Infection Trojan Horse Crypt. YCS

maxr397 · le 3 août 2010

Bonjour,

je me permets de poster car aujourd'hui AVG a détecté un "Trojan Horse Crypt. YCS" qu'il a alors placé en quarantaine. Le soucis est qu'ensuite j'ai eu plusieurs choses curieuses telles que le changement de mes préférences de windows update, le changement de thème ainsi que l'explorer qui a freezé plusieurs fois. J'ai exécuté une analyse avg en mode sans échec mais je n'ai rien trouvé de plus...

Voici ci-dessous le rapport HijackThis

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 17:49:56, on 03.08.2010

Platform: Unknown Windows (WinNT 6.01.3504)

MSIE: Internet Explorer v8.00 (8.00.7600.16385)

Boot mode: Normal

Running processes:

C:\Windows\system32\taskhost.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\AVG\AVG9\avgtray.exe

C:\Windows\Dell\PanelMgr\SSMMgr.exe

C:\Windows\twain_32\Dell\Dell2335\Scan2Pc.exe

C:\Program Files\Mozilla Thunderbird\thunderbird.exe

C:\Program Files\PuTTY\pageant.exe

C:\Program Files\TortoiseSVN\bin\TSVNCache.exe

C:\Program Files\AVG\AVG9\avgui.exe

C:\Program Files\HijackThis\HijackThis.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\taskmgr.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896'>http://go.microsoft.com/fwlink/?LinkId=54896'>http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157'>http://go.microsoft.com/fwlink/?LinkId=69157'>http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe

O4 - HKLM\..\Run: [Dell PanelMgr] C:\Windows\Dell\PanelMgr\SSMMgr.exe /autorun

O4 - HKLM\..\Run: [2335dn Scan2PC] "C:\Windows\twain_32\Dell\Dell2335\Scan2Pc.exe"

O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')

O4 - Startup: Mozilla Thunderbird.lnk = C:\Program Files\Mozilla Thunderbird\thunderbird.exe

O4 - Startup: Shortcut to pageant.exe.lnk = C:\Program Files\PuTTY\pageant.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: Edit with &XML Spy - C:\Program Files\XML Spy Suite\spy.htm

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL

O9 - Extra button: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\XML Spy Suite\spy.htm (HKCU)

O9 - Extra 'Tools' menuitem: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\XML Spy Suite\spy.htm (HKCU)

O13 - Gopher Prefix:

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = **

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = **

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = **

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll

O20 - AppInit_DLLs: avgrsstx.dll

O23 - Service: AMD External Events Utility - AMD - C:\Windows\system32\atiesrxx.exe

O23 - Service: AVG E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe

O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe

O23 - Service: Ma-Config Service (maconfservice) - CybelSoft - C:\Program Files\ma-config.com\maconfservice.exe

O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe

--

End of file - 4531 bytes

Merci d'avance pour votre réponse.

Modifié le 5 août 2010 par maxr397

Apollo · le 3 août 2010

Bonjour,

STP, poste tes rapports sans balises code ou quote. Colle-les tels que copiés dans le fichier texte.

Télécharge random's system information tool (RSIT) par random/random et sauvegarde-le sur le Bureau.

Double-clique sur RSIT.exe afin de lancer RSIT.

Important :
* Sous Vista : il faut lancer le fichier par clic-droit -> Exécuter en tant qu'administrateur

* Sous Windows 7 : Il faut mettre le fichier RSIT.exe sur le bureau, faire un clic droit dessus et dans Propriétés, onglet Compatibilité, cocher la case "Exécuter ce programme en mode compatibilité pour" et dans le menu choisir Vista SP2 et la case dans Niveau de privilège.
Valide par Appliquer.
Clique Continue à l'écran Disclaimer.
Si l'outil HIjackThis (version à jour) n'est pas présent ou non détecté sur l'ordinateur, RSIT le téléchargera et tu devras accepter la licence.
Lorsque l'analyse sera terminée, deux fichiers texte s'ouvriront. Poste le contenu de log.txt (<<qui sera affiché)
ainsi que de info.txt (<<qui sera réduit dans la Barre des Tâches).

