Aller au contenu

Cartier83

Membres
 Afficher le profil  Afficher son activité

  • Compteur de contenus

    72

  • Inscription

  • Dernière visite

 Type de contenu 

Tout ce qui a été posté par Cartier83

  1. Cartier83
    Ok, c'est super !!! je te dis bonne soirée parce que j'ai l'impression que ça va mouliner pendant un moment. Je posterai les rapports dès que possible
  2. Cartier83
    Nouveau rapport Gmer. Au fait, swreg que tu m'as fait téléchargé, je touche toujours pas ? bon, en tout cas Antivir accepte de démarrer!!! c'est la première fois... GMER 1.0.14.14205 - http://www.gmer.net Rootkit scan 2008-03-23 19:53:18 Windows 5.1.2600 Service Pack 2 ---- System - GMER 1.0.14 ---- SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess [0xF7C748AC] SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess [0xF7C74812] ---- Kernel code sections - GMER 1.0.14 ---- ? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS Le fichier spécifié est introuvable. ! ---- Devices - GMER 1.0.14 ---- AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) Device \Driver\USBSTOR \Device\0000007c F7941218 Device \Driver\USBSTOR \Device\0000007d F7941218 AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ---- EOF - GMER 1.0.14 ----
  3. Cartier83
    Rapport Gmer : GMER 1.0.14.14205 - http://www.gmer.net Rootkit scan 2008-03-23 19:27:02 Windows 5.1.2600 Service Pack 2 ---- System - GMER 1.0.14 ---- SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess [0xF7C748AC] SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess [0xF7C74812] ---- Kernel code sections - GMER 1.0.14 ---- ? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS Le fichier spécifié est introuvable. ! ---- Devices - GMER 1.0.14 ---- AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ---- Registry - GMER 1.0.14 ---- Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage\2 Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage\2@file_name cegegsiagl Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage\2@file_expand drv Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage\2@file_path C:\WINDOWS\TEMP\ Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage\2@reg_name ltdttd Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage\2@reg_id 987234 Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage\2@start_function WLEntryPoint Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage\4 Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage\4@file_name jojktooksar Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage\4@file_expand dll Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage\4@file_path C:\WINDOWS\TEMP\ Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage\4@reg_name eiiogkms Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage\4@reg_id 7523455 Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage\4@start_function WLEntry ---- EOF - GMER 1.0.14 ----
  4. Cartier83
    Et voilà ! c'était un peu long parce que je transfère tout par clé USB d'un ordi à l'autre. Voici les rapports ComboFix et HiJackThis. J'ai téléchargé swreg mais pas lancé. ComboFix 08-03-21.2 - Ed 2008-03-23 18:54:33.7 - NTFSx86 Microsoft Windows XP Édition familiale 5.1.2600.2.1252.1.1036.18.694 [GMT 1:00] Endroit: C:\Documents and Settings\Ed\Bureau\ComboFix.exe Command switches used :: C:\Documents and Settings\Ed\Bureau\CFScript.txt * Création d'un nouveau point de restauration AVERTISSEMENT - LA CONSOLE DE RÉCUPÉRATION N'EST PAS INSTALLÉE SUR CETTE MACHINE !! FILE :: C:\DOCUME~1\Walter\LOCALS~1\Temp\csrssc.exe C:\WINDOWS\PSEXESVC.EXE C:\WINDOWS\system32\aiqcodo.drv C:\WINDOWS\SYSTEM32\cegegsiagl.drv C:\WINDOWS\TEMP\oekmqsscqms.drv C:\WINDOWS\TEMP\sqbbrsfnihd.drv C:\WINDOWS\TEMP\winlogan.exe . TimedOut: progfile.dat (((((((((((((((((((((((((((((((((((( Autres suppressions )))))))))))))))))))))))))))))))))))))))))))))))) . C:\WINDOWS\PSEXESVC.EXE C:\WINDOWS\system32\aiqcodo.drv C:\WINDOWS\SYSTEM32\cegegsiagl.drv . ((((((((((((((((((((((((((((( Fichiers créés 2008-02-23 to 2008-03-23 )))))))))))))))))))))))))))))))))))) . 2008-03-21 12:52 . 2008-03-21 12:52 <REP> d-------- C:\Documents and Settings\Ed\Application Data\Webroot 2008-03-20 11:46 . 2008-03-22 18:17 250 --a------ C:\WINDOWS\gmer.ini 2008-03-19 16:07 . 2008-03-19 19:19 <REP> d-------- C:\Program Files\Spybot - Search & Destroy 2008-03-19 16:07 . 2008-03-19 19:19 <REP> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy 2008-03-19 15:27 . 2008-03-21 16:17 <REP> d-------- C:\WINDOWS\BDOSCAN8 2008-03-18 15:33 . 2008-03-19 14:12 1,414 --a------ C:\WINDOWS\SYSTEM32\tmp.reg 2008-03-18 13:52 . 2008-03-18 13:53 <REP> d-------- C:\WINDOWS\ERUNT 2008-03-18 13:16 . 2008-03-18 13:16 <REP> d-------- C:\Documents and Settings\Administrateur.AMATEUR\Application Data\Grisoft 2008-03-16 23:09 . 2008-03-16 23:09 <REP> d-------- C:\Documents and Settings\Walter\Application Data\Grisoft 2008-03-16 19:06 . 2008-03-16 19:06 <REP> d-------- C:\Documents and Settings\Ed\Application Data\Grisoft 2008-03-16 19:05 . 2007-05-30 13:10 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys 2008-03-16 19:04 . 2008-03-16 19:04 <REP> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft 2008-03-16 19:00 . 2008-03-16 19:00 <REP> d-------- C:\Program Files\CCleaner 2008-03-16 12:26 . 2008-03-16 12:26 <REP> d-------- C:\Program Files\Trend Micro 2008-03-12 17:38 . 2004-08-20 01:09 221,184 --a------ C:\WINDOWS\SYSTEM32\wmpns.dll 2008-03-12 17:29 . 2008-03-15 14:30 <REP> d--h----- C:\Documents and Settings\Administrateur.AMATEUR\Modèles 2008-03-12 17:29 . 2008-03-12 17:29 <REP> d-------- C:\Documents and Settings\Administrateur.AMATEUR\Menu Démarrer 2008-03-12 17:29 . 2008-03-12 17:29 <REP> dr------- C:\Documents and Settings\Administrateur.AMATEUR\Favoris 2008-03-12 17:29 . 2008-03-18 18:44 <REP> d-------- C:\Documents and Settings\Administrateur.AMATEUR\Bureau 2008-03-12 17:00 . 2008-03-12 17:00 35,464 --a------ C:\WINDOWS\SYSTEM32\BluetoothAuthorizationAgent.exe 2008-03-12 16:52 . 2008-03-12 16:52 <REP> dr------- C:\Documents and Settings\LocalService.AUTORITE NT\Favoris 2008-03-11 19:59 . 2008-03-11 19:59 63 --a------ C:\WINDOWS\mdm.ini 2008-03-07 20:21 . 2008-03-07 20:21 54,156 --ah----- C:\WINDOWS\QTFont.qfn 2008-03-07 20:21 . 2008-03-07 20:21 1,409 --a------ C:\WINDOWS\QTFont.for 2008-02-23 12:55 . 2003-05-28 17:53 45,056 --a------ C:\WINDOWS\SYSTEM32\WNASPI2K.BAK 2008-02-23 12:55 . 2003-05-28 17:53 17,005 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ASPI2K.BAK 2008-02-23 12:55 . 2003-05-28 17:53 5,600 --a------ C:\WINDOWS\SYSTEM\WINASPI.BAK 2008-02-23 12:55 . 2003-05-28 17:53 4,672 --a------ C:\WINDOWS\SYSTEM\WOWPOST.BAK 2008-02-23 12:53 . 2003-09-12 13:08 83,208 --a------ C:\WINDOWS\SYSTEM32\S32EVNT1.DLL 2008-02-23 12:53 . 2003-09-12 13:08 82,136 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SYMEVENT.SYS . (((((((((((((((((((((((((((((((((( Compte-rendu de Find3M )))))))))))))))))))))))))))))))))))))))))))))))) . 2008-03-21 15:54 --------- d-----w C:\Program Files\Riven 2008-03-21 15:48 --------- d-----w C:\Program Files\Norton SystemWorks 2008-03-21 15:41 --------- d-----w C:\Program Files\UltraDefrag 2008-03-21 13:58 --------- d-----w C:\Program Files\WAV to MP3 Encoder 2008-03-21 13:47 --------- d-----w C:\Program Files\MessenPass 2008-03-19 10:48 94,208 ----a-w C:\WINDOWS\DUMP9971.tmp 2008-03-12 15:53 14,336 ----a-w C:\WINDOWS\SYSTEM32\svchost.exe 2008-03-07 19:23 --------- d-----w C:\Documents and Settings\Walter\Application Data\Corel 2008-03-04 18:46 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Messenger Plus! 2008-03-03 12:15 --------- d-----w C:\Program Files\Spamihilator 2008-02-28 14:06 --------- d-----w C:\Program Files\Fichiers communs\Symantec Shared 2008-02-25 13:13 --------- d-----w C:\Documents and Settings\Ed\Application Data\Corel 2008-02-23 11:57 --------- d-----w C:\Documents and Settings\Walter\Application Data\Symantec 2008-02-23 11:55 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec 2008-02-23 11:54 --------- d-----w C:\Program Files\Symantec 2008-02-11 18:05 --------- d-----w C:\Program Files\Myst Online 2008-02-10 12:16 --------- d-----w C:\Program Files\QuickTime 2008-02-10 11:57 --------- d-----w C:\Program Files\Lavasoft 2008-02-10 11:27 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft 2008-02-10 11:26 --------- d-----w C:\Program Files\Fichiers communs\Wise Installation Wizard 2008-01-27 17:06 --------- d-----w C:\Program Files\Common Files 2008-01-27 15:54 --------- d-----w C:\Documents and Settings\Walter\Application Data\Apple Computer 2008-01-27 14:09 --------- d-----w C:\Program Files\L'Amerzone 2008-01-09 14:01 53,248 ----a-w C:\WINDOWS\bdoscandel.exe 2007-12-29 00:31 39,424 ----a-w C:\WINDOWS\zipinst.exe 2007-12-29 00:26 47,104 ----a-w C:\WINDOWS\SYSTEM32\KMVIDC32.DLL 2004-05-11 17:58 39,859 ----a-w C:\Program Files\3dsUninst.exe 2004-05-11 17:58 1,210 ----a-w C:\Program Files\install.log 2004-03-29 15:21 958,549 ----a-w C:\Program Files\ThereKernel.dll 2004-03-29 15:21 24,657 ----a-w C:\Program Files\GnuMalloc.dll 2004-03-29 15:21 1,294,427 ----a-w C:\Program Files\ThereNetClient.dll 2002-04-01 18:51 266 --sh--w C:\Program Files\desktop.ini 2002-04-01 18:51 11,208 ---ha-w C:\Program Files\folder.htt 2001-03-28 10:02 122,880 ----a-w C:\WINDOWS\INF\Agfa\message.exe . ((((((((((((((((((((((((((((( snapshot@2008-03-22_13.50.21,79 ))))))))))))))))))))))))))))))))))))))))) . + 2008-03-23 17:57:51 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_894.dat . ((((((((((((((((((((((((((((((((( Point de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))) . . REGEDIT4 *Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-20 00:09 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25 6731312] "TkBellExe"="C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" [2007-10-06 14:32 185632] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-20 00:09 15360] C:\Documents and Settings\Solenne Gilpin\Menu D‚marrer\Programmes\D‚marrage\ Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\Osa9.exe [2000-01-21 09:15:56 65588] Norton System Doctor.lnk - C:\Program Files\Norton SystemWorks\Norton Utilities\Sysdoc32.exe [2003-09-13 14:17:26 57344] Rappels du Calendrier Microsoft Works.lnk - C:\Program Files\Fichiers communs\Microsoft Shared\Works Shared\wkcalrem.exe [1999-08-06 08:53:00 53317] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon] "UIHost"="logonui.exe" [HKLM\~\startupfolder\C:^Documents and Settings^Administrateur.AMATEUR^Menu Démarrer^Programmes^Démarrage^findfast.exe] path=C:\Documents and Settings\Administrateur.AMATEUR\Menu Démarrer\Programmes\Démarrage\findfast.exe backup=C:\WINDOWS\pss\findfast.exeStartup [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Menu Démarrer^Programmes^Démarrage^.protected] path=C:\Documents and Settings\All Users.WINDOWS\Menu Démarrer\Programmes\Démarrage\.protected backup=C:\WINDOWS\pss\.protectedCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Menu Démarrer^Programmes^Démarrage^autorun.exe] path=C:\Documents and Settings\All Users.WINDOWS\Menu Démarrer\Programmes\Démarrage\autorun.exe backup=C:\WINDOWS\pss\autorun.exeCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Menu Démarrer^Programmes^Démarrage^EPSON Background Monitor.lnk] path=C:\Documents and Settings\All Users.WINDOWS\Menu Démarrer\Programmes\Démarrage\EPSON Background Monitor.lnk backup=C:\WINDOWS\pss\EPSON Background Monitor.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Menu Démarrer^Programmes^Démarrage^InterVideo WinCinema Manager.lnk] path=C:\Documents and Settings\All Users.WINDOWS\Menu Démarrer\Programmes\Démarrage\InterVideo WinCinema Manager.lnk backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Menu Démarrer^Programmes^Démarrage^Microsoft Office.lnk] path=C:\Documents and Settings\All Users.WINDOWS\Menu Démarrer\Programmes\Démarrage\Microsoft Office.lnk backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Menu Démarrer^Programmes^Démarrage^PGPtray.lnk] path=C:\Documents and Settings\All Users.WINDOWS\Menu Démarrer\Programmes\Démarrage\PGPtray.lnk backup=C:\WINDOWS\pss\PGPtray.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^Ed^Menu Démarrer^Programmes^Démarrage^findfast.exe] path=C:\Documents and Settings\Ed\Menu Démarrer\Programmes\Démarrage\findfast.exe backup=C:\WINDOWS\pss\findfast.exeStartup [HKLM\~\startupfolder\C:^Documents and Settings^Ed^Menu Démarrer^Programmes^Démarrage^Microsoft Office.lnk] path=C:\Documents and Settings\Ed\Menu Démarrer\Programmes\Démarrage\Microsoft Office.lnk backup=C:\WINDOWS\pss\Microsoft Office.lnkStartup [HKLM\~\startupfolder\C:^Documents and Settings^TEMP^Menu Démarrer^Programmes^Démarrage^findfast.exe] path=C:\Documents and Settings\TEMP\Menu Démarrer\Programmes\Démarrage\findfast.exe backup=C:\WINDOWS\pss\findfast.exeStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware] --a------ 2007-06-11 10:25 6731312 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcctMgr] --a------ 2003-09-15 16:04 582168 C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC] --a------ 2006-01-02 17:41 45056 C:\Program Files\ATI Technologies\ATI.ACE\cli.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\autoload] C:\Documents and Settings\Ed\Local Settings\Application Data\cftmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthorizationAgent] --a------ 2008-03-12 17:00 35464 C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe] --a------ 2004-08-20 00:09 15360 C:\WINDOWS\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GhostStartTrayApp] --a------ 2003-06-10 18:02 94208 C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent] --a------ 2001-07-25 10:00 192568 C:\Program Files\Microsoft Money\System\Money Express.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck] --a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton SystemWorks] --a------ 2003-09-18 17:03 124048 C:\Program Files\Fichiers communs\Symantec Shared\CfgWiz.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL] -ra------ 2005-12-09 08:49 15691264 C:\WINDOWS\RTHDCPL.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] --a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg] --a------ 2007-06-08 11:40 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] --a------ 2007-10-06 14:32 185632 C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\trgiieco] --a------ 2004-08-20 00:10 33792 C:\WINDOWS\SYSTEM32\rundll32.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "aawservice"=2 (0x2) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\Program Files\\Myst Online\\UruExplorer.exe"= "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"= "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"= "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"= "C:\\Program Files\\MSN Messenger\\livecall.exe"= "C:\\Team17\\Worms2\\frontend.exe"= "C:\\Program Files\\AC2\\ac2probe.exe"= "C:\\WINDOWS\\SYSTEM32\\rundll32.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "27363:TCP"= 27363:TCP:@xpsp2res.dll,-22005 "17213:TCP"= 17213:TCP:@xpsp2res.dll,-22005 "9736:TCP"= 9736:TCP:@xpsp2res.dll,-22005 "18311:TCP"= 18311:TCP:@xpsp2res.dll,-22005 R0 ULiFilter;ULi PCIE Bridge Filter;C:\WINDOWS\system32\DRIVERS\ULiFiltr.sys [2005-12-08 08:20] R1 GhPciScan;GhostPciScanner;C:\Program Files\Norton SystemWorks\Norton Ghost\ghpciscan.sys [2003-05-28 19:01] R2 PGPmemlock;PGPmemlock;C:\WINDOWS\system32\drivers\PGPmemlock.sys [1999-10-29 05:52] S3 SmartCd;SmartCd;C:\WINDOWS\system32\Drivers\SmartCd.sys [] . Contenu du dossier 'Scheduled Tasks/Tâches planifiées' "2008-03-10 15:06:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe "2008-03-21 16:30:00 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job" - C:\Program Files\Norton SystemWorks\OBC.exe "2008-03-04 23:00:00 C:\WINDOWS\Tasks\Symantec Drmc.job" - C:\Program Files\Fichiers communs\Symantec Shared\SymDrmc.exe "2008-03-23 17:57:00 C:\WINDOWS\Tasks\Symantec NetDetect.job" - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE . ************************************************************************** catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-03-23 18:58:02 Windows 5.1.2600 Service Pack 2 NTFS Balayage processus cachés ... Balayage caché autostart entries ... Balayage des fichiers cachés ... Scan terminé avec succès Les fichiers cachés: 0 ************************************************************************** . Temps d'accomplissement: 2008-03-23 19:01:35 ComboFix-quarantined-files.txt 2008-03-23 18:01:33 ComboFix2.txt 2008-03-22 12:50:35 ComboFix3.txt 2008-03-21 15:32:53 . 2008-03-12 12:26:50 --- E O F --- Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 19:04:57, on 23/03/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16608) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE C:\ESM2\SAgentNT.exe C:\WINDOWS\System32\svchost.exe C:\ESM2\EBRR.EXE C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\explorer.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://fr.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE RÉSEAU') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user') O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll O9 - Extra button: Capturer ! - {47055D63-DFCD-11d3-8406-00500445A7D0} - C:\Program Files\Goto\MemoWeb 4\IEBtn\Launcher (file missing) O9 - Extra 'Tools' menuitem: Capturer ce web - {47055D63-DFCD-11d3-8406-00500445A7D0} - C:\Program Files\Goto\MemoWeb 4\IEBtn\Launcher (file missing) O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1186846561046 O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE O23 - Service: Epson Printer Status Agent (StatusAgent) - SEIKO EPSON CORPORATION - C:\ESM2\SAgentNT.exe -- End of file - 5451 bytes
  5. Cartier83
    Désolé de te déranger pour rien en fait j'étais sur l'ordi du boulot. Paradoxalement, le WE j'ai des horaires plus contraignants que la semaine. Ca y est là, je viens d'arriver chez moi et je me lance dans les manips. Je les poste dès que c'est fini
  6. Cartier83
    Ok, retour à la maison Voici le log du Gmer : GMER 1.0.14.14205 - http://www.gmer.net Rootkit scan 2008-03-22 18:20:29 Windows 5.1.2600 Service Pack 2 ---- System - GMER 1.0.14 ---- SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess [0xF7C9D8AC] SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess [0xF7C9D812] ---- Devices - GMER 1.0.14 ---- AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ---- Registry - GMER 1.0.14 ---- Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage\0 Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage\0@file_name arqnfm Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage\0@file_expand dll Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage\0@file_path C:\WINDOWS\TEMP\ Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage\0@reg_name sgsgkkgo Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage\0@reg_id 234533 Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage\0@start_function WLEntryPoint Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage\1 Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage\1@file_name aiqcodo Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage\1@file_expand drv Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage\1@file_path C:\WINDOWS\system32\ Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage\1@reg_name oqajnkcg Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage\1@reg_id 235124 Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage\1@start_function WLEntryPoint Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage\2 Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage\2@file_name cegegsiagl Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage\2@file_expand drv Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage\2@file_path C:\WINDOWS\TEMP\ Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage\2@reg_name bcmhnssj Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage\2@reg_id 987234 Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage\2@start_function WLEntryPoint Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage\3 Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage\3@file_name fqhgbiton Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage\3@file_expand nls Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage\3@file_path C:\WINDOWS\system32\ Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage\3@reg_name qgcsqaqe Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage\3@reg_id 7237565 Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage\3@start_function WLEntryPoint Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage\4 Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage\4@file_name jojktooksar Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage\4@file_expand dll Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage\4@file_path C:\WINDOWS\TEMP\ Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage\4@reg_name eooopklt Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage\4@reg_id 7523455 Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage\4@start_function WLEntry ---- EOF - GMER 1.0.14 ----
  7. Cartier83
    Trop tard pfffff. Je suis reparti au boulot là. Je le ferais ce soir. Comment dois-je interpréter ton "bah bof!!" ?
