wehgscl.sys (Rootkit.Agent) [résolu]

[jojom]

Après avoir effectuer un scan avec malwarbytes il a détecter C:\Windows\system32\Drivers\wehgscl.sys (Rootkit.Agent) il mais impossible de le supprimer même en mode sans echec .

 

Quel logiciel pour me débarrasser de lui merci

 

je tourne sous vista

Modifié le 6 mars 2010 par jojom

[Falkra]

Bonjour, bienvenue.

 

Messages : 1

Si jamais tu as besoin de quelques infos ou d'un peu d'aide pour retrouver tes posts :

• Comment participer à un forum
  
• Retrouver ses messages
  

 

 

Télécharge random's system information tool (RSIT) par random/random et sauvegarde-le sur le Bureau. Cet outil va faire un état des lieux, lire la configuration, comme HijackThis, mais en plus détaillé.

• Double-clique sur RSIT.exe afin de lancer RSIT.
  
• Clique Continue à l'écran Disclaimer.
  
• Si l'outil HijackThis (version à jour) n'est pas présent ou non détecté sur l'ordinateur, RSIT le téléchargera (autorise l'accès dans ton pare-feu, si demandé) et tu devras accepter la licence.
  
• Lorsque l'analyse sera terminée, deux fichiers texte s'ouvriront. Poste le contenu de log.txt (<<qui sera affiché) ainsi que de info.txt (<<qui sera réduit dans la Barre des Tâches).
  
• NB : Les rapports sont sauvegardés dans le dossier C:\rsit
  Ca fait deux rapports donc. Comme ils sont longs, tu peux faire 2 réponses, une par rapport.
  

[jojom]

merci de ton aide voila les rapport

 

 

 

info.txt logfile of random's system information tool 1.06 2010-03-06 16:14:06

 

======Uninstall list======

 

-->C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER

-->MsiExec /X{B83FC356-B7C0-441F-8A4D-D71E088E7974}

ACID Pro 7.0-->MsiExec.exe /X{BFA5441E-B7E6-46F5-A15D-1B74707AE93A}

Ad-Aware-->MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}

Adobe Flash Player 10 ActiveX-->C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe

Adobe Flash Player 10 Plugin-->C:\Windows\system32\Macromed\Flash\uninstall_plugin.exe

Adobe Reader 9.3 - Français-->MsiExec.exe /I{AC76BA86-7AD7-1036-7B44-A93000000001}

Apple Application Support-->MsiExec.exe /I{0C34B801-6AEC-4667-B053-03A67E2D0415}

Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}

Archiveur WinRAR-->C:\Program Files\WinRAR\uninstall.exe

ASIO4ALL-->C:\Program Files\ASIO4ALL v2\uninstall.exe

Assistant de connexion Windows Live-->MsiExec.exe /I{DCE8CD14-FBF5-4464-B9A4-E18E473546C7}

Audacity 1.2.6-->"C:\Program Files\Audacity\unins000.exe"

Audacity 1.3.9 (Unicode)-->"C:\Program Files\Audacity 1.3 Beta (Unicode)\unins000.exe"

AusLogics Disk Defrag-->"C:\Program Files\Auslogics\AusLogics Disk Defrag\unins000.exe"

Avira AntiVir Personal - Free Antivirus-->C:\Program Files\Avira\AntiVir Desktop\setup.exe /REMOVE

CCleaner-->"C:\Program Files\CCleaner\uninst.exe"

Collab-->C:\Program Files\Image-Line\Collab\uninstall.exe

Cool Record Edit Pro v7.3.1-->"C:\Program Files\Cool Record Edit Pro\unins000.exe"

Counter-Strike-->"C:\Program Files\Steam\steam.exe" steam://uninstall/10

Curse Client-->C:\Program Files\Curse\uninstall.exe

Deckadance-->C:\Program Files\VstPlugins\Deckadance\uninstall.exe

Dedicated Server-->"C:\Program Files\Steam\steam.exe" steam://uninstall/5

DivX Codec-->C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC

DivX Converter-->C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER

DivX Player-->C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER

DivX Plus DirectShow Filters-->C:\Program Files\DivX\DivXDSFiltersUninstall.exe /DSFILTERS

DivX Plus Web Player-->C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN

FileZilla Client 3.1.6-->C:\Program Files\FileZilla FTP Client\uninstall.exe

FL Studio 8-->C:\Program Files\Image-Line\FL Studio 8\uninstall.exe

FL Studio 9-->C:\Program Files\Image-Line\FL Studio 9\uninstall.exe

FL Studio v7.0-->"C:\Program Files\Image-Line\FL Studio 7\unins000.exe"

Flash Decompiler Trillix-->"C:\Program Files\Eltima Software\Flash Decompiler Trillix\unins000.exe"

Free Video to Mp3 Converter version 2.7-->"C:\Program Files\DVDVIDEOSOFT\Free Video to Mp3 Converter\unins000.exe"

Galerie de photos Windows Live-->MsiExec.exe /X{B131E59D-202C-43C6-84C9-68F0C37541F1}

GFORCE_SOFTWARE_MINIMONSTA_RTAS_VSTi_v1.06-PLZ-->C:\PROGRA~1\GFORCE~1\MINIMO~1\UNWISE.EXE C:\PROGRA~1\GFORCE~1\MINIMO~1\INSTALL.LOG

Hardcore-->C:\Program Files\Image-Line\Hardcore\uninstall.exe

Hercules DJ Products Series drivers-->C:\Program Files\InstallShield Installation Information\{33999F1F-EA46-4E55-A239-1BA803235396}\setup.exe -runfromtemp -l0x040c -removeonly

HijackThis 2.0.2-->"C:\Users\moi\Desktop\HijackThis.exe" /uninstall

Hitman Pro 3.5-->"C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe" /uninstall

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""

IL Download Manager-->C:\Program Files\Image-Line\Downloader\uninstall.exe

Installation Windows Live-->C:\Program Files\Windows Live\Installer\wlarp.exe

Installation Windows Live-->MsiExec.exe /I{46ABBC54-1872-4AA3-95E2-F2C063A63F31}

Java 6 Update 17-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216010FF}

Java 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}

JMicron JMB36X Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3A1B5D40-41E9-43FA-8C7B-A8667F5586EF}\setup.exe" -l0x40c -removeonly

Junk Mail filter update-->MsiExec.exe /I{E2DFE069-083E-4631-9B6C-43C48E991DE5}

Kaspersky Online Scanner-->C:\Windows\system32\KASPER~1\KASPER~1\kavuninstall.exe

Left 4 Dead Dedicated Server-->"C:\Program Files\Steam\steam.exe" steam://uninstall/510

Ma-Config.com-->MsiExec.exe /X{6C4D4FC0-467B-4BD7-8D11-50E49B2770D2}

Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"

Messenger Plus! Live-->"C:\Program Files\Messenger Plus! Live\Uninstall.exe"

Microsoft .NET Framework 3.5 Language Pack SP1 - fra-->MsiExec.exe /I{3E31821C-7917-367E-938E-E65FC413EA31}

Microsoft .NET Framework 3.5 SP1-->c:\Windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe

Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}

Microsoft Choice Guard-->MsiExec.exe /X{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}

Microsoft Office PowerPoint Viewer 2007 (French)-->MsiExec.exe /X{95120000-00AF-040C-0000-0000000FF1CE}

Microsoft Search Enhancement Pack-->MsiExec.exe /X{4CBA3D4C-8F51-4D60-B27E-F6B641C571E7}

Microsoft Silverlight-->MsiExec.exe /X{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}

Microsoft SQL Server 2005 Compact Edition [ENU]-->MsiExec.exe /I{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}

Microsoft Sync Framework Runtime Native v1.0 (x86)-->MsiExec.exe /I{8A74E887-8F0F-4017-AF53-CBA42211AAA5}

Microsoft Sync Framework Services Native v1.0 (x86)-->MsiExec.exe /I{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053-->MsiExec.exe /X{770657D0-A123-3C07-8E44-1C83EC895118}

Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{837b34e3-7c30-493c-8f6a-2b0f04e2912c}

Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148-->MsiExec.exe /X{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17-->MsiExec.exe /X{9A25302D-30C0-39D9-BD6F-21E6EC160475}

