Problem with a rootkit?

Closed
Codename5281 - 21 Feb. 2010 at 14:36
 Anonymous user - 12 March 2010 at 14:14
Hello everyone,

After browsing a good number of forums trying, without success, to find an answer to my questions, I have come to ask the CCM community for help.

Here is my problem: last night, while I was browsing the internet with Mozilla Firefox, my PC started to lag seriously. I then opened my Task Manager and, seeing that it was the jre.exe process (Java Runtime Environment) that was acting up, I tried to close it. However, after a few minutes this led to a total freeze of my windows. I rebooted my PC, and from then on, after a few minutes of use, the same thing happened again, with the same process.

Stranger still, on the third reboot, the freeze was accompanied by a continuous beep from my motherboard. I looked into it, and seeing that this could have several causes, I tested my RAM with memtest, no errors; I checked my power supply voltages via the BIOS, no problem, as well as my CPU and GPU temperatures, no problem there either. As for memory, I was able to boot Linux distros and BartPE from live CD without any bug, so no problem on that side.

Later, I noticed even stranger behaviour from my PC: while the bug was happening, I was able to open Task Manager, notice that the process consuming all of my PC's resources was no longer the same one (it can vary between searchindexer.exe, winlogon.exe, svchost.exe, and other system or user processes), see Task Manager freeze (all processes at 0% system resource usage, wtf?), and then a 16-bit-style Windows window appears asking me to insert volume I: (memory card reader)... Since the PC was clearly working (hard drive LED on and CPU fan speeding up), I began to suspect the presence of a rootkit.

I was able to run a HijackThis scan, with no obviously positive result (I can provide the log if needed), but the antivirus scan with Avira AntiVir froze the PC. A scan with GMER froze as well, as did a Dr Web CureIt scan. MBAM found infected registry entries, which it deleted, with no effect after reboot. Finally, ComboFix deleted four files, but I couldn't tell you which ones, since creating the log at the final reboot froze my PC.

So, currently, my PC is usable for a certain amount of time; apparently it is antivirus processes that trigger a freeze, along with the strange Task Manager behaviour before a freeze (one or two processes at 50% usage - I'm on a dual core - then all processes, even the "idle" one, at 0%, then freeze and hard drive and CPU activity). I should point out that I disconnected my PC from the internet at the first symptoms, and that entering Safe Mode is impossible for me (reboot).

Thanking you in advance for your information and help...
Regards,

10 replies

Anonymous user
22 Feb. 2010 at 06:32
▶ Click on the Start menu / Control Panel / Folder Options / then in the View tab
* - Check Show hidden files and folders
* - Uncheck Hide extensions for known file types
* - Uncheck Hide protected operating system files (recommended)

▶ Click Apply, then OK.

Don't forget to hide hidden and protected operating system files again at the end of the disinfection, it's important

Have the following file(s) analysed on VirusTotal:

Virus Total

* Click Browse at the top, choose My Computer and look for these files:

c:\windows\system32\7A004F5EDB.sys
c:\windows\system32\F1BE1573B3.sys

* Now click Send file, and let it work as long as "Current status: analysing" is displayed.
* The file may be queued due to a large number of analysis requests. In that case, you will have to wait without refreshing the page.
* When the analysis is finished ("Current status: finished"), click Formatted
* A new browser window will appear
* Then click on the two arrows
* Right-click on the page, choose Select all, then Copy
* Finally paste the result in your next reply.

Note: To analyse another file, click Other file at the bottom.
1
Codename5281
12 March 2010 at 14:10
Sorry, I was away again!
Thanks for the help, everything is back in order now!
See you!
0
Anonymous user
21 Feb. 2010 at 14:53
hi:

Disable your antivirus for the duration of the operation, as well as your firewall if present (because it is wrongly detected as an infection)

▶ Download List_Kill'em and save it to your desktop

▶ Plug in USB keys, external hard drives, mp3, mp4, etc.

double-click (right-click "run as administrator" for Vista/7) on the shortcut on your desktop to launch the installation

check the box "create a desktop icon"

once finished, click "finish" and the program will launch on its own

choose the language, then choose option 1 = Search Mode

▶ let the tool work

when the white window appears, it takes a while, that's normal, the program is not stuck.

a report named catchme appears on your desktop; ignore it, don't post it, but don't delete it for now, the scan is not finished.

▶ Post the contents of the report that opens at 100% of the scan, on the "COMPLETED" screen

you can delete the catchme.log report from your desktop now.

0
Thanks for your reply,
It has been running for a good fifteen minutes, and stuck at 90% for now. Among the processes, I have a system.exe eating 45% of the resources.
I'll post the log as soon as it's finished.
0
Here is the report (MBR Rootkit infection, huh?):

List'em by g3n-h@ckm@n 1.2.5.3

User : Jay (Administrateurs)
Update on 19/02/2010 by g3n-h@ckm@n ::::: 13.15
Start at: 15:03:00 | 21/02/2010
Contact : https://forums.commentcamarche.net/forum/virus-securite-7

AMD Athlon(tm) 64 X2 Dual Core Processor 4200+
Microsoft Windows XP Professionnel (5.1.2600 32-bit) # Service Pack 3
Internet Explorer 8.0.6001.18702
Windows Firewall Status : Enabled
AV : Avira AntiVir PersonalEdition 8.0.1.30 [ (!) Disabled | Updated ]
FW : Norton Internet Worm Protection[ (!) Disabled ]2006

C:\ -> Disque fixe local | 113,27 Go (75,22 Go free) [ACER] | NTFS
D:\ -> Disque fixe local | 113,73 Go (3,89 Go free) [ACERDATA] | FAT32
E:\ -> Disque CD-ROM
G:\ -> Disque CD-ROM
I:\ -> Disque amovible | 1,87 Go (1,07 Go free) | FAT
J:\ -> Disque amovible
K:\ -> Disque amovible
L:\ -> Disque amovible
O:\ -> Disque fixe local | 465,76 Go (130,39 Go free) [FreeAgent Drive] | NTFS

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Processes running

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Astase\UltraBackup\4.9\bin\tbsd.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Astase\UltraBackup\4.9\bin\thpassiveclientsvc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\oodtray.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\Program Files\DAEMON Tools Lite\DTLite.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrv.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\List_Kill'em\List_Kill'em.scr
C:\WINDOWS\system32\cmd.exe
C:\Documents and Settings\Jay\Local Settings\temp\C.tmp\pv.exe

======================
Keys "Run"
======================
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
PC Suite Tray REG_SZ "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
DAEMON Tools Lite REG_SZ "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\AdobeUpdater

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
RTHDCPL REG_SZ RTHDCPL.EXE
avgnt REG_SZ "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
NvCplDaemon REG_SZ RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
nwiz REG_SZ nwiz.exe /install
NvMediaCenter REG_SZ RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
OODefragTray REG_SZ C:\WINDOWS\system32\oodtray.exe

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]

=====================
Other Keys
=====================
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
dontdisplaylastusername REG_DWORD 0 (0x0)
legalnoticecaption REG_SZ
legalnoticetext REG_SZ
shutdownwithoutlogon REG_DWORD 1 (0x1)
undockwithoutlogon REG_DWORD 1 (0x1)
InstallVisualStyle REG_EXPAND_SZ C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
InstallTheme REG_EXPAND_SZ C:\WINDOWS\Resources\Themes\Royale.theme
DisableRegistryTools REG_DWORD 0 (0x0)

===============
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
NoDriveAutoRun REG_DWORD 67108863 (0x3ffffff)
NoDriveTypeAutoRun REG_DWORD 323 (0x143)
NoDrives REG_DWORD 0 (0x0)
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run

===============
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
NoCDBurning REG_DWORD 1 (0x1)
HonorAutoRunSetting REG_DWORD 1 (0x1)
NoDriveAutoRun REG_DWORD 67108863 (0x3ffffff)
NoDriveTypeAutoRun REG_DWORD 323 (0x143)
NoDrives REG_DWORD 0 (0x0)

===============
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

===============
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
AutoRestartShell REG_DWORD 1 (0x1)
DefaultUserName REG_SZ Jay
LegalNoticeCaption REG_SZ
LegalNoticeText REG_SZ
PowerdownAfterShutdown REG_SZ 0
ReportBootOk REG_SZ 1
Shell REG_SZ Explorer.exe
ShutdownWithoutLogon REG_SZ 0
System REG_SZ
Userinit REG_SZ C:\WINDOWS\system32\userinit.exe,
VmApplet REG_SZ rundll32 shell32,Control_RunDLL "sysdm.cpl"
SfcQuota REG_DWORD -1 (0xffffffff)
allocatecdroms REG_SZ 0
allocatedasd REG_SZ 0
allocatefloppies REG_SZ 0
cachedlogonscount REG_SZ 10
forceunlocklogon REG_DWORD 0 (0x0)
passwordexpirywarning REG_DWORD 14 (0xe)
scremoveoption REG_SZ 0
AllowMultipleTSSessions REG_DWORD 1 (0x1)
UIHost REG_EXPAND_SZ logonui.exe
LogonType REG_DWORD 1 (0x1)
Background REG_SZ 0 0 0
DebugServerCommand REG_SZ no
SFCDisable REG_DWORD 0 (0x0)
WinStationsDisabled REG_SZ 0
HibernationPreviouslyEnabled REG_DWORD 1 (0x1)
ShowLogonOptions REG_DWORD 0 (0x0)
AltDefaultUserName REG_SZ Jay
AltDefaultDomainName REG_SZ JAY
DefaultDomainName REG_SZ JAY
ChangePasswordUseKerberos REG_DWORD 1 (0x1)

===============
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypt32chain]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cryptnet]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cscdll]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ScCertProp]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Schedule]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sclgntfy]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SensLogn]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\termsrv]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WgaLogon]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wlballoon]

===============
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
{AEB6717E-7E19-11d0-97EE-00C04FD91972} REG_SZ
{56F9679E-7826-4C84-81F3-532071A8BCC5} REG_SZ

