Besoin d'un coup de pouce

[MisTer KaliMan]

Bonjour à tous,

 

Je viens vers vous, pour que vous puissiez m'analizer le rapport Combofix suivant :

 

ComboFix 12-07-16.01 - Sabrina 17/07/2012 12:55:03.1.2 - x86

Microsoft Windows 7 Édition Familiale Premium 6.1.7601.1.1252.33.1036.18.3072.2207 [GMT 2:00]

Lancé depuis: c:\users\Sabrina\Desktop\ComboFix.exe

SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\program files\facemoods.com

c:\program files\facemoods.com\facemoods\1.4.17.11\bh\facemoods.dll

c:\program files\facemoods.com\facemoods\1.4.17.11\facemoods.crx

c:\program files\facemoods.com\facemoods\1.4.17.11\facemoods.png

c:\program files\facemoods.com\facemoods\1.4.17.11\facemoodsApp.dll

c:\program files\facemoods.com\facemoods\1.4.17.11\facemoodsEng.dll

c:\program files\facemoods.com\facemoods\1.4.17.11\facemoodssrv.exe

c:\program files\facemoods.com\facemoods\1.4.17.11\facemoodsTlbr.dll

c:\program files\facemoods.com\facemoods\1.4.17.11\uninstall.exe

.

Une copie infectée de c:\windows\system32\userinit.exe a été trouvée et désinfectée

Copie restaurée à partir de - c:\windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.1.7601.17514_none_de3024012ff21116\userinit.exe

.

.

((((((((((((((((((((((((((((( Fichiers créés du 2012-06-17 au 2012-07-17 ))))))))))))))))))))))))))))))))))))

.

.

2012-07-17 11:03 . 2012-07-17 11:03 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp

2012-07-17 11:03 . 2012-07-17 11:03 -------- d-----w- c:\users\Kevin\AppData\Local\temp

2012-07-17 11:03 . 2012-07-17 14:59 -------- d-----w- c:\users\Sabrina\AppData\Local\temp

2012-07-17 11:03 . 2012-07-17 11:03 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-07-17 10:53 . 2012-07-17 11:04 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{1E89C016-F53A-4FCF-86EA-4F5C169788EF}\offreg.dll

2012-07-16 12:57 . 2012-07-16 12:57 -------- d-----w- c:\users\Sabrina\AppData\Local\Futuremark_Corporation

2012-07-16 12:57 . 2012-07-16 12:57 -------- d-----w- c:\users\Sabrina\AppData\Local\IsolatedStorage

2012-07-16 12:56 . 2012-07-16 12:56 -------- d-----w- c:\programdata\Futuremark

2012-07-16 12:56 . 2012-07-16 12:56 -------- d-----w- c:\program files\Futuremark

2012-07-11 18:10 . 2012-07-11 18:10 -------- d-----w- c:\users\Sabrina\AppData\Local\OCCT

2012-07-11 17:47 . 2012-07-11 17:49 -------- d--h--w- c:\windows\msdownld.tmp

2012-07-11 16:56 . 2012-06-12 02:40 2345984 ----a-w- c:\windows\system32\win32k.sys

2012-07-08 09:50 . 2004-08-09 15:43 94208 ----a-w- c:\windows\AMCap.exe

2012-07-08 09:50 . 2012-07-10 08:23 -------- d-----w- c:\program files\Trust

2012-07-08 09:50 . 2012-07-10 08:23 -------- d-----w- c:\windows\Pixart

2012-07-06 11:33 . 2012-07-06 11:33 -------- d-----w- c:\users\Sabrina\AppData\Local\Apple Computer

2012-07-06 11:33 . 2009-05-18 11:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys

2012-07-06 11:33 . 2008-04-17 10:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll

2012-07-06 11:31 . 2012-07-06 11:31 -------- d-----w- c:\program files\iPod

2012-07-06 11:31 . 2012-07-06 11:56 -------- d-----w- c:\program files\iTunes

2012-07-06 11:31 . 2012-07-06 11:33 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

2012-07-06 11:31 . 2012-07-06 11:31 -------- d-----w- c:\programdata\Apple Computer

2012-07-05 21:51 . 2012-07-17 14:59 -------- d-----w- c:\users\Sabrina\AppData\Roaming\Skype