MIDI Yoke-->MsiExec.exe /I{CCB3F587-BAD0-4F32-99FC-301E6F9ABAB4}

Module linguistique Microsoft .NET Framework 3.5 SP1- fra-->c:\Windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 Language Pack SP1 - fra\setup.exe

Mozilla Firefox (3.5.-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe

MSVCRT-->MsiExec.exe /I{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}

MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}

MSXML 4.0 SP2 (KB973688)-->MsiExec.exe /I{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}

Mumble and Murmur-->C:\Program Files\Mumble\Uninstall.exe

Nero 9-->C:\Program Files\Common Files\Nero\Nero ProductInstaller 4\SetupX.exe REMOVESERIALNUMBER="9M03-01A1-PCX7-K31A-8A94-98PT-KT2E-522A"

neroxml-->MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}

NVIDIA Drivers-->C:\Windows\system32\nvuninst.exe UninstallGUI

NVIDIA PhysX-->MsiExec.exe /X{B83FC356-B7C0-441F-8A4D-D71E088E7974}

NVIDIA Stereoscopic 3D Driver-->"C:\Program Files\NVIDIA Corporation\3D Vision\nvStInst.exe" /uninstall /ask

OpenOffice.org 3.1-->MsiExec.exe /I{B2E581DB-C4DD-432C-AC84-ED761AC056BC}

Outil de téléchargement Windows Live-->MsiExec.exe /I{205C6BDD-7B73-42DE-8505-9A093F35A238}

PartyPoker-->"C:\Programs\PartyGaming\PartyPoker\Uninstall.exe" "C:\Programs\PartyGaming\PartyPoker\install.log"

Philips SPC 200NC PC Camera-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2A2646FB-7BAC-451B-BF90-4889C4429C5E}\Setup.exe" -l0x40c

PoiZone-->C:\Program Files\Image-Line\PoiZone\uninstall.exe

PokerStars-->"C:\Program Files\PokerStars\PokerStarsUninstall.exe" /u:PokerStars

QuickTime-->MsiExec.exe /I{A429C2AE-EBF1-4F81-A221-1C115CAADDAD}

Razer Diamondback-->C:\Program Files\InstallShield Installation Information\{DE4CF159-4AD2-4754-BDA0-5FB088C8B58B}\setup.exe -runfromtemp -l0x0009 -removeonly

Realtek 8169 8168 8101E 8102E Ethernet Driver-->C:\Program Files\InstallShield Installation Information\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}\setup.exe -runfromtemp -l0x040c -removeonly

reFX Nexus 1.3.5-->"C:\Program Files\Nexus\unins000.exe"

reFX Nexus 1.4.0-->"C:\Program Files\Image-Line\FL Studio 8\Plugins\VST\nexus\Nexus Content\Nexus\unins000.exe"

Sawer-->C:\Program Files\Image-Line\Sawer\uninstall.exe

SoulSeek Client 156c-->"C:\Program Files\Soulseek\uninstall.exe"

SpeedFan (remove only)-->"C:\Program Files\SpeedFan\uninstall.exe"

Spelling Dictionaries Support For Adobe Reader 9-->MsiExec.exe /I{AC76BA86-7AD7-5464-3428-900000000004}

Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"

Steam-->MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}

Streamripper (Remove only)-->C:\Program Files\Streamripper\Uninstall.exe

TeamSpeak 2 RC2-->"C:\Program Files\Teamspeak2_RC2\unins000.exe"

Toxic Biohazard-->C:\Program Files\Image-Line\Toxic Biohazard\uninstall.exe

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""

VC80CRTRedist - 8.0.50727.4053-->MsiExec.exe /I{5EE7D259-D137-4438-9A5F-42F432EC0421}

Virtual DJ - Atomix Productions-->C:\PROGRA~1\VIRTUA~3\UNWISE.EXE C:\PROGRA~1\VIRTUA~3\INSTALL.LOG

VLC media player 1.0.3-->C:\Program Files\VideoLAN\VLC\uninstall.exe

Warcraft III-->C:\Windows\War3Unin.exe C:\Windows\War3Unin.dat

Winamp-->"C:\Program Files\Winamp\UninstWA.exe"

Windows Live Call-->MsiExec.exe /I{82C7B308-0BDD-49D8-8EA5-9CD3A3F9DF41}

Windows Live Communications Platform-->MsiExec.exe /I{3B4E636E-9D65-4D67-BA61-189800823F52}

Windows Live Contrôle parental-->MsiExec.exe /X{D5D81435-B8DE-4CAF-867F-7998F2B92CFC}

Windows Live FolderShare-->MsiExec.exe /X{2075CB0A-D26F-4DAA-B424-5079296B43BA}

Windows Live Mail-->MsiExec.exe /I{5DD76286-9BE7-4894-A990-E905E91AC818}

Windows Live Messenger-->MsiExec.exe /X{770F1BEC-2871-4E70-B837-FB8525FFA3B1}

Windows Live Movie Maker-->MsiExec.exe /X{53B20C18-D8D4-4588-8737-9BBFE303C354}

Windows Live Toolbar-->MsiExec.exe /X{F7D27C70-90F5-49B9-B188-0A133C0CE353}

Windows Live Writer-->MsiExec.exe /X{4634B21A-CC07-4396-890C-2B8168661FEA}

Windows Media Player Firefox Plugin-->MsiExec.exe /I{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}

World of Warcraft-->C:\Program Files\Common Files\Blizzard Entertainment\World of Warcraft\Uninstall.exe

Wow Cartographe 1.10-->C:\Program Files\WowCartographe\uninst.exe

ZHPDiag 1.25-->"C:\Program Files\ZHPDiag\unins000.exe"

 

=====HijackThis Backups=====

 

O16 - DPF: {867E13F2-7F31-44FB-AC97-CD38E0DC46EF} (HardwareDetection Control) - http://www.ma-config.com/activex/MaConfig_3_5_1_0.cab [2010-03-06]

O9 - Extra 'Tools' menuitem: &Ajout Direct dans Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll [2010-03-06]

O9 - Extra button: Ajout Direct - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll [2010-03-06]

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://webscanner.kaspersky.fr/kavwebscan_unicode.cab [2010-03-06]

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 [2010-03-06]

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = [2010-03-06]

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe [2010-03-06]

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = [2010-03-06]

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 [2010-03-06]

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 [2010-03-06]

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local [2010-03-06]

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = [2010-03-06]

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe [2010-03-06]

O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe [2010-03-06]

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/FR-FR/a-UNO1/GAME_UNO1.cab [2010-03-06]

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab [2010-03-06]

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 [2010-03-06]

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 [2010-03-06]

O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe [2010-03-06]

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe [2010-03-06]

O4 - HKCU\..\Run: [CurseClient] C:\Program Files\Curse\CurseClient.exe -silent [2010-03-06]

 

======Hosts File======

 

127.0.0.1 www.007guard.com

127.0.0.1 007guard.com

127.0.0.1 008i.com

127.0.0.1 www.008k.com

127.0.0.1 008k.com

127.0.0.1 www.00hq.com

127.0.0.1 00hq.com

127.0.0.1 010402.com

127.0.0.1 www.032439.com

127.0.0.1 032439.com

 

======Security center information======

 

AS: Windows Defender (disabled) (outdated)

 

======System event log======

 

Computer Name: PC-de-moi

Event Code: 4376

Message: Servicing a requis un redémarrage pour terminer la définition du package KB936330(Service Pack) à l’état Installation demandée(Install Requested)

Record Number: 94915

Source Name: Microsoft-Windows-Servicing

Time Written: 20090605125721.000000-000

Event Type: Avertissement

User: AUTORITE NT\SYSTEM

 

Computer Name: PC-de-moi

Event Code: 4376

Message: Servicing a requis un redémarrage pour terminer la définition du package KB936330(Service Pack) à l’état Installation demandée(Install Requested)

Record Number: 94913

Source Name: Microsoft-Windows-Servicing

Time Written: 20090605125721.000000-000

Event Type: Avertissement

User: AUTORITE NT\SYSTEM

 

Computer Name: PC-de-moi

Event Code: 4376

Message: Servicing a requis un redémarrage pour terminer la définition du package KB936330(Service Pack) à l’état Installation demandée(Install Requested)

Record Number: 94818

Source Name: Microsoft-Windows-Servicing

Time Written: 20090605125721.000000-000

Event Type: Avertissement

User: AUTORITE NT\SYSTEM

 

Computer Name: PC-de-moi

Event Code: 4376

Message: Servicing a requis un redémarrage pour terminer la définition du package KB936330(Service Pack) à l’état Installation demandée(Install Requested)

Record Number: 94809

Source Name: Microsoft-Windows-Servicing

Time Written: 20090605125720.000000-000

Event Type: Avertissement

User: AUTORITE NT\SYSTEM

 

Computer Name: PC-de-moi

Event Code: 10010

Message: Le serveur {752073A1-23F2-4396-85F0-8FDB879ED0ED} ne s'est pas enregistré sur DCOM avant la fin du temps imparti.

