Infection rootkit TDSS ?? [RESOLU]

[Bastos17]

Bonsoir à tous

 

Cela fait quelques jours que mon PC débloque légèrement . Ça a commencé avec une erreur avec Windows Update (code 80072EFE), puis des ralentissements du PC, des redirections des résultats sur Google (vers monstermarketplace.com) et un magnifique blue screen avec "STOP c0000c64 HARD ERROR".

 

Les scans avec Avira, Spybot et MBAM sont négatifs (du moins, ils l'étaient avant-hier). Après plusieurs recherche, je trouve que le rootkit TDSS est souvent cité dans des cas comme le mien (pour les 3 premiers symptômes). J'ai aussi vu qu'un scan Hijackthis était souvent demandé, je l'ai fait.

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 19:14:58, on 26/04/2011

Platform: Unknown Windows (WinNT 6.01.3505 SP1)

MSIE: Internet Explorer v8.00 (8.00.7601.17514)

Boot mode: Normal

 

Running processes:

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\CheckPoint\ZAForceField\ForceField.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Acer\Empowering Technology\eAudio\eAudio.exe

C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe

C:\Program Files\Launch Manager\LManager.exe

C:\Windows\PLFSetI.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files\Synaptics\SynTP\SynTPHelper.exe

C:\Users\Bastos\Desktop\HwMonTray.exe

C:\Program Files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTuner.exe

C:\Users\Bastos\Desktop\HWMonitor.exe

C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Users\Bastos\AppData\Local\Microsoft\Windows Sidebar\Gadgets\GPUMonitor.gadget\GPUMonitor.exe

C:\Windows\system32\taskmgr.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Windows\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Bing

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN : Hotmail, Messenger, Bing, Actualité et Sport

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN : Hotmail, Messenger, Bing, Actualité et Sport

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: ZoneAlarm Security Engine Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll

O2 - BHO: Programme d'aide de l'Assistant de connexion Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: Hotspot Shield Class - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files\Hotspot Shield\HssIE\HssIE.dll

O3 - Toolbar: ZoneAlarm Security Engine - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [eAudio] "C:\Program Files\Acer\Empowering Technology\eAudio\eAudio.exe"

O4 - HKLM\..\Run: [ePower_DMC] C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe

O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\LManager.exe

O4 - HKLM\..\Run: [PLFSetI] C:\Windows\PLFSetI.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKLM\..\Run: [RivaTuner] "C:\Program Files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTunerWrapper.exe" /T

O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTunerWrapper.exe" /S

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [unlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [iSW] "C:\Program Files\CheckPoint\ZAForceField\ForceField.exe" /icon="hidden"

O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel Wireless Tray

O4 - HKCU\..\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')

O4 - Startup: HwMonTray.lnk = C:\Users\Bastos\Desktop\HwMonTray.exe

O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\Microsoft Office\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\Microsoft Office\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O13 - Gopher Prefix:

O16 - DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} (SysInfo Class) - http://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.1.64.0.cab

O16 - DPF: {40F576AD-8680-4F9E-9490-99D069CD665F} (System Requirements Lab Class) - http://srtest-cdn.systemrequirementslab.com.s3.amazonaws.com/bin/sysreqlabdetect.cab

O23 - Service: Avira AntiVir Planificateur (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Empowering Technology Service (ETService) - Unknown owner - C:\Program Files\Acer\Empowering Technology\Service\ETService.exe

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel® Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe

O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\openvpnas.exe

O23 - Service: Hotspot Shield Routing Service (HssSrv) - AnchorFree Inc. - C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe

O23 - Service: Hotspot Shield Tray Service (HssTrayService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\HssTrayService.EXE

O23 - Service: Hotspot Shield Monitoring Service (HssWd) - Unknown owner - C:\Program Files\Hotspot Shield\bin\hsswd.exe

O23 - Service: ZoneAlarm Toolbar IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe

O23 - Service: Ma-Config Service (maconfservice) - CybelSoft - C:\Program Files\ma-config.com\maconfservice.exe

O23 - Service: Wireless PAN DHCP Server (MyWiFiDHCPDNS) - Unknown owner - C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe

O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

O23 - Service: Performance Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe

O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Windows\system32\IoctlSvc.exe

O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel® Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe

O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

O23 - Service: Update Center Service (UpdateCenterService) - NVIDIA - C:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe

 

--

End of file - 9114 bytes

 

J'épère qu'une âme charitable voudra bien m'aider

 

Merci d'avance !!

