Virus de pop ups.

Question

Bonjour, j'ai été asser stupide pour télécharger un fichier pas très safe.. et maintenant je recois des pop ups sans arrêt.. je ne suis pas super bonne avec les ordinateurs.. et en ce moment je suis en train de scanner mon ordi avec Avast... mais de ce que j'ai lu.. ca sert à rien avec ce virus... quelqu'un s'aurait-il comment s'en débarasser?  
J'utilise Mozilla Firefox...Windows XP...

dédétraqué · Answer

Salut mia928


Arrête le scan d'Avast

On va vérifier cela, télécharge RSIT (de random/random) sur le bureau ici :
http://images.malwareremoval.com/random/RSIT.exe

- Double clique sur RSIT.exe qui est sur le bureau
- Clique sur Continue dans la fenêtre
- RSIT téléchargera HijackThis si il n'est pas présent où détecté, alors il faudra accepter la licence
- Poste le contenue des deux rapports, log.txt et info.txt(réduit dans la barre des tâches) à la fin de l'analyse

Utilise cjoint.com pour poster en lien tes rapports :
https://www.cjoint.com/

- Clique sur Parcourir pour aller chercher le rapport C:\rsit\log.txt
- Clique sur Ouvrir ensuite sur Créer le lien Cjoint

- Fais un copier/coller du lien qui est devant Le lien a été créé: dans ta prochaine réponse.

Et fais la même chose avec l'autre rapport C:\rsit\info.txt


@++  :)

mia928 · Answer

Salut dédétraqué, merci de ton aide!
J'ai suivie tes étapes et voice les rapports:

Log: https://www.cjoint.com/?etcaE8qKtd
Info: https://www.cjoint.com/?etcaZNDi4u

dédétraqué · Answer

Salut mia928


On va avoir beaucoup de boulot, on commence :

Télécharge et installe UsbFix par El Desaparecido , C_XX & Chimay8
http://pagesperso-orange.fr/NosTools/Chiquitine29/UsbFix.exe

(!) Branche tes sources de données externes à ton PC, (clé USB, disque dur externe, etc...) susceptible d'avoir été infectées sans les ouvrir.

* Double clic sur le raccourci UsbFix présent sur ton bureau .

* Au menu principal choisis l'option " F " pour français et tape sur [entrée] .

* Au second menu Choisis l'option " 1 " (recherche) et tape sur [entrée]

* Laisse travailler l'outil.

* Ensuite poste le rapport UsbFix.txt qui apparaitra.

Note : Le rapport UsbFix.txt est sauvegardé a la racine du disque. ( C:\UsbFix.txt )

( CTRL+A Pour tout selectionner , CTRL+C pour copier et CTRL+V pour coller )

Note2 : "Process.exe", une composante de l'outil, est détecté par certains antivirus (AntiVir, Dr.Web, Kaspersky Anti-Virus) comme étant un RiskTool.
Il ne s'agit pas d'un virus, mais d'un utilitaire destiné à mettre fin à des processus.
Mis entre de mauvaises mains, cet utilitaire pourrait arrêter des logiciels de sécurité (Antivirus, Firewall...) d'où l'alerte émise par ces antivirus.


* Tuto : http://pagesperso-orange.fr/NosTools/usbfix.html 


@++  :)

mia928 · Answer

Salut dédétraqué.

Voici le rapport: https://www.cjoint.com/?etcxsoT2Ij

Autre que ma webcam.. je n'avais rien d'autre de pluggé dans mon ordi.. mais j'ai pluggé ma clé USB au cas ou?

Merci encore. :)

dédétraqué · Answer

Salut mia928 


(!) Branche tes sources de données externes à ton PC, (clé USB, disque dur externe, caméra, Carte SD, etc...) susceptible d avoir été infectés sans les ouvrir

* Double clic sur le raccourci UsbFix présent sur ton bureau

* Au menu principal choisis l'option " F " pour français et tape sur [entrée] .

* Au second menu Choisis l'option " 2 " ( Suppression ) et tape sur [entrée]

* Ton bureau disparaîtra et le pc redémarrera.

* Au redémarrage, UsbFix scannera ton PC, laisse travailler l'outil.

* Ensuite poste le rapport UsbFix.txt qui apparaîtra avec le bureau.

* Note : Le rapport UsbFix.txt est sauvegardé a la racine du disque.( C:\UsbFix.txt )

( CTRL+A Pour tout sélectionner , CTRL+C pour copier et CTRL+V pour coller ) 


-----


Faire un scan de ce fichier Jrupya.exe ici :

https://www.virustotal.com/gui/


Clique sur Parcourir et copie/colle ceci :
C:\WINDOWS\Jrupya.exe
Après tu clique sur Envoyer le fichier et attendre le résultat de l'analyse.

Si il te dit que le fichier a déjà été analysé, sélectionne le bouton :
Reanalyse le fichier maintenant et attendre le résultat de l'analyse, poste le résultat au complet.

Poste le résultat au complet

Aide : http://bibou0007.com/scans-en-ligne-f75/tutorial-sur-virustotal-t190.htm


@++   :)

mia928 · Answer

Salut dédétraqué Voici le rapport de UsbFix: ############################## | UsbFix V6.105 | User : Zamboni (Administrateurs) # UTILISAT-3CF45A Update on 17/04/2010 by El Desaparecido , C_XX & Chimay8 Start at: 21:49:18 | 2010-04-18 Website : http://pagesperso-orange.fr/NosTools/index.html Contact : FindyKill.Contact@gmail.com Intel(R) Core(TM)2 Duo CPU E4600 @ 2.40GHz Microsoft Windows XP Édition familiale (5.1.2600 32-bit) # Service Pack 3 Internet Explorer 7.0.5730.13 Windows Firewall Status : Enabled AV : avast! antivirus 4.8.1296 [VPS 090807-0] 4.8.1296 [ Enabled | (!) Outdated ] A:\ -> Lecteur de disquettes 3 ½ pouces C:\ -> Disque fixe local # 232.88 Go (63.07 Go free) # NTFS D:\ -> Disque CD-ROM # 641.38 Mo (0 Mo free) [SC4DELUXE2] # CDFS E:\ -> Disque amovible # 982.72 Mo (291.5 Mo free) [ZAMBONI!!!] # FAT ################## | Elements infectieux | Supprimé ! C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job Supprimé ! C:\WINDOWS\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job Supprimé ! C:\DOCUME~1\Zamboni\LOCALS~1\Temp\a.dat Supprimé ! C:\DOCUME~1\Zamboni\LOCALS~1\Temp\Jxp.exe Supprimé ! C:\DOCUME~1\Zamboni\LOCALS~1\Temp\Jxq.exe Supprimé ! C:\DOCUME~1\Zamboni\LOCALS~1\Temp\AutoRun.exe Supprimé ! C:\Recycler\S-1-5-21-117609710-838170752-839522115-1004 Supprimé ! C:\Recycler\S-1-5-21-117609710-838170752-839522115-1007 Supprimé ! C:\Recycler\S-1-5-21-117609710-838170752-839522115-1008 (!) Non supprimé ! D:\autorun.inf ################## | Registre | Supprimé ! [HKCU\SOFTWARE\XML] Supprimé ! [HKCU\SOFTWARE\YVIBBBHA8C] Supprimé ! [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "YVIBBBHA8C" ################## | Mountpoints2 | Supprimé ! HKCU\...\Explorer\MountPoints2\{e257465e-8034-11de-bc89-001d6030997d}\Shell\AutoRun\Command ################## | Listing des fichiers présent | [2008-07-03 02:49|--a------|0] C:\AUTOEXEC.BAT [2009-08-17 09:30|-rahs----|217] C:\boot.ini [2006-03-02 09:00|-rahs----|4952] C:\Bootfont.bin [2009-01-04 02:34|--a------|4630] C:\cmd.txt [2008-07-03 02:49|--a------|0] C:\CONFIG.SYS [2008-07-03 02:49|-rahs----|0] C:\IO.SYS [2008-08-02 09:46|--a------|3553] C:\logfile [2008-07-03 02:49|-rahs----|0] C:\MSDOS.SYS [2006-03-02 09:00|-rahs----|47564] C:\NTDETECT.COM [2008-10-17 15:05|-rahs----|252240] C: tldr [?|?|?] C:\pagefile.sys [2010-02-08 20:37|--a------|445] C:\Sys_LogWin.log [2010-04-18 21:58|--a--c---|2420] C:\UsbFix.txt [2003-08-27 05:01|-r-------|153718] D:\00000000.016 [2003-08-27 05:01|-r-------|308280] D:\00000000.256 [2003-08-27 05:01|-r-------|2048] D:\00000001.TMP [2003-08-27 05:01|-r-------|317440] D:\00000002.TMP [2003-08-27 05:01|-r-------|41472] D:\DRVMGT.DLL [2003-08-27 05:12|-r-------|61030094] D:\EP1.dat [2003-08-25 08:03|-r-------|19976] D:\Graphics Rules.sgr [2003-08-25 08:04|-r-------|18351823] D:\Intro.dat [2003-08-27 05:47|-r-------|147456] D:\RunGame.exe [2003-07-12 21:31|-r-------|10134] D:\SC4.ico [2003-08-27 05:01|-r-------|12400] D:\SECDRV.SYS [2003-08-27 05:12|-r-------|144548065] D:\SimCity_1.dat [2003-08-27 05:12|-r-------|169267053] D:\SimCity_2.dat [2003-08-27 05:12|-r-------|115072687] D:\SimCity_3.dat [2003-08-27 05:12|-r-------|122372241] D:\Sound.dat [2003-08-25 08:10|-r-------|10420] D:\Video Cards.sgr [2003-08-27 05:47|-r-------|59] D:\autorun.inf [2010-01-18 14:34|--ah-----|165] E:\~$la Karianne diapo.pptx [2010-01-09 18:08|--a------|27136] E:\Secte 51.doc [2008-10-19 10:05|---------|1846094] E:\01 The End.wma [2008-10-19 10:05|--a------|4499788] E:\09 Mama (Guest Vocal).wma [2008-10-19 10:05|--a------|3848372] E:\06 I Don't Love You.wma [2008-10-19 10:05|---------|2611326] E:\11 Teenagers.wma [2008-09-16 10:51|---------|4828438] E:\13 Famous Last Words.wma [2008-10-19 10:05|---------|3161110] E:\02 Dead!.wma [2009-04-01 21:06|--a------|980992] E:\Le massacre des animaux en Chine.ppt [2009-04-15 11:13|--a------|6543360] E: abarnac de colllis kel sorte de kesions c sa!!!.ppt [2010-01-18 22:45|--a------|4392960] E:\Londre.ppt [2009-06-12 12:17|--a------|666624] E:\Mes financements.doc ################## | Vaccination | # C:\autorun.inf -> Dossier créé par UsbFix (El Desaparecido). # E:\autorun.inf -> Dossier créé par UsbFix (El Desaparecido). ################## | Upload | Veuillez envoyer le fichier : C:\UsbFix_Upload_Me_UTILISAT-3CF45A.zip : https://www.ionos.fr/?affiliate_id=77097 Merci pour votre contribution . ################## | ! Fin du rapport # UsbFix V6.105 ! | Voici le résultat de Virus Total : Antivirus Version Dernière mise à jour Résultat a-squared 4.5.0.50 2010.04.19 - AhnLab-V3 5.0.0.2 2010.04.18 - AntiVir 7.10.6.116 2010.04.18 - Antiy-AVL 2.0.3.7 2010.04.16 - Authentium 5.2.0.5 2010.04.16 W32/FakeAlert.FT.gen!Eldorado Avast 4.8.1351.0 2010.04.18 - Avast5 5.0.332.0 2010.04.18 - AVG 9.0.0.787 2010.04.18 - BitDefender 7.2 2010.04.19 - CAT-QuickHeal 10.00 2010.04.17 - ClamAV 0.96.0.3-git 2010.04.18 - Comodo 4641 2010.04.19 Heur.Packed.Unknown DrWeb 5.0.2.03300 2010.04.19 - eSafe 7.0.17.0 2010.04.18 - eTrust-Vet 35.2.7433 2010.04.18 - F-Prot 4.5.1.85 2010.04.18 W32/FakeAlert.FT.gen!Eldorado F-Secure 9.0.15370.0 2010.04.19 - Fortinet 4.0.14.0 2010.04.18 - GData 19 2010.04.19 - Ikarus T3.1.1.80.0 2010.04.19 - Jiangmin 13.0.900 2010.04.18 - Kaspersky 7.0.0.125 2010.04.19 - McAfee 5.400.0.1158 2010.04.19 Downloader-CEW McAfee-GW-Edition 6.8.5 2010.04.18 - Microsoft 1.5605 2010.04.18 - NOD32 5039 2010.04.18 a variant of Win32/Kryptik.DTU Norman 6.04.11 2010.04.16 - nProtect 2010-04-18.01 2010.04.18 - Panda 10.0.2.7 2010.04.18 - PCTools 7.0.3.5 2010.04.19 - Prevx 3.0 2010.04.19 High Risk Cloaked Malware Rising 22.43.06.03 2010.04.18 - Sophos 4.52.0 2010.04.18 Mal/FakeAV-CX Sunbelt 6193 2010.04.19 VirTool.Win32.Obfuscator.hg!b (v) Symantec 20091.2.0.41 2010.04.19 - TheHacker 6.5.2.0.264 2010.04.18 - TrendMicro 9.120.0.1004 2010.04.15 - VBA32 3.12.12.4 2010.04.15 - ViRobot 2010.4.17.2282 2010.04.18 - VirusBuster 5.0.27.0 2010.04.18 Trojan.Codecpack.Gen.4 Information additionnelle File size: 169984 bytes MD5...: ea5451a1762a117e7cc528071c760aaa SHA1..: 406f45c169567ad403cf77db7e6dd8701a11b0e6 SHA256: ea7bececcf77f0ccfe00d30be7962b9fff3c2274482df8a688dd761c0cb2cfb2 ssdeep: 3072:haGuHqnPHuPYG9D+vnFmDQ8ouGJdCspJhWsBAxYpIBH0NH:WH/D+dmDUDCm JkSsY2hQ PEiD..: - PEInfo: PE Structure information ( base data ) entrypointaddress.: 0x5878 timedatestamp.....: 0x4b5c84a2 (Sun Jan 24 17:34:26 2010) machinetype.......: 0x14c (I386) ( 4 sections ) name viradd virsiz rawdsiz ntrpy md5 CODE 0x1000 0xadcc 0xae00 6.03 0b54165ad2871cc1347370541aa8b411 INIT 0xc000 0x31ad2 0x1dc00 7.42 296e6da1396f7fbfee8cc3adad0e9c7a .rdata 0x3e000 0x138 0x200 0.00 bf619eac0cdf3f68d496ea9344137e8b .bss 0x3f000 0x689 0x800 0.00 c99a74c555371a433d121f551d6c6398 ( 9 imports ) > KERNEL32.DLL: GetLastError, FreeResource, SetThreadLocale, GetACP, ExitProcess, SetEvent, InitializeCriticalSection, SetLastError, ReadFile, GetCommandLineA, FormatMessageA, GlobalDeleteAtom, GetModuleHandleA, GetStringTypeA, MulDiv, GetUserDefaultLCID, EnumCalendarInfoA, GlobalFindAtomA, GetCurrentProcessId, LockResource, FindClose, GetFullPathNameA, FindFirstFileA, DeleteCriticalSection, GetProcessHeap, GetProcAddress, RaiseException, GetOEMCP, VirtualAlloc, GetLocaleInfoA, GetStdHandle, GetThreadLocale, EnterCriticalSection, GetStartupInfoA, WriteFile, GetCurrentProcess, GetFileType, ExitThread, GetVersion, CloseHandle, Sleep, GetLocalTime, CompareStringA, LocalFree, GetVersionExA, GlobalAlloc, LocalAlloc, lstrcatA, GetModuleFileNameA, GetFileSize, SetEndOfFile, SizeofResource, ResetEvent, LoadLibraryExA, SetHandleCount, GetFileAttributesA, CreateThread, lstrcpyA, lstrcpynA, LocalReAlloc, SetErrorMode, GetCPInfo, VirtualAllocEx, lstrlenA, lstrcmpA, GetStringTypeW, GetEnvironmentStrings, SetFilePointer, MoveFileA, HeapFree, LoadResource, WideCharToMultiByte, HeapDestroy, HeapAlloc, GetTickCount, VirtualFree, GetDiskFreeSpaceA, GetSystemDefaultLangID, lstrcmpiA, FindResourceA, GetDateFormatA, FreeLibrary, MoveFileExA, CreateEventA, GetCurrentThread, CreateFileA, VirtualQuery, GlobalAddAtomA, DeleteFileA, LoadLibraryA, WaitForSingleObject, GetCurrentThreadId > SHLWAPI.DLL: PathIsDirectoryA, PathIsContentTypeA, SHStrDupA, SHQueryValueExA, PathGetCharTypeA, SHDeleteKeyA, PathFileExistsA, SHEnumValueA > oleaut32.dll: SafeArrayGetUBound, SysStringLen, GetErrorInfo, VariantCopyInd, SysAllocStringLen, OleLoadPicture, VariantChangeType, SysReAllocStringLen, SafeArrayGetElement > comctl32.dll: ImageList_Destroy, ImageList_DrawEx, ImageList_DragShowNolock, ImageList_Remove, ImageList_Read > comdlg32.dll: ChooseColorA, GetOpenFileNameA, GetFileTitleA, GetSaveFileNameA > gdi32.dll: GetDCOrgEx, GetDIBColorTable > msvcrt.dll: mbstowcs, exit, abs, memcpy, wcschr, sprintf, memcmp, swprintf, srand, wcscspn, log, time, rand, wcsncmp, fabs, log10, memmove > user32.dll: CheckMenuItem, EnumChildWindows, GetActiveWindow, SetWindowPos, CreateMenu, GetMenuItemID, CharLowerA, DispatchMessageW, IsChild, FindWindowA, FrameRect, GetScrollPos, DeferWindowPos, EnumWindows, GetKeyState, GetMenuItemCount, GetCursorPos, DefWindowProcA, GetParent, CharLowerBuffA, GetCursor, GetWindow, GetFocus, GetLastActivePopup > VERSION.DLL: GetFileVersionInfoA ( 0 exports ) RDS...: NSRL Reference Data Set - pdfid.: - trid..: Windows Screen Saver (37.1%) Win32 Executable Generic (24.1%) Win32 Dynamic Link Library (generic) (21.4%) Clipper DOS Executable (5.7%) Generic Win/DOS Executable (5.6%) sigcheck: publisher....: n/a copyright....: n/a product......: n/a description..: n/a original name: n/a internal name: n/a file version.: n/a comments.....: n/a signers......: - signing date.: - verified.....: Unsigned Symantec Reputation Network: Suspicious.Insight https://www.broadcom.com/support/security-center http://info.prevx.com/aboutprogramtext.asp?PX5=02E4FCEF0064525798A40274DA8D34003E127DDE Merci!

mia928 · Answer

Si tu as access, ceci est plus facile à lire: http://www.virustotal.com/fr/analisis/ea7bececcf77f0ccfe00d30be7962b9fff3c2274482df8a688dd761c0cb2cfb2-1271639186

dédétraqué · Answer

Salut mia928


-Télécharge et installe MalwareByte's Anti-Malware
http://www.malwarebytes.org/mbam/program/mbam-setup.exe

- Mets le à jour

---

- Redémarre en mode sans échec :

Au redémarrage de ton PC tapote sur la touche F8 ou F5, sur l'écran suivant déplace toi avec les flèches de direction et choisis Mode sans échec. Choisis ta session habituelle et non la session Administrateur

---

- Double clique sur le raccourci de MalwareByte's Anti-Malware qui est sur le bureau.
- Sélectionne Exécuter un examen complet si ce n'est pas déjà fait
- clique sur Rechercher

- Une fois le scan terminé, une fenêtre s'ouvre, clique sur  sur OK

- Si MalwareByte's n'a rien détecté, clique sur OK  Un rapport va apparaître ferme-le.

- Si MalwareByte's a détecté des infections, clique sur Afficher les résultats  ensuite sur Supprimer la sélection

- Enregistre le rapport sur ton Bureau comme cela il sera plus facile à retrouver, poste ensuite ce rapport.

Note : Si MalwareByte's  a besoin de redémarrer pour terminer la suppression, accepte en cliquant sur OK

Tutoriel pour MalwareByte's ici : 
https://www.malekal.com/tutoriel-malwarebyte-anti-malware/


@++   :)

mia928 · Answer

Choisis ta session habituelle et non la session Administrateur 

Ca va tu encore fonctionner si ma session habituelle est admisnitrateur?
Sinon.. j'ai une session "invité" que je n'utilise pas..?

dédétraqué · Answer

Salut mia928


Tu le fais sur ta session même si administrateur.


@++   :)

mia928 · Answer

Salut dédétraqué.

J'ai essayer d'executer le programme, mais une fenêtre d'erreur apparait en me disant que ce n'est pas une application Win32 valide.

Aurais-ce rapport avec WinZip?

dédétraqué · Answer

Salut mia928 


Tu clique bien sur le raccourci de Malwarebyte sur le bureau?


@++   :)

mia928 · Answer

Salut dédétraqué,
J'ai enregistrer le fichier, et puisque j'utilise Firefox, une fenetre d'enregistrement apparait.. et lorque j'ouvre mon téléchargement, ca me demande d'executer ou non le fichier.. j'execute et la la fenêtre d'erreur apparait..

J'ai jamais eu de lien sur mon bureau pour aucun des programmes que tu m'as fait télécharger depuis le début.

Voila ce qui apparait: 

1- http://tinypic.com/images/goodbye.jpg
2- http://tinypic.com/images/goodbye.jpg
3- http://tinypic.com/images/goodbye.jpg
4- http://tinypic.com/images/goodbye.jpg

Merci!

dédétraqué · Answer

Salut mia928


On va voir si un autre outil passe :

Télécharge AD-Remover sur ton Bureau. (Merci à C_XX)
http://pagesperso-orange.fr/NosTools/C_XX/AD-R.exe

Miroir:
https://www.androidworld.fr/

/!\ Ferme toutes applications en cours /!\

/!\ Désactive provisoirement et seulement le temps de l'utilisation de AD-Remover, la protection en temps réel de ton Antivirus et de tes Antispywares, qui peuvent gêner fortement la procédure de recherche et de nettoyage de l'outil.
 
