DR GUARD SUPRESSION RAPPORT

Bonjour,
VOICI LES RAPPORTS DE SUPPRESSION DE DR GUARD
List'em by g3n-h@ckm@n 1.3.2.0

User : aziz (Administrators)
Update on 09/03/2010 by g3n-h@ckm@n ::::: 05.30
Start at: 15:37:03 | 10/03/2010
Contact : https://forums.commentcamarche.net/forum/virus-securite-7

AMD Athlon(tm) 64 Processor 3000+
Microsoft Windows 7 Ultimate (6.1.7600 64-bit) #
Internet Explorer 8.0.7600.16385
Windows Firewall Status : Enabled
AV : Dr. Guard 1.0 [ Enabled | (!) Outdated ]
AV : Kaspersky Internet Security 7.0.0.119 [ (!) Disabled | Updated ]
FW : Kaspersky Internet Security[ (!) Disabled ]7.0.0.119

C:\ -> Local Fixed Disk | 143,03 Go (36,71 Go free) [HDD] | NTFS
D:\ -> CD-ROM Disc
E:\ -> Removable Disk
F:\ -> Removable Disk
G:\ -> Removable Disk
H:\ -> Removable Disk
K:\ -> Local Fixed Disk | 596,02 Go (484,82 Go free) [Elements] | FAT32

Boot: Normal

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Processes running

C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\List_Kill'em\List_Kill'em.exe
C:\Windows\SysWOW64\cmd.exe
C:\Program Files (x86)\List_Kill'em\FxEx.scr
C:\Windows\SysWOW64\cmd.exe
C:\Program Files (x86)\List_Kill'em\pv.exe

======================
Keys "Run"
======================
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
msnmsgr REG_SZ "C:\program files (x86)\windows live\messenger\msnmsgr .exe" /background
uTorrent REG_SZ "C:\Users\aziz\Downloads\utorrent(2).exe"
OfficeSyncProcess REG_SZ "C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE"
SpybotSD TeaTimer REG_SZ C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
avast5 REG_SZ "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
AVP REG_SZ "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]

=====================
Other Keys
=====================
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
ConsentPromptBehaviorAdmin REG_DWORD 5 (0x5)
ConsentPromptBehaviorUser REG_DWORD 3 (0x3)
EnableInstallerDetection REG_DWORD 1 (0x1)
EnableLUA REG_DWORD 1 (0x1)
EnableSecureUIAPaths REG_DWORD 1 (0x1)
EnableUIADesktopToggle REG_DWORD 0 (0x0)
EnableVirtualization REG_DWORD 1 (0x1)
PromptOnSecureDesktop REG_DWORD 1 (0x1)
ValidateAdminCodeSignatures REG_DWORD 0 (0x0)
dontdisplaylastusername REG_DWORD 0 (0x0)
legalnoticecaption REG_SZ
legalnoticetext REG_SZ
scforceoption REG_DWORD 0 (0x0)
shutdownwithoutlogon REG_DWORD 1 (0x1)
undockwithoutlogon REG_DWORD 1 (0x1)
FilterAdministratorToken REG_DWORD 0 (0x0)
DisableTaskMgr REG_DWORD 0 (0x0)

===============
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]

===============
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
NoActiveDesktop REG_DWORD 1 (0x1)
ForceActiveDesktopOn REG_DWORD 0 (0x0)
NoActiveDesktopChanges REG_DWORD 0 (0x0)

===============
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLS REG_SZ app_dll.dll,C:\PROGRA~2\KASPER~1\KASPER~1.0\r3hook.dll,C:\PROGRA~2\KASPER~1\KASPER~1.0\adialhk.dll

===============
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
ReportBootOk REG_SZ 1
Shell REG_SZ explorer.exe
PreCreateKnownFolders REG_SZ {A520A1A4-1780-4FF6-BD18-167343C5AF16}
DefaultDomainName REG_SZ
DefaultUserName REG_SZ
Userinit REG_SZ C:\Windows\system32\userinit.exe,
VMApplet REG_SZ SystemPropertiesPerformance.exe /pagefile

===============

===============
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
{B5A7F190-DDA6-4420-B3BA-52453494E6CD} REG_SZ Groove GFS Stub Execution Hook

===============
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

===============
ActivX controls
===============
[HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{8AD9C840-044E-11D1-B3E9-00805F499D93}]
[HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA}]
[HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{D27CDB6E-AE6D-11CF-96B8-444553540000}]