Record Number: 94722

Source Name: Microsoft-Windows-DistributedCOM

Time Written: 20090605125322.000000-000

Event Type: Erreur

User:

 

=====Application event log=====

 

Computer Name: PC-de-moi

Event Code: 8194

Message: Erreur du service de cliché instantané des volumes : erreur lors de l’interrogation de l’interface IVssWriterCallback. hr = 0x80070005. Cette erreur est souvent due à des paramètres de sécurité incorrects dans le processus du rédacteur ou du demandeur.

 

Opération :

Données du rédacteur en cours de collecte

 

Contexte :

ID de classe du rédacteur: {e8132975-6f93-4464-a53e-1050253ae220}

Nom du rédacteur: System Writer

ID d’instance du rédacteur: {a274e260-8204-4e8d-bebc-7661bb826efa}

Record Number: 121

Source Name: VSS

Time Written: 20081028195917.000000-000

Event Type: Erreur

User:

 

Computer Name: PC-de-moi

Event Code: 1000

Message: Application défailla

 

 

 

 

 

 

 

 

 

 

 

 

 

Logfile of random's system information tool 1.06 (written by random/random)

Run by moi at 2010-03-06 16:18:36

Microsoft® Windows Vista™ Édition Familiale Premium Service Pack 2

System drive C: has 85 GB (28%) free of 305 GB

Total RAM: 3582 MB (63% free)

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 16:18:44, on 06/03/2010

Platform: Windows Vista SP2 (WinNT 6.00.1906)

MSIE: Internet Explorer v8.00 (8.00.6001.18882)

Boot mode: Normal

 

Running processes:

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\VM_STI.EXE

C:\Program Files\Razer\Diamondback\razerhid.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Steam\Steam.exe

C:\Windows\system32\taskeng.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\DAEMON Tools Lite\daemon.exe

C:\Program Files\Philips\SPC 200NC PC Camera\TrayMin200.exe

C:\Program Files\Razer\Diamondback\razertra.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Program Files\Razer\Diamondback\razerofa.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Windows Live\Contacts\wlcomm.exe

C:\Windows\system32\wuauclt.exe

C:\Windows\system32\conime.exe

C:\Users\moi\Desktop\RSIT.exe

C:\Users\moi\Desktop\moi.exe

 

O1 - Hosts: ::1 localhost

O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

O4 - HKLM\..\Run: [bigDogPath] C:\Windows\VM_STI.EXE Philips SPC 200NC PC Camera

O4 - HKLM\..\Run: [Diamondback] C:\Program Files\Razer\Diamondback\razerhid.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [steam] "c:\program files\steam\steam.exe" -silent

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun

O4 - Startup: CurseClientStartup.ccip

O4 - Global Startup: TrayMin200.exe.lnk = ?

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Avira AntiVir Planificateur (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Hercules DJ Control MP3 (HerculesDJControlMP3) - Unknown owner - C:\Program Files\Hercules\Audio\DJ Console Series\HerculesDJControlMP3.EXE

O23 - Service: Ma-Config Service (maconfservice) - CybelSoft - C:\Program Files\ma-config.com\maconfservice.exe

O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe

O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe

O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

 

--

End of file - 3452 bytes

 

======Scheduled tasks folder======

 

C:\Windows\tasks\Hitman Pro 3.5 Boot Task.job

 

======Registry dump======

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]

"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2008-01-18 1008184]

"BigDogPath"=C:\Windows\VM_STI.EXE [2004-06-09 40960]

"Diamondback"=C:\Program Files\Razer\Diamondback\razerhid.exe [2007-02-14 147456]

"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2009-09-05 417792]

"avgnt"=C:\Program Files\Avira\AntiVir Desktop\avgnt.exe [2009-03-02 209153]

"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-10-11 149280]

"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-12-22 35760]

"Adobe ARM"=C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2009-12-11 948672]

"Malwarebytes Anti-Malware (reboot)"=C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe [2010-01-07 1394000]

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

"Steam"=c:\program files\steam\steam.exe [2010-02-28 1217872]

"msnmsgr"=C:\Program Files\Windows Live\Messenger\msnmsgr.exe [2009-07-26 3883856]

"DAEMON Tools Lite"=C:\Program Files\DAEMON Tools Lite\daemon.exe [2009-04-23 691656]

 

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup

TrayMin200.exe.lnk - C:\Program Files\Philips\SPC 200NC PC Camera\TrayMin200.exe

 

C:\Users\moi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

CurseClientStartup.ccip

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"= []

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\hitmanpro35]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\hitmanpro35.sys]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\HitmanPro35Crusader]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfPf]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfRd]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfSvc]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfUsbccidDriver]

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]

"EnableLUA"=0

"dontdisplaylastusername"=0

"legalnoticecaption"=

"legalnoticetext"=

"shutdownwithoutlogon"=1

"undockwithoutlogon"=1

"EnableUIADesktopToggle"=0

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]

"NoDriveTypeAutoRun"=95000000

"NoDrives"=0

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]

"BindDirectlyToPropertySetStorage"=

"NoDrives"=

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

 

======File associations======

 

.js - edit - C:\Windows\System32\Notepad.exe %1

 

======List of files/folders created in the last 1 months======

 

