Souci avec un rootkit?

Codename5281 -  
 gen-hackman -
Bonjour à tous,

Après avoir navigué sur bon nombre de forums pour essayer, sans succès, de trouver une réponse à mes questions, je viens demander de l'aide à la communauté CCM.

Voici mon problème: hier soir, alors que je navigais sur internet avec Mozilla Firefox, mon PC a commencé à ramer sérieusement. J'ai alors ouvert mon gestionnaire des tâches, et constatant que c'était le processus jre.exe (Java Runtime Environment) qui faisait des siennes, j'ai tenté de le fermer. Cependant, cela a mené après quelques minutes à un freeze total de mes fenêtres. J'ai rebooté mon pc, et dès lors, après quelques minutes d'utilisation, la chose se répétait, avec un processus identique.

Plus étrange, au bout du troisième reboot, le freeze s'est accompagné d'un bip continu de ma carte mère. Je me suis alors renseigné là dessus, et voyant que cela pouvait avoir plusieurs causes, j'ai testé ma mémoire vive avec memtest, sans erreur, j'ai vérifié les voltages de mon alimentation via le bios, aucun problème, ainsi que les températures de mes CPU et GPU, pas de souci non plus. Concernant la mémoire, j'ai pu lancer en live CD des distrib linux et BartPE, sans bug, donc pas de souci de ce côté là.

Plus tard, je me suis aperçu d'un comportement encore plus bizarre de mon PC: en cours de bug, j'ai pu ouvrir mon gestionnaire des tâches, m'apercevoir que le processus consommant toutes les ressources de mon PC n'était plus le même (cela peut varier entre searchindexer.exe, winlogon.exe, svchost.exe, et d'autres processus système ou utilisateur), constater un freeze du gestionnaire des tâches (tous les processus à 0% d'utilisation ressources système, wtf?), et là, apparaît une fenêtre windows style 16 bits qui me demande d'insérer le volume I: (lecteur de carte mémoire)... Le PC étant clairement en train de travailler (diode disque dur et ventirad en acceleré) j'ai commencé à soupçonner la présence d'un rootkit.

J'ai pu effectuer une analyse HijackThis, sans résultat positif flagrant (je peux fournir le log au cas où), mais l'analyse antivirus avec Avira AntiVir a fait freezer le PC. Une analyse avec GMER a freezé également, tout comme une analyse Dr Web Cure It. MBAM a trouvé des entrées registre vérolées qu'il a supprimé, sans effet au reboot. Enfin, ComboFix m'a supprimé quatre fichiers mais je ne saurais pas vous dire lesquels, puisque la création du log au reboot final a fait freezer mon PC.

Voila, actuellement, mon PC est utilisable un certain temps, visiblement ce sont des processus antivirus qui provoquent un freeze, et le comportement bizarre du gestionnaire des tâches avant un freeze (un a deux processus à 50% d'utilisation -je suis en dual core- puis tous les processus, même le "non utilisé", sont à 0%, puis freeze et utilisation du disque dur et du processeur). Je précise que j'ai déconnecté mon PC de l'internet des les premiers symptômes, et que l'entrée dans le mode sans échec m'est impossible (reboot).

En vous remerciant par avance de vos renseignements et de votre aide...
Cordialement,
Configuration: Acer Aspire T180: Windows XP MCE SP3, Athlon64x2, 1GoDDR, HDD 250Go + EDD500Go

10 réponses

  1. gen-hackman
     
    ▶ Clique sur le menu Demarrer /Panneau de configuration/Options des dossiers/ puis dans l'onglet Affichage
    * - Coche Afficher les fichiers et dossiers cachés
    * - Décoche Masquer les extensions des fichiers dont le type est connu
    * - Décoche Masquer les fichiers protégés du système d'exploitation (recommandé)

    ▶ clique sur Appliquer, puis OK.

    N'oublie pas de recacher à nouveau les fichiers cachés et protégés du système d'exploitation en fin de désinfection, c'est important

    Fais analyser le(s) fichier(s) suivants sur Virustotal :

    Virus Total

    * Clique sur Parcourir en haut, choisis Poste de travail et cherche ces fichiers :

    c:\windows\system32\7A004F5EDB.sys
    c:\windows\system32\F1BE1573B3.sys

    * Clique maintenant sur Envoyer le fichier. et laisse travailler tant que "Situation actuelle : en cours d'analyse" est affiché.
    * Il est possible que le fichier soit mis en file d'attente en raison d'un grand nombre de demandes d'analyses. En ce cas, il te faudra patienter sans actualiser la page.
    * Lorsque l'analyse est terminée ("Situation actuelle: terminé"), clique sur Formaté
    * Une nouvelle fenêtre de ton navigateur va apparaître
    * Clique alors sur les deux fleches
    * Fais un clic droit sur la page, et choisis Sélectionner tout, puis copier
    * Enfin colle le résultat dans ta prochaine réponse.

    Note : Pour analyser un autre fichier, clique en bas sur Autre fichier.
    1
    1. Codename5281
       
      Désolé j'étais encore en déplacement!
      Merci pour l'aide, tout est rentré en ordre maintenant!
      A bientôt!
      0
  2. gen-hackman
     
    salut :

    Desactive ton antivirus le temps de la manip ainsi que ton parefeu si présent(car il est detecté a tort comme infection)

    ▶ Télécharge List_Kill'em et enregistre le sur ton bureau

    ▶ Branche clés usb , disques durs externes , mp3 , mp4 , etc..

    double clique ( clic droit "executer en tant qu'administrateur" pour Vista/7 ) sur le raccourci sur ton bureau pour lancer l'installation

    coche la case "creer une icone sur le bureau"

    une fois terminée , clic sur "terminer" et le programme se lancera seul

    choisis la langue puis choisis l'option 1 = Mode Recherche

    ▶ laisse travailler l'outil

    à l'apparition de la fenetre blanche , c'est un peu long , c'est normal , le programme n'est pas bloqué.

    un rapport du nom de catchme apparait sur ton bureau , ignore-le,ne le poste pas , mais ne le supprime pas pour l instant, le scan n'est pas fini.

    ▶ Poste le contenu du rapport qui s'ouvre aux 100 % du scan à l'ecran "COMPLETED"

    tu peux supprimer le rapport catchme.log de ton bureau maintenant.

    0
    1. Codename5281
       
      Merci de ta réponse,
      C'est en cours depuis une binne quinzaine de minutes, et arrêté à 90% pour l'instant. Au niveau des processus, j'ai un system.exe qui me bouffe 45% des ressources.
      Je te poste le log dès que c'est fini.
      0
    2. Codename5281
       
      Voila le rapport (MBR Rootkit infection, huh?):

      List'em by g3n-h@ckm@n 1.2.5.3

      User : Jay (Administrateurs)
      Update on 19/02/2010 by g3n-h@ckm@n ::::: 13.15
      Start at: 15:03:00 | 21/02/2010
      Contact : https://forums.commentcamarche.net/forum/virus-securite-7

      AMD Athlon(tm) 64 X2 Dual Core Processor 4200+
      Microsoft Windows XP Professionnel (5.1.2600 32-bit) # Service Pack 3
      Internet Explorer 8.0.6001.18702
      Windows Firewall Status : Enabled
      AV : Avira AntiVir PersonalEdition 8.0.1.30 [ (!) Disabled | Updated ]
      FW : Norton Internet Worm Protection[ (!) Disabled ]2006

      C:\ -> Disque fixe local | 113,27 Go (75,22 Go free) [ACER] | NTFS
      D:\ -> Disque fixe local | 113,73 Go (3,89 Go free) [ACERDATA] | FAT32
      E:\ -> Disque CD-ROM
      G:\ -> Disque CD-ROM
      I:\ -> Disque amovible | 1,87 Go (1,07 Go free) | FAT
      J:\ -> Disque amovible
      K:\ -> Disque amovible
      L:\ -> Disque amovible
      O:\ -> Disque fixe local | 465,76 Go (130,39 Go free) [FreeAgent Drive] | NTFS

      ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Processes running

      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\csrss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\nvsvc32.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\alg.exe
      C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\system32\inetsrv\inetinfo.exe
      C:\Program Files\Java\jre6\bin\jqs.exe
      C:\WINDOWS\system32\oodag.exe
      C:\WINDOWS\System32\snmp.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\system32\svchost.exe
      C:\Program Files\Astase\UltraBackup\4.9\bin\tbsd.exe
      C:\WINDOWS\Explorer.EXE
      C:\Program Files\Astase\UltraBackup\4.9\bin\thpassiveclientsvc.exe
      C:\WINDOWS\system32\SearchIndexer.exe
      C:\WINDOWS\ehome\mcrdsvc.exe
      C:\Program Files\Windows Media Player\WMPNetwk.exe
      C:\WINDOWS\system32\taskmgr.exe
      C:\WINDOWS\system32\wuauclt.exe
      C:\WINDOWS\system32\wscntfy.exe
      C:\WINDOWS\RTHDCPL.EXE
      C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
      C:\WINDOWS\system32\RUNDLL32.EXE
      C:\WINDOWS\system32\oodtray.exe
      C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
      C:\Program Files\DAEMON Tools Lite\DTLite.exe
      C:\WINDOWS\system32\wbem\wmiprvse.exe
      C:\WINDOWS\system32\wbem\wmiapsrv.exe
      C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
      C:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrv.exe
      C:\WINDOWS\system32\wbem\wmiprvse.exe
      C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
      C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
      C:\Program Files\List_Kill'em\List_Kill'em.scr
      C:\WINDOWS\system32\cmd.exe
      C:\Documents and Settings\Jay\Local Settings\temp\C.tmp\pv.exe

      ======================
      Keys "Run"
      ======================
      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      PC Suite Tray REG_SZ "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
      DAEMON Tools Lite REG_SZ "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
      HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\AdobeUpdater

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      RTHDCPL REG_SZ RTHDCPL.EXE
      avgnt REG_SZ "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
      NvCplDaemon REG_SZ RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
      nwiz REG_SZ nwiz.exe /install
      NvMediaCenter REG_SZ RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
      OODefragTray REG_SZ C:\WINDOWS\system32\oodtray.exe

      [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]

      [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]

      =====================
      Other Keys
      =====================
      [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
      dontdisplaylastusername REG_DWORD 0 (0x0)
      legalnoticecaption REG_SZ
      legalnoticetext REG_SZ
      shutdownwithoutlogon REG_DWORD 1 (0x1)
      undockwithoutlogon REG_DWORD 1 (0x1)
      InstallVisualStyle REG_EXPAND_SZ C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
      InstallTheme REG_EXPAND_SZ C:\WINDOWS\Resources\Themes\Royale.theme
      DisableRegistryTools REG_DWORD 0 (0x0)

      ===============
      [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
      NoDriveAutoRun REG_DWORD 67108863 (0x3ffffff)
      NoDriveTypeAutoRun REG_DWORD 323 (0x143)
      NoDrives REG_DWORD 0 (0x0)
      HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run

      ===============
      [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
      NoCDBurning REG_DWORD 1 (0x1)
      HonorAutoRunSetting REG_DWORD 1 (0x1)
      NoDriveAutoRun REG_DWORD 67108863 (0x3ffffff)
      NoDriveTypeAutoRun REG_DWORD 323 (0x143)
      NoDrives REG_DWORD 0 (0x0)

      ===============
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

      ===============
      [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
      AutoRestartShell REG_DWORD 1 (0x1)
      DefaultUserName REG_SZ Jay
      LegalNoticeCaption REG_SZ
      LegalNoticeText REG_SZ
      PowerdownAfterShutdown REG_SZ 0
      ReportBootOk REG_SZ 1
      Shell REG_SZ Explorer.exe
      ShutdownWithoutLogon REG_SZ 0
      System REG_SZ
      Userinit REG_SZ C:\WINDOWS\system32\userinit.exe,
      VmApplet REG_SZ rundll32 shell32,Control_RunDLL "sysdm.cpl"
      SfcQuota REG_DWORD -1 (0xffffffff)
      allocatecdroms REG_SZ 0
      allocatedasd REG_SZ 0
      allocatefloppies REG_SZ 0
      cachedlogonscount REG_SZ 10
      forceunlocklogon REG_DWORD 0 (0x0)
      passwordexpirywarning REG_DWORD 14 (0xe)
      scremoveoption REG_SZ 0
      AllowMultipleTSSessions REG_DWORD 1 (0x1)
      UIHost REG_EXPAND_SZ logonui.exe
      LogonType REG_DWORD 1 (0x1)
      Background REG_SZ 0 0 0
      DebugServerCommand REG_SZ no
      SFCDisable REG_DWORD 0 (0x0)
      WinStationsDisabled REG_SZ 0
      HibernationPreviouslyEnabled REG_DWORD 1 (0x1)
      ShowLogonOptions REG_DWORD 0 (0x0)
      AltDefaultUserName REG_SZ Jay
      AltDefaultDomainName REG_SZ JAY
      DefaultDomainName REG_SZ JAY
      ChangePasswordUseKerberos REG_DWORD 1 (0x1)

      ===============
      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypt32chain]
      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cryptnet]
      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cscdll]
      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ScCertProp]
      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Schedule]
      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sclgntfy]
      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SensLogn]
      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\termsrv]
      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WgaLogon]
      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wlballoon]

      ===============
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
      {AEB6717E-7E19-11d0-97EE-00C04FD91972} REG_SZ
      {56F9679E-7826-4C84-81F3-532071A8BCC5} REG_SZ