  8. Cartier83
    Voilà, c'est fait. Voici le log de Combofix : ComboFix 08-03-21.2 - Ed 2008-03-22 13:44:29.6 - NTFSx86 Microsoft Windows XP Édition familiale 5.1.2600.2.1252.1.1036.18.677 [GMT 1:00] Endroit: C:\Documents and Settings\Ed\Bureau\ComboFix.exe Command switches used :: C:\Documents and Settings\Ed\Bureau\CFScript.txt.txt * Création d'un nouveau point de restauration AVERTISSEMENT - LA CONSOLE DE RÉCUPÉRATION N'EST PAS INSTALLÉE SUR CETTE MACHINE !! FILE :: C:\WINDOWS\system32\ojclpcsdlqi.sys C:\WINDOWS\TEMP\aqkieggckcq.nls . TimedOut: progfile.dat (((((((((((((((((((((((((((((((((((( Autres suppressions )))))))))))))))))))))))))))))))))))))))))))))))) . C:\WINDOWS\system32\ojclpcsdlqi.sys . ((((((((((((((((((((((((((((( Fichiers créés 2008-02-22 to 2008-03-22 )))))))))))))))))))))))))))))))))))) . 2008-03-22 13:47 . 2008-03-22 13:47 53,248 --a------ C:\WINDOWS\PSEXESVC.EXE 2008-03-22 13:44 . 2007-06-13 14:22 113,664 --a------ C:\WINDOWS\SYSTEM32\cegegsiagl.drv 2008-03-21 12:52 . 2008-03-21 12:52 <REP> d-------- C:\Documents and Settings\Ed\Application Data\Webroot 2008-03-20 11:46 . 2008-03-21 16:19 250 --a------ C:\WINDOWS\gmer.ini 2008-03-19 16:07 . 2008-03-19 19:19 <REP> d-------- C:\Program Files\Spybot - Search & Destroy 2008-03-19 16:07 . 2008-03-19 19:19 <REP> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy 2008-03-19 15:27 . 2008-03-21 16:17 <REP> d-------- C:\WINDOWS\BDOSCAN8 2008-03-18 15:33 . 2008-03-19 14:12 1,414 --a------ C:\WINDOWS\SYSTEM32\tmp.reg 2008-03-18 13:52 . 2008-03-18 13:53 <REP> d-------- C:\WINDOWS\ERUNT 2008-03-18 13:16 . 2008-03-18 13:16 <REP> d-------- C:\Documents and Settings\Administrateur.AMATEUR\Application Data\Grisoft 2008-03-16 23:09 . 2008-03-16 23:09 <REP> d-------- C:\Documents and Settings\Walter\Application Data\Grisoft 2008-03-16 19:06 . 2008-03-16 19:06 <REP> d-------- C:\Documents and Settings\Ed\Application Data\Grisoft 2008-03-16 19:05 . 2007-05-30 13:10 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys 2008-03-16 19:04 . 2008-03-16 19:04 <REP> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft 2008-03-16 19:00 . 2008-03-16 19:00 <REP> d-------- C:\Program Files\CCleaner 2008-03-16 12:26 . 2008-03-16 12:26 <REP> d-------- C:\Program Files\Trend Micro 2008-03-12 17:38 . 2004-08-20 01:09 221,184 --a------ C:\WINDOWS\SYSTEM32\wmpns.dll 2008-03-12 17:29 . 2008-03-15 14:30 <REP> d--h----- C:\Documents and Settings\Administrateur.AMATEUR\Modèles 2008-03-12 17:29 . 2008-03-12 17:29 <REP> d-------- C:\Documents and Settings\Administrateur.AMATEUR\Menu Démarrer 2008-03-12 17:29 . 2008-03-12 17:29 <REP> dr------- C:\Documents and Settings\Administrateur.AMATEUR\Favoris 2008-03-12 17:29 . 2008-03-18 18:44 <REP> d-------- C:\Documents and Settings\Administrateur.AMATEUR\Bureau 2008-03-12 17:00 . 2008-03-12 17:00 35,464 --a------ C:\WINDOWS\SYSTEM32\BluetoothAuthorizationAgent.exe 2008-03-12 16:52 . 2008-03-12 16:52 <REP> dr------- C:\Documents and Settings\LocalService.AUTORITE NT\Favoris 2008-03-11 19:59 . 2008-03-11 19:59 63 --a------ C:\WINDOWS\mdm.ini 2008-03-07 20:21 . 2008-03-07 20:21 54,156 --ah----- C:\WINDOWS\QTFont.qfn 2008-03-07 20:21 . 2008-03-07 20:21 1,409 --a------ C:\WINDOWS\QTFont.for 2008-02-23 12:55 . 2003-05-28 17:53 45,056 --a------ C:\WINDOWS\SYSTEM32\WNASPI2K.BAK 2008-02-23 12:55 . 2003-05-28 17:53 17,005 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ASPI2K.BAK 2008-02-23 12:55 . 2003-05-28 17:53 5,600 --a------ C:\WINDOWS\SYSTEM\WINASPI.BAK 2008-02-23 12:55 . 2003-05-28 17:53 4,672 --a------ C:\WINDOWS\SYSTEM\WOWPOST.BAK 2008-02-23 12:53 . 2003-09-12 13:08 83,208 --a------ C:\WINDOWS\SYSTEM32\S32EVNT1.DLL 2008-02-23 12:53 . 2003-09-12 13:08 82,136 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SYMEVENT.SYS . (((((((((((((((((((((((((((((((((( Compte-rendu de Find3M )))))))))))))))))))))))))))))))))))))))))))))))) . 2008-03-21 15:54 --------- d-----w C:\Program Files\Riven 2008-03-21 15:48 --------- d-----w C:\Program Files\Norton SystemWorks 2008-03-21 15:41 --------- d-----w C:\Program Files\UltraDefrag 2008-03-21 13:58 --------- d-----w C:\Program Files\WAV to MP3 Encoder 2008-03-21 13:47 --------- d-----w C:\Program Files\MessenPass 2008-03-19 10:48 94,208 ----a-w C:\WINDOWS\DUMP9971.tmp 2008-03-12 15:53 14,336 ----a-w C:\WINDOWS\SYSTEM32\svchost.exe 2008-03-07 19:23 --------- d-----w C:\Documents and Settings\Walter\Application Data\Corel 2008-03-04 18:46 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Messenger Plus! 2008-03-03 12:15 --------- d-----w C:\Program Files\Spamihilator 2008-02-28 14:06 --------- d-----w C:\Program Files\Fichiers communs\Symantec Shared 2008-02-25 13:13 --------- d-----w C:\Documents and Settings\Ed\Application Data\Corel 2008-02-23 11:57 --------- d-----w C:\Documents and Settings\Walter\Application Data\Symantec 2008-02-23 11:55 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec 2008-02-23 11:54 --------- d-----w C:\Program Files\Symantec 2008-02-11 18:05 --------- d-----w C:\Program Files\Myst Online 2008-02-10 12:16 --------- d-----w C:\Program Files\QuickTime 2008-02-10 11:57 --------- d-----w C:\Program Files\Lavasoft 2008-02-10 11:27 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft 2008-02-10 11:26 --------- d-----w C:\Program Files\Fichiers communs\Wise Installation Wizard 2008-01-27 17:06 --------- d-----w C:\Program Files\Common Files 2008-01-27 15:54 --------- d-----w C:\Documents and Settings\Walter\Application Data\Apple Computer 2008-01-27 14:09 --------- d-----w C:\Program Files\L'Amerzone 2008-01-09 14:01 53,248 ----a-w C:\WINDOWS\bdoscandel.exe 2007-12-29 00:31 39,424 ----a-w C:\WINDOWS\zipinst.exe 2007-12-29 00:26 47,104 ----a-w C:\WINDOWS\SYSTEM32\KMVIDC32.DLL 2004-05-11 17:58 39,859 ----a-w C:\Program Files\3dsUninst.exe 2004-05-11 17:58 1,210 ----a-w C:\Program Files\install.log 2004-03-29 15:21 958,549 ----a-w C:\Program Files\ThereKernel.dll 2004-03-29 15:21 24,657 ----a-w C:\Program Files\GnuMalloc.dll 2004-03-29 15:21 1,294,427 ----a-w C:\Program Files\ThereNetClient.dll 2002-04-01 18:51 266 --sh--w C:\Program Files\desktop.ini 2002-04-01 18:51 11,208 ---ha-w C:\Program Files\folder.htt 2001-03-28 10:02 122,880 ----a-w C:\WINDOWS\INF\Agfa\message.exe . ((((((((((((((((((((((((((((((((( Point de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))) . . REGEDIT4 *Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-20 00:09 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25 6731312] "TkBellExe"="C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" [2007-10-06 14:32 185632] "sgsgkkgo"="C:\WINDOWS\TEMP\oekmqsscqms.drv WLEntryPoint" [ ] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-20 00:09 15360] C:\Documents and Settings\Solenne Gilpin\Menu D‚marrer\Programmes\D‚marrage\ Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\Osa9.exe [2000-01-21 09:15:56 65588] Norton System Doctor.lnk - C:\Program Files\Norton SystemWorks\Norton Utilities\Sysdoc32.exe [2003-09-13 14:17:26 57344] Rappels du Calendrier Microsoft Works.lnk - C:\Program Files\Fichiers communs\Microsoft Shared\Works Shared\wkcalrem.exe [1999-08-06 08:53:00 53317] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run] "oqajnkcg"= rundll32.exe "C:\WINDOWS\system32\aiqcodo.drv" WLEntryPoint [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon] "UIHost"="logonui.exe" [HKLM\~\startupfolder\C:^Documents and Settings^Administrateur.AMATEUR^Menu Démarrer^Programmes^Démarrage^findfast.exe] path=C:\Documents and Settings\Administrateur.AMATEUR\Menu Démarrer\Programmes\Démarrage\findfast.exe backup=C:\WINDOWS\pss\findfast.exeStartup [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Menu Démarrer^Programmes^Démarrage^.protected] path=C:\Documents and Settings\All Users.WINDOWS\Menu Démarrer\Programmes\Démarrage\.protected backup=C:\WINDOWS\pss\.protectedCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Menu Démarrer^Programmes^Démarrage^autorun.exe] path=C:\Documents and Settings\All Users.WINDOWS\Menu Démarrer\Programmes\Démarrage\autorun.exe backup=C:\WINDOWS\pss\autorun.exeCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Menu Démarrer^Programmes^Démarrage^EPSON Background Monitor.lnk] path=C:\Documents and Settings\All Users.WINDOWS\Menu Démarrer\Programmes\Démarrage\EPSON Background Monitor.lnk backup=C:\WINDOWS\pss\EPSON Background Monitor.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Menu Démarrer^Programmes^Démarrage^InterVideo WinCinema Manager.lnk] path=C:\Documents and Settings\All Users.WINDOWS\Menu Démarrer\Programmes\Démarrage\InterVideo WinCinema Manager.lnk backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Menu Démarrer^Programmes^Démarrage^Microsoft Office.lnk] path=C:\Documents and Settings\All Users.WINDOWS\Menu Démarrer\Programmes\Démarrage\Microsoft Office.lnk backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Menu Démarrer^Programmes^Démarrage^PGPtray.lnk] path=C:\Documents and Settings\All Users.WINDOWS\Menu Démarrer\Programmes\Démarrage\PGPtray.lnk backup=C:\WINDOWS\pss\PGPtray.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^Ed^Menu Démarrer^Programmes^Démarrage^findfast.exe] path=C:\Documents and Settings\Ed\Menu Démarrer\Programmes\Démarrage\findfast.exe backup=C:\WINDOWS\pss\findfast.exeStartup [HKLM\~\startupfolder\C:^Documents and Settings^Ed^Menu Démarrer^Programmes^Démarrage^Microsoft Office.lnk] path=C:\Documents and Settings\Ed\Menu Démarrer\Programmes\Démarrage\Microsoft Office.lnk backup=C:\WINDOWS\pss\Microsoft Office.lnkStartup [HKLM\~\startupfolder\C:^Documents and Settings^TEMP^Menu Démarrer^Programmes^Démarrage^findfast.exe] path=C:\Documents and Settings\TEMP\Menu Démarrer\Programmes\Démarrage\findfast.exe backup=C:\WINDOWS\pss\findfast.exeStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware] --a------ 2007-06-11 10:25 6731312 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcctMgr] --a------ 2003-09-15 16:04 582168 C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC] --a------ 2006-01-02 17:41 45056 C:\Program Files\ATI Technologies\ATI.ACE\cli.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\autoload] C:\Documents and Settings\Ed\Local Settings\Application Data\cftmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthorizationAgent] --a------ 2008-03-12 17:00 35464 C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe] --a------ 2004-08-20 00:09 15360 C:\WINDOWS\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GhostStartTrayApp] --a------ 2003-06-10 18:02 94208 C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Hhjg5jfd93dftdf] C:\WINDOWS\TEMP\winlogan.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jnskdfmf9eldfd] C:\DOCUME~1\Walter\LOCALS~1\Temp\csrssc.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lgrdpdi] C:\WINDOWS\TEMP\sqbbrsfnihd.drv WLEntryPoint [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent] --a------ 2001-07-25 10:00 192568 C:\Program Files\Microsoft Money\System\Money Express.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck] --a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton SystemWorks] --a------ 2003-09-18 17:03 124048 C:\Program Files\Fichiers communs\Symantec Shared\CfgWiz.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL] -ra------ 2005-12-09 08:49 15691264 C:\WINDOWS\RTHDCPL.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] --a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg] --a------ 2007-06-08 11:40 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemDefender] C:\Program Files\SystemDefender\SystemDefender.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] --a------ 2007-10-06 14:32 185632 C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\trgiieco] --a------ 2004-08-20 00:10 33792 C:\WINDOWS\SYSTEM32\rundll32.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "aawservice"=2 (0x2) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\Program Files\\Myst Online\\UruExplorer.exe"= "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"= "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"= "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"= "C:\\Program Files\\MSN Messenger\\livecall.exe"= "C:\\Team17\\Worms2\\frontend.exe"= "C:\\Program Files\\AC2\\ac2probe.exe"= "C:\\WINDOWS\\SYSTEM32\\rundll32.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "26697:TCP"= 26697:TCP:@xpsp2res.dll,-22005 "7899:TCP"= 7899:TCP:@xpsp2res.dll,-22005 "49022:TCP"= 49022:TCP:@xpsp2res.dll,-22005 "40397:TCP"= 40397:TCP:@xpsp2res.dll,-22005 R0 ULiFilter;ULi PCIE Bridge Filter;C:\WINDOWS\system32\DRIVERS\ULiFiltr.sys [2005-12-08 08:20] R1 GhPciScan;GhostPciScanner;C:\Program Files\Norton SystemWorks\Norton Ghost\ghpciscan.sys [2003-05-28 19:01] R2 PGPmemlock;PGPmemlock;C:\WINDOWS\system32\drivers\PGPmemlock.sys [1999-10-29 05:52] S3 SmartCd;SmartCd;C:\WINDOWS\system32\Drivers\SmartCd.sys [] . Contenu du dossier 'Scheduled Tasks/Tâches planifiées' "2008-03-10 15:06:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe "2008-03-21 16:30:00 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job" - C:\Program Files\Norton SystemWorks\OBC.exe "2008-03-04 23:00:00 C:\WINDOWS\Tasks\Symantec Drmc.job" - C:\Program Files\Fichiers communs\Symantec Shared\SymDrmc.exe "2008-03-22 12:42:12 C:\WINDOWS\Tasks\Symantec NetDetect.job" - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE . ************************************************************************** catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-03-22 13:47:38 Windows 5.1.2600 Service Pack 2 NTFS Balayage processus cachés ... Balayage caché autostart entries ... Balayage des fichiers cachés ... Scan terminé avec succès Les fichiers cachés: 0 ************************************************************************** . Temps d'accomplissement: 2008-03-22 13:50:35 ComboFix-quarantined-files.txt 2008-03-22 12:50:32 ComboFix2.txt 2008-03-21 15:32:53 . 2008-03-12 12:26:50 --- E O F ---
  9. Cartier83
    D'accord merci. Je ferais un combofix à 13h, avec tes instructions de hier soir pour le CFScript.txt. Je suis pas chez moi là je suis au boulot
  10. Cartier83
    Heu...quand je dis disque D, je parle pas d'une seconde partition du même disque, mais d'un second disque physique dans l'ordi. J'ai deux disques physiques dans l'ordi. Excuse-moi de ne pas avoir été clair. J'ai donc sauvegardé sur le deuxième disque physique, que je peux même enlever pour des opérations délicates
  11. Cartier83
    Salut Angélique, oui j'ai sauvegardé les trucs importants, mais sur le disque D, et cauxboy dit que c'est peut-être débile dans la mesure ou les problèmes type MBR attaquent TOUS les disques Il conseille plutôt de sauvegarder sur un lecteur réseau, mais je vois pas la différence
  12. Cartier83