2010-03-06 16:13:56 ----D---- C:\rsit

2010-03-06 15:55:37 ----A---- C:\Windows\system32\PerfStringBackup.TMP_001

2010-03-06 15:40:57 ----A---- C:\Windows\system32\PerfStringBackup.TMP

2010-03-06 15:39:40 ----D---- C:\Program Files\ZHPDiag

2010-03-06 14:44:16 ----D---- C:\ProgramData\Hitman Pro

2010-03-06 14:44:13 ----D---- C:\Program Files\Hitman Pro 3.5

2010-03-06 05:02:48 ----D---- C:\Windows\Minidump

2010-03-06 04:52:49 ----A---- C:\Users\moi\AppData\Roaming\SetValue.bat

2010-03-06 04:52:49 ----A---- C:\Users\moi\AppData\Roaming\GetValue.vbs

2010-03-06 04:50:40 ----A---- C:\Windows\system32\tmp.txt

2010-03-06 04:50:27 ----A---- C:\Windows\system32\o4Patch.exe

2010-03-06 04:50:27 ----A---- C:\Windows\system32\Agent.OMZ.Fix.exe

2010-03-06 04:50:26 ----A---- C:\Windows\system32\IEDFix.C.exe

2010-03-06 04:50:26 ----A---- C:\Windows\system32\404Fix.exe

2010-03-06 04:50:25 ----A---- C:\Windows\system32\VACFix.exe

2010-03-06 04:50:24 ----A---- C:\Windows\system32\WS2Fix.exe

2010-03-06 04:50:24 ----A---- C:\Windows\system32\IEDFix.exe

2010-03-06 04:50:23 ----A---- C:\Windows\system32\VCCLSID.exe

2010-03-06 04:50:23 ----A---- C:\Windows\system32\swxcacls.exe

2010-03-06 04:50:22 ----A---- C:\Windows\system32\swsc.exe

2010-03-06 04:50:22 ----A---- C:\Windows\system32\SrchSTS.exe

2010-03-06 04:50:22 ----A---- C:\Windows\system32\dumphive.exe

2010-03-06 04:50:21 ----A---- C:\Windows\system32\swreg.exe

2010-03-06 04:50:20 ----A---- C:\Windows\system32\Process.exe

2010-03-06 04:45:04 ----HD---- C:\$AVG

2010-03-06 04:43:59 ----D---- C:\Program Files\AVG

2010-03-06 04:14:09 ----SHD---- C:\$RECYCLE.BIN

2010-03-06 04:14:07 ----D---- C:\Windows\temp

2010-03-06 04:14:06 ----A---- C:\ComboFix.txt

2010-03-06 04:00:53 ----D---- C:\ComboFix

2010-03-06 04:00:36 ----A---- C:\Windows\SWXCACLS.exe

2010-03-06 03:51:18 ----D---- C:\Avenger

2010-03-06 03:51:17 ----A---- C:\avenger.txt

2010-03-06 03:33:03 ----A---- C:\Windows\zip.exe

2010-03-06 03:33:03 ----A---- C:\Windows\SWSC.exe

2010-03-06 03:33:03 ----A---- C:\Windows\SWREG.exe

2010-03-06 03:33:03 ----A---- C:\Windows\sed.exe

2010-03-06 03:33:03 ----A---- C:\Windows\PEV.exe

2010-03-06 03:33:03 ----A---- C:\Windows\NIRCMD.exe

2010-03-06 03:33:03 ----A---- C:\Windows\MBR.exe

2010-03-06 03:33:03 ----A---- C:\Windows\grep.exe

2010-03-06 03:32:54 ----D---- C:\Windows\ERDNT

2010-03-06 03:30:42 ----D---- C:\Qoobox

2010-03-06 01:44:16 ----D---- C:\VundoFix Backups

2010-03-06 01:44:16 ----A---- C:\VundoFix.txt

2010-03-06 00:34:20 ----D---- C:\Program Files\Nexus

2010-02-26 01:56:45 ----D---- C:\Users\moi\AppData\Roaming\Malwarebytes

2010-02-26 01:56:33 ----D---- C:\ProgramData\Malwarebytes

2010-02-26 01:56:31 ----D---- C:\Program Files\Malwarebytes' Anti-Malware

2010-02-24 02:55:42 ----A---- C:\Windows\system32\jscript.dll

2010-02-24 02:55:36 ----A---- C:\Windows\system32\tzres.dll

2010-02-24 02:54:50 ----A---- C:\Windows\system32\secproc_isv.dll

2010-02-24 02:54:50 ----A---- C:\Windows\system32\secproc.dll

2010-02-24 02:54:49 ----A---- C:\Windows\system32\secproc_ssp_isv.dll

2010-02-24 02:54:49 ----A---- C:\Windows\system32\secproc_ssp.dll

2010-02-24 02:54:49 ----A---- C:\Windows\system32\RMActivate_ssp_isv.exe

2010-02-24 02:54:49 ----A---- C:\Windows\system32\RMActivate_ssp.exe

2010-02-24 02:54:49 ----A---- C:\Windows\system32\RMActivate_isv.exe

2010-02-24 02:54:49 ----A---- C:\Windows\system32\RMActivate.exe

2010-02-24 02:54:49 ----A---- C:\Windows\system32\msdrm.dll

2010-02-24 02:54:45 ----A---- C:\Windows\system32\GameUXLegacyGDFs.dll

2010-02-24 02:54:45 ----A---- C:\Windows\system32\gameux.dll

2010-02-24 02:54:45 ----A---- C:\Windows\system32\Apphlpdm.dll

2010-02-09 21:03:32 ----A---- C:\Windows\system32\ntoskrnl.exe

2010-02-09 21:03:32 ----A---- C:\Windows\system32\ntkrnlpa.exe

2010-02-09 21:03:25 ----A---- C:\Windows\system32\tsbyuv.dll

2010-02-09 21:03:25 ----A---- C:\Windows\system32\quartz.dll

2010-02-09 21:03:25 ----A---- C:\Windows\system32\msyuv.dll

2010-02-09 21:03:25 ----A---- C:\Windows\system32\msvidc32.dll

2010-02-09 21:03:25 ----A---- C:\Windows\system32\msvfw32.dll

2010-02-09 21:03:25 ----A---- C:\Windows\system32\msrle32.dll

2010-02-09 21:03:25 ----A---- C:\Windows\system32\mciavi32.dll

2010-02-09 21:03:25 ----A---- C:\Windows\system32\iyuv_32.dll

2010-02-09 21:03:24 ----A---- C:\Windows\system32\avifil32.dll

 

======List of files/folders modified in the last 1 months======

 

2010-03-06 16:14:05 ----D---- C:\Windows\Prefetch

2010-03-06 16:11:41 ----D---- C:\Windows\system32\drivers

2010-03-06 16:11:41 ----D---- C:\Windows\Microsoft.NET

2010-03-06 15:55:37 ----D---- C:\Windows\System32

2010-03-06 15:51:05 ----D---- C:\Program Files\Mozilla Firefox

2010-03-06 15:49:27 ----D---- C:\ProgramData\NVIDIA

2010-03-06 15:49:20 ----D---- C:\Program Files\Steam

2010-03-06 15:39:40 ----RD---- C:\Program Files

2010-03-06 15:33:11 ----A---- C:\Windows\ntbtlog.txt

2010-03-06 15:31:22 ----D---- C:\Windows\Tasks

2010-03-06 15:25:56 ----D---- C:\Windows\inf

2010-03-06 15:25:56 ----A---- C:\Windows\system32\PerfStringBackup.INI

2010-03-06 14:44:16 ----D---- C:\ProgramData

2010-03-06 14:44:14 ----D---- C:\Windows\system32\Tasks

2010-03-06 14:32:09 ----SHD---- C:\System Volume Information

2010-03-06 14:08:01 ----SD---- C:\Users\moi\AppData\Roaming\Microsoft

2010-03-06 14:08:01 ----D---- C:\Windows

2010-03-06 05:13:14 ----D---- C:\Program Files\World of Warcraft

2010-03-06 05:13:14 ----D---- C:\Program Files\Curse

2010-03-06 05:07:33 ----A---- C:\rapport.txt

2010-03-06 04:43:44 ----SHD---- C:\Windows\Installer

2010-03-06 04:43:43 ----D---- C:\Windows\winsxs

2010-03-06 04:11:41 ----A---- C:\Windows\system.ini

2010-03-06 04:08:30 ----D---- C:\Windows\AppPatch

2010-03-06 04:08:29 ----D---- C:\Program Files\Common Files

2010-03-06 03:24:55 ----SD---- C:\Windows\Downloaded Program Files

2010-03-06 02:56:42 ----D---- C:\Windows\schemas

2010-03-06 02:40:23 ----D---- C:\Windows\RaidTool

2010-03-06 02:29:42 ----D---- C:\Windows\twain_32

2010-03-06 02:29:42 ----D---- C:\Windows\Provisioning

2010-03-06 01:47:16 ----D---- C:\Program Files\CCleaner

2010-03-06 01:34:26 ----D---- C:\Windows\LiveKernelReports

2010-03-06 01:31:33 ----D---- C:\Users\moi\AppData\Roaming\uTorrent

2010-03-06 01:29:53 ----D---- C:\Windows\PLA

2010-03-05 15:33:14 ----D---- C:\Users\moi\AppData\Roaming\vlc

2010-02-28 09:32:59 ----D---- C:\Windows\rescache

2010-02-28 09:17:43 ----D---- C:\Windows\system32\catroot2

2010-02-28 09:15:27 ----D---- C:\Windows\system32\fr-FR

2010-02-28 09:15:25 ----RSD---- C:\Windows\Fonts

2010-02-26 10:40:21 ----D---- C:\Windows\system32\catroot

2010-02-26 01:53:01 ----D---- C:\Program Files\Spybot - Search & Destroy

2010-02-14 09:15:33 ----D---- C:\Program Files\Windows Mail

2010-02-11 15:33:19 ----D---- C:\Users\moi\AppData\Roaming\Mumble

 

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

 

R1 avgio;avgio; \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys [2009-02-13 11608]

R1 avipbb;avipbb; C:\Windows\system32\DRIVERS\avipbb.sys [2009-03-30 96104]

R1 ssmdrv;ssmdrv; C:\Windows\system32\DRIVERS\ssmdrv.sys [2009-09-24 28520]

R2 avgntflt;avgntflt; C:\Windows\system32\DRIVERS\avgntflt.sys [2009-12-11 56816]

R3 HdAudAddService;Pilote de fonction UAA 1.1 Microsoft pour le service High Definition Audio; C:\Windows\system32\drivers\HdAudio.sys [2009-04-10 236544]

R3 nvlddmkm;nvlddmkm; C:\Windows\system32\DRIVERS\nvlddmkm.sys [2009-07-14 9557216]

R3 Razerlow;Razerlow USB Filter Driver; C:\Windows\System32\Drivers\Razerlow.sys [2005-04-24 13225]