      ===============
      [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
      %windir%\system32\sessmgr.exe REG_SZ %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
      C:\Program Files\totalcmd\TOTALCMD.EXE REG_SZ C:\Program Files\totalcmd\TOTALCMD.EXE:*:Enabled:Total Commander 32 bit international version, file manager replacement for Windows
      C:\WINDOWS\system32\mmc.exe REG_SZ C:\WINDOWS\system32\mmc.exe:*:Enabled:Microsoft Management Console
      C:\Program Files\Java\jre1.6.0_01\launch4j-tmp\RKMediaCenter.exe REG_SZ C:\Program Files\Java\jre1.6.0_01\launch4j-tmp\RKMediaCenter.exe:*:Enabled:Java(TM) Platform SE binary
      C:\Program Files\FileZilla FTP Client\filezilla.exe REG_SZ C:\Program Files\FileZilla FTP Client\filezilla.exe:*:Enabled:FileZilla FTP Client
      %windir%\Network Diagnostic\xpnetdiag.exe REG_SZ %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
      C:\Program Files\Fichiers communs\Adobe\CS4ServiceManager\CS4ServiceManager.exe REG_SZ C:\Program Files\Fichiers communs\Adobe\CS4ServiceManager\CS4ServiceManager.exe:*:Enabled:Adobe CSI CS4
      C:\Program Files\Windows Live\Messenger\wlcsdk.exe REG_SZ C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call
      C:\Program Files\Windows Live\Messenger\msnmsgr.exe REG_SZ C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger
      C:\UDK\The Ball UDK Demo\Binaries\Win32\UDK.exe REG_SZ C:\UDK\The Ball UDK Demo\Binaries\Win32\UDK.exe:*:Enabled:UDK
      C:\Program Files\Lionhead Studios Ltd\Black & White\runblack.exe REG_SZ C:\Program Files\Lionhead Studios Ltd\Black & White\runblack.exe:*:Enabled:lh
      C:\Program Files\C.E.W\OpenLieroX.exe REG_SZ C:\Program Files\C.E.W\OpenLieroX.exe:*:Enabled:OpenLieroX
      C:\Program Files\Freeplayer\vlc\vlc.exe REG_SZ C:\Program Files\Freeplayer\vlc\vlc.exe:*:Enabled:VLC media player
      C:\Program Files\VideoLAN\VLC\vlc.exe REG_SZ C:\Program Files\VideoLAN\VLC\vlc.exe:*:Enabled:VLC media player
      C:\Program Files\EasyPHP 3.0\mysql\bin\mysqld.exe REG_SZ C:\Program Files\EasyPHP 3.0\mysql\bin\mysqld.exe:*:Enabled:mysqld
      C:\Program Files\Microsoft ActiveSync\rapimgr.exe REG_SZ C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
      C:\Program Files\Microsoft ActiveSync\wcescomm.exe REG_SZ C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
      C:\Program Files\Microsoft ActiveSync\WCESMgr.exe REG_SZ C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
      C:\Program Files\Vuze\Azureus.exe REG_SZ C:\Program Files\Vuze\Azureus.exe:*:Enabled:Azureus

      [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
      %windir%\system32\sessmgr.exe REG_SZ %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
      %windir%\Network Diagnostic\xpnetdiag.exe REG_SZ %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
      C:\Program Files\Windows Live\Messenger\wlcsdk.exe REG_SZ C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call
      C:\Program Files\Windows Live\Messenger\msnmsgr.exe REG_SZ C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger
      C:\Program Files\Microsoft ActiveSync\rapimgr.exe REG_SZ C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
      C:\Program Files\Microsoft ActiveSync\wcescomm.exe REG_SZ C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
      C:\Program Files\Microsoft ActiveSync\WCESMgr.exe REG_SZ C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

      ===============
      ActivX controls
      ===============
      HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\Microsoft XML Parser for Java
      HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{03F998B2-0E00-11D3-A498-00104B6EB52E}
      HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{051D0E35-F4E3-4C8D-B411-AB0875F4C683}
      HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{0CCA191D-13A6-4E29-B746-314DEE697D83}
      HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{0DB074F0-617E-4EE9-912C-2965CF2AA5A4}
      HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{13EC55CF-D993-475B-9ACA-F4A384957956}
      HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{166B1BCA-3F9C-11CF-8075-444553540000}
      HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{17492023-C23A-453E-A040-C7C580BBF700}
      HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{20A60F0D-9AFA-4515-A0FD-83BD84642501}
      HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{210D0CBC-8B17-48D1-B294-1A338DD2EB3A}
      HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{474F00F5-3853-492C-AC3A-476512BBC336}
      HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{4871A87A-BFDD-4106-8153-FFDE2BAC2967}
      HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{74D05D43-3236-11D4-BDCD-00C04F9A3B61}
      HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{8AD9C840-044E-11D1-B3E9-00805F499D93}
      HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
      HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{C3F79A2B-B9B4-4A66-B012-3EE46475B072}
      HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
      HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
      HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{D27CDB6E-AE6D-11CF-96B8-444553540000}
      HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{D4323BF2-006A-4440-A2F5-27E3E7AB25F8}
      HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{F5A7706B-B9C0-4C89-A715-7A0C6B05DD48}
      HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1}

      ===============
      HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}
      HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}
      HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{26923b43-4d38-484f-9b9e-de460746276c}
      HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}
      HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS
      HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}
      HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\KB910393
      HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{08B0E5C0-4FCB-11CF-AAA5-00401C608500}
      HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10072CEC-8CC1-11D1-986E-00A0C955B42F}
      HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{1325db73-d9f1-48f8-8895-6d814ec58889}
      HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{1BC46932-21B2-4130-86E0-B4EB4F7A7A7B}
      HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220}
      HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}
      HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{283807B5-2C60-11D0-A31D-00AA00B92C03}
      HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}
      HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{36f8ec70-c29a-11d1-b5c7-0000f8051515}
      HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{3af36230-a269-11d1-b5bf-0000f8051515}
      HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{3bf42070-b3b1-11d1-b5c5-0000f8051515}
      HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{3F1D6C36-6409-34CE-62A2-2D9372B1DD8A}
      HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{407408d4-94ed-4d86-ab69-a7f649d112ee}
      HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{4278c270-a269-11d1-b5bf-0000f8051515}
      HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}
      HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}
      HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA848-CC51-11CF-AAFA-00AA00B6015C}
      HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F}
      HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{4593B9A9-89FD-4151-04B3-854C11F68BF6}
      HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{45ea75a0-a269-11d1-b5bf-0000f8051515}
      HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{4f216970-c90c-11d1-b5c7-0000f8051515}
      HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{4f645220-306d-11d2-995d-00c04f98bbc9}
      HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{55A1A907-BD1B-BB65-C185-56F3C65EC446}
      HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{5945c046-1e7d-11d1-bc44-00c04fd912be}
      HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{5A8D6EE0-3E18-11D0-821E-444553540000}
      HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}
      HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{630b1da0-b465-11d1-9948-00c04f98bbc9}
      HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}
      HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9}
      HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}
      HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{73fa19d0-2d75-11d2-995d-00c04f98bbc9}
      HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}
      HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{89820200-ECBD-11cf-8B85-00AA005B4340}
      HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{89820200-ECBD-11cf-8B85-00AA005B4383}
      HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}
      HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8b15971b-5355-4c82-8c07-7e181ea07608}
      HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9381D8F2-0288-11D0-9501-00AA00B911A5}
      HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{94de52c8-2d59-4f1b-883e-79663d2d9a8c}
      HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A59C25A1-F636-A4F6-A353-4C3AD5C52678}
      HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B508B3F1-A24A-32C0-B310-85786919EF28}
      HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{BDE0FA43-6952-4BA8-8C58-09AF690F88E1}
      HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
      HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{C9E9A340-D1F1-11D0-821E-444553540600}
      HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{CC2A9BA0-3BDD-11D0-821E-444553540000}
      HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{CDD7975E-60F8-41d5-8149-19E51D6F71D0}
      HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D27CDB6E-AE6D-11cf-96B8-444553540000}
      HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9}
      HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{E8EA5BD6-D931-4001-ABF6-81BAA500360A}
      HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{E92B03AB-B707-11d2-9CBD-0000F87A369E}
      HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{EA29D410-CE41-4953-A862-2DE706A1DAD7}
      HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{FDC11A6F-17D1-48f9-9EA3-9051954BAA24}

      ==============
      BHO :
      ======
      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]

      ================
      Internet Explorer :
      ================
      [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
      Start Page REG_SZ https://www.msn.com/fr-fr/?ocid=iehp

      [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
      Start Page REG_SZ https://news.google.com/topstories?hl=en-US&gl=US&ceid=US:en

      ========
      Services
      ========
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services]

      Ndisuio : 0x4 ( OK = 3 )
      EapHost : 0x3 ( OK = 2 )
      SharedAccess : 0x2 ( OK = 2 )
      wuauserv : 0x2 ( OK = 2 )

      =========
      Atapi.sys
      =========

      %%%% HASHDEEP-1.0
      %%%% size,md5,sha256,filename
      ## Invoked from: C:\Documents and Settings\Jay\Local Settings\temp\C.tmp
      ## C:\> hashdeep C:\WINDOWS\System32\Drivers\atapi.sys
      ##
      96512,9f3a2f5aa6875c72bf062c712cfa2674,b4df1d2c56a593c6b54de57395e3b51d288f547842893b32b0f59228a0cf70b9,C:\WINDOWS\System32\Drivers\atapi.sys


      Sources
      =======

      C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
      C:\WINDOWS\ServicePackFiles\i386\atapi.sys
      C:\WINDOWS\system32\drivers\atapi.sys

      Référence :
      ==========

      Win XP_32b : a64013e98426e1877cb653685c5c0009
      Win XP_SP2_32b : CDFE4411A69C224BD1D11B2DA92DAC51
      Win XP_SP3_32b : 9F3A2F5AA6875C72BF062C712CFA2674
      Vista_32b : e03e8c99d15d0381e02743c36afc7c6f
      Vista_SP1_32b : 2d9c903dc76a66813d350a562de40ed9
      Vista_SP2_32b : 1F05B78AB91C9075565A9D8A4B880BC4
      Vista_SP2_64b : 1898FAE8E07D97F2F6C2D5326C633FAC
      Windows 7_32b : 80C40F7FDFC376E4C5FEEC28B41C119E
      Windows 7_64b : 02062C0B390B7729EDC9E69C680A6F3C


      O:\Autorun.inf :
      ----------------
      [autorun]
      icon = .\FreeAgentDesktop.ico
      =======
      Drive :
      =======

      Défragmenteur de disque Windows
      Copyright (c) 2001 Microsoft Corp. et Executive Software International Inc.

      Rapport d'analyse
      113 Go total, 75,22 Go libre (66%), 3% fragmenté (fragmentation du fichier 6%)

      Il ne vous est pas nécessaire de défragmenter ce volume.

      ¤¤¤¤¤¤¤¤¤¤ Files/folders :

      Present !! : C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
      Present !! : C:\WINDOWS\aucfg.ini
      Present !! : C:\WINDOWS\kb913800.exe
      Present !! : C:\WINDOWS\System32\clauth1.dll
      Present !! : C:\WINDOWS\System32\clauth2.dll
      Present !! : C:\WINDOWS\System32\drivers\etc\hosts.msn
      Present !! : C:\WINDOWS\System32\lsprst7.dll
      Present !! : C:\WINDOWS\System32\lsprst7.tgz
      Present !! : C:\WINDOWS\System32\SET*.tmp
      Present !! : C:\WINDOWS\System32\ssprs.dll
      Present !! : C:\WINDOWS\System32\sysprs7.dll
      Present !! : C:\WINDOWS\System32\sysprs7.tgz
      Present !! : C:\Documents and Settings\Jay\Local Settings\Temp\9.tmp
      Present !! : C:\Documents and Settings\Jay\LOCAL Settings\Temp\Perflib_Perfdata_1490.dat
      Present !! : C:\Documents and Settings\Jay\LOCAL Settings\Temp\Perflib_Perfdata_774.dat
      Present !! : C:\Documents and Settings\Jay\LOCAL Settings\Temp\catchme.dll
      Present !! : C:\Documents and Settings\Jay\LOCAL Settings\Temp\egX9rYTw.dll
      Present !! : C:\Documents and Settings\Jay\LOCAL Settings\Temp\hGu8YnFX.dll
      Present !! : C:\Documents and Settings\Jay\LOCAL Settings\Temp\I64xG6fq.dll
      Present !! : C:\Documents and Settings\Jay\LOCAL Settings\Temp\NEventMessages.dll
      Present !! : C:\Documents and Settings\Jay\LOCAL Settings\Temp\sfextra.dll
      Present !! : C:\Documents and Settings\Jay\LOCAL Settings\Temp\u2nOvr41.dll

      ¤¤¤¤¤¤¤¤¤¤ Keys :

      Present !! : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{0E5CBF21-D15F-11D0-8301-00AA005B4383}
      Present !! : HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives
      Present !! : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives
      Present !! : HKEY_USERS\S-1-5-21-3715763573-1312033059-2079873494-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives
      Present !! : "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe"
      Present !! : "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe"
      Present !! : HKCR\CLSID\{248dd896-bb45-11cf-9abc-0080c7e7b78d}
      Present !! : HKCR\CLSID\{248dd897-bb45-11cf-9abc-0080c7e7b78d}
      Present !! : HKCR\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179}
      Present !! : HKCR\Interface\{248dd892-bb45-11cf-9abc-0080c7e7b78d}
      Present !! : HKCR\Interface\{248dd893-bb45-11cf-9abc-0080c7e7b78d}
      Present !! : HKCR\Interface\{4897bba6-48d9-468c-8efa-846275d7701b}
      Present !! : HKCR\TypeLib\{248dd890-bb45-11cf-9abc-0080c7e7b78d}
      Present !! : HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C80B7FF6-CE60-4079-935E-520C045C30A6}
      Present !! : HKLM\Software\Classes\CLSID\{9AFB8248-617F-460D-9366-D71CDEDA3179}

      ============

      catchme 0.3.1398.3 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
      Rootkit scan 2010-02-21 15:10:19
      Windows 5.1.2600 Service Pack 3 NTFS

      scanning hidden processes ...

      scanning hidden services & system hive ...

      [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\hjgruibofaqacf]
      "start"=dword:00000001
      "type"=dword:00000001
      "group"="file system"
      "imagepath"=str(2):"\systemroot\system32\drivers\hjgruiowvubuoy.sys"

      [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\hjgruibofaqacf\main]
      "aid"="10002"
      "sid"="0"
      "cmddelay"=dword:00003840

      [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\hjgruibofaqacf\modules]
      "hjgruirk.sys"="\systemroot\system32\drivers\hjgruiowvubuoy.sys"
      "hjgruicmd.dll"="\systemroot\system32\hjgruinnauaklx.dll"
      "hjgruilog.dat"="\systemroot\system32\hjgruitidkbkfq.dat"
      "hjgruiwsp.dll"="\systemroot\system32\hjgruihslrajyg.dll"
      "hjgrui.dat"="\systemroot\system32\hjgruiybpnvqyt.dat"
      "hjgruiwsp8.dll"="\systemroot\system32\hjgruisxbnetae.dll"
      "hjgruiconz.dll"="\systemroot\system32\hjgruidbsivlab.dll"
      "hjgruiwsp8p.dll"="\systemroot\system32\hjgruiufykruom.dll"
      "hjgruicont.dll"="\systemroot\system32\hjgruisvxewfob.dll"
      [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC]
      "h0"=dword:00000001
      "hdf12"=hex:8e,bd,4f,95,98,0e,ca,c1,54,be,ed,ec,3f,68,15,f9,e6,62,8a,6d,d6,..
      "p0"="C:\Program Files\DAEMON Tools Lite\"
      "u0"=hex:d4,c3,97,02,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,..