 

PS : Peut-on modifier le titre du sujet ?

Modifié le 3 mai 2011 par Bastos17

[bernard53]

Bonsoir

 

Je constate que tu as W7 et que tu installé Zone alarme en complément.

Windows 7 a un Pare feu compétant qui n'as rien a voir avec celui de XP.

En plus de cela il existe des incompatibilité entre Zone alarme et W7 dans certains cas.

Donc désinstaller celui-ci car fort possible qu'il soit en cause pour ton ralentissement. A essayer de toute façon s.t.p

 

Ensuite pour Windows Update fait ceci .

 

Télécharge WinUpdateFix de Xplode sur le bureau

http://www.teamxscript.org/Xplode/WinUpdateFix.exe

 

 

Lance-le en cliquant sur l'icône, il ne nécessite pas d'installation.

Sous Vista/7, faire un clic droit sur l'icône et Exécuter en tant qu'administrateur.

 

Clique sur le bouton Démarrer pour les trois cadres Services - BITS - Service de cryptographie si nécessaire.

Coche les cases devant les lignes suivantes (en gras) en appuyant sur Tous :

-Effacer le catalogue des mises à jour

-Réinscire les DLL

-Vider le dossier SoftwareDistribution

-Réinitialiser les paramètres Winsock

-Supprimer les fichiers temporaires

-Réinitialiser les descripteurs de sécurité

-Supprimer le proxy

-Restaurer les policies

-Effacer la file d'attente BITS

 

 

 

 

Clique sur le bouton Exécuter

Un message t'avertira de la réussite de l'opération.

Il te sera demandé de redémarrer dans le cas d'une réinitialisation des paramètres Winsocks, fais-le en validant par OK

 

 

Pour tester le résultat :

Sous Vista/7 : Dans le panneau de configuration, Windows Update, clique sur Rechercher des mises à jour.

[Bastos17]

Merci de ton aide !

 

Cependant, le lien de WinUpdateFix est mort =/ et ils ne parlent même pas de ce soft sur leur site. Je réessayerais plus tard.

 

ZoneAlarm est désinstallé, reste plus qu'a voir si les ralentissements venaient de lui.

 

Pour ce qui est de l'erreur c0000c64 HARD ERROR, tu n'as pas d'idée de ce quelle signifie, ni d'où elle peut provenir? Car Google ne le sais pas lui ...

[bernard53]

voici un nouveau lien pour"WinUpdateFix"

 

http://sd-1.archive-host.com/membres/up/17959594961240255/WinUpdateFix.exe

 

pour ton "c0000c64 HARD ERROR"

 

 

 

Télécharger whocrashedSetup

 

Ou <<ICI>>

 

Installer le logiciel et une fois installé cliquez sur Analyse

 

Laisse Internet connecté . Si tu as une anomalie mets-le rapport ici.

Modifié le 27 avril 2011 par bernard53

[Bastos17]

Merci

 

Pour le Blue screen, c'est mon soft VPN AnchorFree qui l'a provoqué :

 

Crash Dump Analysis

--------------------------------------------------------------------------------

Crash dump directory: C:\Windows\Minidump

 

Crash dumps are enabled on your computer.

 

On Wed 27/04/2011 19:28:31 GMT your computer crashed

crash dump file: C:\Windows\Minidump\042711-34585-01.dmp

This was probably caused by the following module: hssdrv.sys (HssDrv+0x1F6C)

Bugcheck code: 0xD1 (0x0, 0x2, 0x0, 0xFFFFFFFF8B680D11)

Error: DRIVER_IRQL_NOT_LESS_OR_EQUAL

file path: C:\Windows\system32\drivers\hssdrv.sys

product: Hotspot Shield® Routing Driver

company: AnchorFree Inc.

description: Hotspot Shield Routing Driver

Bug check description: This indicates that a kernel-mode driver attempted to access pageable memory at a process IRQL that was too high.

