
Posted

hi :P

Go to this address => http://www.virustotal.com/

There is a button labelled "Browse" ("Parcourir"): click it and a window opens => copy/paste this into the field to the right of "File name" at the bottom of the page >> C:\Windows\system32\DRIVERS\serial.sys

Now click "Open" at the bottom of the window, then "Send file". The scan of that file will start. All you have to do then is select, copy and paste the analysis into your next message.

Note: uploaded files are queued, because the virus scanner is in heavy demand! Be patient (a message tells you how long the analysis will take).

Note: sometimes the file has already been analysed. If so, click the "Reanalyse file now" button.

Do the same with C:\Windows\system32\drivers\atapi.sys

Please post the reports.

Posted

Hello,

here are the reports:

File serial.sys received on 2010.05.08 11:20:56 (UTC)

 

Antivirus Version Last update Result
a-squared 4.5.0.50 2010.05.08 -
AhnLab-V3 2010.05.08.00 2010.05.07 -
AntiVir 8.2.1.236 2010.05.07 -
Antiy-AVL 2.0.3.7 2010.05.07 -
Authentium 5.2.0.5 2010.05.08 -
Avast 4.8.1351.0 2010.05.07 -
Avast5 5.0.332.0 2010.05.07 -
AVG 9.0.0.787 2010.05.08 -
BitDefender 7.2 2010.05.08 -
CAT-QuickHeal 10.00 2010.05.07 -
ClamAV 0.96.0.3-git 2010.05.08 -
Comodo 4791 2010.05.08 -
DrWeb 5.0.2.03300 2010.05.08 -
eSafe 7.0.17.0 2010.05.06 -
eTrust-Vet 35.2.7474 2010.05.07 -
F-Prot 4.5.1.85 2010.05.08 -
F-Secure 9.0.15370.0 2010.05.08 -
Fortinet 4.1.133.0 2010.05.08 -
GData 21 2010.05.08 -
Ikarus T3.1.1.84.0 2010.05.08 -
Jiangmin 13.0.900 2010.05.08 -
Kaspersky 7.0.0.125 2010.05.08 -
McAfee 5.400.0.1158 2010.05.08 -
McAfee-GW-Edition 2010.1 2010.05.07 -
Microsoft 1.5703 2010.05.08 -
NOD32 5096 2010.05.07 -
Norman 6.04.12 2010.05.08 -
nProtect 2010-05-08.01 2010.05.08 -
Panda 10.0.2.7 2010.05.07 -
PCTools 7.0.3.5 2010.05.07 -
Prevx 3.0 2010.05.08 -
Rising 22.46.05.04 2010.05.08 -
Sophos 4.53.0 2010.05.08 -
Sunbelt 6278 2010.05.08 -
Symantec 20091.2.0.41 2010.05.08 -
TheHacker 6.5.2.0.277 2010.05.07 -
TrendMicro 9.120.0.1004 2010.05.08 -
TrendMicro-HouseCall 9.120.0.1004 2010.05.08 -
VBA32 3.12.12.4 2010.05.06 -
ViRobot 2010.5.8.2306 2010.05.08 -
VirusBuster 5.0.27.0 2010.05.07 -

Additional information
File size: 83456 bytes
MD5...: 6d663022db3e7058907784ae14b69898
SHA1..: 9721f86a794211f2a094dff5288f2bc53037f4b1
SHA256: 54263888c64a7f010d3b5e399369b0f3ff3af0a0de8adb502b98277533e4d45f
ssdeep: 1536:O1TbSapq9rUoT/xdk/9dldqU7WXK61XM4ImL9mQJQD:iTbSapwAA/xdkrfXR61Xws4qQ

PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x13408
timedatestamp.....: 0x47918f6e (Sat Jan 19 05:49:34 2008)
machinetype.......: 0x14c (I386)

( 8 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x45af 0x4600 6.40 7ffa244dc6404025cf571bf91d6d708b
.rdata 0x6000 0x1fc 0x200 3.80 d478e7cc89eddeed1f48dfcc9c505a46
.data 0x7000 0x138 0x200 1.79 27bb04f0f079113479e41125a0422ad3
PAGESRP0 0x8000 0x5244 0x5400 6.40 e4fee979eb1b04a5f5893a085c956278
PAGESER 0xe000 0x4054 0x4200 6.30 89baddaa189d720deea9769304575595
INIT 0x13000 0x2f72 0x3000 6.32 307520b88f9791e0a641a49c79ccc8d8
.rsrc 0x16000 0x2488 0x2600 3.28 86cc43b7f745c9a445bde3d3576032b8
.reloc 0x19000 0xb58 0xc00 6.58 18128a23d8439e63c57d44d0df218b2f

( 3 imports )
> ntoskrnl.exe: DbgBreakPoint, memmove, ExAllocatePoolWithTag, memset, PoSetPowerState, KeWaitForSingleObject, KeInitializeDpc, KeInitializeTimer, ExAllocatePoolWithQuotaTag, KeInsertQueueDpc, KeDelayExecutionThread, MmLockPagableSectionByHandle, MmQuerySystemSize, KeQuerySystemTime, KeSetEvent, KeSetTimer, IofCallDriver, PoCallDriver, IoWriteErrorLogEntry, IoAllocateErrorLogEntry, memcpy, KeCancelTimer, IoInvalidateDeviceState, KeInitializeEvent, IoCreateDevice, RtlAppendUnicodeStringToString, MmLockPagableDataSection, RtlInitUnicodeString, RtlAppendUnicodeToString, IoAttachDeviceToDeviceStack, IoQueryDeviceDescription, ZwClose, IoOpenDeviceRegistryKey, RtlDeleteRegistryValue, IoDeleteSymbolicLink, IoSetDeviceInterfaceState, IoRegisterDeviceInterface, RtlWriteRegistryValue, IoCreateSymbolicLink, IoConnectInterrupt, RtlQueryRegistryValues, ZwQueryValueKey, ZwSetValueKey, ZwEnumerateKey, IoReportDetectedDevice, ZwOpenKey, PoStartNextPowerIrp, PoRequestPowerIrp, KeClearEvent, KeTickCount, KeBugCheckEx, RtlUnwind, MmUnlockPagableImageSection, IoCancelIrp, IoDetachDevice, IoDeleteDevice, IoGetConfigurationInformation, IoWMIRegistrationControl, IoDisconnectInterrupt, ExFreePoolWithTag, KeRemoveQueueDpc, MmUnmapIoSpace, MmMapIoSpace, _allmul, IoAcquireCancelSpinLock, KeSynchronizeExecution, IoReleaseCancelSpinLock, RtlIntegerToUnicodeString, IofCompleteRequest
> HAL.dll: WRITE_PORT_BUFFER_UCHAR, KfReleaseSpinLock, HalTranslateBusAddress, HalGetInterruptVector, KeGetCurrentIrql, ExAcquireFastMutex, ExReleaseFastMutex, WRITE_PORT_UCHAR, KdComPortInUse, READ_PORT_UCHAR, KfRaiseIrql, KfLowerIrql, KfAcquireSpinLock
> WMILIB.SYS: WmiSystemControl, WmiCompleteRequest

( 0 exports )

RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: © Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: Serial Device Driver
original name: serial.sys
internal name: serial.sys
file version.: 6.0.6001.18000 (longhorn_rtm.080118-1840)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned


File atapi.sys received on 2010.05.08 11:25:58 (UTC)

Antivirus Version Last update Result
a-squared 4.5.0.50 2010.05.08 -
AhnLab-V3 2010.05.08.00 2010.05.07 -
AntiVir 8.2.1.236 2010.05.07 -
Antiy-AVL 2.0.3.7 2010.05.07 -
Authentium 5.2.0.5 2010.05.08 -
Avast 4.8.1351.0 2010.05.07 -
Avast5 5.0.332.0 2010.05.07 -
AVG 9.0.0.787 2010.05.08 -
BitDefender 7.2 2010.05.08 -
CAT-QuickHeal 10.00 2010.05.07 -
ClamAV 0.96.0.3-git 2010.05.08 -
Comodo 4791 2010.05.08 -
DrWeb 5.0.2.03300 2010.05.08 -
eSafe 7.0.17.0 2010.05.06 -
eTrust-Vet 35.2.7474 2010.05.07 -
F-Prot 4.5.1.85 2010.05.08 -
F-Secure 9.0.15370.0 2010.05.08 -
Fortinet 4.1.133.0 2010.05.08 -
GData 21 2010.05.08 -
Ikarus T3.1.1.84.0 2010.05.08 -
Jiangmin 13.0.900 2010.05.08 -
Kaspersky 7.0.0.125 2010.05.08 -
McAfee 5.400.0.1158 2010.05.08 -
McAfee-GW-Edition 2010.1 2010.05.07 -
Microsoft 1.5703 2010.05.08 -
NOD32 5096 2010.05.07 -
Norman 6.04.12 2010.05.08 -
nProtect 2010-05-08.01 2010.05.08 -
Panda 10.0.2.7 2010.05.07 -
PCTools 7.0.3.5 2010.05.07 -
Prevx 3.0 2010.05.08 -
Rising 22.46.05.04 2010.05.08 -
Sophos 4.53.0 2010.05.08 -
Sunbelt 6278 2010.05.08 -
Symantec 20091.2.0.41 2010.05.08 -
TheHacker 6.5.2.0.277 2010.05.07 -
TrendMicro 9.120.0.1004 2010.05.08 -
TrendMicro-HouseCall 9.120.0.1004 2010.05.08 -
VBA32 3.12.12.4 2010.05.06 -
ViRobot 2010.5.8.2306 2010.05.08 -
VirusBuster 5.0.27.0 2010.05.07 -

Additional information
File size: 19944 bytes
MD5...: 1f05b78ab91c9075565a9d8a4b880bc4
SHA1..: 218442cd7afecbc8d102c4e31d9ef3528642191b
SHA256: 737be9f9376dab0ccdfed93ea6d67f0c432367ea63cd772a453485be769af3bd
ssdeep: 384:zzY0Vgd1RrKzBpWk4UwWFSn8G6FuT+quHpBjbOjBMwzt8:zz/Vgd1gzQUSuBxkMwzt8

PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x5005
timedatestamp.....: 0x49e01eed (Sat Apr 11 04:39:09 2009)
machinetype.......: 0x14c (I386)

( 6 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x19b0 0x1a00 6.30 4ac8c9f82cf23d85316bd85d3d8e4efb
.rdata 0x3000 0xae 0x200 1.49 3d541e69f96e97a837841ad289adeac7
.data 0x4000 0xc 0x200 0.18 7c80b151582aa6280e754b477343e54e
INIT 0x5000 0x364 0x400 4.51 f238fffd3a9917d72f4888f4276b3b06
.rsrc 0x6000 0x3f8 0x400 3.38 5c8a106a7c9416fb469c83dfab844abd
.reloc 0x7000 0x8a 0x200 1.37 064d7db7c16955d4dc6d3f7afb703e06

( 2 imports )
> ataport.SYS: AtaPortNotification, AtaPortWritePortUchar, AtaPortWritePortUlong, AtaPortGetPhysicalAddress, AtaPortConvertPhysicalAddressToUlong, AtaPortGetScatterGatherList, AtaPortReadPortUchar, AtaPortStallExecution, AtaPortGetParentBusType, AtaPortRequestCallback, AtaPortWritePortBufferUshort, AtaPortGetUnCachedExtension, AtaPortCompleteRequest, AtaPortMoveMemory, AtaPortCompleteAllActiveRequests, AtaPortReleaseRequestSenseIrb, AtaPortBuildRequestSenseIrb, AtaPortReadPortUshort, AtaPortReadPortBufferUshort, AtaPortInitialize, AtaPortGetDeviceBase, AtaPortDeviceStateChange
> NTOSKRNL.exe: KeTickCount

( 0 exports )

RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Generic Win/DOS Executable (49.9%)
DOS Executable Generic (49.8%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: © Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: ATAPI IDE Miniport Driver
original name: atapi.sys
internal name: atapi.sys
file version.: 6.0.6002.18005 (lh_sp2rtm.090410-1830)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
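As an added example (not code from this thread, from VirusTotal or from the tools it mentions), here is a small Python triage script covering the two steps the helper asks for above: getting a driver's identity to VirusTotal and reading what comes back. It parses a report in the pasted text format, counts engine detections, pulls out the MD5/SHA-1/SHA-256 and the sigcheck block, and recomputes the three hashes locally so a file on disk can be matched against a report by hash before (or instead of) uploading it again. SAMPLE_REPORT is a constructed excerpt of the serial.sys report (five of its 41 engine rows, hashes and sigcheck values as posted). The verdict logic is my own heuristic, and the caveat it encodes is the one a practitioner needs here: VirusTotal's sigcheck runs without the submitting machine's catalog files, so "Unsigned" in that report does not by itself distinguish a genuine catalog-signed Windows driver from a patched one (both serial.sys and atapi.sys show it above, and only serial.sys is later reported as infected). Zero detections plus an unverifiable signature therefore means "not vouched for", not "clean"; the decisive checks are a local signature check against the catalogs and a hash comparison with a known-good copy.

```python
"""Triage a VirusTotal-style text report and match a local file against it.

Added example, not part of the thread. The report parser follows the
layout pasted above (engine rows, 'Additional information' hashes,
'sigcheck:' key/value block); the triage verdict is a heuristic.
"""
import hashlib
import re
from dataclasses import dataclass, field

# Constructed excerpt of the serial.sys report above (5 of the 41 engine
# rows kept; hashes and sigcheck fields are the ones posted).
SAMPLE_REPORT = """\
File serial.sys received on 2010.05.08 11:20:56 (UTC)
Antivirus Version Last update Result
a-squared 4.5.0.50 2010.05.08 -
AhnLab-V3 2010.05.08.00 2010.05.07 -
Kaspersky 7.0.0.125 2010.05.08 -
Microsoft 1.5703 2010.05.08 -
Symantec 20091.2.0.41 2010.05.08 -
Additional information
File size: 83456 bytes
MD5...: 6d663022db3e7058907784ae14b69898
SHA1..: 9721f86a794211f2a094dff5288f2bc53037f4b1
SHA256: 54263888c64a7f010d3b5e399369b0f3ff3af0a0de8adb502b98277533e4d45f
sigcheck:
publisher....: Microsoft Corporation
description..: Serial Device Driver
file version.: 6.0.6001.18000 (longhorn_rtm.080118-1840)
signers......: -
verified.....: Unsigned
"""

# engine  version  yyyy.mm.dd  result ('-' means no detection)
ENGINE_ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.+?)\s*$")
# 'MD5...: <hex>', 'SHA1..: <hex>', 'SHA256: <hex>'
HASH_ROW = re.compile(r"^(MD5|SHA1|SHA256)\.*:\s*([0-9a-fA-F]+)\s*$")
# 'publisher....: value', 'original name: value' (dots pad the key)
KV_ROW = re.compile(r"^([A-Za-z][A-Za-z ]*?)\.*:\s*(.*?)\s*$")


@dataclass
class Report:
    engines: dict = field(default_factory=dict)   # engine -> result string
    hashes: dict = field(default_factory=dict)    # md5/sha1/sha256 -> hex
    sigcheck: dict = field(default_factory=dict)  # publisher, verified, ...

    def detections(self):
        return {k: v for k, v in self.engines.items() if v != "-"}


def parse_vt_report(text):
    """Walk the report line by line, switching sections on the headers
    VirusTotal prints (English or French header for the engine table)."""
    report, section = Report(), None
    for raw in text.splitlines():
        line = raw.strip()
        low = line.lower()
        if low.startswith("antivirus "):
            section = "engines"
        elif low.startswith(("additional information", "information additionnelle")):
            section = "info"
        elif low == "sigcheck:":
            section = "sigcheck"
        elif section == "engines" and (m := ENGINE_ROW.match(line)):
            report.engines[m.group(1)] = m.group(4)
        elif section == "info" and (m := HASH_ROW.match(line)):
            report.hashes[m.group(1).lower()] = m.group(2).lower()
        elif section == "sigcheck" and (m := KV_ROW.match(line)):
            report.sigcheck[m.group(1).strip()] = m.group(2)
    return report


def triage(report):
    """Heuristic verdict: 'detected', 'unverified' or 'clean', with reasons.
    'Unsigned' from VirusTotal is not proof of tampering (no catalogs in
    its sandbox), but it does mean the report cannot vouch for the file."""
    hits = report.detections()
    if hits:
        return "detected", ["flagged by %d engine(s): %s" % (len(hits), ", ".join(sorted(hits)))]
    if report.sigcheck.get("verified", "").lower() != "signed":
        return "unverified", [
            "no detections, but no verified signature for publisher '%s'; "
            "check the signature locally against the catalogs and compare the "
            "SHA-256 with a known-good copy" % report.sigcheck.get("publisher", "?")]
    return "clean", ["no detections and signature verified"]


def hash_chunks(chunks):
    """MD5, SHA-1 and SHA-256 over an iterable of byte chunks, as lowercase
    hex, the form VirusTotal prints."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    for chunk in chunks:
        for d in digests.values():
            d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def hash_file(path):
    with open(path, "rb") as fh:
        return hash_chunks(iter(lambda: fh.read(1 << 16), b""))


def matches_report(local_hashes, report):
    """True only if every hash the report lists equals the local one."""
    return bool(report.hashes) and all(local_hashes[k] == v for k, v in report.hashes.items())


if __name__ == "__main__":
    rep = parse_vt_report(SAMPLE_REPORT)
    verdict, why = triage(rep)
    print(verdict, "-", "; ".join(why))
    # Hypothetical path: compare a local copy with the posted report by hash
    # print(matches_report(hash_file(r"C:\Windows\system32\drivers\serial.sys"), rep))
```

Running it on the excerpt yields "unverified", which is the honest reading of a 0/41 report on an unsigned-looking system driver; the hash comparison is what lets you decide later whether a copy you have in hand is the same file that was submitted.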

Posted

Hello,

I should add that Outlook has started working again, and since this morning I no longer get the warning about the IE8 search engine being changed, nor the advertising page.

On the other hand, Windows Update still returns the same error.

Posted

ok leducs: we'll use another program, because I suspect an infection =>

  • Right-click HERE
  • Choose Save target (link) as > a window opens >>
  • In the field to the right of "File name" at the bottom of the page, change the name shown (ComboFix.exe) to this >> leducs.exe
  • Save the file to the Desktop: to do so, click the Save button.
  • Make sure all programs are closed before running the fix!
  • Double-click leducs.exe.
  • Note: Do not close the window that has just opened, or you will end up with an empty desktop!

Posted

Here is the report:

ComboFix 10-05-07.07 - User 08/05/2010 23:44:02.1.2 - x86
Microsoft® Windows Vista Édition Familiale Premium 6.0.6002.2.1252.33.1036.18.3326.2293 [GMT 2:00]
Running from: c:\users\User\Desktop\leducs.exe
SP: Spybot - Search and Destroy *enabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

(((((((((((((((((((((((((((((((((((( Other deletions ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Public\mdsys.s
c:\users\Public\mdusys.s
c:\users\Public\winbrd.jpg
c:\users\User\AppData\Roaming\PnkBstrK.sys

Infected copy of c:\windows\system32\drivers\serial.sys was found and disinfected
Restored copy from - Kitty had a snack :P
.
((((((((((((((((((((((((((((( Files created from 2010-04-08 to 2010-05-08 ))))))))))))))))))))))))))))))))))))
.


2010-05-08 21:51 . 2010-05-08 21:51 -------- d-----w- c:\users\User\AppData\Local\temp
2010-05-08 21:51 . 2010-05-08 21:51 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-05-08 21:51 . 2010-05-08 21:51 -------- d-----w- c:\users\Antoine\AppData\Local\temp
2010-05-08 21:51 . 2010-05-08 21:51 -------- d-----w- c:\users\Administrateur\AppData\Local\temp
2010-05-06 07:33 . 2010-05-06 07:33 -------- d-----w- c:\users\Administrateur\AppData\Roaming\Malwarebytes
2010-05-06 07:12 . 2010-05-07 05:07 -------- d-----w- c:\users\User\AppData\Local\fcixgmnmu
2010-05-01 06:16 . 2010-05-01 06:16 -------- d-----w- c:\program files\iPod
2010-05-01 06:15 . 2010-05-01 06:15 -------- d-----w- c:\program files\Bonjour
2010-05-01 06:15 . 2010-05-01 06:15 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-05-01 01:06 . 2010-05-07 05:25 -------- d-----w- c:\program files\trend micro
2010-05-01 01:06 . 2010-05-07 05:25 -------- d-----w- C:\rsit
2010-04-30 21:01 . 2010-01-06 10:08 57856 ----a-w- c:\users\User\AppData\Roaming\Mozilla\Firefox\Profiles\nmuixs17.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
2010-04-30 21:01 . 2010-01-06 10:08 545280 ----a-w- c:\users\User\AppData\Roaming\Mozilla\Firefox\Profiles\nmuixs17.default\extensions\piclens@cooliris.com\libs\PicLensHelper.exe
2010-04-30 21:01 . 2010-01-06 10:08 4726272 ----a-w- c:\users\User\AppData\Roaming\Mozilla\Firefox\Profiles\nmuixs17.default\extensions\piclens@cooliris.com\libs\cooliris190.dll
2010-04-30 21:01 . 2010-01-06 10:08 4725760 ----a-w- c:\users\User\AppData\Roaming\Mozilla\Firefox\Profiles\nmuixs17.default\extensions\piclens@cooliris.com\libs\cooliris192.dll
2010-04-30 21:01 . 2010-01-06 10:08 344064 ----a-w- c:\users\User\AppData\Roaming\Mozilla\Firefox\Profiles\nmuixs17.default\extensions\piclens@cooliris.com\libs\LaunchCooliris.exe
2010-04-30 21:01 . 2010-01-06 10:08 153600 ----a-w- c:\users\User\AppData\Roaming\Mozilla\Firefox\Profiles\nmuixs17.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
2010-04-30 21:01 . 2010-01-06 10:08 103424 ----a-w- c:\users\User\AppData\Roaming\Mozilla\Firefox\Profiles\nmuixs17.default\extensions\piclens@cooliris.com\libs\pixomatic.dll
2010-04-30 21:01 . 2009-11-25 20:03 61952 ----a-w- c:\users\User\AppData\Roaming\Mozilla\Firefox\Profiles\nmuixs17.default\extensions\cfxHelper@Triton\components\dwmxpcom.dll
2010-04-30 20:50 . 2010-04-30 20:50 -------- d-----w- c:\users\User\AppData\Roaming\Malwarebytes
2010-04-30 20:50 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-30 20:50 . 2010-04-30 20:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-30 20:50 . 2010-04-30 20:50 -------- d-----w- c:\programdata\Malwarebytes
2010-04-30 20:50 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-30 19:01 . 2010-04-30 19:01 -------- d-----w- c:\users\Administrateur\AppData\Roaming\Apple Computer
2010-04-30 19:00 . 2010-04-30 19:00 -------- d-----w- c:\users\Administrateur\AppData\Local\Apple Computer
2010-04-30 18:46 . 2010-04-30 19:52 -------- d-----w- c:\users\User\AppData\Local\hdfyjcetf
2010-04-28 01:30 . 2010-05-02 04:42 -------- d-----w- c:\users\User\AppData\Roaming\dvdcss
2010-04-26 22:08 . 2010-05-06 00:44 -------- d-----w- c:\users\User\AppData\Roaming\vlc
2010-04-26 22:07 . 2010-04-26 22:07 -------- d-----w- c:\program files\VideoLAN
2010-04-26 21:11 . 2010-04-26 21:11 -------- d-----w- c:\program files\MSECache
2010-04-24 14:34 . 2010-04-24 14:34 653576 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-04-23 20:19 . 2010-04-23 20:19 -------- d-----w- c:\windows\95FC26FB19FD4A96BBB1B1062E8648F5.TMP
2010-04-23 20:19 . 2010-04-23 20:19 -------- d-----w- c:\programdata\THQ
2010-04-23 19:25 . 2010-04-23 19:25 -------- d-----w- c:\users\Antoine\Images
2010-04-23 19:25 . 2010-04-23 19:25 -------- d-----w- c:\users\Antoine\Sounds
2010-04-20 02:55 . 2010-04-20 02:55 77542 ----a-r- c:\users\User\AppData\Roaming\Microsoft\Installer\{095EEF8C-F689-6A5A-0367-15DE9404F5EB}\ARPPRODUCTICON.exe
2010-04-20 02:51 . 2010-04-20 02:51 -------- d-----w- c:\programdata\ATI
2010-04-19 23:22 . 2010-04-19 23:22 -------- d-----w- c:\users\Antoine\AppData\Roaming\Reg.C9ECCBDBA4E09304DEEFB106465BC17F6D6749B9.1
2010-04-19 23:22 . 2010-04-19 23:22 -------- d-----w- c:\users\Antoine\AppData\Roaming\app
2010-04-19 23:22 . 2010-04-23 13:57 -------- d-----w- c:\users\Antoine\AppData\Roaming\Dofus 2.0
2010-04-19 23:22 . 2010-04-19 23:22 -------- d-----w- c:\users\Antoine\AppData\Roaming\Dofus.C9ECCBDBA4E09304DEEFB106465BC17F6D6749B9.1
2010-04-19 23:22 . 2009-12-02 13:58 38208 ----a-w- c:\users\Antoine\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-04-19 23:13 . 2010-04-19 23:14 -------- d-----w- c:\users\User\AppData\Roaming\Dofus 2.0
2010-04-19 23:13 . 2010-04-19 23:13 -------- d-----w- c:\users\User\AppData\Roaming\Dofus-2.C9ECCBDBA4E09304DEEFB106465BC17F6D6749B9.1
2010-04-19 23:11 . 2010-04-19 23:11 -------- d-----w- c:\program files\Dofus 2.0
2010-04-18 22:42 . 2010-04-18 22:42 86576 ----a-w- c:\users\Antoine\AppData\Roaming\Microsoft\Services Windows Live\Raccourci Galerie de Photos Windows Live.exe
2010-04-18 22:42 . 2010-04-18 22:42 392728 ----a-w- c:\users\Antoine\AppData\Roaming\Microsoft\Services Windows Live\Services Windows Live.dll
2010-04-18 22:42 . 2010-04-18 22:42 135680 ----a-w- c:\users\Antoine\AppData\Roaming\Microsoft\Notification de cadeaux MSN\lsnfier.exe
2010-04-18 22:42 . 2010-04-18 22:42 132672 ----a-w- c:\users\Antoine\AppData\Roaming\Microsoft\Services Windows Live\Raccourci Windows Live Messenger.exe
2010-04-17 00:26 . 2010-04-17 00:27 -------- d-----w- c:\users\User\AppData\Local\Google
2010-04-17 00:26 . 2010-04-17 00:27 -------- d-----w- c:\program files\Google
2010-04-14 21:03 . 2010-03-05 14:01 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-04-14 21:03 . 2010-02-23 11:10 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-14 21:03 . 2010-02-23 11:10 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-14 21:03 . 2010-02-23 11:10 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-14 21:03 . 2010-02-18 14:07 3600776 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-14 21:03 . 2010-02-18 14:07 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-14 21:03 . 2010-02-18 14:07 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-14 21:03 . 2010-02-18 13:30 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-04-14 21:03 . 2010-02-18 11:28 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-04-14 09:00 . 2009-12-23 11:33 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-14 09:00 . 2010-01-13 17:34 98304 ----a-w- c:\windows\system32\cabview.dll
2010-04-14 01:00 . 2010-02-12 10:32 293376 ----a-w- c:\windows\system32\browserchoice.exe


.
(((((((((((((((((((((((((((((((((( Find3M report ))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-08 21:48 . 2009-04-11 16:24 672056 ----a-w- c:\windows\system32\perfh00C.dat
2010-05-08 21:48 . 2009-04-11 16:24 124228 ----a-w- c:\windows\system32\perfc00C.dat
2010-05-08 21:25 . 2009-11-12 13:34 -------- d-----w- c:\program files\Steam
2010-05-08 20:10 . 2009-11-12 13:34 -------- d-----w- c:\program files\Common Files\Steam
2010-05-04 16:51 . 2010-05-04 16:51 -------- d-----w- c:\users\User\AppData\Roaming\FreeAudioPack
2010-05-04 16:51 . 2010-05-04 16:51 -------- d-----w- c:\program files\Free Audio Pack
2010-05-01 06:16 . 2009-08-20 01:49 -------- d-----w- c:\program files\Common Files\Apple
2010-04-30 19:00 . 2009-12-27 17:55 116608 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2010-04-23 20:19 . 2009-10-20 20:28 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-23 19:59 . 2009-08-19 15:31 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-22 12:17 . 2009-08-22 04:35 -------- d-----w- c:\users\Antoine\AppData\Roaming\Apple Computer
2010-04-20 02:55 . 2009-08-19 16:25 -------- d-----w- c:\program files\ATI Technologies
2010-04-20 02:53 . 2009-08-19 16:25 -------- d-----w- c:\program files\ATI
2010-04-20 02:38 . 2009-08-20 00:07 -------- d-----w- c:\programdata\ma-config.com
2010-04-20 02:38 . 2009-08-20 00:07 -------- d-----w- c:\program files\ma-config.com
2010-04-14 21:06 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-04-08 11:20 . 2010-04-08 11:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 11:20 . 2010-04-08 11:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-04-06 20:38 . 2009-08-30 02:42 -------- d-----w- c:\programdata\Logitech
2010-04-05 20:31 . 2010-04-05 20:31 47328 ----a-r- c:\users\User\AppData\Roaming\Microsoft\Installer\{D416E000-D999-470A-BCAC-98E717CC1AFC}\ARPPRODUCTICON.exe
2010-04-05 20:31 . 2010-04-05 20:31 334048 ----a-r- c:\users\User\AppData\Roaming\Microsoft\Installer\{D416E000-D999-470A-BCAC-98E717CC1AFC}\NewShortcut2_439CCEF89767436AB00754ACFDCFF417.exe
2010-04-05 20:31 . 2010-04-05 20:31 -------- d-----w- c:\program files\VirginMega
2010-04-05 20:31 . 2010-02-11 19:50 -------- d-----w- c:\programdata\Downloaded Installations
2010-03-31 02:27 . 2010-03-31 02:26 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-03-31 02:25 . 2010-03-31 02:25 -------- d-----w- c:\program files\QuickTime
2010-03-31 02:24 . 2010-03-31 02:24 -------- d-----w- c:\program files\Apple Software Update
2010-03-30 23:22 . 2010-03-30 23:15 -------- d-----w- c:\program files\Tracker Software
2010-03-23 14:08 . 2009-08-20 02:57 -------- d-----w- c:\program files\Safari
2010-03-23 14:08 . 2010-03-23 14:08 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe
2010-03-10 17:04 . 2010-03-10 17:04 1688360 ----a-w- c:\users\Public\SkypeSetup.exe
2010-03-03 04:22 . 2010-04-20 02:45 5340160 ----a-w- c:\windows\system32\drivers\atipmdag.sys
2010-03-03 04:22 . 2010-04-20 02:45 5340160 ----a-w- c:\windows\system32\drivers\atikmdag.sys
2010-03-03 04:16 . 2010-04-20 02:45 143360 ----a-w- c:\windows\system32\atiapfxx.exe
2010-03-03 04:16 . 2010-04-20 02:45 446464 ----a-w- c:\windows\system32\aticfx32.dll
2010-03-03 04:13 . 2010-04-20 02:45 446464 ----a-w- c:\windows\system32\ATIDEMGX.dll
2010-03-03 04:12 . 2010-04-20 02:45 372736 ----a-w- c:\windows\system32\atieclxx.exe
2010-03-03 04:11 . 2010-04-20 02:45 172032 ----a-w- c:\windows\system32\atiesrxx.exe
2010-03-03 04:10 . 2010-04-20 02:45 159744 ----a-w- c:\windows\system32\atitmmxx.dll
2010-03-03 04:10 . 2010-04-20 02:45 356352 ----a-w- c:\windows\system32\atipdlxx.dll
2010-03-03 04:09 . 2010-04-20 02:45 274432 ----a-w- c:\windows\system32\Oemdspif.dll
2010-03-03 04:09 . 2010-04-20 02:45 11776 ----a-w- c:\windows\system32\atimuixx.dll
2010-03-03 04:09 . 2010-04-20 02:45 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2010-03-03 04:06 . 2010-04-20 02:45 3131392 ----a-w- c:\windows\system32\atidxx32.dll
2010-03-03 03:46 . 2010-04-20 02:45 3703808 ----a-w- c:\windows\system32\atiumdag.dll
2010-03-03 03:45 . 2010-04-20 02:45 14226944 ----a-w- c:\windows\system32\atioglxx.dll
2010-03-03 03:24 . 2010-04-20 02:45 2993152 ----a-w- c:\windows\system32\atiumdva.dll
2010-03-03 03:23 . 2010-04-20 02:45 50176 ----a-w- c:\windows\system32\coinst.dll
2010-03-03 03:20 . 2010-04-20 02:45 53248 ----a-w- c:\windows\system32\aticalrt.dll
2010-03-03 03:20 . 2010-04-20 02:45 53248 ----a-w- c:\windows\system32\aticalcl.dll
2010-03-03 03:18 . 2010-04-20 02:45 3657728 ----a-w- c:\windows\system32\aticaldd.dll
2010-03-03 03:08 . 2010-04-20 02:45 52224 ----a-w- c:\windows\system32\atimpc32.dll
2010-03-03 03:08 . 2010-04-20 02:45 52224 ----a-w- c:\windows\system32\amdpcom32.dll
2010-03-03 03:08 . 2010-04-20 02:45 237568 ----a-w- c:\windows\system32\atiadlxx.dll
2010-03-03 03:07 . 2010-04-20 02:45 12800 ----a-w- c:\windows\system32\atiglpxx.dll
2010-03-03 03:07 . 2010-04-20 02:45 15360 ----a-w- c:\windows\system32\atigktxx.dll
2010-03-03 03:07 . 2010-04-20 02:45 152064 ----a-w- c:\windows\system32\drivers\atikmpag.sys
2010-03-03 03:06 . 2010-04-20 02:45 27648 ----a-w- c:\windows\system32\atiuxpag.dll
2010-03-03 03:06 . 2010-04-20 02:45 20480 ----a-w- c:\windows\system32\atiu9pag.dll
2010-03-03 03:06 . 2010-04-20 02:45 23040 ----a-w- c:\windows\system32\atitmpxx.dll
2010-03-03 03:05 . 2010-04-20 02:45 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2010-02-25 19:55 . 2010-04-20 02:45 201875 ----a-w- c:\windows\system32\atiicdxx.dat
2010-02-24 22:08 . 2009-08-22 03:45 116608 ----a-w- c:\users\Antoine\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-24 08:16 . 2009-10-02 23:48 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-24 03:29 . 2009-08-19 15:03 116608 ----a-w- c:\users\User\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-23 16:15 . 2010-04-20 02:45 1105 ----a-w- c:\windows\system32\atipblag.dat
2010-02-23 06:39 . 2010-03-30 20:33 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33 . 2010-03-30 20:33 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 06:33 . 2010-03-30 20:33 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 04:55 . 2010-03-30 20:33 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-20 23:06 . 2010-03-10 21:13 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:05 . 2010-03-10 21:13 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 20:53 . 2010-03-10 21:13 411648 ----a-w- c:\windows\system32\drivers\http.sys

.

------- Sigcheck -------

[-] 2009-04-11 . A43FF743C9DBAC2264C0D750DA02DEE1 . 3956224 . . [6.0.6000.16386] . . c:\windows\explorer.exe

[-] 2009-08-24 . 690D53BD10A804BB6D0A772D1C0E6907 . 247296 . . [6.0.6000.16386] . . c:\windows\System32\shsvcs.dll
.
((((((((((((((((((((((((((((((((( Reg loading points ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate default entries are not listed

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"Steam"="c:\program files\steam\steam.exe" [2010-05-07 1238352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"WPCUMI"="c:\windows\system32\WpcUmi.exe" [2006-11-02 176128]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-06-10 2221352]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-12-25 8129056]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-04-13 47392]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-03-02 98304]
"iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GBTUpd"="c:\program files\GIGABYTE\GBTUpd\PreRun.exe" [2008-04-03 297480]

c:\users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Aero_Shake_1.3.exe - Raccourci.lnk.disabled [2009-8-24 850]
Logitech Touch Mouse Server.lnk.disabled [2010-1-16 1034]
Windows 7 0.4.exe - Raccourci.lnk.disabled [2009-8-24 656]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-8-30 813584]
TruDirectTray.lnk - c:\program files\TruDirect\TruDirectTray.exe [2008-2-18 421888]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyTuneVI]
2007-07-26 13:05 20480 ----a-w- c:\program files\GIGABYTE\ET6\ETcall.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-02-17 05:15 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-02-17 05:15 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-04-28 13:06 142120 ----a-w- d:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
2009-06-17 16:55 55824 ----a-w- c:\windows\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-17 19:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2010-03-02 20:23 98304 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-08-21 00:04 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):62,22,80,d4,a9,ba,c9,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1235014201-2838751705-2400226032-1000]
"EnableNotificationsRef"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1235014201-2838751705-2400226032-1001]
"EnableNotificationsRef"=dword:00000002

R1 SysTool;SysTool Overclocking Utility;c:\windows\system32\DRIVERS\SysTool.sys [2006-11-10 24064]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-04-17 136176]
R3 3xHybrid;Pinnacle PCTV 100i-110i-300i-310i-MCE;c:\windows\system32\DRIVERS\3xHybrid.sys [2006-11-22 1121536]
R3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2009-04-22 9728]
R3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2009-04-22 3072]
R3 maconfservice;Ma-Config Service;c:\program files\ma-config.com\maconfservice.exe [2010-04-03 243056]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-03-03 172032]
S2 AntiVirSchedulerService;Avira AntiVir Planificateur;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-08-19 108289]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atipmdag.sys [2010-03-03 5340160]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2010-03-03 152064]
S3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\Drivers\LEqdUsb.Sys [2009-06-17 40720]
S3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\system32\Drivers\LHidEqd.Sys [2009-06-17 10384]
S3 Ph3xIB32;Philips 713x Inbox PCI TV Card;c:\windows\system32\DRIVERS\Ph3xIB32.sys [2007-04-03 1131136]
S3 SIS163u;SiS163 USB Wireless LAN Adapter Driver;c:\windows\system32\DRIVERS\sis163u.sys [2009-08-19 218624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-03-17 12:14 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.

Contenu du dossier 'Tâches planifiées'

 

2010-05-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-17 00:27]

 

2010-05-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-17 00:27]

 

2010-05-08 c:\windows\Tasks\User_Feed_Synchronization-{89D9A1F0-E9B9-45AC-9323-F48F7B905538}.job

- c:\windows\system32\msfeedssync.exe [2010-03-30 04:54]

 

2010-05-08 c:\windows\Tasks\User_Feed_Synchronization-{DF8F623A-220A-4AA8-B290-097C64F04650}.job

- c:\windows\system32\msfeedssync.exe [2010-03-30 04:54]

.

.

------- Examen supplémentaire -------

.

uInternet Settings,ProxyOverride = <local>

uInternet Settings,ProxyServer = http=127.0.0.1:5555

IE: E&xporter vers Microsoft Excel - c:\progra~1\Microsoft Office\OFFICE11\EXCEL.EXE/3000

LSP: c:\windows\system32\wpclsp.dll

FF - ProfilePath - c:\users\User\AppData\Roaming\Mozilla\Firefox\Profiles\nmuixs17.default\

FF - component: c:\users\User\AppData\Roaming\Mozilla\Firefox\Profiles\nmuixs17.default\extensions\cfxHelper@Triton\components\dwmxpcom.dll

FF - component: c:\users\User\AppData\Roaming\Mozilla\Firefox\Profiles\nmuixs17.default\extensions\piclens@cooliris.com\components\coolirisstub.dll

FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\ma-config.com\nphardwaredetection.dll

FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll

FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll

FF - plugin: c:\users\User\AppData\Roaming\Mozilla\Firefox\Profiles\nmuixs17.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll

FF - plugin: d:\program files\iTunes\Mozilla Plugins\npitunes.dll

FF - plugin: d:\program files\Sony Setup\Media Go\npmediago.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

- - - - ORPHELINS SUPPRIMES - - - -

 

MSConfigStartUp-AppleSyncNotifier - c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

AddRemove-Dofus 1.28.0 - c:\users\Antoine\Desktop\Dofus\uninstall.exe

 

 

 

**************************************************************************

Recherche de processus cachés ...

 

Recherche d'éléments en démarrage automatique cachés ...

 

Recherche de fichiers cachés ...

 

Scan terminé avec succès

Fichiers cachés:

 

**************************************************************************

.

--------------------- CLES DE REGISTRE BLOQUEES ---------------------

 

[HKEY_USERS\S-1-5-21-1235014201-2838751705-2400226032-1000\Software\SecuROM\License information*]

"datasecu"=hex:d8,f0,ef,9e,d5,fd,1c,c0,7d,2b,3d,c5,08,18,e8,c7,a6,4d,6f,81,4b,

5f,2a,07,53,59,52,d9,ba,b5,73,dc,e3,15,7f,22,91,ce,bb,62,f0,a9,82,b2,ef,39,\

"rkeysecu"=hex:51,97,b0,97,83,4d,f4,dd,b5,e8,cb,9d,e4,46,2f,36

.

Heure de fin: 2010-05-08 23:54:13

ComboFix-quarantined-files.txt 2010-05-08 21:54

 

Avant-CF: 41 108 279 296 octets libres

Après-CF: 67 022 299 136 octets libres

 

- - End Of File - - 91FDFB90AB5A1F905857C3922EA2260D

Posted

Here is the GMER report:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-09 20:09:08
Windows 6.0.6002 Service Pack 2
Running: b2yhw3th.exe; Driver: C:\Users\User\AppData\Local\Temp\ugliypow.sys


---- System - GMER 1.0.15 ----

SSDT 8F6D206C ZwCreateThread
SSDT 8F6D2058 ZwOpenProcess
SSDT 8F6D205D ZwOpenThread
SSDT 8F6D2067 ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 221 826CB984 4 Bytes [6C, 20, 6D, 8F] {INSB ; AND [EBP-0x71], CH}
.text ntkrnlpa.exe!KeSetEvent + 3F1 826CBB54 4 Bytes [58, 20, 6D, 8F] {POP EAX; AND [EBP-0x71], CH}
.text ntkrnlpa.exe!KeSetEvent + 40D 826CBB70 4 Bytes [5D, 20, 6D, 8F] {POP EBP; AND [EBP-0x71], CH}
.text ntkrnlpa.exe!KeSetEvent + 621 826CBD84 4 Bytes [67, 20, 6D, 8F] {AND [DI-0x71], CH}
.text C:\Windows\system32\DRIVERS\atipmdag.sys section is writeable [0x90802000, 0x2ECEB2, 0xE8000020]
PAGE spsys.sys!?SPVersion@@3PADA + 1ABF 9E25903F 110 Bytes [8B, FF, 55, 8B, EC, 8B, 45, ...]
PAGE spsys.sys!?SPVersion@@3PADA + 1B2F 9E2590AF 1 Byte [16]
PAGE spsys.sys!?SPVersion@@3PADA + 1B2F 9E2590AF 128 Bytes [16, 3B, C8, 75, E2, B0, 01, ...]
PAGE spsys.sys!?SPVersion@@3PADA + 1BB0 9E259130 6 Bytes [0E, 83, 78, 14, 01, 75]
PAGE spsys.sys!?SPVersion@@3PADA + 1BB7 9E259137 2298 Bytes [83, 78, 18, 37, 75, 02, B3, ...]
PAGE ...

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0x2E 0xE8 0xE1 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x6A 0x9C 0xD6 0x61 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0x25 0xDA 0xEC 0x7E ...
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x86 0x8C 0x21 0x01 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xF5 0x1D 0x4D 0x73 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xDF 0x20 0x58 0x62 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0xFB 0xA7 0x78 0xE6 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x83 0x6C 0x56 0x8B ...
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0xF6 0x0F 0x4E 0x58 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0x3D 0xCE 0xEA 0x26 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0x2A 0xB7 0xCC 0xB5 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0xFA 0xEA 0x66 0x7F ...

---- EOF - GMER 1.0.15 ----