    Voici le rapport Gmer : GMER 1.0.14.14205 - http://www.gmer.net Rootkit scan 2008-03-21 16:22:46 Windows 5.1.2600 Service Pack 2 ---- System - GMER 1.0.14 ---- SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess [0xF7C518AC] SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess [0xF7C51812] ---- Devices - GMER 1.0.14 ---- AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ---- Registry - GMER 1.0.14 ---- Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage\0 Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage\0@file_name aqjdttkmhtg Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage\0@file_expand drv Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage\0@file_path C:\WINDOWS\TEMP\ Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage\0@reg_name lgrdpdi Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage\0@reg_id 234533 Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage\0@start_function WLEntryPoint Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage\1 Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage\1@file_name ojclpcsdlqi Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage\1@file_expand sys Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage\1@file_path C:\WINDOWS\system32\ Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage\1@reg_name gdsgejks Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage\1@reg_id 235124 Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage\1@start_function WLEntryPoint Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage\2 Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage\2@file_name gqrdpfbhnbc Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage\2@file_expand dll Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage\2@file_path C:\WINDOWS\TEMP\ Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage\2@reg_name hllqmrss Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage\2@reg_id 987234 Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage\2@start_function WLEntryPoint Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage\3 Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage\3@file_name fqhgbiton Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage\3@file_expand nls Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage\3@file_path C:\WINDOWS\system32\ Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage\3@reg_name qsdrhh Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage\3@reg_id 7237565 Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage\3@start_function WLEntryPoint Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage\4 Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage\4@file_name ilcikggmb Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage\4@file_expand dll Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage\4@file_path C:\WINDOWS\TEMP\ Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage\4@reg_name akcsrcfa Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage\4@reg_id 7523455 Reg HKLM\SOFTWARE\Classes\CLSID\{2926C2DD-8E0B-4CB1-BD1C-B9C914FF9C1B}\Storage\4@start_function WLEntry ---- EOF - GMER 1.0.14 ---- Et voici le rapport ComboFix : ComboFix 08-03-17.1 - Ed 2008-03-21 16:26:53.5 - NTFSx86 Microsoft Windows XP Édition familiale 5.1.2600.2.1252.1.1036.18.575 [GMT 1:00] Endroit: C:\Documents and Settings\Ed\Bureau\ComboFix.exe Command switches used :: C:\Documents and Settings\Ed\Bureau\CFScript.txt * Création d'un nouveau point de restauration AVERTISSEMENT - LA CONSOLE DE RÉCUPÉRATION N'EST PAS INSTALLÉE SUR CETTE MACHINE !! FILE :: C:\WINDOWS\system32\qggssaoii.dll C:\WINDOWS\TEMP\ldgoeq.sys . TimeOut - progfile.dat ((((((((((((((((((((((((((((( Fichiers créés 2008-02-21 to 2008-03-21 )))))))))))))))))))))))))))))))))))) . 2008-03-21 12:52 . 2008-03-21 12:52 <REP> d-------- C:\Documents and Settings\Ed\Application Data\Webroot 2008-03-20 11:46 . 2008-03-21 16:19 250 --a------ C:\WINDOWS\gmer.ini 2008-03-19 16:07 . 2008-03-19 19:19 <REP> d-------- C:\Program Files\Spybot - Search & Destroy 2008-03-19 16:07 . 2008-03-19 19:19 <REP> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy 2008-03-19 15:27 . 2008-03-21 16:17 <REP> d-------- C:\WINDOWS\BDOSCAN8 2008-03-18 15:33 . 2008-03-19 14:12 1,414 --a------ C:\WINDOWS\SYSTEM32\tmp.reg 2008-03-18 13:52 . 2008-03-18 13:53 <REP> d-------- C:\WINDOWS\ERUNT 2008-03-18 13:16 . 2008-03-18 13:16 <REP> d-------- C:\Documents and Settings\Administrateur.AMATEUR\Application Data\Grisoft 2008-03-16 23:09 . 2008-03-16 23:09 <REP> d-------- C:\Documents and Settings\Walter\Application Data\Grisoft 2008-03-16 19:06 . 2008-03-16 19:06 <REP> d-------- C:\Documents and Settings\Ed\Application Data\Grisoft 2008-03-16 19:05 . 2007-05-30 13:10 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys 2008-03-16 19:04 . 2008-03-16 19:04 <REP> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft 2008-03-16 19:00 . 2008-03-16 19:00 <REP> d-------- C:\Program Files\CCleaner 2008-03-16 12:26 . 2008-03-16 12:26 <REP> d-------- C:\Program Files\Trend Micro 2008-03-12 17:38 . 2004-08-20 01:09 221,184 --a------ C:\WINDOWS\SYSTEM32\wmpns.dll 2008-03-12 17:29 . 2008-03-15 14:30 <REP> d--h----- C:\Documents and Settings\Administrateur.AMATEUR\Modèles 2008-03-12 17:29 . 2008-03-12 17:29 <REP> d-------- C:\Documents and Settings\Administrateur.AMATEUR\Menu Démarrer 2008-03-12 17:29 . 2008-03-12 17:29 <REP> dr------- C:\Documents and Settings\Administrateur.AMATEUR\Favoris 2008-03-12 17:29 . 2008-03-18 18:44 <REP> d-------- C:\Documents and Settings\Administrateur.AMATEUR\Bureau 2008-03-12 17:00 . 2008-03-12 17:00 35,464 --a------ C:\WINDOWS\SYSTEM32\BluetoothAuthorizationAgent.exe 2008-03-12 16:52 . 2008-03-12 16:52 <REP> dr------- C:\Documents and Settings\LocalService.AUTORITE NT\Favoris 2008-03-11 19:59 . 2008-03-11 19:59 63 --a------ C:\WINDOWS\mdm.ini 2008-03-07 20:21 . 2008-03-07 20:21 54,156 --ah----- C:\WINDOWS\QTFont.qfn 2008-03-07 20:21 . 2008-03-07 20:21 1,409 --a------ C:\WINDOWS\QTFont.for 2008-03-03 21:07 . 2008-03-03 21:09 <REP> d-------- C:\Everest Poker 2008-02-23 12:55 . 2003-05-28 17:53 45,056 --a------ C:\WINDOWS\SYSTEM32\WNASPI2K.BAK 2008-02-23 12:55 . 2003-05-28 17:53 17,005 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ASPI2K.BAK 2008-02-23 12:55 . 2003-05-28 17:53 5,600 --a------ C:\WINDOWS\SYSTEM\WINASPI.BAK 2008-02-23 12:55 . 2003-05-28 17:53 4,672 --a------ C:\WINDOWS\SYSTEM\WOWPOST.BAK 2008-02-23 12:53 . 2003-09-12 13:08 83,208 --a------ C:\WINDOWS\SYSTEM32\S32EVNT1.DLL 2008-02-23 12:53 . 2003-09-12 13:08 82,136 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SYMEVENT.SYS . (((((((((((((((((((((((((((((((((( Compte-rendu de Find3M )))))))))))))))))))))))))))))))))))))))))))))))) . 2008-03-21 13:58 --------- d-----w C:\Program Files\WAV to MP3 Encoder 2008-03-21 13:47 --------- d-----w C:\Program Files\MessenPass 2008-03-19 10:48 94,208 ----a-w C:\WINDOWS\DUMP9971.tmp 2008-03-12 15:53 14,336 ----a-w C:\WINDOWS\SYSTEM32\svchost.exe 2008-03-07 19:23 --------- d-----w C:\Documents and Settings\Walter\Application Data\Corel 2008-03-07 17:26 --------- d-----w C:\Program Files\Norton SystemWorks 2008-03-04 18:46 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Messenger Plus! 2008-03-03 13:30 --------- d-----w C:\Program Files\Riven 2008-03-03 12:15 --------- d-----w C:\Program Files\Spamihilator 2008-02-28 14:06 --------- d-----w C:\Program Files\Fichiers communs\Symantec Shared 2008-02-25 13:13 --------- d-----w C:\Documents and Settings\Ed\Application Data\Corel 2008-02-23 11:57 --------- d-----w C:\Documents and Settings\Walter\Application Data\Symantec 2008-02-23 11:55 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec 2008-02-23 11:54 --------- d-----w C:\Program Files\Symantec 2008-02-11 18:05 --------- d-----w C:\Program Files\Myst Online 2008-02-10 12:16 --------- d-----w C:\Program Files\QuickTime 2008-02-10 11:57 --------- d-----w C:\Program Files\Lavasoft 2008-02-10 11:27 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft 2008-02-10 11:26 --------- d-----w C:\Program Files\Fichiers communs\Wise Installation Wizard 2008-01-27 17:06 --------- d-----w C:\Program Files\Common Files 2008-01-27 15:54 --------- d-----w C:\Documents and Settings\Walter\Application Data\Apple Computer 2008-01-27 14:09 --------- d-----w C:\Program Files\L'Amerzone 2008-01-21 11:43 --------- d-----w C:\Program Files\Snapshot Viewer 2008-01-21 11:43 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\SBT 2008-01-09 14:01 53,248 ----a-w C:\WINDOWS\bdoscandel.exe 2007-12-29 00:31 39,424 ----a-w C:\WINDOWS\zipinst.exe 2007-12-29 00:26 47,104 ----a-w C:\WINDOWS\SYSTEM32\KMVIDC32.DLL 2004-05-11 17:58 39,859 ----a-w C:\Program Files\3dsUninst.exe 2004-05-11 17:58 1,210 ----a-w C:\Program Files\install.log 2004-03-29 15:21 958,549 ----a-w C:\Program Files\ThereKernel.dll 2004-03-29 15:21 24,657 ----a-w C:\Program Files\GnuMalloc.dll 2004-03-29 15:21 1,294,427 ----a-w C:\Program Files\ThereNetClient.dll 2002-04-01 18:51 266 --sh--w C:\Program Files\desktop.ini 2002-04-01 18:51 11,208 ---ha-w C:\Program Files\folder.htt 2001-03-28 10:02 122,880 ----a-w C:\WINDOWS\INF\Agfa\message.exe . ((((((((((((((((((((((((((((( snapshot@2008-03-18_23.23.59.90 ))))))))))))))))))))))))))))))))))))))))) . + 2008-03-19 14:28:18 45,056 ----a-w C:\WINDOWS\BDOSCAN8\avxdisk.dll + 2008-03-19 14:28:18 10,240 ----a-w C:\WINDOWS\BDOSCAN8\avxs.dll + 2008-03-19 14:28:18 27,136 ----a-w C:\WINDOWS\BDOSCAN8\avxt.dll + 2008-03-19 14:28:21 181,760 ----a-w C:\WINDOWS\BDOSCAN8\bdcore.dll + 2008-01-09 14:01:48 118,784 ----a-w C:\WINDOWS\BDOSCAN8\bdupd.dll + 2008-01-09 14:01:48 53,248 ----a-w C:\WINDOWS\BDOSCAN8\ipsupd.dll + 2008-03-19 14:28:23 142,848 ----a-w C:\WINDOWS\BDOSCAN8\libfn.dll + 2008-03-19 14:28:19 86,016 ----a-w C:\WINDOWS\BDOSCAN8\librtvr.dll + 2008-01-09 14:01:48 118,784 ----a-w C:\WINDOWS\Downloaded Program Files\bdupd.dll + 2008-01-09 14:01:48 53,248 ----a-w C:\WINDOWS\Downloaded Program Files\ipsupd.dll - 2008-03-18 17:39:41 581,632 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat + 2008-03-19 11:12:24 5,009,408 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat - 2008-03-18 17:39:41 8,192 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat + 2008-03-19 11:12:24 708,608 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat + 2008-03-20 10:45:37 819,200 ----a-w C:\WINDOWS\gmer.dll + 2008-03-03 19:29:06 761,856 ----a-r C:\WINDOWS\gmer.exe + 2008-03-20 10:45:37 86,097 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\gmer.sys + 2007-06-13 13:22:28 113,664 ----a-w C:\WINDOWS\SYSTEM32\ojclpcsdlqi.sys . ((((((((((((((((((((((((((((((((( Point de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))) . . REGEDIT4 *Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-20 00:09 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25 6731312] "rronsoce"="C:\WINDOWS\TEMP\aqkieggckcq.nls WLEntryPoint" [ ] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-20 00:09 15360] C:\Documents and Settings\Solenne Gilpin\Menu D‚marrer\Programmes\D‚marrage\ Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\Osa9.exe [2000-01-21 09:15:56 65588] Norton System Doctor.lnk - C:\Program Files\Norton SystemWorks\Norton Utilities\Sysdoc32.exe [2003-09-13 14:17:26 57344] Rappels du Calendrier Microsoft Works.lnk - C:\Program Files\Fichiers communs\Microsoft Shared\Works Shared\wkcalrem.exe [1999-08-06 08:53:00 53317] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run] "sioocseq"= rundll32.exe "C:\WINDOWS\system32\ojclpcsdlqi.sys" WLEntryPoint [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon] "UIHost"="logonui.exe" [HKLM\~\startupfolder\C:^Documents and Settings^Administrateur.AMATEUR^Menu Démarrer^Programmes^Démarrage^findfast.exe] path=C:\Documents and Settings\Administrateur.AMATEUR\Menu Démarrer\Programmes\Démarrage\findfast.exe backup=C:\WINDOWS\pss\findfast.exeStartup [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Menu Démarrer^Programmes^Démarrage^.protected] path=C:\Documents and Settings\All Users.WINDOWS\Menu Démarrer\Programmes\Démarrage\.protected backup=C:\WINDOWS\pss\.protectedCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Menu Démarrer^Programmes^Démarrage^autorun.exe] path=C:\Documents and Settings\All Users.WINDOWS\Menu Démarrer\Programmes\Démarrage\autorun.exe backup=C:\WINDOWS\pss\autorun.exeCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Menu Démarrer^Programmes^Démarrage^EPSON Background Monitor.lnk] path=C:\Documents and Settings\All Users.WINDOWS\Menu Démarrer\Programmes\Démarrage\EPSON Background Monitor.lnk backup=C:\WINDOWS\pss\EPSON Background Monitor.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Menu Démarrer^Programmes^Démarrage^InterVideo WinCinema Manager.lnk] path=C:\Documents and Settings\All Users.WINDOWS\Menu Démarrer\Programmes\Démarrage\InterVideo WinCinema Manager.lnk backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Menu Démarrer^Programmes^Démarrage^Microsoft Office.lnk] path=C:\Documents and Settings\All Users.WINDOWS\Menu Démarrer\Programmes\Démarrage\Microsoft Office.lnk backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Menu Démarrer^Programmes^Démarrage^PGPtray.lnk] path=C:\Documents and Settings\All Users.WINDOWS\Menu Démarrer\Programmes\Démarrage\PGPtray.lnk backup=C:\WINDOWS\pss\PGPtray.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^Ed^Menu Démarrer^Programmes^Démarrage^findfast.exe] path=C:\Documents and Settings\Ed\Menu Démarrer\Programmes\Démarrage\findfast.exe backup=C:\WINDOWS\pss\findfast.exeStartup [HKLM\~\startupfolder\C:^Documents and Settings^Ed^Menu Démarrer^Programmes^Démarrage^Microsoft Office.lnk] path=C:\Documents and Settings\Ed\Menu Démarrer\Programmes\Démarrage\Microsoft Office.lnk backup=C:\WINDOWS\pss\Microsoft Office.lnkStartup [HKLM\~\startupfolder\C:^Documents and Settings^TEMP^Menu Démarrer^Programmes^Démarrage^findfast.exe] path=C:\Documents and Settings\TEMP\Menu Démarrer\Programmes\Démarrage\findfast.exe backup=C:\WINDOWS\pss\findfast.exeStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware] --a------ 2007-06-11 10:25 6731312 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcctMgr] --a------ 2003-09-15 16:04 582168 C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC] --a------ 2006-01-02 17:41 45056 C:\Program Files\ATI Technologies\ATI.ACE\cli.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\autoload] C:\Documents and Settings\Ed\Local Settings\Application Data\cftmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthorizationAgent] --a------ 2008-03-12 17:00 35464 C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe] --a------ 2004-08-20 00:09 15360 C:\WINDOWS\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GhostStartTrayApp] --a------ 2003-06-10 18:02 94208 C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Hhjg5jfd93dftdf] C:\WINDOWS\TEMP\winlogan.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jnskdfmf9eldfd] C:\DOCUME~1\Walter\LOCALS~1\Temp\csrssc.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lgrdpdi] C:\WINDOWS\TEMP\sqbbrsfnihd.drv WLEntryPoint [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent] --a------ 2001-07-25 10:00 192568 C:\Program Files\Microsoft Money\System\Money Express.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck] --a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton SystemWorks] --a------ 2003-09-18 17:03 124048 C:\Program Files\Fichiers communs\Symantec Shared\CfgWiz.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL] -ra------ 2005-12-09 08:49 15691264 C:\WINDOWS\RTHDCPL.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] --a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg] --a------ 2007-06-08 11:40 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemDefender] C:\Program Files\SystemDefender\SystemDefender.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] --a------ 2007-10-06 14:32 185632 C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\trgiieco] --a------ 2004-08-20 00:10 33792 C:\WINDOWS\SYSTEM32\rundll32.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "aawservice"=2 (0x2) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\Program Files\\Myst Online\\UruExplorer.exe"= "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"= "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"= "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"= "C:\\Program Files\\MSN Messenger\\livecall.exe"= "C:\\Team17\\Worms2\\frontend.exe"= "C:\\Program Files\\AC2\\ac2probe.exe"= "C:\\WINDOWS\\SYSTEM32\\rundll32.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "7069:TCP"= 7069:TCP:@xpsp2res.dll,-22005 "5152:TCP"= 5152:TCP:@xpsp2res.dll,-22005 "17031:TCP"= 17031:TCP:@xpsp2res.dll,-22005 "16514:TCP"= 16514:TCP:@xpsp2res.dll,-22005 R0 ULiFilter;ULi PCIE Bridge Filter;C:\WINDOWS\system32\DRIVERS\ULiFiltr.sys [2005-12-08 08:20] R1 GhPciScan;GhostPciScanner;C:\Program Files\Norton SystemWorks\Norton Ghost\ghpciscan.sys [2003-05-28 19:01] R2 PGPmemlock;PGPmemlock;C:\WINDOWS\system32\drivers\PGPmemlock.sys [1999-10-29 05:52] S3 SmartCd;SmartCd;C:\WINDOWS\system32\Drivers\SmartCd.sys [] S3 ultradfg;ultradfg;C:\WINDOWS\system32\DRIVERS\ultradfg.sys [2007-10-08 10:54] . Contenu du dossier 'Scheduled Tasks/Tâches planifiées' "2008-03-10 15:06:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe "2008-03-07 17:28:08 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job" - C:\Program Files\Norton SystemWorks\OBC.exe "2008-03-04 23:00:00 C:\WINDOWS\Tasks\Symantec Drmc.job" - C:\Program Files\Fichiers communs\Symantec Shared\SymDrmc.exe "2008-03-21 15:27:19 C:\WINDOWS\Tasks\Symantec NetDetect.job" - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE . ************************************************************************** catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-03-21 16:31:22 Windows 5.1.2600 Service Pack 2 NTFS Balayage processus cachés ... Balayage caché autostart entries ... Balayage des fichiers cachés ... Scan terminé avec succès Les fichiers cachés: 0 ************************************************************************** . Temps d'accomplissement: 2008-03-21 16:32:52 ComboFix-quarantined-files.txt 2008-03-21 15:32:49 ComboFix2.txt 2008-03-21 11:07:37 ComboFix3.txt 2008-03-19 18:47:30 ComboFix4.txt 2008-03-18 22:25:06 . 2008-03-12 12:26:50 --- E O F ---
  13. Cartier83