This appears to be a typical software driver bug and is not likely to be caused by a hardware problem.

A third party driver was identified as the probable root cause of this system error. It is suggested you look for an update for the following driver: hssdrv.sys (Hotspot Shield Routing Driver, AnchorFree Inc.).

Google query: hssdrv.sys AnchorFree Inc. DRIVER_IRQL_NOT_LESS_OR_EQUAL

 

On Wed 27/04/2011 19:28:31 GMT your computer crashed

crash dump file: C:\Windows\memory.dmp

This was probably caused by the following module: hssdrv.sys (HssDrv+0x1F6C)

Bugcheck code: 0xD1 (0x0, 0x2, 0x0, 0xFFFFFFFF8B680D11)

Error: DRIVER_IRQL_NOT_LESS_OR_EQUAL

file path: C:\Windows\system32\drivers\hssdrv.sys

product: Hotspot Shield® Routing Driver

company: AnchorFree Inc.

description: Hotspot Shield Routing Driver

Bug check description: This indicates that a kernel-mode driver attempted to access pageable memory at a process IRQL that was too high.

This appears to be a typical software driver bug and is not likely to be caused by a hardware problem.

A third party driver was identified as the probable root cause of this system error. It is suggested you look for an update for the following driver: hssdrv.sys (Hotspot Shield Routing Driver, AnchorFree Inc.).

Google query: hssdrv.sys AnchorFree Inc. DRIVER_IRQL_NOT_LESS_OR_EQUAL

 

Pas d'autres choix que de le supprimer ? Parce qu'il est plutôt pratique pour regarder des séries US.

 

Par contre pour Windows Update, toujours l'erreur 80072EFE

[bernard53]

Pour ceci.

Par contre pour Windows Update, toujours l'erreur 80072EFE

 

 

Télécharge load_tdsskiller de Loup Blanc sur ton Bureau

http://fradesch.perso.cegetel.net/transf/Load_tdsskiller.exe

 

Cet outil est conçu pour automatiser différentes tâches proposées par TDSSKiller, un fix de Kaspersky.

 

Lance load_tdsskiller en double-cliquant dessus. Clic droit et exécuter en tant qu'administrateur avec Vista/Seven

 

A cette fenêtre lance le scan.

 

 

Tu peux récupérer le rapport en validant Report

 

Si une détection est faite valide Cure puis

 

 

redémarres le pc pour confirmer la suppression de celle-ci.

 

 

INFO::

 

How to remove malware belonging to the family Rootkit.Win32.TDSS (aka Tidserv, TDSServ, Alureon)?

[Bastos17]

Je commence à croire que mon PC ne veut pas être désinfecté

Lorsque je lance l'appli, ça se lance, ça télécharge et ça ouvre une petite fenêtre avec une barre d'avancement 10 - 20 %... jusqu'à 80% où là elle disparait. Ensuite le Bloc Note se lance mais pas de TDSSKiller.

J'ai essayé en lançant directement ce TDSSKiller, mais là aussi, la fenêtre d'avancement se ferme à 80% puis rien. Même en mode sans échec. :cry:

[bernard53]

Ok fait ceci alors.

 

essai avec cet autre lien.

http://support.kaspersky.com/downloads/utils/tdsskiller.zip

 

 

Sinon::

 

Télécharge ComboFix <ICI>>

 

Pour les Utilisateurs de VISTA: Clic-droit et choisis "Exécuter en tant qu'administrateur".

Pour VISTA : pas d'installation de la console de récupération.

 

>> Lors de son exécution, ComboFix va vérifier si la Console de récupération Microsoft Windows est installée.

 

Avec des infections comme celles d'aujourd'hui, il est fortement conseillé de l'avoir préinstallée sur votre PC avant toute suppression de nuisibles.