      [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001]
      "a0"=hex:20,01,00,00,b2,5b,bb,9a,8d,dd,66,f4,4e,da,4f,2a,b2,c4,a0,5c,04,..
      "hdf12"=hex:26,92,eb,af,47,8b,53,a0,4f,1d,71,ea,9b,e6,18,ce,fb,fa,ec,15,d7,..

      [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0]
      "hdf12"=hex:d5,9a,65,ce,56,7d,51,fa,2a,49,05,69,47,7d,04,fa,54,b7,4e,9e,b5,..
      [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
      "h0"=dword:00000000
      "khjeh"=hex:f3,8b,47,0f,3d,3f,77,56,4a,73,de,d9,e5,ef,66,cf,38,47,07,93,c7,..
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
      "s1"=dword:2df9c43f
      "s2"=dword:110480d0
      "h0"=dword:00000002

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC]
      "h0"=dword:00000001
      "hdf12"=hex:61,7f,b4,99,77,e4,d1,ae,30,7e,5b,b3,a6,a3,df,42,b1,87,39,24,03,..
      "p0"="C:\Program Files\DAEMON Tools Lite\"
      "u0"=hex:d4,c3,97,02,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,..

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001]
      "a0"=hex:20,01,00,00,b2,5b,bb,9a,8d,dd,66,f4,4e,da,4f,2a,b2,c4,a0,5c,04,..
      "hdf12"=hex:26,92,eb,af,47,8b,53,a0,4f,1d,71,ea,9b,e6,18,ce,fb,fa,ec,15,d7,..

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0]
      "hdf12"=hex:d5,9a,65,ce,56,7d,51,fa,2a,49,05,69,47,7d,04,fa,54,b7,4e,9e,b5,..

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
      "h0"=dword:00000000
      "khjeh"=hex:f3,8b,47,0f,3d,3f,77,56,4a,73,de,d9,e5,ef,66,cf,38,47,07,93,c7,..
      [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
      "p0"="C:\Program Files\DAEMON Tools Lite\"
      "h0"=dword:00000000
      "khjeh"=hex:82,f7,ce,c3,36,0f,a6,c5,45,80,2a,f4,d2,67,87,c3,59,bf,38,85,9e,..

      [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
      "a0"=hex:20,01,00,00,26,d6,3b,1c,af,28,8c,f3,92,7a,28,c2,b6,50,48,cb,c8,..
      "khjeh"=hex:3f,46,13,e3,26,5d,3e,16,4a,77,a7,2d,c2,67,fd,26,7d,e0,9d,40,42,..

      [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
      "khjeh"=hex:a5,03,73,2f,cc,ad,a1,b6,51,52,19,ad,d5,81,fd,8a,c7,28,45,81,99,..
      [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC]
      "h0"=dword:00000001
      "hdf12"=hex:61,7f,b4,99,77,e4,d1,ae,30,7e,5b,b3,a6,a3,df,42,b1,87,39,24,03,..
      "p0"="C:\Program Files\DAEMON Tools Lite\"
      "u0"=hex:d4,c3,97,02,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,..

      [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001]
      "a0"=hex:20,01,00,00,b2,5b,bb,9a,8d,dd,66,f4,4e,da,4f,2a,b2,c4,a0,5c,04,..
      "hdf12"=hex:26,92,eb,af,47,8b,53,a0,4f,1d,71,ea,9b,e6,18,ce,fb,fa,ec,15,d7,..

      [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0]
      "hdf12"=hex:d5,9a,65,ce,56,7d,51,fa,2a,49,05,69,47,7d,04,fa,54,b7,4e,9e,b5,..
      [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
      "h0"=dword:00000000
      "khjeh"=hex:f3,8b,47,0f,3d,3f,77,56,4a,73,de,d9,e5,ef,66,cf,38,47,07,93,c7,..

      scanning hidden registry entries ...

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\System]
      "OODEFRAG10.00.00.01WORKSTATION"="C7C017C7F3E7418B8B7986B4D3CB3A27C53D9F1F5E8C95FE35704907F56CCE5CC67E28C4B90B177BD2A14EF7C8934B236FEDFE3D993B8280C6408137E38723D710EB826492F3940984C107CD4C55735875E5EEF9891DDD9865EF87363CE05213B9E3AE3282BB114C77F503E475F52115919B29C7F284526A4AF39DDD1356DCA21E7A160B10EC0972C50DF4BF594CEBBA3E3CCA6F9FB7AEAB72F5E9D9833AEC335C740A21C6099CBA4E8776B594A70A3E3D25D48D5A7062A89ECF772BA9D4C903554A3D7933818E7A379D03EFC6C85B2992EBAE10FEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CA6A0AC4980AC7933A6171C11EC38DE3D9DB7CE019D40AA5CC038D530D6EB34520F76E2F980B1A8D9A19E34DCB83CE140E36FFA6ADC10335445451B73805DAFE7B880C87011E59065BC6EBC515EC9B94573850221BA314DD9C6F3D275AD3E4DE19EF87DAE2C52CD7929946306E9A1B6CAB10202F2B91C1B1C84870E57771992A4E60B9B810D6435371E895DFE78909738874A6837F397E16AB8F094E31B526E04BCD765C931BF7E9558BB034F6A947CC961B846584BA04DE4A099D07B9B86B4A34E723DFADCBB47DF1789D12162E16A0EAF9AD154E568EBFEFDDC528FBD7F1DFCCE642B9E19E00FB41D4B6AB14960CB69683265BDABD12E8217874C288D414360F4285B4F2D6E3B0733C891D24DAA6D150236FDB94C786C8C34DD14E15880256E7AAD1DBDABD6929C243E3169DA90011AFACE3E843525E00DA496256BAF26A61C1FD965AEE5414211405DD46DA9951C5AD21CEB6A9D5B294AB95D9F86695111B3A4054B7AF287DB53DACAAE6D2F7237898F30F04FFECDC75AC750C48BA2528C53527A8B8D2F3851A64B20918AA811B02E39105B279666A3AD2A82FC66352EAB6CF1F905E73917FDA06E6AF87A961249A45B355D7F633F07813D7C511647A0604453B83B9CF3199CABA2A9FE863DC8A61D888E4B74ADAC9F6C63B7F2AC3B15017548DDD85507E84C094B53678AA3BB529BD37EA038FBAF02568123B3533FADCAEE2806264F5C6614C8525116F817273A76D65A7B921D03A1FD022309433EBFDCEF4DBF95D7A4A15BD2200112D7A6FAAE5B2DEB1C5CA1125A71D28D10CD6BD5B98E1611B956D264ED62A7310BBDA7DAE5487872E9055D7DEA97E4AD07D43E2C49376570CBC11DA6FC055AA8D05BB09C7812DD9EEE8DEC9AF4282E42D04FED36D6A4A14BA6A5FE181C1E302058EF9F4EE4E08417D78C2A7100B0287FF3CAFA1791EA368049A2B79A44E525C4B9D093AD8BAE9975762D37BD7590D00B9BE3A7A98DED9164D9ED4BC4D1E4B936B26772AEB24D4FC8422DF971237EA88116CFF9FAC1E7A5BF1F4FFE62067AEF0C25B16179835F5712D3DE1A2F3D02376F58D4"
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
      "DeviceNotSelectedTimeout"="15"
      "GDIProcessHandleQuota"=dword:00002710
      "Spooler"="yes"
      "swapdisk"=""
      "TransmissionRetryTimeout"="90"
      "USERProcessHandleQuota"=dword:00002710

      scanning hidden files ...

      scan completed successfully
      hidden processes: 0
      hidden services: 0
      hidden files: 0


      Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

      device: opened successfully
      user: MBR read successfully
      called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x83299EC0]<<
      kernel: MBR read successfully
      detected MBR rootkit hooks:
      \Driver\ACPI -> 0x83299ec0
      NDIS: Generic Marvell Yukon Chipset based Ethernet Controller -> SendCompleteHandler -> 0x83354330
      Warning: possible MBR rootkit infection !
      copy of MBR has been found in sector 0x01D1C4581
      malicious code @ sector 0x01D1C4584 !
      PE file found in sector at 0x01D1C459A !
      MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

      ==========
      Programs
      ==========

      Acro Software
      Adobe
      Adventure Game Studio 3.1.2 SP1
      AntiVir PersonalEdition Classic
      ArcSoft
      Astase
      Brother
      C.E.W
      CCleaner
      commercial
      Compil Games
      DAEMON Tools Lite
      Debugging Tools for Windows (x86)
      DIFX
      DivX
      EASEUS
      EasyPHP 3.0
      FastCaisse
      Fichiers communs
      FileZilla FTP Client
      Firebird
      Flickr Uploadr
      FreeMind
      Game_Maker8
      Google
      GPLGS
      Install Creator
      InstallShield Installation Information
      Internet Explorer
      Java
      Journal de sauvegarde
      K-Lite Codec Pack
      List_Kill'em
      Macromedia
      MadTracker
      Malwarebytes' Anti-Malware
      Maxis
      Messenger
      Messenger Plus! Live
      Microsoft
      Microsoft ActiveSync
      Microsoft CAPICOM 2.1.0.2
      Microsoft Chart Controls
      microsoft frontpage
      Microsoft Money 2005
      Microsoft Office
      Microsoft Visual Studio
      Microsoft Visual Studio 8
      Microsoft Windows Script
      Microsoft Works
      Microsoft.NET
      Movie Maker
      Mozilla Firefox
      MSBuild
      msn
      MSN Gaming Zone
      MSXML 4.0
      NetMeeting
      Nokia
      OO Software
      Outlook Express
      PC Connectivity Solution
      PSPad editor
      Realtek
      Reference Assemblies
      Seagate
      Sega
      Services en ligne
      Skyline
      SpeedFan
      Spybot - Search & Destroy
      StepMania
      Symbian
      Trend Micro
      TuneUp Utilities 2008
      Uninstall Information
      Unity
      VideoLAN
      Vuze
      Windows Desktop Search
      Windows Live
      Windows Media Connect 2
      Windows Media Player
      Windows NT
      Windows Plus
      WindowsUpdate
      WinRAR
      xerox

      ============
      Drive C:
      ============

      Boot.bak
      boot.ini
      cmdcons
      cmldr
      ComboFix
      Config.Msi
      config.sys
      Documents and Settings
      drv
      eDS_PSD_drive.vmdf
      games
      GUIDE
      i386
      IO.SYS
      Kill'em
      List'em.txt
      logwmemory.bin
      MSDOS.SYS
      MSOCache
      NTDETECT.COM
      ntldr
      NVIDIA
      pagefile.sys
      PDOXUSRS.NET
      Program Files
      Qoobox
      sqmdata00.sqm
      sqmdata01.sqm
      sqmnoopt00.sqm
      sqmnoopt01.sqm
      SYSINFO
      System Volume Information
      Temp
      VALUEADD
      WINDOWS

      ¤¤¤¤¤¤¤¤¤¤ Cracks | Keygens | Serials





      ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤( EOF )¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

      End of scan : 15:34:01,43
      0
  3. gen-hackman
     
    bien on a trouvé le rootkit

    execute ces deux petites applications que je viens de te concocter et remets les rapports

    http://sd-1.archive-host.com/membres/up/829108531491024/Temp_Tools/Remove_File_codename.exe
    http://sd-1.archive-host.com/membres/up/829108531491024/Temp_Tools/Remove_Key_Codename.exe

    ensuite :

    ▶ Relance List_Kill'em(soit en clic droit pour vista/7),avec le raccourci sur ton bureau.
    mais cette fois-ci :

    ▶ choisis l'option 2 = Mode Suppression

    laisse travailler l'outil.

    en fin de scan un rapport s'ouvre

    ▶ colle le contenu dans ta reponse

    ensuite:

    ▶ Relance List_Kill'em(soit en clic droit pour vista/7),avec le raccourci sur ton bureau.
    mais cette fois-ci :

    ▶ choisis l'option 6 = Restore MBR

    laisse travailler l'outil.

    en fin de scan un rapport s'ouvre

    ▶ colle le contenu dans ta reponse
    0
    1. Codename5281
       
      Rapports des deux applications:
      Remove file:
      "file:"
      Remove key:
      "key:
      key:"

      Rapport Kill'em:
      Kill'em by g3n-h@ckm@n 1.2.5.3

      User : Jay (Administrateurs)
      Update on 19/02/2010 by g3n-h@ckm@n ::::: 13.15
      Start at: 16:01:32 | 21/02/2010
      Contact : https://forums.commentcamarche.net/forum/virus-securite-7

      AMD Athlon(tm) 64 X2 Dual Core Processor 4200+
      Microsoft Windows XP Professionnel (5.1.2600 32-bit) # Service Pack 3
      Internet Explorer 8.0.6001.18702
      Windows Firewall Status : Enabled
      AV : Avira AntiVir PersonalEdition 8.0.1.30 [ (!) Disabled | Updated ]
      FW : Norton Internet Worm Protection[ (!) Disabled ]2006

      C:\ -> Disque fixe local | 113,27 Go (75,21 Go free) [ACER] | NTFS
      D:\ -> Disque fixe local | 113,73 Go (3,89 Go free) [ACERDATA] | FAT32
      E:\ -> Disque CD-ROM
      G:\ -> Disque CD-ROM
      I:\ -> Disque amovible | 1,87 Go (1,07 Go free) | FAT
      J:\ -> Disque amovible
      K:\ -> Disque amovible
      L:\ -> Disque amovible
      O:\ -> Disque fixe local | 465,76 Go (130,39 Go free) [FreeAgent Drive] | NTFS


      ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Processes running

      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\csrss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\nvsvc32.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\alg.exe
      C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\system32\inetsrv\inetinfo.exe
      C:\Program Files\Java\jre6\bin\jqs.exe
      C:\WINDOWS\system32\oodag.exe
      C:\WINDOWS\System32\snmp.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\system32\svchost.exe
      C:\Program Files\Astase\UltraBackup\4.9\bin\tbsd.exe
      C:\WINDOWS\Explorer.EXE
      C:\Program Files\Astase\UltraBackup\4.9\bin\thpassiveclientsvc.exe
      C:\WINDOWS\system32\SearchIndexer.exe
      C:\WINDOWS\ehome\mcrdsvc.exe
      C:\Program Files\Windows Media Player\WMPNetwk.exe
      C:\WINDOWS\system32\taskmgr.exe
      C:\WINDOWS\system32\wscntfy.exe
      C:\WINDOWS\RTHDCPL.EXE
      C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
      C:\WINDOWS\system32\RUNDLL32.EXE
      C:\WINDOWS\system32\oodtray.exe
      C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
      C:\Program Files\DAEMON Tools Lite\DTLite.exe
      C:\WINDOWS\system32\wbem\wmiapsrv.exe
      C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
      C:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrv.exe
      C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
      C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
      C:\WINDOWS\system32\notepad.exe
      C:\Program Files\List_Kill'em\List_Kill'em.scr
      C:\WINDOWS\system32\cmd.exe
      C:\WINDOWS\system32\wbem\wmiprvse.exe
      C:\Documents and Settings\Jay\Local Settings\temp\12.tmp\ERUNT.EXE
      C:\Documents and Settings\Jay\Local Settings\temp\12.tmp\pv.exe

      Detections :
      ==========


      ¤¤¤¤¤¤¤¤¤¤ Files/folders :

      Quarantined & Deleted !! : C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
      Quarantined & Deleted !! : C:\WINDOWS\aucfg.ini
      Quarantined & Deleted !! : C:\WINDOWS\kb913800.exe

      Quarantined & Deleted !! : C:\WINDOWS\System32\clauth1.dll
      Quarantined & Deleted !! : C:\WINDOWS\System32\clauth2.dll
      Quarantined & Deleted !! : C:\WINDOWS\System32\drivers\etc\hosts.msn
      Quarantined & Deleted !! : C:\WINDOWS\System32\lsprst7.dll
      Quarantined & Deleted !! : C:\WINDOWS\System32\lsprst7.tgz
      Quarantined & Deleted !! : C:\WINDOWS\System32\SET299.tmp
      Quarantined & Deleted !! : C:\WINDOWS\System32\SET29A.tmp
      Quarantined & Deleted !! : C:\WINDOWS\System32\SET2E8.tmp
      Quarantined & Deleted !! : C:\WINDOWS\System32\SET2EA.tmp
      Quarantined & Deleted !! : C:\WINDOWS\System32\SET2F6.tmp
      Quarantined & Deleted !! : C:\WINDOWS\System32\ssprs.dll
      Quarantined & Deleted !! : C:\WINDOWS\System32\sysprs7.dll
      Quarantined & Deleted !! : C:\WINDOWS\System32\sysprs7.tgz
      Quarantined & Deleted !! : C:\Documents and Settings\Jay\Local Settings\Temp\9.tmp
      Quarantined & Deleted !! : C:\Documents and Settings\Jay\LOCAL Settings\Temp\Perflib_Perfdata_1490.dat
      Quarantined & Deleted !! : C:\Documents and Settings\Jay\LOCAL Settings\Temp\Perflib_Perfdata_774.dat
      Quarantined & Deleted !! : C:\Documents and Settings\Jay\LOCAL Settings\Temp\egX9rYTw.dll
      Quarantined & Deleted !! : C:\Documents and Settings\Jay\LOCAL Settings\Temp\hGu8YnFX.dll
      Quarantined & Deleted !! : C:\Documents and Settings\Jay\LOCAL Settings\Temp\I64xG6fq.dll
      Quarantined & Deleted !! : C:\Documents and Settings\Jay\LOCAL Settings\Temp\NEventMessages.dll
      Quarantined & Deleted !! : C:\Documents and Settings\Jay\LOCAL Settings\Temp\sfextra.dll
      Quarantined & Deleted !! : C:\Documents and Settings\Jay\LOCAL Settings\Temp\u2nOvr41.dll

      ==============
      host file OK !
      ==============

      ========
      Registry
      ========

      Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{0E5CBF21-D15F-11D0-8301-00AA005B4383}
      Deleted : HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives
      Deleted : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives
      Deleted : "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe"
      Deleted : "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe"
      Deleted : HKCR\CLSID\{248dd896-bb45-11cf-9abc-0080c7e7b78d}
      Deleted : HKCR\CLSID\{248dd897-bb45-11cf-9abc-0080c7e7b78d}
      Deleted : HKCR\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179}
      Deleted : HKCR\Interface\{248dd892-bb45-11cf-9abc-0080c7e7b78d}
      Deleted : HKCR\Interface\{248dd893-bb45-11cf-9abc-0080c7e7b78d}
      Deleted : HKCR\Interface\{4897bba6-48d9-468c-8efa-846275d7701b}
      Deleted : HKCR\TypeLib\{248dd890-bb45-11cf-9abc-0080c7e7b78d}
      Deleted : HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C80B7FF6-CE60-4079-935E-520C045C30A6}
      ========
      Services
      =========

      Ndisuio : Start = 3
      EapHost : Start = 2
      Ip6Fw : Start = 2
      SharedAccess : Start = 2
      wuauserv : Start = 2
      wscsvc : Start = 2

      ============
      Disk Cleaned
      ============

      =================
      anti-ver blaster : OK !!
      =================

      ================
      Prefetch cleaned
      ================



      ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤( EOF )¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

      Rapport MBR:
      Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

      device: opened successfully
      user: MBR read successfully
      kernel: MBR read successfully
      detected MBR rootkit hooks:
      \Driver\ACPI -> 0x83299ec0
      NDIS: Generic Marvell Yukon Chipset based Ethernet Controller -> SendCompleteHandler -> 0x83354330
      Warning: possible MBR rootkit infection !
      copy of MBR has been found in sector 0x01D1C4581
      malicious code @ sector 0x01D1C4584 !
      PE file found in sector at 0x01D1C459A !
      MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
      original MBR restored successfully !


      Voila... C'est quoi le principe de fonctionnement de tout ces programmes, rapidement?
      0
    2. Codename5281
       
      Tiens, en fermant les fichiers texte j'ai eu droit à un freeze et bip carte mère... Let's reboot
      0
  4. Vous n’avez pas trouvé la réponse que vous recherchez ?

    Posez votre question
  5. gen-hackman
     
    ok relance les deux petites applications en mode sans echec stp et enregistre les rapports
    0
    1. Codename5281
       
      J'ai pas accès au mode sans échec, mon pc reboote une fois les fichiers système chargés.
      0
  6. gen-hackman
     

    /!\ ATTENTION SUIVRE SCRUPULEUSEMENT A LA LETTRE CES INDICATIONS/!\

    ▶ Surtout , pense à l'enregistrement à renommer Combofix en "ton prenom.exe" avant qu'il soit enregistré sur ton disque dur

    _______________________________________________________________
    >Ce logiciel n'est à utiliser que prescrit par un helper qualifié et formé à l'outil.<
    >>>>>>>Ne pas utiliser en dehors de ce cas de figure : dangereux!<<<<<<<<
    ======================================================


    ▶ On va utiliser ComboFix.exe. Rends toi sur cette page web pour obtenir les liens de téléchargement, ainsi que des instructions pour exécuter l'outil:

    https://www.bleepingcomputer.com/combofix/fr/comment-utiliser-combofix

    Avant d'utiliser ComboFix :
    ______________________________________________________________________
    >> referme les fenêtres de tous les programmes en cours.
    >> Désactive provisoirement et seulement le temps de l'utilisation de ComboFix,
    >>la protection en temps réel de ton Antivirus et de tes Antispywares,
    >>qui peuvent gêner fortement la procédure de recherche et de nettoyage de l'outil.

    °°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°


    ▶ !!!!!NE TOUCHE A RIEN PENDANT LE TRAVAIL DE COMBOFIX (SOURIS/CLAVIER.....)!!!!!

    ▶ n'oublie pas de reactiver la garde de ton Antivirus et de tes Antispywares, avant de te reconnecter à internet.

    >> Reviens sur le forum, et

    ▶ copie et colle la totalité du contenu de C:\Combofix.txt dans ton prochain message.

    0
    1. Codename5281
       
      Voila le log:

      ComboFix 10-02-20.04 - Jay 21/02/2010 17:31:05.2.2 - x86
      Microsoft Windows XP Professionnel 5.1.2600.3.1252.33.1036.18.767.372 [GMT 1:00]
      Lancé depuis: c:\documents and settings\Jay\Bureau\Jay.exe
      AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
      FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
      .

      (((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
      .

      O:\Autorun.inf
      .
      ---- Exécution préalable -------
      .
      c:\documents and settings\All Users\Application Data\anige.vbs
      c:\documents and settings\All Users\Application Data\pysilujigo.vbs
      C:\Thumbs.db
      c:\windows\azoname.exe
      c:\windows\bupupa.inf
      c:\windows\opapy.vbs
      c:\windows\patch.exe
      c:\windows\system32\drivers\downld\6203812.exe
      c:\windows\system32\hjgruidbsivlab.dll
      c:\windows\system32\hjgruihslrajyg.dll
      c:\windows\system32\hjgruinnauaklx.dll
      c:\windows\system32\hjgruisvxewfob.dll
      c:\windows\system32\hjgruitidkbkfq.dat
      c:\windows\system32\hjgruiufykruom.dll
      c:\windows\system32\hjgruiybpnvqyt.dat
      c:\windows\system32\Thumbs.db

      .
      ((((((((((((((((((((((((((((((((((((((( Pilotes/Services )))))))))))))))))))))))))))))))))))))))))))))))))
      .

      -------\Legacy_hjgruibofaqacf
      -------\Service_hjgruibofaqacf


      ((((((((((((((((((((((((((((( Fichiers créés du 2010-01-21 au 2010-02-21 ))))))))))))))))))))))))))))))))))))
      .

      2010-02-21 15:16 . 2010-02-21 15:16 -------- d-----w- C:\Kill'em
      2010-02-21 15:00 . 2010-02-21 15:00 -------- d-----w- C:\Remove_File
      2010-02-21 14:02 . 2010-02-21 14:02 -------- d-----w- c:\program files\List_Kill'em
      2010-02-20 23:01 . 2010-02-20 23:01 -------- d-----w- c:\documents and settings\Jay\Application Data\Malwarebytes
      2010-02-20 23:01 . 2010-01-07 15:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
      2010-02-20 23:01 . 2010-02-20 23:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
      2010-02-20 23:00 . 2010-01-07 15:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
      2010-02-20 23:00 . 2010-02-20 23:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
      2010-02-20 22:49 . 2010-02-20 22:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
      2010-02-20 22:22 . 2010-02-20 22:22 -------- d-----w- c:\documents and settings\Jay\DoctorWeb
      2010-02-20 20:12 . 2010-02-20 20:13 -------- d-----w- c:\program files\SpeedFan
      2010-02-20 17:51 . 2010-02-20 17:51 -------- d-----w- C:\games
      2010-02-07 23:13 . 2010-02-08 07:35 -------- d-----w- c:\program files\DAEMON Tools Lite
      2010-02-07 22:54 . 2005-10-03 00:05 356437 ----a-w- c:\windows\system32\GDS32.DLL
      2010-02-07 22:54 . 2010-02-07 22:54 -------- d-----w- c:\program files\Firebird
      2010-02-07 22:53 . 2010-02-07 22:56 -------- d-----w- c:\program files\FastCaisse
      2010-02-07 13:51 . 2010-02-07 13:51 -------- d-----w- c:\program files\Maxis
      2010-02-07 13:34 . 2010-02-07 13:34 -------- d-----w- c:\program files\Sega
      2010-02-04 10:38 . 2010-02-04 10:38 50354 ----a-w- c:\documents and settings\Jay\Application Data\Facebook\uninstall.exe
      2010-02-04 10:38 . 2010-02-04 10:38 -------- d-----w- c:\documents and settings\Jay\Application Data\Facebook
      2010-02-03 23:17 . 2010-02-03 23:17 -------- d-----w- c:\program files\Adventure Game Studio 3.1.2 SP1
      2010-02-03 22:52 . 2010-02-03 22:52 -------- d-----w- c:\documents and settings\Jay\Application Data\Unity
      2010-02-03 22:52 . 2010-02-03 22:52 -------- d-----w- c:\documents and settings\Jay\Local Settings\Application Data\Unity
      2010-02-03 22:50 . 2010-02-03 22:51 -------- d-----w- c:\documents and settings\Jay\Application Data\PACE Anti-Piracy
      2010-02-03 22:50 . 2010-02-03 22:51 -------- d-----w- c:\documents and settings\All Users\Application Data\PACE Anti-Piracy
      2010-02-03 22:50 . 2010-02-03 22:50 -------- d-----w- c:\program files\Fichiers communs\PACE Anti-Piracy
      2010-02-03 22:50 . 2010-02-03 22:50 -------- d-----w- c:\documents and settings\Jay\Local Settings\Application Data\PACE Anti-Piracy
      2010-02-03 22:43 . 2010-02-03 22:43 -------- d-----w- c:\program files\Unity
      2010-02-03 22:24 . 2010-02-03 22:24 -------- d-----w- c:\program files\Game_Maker8
      2010-02-03 22:23 . 2010-02-03 22:59 -------- d-----w- c:\documents and settings\Jay\.Game Develop
      2010-02-03 22:22 . 2010-02-03 22:59 -------- d-----w- c:\program files\Compil Games
      2010-02-01 22:04 . 2010-02-01 22:04 847040 ----a-w- c:\documents and settings\Jay\Application Data\Facebook\axfbootloader.dll
      2010-02-01 22:04 . 2010-02-01 22:04 5578752 ----a-w- c:\documents and settings\Jay\Application Data\Facebook\npfbplugin_1_0_1.dll
      2010-01-25 22:51 . 2010-01-25 22:51 -------- d-----w- c:\program files\GPLGS
      2010-01-25 12:13 . 2010-01-25 12:13 -------- d-----w- c:\program files\EASEUS
      2010-01-24 20:54 . 2010-01-24 20:54 -------- d-----w- c:\documents and settings\Jay\Application Data\WindSolutions
      2010-01-22 17:08 . 2010-01-22 14:54 34503600 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Nokia_PC_Suite_7_1_40_1_fre_web.exe
      2010-01-22 17:08 . 2010-01-22 17:08 95232 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\pcswpcsi.exe
      2010-01-22 17:08 . 2010-01-22 17:08 8192 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstCCD.exe
      2010-01-22 17:08 . 2010-01-22 17:08 61440 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
      2010-01-22 17:08 . 2010-01-22 17:08 10240 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstPCS.exe