R3 RTL8169;Realtek 8169 NT Driver; C:\Windows\system32\DRIVERS\Rtlh86.sys [2008-10-28 133120]

S3 a3n58mzw;a3n58mzw; C:\Windows\system32\drivers\a3n58mzw.sys []

S3 catchme;catchme; \??\C:\Users\moi\AppData\Local\Temp\catchme.sys []

S3 driverhardwarev2;driverhardwarev2; \??\C:\Program Files\ma-config.com\Drivers\driverhardwarev2.sys [2009-05-29 14336]

S3 drmkaud;Filtre de décodeur DRM (Noyau Microsoft); C:\Windows\system32\drivers\drmkaud.sys [2008-01-18 5632]

S3 fssfltr;FssFltr; C:\Windows\system32\DRIVERS\fssfltr.sys [2009-08-05 54632]

S3 HDJCtrl;Hercules DJ Control MP3 Service; C:\Windows\System32\Drivers\HDJCtrl.sys [2008-05-12 17408]

S3 HDJMidi;Hercules DJ Control MP3 MIDI; C:\Windows\system32\DRIVERS\HDJMidi.sys [2008-06-04 95744]

S3 LoopBeMidi1;nerds.de LoopBe1 - Internal Midi Port SvcDesc(WDM); C:\Windows\system32\drivers\loopbe1.sys []

S3 MSKSSRV;Proxy de service de répartition Microsoft; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-18 8192]

S3 MSPCLOCK;Proxy d'horloge de répartition Microsoft; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-18 5888]

S3 MSPQM;Proxy de gestion de qualité de répartition Microsoft; C:\Windows\system32\drivers\MSPQM.sys [2008-01-18 5504]

S3 MSTEE;Convertisseur en T/site-à-site de répartition Microsoft; C:\Windows\system32\drivers\MSTEE.sys [2008-01-18 6016]

S3 PL-40R;CASIO USB MIDI; C:\Windows\System32\Drivers\pl40rwdm.sys [2004-10-01 18048]

S3 SG760_XP;SAGEM 802.11g XG760 1211 Driver; C:\Windows\system32\DRIVERS\WlanUZXP.sys [2009-08-06 260608]

S3 taphss;Anchorfree HSS Adapter; C:\Windows\system32\DRIVERS\taphss.sys [2009-09-15 32768]

S3 usbscan;Pilote de scanneur USB; C:\Windows\system32\DRIVERS\usbscan.sys [2008-01-18 35328]

S3 WpdUsb;WpdUsb; C:\Windows\system32\DRIVERS\wpdusb.sys [2006-11-02 39936]

S3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-18 83328]

S3 ZDPSp60;ZDPSp60 NDIS Protocol Driver; C:\Windows\System32\Drivers\ZDPSp60.sys []

S3 ZSMC301b;Philips SPC 200NC PC Camera; C:\Windows\System32\Drivers\usbVM31b.sys [2005-02-26 91527]

S4 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\drivers\wmiacpi.sys [2006-11-02 11264]

 

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

 

R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-12-11 611664]

R2 AntiVirSchedulerService;Avira AntiVir Planificateur; C:\Program Files\Avira\AntiVir Desktop\sched.exe [2009-09-24 108289]

R2 AntiVirService;Avira AntiVir Guard; C:\Program Files\Avira\AntiVir Desktop\avguard.exe [2009-09-24 185089]

R2 HerculesDJControlMP3;Hercules DJ Control MP3; C:\Program Files\Hercules\Audio\DJ Console Series\HerculesDJControlMP3.EXE [2007-11-21 17408]

R2 Nero BackItUp Scheduler 4.0;Nero BackItUp Scheduler 4.0; C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe [2008-09-24 935208]

R2 nvsvc;NVIDIA Display Driver Service; C:\Windows\system32\nvvsvc.exe [2009-07-14 215584]

R2 SeaPort;SeaPort; C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe [2009-05-19 240512]

R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service; C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2009-07-14 239648]

S3 FontCache;@%systemroot%\system32\FntCache.dll,-100; C:\Windows\system32\svchost.exe [2008-01-18 21504]

S3 fsssvc;Service Windows Live Contrôle parental; C:\Program Files\Windows Live\Family Safety\fsssvc.exe [2009-08-05 704864]

S3 maconfservice;Ma-Config Service; C:\Program Files\ma-config.com\maconfservice.exe [2009-05-29 234864]

S3 Steam Client Service;Steam Client Service; C:\Program Files\Common Files\Steam\SteamService.exe [2009-10-29 316664]

 

-----------------EOF-----------------

[Falkra]

Télécharge GMER Rootkit Scanner du lien suivant :

 

http://www.gmer.net/#files

 

- Clique sur le bouton "Download EXE"

- Sauvegarde-le sur ton Bureau.

- Colle et sauvegarde ces instructions dans un fichier texte ou imprime-les, car tu devras fermer le navigateur.

- Ferme les fenêtres de navigateur ouvertes.

- Lance le fichier téléchargé (le nom comporte 8 chiffres/lettres aléatoires) par double clic ;

- Si l'outil te lance un warning d'activité de rootkit et te demande de faire un scan ; clique "NO"

- Dans la section de droite de la fenêtre de l'outil, décoche les options suivantes :

• Sections, IAT/EAT
  
• **Assure-toi que "Show All" est décoché**
  

- Clique maintenant sur le bouton "Scan" et patiente (cela peut prendre 10 minutes ou +)

- Lorsque l'analyse sera terminée, clique sur le bouton "Save..." (au bas à droite) ;

- Nomme le fichier"Ark.txt" et sauvegarde-le sur le Bureau ;

- Copie/colle le contenu de ce rapport dans ta réponse.

[jojom]

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-03-06 16:49:15

Windows 6.0.6002 Service Pack 2

Running: 9c4m2g9m.exe; Driver: C:\Users\moi\AppData\Local\Temp\ugtyypob.sys

 

 

---- System - GMER 1.0.15 ----

 

SSDT 9EF6CA54 ZwCreateThread

SSDT 9EF6CA40 ZwOpenProcess

SSDT 9EF6CA45 ZwOpenThread

SSDT 9EF6CA4F ZwTerminateProcess

 

INT 0x52 ? 8772CBF8

INT 0x52 ? 8772CBF8

INT 0x52 ? 8772CBF8

INT 0x52 ? 8772CBF8

INT 0x62 ? 8772CBF8

INT 0x72 ? 864ABBF8

INT 0x82 ? 864ABBF8

INT 0x92 ? 864ABBF8

INT 0x92 ? 864ABBF8

INT 0x92 ? 864AABF8

INT 0x92 ? 8772CBF8

INT 0x92 ? 864ABBF8

INT 0xA2 ? 8772CBF8

INT 0xA2 ? 8772CBF8

INT 0xA3 ? 8772CBF8

 

---- Kernel code sections - GMER 1.0.15 ----

 

.text ntkrnlpa.exe!KeSetEvent + 221 82AE5984 4 Bytes [54, CA, F6, 9E] {PUSH ESP; RETF 0x9ef6}

.text ntkrnlpa.exe!KeSetEvent + 3F1 82AE5B54 4 Bytes [40, CA, F6, 9E] {INC EAX; RETF 0x9ef6}

.text ntkrnlpa.exe!KeSetEvent + 40D 82AE5B70 4 Bytes [45, CA, F6, 9E] {INC EBP; RETF 0x9ef6}

.text ntkrnlpa.exe!KeSetEvent + 621 82AE5D84 4 Bytes [4F, CA, F6, 9E] {DEC EDI; RETF 0x9ef6}

? System32\Drivers\spdp.sys Le chemin d'accès spécifié est introuvable. !

? System32\Drivers\wehgscl.sys Un périphérique attaché au système ne fonctionne pas correctement. !

.text USBPORT.SYS!DllUnload 8CB5241B 5 Bytes JMP 8772C1D8

.text a3n58mzw.SYS 8C76B000 22 Bytes [82, D3, A0, 82, 6C, D2, A0, ...]

.text a3n58mzw.SYS 8C76B017 181 Bytes [00, 32, 47, 3A, 8C, 3D, 45, ...]

.text a3n58mzw.SYS 8C76B0CE 10 Bytes [00, 00, 00, 00, 00, 00, 02, ...]