    Et ben voilà, c'est fait : FIXMBR et puis Combofix avec le CFScript.txt Voici le log : ComboFix 08-03-17.1 - Ed 2008-03-21 12:01:55.4 - NTFSx86 Microsoft Windows XP Édition familiale 5.1.2600.2.1252.1.1036.18.694 [GMT 1:00] Endroit: C:\Documents and Settings\Ed\Bureau\ComboFix.exe Command switches used :: C:\Documents and Settings\Ed\Bureau\CFScript.txt * Création d'un nouveau point de restauration AVERTISSEMENT - LA CONSOLE DE RÉCUPÉRATION N'EST PAS INSTALLÉE SUR CETTE MACHINE !! FILE :: C:\WINDOWS\system32\cnten.sys C:\WINDOWS\TEMP\fobagsbslmm.dll . TimeOut - progfile.dat (((((((((((((((((((((((((((((((((((( Autres suppressions )))))))))))))))))))))))))))))))))))))))))))))))) . C:\WINDOWS\system32\cnten.sys . ((((((((((((((((((((((((((((( Fichiers créés 2008-02-21 to 2008-03-21 )))))))))))))))))))))))))))))))))))) . 2008-03-21 12:02 . 2007-06-13 14:22 113,664 --a------ C:\WINDOWS\SYSTEM32\fqfrlbcsnit.nls 2008-03-20 11:46 . 2008-03-20 13:53 250 --a------ C:\WINDOWS\gmer.ini 2008-03-19 16:07 . 2008-03-19 19:19 <REP> d-------- C:\Program Files\Spybot - Search & Destroy 2008-03-19 16:07 . 2008-03-19 19:19 <REP> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy 2008-03-19 15:27 . 2008-03-19 15:44 <REP> d-------- C:\WINDOWS\BDOSCAN8 2008-03-18 15:33 . 2008-03-19 14:12 1,414 --a------ C:\WINDOWS\SYSTEM32\tmp.reg 2008-03-18 14:09 . 2007-06-13 14:22 113,664 --a------ C:\WINDOWS\SYSTEM32\gtkfieactrm.drv 2008-03-18 13:52 . 2008-03-18 13:53 <REP> d-------- C:\WINDOWS\ERUNT 2008-03-18 13:16 . 2008-03-18 13:16 <REP> d-------- C:\Documents and Settings\Administrateur.AMATEUR\Application Data\Grisoft 2008-03-16 23:09 . 2008-03-16 23:09 <REP> d-------- C:\Documents and Settings\Walter\Application Data\Grisoft 2008-03-16 19:06 . 2008-03-16 19:06 <REP> d-------- C:\Documents and Settings\Ed\Application Data\Grisoft 2008-03-16 19:05 . 2007-05-30 13:10 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys 2008-03-16 19:04 . 2008-03-16 19:04 <REP> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft 2008-03-16 19:00 . 2008-03-16 19:00 <REP> d-------- C:\Program Files\CCleaner 2008-03-16 12:26 . 2008-03-16 12:26 <REP> d-------- C:\Program Files\Trend Micro 2008-03-13 16:03 . 2008-03-17 12:20 5,120 --a------ C:\Documents and Settings\LocalService.AUTORITE NT\ftpdll.dll 2008-03-12 18:29 . 2008-03-12 18:29 <REP> d-------- C:\Documents and Settings\LocalService.AUTORITE NT\Application Data\Webroot 2008-03-12 18:26 . 2008-03-12 18:26 <REP> d-------- C:\Program Files\Webroot 2008-03-12 17:38 . 2004-08-20 01:09 221,184 --a------ C:\WINDOWS\SYSTEM32\wmpns.dll 2008-03-12 17:37 . 2007-06-13 14:22 113,664 --a------ C:\WINDOWS\SYSTEM32\pgfahcn.sys 2008-03-12 17:29 . 2008-03-15 14:30 <REP> d--h----- C:\Documents and Settings\Administrateur.AMATEUR\Modèles 2008-03-12 17:29 . 2008-03-12 17:29 <REP> d-------- C:\Documents and Settings\Administrateur.AMATEUR\Menu Démarrer 2008-03-12 17:29 . 2008-03-12 17:29 <REP> dr------- C:\Documents and Settings\Administrateur.AMATEUR\Favoris 2008-03-12 17:29 . 2008-03-18 18:44 <REP> d-------- C:\Documents and Settings\Administrateur.AMATEUR\Bureau 2008-03-12 17:00 . 2008-03-12 17:00 35,464 --a------ C:\WINDOWS\SYSTEM32\BluetoothAuthorizationAgent.exe 2008-03-12 16:52 . 2008-03-12 16:52 <REP> dr------- C:\Documents and Settings\LocalService.AUTORITE NT\Favoris 2008-03-11 19:59 . 2008-03-11 19:59 63 --a------ C:\WINDOWS\mdm.ini 2008-03-07 20:21 . 2008-03-07 20:21 54,156 --ah----- C:\WINDOWS\QTFont.qfn 2008-03-07 20:21 . 2008-03-07 20:21 1,409 --a------ C:\WINDOWS\QTFont.for 2008-03-06 21:34 . 2008-03-06 21:34 36,240 --a------ C:\Program Files\instaler.exe 2008-03-03 21:07 . 2008-03-03 21:09 <REP> d-------- C:\Everest Poker 2008-02-23 12:55 . 2003-05-28 17:53 45,056 --a------ C:\WINDOWS\SYSTEM32\WNASPI2K.BAK 2008-02-23 12:55 . 2003-05-28 17:53 17,005 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ASPI2K.BAK 2008-02-23 12:55 . 2003-05-28 17:53 5,600 --a------ C:\WINDOWS\SYSTEM\WINASPI.BAK 2008-02-23 12:55 . 2003-05-28 17:53 4,672 --a------ C:\WINDOWS\SYSTEM\WOWPOST.BAK 2008-02-23 12:53 . 2003-09-12 13:08 83,208 --a------ C:\WINDOWS\SYSTEM32\S32EVNT1.DLL 2008-02-23 12:53 . 2003-09-12 13:08 82,136 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SYMEVENT.SYS . (((((((((((((((((((((((((((((((((( Compte-rendu de Find3M )))))))))))))))))))))))))))))))))))))))))))))))) . 2008-03-19 10:48 94,208 ----a-w C:\WINDOWS\DUMP9971.tmp 2008-03-12 15:53 14,336 ----a-w C:\WINDOWS\SYSTEM32\svchost.exe 2008-03-07 19:23 --------- d-----w C:\Documents and Settings\Walter\Application Data\Corel 2008-03-07 17:26 --------- d-----w C:\Program Files\Norton SystemWorks 2008-03-04 18:46 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Messenger Plus! 2008-03-03 13:30 --------- d-----w C:\Program Files\Riven 2008-03-03 12:15 --------- d-----w C:\Program Files\Spamihilator 2008-02-28 14:06 --------- d-----w C:\Program Files\Fichiers communs\Symantec Shared 2008-02-25 13:13 --------- d-----w C:\Documents and Settings\Ed\Application Data\Corel 2008-02-23 11:57 --------- d-----w C:\Documents and Settings\Walter\Application Data\Symantec 2008-02-23 11:55 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec 2008-02-23 11:54 --------- d-----w C:\Program Files\Symantec 2008-02-11 18:05 --------- d-----w C:\Program Files\Myst Online 2008-02-10 12:16 --------- d-----w C:\Program Files\QuickTime 2008-02-10 11:57 --------- d-----w C:\Program Files\Lavasoft 2008-02-10 11:27 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft 2008-02-10 11:26 --------- d-----w C:\Program Files\Fichiers communs\Wise Installation Wizard 2008-01-27 17:06 --------- d-----w C:\Program Files\Common Files 2008-01-27 15:54 --------- d-----w C:\Documents and Settings\Walter\Application Data\Apple Computer 2008-01-27 14:09 --------- d-----w C:\Program Files\L'Amerzone 2008-01-21 11:43 --------- d-----w C:\Program Files\Snapshot Viewer 2008-01-21 11:43 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\SBT 2008-01-09 14:01 53,248 ----a-w C:\WINDOWS\bdoscandel.exe 2007-12-29 00:31 39,424 ----a-w C:\WINDOWS\zipinst.exe 2007-12-29 00:26 47,104 ----a-w C:\WINDOWS\SYSTEM32\KMVIDC32.DLL 2004-05-11 17:58 39,859 ----a-w C:\Program Files\3dsUninst.exe 2004-05-11 17:58 1,210 ----a-w C:\Program Files\install.log 2004-03-29 15:21 958,549 ----a-w C:\Program Files\ThereKernel.dll 2004-03-29 15:21 24,657 ----a-w C:\Program Files\GnuMalloc.dll 2004-03-29 15:21 1,294,427 ----a-w C:\Program Files\ThereNetClient.dll 2002-04-01 18:51 266 --sh--w C:\Program Files\desktop.ini 2002-04-01 18:51 11,208 ---ha-w C:\Program Files\folder.htt 2001-03-28 10:02 122,880 ----a-w C:\WINDOWS\INF\Agfa\message.exe . ((((((((((((((((((((((((((((( snapshot@2008-03-18_23.23.59.90 ))))))))))))))))))))))))))))))))))))))))) . + 2008-03-19 14:28:18 45,056 ----a-w C:\WINDOWS\BDOSCAN8\avxdisk.dll + 2008-03-19 14:28:18 10,240 ----a-w C:\WINDOWS\BDOSCAN8\avxs.dll + 2008-03-19 14:28:18 27,136 ----a-w C:\WINDOWS\BDOSCAN8\avxt.dll + 2008-03-19 14:28:21 181,760 ----a-w C:\WINDOWS\BDOSCAN8\bdcore.dll + 2008-01-09 14:01:48 118,784 ----a-w C:\WINDOWS\BDOSCAN8\bdupd.dll + 2008-01-09 14:01:48 53,248 ----a-w C:\WINDOWS\BDOSCAN8\ipsupd.dll + 2008-03-19 14:28:23 142,848 ----a-w C:\WINDOWS\BDOSCAN8\libfn.dll + 2008-03-19 14:28:19 86,016 ----a-w C:\WINDOWS\BDOSCAN8\librtvr.dll + 2008-01-09 14:01:48 118,784 ----a-w C:\WINDOWS\Downloaded Program Files\bdupd.dll + 2008-01-09 14:01:48 53,248 ----a-w C:\WINDOWS\Downloaded Program Files\ipsupd.dll - 2008-03-18 17:39:41 581,632 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat + 2008-03-19 11:12:24 5,009,408 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat - 2008-03-18 17:39:41 8,192 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat + 2008-03-19 11:12:24 708,608 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat + 2008-03-20 10:45:37 819,200 ----a-w C:\WINDOWS\gmer.dll + 2008-03-03 19:29:06 761,856 ----a-r C:\WINDOWS\gmer.exe + 2008-03-20 10:45:37 86,097 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\gmer.sys + 2007-06-13 13:22:28 113,664 ----a-w C:\WINDOWS\SYSTEM32\qggssaoii.dll . ((((((((((((((((((((((((((((((((( Point de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))) . . REGEDIT4 *Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-20 00:09 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "lgrdpdi"="C:\WINDOWS\TEMP\ldgoeq.sys WLEntryPoint" [ ] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-20 00:09 15360] C:\Documents and Settings\Solenne Gilpin\Menu D‚marrer\Programmes\D‚marrage\ Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\Osa9.exe [2000-01-21 09:15:56 65588] Norton System Doctor.lnk - C:\Program Files\Norton SystemWorks\Norton Utilities\Sysdoc32.exe [2003-09-13 14:17:26 57344] Rappels du Calendrier Microsoft Works.lnk - C:\Program Files\Fichiers communs\Microsoft Shared\Works Shared\wkcalrem.exe [1999-08-06 08:53:00 53317] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run] "gdsgejks"= rundll32.exe "C:\WINDOWS\system32\qggssaoii.dll" WLEntryPoint [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon] "UIHost"="logonui.exe" [HKLM\~\startupfolder\C:^Documents and Settings^Administrateur.AMATEUR^Menu Démarrer^Programmes^Démarrage^findfast.exe] path=C:\Documents and Settings\Administrateur.AMATEUR\Menu Démarrer\Programmes\Démarrage\findfast.exe backup=C:\WINDOWS\pss\findfast.exeStartup [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Menu Démarrer^Programmes^Démarrage^.protected] path=C:\Documents and Settings\All Users.WINDOWS\Menu Démarrer\Programmes\Démarrage\.protected backup=C:\WINDOWS\pss\.protectedCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Menu Démarrer^Programmes^Démarrage^autorun.exe] path=C:\Documents and Settings\All Users.WINDOWS\Menu Démarrer\Programmes\Démarrage\autorun.exe backup=C:\WINDOWS\pss\autorun.exeCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Menu Démarrer^Programmes^Démarrage^EPSON Background Monitor.lnk] path=C:\Documents and Settings\All Users.WINDOWS\Menu Démarrer\Programmes\Démarrage\EPSON Background Monitor.lnk backup=C:\WINDOWS\pss\EPSON Background Monitor.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Menu Démarrer^Programmes^Démarrage^InterVideo WinCinema Manager.lnk] path=C:\Documents and Settings\All Users.WINDOWS\Menu Démarrer\Programmes\Démarrage\InterVideo WinCinema Manager.lnk backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Menu Démarrer^Programmes^Démarrage^Microsoft Office.lnk] path=C:\Documents and Settings\All Users.WINDOWS\Menu Démarrer\Programmes\Démarrage\Microsoft Office.lnk backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Menu Démarrer^Programmes^Démarrage^PGPtray.lnk] path=C:\Documents and Settings\All Users.WINDOWS\Menu Démarrer\Programmes\Démarrage\PGPtray.lnk backup=C:\WINDOWS\pss\PGPtray.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^Ed^Menu Démarrer^Programmes^Démarrage^findfast.exe] path=C:\Documents and Settings\Ed\Menu Démarrer\Programmes\Démarrage\findfast.exe backup=C:\WINDOWS\pss\findfast.exeStartup [HKLM\~\startupfolder\C:^Documents and Settings^Ed^Menu Démarrer^Programmes^Démarrage^Microsoft Office.lnk] path=C:\Documents and Settings\Ed\Menu Démarrer\Programmes\Démarrage\Microsoft Office.lnk backup=C:\WINDOWS\pss\Microsoft Office.lnkStartup [HKLM\~\startupfolder\C:^Documents and Settings^TEMP^Menu Démarrer^Programmes^Démarrage^findfast.exe] path=C:\Documents and Settings\TEMP\Menu Démarrer\Programmes\Démarrage\findfast.exe backup=C:\WINDOWS\pss\findfast.exeStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware] --a------ 2007-06-11 10:25 6731312 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcctMgr] --a------ 2003-09-15 16:04 582168 C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC] --a------ 2006-01-02 17:41 45056 C:\Program Files\ATI Technologies\ATI.ACE\cli.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\autoload] C:\Documents and Settings\Ed\Local Settings\Application Data\cftmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthorizationAgent] --a------ 2008-03-12 17:00 35464 C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe] --a------ 2004-08-20 00:09 15360 C:\WINDOWS\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GhostStartTrayApp] --a------ 2003-06-10 18:02 94208 C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent] --a------ 2001-07-25 10:00 192568 C:\Program Files\Microsoft Money\System\Money Express.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck] --a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton SystemWorks] --a------ 2003-09-18 17:03 124048 C:\Program Files\Fichiers communs\Symantec Shared\CfgWiz.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL] -ra------ 2005-12-09 08:49 15691264 C:\WINDOWS\RTHDCPL.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] --a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg] --a------ 2007-06-08 11:40 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemDefender] C:\Program Files\SystemDefender\SystemDefender.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] --a------ 2007-10-06 14:32 185632 C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\trgiieco] --a------ 2004-08-20 00:10 33792 C:\WINDOWS\SYSTEM32\rundll32.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "aawservice"=2 (0x2) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\Program Files\\Myst Online\\UruExplorer.exe"= "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"= "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"= "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"= "C:\\Program Files\\MSN Messenger\\livecall.exe"= "C:\\Team17\\Worms2\\frontend.exe"= "C:\\Program Files\\AC2\\ac2probe.exe"= "C:\\WINDOWS\\SYSTEM32\\rundll32.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "64567:TCP"= 64567:TCP:@xpsp2res.dll,-22005 "17082:TCP"= 17082:TCP:@xpsp2res.dll,-22005 "7657:TCP"= 7657:TCP:@xpsp2res.dll,-22005 "58156:TCP"= 58156:TCP:@xpsp2res.dll,-22005 R0 ULiFilter;ULi PCIE Bridge Filter;C:\WINDOWS\system32\DRIVERS\ULiFiltr.sys [2005-12-08 08:20] R1 GhPciScan;GhostPciScanner;C:\Program Files\Norton SystemWorks\Norton Ghost\ghpciscan.sys [2003-05-28 19:01] R2 PGPmemlock;PGPmemlock;C:\WINDOWS\system32\drivers\PGPmemlock.sys [1999-10-29 05:52] S3 SmartCd;SmartCd;C:\WINDOWS\system32\Drivers\SmartCd.sys [] S3 ultradfg;ultradfg;C:\WINDOWS\system32\DRIVERS\ultradfg.sys [2007-10-08 10:54] . Contenu du dossier 'Scheduled Tasks/Tâches planifiées' "2008-03-10 15:06:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe "2008-03-07 17:28:08 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job" - C:\Program Files\Norton SystemWorks\OBC.exe "2008-03-04 23:00:00 C:\WINDOWS\Tasks\Symantec Drmc.job" - C:\Program Files\Fichiers communs\Symantec Shared\SymDrmc.exe "2008-03-21 11:07:00 C:\WINDOWS\Tasks\Symantec NetDetect.job" - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE . ************************************************************************** catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-03-21 12:06:06 Windows 5.1.2600 Service Pack 2 NTFS Balayage processus cachés ... Balayage caché autostart entries ... Balayage des fichiers cachés ... Scan terminé avec succès Les fichiers cachés: 0 ************************************************************************** . Temps d'accomplissement: 2008-03-21 12:07:37 ComboFix-quarantined-files.txt 2008-03-21 11:07:29 ComboFix2.txt 2008-03-19 18:47:30 ComboFix3.txt 2008-03-18 22:25:06 . 2008-03-12 12:26:50 --- E O F --- L'activité disque a l'air de s'être calmé. Par contre, je ne peux toujours pas charger Antivir : Message : "Cannot load master resource file"
  14. Cartier83
    Oui, c'est ce que je suis en train de faire. Je mets toutes mes petites affaires sur un autre disque. Je me suis dit que j'étais peut-être aussi en train de sauvegarder les problèmes par la même occasion lol on verra bien...
  15. Cartier83
    J'ai lancé Gmer. Il a bien trouvé un rootkit MBR. J'ai accepté le scan qui a duré 2 heures et à la fin, le bouton "copy" a disparu pffff. Le scan il avait au moins 1500 lignes notamment à cause de la poubelle. Allors, j'ai relancé Gmer, refusé le scan complet et voila le (petit) log : GMER 1.0.14.14205 - http://www.gmer.net Rootkit scan 2008-03-20 13:54:08 Windows 5.1.2600 Service Pack 2 ---- Disk sectors - GMER 1.0.14 ---- Disk \Device\Harddisk0\DR0 sector 00: MBR rootkit detected !!! <-- ROOTKIT !!! Disk \Device\Harddisk0\DR0 sector 60: rootkit-like behavior Disk \Device\Harddisk0\DR0 sector 61: rootkit-like behavior Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior ---- Devices - GMER 1.0.14 ---- AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ---- Threads - GMER 1.0.14 ---- Thread 4:716 865AEFC0 Thread 4:720 865A7E44 Thread 4:724 865AD54E Thread 4:864 865A7884 Thread 4:880 865A7884 Thread 4:3332 865E08C0 Thread 4:1632 865CC350 Thread 4:1228 86614790 Thread 4:3432 865B85B0 ---- EOF - GMER 1.0.14 ---- Je fais la manip FIXMBR ou j'attends ?
  16. Cartier83
    Oui, je possède le CD XP d'origine, mais je l'ai acheté il y a longtemps et j'ai fait un tas de mises à jour depuis. C'était avant le pack 2. J'ai lu vos posts. J'essaierai à midi,parce que je suis au boulot en ce moment. Merci encore
  17. Cartier83
    heu.... c'est qui qui est mort ? tu veux dire qu'il y a pas de solutions ?