      .
      (((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
      .
      2010-02-21 12:32 . 2007-07-31 18:40 -------- d-----w- c:\documents and settings\All Users\Application Data\AntiVir PersonalEdition Classic
      2010-02-16 13:14 . 2008-06-30 10:16 -------- d-----w- c:\documents and settings\Jay\Application Data\FileZilla
      2010-02-14 11:59 . 2006-12-13 19:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
      2010-02-07 23:21 . 2006-12-21 20:46 -------- d-----w- c:\documents and settings\Jay\Application Data\Azureus
      2010-02-07 23:13 . 2007-12-30 12:27 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
      2010-02-07 23:13 . 2009-08-13 16:41 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
      2010-02-07 13:34 . 2006-08-11 17:53 -------- d--h--w- c:\program files\InstallShield Installation Information
      2010-01-22 22:48 . 2008-01-25 19:27 -------- d-----w- c:\documents and settings\Jay\Application Data\dvdcss
      2010-01-22 17:30 . 2007-01-20 18:53 -------- d-----w- c:\documents and settings\Jay\Application Data\Nokia
      2010-01-22 17:09 . 2007-01-20 18:47 -------- d-----w- c:\program files\Fichiers communs\PCSuite
      2010-01-22 17:08 . 2008-04-03 20:08 -------- d-----w- c:\program files\Fichiers communs\Nokia
      2010-01-22 17:08 . 2007-01-20 18:47 -------- d-----w- c:\program files\Nokia
      2010-01-22 17:08 . 2007-04-20 07:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Installations
      2010-01-22 14:16 . 2006-08-11 17:43 95554 ----a-w- c:\windows\system32\perfc00C.dat
      2010-01-22 14:16 . 2006-08-11 17:43 540272 ----a-w- c:\windows\system32\perfh00C.dat
      2010-01-17 22:06 . 2010-01-17 22:06 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
      2010-01-17 22:02 . 2010-01-17 22:02 -------- d-----w- c:\program files\Microsoft ActiveSync
      2010-01-17 11:17 . 2010-01-17 11:17 -------- d-----w- c:\documents and settings\Jay\Application Data\Nokia Ovi Suite
      2010-01-17 10:46 . 2010-01-17 10:46 -------- d-----w- c:\program files\PC Connectivity Solution
      2010-01-17 10:45 . 2010-01-17 10:45 12212040 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\WMFDist11-WindowsXP-X86-ENU.exe
      2010-01-17 10:45 . 2010-01-17 10:45 13930312 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\WMFDist11-WindowsXP-X64-ENU.exe
      2010-01-17 10:45 . 2010-01-17 10:45 77824 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\Run_XML6_SP1.exe
      2010-01-17 10:45 . 2010-01-17 10:45 61440 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\WMF11Runx86.exe
      2010-01-17 10:45 . 2010-01-17 10:45 58880 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\WMF11Runx64.exe
      2010-01-17 10:45 . 2010-01-17 10:45 50000 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\pcswpc.exe
      2010-01-17 10:40 . 2010-01-17 10:40 -------- d-----w- c:\documents and settings\All Users\Application Data\OviInstallerCache
      2010-01-17 10:40 . 2010-01-17 10:40 95992424 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Nokia_Ovi_Suite_webinstaller(2).exe
      2010-01-15 10:03 . 2006-12-02 09:51 125200 -c--a-w- c:\documents and settings\Jay\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
      2010-01-15 02:34 . 2009-09-04 18:20 -------- d-----w- c:\program files\Spybot - Search & Destroy
      2010-01-15 01:00 . 2010-01-15 01:00 -------- d-----w- c:\program files\CCleaner
      2010-01-15 00:21 . 2007-06-11 20:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
      2010-01-14 23:53 . 2010-01-14 23:53 -------- d-----w- c:\program files\OO Software
      2010-01-14 23:44 . 2009-08-11 14:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
      2010-01-14 23:35 . 2007-06-11 19:34 -------- d-----w- c:\program files\Fichiers communs\Wise Installation Wizard
      2010-01-10 23:46 . 2010-01-10 23:46 312128 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
      2010-01-09 09:46 . 2008-01-09 18:52 -------- d-----w- c:\program files\Microsoft Works
      2009-12-31 16:50 . 2005-05-10 00:17 353792 ----a-w- c:\windows\system32\drivers\srv.sys
      2009-12-25 20:32 . 2009-08-15 14:31 -------- d-----w- c:\program files\C.E.W
      2009-12-21 19:07 . 2006-03-04 04:00 916480 ----a-w- c:\windows\system32\wininet.dll
      2009-12-17 07:41 . 2004-08-10 20:00 347648 ----a-w- c:\windows\system32\mspaint.exe
      2009-12-14 07:09 . 2004-08-10 20:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
      2009-12-09 10:08 . 2005-09-29 18:28 2147328 ----a-w- c:\windows\system32\ntoskrnl.exe
      2009-12-09 10:08 . 2005-09-29 18:28 2025984 ----a-w- c:\windows\system32\ntkrnlpa.exe
      2009-12-04 18:22 . 2005-01-19 04:26 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
      2009-11-27 17:13 . 2005-08-30 04:16 1297920 ----a-w- c:\windows\system32\quartz.dll
      2009-11-27 17:13 . 2004-08-10 20:00 17920 ----a-w- c:\windows\system32\msyuv.dll
      2009-11-27 16:08 . 2004-08-10 20:00 8704 ----a-w- c:\windows\system32\tsbyuv.dll
      2009-11-27 16:08 . 2004-08-10 20:00 85504 ----a-w- c:\windows\system32\avifil32.dll
      2009-11-27 16:08 . 2004-08-10 20:00 48128 ----a-w- c:\windows\system32\iyuv_32.dll
      2009-11-27 16:08 . 2004-08-10 20:00 28672 ----a-w- c:\windows\system32\msvidc32.dll
      2009-11-27 16:08 . 2004-08-10 20:00 11264 ----a-w- c:\windows\system32\msrle32.dll
      2009-10-15 14:42 . 2009-10-15 14:42 14078 ----a-w- c:\program files\Fichiers communs\suvosa.dl
      2009-10-15 14:42 . 2009-10-15 14:42 13260 ----a-w- c:\program files\Fichiers communs\kafako.com
      2009-10-15 14:42 . 2009-10-15 14:42 10994 ----a-w- c:\program files\Fichiers communs\yjoseceqeq.dl
      2008-08-25 20:00 . 2008-08-25 20:04 330 -c-h-tr- c:\program files\Journal de sauvegarde
      2008-04-14 02:34 . 2009-02-24 19:57 60416 -csha-w- c:\windows\NiwradSoft Shell Pack\Backup\msimn.exe
      2009-07-19 19:17 . 2009-07-19 19:17 88 --sh--r- c:\windows\system32\7A004F5EDB.sys
      2008-01-21 15:56 . 2008-01-21 15:55 88 -csha-r- c:\windows\system32\F1BE1573B3.sys
      2009-07-19 19:19 . 2008-01-21 15:50 2516 -csha-w- c:\windows\system32\KGyGaAvL.sys
      .

      ------- Sigcheck -------

      [-] 2008-04-14 . E2C2F42C096F1C3110F663C2EF90B815 . 1544704 . . [6.00.2900.5512] . . c:\windows\explorer.exe
      [7] 2008-04-14 . F2317622D29F9FF0F88AEECD5F60F0DD . 1037824 . . [6.00.2900.5512] . . c:\windows\NiwradSoft Shell Pack\Backup\explorer.exe
      [-] 2008-04-14 . E2C2F42C096F1C3110F663C2EF90B815 . 1544704 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe
      [-] 2007-06-13 . D0288319660EDCFED07C7E74C4EA38A5 . 1037312 . . [6.00.2900.3156] . . c:\windows\$NtServicePackUninstall$\explorer.exe
      [-] 2007-06-13 . B795475444D6D57A572C14B9E1A29839 . 1037312 . . [6.00.2900.3156] . . c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
      .
      ((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
      .
      .
      *Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
      REGEDIT4

      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2009-11-11 1451520]
      "DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "RTHDCPL"="RTHDCPL.EXE" [2006-06-01 16208384]
      "avgnt"="c:\program files\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-17 266497]
      "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-10 13758464]
      "nwiz"="nwiz.exe" [2009-06-10 1657376]
      "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-06-10 86016]
      "OODefragTray"="c:\windows\system32\oodtray.exe" [2007-05-11 2512392]

      [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
      "DWQueuedReporting"="c:\progra~1\FICHIE~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

      [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
      "ForceClassicControlPanel"= 1 (0x1)

      [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
      "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

      [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
      BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
      @="Driver"

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMServer]
      c:\program files\Fichiers communs\Nokia\MPlatform\NokiaMServer [X]

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
      2008-08-14 05:58 611712 ----a-w- c:\program files\Fichiers communs\Adobe\CS4ServiceManager\CS4ServiceManager.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
      2006-06-26 20:45 1211176 ----a-w- c:\program files\Microsoft ActiveSync\wcescomm.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
      2005-02-16 15:15 221184 ----a-w- c:\progra~1\FICHIE~1\INSTAL~1\UPDATE~1\ISUSPM.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
      2008-04-14 02:34 1695232 ------w- c:\program files\Messenger\msmsgs.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
      2009-07-26 15:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
      2009-07-19 18:53 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
      "Lavasoft Ad-Aware Service"=2 (0x2)
      "FirebirdServerDefaultInstance"=3 (0x3)
      "FirebirdGuardianDefaultInstance"=2 (0x2)
      "ProtexisLicensing"=2 (0x2)

      [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
      "ctfmon.exe"=c:\windows\system32\ctfmon.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
      "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
      "IMEKRMIG6.1"=c:\windows\ime\imkr6_1\IMEKRMIG.EXE
      "MSPY2002"=c:\windows\system32\IME\PINTLGNT\ImScInst.exe /SYNC
      "nwiz"=nwiz.exe /install
      "ehTray"=c:\windows\ehome\ehtray.exe
      "NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
      "NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
      "ISUSPM Startup"=c:\progra~1\FICHIE~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
      "ISUSScheduler"="c:\program files\Fichiers communs\InstallShield\UpdateService\issch.exe" -start
      "_BackupService"="c:\program files\Astase\UltraBackup\4.9\bin\tbs.exe" -start
      "thnotify"="c:\program files\Astase\UltraBackup\4.9\bin\thtrayagent.exe" /start

      [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
      "DisableMonitoring"=dword:00000001

      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
      "%windir%\\system32\\sessmgr.exe"=
      "c:\\WINDOWS\\system32\\mmc.exe"=
      "c:\\Program Files\\Java\\jre1.6.0_01\\launch4j-tmp\\RKMediaCenter.exe"=
      "c:\\Program Files\\FileZilla FTP Client\\filezilla.exe"=
      "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
      "c:\\Program Files\\Fichiers communs\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
      "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
      "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
      "c:\\Program Files\\C.E.W\\OpenLieroX.exe"=
      "c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
      "c:\\Program Files\\EasyPHP 3.0\\mysql\\bin\\mysqld.exe"=
      "c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
      "c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
      "c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
      "c:\\Program Files\\Vuze\\Azureus.exe"=

      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
      "5353:TCP"= 5353:TCP:Adobe CSI CS4
      "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
      "65533:TCP"= 65533:TCP:Services
      "52344:TCP"= 52344:TCP:Services
      "3246:TCP"= 3246:TCP:Services
      "2479:TCP"= 2479:TCP:Services
      "6114:TCP"= 6114:TCP:Services

      R1 hwinterface;hwinterface;c:\windows\system32\drivers\hwinterface.sys [31/03/2007 21:37 2996]
      R2 ThalliumServer;Astase ThalliumBackup Storage Service;c:\program files\Astase\UltraBackup\4.9\bin\tbsd.exe [14/10/2007 11:31 1929728]
      R2 thpassivesvc;Astase ThalliumBackup Client Background Service;c:\program files\Astase\UltraBackup\4.9\bin\thpassiveclientsvc.exe [14/10/2007 11:31 618496]
      S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [30/12/2007 13:27 691696]
      S1 jdlgmfib;jdlgmfib;\??\c:\windows\system32\drivers\jdlgmfib.sys --> c:\windows\system32\drivers\jdlgmfib.sys [?]
      S2 AdobeAdobeAlerter;Adobe LM Service AdobeAdobeAlerter;c:\windows\TEMP\evbupehsdi.exe service --> c:\windows\TEMP\evbupehsdi.exe service [?]
      S2 cmjwu;cmjwu;\??\c:\windows\system32\drivers\miayk.sys --> c:\windows\system32\drivers\miayk.sys [?]
      S2 gupdate1c98986541bab5f;Google Update Service (gupdate1c98986541bab5f);c:\program files\Google\Update\GoogleUpdate.exe [08/02/2009 01:43 133104]
      S2 ibkqqmi;ibkqqmi;\??\c:\windows\system32\drivers\cdmumqhiyj.sys --> c:\windows\system32\drivers\cdmumqhiyj.sys [?]
      S3 BTCAMDRV;Mobiola Web Camera driver;c:\windows\system32\drivers\BTCamDrv.sys [24/02/2007 22:44 228352]
      S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [17/01/2010 11:46 136704]
      S3 sfr0901;SFR Connexion Adapter V9;c:\windows\system32\drivers\sfr0901.sys [24/02/2008 20:54 26496]
      S4 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\program files\Firebird\Firebird_1_5\bin\fbguard.exe -s --> c:\program files\Firebird\Firebird_1_5\bin\fbguard.exe -s [?]
      S4 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program files\Firebird\Firebird_1_5\bin\fbserver.exe -s --> c:\program files\Firebird\Firebird_1_5\bin\fbserver.exe -s [?]