Elle permettra de démarrer dans un mode spécial, de récupération (réparation), qui nous permet de vous aider plus facilement si jamais votre ordinateur rencontre un problème après une tentative de nettoyage.

 

Suis les invites pour permettre à ComboFix de télécharger et installer la Console de récupération Microsoft Windows, et lorsque cela est demandé, accepte le Contrat de Licence Utilisateur Final pour l'installer.

>> Une fois sur ton bureau double clique dessus pour le lancer.

Note importante : Si la Console de récupération Microsoft Windows est déjà installée, ComboFix continuera ses procédures de suppression de nuisibles.

 

Lorsque le scan sera complet, un rapport apparaîtra. Copie/colle ce rapport dans ta prochaine réponse.

NOTE : Le rapport se trouve également ici : C:\Combofix.txt

 

>>Ne pas cliquer dans la fenêtre de Combofix durant l’analyse, ceci provoquerait le gel du programme

Modifié le 28 avril 2011 par bernard53

[Bastos17]

Bon toujours rien avec TDSSKiller =/

Mais il y a du nouveau !! Combofix fait crasher mon PC !! Je commence à désespérer ....

 

Le rapport WhoCrashed :

 

Crash Dump Analysis

--------------------------------------------------------------------------------

 

Crash dump directory: C:\Windows\Minidump

 

Crash dumps are enabled on your computer.

 

On Fri 29/04/2011 19:16:38 GMT your computer crashed

crash dump file: C:\Windows\Minidump\042911-24538-01.dmp

This was probably caused by the following module: ntkrnlpa.exe (nt+0x415CB)

Bugcheck code: 0xA (0x1, 0x2, 0x0, 0xFFFFFFFF83092A1C)

Error: IRQL_NOT_LESS_OR_EQUAL

file path: C:\Windows\system32\ntkrnlpa.exe

product: Microsoft® Windows® Operating System

company: Microsoft Corporation

description: NT Kernel & System

Bug check description: This indicates that Microsoft Windows or a kernel-mode driver accessed paged memory at DISPATCH_LEVEL or above.

This appears to be a typical software driver bug and is not likely to be caused by a hardware problem.

The crash took place in the Windows kernel. Possibly this problem is caused by another driver which cannot be identified at this time.

 

On Fri 29/04/2011 19:16:38 GMT your computer crashed

crash dump file: C:\Windows\memory.dmp

This was probably caused by the following module: ntkrpamp.exe (nt!Kei386EoiHelper+0x29D3)

Bugcheck code: 0xA (0x1, 0x2, 0x0, 0xFFFFFFFF83092A1C)

Error: IRQL_NOT_LESS_OR_EQUAL

Bug check description: This indicates that Microsoft Windows or a kernel-mode driver accessed paged memory at DISPATCH_LEVEL or above.

This appears to be a typical software driver bug and is not likely to be caused by a hardware problem.

A third party driver was identified as the probable root cause of this system error. It is suggested you look for an update for the following driver: ntkrpamp.exe .

Google query: ntkrpamp.exe IRQL_NOT_LESS_OR_EQUAL

 

On Fri 29/04/2011 19:02:23 GMT your computer crashed

crash dump file: C:\Windows\Minidump\042911-31995-01.dmp

This was probably caused by the following module: hal.sys (hal+0x590F)

Bugcheck code: 0xA (0x1, 0x2, 0x0, 0xFFFFFFFF83087A1C)

Error: IRQL_NOT_LESS_OR_EQUAL

Bug check description: This indicates that Microsoft Windows or a kernel-mode driver accessed paged memory at DISPATCH_LEVEL or above.

This appears to be a typical software driver bug and is not likely to be caused by a hardware problem.

A third party driver was identified as the probable root cause of this system error. It is suggested you look for an update for the following driver: hal.sys .

