
Posted

Hi

 

So, the antivirus was deleted by a virus... Moreover, during cleanup attempts the PC restarts on its own,

whatever mode is used.

 

Here is the HijackThis log

------------------------

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:14:48 AM, on 5/20/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Safe mode with network support

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.exe

C:\Documents and Settings\administrateur.CYBERSTADE\Local Settings\Application Data\winlogon.exe

C:\Documents and Settings\administrateur.CYBERSTADE\Local Settings\Application Data\services.exe

C:\Documents and Settings\administrateur.CYBERSTADE\Local Settings\Application Data\lsass.exe

C:\Documents and Settings\administrateur.CYBERSTADE\Local Settings\Application Data\inetinfo.exe

C:\Documents and Settings\administrateur.CYBERSTADE\Bureau\HiJackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://fr.msn.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens

F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\eksplorasi.exe"

O1 - Hosts: <!doctype html public "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">

O1 - Hosts: <html><head><title>Yahoo! - 503 Service Temporarily Unavailable</title><style>

O1 - Hosts: /* nn4 hide */

O1 - Hosts: /*/*/

O1 - Hosts: body {font:small/1.2em arial,helvetica,clean,sans-serif;font:x-small;text-align:center;}table {font-size:inherit;font:x-small;}

O1 - Hosts: html>body {font:83%/1.2em arial,helvetica,clean,sans-serif;}input {font-size:100%;vertical-align:middle;}p, form {margin:0;padding:0;}

O1 - Hosts: p {padding-bottom:6px;margin-bottom:10px;}#doc {width:48.5em;margin:0 auto;border:1px solid #fff;text-align:center;}#ygma {text-align:right;margin-bottom:53px}

O1 - Hosts: h1 {font-size:135%;text-align:center;margin:0 0 15px;}legend {display:none;}fieldset {border:0 solid #fff;padding:.8em 0 .8em 4.5em;}

O1 - Hosts: form {position:relative;background:#eee;margin-bottom:15px;border:1px solid #ccc;border-width:1px 0;}

O1 - Hosts: form span {position:absolute;left:70%;top:.8em;}form a {font:78%/1.2em arial;display:block;padding-left:.8em;white-space:nowrap;background: url(http://us.i1.yimg.com/us.yimg.com/i/s/bullet.gif) no-repeat left center;}

O1 - Hosts: form .sep {display:none;}.more {text-align:center;}#ft {padding-top:10px;border-top:1px solid #999;}#ft p {text-align:center;font:78% arial;}

O1 - Hosts: /* end nn4 hide */

O1 - Hosts: </style></head>

O1 - Hosts: <body><div id="doc">

O1 - Hosts: <div id="ygma"><a href="http://us.rd.yahoo.com/503/*http://www.yahoo.com"><img

O1 - Hosts: src=http://us.i1.yimg.com/us.yimg.com/i/yahoo.gif

O1 - Hosts: width=147 height=31 border=0 alt="Yahoo!"></a><div><a

O1 - Hosts: href="http://us.rd.yahoo.com/503/*http://www.yahoo.com">Yahoo!</a>'>http://us.rd.yahoo.com/503/*http://www.yahoo.com">Yahoo!</a>

O1 - Hosts: - <a href="http://us.rd.yahoo.com/503/*http://help.yahoo.com">Help</a></div></div>

O1 - Hosts: <div id="bd"><h1>Sorry, Service Temporarily Unavailable.</h1>

O1 - Hosts: The server is temporarily unable to service your

O1 - Hosts: request due to maintenance downtime or capacity

O1 - Hosts: problems. Please try again later.

O1 - Hosts: <P>Additionally, a 503 Service Temporarily Unavailable

O1 - Hosts: error was encountered while trying to use an ErrorDocument to handle the request.

O1 - Hosts: <p>Please check the URL for proper spelling and capitalization. If

O1 - Hosts: you're having trouble locating a destination on Yahoo!, try visiting the

O1 - Hosts: <strong><a

O1 - Hosts: href="http://us.rd.yahoo.com/503/*http://www.yahoo.com">Yahoo! home

O1 - Hosts: page</a></strong> or look through a list of <strong><a

O1 - Hosts: href="http://us.rd.yahoo.com/503/*http://docs.yahoo.com/docs/family/more/">Yahoo!'s

O1 - Hosts: online services</a></strong>. Also, you may find what you're looking for

O1 - Hosts: if you try searching below.</p>

O1 - Hosts: <form name="s1" action="http://us.rd.yahoo.com/503/*-http://search.yahoo.com/search"><fieldset>

O1 - Hosts: <legend><label for="s1p">Search the Web</label></legend>

O1 - Hosts: <input type="text" size=30 name="p" id="s1p" title="enter search terms here">

O1 - Hosts: <input type="submit" value="Search">

O1 - Hosts: <span><a href="http://us.rd.yahoo.com/503/*http://search.yahoo.com/search/options?p=">advanced search</a> <span class=sep>|</span> <a href="http://us.rd.yahoo.com/503/*http://buzz.yahoo.com">most popular</a></span>

O1 - Hosts: </fieldset></form>

O1 - Hosts: <p class="more">Please try <strong><a

O1 - Hosts: href="http://us.rd.yahoo.com/503/*http://help.yahoo.com">Yahoo!

O1 - Hosts: Help Central</a></strong> if you need more assistance.</p>

O1 - Hosts: </div><div id="ft"><p>Copyright © 2009 Yahoo! Inc.

O1 - Hosts: All rights reserved. <a

O1 - Hosts: href="http://us.rd.yahoo.com/503/*http://privacy.yahoo.com">Privacy

O1 - Hosts: Policy</a> - <a

O1 - Hosts: href="http://us.rd.yahoo.com/503/*http://docs.yahoo.com/info/terms/">Terms

O1 - Hosts: of Service</a></p></div>

O1 - Hosts: </div></body></html>

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll

O2 - BHO: PDFCreator Toolbar Helper - {C451C08A-EC37-45DF-AAAD-18B51AB5E837} - C:\Program Files\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: PDFCreator Toolbar - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - C:\Program Files\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"

O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe

O4 - HKLM\..\Run: [bron-Spizaetus] "C:\WINDOWS\ShellNew\bronstab.exe"

O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe

O4 - HKCU\..\Run: [Tok-Cirrhatus] "C:\Documents and Settings\administrateur.CYBERSTADE\Local Settings\Application Data\smss.exe"

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')

O4 - Startup: Empty.pif = ?

O4 - Global Startup: Démarrage rapide du logiciel HP Image Zone.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://webscanner.kaspersky.fr/kavwebscan_unicode.cab

O16 - DPF: {33415AC7-AFFA-4D55-B41C-C64C0D07DFCA} (Hewlett-Packard Printer Diagnostics) - http://h50203.www5.hp.com/HPISWeb/Customer...SWebManager.CAB

O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.1.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1213964242218

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1213972808875

O16 - DPF: {A796D216-2DE1-4EA8-BABB-FE6E7C959098} (HPSDDX Class) - http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cyberstade.lan

O17 - HKLM\Software\..\Telephony: DomainName = cyberstade.lan

O17 - HKLM\System\CCS\Services\Tcpip\..\{ADD55CEC-C550-45E6-B74E-A2EFCC644CF7}: NameServer = 192.168.0.100

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = cyberstade.lan

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = cyberstade.lan

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\SKYPE4~1.DLL

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Service Bonjour (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe

O23 - Service: Service de l’iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Fichiers communs\LogiShrd\LVCOMSER\LVComSer.exe

O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Fichiers communs\LogiShrd\LVMVFM\LVPrcSrv.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Fichiers communs\Ahead\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

O23 - Service: wampapache - Apache Software Foundation - c:\wamp2\bin\apache\apache2.2.11\bin\httpd.exe

O23 - Service: wampmysqld - Unknown owner - c:\wamp2\bin\mysql\mysql5.1.30\bin\mysqld.exe

 

--

End of file - 13225 bytes

 

Ran a rhosts pass without much success / MBAM finds nothing

 

Regards
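A triage script for a HijackThis 2.x log like the one above, added here as an example; it is not code from this thread, from HijackThis or from any helper. It encodes the checks a helper applies by eye when reading such a log: running processes that carry a Windows system binary name (winlogon.exe, lsass.exe, smss.exe...) but live outside %SystemRoot%, an F2 system.ini Shell= value that launches anything besides Explorer.exe, O1 Hosts lines that are not hosts-file syntax (HTML text means the file was overwritten rather than merely redirected), O4 autoruns that point into a user profile or into ShellNew, and an O7 policy that disables regedit. The embedded sample log is constructed, modelled on the entries in this post, with the account name shortened to a placeholder `user`; the hosts-entry pattern and the system-name list are the script's own assumptions, not HijackThis definitions.

```python
"""Flag suspicious entries in a HijackThis 2.x log (added example)."""
import re

# Binaries that legitimately run only from %SystemRoot% or %SystemRoot%\system32.
# This list is an assumption for the example, not an exhaustive Windows inventory.
SYSTEM_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                "lsass.exe", "svchost.exe", "explorer.exe", "inetinfo.exe"}

ENTRY = re.compile(r"^[A-Z]\d{1,2} - ")                       # R0, F2, O1, O4 ...
HOSTS_ENTRY = re.compile(                                     # comment/blank, IPv4 or IPv6 + name
    r"^\s*(#.*)?$|^\s*(\d{1,3}(\.\d{1,3}){3}|[0-9a-f:]*:[0-9a-f:.]*)\s+\S+", re.I)
USER_PROFILE = re.compile(r"\\(documents and settings|users)\\", re.I)


def is_windows_path(path):
    return path.lower().startswith("c:\\windows\\")


def check_process(path):
    """A system-binary name outside %SystemRoot% is a classic impersonation."""
    name = path.rsplit("\\", 1)[-1].lower()
    if name in SYSTEM_NAMES and not is_windows_path(path):
        return f"system binary name outside %SystemRoot%: {path}"
    return None


def check_line(line):
    """Return (category, reason) for a suspicious log entry, else None."""
    if line.startswith("F2 - REG:system.ini: Shell="):
        value = line.split("Shell=", 1)[1].strip()
        if value.lower() != "explorer.exe":
            return ("F2", f"Shell hijack: {value}")
    elif line.startswith("O1 - Hosts: "):
        entry = line[len("O1 - Hosts: "):]
        if not HOSTS_ENTRY.match(entry):
            return ("O1", f"hosts file holds non-hosts content: {entry[:40]!r}")
    elif line.startswith("O4 - "):
        # Command is whatever follows the "[name]" label; Startup: lines have no label.
        m = re.search(r"\]\s*(.+)$", line)
        cmd = m.group(1).strip() if m else line
        # Note: per-user updaters also live in the profile, so review these by hand.
        if USER_PROFILE.search(cmd) or "\\shellnew\\" in cmd.lower():
            return ("O4", f"autorun from user profile or ShellNew: {cmd}")
    elif line.startswith("O7 - ") and "DisableRegedit=1" in line:
        return ("O7", "registry editor disabled by policy")
    return None


def triage(log_text):
    """Walk the log; processes are checked until the first Rn/Fn/On entry."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes and not ENTRY.match(line):
            reason = check_process(line)
            if reason:
                findings.append(("PROC", reason))
            continue
        in_processes = False
        hit = check_line(line)
        if hit:
            findings.append(hit)
    return findings


# Constructed sample, modelled on the log posted in this thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.exe
C:\Documents and Settings\user\Local Settings\Application Data\winlogon.exe
C:\Documents and Settings\user\Local Settings\Application Data\lsass.exe
C:\Documents and Settings\user\Bureau\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://fr.msn.com/
F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\eksplorasi.exe"
O1 - Hosts: <!doctype html public "-//W3C//DTD HTML 4.01//EN">
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [bron-Spizaetus] "C:\WINDOWS\ShellNew\bronstab.exe"
O4 - HKCU\..\Run: [Tok-Cirrhatus] "C:\Documents and Settings\user\Local Settings\Application Data\smss.exe"
O4 - Startup: Empty.pif = ?
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
"""

if __name__ == "__main__":
    for category, reason in triage(SAMPLE_LOG):
        print(f"[{category}] {reason}")
```

On the constructed sample the script reports seven findings: the two impersonated system binaries under Local Settings\Application Data, the Shell= hijack, the HTML line in the hosts file, the two profile/ShellNew autoruns and the regedit policy. It is a reading aid, not a verdict: a legitimate per-user updater also lands in the O4 bucket, and anything it does not flag (such as an unfamiliar binary in system32) still needs a manual look.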

Posted

Hello,

 

The following program must only be used when prescribed by a qualified helper trained on the tool.

Do not use it outside that situation or on your own: dangerous.

 

Download combofix.exe by sUBs and save it to your desktop (and nowhere else).

  • Make sure all programs are closed before starting.
  • Disable the antivirus, otherwise ComboFix will show you a message (if it does, click OK).
  • Double-click combofix.exe to run it.
  • Click "Yes" on the Disclaimer message that appears.
  • If you are offered a restart because a rootkit was found, do it.
  • You will be offered to download and install the Recovery Console; click "Yes" on the message, allow the download in your firewall if asked, then accept the end-user license agreement.
  • The desktop disappears; that is normal, and it will come back.
  • Do not close the window that opens, or you would end up with an empty desktop.
  • When the scan is finished, a report will appear.
  • Copy and paste that report into your next reply.
    The report is located at: C:\Combofix.txt (just in case).

Posted (edited)

Hi Falkra

 

Here it is, as agreed

 

ComboFix 09-05-21.01 - administrateur 05/22/2009 1:44.1 - NTFSx86

Microsoft Windows XP Professionnel 5.1.2600.2.1252.1.1036.18.2046.1525 [GMT 2:00]

Running from: c:\documents and settings\administrateur.CYBERSTADE\Bureau\ComboFix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

* Created a new restore point

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\documents and settings\administrateur.CYBERSTADE\Application Data\.#

c:\documents and settings\administrateur.CYBERSTADE\Application Data\.#\MBX@1708@A141A8.###

c:\documents and settings\administrateur.CYBERSTADE\Application Data\.#\MBX@1708@A141D8.###

c:\documents and settings\administrateur.CYBERSTADE\Application Data\.#\MBX@1708@A14208.###

c:\documents and settings\administrateur.CYBERSTADE\Application Data\.#\MBX@1FA4@A141A8.###

c:\documents and settings\administrateur.CYBERSTADE\Application Data\.#\MBX@1FA4@A141D8.###

c:\documents and settings\administrateur.CYBERSTADE\Application Data\.#\MBX@1FA4@A14208.###

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

c:\restore\S-1-5-21-1482476501-1644491937-682003330-1013

c:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\bob.exe

c:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini

c:\windows\system32\Ijl11.dll

c:\windows\TEMP\logishrd\LVPrcInj01.dll

 

----- BITS: Possible infected sites -----

 

hxxp://srv-1

.

((((((((((((((((((((((((( Files Created from 2009-04-21 to 2009-05-21 )))))))))))))))))))))))))))))))

.

 

2009-05-20 13:46 . 2009-05-21 23:45 -------- d-sh--r C:\RESTORE

2009-05-20 12:04 . 2009-04-06 13:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-05-20 12:04 . 2009-04-06 13:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-05-20 12:04 . 2009-05-20 12:04 -------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-05-20 09:56 . 2009-05-20 10:03 -------- d-----w c:\program files\Woonoz

2009-05-20 06:30 . 2009-03-30 08:32 96104 ----a-w c:\windows\system32\drivers\avipbb.sys

2009-05-20 06:30 . 2009-03-24 14:07 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys

2009-05-20 06:30 . 2009-02-13 10:28 22360 ----a-w c:\windows\system32\drivers\avgntmgr.sys

2009-05-20 06:30 . 2009-02-13 10:17 45416 ----a-w c:\windows\system32\drivers\avgntdd.sys

2009-05-20 06:30 . 2009-05-20 06:30 -------- d-----w c:\program files\Avira

2009-05-20 06:30 . 2009-05-20 06:30 -------- d-----w c:\documents and settings\All Users\Application Data\Avira

2009-05-20 05:45 . 2009-05-20 05:45 3544 ----a-w c:\documents and settings\administrateur.CYBERSTADE\Local Settings\Application Data\Bron.tok.A9.em.bin

2009-05-19 22:00 . 2009-05-19 22:00 -------- d-----w c:\documents and settings\administrateur.CYBERSTADE\Local Settings\Application Data\Bron.tok-9-20

2009-05-18 22:00 . 2009-05-18 22:00 -------- d-----w c:\documents and settings\administrateur.CYBERSTADE\Local Settings\Application Data\Bron.tok-9-19

2009-05-17 22:00 . 2009-05-17 22:00 -------- d-----w c:\documents and settings\administrateur.CYBERSTADE\Local Settings\Application Data\Bron.tok-9-18

2009-05-16 22:00 . 2009-05-16 22:00 -------- d-----w c:\documents and settings\administrateur.CYBERSTADE\Local Settings\Application Data\Bron.tok-9-17

2009-05-16 09:05 . 2009-05-16 09:05 8854 ----a-r c:\documents and settings\administrateur.CYBERSTADE\Application Data\Microsoft\Installer\{6FD27D5C-CAFD-4721-825F-D0DDE6C960D2}\Uninstall_Namco_Muse_6FD27D5CCAFD4721825FD0DDE6C960D2.exe

2009-05-16 09:05 . 2009-05-16 09:05 19518 ----a-r c:\documents and settings\administrateur.CYBERSTADE\Application Data\Microsoft\Installer\{6FD27D5C-CAFD-4721-825F-D0DDE6C960D2}\ffe.exe1_2FCAB582E6F945AF988D869015108473.exe

2009-05-16 09:05 . 2009-05-16 09:05 19518 ----a-r c:\documents and settings\administrateur.CYBERSTADE\Application Data\Microsoft\Installer\{6FD27D5C-CAFD-4721-825F-D0DDE6C960D2}\ffe.exe_2FCAB582E6F945AF988D869015108473.exe

2009-05-16 09:05 . 2009-05-16 09:05 19518 ----a-r c:\documents and settings\administrateur.CYBERSTADE\Application Data\Microsoft\Installer\{6FD27D5C-CAFD-4721-825F-D0DDE6C960D2}\ARPPRODUCTICON.exe

2009-05-16 09:05 . 2009-05-16 09:05 -------- d-----w c:\program files\Namco

2009-05-15 22:00 . 2009-05-15 22:00 -------- d-----w c:\documents and settings\administrateur.CYBERSTADE\Local Settings\Application Data\Bron.tok-9-16

2009-05-14 22:00 . 2009-05-14 22:00 -------- d-----w c:\documents and settings\administrateur.CYBERSTADE\Local Settings\Application Data\Bron.tok-9-15

2009-05-13 22:00 . 2009-05-13 22:00 -------- d-----w c:\documents and settings\administrateur.CYBERSTADE\Local Settings\Application Data\Bron.tok-9-14

2009-05-12 22:00 . 2009-05-12 22:00 -------- d-----w c:\documents and settings\administrateur.CYBERSTADE\Local Settings\Application Data\Bron.tok-9-13

2009-05-12 16:22 . 2009-05-12 16:22 57344 ----a-w c:\documents and settings\administrateur.CYBERSTADE\Application Data\Sun\Java\Deployment\cache\6.0\50\5b902232-36e50021-n\Decora-SSE.dll

2009-05-12 16:22 . 2009-05-12 16:22 24064 ----a-w c:\documents and settings\administrateur.CYBERSTADE\Application Data\Sun\Java\Deployment\cache\6.0\15\4e09eacf-3c017a66-n\Decora-D3D.dll

2009-05-12 16:22 . 2009-05-12 16:22 315392 ----a-w c:\documents and settings\administrateur.CYBERSTADE\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-5a1a7d5f-n\jogl.dll

2009-05-12 16:22 . 2009-05-12 16:22 20480 ----a-w c:\documents and settings\administrateur.CYBERSTADE\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-5a1a7d5f-n\jogl_awt.dll

2009-05-12 16:22 . 2009-05-12 16:22 114688 ----a-w c:\documents and settings\administrateur.CYBERSTADE\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-5a1a7d5f-n\jogl_cg.dll

2009-05-12 16:22 . 2009-05-12 16:22 499712 ----a-w c:\documents and settings\administrateur.CYBERSTADE\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-5bf2b31c-n\msvcp71.dll

2009-05-12 16:22 . 2009-05-12 16:22 499712 ----a-w c:\documents and settings\administrateur.CYBERSTADE\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-5bf2b31c-n\jmc.dll

2009-05-12 16:22 . 2009-05-12 16:22 348160 ----a-w c:\documents and settings\administrateur.CYBERSTADE\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-5bf2b31c-n\msvcr71.dll

2009-05-12 16:22 . 2009-05-12 16:22 20480 ----a-w c:\documents and settings\administrateur.CYBERSTADE\Application Data\Sun\Java\Deployment\cache\6.0\45\4f710eed-27c1967d-n\gluegen-rt.dll

2009-05-11 22:00 . 2009-05-11 22:00 -------- d-----w c:\documents and settings\administrateur.CYBERSTADE\Local Settings\Application Data\Bron.tok-9-12

2009-05-10 22:00 . 2009-05-10 22:00 -------- d-----w c:\documents and settings\administrateur.CYBERSTADE\Local Settings\Application Data\Bron.tok-9-11

2009-05-09 22:00 . 2009-05-09 22:00 -------- d-----w c:\documents and settings\administrateur.CYBERSTADE\Local Settings\Application Data\Bron.tok-9-10

2009-05-08 22:00 . 2009-05-08 22:00 -------- d-----w c:\documents and settings\administrateur.CYBERSTADE\Local Settings\Application Data\Bron.tok-9-9

2009-05-08 14:38 . 2009-05-08 14:38 -------- d-----w c:\program files\CCleaner

2009-05-08 13:51 . 2009-05-09 22:11 -------- d-----w c:\program files\Ê¢´óÍøÂç

2009-05-07 22:00 . 2009-05-07 22:00 -------- d-----w c:\documents and settings\administrateur.CYBERSTADE\Local Settings\Application Data\Bron.tok-9-8

2009-05-06 22:00 . 2009-05-06 22:00 -------- d-----w c:\documents and settings\administrateur.CYBERSTADE\Local Settings\Application Data\Bron.tok-9-7

2009-05-06 17:43 . 2009-05-19 10:21 -------- d-----w c:\documents and settings\administrateur.CYBERSTADE\Local Settings\Application Data\Loc.Mail.Bron.Tok

2009-05-06 17:43 . 2009-05-06 17:43 -------- d-----w c:\documents and settings\administrateur.CYBERSTADE\Local Settings\Application Data\Ok-SendMail-Bron-tok

2009-05-06 17:37 . 2009-05-06 17:37 -------- d-----w c:\documents and settings\administrateur.CYBERSTADE\Local Settings\Application Data\Bron.tok-9-6

2009-04-23 15:44 . 2009-04-23 15:45 -------- d-----w c:\program files\QuickTime

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-05-21 12:54 . 2008-11-20 18:42 -------- d-----w c:\documents and settings\administrateur.CYBERSTADE\Application Data\U3

2009-05-20 19:47 . 2009-02-06 14:00 -------- d-----w c:\program files\World of Warcraft

2009-05-19 13:36 . 2009-02-03 14:01 1 ----a-w c:\documents and settings\administrateur.CYBERSTADE\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys

2009-05-19 13:23 . 2009-01-15 12:51 -------- d-----w c:\documents and settings\All Users\Application Data\Google Updater

2009-05-17 16:57 . 2008-09-29 16:46 -------- d-----w c:\program files\Warcraft III

2009-05-17 15:51 . 2009-04-11 18:26 -------- d-----w c:\program files\Garena

2009-05-16 09:04 . 2008-06-20 11:54 -------- d-----w c:\program files\Fichiers communs\InstallShield

2009-05-13 13:33 . 2008-09-27 17:57 -------- d-----w c:\program files\Dofus

2009-05-09 22:11 . 2009-05-08 13:51 -------- d-----w c:\program files\Ê¢´óÍøÂç

2009-05-09 22:08 . 2008-09-27 02:07 91568 ----a-w c:\documents and settings\administrateur.CYBERSTADE\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-05-08 15:20 . 2008-09-28 23:21 -------- d-----w c:\program files\Fichiers communs\Blizzard Entertainment

2009-05-08 15:17 . 2009-01-15 12:51 -------- d-----w c:\program files\Google

2009-05-08 14:49 . 2008-08-01 07:19 81984 ----a-w c:\windows\system32\bdod.bin

2009-05-08 10:48 . 2008-11-12 09:25 -------- d-----w c:\program files\L'Entraîneur 2006

2009-05-06 18:02 . 2008-06-20 12:31 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help

2009-05-03 20:01 . 2008-11-20 10:33 -------- d-----w c:\program files\Steam

2009-04-28 03:29 . 2009-03-08 18:56 265416 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2009-04-27 18:59 . 2008-12-02 01:32 -------- d-----w c:\program files\Curse

2009-04-25 18:28 . 2009-03-11 20:17 -------- d-----w c:\documents and settings\administrateur.CYBERSTADE\Application Data\teamspeak2

2009-04-16 17:51 . 2009-04-16 17:44 -------- d-----w c:\program files\Metin2_France

2009-04-10 14:03 . 2009-01-06 10:56 334912 ----a-w c:\documents and settings\administrateur.CYBERSTADE\Application Data\id Software\quakelive\home\baseq3\cgamex86.dll

2009-04-10 14:02 . 2009-01-06 10:56 171072 ----a-w c:\documents and settings\administrateur.CYBERSTADE\Application Data\id Software\quakelive\home\baseq3\uix86.dll

2009-04-10 14:02 . 2008-09-28 20:36 138944 ----a-w c:\windows\system32\drivers\PnkBstrK.sys

2009-04-10 14:02 . 2008-09-28 20:35 189784 ----a-w c:\windows\system32\PnkBstrB.exe

2009-04-10 14:02 . 2009-01-06 10:56 874660 ----a-w c:\documents and settings\administrateur.CYBERSTADE\Application Data\id Software\quakelive\home\pb\pbcl.dll

2009-04-10 14:02 . 2009-01-06 10:56 57344 ----a-w c:\documents and settings\administrateur.CYBERSTADE\Application Data\id Software\quakelive\home\pb\pbag.dll

2009-04-10 14:02 . 2009-01-06 10:56 479232 ----a-w c:\documents and settings\administrateur.CYBERSTADE\Application Data\id Software\quakelive\home\pb\pbsv.dll

2009-04-10 14:02 . 2009-01-06 10:56 2669632 ----a-w c:\documents and settings\administrateur.CYBERSTADE\Application Data\id Software\quakelive\home\baseq3\quakelive.dll

2009-04-10 13:57 . 2008-09-28 20:35 75064 ----a-w c:\windows\system32\PnkBstrA.exe

2009-04-10 13:44 . 2008-09-28 20:36 22328 ----a-w c:\documents and settings\administrateur.CYBERSTADE\Application Data\PnkBstrK.sys

2009-04-10 13:44 . 2008-09-28 20:36 22328 ----a-w c:\documents and settings\administrateur.CYBERSTADE\Application Data\PnkBstrK.sys

2009-04-10 13:43 . 2008-09-28 20:35 2246144 ----a-w c:\windows\system32\pbsvc.exe

2009-03-31 07:13 . 2007-10-29 12:00 83924 ----a-w c:\windows\system32\perfc00C.dat

2009-03-31 07:13 . 2007-10-29 12:00 507248 ----a-w c:\windows\system32\perfh00C.dat

2009-03-30 07:12 . 2008-09-27 18:39 -------- d-----w c:\program files\Java

2009-03-30 06:50 . 2009-03-30 06:50 152576 ----a-w c:\documents and settings\administrateur.CYBERSTADE\Application Data\Sun\Java\jre1.6.0_13\lzma.dll

2009-03-26 19:10 . 2009-03-26 19:09 -------- d-----w c:\documents and settings\administrateur.CYBERSTADE\Application Data\Download Manager

2009-03-25 08:46 . 2009-03-25 08:46 625728 ----a-w c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll

2009-03-24 09:53 . 2008-06-20 12:16 -------- d-----w c:\program files\Fichiers communs\Adobe

2009-03-23 19:15 . 2009-03-11 20:04 -------- d-----w c:\documents and settings\administrateur.CYBERSTADE\Application Data\Mumble

2009-03-12 05:44 . 2009-03-12 14:06 1027408 ----a-w c:\documents and settings\All Users\Application Data\LGMOBILEAX\B2C_Client\LGUserCSTool.exe

2009-03-12 05:43 . 2009-03-12 14:06 434176 ----a-w c:\documents and settings\All Users\Application Data\LGMOBILEAX\B2C_Client\LGMUpgradeDL.dll

2009-03-09 03:19 . 2008-12-14 12:37 410984 ----a-w c:\windows\system32\deploytk.dll

2009-03-05 22:45 . 2009-03-05 22:45 12800 ----a-w c:\documents and settings\administrateur.CYBERSTADE\Application Data\Thinstall\Quake III Arena\4000003da00002i\quake3.exe

2009-03-03 22:45 . 2009-03-12 14:06 81920 ----a-w c:\documents and settings\All Users\Application Data\LGMOBILEAX\B2C_Client\LGMobileDL.dll

2008-09-27 03:56 . 2008-09-27 03:56 15397 ----a-w c:\program files\settings.dat

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2007-10-29 15360]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-15 39408]

"Google Update"="c:\documents and settings\administrateur.CYBERSTADE\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-05-21 133104]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 56928]

"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 54832]

"Launch LGDCore"="c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2007-12-13 2095640]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-03 13529088]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"TomcatStartup 2.5"="c:\program files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-11-12 245760]

"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-11-14 16270848]

"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-03 1630208]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2007-10-29 15360]

 

c:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\

Démarrage rapide du logiciel HP Image Zone.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]

 

[HKLM\~\startupfolder\C:^Documents and Settings^administrateur.CYBERSTADE^Menu Démarrer^Programmes^Démarrage^Empty.pif]

path=c:\documents and settings\administrateur.CYBERSTADE\Menu Démarrer\Programmes\Démarrage\Empty.pif

backup=c:\windows\pss\Empty.pifStartup

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

 

R2 AntiVirSchedulerService;Avira AntiVir Planificateur;c:\program files\Avira\AntiVir Desktop\sched.exe [5/20/2009 8:30 AM 108289]

R3 3xHybrid;Pinnacle PCTV 100i-110i-300i-310i-MCE;c:\windows\system32\drivers\3xHybrid.sys [6/23/2008 5:24 PM 1121536]

S2 ievefcn;dtgqv;c:\windows\system32\svchost.exe -k netsvcs [10/29/2007 2:00 PM 14336]

S2 nwddqsgj;Shell Universal;c:\windows\system32\svchost.exe -k netsvcs [10/29/2007 2:00 PM 14336]

S2 ohlzzd;Security Helper;c:\windows\system32\svchost.exe -k netsvcs [10/29/2007 2:00 PM 14336]

S2 ynpgfzvwh;System Microsoft;c:\windows\system32\svchost.exe -k netsvcs [10/29/2007 2:00 PM 14336]

S3 kiowznvsp;kiowznvsp;\??\c:\windows\system32\03CB.tmp --> c:\windows\system32\03CB.tmp [?]

S3 ktmfiaw;ktmfiaw;\??\c:\windows\system32\0640.tmp --> c:\windows\system32\0640.tmp [?]

S3 qpkvc;qpkvc;\??\c:\windows\system32\034D.tmp --> c:\windows\system32\034D.tmp [?]

S3 qyynu;qyynu;\??\c:\windows\system32\01407.tmp --> c:\windows\system32\01407.tmp [?]

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

nwddqsgj

ohlzzd

ynpgfzvwh

ievefcn

 

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{28ABC5C0-4FCB-11CF-AAX5-21CX1C631322}]

c:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\bob.exe

.

Contents of the 'Scheduled Tasks' folder

 

2009-05-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1881933800-2416438935-2271469046-500.job

- c:\documents and settings\administrateur.CYBERSTADE\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-21 21:47]

.

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyOverride = *.local

IE: E&xporter vers Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

TCP: {ADD55CEC-C550-45E6-B74E-A2EFCC644CF7} = 192.168.0.100

FF - ProfilePath - c:\documents and settings\administrateur.CYBERSTADE\Application Data\Mozilla\Firefox\Profiles\arl8etxo.default\

FF - prefs.js: browser.startup.homepage - www.google.Fr

FF - plugin: c:\documents and settings\administrateur.CYBERSTADE\Local Settings\Application Data\Google\Update\1.2.145.5\npGoogleOneClick8.dll

FF - plugin: c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll

FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll

.

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-05-22 01:49

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kiowznvsp]

"ImagePath"="\??\c:\windows\system32\03CB.tmp"

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ktmfiaw]

"ImagePath"="\??\c:\windows\system32\0640.tmp"

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\qpkvc]

"ImagePath"="\??\c:\windows\system32\034D.tmp"

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\qyynu]

"ImagePath"="\??\c:\windows\system32\01407.tmp"

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ievefcn]

"ServiceDll"="c:\windows\system32\mgjkp.dll"

--

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\nwddqsgj]

"ServiceDll"="c:\windows\system32\mgjkp.dll"

--

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ohlzzd]

"ServiceDll"="c:\windows\system32\mgjkp.dll"

--

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ynpgfzvwh]

"ServiceDll"="c:\windows\system32\mgjkp.dll"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"


 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"


 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"


 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"


 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"


 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"


 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"


 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"


 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"


 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"


 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"


 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"


.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

- - - - - - - > 'lsass.exe'(844)

c:\program files\Bonjour\mdnsNSP.dll

 

- - - - - - - > 'explorer.exe'(6444)

c:\windows\TEMP\logishrd\LVPrcInj01.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Nero\Nero 7\InCD\InCDsrv.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Fichiers communs\LogiShrd\LVCOMSER\LVComSer.exe

c:\program files\Fichiers communs\LogiShrd\LVMVFM\LVPrcSrv.exe

c:\windows\system32\nvsvc32.exe

c:\windows\system32\HPZipm12.exe

c:\windows\system32\PnkBstrA.exe

c:\program files\CyberLink\Shared Files\RichVideo.exe

c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

c:\windows\system32\wdfmgr.exe

c:\program files\Fichiers communs\LogiShrd\LVCOMSER\LVComSer.exe

c:\progra~1\HEWLET~1\Toolbox\STATUS~1\STATUS~1.EXE

c:\program files\HP\Digital Imaging\bin\hpqgalry.exe

c:\program files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe

.

**************************************************************************

.

Completion time: 2009-05-21 1:56 - machine was rebooted

ComboFix-quarantined-files.txt 2009-05-21 23:56

 

Pre-Run: 148,751,904,768 octets libres

Post-Run: 148,810,395,648 octets libres

 

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professionnel" /noexecute=optin /fastdetect

multi(0)disk(0)rdisk(2)partition(2)\WINDOWS=Windows XP/2003

 

327 --- E O F --- 2009-05-21 23:55

 

I deleted:

2009-05-20 05:45 . 2009-05-20 05:45 3544 ----a-w c:\documents and settings\administrateur.CYBERSTADE\Local Settings\Application Data\Bron.tok.A9.em.bin

2009-05-19 22:00 . 2009-05-19 22:00 -------- d-----w c:\documents and settings\administrateur.CYBERSTADE\Local Settings\Application Data\Bron.tok-9-20

2009-05-18 22:00 . 2009-05-18 22:00 -------- d-----w c:\documents and settings\administrateur.CYBERSTADE\Local Settings\Application Data\Bron.tok-9-19

2009-05-17 22:00 . 2009-05-17 22:00 -------- d-----w c:\documents and settings\administrateur.CYBERSTADE\Local Settings\Application Data\Bron.tok-9-18

2009-05-16 22:00 . 2009-05-16 22:00 -------- d-----w c:\documents and settings\administrateur.CYBERSTADE\Local Settings\Application Data\Bron.tok-9-17


Edited by eclypse
Posted

Don't delete anything, that's the best way to delete one thing too many! The day it turns out to be a legitimate file that was renamed or patched, you nicely blow up your system.

If you come here for help, it's precisely to avoid that.

 

What follows is for this machine, and this machine only.

Do not use it on another machine under any circumstances: dangerous.

 

 

  • Download the file CFscript.txt from this site:
    http://senduit.com/9a5fbe
     
  • Put it on the desktop, next to the ComboFix icon.
  • Drag and drop this CFscript file onto the ComboFix.exe file as shown in the screenshot

[screenshot: animation1md2.gif]

  • Wait while the scan runs. The desktop will disappear several times: this is normal! Don't touch anything until the scan is finished.
  • Once the scan is complete, a report will open: post its contents.
  • If the file doesn't open, it is located here > C:\ComboFix.txt

2 weeks later...
Posted

Hi

 

Could you put the link to the file back up, it has expired

 

See you

Posted (edited)

Hi

 

ComboFix 09-05-30.03 - administrateur 30/05/2009 23:24.2 - NTFSx86

Microsoft Windows XP Professionnel 5.1.2600.3.1252.33.1036.18.2046.1616 [GMT 2:00]

Lancé depuis: c:\documents and settings\administrateur.CYBERSTADE\Bureau\ComboFix.exe

Commutateurs utilisés :: c:\documents and settings\administrateur.CYBERSTADE\Bureau\CFscript.txt

AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

 

FILE ::

"c:\documents and settings\administrateur.CYBERSTADE\Menu Démarrer\Programmes\Démarrage\Empty.pif"

"c:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\bob.exe"

"c:\windows\system32\01407.tmp"

"c:\windows\system32\034D.tmp"

"c:\windows\system32\03CB.tmp"

"c:\windows\system32\0640.tmp"

"c:\windows\system32\mgjkp.dll"

.

 

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\program files\Ê¢´óÍøÂç

C:\RESTORE

c:\windows\system32\404Fix.exe

c:\windows\system32\Agent.OMZ.Fix.exe

c:\windows\system32\dumphive.exe

c:\windows\system32\IEDFix.C.exe

c:\windows\system32\IEDFix.exe

c:\windows\system32\o4Patch.exe

c:\windows\system32\Process.exe

c:\windows\system32\SrchSTS.exe

c:\windows\system32\VACFix.exe

c:\windows\system32\VCCLSID.exe

c:\windows\system32\WS2Fix.exe

 

.

((((((((((((((((((((((((((((( Fichiers créés du 2009-04-28 au 2009-05-30 ))))))))))))))))))))))))))))))))))))

.

 

2009-05-30 20:06 . 2008-12-17 05:55 195096 ----a-w c:\windows\system32\lvci11901262.dll

2009-05-30 20:02 . 2009-05-30 20:02 -------- d-----w c:\program files\ma-config.com

2009-05-30 20:02 . 2009-05-30 20:02 -------- d-----w c:\documents and settings\All Users\Application Data\ma-config.com

2009-05-30 19:55 . 2009-05-30 20:11 194648 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2009-05-30 19:47 . 2009-05-30 19:47 664 ----a-w c:\windows\system32\d3d9caps.dat

2009-05-30 18:04 . 2009-05-30 18:09 -------- d-----w c:\documents and settings\administrateur.CYBERSTADE\Local Settings\Application Data\Rockstar Games

2009-05-30 18:00 . 2008-05-30 12:19 507400 ----a-w c:\windows\system32\XAudio2_1.dll

2009-05-30 18:00 . 2008-05-30 12:17 65032 ----a-w c:\windows\system32\XAPOFX1_0.dll

2009-05-30 18:00 . 2008-05-30 12:18 238088 ----a-w c:\windows\system32\xactengine3_1.dll

2009-05-30 18:00 . 2008-05-30 12:17 25608 ----a-w c:\windows\system32\X3DAudio1_4.dll

2009-05-30 18:00 . 2008-05-30 12:11 467984 ----a-w c:\windows\system32\d3dx10_38.dll

2009-05-30 18:00 . 2008-05-30 12:11 3850760 ----a-w c:\windows\system32\D3DX9_38.dll

2009-05-30 18:00 . 2008-05-30 12:11 1491992 ----a-w c:\windows\system32\D3DCompiler_38.dll

2009-05-30 17:59 . 2009-05-30 17:59 -------- d-----w c:\windows\Logs

2009-05-30 17:57 . 2009-05-30 17:59 -------- d-----w C:\29a1abc75369e977bf14

2009-05-30 17:57 . 2009-05-30 17:57 -------- d-----w c:\windows\system32\xlive

2009-05-30 17:57 . 2009-05-30 18:17 -------- d-----w c:\program files\Microsoft Games for Windows - LIVE

2009-05-30 17:30 . 2009-05-30 17:30 -------- d-----w c:\program files\Rockstar Games

2009-05-23 05:58 . 2009-05-23 05:58 -------- d-sh--w c:\documents and settings\administrateur.CYBERSTADE\IECompatCache

2009-05-22 17:45 . 2008-10-16 12:06 268648 ----a-w c:\windows\system32\mucltui.dll

2009-05-22 15:23 . 2009-05-22 15:23 -------- d-----w c:\documents and settings\administrateur.CYBERSTADE\Application Data\Windows Search

2009-05-22 09:35 . 2009-05-22 09:35 -------- d-sh--w c:\documents and settings\administrateur.CYBERSTADE\PrivacIE

2009-05-22 08:58 . 2009-05-22 08:58 -------- d-----r c:\documents and settings\LocalService\Favoris

2009-05-22 05:28 . 2008-06-14 17:33 272768 -c----w c:\windows\system32\dllcache\bthport.sys

2009-05-22 05:28 . 2008-05-08 14:02 203136 -c----w c:\windows\system32\dllcache\rmcast.sys

2009-05-22 05:28 . 2008-10-24 11:21 455296 -c----w c:\windows\system32\dllcache\mrxsmb.sys

2009-05-22 05:28 . 2008-12-11 10:57 333952 -c----w c:\windows\system32\dllcache\srv.sys

2009-05-22 05:28 . 2008-10-15 16:35 337408 -c----w c:\windows\system32\dllcache\netapi32.dll

2009-05-22 05:12 . 2009-05-22 05:12 -------- d-----w c:\windows\l2schemas

2009-05-22 05:12 . 2009-05-22 05:12 -------- d-----w c:\windows\system32\fr

2009-05-22 05:12 . 2009-05-22 05:12 -------- d-----w c:\windows\system32\bits

2009-05-22 05:10 . 2009-05-22 05:12 -------- d-----w c:\windows\ServicePackFiles

2009-05-22 05:03 . 2009-05-22 05:03 -------- d-sh--w c:\documents and settings\LocalService\IETldCache

2009-05-22 05:02 . 2009-05-22 05:02 -------- d-sh--w c:\documents and settings\administrateur.CYBERSTADE\IETldCache

2009-05-22 04:04 . 2009-05-22 04:05 -------- d-----w C:\16419f3366b669dd913e6a2c08a705

2009-05-22 03:55 . 2009-05-22 03:55 -------- d-----w c:\windows\ie8updates

2009-05-22 03:55 . 2009-04-25 05:30 102400 -c----w c:\windows\system32\dllcache\iecompat.dll

2009-05-22 03:54 . 2009-05-22 03:55 -------- dc-h--w c:\windows\ie8

2009-05-22 03:47 . 2009-05-22 03:48 -------- d-----w C:\256db5ca899894069a119cd228fb

2009-05-22 03:41 . 2009-05-30 20:31 -------- d-----w c:\documents and settings\administrateur.CYBERSTADE\Tracing

2009-05-22 03:38 . 2009-05-22 03:38 -------- d-----w c:\program files\Windows Live SkyDrive

2009-05-22 03:37 . 2009-05-22 03:37 -------- d-----w c:\program files\Fichiers communs\Windows Live

2009-05-22 03:36 . 2009-05-22 03:36 -------- d-----w c:\program files\Microsoft Silverlight

2009-05-22 03:36 . 2009-05-22 03:36 -------- d-----w c:\program files\Microsoft

2009-05-22 03:35 . 2009-05-22 04:18 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Adobe

2009-05-22 03:35 . 2009-05-22 03:35 -------- d-----w c:\documents and settings\administrateur.CYBERSTADE\Application Data\Windows Desktop Search

2009-05-22 03:34 . 2009-05-22 03:34 -------- d-----w c:\program files\Windows Desktop Search

2009-05-22 03:34 . 2009-05-22 03:34 -------- d-----w c:\windows\system32\GroupPolicy

2009-05-22 03:34 . 2009-05-22 03:34 -------- d-----w c:\program files\Windows Media Connect 2

2009-05-22 03:32 . 2009-05-22 03:34 -------- d-----w C:\ad6055a07064651d0d439eadb8bc

2009-05-22 03:31 . 2009-05-22 03:32 -------- d-----w C:\25b94b873eb42f49d1e534d39de5

2009-05-22 03:31 . 2009-05-22 03:32 -------- d-----w c:\windows\system32\drivers\UMDF

2009-05-22 03:30 . 2009-05-22 03:31 -------- d-----w C:\4b5f7b9cb3ff552b648fc199

2009-05-22 03:02 . 2009-03-06 14:20 286720 -c----w c:\windows\system32\dllcache\pdh.dll

2009-05-22 03:01 . 2008-04-21 21:15 219136 -c----w c:\windows\system32\dllcache\wordpad.exe

2009-05-22 00:31 . 2009-05-22 00:31 -------- d-----w c:\windows\ERUNT

2009-05-20 12:04 . 2009-04-06 13:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-05-20 12:04 . 2009-04-06 13:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-05-20 12:04 . 2009-05-20 12:04 -------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-05-20 09:56 . 2009-05-20 10:03 -------- d-----w c:\program files\Woonoz

2009-05-20 06:30 . 2009-03-30 08:32 96104 ----a-w c:\windows\system32\drivers\avipbb.sys

2009-05-20 06:30 . 2009-03-24 14:07 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys

2009-05-20 06:30 . 2009-02-13 10:28 22360 ----a-w c:\windows\system32\drivers\avgntmgr.sys

2009-05-20 06:30 . 2009-02-13 10:17 45416 ----a-w c:\windows\system32\drivers\avgntdd.sys

2009-05-20 06:30 . 2009-05-20 06:30 -------- d-----w c:\program files\Avira

2009-05-20 06:30 . 2009-05-20 06:30 -------- d-----w c:\documents and settings\All Users\Application Data\Avira

2009-05-16 09:05 . 2009-05-16 09:05 8854 ----a-r c:\documents and settings\administrateur.CYBERSTADE\Application Data\Microsoft\Installer\{6FD27D5C-CAFD-4721-825F-D0DDE6C960D2}\Uninstall_Namco_Muse_6FD27D5CCAFD4721825FD0DDE6C960D2.exe

2009-05-16 09:05 . 2009-05-16 09:05 19518 ----a-r c:\documents and settings\administrateur.CYBERSTADE\Application Data\Microsoft\Installer\{6FD27D5C-CAFD-4721-825F-D0DDE6C960D2}\ffe.exe1_2FCAB582E6F945AF988D869015108473.exe

2009-05-16 09:05 . 2009-05-16 09:05 19518 ----a-r c:\documents and settings\administrateur.CYBERSTADE\Application Data\Microsoft\Installer\{6FD27D5C-CAFD-4721-825F-D0DDE6C960D2}\ffe.exe_2FCAB582E6F945AF988D869015108473.exe

2009-05-16 09:05 . 2009-05-16 09:05 19518 ----a-r c:\documents and settings\administrateur.CYBERSTADE\Application Data\Microsoft\Installer\{6FD27D5C-CAFD-4721-825F-D0DDE6C960D2}\ARPPRODUCTICON.exe

2009-05-16 09:05 . 2009-05-16 09:05 -------- d-----w c:\program files\Namco

2009-05-08 14:38 . 2009-05-08 14:38 -------- d-----w c:\program files\CCleaner

2009-05-06 17:43 . 2009-05-19 10:21 -------- d-----w c:\documents and settings\administrateur.CYBERSTADE\Local Settings\Application Data\Loc.Mail.Bron.Tok

 

.

(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-05-30 20:07 . 2008-06-20 13:13 -------- d-----w c:\program files\Fichiers communs\LogiShrd

2009-05-30 20:06 . 2008-06-20 13:13 -------- d-----w c:\documents and settings\All Users\Application Data\LogiShrd

2009-05-30 20:06 . 2008-10-28 03:35 -------- d-----w c:\program files\Logitech

2009-05-30 18:01 . 2008-11-12 09:49 107888 ----a-w c:\windows\system32\CmdLineExt.dll

2009-05-30 17:30 . 2008-06-20 12:04 -------- d--h--w c:\program files\InstallShield Installation Information

2009-05-30 10:08 . 2009-02-03 14:01 1 ----a-w c:\documents and settings\administrateur.CYBERSTADE\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys

2009-05-30 01:02 . 2009-04-11 18:26 -------- d-----w c:\program files\Garena

2009-05-29 23:02 . 2009-01-15 12:51 -------- d-----w c:\documents and settings\All Users\Application Data\Google Updater

2009-05-28 21:45 . 2008-06-20 12:31 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help

2009-05-27 22:09 . 2008-09-29 16:46 -------- d-----w c:\program files\Warcraft III

2009-05-22 18:57 . 2007-10-29 12:00 80956 ----a-w c:\windows\system32\perfc00C.dat

2009-05-22 18:57 . 2007-10-29 12:00 503690 ----a-w c:\windows\system32\perfh00C.dat

2009-05-22 08:46 . 2008-09-27 02:07 91568 ----a-w c:\documents and settings\administrateur.CYBERSTADE\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-05-22 05:13 . 2008-06-20 11:47 86331 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat

2009-05-22 03:57 . 2008-06-20 12:55 -------- d-----w c:\program files\Microsoft Works

2009-05-22 03:55 . 2008-09-27 18:00 -------- d-----w c:\program files\Fichiers communs\Wise Installation Wizard

2009-05-22 03:38 . 2008-06-20 14:28 -------- d-----w c:\program files\Windows Live

2009-05-21 12:54 . 2008-11-20 18:42 -------- d-----w c:\documents and settings\administrateur.CYBERSTADE\Application Data\U3

2009-05-20 19:47 . 2009-02-06 14:00 -------- d-----w c:\program files\World of Warcraft

2009-05-16 09:04 . 2008-06-20 11:54 -------- d-----w c:\program files\Fichiers communs\InstallShield

2009-05-13 13:33 . 2008-09-27 17:57 -------- d-----w c:\program files\Dofus

2009-05-08 15:20 . 2008-09-28 23:21 -------- d-----w c:\program files\Fichiers communs\Blizzard Entertainment

2009-05-08 15:17 . 2009-01-15 12:51 -------- d-----w c:\program files\Google

2009-05-08 14:49 . 2008-08-01 07:19 81984 ----a-w c:\windows\system32\bdod.bin

2009-05-08 10:48 . 2008-11-12 09:25 -------- d-----w c:\program files\L'Entraîneur 2006

2009-05-03 20:01 . 2008-11-20 10:33 -------- d-----w c:\program files\Steam

2009-04-27 18:59 . 2008-12-02 01:32 -------- d-----w c:\program files\Curse

2009-04-25 18:28 . 2009-03-11 20:17 -------- d-----w c:\documents and settings\administrateur.CYBERSTADE\Application Data\teamspeak2

2009-04-23 15:45 . 2009-04-23 15:44 -------- d-----w c:\program files\QuickTime

2009-04-21 22:20 . 2009-04-21 22:20 14311680 ----a-w c:\windows\system32\xlive.dll

2009-04-21 22:20 . 2009-04-21 22:20 13642496 ----a-w c:\windows\system32\xlivefnt.dll

2009-04-16 17:51 . 2009-04-16 17:44 -------- d-----w c:\program files\Metin2_France

2009-04-10 14:03 . 2009-01-06 10:56 334912 ----a-w c:\documents and settings\administrateur.CYBERSTADE\Application Data\id Software\quakelive\home\baseq3\cgamex86.dll

2009-04-10 14:02 . 2009-01-06 10:56 171072 ----a-w c:\documents and settings\administrateur.CYBERSTADE\Application Data\id Software\quakelive\home\baseq3\uix86.dll

2009-04-10 14:02 . 2008-09-28 20:36 138944 ----a-w c:\windows\system32\drivers\PnkBstrK.sys

2009-04-10 14:02 . 2008-09-28 20:35 189784 ----a-w c:\windows\system32\PnkBstrB.exe

2009-04-10 14:02 . 2009-01-06 10:56 874660 ----a-w c:\documents and settings\administrateur.CYBERSTADE\Application Data\id Software\quakelive\home\pb\pbcl.dll

2009-04-10 14:02 . 2009-01-06 10:56 57344 ----a-w c:\documents and settings\administrateur.CYBERSTADE\Application Data\id Software\quakelive\home\pb\pbag.dll

2009-04-10 14:02 . 2009-01-06 10:56 479232 ----a-w c:\documents and settings\administrateur.CYBERSTADE\Application Data\id Software\quakelive\home\pb\pbsv.dll

2009-04-10 14:02 . 2009-01-06 10:56 2669632 ----a-w c:\documents and settings\administrateur.CYBERSTADE\Application Data\id Software\quakelive\home\baseq3\quakelive.dll

2009-04-10 13:57 . 2008-09-28 20:35 75064 ----a-w c:\windows\system32\PnkBstrA.exe

2009-04-10 13:44 . 2008-09-28 20:36 22328 ----a-w c:\documents and settings\administrateur.CYBERSTADE\Application Data\PnkBstrK.sys

2009-04-10 13:44 . 2008-09-28 20:36 22328 ----a-w c:\documents and settings\administrateur.CYBERSTADE\Application Data\PnkBstrK.sys

2009-04-10 13:43 . 2008-09-28 20:35 2246144 ----a-w c:\windows\system32\pbsvc.exe

2009-03-30 06:50 . 2009-03-30 06:50 152576 ----a-w c:\documents and settings\administrateur.CYBERSTADE\Application Data\Sun\Java\jre1.6.0_13\lzma.dll

2009-03-25 08:46 . 2009-03-25 08:46 625728 ----a-w c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll

2009-03-09 03:19 . 2008-12-14 12:37 410984 ----a-w c:\windows\system32\deploytk.dll

2009-03-08 02:34 . 2007-10-29 12:00 914944 ----a-w c:\windows\system32\wininet.dll

2009-03-08 02:34 . 2007-10-29 12:00 43008 ----a-w c:\windows\system32\licmgr10.dll

2009-03-08 02:33 . 2007-10-29 12:00 18944 ----a-w c:\windows\system32\corpol.dll

2009-03-08 02:33 . 2007-10-29 12:00 420352 ----a-w c:\windows\system32\vbscript.dll

2009-03-08 02:32 . 2007-10-29 12:00 72704 ----a-w c:\windows\system32\admparse.dll

2009-03-08 02:32 . 2007-10-29 12:00 71680 ----a-w c:\windows\system32\iesetup.dll

2009-03-08 02:31 . 2007-10-29 12:00 34816 ----a-w c:\windows\system32\imgutil.dll

2009-03-08 02:31 . 2007-10-29 12:00 48128 ----a-w c:\windows\system32\mshtmler.dll

2009-03-08 02:31 . 2007-10-29 12:00 45568 ----a-w c:\windows\system32\mshta.exe

2009-03-08 02:22 . 2007-10-29 12:00 156160 ----a-w c:\windows\system32\msls31.dll

2009-03-06 14:20 . 2007-10-29 12:00 286720 ----a-w c:\windows\system32\pdh.dll

2009-03-05 22:45 . 2009-03-05 22:45 12800 ----a-w c:\documents and settings\administrateur.CYBERSTADE\Application Data\Thinstall\Quake III Arena\4000003da00002i\quake3.exe

2008-09-27 03:56 . 2008-09-27 03:56 15397 ----a-w c:\program files\settings.dat

.

 

((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-03 13529088]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

 

[HKLM\~\startupfolder\C:^Documents and Settings^administrateur.CYBERSTADE^Menu Démarrer^Programmes^Démarrage^Empty.pif]

path=c:\documents and settings\administrateur.CYBERSTADE\Menu Démarrer\Programmes\Démarrage\Empty.pif

backup=c:\windows\pss\Empty.pifStartup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^Démarrage rapide du logiciel HP Image Zone.lnk]

path=c:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\Démarrage rapide du logiciel HP Image Zone.lnk

backup=c:\windows\pss\Démarrage rapide du logiciel HP Image Zone.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^Windows Search.lnk]

path=c:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\Windows Search.lnk

backup=c:\windows\pss\Windows Search.lnkCommon Startup

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

 

R2 AntiVirSchedulerService;Avira AntiVir Planificateur;c:\program files\Avira\AntiVir Desktop\sched.exe [20/05/2009 08:30 108289]

R3 3xHybrid;Pinnacle PCTV 100i-110i-300i-310i-MCE;c:\windows\system32\drivers\3xHybrid.sys [23/06/2008 17:24 1121536]

S2 ievefcn;dtgqv;c:\windows\system32\svchost.exe -k netsvcs [29/10/2007 14:00 14336]

S2 nwddqsgj;Shell Universal;c:\windows\system32\svchost.exe -k netsvcs [29/10/2007 14:00 14336]

S2 ohlzzd;Security Helper;c:\windows\system32\svchost.exe -k netsvcs [29/10/2007 14:00 14336]

S2 ynpgfzvwh;System Microsoft;c:\windows\system32\svchost.exe -k netsvcs [29/10/2007 14:00 14336]

S3 maconfservice;Ma-Config Service;c:\program files\ma-config.com\maconfservice.exe [29/05/2009 17:13 234864]

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

nwddqsgj

ohlzzd

ynpgfzvwh

ievefcn

 

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Contents of the 'Scheduled Tasks' folder

 

2009-05-30 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-01-15 19:25]

 

2009-05-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1881933800-2416438935-2271469046-500.job

- c:\documents and settings\administrateur.CYBERSTADE\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-21 21:47]

.

- - - - ORPHANS REMOVED - - - -

 

SafeBoot-procexp90.Sys

 

 

.

------- Supplemental Scan -------

.

TCP: {ADD55CEC-C550-45E6-B74E-A2EFCC644CF7} = 192.168.0.100

FF - ProfilePath - c:\documents and settings\administrateur.CYBERSTADE\Application Data\Mozilla\Firefox\Profiles\arl8etxo.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.google.fr

FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=

FF - plugin: c:\documents and settings\administrateur.CYBERSTADE\Local Settings\Application Data\Google\Update\1.2.145.5\npGoogleOneClick8.dll

FF - plugin: c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll

FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll

FF - plugin: c:\program files\ma-config.com\nphardwaredetection.dll

FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll

.

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-05-30 23:42

Windows 5.1.2600 Service Pack 3 NTFS

 

Scanning hidden processes ...

 

Scanning hidden autostart entries ...

 

Scanning hidden files ...

 

Scan completed successfully

Hidden files: 0

 

**************************************************************************

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ievefcn]

"ServiceDll"="c:\windows\system32\mgjkp.dll"

--

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\nwddqsgj]

"ServiceDll"="c:\windows\system32\mgjkp.dll"

--

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ohlzzd]

"ServiceDll"="c:\windows\system32\mgjkp.dll"

--

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ynpgfzvwh]

"ServiceDll"="c:\windows\system32\mgjkp.dll"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

 

[HKEY_USERS\S-1-5-21-1881933800-2416438935-2271469046-500\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (Administrator)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1d,90,41,5b,e7,ed,b0,45,bb,9a,af,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1d,90,41,5b,e7,ed,b0,45,bb,9a,af,\

 

[HKEY_USERS\S-1-5-21-1881933800-2416438935-2271469046-500\Software\SecuROM\License information*]

"datasecu"=hex:83,ec,ce,39,4b,d4,02,df,c9,8b,5f,c4,34,9e,15,e0,31,47,75,5c,4d,

e8,0b,97,f3,71,bb,08,b2,38,21,39,36,ca,c2,78,f0,ce,c7,82,54,5b,67,38,93,f6,\

"rkeysecu"=hex:2f,0f,d5,3e,02,2b,06,63,b1,0b,dd,b6,71,e2,54,98

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"cd042efbbd7f7af1647644e76e06692b"=hex:c8,28,51,af,b0,29,a3,98,bb,88,18,06,dd,

4b,f0,93,c8,28,51,af,b0,29,a3,98,91,45,1c,27,36,e6,56,ae,e2,63,26,f1,3f,c8,\

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66,8b,46,0d,96,82,d8,95,42,f2,

e4,97,e5,71,3b,04,66,8b,46,0d,96,98,ba,db,16,95,bb,83,90,6a,9c,d6,61,af,45,\

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e,55,20,c9,26,2d,c7,52,d5,9e,

c1,c8,1e,25,da,ec,7e,55,20,c9,26,86,c2,2f,d6,d9,02,80,0c,ff,7c,85,e0,43,d4,\

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,3a,0e,72,1e,ad,

f3,97,8d,3e,1e,9e,e0,57,5a,93,61,ed,4e,f5,a8,e1,42,c6,c9,86,8c,21,01,be,91,\

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"caaeda5fd7a9ed7697d9686d4b818472"=hex:f5,1d,4d,73,a8,13,5c,05,88,b3,35,eb,5a,

ab,6c,1d,cd,44,cd,b9,a6,33,6c,cd,d7,78,b5,af,b8,3f,38,8e,f5,1d,4d,73,a8,13,\

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:df,20,58,62,78,6b,cf,c8,22,92,7e,cf,04,

a9,42,8a,b0,18,ed,a7,3f,8d,37,a4,15,b0,8e,ab,d9,bc,e5,e0,df,20,58,62,78,6b,\

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"4d370831d2c43cd13623e232fed27b7b"=hex:fb,a7,78,e6,12,2f,9a,ea,e2,0b,04,1b,79,

5a,0d,74,31,77,e1,ba,b1,f8,68,02,d4,8a,7e,0e,0a,d3,c9,b7,fb,a7,78,e6,12,2f,\

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"1d68fe701cdea33e477eb204b76f993d"=hex:aa,52,c6,00,84,3c,26,64,e6,a2,ec,fe,b7,

be,c9,81,83,6c,56,8b,a0,85,96,ab,ac,fb,9b,d3,ad,41,3f,00,01,3a,48,fc,e8,04,\

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:f6,0f,4e,58,98,5b,89,c9,2a,47,03,c8,76,

f4,f5,ac,51,fa,6e,91,28,9e,14,cc,05,8b,26,22,94,bb,8c,0e,f6,0f,4e,58,98,5b,\

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,b0,3a,03,c3,59,

a8,0b,e6,b1,cd,45,5a,a8,c4,f8,b9,e9,df,bb,fc,07,ec,94,f5,3d,ce,ea,26,2d,45,\

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:e3,0e,66,d5,eb,bc,2f,6b,55,74,c9,fe,f3,

65,cb,c2,e3,0e,66,d5,eb,bc,2f,6b,22,69,2b,f6,93,82,b9,70,2a,b7,cc,b5,b9,7f,\

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,a6,8c,b1,15,ea,

61,8e,9e,fa,ea,66,7f,d4,3b,6b,70,0c,a6,e1,4d,70,d4,72,e6,6c,43,2d,1e,aa,22,\

.

--------------------- DLLs loaded in running processes ---------------------

 

- - - - - - - > 'lsass.exe'(844)

c:\program files\Bonjour\mdnsNSP.dll

 

- - - - - - - > 'explorer.exe'(7820)

c:\windows\TEMP\logishrd\LVPrcInj01.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\eappprxy.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other running processes ------------------------

.

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Nero\Nero 7\InCD\InCDsrv.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Fichiers communs\LogiShrd\LVMVFM\LVPrcSrv.exe

c:\windows\system32\nvsvc32.exe

c:\program files\CyberLink\Shared Files\RichVideo.exe

c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

c:\windows\system32\searchindexer.exe

c:\windows\system32\searchprotocolhost.exe

c:\windows\system32\searchfilterhost.exe

.

**************************************************************************

.

Completion time: 2009-05-30 23:50 - machine was rebooted

ComboFix-quarantined-files.txt 2009-05-30 21:50

 

Pre-Run: 126 491 959 296 bytes free

Post-Run: 126 462 050 304 bytes free

 

366 --- E O F --- 2009-05-22 18:50

 

It crashes partway through; I had to reboot the PC by hand.

Later

Edited by eclypse
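The four `S2` entries, the `Svchost - NetSvcs` dump and the `ServiceDll` values in the log above are one pattern: a single DLL (`mgjkp.dll`) registered under four throwaway service names, all loaded by the legitimate `svchost.exe -k netsvcs`. The host process is clean; the payload is the DLL, which is exactly what the CFscript later targets. The script below is an added example (mine, not part of this thread and not ComboFix code) that parses those three kinds of lines and flags the pattern. The embedded sample text is copied from the log entries above; `XP_NETSVCS_BASELINE` is an assumed, partial list of the service names Windows XP registers in the netsvcs group by default, and the vowel-ratio heuristic is my own weak secondary signal.

```python
"""Triage svchost-hosted services in ComboFix-style output (added example)."""
import re
from collections import defaultdict

# Constructed sample: the service list, NetSvcs group dump and ServiceDll
# entries copied from the first ComboFix log in this thread, nothing else.
SAMPLE_LOG = r"""
R2 AntiVirSchedulerService;Avira AntiVir Planificateur;c:\program files\Avira\AntiVir Desktop\sched.exe [20/05/2009 08:30 108289]
R3 3xHybrid;Pinnacle PCTV 100i-110i-300i-310i-MCE;c:\windows\system32\drivers\3xHybrid.sys [23/06/2008 17:24 1121536]
S2 ievefcn;dtgqv;c:\windows\system32\svchost.exe -k netsvcs [29/10/2007 14:00 14336]
S2 nwddqsgj;Shell Universal;c:\windows\system32\svchost.exe -k netsvcs [29/10/2007 14:00 14336]
S2 ohlzzd;Security Helper;c:\windows\system32\svchost.exe -k netsvcs [29/10/2007 14:00 14336]
S2 ynpgfzvwh;System Microsoft;c:\windows\system32\svchost.exe -k netsvcs [29/10/2007 14:00 14336]
S3 maconfservice;Ma-Config Service;c:\program files\ma-config.com\maconfservice.exe [29/05/2009 17:13 234864]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
nwddqsgj
ohlzzd
ynpgfzvwh
ievefcn

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ievefcn]
"ServiceDll"="c:\windows\system32\mgjkp.dll"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\nwddqsgj]
"ServiceDll"="c:\windows\system32\mgjkp.dll"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ohlzzd]
"ServiceDll"="c:\windows\system32\mgjkp.dll"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ynpgfzvwh]
"ServiceDll"="c:\windows\system32\mgjkp.dll"
"""

# ComboFix service line: <R|S><start type> <name>;<display name>;<image> [date time size]
# R = running, S = stopped; 2 = automatic start, 3 = manual start.
SERVICE_RE = re.compile(r'^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.+?)\s+\[')
KEY_RE = re.compile(r'^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\(?P<name>[^\]\\]+)\]$', re.I)
DLL_RE = re.compile(r'^"ServiceDll"="(?P<dll>[^"]+)"$', re.I)
NETSVCS_HDR = 'Svchost - NetSvcs'

# Assumed, partial baseline of default netsvcs members on Windows XP (not from
# the page). Any other service hosted by "svchost.exe -k netsvcs" deserves a look.
XP_NETSVCS_BASELINE = {
    '6to4', 'appmgmt', 'audiosrv', 'bits', 'browser', 'cryptsvc', 'dmserver', 'dhcp',
    'ersvc', 'eventsystem', 'fastuserswitchingcompatibility', 'helpsvc', 'hidserv',
    'ias', 'iprip', 'irmon', 'lanmanserver', 'lanmanworkstation', 'messenger',
    'netman', 'nla', 'ntmssvc', 'nwcworkstation', 'nwsapagent', 'rasauto', 'rasman',
    'remoteaccess', 'schedule', 'seclogon', 'sens', 'sharedaccess', 'shellhwdetection',
    'srservice', 'tapisrv', 'themes', 'trkwks', 'w32time', 'winmgmt', 'wmdmpmsp',
    'wmi', 'wscsvc', 'wuauserv', 'wzcsvc', 'xmlprov',
}
VOWELS = set('aeiouy')


def parse_log(text):
    """Return (services, netsvcs_members, service_dlls) from ComboFix-style text."""
    services, netsvcs, service_dlls = {}, [], {}
    current_key, in_netsvcs = None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == '.':          # blank line or '.' ends the NetSvcs list
            in_netsvcs = False
            continue
        if line.endswith(NETSVCS_HDR):
            in_netsvcs = True
            continue
        if in_netsvcs:                       # one service name per line, until blank
            netsvcs.append(line.lower())
            continue
        m = SERVICE_RE.match(line)
        if m:
            services[m['name'].lower()] = {'state': m['state'], 'display': m['display'],
                                           'image': m['image'].lower()}
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m['name'].lower()  # following "ServiceDll" belongs to this key
            continue
        m = DLL_RE.match(line)
        if m and current_key:
            service_dlls[current_key] = m['dll'].lower()
    return services, netsvcs, service_dlls


def looks_random(name):
    """Weak signal: consonant-heavy names (ynpgfzvwh) that no vendor would pick."""
    letters = [c for c in name.lower() if c.isalpha()]
    if len(letters) < 5:
        return False
    return sum(c in VOWELS for c in letters) / len(letters) < 0.2


def triage(services, netsvcs, service_dlls):
    """Return {service_name: [reasons]} for every service worth a second look."""
    owners = defaultdict(list)               # ServiceDll path -> services loading it
    for name, dll in service_dlls.items():
        owners[dll].append(name)
    findings = {}
    for name, svc in services.items():
        reasons = []
        hosted = 'svchost.exe' in svc['image']
        if hosted and name in netsvcs and name not in XP_NETSVCS_BASELINE:
            reasons.append('non-default member of the netsvcs svchost group')
        dll = service_dlls.get(name)
        if dll and len(owners[dll]) > 1:     # one DLL behind several service names
            reasons.append(f'ServiceDll {dll} shared with {len(owners[dll]) - 1} other service(s)')
        if looks_random(name):
            reasons.append('random-looking service name')
        if looks_random(svc['display']):
            reasons.append('random-looking display name')
        if reasons:
            findings[name] = reasons
    return findings


def run(text=SAMPLE_LOG):
    return triage(*parse_log(text))


if __name__ == '__main__':
    for name, reasons in run().items():
        print(name)
        for r in reasons:
            print('  -', r)
```

Two of the signals are strong on their own and do not depend on the names: a ServiceDll shared by several services, and membership in the netsvcs group that the default install does not explain. The vowel-ratio check is only a tie-breaker and will fire on some legitimate short names. On a live XP host the DLL path is read from the `Parameters\ServiceDll` value under each service key; ComboFix simply prints it flattened under the service key as seen above.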
Posted

That should be better. Let's do another one.

 

What follows is for this machine, and this machine only.

Never use it on another machine: dangerous.

 

 

  • Download the file CFscript.txt from this site:
    http://senduit.com/96b7fd
     
  • Put it on the desktop, next to the ComboFix icon.
  • Drag and drop this CFscript file onto ComboFix.exe, as in the screenshot

(screenshot: animation1md2.gif)

  • Wait while the scan runs. The desktop will disappear several times: this is normal! Do not touch anything until the scan has finished.
  • Once the scan is complete, a report will appear: post its contents.
  • If the file does not open, it is located here > C:\ComboFix.txt

Posted

ComboFix 09-05-30.03 - administrateur 03/06/2009 5:26.6 - NTFSx86

Microsoft Windows XP Professionnel 5.1.2600.3.1252.33.1036.18.2046.1532 [GMT 2:00]

Running from: c:\documents and settings\administrateur.CYBERSTADE\Bureau\ComboFix.exe

Command switches used :: \\Srv-1\cyberstade\Install PC\CFscript2.txt

AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

 

FILE ::

"c:\windows\system32\mgjkp.dll"

.

 

(((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))

.

 

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Legacy_IEVEFCN

-------\Legacy_NWDDQSGJ

-------\Legacy_OHLZZD

-------\Legacy_YNPGFZVWH

-------\Service_ievefcn

-------\Service_nwddqsgj

-------\Service_ohlzzd

-------\Service_ynpgfzvwh

 

 

((((((((((((((((((((((((((((( Files Created from 2009-05-03 to 2009-06-03 ))))))))))))))))))))))))))))))))))))

.

 

2009-06-02 12:29 . 2009-06-02 12:29 -------- d-----w c:\documents and settings\administrateur.CYBERSTADE\AbiSuite

2009-06-02 12:28 . 2009-06-02 12:29 -------- d-----w c:\program files\AbiSuite2

2009-05-30 20:06 . 2008-12-17 05:55 195096 ----a-w c:\windows\system32\lvci11901262.dll

2009-05-30 20:02 . 2009-05-30 20:02 -------- d-----w c:\program files\ma-config.com

2009-05-30 20:02 . 2009-05-30 20:02 -------- d-----w c:\documents and settings\All Users\Application Data\ma-config.com

2009-05-30 19:55 . 2009-05-30 20:11 194648 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2009-05-30 19:47 . 2009-05-30 19:47 664 ----a-w c:\windows\system32\d3d9caps.dat

2009-05-30 18:04 . 2009-05-30 18:09 -------- d-----w c:\documents and settings\administrateur.CYBERSTADE\Local Settings\Application Data\Rockstar Games

2009-05-30 18:00 . 2008-05-30 12:19 507400 ----a-w c:\windows\system32\XAudio2_1.dll

2009-05-30 18:00 . 2008-05-30 12:17 65032 ----a-w c:\windows\system32\XAPOFX1_0.dll

2009-05-30 18:00 . 2008-05-30 12:18 238088 ----a-w c:\windows\system32\xactengine3_1.dll

2009-05-30 18:00 . 2008-05-30 12:17 25608 ----a-w c:\windows\system32\X3DAudio1_4.dll

2009-05-30 18:00 . 2008-05-30 12:11 467984 ----a-w c:\windows\system32\d3dx10_38.dll

2009-05-30 18:00 . 2008-05-30 12:11 3850760 ----a-w c:\windows\system32\D3DX9_38.dll

2009-05-30 18:00 . 2008-05-30 12:11 1491992 ----a-w c:\windows\system32\D3DCompiler_38.dll

2009-05-30 17:59 . 2009-05-30 17:59 -------- d-----w c:\windows\Logs

2009-05-30 17:57 . 2009-05-30 17:59 -------- d-----w C:\29a1abc75369e977bf14

2009-05-30 17:57 . 2009-05-30 17:57 -------- d-----w c:\windows\system32\xlive

2009-05-30 17:57 . 2009-05-30 18:17 -------- d-----w c:\program files\Microsoft Games for Windows - LIVE

2009-05-30 17:30 . 2009-05-30 17:30 -------- d-----w c:\program files\Rockstar Games

2009-05-23 05:58 . 2009-05-23 05:58 -------- d-sh--w c:\documents and settings\administrateur.CYBERSTADE\IECompatCache

2009-05-22 17:45 . 2008-10-16 12:06 268648 ----a-w c:\windows\system32\mucltui.dll

2009-05-22 15:23 . 2009-05-22 15:23 -------- d-----w c:\documents and settings\administrateur.CYBERSTADE\Application Data\Windows Search

2009-05-22 09:35 . 2009-05-22 09:35 -------- d-sh--w c:\documents and settings\administrateur.CYBERSTADE\PrivacIE

2009-05-22 08:58 . 2009-05-22 08:58 -------- d-----r c:\documents and settings\LocalService\Favoris

2009-05-22 05:28 . 2008-06-14 17:33 272768 -c----w c:\windows\system32\dllcache\bthport.sys

2009-05-22 05:28 . 2008-05-08 14:02 203136 -c----w c:\windows\system32\dllcache\rmcast.sys

2009-05-22 05:28 . 2008-10-24 11:21 455296 -c----w c:\windows\system32\dllcache\mrxsmb.sys

2009-05-22 05:28 . 2008-12-11 10:57 333952 -c----w c:\windows\system32\dllcache\srv.sys

2009-05-22 05:28 . 2008-10-15 16:35 337408 -c----w c:\windows\system32\dllcache\netapi32.dll

2009-05-22 05:12 . 2009-05-22 05:12 -------- d-----w c:\windows\l2schemas

2009-05-22 05:12 . 2009-05-22 05:12 -------- d-----w c:\windows\system32\fr

2009-05-22 05:12 . 2009-05-22 05:12 -------- d-----w c:\windows\system32\bits

2009-05-22 05:10 . 2009-05-22 05:12 -------- d-----w c:\windows\ServicePackFiles

2009-05-22 05:03 . 2009-05-22 05:03 -------- d-sh--w c:\documents and settings\LocalService\IETldCache

2009-05-22 05:02 . 2009-05-22 05:02 -------- d-sh--w c:\documents and settings\administrateur.CYBERSTADE\IETldCache

2009-05-22 04:04 . 2009-05-22 04:05 -------- d-----w C:\16419f3366b669dd913e6a2c08a705

2009-05-22 03:55 . 2009-05-22 03:55 -------- d-----w c:\windows\ie8updates

2009-05-22 03:55 . 2009-04-25 05:30 102400 -c----w c:\windows\system32\dllcache\iecompat.dll

2009-05-22 03:54 . 2009-05-22 03:55 -------- dc-h--w c:\windows\ie8

2009-05-22 03:47 . 2009-05-22 03:48 -------- d-----w C:\256db5ca899894069a119cd228fb

2009-05-22 03:41 . 2009-06-02 14:44 -------- d-----w c:\documents and settings\administrateur.CYBERSTADE\Tracing

2009-05-22 03:38 . 2009-05-22 03:38 -------- d-----w c:\program files\Windows Live SkyDrive

2009-05-22 03:37 . 2009-05-22 03:37 -------- d-----w c:\program files\Fichiers communs\Windows Live

2009-05-22 03:36 . 2009-05-22 03:36 -------- d-----w c:\program files\Microsoft Silverlight

2009-05-22 03:36 . 2009-05-22 03:36 -------- d-----w c:\program files\Microsoft

2009-05-22 03:35 . 2009-05-22 04:18 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Adobe

2009-05-22 03:35 . 2009-05-22 03:35 -------- d-----w c:\documents and settings\administrateur.CYBERSTADE\Application Data\Windows Desktop Search

2009-05-22 03:34 . 2009-05-22 03:34 -------- d-----w c:\program files\Windows Desktop Search

2009-05-22 03:34 . 2009-05-22 03:34 -------- d-----w c:\windows\system32\GroupPolicy

2009-05-22 03:34 . 2009-05-22 03:34 -------- d-----w c:\program files\Windows Media Connect 2

2009-05-22 03:32 . 2009-05-22 03:34 -------- d-----w C:\ad6055a07064651d0d439eadb8bc

2009-05-22 03:31 . 2009-05-22 03:32 -------- d-----w C:\25b94b873eb42f49d1e534d39de5

2009-05-22 03:31 . 2009-05-22 03:32 -------- d-----w c:\windows\system32\drivers\UMDF

2009-05-22 03:30 . 2009-05-22 03:31 -------- d-----w C:\4b5f7b9cb3ff552b648fc199

2009-05-22 03:02 . 2009-03-06 14:20 286720 -c----w c:\windows\system32\dllcache\pdh.dll

2009-05-22 03:01 . 2008-04-21 21:15 219136 -c----w c:\windows\system32\dllcache\wordpad.exe

2009-05-22 00:31 . 2009-05-22 00:31 -------- d-----w c:\windows\ERUNT

2009-05-20 12:04 . 2009-04-06 13:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-05-20 12:04 . 2009-04-06 13:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-05-20 12:04 . 2009-05-20 12:04 -------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-05-20 09:56 . 2009-05-20 10:03 -------- d-----w c:\program files\Woonoz

2009-05-20 06:30 . 2009-03-30 08:32 96104 ----a-w c:\windows\system32\drivers\avipbb.sys

2009-05-20 06:30 . 2009-03-24 14:07 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys

2009-05-20 06:30 . 2009-02-13 10:28 22360 ----a-w c:\windows\system32\drivers\avgntmgr.sys

2009-05-20 06:30 . 2009-02-13 10:17 45416 ----a-w c:\windows\system32\drivers\avgntdd.sys

2009-05-20 06:30 . 2009-05-20 06:30 -------- d-----w c:\program files\Avira

2009-05-20 06:30 . 2009-05-20 06:30 -------- d-----w c:\documents and settings\All Users\Application Data\Avira

2009-05-16 09:05 . 2009-05-16 09:05 8854 ----a-r c:\documents and settings\administrateur.CYBERSTADE\Application Data\Microsoft\Installer\{6FD27D5C-CAFD-4721-825F-D0DDE6C960D2}\Uninstall_Namco_Muse_6FD27D5CCAFD4721825FD0DDE6C960D2.exe

2009-05-16 09:05 . 2009-05-16 09:05 19518 ----a-r c:\documents and settings\administrateur.CYBERSTADE\Application Data\Microsoft\Installer\{6FD27D5C-CAFD-4721-825F-D0DDE6C960D2}\ffe.exe1_2FCAB582E6F945AF988D869015108473.exe

2009-05-16 09:05 . 2009-05-16 09:05 19518 ----a-r c:\documents and settings\administrateur.CYBERSTADE\Application Data\Microsoft\Installer\{6FD27D5C-CAFD-4721-825F-D0DDE6C960D2}\ffe.exe_2FCAB582E6F945AF988D869015108473.exe

2009-05-16 09:05 . 2009-05-16 09:05 19518 ----a-r c:\documents and settings\administrateur.CYBERSTADE\Application Data\Microsoft\Installer\{6FD27D5C-CAFD-4721-825F-D0DDE6C960D2}\ARPPRODUCTICON.exe

2009-05-16 09:05 . 2009-05-16 09:05 -------- d-----w c:\program files\Namco

2009-05-08 14:38 . 2009-05-08 14:38 -------- d-----w c:\program files\CCleaner

2009-05-06 17:43 . 2009-05-19 10:21 -------- d-----w c:\documents and settings\administrateur.CYBERSTADE\Local Settings\Application Data\Loc.Mail.Bron.Tok

 

.

(((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-06-02 16:52 . 2009-04-11 18:26 -------- d-----w c:\program files\Garena

2009-06-02 12:48 . 2009-01-15 12:51 -------- d-----w c:\documents and settings\All Users\Application Data\Google Updater

2009-06-02 09:28 . 2009-02-03 14:01 1 ----a-w c:\documents and settings\administrateur.CYBERSTADE\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys

2009-06-01 17:46 . 2008-09-29 16:46 -------- d-----w c:\program files\Warcraft III

2009-05-30 20:07 . 2008-06-20 13:13 -------- d-----w c:\program files\Fichiers communs\LogiShrd

2009-05-30 20:06 . 2008-06-20 13:13 -------- d-----w c:\documents and settings\All Users\Application Data\LogiShrd

2009-05-30 20:06 . 2008-10-28 03:35 -------- d-----w c:\program files\Logitech

2009-05-30 18:01 . 2008-11-12 09:49 107888 ----a-w c:\windows\system32\CmdLineExt.dll

2009-05-30 17:30 . 2008-06-20 12:04 -------- d--h--w c:\program files\InstallShield Installation Information

2009-05-28 21:45 . 2008-06-20 12:31 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help

2009-05-22 18:57 . 2007-10-29 12:00 80956 ----a-w c:\windows\system32\perfc00C.dat

2009-05-22 18:57 . 2007-10-29 12:00 503690 ----a-w c:\windows\system32\perfh00C.dat

2009-05-22 08:46 . 2008-09-27 02:07 91568 ----a-w c:\documents and settings\administrateur.CYBERSTADE\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-05-22 05:13 . 2008-06-20 11:47 86331 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat

2009-05-22 03:57 . 2008-06-20 12:55 -------- d-----w c:\program files\Microsoft Works

2009-05-22 03:55 . 2008-09-27 18:00 -------- d-----w c:\program files\Fichiers communs\Wise Installation Wizard

2009-05-22 03:38 . 2008-06-20 14:28 -------- d-----w c:\program files\Windows Live

2009-05-21 12:54 . 2008-11-20 18:42 -------- d-----w c:\documents and settings\administrateur.CYBERSTADE\Application Data\U3

2009-05-20 19:47 . 2009-02-06 14:00 -------- d-----w c:\program files\World of Warcraft

2009-05-16 09:04 . 2008-06-20 11:54 -------- d-----w c:\program files\Fichiers communs\InstallShield

2009-05-13 13:33 . 2008-09-27 17:57 -------- d-----w c:\program files\Dofus

2009-05-08 15:20 . 2008-09-28 23:21 -------- d-----w c:\program files\Fichiers communs\Blizzard Entertainment

2009-05-08 15:17 . 2009-01-15 12:51 -------- d-----w c:\program files\Google

2009-05-08 14:49 . 2008-08-01 07:19 81984 ----a-w c:\windows\system32\bdod.bin

2009-05-08 10:48 . 2008-11-12 09:25 -------- d-----w c:\program files\L'Entraîneur 2006

2009-05-03 20:01 . 2008-11-20 10:33 -------- d-----w c:\program files\Steam

2009-04-27 18:59 . 2008-12-02 01:32 -------- d-----w c:\program files\Curse

2009-04-25 18:28 . 2009-03-11 20:17 -------- d-----w c:\documents and settings\administrateur.CYBERSTADE\Application Data\teamspeak2

2009-04-23 15:45 . 2009-04-23 15:44 -------- d-----w c:\program files\QuickTime

2009-04-21 22:20 . 2009-04-21 22:20 14311680 ----a-w c:\windows\system32\xlive.dll

2009-04-21 22:20 . 2009-04-21 22:20 13642496 ----a-w c:\windows\system32\xlivefnt.dll

2009-04-16 17:51 . 2009-04-16 17:44 -------- d-----w c:\program files\Metin2_France

2009-04-10 14:03 . 2009-01-06 10:56 334912 ----a-w c:\documents and settings\administrateur.CYBERSTADE\Application Data\id Software\quakelive\home\baseq3\cgamex86.dll

2009-04-10 14:02 . 2009-01-06 10:56 171072 ----a-w c:\documents and settings\administrateur.CYBERSTADE\Application Data\id Software\quakelive\home\baseq3\uix86.dll

2009-04-10 14:02 . 2008-09-28 20:36 138944 ----a-w c:\windows\system32\drivers\PnkBstrK.sys

2009-04-10 14:02 . 2008-09-28 20:35 189784 ----a-w c:\windows\system32\PnkBstrB.exe

2009-04-10 14:02 . 2009-01-06 10:56 874660 ----a-w c:\documents and settings\administrateur.CYBERSTADE\Application Data\id Software\quakelive\home\pb\pbcl.dll

2009-04-10 14:02 . 2009-01-06 10:56 57344 ----a-w c:\documents and settings\administrateur.CYBERSTADE\Application Data\id Software\quakelive\home\pb\pbag.dll

2009-04-10 14:02 . 2009-01-06 10:56 479232 ----a-w c:\documents and settings\administrateur.CYBERSTADE\Application Data\id Software\quakelive\home\pb\pbsv.dll

2009-04-10 14:02 . 2009-01-06 10:56 2669632 ----a-w c:\documents and settings\administrateur.CYBERSTADE\Application Data\id Software\quakelive\home\baseq3\quakelive.dll

2009-04-10 13:57 . 2008-09-28 20:35 75064 ----a-w c:\windows\system32\PnkBstrA.exe

2009-04-10 13:44 . 2008-09-28 20:36 22328 ----a-w c:\documents and settings\administrateur.CYBERSTADE\Application Data\PnkBstrK.sys

2009-04-10 13:44 . 2008-09-28 20:36 22328 ----a-w c:\documents and settings\administrateur.CYBERSTADE\Application Data\PnkBstrK.sys

2009-04-10 13:43 . 2008-09-28 20:35 2246144 ----a-w c:\windows\system32\pbsvc.exe

2009-03-30 06:50 . 2009-03-30 06:50 152576 ----a-w c:\documents and settings\administrateur.CYBERSTADE\Application Data\Sun\Java\jre1.6.0_13\lzma.dll

2009-03-25 08:46 . 2009-03-25 08:46 625728 ----a-w c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll

2009-03-09 03:19 . 2008-12-14 12:37 410984 ----a-w c:\windows\system32\deploytk.dll

2009-03-08 02:34 . 2007-10-29 12:00 914944 ----a-w c:\windows\system32\wininet.dll

2009-03-08 02:34 . 2007-10-29 12:00 43008 ----a-w c:\windows\system32\licmgr10.dll

2009-03-08 02:33 . 2007-10-29 12:00 18944 ----a-w c:\windows\system32\corpol.dll

2009-03-08 02:33 . 2007-10-29 12:00 420352 ----a-w c:\windows\system32\vbscript.dll

2009-03-08 02:32 . 2007-10-29 12:00 72704 ----a-w c:\windows\system32\admparse.dll

2009-03-08 02:32 . 2007-10-29 12:00 71680 ----a-w c:\windows\system32\iesetup.dll

2009-03-08 02:31 . 2007-10-29 12:00 34816 ----a-w c:\windows\system32\imgutil.dll

2009-03-08 02:31 . 2007-10-29 12:00 48128 ----a-w c:\windows\system32\mshtmler.dll

2009-03-08 02:31 . 2007-10-29 12:00 45568 ----a-w c:\windows\system32\mshta.exe

2009-03-08 02:22 . 2007-10-29 12:00 156160 ----a-w c:\windows\system32\msls31.dll

2009-03-06 14:20 . 2007-10-29 12:00 286720 ----a-w c:\windows\system32\pdh.dll

2009-03-05 22:45 . 2009-03-05 22:45 12800 ----a-w c:\documents and settings\administrateur.CYBERSTADE\Application Data\Thinstall\Quake III Arena\4000003da00002i\quake3.exe

2008-09-27 03:56 . 2008-09-27 03:56 15397 ----a-w c:\program files\settings.dat

.

 

((((((((((((((((((((((((((((( SnapShot@2009-05-30_21.42.15 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-06-03 03:32 . 2009-06-03 03:32 16384 c:\windows\temp\Perflib_Perfdata_738.dat

+ 2009-06-03 03:32 . 2008-12-16 19:59 109080 c:\windows\temp\logishrd\LVPrcInj01.dll

- 2009-05-30 21:41 . 2008-12-16 19:59 109080 c:\windows\temp\logishrd\LVPrcInj01.dll

.

((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-03 13529088]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

 

[HKLM\~\startupfolder\C:^Documents and Settings^administrateur.CYBERSTADE^Menu Démarrer^Programmes^Démarrage^Empty.pif]

path=c:\documents and settings\administrateur.CYBERSTADE\Menu Démarrer\Programmes\Démarrage\Empty.pif

backup=c:\windows\pss\Empty.pifStartup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^Démarrage rapide du logiciel HP Image Zone.lnk]

path=c:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\Démarrage rapide du logiciel HP Image Zone.lnk

backup=c:\windows\pss\Démarrage rapide du logiciel HP Image Zone.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^Windows Search.lnk]

path=c:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\Windows Search.lnk

backup=c:\windows\pss\Windows Search.lnkCommon Startup

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

 

R2 AntiVirSchedulerService;Avira AntiVir Planificateur;c:\program files\Avira\AntiVir Desktop\sched.exe [20/05/2009 08:30 108289]

R3 3xHybrid;Pinnacle PCTV 100i-110i-300i-310i-MCE;c:\windows\system32\drivers\3xHybrid.sys [23/06/2008 17:24 1121536]

S3 maconfservice;Ma-Config Service;c:\program files\ma-config.com\maconfservice.exe [29/05/2009 17:13 234864]

 

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Contents of the 'Scheduled Tasks' folder

 

2009-06-03 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-01-15 19:25]

 

2009-06-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1881933800-2416438935-2271469046-500.job

- c:\documents and settings\administrateur.CYBERSTADE\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-21 21:47]

.

.

------- Supplemental Scan -------

.

TCP: {ADD55CEC-C550-45E6-B74E-A2EFCC644CF7} = 192.168.0.100

FF - ProfilePath - c:\documents and settings\administrateur.CYBERSTADE\Application Data\Mozilla\Firefox\Profiles\arl8etxo.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.google.fr

FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=

FF - plugin: c:\documents and settings\administrateur.CYBERSTADE\Local Settings\Application Data\Google\Update\1.2.145.5\npGoogleOneClick8.dll

FF - plugin: c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll

FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll

FF - plugin: c:\program files\ma-config.com\nphardwaredetection.dll

FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll

.

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-06-03 05:37

Windows 5.1.2600 Service Pack 3 NTFS

 

Scanning hidden processes ...

 

Scanning hidden autostart entries ...

 

Scanning hidden files ...

 

Scan completed successfully

Hidden files: 0

 

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

 

[HKEY_USERS\S-1-5-21-1881933800-2416438935-2271469046-500\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (Administrator)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1d,90,41,5b,e7,ed,b0,45,bb,9a,af,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1d,90,41,5b,e7,ed,b0,45,bb,9a,af,\

 

[HKEY_USERS\S-1-5-21-1881933800-2416438935-2271469046-500\Software\SecuROM\License information*]

"datasecu"=hex:83,ec,ce,39,4b,d4,02,df,c9,8b,5f,c4,34,9e,15,e0,31,47,75,5c,4d,

e8,0b,97,f3,71,bb,08,b2,38,21,39,36,ca,c2,78,f0,ce,c7,82,54,5b,67,38,93,f6,\

"rkeysecu"=hex:2f,0f,d5,3e,02,2b,06,63,b1,0b,dd,b6,71,e2,54,98

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"cd042efbbd7f7af1647644e76e06692b"=hex:c8,28,51,af,b0,29,a3,98,bb,88,18,06,dd,

4b,f0,93,c8,28,51,af,b0,29,a3,98,91,45,1c,27,36,e6,56,ae,e2,63,26,f1,3f,c8,\

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66,8b,46,0d,96,82,d8,95,42,f2,

e4,97,e5,71,3b,04,66,8b,46,0d,96,98,ba,db,16,95,bb,83,90,6a,9c,d6,61,af,45,\

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e,55,20,c9,26,2d,c7,52,d5,9e,

c1,c8,1e,25,da,ec,7e,55,20,c9,26,86,c2,2f,d6,d9,02,80,0c,ff,7c,85,e0,43,d4,\

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,3a,0e,72,1e,ad,

f3,97,8d,3e,1e,9e,e0,57,5a,93,61,ed,4e,f5,a8,e1,42,c6,c9,86,8c,21,01,be,91,\

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"caaeda5fd7a9ed7697d9686d4b818472"=hex:f5,1d,4d,73,a8,13,5c,05,88,b3,35,eb,5a,

ab,6c,1d,cd,44,cd,b9,a6,33,6c,cd,d7,78,b5,af,b8,3f,38,8e,f5,1d,4d,73,a8,13,\

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:df,20,58,62,78,6b,cf,c8,22,92,7e,cf,04,

a9,42,8a,b0,18,ed,a7,3f,8d,37,a4,15,b0,8e,ab,d9,bc,e5,e0,df,20,58,62,78,6b,\

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"4d370831d2c43cd13623e232fed27b7b"=hex:fb,a7,78,e6,12,2f,9a,ea,e2,0b,04,1b,79,

5a,0d,74,31,77,e1,ba,b1,f8,68,02,d4,8a,7e,0e,0a,d3,c9,b7,fb,a7,78,e6,12,2f,\

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"1d68fe701cdea33e477eb204b76f993d"=hex:aa,52,c6,00,84,3c,26,64,e6,a2,ec,fe,b7,

be,c9,81,83,6c,56,8b,a0,85,96,ab,ac,fb,9b,d3,ad,41,3f,00,01,3a,48,fc,e8,04,\

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:f6,0f,4e,58,98,5b,89,c9,2a,47,03,c8,76,

f4,f5,ac,51,fa,6e,91,28,9e,14,cc,05,8b,26,22,94,bb,8c,0e,f6,0f,4e,58,98,5b,\

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,b0,3a,03,c3,59,

a8,0b,e6,b1,cd,45,5a,a8,c4,f8,b9,e9,df,bb,fc,07,ec,94,f5,3d,ce,ea,26,2d,45,\

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:e3,0e,66,d5,eb,bc,2f,6b,55,74,c9,fe,f3,

65,cb,c2,e3,0e,66,d5,eb,bc,2f,6b,22,69,2b,f6,93,82,b9,70,2a,b7,cc,b5,b9,7f,\

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,a6,8c,b1,15,ea,

61,8e,9e,fa,ea,66,7f,d4,3b,6b,70,0c,a6,e1,4d,70,d4,72,e6,6c,43,2d,1e,aa,22,\

.

--------------------- DLLs chargées dans les processus actifs ---------------------

 

- - - - - - - > 'lsass.exe'(840)

c:\program files\Bonjour\mdnsNSP.dll

 

- - - - - - - > 'explorer.exe'(8084)

c:\windows\TEMP\logishrd\LVPrcInj01.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\eappprxy.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

c:\windows\system32\wpdshext.dll

c:\windows\system32\Audiodev.dll

c:\windows\system32\WMVCore.DLL

c:\windows\system32\WMASF.DLL

.

------------------------ Autres processus actifs ------------------------

.

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Nero\Nero 7\InCD\InCDsrv.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Fichiers communs\LogiShrd\LVMVFM\LVPrcSrv.exe

c:\windows\system32\nvsvc32.exe

c:\program files\CyberLink\Shared Files\RichVideo.exe

c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

c:\windows\system32\searchindexer.exe

c:\windows\system32\searchprotocolhost.exe

c:\windows\system32\searchfilterhost.exe

.

**************************************************************************

.

Heure de fin: 2009-06-03 5:44 - La machine a redémarré

ComboFix-quarantined-files.txt 2009-06-03 03:44

ComboFix2.txt 2009-05-30 22:11

ComboFix3.txt 2009-05-30 21:50

 

Avant-CF: 127 405 252 608 octets libres

Après-CF: 127 233 998 848 octets libres

 

349 --- E O F --- 2009-05-22 18:50