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
      UxTuneUp
      .
      Contenu du dossier 'Tâches planifiées'

      2010-02-21 c:\windows\Tasks\1-Click Maintenance.job
      - c:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-06-20 07:09]

      2010-02-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
      - c:\program files\Google\Update\GoogleUpdate.exe [2009-02-08 00:43]

      2010-02-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
      - c:\program files\Google\Update\GoogleUpdate.exe [2009-02-08 00:43]

      2010-02-21 c:\windows\Tasks\User_Feed_Synchronization-{7FFA8037-D4E6-4E0A-940E-DACBF666952F}.job
      - c:\windows\system32\msfeedssync.exe [2006-10-17 02:31]
      .
      .
      ------- Examen supplémentaire -------
      .
      uStart Page = hxxp://news.google.com/
      uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
      uInternet Connection Wizard,ShellNext = hxxp://fr.fr.acer.yahoo.com/
      uInternet Settings,ProxyOverride = *.local
      uSearchAssistant = hxxp://www.google.com/ie
      uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
      IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
      Trusted Zone: localhost
      DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
      DPF: {051D0E35-F4E3-4C8D-B411-AB0875F4C683} - hxxp://install.anark.com/client/version4/windows-ie/en/AMClient.cab
      DPF: {210D0CBC-8B17-48D1-B294-1A338DD2EB3A} - hxxp://82.127.76.211:91/VatDec.cab
      FF - ProfilePath - c:\documents and settings\Jay\Application Data\Mozilla\Firefox\Profiles\xvu7etdj.default\
      FF - prefs.js: browser.startup.homepage - hxxp://news.google.fr/
      FF - component: c:\program files\Nokia\Nokia PC Suite 7\bkmrksync\components\BkMrkExt.dll
      FF - plugin: c:\documents and settings\Jay\Application Data\Facebook\npfbplugin_1_0_1.dll
      FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
      FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
      FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
      FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
      FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

      ---- PARAMETRES FIREFOX ----
      .
      - - - - ORPHELINS SUPPRIMES - - - -

      HKU-Default-Run-Nokia.PCSync - c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe
      MSConfigStartUp-Ad-Watch - c:\program files\Lavasoft\Ad-Aware\AAWTray.exe



      **************************************************************************

      catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
      Rootkit scan 2010-02-21 17:37
      Windows 5.1.2600 Service Pack 3 NTFS

      Recherche de processus cachés ...

      Recherche d'éléments en démarrage automatique cachés ...

      Recherche de fichiers cachés ...

      Scan terminé avec succès
      Fichiers cachés: 0

      **************************************************************************
      .
      --------------------- CLES DE REGISTRE BLOQUEES ---------------------

      [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
      "Version"=hex:d0,1b,23,d0,cf,b9,03,0e,20,c2,d5,1d,7b,e4,a0,c1,fc,1e,30,d4,f4,
      4c,04,1f,08,6c,4c,17,a9,24,a7,89,05,d2,9f,92,e5,51,d4,bc,ff,e7,e0,0b,60,98,\

      [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
      "OODEFRAG10.00.00.01WORKSTATION"="C7C017C7F3E7418B8B7986B4D3CB3A27C53D9F1F5E8C95FE35704907F56CCE5CC67E28C4B90B177BD2A14EF7C8934B236FEDFE3D993B8280C6408137E38723D710EB826492F3940984C107CD4C55735875E5EEF9891DDD9865EF87363CE05213B9E3AE3282BB114C77F503E475F52115919B29C7F284526A4AF39DDD1356DCA21E7A160B10EC0972C50DF4BF594CEBBA3E3CCA6F9FB7AEAB72F5E9D9833AEC335C740A21C6099CBA4E8776B594A70A3E3D25D48D5A7062A89ECF772BA9D4C903554A3D7933818E7A379D03EFC6C85B2992EBAE10FEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CA6A0AC4980AC7933A6171C11EC38DE3D9DB7CE019D40AA5CC038D530D6EB34520F76E2F980B1A8D9A19E34DCB83CE140E36FFA6ADC10335445451B73805DAFE7B880C87011E59065BC6EBC515EC9B94573850221BA314DD9C6F3D275AD3E4DE19EF87DAE2C52CD7929946306E9A1B6CAB10202F2B91C1B1C84870E57771992A4E60B9B810D6435371E895DFE78909738874A6837F397E16AB8F094E31B526E04BCD765C931BF7E9558BB034F6A947CC961B846584BA04DE4A099D07B9B86B4A34E723DFADCBB47DF1789D12162E16A0EAF9AD154E568EBFEFDDC528FBD7F1DFCCE642B9E19E00FB41D4B6AB14960CB69683265BDABD12E8217874C288D414360F4285B4F2D6E3B0733C891D24DAA6D150236FDB94C786C8C34DD14E15880256E7AAD1DBDABD6929C243E3169DA90011AFACE3E843525E00DA496256BAF26A61C1FD965AEE5414211405DD46DA9951C5AD21CEB6A9D5B294AB95D9F86695111B3A4054B7AF287DB53DACAAE6D2F7237898F30F04FFECDC75AC750C48BA2528C53527A8B8D2F3851A64B20918AA811B02E39105B279666A3AD2A82FC66352EAB6CF1F905E73917FDA06E6AF87A961249A45B355D7F633F07813D7C511647A0604453B83B9CF3199CABA2A9FE863DC8A61D888E4B74ADAC9F6C63B7F2AC3B15017548DDD85507E84C094B53678AA3BB529BD37EA038FBAF02568123B3533FADCAEE2806264F5C6614C8525116F817273A76D65A7B921D03A1FD022309433EBFDCEF4DBF95D7A4A15BD2200112D7A6FAAE5B2DEB1C5CA1125A71D28D10CD6BD5B98E1611B956D264ED62A7310BBDA7DAE5487872E9055D7DEA97E4AD07D43E2C49376570CBC11DA6FC055AA8D05BB09C7812DD9EEE8DEC9AF4282E42D04FED36D6A4A14BA6A5FE181C1E302058EF9F4EE4E08417D78C2A7100B0287FF3CAFA1791EA368049A2B79A44E525C4B9D093AD8BAE9975762D37BD7590D00B9BE3A7A98DED9164D9ED4BC4D1E4B936B26772AEB24D4FC8422DF971237EA88116CFF9FAC1E7A5BF1F4FFE62067AEF0C25B16179835F5712D3DE1A2F3D02376F58D4"

      [HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
      "Version"=hex:d0,1b,23,d0,cf,b9,03,0e,20,c2,d5,1d,7b,e4,a0,c1,fc,1e,30,d4,f4,
      4c,04,1f,08,6c,4c,17,a9,24,a7,89,05,d2,9f,92,e5,51,d4,bc,ff,e7,e0,0b,60,98,\
      .
      --------------------- DLLs chargées dans les processus actifs ---------------------

      - - - - - - - > 'winlogon.exe'(768)
      c:\windows\system32\SETUPAPI.dll

      - - - - - - - > 'lsass.exe'(824)
      c:\windows\system32\setupapi.dll
      .
      Heure de fin: 2010-02-21 17:40:35
      ComboFix-quarantined-files.txt 2010-02-21 16:40

      Avant-CF: 80 768 126 976 octets libres
      Après-CF: 80 868 048 896 octets libres

      Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4
      - - End Of File - - D2C6820D207F758B2738E34DD2159775
      0
  7. gen-hackman
     
    refais l'option 6 de List_Kill'em

    ensuite :

    Télécharge OTL de OLDTimer

    enregistre le sur ton Bureau.

    ▶ Double clic ( pour vista / 7 => clic droit "executer en tant qu'administrateur") sur OTL.exe pour le lancer.

    ▶ Coche les 2 cases Lop et Purity

    ▶ Coche la case devant scan all users

    ▶ règle-le sur "60 Days"

    ▶ dans la colonne de gauche , mets tout sur "all"

    ne modifie pas ceci :

    "files created whithin" et "files modified whithin"


    ▶Clic sur Run Scan.

    A la fin du scan, le Bloc-Notes va s'ouvrir avec le rapport (OTL.txt).

    Ce fichier est sur ton Bureau (en général C:\Documents and settings\le_nom_de_ta_session\OTL.txt)

    ▶▶▶ NE LE POSTE PAS SUR LE FORUM

    Pour me le transmettre clique sur ce lien : http://www.cijoint.fr/

    ▶ Clique sur Parcourir et cherche le fichier ci-dessus.

    ▶ Clique sur Ouvrir.

    ▶ Clique sur "Cliquez ici pour déposer le fichier".

    Un lien de cette forme :

    http://www.cijoint.fr/cjlink.php?file=cjge368/cijSKAP5fU.txt

    est ajouté dans la page.

    ▶ Copie ce lien dans ta réponse.

    ▶▶ Tu feras la meme chose avec le "Extra.txt".
    0
    1. Codename5281
       
      OTL: http://www.cijoint.fr/cjlink.php?file=cj201002/cijHd3vk9e.txt
      Extras: http://www.cijoint.fr/cjlink.php?file=cj201002/cijdVrla9I.txt

      Merci encore par avance...
      0
  8. gen-hackman
     
    rapport de list_kill'em option 6 comme demandé ????
    0
    1. Codename5281
       
      Tu ne l'avais pas demandé, mais le voila:

      Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

      device: opened successfully
      user: MBR read successfully
      kernel: MBR read successfully
      user & kernel MBR OK
      copy of MBR has been found in sector 0x01D1C4581
      malicious code @ sector 0x01D1C4584 !
      PE file found in sector at 0x01D1C459A !

      En gros ça n'a pas bougé si je comprends bien...
      0
    2. Codename5281
       
      Sur d'autres forums on parle d'utiliser la commande fixmbr de la console de récupération. C'est une solution valable?
      0
  9. gen-hackman
     
    0
    1. Codename5281
       
      "Refais l'option 6 de List_Kill'em"
      Choisir à nouveau l'option, mais quant au log... :p Enfin bref. J'ai tenté un mbrfix, après avoir lu pas mal d'autres forums, et refait une analyse avec Combofix. J'attends de voir.
      0
    2. Codename5281
       
      Donc si j'ai bien compris, le rootkit est parti avec le fixmbr. Bah tant mieux! Voila le log. Après ça je vais repasser mes supports à l'antivirus et puis ça devrait être bon :p

      ComboFix 10-02-21.02 - Jay 21/02/2010 21:57:11.3.2 - x86
      Microsoft Windows XP Professionnel 5.1.2600.3.1252.33.1036.18.767.252 [GMT 1:00]
      Lancé depuis: c:\documents and settings\Jay\Bureau\Jay.exe
      AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
      FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
      .

      (((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
      .

      c:\windows\system32\Thumbs.db

      .
      ((((((((((((((((((((((((((((( Fichiers créés du 2010-01-21 au 2010-02-21 ))))))))))))))))))))))))))))))))))))
      .

      2010-02-21 20:47 . 2010-02-21 20:47 -------- d-----w- C:\Kill'em
      2010-02-21 20:03 . 2010-02-21 20:03 -------- d-----w- c:\program files\Sophos
      2010-02-21 19:34 . 2010-02-21 19:34 -------- d-----w- c:\documents and settings\LocalService\Menu Démarrer
      2010-02-21 19:34 . 2009-03-30 08:32 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
      2010-02-21 19:34 . 2009-11-25 10:19 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
      2010-02-21 19:34 . 2009-02-13 10:28 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
      2010-02-21 19:34 . 2009-02-13 10:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
      2010-02-21 19:33 . 2010-02-21 19:33 -------- d-----w- c:\program files\Avira
      2010-02-21 19:33 . 2010-02-21 19:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
      2010-02-21 15:00 . 2010-02-21 15:00 -------- d-----w- C:\Remove_File
      2010-02-21 14:02 . 2010-02-21 14:02 -------- d-----w- c:\program files\List_Kill'em
      2010-02-20 23:01 . 2010-02-20 23:01 -------- d-----w- c:\documents and settings\Jay\Application Data\Malwarebytes
      2010-02-20 23:01 . 2010-01-07 15:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
      2010-02-20 23:01 . 2010-02-20 23:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
      2010-02-20 23:00 . 2010-01-07 15:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
      2010-02-20 23:00 . 2010-02-20 23:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
      2010-02-20 22:49 . 2010-02-20 22:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
      2010-02-20 22:22 . 2010-02-20 22:22 -------- d-----w- c:\documents and settings\Jay\DoctorWeb
      2010-02-20 20:12 . 2010-02-20 20:13 -------- d-----w- c:\program files\SpeedFan
      2010-02-20 17:51 . 2010-02-20 17:51 -------- d-----w- C:\games
      2010-02-07 23:13 . 2010-02-08 07:35 -------- d-----w- c:\program files\DAEMON Tools Lite
      2010-02-07 22:54 . 2005-10-03 00:05 356437 ----a-w- c:\windows\system32\GDS32.DLL
      2010-02-07 22:54 . 2010-02-07 22:54 -------- d-----w- c:\program files\Firebird
      2010-02-07 22:53 . 2010-02-07 22:56 -------- d-----w- c:\program files\FastCaisse
      2010-02-07 13:51 . 2010-02-07 13:51 -------- d-----w- c:\program files\Maxis
      2010-02-07 13:34 . 2010-02-07 13:34 -------- d-----w- c:\program files\Sega
      2010-02-04 10:38 . 2010-02-04 10:38 50354 ----a-w- c:\documents and settings\Jay\Application Data\Facebook\uninstall.exe
      2010-02-04 10:38 . 2010-02-04 10:38 -------- d-----w- c:\documents and settings\Jay\Application Data\Facebook
      2010-02-03 23:17 . 2010-02-03 23:17 -------- d-----w- c:\program files\Adventure Game Studio 3.1.2 SP1
      2010-02-03 22:52 . 2010-02-03 22:52 -------- d-----w- c:\documents and settings\Jay\Application Data\Unity
      2010-02-03 22:52 . 2010-02-03 22:52 -------- d-----w- c:\documents and settings\Jay\Local Settings\Application Data\Unity
      2010-02-03 22:50 . 2010-02-03 22:51 -------- d-----w- c:\documents and settings\Jay\Application Data\PACE Anti-Piracy
      2010-02-03 22:50 . 2010-02-03 22:51 -------- d-----w- c:\documents and settings\All Users\Application Data\PACE Anti-Piracy
      2010-02-03 22:50 . 2010-02-03 22:50 -------- d-----w- c:\program files\Fichiers communs\PACE Anti-Piracy
      2010-02-03 22:50 . 2010-02-03 22:50 -------- d-----w- c:\documents and settings\Jay\Local Settings\Application Data\PACE Anti-Piracy
      2010-02-03 22:43 . 2010-02-03 22:43 -------- d-----w- c:\program files\Unity
      2010-02-03 22:24 . 2010-02-03 22:24 -------- d-----w- c:\program files\Game_Maker8
      2010-02-03 22:23 . 2010-02-03 22:59 -------- d-----w- c:\documents and settings\Jay\.Game Develop
      2010-02-03 22:22 . 2010-02-03 22:59 -------- d-----w- c:\program files\Compil Games
      2010-02-01 22:04 . 2010-02-01 22:04 847040 ----a-w- c:\documents and settings\Jay\Application Data\Facebook\axfbootloader.dll
      2010-02-01 22:04 . 2010-02-01 22:04 5578752 ----a-w- c:\documents and settings\Jay\Application Data\Facebook\npfbplugin_1_0_1.dll
      2010-01-25 22:51 . 2010-01-25 22:51 -------- d-----w- c:\program files\GPLGS
      2010-01-25 12:13 . 2010-01-25 12:13 -------- d-----w- c:\program files\EASEUS
      2010-01-24 20:54 . 2010-01-24 20:54 -------- d-----w- c:\documents and settings\Jay\Application Data\WindSolutions