@++

maxr397 · le 3 août 2010

tout d'abord merci de ta réponse.

voici le fichier info.txt

info.txt logfile of random's system information tool 1.08 2010-08-03 18:47:32

======Uninstall list======

-->"C:\Program Files\InstallShield Installation Information\{91029ED4-04B8-40EF-A70F-30C9AA538358}\Setup.exe" -runfromtemp -l0x0009 -removeonly

µTorrent-->"C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL

2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0016-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419}

2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}

2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0018-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419}

2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}

2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001B-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419}

2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}

2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173}

2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {430971B1-C31E-45DA-81E0-72C095BAB72C}

2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {F7A31780-33C4-4E39-951A-5EC9B91D7BF1}

2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}

2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}

7-Zip 4.65-->"C:\Program Files\7-Zip\Uninstall.exe"

Add-in ODF pour Microsoft Word-->MsiExec.exe /I{E6738F45-D704-4D83-9E51-24695E717D09}

Adobe Flash Player 10 ActiveX-->C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe

Adobe Flash Player 10 Plugin-->C:\Windows\system32\Macromed\Flash\FlashUtil10h_Plugin.exe -maintain plugin

Adobe Reader 9.3.3-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A93000000001}

Adobe Shockwave Player 11.5-->"C:\Windows\system32\Adobe\Shockwave 11\uninstaller.exe"

Advertising Center-->MsiExec.exe /X{B2EC4A38-B545-4A00-8214-13FE0E915E6D}

Apple Application Support-->MsiExec.exe /I{A93944F2-D2D4-4750-BFE7-9A288FEAF2CF}

Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}

AVG 9.0-->C:\Program Files\AVG\AVG9\setup.exe /UNINSTALL

AvgAdmin 9.0-->C:\Program Files\AVG\AVG9 Admin\Common\setup.exe /UNINSTALL

CASE Studio 2 ver.-->"C:\Program Files\RKSoft\CASEStudio2\Uninstall_CS2_GBI\unins000.exe"

Complément Microsoft Enregistrer en tant que PDF ou XPS pour programmes Microsoft Office 2007-->MsiExec.exe /X{90120000-00B2-040C-0000-0000000FF1CE}

Corel PaintShop Photo Pro X3-->c:\Program Files\Corel\Corel PaintShop Photo Pro\X3\Setup\{DEAEB5DB-04FA-489D-94EF-8600898B93EE}\SetupARP.exe /arp

Corel PaintShop Photo Pro X3-->MsiExec.exe /I{DE4BF4BE-3CDC-43B5-BBDA-DDDA73103111}

Dell 2335 Fax-->C:\Program Files\InstallShield Installation Information\{E3CAE4F2-97CE-4985-8732-2206EF495147}\Setup.exe -runfromtemp -l0x0009 -removeonly -removeonly

Dell 2335dn MFP Software Uninstall-->C:\Program Files\DELL\Dell 2335dn MFP\Install\setup.exe /Uninstall

HijackThis 2.0.2-->"C:\Program Files\HijackThis\HijackThis.exe" /uninstall

ICA-->MsiExec.exe /I{DEAEB5DB-04FA-489D-94EF-8600898B93EE}

IETester v0.4.2 (remove only)-->"C:\Program Files\IETester\uninstall.exe"

IPM_PSP_CL-->MsiExec.exe /I{DE99075E-7D25-4B96-B32E-BFE6FBFAA644}

IPM_PSP_COM-->MsiExec.exe /I{DEF8C145-CC4F-4DAA-AD5C-E707C07AEE50}

Java 2 Runtime Environment, SE v1.4.2_06-->MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142060}