2012-07-05 21:51 . 2012-07-05 21:51 -------- d-----w- c:\program files\Common Files\Skype

2012-07-05 21:51 . 2012-07-05 21:51 -------- d-----r- c:\program files\Skype

2012-07-05 21:50 . 2012-07-05 21:51 -------- d-----w- c:\programdata\Skype

2012-07-05 09:38 . 2012-07-06 11:35 -------- d-----w- c:\users\Sabrina\AppData\Roaming\Apple Computer

2012-07-04 16:52 . 2012-07-04 16:52 -------- d-----w- c:\users\Kevin\AppData\Roaming\Apple Computer

2012-07-04 11:50 . 2012-07-04 11:50 -------- d-----w- c:\users\Sabrina\AppData\Local\Apple

2012-07-04 11:50 . 2012-07-04 11:50 -------- d-----w- c:\program files\Apple Software Update

2012-07-04 11:49 . 2012-07-04 11:49 -------- d-----w- c:\program files\Bonjour

2012-07-04 11:49 . 2012-07-06 11:31 -------- d-----w- c:\program files\Common Files\Apple

2012-07-04 11:49 . 2012-07-04 11:50 -------- d-----w- c:\programdata\Apple

2012-06-22 15:53 . 2012-06-22 15:53 421200 ----a-w- c:\program files\Mozilla Firefox\msvcp100.dll

2012-06-22 15:53 . 2012-06-22 15:53 770384 ----a-w- c:\program files\Mozilla Firefox\msvcr100.dll

2012-06-21 05:40 . 2012-06-02 22:19 53784 ----a-w- c:\windows\system32\wuauclt.exe

2012-06-21 05:40 . 2012-06-02 22:19 45080 ----a-w- c:\windows\system32\wups2.dll

2012-06-21 05:40 . 2012-06-02 22:19 1933848 ----a-w- c:\windows\system32\wuaueng.dll

2012-06-21 05:40 . 2012-06-02 22:12 2422272 ----a-w- c:\windows\system32\wucltux.dll

2012-06-21 05:40 . 2012-06-02 22:19 35864 ----a-w- c:\windows\system32\wups.dll

2012-06-21 05:40 . 2012-06-02 22:12 88576 ----a-w- c:\windows\system32\wudriver.dll

2012-06-21 05:40 . 2012-06-02 22:19 577048 ----a-w- c:\windows\system32\wuapi.dll

2012-06-21 05:39 . 2012-06-02 13:19 171904 ----a-w- c:\windows\system32\wuwebv.dll

2012-06-21 05:39 . 2012-06-02 13:12 33792 ----a-w- c:\windows\system32\wuapp.exe

2012-06-20 11:25 . 2012-05-04 09:59 514560 ----a-w- c:\windows\system32\qdvd.dll

2012-06-18 10:50 . 2012-04-28 03:17 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys

.

.

.

(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-05-30 17:48 . 2012-05-30 17:48 476960 ----a-w- c:\windows\system32\npdeployJava1.dll

2012-05-30 17:48 . 2011-10-05 05:53 472864 ----a-w- c:\windows\system32\deployJava1.dll

2012-05-15 03:03 . 2012-06-13 14:02 981504 ----a-w- c:\windows\system32\wininet.dll

2012-05-01 04:44 . 2012-06-13 13:59 164352 ----a-w- c:\windows\system32\profsvc.dll

2012-04-26 04:45 . 2012-06-13 14:00 58880 ----a-w- c:\windows\system32\rdpwsx.dll

2012-04-26 04:45 . 2012-06-13 14:00 129536 ----a-w- c:\windows\system32\rdpcorekmts.dll

2012-04-26 04:41 . 2012-06-13 14:00 8192 ----a-w- c:\windows\system32\rdrmemptylst.exe

2012-04-25 10:11 . 2012-04-25 10:11 4547944 ----a-w- c:\windows\system32\usbaaplrc.dll

2012-04-25 10:11 . 2012-04-25 10:11 43520 ----a-w- c:\windows\system32\drivers\usbaapl.sys

2012-04-24 04:36 . 2012-06-13 13:41 140288 ----a-w- c:\windows\system32\cryptsvc.dll

2012-04-24 04:36 . 2012-06-13 13:41 103936 ----a-w- c:\windows\system32\cryptnet.dll