- Double-clique sur l'icône Ad-remover située sur ton Bureau.
(Vista/7 - Faire un clique droit sur l'icône AD-Remover située sur ton Bureau et choisir exécuter en tant qu'administrateur.)
- Sur la page, clique sur le bouton « Scanner »
- Confirme lancement du scan
- Laisse travailler l'outil.
- Poste le rapport qui apparaît à la fin.

(Le rapport est sauvegardé aussi sous C:\Ad-report(Scan/clean).Txt)

(CTRL+A pour tout sélectionner, CTRL+C pour copier et CTRL+V pour coller)


@++   :)

mia928 · Answer

Salut dédétraqué, ce lien à bel et bien fonctionner.

je l'ai mit sous un lien pour faire plus beau. :)

https://www.cjoint.com/?eteOyPTdDI

Merci!

dédétraqué · Answer

Salut mia928


/!\ Ferme toutes applications en cours /!\

/!\ Désactive provisoirement et seulement le temps de l'utilisation de AD-Remover, la protection en temps réel de ton Antivirus et de tes Antispywares, qui peuvent gêner fortement la procédure de recherche et de nettoyage de l'outil.
 
- Double-clique sur l'icône Ad-remover située sur ton Bureau.
(Vista/7 - Faire un clique droit sur l'icône AD-Remover située sur ton Bureau et choisir exécuter en tant qu'administrateur.)
- Sur la page, clique sur le bouton « Nettoyer »
- Confirme lancement du scan
- Laisse travailler l'outil.
- Poste le rapport qui apparaît à la fin.

(Le rapport est sauvegardé aussi sous C:\Ad-report(Scan/clean).Txt)

(CTRL+A pour tout sélectionner, CTRL+C pour copier et CTRL+V pour coller)


-----


Refais un scan avec RSIT et poste le contenu du rapport log.txt à la fin de l'analyse

Le rapport est dans le dossier ici C:\rsit


@++   :)

mia928 · Answer

Salut dédétraqué

Voice le rapport après le nettoyage:
https://www.cjoint.com/?etfasSKQQ2


Et voice le nouveau RSIT:
https://www.cjoint.com/?etfcm5uHPC

Merci! :)

dédétraqué · Answer

Salut mia928


Télécharge WORT (de dj QUIOU) sur le bureau.
http://pc-system.fr/

Redémarre en mode sans échec :

Au redémarrage de ton PC tapote sur la touche F8 ou F5, sur l'écran suivant déplace toi avec les flèches de direction et choisis Mode sans échec. Choisis ta session habituelle et non la session Administrateur


Double clique sur le fichier WORT.exe et sélectionne le bureau à l'aide du bouton "Parcourir". Suis les instructions et double clique sur le fichier Wareout Removal Tool.bat qui vient d'être créé sur le bureau. Sélectionne l'option 1 et valide par entrée.


Poste un nouveau RSIT


@++   :)
P.S. Moi je vais me coucher, a demain

mia928 · Answer

Salut dédétraqué
J'ai tenté redémarrer en mode sans échec, mais lorsque j'ai choisi l'option sans echec.. l'écran est devenu noir avec la ligne blanche clignonante dans le coin gauche en haut...
Est obligatoire de le faire en mode sans échec?

mia928 · Answer

Désolé.. j'ai du aller me coucher puisque j'avais de l'école le lendemain..

mia928 · Answer

Jme sens mal d'insister.. mais est-ce que quelqu'un d'autre pourrait continuer d'où dédétraqué l'a laisser?

dédétraqué · Answer

Salut mia928


Faut pas être pressé, moi aussi j'ai une vie

Double clique sur le raccourci d'HijackThis sur ton Bureau, clique sur Do a scan system only coche la case devant la(les) ligne(s) suivante(s) si présente(s)
Si pas de raccourci sur le bureau, il ce trouve ici :
C:\Program Files	rend micro\Zamboni.exe

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file) 
O17 - HKLM\System\CCS\Services\Tcpip\..\{49FB0EE6-BD79-47B9-9447-7A4EB8719FC9}: NameServer = 93.188.163.59,93.188.166.129     
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD858D84-1819-414D-A266-0A0139343FF5}: NameServer = 93.188.163.59,93.188.166.129     
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.163.59,93.188.166.129     
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 93.188.163.59,93.188.166.129     
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.163.59,93.188.166.129


- Ferme les fenêtres en cours sauf HijackThis, clique sur Fix checked 

- Quitte HijackThis


-----


Clique sur démarrer/Exécuter et tape regedit et OK
Presse : CTRL et F
Tout cocher sauf Mot entier seulement
Ecrire ou copier/coller : 93.188.163.59
Clique : Suivant
Si trouvé ==> clic-droit et supprimer 
relancer la recherche jusqu'à l'annonce de FIN 
Après fais la même chose avec : 93.188.166.129


-----


Télécharge OTM (de Old_Timer) sur le bureau :

http://www.geekstogo.com/forum/files/file/402-otm-oldtimers-move-it/


Double-clique sur OTM.exe sur le bureau

- Copie le texte qui se trouve en gras ci-dessous et colle le dans le cadre de gauche de OTM nommé Paste Instructions for Items to be Moved

 :files 
C:\WINDOWS\Jrupya.exe

:commands 
[emptytemp]

- Clique sur MoveIt! pour lancer la suppression.
- Ferme OTM

Ton PC va redémarrer pour finir la suppression, si il ne le fais pas lui-même, redémarre le.

Poste le rapport de OTMoveIt qui se trouve dans C:\_OTM\MovedFiles.


@++   :)

mia928 · Answer

Salut dédétraqué
Jme sens mal la.. je pensais pas que tu allais revenir.. désolé..

J'ai réouvri HiJackThis.. mais je n'ai pas vu ce que tu as décris..

Voici ce que je vois:

Le seul lien que j'ai pu mettre sur mon bureau est celui ci: http://tinypic.com/images/goodbye.jpg

2- http://tinypic.com/images/goodbye.jpg

3- http://tinypic.com/images/goodbye.jpg

4- http://tinypic.com/images/goodbye.jpg

Et ensuite le document texte ouvre lorsque c'est fini.

NOTE: Aujour'dhui, je n'ai plus de pop ups ca l'air... mais mon ordi est-il encore à risque que cela revient?

Merci encore et encore!

dédétraqué · Answer

Salut mia928 


Faudrait bien lire ce que j'explique, toi tu as utilisé RSIT et moi je te demande avec HijackThis, comme je voie qu'il n'est pas sur le bureau tu le trouvera ici :
C:\Program Files	rend micro\Zamboni.exe


Oui finir la procédure, encore infection


@++   :)

mia928 · Answer

Salut dédétraqué

T'as bien raison! desolé.. je ne savais pas où trouver le HiJackThis..

Voici les résultats... de ce que je comprend... ca supprimer mes ficher internet temporaires?

All processes killed
========== FILES ==========
C:\WINDOWS\Jrupya.exe moved successfully.
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: All Users
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 41 bytes
 
User: Invité
->Temp folder emptied: 1172706 bytes
->Temporary Internet Files folder emptied: 50149369 bytes
->FireFox cache emptied: 4640398 bytes
->Flash cache emptied: 1797 bytes
 
User: LocalService
->Temp folder emptied: 115616 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
User: Moi
 
User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 734035 bytes
 
User: Utilisateur
 
User: Zamboni
->Temp folder emptied: 2143820 bytes
->Temporary Internet Files folder emptied: 10372734 bytes
->Java cache emptied: 75310575 bytes
->FireFox cache emptied: 89637142 bytes
->Flash cache emptied: 150780 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 3090235 bytes
%systemroot%\System32 .tmp files removed: 3072 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 49676 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 23969900 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes
 
Total Files Cleaned = 250.00 mb
 
 
OTM by OldTimer - Version 3.1.10.2 log created on 04192010_221154

Files moved on Reboot...
File move failed. C:\WINDOWS	emp\_avast4_\Webshlock.txt scheduled to be moved on reboot.
File C:\WINDOWS	emp\Perflib_Perfdata_778.dat not found!

Registry entries deleted on Reboot...


Merci! :D

dédétraqué · Answer

Salut mia928 


Effectivement on a fais le ménage des fichiers temp.

Refais un scan avec RSIT et poste le contenu du rapport log.txt à la fin de l'analyse

Le rapport est dans le dossier ici C:\rsit


@++   :)

mia928 · Answer

Salut dédétraqué

Voila le rapport: 	https://www.cjoint.com/?eudRzJP8fg

Merci!

dédétraqué · Answer

Salut mia928


Cela est bon, on va vérifier si rien de caché :

Faire un scan avec Nod32 en ligne (il faut utiliser Internet Explorer) ici :

https://www.eset.com/int/home/online-scanner/

(coche toutes les cases à chaque fois, sauf les deux dernières a la fin du scan, sinon le rapport est supprimer) 
A la fin, colle le rapport : C:\Program Files\EsetOnlineScanner\log.txt


@++   :)

mia928 · Answer

Salut dédétraqué

Voici le rapport:
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.6000.17023 (vista_gdr.100222-0012)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=0a3b0c1e05dbe24cbf6e0778eb00c548
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-04-20 04:31:11
# local_time=2010-04-20 01:31:11 (-0400, Atlantique (heure d'été))
# country="Canada"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=769 16775129 100 98 0 207096428 21979802 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=108142
# found=12
# cleaned=12
# scan_time=8199
C:\UsbFix_Upload_Me_UTILISAT-3CF45A.zip	multiple threats (deleted - quarantined)	00000000000000000000000000000000	C
C:\Ad-Remover\Quarantine\C\Program Files\Windows Live\Messenger\Riched20.dll.vir	Win32/Toolbar.MyWebSearch application (cleaned by deleting - quarantined)	00000000000000000000000000000000	C
C:\Documents and Settings\Zamboni\Mes documents\Téléchargements\balligomingo.over.you.45026(2).exe	Win32/TrojanDownloader.FakeAlert.AQI trojan (cleaned by deleting - quarantined)	00000000000000000000000000000000	C
C:\Documents and Settings\Zamboni\Mes documents\Téléchargements\balligomingo.over.you.45026(3).exe	Win32/TrojanDownloader.FakeAlert.AQI trojan (cleaned by deleting - quarantined)	00000000000000000000000000000000	C
C:\Documents and Settings\Zamboni\Mes documents\Téléchargements\balligomingo.over.you.45026.exe	Win32/TrojanDownloader.FakeAlert.AQI trojan (cleaned by deleting - quarantined)	00000000000000000000000000000000	C
C:\Documents and Settings\Zamboni\Mes documents\Téléchargements\MallTycoonSetup-dm.exe	Win32/Adware.Trymedia application (cleaned by deleting - quarantined)	00000000000000000000000000000000	C
C:\Documents and Settings\Zamboni\Mes documents\Téléchargements\Pet_Pals_Animal_Doctor_Setup-dm.exe	Win32/Adware.Trymedia application (cleaned by deleting - quarantined)	00000000000000000000000000000000	C
C:\System Volume Information\_restore{F61F9CA3-36E7-44DC-95CB-4D9E05BBB1AB}\RP937\A0106155.dll	Win32/Toolbar.MyWebSearch application (cleaned by deleting - quarantined)	00000000000000000000000000000000	C
C:\UsbFix\Quarantine\C\DOCUME~1\Zamboni\LOCALS~1\Temp\Jxp.exe.UsbFix	Win32/TrojanDownloader.FakeAlert.AQI trojan (cleaned by deleting - quarantined)	00000000000000000000000000000000	C
C:\UsbFix\Quarantine\C\DOCUME~1\Zamboni\LOCALS~1\Temp\Jxq.exe.UsbFix	a variant of Win32/Kryptik.DTU trojan (cleaned by deleting - quarantined)	00000000000000000000000000000000	C
C:\WINDOWS\system32\spool\prtprocs\w32x86\00002262.tmp	Win32/Olmarik.XO trojan (cleaned by deleting - quarantined)	00000000000000000000000000000000	C
C:\_OTM\MovedFiles\04192010_221154\C_WINDOWS\Jrupya.exe	Win32/TrojanDownloader.FakeAlert.AQI trojan (cleaned by deleting - quarantined)	00000000000000000000000000000000	C
esets_scanner_update returned -1 esets_gle=53251
# version=7
# iexplore.exe=7.00.6000.17023 (vista_gdr.100222-0012)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=0a3b0c1e05dbe24cbf6e0778eb00c548
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-04-20 06:51:25
# local_time=2010-04-20 03:51:25 (-0400, Atlantique (heure d'été))
# country="Canada"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=769 16775129 100 98 0 207104767 21152941 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=108405
# found=1
# cleaned=1
# scan_time=8273
C:\System Volume Information\_restore{F61F9CA3-36E7-44DC-95CB-4D9E05BBB1AB}\RP938\A0106303.exe	Win32/TrojanDownloader.FakeAlert.AQI trojan (cleaned by deleting - quarantined)	00000000000000000000000000000000	C

Merci toujours!

dédétraqué · Answer

Salut mia928


Ton rapport est propre, seulement un point de restauration système infecté que l'on va purger.

Pour des raisons de sécurité et surtout pour garder ton PC propre, on va désactiver la restauration système sur tous les lecteurs :

- Clique droit sur le Poste de travail sur le bureau, dans propriété tu cliques sur l'onglet Restauration système

- Coche la case désactiver la restauration et applique 

Redémarre l'ordinateur et réactive la restauration système.

Tutoriel XP :  http://www.libellules.ch/desactiver_restauration.php


-----


On va faire un ménage des outils téléchargés pour la désinfection, télécharge Tools Cleaner sur le bureau :

http://pc-system.fr/


- Double clique sur ToolsCleaner2.exe sur le bureau
- Clique sur Recherche et laisse le scan agir.
- Clique sur Suppression pour finaliser.
- Tu peux, si tu le souhaites, te servir des Options facultatives.
- Clique sur Quitter pour obtenir le rapport.
- Poste le rapport (TCleaner.txt) qui se trouve à la racine de ton disque dur (C:\).
- Si des outils restes après le passage de Tools Cleaner, tu pourras les supprimer manuellement ainsi que tous les rapports qui on été généré lors de la désinfection.


-----


Important de mettre à jour Windows et tes logiciels :
Mettre Windows(catégories critique, Services Pack et Services Release) à jour : http://www.windowsupdate.com/windowsupdate/v6/default.aspx

Faire un scan de vulnérabilités afin de vérifier que tes logiciels soit à jour sans failles de sécurités et mettre à jour :
https://www.malekal.com/tester-la-vulnerabilite-de-son-systeme-2/

Faire un ménage des fichiers inutiles et de la base de registre : 
https://www.malekal.com/tutoriel-ccleaner/

Dis moi quand cela est fais où si tu as des soucis et on passe à la résolution du sujet par la suite.


@++ :)

mia928 · Answer

J'ai fait tout ce que tu m'as demandé sans problème!
Voici le rapport:  

[ Rapport ToolsCleaner version 2.3.11 (par A.Rothstein & dj QUIOU) ]

--> Recherche: 

C:\UsbFix.txt: trouvé !
C:\_OTM: trouvé !
C:\UsbFix: trouvé !
C:\Rsit: trouvé !
C:\Ad-remover: trouvé !
C:\Ad-Remover\Backup\Ad-R.exe: trouvé !
C:\Documents and Settings\Zamboni\Bureau\OTM.exe: trouvé !
C:\Documents and Settings\Zamboni\Bureau\Ad-R.exe: trouvé !
C:\Documents and Settings\Zamboni\Bureau\Rsit.exe: trouvé !
C:\Documents and Settings\Zamboni\Bureau\WORT.exe: trouvé !
C:\Documents and Settings\Zamboni\Mes documents\Téléchargements\UsbFix.exe: trouvé !
C:\Documents and Settings\Zamboni\Recent\UsbFix.lnk: trouvé !
C:\Program Files\Mozilla Firefox\WareOut Removal Tool.bat: trouvé !
C:\Program Files\Mozilla Firefox\WORT: trouvé !
C:\Program Files\Mozilla Firefox\WORT\catchme.exe: trouvé !
C:\Program Files	rend micro\HijackThis.exe: trouvé !
C:\Program Files	rend micro\hijackthis.log: trouvé !

---------------------------------
--> Suppression: 

C:\Ad-Remover\Backup\Ad-R.exe: supprimé !
C:\Documents and Settings\Zamboni\Bureau\OTM.exe: supprimé !
C:\Documents and Settings\Zamboni\Bureau\Ad-R.exe: supprimé !
C:\Program Files\Mozilla Firefox\WareOut Removal Tool.bat: supprimé !
C:\Program Files\Mozilla Firefox\WORT\catchme.exe: supprimé !
C:\Program Files	rend micro\HijackThis.exe: supprimé !
C:\UsbFix.txt: supprimé !
C:\Documents and Settings\Zamboni\Bureau\Rsit.exe: supprimé !
C:\Documents and Settings\Zamboni\Bureau\WORT.exe: supprimé !
C:\Documents and Settings\Zamboni\Mes documents\Téléchargements\UsbFix.exe: supprimé !
C:\Documents and Settings\Zamboni\Recent\UsbFix.lnk: supprimé !
C:\Program Files	rend micro\hijackthis.log: supprimé !
C:\_OTM: supprimé !
C:\UsbFix: supprimé !
C:\Rsit: supprimé !
C:\Ad-remover: supprimé !
C:\Program Files\Mozilla Firefox\WORT: supprimé !

dédétraqué · Answer

Salut mia928 


Super si tout va bien, je te donne quelques consignes de sécurité :

-  Windows Update  parfaitement à jour http://www.windowsupdate.com/windowsupdate/v6/default.aspx (catégories critique, Services Pack et Services Release)
- pare-feu bien paramétré, je te conseil ZoneAlarm : 
https://www.malekal.com/tutoriel-zonealarm-firewall/
- antivirus bien paramétré et mis à jour régulièrement (quotidiennement s'il le faut) avec un scan complet régulier (journalier s'il le faut).
- une attitude prudente vis à vis de la navigation (pas de sites douteux : cracks, warez, sexe...) et vis à vis de la messagerie (fichiers joints aux messages doivent être scannés avant d'être ouverts)
- pas de téléchargement illégal, qui est le principal facteur d'infection (µTorrent, BitTorrent, eMule, Limewire, etc..)   https://forum.malekal.com/viewtopic.php?t=893&start=
- une attitude vigilante (être à l'affût d'un fonctionnement inhabituel de son système)
- nettoyage hebdomadaire du système (suppression des fichiers inutiles, nettoyage de la base de registre, scandisk, defrag)
- scan hebdomadaire antispyware, je conseil MalwareByte's Anti-Malware :
https://www.malekal.com/tutoriel-malwarebyte-anti-malware/
- un contrôle régulier de la console JAVA pour s'assurer qu'elle est à jour :
https://www.java.com/en/download/uninstalltool.jsp 
- faire régulièrement un scan de vulnérabilités afin de vérifier que tes logiciels soit à jour sans failles de sécurités :
https://www.malekal.com/tester-la-vulnerabilite-de-son-systeme-2/


De bonne lecture si tu veux en savoir plus sur la sécurité et le fonctionnement de Windows :
http://www.malekal.com/menu_windows_general.php
http://www.malekal.com/menu_windows_securite.php

Si tu considères ton problème comme résolu, tu pourras mettre en résolu :
https://www.commentcamarche.net/infos/25917-marquer-un-fil-de-discussion-comme-etant-resolu/

Bonne journée/soirée et bon surf   


@++  :)

mia928 · Answer

Merci infiniment!
Mais le problème de sites publicitaires ou de recherches, etc est quand même la lorsque je fais des recherches Google..

Mais c'est bien de savoir que mon ordinateur est plus safe qu'avant!

dédétraqué · Answer

Salut mia928


Tu as encore des redirections Google?


@++   :)

mia928 · Answer

Salut dédétraqué

Effectivement, j'ai encore des problèmes avec Google.
Mais j'ai pourtant supprimer le virus, non?

dédétraqué · Answer

Salut mia928


Télécharge combofix.exe (de sUBs) sur le bureau :

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.geekstogo.com/forum/files/file/197-combofix-by-subs/

Important Désactive ton Antivirus, antispyware et Pare feu avant le scan avec Combofix :
https://forum.pcastuces.com/default.asp
https://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

==> Sauvegarde ton travail et ferme toutes les fenêtres actives, il peut y avoir un redémarrage du PC. Ne lance aucun programme tant que Combofix n'est pas fini. <==

Double clique sur combofix.exe, clique sur OUI et valide par Entrée 

Lorsque le scan sera complété, un rapport apparaîtra. Copie/colle ce rapport dans ta prochaine réponse.

NOTE : Le rapport se trouve également ici : C:\Combofix.txt

Combofix est détecté par certains antivirus comme une infection, ne pas en tenir compte, il s'agit d'un faux positif, continue la procédure


@++   :)

mia928 · Answer

Salut dédétraqué.
Tout à bien fonctionner, voici le rapport: https://www.cjoint.com/?evwXtSP6Vb

Merci!

dédétraqué · Answer

Salut mia928 


Cela me dit que le lien n'est pas ou n'est plus disponible, copie/colle le rapport direct sur le forum.


@++   :)

mia928 · Answer

Salut dédétraqué
Désolé pour le lien... mais je ne pouvais pas envoyer le message parce qu'il était trop long... alors je vais le couper en deux.

ComboFix 10-04-21.01 - Zamboni 2010-04-21  17:03:21.1.2 - x86
Microsoft Windows XP Édition familiale  5.1.2600.3.1252.2.1036.18.3071.2574 [GMT -3:00]
Lancé depuis: c:\documents and settings\Zamboni\Bureau\ComboFix.exe
AV: avast! antivirus 4.8.1296 [VPS 090807-0] *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((   Autres suppressions   ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Zamboni\Application Data\.#
c:\documents and settings\Zamboni\Application Data\EurekaLog
c:\windows\system32\Thumbs.db

.
(((((((((((((((((((((((((((((   Fichiers créés du 2010-03-21 au 2010-04-21  ))))))))))))))))))))))))))))))))))))
.