  18. Cartier83
    voilà, j'ai fait les manipulations indiquées par Angélique. Le bot.exe n'existe plus il n'a pas été uploadé. Voici le log de Combofix : ComboFix 08-03-17.1 - Ed 2008-03-19 19:26:06.3 - NTFSx86 Microsoft Windows XP Édition familiale 5.1.2600.2.1252.1.1036.18.680 [GMT 1:00] Endroit: C:\Documents and Settings\Ed\Bureau\ComboFix.exe Command switches used :: C:\Documents and Settings\Ed\Bureau\CFScript.txt AVERTISSEMENT - LA CONSOLE DE RÉCUPÉRATION N'EST PAS INSTALLÉE SUR CETTE MACHINE !! FILE :: C:\bot.exe C:\DOCUME~1\Ed\LOCALS~1\Temp\csrssc.exe C:\Documents and Settings\Ed\ftpdll.dll C:\Documents and Settings\LocalService.AUTORITE NT\Application Data\printer.exe C:\mmhkj.exe C:\Program Files\antiviirus.exe C:\rdwavag.exe C:\WINDOWS\eReg.dat C:\WINDOWS\shell.exe C:\WINDOWS\SYSTEM32\~.exe C:\WINDOWS\system32\drivers\spools.exe C:\WINDOWS\system32\dsbalkjeh.dll C:\WINDOWS\SYSTEM32\ftpdll.dll C:\WINDOWS\SYSTEM32\mpcnmlknilgfqd.dll C:\WINDOWS\SYSTEM32\msgk374.exe C:\WINDOWS\SYSTEM32\msgk414.exe C:\WINDOWS\SYSTEM32\msgk427.exe C:\WINDOWS\SYSTEM32\msgk449.exe C:\WINDOWS\system32\printer.exe C:\WINDOWS\system32\spoolvs.exe C:\WINDOWS\SYSTEM32\svchost.t__ C:\WINDOWS\system32\tqunnpfw.dll C:\WINDOWS\SYSTEM32\wind32.exe C:\WINDOWS\SYSTEM32\winlogans.tmp C:\WINDOWS\SYSTEM32\winmed.exe C:\WINDOWS\SYSTEM32\wlogon32.dll C:\WINDOWS\system32\yrpyfolu.dll C:\WINDOWS\TEMP\csrssc.exe C:\WINDOWS\TEMP\dkjal.drv C:\WINDOWS\TEMP\ecmjpibjc.nls C:\WINDOWS\TEMP\mkdgoanrnch.dll C:\WINDOWS\TEMP\winlogan.exe C:\xolkyggk.exe . TimeOut - progfile.dat (((((((((((((((((((((((((((((((((((( Autres suppressions )))))))))))))))))))))))))))))))))))))))))))))))) . . ---- Previous Run ------- . C:\Documents and Settings\LocalService.AUTORITE NT\Application Data\printer.exe C:\Documents and Settings\Walter\Application Data\Anti-Virus-Pro.com C:\mmhkj.exe C:\Program Files\AntiVirusPro C:\rdwavag.exe C:\SDFix C:\SDFix\apps\assosfix.reg C:\SDFix\apps\cliptext.exe C:\SDFix\apps\download.exe C:\SDFix\apps\dummy.sys C:\SDFix\apps\Enable_Command_Prompt.reg C:\SDFix\apps\ERDNT.E_E C:\SDFix\apps\ERDNTDOS.LOC C:\SDFix\apps\ERDNTWIN.LOC C:\SDFix\apps\ERUNT.EXE C:\SDFix\apps\ERUNT.LOC C:\SDFix\apps\fix.reg C:\SDFix\apps\FixBH.reg C:\SDFix\apps\FixComponents.reg C:\SDFix\apps\FIXCU.reg C:\SDFix\apps\FIXLM.reg C:\SDFix\apps\FixPath.exe C:\SDFix\apps\FixRedir.reg C:\SDFix\apps\FixSchedule.reg C:\SDFix\apps\FixWebCheck.reg C:\SDFix\apps\fixXP.reg C:\SDFix\apps\FixXPsp2.reg C:\SDFix\apps\grep.exe C:\SDFix\apps\HPFix.reg C:\SDFix\apps\HPFix2.reg C:\SDFix\apps\HPFix3.reg C:\SDFix\apps\HPFix4.reg C:\SDFix\apps\HPFix5.reg C:\SDFix\apps\HPFix6.reg C:\SDFix\apps\HPFix7.reg C:\SDFix\apps\isadmin.exe C:\SDFix\apps\leg2.txt C:\SDFix\apps\legacy.txt C:\SDFix\apps\legacybk.txt C:\SDFix\apps\locate.com C:\SDFix\apps\LS.exe C:\SDFix\apps\MD5File.exe C:\SDFix\apps\MyGcpvFix.reg C:\SDFix\apps\MyGkFix2.reg C:\SDFix\apps\Process.exe C:\SDFix\apps\procs.exe C:\SDFix\apps\psservice.exe C:\SDFix\apps\Rem.txt C:\SDFix\apps\Rem2.txt C:\SDFix\apps\Replace\regedit.exe C:\SDFix\apps\Replace\W2K.exe C:\SDFix\apps\Replace\w2k\beep.sys C:\SDFix\apps\Replace\w2k\null.sys C:\SDFix\apps\Replace\XP.exe C:\SDFix\apps\Replace\xp\beep.sys C:\SDFix\apps\Replace\xp\null.sys C:\SDFix\apps\Reset_AppInit_DLLs.reg C:\SDFix\apps\RestartIt!.exe C:\SDFix\apps\Restore_SecurityCenter.reg C:\SDFix\apps\Restore_SharedAccess.reg C:\SDFix\apps\sc.exe C:\SDFix\apps\sed.exe C:\SDFix\apps\SF.exe C:\SDFix\apps\shutdown.exe C:\SDFix\apps\srv2.txt C:\SDFix\apps\srv2bk.txt C:\SDFix\apps\svc.txt C:\SDFix\apps\svcbk.txt C:\SDFix\apps\swreg.exe C:\SDFix\apps\swsc.exe C:\SDFix\apps\unzip.exe C:\SDFix\apps\vfind.exe C:\SDFix\apps\WINMSG.EXE C:\SDFix\apps\winsec.reg C:\SDFix\apps\zip.exe C:\SDFix\catchme.exe C:\SDFix\dummy.sys C:\SDFix\RunThis.bat C:\SDFix\SDFIX_ReadMe_Online.url C:\VundoFix Backups C:\WINDOWS\eReg.dat C:\WINDOWS\system32\dsbalkjeh.dll C:\WINDOWS\SYSTEM32\ftpdll.dll C:\WINDOWS\SYSTEM32\mpcnmlknilgfqd.dll C:\WINDOWS\SYSTEM32\wlogon32.dll C:\xolkyggk.exe . ((((((((((((((((((((((((((((( Fichiers créés 2008-02-19 to 2008-03-19 )))))))))))))))))))))))))))))))))))) . 2008-03-19 16:07 . 2008-03-19 19:19 <REP> d-------- C:\Program Files\Spybot - Search & Destroy 2008-03-19 16:07 . 2008-03-19 19:19 <REP> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy 2008-03-19 15:27 . 2008-03-19 15:44 <REP> d-------- C:\WINDOWS\BDOSCAN8 2008-03-18 15:33 . 2008-03-19 14:12 1,414 --a------ C:\WINDOWS\SYSTEM32\tmp.reg 2008-03-18 14:09 . 2007-06-13 14:22 113,664 --a------ C:\WINDOWS\SYSTEM32\gtkfieactrm.drv 2008-03-18 13:52 . 2008-03-18 13:53 <REP> d-------- C:\WINDOWS\ERUNT 2008-03-18 13:16 . 2008-03-18 13:16 <REP> d-------- C:\Documents and Settings\Administrateur.AMATEUR\Application Data\Grisoft 2008-03-16 23:09 . 2008-03-16 23:09 <REP> d-------- C:\Documents and Settings\Walter\Application Data\Grisoft 2008-03-16 19:06 . 2008-03-16 19:06 <REP> d-------- C:\Documents and Settings\Ed\Application Data\Grisoft 2008-03-16 19:05 . 2007-05-30 13:10 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys 2008-03-16 19:04 . 2008-03-16 19:04 <REP> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft 2008-03-16 19:00 . 2008-03-16 19:00 <REP> d-------- C:\Program Files\CCleaner 2008-03-16 12:26 . 2008-03-16 12:26 <REP> d-------- C:\Program Files\Trend Micro 2008-03-13 16:03 . 2008-03-17 12:20 5,120 --a------ C:\Documents and Settings\LocalService.AUTORITE NT\ftpdll.dll 2008-03-12 18:29 . 2008-03-12 18:29 <REP> d-------- C:\Documents and Settings\LocalService.AUTORITE NT\Application Data\Webroot 2008-03-12 18:26 . 2008-03-12 18:26 <REP> d-------- C:\Program Files\Webroot 2008-03-12 17:38 . 2004-08-20 01:09 221,184 --a------ C:\WINDOWS\SYSTEM32\wmpns.dll 2008-03-12 17:37 . 2007-06-13 14:22 113,664 --a------ C:\WINDOWS\SYSTEM32\pgfahcn.sys 2008-03-12 17:29 . 2008-03-15 14:30 <REP> d--h----- C:\Documents and Settings\Administrateur.AMATEUR\Modèles 2008-03-12 17:29 . 2008-03-12 17:29 <REP> d-------- C:\Documents and Settings\Administrateur.AMATEUR\Menu Démarrer 2008-03-12 17:29 . 2008-03-12 17:29 <REP> dr------- C:\Documents and Settings\Administrateur.AMATEUR\Favoris 2008-03-12 17:29 . 2008-03-18 18:44 <REP> d-------- C:\Documents and Settings\Administrateur.AMATEUR\Bureau 2008-03-12 17:00 . 2008-03-12 17:00 35,464 --a------ C:\WINDOWS\SYSTEM32\BluetoothAuthorizationAgent.exe 2008-03-12 16:52 . 2008-03-12 16:52 <REP> dr------- C:\Documents and Settings\LocalService.AUTORITE NT\Favoris 2008-03-11 19:59 . 2008-03-11 19:59 63 --a------ C:\WINDOWS\mdm.ini 2008-03-07 20:21 . 2008-03-07 20:21 54,156 --ah----- C:\WINDOWS\QTFont.qfn 2008-03-07 20:21 . 2008-03-07 20:21 1,409 --a------ C:\WINDOWS\QTFont.for 2008-03-06 21:34 . 2008-03-06 21:34 36,240 --a------ C:\Program Files\instaler.exe 2008-03-03 21:07 . 2008-03-03 21:09 <REP> d-------- C:\Everest Poker 2008-02-23 12:55 . 2003-05-28 17:53 45,056 --a------ C:\WINDOWS\SYSTEM32\WNASPI2K.BAK 2008-02-23 12:55 . 2003-05-28 17:53 17,005 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ASPI2K.BAK 2008-02-23 12:55 . 2003-05-28 17:53 5,600 --a------ C:\WINDOWS\SYSTEM\WINASPI.BAK 2008-02-23 12:55 . 2003-05-28 17:53 4,672 --a------ C:\WINDOWS\SYSTEM\WOWPOST.BAK 2008-02-23 12:53 . 2003-09-12 13:08 83,208 --a------ C:\WINDOWS\SYSTEM32\S32EVNT1.DLL 2008-02-23 12:53 . 2003-09-12 13:08 82,136 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SYMEVENT.SYS . (((((((((((((((((((((((((((((((((( Compte-rendu de Find3M )))))))))))))))))))))))))))))))))))))))))))))))) . 2008-03-19 10:48 94,208 ----a-w C:\WINDOWS\DUMP9971.tmp 2008-03-12 15:53 14,336 ----a-w C:\WINDOWS\SYSTEM32\svchost.exe 2008-03-07 19:23 --------- d-----w C:\Documents and Settings\Walter\Application Data\Corel 2008-03-07 17:26 --------- d-----w C:\Program Files\Norton SystemWorks 2008-03-04 18:46 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Messenger Plus! 2008-03-03 13:30 --------- d-----w C:\Program Files\Riven 2008-03-03 12:15 --------- d-----w C:\Program Files\Spamihilator 2008-02-28 14:06 --------- d-----w C:\Program Files\Fichiers communs\Symantec Shared 2008-02-25 13:13 --------- d-----w C:\Documents and Settings\Ed\Application Data\Corel 2008-02-23 11:57 --------- d-----w C:\Documents and Settings\Walter\Application Data\Symantec 2008-02-23 11:55 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec 2008-02-23 11:54 --------- d-----w C:\Program Files\Symantec 2008-02-11 18:05 --------- d-----w C:\Program Files\Myst Online 2008-02-10 12:16 --------- d-----w C:\Program Files\QuickTime 2008-02-10 11:57 --------- d-----w C:\Program Files\Lavasoft 2008-02-10 11:27 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft 2008-02-10 11:26 --------- d-----w C:\Program Files\Fichiers communs\Wise Installation Wizard 2008-01-27 17:06 --------- d-----w C:\Program Files\Common Files 2008-01-27 15:54 --------- d-----w C:\Documents and Settings\Walter\Application Data\Apple Computer 2008-01-27 14:09 --------- d-----w C:\Program Files\L'Amerzone 2008-01-21 11:43 --------- d-----w C:\Program Files\Snapshot Viewer 2008-01-21 11:43 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\SBT 2008-01-09 14:01 53,248 ----a-w C:\WINDOWS\bdoscandel.exe 2007-12-29 00:31 39,424 ----a-w C:\WINDOWS\zipinst.exe 2007-12-29 00:26 47,104 ----a-w C:\WINDOWS\SYSTEM32\KMVIDC32.DLL 2004-05-11 17:58 39,859 ----a-w C:\Program Files\3dsUninst.exe 2004-05-11 17:58 1,210 ----a-w C:\Program Files\install.log 2004-03-29 15:21 958,549 ----a-w C:\Program Files\ThereKernel.dll 2004-03-29 15:21 24,657 ----a-w C:\Program Files\GnuMalloc.dll 2004-03-29 15:21 1,294,427 ----a-w C:\Program Files\ThereNetClient.dll 2002-04-01 18:51 266 --sh--w C:\Program Files\desktop.ini 2002-04-01 18:51 11,208 ---ha-w C:\Program Files\folder.htt 2001-03-28 10:02 122,880 ----a-w C:\WINDOWS\INF\Agfa\message.exe . ((((((((((((((((((((((((((((( snapshot@2008-03-18_23.23.59.90 ))))))))))))))))))))))))))))))))))))))))) . + 2008-03-19 14:28:18 45,056 ----a-w C:\WINDOWS\BDOSCAN8\avxdisk.dll + 2008-03-19 14:28:18 10,240 ----a-w C:\WINDOWS\BDOSCAN8\avxs.dll + 2008-03-19 14:28:18 27,136 ----a-w C:\WINDOWS\BDOSCAN8\avxt.dll + 2008-03-19 14:28:21 181,760 ----a-w C:\WINDOWS\BDOSCAN8\bdcore.dll + 2008-01-09 14:01:48 118,784 ----a-w C:\WINDOWS\BDOSCAN8\bdupd.dll + 2008-01-09 14:01:48 53,248 ----a-w C:\WINDOWS\BDOSCAN8\ipsupd.dll + 2008-03-19 14:28:23 142,848 ----a-w C:\WINDOWS\BDOSCAN8\libfn.dll + 2008-03-19 14:28:19 86,016 ----a-w C:\WINDOWS\BDOSCAN8\librtvr.dll + 2008-01-09 14:01:48 118,784 ----a-w C:\WINDOWS\Downloaded Program Files\bdupd.dll + 2008-01-09 14:01:48 53,248 ----a-w C:\WINDOWS\Downloaded Program Files\ipsupd.dll - 2008-03-18 17:39:41 581,632 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat + 2008-03-19 11:12:24 5,009,408 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat - 2008-03-18 17:39:41 8,192 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat + 2008-03-19 11:12:24 708,608 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat + 2007-06-13 13:22:28 113,664 ----a-w C:\WINDOWS\SYSTEM32\cnten.sys + 2007-06-13 13:22:28 113,664 ----a-w C:\WINDOWS\TEMP\fobagsbslmm.dll . ((((((((((((((((((((((((((((((((( Point de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))) . . REGEDIT4 *Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-20 00:09 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "httrdkeg"="C:\WINDOWS\TEMP\fobagsbslmm.dll" [2007-06-13 14:22 113664] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-20 00:09 15360] C:\Documents and Settings\Solenne Gilpin\Menu D‚marrer\Programmes\D‚marrage\ Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\Osa9.exe [2000-01-21 09:15:56 65588] Norton System Doctor.lnk - C:\Program Files\Norton SystemWorks\Norton Utilities\Sysdoc32.exe [2003-09-13 14:17:26 57344] Rappels du Calendrier Microsoft Works.lnk - C:\Program Files\Fichiers communs\Microsoft Shared\Works Shared\wkcalrem.exe [1999-08-06 08:53:00 53317] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run] "glorismq"= rundll32.exe "C:\WINDOWS\system32\cnten.sys" WLEntryPoint [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon] "UIHost"="logonui.exe" [HKLM\~\startupfolder\C:^Documents and Settings^Administrateur.AMATEUR^Menu Démarrer^Programmes^Démarrage^findfast.exe] path=C:\Documents and Settings\Administrateur.AMATEUR\Menu Démarrer\Programmes\Démarrage\findfast.exe backup=C:\WINDOWS\pss\findfast.exeStartup [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Menu Démarrer^Programmes^Démarrage^.protected] path=C:\Documents and Settings\All Users.WINDOWS\Menu Démarrer\Programmes\Démarrage\.protected backup=C:\WINDOWS\pss\.protectedCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Menu Démarrer^Programmes^Démarrage^autorun.exe] path=C:\Documents and Settings\All Users.WINDOWS\Menu Démarrer\Programmes\Démarrage\autorun.exe backup=C:\WINDOWS\pss\autorun.exeCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Menu Démarrer^Programmes^Démarrage^EPSON Background Monitor.lnk] path=C:\Documents and Settings\All Users.WINDOWS\Menu Démarrer\Programmes\Démarrage\EPSON Background Monitor.lnk backup=C:\WINDOWS\pss\EPSON Background Monitor.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Menu Démarrer^Programmes^Démarrage^InterVideo WinCinema Manager.lnk] path=C:\Documents and Settings\All Users.WINDOWS\Menu Démarrer\Programmes\Démarrage\InterVideo WinCinema Manager.lnk backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Menu Démarrer^Programmes^Démarrage^Microsoft Office.lnk] path=C:\Documents and Settings\All Users.WINDOWS\Menu Démarrer\Programmes\Démarrage\Microsoft Office.lnk backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Menu Démarrer^Programmes^Démarrage^PGPtray.lnk] path=C:\Documents and Settings\All Users.WINDOWS\Menu Démarrer\Programmes\Démarrage\PGPtray.lnk backup=C:\WINDOWS\pss\PGPtray.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^Ed^Menu Démarrer^Programmes^Démarrage^findfast.exe] path=C:\Documents and Settings\Ed\Menu Démarrer\Programmes\Démarrage\findfast.exe backup=C:\WINDOWS\pss\findfast.exeStartup [HKLM\~\startupfolder\C:^Documents and Settings^Ed^Menu Démarrer^Programmes^Démarrage^Microsoft Office.lnk] path=C:\Documents and Settings\Ed\Menu Démarrer\Programmes\Démarrage\Microsoft Office.lnk backup=C:\WINDOWS\pss\Microsoft Office.lnkStartup [HKLM\~\startupfolder\C:^Documents and Settings^TEMP^Menu Démarrer^Programmes^Démarrage^findfast.exe] path=C:\Documents and Settings\TEMP\Menu Démarrer\Programmes\Démarrage\findfast.exe backup=C:\WINDOWS\pss\findfast.exeStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware] --a------ 2007-06-11 10:25 6731312 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcctMgr] --a------ 2003-09-15 16:04 582168 C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC] --a------ 2006-01-02 17:41 45056 C:\Program Files\ATI Technologies\ATI.ACE\cli.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\autoload] C:\Documents and Settings\Ed\Local Settings\Application Data\cftmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthorizationAgent] --a------ 2008-03-12 17:00 35464 C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe] --a------ 2004-08-20 00:09 15360 C:\WINDOWS\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GhostStartTrayApp] --a------ 2003-06-10 18:02 94208 C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent] --a------ 2001-07-25 10:00 192568 C:\Program Files\Microsoft Money\System\Money Express.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck] --a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton SystemWorks] --a------ 2003-09-18 17:03 124048 C:\Program Files\Fichiers communs\Symantec Shared\CfgWiz.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL] -ra------ 2005-12-09 08:49 15691264 C:\WINDOWS\RTHDCPL.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] --a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg] --a------ 2007-06-08 11:40 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemDefender] C:\Program Files\SystemDefender\SystemDefender.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] --a------ 2007-10-06 14:32 185632 C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\trgiieco] --a------ 2004-08-20 00:10 33792 C:\WINDOWS\SYSTEM32\rundll32.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "aawservice"=2 (0x2) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\Program Files\\Myst Online\\UruExplorer.exe"= "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"= "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"= "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"= "C:\\Program Files\\MSN Messenger\\livecall.exe"= "C:\\Team17\\Worms2\\frontend.exe"= "C:\\Program Files\\AC2\\ac2probe.exe"= "C:\\WINDOWS\\SYSTEM32\\rundll32.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "8772:TCP"= 8772:TCP:@xpsp2res.dll,-22005 "33675:TCP"= 33675:TCP:@xpsp2res.dll,-22005 "55398:TCP"= 55398:TCP:@xpsp2res.dll,-22005 "5965:TCP"= 5965:TCP:@xpsp2res.dll,-22005 R0 ULiFilter;ULi PCIE Bridge Filter;C:\WINDOWS\system32\DRIVERS\ULiFiltr.sys [2005-12-08 08:20] R1 GhPciScan;GhostPciScanner;C:\Program Files\Norton SystemWorks\Norton Ghost\ghpciscan.sys [2003-05-28 19:01] R2 PGPmemlock;PGPmemlock;C:\WINDOWS\system32\drivers\PGPmemlock.sys [1999-10-29 05:52] S3 SmartCd;SmartCd;C:\WINDOWS\system32\Drivers\SmartCd.sys [] S3 ultradfg;ultradfg;C:\WINDOWS\system32\DRIVERS\ultradfg.sys [2007-10-08 10:54] . Contenu du dossier 'Scheduled Tasks/Tâches planifiées' "2008-03-10 15:06:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe "2008-03-07 17:28:08 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job" - C:\Program Files\Norton SystemWorks\OBC.exe "2008-03-04 23:00:00 C:\WINDOWS\Tasks\Symantec Drmc.job" - C:\Program Files\Fichiers communs\Symantec Shared\SymDrmc.exe "2008-03-19 18:22:32 C:\WINDOWS\Tasks\Symantec NetDetect.job" - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE . ************************************************************************** catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-03-19 19:32:36 Windows 5.1.2600 Service Pack 2 NTFS Balayage processus cachés ... Balayage caché autostart entries ... Balayage des fichiers cachés ... Scan terminé avec succès Les fichiers cachés: 0 ************************************************************************** . Temps d'accomplissement: 2008-03-19 19:47:29 ComboFix-quarantined-files.txt 2008-03-19 18:47:22 ComboFix2.txt 2008-03-18 22:25:06 . 2008-03-12 12:26:50 --- E O F ---
  19. Cartier83
    Ok, je vais faire tout ça. Au sujet des comptes utilisateurs, yen a deux et ils ont tous les deux les droits administrateurs. J'ai fait toutes les manips pour l'instant à partir de celui dont les fichiers étaient interdits à partir de l'autre compte, où du compte admin en mode sans échec. Je vais faire spybot. J'ai essaye spy sweeper, il trouve trojan woplan et se bloque
  20. Cartier83