.text a3n58mzw.SYS 8C76B0DA 12 Bytes [00, 00, 02, 00, 00, 00, 24, ...]

.text a3n58mzw.SYS 8C76B0E7 714 Bytes [00, F0, 0E, 00, 00, 00, 00, ...]

.text ...

 

---- User code sections - GMER 1.0.15 ----

 

.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1908] kernel32.dll!FindResourceExA 779E2575 7 Bytes JMP 28001D80 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)

.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1908] kernel32.dll!FindResourceA 779E2653 5 Bytes JMP 28001CF0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)

.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1908] kernel32.dll!CreateEventA 77A044C0 5 Bytes JMP 28001840 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)

.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1908] kernel32.dll!LockResource 77A068DF 5 Bytes JMP 28001F50 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)

.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1908] kernel32.dll!FindResourceExW 77A069FD 7 Bytes JMP 28001C60 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)

.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1908] kernel32.dll!LoadResource 77A06ADB 7 Bytes JMP 28001E20 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)

.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1908] kernel32.dll!FindResourceW 77A07FA1 5 Bytes JMP 28001BE0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)

.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1908] kernel32.dll!SizeofResource 77A07FBF 7 Bytes JMP 28001EE0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)

.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1908] ADVAPI32.dll!CryptDeriveKey 778FFCAE 7 Bytes JMP 28001000 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)

.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1908] ADVAPI32.dll!CryptDecrypt 778FFE91 7 Bytes JMP 28001060 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)

.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1908] USER32.dll!CreateDialogParamW 772772A2 5 Bytes JMP 28006090 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)

.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1908] USER32.dll!SetWindowPlacement 77277963 5 Bytes JMP 28005E10 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)

.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1908] USER32.dll!SetWindowRgn 7727A221 7 Bytes JMP 28005F50 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)

.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1908] USER32.dll!LoadImageW 7727C9E5 5 Bytes JMP 280066E0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)

.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1908] USER32.dll!LoadIconW 7727DA9F 5 Bytes JMP 280068D0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)

.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1908] USER32.dll!CreateWindowExW 77281305 5 Bytes JMP 28003C60 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)

.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1908] USER32.dll!GetWindowLongW 7728F8BF 7 Bytes JMP 28006A70 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)

.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1908] USER32.dll!PeekMessageW 7729045A 5 Bytes JMP 28004630 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)

.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1908] USER32.dll!TrackPopupMenuEx 772A0CE7 5 Bytes JMP 28004F10 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)

.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1908] USER32.dll!MessageBoxIndirectW 772CD5D3 5 Bytes JMP 28006280 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)

.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1908] SHELL32.dll!Shell_NotifyIconW 767B8626 5 Bytes JMP 280033B0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)

.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1908] ole32.dll!CoRegisterClassObject 76627DB6 5 Bytes JMP 28002360 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)

.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1908] ole32.dll!CoCreateInstance 76669EA6 5 Bytes JMP 28002600 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)

.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1908] ole32.dll!CoInitializeEx 7666AD63 5 Bytes JMP 28002260 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)

.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1908] WININET.dll!InternetReadFile 77AB654B 5 Bytes JMP 2800A090 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)

.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1908] WININET.dll!InternetCloseHandle 77AB9088 5 Bytes JMP 2800A240 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)

.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1908] WININET.dll!HttpOpenRequestA 77ABD508 5 Bytes JMP 28009F00 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)

.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1908] WININET.dll!HttpSendRequestA 77ACEE89 5 Bytes JMP 2800A170 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)

 

---- Devices - GMER 1.0.15 ----

 

Device \FileSystem\Ntfs \Ntfs 87748B50

Device \FileSystem\Ntfs \Ntfs 864B11F8

Device \FileSystem\fastfat \FatCdrom 8883A1F8

Device \FileSystem\udfs \UdfsCdRom 877351F8

Device \FileSystem\udfs \UdfsDisk 877351F8

Device \Driver\volmgr \Device\VolMgrControl 864AD1F8

Device \Driver\usbuhci \Device\USBPDO-0 874C11F8

Device \Driver\sptd \Device\390620351 spdp.sys

Device \Driver\netbt \Device\NetBT_Tcpip_{BF287B4E-DB63-43C5-A67B-CA958A2F798D} 87E751F8

Device \Driver\usbuhci \Device\USBPDO-1 874C11F8

Device \Driver\usbuhci \Device\USBPDO-2 874C11F8

Device \Driver\usbehci \Device\USBPDO-3 8773E1F8

Device \Driver\usbuhci \Device\USBPDO-4 874C11F8

Device \Driver\usbuhci \Device\USBPDO-5 874C11F8

Device \Driver\usbuhci \Device\USBPDO-6 874C11F8

Device \Driver\volmgr \Device\HarddiskVolume1 864AD1F8

Device \Driver\usbehci \Device\USBPDO-7 8773E1F8

Device \Driver\cdrom \Device\CdRom0 87733500

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 864AF1F8

Device \Driver\atapi \Device\Ide\IdePort0 864AF1F8

Device \Driver\atapi \Device\Ide\IdePort1 864AF1F8

Device \Driver\atapi \Device\Ide\IdePort2 864AF1F8

Device \Driver\atapi \Device\Ide\IdePort3 864AF1F8

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1 864AF1F8

Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-3 864AF1F8

Device \Driver\cdrom \Device\CdRom1 87733500

Device \Driver\cdrom \Device\CdRom2 87733500

Device \Driver\netbt \Device\NetBt_Wins_Export 87E751F8

Device \Driver\PCI_PNP0341 \Device\0000004b spdp.sys

Device \Driver\Smb \Device\NetbiosSmb 87E781F8

Device \Driver\iScsiPrt \Device\RaidPort0 8774D1F8

Device \Driver\usbuhci \Device\USBFDO-0 874C11F8

Device \Driver\usbuhci \Device\USBFDO-1 874C11F8

Device \Driver\usbuhci \Device\USBFDO-2 874C11F8

Device \Driver\usbehci \Device\USBFDO-3 8773E1F8

Device \Driver\usbuhci \Device\USBFDO-4 874C11F8

Device \Driver\usbuhci \Device\USBFDO-5 874C11F8

Device \Driver\usbuhci \Device\USBFDO-6 874C11F8

Device \Driver\usbehci \Device\USBFDO-7 8773E1F8

Device \Driver\a3n58mzw \Device\Scsi\a3n58mzw1Port6Path0Target0Lun0 877491F8

Device \Driver\a3n58mzw \Device\Scsi\a3n58mzw1 877491F8

Device \Driver\JRAID \Device\Scsi\JRAID1 864B01F8

Device \FileSystem\fastfat \Fat 8883A1F8

 

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Gestionnaire de filtres de système de fichiers Microsoft/Microsoft Corporation)

 

Device \FileSystem\cdfs \Cdfs 878CB1F8

 

---- Services - GMER 1.0.15 ----

 

Service (*** hidden *** ) [bOOT] wehgscl <-- ROOTKIT !!!

 

---- Registry - GMER 1.0.15 ----

 

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 2

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xD0 0x89 0x61 0x63 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x32 0xF2 0x62 0xDE ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xF0 0x88 0x56 0xAD ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x34 0x75 0x0E 0xE2 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xEF 0xB5 0x49 0xC8 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x79 0x6B 0x13 0x43 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\wehgscl@Type 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\wehgscl@Start 0

Reg HKLM\SYSTEM\CurrentControlSet\Services\wehgscl@ErrorControl 0

Reg HKLM\SYSTEM\CurrentControlSet\Services\wehgscl@Group Boot Bus Extender

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xD0 0x89 0x61 0x63 ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x32 0xF2 0x62 0xDE ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xF0 0x88 0x56 0xAD ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x34 0x75 0x0E 0xE2 ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xEF 0xB5 0x49 0xC8 ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x79 0x6B 0x13 0x43 ...

Reg HKLM\SYSTEM\ControlSet003\Services\wehgscl@Type 1

Reg HKLM\SYSTEM\ControlSet003\Services\wehgscl@Start 0

Reg HKLM\SYSTEM\ControlSet003\Services\wehgscl@ErrorControl 0

Reg HKLM\SYSTEM\ControlSet003\Services\wehgscl@Group Boot Bus Extender

 

---- EOF - GMER 1.0.15 ----

[Falkra]

C'est vilan tout ça. Un dernier rapport et on passe un peu plus à l'action. Télécharge MBR Rootkit Detector de gmer et enregistre-le sur le bureau.