2012-04-24 04:36 . 2012-06-13 13:41 1158656 ----a-w- c:\windows\system32\crypt32.dll

2012-04-20 03:16 . 2012-06-13 14:02 1638912 ----a-w- c:\windows\system32\mshtml.tlb

2012-06-22 15:53 . 2011-10-05 05:45 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2012-07-03 17417392]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Logitech Download Assistant"="c:\windows\System32\LogiLDA.dll" [2010-11-03 1246544]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]

"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-07-22 150528]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]

"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-30 59280]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-9-20 270336]

Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2011-10-10 813584]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

2009-07-20 10:28 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe"

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" /background

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"facemoods"="c:\program files\facemoods.com\facemoods\1.4.17.11\facemoodssrv.exe" /md I

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"

"NeroFilterCheck"=c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"

.

R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [x]

R3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [x]

R3 Futuremark SystemInfo Service;Futuremark SystemInfo Service;c:\program files\Futuremark\Futuremark SystemInfo\FMSISvc.exe [x]

R3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\Drivers\LEqdUsb.Sys [x]

R3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\system32\Drivers\LHidEqd.Sys [x]

R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [x]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]

R3 WatAdminSvc;Service Windows Activation Technologies;c:\windows\system32\Wat\WatAdminSvc.exe [x]

R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]

S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]

S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [x]

S2 Skype C2C Service;Skype C2C Service;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe [x]

S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]

S2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe [x]

S3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys [x]

.

.

--- Autres Services/Pilotes en mémoire ---

.

*NewlyCreated* - WS2IFSL

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

UxTuneUp

.

.

------- Examen supplémentaire -------

.

uStart Page = hxxp://start.facemoods.com/?a=ddrnw

uInternet Settings,ProxyOverride = *.local

IE: E&xporter vers Microsoft Excel - c:\progra~1\MIF5BA~1\Office12\EXCEL.EXE/3000

TCP: DhcpNameServer = 192.168.1.1

FF - ProfilePath - c:\users\Sabrina\AppData\Roaming\Mozilla\Firefox\Profiles\yyarx873.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.fr

FF - user.js: network.http.max-persistent-connections-per-server - 4

FF - user.js: nglayout.initialpaint.delay - 600

FF - user.js: content.notify.interval - 600000

FF - user.js: content.max.tokenizing.time - 1800000

FF - user.js: content.switch.threshold - 600000

.

- - - - ORPHELINS SUPPRIMES - - - -

.

AddRemove-facemoods - c:\program files\facemoods.com\facemoods\1.4.17.11\uninstall.exe

.

.

.

--------------------- CLES DE REGISTRE BLOQUEES ---------------------

.

[HKEY_USERS\S-1-5-21-3502149156-1646783459-378533256-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]

@Denied: (2) (LocalSystem)

"Progid"="WindowsLiveMail.Email.1"

.

[HKEY_USERS\S-1-5-21-3502149156-1646783459-378533256-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]

@Denied: (2) (LocalSystem)

"Progid"="WindowsLiveMail.VCard.1"

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

--------------------- DLLs chargées dans les processus actifs ---------------------

.

- - - - - - - > 'Explorer.exe'(4024)

c:\program files\Logitech\SetPoint\lgscroll.dll

.

------------------------ Autres processus actifs ------------------------

.

c:\windows\system32\nvvsvc.exe

c:\program files\NVIDIA Corporation\Display\nvxdsync.exe

c:\windows\system32\nvvsvc.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Microsoft\BingBar\SeaPort.EXE

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

c:\windows\system32\WUDFHost.exe

c:\program files\Windows Media Player\wmpnetwk.exe

c:\windows\system32\taskhost.exe

c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe

c:\windows\system32\conhost.exe

c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

c:\program files\NVIDIA Corporation\Display\nvtray.exe

.

**************************************************************************

.

Heure de fin: 2012-07-17 17:01:56 - La machine a redémarré

ComboFix-quarantined-files.txt 2012-07-17 15:01

.

Avant-CF: 446 594 543 616 octets libres

Après-CF: 446 819 373 056 octets libres

.

- - End Of File - - 4D76E2EC131DC3D3AF410848C29C22B3

 

 

D'avance je vous remercis et bonne journée à tous.

 

Bien cordialement.