      .
      (((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
      .
      2010-02-21 20:54 . 2006-08-11 17:43 95554 ----a-w- c:\windows\system32\perfc00C.dat
      2010-02-21 20:54 . 2006-08-11 17:43 540272 ----a-w- c:\windows\system32\perfh00C.dat
      2010-02-16 13:14 . 2008-06-30 10:16 -------- d-----w- c:\documents and settings\Jay\Application Data\FileZilla
      2010-02-14 11:59 . 2006-12-13 19:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
      2010-02-07 23:21 . 2006-12-21 20:46 -------- d-----w- c:\documents and settings\Jay\Application Data\Azureus
      2010-02-07 23:13 . 2007-12-30 12:27 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
      2010-02-07 23:13 . 2009-08-13 16:41 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
      2010-02-07 13:34 . 2006-08-11 17:53 -------- d--h--w- c:\program files\InstallShield Installation Information
      2010-01-22 22:48 . 2008-01-25 19:27 -------- d-----w- c:\documents and settings\Jay\Application Data\dvdcss
      2010-01-22 17:30 . 2007-01-20 18:53 -------- d-----w- c:\documents and settings\Jay\Application Data\Nokia
      2010-01-22 17:09 . 2007-01-20 18:47 -------- d-----w- c:\program files\Fichiers communs\PCSuite
      2010-01-22 17:08 . 2008-04-03 20:08 -------- d-----w- c:\program files\Fichiers communs\Nokia
      2010-01-22 17:08 . 2007-01-20 18:47 -------- d-----w- c:\program files\Nokia
      2010-01-22 17:08 . 2007-04-20 07:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Installations
      2010-01-22 17:08 . 2010-01-22 17:08 95232 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\pcswpcsi.exe
      2010-01-22 17:08 . 2010-01-22 17:08 8192 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstCCD.exe
      2010-01-22 17:08 . 2010-01-22 17:08 61440 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
      2010-01-22 17:08 . 2010-01-22 17:08 10240 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstPCS.exe
      2010-01-22 14:54 . 2010-01-22 17:08 34503600 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Nokia_PC_Suite_7_1_40_1_fre_web.exe
      2010-01-17 22:06 . 2010-01-17 22:06 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
      2010-01-17 22:02 . 2010-01-17 22:02 -------- d-----w- c:\program files\Microsoft ActiveSync
      2010-01-17 11:17 . 2010-01-17 11:17 -------- d-----w- c:\documents and settings\Jay\Application Data\Nokia Ovi Suite
      2010-01-17 10:46 . 2010-01-17 10:46 -------- d-----w- c:\program files\PC Connectivity Solution
      2010-01-17 10:45 . 2010-01-17 10:45 12212040 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\WMFDist11-WindowsXP-X86-ENU.exe
      2010-01-17 10:45 . 2010-01-17 10:45 13930312 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\WMFDist11-WindowsXP-X64-ENU.exe
      2010-01-17 10:45 . 2010-01-17 10:45 77824 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\Run_XML6_SP1.exe
      2010-01-17 10:45 . 2010-01-17 10:45 61440 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\WMF11Runx86.exe
      2010-01-17 10:45 . 2010-01-17 10:45 58880 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\WMF11Runx64.exe
      2010-01-17 10:45 . 2010-01-17 10:45 50000 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\pcswpc.exe
      2010-01-17 10:40 . 2010-01-17 10:40 -------- d-----w- c:\documents and settings\All Users\Application Data\OviInstallerCache
      2010-01-17 10:40 . 2010-01-17 10:40 95992424 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Nokia_Ovi_Suite_webinstaller(2).exe
      2010-01-15 10:03 . 2006-12-02 09:51 125200 -c--a-w- c:\documents and settings\Jay\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
      2010-01-15 02:34 . 2009-09-04 18:20 -------- d-----w- c:\program files\Spybot - Search & Destroy
      2010-01-15 01:00 . 2010-01-15 01:00 -------- d-----w- c:\program files\CCleaner
      2010-01-15 00:21 . 2007-06-11 20:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
      2010-01-14 23:53 . 2010-01-14 23:53 -------- d-----w- c:\program files\OO Software
      2010-01-14 23:44 . 2009-08-11 14:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
      2010-01-14 23:35 . 2007-06-11 19:34 -------- d-----w- c:\program files\Fichiers communs\Wise Installation Wizard
      2010-01-10 23:46 . 2010-01-10 23:46 312128 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
      2010-01-09 09:46 . 2008-01-09 18:52 -------- d-----w- c:\program files\Microsoft Works
      2009-12-31 16:50 . 2005-05-10 00:17 353792 ----a-w- c:\windows\system32\drivers\srv.sys
      2009-12-25 20:32 . 2009-08-15 14:31 -------- d-----w- c:\program files\C.E.W
      2009-12-21 19:07 . 2006-03-04 04:00 916480 ------w- c:\windows\system32\wininet.dll
      2009-12-17 07:41 . 2004-08-10 20:00 347648 ----a-w- c:\windows\system32\mspaint.exe
      2009-12-14 07:09 . 2004-08-10 20:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
      2009-12-09 10:08 . 2005-09-29 18:28 2147328 ------w- c:\windows\system32\ntoskrnl.exe
      2009-12-09 10:08 . 2005-09-29 18:28 2025984 ------w- c:\windows\system32\ntkrnlpa.exe
      2009-12-04 18:22 . 2005-01-19 04:26 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
      2009-11-27 17:13 . 2005-08-30 04:16 1297920 ----a-w- c:\windows\system32\quartz.dll
      2009-11-27 17:13 . 2004-08-10 20:00 17920 ----a-w- c:\windows\system32\msyuv.dll
      2009-11-27 16:08 . 2004-08-10 20:00 8704 ----a-w- c:\windows\system32\tsbyuv.dll
      2009-11-27 16:08 . 2004-08-10 20:00 85504 ----a-w- c:\windows\system32\avifil32.dll
      2009-11-27 16:08 . 2004-08-10 20:00 48128 ----a-w- c:\windows\system32\iyuv_32.dll
      2009-11-27 16:08 . 2004-08-10 20:00 28672 ----a-w- c:\windows\system32\msvidc32.dll
      2009-11-27 16:08 . 2004-08-10 20:00 11264 ----a-w- c:\windows\system32\msrle32.dll
      2009-10-15 14:42 . 2009-10-15 14:42 14078 ----a-w- c:\program files\Fichiers communs\suvosa.dl
      2009-10-15 14:42 . 2009-10-15 14:42 13260 ----a-w- c:\program files\Fichiers communs\kafako.com
      2009-10-15 14:42 . 2009-10-15 14:42 10994 ----a-w- c:\program files\Fichiers communs\yjoseceqeq.dl
      2008-08-25 20:00 . 2008-08-25 20:04 330 -c-h-tr- c:\program files\Journal de sauvegarde
      2008-04-14 02:34 . 2009-02-24 19:57 60416 -csha-w- c:\windows\NiwradSoft Shell Pack\Backup\msimn.exe
      2009-07-19 19:17 . 2009-07-19 19:17 88 --sh--r- c:\windows\system32\7A004F5EDB.sys
      2008-01-21 15:56 . 2008-01-21 15:55 88 -csha-r- c:\windows\system32\F1BE1573B3.sys
      2009-07-19 19:19 . 2008-01-21 15:50 2516 -csha-w- c:\windows\system32\KGyGaAvL.sys
      .

      ------- Sigcheck -------

      [-] 2008-04-14 . E2C2F42C096F1C3110F663C2EF90B815 . 1544704 . . [6.00.2900.5512] . . c:\windows\explorer.exe
      [7] 2008-04-14 . F2317622D29F9FF0F88AEECD5F60F0DD . 1037824 . . [6.00.2900.5512] . . c:\windows\NiwradSoft Shell Pack\Backup\explorer.exe
      [-] 2008-04-14 . E2C2F42C096F1C3110F663C2EF90B815 . 1544704 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe
      [-] 2007-06-13 . D0288319660EDCFED07C7E74C4EA38A5 . 1037312 . . [6.00.2900.3156] . . c:\windows\$NtServicePackUninstall$\explorer.exe
      [-] 2007-06-13 . B795475444D6D57A572C14B9E1A29839 . 1037312 . . [6.00.2900.3156] . . c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
      .
      ((((((((((((((((((((((((((((( SnapShot@2010-02-21_16.37.28 )))))))))))))))))))))))))))))))))))))))))
      .
      + 2008-07-29 07:05 . 2008-07-29 07:05 62976 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90rus.dll
      - 2008-07-29 06:05 . 2008-07-29 06:05 62976 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90rus.dll
      + 2008-07-29 07:05 . 2008-07-29 07:05 46080 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90kor.dll
      - 2008-07-29 06:05 . 2008-07-29 06:05 46080 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90kor.dll
      - 2008-07-29 06:05 . 2008-07-29 06:05 46592 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90jpn.dll
      + 2008-07-29 07:05 . 2008-07-29 07:05 46592 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90jpn.dll
      - 2008-07-29 06:05 . 2008-07-29 06:05 64512 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90ita.dll
      + 2008-07-29 07:05 . 2008-07-29 07:05 64512 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90ita.dll
      + 2008-07-29 07:05 . 2008-07-29 07:05 66048 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90fra.dll
      - 2008-07-29 06:05 . 2008-07-29 06:05 66048 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90fra.dll
      - 2008-07-29 06:05 . 2008-07-29 06:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esp.dll
      + 2008-07-29 07:05 . 2008-07-29 07:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esp.dll
      - 2008-07-29 06:05 . 2008-07-29 06:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esn.dll
      + 2008-07-29 07:05 . 2008-07-29 07:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esn.dll
      + 2008-07-29 07:05 . 2008-07-29 07:05 56832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90enu.dll
      - 2008-07-29 06:05 . 2008-07-29 06:05 56832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90enu.dll
      - 2008-07-29 06:05 . 2008-07-29 06:05 66560 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90deu.dll
      + 2008-07-29 07:05 . 2008-07-29 07:05 66560 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90deu.dll
      + 2008-07-29 07:05 . 2008-07-29 07:05 39936 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90cht.dll
      - 2008-07-29 06:05 . 2008-07-29 06:05 39936 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90cht.dll
      - 2008-07-29 06:05 . 2008-07-29 06:05 38912 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90chs.dll
      + 2008-07-29 07:05 . 2008-07-29 07:05 38912 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90chs.dll
      - 2008-07-29 04:07 . 2008-07-29 04:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90u.dll
      + 2008-07-29 05:07 . 2008-07-29 05:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90u.dll
      - 2008-07-29 04:07 . 2008-07-29 04:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90.dll
      + 2008-07-29 05:07 . 2008-07-29 05:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90.dll
      + 2010-02-21 20:52 . 2010-02-21 20:52 16384 c:\windows\temp\Perflib_Perfdata_594.dat
      + 2010-02-21 20:52 . 2010-02-21 20:52 16384 c:\windows\temp\Perflib_Perfdata_244.dat
      - 2006-08-11 17:43 . 2010-01-22 14:16 72760 c:\windows\system32\perfc009.dat
      + 2006-08-11 17:43 . 2010-02-21 20:54 72760 c:\windows\system32\perfc009.dat
      + 2007-07-31 18:40 . 2009-05-11 08:11 28520 c:\windows\system32\drivers\ssmdrv.sys
      + 2008-07-29 07:05 . 2008-07-29 07:05 655872 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcr90.dll
      - 2008-07-29 06:05 . 2008-07-29 06:05 655872 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcr90.dll
      + 2008-07-29 07:05 . 2008-07-29 07:05 572928 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcp90.dll
      - 2008-07-29 06:05 . 2008-07-29 06:05 572928 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcp90.dll
      + 2008-07-29 02:54 . 2008-07-29 02:54 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcm90.dll
      - 2008-07-29 01:54 . 2008-07-29 01:54 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcm90.dll
      + 2008-07-29 07:05 . 2008-07-29 07:05 161784 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_d01483b2\atl90.dll
      - 2008-07-29 06:05 . 2008-07-29 06:05 161784 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_d01483b2\atl90.dll
      + 2006-08-11 17:43 . 2010-02-21 20:54 448040 c:\windows\system32\perfh009.dat
      - 2006-08-11 17:43 . 2010-01-22 14:16 448040 c:\windows\system32\perfh009.dat
      + 2007-08-25 15:38 . 2010-02-21 20:54 170657 c:\windows\system32\inetsrv\MetaBase.bin
      + 2008-07-29 07:05 . 2008-07-29 07:05 3783672 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90u.dll
      - 2008-07-29 06:05 . 2008-07-29 06:05 3783672 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90u.dll
      - 2008-07-29 06:05 . 2008-07-29 06:05 3768312 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90.dll
      + 2008-07-29 07:05 . 2008-07-29 07:05 3768312 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90.dll
      .
      ((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
      .
      .
      *Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
      REGEDIT4