 

Désactiver provisoirement les programmes de protection (antivirus, firewall,anti-spyware...)

 

Double-clique sur mbr.exe, une fenêtre d'invite de commande va s'ouvrir et se refermer,

- Un rapport sera généré : mbr.log.

 

Copie/colle le résultat de ce log dans ta réponse.

[jojom]

rien de bien méchant docteur ? ^^

 

 

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

 

device: opened successfully

user: MBR read successfully

kernel: MBR read successfully

user & kernel MBR OK

[Falkra]

Ici non, mais ailleurs, oui.

 

Tu vas utiliser Combofix. Ce logiciel n'est à utiliser que prescrit et piloté par un helper qualifié et formé à l'outil.

Ne pas utiliser en dehors de ce cas de figure ou seul : dangereux.

 

Télécharge combofix.exe de sUBs et sauvegarde le sur ton bureau (et pas ailleurs).

• Assure toi que tous les programmes sont fermés avant de commencer.
  
• Désactive l'antivirus, sinon combofix va te mettre un message (sinon, dis ok au message).
  
• Double-clique combofix.exe afin de l'exécuter.
  
• Clique sur "Oui" au message de Limitation de Garantie qui s'affiche.
  
• Si on te propose de redémarrer parc qu'un rootkit a été trouvé, fais-le.
  
• On va te proposer de télécharger et installer la console de récupération, clique sur "Oui" au message, autorise le téléchargement dans ton firewall si demandé, puis accepte le message de contrat utilisateur final.
  
• Le bureau disparaît, c'est normal, et il va revenir.
  
• Ne ferme pas la fenêtre qui s'ouvre, tu te retrouverais avec un bureau vide.
  
• Lorsque l'analyse sera terminée, un rapport apparaîtra.
  
• Copie-colle ce rapport dans ta prochaine réponse.
  Le rapport se trouve dans : C:\Combofix.txt (si jamais).
  

 

Tu peux voir ces opérations dans le guide officiel (seul autorisé) :

http://www.bleepingcomputer.com/combofix/f...iliser-combofix

[jojom]

ComboFix 10-03-05.06 - moi 06/03/2010 17:10:23.3.2 - x86

Microsoft® Windows Vista™ Édition Familiale Premium 6.0.6002.2.1252.33.1036.18.3582.2531 [GMT 1:00]

Lancé depuis: c:\users\moi\Desktop\ComboFix.exe

SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

.

 

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\windows\system32\404Fix.exe

c:\windows\system32\Agent.OMZ.Fix.exe

c:\windows\system32\dumphive.exe

c:\windows\system32\IEDFix.C.exe

c:\windows\system32\IEDFix.exe

c:\windows\system32\o4Patch.exe

c:\windows\system32\Process.exe

c:\windows\system32\SrchSTS.exe

c:\windows\system32\tmp.reg

c:\windows\system32\VACFix.exe

c:\windows\system32\VCCLSID.exe

c:\windows\system32\WS2Fix.exe

 

.

((((((((((((((((((((((((((((( Fichiers créés du 2010-02-06 au 2010-03-06 ))))))))))))))))))))))))))))))))))))

.

 

2010-03-06 16:18 . 2010-03-06 16:19 -------- d-----w- c:\users\moi\AppData\Local\temp

2010-03-06 16:18 . 2010-03-06 16:18 -------- d-----w- c:\users\Public\AppData\Local\temp

2010-03-06 16:18 . 2010-03-06 16:18 -------- d-----w- c:\users\maman\AppData\Local\temp

2010-03-06 16:18 . 2010-03-06 16:18 -------- d-----w- c:\users\Default\AppData\Local\temp

2010-03-06 15:13 . 2010-03-06 15:14 -------- d-----w- C:\rsit

2010-03-06 14:39 . 2010-03-06 14:57 -------- d-----w- c:\program files\ZHPDiag

2010-03-06 13:44 . 2010-03-06 15:56 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2010-03-06 13:44 . 2010-03-06 14:02 -------- d-----w- c:\programdata\Hitman Pro

2010-03-06 13:44 . 2010-03-06 13:44 -------- d-----w- c:\program files\Hitman Pro 3.5

2010-03-06 03:52 . 2010-03-06 04:05 35 ----a-w- c:\users\moi\AppData\Roaming\SetValue.bat

2010-03-06 03:45 . 2010-03-06 03:45 -------- d-----w- C:\$AVG

2010-03-06 03:43 . 2010-03-06 03:43 -------- d-----w- c:\program files\AVG

2010-03-06 00:44 . 2010-03-06 00:44 -------- d-----w- C:\VundoFix Backups

2010-03-05 23:34 . 2010-03-05 23:34 -------- d-----w- c:\program files\Nexus

2010-03-05 17:10 . 2010-03-05 17:10 -------- d-----w- c:\users\moi\VstPlugins

2010-02-26 00:56 . 2010-02-26 00:56 -------- d-----w- c:\users\moi\AppData\Roaming\Malwarebytes

2010-02-26 00:56 . 2010-01-07 15:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-02-26 00:56 . 2010-02-26 00:56 -------- d-----w- c:\programdata\Malwarebytes

2010-02-26 00:56 . 2010-02-26 00:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-02-26 00:56 . 2010-01-07 15:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-02-24 01:55 . 2010-01-23 09:26 2048 ----a-w- c:\windows\system32\tzres.dll

2010-02-24 01:54 . 2010-01-25 12:00 471552 ----a-w- c:\windows\system32\secproc_isv.dll

2010-02-24 01:54 . 2010-01-25 12:00 471552 ----a-w- c:\windows\system32\secproc.dll

2010-02-24 01:54 . 2010-01-25 12:00 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll

2010-02-24 01:54 . 2010-01-25 12:00 152064 ----a-w- c:\windows\system32\secproc_ssp.dll

2010-02-24 01:54 . 2010-01-25 11:58 332288 ----a-w- c:\windows\system32\msdrm.dll

2010-02-24 01:54 . 2010-01-25 08:21 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe

2010-02-24 01:54 . 2010-01-25 08:21 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe

2010-02-24 01:54 . 2010-01-25 08:21 518144 ----a-w- c:\windows\system32\RMActivate.exe

2010-02-24 01:54 . 2010-01-25 08:21 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe

2010-02-24 01:54 . 2010-01-06 15:39 1696256 ----a-w- c:\windows\system32\gameux.dll

2010-02-24 01:54 . 2010-01-06 15:38 28672 ----a-w- c:\windows\system32\Apphlpdm.dll

2010-02-24 01:54 . 2010-01-06 13:30 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll

 

.

(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-03-06 16:17 . 2006-11-02 15:48 683422 ----a-w- c:\windows\system32\perfh00C.dat

2010-03-06 16:17 . 2006-11-02 15:48 127848 ----a-w- c:\windows\system32\perfc00C.dat

2010-03-06 16:09 . 2008-10-28 22:25 -------- d-----w- c:\programdata\NVIDIA

2010-03-06 15:56 . 2009-08-16 13:04 87029 ----a-w- c:\programdata\nvModes.dat

2010-03-06 15:56 . 2008-12-04 17:29 -------- d-----w- c:\program files\Steam

2010-03-06 04:13 . 2008-11-15 01:23 -------- d-----w- c:\program files\Curse

2010-03-06 04:13 . 2008-10-15 14:00 -------- d-----w- c:\program files\World of Warcraft

2010-03-06 04:05 . 2010-03-06 03:52 691 ----a-w- c:\users\moi\AppData\Roaming\GetValue.vbs

2010-03-06 00:47 . 2008-11-01 15:00 -------- d-----w- c:\program files\CCleaner

2010-03-06 00:31 . 2008-11-21 19:46 -------- d-----w- c:\users\moi\AppData\Roaming\uTorrent

2010-03-05 14:33 . 2010-01-24 01:40 -------- d-----w- c:\users\moi\AppData\Roaming\vlc

2010-02-28 08:17 . 2008-10-28 19:28 56576 ----a-w- c:\users\moi\AppData\Local\GDIPFONTCACHEV1.DAT

2010-02-26 00:53 . 2008-12-09 15:18 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-02-14 08:15 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail

2010-02-11 14:33 . 2010-01-09 17:49 -------- d-----w- c:\users\moi\AppData\Roaming\Mumble

2010-02-02 15:43 . 2009-04-09 14:10 -------- d-----w- c:\users\moi\AppData\Roaming\dvdcss

2010-02-01 20:04 . 2008-11-15 14:56 -------- d-----w- c:\program files\Common Files\Adobe

2010-01-27 19:04 . 2008-11-15 14:48 1 ----a-w- c:\users\moi\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys

2010-01-24 08:16 . 2009-03-22 14:50 -------- d-----w- c:\program files\Microsoft Silverlight

2010-01-20 20:17 . 2010-01-20 20:17 -------- d-----w- c:\users\moi\AppData\Roaming\streamripper

2010-01-20 20:17 . 2008-10-29 17:47 -------- d-----w- c:\users\moi\AppData\Roaming\Winamp

2010-01-20 20:17 . 2010-01-20 20:17 -------- d-----w- c:\program files\Streamripper

2010-01-20 11:35 . 2008-10-29 00:11 -------- d-----w- c:\programdata\Messenger Plus!