    Bonjour et merci pour ta réponse, il y a effectivement du boulot J'ai suivi ta prescription et ya du bon et du moins bon au niveau résultat. J'ai démarré SDFix en mode sans échec qui a mouliné normalement puis s'est bloqué arrivé à 75% Checked. J'ai eu l'impression que l'accès à la base de registre était bloqué et toujours pas de panneau de configuration accessible. j'ai relancé l'ordi à la main, SDFix s'est achevé. J'ai lancé smitfraudfix. Impossible de supprimer la restauration système. La commande control donne le message suivant : "Cette opération a été annulée en raison des restrictions en vigueur sur cet ordinateur. Contactez votre administrateur système." J'ai lancé Vundofix; Il n'a rien trouvé mais par contre ne s'arrête pas tout seul. Il se bloque sur "remove..." J'ai finalement accès à system et j'ai supprimé la restauration systeme. Les messages d'alertes de pcprivacytools ont disparus. Le panneau de configuration est revenu. mais toujours impossible d'installer antivir. J'ai relancé et tous les problèmes sont revenus comme au premier jour L'ordi s'est planté pendant que je te répondais et je suis revenu à mon ordi portable pour faire cette réponse. Les logs ont été copiés sur une clé usb. Voici les logs : SDFix: Version 1.158 Run by Ed on 18/03/2008 at 14:01 Microsoft Windows XP [version 5.1.2600] Running From: C:\DOCUME~1\Ed\Bureau\SDFix Checking Services : Name: Google Online Search Service guntest hipsrv ICF riode32 wblwccwx Path: C:\WINDOWS\system32\winlugan.exe -A \??\C:\WINDOWS\Help\guntest.chm \??\C:\WINDOWS\system\hipsrv.mm C:\WINDOWS\system32\svchost.exe:exe.exe \??\C:\WINDOWS\system32\drivers\riode32.sys system32\drivers\bwbtapow.dat Google Online Search Service - Deleted guntest - Deleted hipsrv - Deleted ICF - Deleted riode32 - Deleted wblwccwx - Deleted Killing PID 1600 'shell.exe' Restoring Windows Registry Values Restoring Windows Default Hosts File Restoring Default Desktop Wallpaper Resetting SecurityProviders Value Restoring Default Schedule Service Path Resetting AppInit_DLLs value Rebooting Service wblwccwx - Deleted after Reboot Checking Files : Trojan Files Found: C:\WINDOWS\Installer\{e60bbf5e-46b6-4668-93e1-c75c6fe1c0ca}\AlrtWin.dll - Deleted C:\WINDOWS\Installer\{4cd37ce9-5019-4302-a112-abadf1fde23d}\zip.dll - Deleted C:\WINDOWS\Installer\{026bf553-0746-47a0-b8a1-817ab7ea4ac0}\ServiceAvp.dll - Deleted C:\WINDOWS\Installer\{cc674d1c-81ce-4f4b-bd79-af77443c47ca}\DriveAvp.dll - Deleted C:\WINDOWS\Installer\{3bff9cd4-3090-4896-bf96-a0a73f70e9cb}\WinVolume.dll - Deleted C:\WINDOWS\SYSTEM32\DGFAHCN.BMP - Deleted C:\WINDOWS\SYSTEM32\IDGRETGF.BMP - Deleted C:\WINDOWS\SYSTEM32\JETOJMP.BMP - Deleted C:\WINDOWS\SYSTEM32\LOBIH.BMP - Deleted C:\WINDOWS\system32\Kf94lfg.dll - Deleted C:\176054~1 - Deleted C:\WINDOWS\SYSTEM32\ATMPVCN.DLL - Deleted C:\Documents and Settings\Ed\Local Settings\Application Data\cftmon.exe - Deleted C:\Documents and Settings\LocalService.AUTORITE NT\Local Settings\Application Data\cftmon.exe - Deleted C:\WINDOWS\help\guntest.chm - Deleted C:\WINDOWS\system\hipsrv.mm - Deleted C:\WINDOWS\system32\drivers\spools.exe - Deleted C:\WINDOWS\system32\wowfx.dll - Deleted C:\WINDOWS\system32\drivers\bwbtapow.dat - Deleted Folder C:\WINDOWS\Installer\{e60bbf5e-46b6-4668-93e1-c75c6fe1c0ca} - Removed Folder C:\WINDOWS\Installer\{4cd37ce9-5019-4302-a112-abadf1fde23d} - Removed Folder C:\WINDOWS\Installer\{026bf553-0746-47a0-b8a1-817ab7ea4ac0} - Removed Folder C:\WINDOWS\Installer\{cc674d1c-81ce-4f4b-bd79-af77443c47ca} - Removed Folder C:\WINDOWS\Installer\{3bff9cd4-3090-4896-bf96-a0a73f70e9cb} - Removed Folder C:\Program Files\IE Extensions - Removed Removing Temp Files ADS Check : C:\WINDOWS\system32\svchost.exe : ADS Found! svchost.exe: deleted 28672 bytes in 1 streams. Checking for remaining Streams C:\WINDOWS\system32\svchost.exe No streams found. Final Check : catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-03-18 16:11:08 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... C:\bot.exe [2652] 0x86BFB968 scanning hidden services & system hive ... [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\kprof] "Type"=dword:00000001 "Start"=dword:00000001 "ErrorControl"=dword:00000000 "ImagePath"=str(2):"\??\C:\WINDOWS\system32\kprof" [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\kprof\Security] "Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,.. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\poof] "Type"=dword:00000001 "Start"=dword:00000000 "ErrorControl"=dword:00000000 "ImagePath"=str(2):"system32\poof" [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\poof\Security] "Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,.. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\kprof] "Type"=dword:00000001 "Start"=dword:00000001 "ErrorControl"=dword:00000000 "ImagePath"=str(2):"\??\C:\WINDOWS\system32\kprof" [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\kprof\Security] "Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,.. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\poof] "Type"=dword:00000001 "Start"=dword:00000000 "ErrorControl"=dword:00000000 "ImagePath"=str(2):"system32\poof" [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\poof\Security] "Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,.. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kprof] "Type"=dword:00000001 "Start"=dword:00000001 "ErrorControl"=dword:00000000 "ImagePath"=str(2):"\??\C:\WINDOWS\system32\kprof" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kprof\Security] "Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,.. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\poof] "Type"=dword:00000001 "Start"=dword:00000000 "ErrorControl"=dword:00000000 "ImagePath"=str(2):"system32\poof" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\poof\Security] "Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,.. scanning hidden registry entries ... [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher] "TracesProcessed"=dword:000000c4 "TracesSuccessful"=dword:00000002 scanning hidden files ... C:\WINDOWS\SYSTEM32\kprof 7040 bytes executable C:\WINDOWS\SYSTEM32\poof 37632 bytes executable scan completed successfully hidden processes: 1 hidden services: 2 hidden files: 46 Remaining Services : Authorized Application Key Export: [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" "C:\\Program Files\\Myst Online\\UruExplorer.exe"="C:\\Program Files\\Myst Online\\UruExplorer.exe:*:Enabled:UruExplorer" "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger" "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server" "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1" "C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)" "C:\\Team17\\Worms2\\frontend.exe"="C:\\Team17\\Worms2\\frontend.exe:*:Enabled:Worms 2 Frontend" "C:\\Program Files\\AC2\\ac2probe.exe"="C:\\Program Files\\AC2\\ac2probe.exe:*:Enabled:ac2probe" "C:\\Documents and Settings\\LocalService.AUTORITE NT\\Application Data\\printer.exe"="C:\\Documents and Settings\\LocalService.AUTORITE NT\\Application Data\\printer.exe:*:Enabled:@xpsp2res.dll,-22019" "C:\\WINDOWS\\system32\\printer.exe"="C:\\WINDOWS\\system32\\printer.exe:*:Enabled:@xpsp2res.dll,-22019" "C:\\WINDOWS\\system32\\spoolvs.exe"="C:\\WINDOWS\\system32\\spoolvs.exe:*:Enabled:@xpsp2res.dll,-22019" "C:\\WINDOWS\\shell.exe"="C:\\WINDOWS\\shell.exe:*:Enabled:@xpsp2res.dll,-22019" "\\findfast.exe"="\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019" "C:\\Documents and Settings\\All Users.WINDOWS\\Menu D‚marrer\\Programmes\\D‚marrage\\autorun.exe"="C:\\Documents and Settings\\All Users.WINDOWS\\Menu D‚marrer\\Programmes\\D‚marrage\\autorun.exe:*:Enabled:@xpsp2res.dll,-22019" "%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019" "C:\\WINDOWS\\system32\\winmed.exe"="C:\\WINDOWS\\system32\\winmed.exe:*:Enabled:ENABLE" "C:\\bot.exe"="C:\\bot.exe:*:Enabled:Windows Update" "C:\\Documents and Settings\\LocalService.AUTORITE NT\\Application Data\\sysdefender.exe"="C:\\Documents and Settings\\LocalService.AUTORITE NT\\Application Data\\sysdefender.exe:*:Enabled:@xpsp2res.dll,-22019" "C:\\Documents and Settings\\LocalService.AUTORITE NT\\Application Data\\mcrupdate.exe"="C:\\Documents and Settings\\LocalService.AUTORITE NT\\Application Data\\mcrupdate.exe:*:Enabled:@xpsp2res.dll,-22019" "C:\\Documents and Settings\\Walter\\Menu D‚marrer\\Programmes\\D‚marrage\\findfast.exe"="C:\\Documents and Settings\\Walter\\Menu D‚marrer\\Programmes\\D‚marrage\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019" "C:\\Documents and Settings\\Ed\\Menu D‚marrer\\Programmes\\D‚marrage\\findfast.exe"="C:\\Documents and Settings\\Ed\\Menu D‚marrer\\Programmes\\D‚marrage\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019" "C:\\Documents and Settings\\Administrateur.AMATEUR\\Menu D‚marrer\\Programmes\\D‚marrage\\findfast.exe"="C:\\Documents and Settings\\Administrateur.AMATEUR\\Menu D‚marrer\\Programmes\\D‚marrage\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019" "C:\\Documents and Settings\\TEMP\\Menu D‚marrer\\Programmes\\D‚marrage\\findfast.exe"="C:\\Documents and Settings\\TEMP\\Menu D‚marrer\\Programmes\\D‚marrage\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019" "C:\\Documents and Settings\\Administrateur.AMATEUR\\Application Data\\pcpriv.exe"="C:\\Documents and Settings\\Administrateur.AMATEUR\\Application Data\\pcpriv.exe:*:Enabled:@xpsp2res.dll,-22019" [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list] "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1" "C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)" "C:\\Documents and Settings\\LocalService.AUTORITE NT\\Application Data\\printer.exe"="C:\\Documents and Settings\\LocalService.AUTORITE NT\\Application Data\\printer.exe:*:Enabled:@xpsp2res.dll,-22019" "C:\\WINDOWS\\system32\\printer.exe"="C:\\WINDOWS\\system32\\printer.exe:*:Enabled:@xpsp2res.dll,-22019" "C:\\WINDOWS\\system32\\spoolvs.exe"="C:\\WINDOWS\\system32\\spoolvs.exe:*:Enabled:@xpsp2res.dll,-22019" "C:\\WINDOWS\\shell.exe"="C:\\WINDOWS\\shell.exe:*:Enabled:@xpsp2res.dll,-22019" "\\findfast.exe"="\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019" "C:\\Documents and Settings\\All Users.WINDOWS\\Menu D‚marrer\\Programmes\\D‚marrage\\autorun.exe"="C:\\Documents and Settings\\All Users.WINDOWS\\Menu D‚marrer\\Programmes\\D‚marrage\\autorun.exe:*:Enabled:@xpsp2res.dll,-22019" "%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019" "C:\\Documents and Settings\\LocalService.AUTORITE NT\\Application Data\\sysdefender.exe"="C:\\Documents and Settings\\LocalService.AUTORITE NT\\Application Data\\sysdefender.exe:*:Enabled:@xpsp2res.dll,-22019" "C:\\Documents and Settings\\LocalService.AUTORITE NT\\Application Data\\mcrupdate.exe"="C:\\Documents and Settings\\LocalService.AUTORITE NT\\Application Data\\mcrupdate.exe:*:Enabled:@xpsp2res.dll,-22019" "C:\\Documents and Settings\\Walter\\Menu D‚marrer\\Programmes\\D‚marrage\\findfast.exe"="C:\\Documents and Settings\\Walter\\Menu D‚marrer\\Programmes\\D‚marrage\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019" "C:\\Documents and Settings\\Ed\\Menu D‚marrer\\Programmes\\D‚marrage\\findfast.exe"="C:\\Documents and Settings\\Ed\\Menu D‚marrer\\Programmes\\D‚marrage\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019" "C:\\Documents and Settings\\Administrateur.AMATEUR\\Menu D‚marrer\\Programmes\\D‚marrage\\findfast.exe"="C:\\Documents and Settings\\Administrateur.AMATEUR\\Menu D‚marrer\\Programmes\\D‚marrage\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019" "C:\\Documents and Settings\\TEMP\\Menu D‚marrer\\Programmes\\D‚marrage\\findfast.exe"="C:\\Documents and Settings\\TEMP\\Menu D‚marrer\\Programmes\\D‚marrage\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019" "C:\\Documents and Settings\\Administrateur.AMATEUR\\Application Data\\pcpriv.exe"="C:\\Documents and Settings\\Administrateur.AMATEUR\\Application Data\\pcpriv.exe:*:Enabled:@xpsp2res.dll,-22019" Remaining Files : File Backups: - C:\DOCUME~1\Ed\Bureau\SDFix\backups\backups.zip Files with Hidden Attributes : Sun 21 Apr 2002 4 A.SHR --- "C:\IOU.SYS" Mon 5 Jan 2004 1,676 A.SHR --- "C:\MSDOS.BAK" Sun 23 May 1999 4 A.SHR --- "C:\G5-200\IOU.SYS" Mon 11 Sep 2000 1,678 A.SHR --- "C:\G5-200\MSDOS.BAK" Sun 17 Oct 1999 16,215 A..HR --- "C:\G5-200\SUHDLOG.BAK" Mon 2 Feb 2004 389,152 A..HR --- "C:\Documents and Settings\Solenne Gilpin\USER.BAK" Tue 3 Feb 2004 1,744,928 A..HR --- "C:\Documents and Settings\Walter Gilpin\USER.BAK" Fri 7 Mar 2008 952 A.SH. --- "C:\WINDOWS\SYSTEM32\KGyGaAvL.sys" Wed 12 Mar 2008 15,505 ...H. --- "C:\WINDOWS\TEMP\csrssc.exe" Mon 17 Mar 2008 616,448 A.SH. --- "C:\WINDOWS\TEMP\yj6zk9vd.TMP" Mon 17 Mar 2008 616,448 A.SH. --- "C:\WINDOWS\TEMP\z9nrodiw.TMP" Sun 10 Mar 2002 25,600 A..H. --- "C:\Documents and Settings\Walter\Mes documents\~WRL0882.tmp" Sun 10 Mar 2002 23,552 A..H. --- "C:\Documents and Settings\Walter\Mes documents\~WRL2935.tmp" Sat 20 Mar 2004 982 A..H. --- "C:\Program Files\InterActual\InterActual Player\iti23.tmp" Mon 13 Aug 2007 0 A.SH. --- "C:\Documents and Settings\All Users.WINDOWS\DRM\Cache\Indiv01.tmp" Wed 12 Mar 2008 15,505 ...H. --- "C:\Documents and Settings\Walter\Local Settings\Temp\csrssc.exe" Wed 28 Aug 2002 29,696 A..H. --- "C:\Documents and Settings\Walter\Mes documents\Economie Politique\~WRL0066.tmp" Fri 2 Feb 2007 749,056 A..H. --- "C:\Documents and Settings\Walter\Application Data\Microsoft\ModŠles\~WRL1242.tmp" Tue 27 Feb 2007 761,856 A..H. --- "C:\Documents and Settings\Walter\Application Data\Microsoft\ModŠles\~WRL1463.tmp" Wed 11 Oct 2006 705,024 A..H. --- "C:\Documents and Settings\Walter\Application Data\Microsoft\ModŠles\~WRL2427.tmp" Tue 4 Jan 2005 78,336 A..H. --- "C:\Documents and Settings\Walter\Mes documents\Lions\Compte-Rendu\~WRL2908.tmp" Tue 4 Jan 2005 78,848 A..H. --- "C:\Documents and Settings\Walter\Mes documents\Lions\Compte-Rendu\~WRL3590.tmp" Thu 4 May 2006 4,348 A..H. --- "C:\Documents and Settings\Walter\Mes documents\Ma musique\Sauvegarde de la licence\drmv1key.bak" Thu 22 Jun 2006 20 A..H. --- "C:\Documents and Settings\Walter\Mes documents\Ma musique\Sauvegarde de la licence\drmv1lic.bak" Thu 4 May 2006 400 A.SH. --- "C:\Documents and Settings\Walter\Mes documents\Ma musique\Sauvegarde de la licence\drmv2key.bak" Sun 27 Aug 2006 24,064 A..H. --- "C:\Documents and Settings\Walter\Application Data\Microsoft Web Folders\Microsoft\Word\~WRL1582.tmp" Tue 5 Jul 2005 22,016 A..H. --- "C:\Documents and Settings\Walter\Application Data\Microsoft Web Folders\Microsoft\Word\~WRL2083.tmp" Wed 28 Aug 2002 139,776 A..H. --- "C:\Documents and Settings\Walter\Application Data\Microsoft Web Folders\Microsoft\Word\~WRL3004.tmp" Wed 5 Oct 2005 868,864 A..H. --- "C:\Documents and Settings\Walter\Application Data\Microsoft Web Folders\Microsoft\Word\~WRL3852.tmp" Fri 22 Dec 2000 19,456 A..H. --- "C:\_Restore\AS\Mes Documents\Domaine de la Vivonne\Vente au d‚tail\Factures\~WRL0007.tmp" Mon 1 Jul 2002 25,088 A..H. --- "C:\_Restore\AS\Mes Documents\Domaine de la Vivonne\Vente au d‚tail\Factures\~WRL3847.tmp" Wed 28 May 2003 65,088 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\3COM 3c556 Packet\3C556.COM" Wed 28 May 2003 12,732 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\3COM 3c509 Packet\3C5X9PD.COM" Wed 28 May 2003 26,424 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\3COM 3c59x Packet\3C59XPD.COM" Wed 28 May 2003 28,062 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\ACCTON EN1207F Packet\EN5251PD.COM" Wed 28 May 2003 10,710 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\ACCTON EN1207C Packet\PCIPD.COM" Wed 28 May 2003 10,083 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\ACCTON EN1207D Packet\ACCPKT.COM" Wed 28 May 2003 10,257 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\ACCTON EN1207TX Packet\PCIPD.COM" Wed 28 May 2003 29,499 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\ACCTON EN1203 Packet\PCIPD.COM" Wed 28 May 2003 12,660 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\ACCTON EN1204 Packet\VLNWPD.COM" Wed 28 May 2003 11,031 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\ACCTON EN1207 Packet\PCIPD.COM" Wed 28 May 2003 17,952 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\ACCTON EN1200 Packet\EC32PD.COM" Wed 28 May 2003 9,424 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\ACCTON EN1208 Packet\1208PD.COM" Wed 28 May 2003 7,825 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\ACCTON EN1650 Packet\NWPD.COM" Wed 28 May 2003 13,673 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\ACCTON EN1640 Packet\NWPD.COM" Wed 28 May 2003 14,438 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\ACCTON EN1658 Packet\NWPD.COM" Wed 28 May 2003 7,825 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\ACCTON EN166X Packet\NWPD.COM" Wed 28 May 2003 7,825 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\ACCTON EN1651 Packet\NWPD.COM" Wed 28 May 2003 7,825 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\ACCTON EN1652 Packet\NWPD.COM" Wed 28 May 2003 7,243 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\ACCTON EN1653 Packet\NE2PD.COM" Wed 28 May 2003 24,767 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\ACCTON EN2216 Packet\PCMPD.COM" Wed 28 May 2003 7,463 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\ACCTON EN1625 Packet\NEPD.COM" Wed 28 May 2003 7,825 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\ACCTON EN1656 Packet\NWPD.COM" Wed 28 May 2003 10,286 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\ACCTON EN2228 Packet\PCMPD.COM" Wed 28 May 2003 25,460 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\ACCTON EN2218 Packet\PCMPD.COM" Wed 28 May 2003 28,866 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\ACCTON EN2320 Packet\EN5251PD.COM" Wed 28 May 2003 14,438 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\ACCTON EN1657 Packet\NWPD.COM" Wed 28 May 2003 8,544 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\CATC USB Ethernet\Elndis.sys" Wed 28 May 2003 33,149 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\CATC USB Ethernet\Usbd.sys" Wed 28 May 2003 51,150 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\common\ASPI1394.SYS" Wed 28 May 2003 35,340 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\common\ASPI2DOS.SYS" Wed 28 May 2003 14,378 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\common\ASPI4DOS.SYS" Wed 28 May 2003 37,984 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\common\ASPI8DOS.SYS" Wed 28 May 2003 44,828 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\common\ASPI8U2.SYS" Wed 28 May 2003 29,628 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\common\ASPICD.SYS" Wed 28 May 2003 52,106 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\common\ASPIEHCI.SYS" Wed 28 May 2003 49,250 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\common\ASPIOHCI.SYS" Wed 28 May 2003 50,600 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\common\ASPIUHCI.SYS" Wed 