===============
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
%windir%\system32\sessmgr.exe REG_SZ %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
C:\Program Files\totalcmd\TOTALCMD.EXE REG_SZ C:\Program Files\totalcmd\TOTALCMD.EXE:*:Enabled:Total Commander 32 bit international version, file manager replacement for Windows
C:\WINDOWS\system32\mmc.exe REG_SZ C:\WINDOWS\system32\mmc.exe:*:Enabled:Microsoft Management Console
C:\Program Files\Java\jre1.6.0_01\launch4j-tmp\RKMediaCenter.exe REG_SZ C:\Program Files\Java\jre1.6.0_01\launch4j-tmp\RKMediaCenter.exe:*:Enabled:Java(TM) Platform SE binary
C:\Program Files\FileZilla FTP Client\filezilla.exe REG_SZ C:\Program Files\FileZilla FTP Client\filezilla.exe:*:Enabled:FileZilla FTP Client
%windir%\Network Diagnostic\xpnetdiag.exe REG_SZ %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
C:\Program Files\Fichiers communs\Adobe\CS4ServiceManager\CS4ServiceManager.exe REG_SZ C:\Program Files\Fichiers communs\Adobe\CS4ServiceManager\CS4ServiceManager.exe:*:Enabled:Adobe CSI CS4
C:\Program Files\Windows Live\Messenger\wlcsdk.exe REG_SZ C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call
C:\Program Files\Windows Live\Messenger\msnmsgr.exe REG_SZ C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger
C:\UDK\The Ball UDK Demo\Binaries\Win32\UDK.exe REG_SZ C:\UDK\The Ball UDK Demo\Binaries\Win32\UDK.exe:*:Enabled:UDK
C:\Program Files\Lionhead Studios Ltd\Black & White\runblack.exe REG_SZ C:\Program Files\Lionhead Studios Ltd\Black & White\runblack.exe:*:Enabled:lh
C:\Program Files\C.E.W\OpenLieroX.exe REG_SZ C:\Program Files\C.E.W\OpenLieroX.exe:*:Enabled:OpenLieroX
C:\Program Files\Freeplayer\vlc\vlc.exe REG_SZ C:\Program Files\Freeplayer\vlc\vlc.exe:*:Enabled:VLC media player
C:\Program Files\VideoLAN\VLC\vlc.exe REG_SZ C:\Program Files\VideoLAN\VLC\vlc.exe:*:Enabled:VLC media player
C:\Program Files\EasyPHP 3.0\mysql\bin\mysqld.exe REG_SZ C:\Program Files\EasyPHP 3.0\mysql\bin\mysqld.exe:*:Enabled:mysqld
C:\Program Files\Microsoft ActiveSync\rapimgr.exe REG_SZ C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
C:\Program Files\Microsoft ActiveSync\wcescomm.exe REG_SZ C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
C:\Program Files\Microsoft ActiveSync\WCESMgr.exe REG_SZ C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
C:\Program Files\Vuze\Azureus.exe REG_SZ C:\Program Files\Vuze\Azureus.exe:*:Enabled:Azureus

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
%windir%\system32\sessmgr.exe REG_SZ %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
%windir%\Network Diagnostic\xpnetdiag.exe REG_SZ %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
C:\Program Files\Windows Live\Messenger\wlcsdk.exe REG_SZ C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call
C:\Program Files\Windows Live\Messenger\msnmsgr.exe REG_SZ C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger
C:\Program Files\Microsoft ActiveSync\rapimgr.exe REG_SZ C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
C:\Program Files\Microsoft ActiveSync\wcescomm.exe REG_SZ C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
C:\Program Files\Microsoft ActiveSync\WCESMgr.exe REG_SZ C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

===============
ActivX controls
===============
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\Microsoft XML Parser for Java
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{03F998B2-0E00-11D3-A498-00104B6EB52E}
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{051D0E35-F4E3-4C8D-B411-AB0875F4C683}
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{0CCA191D-13A6-4E29-B746-314DEE697D83}
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{0DB074F0-617E-4EE9-912C-2965CF2AA5A4}
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{13EC55CF-D993-475B-9ACA-F4A384957956}
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{166B1BCA-3F9C-11CF-8075-444553540000}
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{17492023-C23A-453E-A040-C7C580BBF700}
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{20A60F0D-9AFA-4515-A0FD-83BD84642501}
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{210D0CBC-8B17-48D1-B294-1A338DD2EB3A}
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{474F00F5-3853-492C-AC3A-476512BBC336}
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{4871A87A-BFDD-4106-8153-FFDE2BAC2967}
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{74D05D43-3236-11D4-BDCD-00C04F9A3B61}
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{8AD9C840-044E-11D1-B3E9-00805F499D93}
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{C3F79A2B-B9B4-4A66-B012-3EE46475B072}
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{D27CDB6E-AE6D-11CF-96B8-444553540000}
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{D4323BF2-006A-4440-A2F5-27E3E7AB25F8}
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{F5A7706B-B9C0-4C89-A715-7A0C6B05DD48}
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1}

===============
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{26923b43-4d38-484f-9b9e-de460746276c}
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\KB910393
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{08B0E5C0-4FCB-11CF-AAA5-00401C608500}
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10072CEC-8CC1-11D1-986E-00A0C955B42F}
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{1325db73-d9f1-48f8-8895-6d814ec58889}
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{1BC46932-21B2-4130-86E0-B4EB4F7A7A7B}
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220}
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{283807B5-2C60-11D0-A31D-00AA00B92C03}
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{36f8ec70-c29a-11d1-b5c7-0000f8051515}
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{3af36230-a269-11d1-b5bf-0000f8051515}
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{3bf42070-b3b1-11d1-b5c5-0000f8051515}
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{3F1D6C36-6409-34CE-62A2-2D9372B1DD8A}
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{407408d4-94ed-4d86-ab69-a7f649d112ee}
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{4278c270-a269-11d1-b5bf-0000f8051515}
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA848-CC51-11CF-AAFA-00AA00B6015C}
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F}
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{4593B9A9-89FD-4151-04B3-854C11F68BF6}
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{45ea75a0-a269-11d1-b5bf-0000f8051515}
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{4f216970-c90c-11d1-b5c7-0000f8051515}
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{4f645220-306d-11d2-995d-00c04f98bbc9}
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{55A1A907-BD1B-BB65-C185-56F3C65EC446}
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{5945c046-1e7d-11d1-bc44-00c04fd912be}
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{5A8D6EE0-3E18-11D0-821E-444553540000}
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{630b1da0-b465-11d1-9948-00c04f98bbc9}
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9}
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{73fa19d0-2d75-11d2-995d-00c04f98bbc9}
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{89820200-ECBD-11cf-8B85-00AA005B4340}
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{89820200-ECBD-11cf-8B85-00AA005B4383}
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8b15971b-5355-4c82-8c07-7e181ea07608}
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9381D8F2-0288-11D0-9501-00AA00B911A5}
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{94de52c8-2d59-4f1b-883e-79663d2d9a8c}
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A59C25A1-F636-A4F6-A353-4C3AD5C52678}
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B508B3F1-A24A-32C0-B310-85786919EF28}
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{BDE0FA43-6952-4BA8-8C58-09AF690F88E1}
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{C9E9A340-D1F1-11D0-821E-444553540600}
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{CC2A9BA0-3BDD-11D0-821E-444553540000}
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{CDD7975E-60F8-41d5-8149-19E51D6F71D0}
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D27CDB6E-AE6D-11cf-96B8-444553540000}
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9}
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{E8EA5BD6-D931-4001-ABF6-81BAA500360A}
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{E92B03AB-B707-11d2-9CBD-0000F87A369E}
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{EA29D410-CE41-4953-A862-2DE706A1DAD7}
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{FDC11A6F-17D1-48f9-9EA3-9051954BAA24}

==============
BHO :
======
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]

================
Internet Explorer :
================
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
Start Page REG_SZ https://www.msn.com/fr-fr/?ocid=iehp

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
Start Page REG_SZ https://news.google.com/topstories?hl=en-US&gl=US&ceid=US:en

========
Services
========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services]

Ndisuio : 0x4 ( OK = 3 )
EapHost : 0x3 ( OK = 2 )
SharedAccess : 0x2 ( OK = 2 )
wuauserv : 0x2 ( OK = 2 )

=========
Atapi.sys
=========

%%%% HASHDEEP-1.0
%%%% size,md5,sha256,filename
## Invoked from: C:\Documents and Settings\Jay\Local Settings\temp\C.tmp
## C:\> hashdeep C:\WINDOWS\System32\Drivers\atapi.sys
##
96512,9f3a2f5aa6875c72bf062c712cfa2674,b4df1d2c56a593c6b54de57395e3b51d288f547842893b32b0f59228a0cf70b9,C:\WINDOWS\System32\Drivers\atapi.sys


Sources
=======

C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
C:\WINDOWS\ServicePackFiles\i386\atapi.sys
C:\WINDOWS\system32\drivers\atapi.sys

Référence :
==========

Win XP_32b : a64013e98426e1877cb653685c5c0009
Win XP_SP2_32b : CDFE4411A69C224BD1D11B2DA92DAC51
Win XP_SP3_32b : 9F3A2F5AA6875C72BF062C712CFA2674
Vista_32b : e03e8c99d15d0381e02743c36afc7c6f
Vista_SP1_32b : 2d9c903dc76a66813d350a562de40ed9
Vista_SP2_32b : 1F05B78AB91C9075565A9D8A4B880BC4
Vista_SP2_64b : 1898FAE8E07D97F2F6C2D5326C633FAC
Windows 7_32b : 80C40F7FDFC376E4C5FEEC28B41C119E
Windows 7_64b : 02062C0B390B7729EDC9E69C680A6F3C


O:\Autorun.inf :
----------------
[autorun]
icon = .\FreeAgentDesktop.ico
=======
Drive :
=======

Défragmenteur de disque Windows
Copyright (c) 2001 Microsoft Corp. et Executive Software International Inc.

Rapport d'analyse
113 Go total, 75,22 Go libre (66%), 3% fragmenté (fragmentation du fichier 6%)

Il ne vous est pas nécessaire de défragmenter ce volume.