2010-01-20 11:32 . 2008-10-28 20:48 -------- d-----w- c:\program files\Messenger Plus! Live

2010-01-09 17:32 . 2010-01-09 17:32 -------- d-----w- c:\program files\Mumble

2010-01-06 15:38 . 2010-02-24 01:54 173056 ----a-w- c:\windows\AppPatch\AcXtrnal.dll

2010-01-06 15:38 . 2010-02-24 01:54 542720 ----a-w- c:\windows\AppPatch\AcLayers.dll

2010-01-06 15:38 . 2010-02-24 01:54 458752 ----a-w- c:\windows\AppPatch\AcSpecfc.dll

2010-01-06 15:38 . 2010-02-24 01:54 2159616 ----a-w- c:\windows\AppPatch\AcGenral.dll

2010-01-02 06:38 . 2010-01-22 08:57 916480 ----a-w- c:\windows\system32\wininet.dll

2010-01-02 06:32 . 2010-01-22 08:57 109056 ----a-w- c:\windows\system32\iesysprep.dll

2010-01-02 06:32 . 2010-01-22 08:57 71680 ----a-w- c:\windows\system32\iesetup.dll

2010-01-02 04:57 . 2010-01-22 08:57 133632 ----a-w- c:\windows\system32\ieUnatt.exe

2009-12-11 11:43 . 2010-02-09 20:03 302080 ----a-w- c:\windows\system32\drivers\srv.sys

2009-12-11 11:43 . 2010-02-09 20:03 98816 ----a-w- c:\windows\system32\drivers\srvnet.sys

2009-12-11 01:39 . 2009-09-24 00:24 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-12-08 20:01 . 2010-02-09 20:03 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys

2009-12-08 20:01 . 2010-02-09 20:03 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe

2009-12-08 20:01 . 2010-02-09 20:03 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe

2009-12-08 17:26 . 2010-02-09 20:03 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys

.

 

((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Steam"="c:\program files\steam\steam.exe" [2010-02-28 1217872]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-18 1008184]

"BigDogPath"="c:\windows\VM_STI.EXE" [2004-06-09 40960]

"Diamondback"="c:\program files\Razer\Diamondback\razerhid.exe" [2007-02-14 147456]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-04 417792]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

 

c:\users\moi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

CurseClientStartup.ccip [2009-12-31 0]

 

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

TrayMin200.exe.lnk - c:\program files\Philips\SPC 200NC PC Camera\TrayMin200.exe [2008-10-28 278528]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"midi1"=myokent.dll

"midi2"=wdmaud.drv

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@="Service"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]

"VistaSp2"=hex(b):82,70,b5,25,e8,f4,c9,01

 

R0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-09-16 721904]

R2 HerculesDJControlMP3;Hercules DJ Control MP3;c:\program files\Hercules\Audio\DJ Console Series\HerculesDJControlMP3.EXE [2007-11-21 17408]

R3 fssfltr;fssfltr;c:\windows\system32\DRIVERS\fssfltr.sys [2009-08-05 54632]

R3 fsssvc;Service Windows Live Contrôle parental;c:\program files\Windows Live\Family Safety\fsssvc.exe [2009-08-05 704864]

R3 HDJCtrl;Hercules DJ Control MP3 Service;c:\windows\system32\Drivers\HDJCtrl.sys [2008-05-12 17408]

R3 HDJMidi;Hercules DJ Control MP3 MIDI;c:\windows\system32\DRIVERS\HDJMidi.sys [2008-06-04 95744]

R3 maconfservice;Ma-Config Service;c:\program files\ma-config.com\maconfservice.exe [2009-05-29 234864]

R3 PL-40R;CASIO USB MIDI;c:\windows\system32\Drivers\pl40rwdm.sys [2004-10-01 18048]

R3 SG760_XP;SAGEM 802.11g XG760 1211 Driver;c:\windows\system32\DRIVERS\WlanUZXP.sys [2009-08-06 260608]

R3 ZDPSp60;ZDPSp60 NDIS Protocol Driver;c:\windows\system32\Drivers\ZDPSp60.sys [x]

S2 AntiVirSchedulerService;Avira AntiVir Planificateur;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-09-24 108289]

S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2009-07-14 239648]

S3 Razerlow;Razerlow USB Filter Driver;c:\windows\system32\Drivers\Razerlow.sys [2005-04-24 13225]

 

 

--- Autres Services/Pilotes en mémoire ---

 

*Deregistered* - wehgscl

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

.

.

------- Examen supplémentaire -------

.

FF - ProfilePath - c:\users\moi\AppData\Roaming\Mozilla\Firefox\Profiles\moqphw04.default\

FF - prefs.js: browser.search.selectedEngine - Megaupload - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.google.fr/

FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?mkt=fr-FR&FORM=MIMWA5&q=

FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll

FF - plugin: c:\program files\ma-config.com\nphardwaredetection.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-03-06 17:19

Windows 6.0.6002 Service Pack 2 NTFS

 

Recherche de processus cachés ...

 

Recherche d'éléments en démarrage automatique cachés ...

 

Recherche de fichiers cachés ...

 

Scan terminé avec succès

Fichiers cachés: 0

 

**************************************************************************

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wehgscl]

 

.

Heure de fin: 2010-03-06 17:21:36

ComboFix-quarantined-files.txt 2010-03-06 16:21

ComboFix2.txt 2010-03-06 03:14

ComboFix3.txt 2010-03-06 02:45

 

Avant-CF: 89 538 342 912 octets libres

Après-CF: 89 507 713 024 octets libres

 

- - End Of File - - 9C0F5789EFA04E56253A35CC8155DB6D

[Falkra]

Tu as déjà utilisé combofix, sans doute seul, c'est dangereux et ça nous prive d'informations, même chose avec Avenger, tout aussi dangereux voire plus : ne jamais utiliser sans supervision de membres formés à ces outils !

 

 

ComboFix a déjà supprimé des nuisibles, mais on va continuer avec un script sur-mesure.

 

Rend toi sur cette page afin de télécharger le fichier CFScript sur le Bureau => http://senduit.com/1d2bd4

Patiente une seconde: le téléchargement va se lancer automatiquement.

• Fait un glisser/déposer de ce fichier CFScript sur le fichier ComboFix.exe comme sur la capture
  
  
• Patiente le temps du scan.Le bureau va disparaitre à plusieurs reprises: c'est normal!
  Ne touche à rien tant que le scan n'est pas terminé.
  
• Quand CF finit de s'exécuter, il affiche cette boîte de message:
  
  
• Cliquer sur OK va faire débuter l'envoi automatique du fichier archivé (zip).
  
  
• Une fois le scan achevé, le pc va certainement redémarrer: un rapport va s'afficher, poste son contenu.
  
• Si le fichier n'apparait pas, il se trouve ici > C:\ComboFix.txt
  

Note1: Le script proposé est spécifique au cas de cet utilisateur : vous ne devez en aucun cas l'utiliser sur votre pc!

 

Note2: un fichier qui se trouve sur le pc va être expédié au créateur de ComboFix pour analyse.

Dans le cas où le site de téléchargement se trouve hors ligne, tu verras le message ci-dessous =>

Il te suffira seulement de faire un double clic sur le fichier CF-Submit.htm qui se trouve dans le répertoire C:\ pour envoyer le fichier.

Le rapport de ComboFix ne s'affichera qu'après la fin de la fonction d'envoi.