Google query: hal.sys IRQL_NOT_LESS_OR_EQUAL

 

On Fri 29/04/2011 18:55:54 GMT your computer crashed

crash dump file: C:\Windows\Minidump\042911-29920-01.dmp

This was probably caused by the following module: Unknown (0x00000001)

Bugcheck code: 0x1000008E (0xFFFFFFFFC0000005, 0x1, 0xFFFFFFFFAC1F19F8, 0x0)

Error: KERNEL_MODE_EXCEPTION_NOT_HANDLED_M

Bug check description: This indicates that a kernel-mode program generated an exception which the error handler did not catch.

This appears to be a typical software driver bug and is not likely to be caused by a hardware problem.

A third party driver was identified as the probable root cause of this system error. It is suggested you look for an update for the following driver: Unknown .

Google query: Unknown KERNEL_MODE_EXCEPTION_NOT_HANDLED_M

 

On Fri 29/04/2011 18:30:29 GMT your computer crashed

crash dump file: C:\Windows\Minidump\042911-32729-01.dmp

This was probably caused by the following module: hal.sys (hal+0x590F)

Bugcheck code: 0xA (0x1, 0x2, 0x0, 0xFFFFFFFF830BBA1C)

Error: IRQL_NOT_LESS_OR_EQUAL

Bug check description: This indicates that Microsoft Windows or a kernel-mode driver accessed paged memory at DISPATCH_LEVEL or above.

This appears to be a typical software driver bug and is not likely to be caused by a hardware problem.

A third party driver was identified as the probable root cause of this system error. It is suggested you look for an update for the following driver: hal.sys .

Google query: hal.sys IRQL_NOT_LESS_OR_EQUAL

 

On Fri 29/04/2011 17:29:02 GMT your computer crashed

crash dump file: C:\Windows\Minidump\042911-26800-01.dmp

This was probably caused by the following module: ntkrnlpa.exe (nt+0x415CB)

Bugcheck code: 0xA (0x16, 0x2, 0x0, 0xFFFFFFFF8304BF66)

Error: IRQL_NOT_LESS_OR_EQUAL

file path: C:\Windows\system32\ntkrnlpa.exe

product: Microsoft® Windows® Operating System

company: Microsoft Corporation

description: NT Kernel & System

Bug check description: This indicates that Microsoft Windows or a kernel-mode driver accessed paged memory at DISPATCH_LEVEL or above.

This appears to be a typical software driver bug and is not likely to be caused by a hardware problem.

The crash took place in the Windows kernel. Possibly this problem is caused by another driver which cannot be identified at this time.

 

On Wed 27/04/2011 19:28:31 GMT your computer crashed

crash dump file: C:\Windows\Minidump\042711-34585-01.dmp

This was probably caused by the following module: hssdrv.sys (HssDrv+0x1F6C)

Bugcheck code: 0xD1 (0x0, 0x2, 0x0, 0xFFFFFFFF8B680D11)

Error: DRIVER_IRQL_NOT_LESS_OR_EQUAL

Bug check description: This indicates that a kernel-mode driver attempted to access pageable memory at a process IRQL that was too high.

This appears to be a typical software driver bug and is not likely to be caused by a hardware problem.

A third party driver was identified as the probable root cause of this system error. It is suggested you look for an update for the following driver: hssdrv.sys .

Google query: hssdrv.sys DRIVER_IRQL_NOT_LESS_OR_EQUAL

 

EDIT : Si ça peut aider, voici le log de TDSSKiller :

 

2011/04/30 21:59:53.0304 2920 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28

2011/04/30 21:59:53.0714 2920 ================================================================================

2011/04/30 21:59:53.0714 2920 SystemInfo:

2011/04/30 21:59:53.0714 2920

2011/04/30 21:59:53.0714 2920 OS Version: 6.1.7601 ServicePack: 1.0

2011/04/30 21:59:53.0714 2920 Product type: Workstation

2011/04/30 21:59:53.0714 2920 ComputerName: BASTOS-PC

2011/04/30 21:59:53.0714 2920 UserName: Bastos

2011/04/30 21:59:53.0714 2920 Windows directory: C:\Windows

2011/04/30 21:59:53.0714 2920 System windows directory: C:\Windows

2011/04/30 21:59:53.0714 2920 Processor architecture: Intel x86

2011/04/30 21:59:53.0714 2920 Number of processors: 2

2011/04/30 21:59:53.0714 2920 Page size: 0x1000

2011/04/30 21:59:53.0714 2920 Boot type: Normal boot

2011/04/30 21:59:53.0714 2920 ================================================================================

2011/04/30 21:59:54.0034 2920 !crdlk

 

J'ai aussi essayé avec Norman TDSS Cleaner, résultat : Unable to load nsak.sys Error (0x00000001).