¤¤¤¤¤¤¤¤¤¤ Files/folders :

Present !! : C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
Present !! : C:\WINDOWS\aucfg.ini
Present !! : C:\WINDOWS\kb913800.exe
Present !! : C:\WINDOWS\System32\clauth1.dll
Present !! : C:\WINDOWS\System32\clauth2.dll
Present !! : C:\WINDOWS\System32\drivers\etc\hosts.msn
Present !! : C:\WINDOWS\System32\lsprst7.dll
Present !! : C:\WINDOWS\System32\lsprst7.tgz
Present !! : C:\WINDOWS\System32\SET*.tmp
Present !! : C:\WINDOWS\System32\ssprs.dll
Present !! : C:\WINDOWS\System32\sysprs7.dll
Present !! : C:\WINDOWS\System32\sysprs7.tgz
Present !! : C:\Documents and Settings\Jay\Local Settings\Temp\9.tmp
Present !! : C:\Documents and Settings\Jay\LOCAL Settings\Temp\Perflib_Perfdata_1490.dat
Present !! : C:\Documents and Settings\Jay\LOCAL Settings\Temp\Perflib_Perfdata_774.dat
Present !! : C:\Documents and Settings\Jay\LOCAL Settings\Temp\catchme.dll
Present !! : C:\Documents and Settings\Jay\LOCAL Settings\Temp\egX9rYTw.dll
Present !! : C:\Documents and Settings\Jay\LOCAL Settings\Temp\hGu8YnFX.dll
Present !! : C:\Documents and Settings\Jay\LOCAL Settings\Temp\I64xG6fq.dll
Present !! : C:\Documents and Settings\Jay\LOCAL Settings\Temp\NEventMessages.dll
Present !! : C:\Documents and Settings\Jay\LOCAL Settings\Temp\sfextra.dll
Present !! : C:\Documents and Settings\Jay\LOCAL Settings\Temp\u2nOvr41.dll

¤¤¤¤¤¤¤¤¤¤ Keys :

Present !! : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{0E5CBF21-D15F-11D0-8301-00AA005B4383}
Present !! : HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives
Present !! : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives
Present !! : HKEY_USERS\S-1-5-21-3715763573-1312033059-2079873494-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives
Present !! : "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe"
Present !! : "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe"
Present !! : HKCR\CLSID\{248dd896-bb45-11cf-9abc-0080c7e7b78d}
Present !! : HKCR\CLSID\{248dd897-bb45-11cf-9abc-0080c7e7b78d}
Present !! : HKCR\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179}
Present !! : HKCR\Interface\{248dd892-bb45-11cf-9abc-0080c7e7b78d}
Present !! : HKCR\Interface\{248dd893-bb45-11cf-9abc-0080c7e7b78d}
Present !! : HKCR\Interface\{4897bba6-48d9-468c-8efa-846275d7701b}
Present !! : HKCR\TypeLib\{248dd890-bb45-11cf-9abc-0080c7e7b78d}
Present !! : HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C80B7FF6-CE60-4079-935E-520C045C30A6}
Present !! : HKLM\Software\Classes\CLSID\{9AFB8248-617F-460D-9366-D71CDEDA3179}

============

catchme 0.3.1398.3 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-21 15:10:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\hjgruibofaqacf]
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=str(2):"\systemroot\system32\drivers\hjgruiowvubuoy.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\hjgruibofaqacf\main]
"aid"="10002"
"sid"="0"
"cmddelay"=dword:00003840

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\hjgruibofaqacf\modules]
"hjgruirk.sys"="\systemroot\system32\drivers\hjgruiowvubuoy.sys"
"hjgruicmd.dll"="\systemroot\system32\hjgruinnauaklx.dll"
"hjgruilog.dat"="\systemroot\system32\hjgruitidkbkfq.dat"
"hjgruiwsp.dll"="\systemroot\system32\hjgruihslrajyg.dll"
"hjgrui.dat"="\systemroot\system32\hjgruiybpnvqyt.dat"
"hjgruiwsp8.dll"="\systemroot\system32\hjgruisxbnetae.dll"
"hjgruiconz.dll"="\systemroot\system32\hjgruidbsivlab.dll"
"hjgruiwsp8p.dll"="\systemroot\system32\hjgruiufykruom.dll"
"hjgruicont.dll"="\systemroot\system32\hjgruisvxewfob.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC]
"h0"=dword:00000001
"hdf12"=hex:8e,bd,4f,95,98,0e,ca,c1,54,be,ed,ec,3f,68,15,f9,e6,62,8a,6d,d6,..
"p0"="C:\Program Files\DAEMON Tools Lite\"
"u0"=hex:d4,c3,97,02,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001]
"a0"=hex:20,01,00,00,b2,5b,bb,9a,8d,dd,66,f4,4e,da,4f,2a,b2,c4,a0,5c,04,..
"hdf12"=hex:26,92,eb,af,47,8b,53,a0,4f,1d,71,ea,9b,e6,18,ce,fb,fa,ec,15,d7,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0]
"hdf12"=hex:d5,9a,65,ce,56,7d,51,fa,2a,49,05,69,47,7d,04,fa,54,b7,4e,9e,b5,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:f3,8b,47,0f,3d,3f,77,56,4a,73,de,d9,e5,ef,66,cf,38,47,07,93,c7,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC]
"h0"=dword:00000001
"hdf12"=hex:61,7f,b4,99,77,e4,d1,ae,30,7e,5b,b3,a6,a3,df,42,b1,87,39,24,03,..
"p0"="C:\Program Files\DAEMON Tools Lite\"
"u0"=hex:d4,c3,97,02,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001]
"a0"=hex:20,01,00,00,b2,5b,bb,9a,8d,dd,66,f4,4e,da,4f,2a,b2,c4,a0,5c,04,..
"hdf12"=hex:26,92,eb,af,47,8b,53,a0,4f,1d,71,ea,9b,e6,18,ce,fb,fa,ec,15,d7,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0]
"hdf12"=hex:d5,9a,65,ce,56,7d,51,fa,2a,49,05,69,47,7d,04,fa,54,b7,4e,9e,b5,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:f3,8b,47,0f,3d,3f,77,56,4a,73,de,d9,e5,ef,66,cf,38,47,07,93,c7,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000000
"khjeh"=hex:82,f7,ce,c3,36,0f,a6,c5,45,80,2a,f4,d2,67,87,c3,59,bf,38,85,9e,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,26,d6,3b,1c,af,28,8c,f3,92,7a,28,c2,b6,50,48,cb,c8,..
"khjeh"=hex:3f,46,13,e3,26,5d,3e,16,4a,77,a7,2d,c2,67,fd,26,7d,e0,9d,40,42,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:a5,03,73,2f,cc,ad,a1,b6,51,52,19,ad,d5,81,fd,8a,c7,28,45,81,99,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC]
"h0"=dword:00000001
"hdf12"=hex:61,7f,b4,99,77,e4,d1,ae,30,7e,5b,b3,a6,a3,df,42,b1,87,39,24,03,..
"p0"="C:\Program Files\DAEMON Tools Lite\"
"u0"=hex:d4,c3,97,02,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001]
"a0"=hex:20,01,00,00,b2,5b,bb,9a,8d,dd,66,f4,4e,da,4f,2a,b2,c4,a0,5c,04,..
"hdf12"=hex:26,92,eb,af,47,8b,53,a0,4f,1d,71,ea,9b,e6,18,ce,fb,fa,ec,15,d7,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0]
"hdf12"=hex:d5,9a,65,ce,56,7d,51,fa,2a,49,05,69,47,7d,04,fa,54,b7,4e,9e,b5,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:f3,8b,47,0f,3d,3f,77,56,4a,73,de,d9,e5,ef,66,cf,38,47,07,93,c7,..

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\System]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x83299EC0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\ACPI -> 0x83299ec0
NDIS: Generic Marvell Yukon Chipset based Ethernet Controller -> SendCompleteHandler -> 0x83354330
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x01D1C4581
malicious code @ sector 0x01D1C4584 !
PE file found in sector at 0x01D1C459A !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

==========
Programs
==========

Acro Software
Adobe
Adventure Game Studio 3.1.2 SP1
AntiVir PersonalEdition Classic
ArcSoft
Astase
Brother
C.E.W
CCleaner
commercial
Compil Games
DAEMON Tools Lite
Debugging Tools for Windows (x86)
DIFX
DivX
EASEUS
EasyPHP 3.0
FastCaisse
Fichiers communs
FileZilla FTP Client
Firebird
Flickr Uploadr
FreeMind
Game_Maker8
Google
GPLGS
Install Creator
InstallShield Installation Information
Internet Explorer
Java
Journal de sauvegarde
K-Lite Codec Pack
List_Kill'em
Macromedia
MadTracker
Malwarebytes' Anti-Malware
Maxis
Messenger
Messenger Plus! Live
Microsoft
Microsoft ActiveSync
Microsoft CAPICOM 2.1.0.2
Microsoft Chart Controls
microsoft frontpage
Microsoft Money 2005
Microsoft Office
Microsoft Visual Studio
Microsoft Visual Studio 8
Microsoft Windows Script
Microsoft Works
Microsoft.NET
Movie Maker
Mozilla Firefox
MSBuild
msn
MSN Gaming Zone
MSXML 4.0
NetMeeting
Nokia
OO Software
Outlook Express
PC Connectivity Solution
PSPad editor
Realtek
Reference Assemblies
Seagate
Sega
Services en ligne
Skyline
SpeedFan
Spybot - Search & Destroy
StepMania
Symbian
Trend Micro
TuneUp Utilities 2008
Uninstall Information
Unity
VideoLAN
Vuze
Windows Desktop Search
Windows Live
Windows Media Connect 2
Windows Media Player
Windows NT
Windows Plus
WindowsUpdate
WinRAR
xerox

============
Drive C:
============

Boot.bak
boot.ini
cmdcons
cmldr
ComboFix
Config.Msi
config.sys
Documents and Settings
drv
eDS_PSD_drive.vmdf
games
GUIDE
i386
IO.SYS
Kill'em
List'em.txt
logwmemory.bin
MSDOS.SYS
MSOCache
NTDETECT.COM
ntldr
NVIDIA
pagefile.sys
PDOXUSRS.NET
Program Files
Qoobox
sqmdata00.sqm
sqmdata01.sqm
sqmnoopt00.sqm
sqmnoopt01.sqm
SYSINFO
System Volume Information
Temp
VALUEADD
WINDOWS

¤¤¤¤¤¤¤¤¤¤ Cracks | Keygens | Serials





¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤( EOF )¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

End of scan : 15:34:01,43
0
Anonymous user
21 Feb. 2010 at 15:37
no problem
0
Anonymous user
21 Feb. 2010 at 15:58
Good, we've found the rootkit.

