

cel42
Everything posted by cel42
-
Here is the scan:
ComboFix 10-01-27.06 - Celine 28/01/2010 21:53:14.3.1 - x86 Microsoft Windows XP Édition familiale 5.1.2600.2.1252.33.1036.18.510.130 [GMT 0:00]
-
Good evening! TDSSKiller report:
20:06:59:828 2660 TDSS rootkit removing tool 2.2.2 Jan 13 2010 08:42:25
And the ComboFix report:
ComboFix 10-01-27.06 - Celine 28/01/2010 20:43:38.1.1 - x86 Microsoft Windows XP Édition familiale 5.1.2600.2.1252.33.1036.18.510.197 [GMT 0:00]
uStart Page = hxxp://www.netvibes.com/ IE: &Télécharger avec NetTransport - c:\program files\Xi\NetTransport 2\NTAddLink.html IE: E&xporter vers Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 IE: Tout t&élécharger avec NetTransport - c:\program files\Xi\NetTransport 2\NTAddList.html Trusted Zone: microsoft.com\office DPF: {B9907873-6560-4A36-B76B-9DADE84A7F55} - hxxp://www.fnacmusic.com/telechargementFnacmusic/FnacmusicDnl.CAB FF - ProfilePath - c:\documents and settings\Celine\Application Data\Mozilla\Firefox\Profiles\sqrp169r.default\ FF - prefs.js: browser.startup.homepage - hxxp://mail.yahoo.fr/ FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ . - - - - ORPHELINS SUPPRIMES - - - - AddRemove-Macromedia Shockwave Player - c:\windows\system32\Macromed\SHOCKW~1\UNWISE.EXE ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-01-28 20:57 Windows 5.1.2600 Service Pack 2 NTFS Recherche de processus cachés ... Recherche d'éléments en démarrage automatique cachés ... Recherche de fichiers cachés ... Scan terminé avec succès Fichiers cachés: 0 ************************************************************************** . 
--------------------- CLES DE REGISTRE BLOQUEES --------------------- [HKEY_USERS\S-1-5-21-2240277432-3196995183-530792772-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F25A21A1-0D38-6DFE-6AA0-A5E65F8F3499}*] @Allowed: (Read) (RestrictedCode) @Allowed: (Read) (RestrictedCode) "iagjfpfglajjhdgbid"=hex:6b,61,6d,6b,68,6e,68,61,65,67,61,70,6f,6b,67,6b,67,6e, 66,6a,6a,65,00,00 "haiaplebgokooeld"=hex:6b,61,6d,6b,68,6e,68,61,65,67,61,70,6f,6b,67,6b,67,6e, 66,6a,6a,65,00,00 [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\ð•€|ÿÿÿÿ.•€|ù•9~*] "C040110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL" . --------------------- DLLs chargées dans les processus actifs --------------------- - - - - - - - > 'winlogon.exe'(984) c:\windows\system32\Ati2evxx.dll - - - - - - - > 'explorer.exe'(3396) c:\progra~1\WINDOW~2\wmpband.dll c:\windows\system32\msls31.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll c:\windows\system32\TPwrCfg.DLL c:\windows\system32\TPwrReg.dll c:\windows\system32\TPSTrace.DLL . ------------------------ Autres processus actifs ------------------------ . 
c:\windows\system32\Ati2evxx.exe c:\windows\system32\Ati2evxx.exe c:\program files\Lavasoft\Ad-Aware\aawservice.exe c:\program files\Alwil Software\Avast4\aswUpdSv.exe c:\program files\Alwil Software\Avast4\ashServ.exe c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe c:\windows\system32\CTsvcCDA.EXE c:\windows\system32\wscntfy.exe c:\program files\Alwil Software\Avast4\ashMaiSv.exe c:\program files\Alwil Software\Avast4\ashWebSv.exe c:\windows\AGRSMMSG.exe c:\windows\system32\ZoomingHook.exe c:\windows\system32\TCtrlIOHook.exe c:\windows\system32\TPSMain.exe c:\program files\TOSHIBA\ConfigFree\NDSTray.exe c:\windows\system32\TPSBattM.exe c:\program files\Apoint2K\Apntex.exe c:\program files\iPod\bin\iPodService.exe c:\program files\Last.fm\LastFMHelper.exe . ************************************************************************** . Heure de fin: 2010-01-28 21:05:46 - La machine a redémarré ComboFix-quarantined-files.txt 2010-01-28 21:05 Avant-CF: 1 498 374 144 octets libres Après-CF: 3 241 574 400 octets libres WindowsXP-KB310994-SP2-Home-BootDisk-FRA.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP dition familiale" /noexecute=optin /fastdetect - - End Of File - - 0731143ECB59E02A5B0C1A0B9AF7CE4B
-
Hello pear, here is my report!