Java 2 SDK, SE v1.4.2_06-->MsiExec.exe /I{35A3A4F4-B792-11D6-A78A-00B0D0142060}

Java 6 Update 20-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216020FF}

Java SE Development Kit 6 Update 20-->MsiExec.exe /I{32A3A4F4-B792-11D6-A78A-00B0D0160200}

Ma-Config.com-->MsiExec.exe /X{14E3D14B-7852-477D-ACE2-895AF4322804}

Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"

Microsoft .NET Framework 4 Client Profile-->C:\Windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\Setup.exe /repair /x86 /parameterfolder Client

Microsoft .NET Framework 4 Client Profile-->MsiExec.exe /X{3C3901C5-3455-3E0A-A214-0B093A5070A6}

Microsoft Office Excel 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall EXCEL /dll OSETUP.DLL

Microsoft Office Excel 2007-->MsiExec.exe /X{90120000-0016-0000-0000-0000000FF1CE}

Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}

Microsoft Office PowerPoint 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall POWERPOINT /dll OSETUP.DLL

Microsoft Office PowerPoint 2007-->MsiExec.exe /X{90120000-0018-0000-0000-0000000FF1CE}

Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}

Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}

Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}

Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}

Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}

Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}

Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}

Microsoft Office Visio MUI (English) 2007-->MsiExec.exe /X{90120000-0054-0409-0000-0000000FF1CE}

Microsoft Office Visio Professional 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall VISPRO /dll OSETUP.DLL

Microsoft Office Visio Professional 2007-->MsiExec.exe /X{90120000-0051-0000-0000-0000000FF1CE}

Microsoft Office Word 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall WORD /dll OSETUP.DLL

Microsoft Office Word 2007-->MsiExec.exe /X{90120000-001B-0000-0000-0000000FF1CE}

Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}

Microsoft Silverlight-->MsiExec.exe /X{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}

Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}

Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{837b34e3-7c30-493c-8f6a-2b0f04e2912c}

Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17-->MsiExec.exe /X{9A25302D-30C0-39D9-BD6F-21E6EC160475}

MozBackup 1.4.10-->C:\Program Files\MozBackup\Uninstall.exe

Mozilla Firefox (3.6.-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe

Mozilla Sunbird (0.9)-->C:\Program Files\Mozilla Sunbird\uninstall\uninst.exe

Mozilla Thunderbird (3.0.6)-->C:\Program Files\Mozilla Thunderbird\uninstall\helper.exe

MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}

MSXML 4.0 SP2 (KB973688)-->MsiExec.exe /I{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}

Nero 9 Lite-->C:\Program Files\Common Files\Nero\Nero ProductInstaller 4\SetupX.exe REMOVESERIALNUMBER="XM2C-50A9-HH4M-0ZM8-4X06-9P25-5A46-618P-AH19-6647"

Nero ControlCenter-->MsiExec.exe /X{BD5CA0DA-71AD-43DA-B19E-6EEE0C9ADC9A}

Nero Installer-->MsiExec.exe /X{E8A80433-302B-4FF1-815D-FCC8EAC482FF}

Nero Online Upgrade-->MsiExec.exe /X{C81A2FE0-3574-00A9-CED4-BDAA334CBE8E}

Nero StartSmart-->MsiExec.exe /X{7748AC8C-18E3-43BB-959B-088FAEA16FB2}

neroxml-->MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}

Notepad++-->C:\Program Files\Notepad++\uninstall.exe

Opera 10.60-->MsiExec.exe /X{1D2C96C3-A3F3-49E7-B839-95279DED837F}

PSPPContent-->MsiExec.exe /I{DE8B9311-ADE7-4EDE-B121-326CAA3D225D}

PSPPRO_DCRAW-->MsiExec.exe /I{DEF1928A-FC01-48E7-A7E6-4651D42EF6A1}

PuTTY version 0.57-->"C:\Program Files\PuTTY\unins000.exe"