Idem avec TDSS Remover => "Error while creating or starting service"

 

Le debug log de TDSS Remover :

.\main.cpp(3998) : Debug log started at 30.04.2011 - 20:06:27

.\main.cpp(3999) : Program Version: 1.8.0.0

.\main.cpp(4003) : OS Version: Microsoft Windows 7 Ultimate Edition Service Pack 1 (build 7601), 32-bit

.\main.cpp(4011) : ---------------------------------------

.\service.cpp(90) : Creating service...

.\service.cpp(109) : Allready exists

.\service.cpp(128) : Starting service...

.\service.cpp(149) : StartService() ERROR 31

Modifié le 30 avril 2011 par Bastos17

[Bastos17]

J'ai enfin réussis à lancer ComboFix en mode sans échec !!!

 

Le log :

ComboFix 11-04-29.01 - Bastos 01/05/2011 14:46:16.1.2 - x86 NETWORK

Microsoft Windows 7 Édition Intégrale 6.1.7601.1.1252.33.1033.18.3067.2495 [GMT 2:00]

Lancé depuis: c:\users\Bastos\Desktop\ComboFix.exe

AV: AntiVir Desktop *Enabled/Outdated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}

SP: AntiVir Desktop *Enabled/Outdated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

* Un nouveau point de restauration a été créé

.

.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\users\Bastos\Documents\BackupRegistry03-04-2011.reg

.

.

((((((((((((((((((((((((((((( Fichiers créés du 2011-04-01 au 2011-05-01 ))))))))))))))))))))))))))))))))))))

.

.

2011-05-01 12:51 . 2011-05-01 12:51 -------- d-----w- c:\users\Guest\AppData\Local\temp

2011-05-01 12:51 . 2011-05-01 12:51 -------- d-----w- c:\users\Default\AppData\Local\temp

2011-04-28 17:02 . 2011-04-30 19:59 -------- d-----w- C:\tdsskiller

2011-04-27 19:28 . 2011-04-27 19:28 -------- d-----w- c:\programdata\ZA_PreservedFiles

2011-04-26 16:41 . 2011-04-26 16:41 -------- d-----w- c:\program files\Trend Micro

2011-04-25 15:36 . 2011-04-25 15:49 -------- d-----w- c:\users\Bastos\AppData\Local\ApplicationHistory

2011-04-25 15:34 . 2011-04-25 15:34 -------- d-----w- c:\program files\DNsoft.be

2011-04-25 15:31 . 2011-04-25 15:31 -------- d-----w- c:\windows\system32\URTTEMP

2011-04-25 13:12 . 2011-04-25 13:12 -------- d-----w- c:\users\Bastos\AppData\Roaming\Malwarebytes

2011-04-25 13:12 . 2010-11-29 15:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-04-25 13:12 . 2011-04-25 13:12 -------- d-----w- c:\programdata\Malwarebytes

2011-04-25 13:12 . 2011-04-25 13:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-04-25 13:12 . 2010-11-29 15:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-04-24 21:28 . 2011-04-24 21:28 -------- d-----w- c:\users\Bastos\AppData\Roaming\Intel