2010-04-20 23:45 . 2010-04-20 23:45	411368	----a-w-	c:\windows\system32\deployJava1.dll
2010-04-20 23:44 . 2010-04-20 23:44	79488	----a-w-	c:\documents and settings\Zamboni\Application Data\Sun\Java\jre1.6.0_20\gtapi.dll
2010-04-20 23:44 . 2010-04-20 23:44	152576	----a-w-	c:\documents and settings\Zamboni\Application Data\Sun\Java\jre1.6.0_20\lzma.dll
2010-04-20 02:12 . 2010-04-20 02:12	--------	d-----w-	c:\program files\ESET
2010-04-18 23:56 . 2010-04-20 23:27	--------	d-----w-	c:\program files	rend micro
2010-04-16 21:16 . 2010-04-16 21:16	--------	d-----w-	c:\program files\Ares
2010-04-13 10:26 . 2010-04-13 10:26	--------	d-----w-	c:\program files\iPod
2010-04-13 10:26 . 2010-04-13 10:27	--------	d-----w-	c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-13 10:24 . 2010-04-13 10:24	--------	d-----w-	c:\program files\QuickTime
2010-04-13 10:22 . 2010-04-13 10:22	--------	d-----w-	c:\program files\Bonjour
2010-04-13 10:20 . 2010-04-13 10:20	73000	----a-w-	c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
2010-04-10 22:30 . 2010-04-10 22:30	532	----a-w-	c:\windows\eReg.dat
2010-04-10 22:29 . 2010-04-10 22:29	--------	d-----w-	c:\program files\Maxis

.
((((((((((((((((((((((((((((((((((   Compte-rendu de Find3M   ))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-20 23:47 . 2008-07-03 19:45	--------	d-----w-	c:\program files\CCleaner
2010-04-20 23:37 . 2008-07-03 19:46	--------	d-----w-	c:\program files\Fichiers communs\Adobe
2010-04-18 23:14 . 2009-02-14 00:15	--------	d-----w-	c:\program files\SUPERAntiSpyware
2010-04-17 00:31 . 2008-08-14 20:43	--------	d-----w-	c:\program files\Fichiers communs\DVDVIDEOSOFT
2010-04-16 21:26 . 2010-03-08 00:58	--------	d-----w-	c:\documents and settings\Zamboni\Application Data\LimeWire
2010-04-16 21:07 . 2009-02-24 21:15	--------	d-----w-	c:\program files\Google
2010-04-13 10:27 . 2008-12-28 12:06	--------	d-----w-	c:\program files\iTunes
2010-04-13 10:26 . 2008-12-28 12:05	--------	d-----w-	c:\program files\Fichiers communs\Apple
2010-03-23 02:46 . 2010-02-05 21:26	50354	----a-w-	c:\documents and settings\Zamboni\Application Data\Facebook\uninstall.exe
2010-03-23 02:46 . 2010-02-05 21:26	--------	d-----w-	c:\documents and settings\Zamboni\Application Data\Facebook
2010-03-15 03:49 . 2010-03-15 03:49	--------	d-----w-	c:\program files\Fichiers communs\Java
2010-03-15 03:49 . 2010-03-15 03:49	503808	----a-w-	c:\documents and settings\Zamboni\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-10733cf8-n\msvcp71.dll
2010-03-15 03:49 . 2010-03-15 03:49	499712	----a-w-	c:\documents and settings\Zamboni\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-10733cf8-n\jmc.dll
2010-03-15 03:49 . 2010-03-15 03:49	348160	----a-w-	c:\documents and settings\Zamboni\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-10733cf8-n\msvcr71.dll
2010-03-15 03:49 . 2010-03-15 03:49	61440	----a-w-	c:\documents and settings\Zamboni\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-28a3a294-n\decora-sse.dll
2010-03-15 03:49 . 2010-03-15 03:49	12800	----a-w-	c:\documents and settings\Zamboni\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-28a3a294-n\decora-d3d.dll
2010-03-15 03:49 . 2009-02-16 10:37	--------	d-----w-	c:\program files\Java
2010-03-15 03:48 . 2006-03-02 12:00	85608	----a-w-	c:\windows\system32\perfc00C.dat
2010-03-15 03:48 . 2006-03-02 12:00	513410	----a-w-	c:\windows\system32\perfh00C.dat
2010-03-14 16:48 . 2009-11-11 17:56	79488	----a-w-	c:\documents and settings\Zamboni\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-03-11 12:34 . 2006-03-02 12:00	832512	----a-w-	c:\windows\system32\wininet.dll
2010-03-11 12:34 . 2009-10-27 15:14	78336	----a-w-	c:\windows\system32\ieencode.dll
2010-03-11 12:34 . 2006-03-02 12:00	17408	----a-w-	c:\windows\system32\corpol.dll
2010-03-09 11:10 . 2006-03-02 12:00	430080	----a-w-	c:\windows\system32\vbscript.dll
2010-03-08 01:03 . 2010-03-08 01:03	--------	d-----w-	c:\documents and settings\All Users\Application Data\SiComponents
2010-03-06 05:30 . 2010-03-06 05:30	5582848	----a-w-	c:\documents and settings\Zamboni\Application Data\Facebook
pfbplugin_1_0_3.dll
2010-03-03 20:36 . 2010-02-17 01:14	--------	d-----w-	c:\documents and settings\Zamboni\Application Data\FrostWire
2010-02-24 13:11 . 2006-03-02 12:00	455680	----a-w-	c:\windows\system32\drivers\mrxsmb.sys
2010-02-17 01:32 . 2010-02-17 01:32	0	-c--a-w-	c:\documents and settings\Zamboni\Application Data\FrostWire\.NetworkShare\Incomplete\T-4506256-LimeWireWin4.16.6.exe
2010-02-16 19:06 . 2006-03-02 12:00	2148352	----a-w-	c:\windows\system32
toskrnl.exe
2010-02-16 19:06 . 2004-08-19 16:04	2026496	----a-w-	c:\windows\system32
tkrnlpa.exe
2010-02-12 14:46 . 2010-02-12 14:46	91424	----a-w-	c:\windows\system32\dnssd.dll
2010-02-12 14:46 . 2010-02-12 14:46	107808	----a-w-	c:\windows\system32\dns-sd.exe
2010-02-12 04:34 . 2006-03-02 12:00	100864	----a-w-	c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2006-03-02 12:00	226880	----a-w-	c:\windows\system32\drivers	cpip6.sys
2010-02-09 20:14 . 2008-08-30 20:17	58402	-c--a-w-	c:\windows\War3Unin.dat
2010-02-08 01:42 . 2010-02-08 01:42	180224	----a-w-	c:\windows\system32\WinVd32.sys
2010-02-08 01:42 . 2010-02-08 01:42	7680	----a-w-	c:\windows\system32\WinFLsrv.exe
2010-02-01 22:04 . 2010-02-01 22:04	847040	----a-w-	c:\documents and settings\Zamboni\Application Data\Facebook\axfbootloader.dll
2010-02-01 22:04 . 2010-02-01 22:04	5578752	----a-w-	c:\documents and settings\Zamboni\Application Data\Facebook
pfbplugin_1_0_1.dll
2010-01-28 12:19 . 2010-01-24 18:58	21035	----a-w-	c:\windows\system32\drivers\AegisP.sys
2008-11-02 21:06 . 2008-11-02 21:06	89408	-c--a-w-	c:\program files\setup spiral frog.exe
2008-09-30 01:36 . 2008-09-30 01:36	5408074	-c--a-w-	c:\program files\Last.fm-1.5.2.38918.exe
2008-08-14 19:17 . 2008-08-14 19:17	611424	-c--a-w-	c:\program files\setuppad.exe
2008-08-02 05:35 . 2008-08-02 05:35	1283912	-c--a-w-	c:\program files\WoW-2.3.0.7561-enUS-downloader.exe
.

(((((((((((((((((((((((((((((((((   Points de chargement Reg   ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Fichiers communs\LightScribe\LightScribeControlPanel.exe" [2007-08-23 455968]
"msnmsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-01-15 1830128]
"WeatherEye"="c:\documents and settings\Zamboni\Local Settings\Application Data\TheWeatherNetwork\WeatherEye\WeatherEye.exe" [2009-10-27 718232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VM30xSnap"="VM30xSnap.exe Vimicro USB PC Camera (ZC030x)" [X]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-08-14 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-08-14 114688]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-08-14 94208]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 56928]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-06 54832]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"Window  UDP Control Servic"="winlogon.exe" [2008-04-14 512000]
"SlipStream"="c:\program files\Netscape Accélérateur\slipcore.exe" [2006-04-06 237568]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-04-02 40368]
"Adobe ARM"="c:\program files\Fichiers communs\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"SunJavaUpdateSched"="c:\program files\Fichiers communs\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Menu D'marrer\Programmes\D'marrage\
Belkin Wireless G Desktop Card Client Utility.lnk - c:\program files\Belkin\F5D7000v7032\Belkinwcui.exe [2010-1-28 1560576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"HonorAutoRunSetting"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"HonorAutoRunSetting"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon
otify\!SASWinLogon]
2008-12-22 15:05	356352	----a-w-	c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-02 18:05	40368	----a-w-	c:\program files\Adobe\Reader 8.0\Readereader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 18:43	69632	-c----r-	c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
2007-08-23 20:36	455968	----a-w-	c:\program files\Fichiers communs\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2007-04-10 15:28	16126464	-c----r-	c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
2007-04-04 17:22	1822720	-c----r-	c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2008-01-21 15:17	61440	-c--a-w-	c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AresChatServer"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"=
"%windir%\Network Diagnostic\xpnetdiag.exe"=
"c:\Documents and Settings\All Users\Documents\Warcraft III\Warcraft III.exe"=
"c:\WINDOWS\system32\dpvsetup.exe"=
"c:\WINDOWS\system32\rtcshare.exe"=
"c:\Program Files\Windows Live\Messenger\wlcsdk.exe"=
"c:\Documents and Settings\All Users\Documents\Warcraft III\War3.exe"=
"c:\Program Files\LimeWire\LimeWire.exe"=
"c:\Program Files\Windows Live\Messenger\msnmsgr.exe"=
"c:\Program Files\Bonjour\mDNSResponder.exe"=
"c:\Program Files\iTunes\iTunes.exe"=
"c:\Program Files\Ares\Ares.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-07-04 111184]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-07-04 20560]
R2 WinFLdrv;WinFLdrv;c:\windows\system32\WinFLdrv.sys [2010-02-07 17984]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\atl01_xp.sys [2008-07-03 35840]
R3 Belkin700F;Belkin Wireless G Desktop Card Service v7;c:\windows\system32\drivers\BLKWGDv7.sys [2010-01-24 303616]
R3 VM30xx86;Vimicro USB PC Camera (ZC030x);c:\windows\system32\drivers\vm30xx86.sys [2009-02-24 1294336]
S2 gupdate1c996c4f9b01916;Google Update Service (gupdate1c996c4f9b01916);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-24 133104]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]
S3 SjyPkt;SjyPkt;\??\c:\windows\System32\Drivers\SjyPkt.sys --> c:\windows\System32\Drivers\SjyPkt.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-08-23 20:34	451872	----a-w-	c:\program files\Fichiers communs\LightScribe\LSRunOnce.exe
.
Contenu du dossier 'Tâches planifiées'

2010-04-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-04-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-24 21:15]

2010-04-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-24 21:15]

2010-04-21 c:\windows\Tasks\User_Feed_Synchronization-{1976200C-4A2E-4FAC-9D4C-74B0D23C66DA}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 21:36]

mia928 · Answer

------- Examen supplémentaire ------- . uStart Page = hxxp://facebook.com/ uInternet Settings,ProxyOverride = *.local IE: Save YouTube Video - c:\program files\Fichiers communs\DVDVideoSoft\Dll\IEContextMenuY.dll/scriptY2MP4.htm IE: Save YouTube Video as MP3 - c:\program files\Fichiers communs\DVDVideoSoft\Dll\IEContextMenuY.dll/scriptY2MP3.htm LSP: c:\progra~1\NETSCA~2\sliplsp.dll DPF: {D40F5876-A494-4124-8161-82625BB28C06} - hxxp://download.playfirst.com/play/game/chocolatier2/Chocolatier2Web.1.0.0.10.cab FF - ProfilePath - c:\documents and settings\Zamboni\Application Data\Mozilla\Firefox\Profiles\q7i78nx0.default\ FF - prefs.js: browser.search.selectedEngine - Google FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/ FF - component: c:\documents and settings\Zamboni\Application Data\Mozilla\Firefox\Profiles\q7i78nx0.default\extensions\piclens@cooliris.com\components\coolirisstub.dll FF - plugin: c:\documents and settings\Zamboni\Application Data\Facebook pfbplugin_1_0_1.dll FF - plugin: c:\documents and settings\Zamboni\Application Data\Facebook pfbplugin_1_0_3.dll FF - plugin: c:\documents and settings\Zamboni\Application Data\Mozilla\Firefox\Profiles\q7i78nx0.default\extensions\piclens@cooliris.com\plugins pcoolirisplugin.dll FF - plugin: c:\program files\Google\Google Earth\plugin pgeplugin.dll FF - plugin: c:\program files\Google\Update\1.2.183.23 pGoogleOneClick8.dll FF - plugin: c:\program files\Java\jre6\bin ew_plugin pdeployJava1.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ ---- PARAMETRES FIREFOX ---- c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32); c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5); c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", ""); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false); c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600); c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "https://www.mozilla.org/en-US/firefox/new/?redirect_source=firefox-com"); c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20); . . ------- Associations de fichier ------- . .scr=AutoCADLTScriptFile . - - - - ORPHELINS SUPPRIMES - - - - HKCU-Run-ares vista - c:\documents and settings\Zamboni\Mes documents\Ma musique\Ares Vista\Ares.exe MSConfigStartUp-InCD - c:\program files\Nero\Nero 7\InCD\InCD.exe AddRemove-Ad-Remover - c:\ad-remover\Un-ADR.exe AddRemove-{2AD17134-DA34-41BB-8DFB-364061E6229A}_is1 - c:\documents and settings\Zamboni\Mes documents\Ma musique\Ares Vista\unins000.exe ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-04-21 17:09 Windows 5.1.2600 Service Pack 3 NTFS Recherche de processus cachés ... Recherche d'éléments en démarrage automatique cachés ... Recherche de fichiers cachés ... c:\windows\system32\sys_drv.dat 6024 bytes c:\windows\system32\sys_drv_2.dat 5020 bytes c:\windows\system32\WinFLdrv.sys 17984 bytes executable c:\documents and settings\Zamboni\Application Data\systemfl.$dk 990 bytes Scan terminé avec succès Fichiers cachés: 4 ************************************************************************** Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net device: opened successfully user: MBR read successfully called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys >>UNKNOWN [0x8ADE68C8]<< kernel: MBR read successfully detected MBR rootkit hooks: \Driver\Disk -> CLASSPNP.SYS @ 0xf74cbf28 \Driver\ACPI -> ACPI.sys @ 0xf735dcb8 \Driver\atapi -> atapi.sys @ 0xf7318b3a IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8 ParseProcedure -> ntkrnlpa.exe @ 0x805827e8 \Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8 ParseProcedure -> ntkrnlpa.exe @ 0x805827e8 NDIS: Belkin Wireless G Desktop Card #2 -> SendCompleteHandler -> NDIS.sys @ 0xf7221bb0 PacketIndicateHandler -> NDIS.sys @ 0xf7210a0d SendHandler -> NDIS.sys @ 0xf7224b40 user & kernel MBR OK ************************************************************************** . --------------------- CLES DE REGISTRE BLOQUEES --------------------- [HKEY_USERS\S-1-5-21-117609710-838170752-839522115-1007\Software\FunWebProducts\Settings\MSNMessenger] @DACL=(02 0000) "SessionCount"=dword:00000018 "SessionTimestamp"=dword:00012814 [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{147A976F-EEE1-4377-8EA7-4716E4CDD239}\TreatAs] @DACL=(02 0000) @="{63D0ED2C-B45B-4458-8B3B-60C69BBBD83C}" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A4730EBE-43A6-443e-9776-36915D323AD3}\TreatAs] @DACL=(02 0000) @="{A9571378-68A1-443d-B082-284F960C6D17}" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\ProxyStubClsid] @DACL=(02 0000) @="{00020420-0000-0000-C000-000000000046}" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\ProxyStubClsid32] @DACL=(02 0000) @="{00020420-0000-0000-C000-000000000046}" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\TypeLib] @DACL=(02 0000) @="{29D67D3C-509A-4544-903F-C8C1B8236554}" "Version"="1.0" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF}\ProxyStubClsid] @DACL=(02 0000) @="{00020424-0000-0000-C000-000000000046}" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF}\ProxyStubClsid32] @DACL=(02 0000) @="{00020424-0000-0000-C000-000000000046}" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF}\TypeLib] @DACL=(02 0000) @="{E47CAEE0-DEEA-464A-9326-3F2801535A4D}" "Version"="1.0" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}\ProxyStubClsid] @DACL=(02 0000) @="{00020424-0000-0000-C000-000000000046}" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}\ProxyStubClsid32] @DACL=(02 0000) @="{00020424-0000-0000-C000-000000000046}" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}\TypeLib] @DACL=(02 0000) @="{D518921A-4A03-425E-9873-B9A71756821E}" "Version"="1.0" [HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0] @DACL=(02 0000) @="HtmldocPlugin 1.0 Type Library" [HKEY_LOCAL_MACHINE\software\Fun Web Products\MSNMessenger] @DACL=(02 0000) "DLLFile"="F3REPROX.DLL" "DLLDir"="c:\Program Files\MyWebSearch\bar\2.bin\" "MSNBackgrounds"="c:\Program Files\Fun Web Products\MSNMessenger\MSNBackgrounds\" [HKEY_LOCAL_MACHINE\software\Fun Web Products\ScreenSaver] @DACL=(02 0000) "ImagesDir"="c:\Program Files\FunWebProducts\ScreenSaver\Images\" "PM"="efkfpetrqjgksgnteltlofgnoiiiiqkngkmimlfhsnfeogokhehfhghhhihjhkhlhmhnifigihiiijik" [HKEY_LOCAL_MACHINE\software\Fun Web Products\Settings] @DACL=(02 0000) [HKEY_LOCAL_MACHINE\software\FunWebProducts\Installer] @DACL=(02 0000) "Dir"="c:\Program Files\FunWebProducts\Installr\" "CurInstall"="2" "sr"="0" "pl"="12" "CheckForConnection"="1" "CacheDir"="c:\Program Files\FunWebProducts\Installr\Cache\" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø*€|ÿÿÿÿ*€|ù*9~*] "C040110900063D11C8EF10054038389C"="C?\WINDOWS\system32\FM20ENU.DLL" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h-€|ÿÿÿÿ¤*€|ù*9~*] "C040110900063D11C8EF10054038389C"="C?\WINDOWS\system32\FM20ENU.DLL" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\€-€|ÿÿÿÿÀ*€|ù*9~*] "C040110900063D11C8EF10054038389C"="C?\WINDOWS\system32\FM20ENU.DLL" [HKEY_LOCAL_MACHINE\software\MyWebSearch\bar] @DACL=(02 0000) "UseFWB"="0" "pid"="ZNxmk571YYCA" "fwp"="0" "mwsask"="US|CA|GB" "tiec"="208976" "Dir"="c:\Program Files\MyWebSearch\bar\" "PluginPath"="c:\PROGRA~1\MYWEBS~1\bar\2.bin\" "UninstallString"="\"c:\Program Files\MyWebSearch\bar\2.bin\m3highin.exe\" mwsbar.dll,O" "Id"="7A02EADE-98E1-48E1-9E38-562B110AAB05" "CurInstall"="2" "SettingsDir"="c:\Program Files\MyWebSearch\bar\Settings\" "sr"="0" "pl"="12" "CacheDir"="c:\Program Files\MyWebSearch\bar\Cache\" "HTMLMenuRevision"="287" "sscLabel"="My Web Search" "sscURL"="http://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZNxmk571YYCA&fl=0&ptb=3uoCeuFI4ZgrVjieBasKEQ&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=sb&searchfor={searchTerms}" "Flags"="8722" "HistoryDir"="c:\Program Files\MyWebSearch\bar\History\" "AutocompleteURL"="http://srchsugg.funwebproducts.com/query?sstype=prefix&q=" "ConfigDateStamp"="2009031320" "ColorButtons"="1" [HKEY_LOCAL_MACHINE\software\MyWebSearch\SearchAssistant] @DACL=(02 0000) "UseFWB"="0" "pid"="ZNxmk571YYCA" "fwp"="0" "mwsask"="US|CA|GB" "Dir"="c:\Program Files\MyWebSearch\SrchAstt\" "esh"="1" "lsp"="" "Id"="3707E30C-2194-42E3-B685-9DA23145A9B9" "CurInstall"="2" "sr"="0" "pl"="12" "ABS"="http://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZNxmk571YYCA&fl=0&url=http://search.mywebsearch.com/mywebsearch/GGmain.jhtml&st=kwd&ptnrS=ZNxmk571YYCA&PG=SEASUSH&SEC=ABMANY&ind=2009031407&searchfor=" "DES"="http://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZNxmk571YYCA&fl=0&url=http://search.mywebsearch.com/mywebsearch/GGmain.jhtml&st=dns&ptnrS=ZNxmk571YYCA&PG=SEASUSH&SEC=DNS&ind=2009031407&searchfor=" "sscEnabled"="1" "eintl"="0" "ConfigDateStamp"="2009031407" [HKEY_LOCAL_MACHINE\software\MyWebSearch\SkinTools] @DACL=(02 0000) "PlayerPath"="\"c:\Program Files\MyWebSearch\bar\2.bin\m3SkPlay.exe\"" . --------------------- DLLs chargées dans les processus actifs --------------------- - - - - - - - > 'winlogon.exe'(856) c:\program files\SUPERAntiSpyware\SASWINLO.dll c:\windows\system32\Ati2evxx.dll - - - - - - - > 'lsass.exe'(912) c:\progra~1\NETSCA~2\sliplsp.dll c:\windows\system32\sliprt.dll . Heure de fin: 2010-04-21 17:10:57 ComboFix-quarantined-files.txt 2010-04-21 20:10 Avant-CF: 72 154 439 680 octets libres Après-CF: 72 123 375 616 octets libres WindowsXP-KB310994-SP2-Home-BootDisk-FRA.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP dition familiale" /fastdetect /NoExecute=OptOut - - End Of File - - 71D3CBA9E583FAAC4042DDBB0F557A0D

dédétraqué · Answer

Salut mia928


Télécharge Gmer et enregistre-le sur ton bureau.
http://www2.gmer.net/download.php

- Déconnecte toi d'internet si possible et ferme tous les programmes, puis lance l'outil.
- Clique sur le bouton "Scan" sur la droite.

- Lorsque le scan est terminé, clic sur "Copy".
- Ouvre le bloc-note et clic sur le Menu Edition / Coller
- Le rapport doit alors apparaître.

- Enregistre le fichier sur ton bureau et copie/colle le contenu ici.