Run these two little applications I've just put together for you and post the reports:

http://sd-1.archive-host.com/membres/up/829108531491024/Temp_Tools/Remove_File_codename.exe
http://sd-1.archive-host.com/membres/up/829108531491024/Temp_Tools/Remove_Key_Codename.exe

then:

▶ Relaunch List_Kill'em (via right-click for Vista/7), using the shortcut on your desktop,
but this time:

▶ choose option 2 = Mode Suppression (removal mode)

let the tool work.

at the end of the scan a report opens

▶ paste its contents into your reply

then:

▶ Relaunch List_Kill'em (via right-click for Vista/7), using the shortcut on your desktop,
but this time:

▶ choose option 6 = Restore MBR

let the tool work.

at the end of the scan a report opens

▶ paste its contents into your reply
0
Reports from the two applications:
Remove file:
"file:"
Remove key:
"key:
key:"

Kill'em report:
Kill'em by g3n-h@ckm@n 1.2.5.3

User : Jay (Administrateurs)
Update on 19/02/2010 by g3n-h@ckm@n ::::: 13.15
Start at: 16:01:32 | 21/02/2010
Contact : https://forums.commentcamarche.net/forum/virus-securite-7

AMD Athlon(tm) 64 X2 Dual Core Processor 4200+
Microsoft Windows XP Professionnel (5.1.2600 32-bit) # Service Pack 3
Internet Explorer 8.0.6001.18702
Windows Firewall Status : Enabled
AV : Avira AntiVir PersonalEdition 8.0.1.30 [ (!) Disabled | Updated ]
FW : Norton Internet Worm Protection[ (!) Disabled ]2006

C:\ -> Disque fixe local | 113,27 Go (75,21 Go free) [ACER] | NTFS
D:\ -> Disque fixe local | 113,73 Go (3,89 Go free) [ACERDATA] | FAT32
E:\ -> Disque CD-ROM
G:\ -> Disque CD-ROM
I:\ -> Disque amovible | 1,87 Go (1,07 Go free) | FAT
J:\ -> Disque amovible
K:\ -> Disque amovible
L:\ -> Disque amovible
O:\ -> Disque fixe local | 465,76 Go (130,39 Go free) [FreeAgent Drive] | NTFS


¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Processes running

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Astase\UltraBackup\4.9\bin\tbsd.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Astase\UltraBackup\4.9\bin\thpassiveclientsvc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\oodtray.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\Program Files\DAEMON Tools Lite\DTLite.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\List_Kill'em\List_Kill'em.scr
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Documents and Settings\Jay\Local Settings\temp\12.tmp\ERUNT.EXE
C:\Documents and Settings\Jay\Local Settings\temp\12.tmp\pv.exe

Detections :
==========


¤¤¤¤¤¤¤¤¤¤ Files/folders :

Quarantined & Deleted !! : C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
Quarantined & Deleted !! : C:\WINDOWS\aucfg.ini
Quarantined & Deleted !! : C:\WINDOWS\kb913800.exe

Quarantined & Deleted !! : C:\WINDOWS\System32\clauth1.dll
Quarantined & Deleted !! : C:\WINDOWS\System32\clauth2.dll
Quarantined & Deleted !! : C:\WINDOWS\System32\drivers\etc\hosts.msn
Quarantined & Deleted !! : C:\WINDOWS\System32\lsprst7.dll
Quarantined & Deleted !! : C:\WINDOWS\System32\lsprst7.tgz
Quarantined & Deleted !! : C:\WINDOWS\System32\SET299.tmp
Quarantined & Deleted !! : C:\WINDOWS\System32\SET29A.tmp
Quarantined & Deleted !! : C:\WINDOWS\System32\SET2E8.tmp
Quarantined & Deleted !! : C:\WINDOWS\System32\SET2EA.tmp
Quarantined & Deleted !! : C:\WINDOWS\System32\SET2F6.tmp
Quarantined & Deleted !! : C:\WINDOWS\System32\ssprs.dll
Quarantined & Deleted !! : C:\WINDOWS\System32\sysprs7.dll
Quarantined & Deleted !! : C:\WINDOWS\System32\sysprs7.tgz
Quarantined & Deleted !! : C:\Documents and Settings\Jay\Local Settings\Temp\9.tmp
Quarantined & Deleted !! : C:\Documents and Settings\Jay\LOCAL Settings\Temp\Perflib_Perfdata_1490.dat
Quarantined & Deleted !! : C:\Documents and Settings\Jay\LOCAL Settings\Temp\Perflib_Perfdata_774.dat
Quarantined & Deleted !! : C:\Documents and Settings\Jay\LOCAL Settings\Temp\egX9rYTw.dll
Quarantined & Deleted !! : C:\Documents and Settings\Jay\LOCAL Settings\Temp\hGu8YnFX.dll
Quarantined & Deleted !! : C:\Documents and Settings\Jay\LOCAL Settings\Temp\I64xG6fq.dll
Quarantined & Deleted !! : C:\Documents and Settings\Jay\LOCAL Settings\Temp\NEventMessages.dll
Quarantined & Deleted !! : C:\Documents and Settings\Jay\LOCAL Settings\Temp\sfextra.dll
Quarantined & Deleted !! : C:\Documents and Settings\Jay\LOCAL Settings\Temp\u2nOvr41.dll

==============
host file OK !
==============

========
Registry
========

Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{0E5CBF21-D15F-11D0-8301-00AA005B4383}
Deleted : HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives
Deleted : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives
Deleted : "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe"
Deleted : "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe"
Deleted : HKCR\CLSID\{248dd896-bb45-11cf-9abc-0080c7e7b78d}
Deleted : HKCR\CLSID\{248dd897-bb45-11cf-9abc-0080c7e7b78d}
Deleted : HKCR\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179}
Deleted : HKCR\Interface\{248dd892-bb45-11cf-9abc-0080c7e7b78d}
Deleted : HKCR\Interface\{248dd893-bb45-11cf-9abc-0080c7e7b78d}
Deleted : HKCR\Interface\{4897bba6-48d9-468c-8efa-846275d7701b}
Deleted : HKCR\TypeLib\{248dd890-bb45-11cf-9abc-0080c7e7b78d}
Deleted : HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C80B7FF6-CE60-4079-935E-520C045C30A6}
========
Services
=========

Ndisuio : Start = 3
EapHost : Start = 2
Ip6Fw : Start = 2
SharedAccess : Start = 2
wuauserv : Start = 2
wscsvc : Start = 2

============
Disk Cleaned
============

=================
anti-ver blaster : OK !!
=================

================
Prefetch cleaned
================



¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤( EOF )¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

MBR report:
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\ACPI -> 0x83299ec0
NDIS: Generic Marvell Yukon Chipset based Ethernet Controller -> SendCompleteHandler -> 0x83354330
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x01D1C4581
malicious code @ sector 0x01D1C4584 !
PE file found in sector at 0x01D1C459A !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
original MBR restored successfully !


There you go... Quickly, what's the working principle behind all these programs?
0
Hey, while closing the text files I got a freeze and a motherboard beep... Let's reboot
0

Anonymous user
21 Feb. 2010 at 16:50
ok, relaunch the two little applications in safe mode please and save the reports
0
I can't get into safe mode, my PC reboots once the system files are loaded.
0
Anonymous user
21 Feb. 2010 at 17:04

/!\ WARNING: FOLLOW THESE INSTRUCTIONS SCRUPULOUSLY AND TO THE LETTER /!\

▶ Above all, when saving, remember to rename ComboFix to "yourfirstname.exe" before it is saved to your hard drive

_______________________________________________________________
>This software is only to be used when prescribed by a qualified helper trained in the tool.<
>>>>>>>Do not use outside of this situation: dangerous!<<<<<<<<
======================================================


▶ We're going to use ComboFix.exe. Go to this web page to get the download links, as well as instructions for running the tool:

https://www.bleepingcomputer.com/combofix/fr/comment-utiliser-combofix

Before using ComboFix:
______________________________________________________________________
>> close the windows of all running programs.
>> Temporarily disable, and only for as long as ComboFix is in use,
>>the real-time protection of your antivirus and your antispyware programs,
>>which can seriously interfere with the tool's scanning and cleaning procedure.

°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°


▶ !!!!!DO NOT TOUCH ANYTHING WHILE COMBOFIX IS WORKING (MOUSE/KEYBOARD.....)!!!!!

▶ don't forget to re-enable the protection of your antivirus and antispyware programs before reconnecting to the internet.

>> Come back to the forum, and

▶ copy and paste the entire contents of C:\Combofix.txt into your next message.

0
Here is the log:

ComboFix 10-02-20.04 - Jay 21/02/2010 17:31:05.2.2 - x86
Microsoft Windows XP Professionnel 5.1.2600.3.1252.33.1036.18.767.372 [GMT 1:00]
Lancé depuis: c:\documents and settings\Jay\Bureau\Jay.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

O:\Autorun.inf
.
---- Exécution préalable -------
.
c:\documents and settings\All Users\Application Data\anige.vbs
c:\documents and settings\All Users\Application Data\pysilujigo.vbs
C:\Thumbs.db
c:\windows\azoname.exe
c:\windows\bupupa.inf
c:\windows\opapy.vbs
c:\windows\patch.exe
c:\windows\system32\drivers\downld\6203812.exe
c:\windows\system32\hjgruidbsivlab.dll
c:\windows\system32\hjgruihslrajyg.dll
c:\windows\system32\hjgruinnauaklx.dll
c:\windows\system32\hjgruisvxewfob.dll
c:\windows\system32\hjgruitidkbkfq.dat
c:\windows\system32\hjgruiufykruom.dll
c:\windows\system32\hjgruiybpnvqyt.dat
c:\windows\system32\Thumbs.db

.
((((((((((((((((((((((((((((((((((((((( Pilotes/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_hjgruibofaqacf
-------\Service_hjgruibofaqacf


((((((((((((((((((((((((((((( Fichiers créés du 2010-01-21 au 2010-02-21 ))))))))))))))))))))))))))))))))))))
.