28 May 2003 161,792 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\common\BOOTSRV.SYS" Wed 28 May 2003 174,080 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\common\bootsrv16.sys" Wed 28 May 2003 21,971 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\common\BTCDROM.SYS" Wed 28 May 2003 30,955 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\common\BTDOSM.SYS" Wed 28 May 2003 202,517 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\common\CMDS.EXE" Wed 28 May 2003 374,038 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\common\CMDS16.EXE" Wed 28 May 2003 22,158 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\common\COUNTRY.SYS" Wed 28 May 2003 1,608 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\common\DEVICE.COM" Wed 28 May 2003 15,345 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\common\DISPLAY.SYS" Wed 28 May 2003 7,840 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\common\DLSHELP.SYS" Wed 28 May 2003 56,821 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\common\E.EXE" Wed 28 May 2003 64,425 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\common\FLASHPT.SYS" Wed 28 May 2003 32,396 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\common\GUEST.EXE" Wed 28 May 2003 14,160 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\common\HIMEM.SYS" Wed 28 May 2003 10,898 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\common\KEYB.COM" Wed 28 May 2003 53,556 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\common\KEYBOARD.SYS" Wed 28 May 2003 15,777 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\common\MODE.COM" Wed 28 May 2003 37,681 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\common\MOUSE.COM" Wed 28 May 2003 354,304 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\common\msbootsrv16.sys" Wed 28 May 2003 21,180 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\common\MSCDEX.EXE" Wed 28 May 2003 354,263 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\common\Net.exe" Wed 28 May 2003 8,513 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\common\NETBIND.COM" Wed 28 May 2003 41,302 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\common\OAKCDROM.SYS" Wed 28 May 2003 129,240 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\common\OHCI.EXE" Wed 28 May 2003 28,439 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\common\Paralink.com" Wed 28 May 2003 13,770 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\common\PROTMAN.EXE" Wed 28 May 2003 130,980 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\common\UHCI.EXE" Wed 28 May 2003 11,854 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\DEC EtherWorks ISA (DE305) Packet\DE305.COM" Wed 28 May 2003 52,715 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\DEC EtherWORKS DE450 Packet\DE450.COM" Wed 28 May 2003 62,391 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\DEC EtherWORKS DE500 Packet\DE500.COM" Wed 28 May 2003 11,491 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\DLink DMF560-TX Packet\Lmpd.com" Wed 28 May 2003 17,791 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\DLink DT620 Packet\Dt620pd.com" Wed 28 May 2003 17,043 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\DLink DE400 Packet\De400pd.com" Wed 28 May 2003 11,786 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\IBM Crystal LAN Packet\Epktisa.com" Wed 28 May 2003 18,300 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\Kingston EtheRx KNE110TX Packet\Ktc110p.com" Wed 28 May 2003 48,224 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\Laneed LD 10-100AL Packet\L100al.com" Wed 28 May 2003 13,360 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\Laneed LD-CDF Packet\Ldcdt.com" Wed 28 May 2003 9,190 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\Laneed LD-PCI2TL Packet\Ldpcil.com" Wed 28 May 2003 12,567 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\Melco LPC2-T\Lpchkat2.com" Wed 28 May 2003 44,640 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\Planex FW-100TX Fast Ethernet Packet\FETPKT.COM" Wed 28 May 2003 56,896 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\Planex FW-100TX Fast Ethernet Packet\Rtspkt.com" Wed 28 May 2003 44,640 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\Planex FNW9x00T - ENW8300T Packet\fetpkt.com" Wed 28 May 2003 9,692 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\PXE Packet Driver\Undipd.com" Wed 28 May 2003 9,537 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\SN 2000p Packet\PNPPD.COM" Wed 28 May 2003 32,484 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\WaveLAN Packet\Wvlan42.com" Wed 28 May 2003 52,225 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\Xircom Ethernet 10-100 + Modem\Cbendis.exe" Wed 28 May 2003 48,491 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\Xircom RE10BT\Ce3ndis.exe" Wed 28 May 2003 50,405 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\Xircom RE10 - RE100 Packet\Ce3pd.com" Wed 28 May 2003 33,860 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\Xircom PE3-10Bx\Pe3ndis.exe" Wed 28 May 2003 50,175 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\Xircom Re-100Btx + Ce3B-100Btx\Ce3ndis.exe" Wed 28 May 2003 50,795 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\Xircom CBE10-100BTX\Cbendis.exe" Wed 28 May 2003 48,223 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\Xircom CBE10-100BTX Packet\Cbepd.com" Wed 28 May 2003 48,641 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\Xircom Ethernet II PS\Xpsndis.exe" Wed 28 May 2003 49,015 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\Xircom Ethernet II PS Packet\Xpspd.com" Wed 28 May 2003 53,786 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\common\pcdos\command.com" Wed 28 May 2003 44,240 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\common\pcdos\IBMBIO.COM" Wed 28 May 2003 42,550 A..H. --- "C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Ghost\Template\common\pcdos\IBMDOS.COM" Finished! -------------------------------------------------------------------------------------------------------------------------- SmitFraudFix v2.305 Rapport fait à 21:48:52,64, 18/03/2008 Executé à partir de C:\Documents and Settings\Ed\Bureau\SmitfraudFix OS: Microsoft Windows XP [version 5.1.2600] - Windows_NT Le type du système de fichiers est NTFS Fix executé en mode sans echec »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Avant SmitFraudFix !!!Attention, les clés qui suivent ne sont pas forcément infectées!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll »»»»»»»»»»»»»»»»»»»»»»»» Arret des processus »»»»»»»»»»»»»»»»»»»»»»»» hosts 10.18.250.4 ad.doubleclick.net 10.18.250.4 ad.fastclick.net 10.18.250.4 ads.fastclick.net 10.18.250.4 ar.atwola.com 10.18.250.4 atdmt.com 10.18.250.4 avp.ch 10.18.250.4 avp.com 10.18.250.4 avp.ru 10.18.250.4 awaps.net 10.18.250.4 banner.fastclick.net 10.18.250.4 banners.fastclick.net 10.18.250.4 ca.com 10.18.250.4 click.atdmt.com 10.18.250.4 clicks.atdmt.com 10.18.250.4 customer.symantec.com 10.18.250.4 dispatch.mcafee.com 10.18.250.4 download.mcafee.com 10.18.250.4 downloads-us1.kaspersky-labs.com 10.18.250.4 downloads-us2.kaspersky-labs.com 10.18.250.4 downloads-us3.kaspersky-labs.com 10.18.250.4 downloads1.kaspersky-labs.com 10.18.250.4 downloads2.kaspersky-labs.com 10.18.250.4 downloads3.kaspersky-labs.com 10.18.250.4 downloads4.kaspersky-labs.com 10.18.250.4 engine.awaps.net 10.18.250.4 f-secure.com 10.18.250.4 fastclick.net 10.18.250.4 ftp.avp.ch 10.18.250.4 ftp.downloads1.kaspersky-labs.com 10.18.250.4 ftp.downloads2.kaspersky-labs.com 10.18.250.4 ftp.downloads3.kaspersky-labs.com 10.18.250.4 ftp.f-secure.com 10.18.250.4 ftp.kasperskylab.ru 10.18.250.4 ftp.sophos.com 10.18.250.4 ids.kaspersky-labs.com 10.18.250.4 kaspersky-labs.com 10.18.250.4 kaspersky.com 10.18.250.4 liveupdate.symantec.com 10.18.250.4 liveupdate.symantecliveupdate.com 10.18.250.4 mast.mcafee.com 10.18.250.4 mcafee.com 10.18.250.4 media.fastclick.net 10.18.250.4 my-etrust.com 10.18.250.4 nai.com 10.18.250.4 networkassociates.com 10.18.250.4 norton.com 10.18.250.4 phx.corporate-ir.net 10.18.250.4 rads.mcafee.com 10.18.250.4 secure.nai.com 10.18.250.4 securityresponse.symantec.com 10.18.250.4 service1.symantec.com 10.18.250.4 sophos.com 10.18.250.4 spd.atdmt.com 10.18.250.4 symantec.com 10.18.250.4 trendmicro.com 10.18.250.4 update.symantec.com 10.18.250.4 updates.symantec.com 10.18.250.4 updates1.kaspersky-labs.com 10.18.250.4 updates2.kaspersky-labs.com 10.18.250.4 updates3.kaspersky-labs.com 10.18.250.4 updates4.kaspersky-labs.com 10.18.250.4 updates5.kaspersky-labs.com 10.18.250.4 us.mcafee.com 10.18.250.4 vil.nai.com 10.18.250.4 viruslist.com 10.18.250.4 viruslist.ru 10.18.250.4 virusscan.jotti.org 10.18.250.4 virustotal.com 10.18.250.4 www.avp.ch 10.18.250.4 www.avp.com 10.18.250.4 www.avp.ru 10.18.250.4 www.awaps.net 10.18.250.4 www.ca.com 10.18.250.4 www.f-secure.com 10.18.250.4 www.fastclick.net 10.18.250.4 www.grisoft.com 10.18.250.4 www.kaspersky-labs.com 10.18.250.4 www.kaspersky.com 10.18.250.4 www.kaspersky.ru 10.18.250.4 www.mcafee.com 10.18.250.4 www.my-etrust.com 10.18.250.4 www.nai.com 10.18.250.4 www.networkassociates.com 10.18.250.4 www.sophos.com 10.18.250.4 www.symantec.com 10.18.250.4 www.trendmicro.com 10.18.250.4 www.viruslist.com 10.18.250.4 www.viruslist.ru 10.18.250.4 www.virustotal.com »»»»»»»»»»»»»»»»»»»»»»»» VACFix VACFix Credits: Malware Analysis & Diagnostic Code: S!Ri »»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix S!Ri's WS2Fix: LSP not Found. »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix GenericRenosFix by S!Ri »»»»»»»»»»»»»»»»»»»»»»»» Suppression des fichiers infectés C:\WINDOWS\shell.exe supprimé C:\WINDOWS\system32\printer.exe supprimé C:\WINDOWS\system32\spoolvs.exe supprimé C:\DOCUME~1\Ed\MENUDM~1\PROGRA~1\DMARRA~1\findfast.exe supprimé C:\DOCUME~1\ALLUSE~1.WIN\MENUDM~1\PROGRA~1\DMARRA~1\autorun.exe supprimé »»»»»»»»»»»»»»»»»»»»»»»» IEDFix IEDFix Credits: Malware Analysis & Diagnostic Code: S!Ri »»»»»»»»»»»»»»»»»»»»»»»» DNS HKLM\SYSTEM\CCS\Services\Tcpip\..\{FDD9EFE0-470D-4F72-B5A1-3F6C88E4F671}: DhcpNameServer=192.168.1.1 HKLM\SYSTEM\CS1\Services\Tcpip\..\{FDD9EFE0-470D-4F72-B5A1-3F6C88E4F671}: DhcpNameServer=192.168.1.1 HKLM\SYSTEM\CS2\Services\Tcpip\..\{FDD9EFE0-470D-4F72-B5A1-3F6C88E4F671}: DhcpNameServer=192.168.1.1 HKLM\SYSTEM\CS3\Services\Tcpip\..\{FDD9EFE0-470D-4F72-B5A1-3F6C88E4F671}: DhcpNameServer=192.168.1.1 HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 »»»»»»»»»»»»»»»»»»»»»»»» Suppression Fichiers Temporaires »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System !!!Attention, les clés qui suivent ne sont pas forcément infectées!!! [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] "System"="" »»»»»»»»»»»»»»»»»»»»»»»» Nettoyage du registre Nettoyage terminé. »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Après SmitFraudFix !!!Attention, les clés qui suivent ne sont pas forcément infectées!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll »»»»»»»»»»»»»»»»»»»»»»»» Fin --------------------------------------------------------------------------------------------------------------------- ComboFix 08-03-17.1 - Ed 2008-03-18 22:52:14.1 - NTFSx86 Microsoft Windows XP Édition familiale 5.1.2600.2.1252.1.1036.18.658 [GMT 1:00] Endroit: C:\Documents and Settings\Ed\Bureau\ComboFix.exe AVERTISSEMENT - LA CONSOLE DE RÉCUPÉRATION N'EST PAS INSTALLÉE SUR CETTE MACHINE !! . (((((((((((((((((((((((((((((((((((( Autres suppressions )))))))))))))))))))))))))))))))))))))))))))))))) . C:\.protected C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr0.dat C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr1.dat C:\Documents and Settings\LocalService.AUTORITE NT\Application Data\ultra C:\Documents and Settings\LocalService.AUTORITE NT\Application Data\ultra\uninstall.bat C:\WINDOWS\BM6bdcf4b5.xml C:\WINDOWS\inf\ultra.inf C:\WINDOWS\pskt.ini C:\WINDOWS\SYSTEM32\bbeeg.ini C:\WINDOWS\SYSTEM32\bbeeg.ini2 C:\WINDOWS\system32\bqktnosu.dll C:\WINDOWS\system32\crypts.dll C:\WINDOWS\system32\drivers\etc\.protected C:\WINDOWS\system32\efcabba.dll C:\WINDOWS\system32\geebb.dll C:\WINDOWS\system32\koos.exe C:\WINDOWS\system32\kprof C:\WINDOWS\system32\kr_done1 C:\WINDOWS\system32\mcrh.tmp C:\WINDOWS\system32\poof C:\WINDOWS\system32\qomjgfd.dll C:\WINDOWS\system32\system C:\WINDOWS\system32\system\msxml4.dll C:\WINDOWS\system32\system\msxml4r.dll C:\WINDOWS\system32\tqunnpfw.dll C:\WINDOWS\SYSTEM32\ututv.ini C:\WINDOWS\SYSTEM32\ututv.ini2 C:\WINDOWS\SYSTEM32\wfpnnuqt.ini C:\WINDOWS\system32\yrpyfolu.dll ----- BITS: Possible sites infectés ----- hxxp://flycodecs.com . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_POOF ((((((((((((((((((((((((((((( Fichiers créés 2008-02-18 to 2008-03-18 )))))))))))))))))))))))))))))))))))) . 2008-03-18 15:45 . 2008-03-18 15:45 <REP> d-------- C:\VundoFix Backups 2008-03-18 15:33 . 2008-03-18 21:49 1,506 --a------ C:\WINDOWS\SYSTEM32\tmp.reg 2008-03-18 14:09 . 2007-06-13 14:22 113,664 --a------ C:\WINDOWS\SYSTEM32\gtkfieactrm.drv 2008-03-18 13:52 . 2008-03-18 13:53 <REP> d-------- C:\WINDOWS\ERUNT 2008-03-18 13:32 . 2008-03-16 06:19 <REP> d-------- C:\SDFix 2008-03-18 13:16 . 2008-03-18 13:16 <REP> d-------- C:\Documents and Settings\Administrateur.AMATEUR\Application Data\Grisoft 2008-03-16 23:09 . 2008-03-16 23:09 <REP> d-------- C:\Documents and Settings\Walter\Application Data\Grisoft 2008-03-16 19:06 . 2008-03-16 19:06 <REP> d-------- C:\Documents and Settings\Ed\Application Data\Grisoft 2008-03-16 19:05 . 2007-05-30 13:10 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys 2008-03-16 19:04 . 2008-03-16 19:04 <REP> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft 2008-03-16 19:00 . 2008-03-16 19:00 <REP> d-------- C:\Program Files\CCleaner 2008-03-16 18:54 . 2008-03-17 12:21 5,120 --a------ C:\Documents and Settings\Ed\ftpdll.dll 2008-03-16 12:26 . 2008-03-16 12:26 <REP> d-------- C:\Program Files\Trend Micro 2008-03-13 16:03 . 2008-03-17 12:20 5,120 --a------ C:\Documents and Settings\LocalService.AUTORITE NT\ftpdll.dll 2008-03-13 14:01 . 2008-03-13 14:01 <REP> d-------- C:\Documents and Settings\Ed\Application Data\Webroot 2008-03-12 18:43 . 2008-03-12 18:43 58,368 --a------ C:\WINDOWS\SYSTEM32\msgk427.exe 2008-03-12 18:30 . 2008-03-12 18:30 <REP> d-------- C:\Documents and Settings\Walter\Application Data\Webroot 2008-03-12 18:29 . 2008-03-12 18:29 <REP> d-------- C:\Documents and Settings\LocalService.AUTORITE NT\Application Data\Webroot 2008-03-12 18:27 . 2008-03-12 18:27 <REP> d-------- C:\Documents and Settings\NetworkService.AUTORITE NT\Application Data\Webroot 2008-03-12 18:26 . 2008-03-12 18:26 <REP> d-------- C:\Program Files\Webroot 2008-03-12 18:26 . 2008-03-12 18:26 <REP> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Webroot 2008-03-12 18:26 . 2008-03-12 18:26 <REP> d-------- C:\Documents and Settings\Administrateur.AMATEUR\Application Data\Webroot 2008-03-12 18:26 . 2008-01-04 20:56 1,526,640 --a------ C:\WINDOWS\WRSetup.dll 2008-03-12 18:26 . 2008-01-04 20:34 163,696 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ssidrv.sys 2008-03-12 18:26 . 2008-01-04 20:34 23,920 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\sskbfd.sys 2008-03-12 18:26 . 2008-01-04 20:34 21,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\sshrmd.sys 2008-03-12 18:26 . 2008-01-04 20:34 20,336 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SSFS0BB9.sys 2008-03-12 17:38 . 2004-08-20 01:09 221,184 --a------ C:\WINDOWS\SYSTEM32\wmpns.dll 2008-03-12 17:37 . 2007-06-13 14:22 113,664 --a------ C:\WINDOWS\SYSTEM32\pgfahcn.sys 2008-03-12 17:29 . 2008-03-15 14:30 <REP> d--h----- C:\Documents and Settings\Administrateur.AMATEUR\ModŠles 2008-03-12 17:29 . 2008-03-12 17:29 <REP> d-------- C:\Documents and Settings\Administrateur.AMATEUR\Menu D‚marrer 2008-03-12 17:29 . 2008-03-12 17:29 <REP> dr------- C:\Documents and Settings\Administrateur.AMATEUR\Favoris 2008-03-12 17:29 . 2008-03-18 18:44 <REP> d-------- C:\Documents and Settings\Administrateur.AMATEUR\Bureau 2008-03-12 17:03 . 2008-03-12 17:03 <REP> d-------- C:\Documents and Settings\Walter\Application Data\Anti-Virus-Pro.com 2008-03-12 17:02 . 2008-03-12 17:50 <REP> d-------- C:\Program Files\AntiVirusPro 2008-03-12 17:00 . 2008-03-12 17:00 35,464 --a------ C:\WINDOWS\SYSTEM32\BluetoothAuthorizationAgent.exe 2008-03-12 16:53 . 2008-03-12 16:53 6,656 --a------ C:\xolkyggk.exe 2008-03-12 16:52 . 2008-03-12 16:52 <REP> dr------- C:\Documents and Settings\LocalService.AUTORITE NT\Favoris 2008-03-12 16:52 . 2008-03-12 16:52 266,240 --a------ C:\WINDOWS\SYSTEM32\wlogon32.dll 2008-03-12 16:52 . 2008-03-12 16:52 111,886 --a------ C:\WINDOWS\SYSTEM32\msgk414.exe 2008-03-12 16:52 . 2008-03-12 16:52 72,192 --a------ C:\bot.exe 2008-03-12 16:52 . 2008-03-12 16:52 69,120 --a------ C:\WINDOWS\SYSTEM32\msgk449.exe 2008-03-12 16:52 . 2008-03-12 16:53 58,368 --a------ C:\rdwavag.exe 2008-03-12 16:52 . 2008-03-12 16:52 16,848 --a------ C:\WINDOWS\SYSTEM32\wind32.exe 2008-03-12 16:52 . 2005-07-18 09:55 9,728 --a------ C:\findfast.exe 2008-03-12 16:52 . 2005-07-12 14:41 9,728 --a------ C:\Documents and Settings\LocalService.AUTORITE NT\Application Data\printer.exe 2008-03-12 16:52 . 2008-03-12 16:52 6,144 --a------ C:\mmhkj.exe 2008-03-12 16:52 . 2008-03-17 12:21 5,120 --a------ C:\WINDOWS\SYSTEM32\ftpdll.dll 2008-03-12 13:52 . 2008-03-12 13:52 30,877 --a------ C:\WINDOWS\SYSTEM32\winmed.exe 2008-03-12 13:51 . 2008-03-12 13:51 17,920 --a------ C:\WINDOWS\SYSTEM32\msgk374.exe 2008-03-12 13:51 . 2008-03-12 21:33 331 --a------ C:\WINDOWS\SYSTEM32\winlogans.tmp 2008-03-12 13:51 . 2008-03-12 18:44 32 --a------ C:\WINDOWS\SYSTEM32\svchost.t__ 2008-03-12 13:50 . 2008-03-12 13:50 3,221 --a------ C:\WINDOWS\SYSTEM32\~.exe 2008-03-12 13:35 . 2008-03-12 13:35 561 --a------ C:\WINDOWS\eReg.dat 2008-03-11 19:59 . 2008-03-11 19:59 63 --a------ C:\WINDOWS\mdm.ini 2008-03-07 20:21 . 2008-03-07 20:21 54,156 --ah----- C:\WINDOWS\QTFont.qfn 2008-03-07 20:21 . 2008-03-07 20:21 1,409 --a------ C:\WINDOWS\QTFont.for 2008-03-06 21:34 . 2008-03-06 21:34 36,240 --a------ C:\Program Files\instaler.exe 2008-03-03 21:07 . 2008-03-03 21:09 <REP> d-------- C:\Everest Poker 2008-02-23 12:55 . 2003-05-28 17:53 45,056 --a------ C:\WINDOWS\SYSTEM32\WNASPI2K.BAK 2008-02-23 12:55 . 2003-05-28 17:53 17,005 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ASPI2K.BAK 2008-02-23 12:55 . 2003-05-28 17:53 5,600 --a------ C:\WINDOWS\SYSTEM\WINASPI.BAK 2008-02-23 12:55 . 2003-05-28 17:53 4,672 --a------ C:\WINDOWS\SYSTEM\WOWPOST.BAK 2008-02-23 12:53 . 2003-09-12 13:08 83,208 --a------ C:\WINDOWS\SYSTEM32\S32EVNT1.DLL 2008-02-23 12:53 . 2003-09-12 13:08 82,136 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SYMEVENT.SYS . (((((((((((((((((((((((((((((((((( Compte-rendu de Find3M )))))))))))))))))))))))))))))))))))))))))))))))) . 