@++  :)

mia928 · Answer

Salut dédétraqué
Désolé du delai pour répondre, j'étais pas à la maison pour la fin de semaine.
Alors voici le rapport:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-22 23:07:53
Windows 5.1.2600 Service Pack 3
Running: z0vjw5ke.exe; Driver: C:\DOCUME~1\Zamboni\LOCALS~1\Temp\fxrorkoc.sys


---- System - GMER 1.0.15 ----

SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                                                     ZwClose [0xAD383576]
SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                                                     ZwCreateKey [0xAD383432]
SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                                                     ZwDeleteValueKey [0xAD383910]
SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                                                     ZwDuplicateObject [0xAD38300A]
SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                                                     ZwOpenKey [0xAD38350C]
SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                                                     ZwOpenProcess [0xAD382F4A]
SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                                                     ZwOpenThread [0xAD382FAE]
SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                                                     ZwQueryValueKey [0xAD38362C]
SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                                                     ZwRestoreKey [0xAD3835EC]
SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                                                     ZwSetValueKey [0xAD38376C]
SSDT            \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com)                             ZwTerminateProcess [0xAD43EF20]

---- Kernel code sections - GMER 1.0.15 ----

.rsrc           C:\WINDOWS\system32\drivers\atapi.sys                                                                                                     entry point in ".rsrc" section [0xF7325780]
.text           C:\WINDOWS\system32\DRIVERS\ati2mtag.sys                                                                                                  section is writeable [0xF638A000, 0x19DA46, 0xE8000020]

---- User IAT/EAT - GMER 1.0.15 ----

IAT             C:\WINDOWS\system32\services.exe[900] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW]                              00380002
IAT             C:\WINDOWS\system32\services.exe[900] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW]                                    00380000

---- Devices - GMER 1.0.15 ----

AttachedDevice  \FileSystem\Ntfs \Ntfs                                                                                                                    aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice  \Driver\Tcpip \Device\Ip                                                                                                                  aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice  \Driver\Tcpip \Device\Tcp                                                                                                                 aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device          \Driver\atapi \Device\Ide\IdePort0                                                                                                        [F7318B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device          \Driver\atapi \Device\Ide\IdePort1                                                                                                        [F7318B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device          \Driver\atapi \Device\Ide\IdePort2                                                                                                        [F7318B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device          \Driver\atapi \Device\Ide\IdePort3                                                                                                        [F7318B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device          \Driver\atapi \Device\Ide\IdePort4                                                                                                        [F7318B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device          \Driver\atapi \Device\Ide\IdePort5                                                                                                        [F7318B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device          \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-16                                                                                              [F7318B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device          \Driver\atapi \Device\Ide\IdeDeviceP5T0L0-b                                                                                               [F7318B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}

AttachedDevice  \Driver\Tcpip \Device\Udp                                                                                                                 aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice  \Driver\Tcpip \Device\RawIp                                                                                                               aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- Registry - GMER 1.0.15 ----

Reg             HKLM\SOFTWARE\Classes\CLSID\{089E6823-B8BE-478A-BD90-D4B8DDC332DE}\InprocServer32@                                                        C:\PROGRA~1\MICROS~2\OFFICE11\IEAWSDC.DLL
Reg             HKLM\SOFTWARE\Classes\CLSID\{089E6823-B8BE-478A-BD90-D4B8DDC332DE}\InprocServer32@ThreadingModel                                          Apartment
Reg             HKLM\SOFTWARE\Classes\CLSID\{089E6823-B8BE-478A-BD90-D4B8DDC332DE}\ProgID@                                                                Office.awsdc.1
Reg             HKLM\SOFTWARE\Classes\CLSID\{089E6823-B8BE-478A-BD90-D4B8DDC332DE}\TypeLib@                                                               {012F24C1-35B0-11D0-BF2D-0000E8D0D146}
Reg             HKLM\SOFTWARE\Classes\CLSID\{089E6823-B8BE-478A-BD90-D4B8DDC332DE}\Version@                                                               1.0
Reg             HKLM\SOFTWARE\Classes\CLSID\{089E6823-B8BE-478A-BD90-D4B8DDC332DE}\VersionIndependentProgID@                                              Office.awsdc
Reg             HKLM\SOFTWARE\Classes\CLSID\{147A976F-EEE1-4377-8EA7-4716E4CDD239}\TreatAs@                                                               {63D0ED2C-B45B-4458-8B3B-60C69BBBD83C}
Reg             HKLM\SOFTWARE\Classes\CLSID\{284F0BD5-81D1-7456-EF12-DF58AD1383B6}\InprocServer32@                                                        C:\WINDOWS\system32\PortableDeviceTypes.dll
Reg             HKLM\SOFTWARE\Classes\CLSID\{284F0BD5-81D1-7456-EF12-DF58AD1383B6}\InprocServer32@ThreadingModel                                          Both
Reg             HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\LocalServer32@                                                         C:\PROGRA~1\MICROS~2\OFFICE11\MSPUB.EXE /Automation
Reg             HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\LocalServer32@LocalServer32                                            *]gAVn-}f(ZXfeAR6.jiPubPrimary>dic+V~SM09P_'_@$%)xK /Automation?
Reg             HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\NotInsertable@                                                         
Reg             HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\ProgID@                                                                Publisher.Application.11
Reg             HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\Programmable@                                                          
Reg             HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\TypeLib@                                                               {0002123C-0000-0000-C000-000000000046}
Reg             HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\VersionIndependentProgID@                                              Publisher.Application
Reg             HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32                                                         
Reg             HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel                                          Apartment
Reg             HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@                                                        C:\WINDOWS\system32\OLE32.DLL
Reg             HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b                        0xC8 0x28 0x51 0xAF ...
Reg             HKLM\SOFTWARE\Classes\CLSID\{5FA45BED-077A-9079-9181-7DC47626297F}\InprocServer32@                                                        C:\Program Files\Fichiers communs\Microsoft Shared\Information Retrieval\ITIRCL52.DLL
Reg             HKLM\SOFTWARE\Classes\CLSID\{5FA45BED-077A-9079-9181-7DC47626297F}\InprocServer32@InprocServer32                                          *]gAVn-}f(ZXfeAR6.jiTranslationHidden>BbxH8x=!g(3?!!!_GX=b?
Reg             HKLM\SOFTWARE\Classes\CLSID\{5FA45BED-077A-9079-9181-7DC47626297F}\InprocServer32@ThreadingModel                                          both
Reg             HKLM\SOFTWARE\Classes\CLSID\{5FA45BED-077A-9079-9181-7DC47626297F}\ProgID@                                                                ITIR.DefaultStemmer.5.2
Reg             HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32                                                         
Reg             HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel                                          Apartment
Reg             HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@                                                        C:\WINDOWS\system32\OLE32.DLL
Reg             HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b                        0x71 0x3B 0x04 0x66 ...
Reg             HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32                                                         
Reg             HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel                                          Apartment
Reg             HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@                                                        C:\WINDOWS\system32\OLE32.DLL
Reg             HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016                        0xFF 0x7C 0x85 0xE0 ...
Reg             HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32                                                         
Reg             HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel                                          Apartment
Reg             HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@                                                        C:\WINDOWS\system32\OLE32.DLL
Reg             HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48                        0x86 0x8C 0x21 0x01 ...
Reg             HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32                                                         
Reg             HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel                                          Apartment
Reg             HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@                                                        C:\WINDOWS\system32\OLE32.DLL
Reg             HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472                        0xF5 0x1D 0x4D 0x73 ...
Reg             HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32                                                         
Reg             HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel                                          Apartment
Reg             HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@                                                        C:\WINDOWS\system32\OLE32.DLL
Reg             HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d                        0xB0 0x18 0xED 0xA7 ...
Reg             HKLM\SOFTWARE\Classes\CLSID\{961E2139-9A58-90A1-0365-C7FA3C64FE29}\DefaultIcon@                                                           C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE,7
Reg             HKLM\SOFTWARE\Classes\CLSID\{961E2139-9A58-90A1-0365-C7FA3C64FE29}\InprocServer32@ThreadingModel                                          Apartment
Reg             HKLM\SOFTWARE\Classes\CLSID\{961E2139-9A58-90A1-0365-C7FA3C64FE29}\InprocServer32@                                                        C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL
Reg             HKLM\SOFTWARE\Classes\CLSID\{961E2139-9A58-90A1-0365-C7FA3C64FE29}\Shell\Open                                                             
Reg             HKLM\SOFTWARE\Classes\CLSID\{961E2139-9A58-90A1-0365-C7FA3C64FE29}\Shell\Open\Command                                                     
Reg             HKLM\SOFTWARE\Classes\CLSID\{961E2139-9A58-90A1-0365-C7FA3C64FE29}\Shell\Open\Command@                                                    "C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE"
Reg             HKLM\SOFTWARE\Classes\CLSID\{961E2139-9A58-90A1-0365-C7FA3C64FE29}\shellex\PropertySheetHandlers                                          
Reg             HKLM\SOFTWARE\Classes\CLSID\{961E2139-9A58-90A1-0365-C7FA3C64FE29}\shellex\PropertySheetHandlers\{00020D75-0000-0000-C000-000000000046}   
Reg             HKLM\SOFTWARE\Classes\CLSID\{961E2139-9A58-90A1-0365-C7FA3C64FE29}\shellex\PropertySheetHandlers\{00020D75-0000-0000-C000-000000000046}@  
Reg             HKLM\SOFTWARE\Classes\CLSID\{A4730EBE-43A6-443e-9776-36915D323AD3}\TreatAs@                                                               {A9571378-68A1-443d-B082-284F960C6D17}
Reg             HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\InprocServer32@                                                        C:\Program Files\Google\Google Earth\plugin\plugin_ax.dll
Reg             HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\InprocServer32@ThreadingModel                                          apartment
Reg             HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\MiscStatus@                                                            0
Reg             HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\MiscStatus\1                                                           
Reg             HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\MiscStatus\1@                                                          131473
Reg             HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\ProgID@                                                                KmlLayerRootCoClass.KmlLayerRootCoC.1.0
Reg             HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\ToolboxBitmap32@                                                       C:\Program Files\Google\Google Earth\plugin\plugin_ax.dll, 1
Reg             HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\TypeLib@                                                               {F9152AEC-3462-4632-8087-EEE3C3CDDA35}
Reg             HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\Version@                                                               1.0
Reg             HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\VersionIndependentProgID@                                              KmlLayerRootCoClass.KmlLayerRootCoC
Reg             HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32                                                         
Reg             HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel                                          Apartment
Reg             HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@                                                        C:\WINDOWS\system32\OLE32.DLL
Reg             HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b                        0x31 0x77 0xE1 0xBA ...
Reg             HKLM\SOFTWARE\Classes\CLSID\{D9C47CD5-9B59-C3BF-FC64-7B1564692D75}\InProcServer32@                                                        %SystemRoot%\system32\dsuiext.dll
Reg             HKLM\SOFTWARE\Classes\CLSID\{D9C47CD5-9B59-C3BF-FC64-7B1564692D75}\InProcServer32@ThreadingModel                                          Apartment
Reg             HKLM\SOFTWARE\Classes\CLSID\{D9C47CD5-9B59-C3BF-FC64-7B1564692D75}\ShellEx\MayChangeDefaultMenu                                           
Reg             HKLM\SOFTWARE\Classes\CLSID\{D9C47CD5-9B59-C3BF-FC64-7B1564692D75}\ShellEx\MayChangeDefaultMenu@                                          1
Reg             HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32                                                         
Reg             HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel                                          Apartment
Reg             HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@                                                        C:\WINDOWS\system32\OLE32.DLL
Reg             HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d                        0x83 0x6C 0x56 0x8B ...
Reg             HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32                                                         
Reg             HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel                                          Apartment
Reg             HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@                                                        C:\WINDOWS\system32\OLE32.DLL
Reg             HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3                        0xF6 0x0F 0x4E 0x58 ...
Reg             HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32                                                         
Reg             HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel                                          Apartment
Reg             HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@                                                        C:\WINDOWS\system32\OLE32.DLL
Reg             HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b                        0xB1 0xCD 0x45 0x5A ...
Reg             HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32                                                         
Reg             HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel                                          Apartment
Reg             HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@                                                        C:\WINDOWS\system32\OLE32.DLL
Reg             HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6                        0xE3 0x0E 0x66 0xD5 ...
Reg             HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32                                                         
Reg             HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel                                          Apartment
Reg             HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@                                                        C:\WINDOWS\system32\OLE32.DLL
Reg             HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2                        0xFA 0xEA 0x66 0x7F ...
Reg             HKLM\SOFTWARE\Classes\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\ProxyStubClsid@                                                    {00020420-0000-0000-C000-000000000046}
Reg             HKLM\SOFTWARE\Classes\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\ProxyStubClsid32@                                                  {00020420-0000-0000-C000-000000000046}
Reg             HKLM\SOFTWARE\Classes\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\TypeLib@                                                           {29D67D3C-509A-4544-903F-C8C1B8236554}
Reg             HKLM\SOFTWARE\Classes\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\TypeLib@Version                                                    1.0
Reg             HKLM\SOFTWARE\Classes\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF}\ProxyStubClsid@                                                    {00020424-0000-0000-C000-000000000046}
Reg             HKLM\SOFTWARE\Classes\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF}\ProxyStubClsid32@                                                  {00020424-0000-0000-C000-000000000046}
Reg             HKLM\SOFTWARE\Classes\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF}\TypeLib@                                                           {E47CAEE0-DEEA-464A-9326-3F2801535A4D}
Reg             HKLM\SOFTWARE\Classes\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF}\TypeLib@Version                                                    1.0
Reg             HKLM\SOFTWARE\Classes\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}\ProxyStubClsid@                                                    {00020424-0000-0000-C000-000000000046}
Reg             HKLM\SOFTWARE\Classes\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}\ProxyStubClsid32@                                                  {00020424-0000-0000-C000-000000000046}
Reg             HKLM\SOFTWARE\Classes\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}\TypeLib@                                                           {D518921A-4A03-425E-9873-B9A71756821E}
Reg             HKLM\SOFTWARE\Classes\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}\TypeLib@Version                                                    1.0
Reg             HKLM\SOFTWARE\Classes\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0@                                                                 HtmldocPlugin 1.0 Type Library
Reg             HKLM\SOFTWARE\Classes\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0\0                                                                
Reg             HKLM\SOFTWARE\Classes\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0\0\win32                                                          
Reg             HKLM\SOFTWARE\Classes\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0\0\win32@                                                         C:\Program Files\MyWebSearch\bar\2.bin\F3REPROX.DLL
Reg             HKLM\SOFTWARE\Classes\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0\FLAGS                                                            
Reg             HKLM\SOFTWARE\Classes\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0\FLAGS@                                                           0
Reg             HKLM\SOFTWARE\Classes\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0\HELPDIR                                                          
Reg             HKLM\SOFTWARE\Classes\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0\HELPDIR@                                                         C:\Program Files\MyWebSearch\bar\2.bin\

---- Files - GMER 1.0.15 ----

File            C:\WINDOWS\system32\drivers\atapi.sys                                                                                                     suspicious modification

---- EOF - GMER 1.0.15 ----

Merci!

dédétraqué · Answer

Salut mia928


On a un fichier système patché (modifié), on va tenter d'en trouver un sain sur le PC:

Télécharge SystemLook sur ton Bureau :
http://jpshortstuff.247fixes.com/SystemLook.exe

- Double-clique sur SystemLook.exe pour le lancer.

- Copie le contenu en gras ci-dessous et colle-le dans la zone texte de SystemLook :

 :filefind
atapi.sys

- Clique sur le bouton Look pour démarrer l'examen.
- A la fin, le Bloc-notes s'ouvre avec le résultat de l'analyse. Copie-colle le rapport dans ta prochaine réponse.


@++   :)

mia928 · Answer

Salut dédétraqué
Voici le rapport:

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 16:41 on 26/04/2010 by Zamboni (Administrator - Elevation successful)

========== filefind ==========

Searching for "atapi.sys "
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys	-----c 95360 bytes	[18:02 17/10/2008]	[01:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ERDNT\cache\atapi.sys	--a--- 96512 bytes	[20:09 21/04/2010]	[18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\ServicePackFiles\i386\atapi.sys	-----c 96512 bytes	[18:40 13/04/2008]	[18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys	--a--- 96512 bytes	[12:00 02/03/2006]	[18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\system32\DRIVERS\atapi.sys	--a--c 95360 bytes	[06:15 03/07/2008]	[12:00 02/03/2006] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\system32\ReinstallBackups\0005\DriverFiles\i386\atapi.sys	--a--c 95360 bytes	[06:15 03/07/2008]	[12:00 02/03/2006] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\i386\atapi.sys	--a--c 95360 bytes	[06:15 03/07/2008]	[01:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51

-=End Of File=-

Merci!

dédétraqué · Answer

Salut mia928


Faire un scan de ce fichier atapi.sys ici :

https://www.virustotal.com/gui/


Clique sur Parcourir et copie/colle ceci :
C:\WINDOWS\ServicePackFiles\i386\atapi.sys
Après tu clique sur Envoyer le fichier et attendre le résultat de l'analyse.

Si il te dit que le fichier a déjà été analysé, sélectionne le bouton :
Reanalyse le fichier maintenant et attendre le résultat de l'analyse, poste le résultat au complet.

Poste le résultat au complet

Aide : http://bibou0007.com/scans-en-ligne-f75/tutorial-sur-virustotal-t190.htm


@++   :)

mia928 · Answer

Salut dédétraqué

Voici le résultat:

Antivirus  	Version  	Dernière mise à jour  	Résultat
a-squared	4.5.0.50	2010.04.26	-
AhnLab-V3	5.0.0.2	2010.04.26	-
AntiVir	8.2.1.224	2010.04.26	-
Antiy-AVL	2.0.3.7	2010.04.26	-
Authentium	5.2.0.5	2010.04.26	-
Avast	4.8.1351.0	2010.04.26	-
Avast5	5.0.332.0	2010.04.26	-
AVG	9.0.0.787	2010.04.26	-
BitDefender	7.2	2010.04.27	-
CAT-QuickHeal	10.00	2010.04.26	-
ClamAV	0.96.0.3-git	2010.04.27	-
Comodo	4684	2010.04.26	-
DrWeb	5.0.2.03300	2010.04.27	-
eSafe	7.0.17.0	2010.04.26	Win32.Rootkit
eTrust-Vet	35.2.7452	2010.04.26	-
F-Prot	4.5.1.85	2010.04.26	-
F-Secure	9.0.15370.0	2010.04.26	-
Fortinet	4.0.14.0	2010.04.26	-
GData	21	2010.04.27	-
Ikarus	T3.1.1.80.0	2010.04.26	-
Jiangmin	13.0.900	2010.04.26	-
Kaspersky	7.0.0.125	2010.04.26	-
McAfee	5.400.0.1158	2010.04.27	-
McAfee-GW-Edition	6.8.5	2010.04.26	-
Microsoft	1.5703	2010.04.27	-
NOD32	5063	2010.04.26	-
Norman	6.04.11	2010.04.26	-
nProtect	2010-04-26.01	2010.04.26	-
Panda	10.0.2.7	2010.04.26	-
PCTools	7.0.3.5	2010.04.26	-
Prevx	3.0	2010.04.27	-
Rising	22.45.00.04	2010.04.26	-
Sophos	4.53.0	2010.04.27	-
Sunbelt	6225	2010.04.26	-
Symantec	20091.2.0.41	2010.04.26	-
TheHacker	6.5.2.0.269	2010.04.26	-
TrendMicro	9.120.0.1004	2010.04.26	-
TrendMicro-HouseCall	9.120.0.1004	2010.04.27	-
VBA32	3.12.12.4	2010.04.26	-
ViRobot	2010.4.26.2294	2010.04.26	-
VirusBuster	5.0.27.0	2010.04.26	-
Information additionnelle
File size: 96512 bytes
MD5...: 9f3a2f5aa6875c72bf062c712cfa2674
SHA1..: a719156e8ad67456556a02c34e762944234e7a44
SHA256: b4df1d2c56a593c6b54de57395e3b51d288f547842893b32b0f59228a0cf70b9
ssdeep: 1536:MwXpkfV74F1D7yNEZIHRRJMohmus27G1j/XBoDQi7oaRMJfYHFktprll1Kb
DD0uu:MQ+N74vkEZIxMohjsimBoDTRMBwFktZu
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x159f7
timedatestamp.....: 0x4802539d (Sun Apr 13 18:40:29 2008)
machinetype.......: 0x14c (I386)

( 9 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x380 0x97ba 0x9800 6.45 0d7d81391f33c6450a81be1e3ac8c7b7
NONPAGE 0x9b80 0x18e8 0x1900 6.48 c74a833abd81cc5d037de168e055ad29
.rdata 0xb480 0xa64 0xa80 4.31 8523651899e28819a14bf9415af25708
.data 0xbf00 0xd94 0xe00 0.45 3575b51634ae7a56f55f1ee0a6213834
PAGESCAN 0xcd00 0x157f 0x1580 6.20 dc4c309c4db9576daa752fdd125fccf9
PAGE 0xe280 0x61da 0x6200 6.46 40b83d4d552384e58a03517a98eb4863
INIT 0x14480 0x22be 0x2300 6.47 906462abc478368424ea462d5868d2e3
.rsrc 0x16780 0x3e0 0x400 3.36 8fd2d82e745b289c28bc056d3a0d62ab
.reloc 0x16b80 0xd20 0xd80 6.39 ce2b0898cc0e40b618e5df9099f6be45

( 3 imports )
> ntoskrnl.exe: RtlInitUnicodeString, swprintf, KeSetEvent, IoCreateSymbolicLink, IoGetConfigurationInformation, IoDeleteSymbolicLink, MmFreeMappingAddress, IoFreeErrorLogEntry, IoDisconnectInterrupt, MmUnmapIoSpace, ObReferenceObjectByPointer, IofCompleteRequest, RtlCompareUnicodeString, IofCallDriver, MmAllocateMappingAddress, IoAllocateErrorLogEntry, IoConnectInterrupt, IoDetachDevice, KeWaitForSingleObject, KeInitializeEvent, KeCancelTimer, RtlAnsiStringToUnicodeString, RtlInitAnsiString, IoBuildDeviceIoControlRequest, IoQueueWorkItem, MmMapIoSpace, IoInvalidateDeviceRelations, IoReportDetectedDevice, IoReportResourceForDetection, RtlxAnsiStringToUnicodeSize, NlsMbCodePageTag, PoRequestPowerIrp, KeInsertByKeyDeviceQueue, PoRegisterDeviceForIdleDetection, sprintf, MmMapLockedPagesSpecifyCache, ObfDereferenceObject, IoGetAttachedDeviceReference, IoInvalidateDeviceState, ZwClose, ObReferenceObjectByHandle, ZwCreateDirectoryObject, IoBuildSynchronousFsdRequest, PoStartNextPowerIrp, IoCreateDevice, RtlCopyUnicodeString, IoAllocateDriverObjectExtension, RtlQueryRegistryValues, ZwOpenKey, RtlFreeUnicodeString, IoStartTimer, KeInitializeTimer, IoInitializeTimer, KeInitializeDpc, KeInitializeSpinLock, IoInitializeIrp, ZwCreateKey, RtlAppendUnicodeStringToString, RtlIntegerToUnicodeString, ZwSetValueKey, KeInsertQueueDpc, KefAcquireSpinLockAtDpcLevel, IoStartPacket, KefReleaseSpinLockFromDpcLevel, IoBuildAsynchronousFsdRequest, IoFreeMdl, MmUnlockPages, IoWriteErrorLogEntry, KeRemoveByKeyDeviceQueue, MmMapLockedPagesWithReservedMapping, MmUnmapReservedMapping, KeSynchronizeExecution, IoStartNextPacket, KeBugCheckEx, KeRemoveDeviceQueue, KeSetTimer, _allmul, MmProbeAndLockPages, _except_handler3, PoSetPowerState, IoOpenDeviceRegistryKey, RtlWriteRegistryValue, RtlDeleteRegistryValue, _aulldiv, strstr, _strupr, KeQuerySystemTime, IoWMIRegistrationControl, KeTickCount, IoAttachDeviceToDeviceStack, IoDeleteDevice, ExAllocatePoolWithTag, IoAllocateWorkItem, IoAllocateIrp, IoAllocateMdl, MmBuildMdlForNonPagedPool, MmLockPagableDataSection, IoGetDriverObjectExtension, MmUnlockPagableImageSection, ExFreePoolWithTag, IoFreeIrp, IoFreeWorkItem, InitSafeBootMode, RtlCompareMemory, PoCallDriver, memmove, MmHighestUserAddress
> HAL.dll: KfAcquireSpinLock, READ_PORT_UCHAR, KeGetCurrentIrql, KfRaiseIrql, KfLowerIrql, HalGetInterruptVector, HalTranslateBusAddress, KeStallExecutionProcessor, KfReleaseSpinLock, READ_PORT_BUFFER_USHORT, READ_PORT_USHORT, WRITE_PORT_BUFFER_USHORT, WRITE_PORT_UCHAR
> WMILIB.SYS: WmiSystemControl, WmiCompleteRequest

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
packers (Kaspersky): PE_Patch
sigcheck:
publisher....: Microsoft Corporation
copyright....: (c) Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: IDE/ATAPI Port Driver
original name: atapi.sys
internal name: atapi.sys
file version.: 5.1.2600.5512 (xpsp.080413-2108)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned


Merci!

dédétraqué · Answer

Salut mia928 


- Clique sur le menu démarrer/Exécuter, tape notepad à l'invite de commande et OK.