===============
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{26923b43-4d38-484f-9b9e-de460746276c}]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{3af36230-a269-11d1-b5bf-0000f8051515}]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F}]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{45ea75a0-a269-11d1-b5bf-0000f8051515}]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{4f645220-306d-11d2-995d-00c04f98bbc9}]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{630b1da0-b465-11d1-9948-00c04f98bbc9}]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9}]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7C028AF8-F614-47B3-82DA-BA94E41B1089}]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9381D8F2-0288-11D0-9501-00AA00B911A5}]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{C9E9A340-D1F1-11D0-821E-444553540600}]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D27CDB6E-AE6D-11CF-96B8-444553540000}]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9}]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{E92B03AB-B707-11d2-9CBD-0000F87A369E}]

==============
BHO :
======
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{53707962-6F74-2D53-2644-206D7942484F}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{6EBF7485-159F-4bff-A14F-B9E3AAC4465B}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{E15A8DC0-8516-42A1-81EA-DC94EC1ACF10}]

===
DNS
===

HKLM\SYSTEM\CCS\Services\Tcpip\..\{C911677C-65C2-47C4-A883-06B8E6C22275}: DhcpNameServer=212.27.40.240 212.27.40.241
HKLM\SYSTEM\CS1\Services\Tcpip\..\{C911677C-65C2-47C4-A883-06B8E6C22275}: DhcpNameServer=212.27.40.240 212.27.40.241
HKLM\SYSTEM\CS2\Services\Tcpip\..\{C911677C-65C2-47C4-A883-06B8E6C22275}: DhcpNameServer=212.27.40.240 212.27.40.241
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=212.27.40.240 212.27.40.241
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=212.27.40.240 212.27.40.241
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=212.27.40.240 212.27.40.241

================
Internet Explorer :
================
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
Start Page REG_SZ https://www.msn.com/fr-fr/?ocid=iehp

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
Start Page REG_SZ http://www.durable.com/recherche

========
Services
========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services]

Ndisuio : 0x3 ( OK = 3 )
EapHost : 0x3 ( OK = 2 )
Wlansvc : 0x3 ( OK = 2 )
SharedAccess : 0x4 ( OK = 2 )
windefend : 0x2 ( OK = 2 )
wuauserv : 0x2 ( OK = 2 )
wscsvc : 0x4 ( OK = 2 )

=========
Atapi.sys
=========

%%%% HASHDEEP-1.0
%%%% size,md5,sha256,filename
## Invoked from: C:\Program Files (x86)\List_Kill'em
## C:\> hashdeep.exe C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_neutral_a69a58a4286f0b22\atapi.sys
##
24128,02062c0b390b7729edc9e69c680a6f3c,0261683c6dc2706dce491a1cdc954ac9c9e649376ec30760bb4e225e18dc5273,C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_neutral_a69a58a4286f0b22\atapi.sys
%%%% HASHDEEP-1.0
%%%% size,md5,sha256,filename
## Invoked from: C:\Program Files (x86)\List_Kill'em
## C:\> hashdeep.exe C:\Windows\winsxs\amd64_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_392d19c13b3ad543\atapi.sys
##
24128,02062c0b390b7729edc9e69c680a6f3c,0261683c6dc2706dce491a1cdc954ac9c9e649376ec30760bb4e225e18dc5273,C:\Windows\winsxs\amd64_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_392d19c13b3ad543\atapi.sys
%%%% HASHDEEP-1.0
%%%% size,md5,sha256,filename
## Invoked from: C:\Program Files (x86)\List_Kill'em
## C:\> hashdeep.exe C:\Windows.old\Windows\$NtServicePackUninstall$\atapi.sys
##
95360,cdfe4411a69c224bd1d11b2da92dac51,0e6b23a80f171550575bebc56f7500cd87a5cf03b2b9fdc49bc3de96282cd69d,C:\Windows.old\Windows\$NtServicePackUninstall$\atapi.sys
%%%% HASHDEEP-1.0
%%%% size,md5,sha256,filename
## Invoked from: C:\Program Files (x86)\List_Kill'em
## C:\> hashdeep.exe C:\Windows.old\Windows\ServicePackFiles\i386\atapi.sys
##
96512,9f3a2f5aa6875c72bf062c712cfa2674,b4df1d2c56a593c6b54de57395e3b51d288f547842893b32b0f59228a0cf70b9,C:\Windows.old\Windows\ServicePackFiles\i386\atapi.sys
%%%% HASHDEEP-1.0
%%%% size,md5,sha256,filename
## Invoked from: C:\Program Files (x86)\List_Kill'em
## C:\> hashdeep.exe C:\Windows.old\Windows\system32\drivers\atapi.sys
##
96512,9f3a2f5aa6875c72bf062c712cfa2674,b4df1d2c56a593c6b54de57395e3b51d288f547842893b32b0f59228a0cf70b9,C:\Windows.old\Windows\system32\drivers\atapi.sys