QuickTime-->MsiExec.exe /I{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}

Realtek Ethernet Controller Driver For Windows Vista and Later-->C:\Program Files\InstallShield Installation Information\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}\Setup.exe -runfromtemp -removeonly

Realtek High Definition Audio Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -removeonly

Rep-Listing-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{887EF08A-011E-477C-B6CB-01E540538ADB}\setup.exe" -l0x40c -removeonly

Safari-->MsiExec.exe /I{EAFEF30E-3789-49C7-A6D9-77C12E005BAC}

Setup-->MsiExec.exe /I{DE612A3D-0DCC-4055-BB6A-0036F31158A0}

SPSS Statistics 17.0-->MsiExec.exe /X{46B65150-F8AA-42F2-94FB-2729A8AE5F7E}

TortoiseSVN 1.6.9.19725 (32 bit)-->MsiExec.exe /X{4B6A3B5E-D26E-4690-A061-F3E2FB10F0E5}

UltraCompare v7.00-->MsiExec.exe /I{DA7ADA42-C7F3-436D-ADAE-B0CE1E4A5C22}

UltraEdit-32 Uninstall-->C:\PROGRA~1\ULTRAE~1\UEDIT32.EXE /UNINSTALL

UltraVNC 1.0.8.2-->"C:\Program Files\UltraVNC\unins000.exe"

VLC media player 1.1.1-->C:\Program Files\VideoLAN\VLC\uninstall.exe

XML Spy Suite 4.4-->MsiExec.exe /I{4059B475-06E5-4E5C-8549-B7857AB33668}

Zattoo4 4.0.5-->C:\Program Files\Zattoo4\uninst.exe

======System event log======

Computer Name: Marsalis.****

Event Code: 1014

Message: Name resolution for the name **** timed out after none of the configured DNS servers responded.

Record Number: 860

Source Name: Microsoft-Windows-DNS-Client

Time Written: 20100422093113.657210-000

Event Type: Warning

User: NT AUTHORITY\NETWORK SERVICE

Computer Name: Marsalis.****

Event Code: 1014

Message: Name resolution for the name **** timed out after none of the configured DNS servers responded.

Record Number: 858

Source Name: Microsoft-Windows-DNS-Client

Time Written: 20100422092843.616147-000

Event Type: Warning

User: NT AUTHORITY\NETWORK SERVICE

Computer Name: Marsalis.****

Event Code: 1014

Message: Name resolution for the name **** timed out after none of the configured DNS servers responded.

Record Number: 857

Source Name: Microsoft-Windows-DNS-Client

Time Written: 20100422092613.575083-000

Event Type: Warning

User: NT AUTHORITY\NETWORK SERVICE

Computer Name: Marsalis.****

Event Code: 1014

Message: Name resolution for the name **** timed out after none of the configured DNS servers responded.

Record Number: 849

Source Name: Microsoft-Windows-DNS-Client

Time Written: 20100422092351.375633-000

Event Type: Warning

User: NT AUTHORITY\NETWORK SERVICE

Computer Name: marsalis

Event Code: 41

Message: The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.

Record Number: 334

Source Name: Microsoft-Windows-Kernel-Power

Time Written: 20100422074737.022409-000

Event Type: Critical

User: NT AUTHORITY\SYSTEM

=====Application event log=====

Computer Name: marsalis

Event Code: 1530

Message: Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

DETAIL -

5 user registry handles leaked from \Registry\User\S-1-5-21-3678589622-2439322646-1881941484-1001:

Process 500 (\Device\HarddiskVolume1\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3678589622-2439322646-1881941484-1001

Process 500 (\Device\HarddiskVolume1\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3678589622-2439322646-1881941484-1001\Software\Microsoft\SystemCertificates\My

Process 500 (\Device\HarddiskVolume1\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3678589622-2439322646-1881941484-1001\Software\Microsoft\SystemCertificates\CA