- Copie/colle ce qui est en gras ci-dessous dans le Bloc-Notes :

 KillAll::

Mbr::

FCopy::
C:\WINDOWS\ServicePackFiles\i386\atapi.sys | C:\WINDOWS\system32\drivers\atapi.sys

RegLockDel::
[HKEY_USERS\S-1-5-21-117609710-838170752-839522115-1007\Software\FunWebProducts\Settings\MSNMessenger] 
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{147A976F-EEE1-4377-8EA7-4716E4CDD239}\TreatAs]     
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A4730EBE-43A6-443e-9776-36915D323AD3}\TreatAs]     
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\ProxyStubClsid]     
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\ProxyStubClsid32]     
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\TypeLib]     
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF}\ProxyStubClsid]     
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF}\ProxyStubClsid32]     
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF}\TypeLib]     
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}\ProxyStubClsid]     
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}\ProxyStubClsid32]     
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}\TypeLib]     
[HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0]     
[HKEY_LOCAL_MACHINE\software\Fun Web Products\MSNMessenger]     
[HKEY_LOCAL_MACHINE\software\Fun Web Products\ScreenSaver]     
[HKEY_LOCAL_MACHINE\software\Fun Web Products\Settings]     
[HKEY_LOCAL_MACHINE\software\FunWebProducts\Installer] 
[HKEY_LOCAL_MACHINE\software\MyWebSearch\bar] 
[HKEY_LOCAL_MACHINE\software\MyWebSearch\SearchAssistant] 
[HKEY_LOCAL_MACHINE\software\MyWebSearch\SkinTools]

- Enregistre ce fichier sur le bureau (Impératif)

-Nom du fichier : CFScript.txt
-Type du fichier : tous les fichiers

- Clique sur Enregistrer et quitte le Bloc Notes

Important Désactive ton Antivirus et antispyware avant de faire le glisser/déposer

- Fait un glisser/déposer de ce fichier CFScript sur le fichier ComboFix.exe sur le bureau, comme sur cette capture (l'icône est un lion) :

http://free0.hiboox.com/images/2409/9126d3b136f7db9ab6242ad715b44296.gif

   * Patiente le temps du scan. Le bureau va disparaître à plusieurs reprises: c'est normal!
     Ne touche à rien tant que le scan n'est pas terminé.
   * Une fois le scan achevé, un rapport va s'afficher: poste son contenu.
   * Si le fichier ne s'ouvre pas, il se trouve ici > C:\ComboFix.txt


@++   :)

mia928 · Answer

Salut dédétraqué

Voici le rapport:

ComboFix 10-04-26.02 - Zamboni 2010-04-27   0:21.2.2 - x86
Microsoft Windows XP Édition familiale  5.1.2600.3.1252.2.1036.18.3071.2608 [GMT -3:00]
Lancé depuis: c:\documents and settings\Zamboni\Bureau\ComboFix.exe
Commutateurs utilisés :: c:\documents and settings\Zamboni\Bureau\CFScript.txt
AV: avast! antivirus 4.8.1296 [VPS 090807-0] *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((   Autres suppressions   ))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\atapi.sys --> c:\windows\system32\drivers\atapi.sys
.
(((((((((((((((((((((((((((((   Fichiers créés du 2010-03-27 au 2010-04-27  ))))))))))))))))))))))))))))))))))))
.

2010-04-20 23:45 . 2010-04-20 23:45	411368	----a-w-	c:\windows\system32\deployJava1.dll
2010-04-20 23:44 . 2010-04-20 23:44	79488	----a-w-	c:\documents and settings\Zamboni\Application Data\Sun\Java\jre1.6.0_20\gtapi.dll
2010-04-20 23:44 . 2010-04-20 23:44	152576	----a-w-	c:\documents and settings\Zamboni\Application Data\Sun\Java\jre1.6.0_20\lzma.dll
2010-04-20 02:12 . 2010-04-20 02:12	--------	d-----w-	c:\program files\ESET
2010-04-18 23:56 . 2010-04-20 23:27	--------	d-----w-	c:\program files	rend micro
2010-04-16 21:16 . 2010-04-16 21:16	--------	d-----w-	c:\program files\Ares
2010-04-13 10:26 . 2010-04-13 10:26	--------	d-----w-	c:\program files\iPod
2010-04-13 10:26 . 2010-04-13 10:27	--------	d-----w-	c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-13 10:24 . 2010-04-13 10:24	--------	d-----w-	c:\program files\QuickTime
2010-04-13 10:22 . 2010-04-13 10:22	--------	d-----w-	c:\program files\Bonjour
2010-04-13 10:20 . 2010-04-13 10:20	73000	----a-w-	c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
2010-04-10 22:30 . 2010-04-10 22:30	532	----a-w-	c:\windows\eReg.dat
2010-04-10 22:29 . 2010-04-10 22:29	--------	d-----w-	c:\program files\Maxis

.
((((((((((((((((((((((((((((((((((   Compte-rendu de Find3M   ))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-20 23:47 . 2008-07-03 19:45	--------	d-----w-	c:\program files\CCleaner
2010-04-20 23:37 . 2008-07-03 19:46	--------	d-----w-	c:\program files\Fichiers communs\Adobe
2010-04-18 23:14 . 2009-02-14 00:15	--------	d-----w-	c:\program files\SUPERAntiSpyware
2010-04-17 00:31 . 2008-08-14 20:43	--------	d-----w-	c:\program files\Fichiers communs\DVDVIDEOSOFT
2010-04-16 21:26 . 2010-03-08 00:58	--------	d-----w-	c:\documents and settings\Zamboni\Application Data\LimeWire
2010-04-16 21:07 . 2009-02-24 21:15	--------	d-----w-	c:\program files\Google
2010-04-13 10:27 . 2008-12-28 12:06	--------	d-----w-	c:\program files\iTunes
2010-04-13 10:26 . 2008-12-28 12:05	--------	d-----w-	c:\program files\Fichiers communs\Apple
2010-03-23 02:46 . 2010-02-05 21:26	50354	----a-w-	c:\documents and settings\Zamboni\Application Data\Facebook\uninstall.exe
2010-03-23 02:46 . 2010-02-05 21:26	--------	d-----w-	c:\documents and settings\Zamboni\Application Data\Facebook
2010-03-15 03:49 . 2010-03-15 03:49	--------	d-----w-	c:\program files\Fichiers communs\Java
2010-03-15 03:49 . 2010-03-15 03:49	503808	----a-w-	c:\documents and settings\Zamboni\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-10733cf8-n\msvcp71.dll
2010-03-15 03:49 . 2010-03-15 03:49	499712	----a-w-	c:\documents and settings\Zamboni\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-10733cf8-n\jmc.dll
2010-03-15 03:49 . 2010-03-15 03:49	348160	----a-w-	c:\documents and settings\Zamboni\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-10733cf8-n\msvcr71.dll
2010-03-15 03:49 . 2010-03-15 03:49	61440	----a-w-	c:\documents and settings\Zamboni\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-28a3a294-n\decora-sse.dll
2010-03-15 03:49 . 2010-03-15 03:49	12800	----a-w-	c:\documents and settings\Zamboni\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-28a3a294-n\decora-d3d.dll
2010-03-15 03:49 . 2009-02-16 10:37	--------	d-----w-	c:\program files\Java
2010-03-15 03:48 . 2006-03-02 12:00	85608	----a-w-	c:\windows\system32\perfc00C.dat
2010-03-15 03:48 . 2006-03-02 12:00	513410	----a-w-	c:\windows\system32\perfh00C.dat
2010-03-14 16:48 . 2009-11-11 17:56	79488	----a-w-	c:\documents and settings\Zamboni\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-03-11 12:34 . 2006-03-02 12:00	832512	----a-w-	c:\windows\system32\wininet.dll
2010-03-11 12:34 . 2009-10-27 15:14	78336	----a-w-	c:\windows\system32\ieencode.dll
2010-03-11 12:34 . 2006-03-02 12:00	17408	----a-w-	c:\windows\system32\corpol.dll
2010-03-09 11:10 . 2006-03-02 12:00	430080	----a-w-	c:\windows\system32\vbscript.dll
2010-03-08 01:03 . 2010-03-08 01:03	--------	d-----w-	c:\documents and settings\All Users\Application Data\SiComponents
2010-03-06 05:30 . 2010-03-06 05:30	5582848	----a-w-	c:\documents and settings\Zamboni\Application Data\Facebook
pfbplugin_1_0_3.dll
2010-03-03 20:36 . 2010-02-17 01:14	--------	d-----w-	c:\documents and settings\Zamboni\Application Data\FrostWire
2010-02-24 13:11 . 2006-03-02 12:00	455680	----a-w-	c:\windows\system32\drivers\mrxsmb.sys
2010-02-17 01:32 . 2010-02-17 01:32	0	-c--a-w-	c:\documents and settings\Zamboni\Application Data\FrostWire\.NetworkShare\Incomplete\T-4506256-LimeWireWin4.16.6.exe
2010-02-16 19:06 . 2006-03-02 12:00	2148352	----a-w-	c:\windows\system32
toskrnl.exe
2010-02-16 19:06 . 2004-08-19 16:04	2026496	----a-w-	c:\windows\system32
tkrnlpa.exe
2010-02-12 14:46 . 2010-02-12 14:46	91424	----a-w-	c:\windows\system32\dnssd.dll
2010-02-12 14:46 . 2010-02-12 14:46	107808	----a-w-	c:\windows\system32\dns-sd.exe
2010-02-12 04:34 . 2006-03-02 12:00	100864	----a-w-	c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2006-03-02 12:00	226880	----a-w-	c:\windows\system32\drivers	cpip6.sys
2010-02-09 20:14 . 2008-08-30 20:17	58402	-c--a-w-	c:\windows\War3Unin.dat
2010-02-08 01:42 . 2010-02-08 01:42	180224	----a-w-	c:\windows\system32\WinVd32.sys
2010-02-08 01:42 . 2010-02-08 01:42	7680	----a-w-	c:\windows\system32\WinFLsrv.exe
2010-02-01 22:04 . 2010-02-01 22:04	847040	----a-w-	c:\documents and settings\Zamboni\Application Data\Facebook\axfbootloader.dll
2010-02-01 22:04 . 2010-02-01 22:04	5578752	----a-w-	c:\documents and settings\Zamboni\Application Data\Facebook
pfbplugin_1_0_1.dll
2010-01-28 12:19 . 2010-01-24 18:58	21035	----a-w-	c:\windows\system32\drivers\AegisP.sys
2008-11-02 21:06 . 2008-11-02 21:06	89408	-c--a-w-	c:\program files\setup spiral frog.exe
2008-09-30 01:36 . 2008-09-30 01:36	5408074	-c--a-w-	c:\program files\Last.fm-1.5.2.38918.exe
2008-08-14 19:17 . 2008-08-14 19:17	611424	-c--a-w-	c:\program files\setuppad.exe
2008-08-02 05:35 . 2008-08-02 05:35	1283912	-c--a-w-	c:\program files\WoW-2.3.0.7561-enUS-downloader.exe
.

(((((((((((((((((((((((((((((   SnapShot@2010-04-21_20.09.18   )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-04-27 03:28 . 2010-04-27 03:28	16384              c:\windows\Temp\Perflib_Perfdata_770.dat
+ 2010-04-27 03:28 . 2010-04-27 03:28	16384              c:\windows\Temp\Perflib_Perfdata_690.dat
+ 2005-08-22 05:29 . 2005-08-22 05:29	103434240              c:\windows\Installer\377081.msp
+ 2005-08-22 05:29 . 2005-08-22 05:29	103434240              c:\windows\Installer\32b118b.msp
+ 2005-08-22 05:29 . 2005-08-22 05:29	103434240              c:\windows\Installer\2f56995.msp
+ 2005-08-22 05:29 . 2005-08-22 05:29	103434240              c:\windows\Installer\2693f.msp
+ 2005-08-22 05:29 . 2005-08-22 05:29	103434240              c:\windows\Installer\22440a9.msp
+ 2005-08-22 05:29 . 2005-08-22 05:29	103434240              c:\windows\Installer\1f43884.msp
.
(((((((((((((((((((((((((((((((((   Points de chargement Reg   ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Fichiers communs\LightScribe\LightScribeControlPanel.exe" [2007-08-23 455968]
"msnmsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-01-15 1830128]
"WeatherEye"="c:\documents and settings\Zamboni\Local Settings\Application Data\TheWeatherNetwork\WeatherEye\WeatherEye.exe" [2009-10-27 718232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VM30xSnap"="VM30xSnap.exe Vimicro USB PC Camera (ZC030x)" [X]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-08-14 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-08-14 114688]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-08-14 94208]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 56928]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-06 54832]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"Window  UDP Control Servic"="winlogon.exe" [2008-04-14 512000]
"SlipStream"="c:\program files\Netscape Accélérateur\slipcore.exe" [2006-04-06 237568]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-04-02 40368]
"Adobe ARM"="c:\program files\Fichiers communs\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"SunJavaUpdateSched"="c:\program files\Fichiers communs\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Menu D'marrer\Programmes\D'marrage\
Belkin Wireless G Desktop Card Client Utility.lnk - c:\program files\Belkin\F5D7000v7032\Belkinwcui.exe [2010-1-28 1560576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"HonorAutoRunSetting"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"HonorAutoRunSetting"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon
otify\!SASWinLogon]
2008-12-22 15:05	356352	----a-w-	c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-02 18:05	40368	----a-w-	c:\program files\Adobe\Reader 8.0\Readereader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 18:43	69632	-c----r-	c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
2007-08-23 20:36	455968	----a-w-	c:\program files\Fichiers communs\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2007-04-10 15:28	16126464	-c----r-	c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
2007-04-04 17:22	1822720	-c----r-	c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2008-01-21 15:17	61440	-c--a-w-	c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AresChatServer"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"=
"%windir%\Network Diagnostic\xpnetdiag.exe"=
"c:\Documents and Settings\All Users\Documents\Warcraft III\Warcraft III.exe"=
"c:\WINDOWS\system32\dpvsetup.exe"=
"c:\WINDOWS\system32\rtcshare.exe"=
"c:\Program Files\Windows Live\Messenger\wlcsdk.exe"=
"c:\Documents and Settings\All Users\Documents\Warcraft III\War3.exe"=
"c:\Program Files\LimeWire\LimeWire.exe"=
"c:\Program Files\Windows Live\Messenger\msnmsgr.exe"=
"c:\Program Files\Bonjour\mDNSResponder.exe"=
"c:\Program Files\iTunes\iTunes.exe"=
"c:\Program Files\Ares\Ares.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-07-04 111184]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-07-04 20560]
R2 WinFLdrv;WinFLdrv;c:\windows\system32\WinFLdrv.sys [2010-02-07 17984]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\atl01_xp.sys [2008-07-03 35840]
R3 Belkin700F;Belkin Wireless G Desktop Card Service v7;c:\windows\system32\drivers\BLKWGDv7.sys [2010-01-24 303616]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]
R3 VM30xx86;Vimicro USB PC Camera (ZC030x);c:\windows\system32\drivers\vm30xx86.sys [2009-02-24 1294336]
S2 gupdate1c996c4f9b01916;Google Update Service (gupdate1c996c4f9b01916);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-24 133104]
S3 SjyPkt;SjyPkt;\??\c:\windows\System32\Drivers\SjyPkt.sys --> c:\windows\System32\Drivers\SjyPkt.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-08-23 20:34	451872	----a-w-	c:\program files\Fichiers communs\LightScribe\LSRunOnce.exe
.
Contenu du dossier 'Tâches planifiées'

2010-04-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-04-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-24 21:15]

2010-04-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-24 21:15]

2010-04-27 c:\windows\Tasks\User_Feed_Synchronization-{1976200C-4A2E-4FAC-9D4C-74B0D23C66DA}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 21:36]
.
.

mia928 · Answer

------- Examen supplémentaire ------- . uStart Page = hxxp://facebook.com/ uInternet Settings,ProxyOverride = *.local IE: Save YouTube Video - c:\program files\Fichiers communs\DVDVideoSoft\Dll\IEContextMenuY.dll/scriptY2MP4.htm IE: Save YouTube Video as MP3 - c:\program files\Fichiers communs\DVDVideoSoft\Dll\IEContextMenuY.dll/scriptY2MP3.htm LSP: c:\progra~1\NETSCA~2\sliplsp.dll DPF: {D40F5876-A494-4124-8161-82625BB28C06} - hxxp://download.playfirst.com/play/game/chocolatier2/Chocolatier2Web.1.0.0.10.cab FF - ProfilePath - c:\documents and settings\Zamboni\Application Data\Mozilla\Firefox\Profiles\q7i78nx0.default\ FF - prefs.js: browser.search.selectedEngine - Google FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/ FF - component: c:\documents and settings\Zamboni\Application Data\Mozilla\Firefox\Profiles\q7i78nx0.default\extensions\piclens@cooliris.com\components\coolirisstub.dll FF - plugin: c:\documents and settings\Zamboni\Application Data\Facebook pfbplugin_1_0_1.dll FF - plugin: c:\documents and settings\Zamboni\Application Data\Facebook pfbplugin_1_0_3.dll FF - plugin: c:\documents and settings\Zamboni\Application Data\Mozilla\Firefox\Profiles\q7i78nx0.default\extensions\piclens@cooliris.com\plugins pcoolirisplugin.dll FF - plugin: c:\program files\Google\Google Earth\plugin pgeplugin.dll FF - plugin: c:\program files\Google\Update\1.2.183.23 pGoogleOneClick8.dll FF - plugin: c:\program files\Java\jre6\bin ew_plugin pdeployJava1.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ ---- PARAMETRES FIREFOX ---- c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32); c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5); c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", ""); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false); c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600); c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "https://www.mozilla.org/en-US/firefox/new/?redirect_source=firefox-com"); c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20); . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-04-27 00:31 Windows 5.1.2600 Service Pack 3 NTFS Recherche de processus cachés ... Recherche d'éléments en démarrage automatique cachés ... Recherche de fichiers cachés ... c:\windows\system32\sys_drv.dat 6024 bytes c:\windows\system32\sys_drv_2.dat 5020 bytes c:\windows\system32\WinFLdrv.sys 17984 bytes executable c:\documents and settings\Zamboni\Application Data\systemfl.$dk 990 bytes Scan terminé avec succès Fichiers cachés: 4 ************************************************************************** Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net device: opened successfully user: MBR read successfully called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys >>UNKNOWN [0x8AEA08C8]<< kernel: MBR read successfully detected MBR rootkit hooks: \Driver\Disk -> CLASSPNP.SYS @ 0xf74cbf28 \Driver\ACPI -> ACPI.sys @ 0xf735dcb8 \Driver\atapi -> atapi.sys @ 0xf7318b3a IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8 ParseProcedure -> ntkrnlpa.exe @ 0x805827e8 \Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8 ParseProcedure -> ntkrnlpa.exe @ 0x805827e8 NDIS: Belkin Wireless G Desktop Card #2 -> SendCompleteHandler -> NDIS.sys @ 0xf7221bb0 PacketIndicateHandler -> NDIS.sys @ 0xf7210a0d SendHandler -> NDIS.sys @ 0xf7224b40 user & kernel MBR OK ************************************************************************** . --------------------- CLES DE REGISTRE BLOQUEES --------------------- [HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0\0\win32] @DACL=(02 0000) @="c:\Program Files\MyWebSearch\bar\2.bin\F3REPROX.DLL" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø*€|ÿÿÿÿ*€|ù*9~*] "C040110900063D11C8EF10054038389C"="C?\WINDOWS\system32\FM20ENU.DLL" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h-€|ÿÿÿÿ¤*€|ù*9~*] "C040110900063D11C8EF10054038389C"="C?\WINDOWS\system32\FM20ENU.DLL" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\€-€|ÿÿÿÿÀ*€|ù*9~*] "C040110900063D11C8EF10054038389C"="C?\WINDOWS\system32\FM20ENU.DLL" . --------------------- DLLs chargées dans les processus actifs --------------------- - - - - - - - > 'winlogon.exe'(860) c:\program files\SUPERAntiSpyware\SASWINLO.dll c:\windows\system32\Ati2evxx.dll - - - - - - - > 'lsass.exe'(916) c:\progra~1\NETSCA~2\sliplsp.dll c:\windows\system32\sliprt.dll - - - - - - - > 'explorer.exe'(204) c:\progra~1\WINDOW~2\wmpband.dll c:\windows\system32\eappprxy.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Autres processus actifs ------------------------ . c:\windows\system32\Ati2evxx.exe c:\program files\Lavasoft\Ad-Aware\aawservice.exe c:\windows\system32\Ati2evxx.exe c:\program files\Alwil Software\Avast4\aswUpdSv.exe c:\program files\Alwil Software\Avast4\ashServ.exe c:\program files\Fichiers communs\Apple\Mobile Device Support\AppleMobileDeviceService.exe c:\program files\Bonjour\mDNSResponder.exe c:\windows\system32\drivers\CDAC11BA.EXE c:\program files\Java\jre6\bin\jqs.exe c:\program files\Fichiers communs\LightScribe\LSSrvc.exe c:\program files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE c:\windows\system32\pctspk.exe c:\program files\CyberLink\Shared Files\RichVideo.exe c:\program files\Alwil Software\Avast4\ashMaiSv.exe c:\program files\Alwil Software\Avast4\ashWebSv.exe c:\windows\system32\wbem\wmiapsrv.exe c:\windows\system32\wscntfy.exe c:\program files\iPod\bin\iPodService.exe . ************************************************************************** . Heure de fin: 2010-04-27 00:35:20 - La machine a redémarré ComboFix-quarantined-files.txt 2010-04-27 03:35 ComboFix2.txt 2010-04-21 20:10 Avant-CF: 70 788 694 016 octets libres Après-CF: 70 761 717 760 octets libres - - End Of File - - 9C1DEC043E2A0D6316F5016E20E51036 Merci!

dédétraqué · Answer

Salut mia928 


Télécharge MBR par (GMER) sur ton Bureau :

http://www2.gmer.net/mbr/mbr.exe

- Désactive tous les programmes de protection (antivirus, antispyware etc.)
https://forum.pcastuces.com/default.asp

- Double-clique sur mbr.exe > une fenêtre noire va s'ouvrir et se refermer.
- Poste le rapport mbr.log qui apparaît.