2010-02-21 15:16 . 2010-02-21 15:16 -------- d-----w- C:\Kill'em
2010-02-21 15:00 . 2010-02-21 15:00 -------- d-----w- C:\Remove_File
2010-02-21 14:02 . 2010-02-21 14:02 -------- d-----w- c:\program files\List_Kill'em
2010-02-20 23:01 . 2010-02-20 23:01 -------- d-----w- c:\documents and settings\Jay\Application Data\Malwarebytes
2010-02-20 23:01 . 2010-01-07 15:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-20 23:01 . 2010-02-20 23:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-20 23:00 . 2010-01-07 15:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-20 23:00 . 2010-02-20 23:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-20 22:49 . 2010-02-20 22:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-02-20 22:22 . 2010-02-20 22:22 -------- d-----w- c:\documents and settings\Jay\DoctorWeb
2010-02-20 20:12 . 2010-02-20 20:13 -------- d-----w- c:\program files\SpeedFan
2010-02-20 17:51 . 2010-02-20 17:51 -------- d-----w- C:\games
2010-02-07 23:13 . 2010-02-08 07:35 -------- d-----w- c:\program files\DAEMON Tools Lite
2010-02-07 22:54 . 2005-10-03 00:05 356437 ----a-w- c:\windows\system32\GDS32.DLL
2010-02-07 22:54 . 2010-02-07 22:54 -------- d-----w- c:\program files\Firebird
2010-02-07 22:53 . 2010-02-07 22:56 -------- d-----w- c:\program files\FastCaisse
2010-02-07 13:51 . 2010-02-07 13:51 -------- d-----w- c:\program files\Maxis
2010-02-07 13:34 . 2010-02-07 13:34 -------- d-----w- c:\program files\Sega
2010-02-04 10:38 . 2010-02-04 10:38 50354 ----a-w- c:\documents and settings\Jay\Application Data\Facebook\uninstall.exe
2010-02-04 10:38 . 2010-02-04 10:38 -------- d-----w- c:\documents and settings\Jay\Application Data\Facebook
2010-02-03 23:17 . 2010-02-03 23:17 -------- d-----w- c:\program files\Adventure Game Studio 3.1.2 SP1
2010-02-03 22:52 . 2010-02-03 22:52 -------- d-----w- c:\documents and settings\Jay\Application Data\Unity
2010-02-03 22:52 . 2010-02-03 22:52 -------- d-----w- c:\documents and settings\Jay\Local Settings\Application Data\Unity
2010-02-03 22:50 . 2010-02-03 22:51 -------- d-----w- c:\documents and settings\Jay\Application Data\PACE Anti-Piracy
2010-02-03 22:50 . 2010-02-03 22:51 -------- d-----w- c:\documents and settings\All Users\Application Data\PACE Anti-Piracy
2010-02-03 22:50 . 2010-02-03 22:50 -------- d-----w- c:\program files\Fichiers communs\PACE Anti-Piracy
2010-02-03 22:50 . 2010-02-03 22:50 -------- d-----w- c:\documents and settings\Jay\Local Settings\Application Data\PACE Anti-Piracy
2010-02-03 22:43 . 2010-02-03 22:43 -------- d-----w- c:\program files\Unity
2010-02-03 22:24 . 2010-02-03 22:24 -------- d-----w- c:\program files\Game_Maker8
2010-02-03 22:23 . 2010-02-03 22:59 -------- d-----w- c:\documents and settings\Jay\.Game Develop
2010-02-03 22:22 . 2010-02-03 22:59 -------- d-----w- c:\program files\Compil Games
2010-02-01 22:04 . 2010-02-01 22:04 847040 ----a-w- c:\documents and settings\Jay\Application Data\Facebook\axfbootloader.dll
2010-02-01 22:04 . 2010-02-01 22:04 5578752 ----a-w- c:\documents and settings\Jay\Application Data\Facebook\npfbplugin_1_0_1.dll
2010-01-25 22:51 . 2010-01-25 22:51 -------- d-----w- c:\program files\GPLGS
2010-01-25 12:13 . 2010-01-25 12:13 -------- d-----w- c:\program files\EASEUS
2010-01-24 20:54 . 2010-01-24 20:54 -------- d-----w- c:\documents and settings\Jay\Application Data\WindSolutions
2010-01-22 17:08 . 2010-01-22 14:54 34503600 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Nokia_PC_Suite_7_1_40_1_fre_web.exe
2010-01-22 17:08 . 2010-01-22 17:08 95232 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\pcswpcsi.exe
2010-01-22 17:08 . 2010-01-22 17:08 8192 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstCCD.exe
2010-01-22 17:08 . 2010-01-22 17:08 61440 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
2010-01-22 17:08 . 2010-01-22 17:08 10240 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstPCS.exe

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-21 12:32 . 2007-07-31 18:40 -------- d-----w- c:\documents and settings\All Users\Application Data\AntiVir PersonalEdition Classic
2010-02-16 13:14 . 2008-06-30 10:16 -------- d-----w- c:\documents and settings\Jay\Application Data\FileZilla
2010-02-14 11:59 . 2006-12-13 19:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-02-07 23:21 . 2006-12-21 20:46 -------- d-----w- c:\documents and settings\Jay\Application Data\Azureus
2010-02-07 23:13 . 2007-12-30 12:27 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-02-07 23:13 . 2009-08-13 16:41 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2010-02-07 13:34 . 2006-08-11 17:53 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-22 22:48 . 2008-01-25 19:27 -------- d-----w- c:\documents and settings\Jay\Application Data\dvdcss
2010-01-22 17:30 . 2007-01-20 18:53 -------- d-----w- c:\documents and settings\Jay\Application Data\Nokia
2010-01-22 17:09 . 2007-01-20 18:47 -------- d-----w- c:\program files\Fichiers communs\PCSuite
2010-01-22 17:08 . 2008-04-03 20:08 -------- d-----w- c:\program files\Fichiers communs\Nokia
2010-01-22 17:08 . 2007-01-20 18:47 -------- d-----w- c:\program files\Nokia
2010-01-22 17:08 . 2007-04-20 07:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Installations
2010-01-22 14:16 . 2006-08-11 17:43 95554 ----a-w- c:\windows\system32\perfc00C.dat
2010-01-22 14:16 . 2006-08-11 17:43 540272 ----a-w- c:\windows\system32\perfh00C.dat
2010-01-17 22:06 . 2010-01-17 22:06 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2010-01-17 22:02 . 2010-01-17 22:02 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-01-17 11:17 . 2010-01-17 11:17 -------- d-----w- c:\documents and settings\Jay\Application Data\Nokia Ovi Suite
2010-01-17 10:46 . 2010-01-17 10:46 -------- d-----w- c:\program files\PC Connectivity Solution
2010-01-17 10:45 . 2010-01-17 10:45 12212040 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\WMFDist11-WindowsXP-X86-ENU.exe
2010-01-17 10:45 . 2010-01-17 10:45 13930312 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\WMFDist11-WindowsXP-X64-ENU.exe
2010-01-17 10:45 . 2010-01-17 10:45 77824 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\Run_XML6_SP1.exe
2010-01-17 10:45 . 2010-01-17 10:45 61440 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\WMF11Runx86.exe
2010-01-17 10:45 . 2010-01-17 10:45 58880 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\WMF11Runx64.exe
2010-01-17 10:45 . 2010-01-17 10:45 50000 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\pcswpc.exe
2010-01-17 10:40 . 2010-01-17 10:40 -------- d-----w- c:\documents and settings\All Users\Application Data\OviInstallerCache
2010-01-17 10:40 . 2010-01-17 10:40 95992424 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Nokia_Ovi_Suite_webinstaller(2).exe
2010-01-15 10:03 . 2006-12-02 09:51 125200 -c--a-w- c:\documents and settings\Jay\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-15 02:34 . 2009-09-04 18:20 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-15 01:00 . 2010-01-15 01:00 -------- d-----w- c:\program files\CCleaner
2010-01-15 00:21 . 2007-06-11 20:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-14 23:53 . 2010-01-14 23:53 -------- d-----w- c:\program files\OO Software
2010-01-14 23:44 . 2009-08-11 14:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-01-14 23:35 . 2007-06-11 19:34 -------- d-----w- c:\program files\Fichiers communs\Wise Installation Wizard
2010-01-10 23:46 . 2010-01-10 23:46 312128 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-01-09 09:46 . 2008-01-09 18:52 -------- d-----w- c:\program files\Microsoft Works
2009-12-31 16:50 . 2005-05-10 00:17 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-25 20:32 . 2009-08-15 14:31 -------- d-----w- c:\program files\C.E.W
2009-12-21 19:07 . 2006-03-04 04:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-17 07:41 . 2004-08-10 20:00 347648 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:09 . 2004-08-10 20:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-09 10:08 . 2005-09-29 18:28 2147328 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-09 10:08 . 2005-09-29 18:28 2025984 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 2005-01-19 04:26 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:13 . 2005-08-30 04:16 1297920 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:13 . 2004-08-10 20:00 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 16:08 . 2004-08-10 20:00 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:08 . 2004-08-10 20:00 85504 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:08 . 2004-08-10 20:00 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:08 . 2004-08-10 20:00 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:08 . 2004-08-10 20:00 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-10-15 14:42 . 2009-10-15 14:42 14078 ----a-w- c:\program files\Fichiers communs\suvosa.dl
2009-10-15 14:42 . 2009-10-15 14:42 13260 ----a-w- c:\program files\Fichiers communs\kafako.com
2009-10-15 14:42 . 2009-10-15 14:42 10994 ----a-w- c:\program files\Fichiers communs\yjoseceqeq.dl
2008-08-25 20:00 . 2008-08-25 20:04 330 -c-h-tr- c:\program files\Journal de sauvegarde
2008-04-14 02:34 . 2009-02-24 19:57 60416 -csha-w- c:\windows\NiwradSoft Shell Pack\Backup\msimn.exe
2009-07-19 19:17 . 2009-07-19 19:17 88 --sh--r- c:\windows\system32\7A004F5EDB.sys
2008-01-21 15:56 . 2008-01-21 15:55 88 -csha-r- c:\windows\system32\F1BE1573B3.sys
2009-07-19 19:19 . 2008-01-21 15:50 2516 -csha-w- c:\windows\system32\KGyGaAvL.sys
.

------- Sigcheck -------

[-] 2008-04-14 . E2C2F42C096F1C3110F663C2EF90B815 . 1544704 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[7] 2008-04-14 . F2317622D29F9FF0F88AEECD5F60F0DD . 1037824 . . [6.00.2900.5512] . . c:\windows\NiwradSoft Shell Pack\Backup\explorer.exe
[-] 2008-04-14 . E2C2F42C096F1C3110F663C2EF90B815 . 1544704 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe
[-] 2007-06-13 . D0288319660EDCFED07C7E74C4EA38A5 . 1037312 . . [6.00.2900.3156] . . c:\windows\$NtServicePackUninstall$\explorer.exe
[-] 2007-06-13 . B795475444D6D57A572C14B9E1A29839 . 1037312 . . [6.00.2900.3156] . . c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
.
((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2009-11-11 1451520]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-01 16208384]
"avgnt"="c:\program files\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-17 266497]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-10 13758464]
"nwiz"="nwiz.exe" [2009-06-10 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-06-10 86016]
"OODefragTray"="c:\windows\system32\oodtray.exe" [2007-05-11 2512392]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\FICHIE~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMServer]
c:\program files\Fichiers communs\Nokia\MPlatform\NokiaMServer [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2008-08-14 05:58 611712 ----a-w- c:\program files\Fichiers communs\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
2006-06-26 20:45 1211176 ----a-w- c:\program files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-02-16 15:15 221184 ----a-w- c:\progra~1\FICHIE~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 02:34 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2009-07-26 15:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-07-19 18:53 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Lavasoft Ad-Aware Service"=2 (0x2)
"FirebirdServerDefaultInstance"=3 (0x3)
"FirebirdGuardianDefaultInstance"=2 (0x2)
"ProtexisLicensing"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
"IMEKRMIG6.1"=c:\windows\ime\imkr6_1\IMEKRMIG.EXE
"MSPY2002"=c:\windows\system32\IME\PINTLGNT\ImScInst.exe /SYNC
"nwiz"=nwiz.exe /install
"ehTray"=c:\windows\ehome\ehtray.exe
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"ISUSPM Startup"=c:\progra~1\FICHIE~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
"ISUSScheduler"="c:\program files\Fichiers communs\InstallShield\UpdateService\issch.exe" -start
"_BackupService"="c:\program files\Astase\UltraBackup\4.9\bin\tbs.exe" -start
"thnotify"="c:\program files\Astase\UltraBackup\4.9\bin\thtrayagent.exe" /start