Process 500 (\Device\HarddiskVolume1\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3678589622-2439322646-1881941484-1001\Software\Microsoft\SystemCertificates\Disallowed

Record Number: 459

Source Name: Microsoft-Windows-User Profiles Service

Time Written: 20100426103216.724574-000

Event Type: Warning

User: NT AUTHORITY\SYSTEM

Computer Name: ugarte

Event Code: 11

Message: Possible Memory Leak. Application (C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted) (PID: 764) has passed a non-NULL pointer to RPC for an [out] parameter marked [allocate(all_nodes)]. [allocate(all_nodes)] parameters are always reallocated; if the original pointer contained the address of valid memory, that memory will be leaked. The call originated on the interface with UUID ({3F31C91E-2545-4B7B-9311-9529E8BFFEF6}), Method number (10). User Action: Contact your application vendor for an updated version of the application.

Record Number: 399

Source Name: Microsoft-Windows-RPC-Events

Time Written: 20100426085448.261988-000

Event Type: Warning

User: NT AUTHORITY\LOCAL SERVICE

Computer Name: ugarte

Event Code: 1530

Message: Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

DETAIL -

1 user registry handles leaked from \Registry\User\S-1-5-21-3678589622-2439322646-1881941484-1001:

Process 3628 (\Device\HarddiskVolume1\Windows\System32\winlogon.exe) has opened key \REGISTRY\USER\S-1-5-21-3678589622-2439322646-1881941484-1001

Record Number: 377

Source Name: Microsoft-Windows-User Profiles Service

Time Written: 20100423084538.995210-000

Event Type: Warning

User: NT AUTHORITY\SYSTEM

Computer Name: marsalis

Event Code: 1530

Message: Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

DETAIL -

1 user registry handles leaked from \Registry\User\S-1-5-21-3678589622-2439322646-1881941484-1000:

Process 720 (\Device\HarddiskVolume1\Windows\System32\winlogon.exe) has opened key \REGISTRY\USER\S-1-5-21-3678589622-2439322646-1881941484-1000

Record Number: 198

Source Name: Microsoft-Windows-User Profiles Service

Time Written: 20100422075829.879147-000

Event Type: Warning

User: NT AUTHORITY\SYSTEM

Computer Name: marsalis

Event Code: 1008

Message: The Windows Search Service is starting up and attempting to remove the old search index {Reason: Full Index Reset}.

Record Number: 115

Source Name: Microsoft-Windows-Search

Time Written: 20100422083939.000000-000

Event Type: Warning

User:

=====Security event log=====

Computer Name: 37L4247D28-05

Event Code: 4735

Message: A security-enabled local group was changed.

Subject:

Security ID: S-1-5-18

Account Name: 37L4247D28-05$

Account Domain: WORKGROUP

Logon ID: 0x3e7

Group:

Security ID: S-1-5-32-551

Group Name: Backup Operators

Group Domain: Builtin

Changed Attributes:

SAM Account Name: -

SID History: -

Additional Information:

Privileges: -

Record Number: 5

Source Name: Microsoft-Windows-Security-Auditing

Time Written: 20100421162805.761239-000

Event Type: Audit Success

User:

Computer Name: 37L4247D28-05

Event Code: 4731

Message: A security-enabled local group was created.

Subject:

Security ID: S-1-5-18

Account Name: 37L4247D28-05$

Account Domain: WORKGROUP

Logon ID: 0x3e7

New Group:

Security ID: S-1-5-32-551

Group Name: Backup Operators

Group Domain: Builtin

Attributes:

SAM Account Name: Backup Operators

SID History: -

Additional Information:

Privileges: -

Record Number: 4

Source Name: Microsoft-Windows-Security-Auditing

Time Written: 20100421162805.761239-000

Event Type: Audit Success

User:

Computer Name: 37L4247D28-05

Event Code: 4902

Message: The Per-user audit policy table was created.