@++    :)

mia928 · Answer

Salut dédétraqué..
Aucun rapport n'a apparu après que la fenêtre noire a disparu.. mais voici ce que la fenêtre noire avait d'inscrit:

http://tinypic.com/images/goodbye.jpg

Merci!

dédétraqué · Answer

Salut mia928 


On va vérifier si rien de caché :

Faire un scan avec Nod32 en ligne (il faut utiliser Internet Explorer) ici :

https://www.eset.com/int/home/online-scanner/

(coche toutes les cases à chaque fois, sauf les deux dernières a la fin du scan, sinon le rapport est supprimer) 
A la fin, colle le rapport : C:\Program Files\EsetOnlineScanner\log.txt


@++   :)

mia928 · Answer

Salut dédétraqué

Voici le rapport:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.6000.17023 (vista_gdr.100222-0012)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=0a3b0c1e05dbe24cbf6e0778eb00c548
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-04-20 04:31:11
# local_time=2010-04-20 01:31:11 (-0400, Atlantique (heure d'été))
# country="Canada"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=769 16775129 100 98 0 207096428 21979802 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=108142
# found=12
# cleaned=12
# scan_time=8199
C:\UsbFix_Upload_Me_UTILISAT-3CF45A.zip	multiple threats (deleted - quarantined)	00000000000000000000000000000000	C
C:\Ad-Remover\Quarantine\C\Program Files\Windows Live\Messenger\Riched20.dll.vir	Win32/Toolbar.MyWebSearch application (cleaned by deleting - quarantined)	00000000000000000000000000000000	C
C:\Documents and Settings\Zamboni\Mes documents\Téléchargements\balligomingo.over.you.45026(2).exe	Win32/TrojanDownloader.FakeAlert.AQI trojan (cleaned by deleting - quarantined)	00000000000000000000000000000000	C
C:\Documents and Settings\Zamboni\Mes documents\Téléchargements\balligomingo.over.you.45026(3).exe	Win32/TrojanDownloader.FakeAlert.AQI trojan (cleaned by deleting - quarantined)	00000000000000000000000000000000	C
C:\Documents and Settings\Zamboni\Mes documents\Téléchargements\balligomingo.over.you.45026.exe	Win32/TrojanDownloader.FakeAlert.AQI trojan (cleaned by deleting - quarantined)	00000000000000000000000000000000	C
C:\Documents and Settings\Zamboni\Mes documents\Téléchargements\MallTycoonSetup-dm.exe	Win32/Adware.Trymedia application (cleaned by deleting - quarantined)	00000000000000000000000000000000	C
C:\Documents and Settings\Zamboni\Mes documents\Téléchargements\Pet_Pals_Animal_Doctor_Setup-dm.exe	Win32/Adware.Trymedia application (cleaned by deleting - quarantined)	00000000000000000000000000000000	C
C:\System Volume Information\_restore{F61F9CA3-36E7-44DC-95CB-4D9E05BBB1AB}\RP937\A0106155.dll	Win32/Toolbar.MyWebSearch application (cleaned by deleting - quarantined)	00000000000000000000000000000000	C
C:\UsbFix\Quarantine\C\DOCUME~1\Zamboni\LOCALS~1\Temp\Jxp.exe.UsbFix	Win32/TrojanDownloader.FakeAlert.AQI trojan (cleaned by deleting - quarantined)	00000000000000000000000000000000	C
C:\UsbFix\Quarantine\C\DOCUME~1\Zamboni\LOCALS~1\Temp\Jxq.exe.UsbFix	a variant of Win32/Kryptik.DTU trojan (cleaned by deleting - quarantined)	00000000000000000000000000000000	C
C:\WINDOWS\system32\spool\prtprocs\w32x86\00002262.tmp	Win32/Olmarik.XO trojan (cleaned by deleting - quarantined)	00000000000000000000000000000000	C
C:\_OTM\MovedFiles\04192010_221154\C_WINDOWS\Jrupya.exe	Win32/TrojanDownloader.FakeAlert.AQI trojan (cleaned by deleting - quarantined)	00000000000000000000000000000000	C
esets_scanner_update returned -1 esets_gle=53251
# version=7
# iexplore.exe=7.00.6000.17023 (vista_gdr.100222-0012)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=0a3b0c1e05dbe24cbf6e0778eb00c548
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-04-20 06:51:25
# local_time=2010-04-20 03:51:25 (-0400, Atlantique (heure d'été))
# country="Canada"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=769 16775129 100 98 0 207104767 21152941 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=108405
# found=1
# cleaned=1
# scan_time=8273
C:\System Volume Information\_restore{F61F9CA3-36E7-44DC-95CB-4D9E05BBB1AB}\RP938\A0106303.exe	Win32/TrojanDownloader.FakeAlert.AQI trojan (cleaned by deleting - quarantined)	00000000000000000000000000000000	C
# version=7
# iexplore.exe=7.00.6000.17023 (vista_gdr.100222-0012)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=0a3b0c1e05dbe24cbf6e0778eb00c548
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-04-29 02:53:27
# local_time=2010-04-28 11:53:27 (-0400, Atlantique (heure d'été))
# country="Canada"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 610018 610018 0 0
# compatibility_mode=769 16775145 100 98 0 207869205 22752579 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=99737
# found=0
# cleaned=0
# scan_time=7157

Merci!

dédétraqué · Answer

Salut mia928 


Désolé j'ai été absent deux jours sur le forum.

Le dernier rapport est propre, as-tu d'autre souci?


@++   :)

mia928 · Answer

Salut dédétraqué

Ne t'inquiète pas pour tes absences. :)

Les pop ups n'apparaisent plus.. mais j'ai encore des redirections Google, malheureusement.

Merci!

dédétraqué · Answer

Salut mia928 


As-tu des redirections avec IE et Firefox?


@++   :)

mia928 · Answer

Salut dédétraqué

Oui, avec les deux navigateurs.

Merci!

dédétraqué · Answer

Salut mia928 


Fais moi un nouveau scan avec Combofix et Gmer, poste les rapports.


@++   :)

mia928 · Answer

Salut dédétraqué
Désolé de mon absence... :(

Mon beau-père à installer un nouveau anti-virus sur mon ordi et cela à suprimer ComboFix car le programme était malveillant.. Alors, ce ne serait pas prudent de l'installer à nouveau, non?

Entre temps, voici le rapport Gmer:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-10 15:55:55
Windows 5.1.2600 Service Pack 3
Running: z0vjw5ke.exe; Driver: C:\DOCUME~1\Zamboni\LOCALS~1\Temp\fxrorkoc.sys


---- System - GMER 1.0.15 ----

SSDT            \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. )  ZwOpenProcess [0xF6BF7670]
SSDT            \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com)                                                             ZwTerminateProcess [0xAD16AF20]
SSDT            \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. )  ZwTerminateThread [0xF6BF77C0]
SSDT            \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. )  ZwWriteVirtualMemory [0xF6BF7860]

---- Kernel code sections - GMER 1.0.15 ----

.rsrc           C:\WINDOWS\system32\drivers\atapi.sys                                                                                                                                     entry point in ".rsrc" section [0xF7325780]
.text           C:\WINDOWS\system32\DRIVERS\ati2mtag.sys                                                                                                                                  section is writeable [0xF62F9000, 0x19DA46, 0xE8000020]

---- Devices - GMER 1.0.15 ----

AttachedDevice  \FileSystem\Ntfs \Ntfs                                                                                                                                                    AVGIDSFilter.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice  \Driver\Tcpip \Device\Ip                                                                                                                                                  avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice  \Driver\Tcpip \Device\Tcp                                                                                                                                                 avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device          \Driver\atapi \Device\Ide\IdePort0                                                                                                                                        [F7318B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device          \Driver\atapi \Device\Ide\IdePort1                                                                                                                                        [F7318B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device          \Driver\atapi \Device\Ide\IdePort2                                                                                                                                        [F7318B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device          \Driver\atapi \Device\Ide\IdePort3                                                                                                                                        [F7318B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device          \Driver\atapi \Device\Ide\IdePort4                                                                                                                                        [F7318B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device          \Driver\atapi \Device\Ide\IdePort5                                                                                                                                        [F7318B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device          \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-16                                                                                                                              [F7318B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device          \Driver\atapi \Device\Ide\IdeDeviceP5T0L0-b                                                                                                                               [F7318B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}

AttachedDevice  \Driver\Tcpip \Device\Udp                                                                                                                                                 avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice  \Driver\Tcpip \Device\RawIp                                                                                                                                               avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice  \FileSystem\Fastfat \Fat                                                                                                                                                  fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice  \FileSystem\Fastfat \Fat                                                                                                                                                  AVGIDSFilter.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

---- Registry - GMER 1.0.15 ----

Reg             HKLM\SOFTWARE\Classes\CLSID\{089E6823-B8BE-478A-BD90-D4B8DDC332DE}\InprocServer32@                                                                                        C:\PROGRA~1\MICROS~2\OFFICE11\IEAWSDC.DLL
Reg             HKLM\SOFTWARE\Classes\CLSID\{089E6823-B8BE-478A-BD90-D4B8DDC332DE}\InprocServer32@ThreadingModel                                                                          Apartment
Reg             HKLM\SOFTWARE\Classes\CLSID\{089E6823-B8BE-478A-BD90-D4B8DDC332DE}\ProgID@                                                                                                Office.awsdc.1
Reg             HKLM\SOFTWARE\Classes\CLSID\{089E6823-B8BE-478A-BD90-D4B8DDC332DE}\TypeLib@                                                                                               {012F24C1-35B0-11D0-BF2D-0000E8D0D146}
Reg             HKLM\SOFTWARE\Classes\CLSID\{089E6823-B8BE-478A-BD90-D4B8DDC332DE}\Version@                                                                                               1.0
Reg             HKLM\SOFTWARE\Classes\CLSID\{089E6823-B8BE-478A-BD90-D4B8DDC332DE}\VersionIndependentProgID@                                                                              Office.awsdc
Reg             HKLM\SOFTWARE\Classes\CLSID\{284F0BD5-81D1-7456-EF12-DF58AD1383B6}\InprocServer32@                                                                                        C:\WINDOWS\system32\PortableDeviceTypes.dll
Reg             HKLM\SOFTWARE\Classes\CLSID\{284F0BD5-81D1-7456-EF12-DF58AD1383B6}\InprocServer32@ThreadingModel                                                                          Both
Reg             HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\LocalServer32@                                                                                         C:\PROGRA~1\MICROS~2\OFFICE11\MSPUB.EXE /Automation
Reg             HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\LocalServer32@LocalServer32                                                                            *]gAVn-}f(ZXfeAR6.jiPubPrimary>dic+V~SM09P_'_@$%)xK /Automation?
Reg             HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\NotInsertable@                                                                                         
Reg             HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\ProgID@                                                                                                Publisher.Application.11
Reg             HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\Programmable@                                                                                          
Reg             HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\TypeLib@                                                                                               {0002123C-0000-0000-C000-000000000046}
Reg             HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\VersionIndependentProgID@                                                                              Publisher.Application
Reg             HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32                                                                                         
Reg             HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel                                                                          Apartment
Reg             HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@                                                                                        C:\WINDOWS\system32\OLE32.DLL
Reg             HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b                                                        0xC8 0x28 0x51 0xAF ...
Reg             HKLM\SOFTWARE\Classes\CLSID\{5FA45BED-077A-9079-9181-7DC47626297F}\InprocServer32@                                                                                        C:\Program Files\Fichiers communs\Microsoft Shared\Information Retrieval\ITIRCL52.DLL
Reg             HKLM\SOFTWARE\Classes\CLSID\{5FA45BED-077A-9079-9181-7DC47626297F}\InprocServer32@InprocServer32                                                                          *]gAVn-}f(ZXfeAR6.jiTranslationHidden>BbxH8x=!g(3?!!!_GX=b?
Reg             HKLM\SOFTWARE\Classes\CLSID\{5FA45BED-077A-9079-9181-7DC47626297F}\InprocServer32@ThreadingModel                                                                          both
Reg             HKLM\SOFTWARE\Classes\CLSID\{5FA45BED-077A-9079-9181-7DC47626297F}\ProgID@                                                                                                ITIR.DefaultStemmer.5.2
Reg             HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32                                                                                         
Reg             HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel                                                                          Apartment
Reg             HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@                                                                                        C:\WINDOWS\system32\OLE32.DLL
Reg             HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b                                                        0x71 0x3B 0x04 0x66 ...
Reg             HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32                                                                                         
Reg             HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel                                                                          Apartment
Reg             HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@                                                                                        C:\WINDOWS\system32\OLE32.DLL
Reg             HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016                                                        0xFF 0x7C 0x85 0xE0 ...
Reg             HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32                                                                                         
Reg             HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel                                                                          Apartment
Reg             HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@                                                                                        C:\WINDOWS\system32\OLE32.DLL
Reg             HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48                                                        0x86 0x8C 0x21 0x01 ...
Reg             HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32                                                                                         
Reg             HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel                                                                          Apartment
Reg             HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@                                                                                        C:\WINDOWS\system32\OLE32.DLL
Reg             HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472                                                        0xF5 0x1D 0x4D 0x73 ...
Reg             HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32                                                                                         
Reg             HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel                                                                          Apartment

mia928 · Answer

Reg             HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@                                                                                        C:\WINDOWS\system32\OLE32.DLL
Reg             HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d                                                        0xB0 0x18 0xED 0xA7 ...
Reg             HKLM\SOFTWARE\Classes\CLSID\{961E2139-9A58-90A1-0365-C7FA3C64FE29}\DefaultIcon@                                                                                           C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE,7
Reg             HKLM\SOFTWARE\Classes\CLSID\{961E2139-9A58-90A1-0365-C7FA3C64FE29}\InprocServer32@ThreadingModel                                                                          Apartment
Reg             HKLM\SOFTWARE\Classes\CLSID\{961E2139-9A58-90A1-0365-C7FA3C64FE29}\InprocServer32@                                                                                        C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL
Reg             HKLM\SOFTWARE\Classes\CLSID\{961E2139-9A58-90A1-0365-C7FA3C64FE29}\Shell\Open                                                                                             
Reg             HKLM\SOFTWARE\Classes\CLSID\{961E2139-9A58-90A1-0365-C7FA3C64FE29}\Shell\Open\Command                                                                                     
Reg             HKLM\SOFTWARE\Classes\CLSID\{961E2139-9A58-90A1-0365-C7FA3C64FE29}\Shell\Open\Command@                                                                                    "C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE"
Reg             HKLM\SOFTWARE\Classes\CLSID\{961E2139-9A58-90A1-0365-C7FA3C64FE29}\shellex\PropertySheetHandlers                                                                          
Reg             HKLM\SOFTWARE\Classes\CLSID\{961E2139-9A58-90A1-0365-C7FA3C64FE29}\shellex\PropertySheetHandlers\{00020D75-0000-0000-C000-000000000046}                                   
Reg             HKLM\SOFTWARE\Classes\CLSID\{961E2139-9A58-90A1-0365-C7FA3C64FE29}\shellex\PropertySheetHandlers\{00020D75-0000-0000-C000-000000000046}@                                  
Reg             HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\InprocServer32@                                                                                        C:\Program Files\Google\Google Earth\plugin\plugin_ax.dll
Reg             HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\InprocServer32@ThreadingModel                                                                          apartment
Reg             HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\MiscStatus@                                                                                            0
Reg             HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\MiscStatus\1                                                                                           
Reg             HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\MiscStatus\1@                                                                                          131473
Reg             HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\ProgID@                                                                                                KmlLayerRootCoClass.KmlLayerRootCoC.1.0
Reg             HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\ToolboxBitmap32@                                                                                       C:\Program Files\Google\Google Earth\plugin\plugin_ax.dll, 1
Reg             HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\TypeLib@                                                                                               {F9152AEC-3462-4632-8087-EEE3C3CDDA35}
Reg             HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\Version@                                                                                               1.0
Reg             HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\VersionIndependentProgID@                                                                              KmlLayerRootCoClass.KmlLayerRootCoC
Reg             HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32                                                                                         
Reg             HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel                                                                          Apartment
Reg             HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@                                                                                        C:\WINDOWS\system32\OLE32.DLL
Reg             HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b                                                        0x31 0x77 0xE1 0xBA ...
Reg             HKLM\SOFTWARE\Classes\CLSID\{D9C47CD5-9B59-C3BF-FC64-7B1564692D75}\InProcServer32@                                                                                        %SystemRoot%\system32\dsuiext.dll
Reg             HKLM\SOFTWARE\Classes\CLSID\{D9C47CD5-9B59-C3BF-FC64-7B1564692D75}\InProcServer32@ThreadingModel                                                                          Apartment
Reg             HKLM\SOFTWARE\Classes\CLSID\{D9C47CD5-9B59-C3BF-FC64-7B1564692D75}\ShellEx\MayChangeDefaultMenu                                                                           
Reg             HKLM\SOFTWARE\Classes\CLSID\{D9C47CD5-9B59-C3BF-FC64-7B1564692D75}\ShellEx\MayChangeDefaultMenu@                                                                          1
Reg             HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32                                                                                         
Reg             HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel                                                                          Apartment
Reg             HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@                                                                                        C:\WINDOWS\system32\OLE32.DLL
Reg             HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d                                                        0x83 0x6C 0x56 0x8B ...
Reg             HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32                                                                                         
Reg             HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel                                                                          Apartment
Reg             HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@                                                                                        C:\WINDOWS\system32\OLE32.DLL
Reg             HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3                                                        0xF6 0x0F 0x4E 0x58 ...
Reg             HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32                                                                                         
Reg             HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel                                                                          Apartment
Reg             HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@                                                                                        C:\WINDOWS\system32\OLE32.DLL
Reg             HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b                                                        0xB1 0xCD 0x45 0x5A ...
Reg             HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32                                                                                         
Reg             HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel                                                                          Apartment
Reg             HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@                                                                                        C:\WINDOWS\system32\OLE32.DLL
Reg             HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6                                                        0xE3 0x0E 0x66 0xD5 ...
Reg             HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32                                                                                         
Reg             HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel                                                                          Apartment
Reg             HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@                                                                                        C:\WINDOWS\system32\OLE32.DLL
Reg             HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2                                                        0xFA 0xEA 0x66 0x7F ...
Reg             HKLM\SOFTWARE\Classes\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0\0\win32@                                                                                         C:\Program Files\MyWebSearch\bar\2.bin\F3REPROX.DLL

---- Files - GMER 1.0.15 ----

File            C:\WINDOWS\system32\sys_drv.dat                                                                                                                                           6024 bytes
File            C:\WINDOWS\system32\sys_drv_2.dat                                                                                                                                         5020 bytes
File            C:\WINDOWS\system32\WinFLdrv.sys                                                                                                                                          17984 bytes executable                                                                            <-- ROOTKIT !!!
File            C:\Documents and Settings\Zamboni\Application Data\systemfl.$dk                                                                                                           990 bytes
File            C:\WINDOWS\system32\drivers\atapi.sys                                                                                                                                     suspicious modification

---- Services - GMER 1.0.15 ----

Service         C:\WINDOWS\system32\WinFLdrv.sys                                                                                                                                          [AUTO] WinFLdrv                                                                                   <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----


Merci!

dédétraqué · Answer

Salut mia928 


Comme mentionner dans la procédure pour Combofix :
Combofix est détecté par certains antivirus comme une infection, ne pas en tenir compte, il s'agit d'un faux positif, continue la procédure


Au vu du rapport de Gmer, on a un fichier système patché (modifié) :
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification 


Combofix devrais réparer cela


@++   :)

mia928 · Answer

Bonjour dédétraqué

Voici le rapport ComboFix:

ComboFix 10-05-15.01 - Zamboni 2010-05-15  14:31:45.3.2 - x86
Microsoft Windows XP Édition familiale  5.1.2600.3.1252.2.1036.18.3071.2532 [GMT -3:00]
Lancé depuis: c:\documents and settings\Zamboni\Mes documents\Téléchargements\ComboFix.exe
AV: AVG Internet Security *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *disabled* {8decf618-9569-4340-b34a-d78d28969b66}
 * Un nouveau point de restauration a été créé
.