Référence :
==========

Win 2000_SP2 : ff953a8f08ca3f822127654375786bbe
Win XP_32b : a64013e98426e1877cb653685c5c0009
Win XP_SP2_32b : CDFE4411A69C224BD1D11B2DA92DAC51
Win XP_SP3_32b : 9F3A2F5AA6875C72BF062C712CFA2674
Vista_32b : e03e8c99d15d0381e02743c36afc7c6f
Vista_SP1_32b : 2d9c903dc76a66813d350a562de40ed9
Vista_SP2_32b : 1F05B78AB91C9075565A9D8A4B880BC4
Vista_SP2_64b : 1898FAE8E07D97F2F6C2D5326C633FAC
Windows 7_32b : 80C40F7FDFC376E4C5FEEC28B41C119E
Windows 7_64b : 02062C0B390B7729EDC9E69C680A6F3C

=======
Drive :
=======

¤¤¤¤¤¤¤¤¤¤ Files/folders :

Present !! : C:\Windows\Tasks\At1.job
Present !! : C:\Windows\Tasks\At2.job
Present !! : C:\Windows\Tasks\At3.job
Present !! : C:\Windows\Tasks\At4.job
Present !! : C:\Windows\Tasks\At5.job
Present !! : C:\Windows\Tasks\At6.job
Present !! : C:\Windows\Tasks\At7.job
Present !! : C:\Windows\Tasks\At8.job
Present !! : C:\Windows\Tasks\At9.job
Present !! : C:\Windows\Tasks\At1.job
Present !! : C:\Windows\Tasks\At10.job
Present !! : C:\Windows\Tasks\At11.job
Present !! : C:\Windows\Tasks\At12.job
Present !! : C:\Windows\Tasks\At13.job
Present !! : C:\Windows\Tasks\At14.job
Present !! : C:\Windows\Tasks\At15.job
Present !! : C:\Windows\Tasks\At16.job
Present !! : C:\Windows\Tasks\At17.job
Present !! : C:\Windows\Tasks\At18.job
Present !! : C:\Windows\Tasks\At19.job
Present !! : C:\Windows\Tasks\At2.job
Present !! : C:\Windows\Tasks\At20.job
Present !! : C:\Windows\Tasks\At21.job
Present !! : C:\Windows\Tasks\At22.job
Present !! : C:\Windows\Tasks\At23.job
Present !! : C:\Windows\Tasks\At24.job
Present !! : C:\Windows\Tasks\At3.job
Present !! : C:\Windows\Tasks\At4.job
Present !! : C:\Windows\Tasks\At5.job
Present !! : C:\Windows\Tasks\At6.job
Present !! : C:\Windows\Tasks\At7.job
Present !! : C:\Windows\Tasks\At8.job
Present !! : C:\Windows\Tasks\At9.job
Present !! : C:\Users\aziz\Local Settings\Temp\b.dat
Present !! : C:\Users\aziz\Local Settings\Temp\drg.dat
Present !! : C:\Users\aziz\LOCAL Settings\Temp\lsnfier.exe
Present !! : C:\Users\aziz\LOCAL Settings\Temp\b.dat
Present !! : C:\Users\aziz\LOCAL Settings\Temp\drg.dat
Present !! : C:\Users\aziz\LOCAL Settings\Temp\drgr.dat

¤¤¤¤¤¤¤¤¤¤ Keys :

Present !! : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges
Present !! : HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools
Present !! : HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
Present !! : "HKCU\SOFTWARE\Dr. Guard"
Present !! : HKCR\OutlookAddin.Addin
Present !! : HKCR\OutlookAddin.Addin.1
Present !! : HKLM\SOFTWARE\Microsoft\Office\Outlook\Addins\OutlookAddin.Addin

============

driver loading error catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-10 15:55:51
Windows 6.1.7600 WOW64 FAT NTAPI

detected NTDLL code modification:
ZwEnumerateKey 0 != 47, ZwQueryKey 0 != 19, ZwOpenKey 0 != 15, ZwClose 0 != 12, ZwEnumerateValueKey 0 != 16, ZwQueryValueKey 0 != 20, ZwOpenFile 0 != 48, ZwQueryDirectoryFile 0 != 50, ZwQuerySystemInformation 0 != 51Initialization error

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: error reading MBR

¤¤¤¤¤¤¤¤¤¤ Cracks | Keygens | Serials

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤( EOF )¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

End of scan : 16:00:14,39