Thank you all very much for wanting to help me; here is the ComboFix report, hoping it's nothing too serious (I didn't understand what "kitty have a snack" was):
ComboFix 10-04-21.01 - Mimi 24/04/2010 16:24:30.1.2 - x86
Microsoft® Windows Vista(TM) Home Premium 6.0.6002.2.1252.33.1036.18.3062.1783 [GMT 2:00]
Running from: c:\users\Mimi\Downloads\ComboFix.exe
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
.
(((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\$recycle.bin\S-1-5-21-3439835839-1429783917-1240170184-500
C:\ErrLog.txt
c:\users\Mimi\AppData\Roaming\.#
c:\users\Mimi\AppData\Roaming\Desktopicon
c:\users\Mimi\AppData\Roaming\Desktopicon\config.ini
c:\users\Mimi\AppData\Roaming\Desktopicon\eBayShortcuts.exe
c:\users\Mimi\AppData\Roaming\Microsoft\Windows\Recent_NEW_Time_Management_Game_[AllSmartGas.pif
c:\users\Mimi\AppData\Roaming\Microsoft\Windows\Recent
Infected copy of c:\windows\system32\drivers\volmgr.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_Boonty Games
((((((((((((((((((((((((((((( Files Created from 2010-03-24 to 2010-04-24 ))))))))))))))))))))))))))))))))))))
.
2010-04-24 14:32 . 2010-04-24 14:32 -------- d-----w- c:\users\Mimi\AppData\Local\temp
2010-04-24 14:32 . 2010-04-24 14:32 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-04-24 13:39 . 2010-04-24 13:39 -------- d-----w- c:\program files\ZHPDiag
2010-04-24 11:56 . 2010-04-24 11:56 -------- d-----w- c:\users\Mimi\AppData\Roaming\Malwarebytes
2010-04-24 11:56 . 2010-04-24 11:56 -------- d-----w- c:\programdata\Malwarebytes
2010-04-21 18:36 . 2010-04-24 07:02 -------- d-----w- c:\users\Mimi\AppData\Local\adslTV
2010-04-16 12:08 . 2010-04-16 12:08 -------- d-----w- c:\program files\Alawar Entertainment
2010-04-14 06:15 . 2010-02-18 14:07 3600776 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-14 06:15 . 2010-02-18 14:07 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-14 06:15 . 2010-03-04 17:33 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-04-14 06:15 . 2010-02-23 11:10 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-14 06:15 . 2010-02-23 11:10 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-14 06:15 . 2010-02-23 11:10 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-14 06:15 . 2010-02-18 14:07 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-14 06:15 . 2010-02-18 13:30 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-04-14 06:15 . 2010-02-18 11:28 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-04-14 06:15 . 2009-12-23 11:33 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-14 06:15 . 2010-01-13 17:34 98304 ----a-w- c:\windows\system32\cabview.dll
2010-04-09 07:07 . 2010-04-20 11:40 -------- d-----w- c:\program files\World of Warcraft
2010-04-08 09:36 . 2010-04-08 09:47 -------- d-----w- c:\programdata\Blizzard Entertainment
2010-04-08 07:27 . 2010-04-09 07:19 -------- d-----w- c:\users\Public\Games
2010-03-31 11:11 . 2010-03-09 15:42 834048 ----a-w- c:\windows\system32\wininet.dll
2010-03-31 11:11 . 2010-03-09 16:25 78336 ----a-w- c:\windows\system32\ieencode.dll
.
(((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-24 14:34 . 2008-06-19 12:15 220444 ----a-w- c:\programdata\nvModes.dat
2010-04-24 14:30 . 2008-06-19 21:27 669566 ----a-w- c:\windows\system32\perfh00C.dat
2010-04-24 14:30 . 2008-06-19 21:27 123556 ----a-w- c:\windows\system32\perfc00C.dat
2010-04-24 14:12 . 2008-12-11 12:47 -------- d-----w- c:\users\Mimi\AppData\Roaming\DNA
2010-04-24 11:24 . 2008-09-11 15:13 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-04-23 12:33 . 2008-12-11 12:47 -------- d-----w- c:\users\Mimi\AppData\Roaming\BitTorrent
2010-04-21 18:36 . 2008-09-10 19:25 -------- d-----w- c:\program files\adslTV
2010-04-21 18:32 . 2008-09-10 19:25 -------- d-----w- c:\users\Mimi\AppData\Roaming\vlc
2010-04-17 11:31 . 2009-07-27 11:53 -------- d-----w- c:\programdata\AlawarWrapper
2010-04-16 12:07 . 2009-08-03 14:49 -------- d-----w- c:\program files\Safari
2010-04-16 12:01 . 2010-04-16 12:01 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe
2010-04-14 06:22 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-04-14 06:18 . 2008-06-19 12:46 -------- d-----w- c:\programdata\Microsoft Help
2010-03-29 11:43 . 2009-03-07 13:20 -------- d-----w- c:\users\Mimi\AppData\Roaming\SpinTop Games
2010-03-09 11:42 . 2010-03-09 11:42 -------- d-----w- c:\users\Mimi\AppData\Roaming\Gamelab
2010-03-08 12:33 . 2009-10-02 06:58 -------- d-----w- c:\program files\Games
2010-02-27 07:42 . 2008-09-10 06:27 76392 ----a-w- c:\users\Mimi\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-24 08:16 . 2009-10-04 10:02 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-20 23:06 . 2010-03-12 07:21 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:05 . 2010-03-12 07:21 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 20:53 . 2010-03-12 07:21 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-02-12 10:32 . 2010-03-01 07:34 293376 ----a-w- c:\windows\system32\browserchoice.exe
2010-01-25 12:00 . 2010-02-27 07:22 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-25 12:00 . 2010-02-27 07:22 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-01-25 12:00 . 2010-02-27 07:22 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-01-25 12:00 . 2010-02-27 07:22 471552 ----a-w- c:\windows\system32\secproc.dll
2010-01-25 11:58 . 2010-02-27 07:22 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-01-25 08:21 . 2010-02-27 07:22 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-01-25 08:21 . 2010-02-27 07:22 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-25 08:21 . 2010-02-27 07:22 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-01-25 08:21 . 2010-02-27 07:22 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2008-06-19 21:31 . 2008-06-19 21:31 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.
((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmpcSys"="c:\program files\Packard Bell\SetUpMyPC\SmpSys.exe" [2008-02-04 1038136]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"IncrediMail"="c:\program files\IncrediMail\bin\IncMail.exe" [2009-02-02 251264]
"BitTorrent DNA"="c:\users\Mimi\Program Files\DNA\btdna.exe" [2009-11-13 323392]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
c:\users\Mimi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ashDisp - Raccourci.lnk - c:\program files\Alwil Software\Avast4\ashDisp.exe [2009-9-6 81000]
FastStone Capture.lnk - c:\program files\FastStone Capture\FSCapture.exe [2008-10-15 1010688]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux2"=wdmaud.drv
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-14 23:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2008-07-24 15:02 490952 ----a-w- c:\program files\DAEMON Tools Lite\daemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeskSpace]
2008-02-10 08:41 1184256 ----a-w- c:\program files\DeskSpace\deskspace.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core]
2009-09-03 21:17 3342336 ----a-w- c:\program files\Electronic Arts\EADM\Core.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2008-03-25 20:27 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
2008-08-20 09:54 150016 ----a-w- c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2008-02-28 15:07 1828136 ----a-w- c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-04 23:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):45,18,83,50,b6,e5,c9,01
R3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2009-03-19 136704]
R3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2009-03-19 8320]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2009-09-03 3347280]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2008-01-21 16896]
R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2008-09-17 717296]
S1 aswSP;avast! Self Protection; [x]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-11-24 20560]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\DRIVERS\aswMonFlt.sys [2009-11-24 53328]
S2 BT848;Conexant's BtPCI WDM Video Capture;c:\windows\system32\DRIVERS\BT848.sys [2009-04-07 371349]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S3 A310;AVerMedia A310 DVB-T;c:\windows\system32\DRIVERS\AVerA310USB.sys [2007-08-19 26496]
S3 BDASwCap;AVerMedia A310 BDA DVBT Capture Device;c:\windows\system32\drivers\AVerA310Cap.sys [2007-08-19 42496]
S3 itecir;ITECIR Infrared Receiver;c:\windows\system32\DRIVERS\itecir.sys [2007-01-08 46592]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08
.
Contents of the 'Scheduled Tasks' folder
2010-04-24 c:\windows\Tasks\Extension de garantie-Mimi.job
- c:\program files\Packard Bell\SetupmyPC\PBCarNot.exe [2008-06-19 10:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://mystart.incredimail.com/
mStart Page = hxxp://eo.st
uInternet Settings,ProxyOverride = *.local
IE: &Add animation to IncrediMail Style Box - c:\program files\IncrediMail\bin\resources\WebMenuImg.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Mimi\AppData\Roaming\Mozilla\Firefox\Profiles\r0vjtvo4.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=VIATDF&PC=VIATDF&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.fr/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?btnI=I%27m+Feeling+Lucky&q=
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\Mimi\Program Files\DNA\plugins\npbtdna.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-Malwarebytes Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe
MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe
AddRemove-Active WebCam - c:\program files\Active WebCam\PY_UNINSTAL.EXE SOFTWARE\PySoft\Act_WebCam
AddRemove-AVerMedia A310 (MiniCard, DVB-T) - c:\program files\AVerMedia\AVerMedia A310 (MiniCard
**************************************************************************
Scanning hidden processes ...
Scanning hidden autostart entries ...
Scanning hidden files ...
Scan completed successfully
Hidden files:
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-590227869-547796766-1065380527-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9922F856-0869-6DA2-55D9-17E0AC8645EB}*]
"oafahafaadmjjdhllfcdelkflldgal"=hex:6a,61,61,6a,61,63,63,6a,63,6e,6e,63,66,65,
64,64,61,6c,6b,62,00,8b
"pappfloadlgjmhkpnionmaaomilklcnd"=hex:6a,61,61,6a,61,63,63,6a,63,6e,6e,63,66,
65,64,64,61,6c,6b,62,00,8b
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'Explorer.exe'(1516)
c:\program files\Bonjour\mdnsNSP.dll
c:\windows\System32\netshell.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
c:\progra~1\SPYBOT~1\SDHelper.dll
c:\program files\Common Files\Nero\Lib\MediaLibraryNSE.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\rundll32.exe
c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\system32\IoctlSvc.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\progra~1\COMMON~1\X10\Common\x10nets.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\conime.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
c:\windows\system32\DllHost.exe
.
**************************************************************************
.
Completion time: 2010-04-24 16:41:50 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-24 14:41
Pre-Run: 146,751,037,440 bytes free
Post-Run: 146,464,587,776 bytes free
- - End Of File - - 5E9412DC34DBDCA8BCD7E01B0F297ACB
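As an added example (not part of the original post and not ComboFix's own code), here is a small Python parser that pulls out of a ComboFix log the three things a helper reading it would flag: the kernel driver ComboFix had to disinfect, the Security Center monitoring entries that were switched off, and the locked registry key whose value names and data are random-looking strings. The excerpt it runs on is copied from the log above (ComboFix emits its messages in the system language, so the French wording of this run and ComboFix's English wording are both matched). The "random-looking name" test is a heuristic of mine, not a ComboFix rule, and decoding the hex shows only what the bytes spell, not what wrote them.

```python
"""Pull the indicators discussed in this thread out of a ComboFix log.
Added example, not part of the original post and not ComboFix's own code. It accepts
the French wording of the user's run as well as ComboFix's English one, and flags the
drivers ComboFix disinfected, Security Center monitoring switched off, and locked
registry keys whose value names look random (a heuristic assumed by this example)."""
import re

# Constructed excerpt: the lines below are copied from the log posted above.
SAMPLE_LOG = r"""
Une copie infectée de c:\windows\system32\drivers\volmgr.sys a été trouvée et désinfectée
Copie restaurée à partir de - Kitty had a snack :p
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
--------------------- CLES DE REGISTRE BLOQUEES ---------------------
[HKEY_USERS\S-1-5-21-590227869-547796766-1065380527-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9922F856-0869-6DA2-55D9-17E0AC8645EB}*]
"oafahafaadmjjdhllfcdelkflldgal"=hex:6a,61,61,6a,61,63,63,6a,63,6e,6e,63,66,65,
64,64,61,6c,6b,62,00,8b
"pappfloadlgjmhkpnionmaaomilklcnd"=hex:6a,61,61,6a,61,63,63,6a,63,6e,6e,63,66,
65,64,64,61,6c,6b,62,00,8b
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
"BlindDial"=dword:00000000
.
--------------------- DLLs chargées dans les processus actifs ---------------------
"""

# ComboFix localises its messages; the French and the English form are both accepted.
INFECTED_RE = re.compile(
    r"^(?:Une copie infectée de|Infected copy of) (.+?) "
    r"(?:a été trouvée et désinfectée|was found and disinfected)$"
)
LOCKED_HEADER_RE = re.compile(r"CLES DE REGISTRE BLOQUEES|LOCKED REGISTRY KEYS")
KEY_RE = re.compile(r"^\[(.+)\]$")
HEX_VALUE_RE = re.compile(r'^"([^"]+)"=hex:(.*)$')
DWORD_VALUE_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')
RANDOM_NAME_RE = re.compile(r"[a-z]{16,}")  # heuristic assumed by this example

def disinfected_files(log: str) -> list:
    """Paths of files ComboFix reported as infected and replaced."""
    return [m.group(1) for line in log.splitlines()
            if (m := INFECTED_RE.match(line.strip()))]

def security_center_disabled(log: str) -> list:
    """Security Center keys where DisableMonitoring is set to 1."""
    current, hits = None, []
    for line in map(str.strip, log.splitlines()):
        if key := KEY_RE.match(line):
            current = key.group(1)
        elif (val := DWORD_VALUE_RE.match(line)) and current and "security center" in current.lower():
            if val.group(1) == "DisableMonitoring" and int(val.group(2), 16) == 1:
                hits.append(current)
    return hits

def locked_registry_keys(log: str) -> dict:
    """Locked keys and their REG_BINARY values, re-joining the wrapped hex lines."""
    lines = [l.strip() for l in log.splitlines()]
    result, current, in_section, i = {}, None, False, 0
    while i < len(lines):
        line = lines[i]
        if LOCKED_HEADER_RE.search(line):
            in_section = True
        elif in_section and line.startswith("-----"):
            break  # reached the next section header
        elif in_section and (key := KEY_RE.match(line)):
            current = key.group(1)
            result[current] = {}
        elif in_section and current and (val := HEX_VALUE_RE.match(line)):
            name, hexdata = val.group(1), val.group(2)
            while hexdata.endswith(",") and i + 1 < len(lines):  # dump wraps onto next line
                i += 1
                hexdata += lines[i]
            result[current][name] = bytes.fromhex(hexdata.replace(",", ""))
        i += 1
    return result

def report(log: str) -> dict:
    """Everything a helper reading this log would want flagged, in one dict.
    'Random-looking' means a long run of lowercase letters with no separator; that
    test is an assumption of this example, not a ComboFix rule."""
    locked = locked_registry_keys(log)
    suspicious = [
        # bytes up to the first NUL, decoded as latin-1 so nothing can raise
        {"key": key, "value": name, "data": data.split(b"\x00", 1)[0].decode("latin-1")}
        for key, values in locked.items() for name, data in values.items()
        if RANDOM_NAME_RE.fullmatch(name)
    ]
    return {"disinfected": disinfected_files(log),
            "security_center_disabled": security_center_disabled(log),
            "locked_keys": list(locked), "suspicious_values": suspicious}

if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it as-is to see the findings for the excerpt, or pass a whole saved ComboFix log to report(). On this log the two random-named values decode to the same string, "jaajaccjcnncfeddalkb", followed by a NUL and one stray byte; that, together with the disinfected volmgr.sys and three monitoring entries disabled, is what to weigh before trusting the "scan completed successfully" line.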
Edited by kalimusic on 24/04/2010 at 15:34
for mayflower: ep44 or guillaume 5188 will take care of your PC (they posted at the same time), because it's a very stubborn TDSS infection.
Good luck, see you
24 April 2010 at 16:22
Edited by Guillaume5188 on 24/04/2010 at 16:48
Exactly; look it up on Google by typing this:
C:\Windows\Temp\*.tmp\svchost.exe
@+
Edited by kalimusic on 24/04/2010 at 16:43
Note that this one is recent and therefore current. Reading this article, indeed one doesn't see why our fellow netizen needed to post at all, it seems so easy to me to treat
(editor's note: humour)
QED
edit: hi Guillaume, I hadn't seen you