Number of Elements: 0

Policy ID: 0x23300

Record Number: 3

Source Name: Microsoft-Windows-Security-Auditing

Time Written: 20100421162805.745639-000

Event Type: Audit Success

User:

Computer Name: 37L4247D28-05

Event Code: 4624

Message: An account was successfully logged on.

Subject:

Security ID: S-1-0-0

Account Name: -

Account Domain: -

Logon ID: 0x0

Logon Type: 0

New Logon:

Security ID: S-1-5-18

Account Name: SYSTEM

Account Domain: NT AUTHORITY

Logon ID: 0x3e7

Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:

Process ID: 0x4

Process Name:

Network Information:

Workstation Name: -

Source Network Address: -

Source Port: -

Detailed Authentication Information:

Logon Process: -

Authentication Package: -

Transited Services: -

Package Name (NTLM only): -

Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.

- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.

- Transited services indicate which intermediate services have participated in this logon request.

- Package name indicates which sub-protocol was used among the NTLM protocols.

- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

Record Number: 2

Source Name: Microsoft-Windows-Security-Auditing

Time Written: 20100421162805.620838-000

Event Type: Audit Success

User:

Computer Name: 37L4247D28-05

Event Code: 4608

Message: Windows is starting up.

This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.

Record Number: 1

Source Name: Microsoft-Windows-Security-Auditing

Time Written: 20100421162805.620838-000

Event Type: Audit Success

User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe

"FP_NO_HOST_CHECK"=NO

"NUMBER_OF_PROCESSORS"=4

"OS"=Windows_NT

"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\;C:\PROGRA~1\ULTRAE~1;C:\Program Files\TortoiseSVN\bin;C:\Program Files\QuickTime\QTSystem\

"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC

"PROCESSOR_ARCHITECTURE"=x86

"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 30 Stepping 5, GenuineIntel

"PROCESSOR_LEVEL"=6

"PROCESSOR_REVISION"=1e05

"PSModulePath"=%SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\

"TEMP"=%SystemRoot%\TEMP

"TMP"=%SystemRoot%\TEMP

"USERNAME"=SYSTEM

"windir"=%SystemRoot%

"CLASSPATH"=.;C:\Program Files\Java\jre6\lib\ext\QTJava.zip

"QTJAVA"=C:\Program Files\Java\jre6\lib\ext\QTJava.zip

-----------------EOF-----------------

et le fichier log.txt

Logfile of random's system information tool 1.08 (written by random/random)

Run by maxime at 2010-08-03 18:48:44

Microsoft Windows 7 Professional Service Pack 2

System drive C: has 33 GB (44%) free of 76 GB

Total RAM: 3191 MB (42% free)

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 18:48:47, on 03.08.2010

Platform: Windows 7 (WinNT 6.00.3504)

MSIE: Internet Explorer v8.00 (8.00.7600.16385)

Boot mode: Normal

Running processes:

C:\Windows\system32\taskhost.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\AVG\AVG9\avgtray.exe

C:\Windows\Dell\PanelMgr\SSMMgr.exe

C:\Windows\twain_32\Dell\Dell2335\Scan2Pc.exe

C:\Program Files\Mozilla Thunderbird\thunderbird.exe

C:\Program Files\PuTTY\pageant.exe

C:\Program Files\TortoiseSVN\bin\TSVNCache.exe

C:\Program Files\AVG\AVG9\avgui.exe

C:\Windows\system32\taskmgr.exe

C:\Windows\system32\NOTEPAD.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Program Files\Microsoft Office\Office12\EXCEL.EXE

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\UltraEdit\UEDIT32.EXE

C:\Users\******\Desktop\RSIT.exe

C:\Program Files\trend micro\maxime.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Bing

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = MSN : Hotmail, Messenger, Actualité, Sport et Vidéo

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN : Hotmail, Messenger, Actualité, Sport et Vidéo

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN : Hotmail, Messenger, Actualité, Sport et Vidéo