2011-04-24 21:28 . 2011-04-24 21:28 -------- d-----w- c:\users\Public\Roaming

2011-04-24 21:28 . 2011-04-24 21:28 -------- d-----w- c:\users\Guest\Roaming

2011-04-24 21:28 . 2011-04-24 21:28 -------- d-----w- c:\users\Default\Roaming

2011-04-24 21:28 . 2011-04-24 21:28 -------- d-----w- c:\users\Bastos\Roaming

2011-04-24 21:28 . 2011-04-24 21:28 -------- d-----w- c:\programdata\Roaming

2011-04-24 21:25 . 2011-04-24 21:25 -------- d-----w- c:\program files\Cisco

2011-04-24 21:25 . 2011-04-24 21:25 -------- d-----w- c:\program files\Common Files\Intel

2011-04-24 21:25 . 2011-04-24 21:25 -------- d-----w- c:\programdata\Intel

2011-04-24 21:25 . 2011-04-24 21:25 -------- d-----w- c:\program files\Intel

2011-04-22 18:37 . 2011-04-22 18:41 -------- d-----w- c:\users\Bastos\AppData\Roaming\HandBrake

2011-04-22 18:37 . 2011-04-22 18:37 -------- d-----w- c:\users\Bastos\AppData\Local\HandBrake

2011-04-22 18:37 . 2011-04-22 18:37 -------- d-----w- c:\program files\Handbrake

2011-04-07 18:00 . 2011-04-16 19:10 234768 ----a-w- c:\windows\system32\PnkBstrB.xtr

2011-04-07 17:57 . 2011-04-07 17:57 -------- d-----w- c:\users\Bastos\AppData\Local\PunkBuster

2011-04-07 17:23 . 2011-04-16 19:10 138264 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys

2011-04-04 21:41 . 2011-04-07 17:23 138056 ----a-w- c:\users\Bastos\AppData\Roaming\PnkBstrK.sys

2011-04-04 21:37 . 2011-04-16 19:10 234768 ----a-w- c:\windows\system32\PnkBstrB.exe

2011-04-04 21:37 . 2011-04-07 17:22 75136 ----a-w- c:\windows\system32\PnkBstrA.exe

2011-04-04 19:08 . 2011-04-04 19:08 -------- d-----w- c:\program files\EA Games

.

.

.

(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-04-02 09:53 . 2010-12-17 17:35 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys

2011-03-29 20:32 . 2011-03-29 20:32 218688 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys

2011-02-24 16:30 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll

2011-02-19 06:30 . 2011-03-27 21:20 805376 ----a-w- c:\windows\system32\FntCache.dll

2011-02-19 06:30 . 2011-03-27 21:20 1076736 ----a-w- c:\windows\system32\DWrite.dll

2011-02-19 06:30 . 2011-03-27 21:20 739840 ----a-w- c:\windows\system32\d2d1.dll

2011-02-18 16:29 . 2011-03-07 19:06 46592 ----a-w- c:\windows\system32\vsutil_loc040c.dll

2011-02-18 16:28 . 2010-12-17 18:36 1238528 ----a-w- c:\windows\system32\zpeng25.dll

2011-02-18 16:28 . 2010-12-17 18:36 69120 ----a-w- c:\windows\system32\zlcomm.dll

2011-02-18 16:28 . 2010-12-17 18:36 104448 ----a-w- c:\windows\system32\zlcommdb.dll

2011-02-03 05:54 . 2011-02-21 18:24 219008 ----a-w- c:\windows\system32\drivers\dxgmms1.sys

.

.

((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-25 1049896]

"eAudio"="c:\program files\Acer\Empowering Technology\eAudio\eAudio.exe" [2008-09-11 544768]

"ePower_DMC"="c:\program files\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2008-08-01 405504]

"LManager"="c:\program files\Launch Manager\LManager.exe" [2008-06-16 809480]

"PLFSetI"="c:\windows\PLFSetI.exe" [2008-07-29 200704]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2010-06-08 9267816]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-08-17 281768]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-10-16 3420776]

"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2010-07-04 17408]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"GrpConv"="grpconv -o" [X]

.

c:\users\Bastos\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

HwMonTray.lnk - c:\users\Bastos\Desktop\HwMonTray.exe [2010-12-21 163840]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 0 (0x0)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

"PromptOnSecureDesktop"= 0 (0x0)

.

