
Posted

TDSSKiller report:


15:04:37:312 3176 TDSS rootkit removing tool 2.2.2 Jan 13 2010 08:42:25

15:04:37:312 3176 ================================================================================

15:04:37:312 3176 SystemInfo:

15:04:37:312 3176 OS Version: 5.1.2600 ServicePack: 3.0

15:04:37:312 3176 Product type: Workstation

15:04:37:312 3176 ComputerName: HELLOW

15:04:37:312 3176 UserName: Jean Michel

15:04:37:312 3176 Windows directory: C:\WINDOWS

15:04:37:312 3176 Processor architecture: Intel x86

15:04:37:312 3176 Number of processors: 1

15:04:37:312 3176 Page size: 0x1000

15:04:37:312 3176 Boot type: Normal boot

15:04:37:312 3176 ================================================================================

15:04:37:312 3176 UnloadDriverW: NtUnloadDriver error 2

15:04:37:312 3176 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2

15:04:37:312 3176 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000

15:04:37:328 3176 UtilityInit: KLMD drop and load success

15:04:37:328 3176 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201000)

15:04:37:328 3176 UtilityInit: KLMD open success

15:04:37:328 3176 UtilityInit: Initialize success

15:04:37:328 3176

15:04:37:328 3176 Scanning Services ...

15:04:37:328 3176 CreateRegParser: Registry parser init started

15:04:37:328 3176 DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 127

15:04:37:328 3176 CreateRegParser: DisableWow64Redirection error

15:04:37:328 3176 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system

15:04:37:328 3176 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\system) returned status C0000043

15:04:37:328 3176 wfopen_ex: MyNtCreateFileW error 32 (C0000043)

15:04:37:328 3176 wfopen_ex: Trying to KLMD file open

15:04:37:328 3176 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\system

15:04:37:328 3176 wfopen_ex: File opened ok (Flags 2)

15:04:37:328 3176 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\system) init success: 384B08

15:04:37:328 3176 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software

15:04:37:328 3176 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\software) returned status C0000043

15:04:37:328 3176 wfopen_ex: MyNtCreateFileW error 32 (C0000043)

15:04:37:328 3176 wfopen_ex: Trying to KLMD file open

15:04:37:328 3176 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\software

15:04:37:328 3176 wfopen_ex: File opened ok (Flags 2)

15:04:37:328 3176 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\software) init success: 384B70

15:04:37:328 3176 EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 127

15:04:37:328 3176 CreateRegParser: EnableWow64Redirection error

15:04:37:328 3176 CreateRegParser: RegParser init completed

15:04:37:359 3176 GetAdvancedServicesInfo: Raw services enum returned 355 services

15:04:37:375 3176 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system

15:04:37:375 3176 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software

15:04:37:375 3176

15:04:37:375 3176 Scanning Kernel memory ...

15:04:37:375 3176 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk

15:04:37:375 3176 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 865CE588

15:04:37:375 3176 DetectCureTDL3: KLMD_GetDeviceObjectList returned 2 DevObjects

15:04:37:375 3176

15:04:37:375 3176 DetectCureTDL3: DEVICE_OBJECT: 8652DC68

15:04:37:375 3176 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8652DC68

15:04:37:375 3176 KLMD_ReadMem: Trying to ReadMemory 0x8652DC68[0x38]

15:04:37:375 3176 DetectCureTDL3: DRIVER_OBJECT: 865CE588

15:04:37:375 3176 KLMD_ReadMem: Trying to ReadMemory 0x865CE588[0xA8]

15:04:37:375 3176 KLMD_ReadMem: Trying to ReadMemory 0xE163D578[0x18]

15:04:37:375 3176 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk

15:04:37:375 3176 DetectCureTDL3: IrpHandler (0) addr: F7604BB0

15:04:37:375 3176 DetectCureTDL3: IrpHandler (1) addr: 804F355A

15:04:37:375 3176 DetectCureTDL3: IrpHandler (2) addr: F7604BB0

15:04:37:375 3176 DetectCureTDL3: IrpHandler (3) addr: F75FED1F

15:04:37:375 3176 DetectCureTDL3: IrpHandler (4) addr: F75FED1F

15:04:37:375 3176 DetectCureTDL3: IrpHandler (5) addr: 804F355A

15:04:37:375 3176 DetectCureTDL3: IrpHandler (6) addr: 804F355A

15:04:37:375 3176 DetectCureTDL3: IrpHandler (7) addr: 804F355A

15:04:37:375 3176 DetectCureTDL3: IrpHandler (8) addr: 804F355A

15:04:37:375 3176 DetectCureTDL3: IrpHandler (9) addr: F75FF2E2

15:04:37:375 3176 DetectCureTDL3: IrpHandler (10) addr: 804F355A

15:04:37:375 3176 DetectCureTDL3: IrpHandler (11) addr: 804F355A

15:04:37:375 3176 DetectCureTDL3: IrpHandler (12) addr: 804F355A

15:04:37:375 3176 DetectCureTDL3: IrpHandler (13) addr: 804F355A

15:04:37:375 3176 DetectCureTDL3: IrpHandler (14) addr: F75FF3BB

15:04:37:375 3176 DetectCureTDL3: IrpHandler (15) addr: F7602F28

15:04:37:375 3176 DetectCureTDL3: IrpHandler (16) addr: F75FF2E2

15:04:37:375 3176 DetectCureTDL3: IrpHandler (17) addr: 804F355A

15:04:37:375 3176 DetectCureTDL3: IrpHandler (18) addr: 804F355A

15:04:37:375 3176 DetectCureTDL3: IrpHandler (19) addr: 804F355A

15:04:37:375 3176 DetectCureTDL3: IrpHandler (20) addr: 804F355A

15:04:37:375 3176 DetectCureTDL3: IrpHandler (21) addr: 804F355A

15:04:37:375 3176 DetectCureTDL3: IrpHandler (22) addr: F7600C82

15:04:37:375 3176 DetectCureTDL3: IrpHandler (23) addr: F760599E

15:04:37:375 3176 DetectCureTDL3: IrpHandler (24) addr: 804F355A

15:04:37:375 3176 DetectCureTDL3: IrpHandler (25) addr: 804F355A

15:04:37:375 3176 DetectCureTDL3: IrpHandler (26) addr: 804F355A

15:04:37:375 3176 TDL3_FileDetect: Processing driver: Disk

15:04:37:375 3176 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys

15:04:37:375 3176 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys

15:04:37:406 3176 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean

15:04:37:406 3176

15:04:37:406 3176 DetectCureTDL3: DEVICE_OBJECT: 85BF9AB8

15:04:37:406 3176 KLMD_GetLowerDeviceObject: Trying to get lower device object for 85BF9AB8

15:04:37:406 3176 DetectCureTDL3: DEVICE_OBJECT: 86552910

15:04:37:406 3176 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86552910

15:04:37:406 3176 DetectCureTDL3: DEVICE_OBJECT: 86530028

15:04:37:406 3176 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86530028

15:04:37:406 3176 KLMD_ReadMem: Trying to ReadMemory 0x86530028[0x38]

15:04:37:406 3176 DetectCureTDL3: DRIVER_OBJECT: 8656EF38

15:04:37:406 3176 KLMD_ReadMem: Trying to ReadMemory 0x8656EF38[0xA8]

15:04:37:406 3176 KLMD_ReadMem: Trying to ReadMemory 0xE1004DA0[0x1C]

15:04:37:406 3176 DetectCureTDL3: DRIVER_OBJECT name: \Driver\iastor, Driver Name: iastor

15:04:37:406 3176 DetectCureTDL3: IrpHandler (0) addr: F735892E

15:04:37:406 3176 DetectCureTDL3: IrpHandler (1) addr: 804F355A

15:04:37:406 3176 DetectCureTDL3: IrpHandler (2) addr: F735892E

15:04:37:406 3176 DetectCureTDL3: IrpHandler (3) addr: 804F355A

15:04:37:406 3176 DetectCureTDL3: IrpHandler (4) addr: 804F355A

15:04:37:406 3176 DetectCureTDL3: IrpHandler (5) addr: 804F355A

15:04:37:406 3176 DetectCureTDL3: IrpHandler (6) addr: 804F355A

15:04:37:406 3176 DetectCureTDL3: IrpHandler (7) addr: 804F355A

15:04:37:406 3176 DetectCureTDL3: IrpHandler (8) addr: 804F355A

15:04:37:406 3176 DetectCureTDL3: IrpHandler (9) addr: 804F355A

15:04:37:406 3176 DetectCureTDL3: IrpHandler (10) addr: 804F355A

15:04:37:406 3176 DetectCureTDL3: IrpHandler (11) addr: 804F355A

15:04:37:406 3176 DetectCureTDL3: IrpHandler (12) addr: 804F355A

15:04:37:406 3176 DetectCureTDL3: IrpHandler (13) addr: 804F355A

15:04:37:406 3176 DetectCureTDL3: IrpHandler (14) addr: F7355B28

15:04:37:406 3176 DetectCureTDL3: IrpHandler (15) addr: 8656E5B8

15:04:37:406 3176 DetectCureTDL3: IrpHandler (16) addr: 804F355A

15:04:37:406 3176 DetectCureTDL3: IrpHandler (17) addr: 804F355A

15:04:37:406 3176 DetectCureTDL3: IrpHandler (18) addr: 804F355A

15:04:37:406 3176 DetectCureTDL3: IrpHandler (19) addr: 804F355A

15:04:37:406 3176 DetectCureTDL3: IrpHandler (20) addr: 804F355A

15:04:37:406 3176 DetectCureTDL3: IrpHandler (21) addr: 804F355A

15:04:37:406 3176 DetectCureTDL3: IrpHandler (22) addr: F734D9D6

15:04:37:406 3176 DetectCureTDL3: IrpHandler (23) addr: F734CD68

15:04:37:406 3176 DetectCureTDL3: IrpHandler (24) addr: 804F355A

15:04:37:406 3176 DetectCureTDL3: IrpHandler (25) addr: 804F355A

15:04:37:406 3176 DetectCureTDL3: IrpHandler (26) addr: 804F355A

15:04:37:406 3176 TDL3_FileDetect: Processing driver: iastor

15:04:37:406 3176 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\iaStor.sys

15:04:37:406 3176 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\iaStor.sys

15:04:37:468 3176 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\iaStor.sys - Verdict: Clean

15:04:37:468 3176

15:04:37:468 3176 Completed

15:04:37:468 3176

15:04:37:468 3176 Results:

15:04:37:468 3176 Memory objects infected / cured / cured on reboot: 0 / 0 / 0

15:04:37:468 3176 Registry objects infected / cured / cured on reboot: 0 / 0 / 0

15:04:37:468 3176 File objects infected / cured / cured on reboot: 0 / 0 / 0

15:04:37:468 3176

15:04:37:468 3176 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000

15:04:37:468 3176 UtilityDeinit: KLMD(ARK) unloaded successfully

And the ComboFix report:

ComboFix 10-01-20.06 - Jean Michel 23/01/2010 15:55:14.7.1 - x86

Microsoft Windows XP Professionnel 5.1.2600.3.1252.33.1036.18.1014.686 [GMT 1:00]

Lancé depuis: c:\documents and settings\Jean Michel\Bureau\ComboFix.exe

Commutateurs utilisés :: c:\documents and settings\Jean Michel\Bureau\CFScript.txt

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

AV: ESET Smart Security 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

.
(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))

.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
----- BITS: Il y a peut-être des sites infectés -----
hxxp://armmf.adobe.com

.

--------------- FCopy ---------------
c:\windows\NiwradSoft Shell Pack\Backup\explorer.exe --> c:\windows\explorer.exe

.

((((((((((((((((((((((((((((( Fichiers créés du 2009-12-23 au 2010-01-23 ))))))))))))))))))))))))))))))))))))

.
2010-01-23 14:04 . 2010-01-23 14:04 -------- d-----w- C:\tdsskiller

2010-01-23 11:58 . 2010-01-23 12:04 -------- d-----w- C:\Gmer

2010-01-22 17:19 . 2010-01-22 17:19 -------- d-----w- c:\program files\Fichiers communs\DivX Shared

2010-01-22 17:19 . 2010-01-22 17:19 -------- d-----w- c:\program files\DivX

2010-01-21 17:52 . 2010-01-21 17:52 -------- d-----w- c:\documents and settings\Jean Michel\Local Settings\Application Data\ESET

2010-01-20 18:58 . 2010-01-20 18:58 -------- d-----w- c:\program files\Fichiers communs\Java

2010-01-20 17:25 . 2010-01-20 17:38 -------- d-----w- C:\Ad-Remover

2010-01-20 16:09 . 2010-01-21 08:14 -------- d-----w- C:\ToolBar SD

2010-01-20 14:25 . 2010-01-20 15:27 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2010-01-20 14:25 . 2009-03-30 09:32 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys

2010-01-20 14:25 . 2009-02-13 11:28 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2010-01-20 14:25 . 2009-02-13 11:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2010-01-20 14:25 . 2010-01-20 14:25 -------- d-----w- c:\program files\Avira

2010-01-20 14:25 . 2010-01-20 14:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2010-01-20 12:01 . 2010-01-20 12:01 -------- d-----w- c:\documents and settings\Administrateur\Application Data\Malwarebytes

2010-01-20 11:51 . 2010-01-20 11:51 -------- d-----w- c:\documents and settings\Jean Michel\Application Data\Malwarebytes

2010-01-20 11:51 . 2010-01-07 15:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-20 11:51 . 2010-01-20 11:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-01-20 11:51 . 2010-01-07 15:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-01-20 11:51 . 2010-01-20 11:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-01-20 10:20 . 2010-01-20 10:20 -------- d-----w- c:\program files\CCleaner

2010-01-19 21:31 . 2010-01-19 21:31 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET

2010-01-19 09:20 . 2010-01-19 09:20 -------- d-----w- c:\documents and settings\Jean Michel\Application Data\ESET

2010-01-19 09:18 . 2010-01-19 09:18 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET

2010-01-19 08:54 . 2010-01-19 13:42 -------- d-----w- c:\documents and settings\Jean Michel\Application Data\QuickScan

2010-01-19 07:12 . 2010-01-19 09:18 -------- d-----w- c:\program files\ESET

2010-01-17 21:34 . 2010-01-18 11:08 -------- d-----w- c:\documents and settings\Jean Michel\Application Data\The Path

2010-01-16 18:29 . 2010-01-16 19:10 -------- d-----w- c:\program files\Postal2STP

2010-01-16 15:55 . 2010-01-16 15:55 -------- d-----w- c:\windows\system32\wbem\Repository

2010-01-16 15:48 . 2010-01-20 15:10 -------- d-----w- c:\program files\RegCleaner

2010-01-16 15:29 . 2010-01-16 15:29 -------- d-----w- C:\ProgramData

2010-01-16 15:29 . 2010-01-16 15:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Electronic Arts

2010-01-16 15:13 . 2010-01-16 15:13 -------- d-----w- c:\program files\Intel Corporation

2010-01-14 23:20 . 2010-01-14 23:20 -------- d-----w- c:\program files\Micro Application

2010-01-13 23:01 . 2010-01-13 23:01 0 ----a-w- c:\windows\PowerReg.dat

2010-01-13 20:35 . 2010-01-13 20:35 -------- d-----w- c:\program files\Hobbyist Software

2010-01-13 10:55 . 2008-02-15 11:49 184320 ----a-w- c:\windows\system32\igfxres.dll

2010-01-12 20:45 . 2010-01-19 15:28 -------- d-----w- c:\documents and settings\Jean Michel\Application Data\uTorrent

2010-01-12 19:57 . 2010-01-12 19:57 98304 ----a-w- c:\windows\system32\CmdLineExt.dll

2010-01-12 12:06 . 2010-01-12 12:06 -------- d-----w- c:\program files\WinSCP

2010-01-12 07:35 . 2010-01-14 12:50 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-01-12 07:35 . 2010-01-14 12:51 -------- d-----w- c:\documents and settings\All Users\Application Data\SpeedBit

2010-01-12 07:35 . 2010-01-14 12:51 -------- d-----w- c:\program files\DAP

2010-01-11 20:54 . 2010-01-11 21:14 -------- d-----w- c:\program files\Ludi

2010-01-11 18:06 . 2010-01-11 18:06 -------- d-----w- c:\program files\Lavalys

2010-01-11 13:15 . 2000-07-14 22:00 101888 ----a-w- c:\windows\system32\VB6STKIT.DLL

2010-01-10 14:09 . 2008-04-14 03:05 14720 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys

2010-01-10 14:09 . 2008-04-14 03:05 14720 ----a-w- c:\windows\system32\drivers\kbdhid.sys

2010-01-10 12:20 . 2010-01-10 12:20 -------- d-----w- c:\program files\Hp

2010-01-10 12:20 . 2010-01-11 12:47 -------- d-----w- c:\documents and settings\Jean Michel\Application Data\HpUpdate

2010-01-10 12:20 . 2010-01-10 12:20 -------- d-----w- c:\windows\Hewlett-Packard

2010-01-10 11:37 . 2010-01-10 11:37 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters

2010-01-10 11:17 . 2010-01-10 11:17 -------- d-----w- c:\windows\system32\Adobe

2010-01-10 09:39 . 2009-12-14 11:33 53248 ----a-w- c:\windows\system32\CSVer.dll

2010-01-10 01:20 . 2010-01-10 01:20 -------- d-----w- c:\program files\Driver-Soft

2010-01-09 23:58 . 2010-01-18 18:38 -------- d--h--w- c:\windows\msdownld.tmp

2010-01-09 23:57 . 2010-01-09 23:57 -------- d-----w- c:\program files\DAEMON Tools Lite

2010-01-09 23:57 . 2010-01-11 16:47 -------- d-----w- c:\program files\SystemRequirementsLab

2010-01-09 23:57 . 2010-01-11 16:47 -------- d-----w- c:\documents and settings\Jean Michel\Application Data\SystemRequirementsLab

2010-01-09 23:56 . 2010-01-09 23:56 -------- d-----w- c:\windows\Sun

2010-01-09 23:16 . 2010-01-09 23:16 -------- d-----w- c:\documents and settings\Jean Michel\Application Data\igraal

2010-01-09 22:26 . 2010-01-10 14:15 -------- d-----w- c:\program files\Intel

2010-01-09 22:22 . 2010-01-09 22:22 -------- d-----w- C:\Intel

2010-01-09 21:03 . 2010-01-09 21:03 -------- d-----w- c:\documents and settings\Jean Michel\Application Data\QUAD Utilities

2010-01-09 20:13 . 2010-01-09 23:59 -------- d-----w- C:\dxupdate

2010-01-09 12:19 . 2010-01-09 23:25 -------- d-----w- c:\windows\Logs

2010-01-09 11:50 . 2010-01-09 11:50 -------- d-----w- c:\program files\Microids

2010-01-08 20:55 . 2010-01-08 20:55 -------- d-----w- c:\documents and settings\Jean Michel\Local Settings\Application Data\Conduit

2010-01-08 20:55 . 2010-01-08 20:55 -------- d-----w- c:\program files\Alcohol Soft

2010-01-08 17:42 . 2010-01-17 16:27 -------- d-----w- c:\program files\Ubisoft

2010-01-08 17:41 . 2010-01-12 19:00 -------- d-----w- c:\program files\Fichiers communs\InstallShield

2010-01-08 16:14 . 2010-01-08 16:14 -------- d-----w- c:\documents and settings\Jean Michel\Application Data\Uniblue

2010-01-08 16:11 . 2010-01-08 16:11 691696 ----a-w- c:\windows\system32\drivers\sptd.sys

2010-01-08 16:10 . 2010-01-09 23:57 -------- d-----w- c:\documents and settings\Jean Michel\Application Data\DAEMON Tools Lite

2010-01-08 16:10 . 2010-01-08 16:10 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite

2010-01-06 11:18 . 2010-01-12 08:03 -------- d-----w- c:\program files\Internet Download Manager
.

(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-01-23 14:59 . 2004-08-10 12:00 583322 ----a-w- c:\windows\system32\perfh00C.dat

2010-01-23 14:59 . 2004-08-10 12:00 123604 ----a-w- c:\windows\system32\perfc00C.dat

2010-01-23 00:05 . 2009-08-08 17:09 -------- d-----w- c:\documents and settings\Jean Michel\Application Data\vlc

2010-01-22 16:36 . 2009-08-20 07:40 -------- d-----w- c:\documents and settings\Jean Michel\Application Data\DMCache

2010-01-22 08:57 . 2009-12-21 08:09 -------- d-----w- c:\documents and settings\Jean Michel\Application Data\IDM

2010-01-21 06:16 . 2009-12-10 10:56 -------- d-----w- c:\program files\Microsoft Silverlight

2010-01-20 18:59 . 2010-01-20 18:59 61440 ----a-w- c:\documents and settings\Jean Michel\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\759e98ee-26b58d07-n\decora-sse.dll

2010-01-20 18:59 . 2010-01-20 18:59 503808 ----a-w- c:\documents and settings\Jean Michel\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\759e98ee-26b58d07-n\msvcp71.dll

2010-01-20 18:59 . 2010-01-20 18:59 499712 ----a-w- c:\documents and settings\Jean Michel\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\759e98ee-26b58d07-n\jmc.dll

2010-01-20 18:59 . 2010-01-20 18:59 348160 ----a-w- c:\documents and settings\Jean Michel\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\759e98ee-26b58d07-n\msvcr71.dll

2010-01-20 18:59 . 2010-01-20 18:59 12800 ----a-w- c:\documents and settings\Jean Michel\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\759e98ee-26b58d07-n\decora-d3d.dll

2010-01-20 18:58 . 2010-01-20 18:58 315392 ----a-w- c:\documents and settings\Jean Michel\Application Data\Sun\Java\Deployment\SystemCache\6.0\62\6baea4fe-5edfc046-n\jogl.dll

2010-01-20 18:58 . 2010-01-20 18:58 20480 ----a-w- c:\documents and settings\Jean Michel\Application Data\Sun\Java\Deployment\SystemCache\6.0\62\6baea4fe-5edfc046-n\jogl_awt.dll

2010-01-20 18:58 . 2010-01-20 18:58 114688 ----a-w- c:\documents and settings\Jean Michel\Application Data\Sun\Java\Deployment\SystemCache\6.0\62\6baea4fe-5edfc046-n\jogl_cg.dll

2010-01-20 18:58 . 2010-01-20 18:58 20480 ----a-w- c:\documents and settings\Jean Michel\Application Data\Sun\Java\Deployment\SystemCache\6.0\45\4f710eed-58e2e8a8-n\gluegen-rt.dll

2010-01-20 18:58 . 2009-12-18 05:40 -------- d-----w- c:\program files\Java

2010-01-17 16:38 . 2009-12-20 08:26 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-01-16 20:05 . 2009-08-20 08:07 -------- d-----w- c:\documents and settings\Jean Michel\Application Data\dvdcss

2010-01-14 00:00 . 2009-09-03 17:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-01-12 08:01 . 2010-01-12 07:57 3149032 ----a-w- c:\documents and settings\Jean Michel\Application Data\IDM\idmupdt.exe

2010-01-11 16:47 . 2010-01-11 16:47 247296 ----a-w- c:\documents and settings\Jean Michel\Application Data\SystemRequirementsLab\SRLProxy_srl_4_0_11_0_d_ind.dll

2010-01-11 16:47 . 2010-01-11 16:47 247296 ----a-w- c:\documents and settings\Jean Michel\Application Data\SystemRequirementsLab\SRLProxy_srl_4_0_11_0_c_ind.dll

2010-01-11 16:47 . 2010-01-11 16:47 247296 ----a-w- c:\documents and settings\Jean Michel\Application Data\SystemRequirementsLab\SRLProxy_srl_4_0_11_0_b_ind.dll

2010-01-11 16:47 . 2010-01-11 16:47 247296 ----a-w- c:\documents and settings\Jean Michel\Application Data\SystemRequirementsLab\SRLProxy_srl_4_0_11_0_a_ind.dll

2010-01-10 20:16 . 2009-12-20 09:09 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll

2010-01-10 12:23 . 2009-08-10 13:32 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-01-09 23:58 . 2009-08-09 06:57 -------- d-----w- c:\program files\ma-config.com

2010-01-09 23:58 . 2009-08-09 06:57 -------- d-----w- c:\documents and settings\All Users\Application Data\ma-config.com

2010-01-09 23:56 . 2009-09-03 17:59 -------- d-----w- c:\program files\Microsoft Works

2010-01-09 23:56 . 2009-08-08 17:11 -------- d-----w- c:\program files\AIDA32 - Personal System Information

2010-01-08 11:14 . 2010-01-08 11:14 138240 ----a-w- c:\documents and settings\Jean Michel\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_d.dll

2010-01-08 11:14 . 2010-01-08 11:14 138240 ----a-w- c:\documents and settings\Jean Michel\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_c.dll

2010-01-08 11:14 . 2010-01-08 11:14 138240 ----a-w- c:\documents and settings\Jean Michel\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_b.dll

2010-01-08 11:14 . 2010-01-08 11:14 138240 ----a-w- c:\documents and settings\Jean Michel\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_a.dll

2010-01-06 11:19 . 2010-01-06 11:19 198064 ----a-w- c:\documents and settings\Jean Michel\Application Data\IDM\idmmzcc3\components\idmmzcc.dll

2010-01-06 09:27 . 2009-08-08 17:00 70016 ----a-w- c:\documents and settings\Jean Michel\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-12-22 05:08 . 2004-08-10 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll

2009-12-18 07:45 . 2009-12-18 07:45 161 ----a-w- C:\ipodpos.dll

2009-12-18 05:40 . 2009-12-18 05:40 152576 ----a-w- c:\documents and settings\Jean Michel\Application Data\Sun\Java\jre1.6.0_17\lzma.dll

2009-12-18 05:38 . 2009-12-18 05:38 79488 ----a-w- c:\documents and settings\Jean Michel\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll

2009-12-17 16:14 . 2009-12-18 05:41 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-12-17 15:13 . 2009-12-17 15:13 -------- d-----w- c:\documents and settings\Jean Michel\Application Data\GHISLER

2009-12-17 12:42 . 2009-12-17 12:42 25214 ----a-r- c:\documents and settings\Jean Michel\Application Data\Microsoft\Installer\{495B6040-801F-474C-ADB8-309F132CF5F9}\_29D232B856F0A1CBA486B8.exe

2009-12-17 12:42 . 2009-12-17 12:42 10398 ----a-r- c:\documents and settings\Jean Michel\Application Data\Microsoft\Installer\{495B6040-801F-474C-ADB8-309F132CF5F9}\_3324690356DD71877A1B6A.exe

2009-12-17 12:42 . 2009-12-17 12:42 -------- d-----w- c:\program files\iPhoneBrowser

2009-12-17 12:40 . 2009-12-17 12:40 -------- d-----w- c:\program files\iPhone Tunnel Suite 2.7 BETA

2009-12-17 12:18 . 2009-12-16 05:12 -------- d-----w- c:\program files\Pod to PC

2009-12-16 05:31 . 2009-12-16 05:31 -------- d-----w- c:\program files\iPhone Explorer

2009-12-14 06:49 . 2009-12-14 06:49 -------- d-----w- c:\program files\Windows Media Connect 2

2009-12-14 05:26 . 2009-08-09 07:18 -------- d-----w- c:\program files\Messenger Plus! Live

2009-12-11 19:32 . 2009-12-10 08:57 -------- d-----w- c:\documents and settings\Jean Michel\Application Data\Apple Computer

2009-12-10 13:32 . 2009-08-20 14:09 -------- d-----w- c:\program files\Webtarot

2009-12-10 12:36 . 2004-08-10 12:00 219648 ----a-w- c:\windows\system32\uxtheme.dll

2009-12-10 11:49 . 2009-12-10 11:49 -------- d-----w- c:\program files\Fichiers communs\Adobe

2009-12-10 10:56 . 2009-12-10 10:54 -------- d-----w- c:\program files\Microsoft

2009-12-10 10:56 . 2009-08-09 07:14 -------- d-----w- c:\program files\Windows Live

2009-12-10 10:55 . 2009-12-10 10:55 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition

2009-12-10 09:01 . 2009-12-10 09:01 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_netaapl_01005.Wdf

2009-12-10 09:01 . 2009-12-10 09:01 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf

2009-12-10 08:59 . 2009-12-10 08:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple

2009-12-10 08:57 . 2009-12-10 08:56 -------- d-----w- c:\program files\iTunes

2009-12-10 08:57 . 2009-12-10 08:56 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}

2009-12-10 08:56 . 2009-12-10 08:56 -------- d-----w- c:\program files\iPod

2009-12-10 08:56 . 2009-12-10 08:54 -------- d-----w- c:\program files\Fichiers communs\Apple

2009-12-10 08:56 . 2009-12-10 08:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer

2009-12-10 08:56 . 2009-12-10 08:56 -------- d-----w- c:\program files\Bonjour

2009-12-10 08:56 . 2009-12-10 08:55 -------- d-----w- c:\program files\QuickTime

2009-12-10 08:55 . 2009-12-10 08:55 -------- d-----w- c:\program files\Apple Software Update

2009-12-09 16:11 . 2009-11-01 08:41 -------- d-----w- c:\program files\OrangeHSS

2009-11-21 15:58 . 2004-08-10 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll

2009-10-29 05:25 . 2006-03-04 03:35 671232 ------w- c:\windows\system32\wininet.dll

.
((((((((((((((((((((((((((((( SnapShot@2010-01-23_12.34.49 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-01-23 15:01 . 2010-01-23 15:01 16384 c:\windows\temp\Perflib_Perfdata_15c.dat

+ 2004-08-10 12:00 . 2010-01-23 14:59 490892 c:\windows\system32\perfh009.dat

+ 2004-08-10 12:00 . 2010-01-23 14:59 101206 c:\windows\system32\perfc009.dat

+ 2004-08-10 12:00 . 2008-04-14 02:34 1037824 c:\windows\system32\dllcache\explorer.exe

.

((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés

REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Fichiers communs\Ahead\Lib\NMBgMonitor.exe" [2007-03-12 153136]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"lxdrmon.exe"="c:\program files\Lexmark 4900 Series\lxdrmon.exe" [2008-05-21 676520]

"EzPrint"="c:\program files\Lexmark 4900 Series\ezprint.exe" [2008-05-21 131752]

"ORAHSSSessionManager"="c:\program files\OrangeHSS\SessionManager\SessionManager.exe" [2007-12-12 107248]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-05-30 292136]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]

"Adobe ARM"="c:\program files\Fichiers communs\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]

"SunJavaUpdateSched"="c:\program files\Fichiers communs\Java\Java Update\jusched.exe" [2010-01-11 246504]

"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-04 186904]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-15 135168]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-15 159744]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-15 131072]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]

2009-04-24 03:16 203928 ----a-w- c:\program files\Alcohol Soft\Alcohol 120\AxCmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]

2009-03-02 12:08 209153 ----a-w- c:\program files\Avira\AntiVir Desktop\avgnt.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]

2009-10-30 11:57 369200 ----a-w- c:\program files\DAEMON Tools Lite\DTLite.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\egui]

2008-10-24 20:50 1451264 ----a-w- c:\program files\ESET\ESET Smart Security\egui.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 02:34 1695232 ------w- c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

2007-03-09 16:53 153136 ----a-w- c:\program files\Fichiers communs\Ahead\Lib\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"ekrn"=2 (0x2)

"EhttpSrv"=3 (0x3)

"AntiVirService"=2 (0x2)

"AntiVirSchedulerService"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\lxdrcoms.exe"=

"c:\\Program Files\\OrangeHSS\\Connectivity\\ConnectivityManager.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\iPhone Tunnel Suite 2.7 BETA\\iTunnel\\iTunnel.exe"=

"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
R2 lxdr_device;lxdr_device;c:\windows\system32\lxdrcoms.exe -service --> c:\windows\system32\lxdrcoms.exe -service [?]

S3 gtermddo;gtermddo;\??\c:\docume~1\JEANMI~1\LOCALS~1\Temp\gtermddo.sys --> c:\docume~1\JEANMI~1\LOCALS~1\Temp\gtermddo.sys [?]

S3 maconfservice;Ma-Config Service;c:\program files\ma-config.com\maconfservice.exe [17/12/2009 19:00 243056]

S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [10/12/2009 09:54 17408]

S4 AntiVirSchedulerService;Avira AntiVir Planificateur;c:\program files\Avira\AntiVir Desktop\sched.exe [20/01/2010 15:25 108289]

S4 ekrn;Eset Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [21/12/2007 09:21 468224]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [08/01/2010 17:11 691696]

.

.

------- Supplementary scan -------

.

uStart Page = hxxp://google.fr/

mWindow Title =

uInternet Settings,ProxyOverride = *.local

IE: E&xporter vers Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

IE: Télécharger avec IDM - c:\program files\Internet Download Manager\IEExt.htm

IE: Télécharger le contenu de video FLV avec IDM - c:\program files\Internet Download Manager\IEGetVL.htm

IE: Télécharger tous les liens avec IDM - c:\program files\Internet Download Manager\IEGetAll.htm

Trusted Zone: mappy.com

Trusted Zone: orange.fr

Trusted Zone: voila.fr\rw.search.ke

Trusted Zone: weborama.fr\orange

.

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-01-23 16:02

Windows 5.1.2600 Service Pack 3 NTFS

 

Scanning for hidden processes ...

 

Scanning for hidden autostart entries ...

 

Scanning for hidden files ...

 

Scan completed successfully

Hidden files: 0

 

**************************************************************************

 

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

 

device: opened successfully

user: MBR read successfully

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x865E7150]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xf7602f28

\Driver\ACPI -> ACPI.sys @ 0xf7474cb8

\Driver\atapi -> atapi.sys @ 0xf73f4852

\Driver\iaStor -> 0x865e7150

IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022

ParseProcedure -> ntkrnlpa.exe @ 0x80577c84

\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022

ParseProcedure -> ntkrnlpa.exe @ 0x80577c84

NDIS: Réseau local Broadcom 802.11b/g -> SendCompleteHandler -> NDIS.sys @ 0xf720ebb0

PacketIndicateHandler -> NDIS.sys @ 0xf721ba21

SendHandler -> NDIS.sys @ 0xf71f987b

Warning: possible MBR rootkit infection !

user & kernel MBR OK

 

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]

@Denied: (Full) (Everyone)

"scansk"=hex(0):84,40,8c,45,6e,07,ad,4e,5e,50,66,e5,4e,a1,14,b5,15,c9,3d,34,9a,

a3,b3,f4,1d,6c,fc,e7,3e,f5,c4,3a,fa,0d,63,14,87,17,41,38,00,00,00,00,00,00,\

 

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{8b9f29eb-a9bc-4695-97ad-7603c028e8b0}]

@Denied: (Full) (Everyone)

"Model"=dword:00000130

"Therad"=dword:00000020

"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,

38,95,44,85,b1,12,f9,90,dd,23,a1,49,8c,bf,1a,9d,fe,41,71,cb,3f,46,a4,7c,ab,\

.

--------------------- DLLs loaded in running processes ---------------------

 

- - - - - - - > 'winlogon.exe'(912)

c:\windows\system32\SETUPAPI.dll

c:\windows\system32\sfc_os.dll

c:\windows\system32\cscui.dll

c:\windows\system32\COMRes.dll

 

- - - - - - - > 'lsass.exe'(1044)

c:\windows\system32\setupapi.dll

c:\windows\system32\scecli.dll

c:\windows\system32\psbase.dll

 

- - - - - - - > 'explorer.exe'(3988)

c:\windows\system32\COMRes.dll

c:\windows\System32\cscui.dll

c:\windows\system32\msi.dll

c:\windows\system32\SETUPAPI.dll

c:\windows\system32\NETSHELL.dll

c:\windows\system32\credui.dll

c:\windows\system32\eappprxy.dll

c:\windows\system32\WPDShServiceObj.dll

c:\program files\WinSCP\DragExt.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other running processes ------------------------

.

c:\windows\system32\igfxsrvc.exe

c:\program files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\eHome\ehRecvr.exe

c:\windows\eHome\ehSched.exe

c:\progra~1\FICHIE~1\France Telecom\Shared Modules\FTRTSVC\0\FTRTSVC.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\lxdrcoms.exe

c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe

c:\windows\ehome\mcrdsvc.exe

c:\program files\Fichiers communs\Ahead\Lib\NMIndexingService.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\Fichiers communs\Ahead\Lib\NMIndexStoreSvr.exe

c:\windows\system32\dllhost.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\wbem\wmiapsrv.exe

.

**************************************************************************

.

End time: 2010-01-23 16:06:36 - The machine was rebooted

ComboFix-quarantined-files.txt 2010-01-23 15:06

ComboFix2.txt 2010-01-23 14:29

ComboFix3.txt 2010-01-23 12:39

ComboFix4.txt 2010-01-23 10:53

ComboFix5.txt 2010-01-23 14:50

 

Before-CF: 18 813 911 040 bytes free

After-CF: 18 777 800 704 bytes free

 

- - End Of File - - 07F5A58E1E38A6861BEAF4F13505D9F3
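Two things in the log above are worth checking mechanically rather than by eye: the service list (which binaries load from a Temp directory, and which have no file metadata, shown as `[?]`), and the Gmer MBR section, where the `>>UNKNOWN [0x865E7150]<<` module address is the same address as the `\Driver\iaStor -> 0x865e7150` hook. iaStor is the Intel storage driver belonging to the Intel Matrix Storage Manager that appears elsewhere in this log, and the closing `user & kernel MBR OK` line means the two reads of the MBR agreed. Whether that makes the "possible MBR rootkit" warning a false positive is an interpretation the tool itself does not make; the script only makes the correlation explicit. This is an added example, not part of the thread and not code from ComboFix or Gmer; both sample texts are constructed in the shape of the logs quoted above.

```python
"""Triage helpers for ComboFix service lines and Gmer mbr.exe output.

Added example: not part of the thread and not code from either tool.
Both samples below are constructed in the shape of the logs quoted above.
"""
import re

# Constructed sample of ComboFix's "Rn/Sn name;display;path [metadata]" service lines.
COMBOFIX_SERVICES = r"""
R2 lxdr_device;lxdr_device;c:\windows\system32\lxdrcoms.exe -service --> c:\windows\system32\lxdrcoms.exe -service [?]
S3 gtermddo;gtermddo;\??\c:\docume~1\JEANMI~1\LOCALS~1\Temp\gtermddo.sys --> c:\docume~1\JEANMI~1\LOCALS~1\Temp\gtermddo.sys [?]
S3 maconfservice;Ma-Config Service;c:\program files\ma-config.com\maconfservice.exe [17/12/2009 19:00 243056]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [08/01/2010 17:11 691696]
"""

# Constructed sample of the Gmer MBR detector section.
MBR_REPORT = r"""
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x865E7150]<<
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7602f28
\Driver\atapi -> atapi.sys @ 0xf73f4852
\Driver\iaStor -> 0x865e7150
Warning: possible MBR rootkit infection !
user & kernel MBR OK
"""

SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<body>.*?)\s+\[(?P<meta>[^\]]*)\]$")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<")
HOOK_RE = re.compile(r"^\\Driver\\(?P<drv>\S+) -> (?:\S+ @ )?(?P<addr>0x[0-9a-fA-F]+)$")


def parse_services(text):
    """One dict per service line: start type, service name, resolved path, metadata."""
    rows = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        # ComboFix prints "image path --> resolved path" when it normalised the path.
        path = m.group("body").split(" --> ")[-1]
        rows.append({"start": m.group("start"), "name": m.group("name"),
                     "path": path, "meta": m.group("meta")})
    return rows


def flag_services(rows):
    """The two checks applied by eye above: load location and file metadata."""
    findings = []
    for r in rows:
        if "\\temp\\" in r["path"].lower():
            findings.append((r["name"], "binary loads from a Temp directory"))
        if r["meta"] == "?":
            # "[?]": ComboFix could not stat the file. Missing or hidden is the usual
            # reason, but a trailing argument such as " -service" produces it too.
            findings.append((r["name"], "no file metadata ([?])"))
    return findings


def resolve_unknown_modules(report):
    """Map each >>UNKNOWN [addr]<< to the \\Driver\\X hook that targets the same address.

    mbr.exe prints UNKNOWN when a dispatch address is outside the modules it
    recognises; the hook list that follows usually names the driver owning it.
    """
    hooks = {}
    for line in report.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            hooks[int(m.group("addr"), 16)] = m.group("drv")
    return {addr: hooks.get(int(addr, 16)) for addr in UNKNOWN_RE.findall(report)}


def mbr_intact(report):
    """True when the user-mode and kernel-mode reads of the MBR agreed."""
    return "user & kernel MBR OK" in report


def triage(services_text, report):
    return {"services": flag_services(parse_services(services_text)),
            "unknown_modules": resolve_unknown_modules(report),
            "mbr_intact": mbr_intact(report)}


if __name__ == "__main__":
    import pprint
    pprint.pprint(triage(COMBOFIX_SERVICES, MBR_REPORT))
```

Run against the constructed samples, `triage` reports gtermddo twice (Temp directory, no metadata), lxdr_device once (no metadata, because of the ` -service` argument), resolves the unknown address to `iaStor`, and returns `mbr_intact` as true.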

Posted

This time, there are no more patched files :P

Online scan

NOTE: The online scan must be done with Internet Explorer.

Disable the current antivirus

 

Note that this scan examines, but does not disinfect

Kaspersky

Under Vista, you must disable UAC, right-click Internet Explorer / Run as administrator and paste the Kaspersky URL

http://www.kaspersky.com/kos/eng/partner/d...kavwebscan.html

Empty the Recycle Bin.

* Click Accept

* A yellow bar will ask you to accept the installation of Kavwebscan_Unicode.cab; install the ActiveX.

* Click "Accept" once more

* The update databases will install; wait a moment

* Click Next.

* Click My Computer; the scan starts;

wait for the scan to finish without closing the window, otherwise it will stop.

At the end of the scan, if infected objects are found, click Save report as...

Choose Desktop, name the report "rapport Kaspersky", and in the save-as-type field choose "text files"; save the report.

Copy/paste the entire open text file: right-click on it, select all/copy.

Paste this report in your reply on the forum.

 

Posted

Hello Pear, igraal has disappeared but Fast Browser Search is still there.

 

 

 

KASPERSKY ONLINE SCANNER 7.0: scan report

Sunday, January 24, 2010

Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Sunday, January 24, 2010 08:28:45

Records in database: 3364342

 

Scan settings

scan using the following database extended

Scan archives yes

Scan e-mail databases yes

 

Scan area My Computer

C:\

 

Scan statistics

Objects scanned 66914

Threats found 1

Infected objects found 1

Suspicious objects found 0

Scan duration 04:26:06

 

File name Threat Threats count

C:\System Volume Information\_restore{E42DC670-1A7B-4433-B545-E19C665E941F}\RP121\A0050772.dll Infected: Packed.Win32.Krap.ag 1

 

Selected area has been scanned.

Posted

Hello,

Turn off System Restore.

 

My Computer->Properties->System Restore.

Check the box "Turn off System Restore on all drives".

You will uncheck it afterwards

A new restore point will be created on reboot.
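The single Kaspersky hit above sits inside a System Restore snapshot (`_restore{...}\RP121\`). A file there is an archived copy that Windows never loads from that location, which is why the advice is to turn System Restore off and back on (discarding every restore point) rather than delete anything by hand. As an added example, not from the thread and not a Kaspersky tool, the script below sorts detections in a report of this shape by where the flagged file lives, so the same decision can be made on a longer report. The first report is the detection posted above; the second extends it with two constructed lines (placeholder `Constructed.*` threat names) to exercise the other outcomes.

```python
"""Sort Kaspersky Online Scanner detections by where the flagged file lives.

Added example; not part of the thread and not a Kaspersky tool. THREAD_REPORT
reproduces the detection posted above; MIXED_REPORT adds constructed lines.
"""
import re

THREAD_REPORT = r"""
File name Threat Threats count
C:\System Volume Information\_restore{E42DC670-1A7B-4433-B545-E19C665E941F}\RP121\A0050772.dll Infected: Packed.Win32.Krap.ag 1

Selected area has been scanned.
"""

# Constructed: the real line plus two invented ones with placeholder threat names.
MIXED_REPORT = THREAD_REPORT + r"""
C:\Documents and Settings\Jean Michel\Local Settings\Temp\sample.exe Infected: Constructed.Temp 1
C:\WINDOWS\system32\drivers\sample.sys Infected: Constructed.Live 1
"""

DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?:Infected|Suspicious):\s+(?P<threat>\S+)\s+(?P<count>\d+)$")
# System Restore keeps its copies under System Volume Information\_restore{GUID}\RPnnn\
RESTORE_POINT_RE = re.compile(
    r"\\system volume information\\_restore\{[0-9a-f-]+\}\\rp(\d+)\\", re.IGNORECASE)
TEMP_DIRS = ("\\temp\\", "\\temporary internet files\\", "\\sun\\java\\deployment\\cache\\")


def parse_report(text):
    """Return (path, threat, count) for every detection line in the report."""
    hits = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("threat"), int(m.group("count"))))
    return hits


def classify(path):
    """restore_point: an archived snapshot copy, never executed from there;
    temp: a cache or temp file that can simply be deleted;
    live: anywhere else, i.e. a file the system may actually load."""
    if RESTORE_POINT_RE.search(path):
        return "restore_point"
    low = path.lower()
    if any(d in low for d in TEMP_DIRS):
        return "temp"
    return "live"


def summarize(text):
    """Group detections by class."""
    groups = {"restore_point": [], "temp": [], "live": []}
    for path, threat, _count in parse_report(text):
        groups[classify(path)].append((path, threat))
    return groups


def only_restore_points(text):
    """True when every hit is a snapshot copy: the fix is to turn System
    Restore off and back on, which discards the restore points."""
    groups = summarize(text)
    return bool(groups["restore_point"]) and not groups["temp"] and not groups["live"]


if __name__ == "__main__":
    for name, report in (("thread", THREAD_REPORT), ("mixed", MIXED_REPORT)):
        print(name, summarize(report), "only restore points:", only_restore_points(report))
```

For the report posted above `only_restore_points` is true; for the mixed sample it is false, because the constructed `drivers\sample.sys` entry is classified as live and would need to be dealt with directly.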

Posted

Uncheck it and you're done.

If you consider your problem solved, edit the title of your first message and mark it Résolu so that those searching for it find a solution.

Posted

Combo, Cleanup

Disconnect from the Internet and disable the antivirus (just for the duration of the procedure!)

Connect all removable drives (external hard drive, USB stick).

In some circumstances, Safe Mode may be necessary

Check that the antivirus is indeed disabled, since a reboot re-enables it

Open ComboFix

# In Notepad, copy/paste these lines:

KillAll::

Folder::

Driver::

Bonjour service

File::

c:\docume~1\JEANMI~1\LOCALS~1\Temp\gtermddo.sys

c:\docume~1\JEANMI~1\LOCALS~1\Temp\NotifierSetup.exe

c:\program files\Bonjour\mDNSResponder.exe

Fcopy::

Rootkit::

Registry::

[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]

Iminent.Notifier Install =-

* Warning: this script was written specifically for this user; it would be dangerous to reuse it in other cases!

Save it under the name CFScript.txt

* Drag and drop this CFScript file onto ComboFix.exe

 

* At the message that appears in a blue window (Type 1 to continue, or 2 to abort), type 1 and confirm.

* Wait for the scan to finish. The desktop will disappear several times: this is normal!

Do not touch anything until the scan is complete.

* Once the scan is complete, a report will be displayed: post its contents.

* If the file does not appear, it is located here > C:\ComboFix.txt

 

 

Download TFC by OldTimer to your Desktop

Double-click TFC.exe to run it.

Under Vista, right-click the file and choose Run as Administrator

The tool will close all programs while it runs, so make sure you have saved all your work beforehand.

Click the Start button to launch the process.

Depending on how often you delete your temporary files, this can take from a few seconds to a minute or two.

Let the program run without interrupting it.

When it has finished, the tool should reboot your system to complete the cleanup.

If it does not, reboot the PC manually

 

If after that you still see the intruder, please specify where.
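A CFScript of the kind posted above is a list of `Section::` headers, each followed by one entry per line, and ComboFix acts on it without asking. As an added example (not from the thread and not ComboFix's own code), here is a parser and checker for that format implementing the review a practitioner would do before dropping such a script on ComboFix.exe: `File::` and `Folder::` entries must be absolute paths; entries under Program Files get a reminder to confirm the file is not a vendor component (`mDNSResponder.exe` above is Apple's Bonjour service); `Driver::` names are cross-checked against the service names from the ComboFix log when a list is supplied; and `Registry::` value lines must follow REGEDIT4 syntax, in which a value to delete is written `"name"=-` with the name in double quotes. The script posted above is reproduced as the constructed input; the `known_services` list in the usage is an assumption taken from the service lines of the ComboFix log.

```python
"""Parse and sanity-check a ComboFix CFScript before it is dropped on ComboFix.exe.

Added example; not part of the thread and not ComboFix's own checker.
THREAD_SCRIPT reproduces the script posted above as constructed input.
"""
import re

THREAD_SCRIPT = r"""
KillAll::
Folder::
Driver::
Bonjour service
File::
c:\docume~1\JEANMI~1\LOCALS~1\Temp\gtermddo.sys
c:\docume~1\JEANMI~1\LOCALS~1\Temp\NotifierSetup.exe
c:\program files\Bonjour\mDNSResponder.exe
Fcopy::
Rootkit::
Registry::
[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
Iminent.Notifier Install =-
"""

SECTION_RE = re.compile(r"^(?P<name>[A-Za-z]+)::$")
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\\S")
REG_KEY_RE = re.compile(r"^\[(?:HK(?:LM|CU|CR|U|CC)|HKEY_[A-Z_]+)\\[^\]]+\]$")
# REGEDIT4 value lines: "name"=data, "name"=- (delete), or @=... for the default value
REG_VALUE_RE = re.compile(r'^(?:"[^"]+"|@)=.*$')


def parse_cfscript(text):
    """Split a CFScript into {section: [entries]}, keeping section and entry order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
        else:
            raise ValueError("entry before any section header: %r" % line)
    return sections


def validate(text, known_services=()):
    """Return (section, entry, message) triples for entries a reviewer should look at twice."""
    issues = []
    known = {s.lower() for s in known_services}
    for name, entries in parse_cfscript(text).items():
        if name in ("File", "Folder"):
            for e in entries:
                if not ABS_PATH_RE.match(e):
                    issues.append((name, e, "not an absolute path; ComboFix will not resolve it"))
                elif "\\program files\\" in e.lower():
                    issues.append((name, e, "under Program Files: confirm it is malicious, not a vendor component"))
        elif name == "Driver" and known:
            for e in entries:
                if e.lower() not in known:
                    issues.append((name, e, "service name does not appear in the ComboFix log"))
        elif name == "Registry":
            if entries and not REG_KEY_RE.match(entries[0]):
                issues.append((name, entries[0], "Registry:: must start with a [key] line"))
            for e in entries:
                if REG_KEY_RE.match(e) or REG_VALUE_RE.match(e):
                    continue
                issues.append((name, e, 'value name must be double-quoted in REGEDIT4 syntax, e.g. "name"=-'))
    return issues


if __name__ == "__main__":
    # Assumed list, taken from the service lines in the ComboFix log above.
    for issue in validate(THREAD_SCRIPT, known_services=["Bonjour Service", "gtermddo", "sptd"]):
        print("%-8s %-60s %s" % issue)
```

On the script above this reports exactly two items: the unquoted `Iminent.Notifier Install =-` registry line, and the Program Files reminder for `mDNSResponder.exe`. The Temp paths and the `Bonjour service` driver name pass.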

Posted

ComboFix still keeps detecting a rootkit; here is the report:

 

ComboFix 10-01-20.06 - Jean Michel 24/01/2010 17:34:20.8.1 - x86

Microsoft Windows XP Professionnel 5.1.2600.3.1252.33.1036.18.1014.687 [GMT 1:00]

Run from: c:\documents and settings\Jean Michel\Bureau\ComboFix.exe

Switches used :: c:\documents and settings\Jean Michel\Bureau\CFScript.txt

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

AV: ESET Smart Security 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

 

FILE ::

"c:\docume~1\JEANMI~1\LOCALS~1\Temp\gtermddo.sys"

"c:\docume~1\JEANMI~1\LOCALS~1\Temp\NotifierSetup.exe"

"c:\program files\Bonjour\mDNSResponder.exe"

.

 

(((((((((((((((((((((((((((((((((((( Other deletions ))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

c:\program files\Bonjour\mDNSResponder.exe

 

----- BITS: Possibly infected sites -----

 

hxxp://armmf.adobe.com

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Legacy_BONJOUR_SERVICE

-------\Service_Bonjour Service

 

 

((((((((((((((((((((((((((((( Files created from 2009-12-24 to 2010-01-24 ))))))))))))))))))))))))))))))))))))

.

 

2010-01-23 14:04 . 2010-01-23 14:04 -------- d-----w- C:\tdsskiller

2010-01-23 11:58 . 2010-01-23 12:04 -------- d-----w- C:\Gmer

2010-01-22 17:19 . 2010-01-22 17:19 -------- d-----w- c:\program files\Fichiers communs\DivX Shared

2010-01-22 17:19 . 2010-01-22 17:19 -------- d-----w- c:\program files\DivX

2010-01-21 17:52 . 2010-01-21 17:52 -------- d-----w- c:\documents and settings\Jean Michel\Local Settings\Application Data\ESET

2010-01-20 18:59 . 2010-01-20 18:59 61440 ----a-w- c:\documents and settings\Jean Michel\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\759e98ee-26b58d07-n\decora-sse.dll

2010-01-20 18:59 . 2010-01-20 18:59 503808 ----a-w- c:\documents and settings\Jean Michel\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\759e98ee-26b58d07-n\msvcp71.dll

2010-01-20 18:59 . 2010-01-20 18:59 499712 ----a-w- c:\documents and settings\Jean Michel\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\759e98ee-26b58d07-n\jmc.dll

2010-01-20 18:59 . 2010-01-20 18:59 348160 ----a-w- c:\documents and settings\Jean Michel\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\759e98ee-26b58d07-n\msvcr71.dll

2010-01-20 18:59 . 2010-01-20 18:59 12800 ----a-w- c:\documents and settings\Jean Michel\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\759e98ee-26b58d07-n\decora-d3d.dll

2010-01-20 18:58 . 2010-01-20 18:58 -------- d-----w- c:\program files\Fichiers communs\Java

2010-01-20 18:58 . 2010-01-20 18:58 315392 ----a-w- c:\documents and settings\Jean Michel\Application Data\Sun\Java\Deployment\SystemCache\6.0\62\6baea4fe-5edfc046-n\jogl.dll

2010-01-20 18:58 . 2010-01-20 18:58 20480 ----a-w- c:\documents and settings\Jean Michel\Application Data\Sun\Java\Deployment\SystemCache\6.0\62\6baea4fe-5edfc046-n\jogl_awt.dll

2010-01-20 18:58 . 2010-01-20 18:58 114688 ----a-w- c:\documents and settings\Jean Michel\Application Data\Sun\Java\Deployment\SystemCache\6.0\62\6baea4fe-5edfc046-n\jogl_cg.dll

2010-01-20 18:58 . 2010-01-20 18:58 20480 ----a-w- c:\documents and settings\Jean Michel\Application Data\Sun\Java\Deployment\SystemCache\6.0\45\4f710eed-58e2e8a8-n\gluegen-rt.dll

2010-01-20 17:25 . 2010-01-20 17:38 -------- d-----w- C:\Ad-Remover

2010-01-20 16:09 . 2010-01-21 08:14 -------- d-----w- C:\ToolBar SD

2010-01-20 14:25 . 2010-01-20 15:27 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2010-01-20 14:25 . 2009-03-30 09:32 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys

2010-01-20 14:25 . 2009-02-13 11:28 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2010-01-20 14:25 . 2009-02-13 11:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2010-01-20 14:25 . 2010-01-20 14:25 -------- d-----w- c:\program files\Avira

2010-01-20 14:25 . 2010-01-20 14:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2010-01-20 12:01 . 2010-01-20 12:01 -------- d-----w- c:\documents and settings\Administrateur\Application Data\Malwarebytes

2010-01-20 11:51 . 2010-01-20 11:51 -------- d-----w- c:\documents and settings\Jean Michel\Application Data\Malwarebytes

2010-01-20 11:51 . 2010-01-07 15:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-20 11:51 . 2010-01-20 11:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-01-20 11:51 . 2010-01-07 15:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-01-20 11:51 . 2010-01-20 11:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-01-20 10:20 . 2010-01-20 10:20 -------- d-----w- c:\program files\CCleaner

2010-01-19 21:31 . 2010-01-19 21:31 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET

2010-01-19 09:20 . 2010-01-19 09:20 -------- d-----w- c:\documents and settings\Jean Michel\Application Data\ESET

2010-01-19 09:18 . 2010-01-19 09:18 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET

2010-01-19 08:54 . 2010-01-19 13:42 -------- d-----w- c:\documents and settings\Jean Michel\Application Data\QuickScan

2010-01-19 07:12 . 2010-01-19 09:18 -------- d-----w- c:\program files\ESET

2010-01-17 21:34 . 2010-01-18 11:08 -------- d-----w- c:\documents and settings\Jean Michel\Application Data\The Path

2010-01-16 18:29 . 2010-01-16 19:10 -------- d-----w- c:\program files\Postal2STP

2010-01-16 15:55 . 2010-01-16 15:55 -------- d-----w- c:\windows\system32\wbem\Repository

2010-01-16 15:48 . 2010-01-20 15:10 -------- d-----w- c:\program files\RegCleaner

2010-01-16 15:29 . 2010-01-16 15:29 -------- d-----w- C:\ProgramData

2010-01-16 15:29 . 2010-01-16 15:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Electronic Arts

2010-01-16 15:13 . 2010-01-16 15:13 -------- d-----w- c:\program files\Intel Corporation

2010-01-14 23:20 . 2010-01-14 23:20 -------- d-----w- c:\program files\Micro Application

2010-01-13 23:01 . 2010-01-13 23:01 0 ----a-w- c:\windows\PowerReg.dat

2010-01-13 20:35 . 2010-01-13 20:35 -------- d-----w- c:\program files\Hobbyist Software

2010-01-13 10:55 . 2008-02-15 11:49 184320 ----a-w- c:\windows\system32\igfxres.dll

2010-01-12 20:45 . 2010-01-19 15:28 -------- d-----w- c:\documents and settings\Jean Michel\Application Data\uTorrent

2010-01-12 19:57 . 2010-01-12 19:57 98304 ----a-w- c:\windows\system32\CmdLineExt.dll

2010-01-12 12:06 . 2010-01-12 12:06 -------- d-----w- c:\program files\WinSCP

2010-01-12 07:57 . 2010-01-12 08:01 3149032 ----a-w- c:\documents and settings\Jean Michel\Application Data\IDM\idmupdt.exe

2010-01-12 07:35 . 2010-01-14 12:50 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-01-12 07:35 . 2010-01-14 12:51 -------- d-----w- c:\documents and settings\All Users\Application Data\SpeedBit

2010-01-12 07:35 . 2010-01-14 12:51 -------- d-----w- c:\program files\DAP

2010-01-11 20:54 . 2010-01-11 21:14 -------- d-----w- c:\program files\Ludi

2010-01-11 18:06 . 2010-01-11 18:06 -------- d-----w- c:\program files\Lavalys

2010-01-11 16:47 . 2010-01-11 16:47 247296 ----a-w- c:\documents and settings\Jean Michel\Application Data\SystemRequirementsLab\SRLProxy_srl_4_0_11_0_d_ind.dll

2010-01-11 16:47 . 2010-01-11 16:47 247296 ----a-w- c:\documents and settings\Jean Michel\Application Data\SystemRequirementsLab\SRLProxy_srl_4_0_11_0_c_ind.dll

2010-01-11 16:47 . 2010-01-11 16:47 247296 ----a-w- c:\documents and settings\Jean Michel\Application Data\SystemRequirementsLab\SRLProxy_srl_4_0_11_0_b_ind.dll

2010-01-11 16:47 . 2010-01-11 16:47 247296 ----a-w- c:\documents and settings\Jean Michel\Application Data\SystemRequirementsLab\SRLProxy_srl_4_0_11_0_a_ind.dll

2010-01-11 13:15 . 2000-07-14 22:00 101888 ----a-w- c:\windows\system32\VB6STKIT.DLL

2010-01-10 14:09 . 2008-04-14 03:05 14720 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys

2010-01-10 14:09 . 2008-04-14 03:05 14720 ----a-w- c:\windows\system32\drivers\kbdhid.sys

2010-01-10 12:20 . 2010-01-10 12:20 -------- d-----w- c:\program files\Hp

2010-01-10 12:20 . 2010-01-11 12:47 -------- d-----w- c:\documents and settings\Jean Michel\Application Data\HpUpdate

2010-01-10 12:20 . 2010-01-10 12:20 -------- d-----w- c:\windows\Hewlett-Packard

2010-01-10 11:37 . 2010-01-10 11:37 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters

2010-01-10 11:17 . 2010-01-10 11:17 -------- d-----w- c:\windows\system32\Adobe

2010-01-10 09:39 . 2009-12-14 11:33 53248 ----a-w- c:\windows\system32\CSVer.dll

2010-01-10 01:20 . 2010-01-10 01:20 -------- d-----w- c:\program files\Driver-Soft

2010-01-09 23:58 . 2010-01-18 18:38 -------- d--h--w- c:\windows\msdownld.tmp

2010-01-09 23:57 . 2010-01-09 23:57 -------- d-----w- c:\program files\DAEMON Tools Lite

2010-01-09 23:57 . 2010-01-11 16:47 -------- d-----w- c:\program files\SystemRequirementsLab

2010-01-09 23:57 . 2010-01-11 16:47 -------- d-----w- c:\documents and settings\Jean Michel\Application Data\SystemRequirementsLab

2010-01-09 23:56 . 2010-01-09 23:56 -------- d-----w- c:\windows\Sun

2010-01-09 23:16 . 2010-01-09 23:16 -------- d-----w- c:\documents and settings\Jean Michel\Application Data\igraal

2010-01-09 22:26 . 2010-01-10 14:15 -------- d-----w- c:\program files\Intel

2010-01-09 22:22 . 2010-01-09 22:22 -------- d-----w- C:\Intel

2010-01-09 21:03 . 2010-01-09 21:03 -------- d-----w- c:\documents and settings\Jean Michel\Application Data\QUAD Utilities

2010-01-09 20:13 . 2010-01-09 23:59 -------- d-----w- C:\dxupdate

2010-01-09 12:19 . 2010-01-09 23:25 -------- d-----w- c:\windows\Logs

2010-01-09 11:50 . 2010-01-09 11:50 -------- d-----w- c:\program files\Microids

2010-01-08 20:55 . 2010-01-08 20:55 -------- d-----w- c:\documents and settings\Jean Michel\Local Settings\Application Data\Conduit

2010-01-08 20:55 . 2010-01-08 20:55 -------- d-----w- c:\program files\Alcohol Soft

2010-01-08 17:42 . 2010-01-17 16:27 -------- d-----w- c:\program files\Ubisoft

2010-01-08 17:41 . 2010-01-12 19:00 -------- d-----w- c:\program files\Fichiers communs\InstallShield

2010-01-08 16:14 . 2010-01-08 16:14 -------- d-----w- c:\documents and settings\Jean Michel\Application Data\Uniblue

2010-01-08 16:11 . 2010-01-08 16:11 691696 ----a-w- c:\windows\system32\drivers\sptd.sys

2010-01-08 16:10 . 2010-01-09 23:57 -------- d-----w- c:\documents and settings\Jean Michel\Application Data\DAEMON Tools Lite

2010-01-08 16:10 . 2010-01-08 16:10 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite

2010-01-08 11:14 . 2010-01-08 11:14 138240 ----a-w- c:\documents and settings\Jean Michel\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_d.dll

2010-01-08 11:14 . 2010-01-08 11:14 138240 ----a-w- c:\documents and settings\Jean Michel\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_c.dll

2010-01-08 11:14 . 2010-01-08 11:14 138240 ----a-w- c:\documents and settings\Jean Michel\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_b.dll

2010-01-08 11:14 . 2010-01-08 11:14 138240 ----a-w- c:\documents and settings\Jean Michel\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_a.dll

2010-01-06 11:19 . 2010-01-06 11:19 198064 ----a-w- c:\documents and settings\Jean Michel\Application Data\IDM\idmmzcc3\components\idmmzcc.dll

2010-01-06 11:18 . 2010-01-12 08:03 -------- d-----w- c:\program files\Internet Download Manager

 

.

(((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-01-24 16:39 . 2009-12-10 08:56 -------- d-----w- c:\program files\Bonjour

2010-01-24 16:38 . 2004-08-10 12:00 584356 ----a-w- c:\windows\system32\perfh00C.dat

2010-01-24 16:38 . 2004-08-10 12:00 124190 ----a-w- c:\windows\system32\perfc00C.dat

2010-01-24 00:20 . 2009-08-08 17:09 -------- d-----w- c:\documents and settings\Jean Michel\Application Data\vlc

2010-01-23 18:53 . 2009-08-20 07:40 -------- d-----w- c:\documents and settings\Jean Michel\Application Data\DMCache

2010-01-22 08:57 . 2009-12-21 08:09 -------- d-----w- c:\documents and settings\Jean Michel\Application Data\IDM

2010-01-21 06:16 . 2009-12-10 10:56 -------- d-----w- c:\program files\Microsoft Silverlight

2010-01-20 18:58 . 2009-12-18 05:40 -------- d-----w- c:\program files\Java

2010-01-17 16:38 . 2009-12-20 08:26 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-01-16 20:05 . 2009-08-20 08:07 -------- d-----w- c:\documents and settings\Jean Michel\Application Data\dvdcss

2010-01-14 00:00 . 2009-09-03 17:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-01-10 20:16 . 2009-12-20 09:09 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll

2010-01-10 12:23 . 2009-08-10 13:32 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-01-09 23:58 . 2009-08-09 06:57 -------- d-----w- c:\program files\ma-config.com

2010-01-09 23:58 . 2009-08-09 06:57 -------- d-----w- c:\documents and settings\All Users\Application Data\ma-config.com

2010-01-09 23:56 . 2009-09-03 17:59 -------- d-----w- c:\program files\Microsoft Works

2010-01-09 23:56 . 2009-08-08 17:11 -------- d-----w- c:\program files\AIDA32 - Personal System Information

2010-01-06 09:27 . 2009-08-08 17:00 70016 ----a-w- c:\documents and settings\Jean Michel\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-12-22 05:09 . 2006-03-04 03:35 671232 ----a-w- c:\windows\system32\wininet.dll

2009-12-22 05:08 . 2004-08-10 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll

2009-12-18 07:45 . 2009-12-18 07:45 161 ----a-w- C:\ipodpos.dll

2009-12-18 05:40 . 2009-12-18 05:40 152576 ----a-w- c:\documents and settings\Jean Michel\Application Data\Sun\Java\jre1.6.0_17\lzma.dll

2009-12-18 05:38 . 2009-12-18 05:38 79488 ----a-w- c:\documents and settings\Jean Michel\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll

2009-12-17 16:14 . 2009-12-18 05:41 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-12-17 15:13 . 2009-12-17 15:13 -------- d-----w- c:\documents and settings\Jean Michel\Application Data\GHISLER

2009-12-17 12:42 . 2009-12-17 12:42 25214 ----a-r- c:\documents and settings\Jean Michel\Application Data\Microsoft\Installer\{495B6040-801F-474C-ADB8-309F132CF5F9}\_29D232B856F0A1CBA486B8.exe

2009-12-17 12:42 . 2009-12-17 12:42 10398 ----a-r- c:\documents and settings\Jean Michel\Application Data\Microsoft\Installer\{495B6040-801F-474C-ADB8-309F132CF5F9}\_3324690356DD71877A1B6A.exe

2009-12-17 12:42 . 2009-12-17 12:42 -------- d-----w- c:\program files\iPhoneBrowser

2009-12-17 12:40 . 2009-12-17 12:40 -------- d-----w- c:\program files\iPhone Tunnel Suite 2.7 BETA

2009-12-17 12:18 . 2009-12-16 05:12 -------- d-----w- c:\program files\Pod to PC

2009-12-16 05:31 . 2009-12-16 05:31 -------- d-----w- c:\program files\iPhone Explorer

2009-12-14 06:49 . 2009-12-14 06:49 -------- d-----w- c:\program files\Windows Media Connect 2

2009-12-14 05:26 . 2009-08-09 07:18 -------- d-----w- c:\program files\Messenger Plus! Live

2009-12-11 19:32 . 2009-12-10 08:57 -------- d-----w- c:\documents and settings\Jean Michel\Application Data\Apple Computer

2009-12-10 13:32 . 2009-08-20 14:09 -------- d-----w- c:\program files\Webtarot

2009-12-10 12:36 . 2004-08-10 12:00 219648 ----a-w- c:\windows\system32\uxtheme.dll

2009-12-10 11:49 . 2009-12-10 11:49 -------- d-----w- c:\program files\Fichiers communs\Adobe

2009-12-10 10:56 . 2009-12-10 10:54 -------- d-----w- c:\program files\Microsoft

2009-12-10 10:56 . 2009-08-09 07:14 -------- d-----w- c:\program files\Windows Live

2009-12-10 10:55 . 2009-12-10 10:55 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition

2009-12-10 09:01 . 2009-12-10 09:01 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_netaapl_01005.Wdf

2009-12-10 09:01 . 2009-12-10 09:01 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf

2009-12-10 08:59 . 2009-12-10 08:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple

2009-12-10 08:57 . 2009-12-10 08:56 -------- d-----w- c:\program files\iTunes

2009-12-10 08:57 . 2009-12-10 08:56 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}

2009-12-10 08:56 . 2009-12-10 08:56 -------- d-----w- c:\program files\iPod

2009-12-10 08:56 . 2009-12-10 08:54 -------- d-----w- c:\program files\Fichiers communs\Apple

2009-12-10 08:56 . 2009-12-10 08:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer

2009-12-10 08:56 . 2009-12-10 08:55 -------- d-----w- c:\program files\QuickTime

2009-12-10 08:55 . 2009-12-10 08:55 -------- d-----w- c:\program files\Apple Software Update

2009-12-09 16:11 . 2009-11-01 08:41 -------- d-----w- c:\program files\OrangeHSS

2009-11-21 15:58 . 2004-08-10 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll

.

 

((((((((((((((((((((((((((((( SnapShot@2010-01-23_12.34.49 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-01-24 16:40 . 2010-01-24 16:40 16384 c:\windows\temp\Perflib_Perfdata_254.dat

+ 2004-08-10 12:00 . 2010-01-24 16:38 491534 c:\windows\system32\perfh009.dat

+ 2004-08-10 12:00 . 2010-01-24 16:38 101656 c:\windows\system32\perfc009.dat

+ 2006-03-04 03:35 . 2009-12-22 05:09 671232 c:\windows\system32\dllcache\wininet.dll

- 2006-03-04 03:35 . 2009-10-29 05:25 671232 c:\windows\system32\dllcache\wininet.dll

+ 2006-03-23 17:35 . 2009-12-22 05:09 3092480 c:\windows\system32\mshtml.dll

+ 2006-03-23 17:35 . 2009-12-22 05:09 3092480 c:\windows\system32\dllcache\mshtml.dll

+ 2004-08-10 12:00 . 2008-04-14 02:34 1037824 c:\windows\system32\dllcache\explorer.exe

+ 2004-08-10 12:00 . 2008-04-14 02:34 1037824 c:\windows\explorer.exe

.

((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legitimate default entries are not listed

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Fichiers communs\Ahead\Lib\NMBgMonitor.exe" [2007-03-12 153136]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"lxdrmon.exe"="c:\program files\Lexmark 4900 Series\lxdrmon.exe" [2008-05-21 676520]

"EzPrint"="c:\program files\Lexmark 4900 Series\ezprint.exe" [2008-05-21 131752]

"ORAHSSSessionManager"="c:\program files\OrangeHSS\SessionManager\SessionManager.exe" [2007-12-12 107248]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-05-30 292136]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]

"Adobe ARM"="c:\program files\Fichiers communs\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]

"SunJavaUpdateSched"="c:\program files\Fichiers communs\Java\Java Update\jusched.exe" [2010-01-11 246504]

"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-04 186904]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-15 135168]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-15 159744]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-15 131072]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]

2009-04-24 03:16 203928 ----a-w- c:\program files\Alcohol Soft\Alcohol 120\AxCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
2009-03-02 12:08 209153 ----a-w- c:\program files\Avira\AntiVir Desktop\avgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2009-10-30 11:57 369200 ----a-w- c:\program files\DAEMON Tools Lite\DTLite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\egui]
2008-10-24 20:50 1451264 ----a-w- c:\program files\ESET\ESET Smart Security\egui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 02:34 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-09 16:53 153136 ----a-w- c:\program files\Fichiers communs\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ekrn"=2 (0x2)
"EhttpSrv"=3 (0x3)
"AntiVirService"=2 (0x2)
"AntiVirSchedulerService"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\lxdrcoms.exe"=
"c:\\Program Files\\OrangeHSS\\Connectivity\\ConnectivityManager.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\iPhone Tunnel Suite 2.7 BETA\\iTunnel\\iTunnel.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=

R2 lxdr_device;lxdr_device;c:\windows\system32\lxdrcoms.exe -service --> c:\windows\system32\lxdrcoms.exe -service [?]
S3 gtermddo;gtermddo;\??\c:\docume~1\JEANMI~1\LOCALS~1\Temp\gtermddo.sys --> c:\docume~1\JEANMI~1\LOCALS~1\Temp\gtermddo.sys [?]
S3 maconfservice;Ma-Config Service;c:\program files\ma-config.com\maconfservice.exe [17/12/2009 19:00 243056]
S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [10/12/2009 09:54 17408]
S4 AntiVirSchedulerService;Avira AntiVir Planificateur;c:\program files\Avira\AntiVir Desktop\sched.exe [20/01/2010 15:25 108289]
S4 ekrn;Eset Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [21/12/2007 09:21 468224]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [08/01/2010 17:11 691696]
.
.

------- Supplementary Scan -------
.
uStart Page = hxxp://google.fr/
mWindow Title =
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
Trusted Zone: mappy.com
Trusted Zone: orange.fr
Trusted Zone: voila.fr\rw.search.ke
Trusted Zone: weborama.fr\orange
FF - ProfilePath - c:\documents and settings\Jean Michel\Application Data\Mozilla\Firefox\Profiles\pamoq8in.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=DEF&v=19&q=
FF - prefs.js: browser.search.selectedEngine - Fast Browser Search
FF - prefs.js: keyword.URL - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=NAUS&v=19&tid={A089A227-7EF1-C52E-39D8-DDA53E68E3DF}&q=
FF - component: c:\documents and settings\Jean Michel\Application Data\IDM\idmmzcc3\components\idmmzcc.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\ma-config.com\nphardwaredetection.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPOP7PlugIn.dll

---- FIREFOX SETTINGS ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

 

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-24 17:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x865D23E8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7602f28
\Driver\ACPI -> ACPI.sys @ 0xf7474cb8
\Driver\atapi -> atapi.sys @ 0xf73f4852
\Driver\iaStor -> 0x865d23e8
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022
ParseProcedure -> ntkrnlpa.exe @ 0x80577c84
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022
ParseProcedure -> ntkrnlpa.exe @ 0x80577c84
NDIS: Realtek RTL8139 Family PCI Fast Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xf720fbd4
PacketIndicateHandler -> NDIS.sys @ 0xf71fda0d
SendHandler -> NDIS.sys @ 0xf7211b40
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):84,40,8c,45,6e,07,ad,4e,5e,50,66,e5,4e,a1,14,b5,15,c9,3d,34,9a,
a3,b3,f4,1d,6c,fc,e7,3e,f5,c4,3a,fa,0d,63,14,87,17,41,38,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{8b9f29eb-a9bc-4695-97ad-7603c028e8b0}]
@Denied: (Full) (Everyone)
"Model"=dword:00000130
"Therad"=dword:00000020
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
38,95,44,85,b1,12,f9,90,dd,23,a1,49,8c,bf,1a,9d,fe,41,71,cb,3f,46,a4,7c,ab,\
.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1292)
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\cscui.dll
c:\windows\system32\COMRes.dll

- - - - - - - > 'lsass.exe'(1380)
c:\windows\system32\scecli.dll
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\psbase.dll

- - - - - - - > 'explorer.exe'(3992)
c:\windows\system32\COMRes.dll
c:\windows\System32\cscui.dll
c:\windows\system32\msi.dll
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\NETSHELL.dll
c:\windows\system32\credui.dll
c:\windows\system32\eappprxy.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\WinSCP\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.

------------------------ Other Running Processes ------------------------
.
c:\program files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\progra~1\FICHIE~1\France Telecom\Shared Modules\FTRTSVC\0\FTRTSVC.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\lxdrcoms.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Fichiers communs\Ahead\Lib\NMIndexingService.exe
c:\program files\Fichiers communs\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wbem\wmiapsrv.exe
.

**************************************************************************
.
Completion time: 2010-01-24 17:44:19 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-24 16:44
ComboFix2.txt 2010-01-23 15:06
ComboFix3.txt 2010-01-23 14:29
ComboFix4.txt 2010-01-23 12:39
ComboFix5.txt 2010-01-24 16:29

Pre-Run: 24,647,262,208 bytes free
Post-Run: 24,714,166,272 bytes free

- - End Of File - - 91535EA083446905A6DA8ECDFF89822A


As for TFC, it rebooted but nothing happened.
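The service and driver lines of a ComboFix log (the `R2`/`S3`/`S4` block above) are where a responder looks first, and the checks are mechanical enough to script. The Python below is an added example, not code from the post, from ComboFix or from Gmer: it parses those lines and flags an image loaded from a user Temp directory, a kernel driver living outside `system32\drivers`, and entries for which ComboFix printed `[?]` instead of a date and size. The meaning assumed for the `R`/`S` prefix and the start-type digit is stated in the comments as an assumption; the sample input is the seven service lines copied from the log above.

```python
"""Triage of the service/driver lines in a ComboFix log (added example).

Not code from the forum post, ComboFix or Gmer. The sample lines are copied
from the log above; the risk rules are this script's own heuristics.
"""
import re
from dataclasses import dataclass, field

# One ComboFix service line, as it appears in the log:
#   <R|S><digit> <name>;<display>;<image> [--> <resolved>] [<dd/mm/yyyy HH:MM size> | ?]
LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>.*?)"
    r"(?:\s+-->\s+(?P<resolved>.*?))?"
    r"\s+\[(?P<attrs>[^\]]*)\]\s*$"
)
# Assumption (ComboFix convention): R = running, S = stopped; the digit is
# the Windows service start type as stored in the registry.
START_TYPE = {"0": "boot", "1": "system", "2": "auto", "3": "demand", "4": "disabled"}
# Where kernel drivers normally live on Windows XP.
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

@dataclass
class ServiceEntry:
    name: str
    display: str
    image: str        # normalized lower-case image path, arguments included
    running: bool
    start_type: str
    attrs: str        # "dd/mm/yyyy HH:MM size" or "?"
    flags: list = field(default_factory=list)

def _normalize(path: str) -> str:
    """Drop the NT object-manager prefix; lower-case because NTFS paths are case-insensitive."""
    path = path.strip()
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.lower()

def _binary(image: str) -> str:
    """Keep only the executable/driver part, dropping trailing arguments such as '-service'."""
    m = re.match(r".*?\.(?:exe|sys|dll)\b", image)
    return m.group(0) if m else image

def parse_line(line: str):
    """Parse one service line; return None for any line that is not a service entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return ServiceEntry(name=m["name"], display=m["display"],
                        image=_normalize(m["image"]), running=m["state"] == "R",
                        start_type=START_TYPE.get(m["start"], "unknown"),
                        attrs=m["attrs"].strip())

def assess(entry: ServiceEntry) -> ServiceEntry:
    """Attach heuristic risk flags (this script's rules, not ComboFix output)."""
    binary = _binary(entry.image)
    if "\\temp\\" in binary:
        entry.flags.append("image is loaded from a Temp directory")
    if binary.endswith(".sys") and not binary.startswith(DRIVER_DIR):
        entry.flags.append("kernel driver outside system32\\drivers")
    if entry.attrs == "?":
        # ComboFix printed no date/size, i.e. it could not read the file at scan time.
        entry.flags.append("no timestamp/size recorded for the file")
    return entry

def triage(lines):
    """Parse and assess every service line; other lines are skipped."""
    return [assess(e) for e in map(parse_line, lines) if e is not None]

def suspicious(lines):
    """Names of the entries that received at least one flag."""
    return [e.name for e in triage(lines) if e.flags]

# Constructed input: the seven service lines copied from the log above.
SAMPLE_LOG = r"""
R2 lxdr_device;lxdr_device;c:\windows\system32\lxdrcoms.exe -service --> c:\windows\system32\lxdrcoms.exe -service [?]
S3 gtermddo;gtermddo;\??\c:\docume~1\JEANMI~1\LOCALS~1\Temp\gtermddo.sys --> c:\docume~1\JEANMI~1\LOCALS~1\Temp\gtermddo.sys [?]
S3 maconfservice;Ma-Config Service;c:\program files\ma-config.com\maconfservice.exe [17/12/2009 19:00 243056]
S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [10/12/2009 09:54 17408]
S4 AntiVirSchedulerService;Avira AntiVir Planificateur;c:\program files\Avira\AntiVir Desktop\sched.exe [20/01/2010 15:25 108289]
S4 ekrn;Eset Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [21/12/2007 09:21 468224]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [08/01/2010 17:11 691696]
"""

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG.splitlines()):
        state = "running" if e.running else "stopped"
        print(f"{e.name:<26} {state:<8} {e.start_type:<9} {e.image}")
        for f in e.flags:
            print(f"    !! {f}")
```

Run against the log above, the script singles out `gtermddo` (a `.sys` under the user's `Temp` folder with no file attributes recorded) and `lxdr_device` (no attributes recorded), and leaves the remaining five entries unflagged. The flags are a triage order, not a verdict: a missing timestamp can also mean a file that was removed during the run, so each flagged path still has to be checked on disk.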