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Java\\jre1.6.0_01\\launch4j-tmp\\RKMediaCenter.exe"=
"c:\\Program Files\\FileZilla FTP Client\\filezilla.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Fichiers communs\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\C.E.W\\OpenLieroX.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\EasyPHP 3.0\\mysql\\bin\\mysqld.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Vuze\\Azureus.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3246:TCP"= 3246:TCP:Services
"2479:TCP"= 2479:TCP:Services
"6114:TCP"= 6114:TCP:Services

R1 hwinterface;hwinterface;c:\windows\system32\drivers\hwinterface.sys [31/03/2007 21:37 2996]
R2 ThalliumServer;Astase ThalliumBackup Storage Service;c:\program files\Astase\UltraBackup\4.9\bin\tbsd.exe [14/10/2007 11:31 1929728]
R2 thpassivesvc;Astase ThalliumBackup Client Background Service;c:\program files\Astase\UltraBackup\4.9\bin\thpassiveclientsvc.exe [14/10/2007 11:31 618496]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [30/12/2007 13:27 691696]
S1 jdlgmfib;jdlgmfib;\??\c:\windows\system32\drivers\jdlgmfib.sys --> c:\windows\system32\drivers\jdlgmfib.sys [?]
S2 AdobeAdobeAlerter;Adobe LM Service AdobeAdobeAlerter;c:\windows\TEMP\evbupehsdi.exe service --> c:\windows\TEMP\evbupehsdi.exe service [?]
S2 cmjwu;cmjwu;\??\c:\windows\system32\drivers\miayk.sys --> c:\windows\system32\drivers\miayk.sys [?]
S2 gupdate1c98986541bab5f;Google Update Service (gupdate1c98986541bab5f);c:\program files\Google\Update\GoogleUpdate.exe [08/02/2009 01:43 133104]
S2 ibkqqmi;ibkqqmi;\??\c:\windows\system32\drivers\cdmumqhiyj.sys --> c:\windows\system32\drivers\cdmumqhiyj.sys [?]
S3 BTCAMDRV;Mobiola Web Camera driver;c:\windows\system32\drivers\BTCamDrv.sys [24/02/2007 22:44 228352]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [17/01/2010 11:46 136704]
S3 sfr0901;SFR Connexion Adapter V9;c:\windows\system32\drivers\sfr0901.sys [24/02/2008 20:54 26496]
S4 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\program files\Firebird\Firebird_1_5\bin\fbguard.exe -s --> c:\program files\Firebird\Firebird_1_5\bin\fbguard.exe -s [?]
S4 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program files\Firebird\Firebird_1_5\bin\fbserver.exe -s --> c:\program files\Firebird\Firebird_1_5\bin\fbserver.exe -s [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contenu du dossier 'Tâches planifiées'

2010-02-21 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-06-20 07:09]

2010-02-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-08 00:43]

2010-02-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-08 00:43]

2010-02-21 c:\windows\Tasks\User_Feed_Synchronization-{7FFA8037-D4E6-4E0A-940E-DACBF666952F}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 02:31]
.
.
------- Examen supplémentaire -------
.
uStart Page = hxxp://news.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://fr.fr.acer.yahoo.com/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
Trusted Zone: localhost
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {051D0E35-F4E3-4C8D-B411-AB0875F4C683} - hxxp://install.anark.com/client/version4/windows-ie/en/AMClient.cab
DPF: {210D0CBC-8B17-48D1-B294-1A338DD2EB3A} - hxxp://82.127.76.211:91/VatDec.cab
FF - ProfilePath - c:\documents and settings\Jay\Application Data\Mozilla\Firefox\Profiles\xvu7etdj.default\
FF - prefs.js: browser.startup.homepage - hxxp://news.google.fr/
FF - component: c:\program files\Nokia\Nokia PC Suite 7\bkmrksync\components\BkMrkExt.dll
FF - plugin: c:\documents and settings\Jay\Application Data\Facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- PARAMETRES FIREFOX ----
.
- - - - ORPHELINS SUPPRIMES - - - -

HKU-Default-Run-Nokia.PCSync - c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe
MSConfigStartUp-Ad-Watch - c:\program files\Lavasoft\Ad-Aware\AAWTray.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-21 17:37
Windows 5.1.2600 Service Pack 3 NTFS

Recherche de processus cachés ...

Recherche d'éléments en démarrage automatique cachés ...

Recherche de fichiers cachés ...

Scan terminé avec succès
Fichiers cachés: 0

**************************************************************************
.
--------------------- CLES DE REGISTRE BLOQUEES ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:d0,1b,23,d0,cf,b9,03,0e,20,c2,d5,1d,7b,e4,a0,c1,fc,1e,30,d4,f4,
4c,04,1f,08,6c,4c,17,a9,24,a7,89,05,d2,9f,92,e5,51,d4,bc,ff,e7,e0,0b,60,98,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:d0,1b,23,d0,cf,b9,03,0e,20,c2,d5,1d,7b,e4,a0,c1,fc,1e,30,d4,f4,
4c,04,1f,08,6c,4c,17,a9,24,a7,89,05,d2,9f,92,e5,51,d4,bc,ff,e7,e0,0b,60,98,\
.
--------------------- DLLs chargées dans les processus actifs ---------------------

- - - - - - - > 'winlogon.exe'(768)
c:\windows\system32\SETUPAPI.dll

- - - - - - - > 'lsass.exe'(824)
c:\windows\system32\setupapi.dll
.
Heure de fin: 2010-02-21 17:40:35
ComboFix-quarantined-files.txt 2010-02-21 16:40

Avant-CF: 80 768 126 976 octets libres
Après-CF: 80 868 048 896 octets libres

Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - D2C6820D207F758B2738E34DD2159775
0
Anonymous user
21 Feb 2010 at 18:07
Redo option 6 of List_Kill'em

then:

Download OTL by OldTimer

Save it to your Desktop.

▶ Double-click (for Vista / 7 => right-click "Run as administrator") on OTL.exe to launch it.

▶ Tick the 2 boxes Lop and Purity

▶ Tick the box in front of scan all users

▶ Set it to "60 Days"

▶ In the left-hand column, set everything to "all"

Do not change these:

"files created within" and "files modified within"


▶ Click on Run Scan.

At the end of the scan, Notepad will open with the report (OTL.txt).

This file is on your Desktop (usually C:\Documents and settings\your_session_name\OTL.txt)

▶▶▶ DO NOT POST IT ON THE FORUM

To send it to me, click on this link: http://www.cijoint.fr/

▶ Click on Browse and find the file above.

▶ Click on Open.

▶ Click on "Cliquez ici pour déposer le fichier" (Click here to upload the file).

A link of this form:

http://www.cijoint.fr/cjlink.php?file=cjge368/cijSKAP5fU.txt

is added to the page.

▶ Copy this link into your reply.

▶▶ Do the same with "Extra.txt".
0
OTL: http://www.cijoint.fr/cjlink.php?file=cj201002/cijHd3vk9e.txt
Extras: http://www.cijoint.fr/cjlink.php?file=cj201002/cijdVrla9I.txt

Thanks again in advance...
0
Anonymous user
21 Feb 2010 at 19:45
List_Kill'em option 6 report as requested ????
0
You hadn't asked for it, but here it is:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x01D1C4581
malicious code @ sector 0x01D1C4584 !
PE file found in sector at 0x01D1C459A !

So basically it hasn't changed, if I understand correctly...
0
On other forums people talk about using the fixmbr command from the Recovery Console. Is that a valid solution?
0
Anonymous user
21 Feb 2010 at 21:44
0
"Redo option 6 of List_Kill'em"
Pick the option again, but as for the log... :p Anyway. I tried an mbrfix, after reading quite a few other forums, and ran another scan with Combofix. Waiting to see.
0
So if I've understood correctly, the rootkit is gone with the fixmbr. Well, good riddance! Here's the log. After that I'll run my media through the antivirus again and then it should be fine :p

ComboFix 10-02-21.02 - Jay 21/02/2010 21:57:11.3.2 - x86
Microsoft Windows XP Professionnel 5.1.2600.3.1252.33.1036.18.767.252 [GMT 1:00]
Lancé depuis: c:\documents and settings\Jay\Bureau\Jay.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\Thumbs.db

.
((((((((((((((((((((((((((((( Fichiers créés du 2010-01-21 au 2010-02-21 ))))))))))))))))))))))))))))))))))))
.