(((((((((((((((((((((((((((((   Fichiers créés du 2010-04-15 au 2010-05-15  ))))))))))))))))))))))))))))))))))))
.

2010-05-14 23:10 . 2010-05-14 23:10	57344	----a-w-	c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-05-14 23:10 . 2010-05-14 23:08	754984	----a-w-	c:\documents and settings\All Users\Application Data\DivX\Setup\Resource.dll
2010-05-14 23:10 . 2010-05-14 23:08	1180952	----a-w-	c:\documents and settings\All Users\Application Data\DivX\Setup\DivXSetup.exe
2010-05-14 23:09 . 2010-05-14 23:09	56766	----a-w-	c:\documents and settings\All Users\Application Data\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-05-14 23:09 . 2010-05-14 23:09	56978	----a-w-	c:\documents and settings\All Users\Application Data\DivX\WebPlayer\Uninstaller.exe
2010-05-14 23:09 . 2010-05-14 23:09	53600	----a-w-	c:\documents and settings\All Users\Application Data\DivX\Update\Uninstaller.exe
2010-05-14 23:09 . 2010-05-14 23:09	57409	----a-w-	c:\documents and settings\All Users\Application Data\DivX\ControlPanel\Uninstaller.exe
2010-05-14 23:09 . 2010-05-14 23:09	52963	----a-w-	c:\documents and settings\All Users\Application Data\DivX\MSVC80CRTRedist\Uninstaller.exe
2010-05-14 23:09 . 2010-05-14 23:09	54073	----a-w-	c:\documents and settings\All Users\Application Data\DivX\Qt4.5\Uninstaller.exe
2010-05-14 23:09 . 2010-05-14 23:09	--------	d-----w-	c:\program files\Fichiers communs\DivX Shared
2010-05-14 23:08 . 2010-05-14 23:08	144696	----a-w-	c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.exe
2010-05-14 23:08 . 2010-05-14 23:09	--------	d-----w-	c:\documents and settings\All Users\Application Data\DivX
2010-05-11 22:08 . 2010-05-11 22:08	503808	----a-w-	c:\documents and settings\Zamboni\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-12fd9ff7-n\msvcp71.dll
2010-05-11 22:08 . 2010-05-11 22:08	499712	----a-w-	c:\documents and settings\Zamboni\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-12fd9ff7-n\jmc.dll
2010-05-11 22:08 . 2010-05-11 22:08	348160	----a-w-	c:\documents and settings\Zamboni\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-12fd9ff7-n\msvcr71.dll
2010-05-11 22:08 . 2010-05-11 22:08	61440	----a-w-	c:\documents and settings\Zamboni\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-1f7fe9fa-n\decora-sse.dll
2010-05-11 22:08 . 2010-05-11 22:08	12800	----a-w-	c:\documents and settings\Zamboni\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-1f7fe9fa-n\decora-d3d.dll
2010-05-09 21:07 . 2010-05-15 04:11	0	----a-w-	c:\documents and settings\Zamboni\Local Settings\Application Data\prvlcl.dat
2010-05-09 20:53 . 2010-05-09 20:53	--------	d-----w-	c:\documents and settings\Zamboni\Application Data\AVG9
2010-05-07 21:11 . 2010-05-07 21:11	--------	d-----w-	c:\documents and settings\Zamboni\Local Settings\Application Data\AVG Security Toolbar
2010-05-07 12:58 . 2010-05-07 12:58	12464	----a-w-	c:\windows\system32\avgrsstx.dll
2010-05-07 12:58 . 2010-05-07 12:58	52872	----a-w-	c:\windows\system32\drivers\avgrkx86.sys
2010-05-07 12:58 . 2010-05-07 12:58	25096	----a-w-	c:\windows\system32\drivers\AVGIDSxx.sys
2010-05-07 12:58 . 2010-05-07 12:58	242896	----a-w-	c:\windows\system32\drivers\avgtdix.sys
2010-05-07 12:57 . 2010-05-07 12:57	216200	----a-w-	c:\windows\system32\drivers\avgldx86.sys
2010-05-07 12:57 . 2010-05-07 12:57	29512	----a-w-	c:\windows\system32\drivers\avgmfx86.sys
2010-05-07 12:57 . 2010-05-15 11:21	--------	d-----w-	c:\windows\system32\drivers\Avg
2010-05-07 12:57 . 2010-05-07 12:57	--------	d-----w-	c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2010-05-07 12:47 . 2010-05-07 12:56	30104	----a-w-	c:\windows\system32\drivers\avgfwdx.sys
2010-05-07 12:47 . 2010-05-07 12:47	50968	----a-w-	c:\windows\system32\avgfwdx.dll
2010-05-07 12:46 . 2010-05-07 12:46	--------	d-----w-	c:\program files\AVG
2010-05-07 12:46 . 2010-05-10 19:57	--------	d-----w-	c:\documents and settings\All Users\Application Data\avg9
2010-05-01 19:52 . 2010-05-01 19:52	--------	d-----w-	c:\program files\EA GAMES
2010-05-01 19:52 . 2005-02-26 05:34	442368	----a-r-	c:\windows\system32\vp6vfw.dll
2010-04-29 02:28 . 2010-04-29 02:28	--------	d-----w-	c:\documents and settings\Zamboni\Local Settings\Application Data\Yahoo!
2010-04-20 23:45 . 2010-04-20 23:45	411368	----a-w-	c:\windows\system32\deployJava1.dll
2010-04-20 23:44 . 2010-04-20 23:44	79488	----a-w-	c:\documents and settings\Zamboni\Application Data\Sun\Java\jre1.6.0_20\gtapi.dll
2010-04-20 23:44 . 2010-04-20 23:44	152576	----a-w-	c:\documents and settings\Zamboni\Application Data\Sun\Java\jre1.6.0_20\lzma.dll
2010-04-20 02:12 . 2010-04-20 02:12	--------	d-----w-	c:\program files\ESET
2010-04-18 23:56 . 2010-04-20 23:27	--------	d-----w-	c:\program files	rend micro
2010-04-16 21:16 . 2010-04-16 21:16	--------	d-----w-	c:\program files\Ares

.
((((((((((((((((((((((((((((((((((   Compte-rendu de Find3M   ))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-14 23:10 . 2009-02-24 21:15	--------	d-----w-	c:\program files\Google
2010-05-14 23:09 . 2009-11-04 03:26	--------	d-----w-	c:\program files\DivX
2010-05-08 15:16 . 2009-05-15 23:08	--------	d-----w-	c:\program files\Messenger Plus! Live
2010-04-20 23:47 . 2008-07-03 19:45	--------	d-----w-	c:\program files\CCleaner
2010-04-20 23:37 . 2008-07-03 19:46	--------	d-----w-	c:\program files\Fichiers communs\Adobe
2010-04-18 23:14 . 2009-02-14 00:15	--------	d-----w-	c:\program files\SUPERAntiSpyware
2010-04-17 00:31 . 2008-08-14 20:43	--------	d-----w-	c:\program files\Fichiers communs\DVDVIDEOSOFT
2010-04-16 21:26 . 2010-03-08 00:58	--------	d-----w-	c:\documents and settings\Zamboni\Application Data\LimeWire
2010-04-13 10:27 . 2010-04-13 10:26	--------	d-----w-	c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-13 10:27 . 2008-12-28 12:06	--------	d-----w-	c:\program files\iTunes
2010-04-13 10:26 . 2010-04-13 10:26	--------	d-----w-	c:\program files\iPod
2010-04-13 10:26 . 2008-12-28 12:05	--------	d-----w-	c:\program files\Fichiers communs\Apple
2010-04-13 10:24 . 2010-04-13 10:24	--------	d-----w-	c:\program files\QuickTime
2010-04-13 10:22 . 2010-04-13 10:22	--------	d-----w-	c:\program files\Bonjour
2010-04-13 10:20 . 2010-04-13 10:20	73000	----a-w-	c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
2010-04-10 22:30 . 2010-04-10 22:30	532	----a-w-	c:\windows\eReg.dat
2010-04-10 22:29 . 2010-04-10 22:29	--------	d-----w-	c:\program files\Maxis
2010-03-23 02:46 . 2010-02-05 21:26	50354	----a-w-	c:\documents and settings\Zamboni\Application Data\Facebook\uninstall.exe
2010-03-23 02:46 . 2010-02-05 21:26	--------	d-----w-	c:\documents and settings\Zamboni\Application Data\Facebook
2010-03-15 03:49 . 2010-03-15 03:49	503808	----a-w-	c:\documents and settings\Zamboni\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-10733cf8-n\msvcp71.dll
2010-03-15 03:49 . 2010-03-15 03:49	499712	----a-w-	c:\documents and settings\Zamboni\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-10733cf8-n\jmc.dll
2010-03-15 03:49 . 2010-03-15 03:49	348160	----a-w-	c:\documents and settings\Zamboni\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-10733cf8-n\msvcr71.dll
2010-03-15 03:49 . 2010-03-15 03:49	61440	----a-w-	c:\documents and settings\Zamboni\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-28a3a294-n\decora-sse.dll
2010-03-15 03:49 . 2010-03-15 03:49	12800	----a-w-	c:\documents and settings\Zamboni\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-28a3a294-n\decora-d3d.dll
2010-03-15 03:48 . 2006-03-02 12:00	85608	----a-w-	c:\windows\system32\perfc00C.dat
2010-03-15 03:48 . 2006-03-02 12:00	513410	----a-w-	c:\windows\system32\perfh00C.dat
2010-03-14 16:48 . 2009-11-11 17:56	79488	----a-w-	c:\documents and settings\Zamboni\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-03-11 12:34 . 2006-03-02 12:00	832512	----a-w-	c:\windows\system32\wininet.dll
2010-03-11 12:34 . 2009-10-27 15:14	78336	----a-w-	c:\windows\system32\ieencode.dll
2010-03-11 12:34 . 2006-03-02 12:00	17408	----a-w-	c:\windows\system32\corpol.dll
2010-03-09 11:10 . 2006-03-02 12:00	430080	----a-w-	c:\windows\system32\vbscript.dll
2010-03-06 05:30 . 2010-03-06 05:30	5582848	----a-w-	c:\documents and settings\Zamboni\Application Data\Facebook
pfbplugin_1_0_3.dll
2010-02-24 13:11 . 2006-03-02 12:00	455680	----a-w-	c:\windows\system32\drivers\mrxsmb.sys
2010-02-17 01:32 . 2010-02-17 01:32	0	-c--a-w-	c:\documents and settings\Zamboni\Application Data\FrostWire\.NetworkShare\Incomplete\T-4506256-LimeWireWin4.16.6.exe
2010-02-16 19:06 . 2006-03-02 12:00	2148352	----a-w-	c:\windows\system32
toskrnl.exe
2010-02-16 19:06 . 2004-08-19 16:04	2026496	----a-w-	c:\windows\system32
tkrnlpa.exe
2008-11-02 21:06 . 2008-11-02 21:06	89408	-c--a-w-	c:\program files\setup spiral frog.exe
2008-09-30 01:36 . 2008-09-30 01:36	5408074	-c--a-w-	c:\program files\Last.fm-1.5.2.38918.exe
2008-08-14 19:17 . 2008-08-14 19:17	611424	-c--a-w-	c:\program files\setuppad.exe
2008-08-02 05:35 . 2008-08-02 05:35	1283912	-c--a-w-	c:\program files\WoW-2.3.0.7561-enUS-downloader.exe
.

(((((((((((((((((((((((((((((   SnapShot@2010-04-21_20.09.18   )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-11 23:54 . 2009-07-11 23:54	65536              c:\windows\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e79c4723\vcomp.dll
+ 2009-07-11 23:32 . 2009-07-11 23:32	49152              c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80KOR.dll
+ 2009-07-11 23:32 . 2009-07-11 23:32	49152              c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80JPN.dll
+ 2009-07-11 23:32 . 2009-07-11 23:32	61440              c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80ITA.dll
+ 2009-07-11 23:32 . 2009-07-11 23:32	61440              c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80FRA.dll
+ 2009-07-11 23:32 . 2009-07-11 23:32	61440              c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80ESP.dll
+ 2009-07-11 23:32 . 2009-07-11 23:32	57344              c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80ENU.dll
+ 2009-07-11 23:32 . 2009-07-11 23:32	65536              c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80DEU.dll
+ 2009-07-11 23:32 . 2009-07-11 23:32	45056              c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80CHT.dll
+ 2009-07-11 23:32 . 2009-07-11 23:32	40960              c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80CHS.dll
+ 2009-07-12 04:07 . 2009-07-12 04:07	57856              c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfcm80u.dll
+ 2009-07-12 04:19 . 2009-07-12 04:19	69632              c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfcm80.dll
+ 2009-07-11 22:41 . 2009-07-11 22:41	97280              c:\windows\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_473666fd\ATL80.dll
+ 2010-05-15 17:23 . 2010-05-15 17:23	16384              c:\windows\Temp\Perflib_Perfdata_284.dat
+ 2008-07-03 19:35 . 2010-05-12 06:01	23040              c:\windows\Installer\{9011040C-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2008-07-03 19:35 . 2010-04-15 06:00	23040              c:\windows\Installer\{9011040C-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2008-07-03 19:35 . 2010-04-15 06:00	61440              c:\windows\Installer\{9011040C-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2008-07-03 19:35 . 2010-05-12 06:01	61440              c:\windows\Installer\{9011040C-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2008-07-03 19:35 . 2010-04-15 06:00	27136              c:\windows\Installer\{9011040C-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2008-07-03 19:35 . 2010-05-12 06:01	27136              c:\windows\Installer\{9011040C-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2008-07-03 19:35 . 2010-04-15 06:00	11264              c:\windows\Installer\{9011040C-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2008-07-03 19:35 . 2010-05-12 06:01	11264              c:\windows\Installer\{9011040C-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2008-07-03 19:35 . 2010-05-12 06:01	86016              c:\windows\Installer\{9011040C-6000-11D3-8CFE-0150048383C9}\inficon.exe
- 2008-07-03 19:35 . 2010-04-15 06:00	86016              c:\windows\Installer\{9011040C-6000-11D3-8CFE-0150048383C9}\inficon.exe
+ 2008-07-03 19:35 . 2010-05-12 06:01	12288              c:\windows\Installer\{9011040C-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2008-07-03 19:35 . 2010-04-15 06:00	12288              c:\windows\Installer\{9011040C-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2008-07-03 19:35 . 2010-04-15 06:00	4096              c:\windows\Installer\{9011040C-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2008-07-03 19:35 . 2010-05-12 06:01	4096              c:\windows\Installer\{9011040C-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2008-07-03 05:47 . 2010-01-29 15:00	691712              c:\windows\system32\inetcomm.dll
- 2008-07-03 05:47 . 2008-04-11 19:05	691712              c:\windows\system32\inetcomm.dll
- 2008-08-15 00:51 . 2008-04-11 19:05	691712              c:\windows\system32\dllcache\inetcomm.dll
+ 2008-08-15 00:51 . 2010-01-29 15:00	691712              c:\windows\system32\dllcache\inetcomm.dll
+ 2010-05-07 12:41 . 2010-05-07 12:41	262144              c:\windows\system32\config\systemprofile\NtUser.dat
+ 2010-05-14 23:09 . 2010-05-14 23:09	169472              c:\windows\Installer\dfe362.msi
+ 2010-05-07 12:46 . 2010-05-07 12:46	424448              c:\windows\Installer\143aba.msi
- 2008-07-03 19:35 . 2010-04-15 06:00	409600              c:\windows\Installer\{9011040C-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2008-07-03 19:35 . 2010-05-12 06:01	409600              c:\windows\Installer\{9011040C-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2008-07-03 19:35 . 2010-05-12 06:01	286720              c:\windows\Installer\{9011040C-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2008-07-03 19:35 . 2010-04-15 06:00	286720              c:\windows\Installer\{9011040C-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2008-07-03 19:35 . 2010-04-15 06:00	249856              c:\windows\Installer\{9011040C-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2008-07-03 19:35 . 2010-05-12 06:01	249856              c:\windows\Installer\{9011040C-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2008-07-03 19:35 . 2010-05-12 06:01	794624              c:\windows\Installer\{9011040C-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2008-07-03 19:35 . 2010-04-15 06:00	794624              c:\windows\Installer\{9011040C-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2008-07-03 19:35 . 2010-04-15 06:00	135168              c:\windows\Installer\{9011040C-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2008-07-03 19:35 . 2010-05-12 06:01	135168              c:\windows\Installer\{9011040C-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2008-07-03 19:35 . 2010-05-12 06:01	593920              c:\windows\Installer\{9011040C-6000-11D3-8CFE-0150048383C9}\accicons.exe
- 2008-07-03 19:35 . 2010-04-15 06:00	593920              c:\windows\Installer\{9011040C-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2009-07-11 23:46 . 2009-07-11 23:46	1093120              c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfc80u.dll
+ 2009-07-11 23:46 . 2009-07-11 23:46	1105920              c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfc80.dll
- 2008-07-03 05:47 . 2009-07-10 13:27	1315328              c:\windows\system32\dllcache\msoe.dll
+ 2008-07-03 05:47 . 2010-01-29 15:00	1315328              c:\windows\system32\dllcache\msoe.dll
+ 2010-04-21 20:46 . 2010-04-21 20:46	5522432              c:\windows\Installer\24b7f6d.msp
+ 2008-07-04 13:29 . 2010-04-30 18:51	32058312              c:\windows\system32\MRT.exe
+ 2005-08-22 05:29 . 2005-08-22 05:29	103434240              c:\windows\Installer\92e86.msp
+ 2005-08-22 05:29 . 2005-08-22 05:29	103434240              c:\windows\Installer\8bf289.msp
+ 2005-08-22 05:29 . 2005-08-22 05:29	103434240              c:\windows\Installer\83263.msp
+ 2005-08-22 05:29 . 2005-08-22 05:29	103434240              c:\windows\Installer\727d2c7.msp
+ 2005-08-22 05:29 . 2005-08-22 05:29	103434240              c:\windows\Installer\45cfe80.msp
+ 2005-08-22 05:29 . 2005-08-22 05:29	103434240              c:\windows\Installer\3a20340.msp
+ 2005-08-22 05:29 . 2005-08-22 05:29	103434240              c:\windows\Installer\3a0e4d0.msp
+ 2005-08-22 05:29 . 2005-08-22 05:29	103434240              c:\windows\Installer\385d04.msp
+ 2005-08-22 05:29 . 2005-08-22 05:29	103434240              c:\windows\Installer\377081.msp
+ 2005-08-22 05:29 . 2005-08-22 05:29	103434240              c:\windows\Installer\35ba7e6.msp
+ 2005-08-22 05:29 . 2005-08-22 05:29	103434240              c:\windows\Installer\3570c45.msp
+ 2005-08-22 05:29 . 2005-08-22 05:29	103434240              c:\windows\Installer\32b118b.msp
+ 2005-08-22 05:29 . 2005-08-22 05:29	103434240              c:\windows\Installer\3286632.msp
+ 2005-08-22 05:29 . 2005-08-22 05:29	103434240              c:\windows\Installer\2f56995.msp
+ 2005-08-22 05:29 . 2005-08-22 05:29	103434240              c:\windows\Installer\29a3001.msp
+ 2005-08-22 05:29 . 2005-08-22 05:29	103434240              c:\windows\Installer\2693f.msp
+ 2005-08-22 05:29 . 2005-08-22 05:29	103434240              c:\windows\Installer\257f6c2.msp
+ 2005-08-22 05:29 . 2005-08-22 05:29	103434240              c:\windows\Installer\23e459c.msp
+ 2005-08-22 05:29 . 2005-08-22 05:29	103434240              c:\windows\Installer\230d6d4.msp
+ 2005-08-22 05:29 . 2005-08-22 05:29	103434240              c:\windows\Installer\2244a1f.msp
+ 2005-08-22 05:29 . 2005-08-22 05:29	103434240              c:\windows\Installer\22440a9.msp
+ 2005-08-22 05:29 . 2005-08-22 05:29	103434240              c:\windows\Installer\22236b0.msp
+ 2005-08-22 05:29 . 2005-08-22 05:29	103434240              c:\windows\Installer\1f43884.msp
+ 2005-08-22 05:29 . 2005-08-22 05:29	103434240              c:\windows\Installer\18fba71.msp
+ 2005-08-22 05:29 . 2005-08-22 05:29	103434240              c:\windows\Installer\18d60c2.msp
+ 2005-08-22 05:29 . 2005-08-22 05:29	103434240              c:\windows\Installer\138714a.msp
.

mia928 · Answer

-- Instantané actualisé --
.
(((((((((((((((((((((((((((((((((   Points de chargement Reg   ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés 
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2010-04-19 13:25	2117704	----a-w-	c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Fichiers communs\LightScribe\LightScribeControlPanel.exe" [2007-08-23 455968]
"msnmsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-01-15 1830128]
"WeatherEye"="c:\documents and settings\Zamboni\Local Settings\Application Data\TheWeatherNetwork\WeatherEye\WeatherEye.exe" [2009-10-27 718232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VM30xSnap"="VM30xSnap.exe Vimicro USB PC Camera (ZC030x)" [X]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-08-14 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-08-14 114688]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-08-14 94208]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 56928]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-06 54832]
"Window  UDP Control Servic"="winlogon.exe" [2008-04-14 512000]
"SlipStream"="c:\program files\Netscape Accélérateur\slipcore.exe" [2006-04-06 237568]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-04-02 40368]
"Adobe ARM"="c:\program files\Fichiers communs\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"SunJavaUpdateSched"="c:\program files\Fichiers communs\Java\Java Update\jusched.exe" [2010-02-18 248040]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-04-12 1135912]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Menu D'marrer\Programmes\D'marrage\
Belkin Wireless G Desktop Card Client Utility.lnk - c:\program files\Belkin\F5D7000v7032\Belkinwcui.exe [2010-1-28 1560576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"HonorAutoRunSetting"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"HonorAutoRunSetting"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon
otify\!SASWinLogon]
2008-12-22 15:05	356352	----a-w-	c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon
otify\avgrsstarter]
2010-05-07 12:58	12464	----a-w-	c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-02 18:05	40368	----a-w-	c:\program files\Adobe\Reader 8.0\Readereader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 18:43	69632	-c----r-	c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
2007-08-23 20:36	455968	----a-w-	c:\program files\Fichiers communs\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2007-04-10 15:28	16126464	-c----r-	c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
2007-04-04 17:22	1822720	-c----r-	c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2008-01-21 15:17	61440	-c--a-w-	c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AresChatServer"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"=
"%windir%\Network Diagnostic\xpnetdiag.exe"=
"c:\Documents and Settings\All Users\Documents\Warcraft III\Warcraft III.exe"=
"c:\WINDOWS\system32\dpvsetup.exe"=
"c:\WINDOWS\system32\rtcshare.exe"=
"c:\Program Files\Windows Live\Messenger\wlcsdk.exe"=
"c:\Documents and Settings\All Users\Documents\Warcraft III\War3.exe"=
"c:\Program Files\LimeWire\LimeWire.exe"=
"c:\Program Files\Windows Live\Messenger\msnmsgr.exe"=
"c:\Program Files\Bonjour\mDNSResponder.exe"=
"c:\Program Files\iTunes\iTunes.exe"=
"c:\Program Files\Ares\Ares.exe"=
"c:\Program Files\AVG\AVG9\avgam.exe"=
"c:\Program Files\AVG\AVG9\avgdiagex.exe"=
"c:\Program Files\AVG\AVG9\avgupd.exe"=
"c:\Program Files\AVG\AVG9\avgnsx.exe"=