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Wednesday, January 27, 2010
Operating system: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, January 26, 2010 20:24:32
Records in database: 3373978
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Objects scanned: 118201
Threats found: 10
Infected objects found: 16
Suspicious objects found: 0
Scan duration: 05:29:48

File name / Threat / Threats count
C:\Documents and Settings\Celine\Local Settings\Temp\coxramewns.tmp Infected: Packed.Win32.Krap.x 1
C:\Documents and Settings\Celine\Local Settings\Temp\ewmsocarnx.tmp Infected: Trojan.Win32.Vilsel.rjr 1
C:\Documents and Settings\Celine\Local Settings\Temp\osarnwcxme.tmp Infected: Trojan-Downloader.Win32.CodecPack.kni 1
C:\Documents and Settings\Celine\Local Settings\Temp\wmresconxa.tmp Infected: Trojan-Downloader.Win32.Genome.afdq 1
C:\Documents and Settings\Celine\Local Settings\Temporary Internet Files\Content.IE5\4CC7V0WT\frgqax[1].htm Infected: Trojan-Downloader.Win32.FraudLoad.gkm 1
C:\Documents and Settings\Celine\Local Settings\Temporary Internet Files\Content.IE5\CENTG50M\file[1].exe Infected: Packed.Win32.TDSS.aa 1
C:\Documents and Settings\Celine\Local Settings\Temporary Internet Files\Content.IE5\ISMY3F0O\uxdnnno[1].htm Infected: Trojan-Dropper.Win32.Agent.bldg 1
C:\Documents and Settings\Celine\Local Settings\Temporary Internet Files\Content.IE5\ISMY3F0O\wcvsg[1].htm Infected: Packed.Win32.Krap.x 1
C:\dqccpnq.exe Infected: Trojan-Dropper.Win32.Agent.bldg 1
C:\duehpow.exe Infected: Packed.Win32.Krap.x 1
C:\kkalf.exe Infected: Trojan-Downloader.Win32.FraudLoad.gkm 1
C:\WINDOWS\system32\hkkug5tbf.dll Infected: Trojan-Downloader.Win32.Agent.dabw 1
C:\WINDOWS\system32\spool\prtprocs\w32x86\38.tmp Infected: Packed.Win32.TDSS.aa 1
C:\WINDOWS\Temp\1F.tmp Infected: Trojan-Spy.Win32.Zbot.gen 1
C:\WINDOWS\Temp\kpsh.tmp\svchost.exe Infected: Trojan-Spy.Win32.Zbot.gen 1
C:\_OTMoveIt\MovedFiles\09222008_224147\Documents and Settings\Celine\Local Settings\Temp\.tt5E.tmp.exe Infected: not-a-virus:FraudTool.Win32.XPAntivirus.sl 1

Selected area has been scanned.
-
Hello pear, thank you very much! Here is my report (before reboot):

Malwarebytes' Anti-Malware 1.44
Version de la base de données: 3510
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.11

25/01/2010 20:37:01
mbam-log-2010-01-25 (20-37-01).txt

Type de recherche: Examen complet (C:\|)
Eléments examinés: 225631
Temps écoulé: 1 hour(s), 11 minute(s), 35 second(s)

Processus mémoire infecté(s): 1
Module(s) mémoire infecté(s): 0
Clé(s) du Registre infectée(s): 8
Valeur(s) du Registre infectée(s): 3
Elément(s) de données du Registre infecté(s): 14
Dossier(s) infecté(s): 2
Fichier(s) infecté(s): 25

Processus mémoire infecté(s):
C:\WINDOWS\system32\smss32.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Module(s) mémoire infecté(s):
(Aucun élément nuisible détecté)

Clé(s) du Registre infectée(s):
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntiVirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f919fbd3-a96b-4679-af26-f551439bb5fd} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\net (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TDSSserv (Rootkit.Agent) -> Quarantined and deleted successfully.

