Infected by rootkit

Solved
John -
Hello, this morning my Avast alerted me to a rootkit in c:\windows\driver\
with .sys files on which no action was possible. I ran ComboFix; here is the log:

ComboFix 10-04-21.01 - john 26/04/2010 13:28:49.2.1 - x86
Microsoft Windows XP Professionnel 5.1.2600.3.1252.33.1036.18.895.590 [GMT 2:00]
Lancé depuis: c:\documents and settings\john\Bureau\ComboFix.exe
.

((((((((((((((((((((((((((((( Fichiers créés du 2010-03-26 au 2010-04-26 ))))))))))))))))))))))))))))))))))))
.

2010-04-26 11:14 . 2010-04-26 11:17 574464 ----a-w- c:\windows\system32\drivers\priuz.sys
2010-04-26 10:59 . 2010-04-26 11:06 574464 ----a-w- c:\windows\system32\drivers\brdee.sys
2010-04-26 10:53 . 2010-04-26 10:55 574464 ----a-w- c:\windows\system32\drivers\fbyabclj.sys
2010-04-26 10:46 . 2010-04-14 16:35 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-04-26 10:46 . 2010-04-14 16:35 162768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-04-26 10:46 . 2010-04-14 16:31 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-04-26 10:46 . 2010-04-14 16:31 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-04-26 10:46 . 2010-04-14 16:31 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-04-26 10:46 . 2010-04-14 16:31 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-04-26 10:46 . 2010-04-14 16:30 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-04-26 10:46 . 2010-04-14 16:47 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-04-26 10:46 . 2010-04-14 16:47 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-04-26 10:46 . 2010-04-26 10:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-04-26 10:40 . 2010-04-26 10:46 574464 ----a-w- c:\windows\system32\drivers\zytzl.sys
2010-04-26 10:18 . 2010-04-26 10:19 574464 ----a-w- c:\windows\system32\drivers\lbobftg.sys
2010-04-26 08:07 . 2010-04-26 10:29 -------- d-----w- c:\windows\LastGood.Tmp
2010-04-26 08:07 . 2010-04-26 08:07 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-04-26 08:07 . 2010-04-26 08:07 -------- d-----r- c:\documents and settings\LocalService\Favoris
2010-04-26 07:14 . 2010-04-26 07:14 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-04-26 07:13 . 2010-04-26 07:13 -------- d-----w- c:\documents and settings\john\Application Data\Malwarebytes
2010-04-26 07:13 . 2010-03-29 22:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-26 07:13 . 2010-04-26 07:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-26 07:13 . 2010-04-26 07:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-26 07:13 . 2010-03-29 22:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-26 06:58 . 2008-04-13 09:40 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-04-26 06:58 . 2008-04-13 09:40 34688 ----a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-04-26 06:58 . 2008-04-13 09:41 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-04-26 06:58 . 2008-04-13 09:41 8192 ----a-w- c:\windows\system32\dllcache\changer.sys
2010-04-01 15:34 . 2010-04-01 15:34 -------- d-----w- c:\program files\EZFace
2010-03-29 06:36 . 2009-10-23 15:28 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-26 11:34 . 2010-04-26 11:34 574464 ----a-w- c:\windows\system32\drivers\mlbgn.sys
2010-04-26 11:34 . 2009-12-15 08:16 802304 ----a-w- c:\windows\system32\drivers\mfjaimqa.sys
2010-04-26 10:46 . 2008-08-11 12:16 -------- d-----w- c:\program files\Alwil Software
2010-04-26 08:07 . 2010-04-26 08:07 574464 ----a-w- c:\windows\TMP5.tmp
2010-04-26 08:07 . 2004-08-03 23:00 574464 ----a-w- c:\windows\system32\drivers\http.sys
2010-04-26 08:06 . 2010-04-26 08:06 4922 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2010-04-26 08:06 . 2006-01-26 20:35 568780 ----a-w- c:\windows\system32\perfh00C.dat
2010-04-26 08:06 . 2006-01-26 20:35 108874 ----a-w- c:\windows\system32\perfc00C.dat
2010-04-07 09:31 . 2008-02-08 13:59 -------- d-----w- c:\program files\Google
2008-08-11 08:12 . 2008-08-11 08:12 23 --sha-w- c:\windows\system32\aadebcf4_z.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-04-26_10.38.50 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-11 22:02 . 2009-07-11 22:02 51008 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa\vcomp90.dll
+ 2009-07-11 22:02 . 2009-07-11 22:02 59728 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90rus.dll
+ 2009-07-11 22:02 . 2009-07-11 22:02 42832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90kor.dll
+ 2009-07-11 22:02 . 2009-07-11 22:02 43344 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90jpn.dll
+ 2009-07-11 22:02 . 2009-07-11 22:02 61264 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90ita.dll
+ 2009-07-11 22:02 . 2009-07-11 22:02 62800 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90fra.dll
+ 2009-07-11 22:02 . 2009-07-11 22:02 61760 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esp.dll
+ 2009-07-11 22:02 . 2009-07-11 22:02 61776 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esn.dll
+ 2009-07-11 22:02 . 2009-07-11 22:02 53568 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90enu.dll
+ 2009-07-11 22:02 . 2009-07-11 22:02 63296 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90deu.dll
+ 2009-07-11 22:02 . 2009-07-11 22:02 36688 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90cht.dll
+ 2009-07-11 22:02 . 2009-07-11 22:02 35648 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90chs.dll
+ 2009-07-11 22:05 . 2009-07-11 22:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90u.dll
+ 2009-07-11 22:05 . 2009-07-11 22:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90.dll
+ 2010-04-26 11:27 . 2010-04-26 11:27 16384 c:\windows\Temp\Perflib_Perfdata_248.dat
+ 2009-07-11 22:02 . 2009-07-11 22:02 653120 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcr90.dll
+ 2009-07-11 22:02 . 2009-07-11 22:02 569664 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcp90.dll
+ 2009-07-11 22:05 . 2009-07-11 22:05 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcm90.dll
+ 2009-07-11 22:02 . 2009-07-11 22:02 159032 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2\atl90.dll
+ 2010-04-26 10:46 . 2010-04-26 10:46 219648 c:\windows\Installer\f53b8.msi
+ 2009-07-11 22:02 . 2009-07-11 22:02 3780424 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90u.dll
+ 2009-07-11 22:02 . 2009-07-11 22:02 3765048 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90.dll
.
((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-10 68856]
"Google Update"="c:\documents and settings\john\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-04-21 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Mouse Suite 98 Daemon"="ICO.EXE" [2005-04-13 49152]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"RTHDCPL"="RTHDCPL.EXE" [2007-10-16 16855552]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-15 149280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

c:\documents and settings\Administrateur\Menu D'marrer\Programmes\D'marrage\
CCC.lnk - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2006-9-29 49152]

c:\documents and settings\Administrateur\Menu D'marrer\Programmes\D'marrage\
CCC.lnk - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2006-9-29 49152]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 d344bus;d344bus;c:\windows\system32\drivers\d344bus.sys [22/05/2008 15:44 137216]
R0 d344prt;d344prt;c:\windows\system32\drivers\d344prt.sys [22/05/2008 15:44 5248]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [26/04/2010 12:46 162768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [26/04/2010 12:46 19024]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [22/05/2007 16:59 30336]
S2 gupdate;Service Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [18/11/2009 15:13 135664]
S3 maconfservice;Ma-Config Service;c:\program files\ma-config.com\maconfservice.exe [11/12/2009 16:43 238960]

--- Autres Services/Pilotes en mémoire ---

*NewlyCreated* - MLBGN
*Deregistered* - mfjaimqa
*Deregistered* - mlbgn
.
Contenu du dossier 'Tâches planifiées'

2010-04-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-18 13:13]

2010-04-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-18 13:13]

2010-04-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3136234265-601822484-2454817574-1008Core.job
- c:\documents and settings\john\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-21 06:30]

2010-04-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3136234265-601822484-2454817574-1008UA.job
- c:\documents and settings\john\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-21 06:30]

2010-04-26 c:\windows\Tasks\User_Feed_Synchronization-{C559A810-C6C3-4249-85CF-66A7272D9D9E}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 03:31]
.
.
------- Examen supplémentaire -------
.
uStart Page = hxxp://www.google.fr/
IE: E&xporter vers Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
TCP: {8834C4ED-D914-410F-A084-AF4EE0DDA5C3} = 192.168.0.1
FF - ProfilePath - c:\documents and settings\john\Application Data\Mozilla\Firefox\Profiles\o0upzg5e.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101699&gct=&gc=1&q=
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- PARAMETRES FIREFOX ----
pref(dom.disable_open_during_load, false);c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-26 13:34
Windows 5.1.2600 Service Pack 3 NTFS

Recherche de processus cachés ...

Recherche d'éléments en démarrage automatique cachés ...

Recherche de fichiers cachés ...

Scan terminé avec succès
Fichiers cachés: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x853062E0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7520f28
\Driver\ACPI -> ACPI.sys @ 0xf7390cb8
\Driver\atapi -> 0x853062e0
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->NDIS: Marvell Yukon 88E8071 PCI-E Gigabit Ethernet Controller -> SendCompleteHandler -> NDIS.sys @ 0xf70eabb0
PacketIndicateHandler -> NDIS.sys @ 0xf70d9a0d
SendHandler -> NDIS.sys @ 0xf70edb40
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet007\Services\mfjaimqa]

[HKEY_LOCAL_MACHINE\System\ControlSet007\Services\mlbgn]

.
--------------------- CLES DE REGISTRE BLOQUEES ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø*€|ÿÿÿÿ*€|é*9~*]
"C040110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
--------------------- DLLs chargées dans les processus actifs ---------------------

- - - - - - - > 'winlogon.exe'(972)
c:\windows\system32\Ati2evxx.dll
.
Heure de fin: 2010-04-26 13:36:26
ComboFix-quarantined-files.txt 2010-04-26 11:36
ComboFix2.txt 2010-04-26 10:40

Avant-CF: 116 515 938 304 octets libres
Après-CF: 116 508 151 808 octets libres

Current=7 Default=7 Failed=6 LastKnownGood=8 Sets=1,2,3,4,5,6,7,8
- - End Of File - - 8A5FB8257FE941355C5C75CC51DF8482

Problem: the PC no longer boots in safe mode.

27 replies

  1. Tigzy Posts: 7983 Status: Security contributor 582
     
    Hi

    Do you mean it only boots in safe mode? Or doesn't boot at all?

    You must never use ComboFix without a helper's advice!!!!

    You have an MBR infection.

    Download TDSS remover

    * The program may ask to reboot => click "Yes"
    * Launch the program; the scan starts.
    * The hidden programs appear; select them and click "Delete Selected"
    * The program asks to reboot the PC; click "Yes"
    * Post the report if possible.

    --------------

    *Download mbr.exe from Gmer to the desktop: mbr.exe
    *Disable your protections and cut the connection.
    *On Windows XP: double-click mbr.exe / On Windows Vista or Seven, right-click mbr.exe and choose "Run as administrator"
    *A report will be generated: mbr.log

    -----

    I see at least 7 rootkit files:

    2010-04-26 11:14 . 2010-04-26 11:17 574464 ----a-w- c:\windows\system32\drivers\priuz.sys
    2010-04-26 10:59 . 2010-04-26 11:06 574464 ----a-w- c:\windows\system32\drivers\brdee.sys
    2010-04-26 10:53 . 2010-04-26 10:55 574464 ----a-w- c:\windows\system32\drivers\fbyabclj.sys
    2010-04-26 10:40 . 2010-04-26 10:46 574464 ----a-w- c:\windows\system32\drivers\zytzl.sys
    2010-04-26 10:18 . 2010-04-26 10:19 574464 ----a-w- c:\windows\system32\drivers\lbobftg.sys
    2010-04-26 11:34 . 2010-04-26 11:34 574464 ----a-w- c:\windows\system32\drivers\mlbgn.sys
    2010-04-26 11:34 . 2009-12-15 08:16 802304 ----a-w- c:\windows\system32\drivers\mfjaimqa.sys
    0
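As an added illustration (not code from the thread, and not part of ComboFix or any other tool named in it), the Python script below applies to the ComboFix "files created" lines the triage that the helper does by eye: it parses each line, keeps drivers created within a look-back window ending on the scan day, skips names the log attributes to the installed avast! and Malwarebytes products as well as Windows drivers that were restored together with a dllcache twin, and groups the remaining unrecognised drivers by identical size. The vendor prefixes, the set of standard Windows driver names and the size-cluster rule are assumptions made for this example. Run on the lines copied from the first log, it reports the same seven drivers the helper lists; it also singles out http.sys, whose 574464-byte size in this log equals the cluster's, as worth comparing against a known-good copy (the thread itself does not discuss that file).

```python
import re
from collections import Counter
from datetime import date, timedelta

# ComboFix "files created" / Find3M line layout:
#   <created> . <modified> <size-or-dashes> <attributes> <path>
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>\S+) (?P<path>.+)$"
)

# Assumptions for this example: name prefixes of the security products the log
# shows being installed (avast!, Malwarebytes), and the standard XP drivers that
# appear in it.  A name match only selects *which* check applies; it is never
# taken as proof that the file is clean.
VENDOR_PREFIXES = ("asw", "aavmker4", "mbam")
KNOWN_WINDOWS = {"http.sys", "changer.sys", "lbrtfdc.sys"}

SCAN_DAY = date(2010, 4, 26)  # date of the ComboFix run posted in the thread

# Sample input: lines copied from the first ComboFix log in the thread, trimmed
# to the driver-related entries plus one directory line (which must be skipped).
SAMPLE_LOG = r"""
2010-04-26 11:14 . 2010-04-26 11:17 574464 ----a-w- c:\windows\system32\drivers\priuz.sys
2010-04-26 10:59 . 2010-04-26 11:06 574464 ----a-w- c:\windows\system32\drivers\brdee.sys
2010-04-26 10:53 . 2010-04-26 10:55 574464 ----a-w- c:\windows\system32\drivers\fbyabclj.sys
2010-04-26 10:46 . 2010-04-14 16:35 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-04-26 10:46 . 2010-04-14 16:35 162768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-04-26 10:46 . 2010-04-14 16:30 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-04-26 10:46 . 2010-04-26 10:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-04-26 10:40 . 2010-04-26 10:46 574464 ----a-w- c:\windows\system32\drivers\zytzl.sys
2010-04-26 10:18 . 2010-04-26 10:19 574464 ----a-w- c:\windows\system32\drivers\lbobftg.sys
2010-04-26 07:13 . 2010-03-29 22:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-26 07:13 . 2010-03-29 22:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-26 06:58 . 2008-04-13 09:40 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-04-26 06:58 . 2008-04-13 09:40 34688 ----a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-04-26 06:58 . 2008-04-13 09:41 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-04-26 06:58 . 2008-04-13 09:41 8192 ----a-w- c:\windows\system32\dllcache\changer.sys
2010-04-26 11:34 . 2010-04-26 11:34 574464 ----a-w- c:\windows\system32\drivers\mlbgn.sys
2010-04-26 11:34 . 2009-12-15 08:16 802304 ----a-w- c:\windows\system32\drivers\mfjaimqa.sys
2010-04-26 08:07 . 2004-08-03 23:00 574464 ----a-w- c:\windows\system32\drivers\http.sys
"""


def parse(log_text):
    """Return one dict per file entry; directory entries (dashes for size) are dropped."""
    entries = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m.group("size").startswith("-"):
            continue
        path = m.group("path").lower()
        entries.append({
            "created": date.fromisoformat(m.group("created")[:10]),
            "size": int(m.group("size")),
            "path": path,
            "name": path.rsplit("\\", 1)[-1],
        })
    return entries


def triage_drivers(log_text, scan_day, window_days=1):
    """Map driver file name -> reason it deserves a closer look."""
    entries = parse(log_text)
    since = scan_day - timedelta(days=window_days)
    drivers = [e for e in entries
               if "\\drivers\\" in e["path"] and e["name"].endswith(".sys")
               and e["created"] >= since]
    # A driver restored by Windows File Protection gets a copy under dllcache
    # at the same moment; a dropped rootkit driver does not.
    wfp_twins = {e["name"] for e in entries if "\\dllcache\\" in e["path"]}

    unknown = [e for e in drivers
               if not e["name"].startswith(VENDOR_PREFIXES)
               and e["name"] not in KNOWN_WINDOWS
               and e["name"] not in wfp_twins]
    size_count = Counter(e["size"] for e in unknown)
    cluster_sizes = {s for s, n in size_count.items() if n >= 2}

    findings = {}
    for e in unknown:
        reason = "unrecognised driver created within the window"
        if e["size"] in cluster_sizes:
            reason += (f"; size {e['size']} shared with "
                       f"{size_count[e['size']] - 1} other unrecognised drivers")
        findings[e["name"]] = reason
    # A standard driver name is no alibi when the size equals the cluster's.
    for e in drivers:
        if e["name"] in KNOWN_WINDOWS and e["size"] in cluster_sizes:
            findings[e["name"]] = (f"standard Windows driver name, but size {e['size']} "
                                   "matches the suspicious cluster; compare with a known-good copy")
    return findings


def triage_sample():
    """Run the triage on the lines copied from the thread's first log."""
    return triage_drivers(SAMPLE_LOG, SCAN_DAY)


if __name__ == "__main__":
    for name, why in sorted(triage_sample().items()):
        print(f"{name:18} {why}")
```

The size cluster is the strongest signal here: six drivers with random names, all exactly 574464 bytes, all created within a few hours, is a dropper rewriting the same payload under fresh names as each earlier copy is deregistered (compare the `*NewlyCreated*` / `*Deregistered*` lines in the log). A name-based allowlist on its own would miss the http.sys observation, which is why the known-name set only switches the check rather than suppressing it.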
  2. John
     
    Hello,
    Thanks for your reply. Unfortunately, when I ran ComboFix the first time it was in safe mode; it then rebooted and after that I no longer had access to safe mode. I'll try the link to fix this.

    However, the PC hangs on the desktop (the taskbar isn't accessible (hourglass) and I can't click any icon).

    Thanks
    0
    1. Tigzy Posts: 7983 Status: Security contributor 582
       
      I won't hide it from you: this is going to be tough, it's a very serious infection.
      Do you have access to normal mode?
      0
    2. John
       
      Yes, I have access to normal mode, but it hangs for a long time before I get control.
      0
    3. Tigzy Posts: 7983 Status: Security contributor 582
       
      OK, let me know what the scan gives.
      0
  3. John
     
    I managed to boot into safe mode; however, TDSS remover returns an error when I launch it: "Erro while creating or starting service."

    And here is the mbr.exe log:

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    kernel: MBR read successfully
    user & kernel MBR OK
    0
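The two mbr.exe reports in the thread both end with "user & kernel MBR OK", yet only the first (the one embedded in the ComboFix log) lists hooks, an unknown module in the call chain and the detector's own warning. As an added example, not code from the thread or from Gmer, the following Python parser reads both reports and separates the final OK line from those other signals: a hook whose target is a bare address rather than a named module, a `>>UNKNOWN [...]<<` entry in the called-modules chain, or a `Warning:` line each mark the report as suspicious regardless of the OK line. The report texts are copied from the thread; the classification rules are this example's own.

```python
import re

# Report 1: the Gmer MBR detector output embedded in the first ComboFix log.
REPORT_COMBOFIX = r"""Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x853062E0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7520f28
\Driver\ACPI -> ACPI.sys @ 0xf7390cb8
\Driver\atapi -> 0x853062e0
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->NDIS: Marvell Yukon 88E8071 PCI-E Gigabit Ethernet Controller -> SendCompleteHandler -> NDIS.sys @ 0xf70eabb0
PacketIndicateHandler -> NDIS.sys @ 0xf70d9a0d
SendHandler -> NDIS.sys @ 0xf70edb40
Warning: possible MBR rootkit infection !
user & kernel MBR OK
"""

# Report 2: the standalone mbr.exe run posted later in the thread.
REPORT_STANDALONE = r"""Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
"""

# "\Driver\<name> -> <target>" lines under "detected MBR rootkit hooks:"
HOOK_RE = re.compile(r"^(?P<driver>\\Driver\\\S+) -> (?P<target>.+)$")
# A target that resolves to a named module, e.g. "CLASSPNP.SYS @ 0xf7520f28".
NAMED_MODULE_RE = re.compile(r"^\S+\.(?:sys|dll|exe) @ 0x[0-9a-f]+$", re.IGNORECASE)
# Unresolved entries in the "called modules:" chain.
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")


def assess_mbr_report(text):
    """Classify one mbr.exe report; the final OK line is recorded but never trusted alone."""
    result = {"mbr_ok": False, "warning": False, "unknown_modules": [],
              "hooks": [], "unresolved_hooks": []}
    for line in text.splitlines():
        line = line.strip()
        if line == "user & kernel MBR OK":
            result["mbr_ok"] = True
        elif line.startswith("Warning:"):
            result["warning"] = True
        elif line.startswith("called modules:"):
            result["unknown_modules"] = UNKNOWN_RE.findall(line)
        else:
            m = HOOK_RE.match(line)
            if m:
                hook = (m.group("driver"), m.group("target"))
                result["hooks"].append(hook)
                # A hook pointing at a raw address, not a loaded module, is the
                # pattern the detector reports for a hidden driver in memory.
                if not NAMED_MODULE_RE.match(m.group("target")):
                    result["unresolved_hooks"].append(hook)
    result["suspicious"] = bool(result["warning"]
                                or result["unknown_modules"]
                                or result["unresolved_hooks"])
    return result


if __name__ == "__main__":
    for label, report in (("ComboFix-embedded", REPORT_COMBOFIX),
                          ("standalone", REPORT_STANDALONE)):
        r = assess_mbr_report(report)
        print(f"{label}: MBR OK={r['mbr_ok']}, suspicious={r['suspicious']}, "
              f"unresolved hooks={r['unresolved_hooks']}, unknown={r['unknown_modules']}")
```

On the first report the unresolved hook `\Driver\atapi -> 0x853062e0` and the `>>UNKNOWN [0x853062E0]<<` module share the same address, which is why the detector warns even though the MBR sectors themselves read back identically from user and kernel mode; on the second report nothing but the OK line is present, and the parser reports it clean.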
  4. Tigzy Posts: 7983 Status: Security contributor 582
     
    Yeah, it's a mess.... OK.

    Download:

    The Avenger

    * Unzip it, launch it; run as administrator on Vista


    In the box, under Input Script here, copy and paste what is in bold below and click Execute:


    Drivers to delete:
    priuz.sys
    brdee.sys
    fbyabclj.sys
    zytzl.sys
    lbobftg.sys
    mlbgn.sys
    mfjaimqa.sys
    Files to delete:
    c:\windows\system32\drivers\priuz.sys
    c:\windows\system32\drivers\brdee.sys
    c:\windows\system32\drivers\fbyabclj.sys
    c:\windows\system32\drivers\zytzl.sys
    c:\windows\system32\drivers\lbobftg.sys
    c:\windows\system32\drivers\mlbgn.sys
    c:\windows\system32\drivers\mfjaimqa.sys


    * After the reboot, it creates a log file that will open, which you will post in your next reply, showing the actions executed by The Avenger. This log file is located here: C:\avenger.txt

    -------------

    Run ComboFix again.
    0
  6. John
     
    In normal mode the PC is still frozen.

    Here is avenger.txt:

    Logfile of The Avenger Version 2.0, (c) by Swandog46
    http://swandog46.geekstogo.com

    Platform: Windows XP

    *******************

    Script file opened successfully.
    Script file read successfully.

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    Rootkit scan active.
    No rootkits found!

    Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\priuz.sys" not found!
    Deletion of driver "priuz.sys" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist

    Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\brdee.sys" not found!
    Deletion of driver "brdee.sys" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist

    Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\fbyabclj.sys" not found!
    Deletion of driver "fbyabclj.sys" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist

    Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\zytzl.sys" not found!
    Deletion of driver "zytzl.sys" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist

    Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\lbobftg.sys" not found!
    Deletion of driver "lbobftg.sys" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist

    Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\mlbgn.sys" not found!
    Deletion of driver "mlbgn.sys" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist

    Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\mfjaimqa.sys" not found!
    Deletion of driver "mfjaimqa.sys" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist

    Error: file "c:\windows\system32\drivers\priuz.sys" not found!
    Deletion of file "c:\windows\system32\drivers\priuz.sys" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist

    Error: file "c:\windows\system32\drivers\brdee.sys" not found!
    Deletion of file "c:\windows\system32\drivers\brdee.sys" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist

    Error: file "c:\windows\system32\drivers\fbyabclj.sys" not found!
    Deletion of file "c:\windows\system32\drivers\fbyabclj.sys" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist

    Error: file "c:\windows\system32\drivers\zytzl.sys" not found!
    Deletion of file "c:\windows\system32\drivers\zytzl.sys" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist

    Error: file "c:\windows\system32\drivers\lbobftg.sys" not found!
    Deletion of file "c:\windows\system32\drivers\lbobftg.sys" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist

    Error: file "c:\windows\system32\drivers\mlbgn.sys" not found!
    Deletion of file "c:\windows\system32\drivers\mlbgn.sys" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist

    File "c:\windows\system32\drivers\mfjaimqa.sys" deleted successfully.

    Completed script processing.

    *******************

    Finished! Terminate.

    ComboFix is running right now.
    0
    1. Tigzy Posts: 7983 Status: Security contributor 582
       
      The rootkits are no longer there... it must have been old.
      ComboFix in normal mode?
      0
    2. John
       
      ComboFix is running in safe mode, since in normal mode the taskbar and icons are inaccessible and the PC freezes.
      0
    3. Tigzy Posts: 7983 Status: Security contributor 582
       
      Argh... it's going to be a clone of the first log.
      Let it finish, you never know....


      Post the report, and then

      Download to the desktop
      Gmer
      = Click on ==> GMER Application: Gmer.zip
      = Right-click the Gmer archive
      = Extract here (or extract without confirmation, or all, or unzip)
      = Double-click the Gmer that was just created
      = A window opens; click Scan
      Wait until the scan finishes
      = Click Save
      = Choose => desktop => name it: rapport
      0
    4. John
       
      ComboFix crashed and GMER crashes (gmer has encountered a problem, send error report)
      0
    5. Tigzy Posts: 7983 Status: Security contributor 582
       
      Well...

      Download and unzip TDSSKiller to the desktop

      = Launch TDSSKiller with a double-click
      = Once the scan is finished, a report opens
      = Copy and paste its contents into your next reply
      = The report is also located in C:\TDSSKiller.XXXXXX_log.txt (X corresponding to the version, date and time)
      0
  7. John
     
    ComboFix was willing to launch this time; here is the log.txt:
    ComboFix 10-04-21.01 - john 26/04/2010 16:13:23.3.1 - x86 MINIMAL
    Microsoft Windows XP Professionnel 5.1.2600.3.1252.33.1036.18.895.738 [GMT 2:00]
    Lancé depuis: c:\documents and settings\john\Bureau\ComboFix.exe
    .

    ((((((((((((((((((((((((((((( Fichiers créés du 2010-03-26 au 2010-04-26 ))))))))))))))))))))))))))))))))))))
    .

    2010-04-26 10:46 . 2010-04-14 16:35 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-04-26 10:46 . 2010-04-14 16:35 162768 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-04-26 10:46 . 2010-04-14 16:31 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-04-26 10:46 . 2010-04-14 16:31 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2010-04-26 10:46 . 2010-04-14 16:31 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2010-04-26 10:46 . 2010-04-14 16:31 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-04-26 10:46 . 2010-04-14 16:30 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2010-04-26 10:46 . 2010-04-14 16:47 38848 ----a-w- c:\windows\system32\avastSS.scr
    2010-04-26 10:46 . 2010-04-14 16:47 153184 ----a-w- c:\windows\system32\aswBoot.exe
    2010-04-26 10:46 . 2010-04-26 10:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
    2010-04-26 08:07 . 2010-04-26 08:07 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
    2010-04-26 08:07 . 2010-04-26 08:07 -------- d-----r- c:\documents and settings\LocalService\Favoris
    2010-04-26 07:14 . 2010-04-26 07:14 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
    2010-04-26 07:13 . 2010-04-26 07:13 -------- d-----w- c:\documents and settings\john\Application Data\Malwarebytes
    2010-04-26 07:13 . 2010-03-29 22:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-04-26 07:13 . 2010-04-26 07:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-04-26 07:13 . 2010-04-26 07:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-04-26 07:13 . 2010-03-29 22:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-04-26 06:58 . 2008-04-13 09:40 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
    2010-04-26 06:58 . 2008-04-13 09:40 34688 ----a-w- c:\windows\system32\dllcache\lbrtfdc.sys
    2010-04-26 06:58 . 2008-04-13 09:41 8192 ----a-w- c:\windows\system32\drivers\changer.sys
    2010-04-26 06:58 . 2008-04-13 09:41 8192 ----a-w- c:\windows\system32\dllcache\changer.sys
    2010-04-01 15:34 . 2010-04-01 15:34 -------- d-----w- c:\program files\EZFace
    2010-03-29 06:36 . 2009-10-23 15:28 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe

    .
    (((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-04-26 10:46 . 2008-08-11 12:16 -------- d-----w- c:\program files\Alwil Software
    2010-04-26 08:07 . 2010-04-26 08:07 574464 ----a-w- c:\windows\TMP5.tmp
    2010-04-26 08:07 . 2004-08-03 23:00 574464 ----a-w- c:\windows\system32\drivers\http.sys
    2010-04-26 08:06 . 2010-04-26 08:06 4922 ----a-w- c:\windows\system32\PerfStringBackup.TMP
    2010-04-26 08:06 . 2006-01-26 20:35 568780 ----a-w- c:\windows\system32\perfh00C.dat
    2010-04-26 08:06 . 2006-01-26 20:35 108874 ----a-w- c:\windows\system32\perfc00C.dat
    2010-04-07 09:31 . 2008-02-08 13:59 -------- d-----w- c:\program files\Google
    2008-08-11 08:12 . 2008-08-11 08:12 23 --sha-w- c:\windows\system32\aadebcf4_z.dll
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-04-26_10.38.50 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-07-11 22:02 . 2009-07-11 22:02 51008 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa\vcomp90.dll
    + 2009-07-11 22:02 . 2009-07-11 22:02 59728 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90rus.dll
    + 2009-07-11 22:02 . 2009-07-11 22:02 42832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90kor.dll
    + 2009-07-11 22:02 . 2009-07-11 22:02 43344 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90jpn.dll
    + 2009-07-11 22:02 . 2009-07-11 22:02 61264 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90ita.dll
    + 2009-07-11 22:02 . 2009-07-11 22:02 62800 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90fra.dll
    + 2009-07-11 22:02 . 2009-07-11 22:02 61760 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esp.dll
    + 2009-07-11 22:02 . 2009-07-11 22:02 61776 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esn.dll
    + 2009-07-11 22:02 . 2009-07-11 22:02 53568 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90enu.dll
    + 2009-07-11 22:02 . 2009-07-11 22:02 63296 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90deu.dll
    + 2009-07-11 22:02 . 2009-07-11 22:02 36688 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90cht.dll
    + 2009-07-11 22:02 . 2009-07-11 22:02 35648 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90chs.dll
    + 2009-07-11 22:05 . 2009-07-11 22:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90u.dll
    + 2009-07-11 22:05 . 2009-07-11 22:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90.dll
    + 2009-07-11 22:02 . 2009-07-11 22:02 653120 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcr90.dll
    + 2009-07-11 22:02 . 2009-07-11 22:02 569664 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcp90.dll
    + 2009-07-11 22:05 . 2009-07-11 22:05 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcm90.dll
    + 2009-07-11 22:02 . 2009-07-11 22:02 159032 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2\atl90.dll
    + 2010-04-26 10:46 . 2010-04-26 10:46 219648 c:\windows\Installer\f53b8.msi
    + 2010-04-26 11:43 . 2010-04-26 11:43 219648 c:\windows\Installer\f311d.msi
    + 2009-07-11 22:02 . 2009-07-11 22:02 3780424 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90u.dll
    + 2009-07-11 22:02 . 2009-07-11 22:02 3765048 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90.dll
    .
    ((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-10 68856]
    "Google Update"="c:\documents and settings\john\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-04-21 133104]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Mouse Suite 98 Daemon"="ICO.EXE" [2005-04-13 49152]
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
    "RTHDCPL"="RTHDCPL.EXE" [2007-10-16 16855552]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-15 149280]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

    c:\documents and settings\Administrateur\Menu Démarrer\Programmes\Démarrage\
    CCC.lnk - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2006-9-29 49152]

    c:\documents and settings\Administrateur\Menu Démarrer\Programmes\Démarrage\
    CCC.lnk - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2006-9-29 49152]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

    R0 d344bus;d344bus;c:\windows\system32\drivers\d344bus.sys [22/05/2008 15:44 137216]
    R0 d344prt;d344prt;c:\windows\system32\drivers\d344prt.sys [22/05/2008 15:44 5248]
    S0 mfjaimqa;mfjaimqa; [x]
    S1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [26/04/2010 12:46 162768]
    S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [26/04/2010 12:46 19024]
    S2 gupdate;Service Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [18/11/2009 15:13 135664]
    S3 maconfservice;Ma-Config Service;c:\program files\ma-config.com\maconfservice.exe [11/12/2009 16:43 238960]
    S3 rk_remover-boot;rk_remover-boot;\??\c:\windows\system32\drivers\rk_remover.sys --> c:\windows\system32\drivers\rk_remover.sys [?]
    S3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [22/05/2007 16:59 30336]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-04-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-11-18 13:13]

    2010-04-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-11-18 13:13]

    2010-04-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3136234265-601822484-2454817574-1008Core.job
    - c:\documents and settings\john\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-21 06:30]

    2010-04-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3136234265-601822484-2454817574-1008UA.job
    - c:\documents and settings\john\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-21 06:30]

    2010-04-26 c:\windows\Tasks\User_Feed_Synchronization-{C559A810-C6C3-4249-85CF-66A7272D9D9E}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 03:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.fr/
    IE: E&xporter vers Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
    TCP: {8834C4ED-D914-410F-A084-AF4EE0DDA5C3} = 192.168.0.1
    FF - ProfilePath - c:\documents and settings\john\Application Data\Mozilla\Firefox\Profiles\o0upzg5e.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - www.google.com
    FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101699&gct=&gc=1&q=
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    pref(dom.disable_open_during_load, false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-04-26 16:22
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x85767438]<<
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    \Driver\Disk -> CLASSPNP.SYS @ 0xf7733f28
    \Driver\ACPI -> ACPI.sys @ 0xf7683cb8
    \Driver\atapi -> 0x85767438
    IoDeviceObjectType ->\Device\Harddisk0\DR0 ->Warning: possible MBR rootkit infection !
    user & kernel MBR OK

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø*€|ÿÿÿÿ*€|é*9~*]
    "C040110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
    .
    --------------------- DLLs loaded under running processes ---------------------

    - - - - - - - > 'winlogon.exe'(256)
    c:\windows\system32\Ati2evxx.dll
    .
    Completion time: 2010-04-26 16:27:19
    ComboFix-quarantined-files.txt 2010-04-26 14:27
    ComboFix2.txt 2010-04-26 10:40

    Pre-Run: 117 383 417 856 bytes free
    Post-Run: 117 336 305 664 bytes free

    - - End Of File - - FA533B9F8EE7B82E45CE4B3BD813DF58
  8. John
     
    and here is the TDSSKiller log:
    16:29:16:718 1744 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
    16:29:16:718 1744 ================================================================================
    16:29:16:718 1744 SystemInfo:

    16:29:16:718 1744 OS Version: 5.1.2600 ServicePack: 3.0
    16:29:16:718 1744 Product type: Workstation
    16:29:16:718 1744 ComputerName: POSTE105
    16:29:16:718 1744 UserName: john
    16:29:16:718 1744 Windows directory: C:\WINDOWS
    16:29:16:718 1744 Processor architecture: Intel x86
    16:29:16:718 1744 Number of processors: 1
    16:29:16:718 1744 Page size: 0x1000
    16:29:16:718 1744 Boot type: Safe boot
    16:29:16:718 1744 ================================================================================
    16:29:16:718 1744 UnloadDriverW: NtUnloadDriver error 2
    16:29:16:718 1744 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
    16:29:16:781 1744 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
    16:29:16:781 1744 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
    16:29:16:781 1744 wfopen_ex: Trying to KLMD file open
    16:29:16:781 1744 wfopen_ex: File opened ok (Flags 2)
    16:29:16:781 1744 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
    16:29:16:781 1744 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
    16:29:16:781 1744 wfopen_ex: Trying to KLMD file open
    16:29:16:781 1744 wfopen_ex: File opened ok (Flags 2)
    16:29:16:781 1744 Initialize success
    16:29:16:781 1744
    16:29:16:781 1744 Scanning Services ...
    16:29:17:406 1744 Raw services enum returned 339 services
    16:29:17:406 1744
    16:29:17:406 1744 Scanning Kernel memory ...
    16:29:17:421 1744 Devices to scan: 5
    16:29:17:421 1744
    16:29:17:421 1744 Driver Name: Disk
    16:29:17:421 1744 IRP_MJ_CREATE : F7735BB0
    16:29:17:421 1744 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
    16:29:17:421 1744 IRP_MJ_CLOSE : F7735BB0
    16:29:17:421 1744 IRP_MJ_READ : F772FD1F
    16:29:17:421 1744 IRP_MJ_WRITE : F772FD1F
    16:29:17:421 1744 IRP_MJ_QUERY_INFORMATION : 804FA88E
    16:29:17:421 1744 IRP_MJ_SET_INFORMATION : 804FA88E
    16:29:17:421 1744 IRP_MJ_QUERY_EA : 804FA88E
    16:29:17:421 1744 IRP_MJ_SET_EA : 804FA88E
    16:29:17:421 1744 IRP_MJ_FLUSH_BUFFERS : F77302E2
    16:29:17:421 1744 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
    16:29:17:421 1744 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
    16:29:17:421 1744 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
    16:29:17:421 1744 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
    16:29:17:421 1744 IRP_MJ_DEVICE_CONTROL : F77303BB
    16:29:17:421 1744 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7733F28
    16:29:17:421 1744 IRP_MJ_SHUTDOWN : F77302E2
    16:29:17:421 1744 IRP_MJ_LOCK_CONTROL : 804FA88E
    16:29:17:421 1744 IRP_MJ_CLEANUP : 804FA88E
    16:29:17:421 1744 IRP_MJ_CREATE_MAILSLOT : 804FA88E
    16:29:17:421 1744 IRP_MJ_QUERY_SECURITY : 804FA88E
    16:29:17:421 1744 IRP_MJ_SET_SECURITY : 804FA88E
    16:29:17:421 1744 IRP_MJ_POWER : F7731C82
    16:29:17:421 1744 IRP_MJ_SYSTEM_CONTROL : F773699E
    16:29:17:421 1744 IRP_MJ_DEVICE_CHANGE : 804FA88E
    16:29:17:421 1744 IRP_MJ_QUERY_QUOTA : 804FA88E
    16:29:17:421 1744 IRP_MJ_SET_QUOTA : 804FA88E
    16:29:17:468 1744 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
    16:29:17:468 1744
    16:29:17:468 1744 Driver Name: USBSTOR
    16:29:17:468 1744 IRP_MJ_CREATE : F7ADC218
    16:29:17:468 1744 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
    16:29:17:468 1744 IRP_MJ_CLOSE : F7ADC218
    16:29:17:468 1744 IRP_MJ_READ : F7ADC23C
    16:29:17:468 1744 IRP_MJ_WRITE : F7ADC23C
    16:29:17:468 1744 IRP_MJ_QUERY_INFORMATION : 804FA88E
    16:29:17:468 1744 IRP_MJ_SET_INFORMATION : 804FA88E
    16:29:17:468 1744 IRP_MJ_QUERY_EA : 804FA88E
    16:29:17:468 1744 IRP_MJ_SET_EA : 804FA88E
    16:29:17:468 1744 IRP_MJ_FLUSH_BUFFERS : 804FA88E
    16:29:17:468 1744 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
    16:29:17:468 1744 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
    16:29:17:468 1744 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
    16:29:17:468 1744 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
    16:29:17:468 1744 IRP_MJ_DEVICE_CONTROL : F7ADC180
    16:29:17:468 1744 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7AD79E6
    16:29:17:468 1744 IRP_MJ_SHUTDOWN : 804FA88E
    16:29:17:468 1744 IRP_MJ_LOCK_CONTROL : 804FA88E
    16:29:17:468 1744 IRP_MJ_CLEANUP : 804FA88E
    16:29:17:468 1744 IRP_MJ_CREATE_MAILSLOT : 804FA88E
    16:29:17:468 1744 IRP_MJ_QUERY_SECURITY : 804FA88E
    16:29:17:468 1744 IRP_MJ_SET_SECURITY : 804FA88E
    16:29:17:468 1744 IRP_MJ_POWER : F7ADB5F0
    16:29:17:468 1744 IRP_MJ_SYSTEM_CONTROL : F7AD9A6E
    16:29:17:468 1744 IRP_MJ_DEVICE_CHANGE : 804FA88E
    16:29:17:468 1744 IRP_MJ_QUERY_QUOTA : 804FA88E
    16:29:17:468 1744 IRP_MJ_SET_QUOTA : 804FA88E
    16:29:17:500 1744 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
    16:29:17:500 1744
    16:29:17:500 1744 Driver Name: Disk
    16:29:17:500 1744 IRP_MJ_CREATE : F7735BB0
    16:29:17:500 1744 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
    16:29:17:500 1744 IRP_MJ_CLOSE : F7735BB0
    16:29:17:500 1744 IRP_MJ_READ : F772FD1F
    16:29:17:500 1744 IRP_MJ_WRITE : F772FD1F
    16:29:17:500 1744 IRP_MJ_QUERY_INFORMATION : 804FA88E
    16:29:17:500 1744 IRP_MJ_SET_INFORMATION : 804FA88E
    16:29:17:500 1744 IRP_MJ_QUERY_EA : 804FA88E
    16:29:17:500 1744 IRP_MJ_SET_EA : 804FA88E
    16:29:17:500 1744 IRP_MJ_FLUSH_BUFFERS : F77302E2
    16:29:17:500 1744 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
    16:29:17:500 1744 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
    16:29:17:500 1744 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
    16:29:17:500 1744 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
    16:29:17:500 1744 IRP_MJ_DEVICE_CONTROL : F77303BB
    16:29:17:500 1744 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7733F28
    16:29:17:500 1744 IRP_MJ_SHUTDOWN : F77302E2
    16:29:17:500 1744 IRP_MJ_LOCK_CONTROL : 804FA88E
    16:29:17:500 1744 IRP_MJ_CLEANUP : 804FA88E
    16:29:17:500 1744 IRP_MJ_CREATE_MAILSLOT : 804FA88E
    16:29:17:500 1744 IRP_MJ_QUERY_SECURITY : 804FA88E
    16:29:17:500 1744 IRP_MJ_SET_SECURITY : 804FA88E
    16:29:17:500 1744 IRP_MJ_POWER : F7731C82
    16:29:17:500 1744 IRP_MJ_SYSTEM_CONTROL : F773699E
    16:29:17:500 1744 IRP_MJ_DEVICE_CHANGE : 804FA88E
    16:29:17:500 1744 IRP_MJ_QUERY_QUOTA : 804FA88E
    16:29:17:500 1744 IRP_MJ_SET_QUOTA : 804FA88E
    16:29:17:531 1744 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
    16:29:17:531 1744
    16:29:17:531 1744 Driver Name: Disk
    16:29:17:531 1744 IRP_MJ_CREATE : F7735BB0
    16:29:17:531 1744 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
    16:29:17:531 1744 IRP_MJ_CLOSE : F7735BB0
    16:29:17:531 1744 IRP_MJ_READ : F772FD1F
    16:29:17:531 1744 IRP_MJ_WRITE : F772FD1F
    16:29:17:531 1744 IRP_MJ_QUERY_INFORMATION : 804FA88E
    16:29:17:531 1744 IRP_MJ_SET_INFORMATION : 804FA88E
    16:29:17:531 1744 IRP_MJ_QUERY_EA : 804FA88E
    16:29:17:531 1744 IRP_MJ_SET_EA : 804FA88E
    16:29:17:531 1744 IRP_MJ_FLUSH_BUFFERS : F77302E2
    16:29:17:531 1744 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
    16:29:17:531 1744 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
    16:29:17:531 1744 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
    16:29:17:531 1744 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
    16:29:17:531 1744 IRP_MJ_DEVICE_CONTROL : F77303BB
    16:29:17:531 1744 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7733F28
    16:29:17:531 1744 IRP_MJ_SHUTDOWN : F77302E2
    16:29:17:531 1744 IRP_MJ_LOCK_CONTROL : 804FA88E
    16:29:17:531 1744 IRP_MJ_CLEANUP : 804FA88E
    16:29:17:531 1744 IRP_MJ_CREATE_MAILSLOT : 804FA88E
    16:29:17:531 1744 IRP_MJ_QUERY_SECURITY : 804FA88E
    16:29:17:531 1744 IRP_MJ_SET_SECURITY : 804FA88E
    16:29:17:531 1744 IRP_MJ_POWER : F7731C82
    16:29:17:531 1744 IRP_MJ_SYSTEM_CONTROL : F773699E
    16:29:17:531 1744 IRP_MJ_DEVICE_CHANGE : 804FA88E
    16:29:17:531 1744 IRP_MJ_QUERY_QUOTA : 804FA88E
    16:29:17:531 1744 IRP_MJ_SET_QUOTA : 804FA88E
    16:29:17:546 1744 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
    16:29:17:546 1744
    16:29:17:546 1744 Driver Name: atapi
    16:29:17:546 1744 IRP_MJ_CREATE : 85767438
    16:29:17:546 1744 IRP_MJ_CREATE_NAMED_PIPE : 85767438
    16:29:17:546 1744 IRP_MJ_CLOSE : 85767438
    16:29:17:546 1744 IRP_MJ_READ : 85767438
    16:29:17:546 1744 IRP_MJ_WRITE : 85767438
    16:29:17:546 1744 IRP_MJ_QUERY_INFORMATION : 85767438
    16:29:17:546 1744 IRP_MJ_SET_INFORMATION : 85767438
    16:29:17:546 1744 IRP_MJ_QUERY_EA : 85767438
    16:29:17:546 1744 IRP_MJ_SET_EA : 85767438
    16:29:17:546 1744 IRP_MJ_FLUSH_BUFFERS : 85767438
    16:29:17:546 1744 IRP_MJ_QUERY_VOLUME_INFORMATION : 85767438
    16:29:17:546 1744 IRP_MJ_SET_VOLUME_INFORMATION : 85767438
    16:29:17:546 1744 IRP_MJ_DIRECTORY_CONTROL : 85767438
    16:29:17:546 1744 IRP_MJ_FILE_SYSTEM_CONTROL : 85767438
    16:29:17:546 1744 IRP_MJ_DEVICE_CONTROL : 85767438
    16:29:17:546 1744 IRP_MJ_INTERNAL_DEVICE_CONTROL : 85767438
    16:29:17:546 1744 IRP_MJ_SHUTDOWN : 85767438
    16:29:17:546 1744 IRP_MJ_LOCK_CONTROL : 85767438
    16:29:17:546 1744 IRP_MJ_CLEANUP : 85767438
    16:29:17:546 1744 IRP_MJ_CREATE_MAILSLOT : 85767438
    16:29:17:546 1744 IRP_MJ_QUERY_SECURITY : 85767438
    16:29:17:546 1744 IRP_MJ_SET_SECURITY : 85767438
    16:29:17:546 1744 IRP_MJ_POWER : 85767438
    16:29:17:546 1744 IRP_MJ_SYSTEM_CONTROL : 85767438
    16:29:17:546 1744 IRP_MJ_DEVICE_CHANGE : 85767438
    16:29:17:546 1744 IRP_MJ_QUERY_QUOTA : 85767438
    16:29:17:546 1744 IRP_MJ_SET_QUOTA : 85767438
    16:29:17:640 1744 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1
    16:29:17:640 1744
    16:29:17:640 1744 Completed
    16:29:17:640 1744
    16:29:17:640 1744 Results:
    16:29:17:640 1744 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
    16:29:17:656 1744 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
    16:29:17:656 1744 File objects infected / cured / cured on reboot: 0 / 0 / 0
    16:29:17:656 1744
    16:29:17:656 1744 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
    16:29:17:656 1744 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
    16:29:17:656 1744 KLMD(ARK) unloaded successfully
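An added example, not part of John's post and not TDSSKiller's own logic: a small parser for the "Driver Name:" / "IRP_MJ_* : address" blocks in the log above, with two checks on each driver's dispatch table. In the posted log every one of the 27 IRP_MJ entries listed for atapi points to the same address, 85767438, which is also what the Gmer section of the ComboFix log prints as `\Driver\atapi -> 0x85767438` and `>>UNKNOWN [0x85767438]<<`, an address it cannot attribute to any module. disk.sys and USBSTOR.SYS instead use distinct routines for the requests they service and share 804FA88E for the ones they do not. The heuristics (every slot resolving to a single routine, and no slot using the handler the other drivers share) and the function names are mine; TDSSKiller's "Verdict: 1" and its 0 / 0 / 0 results above flagged nothing. The sample input is an excerpt of the posted log cut down to seven entries per driver.

```python
"""Flag a driver whose IRP dispatch table looks redirected, from a TDSSKiller log.

Added example (not part of the original post or of TDSSKiller): parses the
"Driver Name:" / "IRP_MJ_* : <addr>" blocks that TDSSKiller 2.2.8.1 prints and
applies two heuristics of my own to each driver's dispatch table.
"""
import re
from collections import Counter

# Excerpt of the TDSSKiller output posted above, cut down to seven IRP_MJ_*
# entries per driver (the full log lists 27 for each driver).
SAMPLE_LOG = r"""
16:29:17:421 1744 Driver Name: Disk
16:29:17:421 1744 IRP_MJ_CREATE : F7735BB0
16:29:17:421 1744 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
16:29:17:421 1744 IRP_MJ_READ : F772FD1F
16:29:17:421 1744 IRP_MJ_WRITE : F772FD1F
16:29:17:421 1744 IRP_MJ_QUERY_EA : 804FA88E
16:29:17:421 1744 IRP_MJ_DEVICE_CONTROL : F77303BB
16:29:17:421 1744 IRP_MJ_SET_QUOTA : 804FA88E
16:29:17:468 1744 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
16:29:17:468 1744 Driver Name: USBSTOR
16:29:17:468 1744 IRP_MJ_CREATE : F7ADC218
16:29:17:468 1744 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
16:29:17:468 1744 IRP_MJ_READ : F7ADC23C
16:29:17:468 1744 IRP_MJ_WRITE : F7ADC23C
16:29:17:468 1744 IRP_MJ_QUERY_EA : 804FA88E
16:29:17:468 1744 IRP_MJ_DEVICE_CONTROL : F7ADC180
16:29:17:468 1744 IRP_MJ_SET_QUOTA : 804FA88E
16:29:17:500 1744 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
16:29:17:546 1744 Driver Name: atapi
16:29:17:546 1744 IRP_MJ_CREATE : 85767438
16:29:17:546 1744 IRP_MJ_CREATE_NAMED_PIPE : 85767438
16:29:17:546 1744 IRP_MJ_READ : 85767438
16:29:17:546 1744 IRP_MJ_WRITE : 85767438
16:29:17:546 1744 IRP_MJ_QUERY_EA : 85767438
16:29:17:546 1744 IRP_MJ_DEVICE_CONTROL : 85767438
16:29:17:546 1744 IRP_MJ_SET_QUOTA : 85767438
16:29:17:640 1744 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1
"""

DRIVER_RE = re.compile(r"Driver Name: (\S+)\s*$")
IRP_RE = re.compile(r"(IRP_MJ_[A-Z_]+) : ([0-9A-Fa-f]{8})\s*$")


def parse_dispatch_tables(log):
    """Return {driver_name: {IRP_MJ_name: address}} for every driver block in the log."""
    tables = {}
    current = None
    for line in log.splitlines():
        m = DRIVER_RE.search(line)
        if m:
            current = m.group(1)
            tables[current] = {}
            continue
        m = IRP_RE.search(line)
        if m and current is not None:
            tables[current][m.group(1)] = int(m.group(2), 16)
    return tables


def default_handler(tables):
    """Address of the stock handler for IRP majors a driver does not implement.

    The kernel fills every MajorFunction slot a driver leaves unset with the same
    routine, so it is the one address shared by the most drivers in the log.
    Returns None unless some address is shared by at least two drivers.
    """
    shared_by = Counter()
    for table in tables.values():
        for addr in set(table.values()):
            shared_by[addr] += 1
    if not shared_by:
        return None
    addr, drivers = shared_by.most_common(1)[0]
    return addr if drivers >= 2 else None


def find_hooked_drivers(tables):
    """Return {driver_name: [reasons]} for drivers whose table looks redirected."""
    default = default_handler(tables)
    findings = {}
    for name, table in tables.items():
        addrs = set(table.values())
        reasons = []
        if len(table) > 1 and len(addrs) == 1:
            sole = next(iter(addrs))
            reasons.append("all %d IRP_MJ entries resolve to one routine at %08X"
                           % (len(table), sole))
        if default is not None and default not in addrs:
            reasons.append("no entry uses the shared default handler %08X, i.e. the "
                           "driver claims to service every IRP major" % default)
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in find_hooked_drivers(parse_dispatch_tables(SAMPLE_LOG)).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

A pass-through filter driver can legitimately route every major through one routine, so the first check alone would be noisy; what singles out atapi here is the combination with the second check and with Gmer's UNKNOWN address. Note that this is a hook on atapi's dispatch table, not on the boot sector: every run above reports "user & kernel MBR OK", which is why an MBR restore has nothing to restore.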
  9. Tigzy (Security Contributor)
     
    Run ComboFix again.
  10. John
     
    Here is the ComboFix log:

    ComboFix 10-04-21.01 - john 26/04/2010 16:51:03.4.1 - x86 MINIMAL
    Microsoft Windows XP Professionnel 5.1.2600.3.1252.33.1036.18.895.740 [GMT 2:00]
    Running from: c:\documents and settings\john\Bureau\ComboFix.exe
    .

    ((((((((((((((((((((((((((((( Files Created From 2010-03-26 to 2010-04-26 ))))))))))))))))))))))))))))))))))))
    .

    2010-04-26 10:46 . 2010-04-14 16:35 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-04-26 10:46 . 2010-04-14 16:35 162768 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-04-26 10:46 . 2010-04-14 16:31 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-04-26 10:46 . 2010-04-14 16:31 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2010-04-26 10:46 . 2010-04-14 16:31 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2010-04-26 10:46 . 2010-04-14 16:31 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-04-26 10:46 . 2010-04-14 16:30 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2010-04-26 10:46 . 2010-04-14 16:47 38848 ----a-w- c:\windows\system32\avastSS.scr
    2010-04-26 10:46 . 2010-04-14 16:47 153184 ----a-w- c:\windows\system32\aswBoot.exe
    2010-04-26 10:46 . 2010-04-26 10:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
    2010-04-26 08:07 . 2010-04-26 08:07 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
    2010-04-26 08:07 . 2010-04-26 08:07 -------- d-----r- c:\documents and settings\LocalService\Favoris
    2010-04-26 07:14 . 2010-04-26 07:14 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
    2010-04-26 07:13 . 2010-04-26 07:13 -------- d-----w- c:\documents and settings\john\Application Data\Malwarebytes
    2010-04-26 07:13 . 2010-03-29 22:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-04-26 07:13 . 2010-04-26 07:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-04-26 07:13 . 2010-04-26 07:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-04-26 07:13 . 2010-03-29 22:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-04-26 06:58 . 2008-04-13 09:40 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
    2010-04-26 06:58 . 2008-04-13 09:40 34688 ----a-w- c:\windows\system32\dllcache\lbrtfdc.sys
    2010-04-26 06:58 . 2008-04-13 09:41 8192 ----a-w- c:\windows\system32\drivers\changer.sys
    2010-04-26 06:58 . 2008-04-13 09:41 8192 ----a-w- c:\windows\system32\dllcache\changer.sys
    2010-04-01 15:34 . 2010-04-01 15:34 -------- d-----w- c:\program files\EZFace
    2010-03-29 06:36 . 2009-10-23 15:28 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe

    .
    (((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-04-26 10:46 . 2008-08-11 12:16 -------- d-----w- c:\program files\Alwil Software
    2010-04-26 08:07 . 2010-04-26 08:07 574464 ----a-w- c:\windows\TMP5.tmp
    2010-04-26 08:07 . 2004-08-03 23:00 574464 ----a-w- c:\windows\system32\drivers\http.sys
    2010-04-26 08:06 . 2010-04-26 08:06 4922 ----a-w- c:\windows\system32\PerfStringBackup.TMP
    2010-04-26 08:06 . 2006-01-26 20:35 568780 ----a-w- c:\windows\system32\perfh00C.dat
    2010-04-26 08:06 . 2006-01-26 20:35 108874 ----a-w- c:\windows\system32\perfc00C.dat
    2010-04-07 09:31 . 2008-02-08 13:59 -------- d-----w- c:\program files\Google
    2008-08-11 08:12 . 2008-08-11 08:12 23 --sha-w- c:\windows\system32\aadebcf4_z.dll
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-04-26_10.38.50 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-07-11 22:02 . 2009-07-11 22:02 51008 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa\vcomp90.dll
    + 2009-07-11 22:02 . 2009-07-11 22:02 59728 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90rus.dll
    + 2009-07-11 22:02 . 2009-07-11 22:02 42832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90kor.dll
    + 2009-07-11 22:02 . 2009-07-11 22:02 43344 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90jpn.dll
    + 2009-07-11 22:02 . 2009-07-11 22:02 61264 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90ita.dll
    + 2009-07-11 22:02 . 2009-07-11 22:02 62800 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90fra.dll
    + 2009-07-11 22:02 . 2009-07-11 22:02 61760 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esp.dll
    + 2009-07-11 22:02 . 2009-07-11 22:02 61776 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esn.dll
    + 2009-07-11 22:02 . 2009-07-11 22:02 53568 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90enu.dll
    + 2009-07-11 22:02 . 2009-07-11 22:02 63296 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90deu.dll
    + 2009-07-11 22:02 . 2009-07-11 22:02 36688 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90cht.dll
    + 2009-07-11 22:02 . 2009-07-11 22:02 35648 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90chs.dll
    + 2009-07-11 22:05 . 2009-07-11 22:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90u.dll
    + 2009-07-11 22:05 . 2009-07-11 22:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90.dll
    + 2009-07-11 22:02 . 2009-07-11 22:02 653120 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcr90.dll
    + 2009-07-11 22:02 . 2009-07-11 22:02 569664 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcp90.dll
    + 2009-07-11 22:05 . 2009-07-11 22:05 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcm90.dll
    + 2009-07-11 22:02 . 2009-07-11 22:02 159032 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2\atl90.dll
    + 2010-04-26 10:46 . 2010-04-26 10:46 219648 c:\windows\Installer\f53b8.msi
    + 2010-04-26 11:43 . 2010-04-26 11:43 219648 c:\windows\Installer\f311d.msi
    + 2009-07-11 22:02 . 2009-07-11 22:02 3780424 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90u.dll
    + 2009-07-11 22:02 . 2009-07-11 22:02 3765048 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90.dll
    .
    ((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-10 68856]
    "Google Update"="c:\documents and settings\john\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-04-21 133104]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Mouse Suite 98 Daemon"="ICO.EXE" [2005-04-13 49152]
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
    "RTHDCPL"="RTHDCPL.EXE" [2007-10-16 16855552]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-15 149280]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

    c:\documents and settings\Administrateur\Menu Démarrer\Programmes\Démarrage\
    CCC.lnk - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2006-9-29 49152]

    c:\documents and settings\Administrateur\Menu Démarrer\Programmes\Démarrage\
    CCC.lnk - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2006-9-29 49152]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

    R0 d344bus;d344bus;c:\windows\system32\drivers\d344bus.sys [22/05/2008 15:44 137216]
    R0 d344prt;d344prt;c:\windows\system32\drivers\d344prt.sys [22/05/2008 15:44 5248]
    S0 mfjaimqa;mfjaimqa; [x]
    S1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [26/04/2010 12:46 162768]
    S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [26/04/2010 12:46 19024]
    S2 gupdate;Service Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [18/11/2009 15:13 135664]
    S3 maconfservice;Ma-Config Service;c:\program files\ma-config.com\maconfservice.exe [11/12/2009 16:43 238960]
    S3 rk_remover-boot;rk_remover-boot;\??\c:\windows\system32\drivers\rk_remover.sys --> c:\windows\system32\drivers\rk_remover.sys [?]
    S3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [22/05/2007 16:59 30336]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-04-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-11-18 13:13]

    2010-04-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-11-18 13:13]

    2010-04-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3136234265-601822484-2454817574-1008Core.job
    - c:\documents and settings\john\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-21 06:30]

    2010-04-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3136234265-601822484-2454817574-1008UA.job
    - c:\documents and settings\john\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-21 06:30]

    2010-04-26 c:\windows\Tasks\User_Feed_Synchronization-{C559A810-C6C3-4249-85CF-66A7272D9D9E}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 03:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.fr/
    IE: E&xporter vers Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
    TCP: {8834C4ED-D914-410F-A084-AF4EE0DDA5C3} = 192.168.0.1
    FF - ProfilePath - c:\documents and settings\john\Application Data\Mozilla\Firefox\Profiles\o0upzg5e.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - www.google.com
    FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101699&gct=&gc=1&q=
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    pref(dom.disable_open_during_load, false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-04-26 16:59
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x85767438]<<
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    \Driver\Disk -> CLASSPNP.SYS @ 0xf7733f28
    \Driver\ACPI -> ACPI.sys @ 0xf7683cb8
    \Driver\atapi -> 0x85767438
    IoDeviceObjectType ->\Device\Harddisk0\DR0 ->Warning: possible MBR rootkit infection !
    user & kernel MBR OK

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø*€|ÿÿÿÿ*€|é*9~*]
    "C040110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
    .
    --------------------- DLLs loaded under running processes ---------------------

    - - - - - - - > 'winlogon.exe'(256)
    c:\windows\system32\Ati2evxx.dll
    .
    Completion time: 2010-04-26 17:04:42
    ComboFix-quarantined-files.txt 2010-04-26 15:04
    ComboFix2.txt 2010-04-26 14:27
    ComboFix3.txt 2010-04-26 10:40

    Pre-Run: 117 353 709 568 bytes free
    Post-Run: 117 306 740 736 bytes free

    - - End Of File - - E77D8B71DB31DE2C0CD2CAA1EDFADC1D
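An added example, not ComboFix's own logic and not part of John's post: a parser for the "date . date size attrs path" lines of the log above with three triage checks a responder would otherwise do by eye. ComboFix prints the two timestamps in opposite order in its two sections (creation first under "Files Created", last-write first under "Find3M"); that reading is an assumption taken from the Alwil Software line, written today but created in 2008. In the Find3M section c:\windows\system32\drivers\http.sys keeps its 2004 creation stamp yet was written at 08:07 today, at the same minute and with the same size (574464 bytes) as c:\windows\TMP5.tmp. A fresh install produces a new file carrying today's creation stamp; an in-place overwrite keeps the old one. The sample input is an excerpt of the posted log; the function names, the size-cluster rule and the 365-day threshold are mine.

```python
"""Triage the file listing of a ComboFix log for signs of an overwritten system driver.

Added example (not ComboFix's own logic): parses the "date . date size attrs path"
lines under the "Fichiers créés" / "Files Created" and "Find3M" sections and
reports three things a responder would look at by hand.
"""
import re
from collections import defaultdict
from datetime import datetime

# Excerpt of the second ComboFix log posted above. The two sections print their
# timestamps in opposite order (creation first under "Fichiers créés", last-write
# first under "Find3M"); that is an assumption read off the Alwil Software line.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((( Fichiers créés du 2010-03-26 au 2010-04-26 ))))))))))))))))))))))))))))))))))))
.
2010-04-26 10:46 . 2010-04-14 16:35 162768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-04-26 07:13 . 2010-03-29 22:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-26 06:58 . 2008-04-13 09:40 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-04-26 06:58 . 2008-04-13 09:40 34688 ----a-w- c:\windows\system32\dllcache\lbrtfdc.sys
.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-26 10:46 . 2008-08-11 12:16 -------- d-----w- c:\program files\Alwil Software
2010-04-26 08:07 . 2010-04-26 08:07 574464 ----a-w- c:\windows\TMP5.tmp
2010-04-26 08:07 . 2004-08-03 23:00 574464 ----a-w- c:\windows\system32\drivers\http.sys
2010-04-26 08:06 . 2006-01-26 20:35 568780 ----a-w- c:\windows\system32\perfh00C.dat
2008-08-11 08:12 . 2008-08-11 08:12 23 --sha-w- c:\windows\system32\aadebcf4_z.dll
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) +"
    r"(\d+|-+) +(\S{8}) +(.+?)\s*$")
STAMP = "%Y-%m-%d %H:%M"


def parse_combofix(log):
    """Return a list of dicts with created/modified datetimes, size, attrs and path."""
    order = ("created", "modified")          # "Fichiers créés" / "Files Created" order
    entries = []
    for raw in log.splitlines():
        line = raw.strip()
        if "Find3M" in line:
            order = ("modified", "created")  # Find3M prints last-write first
            continue
        if "Fichiers cr" in line or "Files Created" in line:
            order = ("created", "modified")
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        t1, t2, size, attrs, path = m.groups()
        entry = dict(zip(order, (datetime.strptime(t1, STAMP), datetime.strptime(t2, STAMP))))
        entry["size"] = int(size) if size.isdigit() else None
        entry["attrs"] = attrs
        entry["path"] = path.lower()
        entries.append(entry)
    return entries


def basename(path):
    return path.rsplit("\\", 1)[-1]


def analyze(entries):
    """Return a list of (kind, size, [paths]) findings."""
    findings = []
    scan_day = max(e["modified"] for e in entries).date()

    # 1. Files of identical size where at least one is a driver and the names differ.
    #    A dllcache copy of the same driver is expected (File Protection) and is skipped.
    by_size = defaultdict(list)
    for e in entries:
        if e["size"]:
            by_size[e["size"]].append(e["path"])
    for size, paths in by_size.items():
        if (len(paths) > 1 and any(p.endswith(".sys") for p in paths)
                and len({basename(p) for p in paths}) > 1):
            findings.append(("same-size cluster", size, sorted(paths)))

    for e in entries:
        p = e["path"]
        # 2. A driver whose creation stamp is years old but whose content was written on
        #    the day of the scan: an install creates a new file, an overwrite keeps the
        #    old creation stamp. Drivers installed today (creation = today) are skipped.
        if p.endswith(".sys") and "\\drivers\\" in p:
            age = e["modified"] - e["created"]
            if e["modified"].date() == scan_day and age.days > 365:
                findings.append(("driver rewritten in place", e["size"], [p]))
        # 3. Non-directory files under system32 carrying the system+hidden attributes.
        if ("s" in e["attrs"] and "h" in e["attrs"] and not e["attrs"].startswith("d")
                and "\\system32\\" in p):
            findings.append(("hidden system file", e["size"], [p]))
    return findings


if __name__ == "__main__":
    for kind, size, paths in analyze(parse_combofix(SAMPLE_LOG)):
        print("%-26s %-8s %s" % (kind, size, ", ".join(paths)))
```

The listing only says that http.sys was rewritten and that a same-size .tmp appeared in the same minute; whether its content is actually foreign is decided by hashing it against a known-good copy, not by timestamps. The 23-byte hidden DLL is surfaced for review, nothing more.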
  11. Tigzy (Security Contributor)
     
    If Gmer is not already on the desktop, put it there:
    *Download Gmer's mbr.exe to the Desktop: mbr.exe

    Then

    *click the Start menu --> Run, and type the following command:
    *On XP: "%userprofile%\Bureau\mbr" -f
    *On Vista/Seven: "%userprofile%\Desktop\mbr" -f
    *In the mbr.log this line will appear: original MBR restored successfully !
    *Post the report
    0
  12. John
     
    The line original MBR restored successfully did not appear; here is the log:

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    kernel: MBR read successfully
    user & kernel MBR OK

    Thanks
    0
  13. Tigzy
     
    There's something odd going on.... Combo and MBR are playing hide and seek :D
    Delete Combofix,

    Download it again and rename it testCombo.exe when saving it to the desktop. Then run another scan with it.
    I'm going to ask around, because I'm about to run out of ideas.
    0
  14. John
     
    Here is the testCombo.exe log:

    ComboFix 10-04-21.01 - john 26/04/2010 18:07:24.4.1 - x86 MINIMAL
    Microsoft Windows XP Professionnel 5.1.2600.3.1252.33.1036.18.895.737 [GMT 2:00]
    Lancé depuis: c:\documents and settings\john\Bureau\testCombo.exe
    .

    ((((((((((((((((((((((((((((( Fichiers créés du 2010-03-26 au 2010-04-26 ))))))))))))))))))))))))))))))))))))
    .

    2010-04-26 15:46 . 2010-04-26 15:48 -------- d-----w- C:\testCombo
    2010-04-26 10:46 . 2010-04-14 16:35 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-04-26 10:46 . 2010-04-14 16:35 162768 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-04-26 10:46 . 2010-04-14 16:31 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-04-26 10:46 . 2010-04-14 16:31 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2010-04-26 10:46 . 2010-04-14 16:31 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2010-04-26 10:46 . 2010-04-14 16:31 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-04-26 10:46 . 2010-04-14 16:30 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2010-04-26 10:46 . 2010-04-14 16:47 38848 ----a-w- c:\windows\system32\avastSS.scr
    2010-04-26 10:46 . 2010-04-14 16:47 153184 ----a-w- c:\windows\system32\aswBoot.exe
    2010-04-26 10:46 . 2010-04-26 10:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
    2010-04-26 08:07 . 2010-04-26 08:07 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
    2010-04-26 08:07 . 2010-04-26 08:07 -------- d-----r- c:\documents and settings\LocalService\Favoris
    2010-04-26 07:14 . 2010-04-26 07:14 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
    2010-04-26 07:13 . 2010-04-26 07:13 -------- d-----w- c:\documents and settings\john\Application Data\Malwarebytes
    2010-04-26 07:13 . 2010-03-29 22:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-04-26 07:13 . 2010-04-26 07:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-04-26 07:13 . 2010-04-26 07:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-04-26 07:13 . 2010-03-29 22:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-04-26 06:58 . 2008-04-13 09:40 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
    2010-04-26 06:58 . 2008-04-13 09:40 34688 ----a-w- c:\windows\system32\dllcache\lbrtfdc.sys
    2010-04-26 06:58 . 2008-04-13 09:41 8192 ----a-w- c:\windows\system32\drivers\changer.sys
    2010-04-26 06:58 . 2008-04-13 09:41 8192 ----a-w- c:\windows\system32\dllcache\changer.sys
    2010-04-01 15:34 . 2010-04-01 15:34 -------- d-----w- c:\program files\EZFace
    2010-03-29 06:36 . 2009-10-23 15:28 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe

    .
    (((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-04-26 10:46 . 2008-08-11 12:16 -------- d-----w- c:\program files\Alwil Software
    2010-04-26 08:07 . 2010-04-26 08:07 574464 ----a-w- c:\windows\TMP5.tmp
    2010-04-26 08:07 . 2004-08-03 23:00 574464 ----a-w- c:\windows\system32\drivers\http.sys
    2010-04-26 08:06 . 2010-04-26 08:06 4922 ----a-w- c:\windows\system32\PerfStringBackup.TMP
    2010-04-26 08:06 . 2006-01-26 20:35 568780 ----a-w- c:\windows\system32\perfh00C.dat
    2010-04-26 08:06 . 2006-01-26 20:35 108874 ----a-w- c:\windows\system32\perfc00C.dat
    2010-04-07 09:31 . 2008-02-08 13:59 -------- d-----w- c:\program files\Google
    2008-08-11 08:12 . 2008-08-11 08:12 23 --sha-w- c:\windows\system32\aadebcf4_z.dll
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-04-26_10.38.50 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-07-11 22:02 . 2009-07-11 22:02 51008 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa\vcomp90.dll
    + 2009-07-11 22:02 . 2009-07-11 22:02 59728 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90rus.dll
    + 2009-07-11 22:02 . 2009-07-11 22:02 42832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90kor.dll
    + 2009-07-11 22:02 . 2009-07-11 22:02 43344 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90jpn.dll
    + 2009-07-11 22:02 . 2009-07-11 22:02 61264 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90ita.dll
    + 2009-07-11 22:02 . 2009-07-11 22:02 62800 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90fra.dll
    + 2009-07-11 22:02 . 2009-07-11 22:02 61760 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esp.dll
    + 2009-07-11 22:02 . 2009-07-11 22:02 61776 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esn.dll
    + 2009-07-11 22:02 . 2009-07-11 22:02 53568 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90enu.dll
    + 2009-07-11 22:02 . 2009-07-11 22:02 63296 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90deu.dll
    + 2009-07-11 22:02 . 2009-07-11 22:02 36688 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90cht.dll
    + 2009-07-11 22:02 . 2009-07-11 22:02 35648 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90chs.dll
    + 2009-07-11 22:05 . 2009-07-11 22:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90u.dll
    + 2009-07-11 22:05 . 2009-07-11 22:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90.dll
    + 2009-07-11 22:02 . 2009-07-11 22:02 653120 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcr90.dll
    + 2009-07-11 22:02 . 2009-07-11 22:02 569664 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcp90.dll
    + 2009-07-11 22:05 . 2009-07-11 22:05 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcm90.dll
    + 2009-07-11 22:02 . 2009-07-11 22:02 159032 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2\atl90.dll
    + 2010-04-26 10:46 . 2010-04-26 10:46 219648 c:\windows\Installer\f53b8.msi
    + 2010-04-26 11:43 . 2010-04-26 11:43 219648 c:\windows\Installer\f311d.msi
    + 2009-07-11 22:02 . 2009-07-11 22:02 3780424 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90u.dll
    + 2009-07-11 22:02 . 2009-07-11 22:02 3765048 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90.dll
    .
    ((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-10 68856]
    "Google Update"="c:\documents and settings\john\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-04-21 133104]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Mouse Suite 98 Daemon"="ICO.EXE" [2005-04-13 49152]
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
    "RTHDCPL"="RTHDCPL.EXE" [2007-10-16 16855552]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-15 149280]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

    c:\documents and settings\Administrateur\Menu D'marrer\Programmes\D'marrage\
    CCC.lnk - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2006-9-29 49152]

    c:\documents and settings\Administrateur\Menu D'marrer\Programmes\D'marrage\
    CCC.lnk - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2006-9-29 49152]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

    R0 d344bus;d344bus;c:\windows\system32\drivers\d344bus.sys [22/05/2008 15:44 137216]
    R0 d344prt;d344prt;c:\windows\system32\drivers\d344prt.sys [22/05/2008 15:44 5248]
    S0 mfjaimqa;mfjaimqa; [x]
    S1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [26/04/2010 12:46 162768]
    S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [26/04/2010 12:46 19024]
    S2 gupdate;Service Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [18/11/2009 15:13 135664]
    S3 maconfservice;Ma-Config Service;c:\program files\ma-config.com\maconfservice.exe [11/12/2009 16:43 238960]
    S3 rk_remover-boot;rk_remover-boot;\??\c:\windows\system32\drivers\rk_remover.sys --> c:\windows\system32\drivers\rk_remover.sys [?]
    S3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [22/05/2007 16:59 30336]
    .
    Contenu du dossier 'Tâches planifiées'

    2010-04-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-11-18 13:13]

    2010-04-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-11-18 13:13]

    2010-04-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3136234265-601822484-2454817574-1008Core.job
    - c:\documents and settings\john\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-21 06:30]

    2010-04-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3136234265-601822484-2454817574-1008UA.job
    - c:\documents and settings\john\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-21 06:30]

    2010-04-26 c:\windows\Tasks\User_Feed_Synchronization-{C559A810-C6C3-4249-85CF-66A7272D9D9E}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 03:31]
    .
    .
    ------- Examen supplémentaire -------
    .
    uStart Page = hxxp://www.google.fr/
    IE: E&xporter vers Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
    TCP: {8834C4ED-D914-410F-A084-AF4EE0DDA5C3} = 192.168.0.1
    FF - ProfilePath - c:\documents and settings\john\Application Data\Mozilla\Firefox\Profiles\o0upzg5e.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - www.google.com
    FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101699&gct=&gc=1&q=
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- PARAMETRES FIREFOX ----
    pref(dom.disable_open_during_load, false);c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-04-26 18:16
    Windows 5.1.2600 Service Pack 3 NTFS

    Recherche de processus cachés ...

    Recherche d'éléments en démarrage automatique cachés ...

    Recherche de fichiers cachés ...

    Scan terminé avec succès
    Fichiers cachés: 0

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x85767438]<<
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    \Driver\Disk -> CLASSPNP.SYS @ 0xf7733f28
    \Driver\ACPI -> ACPI.sys @ 0xf7683cb8
    \Driver\atapi -> 0x85767438
    IoDeviceObjectType ->\Device\Harddisk0\DR0 ->Warning: possible MBR rootkit infection !
    user & kernel MBR OK

    **************************************************************************
    .
    --------------------- CLES DE REGISTRE BLOQUEES ---------------------

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø*€|ÿÿÿÿ*€|é*9~*]
    "C040110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
    .
    --------------------- DLLs chargées dans les processus actifs ---------------------

    - - - - - - - > 'winlogon.exe'(256)
    c:\windows\system32\Ati2evxx.dll
    .
    Heure de fin: 2010-04-26 18:21:19
    ComboFix-quarantined-files.txt 2010-04-26 16:21
    ComboFix2.txt 2010-04-26 15:04
    ComboFix3.txt 2010-04-26 14:27
    ComboFix4.txt 2010-04-26 10:40

    Avant-CF: 117 296 930 816 octets libres
    Après-CF: 117 248 987 136 octets libres

    - - End Of File - - C40A2EF6B1ADCC9A4DEFA08AACAE9B40
    0
  15. Tigzy
     
    Listen, I don't think I can get to the bottom of this on my own.
    I'm waiting for advice from the dream team; I'll get back to you, or someone else will take over.. ok?
    0
    1. John
       
      Okay, thanks a lot.
      0
  16. Tigzy
     
    Download Defogger to the desktop

    = Double-click Defogger
    = A window appears; click Disable
    = Restart your PC if asked

    ----------

    Run another Gmer scan.
    0
    1. john
       
      Thanks again for your reply; right now I no longer have access to the PC, I'll test it tomorrow morning.
      Thanks.
      0
    2. Tigzy
       
      ok, see you tomorrow.
      0
  17. John
     
    Hello,
    I ran Defogger, the PC restarted.
    Unfortunately, gmer still hits an error.
    0
  18. Tigzy
     
    Do you have the Defogger report?

    Have you tried Gmer in safe mode?
    0
  19. Tigzy
     
    Was the Recovery Console installed by Combofix?
    If yes, then boot into it (you get the choice at startup)

    Once inside, type:

    fixmbr

    then

    shutdown -r -t 00

    After the reboot, run combofix again.
    0
  20. John
     
    Here is the combofix log:

    ComboFix 10-04-21.01 - john 27/04/2010 9:06.5.1 - x86
    Microsoft Windows XP Professionnel 5.1.2600.3.1252.33.1036.18.895.630 [GMT 2:00]
    Lancé depuis: c:\documents and settings\john\Bureau\testCombo.exe
    .

    ((((((((((((((((((((((((((((( Fichiers créés du 2010-03-27 au 2010-04-27 ))))))))))))))))))))))))))))))))))))
    .

    2010-04-26 15:46 . 2010-04-26 15:48 -------- d-----w- C:\testCombo
    2010-04-26 10:46 . 2010-04-14 16:35 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-04-26 10:46 . 2010-04-14 16:35 162768 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-04-26 10:46 . 2010-04-14 16:31 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-04-26 10:46 . 2010-04-14 16:31 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2010-04-26 10:46 . 2010-04-14 16:31 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2010-04-26 10:46 . 2010-04-14 16:31 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-04-26 10:46 . 2010-04-14 16:30 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2010-04-26 10:46 . 2010-04-14 16:47 38848 ----a-w- c:\windows\system32\avastSS.scr
    2010-04-26 10:46 . 2010-04-14 16:47 153184 ----a-w- c:\windows\system32\aswBoot.exe
    2010-04-26 10:46 . 2010-04-26 10:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
    2010-04-26 08:07 . 2010-04-26 08:07 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
    2010-04-26 08:07 . 2010-04-26 08:07 -------- d-----r- c:\documents and settings\LocalService\Favoris
    2010-04-26 07:14 . 2010-04-26 07:14 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
    2010-04-26 07:13 . 2010-04-26 07:13 -------- d-----w- c:\documents and settings\john\Application Data\Malwarebytes
    2010-04-26 07:13 . 2010-03-29 22:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-04-26 07:13 . 2010-04-26 07:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-04-26 07:13 . 2010-04-26 07:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-04-26 07:13 . 2010-03-29 22:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-04-26 06:58 . 2008-04-13 09:40 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
    2010-04-26 06:58 . 2008-04-13 09:40 34688 ----a-w- c:\windows\system32\dllcache\lbrtfdc.sys
    2010-04-26 06:58 . 2008-04-13 09:41 8192 ----a-w- c:\windows\system32\drivers\changer.sys
    2010-04-26 06:58 . 2008-04-13 09:41 8192 ----a-w- c:\windows\system32\dllcache\changer.sys
    2010-04-01 15:34 . 2010-04-01 15:34 -------- d-----w- c:\program files\EZFace
    2010-03-29 06:36 . 2009-10-23 15:28 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe

    .
    (((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-04-27 06:46 . 2004-08-03 23:00 574464 ----a-w- c:\windows\system32\drivers\http.sys
    2010-04-26 10:46 . 2008-08-11 12:16 -------- d-----w- c:\program files\Alwil Software
    2010-04-26 08:07 . 2010-04-26 08:07 574464 ----a-w- c:\windows\TMP5.tmp
    2010-04-26 08:06 . 2010-04-26 08:06 4922 ----a-w- c:\windows\system32\PerfStringBackup.TMP
    2010-04-26 08:06 . 2006-01-26 20:35 568780 ----a-w- c:\windows\system32\perfh00C.dat
    2010-04-26 08:06 . 2006-01-26 20:35 108874 ----a-w- c:\windows\system32\perfc00C.dat
    2010-04-07 09:31 . 2008-02-08 13:59 -------- d-----w- c:\program files\Google
    2008-08-11 08:12 . 2008-08-11 08:12 23 --sha-w- c:\windows\system32\aadebcf4_z.dll
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-04-26_10.38.50 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-07-11 22:02 . 2009-07-11 22:02 51008 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa\vcomp90.dll
    + 2009-07-11 22:02 . 2009-07-11 22:02 59728 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90rus.dll
    + 2009-07-11 22:02 . 2009-07-11 22:02 42832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90kor.dll
    + 2009-07-11 22:02 . 2009-07-11 22:02 43344 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90jpn.dll
    + 2009-07-11 22:02 . 2009-07-11 22:02 61264 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90ita.dll
    + 2009-07-11 22:02 . 2009-07-11 22:02 62800 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90fra.dll
    + 2009-07-11 22:02 . 2009-07-11 22:02 61760 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esp.dll
    + 2009-07-11 22:02 . 2009-07-11 22:02 61776 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esn.dll
    + 2009-07-11 22:02 . 2009-07-11 22:02 53568 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90enu.dll
    + 2009-07-11 22:02 . 2009-07-11 22:02 63296 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90deu.dll
    + 2009-07-11 22:02 . 2009-07-11 22:02 36688 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90cht.dll
    + 2009-07-11 22:02 . 2009-07-11 22:02 35648 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90chs.dll
    + 2009-07-11 22:05 . 2009-07-11 22:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90u.dll
    + 2009-07-11 22:05 . 2009-07-11 22:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90.dll
    + 2010-04-26 16:29 . 2010-04-26 16:29 16384 c:\windows\temp\Perflib_Perfdata_90.dat
    + 2009-07-11 22:02 . 2009-07-11 22:02 653120 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcr90.dll
    + 2009-07-11 22:02 . 2009-07-11 22:02 569664 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcp90.dll
    + 2009-07-11 22:05 . 2009-07-11 22:05 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcm90.dll
    + 2009-07-11 22:02 . 2009-07-11 22:02 159032 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2\atl90.dll
    + 2010-04-26 10:46 . 2010-04-26 10:46 219648 c:\windows\Installer\f53b8.msi
    + 2010-04-26 11:43 . 2010-04-26 11:43 219648 c:\windows\Installer\f311d.msi
    + 2009-07-11 22:02 . 2009-07-11 22:02 3780424 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90u.dll
    + 2009-07-11 22:02 . 2009-07-11 22:02 3765048 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90.dll
    .
    ((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-10 68856]
    "Google Update"="c:\documents and settings\john\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-04-21 133104]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Mouse Suite 98 Daemon"="ICO.EXE" [2005-04-13 49152]
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
    "RTHDCPL"="RTHDCPL.EXE" [2007-10-16 16855552]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-15 149280]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

    c:\documents and settings\Administrateur\Menu D'marrer\Programmes\D'marrage\
    CCC.lnk - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2006-9-29 49152]

    c:\documents and settings\Administrateur\Menu D'marrer\Programmes\D'marrage\
    CCC.lnk - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2006-9-29 49152]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

    R0 d344bus;d344bus;c:\windows\system32\drivers\d344bus.sys [22/05/2008 15:44 137216]
    R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [26/04/2010 12:46 162768]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [26/04/2010 12:46 19024]
    R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [22/05/2007 16:59 30336]
    S0 mfjaimqa;mfjaimqa; [x]
    S2 gupdate;Service Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [18/11/2009 15:13 135664]
    S3 maconfservice;Ma-Config Service;c:\program files\ma-config.com\maconfservice.exe [11/12/2009 16:43 238960]
    S3 rk_remover-boot;rk_remover-boot;\??\c:\windows\system32\drivers\rk_remover.sys --> c:\windows\system32\drivers\rk_remover.sys [?]
    S4 d344prt;d344prt;c:\windows\system32\drivers\d344prt.sys [22/05/2008 15:44 5248]
    .
    Contenu du dossier 'Tâches planifiées'

    2010-04-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-11-18 13:13]

    2010-04-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-11-18 13:13]

    2010-04-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3136234265-601822484-2454817574-1008Core.job
    - c:\documents and settings\john\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-21 06:30]

    2010-04-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3136234265-601822484-2454817574-1008UA.job
    - c:\documents and settings\john\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-21 06:30]

    2010-04-27 c:\windows\Tasks\User_Feed_Synchronization-{C559A810-C6C3-4249-85CF-66A7272D9D9E}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 03:31]
    .
    .
    ------- Examen supplémentaire -------
    .
    uStart Page = hxxp://www.google.fr/
    IE: E&xporter vers Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
    TCP: {8834C4ED-D914-410F-A084-AF4EE0DDA5C3} = 192.168.0.1
    FF - ProfilePath - c:\documents and settings\john\Application Data\Mozilla\Firefox\Profiles\o0upzg5e.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - www.google.com
    FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101699&gct=&gc=1&q=
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- PARAMETRES FIREFOX ----
    pref(dom.disable_open_during_load, false);c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-04-27 09:12
    Windows 5.1.2600 Service Pack 3 NTFS

    Recherche de processus cachés ...

    Recherche d'éléments en démarrage automatique cachés ...

    Recherche de fichiers cachés ...

    Scan terminé avec succès
    Fichiers cachés: 0

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8529C930]<<
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    \Driver\Disk -> CLASSPNP.SYS @ 0xf7520f28
    \Driver\ACPI -> ACPI.sys @ 0xf7390cb8
    \Driver\atapi -> 0x8529c930
    IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022
    ParseProcedure -> ntkrnlpa.exe @ 0x80577c84
    \Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022
    ParseProcedure -> ntkrnlpa.exe @ 0x80577c84
    NDIS: Marvell Yukon 88E8071 PCI-E Gigabit Ethernet Controller -> SendCompleteHandler -> NDIS.sys @ 0xf722ebb0
    PacketIndicateHandler -> NDIS.sys @ 0xf721da0d
    SendHandler -> NDIS.sys @ 0xf7231b40
    Warning: possible MBR rootkit infection !
    user & kernel MBR OK

    **************************************************************************
    .
    --------------------- CLES DE REGISTRE BLOQUEES ---------------------

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø*€|ÿÿÿÿ*€|é*9~*]
    "C040110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
    .
    --------------------- DLLs chargées dans les processus actifs ---------------------

    - - - - - - - > 'winlogon.exe'(948)
    c:\windows\system32\Ati2evxx.dll
    .
    Heure de fin: 2010-04-27 09:13:51
    ComboFix-quarantined-files.txt 2010-04-27 07:13
    ComboFix2.txt 2010-04-26 16:21
    ComboFix3.txt 2010-04-26 15:04
    ComboFix4.txt 2010-04-26 14:27
    ComboFix5.txt 2010-04-27 07:01

    Avant-CF: 116 321 554 432 octets libres
    Après-CF: 116 275 499 008 octets libres

    - - End Of File - - 5BC5482F9ACC098C6D76FA15C09E39C7
    0
    1. Tigzy
       
      Did you do the fixmbr first?
      0
    2. john
       
      yes
      0
  21. Tigzy
     
    Do this

    = Copy this text that is in bold


    Driver::
    mfjaimqa
    File::
    c:\windows\TMP5.tmp
    c:\windows\system32\aadebcf4_z.dll
    FireFox::
    FF - ProfilePath - c:\documents and settings\john\Application Data\Mozilla\Firefox\Profiles\o0upzg5e.default\
    FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101699&gct=&gc=1&q=


    ------------------------------

    = Open Notepad
    = Right-click ==> paste
    = Do ==> File ==> Save As ==> choose Desktop
    = Name it CFScript.txt
    = Close Notepad
    = Pick up that Notepad file on the desktop with a held left click
    = Drag it onto Combofix and release the click
    = Combofix restarts on its own
    = Put the report in your reply
    0
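As an added example (not from the thread, and not code from ComboFix or Gmer), the script below applies the same reading to these reports that the CFScript above was built from: it picks out the service registered with no file on disk, the Gmer hooks that resolve to a bare address rather than a module, the hidden+system DLL, the keyword.URL redirect, the disabled firewall and open port, and the driver whose size matches the .tmp dropped in c:\windows. It runs over a constructed excerpt of the log lines quoted in the thread; the severity labels and the size-matching heuristic are my own triage rules, not a feature of either tool.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the ComboFix and Gmer reports quoted in the thread.
SAMPLE_REPORT = r"""
2010-04-26 08:07 . 2010-04-26 08:07 574464 ----a-w- c:\windows\TMP5.tmp
2010-04-26 08:07 . 2004-08-03 23:00 574464 ----a-w- c:\windows\system32\drivers\http.sys
2010-04-26 10:46 . 2010-04-14 16:35 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2008-08-11 08:12 . 2008-08-11 08:12 23 --sha-w- c:\windows\system32\aadebcf4_z.dll
"EnableFirewall"= 0 (0x0)
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R0 d344bus;d344bus;c:\windows\system32\drivers\d344bus.sys [22/05/2008 15:44 137216]
S0 mfjaimqa;mfjaimqa; [x]
S3 rk_remover-boot;rk_remover-boot;\??\c:\windows\system32\drivers\rk_remover.sys --> c:\windows\system32\drivers\rk_remover.sys [?]
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101699&gct=&gc=1&q=
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x85767438]<<
\Driver\Disk -> CLASSPNP.SYS @ 0xf7733f28
\Driver\atapi -> 0x85767438
Warning: possible MBR rootkit infection !
"""

# One regex per report line family. ComboFix file entries read:
#   <modified> . <created> <size or -------- for a directory> <attributes> <path>
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (\d+|-+) (\S+) (.+)$")
SERVICE_RE = re.compile(r"^([RS])(\d) ([^;]+);[^;]*;(.*)$")     # R/S<start> name;display;image [...]
HOOK_RE = re.compile(r"^(\\(?:Driver|Device)\\\S+) -> (.+)$")   # Gmer MBR detector hook lines
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")     # caller outside any loaded module
FIREWALL_RE = re.compile(r'^"EnableFirewall"= (\d)')
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=')
KEYWORD_RE = re.compile(r"^FF - prefs\.js: keyword\.URL - (.+)$")

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


def triage(report: str) -> list:
    """Return (severity, subject, reason) triples for the suspicious lines of a report, worst first."""
    findings = []
    files = []  # (size, path) for every file entry, used by the size-matching pass below
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "possible MBR rootkit infection" in line:
            findings.append(("high", "MBR", "Gmer reports hooks consistent with an MBR rootkit"))
            continue
        m = FILE_RE.match(line)
        if m:
            _mtime, _ctime, size, attrs, path = m.groups()
            files.append((size, path))
            # A tiny DLL carrying hidden+system attributes inside system32 is not how Windows ships files.
            if "h" in attrs and "s" in attrs and path.lower().endswith(".dll"):
                findings.append(("medium", path, f"hidden+system DLL of {size} bytes in a system directory"))
            continue
        m = SERVICE_RE.match(line)
        if m:
            _state, start, name, rest = m.groups()
            if rest.endswith("[x]"):
                findings.append(("high", name, f"service registered with start type {start} but no image file on disk"))
            elif rest.endswith("[?]"):
                findings.append(("low", name, "image path could not be verified (stale entry or missing file)"))
            continue
        m = HOOK_RE.match(line)
        if m:
            source, target = m.groups()
            # A hook that names only an address, with no module, points into memory no driver file backs.
            if re.fullmatch(r"0x[0-9A-Fa-f]+", target):
                findings.append(("high", source, f"dispatch hook resolves to bare address {target}, not to a module"))
            continue
        m = UNKNOWN_RE.search(line)
        if m:
            findings.append(("high", m.group(1), "code at this address reached the disk stack but belongs to no loaded module"))
            continue
        m = FIREWALL_RE.match(line)
        if m and m.group(1) == "0":
            findings.append(("medium", "EnableFirewall", "Windows Firewall disabled for the standard profile"))
            continue
        m = PORT_RE.match(line)
        if m:
            findings.append(("medium", f"{m.group(1)}/{m.group(2)}", "inbound port opened to all networks in the firewall policy"))
            continue
        m = KEYWORD_RE.match(line)
        if m:
            findings.append(("medium", "keyword.URL", f"Firefox address-bar searches redirected through {m.group(1)}"))
    # Second pass: a .tmp dropped in c:\windows whose size equals a driver's exact size deserves a look,
    # because a driver written over with another file keeps its name but takes that file's size.
    by_size = defaultdict(list)
    for size, path in files:
        if size.isdigit():
            by_size[size].append(path)
    for size, paths in by_size.items():
        tmps = [p for p in paths if p.lower().endswith(".tmp")]
        drivers = [p for p in paths if p.lower().endswith(".sys")]
        for drv in drivers:
            for tmp in tmps:
                findings.append(("high", drv, f"same size ({size} bytes) as {tmp}; check whether the driver was overwritten"))
    return sorted(findings, key=lambda f: SEVERITY_RANK[f[0]])


if __name__ == "__main__":
    for severity, subject, reason in triage(SAMPLE_REPORT):
        print(f"[{severity:6}] {subject}: {reason}")
```

On the sample, the ten findings come out worst first: the mfjaimqa service, the 0x85767438 caller, the \Driver\atapi hook, the MBR warning and http.sys as high; the hidden DLL, the firewall, 3389/TCP and keyword.URL as medium; rk_remover-boot as low, while d344bus and \Driver\Disk stay silent.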