Live\Messenger\usnsvc.exe
K:\WINDOWS\System32\svchost.exe
K:\WINDOWS\system32\rundll32.exe
D:\Mozilla\firefox.exe
D:\Avast\ashMaiSv.exe
D:\Avast\ashWebSv.exe
K:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» K:\

»»»»»»»»»»»»»»»»»»»»»»»» K:\WINDOWS
K:\WINDOWS\adsoowf.dll PRESENT !
K:\WINDOWS\dntpkwo???.dll PRESENT !
K:\WINDOWS\ffvrdgt.exe PRESENT !

»»»»»»»»»»»»»»»»»»»»»»»» K:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» K:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» K:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» K:\Documents and Settings\poupoul

»»»»»»»»»»»»»»»»»»»»»»»» K:\Documents and Settings\poupoul\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Menu Démarrer

»»»»»»»»»»»»»»»»»»»»»»»» K:\DOCUME~1\poupoul\Favoris

»»»»»»»»»»»»»»»»»»»»»»»» Bureau

»»»»»»»»»»»»»»»»»»»»»»»» K:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Clés corrompues

»»»»»»»»»»»»»»»»»»»»»»»» Eléments du bureau

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!
IEDFix.exe by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Rustock

»»»»»»»»»»»»»»»»»»»»»»»» DNS
Description: NVIDIA nForce Networking Controller - Miniport d'ordonnancement de paquets
DNS Server Search Order: 192.168.1.1
Description: NVIDIA nForce Networking Controller - Miniport d'ordonnancement de paquets
DNS Server Search Order: 192.168.1.254
HKLM\SYSTEM\CCS\Services\Tcpip\..\{8D44BFA3-CF58-420F-A342-C95CA98A84B0}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{B42CEEF2-86CF-4623-84D5-95A5C4E5A3BC}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\..\{8D44BFA3-CF58-420F-A342-C95CA98A84B0}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{B42CEEF2-86CF-4623-84D5-95A5C4E5A3BC}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS2\Services\Tcpip\..\{8D44BFA3-CF58-420F-A342-C95CA98A84B0}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{B42CEEF2-86CF-4623-84D5-95A5C4E5A3BC}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254

»»»»»»»»»»»»»»»»»»»»»»»» Recherche infection wininet.dll

»»»»»»»»»»»»»»»»»»»»»»»» Fin

thanks
[Solved] Non-stop pop-ups and general slowdown
Poupoul posted a topic in Malware analysis and eradication
So, I get pop-ups fairly often (mostly telling me my computer isn't protected) and it's getting tiresome... I ran a scan with HijackThis and here is the result:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:23:45, on 30/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
K:\WINDOWS\System32\smss.exe
K:\WINDOWS\system32\winlogon.exe
K:\WINDOWS\system32\services.exe
K:\WINDOWS\system32\lsass.exe
K:\WINDOWS\system32\svchost.exe
K:\WINDOWS\System32\svchost.exe
D:\Avast\aswUpdSv.exe
D:\Avast\ashServ.exe
K:\WINDOWS\Explorer.EXE
K:\WINDOWS\system32\spoolsv.exe
K:\Program Files\Fichiers communs\Autodesk Shared\Service\AdskScSrv.exe
K:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
K:\Program Files\Bonjour\mDNSResponder.exe
K:\Program Files\ASUS\WLAN Card Utilities\Center.exe
D:\Avast\ashDisp.exe
K:\WINDOWS\system32\CTHELPER.EXE
K:\WINDOWS\system32\CTXFIHLP.EXE
K:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
D:\3DSMax 9\mentalray\satellite\raysat_3dsmax9_32server.exe
K:\WINDOWS\SYSTEM32\CTXFISPI.EXE
D:\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
D:\NVIDIA Corporation\nTune\nTuneService.exe
D:\Winamp\winampa.exe
K:\WINDOWS\system32\RUNDLL32.EXE
K:\WINDOWS\system32\nvsvc32.exe
K:\WINDOWS\system32\UAService7.exe
K:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
K:\WINDOWS\system32\ctfmon.exe
K:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
K:\Program Files\Fichiers communs\Ahead\Lib\NMBgMonitor.exe
K:\Program Files\Fichiers communs\Ahead\Lib\NMIndexStoreSvr.exe
D:\ExeGo\ExeGo.exe
D:\Avast\ashMaiSv.exe
D:\Avast\ashWebSv.exe
K:\Program Files\Fichiers communs\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
K:\WINDOWS\system32\wbem\wmiapsrv.exe
K:\Program Files\Windows Live\Messenger\usnsvc.exe
K:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WLLoginProxy.exe
D:\Mozilla\firefox.exe
K:\WINDOWS\System32\svchost.exe
K:\WINDOWS\system32\wuauclt.exe
K:\WINDOWS\system32\rundll32.exe
K:\Documents and Settings\poupoul\Bureau\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - K:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - K:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Programme d'aide de l'Assistant de connexion Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - K:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: SXG Advisor - {ECA6E136-A0B1-4D9B-AB52-C20229DAC5E3} - K:\WINDOWS\dntpkwowkv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: ekxdvft - {1BF97F11-E184-42BD-8E57-EDBA3CFB4F7A} - K:\WINDOWS\ekxdvft.dll (file missing)
O4 - HKLM\..\Run: [Control Center] K:\Program Files\ASUS\WLAN Card Utilities\Center.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE K:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [avast!] D:\Avast\ashDisp.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [sunJavaUpdateSched] "K:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [MSConfig] K:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [NeroFilterCheck] K:\Program Files\Fichiers communs\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "D:\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] D:\Winamp\winampa.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE K:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "K:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] K:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "K:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "K:\Program Files\Fichiers communs\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ExeGo] D:\ExeGo\ExeGo.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] K:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] K:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] K:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] K:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = D:\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O8 - Extra context menu item: Append to existing PDF - res://D:\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://K:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - K:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - K:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - K:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - K:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - K:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O21 - SSODL: adsoowf -
{8FCD5FC8-6B70-497A-8A05-97018F00CBDA} - K:\WINDOWS\adsoowf.dll O21 - SSODL: bgrlsmn - {F2D7E889-7BD0-4269-867D-59D83219C0F6} - K:\WINDOWS\bgrlsmn.dll (file missing) O23 - Service: ASWLSVC - Unknown owner - K:\WINDOWS\system32\ASWLSVC.exe O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Avast\aswUpdSv.exe O23 - Service: Autodesk Licensing Service - Autodesk - K:\Program Files\Fichiers communs\Autodesk Shared\Service\AdskScSrv.exe O23 - Service: avast! Antivirus - ALWIL Software - D:\Avast\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Avast\ashMaiSv.exe O23 - Service: avast! Web Scanner - ALWIL Software - D:\Avast\ashWebSv.exe O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - K:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - K:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - K:\Program Files\Fichiers communs\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - K:\Program Files\Fichiers communs\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - D:\3DSMax 9\mentalray\satellite\raysat_3dsmax9_32server.exe O23 - Service: NBService - Nero AG - D:\Nero\Nero 7\Nero BackItUp\NBService.exe O23 - Service: nTune Service (nTuneService) - NVIDIA - D:\NVIDIA Corporation\nTune\nTuneService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - K:\WINDOWS\system32\nvsvc32.exe O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - K:\WINDOWS\system32\UAService7.exe -- End of file - 8919 bytes
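Added example, not part of poupoul's post and not a HijackThis feature: a small Python triage script for the browser-extension and shell-load sections of a log like the one above (O2 BHOs, O3 toolbars, O21 SSODL entries). It parses each line into name, CLSID and target, then scores it with a few heuristics that helpers on these forums apply by eye: the target file is gone, the component has no display name, the DLL sits directly in the Windows directory instead of system32 or a product folder, and the filename is an unpronounceable string. The weights, the threshold of 2 and the "under 20% vowels" test are this example's own assumptions; the script only says which entries deserve a second look, not whether anything is malicious. The sample lines are copied from the log above with the benign Adobe, Java and Windows Live entries kept in for contrast.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: O2/O3/O21 lines from the HijackThis log above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - K:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - K:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Programme d'aide de l'Assistant de connexion Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - K:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: SXG Advisor - {ECA6E136-A0B1-4D9B-AB52-C20229DAC5E3} - K:\WINDOWS\dntpkwowkv.dll
O3 - Toolbar: ekxdvft - {1BF97F11-E184-42BD-8E57-EDBA3CFB4F7A} - K:\WINDOWS\ekxdvft.dll (file missing)
O21 - SSODL: adsoowf - {8FCD5FC8-6B70-497A-8A05-97018F00CBDA} - K:\WINDOWS\adsoowf.dll
O21 - SSODL: bgrlsmn - {F2D7E889-7BD0-4269-867D-59D83219C0F6} - K:\WINDOWS\bgrlsmn.dll (file missing)
"""

# HijackThis line shape: "<section> - <kind>: <name> - {CLSID} - <target>"
ENTRY_RE = re.compile(
    r"^(?P<section>O2|O3|O21) - (?P<kind>BHO|Toolbar|SSODL): (?P<name>.*?) - "
    r"\{(?P<clsid>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\} - (?P<target>.*)$"
)
# A DLL directly under the Windows directory, not in system32 or a product folder.
WINDIR_ROOT_DLL_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\[^\\]+\.dll$", re.IGNORECASE)

# Heuristic weights and threshold: assumptions made for this example.
WEIGHTS = {
    "orphan": 1,        # registry still points at a file that is gone
    "no_name": 1,       # component registered without a display name
    "windir_root": 2,   # DLL loaded straight from %WINDIR%\
    "random_name": 1,   # filename with almost no vowels, e.g. dntpkwowkv
}
THRESHOLD = 2


@dataclass
class Entry:
    section: str
    kind: str
    name: str
    clsid: str
    path: str              # "" when HijackThis shows (no file)
    missing: bool          # (no file) or (file missing)
    reasons: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return sum(WEIGHTS[r] for r in self.reasons)


def parse_hjt(text: str) -> list:
    """Parse the O2/O3/O21 entries of a HijackThis log; other sections are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        target = m.group("target").strip()
        path, missing = target, False
        if target == "(no file)":
            path, missing = "", True
        elif target.endswith(" (file missing)"):
            path, missing = target[: -len(" (file missing)")], True
        entries.append(Entry(m.group("section"), m.group("kind"), m.group("name"),
                             m.group("clsid").upper(), path, missing))
    return entries


def looks_random(stem: str) -> bool:
    """True for names of 5+ letters with fewer than 20% vowels (short abbreviations pass)."""
    letters = [c for c in stem.lower() if c.isalpha()]
    if len(letters) < 5:
        return False
    vowels = sum(c in "aeiouy" for c in letters)
    return vowels / len(letters) < 0.2


def assess(entry: Entry) -> Entry:
    """Attach the heuristic reasons that apply; returns the same object."""
    entry.reasons = []
    if entry.missing:
        entry.reasons.append("orphan")
    if entry.name == "(no name)":
        entry.reasons.append("no_name")
    if entry.path and WINDIR_ROOT_DLL_RE.match(entry.path):
        entry.reasons.append("windir_root")
    if entry.path:
        stem = entry.path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if looks_random(stem):
            entry.reasons.append("random_name")
    return entry


def triage(text: str) -> list:
    """Entries whose score reaches THRESHOLD, highest score first."""
    scored = [assess(e) for e in parse_hjt(text)]
    return sorted((e for e in scored if e.score >= THRESHOLD),
                  key=lambda e: e.score, reverse=True)


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.section:<3} {e.kind:<8} score={e.score} {e.name!r} -> "
              f"{e.path or '(no file)'} [{', '.join(e.reasons)}]")
```

Run against the sample, the script flags the two missing-file entries, the two DLLs living in K:\WINDOWS\, the nameless BHO with no file, and nothing from Adobe, Java or Windows Live. A lone weak signal is deliberately not enough: ssv.dll has no vowels but is a short, legitimately located Java helper, so it scores 0. Drop the flagged list into the usual next steps (check the files on disk, look up the CLSIDs, let the helper decide what HijackThis should fix) rather than treating the score as a verdict.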