R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [2010-05-07 25096]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2010-05-07 52872]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-05-07 216200]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-05-07 242896]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]
R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-05-07 308064]
R2 avgfws9;AVG Firewall;c:\program files\AVG\AVG9\avgfws9.exe [2010-05-07 2325816]
R2 AVGIDSAgent;AVG9IDSAgent;c:\program files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe [2010-05-07 5888008]
R2 WinFLdrv;WinFLdrv;c:\windows\system32\WinFLdrv.sys [2010-02-07 17984]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\atl01_xp.sys [2008-07-03 35840]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2010-05-07 30104]
R3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSDriver.sys [2010-05-07 122376]
R3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSFilter.sys [2010-05-07 30216]
R3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys [2010-05-07 26120]
R3 Belkin700F;Belkin Wireless G Desktop Card Service v7;c:\windows\system32\drivers\BLKWGDv7.sys [2010-01-24 303616]
R3 VM30xx86;Vimicro USB PC Camera (ZC030x);c:\windows\system32\drivers\vm30xx86.sys [2009-02-24 1294336]
S2 gupdate1c996c4f9b01916;Google Update Service (gupdate1c996c4f9b01916);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-24 133104]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe [2010-05-07 430152]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2010-05-07 30104]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]
S3 SjyPkt;SjyPkt;\??\c:\windows\System32\Drivers\SjyPkt.sys --> c:\windows\System32\Drivers\SjyPkt.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-08-23 20:34	451872	----a-w-	c:\program files\Fichiers communs\LightScribe\LSRunOnce.exe
.
Contenu du dossier 'Tâches planifiées'

2010-05-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-05-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-24 21:15]

2010-05-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-24 21:15]

2010-05-15 c:\windows\Tasks\User_Feed_Synchronization-{1976200C-4A2E-4FAC-9D4C-74B0D23C66DA}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 21:36]
.
.
------- Examen supplémentaire -------
.
uStart Page = hxxp://facebook.com/
uInternet Settings,ProxyOverride = *.local
IE: Save YouTube Video - c:\program files\Fichiers communs\DVDVideoSoft\Dll\IEContextMenuY.dll/scriptY2MP4.htm
IE: Save YouTube Video as MP3 - c:\program files\Fichiers communs\DVDVideoSoft\Dll\IEContextMenuY.dll/scriptY2MP3.htm
LSP: c:\progra~1\NETSCA~2\sliplsp.dll
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
DPF: {D40F5876-A494-4124-8161-82625BB28C06} - hxxp://download.playfirst.com/play/game/chocolatier2/Chocolatier2Web.1.0.0.10.cab
FF - ProfilePath - c:\documents and settings\Zamboni\Application Data\Mozilla\Firefox\Profiles\q7i78nx0.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/
FF - component: c:\documents and settings\Zamboni\Application Data\Mozilla\Firefox\Profiles\q7i78nx0.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\documents and settings\Zamboni\Application Data\Facebook
pfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\Zamboni\Application Data\Facebook
pfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\Zamboni\Application Data\Mozilla\Firefox\Profiles\q7i78nx0.default\extensions\piclens@cooliris.com\plugins
pcoolirisplugin.dll
FF - plugin: c:\documents and settings\Zamboni\Local Settings\Application Data\Yahoo!\BrowserPlus\2.7.1\Plugins
pybrowserplus_2.7.1.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player
pdivx32.dll
FF - plugin: c:\program files\Google\Google Earth\plugin
pgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23
pGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin
ew_plugin
pdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- PARAMETRES FIREFOX ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation",  false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
.
------- Associations de fichier -------
.
.scr=AutoCADLTScriptFile
.

**************************************************************************
Recherche de processus cachés ... 

Recherche d'éléments en démarrage automatique cachés ... 

Recherche de fichiers cachés ... 

Scan terminé avec succès
Fichiers cachés: 

**************************************************************************
.
--------------------- CLES DE REGISTRE BLOQUEES ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0\0\win32]
@DACL=(02 0000)
@="c:\Program Files\MyWebSearch\bar\2.bin\F3REPROX.DLL"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø*€|ÿÿÿÿ*€|ù*9~*]
"C040110900063D11C8EF10054038389C"="C?\WINDOWS\system32\FM20ENU.DLL"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h-€|ÿÿÿÿ¤*€|ù*9~*]
"C040110900063D11C8EF10054038389C"="C?\WINDOWS\system32\FM20ENU.DLL"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\€-€|ÿÿÿÿÀ*€|ù*9~*]
"C040110900063D11C8EF10054038389C"="C?\WINDOWS\system32\FM20ENU.DLL"
.
--------------------- DLLs chargées dans les processus actifs ---------------------

- - - - - - - > 'winlogon.exe'(1268)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(1324)
c:\progra~1\NETSCA~2\sliplsp.dll
c:\windows\system32\sliprt.dll
.
Heure de fin: 2010-05-15  14:39:33
ComboFix-quarantined-files.txt  2010-05-15 17:39
ComboFix2.txt  2010-04-27 03:35
ComboFix3.txt  2010-04-21 20:10

Avant-CF: 63 012 765 696 octets libres
Après-CF: 63 065 378 816 octets libres

- - End Of File - - 9997CCF054FAC20D0D015081B3D3A9C7

mia928 · Answer

Salut dédétraqué..

Est-ce possible que l'un ou plusieurs des programmes que vous m'avez faite installer sur mon ordinateur aurais pu le ralentir?

Je trouve que depuis un certain temps (a peu près lorque j'ai commencé à installer des programmes), mon ordi se montre plus lent que d'habitude.

Merci!

dédétraqué · Answer

Salut mia928 


Désolé j'ai été fort occupé cette fin de semaine...


Est-ce possible que l'un ou plusieurs des programmes que vous m'avez faite installer sur mon ordinateur aurais pu le ralentir? 
Comme je l'ai dit plus haut ton PC étais encore infecté et fichier système modifié.

Télécharge Gmer et enregistre-le sur ton bureau.
http://www2.gmer.net/download.php

- Déconnecte toi d'internet si possible et ferme tous les programmes, puis lance l'outil.
- Clique sur le bouton "Scan" sur la droite.

- Lorsque le scan est terminé, clic sur "Copy".
- Ouvre le bloc-note et clic sur le Menu Edition / Coller
- Le rapport doit alors apparaître.

- Enregistre le fichier sur ton bureau et copie/colle le contenu ici.


@++  :)

mia928 · Answer

Salut dédétraqué

Ahh, alors l'infection ralentit mon ordi?

Voici le rapport:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-18 07:09:23
Windows 5.1.2600 Service Pack 3
Running: z0vjw5ke.exe; Driver: C:\DOCUME~1\Zamboni\LOCALS~1\Temp\fxrorkoc.sys


---- System - GMER 1.0.15 ----

SSDT            \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. )  ZwOpenProcess [0xAB942670]
SSDT            \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com)                                                             ZwTerminateProcess [0xADCC8F20]
SSDT            \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. )  ZwTerminateThread [0xAB9427C0]
SSDT            \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. )  ZwWriteVirtualMemory [0xAB942860]

---- Kernel code sections - GMER 1.0.15 ----

.rsrc           C:\WINDOWS\system32\drivers\atapi.sys                                                                                                                                     entry point in ".rsrc" section [0xF7325780]
.text           C:\WINDOWS\system32\DRIVERS\ati2mtag.sys                                                                                                                                  section is writeable [0xF6669000, 0x19DA46, 0xE8000020]

---- Devices - GMER 1.0.15 ----

AttachedDevice  \FileSystem\Ntfs \Ntfs                                                                                                                                                    AVGIDSFilter.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice  \Driver\Tcpip \Device\Ip                                                                                                                                                  avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice  \Driver\Tcpip \Device\Tcp                                                                                                                                                 avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device          \Driver\atapi \Device\Ide\IdePort0                                                                                                                                        [F7318B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device          \Driver\atapi \Device\Ide\IdePort1                                                                                                                                        [F7318B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device          \Driver\atapi \Device\Ide\IdePort2                                                                                                                                        [F7318B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device          \Driver\atapi \Device\Ide\IdePort3                                                                                                                                        [F7318B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device          \Driver\atapi \Device\Ide\IdePort4                                                                                                                                        [F7318B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device          \Driver\atapi \Device\Ide\IdePort5                                                                                                                                        [F7318B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device          \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-16                                                                                                                              [F7318B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device          \Driver\atapi \Device\Ide\IdeDeviceP5T0L0-b                                                                                                                               [F7318B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}

AttachedDevice  \Driver\Tcpip \Device\Udp                                                                                                                                                 avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice  \Driver\Tcpip \Device\RawIp                                                                                                                                               avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice  \FileSystem\Fastfat \Fat                                                                                                                                                  fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice  \FileSystem\Fastfat \Fat                                                                                                                                                  AVGIDSFilter.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

---- Registry - GMER 1.0.15 ----

Reg             HKLM\SOFTWARE\Classes\CLSID\{089E6823-B8BE-478A-BD90-D4B8DDC332DE}\InprocServer32@                                                                                        C:\PROGRA~1\MICROS~2\OFFICE11\IEAWSDC.DLL
Reg             HKLM\SOFTWARE\Classes\CLSID\{089E6823-B8BE-478A-BD90-D4B8DDC332DE}\InprocServer32@ThreadingModel                                                                          Apartment
Reg             HKLM\SOFTWARE\Classes\CLSID\{089E6823-B8BE-478A-BD90-D4B8DDC332DE}\ProgID@                                                                                                Office.awsdc.1
Reg             HKLM\SOFTWARE\Classes\CLSID\{089E6823-B8BE-478A-BD90-D4B8DDC332DE}\TypeLib@                                                                                               {012F24C1-35B0-11D0-BF2D-0000E8D0D146}
Reg             HKLM\SOFTWARE\Classes\CLSID\{089E6823-B8BE-478A-BD90-D4B8DDC332DE}\Version@                                                                                               1.0
Reg             HKLM\SOFTWARE\Classes\CLSID\{089E6823-B8BE-478A-BD90-D4B8DDC332DE}\VersionIndependentProgID@                                                                              Office.awsdc
Reg             HKLM\SOFTWARE\Classes\CLSID\{284F0BD5-81D1-7456-EF12-DF58AD1383B6}\InprocServer32@                                                                                        C:\WINDOWS\system32\PortableDeviceTypes.dll
Reg             HKLM\SOFTWARE\Classes\CLSID\{284F0BD5-81D1-7456-EF12-DF58AD1383B6}\InprocServer32@ThreadingModel                                                                          Both
Reg             HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\LocalServer32@                                                                                         C:\PROGRA~1\MICROS~2\OFFICE11\MSPUB.EXE /Automation
Reg             HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\LocalServer32@LocalServer32                                                                            *]gAVn-}f(ZXfeAR6.jiPubPrimary>dic+V~SM09P_'_@$%)xK /Automation?
Reg             HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\NotInsertable@                                                                                         
Reg             HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\ProgID@                                                                                                Publisher.Application.11
Reg             HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\Programmable@                                                                                          
Reg             HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\TypeLib@                                                                                               {0002123C-0000-0000-C000-000000000046}
Reg             HKLM\SOFTWARE\Classes\CLSID\{35C4FFFE-BE6C-7BA5-2E99-205B388F02D7}\VersionIndependentProgID@                                                                              Publisher.Application
Reg             HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32                                                                                         
Reg             HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel                                                                          Apartment
Reg             HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@                                                                                        C:\WINDOWS\system32\OLE32.DLL
Reg             HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b                                                        0xC8 0x28 0x51 0xAF ...
Reg             HKLM\SOFTWARE\Classes\CLSID\{5FA45BED-077A-9079-9181-7DC47626297F}\InprocServer32@                                                                                        C:\Program Files\Fichiers communs\Microsoft Shared\Information Retrieval\ITIRCL52.DLL
Reg             HKLM\SOFTWARE\Classes\CLSID\{5FA45BED-077A-9079-9181-7DC47626297F}\InprocServer32@InprocServer32                                                                          *]gAVn-}f(ZXfeAR6.jiTranslationHidden>BbxH8x=!g(3?!!!_GX=b?
Reg             HKLM\SOFTWARE\Classes\CLSID\{5FA45BED-077A-9079-9181-7DC47626297F}\InprocServer32@ThreadingModel                                                                          both
Reg             HKLM\SOFTWARE\Classes\CLSID\{5FA45BED-077A-9079-9181-7DC47626297F}\ProgID@                                                                                                ITIR.DefaultStemmer.5.2
Reg             HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32                                                                                         
Reg             HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel                                                                          Apartment
Reg             HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@                                                                                        C:\WINDOWS\system32\OLE32.DLL
Reg             HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b                                                        0x71 0x3B 0x04 0x66 ...
Reg             HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32                                                                                         
Reg             HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel                                                                          Apartment
Reg             HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@                                                                                        C:\WINDOWS\system32\OLE32.DLL
Reg             HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016                                                        0xFF 0x7C 0x85 0xE0 ...
Reg             HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32                                                                                         
Reg             HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel                                                                          Apartment
Reg             HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@                                                                                        C:\WINDOWS\system32\OLE32.DLL
Reg             HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48                                                        0x86 0x8C 0x21 0x01 ...
Reg             HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32                                                                                         
Reg             HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel                                                                          Apartment

mia928 · Answer

Reg             HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@                                                                                        C:\WINDOWS\system32\OLE32.DLL
Reg             HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472                                                        0xF5 0x1D 0x4D 0x73 ...
Reg             HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32                                                                                         
Reg             HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel                                                                          Apartment
Reg             HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@                                                                                        C:\WINDOWS\system32\OLE32.DLL
Reg             HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d                                                        0xB0 0x18 0xED 0xA7 ...
Reg             HKLM\SOFTWARE\Classes\CLSID\{961E2139-9A58-90A1-0365-C7FA3C64FE29}\DefaultIcon@                                                                                           C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE,7
Reg             HKLM\SOFTWARE\Classes\CLSID\{961E2139-9A58-90A1-0365-C7FA3C64FE29}\InprocServer32@ThreadingModel                                                                          Apartment
Reg             HKLM\SOFTWARE\Classes\CLSID\{961E2139-9A58-90A1-0365-C7FA3C64FE29}\InprocServer32@                                                                                        C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL
Reg             HKLM\SOFTWARE\Classes\CLSID\{961E2139-9A58-90A1-0365-C7FA3C64FE29}\Shell\Open                                                                                             
Reg             HKLM\SOFTWARE\Classes\CLSID\{961E2139-9A58-90A1-0365-C7FA3C64FE29}\Shell\Open\Command                                                                                     
Reg             HKLM\SOFTWARE\Classes\CLSID\{961E2139-9A58-90A1-0365-C7FA3C64FE29}\Shell\Open\Command@                                                                                    "C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE"
Reg             HKLM\SOFTWARE\Classes\CLSID\{961E2139-9A58-90A1-0365-C7FA3C64FE29}\shellex\PropertySheetHandlers                                                                          
Reg             HKLM\SOFTWARE\Classes\CLSID\{961E2139-9A58-90A1-0365-C7FA3C64FE29}\shellex\PropertySheetHandlers\{00020D75-0000-0000-C000-000000000046}                                   
Reg             HKLM\SOFTWARE\Classes\CLSID\{961E2139-9A58-90A1-0365-C7FA3C64FE29}\shellex\PropertySheetHandlers\{00020D75-0000-0000-C000-000000000046}@                                  
Reg             HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\InprocServer32@                                                                                        C:\Program Files\Google\Google Earth\plugin\plugin_ax.dll
Reg             HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\InprocServer32@ThreadingModel                                                                          apartment
Reg             HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\MiscStatus@                                                                                            0
Reg             HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\MiscStatus\1                                                                                           
Reg             HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\MiscStatus\1@                                                                                          131473
Reg             HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\ProgID@                                                                                                KmlLayerRootCoClass.KmlLayerRootCoC.1.0
Reg             HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\ToolboxBitmap32@                                                                                       C:\Program Files\Google\Google Earth\plugin\plugin_ax.dll, 1
Reg             HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\TypeLib@                                                                                               {F9152AEC-3462-4632-8087-EEE3C3CDDA35}
Reg             HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\Version@                                                                                               1.0
Reg             HKLM\SOFTWARE\Classes\CLSID\{A4A89CDB-91EF-5D57-F4C6-A70AD0C9D045}\VersionIndependentProgID@                                                                              KmlLayerRootCoClass.KmlLayerRootCoC
Reg             HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32                                                                                         
Reg             HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel                                                                          Apartment
Reg             HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@                                                                                        C:\WINDOWS\system32\OLE32.DLL
Reg             HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b                                                        0x31 0x77 0xE1 0xBA ...
Reg             HKLM\SOFTWARE\Classes\CLSID\{D9C47CD5-9B59-C3BF-FC64-7B1564692D75}\InProcServer32@                                                                                        %SystemRoot%\system32\dsuiext.dll
Reg             HKLM\SOFTWARE\Classes\CLSID\{D9C47CD5-9B59-C3BF-FC64-7B1564692D75}\InProcServer32@ThreadingModel                                                                          Apartment
Reg             HKLM\SOFTWARE\Classes\CLSID\{D9C47CD5-9B59-C3BF-FC64-7B1564692D75}\ShellEx\MayChangeDefaultMenu                                                                           
Reg             HKLM\SOFTWARE\Classes\CLSID\{D9C47CD5-9B59-C3BF-FC64-7B1564692D75}\ShellEx\MayChangeDefaultMenu@                                                                          1
Reg             HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32                                                                                         
Reg             HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel                                                                          Apartment
Reg             HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@                                                                                        C:\WINDOWS\system32\OLE32.DLL
Reg             HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d                                                        0x83 0x6C 0x56 0x8B ...
Reg             HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32                                                                                         
Reg             HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel                                                                          Apartment
Reg             HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@                                                                                        C:\WINDOWS\system32\OLE32.DLL
Reg             HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3                                                        0xF6 0x0F 0x4E 0x58 ...
Reg             HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32                                                                                         
Reg             HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel                                                                          Apartment
Reg             HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@                                                                                        C:\WINDOWS\system32\OLE32.DLL
Reg             HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b                                                        0xB1 0xCD 0x45 0x5A ...
Reg             HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32                                                                                         
Reg             HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel                                                                          Apartment
Reg             HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@                                                                                        C:\WINDOWS\system32\OLE32.DLL
Reg             HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6                                                        0xE3 0x0E 0x66 0xD5 ...
Reg             HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32                                                                                         
Reg             HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel                                                                          Apartment
Reg             HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@                                                                                        C:\WINDOWS\system32\OLE32.DLL
Reg             HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2                                                        0xFA 0xEA 0x66 0x7F ...
Reg             HKLM\SOFTWARE\Classes\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0\0\win32@                                                                                         C:\Program Files\MyWebSearch\bar\2.bin\F3REPROX.DLL

---- Files - GMER 1.0.15 ----

File            C:\WINDOWS\system32\sys_drv.dat                                                                                                                                           6024 bytes
File            C:\WINDOWS\system32\sys_drv_2.dat                                                                                                                                         5020 bytes
File            C:\WINDOWS\system32\WinFLdrv.sys                                                                                                                                          17984 bytes executable                                                                            <-- ROOTKIT !!!
File            C:\Documents and Settings\Zamboni\Application Data\systemfl.$dk                                                                                                           990 bytes
File            C:\WINDOWS\system32\drivers\atapi.sys                                                                                                                                     suspicious modification

---- Services - GMER 1.0.15 ----

Service         C:\WINDOWS\system32\WinFLdrv.sys                                                                                                                                          [AUTO] WinFLdrv                                                                                   <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----

Merci!

dédétraqué · Answer

Salut mia928 


Combofix n'a pas réparer, on va voir avec un fichier de remplacement pour le fichier système atapi.sys :

Télécharge SystemLook sur ton Bureau :
http://jpshortstuff.247fixes.com/SystemLook.exe

- Double-clique sur SystemLook.exe pour le lancer.

- Copie le contenu en gras ci-dessous et colle-le dans la zone texte de SystemLook :

 :filefind
atapi.sys

- Clique sur le bouton Look pour démarrer l'examen.
- A la fin, le Bloc-notes s'ouvre avec le résultat de l'analyse. Copie-colle le rapport dans ta prochaine réponse.


@++   :)

mia928 · Answer

Bonjour dédétraqué

Voici le rapport:

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 23:08 on 19/05/2010 by Zamboni (Administrator - Elevation successful)

========== filefind ==========

Searching for "atapi.sys "
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys	-----c 95360 bytes	[18:02 17/10/2008]	[01:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ERDNT\cache\atapi.sys	--a--- 96512 bytes	[20:09 21/04/2010]	[18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\ServicePackFiles\i386\atapi.sys	-----c 96512 bytes	[18:40 13/04/2008]	[18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys	--a--- 96512 bytes	[12:00 02/03/2006]	[18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\system32\DRIVERS\atapi.sys	--a--c 95360 bytes	[06:15 03/07/2008]	[12:00 02/03/2006] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\system32\ReinstallBackups\0005\DriverFiles\i386\atapi.sys	--a--c 95360 bytes	[06:15 03/07/2008]	[12:00 02/03/2006] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\i386\atapi.sys	--a--c 95360 bytes	[06:15 03/07/2008]	[01:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51

-=End Of File=-

Merci!

Virus de pop ups.

69 réponses

Votre réponse

Discussions similaires

Newsletters