2010-02-21 20:47 . 2010-02-21 20:47 -------- d-----w- C:\Kill'em
2010-02-21 20:03 . 2010-02-21 20:03 -------- d-----w- c:\program files\Sophos
2010-02-21 19:34 . 2010-02-21 19:34 -------- d-----w- c:\documents and settings\LocalService\Menu Démarrer
2010-02-21 19:34 . 2009-03-30 08:32 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-02-21 19:34 . 2009-11-25 10:19 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-02-21 19:34 . 2009-02-13 10:28 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-02-21 19:34 . 2009-02-13 10:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-02-21 19:33 . 2010-02-21 19:33 -------- d-----w- c:\program files\Avira
2010-02-21 19:33 . 2010-02-21 19:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-02-21 15:00 . 2010-02-21 15:00 -------- d-----w- C:\Remove_File
2010-02-21 14:02 . 2010-02-21 14:02 -------- d-----w- c:\program files\List_Kill'em
2010-02-20 23:01 . 2010-02-20 23:01 -------- d-----w- c:\documents and settings\Jay\Application Data\Malwarebytes
2010-02-20 23:01 . 2010-01-07 15:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-20 23:01 . 2010-02-20 23:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-20 23:00 . 2010-01-07 15:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-20 23:00 . 2010-02-20 23:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-20 22:49 . 2010-02-20 22:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-02-20 22:22 . 2010-02-20 22:22 -------- d-----w- c:\documents and settings\Jay\DoctorWeb
2010-02-20 20:12 . 2010-02-20 20:13 -------- d-----w- c:\program files\SpeedFan
2010-02-20 17:51 . 2010-02-20 17:51 -------- d-----w- C:\games
2010-02-07 23:13 . 2010-02-08 07:35 -------- d-----w- c:\program files\DAEMON Tools Lite
2010-02-07 22:54 . 2005-10-03 00:05 356437 ----a-w- c:\windows\system32\GDS32.DLL
2010-02-07 22:54 . 2010-02-07 22:54 -------- d-----w- c:\program files\Firebird
2010-02-07 22:53 . 2010-02-07 22:56 -------- d-----w- c:\program files\FastCaisse
2010-02-07 13:51 . 2010-02-07 13:51 -------- d-----w- c:\program files\Maxis
2010-02-07 13:34 . 2010-02-07 13:34 -------- d-----w- c:\program files\Sega
2010-02-04 10:38 . 2010-02-04 10:38 50354 ----a-w- c:\documents and settings\Jay\Application Data\Facebook\uninstall.exe
2010-02-04 10:38 . 2010-02-04 10:38 -------- d-----w- c:\documents and settings\Jay\Application Data\Facebook
2010-02-03 23:17 . 2010-02-03 23:17 -------- d-----w- c:\program files\Adventure Game Studio 3.1.2 SP1
2010-02-03 22:52 . 2010-02-03 22:52 -------- d-----w- c:\documents and settings\Jay\Application Data\Unity
2010-02-03 22:52 . 2010-02-03 22:52 -------- d-----w- c:\documents and settings\Jay\Local Settings\Application Data\Unity
2010-02-03 22:50 . 2010-02-03 22:51 -------- d-----w- c:\documents and settings\Jay\Application Data\PACE Anti-Piracy
2010-02-03 22:50 . 2010-02-03 22:51 -------- d-----w- c:\documents and settings\All Users\Application Data\PACE Anti-Piracy
2010-02-03 22:50 . 2010-02-03 22:50 -------- d-----w- c:\program files\Fichiers communs\PACE Anti-Piracy
2010-02-03 22:50 . 2010-02-03 22:50 -------- d-----w- c:\documents and settings\Jay\Local Settings\Application Data\PACE Anti-Piracy
2010-02-03 22:43 . 2010-02-03 22:43 -------- d-----w- c:\program files\Unity
2010-02-03 22:24 . 2010-02-03 22:24 -------- d-----w- c:\program files\Game_Maker8
2010-02-03 22:23 . 2010-02-03 22:59 -------- d-----w- c:\documents and settings\Jay\.Game Develop
2010-02-03 22:22 . 2010-02-03 22:59 -------- d-----w- c:\program files\Compil Games
2010-02-01 22:04 . 2010-02-01 22:04 847040 ----a-w- c:\documents and settings\Jay\Application Data\Facebook\axfbootloader.dll
2010-02-01 22:04 . 2010-02-01 22:04 5578752 ----a-w- c:\documents and settings\Jay\Application Data\Facebook\npfbplugin_1_0_1.dll
2010-01-25 22:51 . 2010-01-25 22:51 -------- d-----w- c:\program files\GPLGS
2010-01-25 12:13 . 2010-01-25 12:13 -------- d-----w- c:\program files\EASEUS
2010-01-24 20:54 . 2010-01-24 20:54 -------- d-----w- c:\documents and settings\Jay\Application Data\WindSolutions

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-21 20:54 . 2006-08-11 17:43 95554 ----a-w- c:\windows\system32\perfc00C.dat
2010-02-21 20:54 . 2006-08-11 17:43 540272 ----a-w- c:\windows\system32\perfh00C.dat
2010-02-16 13:14 . 2008-06-30 10:16 -------- d-----w- c:\documents and settings\Jay\Application Data\FileZilla
2010-02-14 11:59 . 2006-12-13 19:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-02-07 23:21 . 2006-12-21 20:46 -------- d-----w- c:\documents and settings\Jay\Application Data\Azureus
2010-02-07 23:13 . 2007-12-30 12:27 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-02-07 23:13 . 2009-08-13 16:41 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2010-02-07 13:34 . 2006-08-11 17:53 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-22 22:48 . 2008-01-25 19:27 -------- d-----w- c:\documents and settings\Jay\Application Data\dvdcss
2010-01-22 17:30 . 2007-01-20 18:53 -------- d-----w- c:\documents and settings\Jay\Application Data\Nokia
2010-01-22 17:09 . 2007-01-20 18:47 -------- d-----w- c:\program files\Fichiers communs\PCSuite
2010-01-22 17:08 . 2008-04-03 20:08 -------- d-----w- c:\program files\Fichiers communs\Nokia
2010-01-22 17:08 . 2007-01-20 18:47 -------- d-----w- c:\program files\Nokia
2010-01-22 17:08 . 2007-04-20 07:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Installations
2010-01-22 17:08 . 2010-01-22 17:08 95232 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\pcswpcsi.exe
2010-01-22 17:08 . 2010-01-22 17:08 8192 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstCCD.exe
2010-01-22 17:08 . 2010-01-22 17:08 61440 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
2010-01-22 17:08 . 2010-01-22 17:08 10240 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Installer\CommonCustomActions\UninstPCS.exe
2010-01-22 14:54 . 2010-01-22 17:08 34503600 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{9249D7E7-33E7-4CC8-BB0B-3DF3C3CB2568}\Nokia_PC_Suite_7_1_40_1_fre_web.exe
2010-01-17 22:06 . 2010-01-17 22:06 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2010-01-17 22:02 . 2010-01-17 22:02 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-01-17 11:17 . 2010-01-17 11:17 -------- d-----w- c:\documents and settings\Jay\Application Data\Nokia Ovi Suite
2010-01-17 10:46 . 2010-01-17 10:46 -------- d-----w- c:\program files\PC Connectivity Solution
2010-01-17 10:45 . 2010-01-17 10:45 12212040 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\WMFDist11-WindowsXP-X86-ENU.exe
2010-01-17 10:45 . 2010-01-17 10:45 13930312 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\WMFDist11-WindowsXP-X64-ENU.exe
2010-01-17 10:45 . 2010-01-17 10:45 77824 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\Run_XML6_SP1.exe
2010-01-17 10:45 . 2010-01-17 10:45 61440 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\WMF11Runx86.exe
2010-01-17 10:45 . 2010-01-17 10:45 58880 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\WMF11Runx64.exe
2010-01-17 10:45 . 2010-01-17 10:45 50000 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\pcswpc.exe
2010-01-17 10:40 . 2010-01-17 10:40 -------- d-----w- c:\documents and settings\All Users\Application Data\OviInstallerCache
2010-01-17 10:40 . 2010-01-17 10:40 95992424 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Nokia_Ovi_Suite_webinstaller(2).exe
2010-01-15 10:03 . 2006-12-02 09:51 125200 -c--a-w- c:\documents and settings\Jay\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-15 02:34 . 2009-09-04 18:20 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-15 01:00 . 2010-01-15 01:00 -------- d-----w- c:\program files\CCleaner
2010-01-15 00:21 . 2007-06-11 20:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-14 23:53 . 2010-01-14 23:53 -------- d-----w- c:\program files\OO Software
2010-01-14 23:44 . 2009-08-11 14:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-01-14 23:35 . 2007-06-11 19:34 -------- d-----w- c:\program files\Fichiers communs\Wise Installation Wizard
2010-01-10 23:46 . 2010-01-10 23:46 312128 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-01-09 09:46 . 2008-01-09 18:52 -------- d-----w- c:\program files\Microsoft Works
2009-12-31 16:50 . 2005-05-10 00:17 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-25 20:32 . 2009-08-15 14:31 -------- d-----w- c:\program files\C.E.W
2009-12-21 19:07 . 2006-03-04 04:00 916480 ------w- c:\windows\system32\wininet.dll
2009-12-17 07:41 . 2004-08-10 20:00 347648 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:09 . 2004-08-10 20:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-09 10:08 . 2005-09-29 18:28 2147328 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-09 10:08 . 2005-09-29 18:28 2025984 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 2005-01-19 04:26 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:13 . 2005-08-30 04:16 1297920 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:13 . 2004-08-10 20:00 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 16:08 . 2004-08-10 20:00 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:08 . 2004-08-10 20:00 85504 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:08 . 2004-08-10 20:00 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:08 . 2004-08-10 20:00 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:08 . 2004-08-10 20:00 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-10-15 14:42 . 2009-10-15 14:42 14078 ----a-w- c:\program files\Fichiers communs\suvosa.dl
2009-10-15 14:42 . 2009-10-15 14:42 13260 ----a-w- c:\program files\Fichiers communs\kafako.com
2009-10-15 14:42 . 2009-10-15 14:42 10994 ----a-w- c:\program files\Fichiers communs\yjoseceqeq.dl
2008-08-25 20:00 . 2008-08-25 20:04 330 -c-h-tr- c:\program files\Journal de sauvegarde
2008-04-14 02:34 . 2009-02-24 19:57 60416 -csha-w- c:\windows\NiwradSoft Shell Pack\Backup\msimn.exe
2009-07-19 19:17 . 2009-07-19 19:17 88 --sh--r- c:\windows\system32\7A004F5EDB.sys
2008-01-21 15:56 . 2008-01-21 15:55 88 -csha-r- c:\windows\system32\F1BE1573B3.sys
2009-07-19 19:19 . 2008-01-21 15:50 2516 -csha-w- c:\windows\system32\KGyGaAvL.sys
.