Valeur(s) du Registre infectée(s):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\net (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.

Elément(s) de données du Registre infecté(s):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\winlogon32.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: system32\winlogon32.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: c:\windows\system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\winlogon32.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Rootkit.Agent) -> Data: c:\windows\system32\kbdsock.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Rootkit.Agent) -> Data: system32\kbdsock.dll -> Quarantined and deleted successfully.

Dossier(s) infecté(s):
C:\WINDOWS\system32\lowsec (Stolen.data) -> Delete on reboot.
C:\Documents and Settings\Celine\Application Data\AntiVirus Plus (Rogue.AntiVirusPlus) -> Quarantined and deleted successfully.

Fichier(s) infecté(s):
C:\yfoku.exe (Trojan.Buzus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Celine\Local Settings\Temp\nsrcaeomxw.tmp (Trojan.Inject) -> Quarantined and deleted successfully.
C:\Documents and Settings\Celine\Local Settings\Temp\ramsneowxc.tmp (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\Documents and Settings\Celine\Local Settings\Temp\casnoxewrm.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Celine\Local Settings\Temporary Internet Files\Content.IE5\4CC7V0WT\leoxyiissg[1].htm (Trojan.Buzus) -> Quarantined and deleted successfully.
C:\WINDOWS\urCMPA.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Delete on reboot.
C:\Documents and Settings\Celine\Application Data\AntiVirus Plus\AntiVirus Plus.70700.dll (Rogue.AntiVirusPlus) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\smss32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\helper32.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Winlogon32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Celine\Application Data\avp.ico (Rogue.AntiVirusPlus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Celine\Menu Démarrer\Programmes\Démarrage\AntiVirus Plus.lnk (Rogue.AntiVirusPlus) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\net.net (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sdra64.exe (Spyware.Zbot) -> Delete on reboot.
C:\WINDOWS\system32\Windows_update.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Celine\Local Settings\Temp\TDSSf96d.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Sysvxd.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\0000450e.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\41.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\flags.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uses32.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kbdsock.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mshlps.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
-
Hello everyone,

My PC suddenly got infected; I didn't really understand what was happening to it. It started by shutting down (blue screen, stop: 0x00000024). On reboot I got various error messages (your PC is infected...). I now have a "Your system is infected" wallpaper. I know I have netsky32 (which I tried to remove with a Symantec utility, without success). I know it's not the only one. Could someone help me? Many thanks in advance. Have a good evening!

Here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:46:42, on 24/01/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\TOSHIBA\Accessibility\FnKeyHook.exe
C:\WINDOWS\system32\ZoomingHook.exe
C:\WINDOWS\system32\TCtrlIOHook.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\Utilitaire de zoom TOSHIBA\SmoothView.exe
C:\Program Files\TOSHIBA\Tvs\TvsTray.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\TOSHIBA\Commandes TOSHIBA\TFncKy.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\smss32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netvibes.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon32.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Programme d'aide de l'Assistant de connexion Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [TOSHIBA Accessibility] C:\Program Files\TOSHIBA\Accessibility\FnKeyHook.exe
O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [Zooming] ZoomingHook.exe
O4 - HKLM\..\Run: [TCtryIOHook] TCtrlIOHook.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\Utilitaire de zoom TOSHIBA\SmoothView.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\TOSHIBA\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [net] "C:\WINDOWS\system32\net.net"
O4 - HKLM\..\Run: [smss32.exe] C:\WINDOWS\system32\smss32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: AntiVirus Plus.lnk = C:\WINDOWS\system32\rundll32.exe
O4 - Startup: Lancement rapide de Microsoft Office OneNote 2003.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O8 - Extra context menu item: &Télécharger avec NetTransport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Tout t&élécharger avec NetTransport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} (F5 Networks Auto Update) - https://www.fr.sanofipasteur.net/vdesk/term...llerControl.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {B9907873-6560-4A36-B76B-9DADE84A7F55} (FnacmusicDnl.DnlManager) - http://www.fnacmusic.com/telechargementFna...nacmusicDnl.CAB
O20 - AppInit_DLLs: C:\WINDOWS\system32\kbdsock.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Service de l'iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 10709 bytes