      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2009-11-11 1451520]
      "DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]
      "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "RTHDCPL"="RTHDCPL.EXE" [2006-06-01 16208384]
      "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-10 13758464]
      "nwiz"="nwiz.exe" [2009-06-10 1657376]
      "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-06-10 86016]
      "OODefragTray"="c:\windows\system32\oodtray.exe" [2007-05-11 2512392]
      "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

      [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
      "DWQueuedReporting"="c:\progra~1\FICHIE~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

      [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
      "ForceClassicControlPanel"= 1 (0x1)

      [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
      "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

      [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
      BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
      @="Driver"

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMServer]
      c:\program files\Fichiers communs\Nokia\MPlatform\NokiaMServer [X]

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
      2008-08-14 05:58 611712 ----a-w- c:\program files\Fichiers communs\Adobe\CS4ServiceManager\CS4ServiceManager.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
      2006-06-26 20:45 1211176 ----a-w- c:\program files\Microsoft ActiveSync\wcescomm.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
      2005-02-16 15:15 221184 ----a-w- c:\progra~1\FICHIE~1\INSTAL~1\UPDATE~1\ISUSPM.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
      2008-04-14 02:34 1695232 ------w- c:\program files\Messenger\msmsgs.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
      2009-07-26 15:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
      2009-07-19 18:53 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
      "Lavasoft Ad-Aware Service"=2 (0x2)
      "FirebirdServerDefaultInstance"=3 (0x3)
      "FirebirdGuardianDefaultInstance"=2 (0x2)
      "ProtexisLicensing"=2 (0x2)

      [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
      "ctfmon.exe"=c:\windows\system32\ctfmon.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
      "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
      "IMEKRMIG6.1"=c:\windows\ime\imkr6_1\IMEKRMIG.EXE
      "MSPY2002"=c:\windows\system32\IME\PINTLGNT\ImScInst.exe /SYNC
      "nwiz"=nwiz.exe /install
      "ehTray"=c:\windows\ehome\ehtray.exe
      "NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
      "NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
      "ISUSPM Startup"=c:\progra~1\FICHIE~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
      "ISUSScheduler"="c:\program files\Fichiers communs\InstallShield\UpdateService\issch.exe" -start
      "_BackupService"="c:\program files\Astase\UltraBackup\4.9\bin\tbs.exe" -start
      "thnotify"="c:\program files\Astase\UltraBackup\4.9\bin\thtrayagent.exe" /start

      [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
      "DisableMonitoring"=dword:00000001

      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
      "%windir%\\system32\\sessmgr.exe"=
      "c:\\WINDOWS\\system32\\mmc.exe"=
      "c:\\Program Files\\Java\\jre1.6.0_01\\launch4j-tmp\\RKMediaCenter.exe"=
      "c:\\Program Files\\FileZilla FTP Client\\filezilla.exe"=
      "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
      "c:\\Program Files\\Fichiers communs\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
      "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
      "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
      "c:\\Program Files\\C.E.W\\OpenLieroX.exe"=
      "c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
      "c:\\Program Files\\EasyPHP 3.0\\mysql\\bin\\mysqld.exe"=
      "c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
      "c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
      "c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
      "c:\\Program Files\\Vuze\\Azureus.exe"=

      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
      "5353:TCP"= 5353:TCP:Adobe CSI CS4
      "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
      "65533:TCP"= 65533:TCP:Services
      "52344:TCP"= 52344:TCP:Services
      "3246:TCP"= 3246:TCP:Services
      "2479:TCP"= 2479:TCP:Services
      "6114:TCP"= 6114:TCP:Services

      R1 hwinterface;hwinterface;c:\windows\system32\drivers\hwinterface.sys [31/03/2007 21:37 2996]
      R2 AntiVirSchedulerService;Avira AntiVir Planificateur;c:\program files\Avira\AntiVir Desktop\sched.exe [21/02/2010 20:34 108289]
      R2 ThalliumServer;Astase ThalliumBackup Storage Service;c:\program files\Astase\UltraBackup\4.9\bin\tbsd.exe [14/10/2007 11:31 1929728]
      R2 thpassivesvc;Astase ThalliumBackup Client Background Service;c:\program files\Astase\UltraBackup\4.9\bin\thpassiveclientsvc.exe [14/10/2007 11:31 618496]
      S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [30/12/2007 13:27 691696]
      S1 jdlgmfib;jdlgmfib;\??\c:\windows\system32\drivers\jdlgmfib.sys --> c:\windows\system32\drivers\jdlgmfib.sys [?]
      S2 AdobeAdobeAlerter;Adobe LM Service AdobeAdobeAlerter;c:\windows\TEMP\evbupehsdi.exe service --> c:\windows\TEMP\evbupehsdi.exe service [?]
      S2 cmjwu;cmjwu;\??\c:\windows\system32\drivers\miayk.sys --> c:\windows\system32\drivers\miayk.sys [?]
      S2 gupdate1c98986541bab5f;Google Update Service (gupdate1c98986541bab5f);c:\program files\Google\Update\GoogleUpdate.exe [08/02/2009 01:43 133104]
      S2 ibkqqmi;ibkqqmi;\??\c:\windows\system32\drivers\cdmumqhiyj.sys --> c:\windows\system32\drivers\cdmumqhiyj.sys [?]
      S3 BTCAMDRV;Mobiola Web Camera driver;c:\windows\system32\drivers\BTCamDrv.sys [24/02/2007 22:44 228352]
      S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\11.tmp --> c:\windows\system32\11.tmp [?]
      S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [17/01/2010 11:46 136704]
      S3 sfr0901;SFR Connexion Adapter V9;c:\windows\system32\drivers\sfr0901.sys [24/02/2008 20:54 26496]
      S4 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\program files\Firebird\Firebird_1_5\bin\fbguard.exe -s --> c:\program files\Firebird\Firebird_1_5\bin\fbguard.exe -s [?]
      S4 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program files\Firebird\Firebird_1_5\bin\fbserver.exe -s --> c:\program files\Firebird\Firebird_1_5\bin\fbserver.exe -s [?]

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
      UxTuneUp
      .
      Contenu du dossier 'Tâches planifiées'

      2010-02-21 c:\windows\Tasks\1-Click Maintenance.job
      - c:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-06-20 07:09]

      2010-02-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
      - c:\program files\Google\Update\GoogleUpdate.exe [2009-02-08 00:43]

      2010-02-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
      - c:\program files\Google\Update\GoogleUpdate.exe [2009-02-08 00:43]

      2010-02-21 c:\windows\Tasks\User_Feed_Synchronization-{7FFA8037-D4E6-4E0A-940E-DACBF666952F}.job
      - c:\windows\system32\msfeedssync.exe [2006-10-17 02:31]
      .
      .
      ------- Examen supplémentaire -------
      .
      uStart Page = hxxp://news.google.com/
      uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
      uInternet Connection Wizard,ShellNext = hxxp://fr.fr.acer.yahoo.com/
      uInternet Settings,ProxyOverride = *.local
      uSearchAssistant = hxxp://www.google.com/ie
      uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
      IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
      Trusted Zone: localhost
      DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
      DPF: {051D0E35-F4E3-4C8D-B411-AB0875F4C683} - hxxp://install.anark.com/client/version4/windows-ie/en/AMClient.cab
      DPF: {210D0CBC-8B17-48D1-B294-1A338DD2EB3A} - hxxp://82.127.76.211:91/VatDec.cab
      FF - ProfilePath - c:\documents and settings\Jay\Application Data\Mozilla\Firefox\Profiles\xvu7etdj.default\
      FF - prefs.js: browser.startup.homepage - hxxp://news.google.fr/
      FF - component: c:\program files\Nokia\Nokia PC Suite 7\bkmrksync\components\BkMrkExt.dll
      FF - plugin: c:\documents and settings\Jay\Application Data\Facebook\npfbplugin_1_0_1.dll
      FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
      FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
      FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
      FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
      FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

      ---- PARAMETRES FIREFOX ----
      .

      **************************************************************************

      catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
      Rootkit scan 2010-02-21 22:11
      Windows 5.1.2600 Service Pack 3 NTFS

      Recherche de processus cachés ...

      Recherche d'éléments en démarrage automatique cachés ...

      Recherche de fichiers cachés ...

      Scan terminé avec succès
      Fichiers cachés: 0

      **************************************************************************

      [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MEMSWEEP2]
      "ImagePath"="\??\c:\windows\system32\11.tmp"
      .
      --------------------- CLES DE REGISTRE BLOQUEES ---------------------

      [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
      "Version"=hex:d0,1b,23,d0,cf,b9,03,0e,20,c2,d5,1d,7b,e4,a0,c1,fc,1e,30,d4,f4,
      4c,04,1f,08,6c,4c,17,a9,24,a7,89,05,d2,9f,92,e5,51,d4,bc,ff,e7,e0,0b,60,98,\

      [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
      "OODEFRAG10.00.00.01WORKSTATION"="C7C017C7F3E7418B8B7986B4D3CB3A27C53D9F1F5E8C95FE35704907F56CCE5CC67E28C4B90B177BD2A14EF7C8934B236FEDFE3D993B8280C6408137E38723D710EB826492F3940984C107CD4C55735875E5EEF9891DDD9865EF87363CE05213B9E3AE3282BB114C77F503E475F52115919B29C7F284526A4AF39DDD1356DCA21E7A160B10EC0972C50DF4BF594CEBBA3E3CCA6F9FB7AEAB72F5E9D9833AEC335C740A21C6099CBA4E8776B594A70A3E3D25D48D5A7062A89ECF772BA9D4C903554A3D7933818E7A379D03EFC6C85B2992EBAE10FEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CA6A0AC4980AC7933A6171C11EC38DE3D9DB7CE019D40AA5CC038D530D6EB34520F76E2F980B1A8D9A19E34DCB83CE140E36FFA6ADC10335445451B73805DAFE7B880C87011E59065BC6EBC515EC9B94573850221BA314DD9C6F3D275AD3E4DE19EF87DAE2C52CD7929946306E9A1B6CAB10202F2B91C1B1C84870E57771992A4E60B9B810D6435371E895DFE78909738874A6837F397E16AB8F094E31B526E04BCD765C931BF7E9558BB034F6A947CC961B846584BA04DE4A099D07B9B86B4A34E723DFADCBB47DF1789D12162E16A0EAF9AD154E568EBFEFDDC528FBD7F1DFCCE642B9E19E00FB41D4B6AB14960CB69683265BDABD12E8217874C288D414360F4285B4F2D6E3B0733C891D24DAA6D150236FDB94C786C8C34DD14E15880256E7AAD1DBDABD6929C243E3169DA90011AFACE3E843525E00DA496256BAF26A61C1FD965AEE5414211405DD46DA9951C5AD21CEB6A9D5B294AB95D9F86695111B3A4054B7AF287DB53DACAAE6D2F7237898F30F04FFECDC75AC750C48BA2528C53527A8B8D2F3851A64B20918AA811B02E39105B279666A3AD2A82FC66352EAB6CF1F905E73917FDA06E6AF87A961249A45B355D7F633F07813D7C511647A0604453B83B9CF3199CABA2A9FE863DC8A61D888E4B74ADAC9F6C63B7F2AC3B15017548DDD85507E84C094B53678AA3BB529BD37EA038FBAF02568123B3533FADCAEE2806264F5C6614C8525116F817273A76D65A7B921D03A1FD022309433EBFDCEF4DBF95D7A4A15BD2200112D7A6FAAE5B2DEB1C5CA1125A71D28D10CD6BD5B98E1611B956D264ED62A7310BBDA7DAE5487872E9055D7DEA97E4AD07D43E2C49376570CBC11DA6FC055AA8D05BB09C7812DD9EEE8DEC9AF4282E42D04FED36D6A4A14BA6A5FE181C1E302058EF9F4EE4E08417D78C2A7100B0287FF3CAFA1791EA368049A2B79A44E525C4B9D093AD8BAE9975762D37BD7590D00B9BE3A7A98DED9164D9ED4BC4D1E4B936B26772AEB24D4FC8422DF971237EA88116CFF9FAC1E7A5BF1F4FFE62067AEF0C25B16179835F5712D3DE1A2F3D02376F58D4"

      [HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
      "Version"=hex:d0,1b,23,d0,cf,b9,03,0e,20,c2,d5,1d,7b,e4,a0,c1,fc,1e,30,d4,f4,
      4c,04,1f,08,6c,4c,17,a9,24,a7,89,05,d2,9f,92,e5,51,d4,bc,ff,e7,e0,0b,60,98,\
      .
      --------------------- DLLs chargées dans les processus actifs ---------------------

      - - - - - - - > 'winlogon.exe'(768)
      c:\windows\system32\SETUPAPI.dll

      - - - - - - - > 'lsass.exe'(824)
      c:\windows\system32\setupapi.dll

      - - - - - - - > 'explorer.exe'(1792)
      c:\program files\Windows Desktop Search\deskbar.dll
      c:\program files\Windows Desktop Search\fr-fr\dbres.dll.mui
      c:\program files\Windows Desktop Search\dbres.dll
      c:\program files\Windows Desktop Search\wordwheel.dll
      c:\program files\Windows Desktop Search\fr-fr\msnlExtRes.dll.mui
      c:\program files\Windows Desktop Search\msnlExtRes.dll
      c:\windows\system32\SETUPAPI.dll
      c:\windows\system32\webcheck.dll
      c:\windows\system32\NETSHELL.dll
      c:\windows\system32\credui.dll
      c:\windows\system32\eappprxy.dll
      c:\windows\system32\WPDShServiceObj.dll
      c:\windows\system32\PortableDeviceTypes.dll
      c:\windows\system32\PortableDeviceApi.dll
      .
      Heure de fin: 2010-02-21 22:15:32
      ComboFix-quarantined-files.txt 2010-02-21 21:15
      ComboFix2.txt 2010-02-21 16:40

      Avant-CF: 81 007 484 928 octets libres
      Après-CF: 81 017 688 064 octets libres

      Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4
      - - End Of File - - E38A498E26C19377EEDE5CB09299CD1A
      0
  10. gen-hackman
     
    hello tu as fait quoi pour remettre nickel ?
    0