------- Sigcheck -------

[-] 2008-04-14 . E2C2F42C096F1C3110F663C2EF90B815 . 1544704 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[7] 2008-04-14 . F2317622D29F9FF0F88AEECD5F60F0DD . 1037824 . . [6.00.2900.5512] . . c:\windows\NiwradSoft Shell Pack\Backup\explorer.exe
[-] 2008-04-14 . E2C2F42C096F1C3110F663C2EF90B815 . 1544704 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe
[-] 2007-06-13 . D0288319660EDCFED07C7E74C4EA38A5 . 1037312 . . [6.00.2900.3156] . . c:\windows\$NtServicePackUninstall$\explorer.exe
[-] 2007-06-13 . B795475444D6D57A572C14B9E1A29839 . 1037312 . . [6.00.2900.3156] . . c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
.
((((((((((((((((((((((((((((( SnapShot@2010-02-21_16.37.28 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-07-29 07:05 . 2008-07-29 07:05 62976 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90rus.dll
- 2008-07-29 06:05 . 2008-07-29 06:05 62976 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90rus.dll
+ 2008-07-29 07:05 . 2008-07-29 07:05 46080 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90kor.dll
- 2008-07-29 06:05 . 2008-07-29 06:05 46080 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90kor.dll
- 2008-07-29 06:05 . 2008-07-29 06:05 46592 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90jpn.dll
+ 2008-07-29 07:05 . 2008-07-29 07:05 46592 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90jpn.dll
- 2008-07-29 06:05 . 2008-07-29 06:05 64512 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90ita.dll
+ 2008-07-29 07:05 . 2008-07-29 07:05 64512 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90ita.dll
+ 2008-07-29 07:05 . 2008-07-29 07:05 66048 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90fra.dll
- 2008-07-29 06:05 . 2008-07-29 06:05 66048 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90fra.dll
- 2008-07-29 06:05 . 2008-07-29 06:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esp.dll
+ 2008-07-29 07:05 . 2008-07-29 07:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esp.dll
- 2008-07-29 06:05 . 2008-07-29 06:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esn.dll
+ 2008-07-29 07:05 . 2008-07-29 07:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esn.dll
+ 2008-07-29 07:05 . 2008-07-29 07:05 56832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90enu.dll
- 2008-07-29 06:05 . 2008-07-29 06:05 56832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90enu.dll
- 2008-07-29 06:05 . 2008-07-29 06:05 66560 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90deu.dll
+ 2008-07-29 07:05 . 2008-07-29 07:05 66560 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90deu.dll
+ 2008-07-29 07:05 . 2008-07-29 07:05 39936 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90cht.dll
- 2008-07-29 06:05 . 2008-07-29 06:05 39936 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90cht.dll
- 2008-07-29 06:05 . 2008-07-29 06:05 38912 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90chs.dll
+ 2008-07-29 07:05 . 2008-07-29 07:05 38912 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90chs.dll
- 2008-07-29 04:07 . 2008-07-29 04:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90u.dll
+ 2008-07-29 05:07 . 2008-07-29 05:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90u.dll
- 2008-07-29 04:07 . 2008-07-29 04:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90.dll
+ 2008-07-29 05:07 . 2008-07-29 05:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90.dll
+ 2010-02-21 20:52 . 2010-02-21 20:52 16384 c:\windows\temp\Perflib_Perfdata_594.dat
+ 2010-02-21 20:52 . 2010-02-21 20:52 16384 c:\windows\temp\Perflib_Perfdata_244.dat
- 2006-08-11 17:43 . 2010-01-22 14:16 72760 c:\windows\system32\perfc009.dat
+ 2006-08-11 17:43 . 2010-02-21 20:54 72760 c:\windows\system32\perfc009.dat
+ 2007-07-31 18:40 . 2009-05-11 08:11 28520 c:\windows\system32\drivers\ssmdrv.sys
+ 2008-07-29 07:05 . 2008-07-29 07:05 655872 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcr90.dll
- 2008-07-29 06:05 . 2008-07-29 06:05 655872 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcr90.dll
+ 2008-07-29 07:05 . 2008-07-29 07:05 572928 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcp90.dll
- 2008-07-29 06:05 . 2008-07-29 06:05 572928 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcp90.dll
+ 2008-07-29 02:54 . 2008-07-29 02:54 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcm90.dll
- 2008-07-29 01:54 . 2008-07-29 01:54 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcm90.dll
+ 2008-07-29 07:05 . 2008-07-29 07:05 161784 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_d01483b2\atl90.dll
- 2008-07-29 06:05 . 2008-07-29 06:05 161784 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_d01483b2\atl90.dll
+ 2006-08-11 17:43 . 2010-02-21 20:54 448040 c:\windows\system32\perfh009.dat
- 2006-08-11 17:43 . 2010-01-22 14:16 448040 c:\windows\system32\perfh009.dat
+ 2007-08-25 15:38 . 2010-02-21 20:54 170657 c:\windows\system32\inetsrv\MetaBase.bin
+ 2008-07-29 07:05 . 2008-07-29 07:05 3783672 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90u.dll
- 2008-07-29 06:05 . 2008-07-29 06:05 3783672 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90u.dll
- 2008-07-29 06:05 . 2008-07-29 06:05 3768312 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90.dll
+ 2008-07-29 07:05 . 2008-07-29 07:05 3768312 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90.dll
.
((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2009-11-11 1451520]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-01 16208384]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-10 13758464]
"nwiz"="nwiz.exe" [2009-06-10 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-06-10 86016]
"OODefragTray"="c:\windows\system32\oodtray.exe" [2007-05-11 2512392]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\FICHIE~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMServer]
c:\program files\Fichiers communs\Nokia\MPlatform\NokiaMServer [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2008-08-14 05:58 611712 ----a-w- c:\program files\Fichiers communs\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
2006-06-26 20:45 1211176 ----a-w- c:\program files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-02-16 15:15 221184 ----a-w- c:\progra~1\FICHIE~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 02:34 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2009-07-26 15:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-07-19 18:53 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Lavasoft Ad-Aware Service"=2 (0x2)
"FirebirdServerDefaultInstance"=3 (0x3)
"FirebirdGuardianDefaultInstance"=2 (0x2)
"ProtexisLicensing"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
"IMEKRMIG6.1"=c:\windows\ime\imkr6_1\IMEKRMIG.EXE
"MSPY2002"=c:\windows\system32\IME\PINTLGNT\ImScInst.exe /SYNC
"nwiz"=nwiz.exe /install
"ehTray"=c:\windows\ehome\ehtray.exe
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"ISUSPM Startup"=c:\progra~1\FICHIE~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
"ISUSScheduler"="c:\program files\Fichiers communs\InstallShield\UpdateService\issch.exe" -start
"_BackupService"="c:\program files\Astase\UltraBackup\4.9\bin\tbs.exe" -start
"thnotify"="c:\program files\Astase\UltraBackup\4.9\bin\thtrayagent.exe" /start

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Java\\jre1.6.0_01\\launch4j-tmp\\RKMediaCenter.exe"=
"c:\\Program Files\\FileZilla FTP Client\\filezilla.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Fichiers communs\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\C.E.W\\OpenLieroX.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\EasyPHP 3.0\\mysql\\bin\\mysqld.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Vuze\\Azureus.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3246:TCP"= 3246:TCP:Services
"2479:TCP"= 2479:TCP:Services
"6114:TCP"= 6114:TCP:Services

R1 hwinterface;hwinterface;c:\windows\system32\drivers\hwinterface.sys [31/03/2007 21:37 2996]
R2 AntiVirSchedulerService;Avira AntiVir Planificateur;c:\program files\Avira\AntiVir Desktop\sched.exe [21/02/2010 20:34 108289]
R2 ThalliumServer;Astase ThalliumBackup Storage Service;c:\program files\Astase\UltraBackup\4.9\bin\tbsd.exe [14/10/2007 11:31 1929728]
R2 thpassivesvc;Astase ThalliumBackup Client Background Service;c:\program files\Astase\UltraBackup\4.9\bin\thpassiveclientsvc.exe [14/10/2007 11:31 618496]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [30/12/2007 13:27 691696]
S1 jdlgmfib;jdlgmfib;\??\c:\windows\system32\drivers\jdlgmfib.sys --> c:\windows\system32\drivers\jdlgmfib.sys [?]
S2 AdobeAdobeAlerter;Adobe LM Service AdobeAdobeAlerter;c:\windows\TEMP\evbupehsdi.exe service --> c:\windows\TEMP\evbupehsdi.exe service [?]
S2 cmjwu;cmjwu;\??\c:\windows\system32\drivers\miayk.sys --> c:\windows\system32\drivers\miayk.sys [?]
S2 gupdate1c98986541bab5f;Google Update Service (gupdate1c98986541bab5f);c:\program files\Google\Update\GoogleUpdate.exe [08/02/2009 01:43 133104]
S2 ibkqqmi;ibkqqmi;\??\c:\windows\system32\drivers\cdmumqhiyj.sys --> c:\windows\system32\drivers\cdmumqhiyj.sys [?]
S3 BTCAMDRV;Mobiola Web Camera driver;c:\windows\system32\drivers\BTCamDrv.sys [24/02/2007 22:44 228352]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\11.tmp --> c:\windows\system32\11.tmp [?]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [17/01/2010 11:46 136704]
S3 sfr0901;SFR Connexion Adapter V9;c:\windows\system32\drivers\sfr0901.sys [24/02/2008 20:54 26496]
S4 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\program files\Firebird\Firebird_1_5\bin\fbguard.exe -s --> c:\program files\Firebird\Firebird_1_5\bin\fbguard.exe -s [?]
S4 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program files\Firebird\Firebird_1_5\bin\fbserver.exe -s --> c:\program files\Firebird\Firebird_1_5\bin\fbserver.exe -s [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contenu du dossier 'Tâches planifiées'

2010-02-21 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-06-20 07:09]

2010-02-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-08 00:43]

2010-02-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-08 00:43]

2010-02-21 c:\windows\Tasks\User_Feed_Synchronization-{7FFA8037-D4E6-4E0A-940E-DACBF666952F}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 02:31]
.
.
------- Examen supplémentaire -------
.
uStart Page = hxxp://news.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://fr.fr.acer.yahoo.com/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
Trusted Zone: localhost
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {051D0E35-F4E3-4C8D-B411-AB0875F4C683} - hxxp://install.anark.com/client/version4/windows-ie/en/AMClient.cab
DPF: {210D0CBC-8B17-48D1-B294-1A338DD2EB3A} - hxxp://82.127.76.211:91/VatDec.cab
FF - ProfilePath - c:\documents and settings\Jay\Application Data\Mozilla\Firefox\Profiles\xvu7etdj.default\
FF - prefs.js: browser.startup.homepage - hxxp://news.google.fr/
FF - component: c:\program files\Nokia\Nokia PC Suite 7\bkmrksync\components\BkMrkExt.dll
FF - plugin: c:\documents and settings\Jay\Application Data\Facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- PARAMETRES FIREFOX ----
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-21 22:11
Windows 5.1.2600 Service Pack 3 NTFS

Recherche de processus cachés ...

Recherche d'éléments en démarrage automatique cachés ...

Recherche de fichiers cachés ...

Scan terminé avec succès
Fichiers cachés: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\11.tmp"
.
--------------------- CLES DE REGISTRE BLOQUEES ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:d0,1b,23,d0,cf,b9,03,0e,20,c2,d5,1d,7b,e4,a0,c1,fc,1e,30,d4,f4,
4c,04,1f,08,6c,4c,17,a9,24,a7,89,05,d2,9f,92,e5,51,d4,bc,ff,e7,e0,0b,60,98,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:d0,1b,23,d0,cf,b9,03,0e,20,c2,d5,1d,7b,e4,a0,c1,fc,1e,30,d4,f4,
4c,04,1f,08,6c,4c,17,a9,24,a7,89,05,d2,9f,92,e5,51,d4,bc,ff,e7,e0,0b,60,98,\
.
--------------------- DLLs chargées dans les processus actifs ---------------------

- - - - - - - > 'winlogon.exe'(768)
c:\windows\system32\SETUPAPI.dll

- - - - - - - > 'lsass.exe'(824)
c:\windows\system32\setupapi.dll

- - - - - - - > 'explorer.exe'(1792)
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\fr-fr\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\fr-fr\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\NETSHELL.dll
c:\windows\system32\credui.dll
c:\windows\system32\eappprxy.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Heure de fin: 2010-02-21 22:15:32
ComboFix-quarantined-files.txt 2010-02-21 21:15
ComboFix2.txt 2010-02-21 16:40

Avant-CF: 81 007 484 928 octets libres
Après-CF: 81 017 688 064 octets libres

Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - E38A498E26C19377EEDE5CB09299CD1A
0
Utilisateur anonyme
12 March 2010 at 14:14
hello, what did you do to get it back to normal?
0