2008-03-07 19:23 --------- d-----w C:\Documents and Settings\Walter\Application Data\Corel 2008-03-07 17:26 --------- d-----w C:\Program Files\Norton SystemWorks 2008-03-04 18:46 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Messenger Plus! 2008-03-03 13:30 --------- d-----w C:\Program Files\Riven 2008-03-03 12:15 --------- d-----w C:\Program Files\Spamihilator 2008-02-28 14:06 --------- d-----w C:\Program Files\Fichiers communs\Symantec Shared 2008-02-25 13:13 --------- d-----w C:\Documents and Settings\Ed\Application Data\Corel 2008-02-23 11:57 --------- d-----w C:\Documents and Settings\Walter\Application Data\Symantec 2008-02-23 11:55 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec 2008-02-23 11:54 --------- d-----w C:\Program Files\Symantec 2008-02-11 18:05 --------- d-----w C:\Program Files\Myst Online 2008-02-10 12:16 --------- d-----w C:\Program Files\QuickTime 2008-02-10 11:57 --------- d-----w C:\Program Files\Lavasoft 2008-02-10 11:27 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft 2008-02-10 11:26 --------- d-----w C:\Program Files\Fichiers communs\Wise Installation Wizard 2008-01-27 17:06 --------- d-----w C:\Program Files\Common Files 2008-01-27 15:54 --------- d-----w C:\Documents and Settings\Walter\Application Data\Apple Computer 2008-01-27 14:09 --------- d-----w C:\Program Files\L'Amerzone 2008-01-21 11:43 --------- d-----w C:\Program Files\Snapshot Viewer 2008-01-21 11:43 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\SBT 2007-12-29 00:31 39,424 ----a-w C:\WINDOWS\zipinst.exe 2004-05-11 17:58 39,859 ----a-w C:\Program Files\3dsUninst.exe 2004-05-11 17:58 1,210 ----a-w C:\Program Files\install.log 2004-03-29 15:21 958,549 ----a-w C:\Program Files\ThereKernel.dll 2004-03-29 15:21 24,657 ----a-w C:\Program Files\GnuMalloc.dll 2004-03-29 15:21 1,294,427 ----a-w C:\Program Files\ThereNetClient.dll 2002-04-01 18:51 266 --sh--w C:\Program Files\desktop.ini 2002-04-01 18:51 11,208 ---ha-w C:\Program Files\folder.htt . ((((((((((((((((((((((((((((((((( Point de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))) . . REGEDIT4 *Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-20 00:09 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-04 20:56 5367664] "rfmtlpre"="C:\WINDOWS\TEMP\mkdgoanrnch.dll" [2007-06-13 14:22 113664] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-20 00:09 15360] "Hhjg5jfd93dftdf"="C:\WINDOWS\TEMP\winlogan.exe" [ ] "Jnskdfmf9eldfd"="C:\WINDOWS\TEMP\csrssc.exe" [ ] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run] "scpmnsp"= rundll32.exe "C:\WINDOWS\system32\dsbalkjeh.dll" WLEntryPoint [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer] "NoControlPanel"= 1 (0x1) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon] "UIHost"="logonui.exe" [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mpcnmlknilgfqd] mpcnmlknilgfqd.dll 2007-06-13 14:22 113664 C:\WINDOWS\SYSTEM32\mpcnmlknilgfqd.dll [HKLM\~\startupfolder\C:^Documents and Settings^Administrateur.AMATEUR^Menu Démarrer^Programmes^Démarrage^findfast.exe] path=C:\Documents and Settings\Administrateur.AMATEUR\Menu Démarrer\Programmes\Démarrage\findfast.exe backup=C:\WINDOWS\pss\findfast.exeStartup [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Menu Démarrer^Programmes^Démarrage^.protected] path=C:\Documents and Settings\All Users.WINDOWS\Menu Démarrer\Programmes\Démarrage\.protected backup=C:\WINDOWS\pss\.protectedCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Menu Démarrer^Programmes^Démarrage^autorun.exe] path=C:\Documents and Settings\All Users.WINDOWS\Menu Démarrer\Programmes\Démarrage\autorun.exe backup=C:\WINDOWS\pss\autorun.exeCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Menu Démarrer^Programmes^Démarrage^EPSON Background Monitor.lnk] path=C:\Documents and Settings\All Users.WINDOWS\Menu Démarrer\Programmes\Démarrage\EPSON Background Monitor.lnk backup=C:\WINDOWS\pss\EPSON Background Monitor.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Menu Démarrer^Programmes^Démarrage^InterVideo WinCinema Manager.lnk] path=C:\Documents and Settings\All Users.WINDOWS\Menu Démarrer\Programmes\Démarrage\InterVideo WinCinema Manager.lnk backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Menu Démarrer^Programmes^Démarrage^Microsoft Office.lnk] path=C:\Documents and Settings\All Users.WINDOWS\Menu Démarrer\Programmes\Démarrage\Microsoft Office.lnk backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Menu Démarrer^Programmes^Démarrage^PGPtray.lnk] path=C:\Documents and Settings\All Users.WINDOWS\Menu Démarrer\Programmes\Démarrage\PGPtray.lnk backup=C:\WINDOWS\pss\PGPtray.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^Ed^Menu Démarrer^Programmes^Démarrage^findfast.exe] path=C:\Documents and Settings\Ed\Menu Démarrer\Programmes\Démarrage\findfast.exe backup=C:\WINDOWS\pss\findfast.exeStartup [HKLM\~\startupfolder\C:^Documents and Settings^Ed^Menu Démarrer^Programmes^Démarrage^Microsoft Office.lnk] path=C:\Documents and Settings\Ed\Menu Démarrer\Programmes\Démarrage\Microsoft Office.lnk backup=C:\WINDOWS\pss\Microsoft Office.lnkStartup [HKLM\~\startupfolder\C:^Documents and Settings^TEMP^Menu Démarrer^Programmes^Démarrage^findfast.exe] path=C:\Documents and Settings\TEMP\Menu Démarrer\Programmes\Démarrage\findfast.exe backup=C:\WINDOWS\pss\findfast.exeStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware] --a------ 2007-06-11 10:25 6731312 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\68efc729] C:\WINDOWS\system32\tqunnpfw.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcctMgr] --a------ 2003-09-15 16:04 582168 C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\acqnabng] C:\WINDOWS\TEMP\dkjal.drv WLEntryPoint [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr] -ra------ 2005-05-03 11:43 69632 C:\WINDOWS\ALCMTR.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\antiviirus] C:\Program Files\antiviirus.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AntiVirusPro] C:\Program Files\AntiVirusPro\AntiVirusPro.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC] --a------ 2006-01-02 17:41 45056 C:\Program Files\ATI Technologies\ATI.ACE\cli.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\autoload] C:\Documents and Settings\Ed\Local Settings\Application Data\cftmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthorizationAgent] --a------ 2008-03-12 17:00 35464 C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM6bdcf4b5] C:\WINDOWS\system32\yrpyfolu.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe] --a------ 2004-08-20 00:09 15360 C:\WINDOWS\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gflghssj] C:\WINDOWS\TEMP\dkjal.drv WLEntryPoint [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GhostStartTrayApp] --a------ 2003-06-10 18:02 94208 C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Hhjg5jfd93dftdf] C:\WINDOWS\TEMP\winlogan.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jelcjad] C:\WINDOWS\TEMP\dkjal.drv WLEntryPoint [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jnitmrte] C:\WINDOWS\TEMP\dkjal.drv WLEntryPoint [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jnskdfmf9eldfd] C:\DOCUME~1\Ed\LOCALS~1\Temp\csrssc.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent] --a------ 2001-07-25 10:00 192568 C:\Program Files\Microsoft Money\System\Money Express.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck] --a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton SystemWorks] --a------ 2003-09-18 17:03 124048 C:\Program Files\Fichiers communs\Symantec Shared\CfgWiz.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ntuser] C:\WINDOWS\system32\drivers\spools.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Printer] C:\WINDOWS\system32\printer.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qrcap] C:\WINDOWS\TEMP\dkjal.drv WLEntryPoint [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL] -ra------ 2005-12-09 08:49 15691264 C:\WINDOWS\RTHDCPL.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spoolsv] C:\WINDOWS\system32\spoolvs.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper] --a------ 2008-01-04 20:56 5367664 C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] --a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg] --a------ 2007-06-08 11:40 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System] --a------ 2008-03-12 16:52 16848 C:\WINDOWS\system32\wind32.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemDefender] C:\Program Files\SystemDefender\SystemDefender.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] --a------ 2007-10-06 14:32 185632 C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\trgiieco] --a------ 2004-08-20 00:10 33792 C:\WINDOWS\SYSTEM32\rundll32.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinMed] --a------ 2008-03-12 13:52 30877 C:\WINDOWS\SYSTEM32\winmed.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "aawservice"=2 (0x2) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\Program Files\\Myst Online\\UruExplorer.exe"= "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"= "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"= "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"= "C:\\Program Files\\MSN Messenger\\livecall.exe"= "C:\\Team17\\Worms2\\frontend.exe"= "C:\\Program Files\\AC2\\ac2probe.exe"= "C:\\Documents and Settings\\LocalService.AUTORITE NT\\Application Data\\printer.exe"= "%windir%\\system32\\winav.exe"= "C:\\WINDOWS\\system32\\winmed.exe"= "C:\\bot.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "51326:TCP"= 51326:TCP:@xpsp2res.dll,-22005 "51365:TCP"= 51365:TCP:@xpsp2res.dll,-22005 "5240:TCP"= 5240:TCP:@xpsp2res.dll,-22005 "37711:TCP"= 37711:TCP:@xpsp2res.dll,-22005 R0 ULiFilter;ULi PCIE Bridge Filter;C:\WINDOWS\system32\DRIVERS\ULiFiltr.sys [2005-12-08 08:20] R1 GhPciScan;GhostPciScanner;C:\Program Files\Norton SystemWorks\Norton Ghost\ghpciscan.sys [2003-05-28 19:01] R2 PGPmemlock;PGPmemlock;C:\WINDOWS\system32\drivers\PGPmemlock.sys [1999-10-29 05:52] S3 SmartCd;SmartCd;C:\WINDOWS\system32\Drivers\SmartCd.sys [] S3 ultradfg;ultradfg;C:\WINDOWS\system32\DRIVERS\ultradfg.sys [2007-10-08 10:54] . Contenu du dossier 'Scheduled Tasks/Tâches planifiées' "2008-03-10 15:06:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe "2008-03-07 17:28:08 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job" - C:\Program Files\Norton SystemWorks\OBC.exe "2008-03-04 23:00:00 C:\WINDOWS\Tasks\Symantec Drmc.job" - C:\Program Files\Fichiers communs\Symantec Shared\SymDrmc.exe "2008-03-18 22:09:53 C:\WINDOWS\Tasks\Symantec NetDetect.job" - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE . ************************************************************************** catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-03-18 23:08:52 Windows 5.1.2600 Service Pack 2 NTFS Balayage processus cachés ... Balayage caché autostart entries ... Balayage des fichiers cachés ... Scan terminé avec succès Les fichiers cachés: 0 ************************************************************************** . ------------------------ Other Running Processes ------------------------ . C:\WINDOWS\System32\Ati2evxx.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE C:\ESM2\SAgentNT.exe C:\ESM2\EBRR.EXE C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\system32\Ati2evxx.exe . ************************************************************************** . Temps d'accomplissement: 2008-03-18 23:25:05 - machine was rebooted ComboFix-quarantined-files.txt 2008-03-18 22:24:56 . 2008-03-12 12:26:50 --- E O F --- -------------------------------------------------------------------------------------------------------------- Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 12:11:10, on 19/03/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16608) Boot mode: Safe mode Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\Explorer.exe C:\WINDOWS\shell.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://fr.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O4 - HKLM\..\Run: [rfmtlpre] rundll32.exe "C:\WINDOWS\TEMP\ecmjpibjc.nls" WLEntryPoint O4 - HKLM\..\Run: [Printer] C:\WINDOWS\system32\printer.exe O4 - HKLM\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [spoolsv] C:\WINDOWS\system32\spoolvs.exe O4 - HKLM\..\Policies\Explorer\Run: [scpmnsp] rundll32.exe "C:\WINDOWS\system32\dsbalkjeh.dll" WLEntryPoint O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE RÉSEAU') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\S-1-5-18\..\Run: [Jnskdfmf9eldfd] C:\WINDOWS\TEMP\csrssc.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user') O4 - Startup: findfast.exe O4 - Global Startup: autorun.exe O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1 O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll O9 - Extra button: Capturer ! - {47055D63-DFCD-11d3-8406-00500445A7D0} - C:\Program Files\Goto\MemoWeb 4\IEBtn\Launcher (file missing) O9 - Extra 'Tools' menuitem: Capturer ce web - {47055D63-DFCD-11d3-8406-00500445A7D0} - C:\Program Files\Goto\MemoWeb 4\IEBtn\Launcher (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1186846561046 O20 - Winlogon Notify: mpcnmlknilgfqd - C:\WINDOWS\SYSTEM32\mpcnmlknilgfqd.dll O21 - SSODL: akDcvc - {68EFC787-C245-6D2D-5C5A-BABE7E0DE695} - (no file) O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE O23 - Service: Epson Printer Status Agent (StatusAgent) - SEIKO EPSON CORPORATION - C:\ESM2\SAgentNT.exe O23 - Service: Moteur Webroot Spy Sweeper (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe -- End of file - 5406 bytes
  21. Cartier83
    Ok, merci. Voici le log transféré via une clé usb. L'ordi ne fonctionne qu'en mode sans échec. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 17:13:32, on 17/03/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16608) Boot mode: Safe mode Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\Explorer.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\shell.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://fr.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto O4 - HKLM\..\Run: [hrniaj] rundll32.exe "C:\WINDOWS\TEMP\dkjal.drv" WLEntryPoint O4 - HKLM\..\Run: [Printer] C:\WINDOWS\system32\printer.exe O4 - HKCU\..\Run: [spoolsv] C:\WINDOWS\system32\spoolvs.exe O4 - HKLM\..\Policies\Explorer\Run: [rmlgr] rundll32.exe "C:\WINDOWS\system32\dsbalkjeh.dll" WLEntryPoint O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE RÉSEAU') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\S-1-5-18\..\Run: [spoolsv] C:\WINDOWS\system32\spoolvs.exe (User 'SYSTEM') O4 - HKUS\S-1-5-18\..\Run: [autoload] C:\Documents and Settings\LocalService.AUTORITE NT\Local Settings\Application Data\cftmon.exe (User 'SYSTEM') O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM') O4 - HKUS\S-1-5-18\..\Run: [Jnskdfmf9eldfd] C:\WINDOWS\TEMP\csrssc.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user') O4 - Startup: findfast.exe O4 - Global Startup: autorun.exe O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1 O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1 O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll O9 - Extra button: Capturer ! - {47055D63-DFCD-11d3-8406-00500445A7D0} - C:\Program Files\Goto\MemoWeb 4\IEBtn\Launcher (file missing) O9 - Extra 'Tools' menuitem: Capturer ce web - {47055D63-DFCD-11d3-8406-00500445A7D0} - C:\Program Files\Goto\MemoWeb 4\IEBtn\Launcher (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1186846561046 O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll O21 - SSODL: AlrtWin - {e60bbf5e-46b6-4668-93e1-c75c6fe1c0ca} - C:\WINDOWS\Installer\{e60bbf5e-46b6-4668-93e1-c75c6fe1c0ca}\AlrtWin.dll O21 - SSODL: zip - {4cd37ce9-5019-4302-a112-abadf1fde23d} - C:\WINDOWS\Installer\{4cd37ce9-5019-4302-a112-abadf1fde23d}\zip.dll O21 - SSODL: ServiceAvp - {026bf553-0746-47a0-b8a1-817ab7ea4ac0} - C:\WINDOWS\Installer\{026bf553-0746-47a0-b8a1-817ab7ea4ac0}\ServiceAvp.dll O21 - SSODL: WLogon - {C222CF11-145F-2FF2-31AC-F613D471C63D} - C:\WINDOWS\system32\wlogon32.dll O21 - SSODL: akDcvc - {68EFC787-C245-6D2D-5C5A-BABE7E0DE695} - (no file) O21 - SSODL: DriveAvp - {cc674d1c-81ce-4f4b-bd79-af77443c47ca} - C:\WINDOWS\Installer\{cc674d1c-81ce-4f4b-bd79-af77443c47ca}\DriveAvp.dll O21 - SSODL: WinVolume - {3bff9cd4-3090-4896-bf96-a0a73f70e9cb} - C:\WINDOWS\Installer\{3bff9cd4-3090-4896-bf96-a0a73f70e9cb}\WinVolume.dll O22 - SharedTaskScheduler: Hjkfj93dffd - {B5AF0562-94F3-42BD-F434-2604812C797D} - C:\WINDOWS\system32\Kf94lfg.dll O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe O23 - Service: Google Online Search Service - Unknown owner - C:\WINDOWS\system32\winlugan.exe (file missing) O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\svchost.exe:exe.exe O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE O23 - Service: Planificateur de tâches (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE O23 - Service: Epson Printer Status Agent (StatusAgent) - SEIKO EPSON CORPORATION - C:\ESM2\SAgentNT.exe O23 - Service: Moteur Webroot Spy Sweeper (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe -- End of file - 6937 bytes
  22. Cartier83
    Bonjour, Voici l'historique de la situation : - Avast antivirus a commencé à envoyer des alertes d'attaques. - J'ai fait un scan complet avec Avast. Nettoyage ok. - J'ai pensé (grosse bétise) à faire un autre scan avec Antivir que j'utlise sur d'autres ordis. Mais comme 2 antivirus ne cohabitent pas, j'ai commencé par désinstaller Avast avant de télécharger Antivir. Antivir s'est chargé mais jamais installé. - J'ai supprimé la connection de cet ordi pour qu'il n'infecte pas mon réseau local. - j'ai récupéré Spy Sweeper sur un autre ordi par une clé usb, et je l'ai installé. Installation apparement normale. - début des alertes en tout genre style redirection vers pcprivacytool.com. - disparition de l'accès au panneau de configuration. - blocage de l'ordi au lancement de Spy Sweeper, et impossible de le redémarrer en mode normal : Le pointeur se bloque au moment de choisir un utilisateur. - à partir de là, démarrage possible uniquement en mode sans échec. - Spy sweeper avec antivirus se lance mais se bloque avant la fin. Si je l'arrête manuellement, il efface les trojan. Si je renouvelle l'opération, les mêmes trojans sont trouvés à nouveau. - toujours avec la clé usb, j'ai chargé hijackthis et récupéré le log sur la clé. - retour sur un autre ordi où j'ai donné le log à mouliner à http://www.hijackthis.de/fr. C'est très mauvais. - toujours en mode sans échec, j'ai fait un ccleaner. Résultat ok - Avec la clé usb j'ai installé AVG spyware. Il ne s'est pas bloqué contrairement à Spy sweeper, mais impossible d'avoir un rapport à la fin (bouton grisé) - toujours impossible d'accéder en mode normal. en mode sans échec, les propositions de télécharger un anti spyware continuent. Je vois venir le reformatage à grands pas, mais bon, merci pour votre aide ( si il y a une solution...)
×
×
  • Créer...