[HKLM\~\startupfolder\C:^Users^Bastos^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^taskmgr.lnk]

backup=c:\windows\pss\taskmgr.lnk.Startup

backupExtension=.Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]

2008-02-28 16:07 1828136 ----a-w- c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mobile Connectivity Suite]

2009-11-19 15:19 598016 ----a-r- c:\program files\HTC\HTC Sync\Application Launcher\Application Launcher.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]

2009-07-26 15:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]

2008-02-18 15:29 2221352 ----a-w- c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]

2010-12-17 19:08 395640 ----a-w- c:\program files\uTorrent\uTorrent.exe

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" /background

"WiFiSiStr"=

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime

"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel Wireless Tray

"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe"

"RivaTunerStartupDaemon"="c:\program files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTunerWrapper.exe" /S

"RivaTuner"="c:\program files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTunerWrapper.exe" /T

.

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]

R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2009-07-14 20992]

R2 AntiVirSchedulerService;Avira AntiVir Planificateur;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-08-17 135336]

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 cpuz134;cpuz134;c:\windows\system32\drivers\cpuz134_x32.sys [2010-07-09 20328]

R2 ETService;Empowering Technology Service;c:\program files\Acer\Empowering Technology\Service\ETService.exe [2008-08-19 24576]

R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]

R3 androidusb;ADB Interface Driver;c:\windows\system32\Drivers\androidusb.sys [2009-10-26 25088]

R3 HTCAND32;HTC Device Driver;c:\windows\system32\Drivers\ANDROIDUSB.sys [2009-10-26 25088]

R3 maconfservice;Ma-Config Service;c:\program files\ma-config.com\maconfservice.exe [2011-04-12 311744]

R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\DRIVERS\ManyCam.sys [x]

R3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe [2010-11-02 227600]

R3 NETw5s32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETw5s32.sys [x]

R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]

R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2010-09-07 123496]

R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]

R3 rk_remover-boot;rk_remover-boot;c:\windows\system32\drivers\rk_remover.sys [x]

R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]

R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]

R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]

R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]

R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]

R3 TsUsbFlt;TsUsbFlt; [x]

R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [x]

S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2011-03-29 218688]

S3 NETwNs32;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETwNs32.sys [2010-11-09 7430144]

S3 nvoclock;NVIDIA Enthusiasts Platform KDM;c:\windows\system32\DRIVERS\nvoclock.sys [2009-09-15 38248]

.

.

--- Autres Services/Pilotes en mémoire ---

.

*Deregistered* - klmd25

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

Akamai REG_MULTI_SZ Akamai

.

.

------- Examen supplémentaire -------

.

uStart Page = hxxp://www.google.com/

IE: E&xporter vers Microsoft Excel - c:\progra~1\Microsoft Office\OFFICE11\EXCEL.EXE/3000

FF - ProfilePath - c:\users\Bastos\AppData\Roaming\Mozilla\Firefox\Profiles\zn99zf54.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.fr/webhp?rls=ig

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - Ext: Password Exporter: {B17C1C5A-04B1-11DB-9804-B622A1EF5492} - %profile%\extensions\{B17C1C5A-04B1-11DB-9804-B622A1EF5492}

FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}

FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}

FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}

FF - Ext: Battlefield Play4Free: battlefieldplay4free@ea.com - %profile%\extensions\battlefieldplay4free@ea.com

.

.

------- Associations de fichier -------

.

.scr=AutoCADScriptFile

.

- - - - ORPHELINS SUPPRIMES - - - -

.

HKLM-RunOnce-<NO NAME> - (no file)

.

.

.

--------------------- CLES DE REGISTRE BLOQUEES ---------------------

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Heure de fin: 2011-05-01 14:52:50

ComboFix-quarantined-files.txt 2011-05-01 12:52

.

Avant-CF: 86 668 701 696 octets libres

Après-CF: 86 741 512 192 octets libres

.

- - End Of File - - 32EC5EF33CAE8E61ED55CDA2F7CC1D1D

 

J'espère que ça pourra faire avancer le schmilblick ^^