bug pc

Question

Configuration: Windows XP / Firefox 3.6.3

Salut à tous
Voila, j'ai un bug sur mon ordi, il plante au bout de quelques minutes, plus précisément tout se fige, ctrl+supr inefficace
Je précise que j'ai été infecté recemment par Antivur Doctor ou un truc comme ça. Peut être en reste il des traces...
Aucun malware détecté par Malwarebytes


Voici mon rapport HijackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:56:43, on 30/04/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
K:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
K:\Program Files\Avira\AntiVir Desktop\avgnt.exe
K:\Program Files\QuickTime\qttask.exe
K:\Program Files\SuperCopier2\SuperCopier2.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
K:\Program Files\Avira\AntiVir Desktop\avguard.exe
L:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE
L:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
k:\Program Files\NetLimiter 2 Pro
lsvc.exe
C:\WINDOWS\System32\svchost.exe
k:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\wuauclt.exe
k:\Program Files\NetLimiter 2 Pro\NLClient.exe
K:\Program Files\firefox.exe
L:\Willow\programmes\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.ask.com/?o=10148&l=dis
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: hotrevenue browser enhancer - {DB704689-3FF5-A289-4309-D30A083463BF} - C:\WINDOWS\system32	bojphdlxsegpie.dll (file missing)
O2 - BHO: Java(TM) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [avgnt] "K:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "K:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [SuperCopier2.exe] K:\Program Files\SuperCopier2\SuperCopier2.exe
O4 - HKCU\..\Run: [EPSON Stylus SX400 Series (Copie 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEGE.EXE /FU "C:\WINDOWS\TEMP\E_S1E.tmp" /EF "HKCU"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1268517640233
O23 - Service: Avira AntiVir Planificateur (AntiVirSchedulerService) - Avira GmbH - K:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - K:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Dragon Age: Origins - Application de mise à jour (DAUpdaterSvc) - BioWare - L:\Program Files\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe
O23 - Service: EPSON V5 Service4(01) (EPSON_EB_RPCV4_01) - SEIKO EPSON CORPORATION - L:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - L:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
O23 - Service: Service Google Update (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NetLimiter (nlsvc) - Locktime Software - k:\Program Files\NetLimiter 2 Pro
lsvc.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - k:\Program Files\RealVNC\VNC4\WinVNC4.exe

archet9 · Answer

Bonjour, 

Commence par ceci stp: 


*   Télécharge de AD-Remover sur ton Bureau. (Merci à C_XX) 
http://pagesperso-orange.fr/NosTools/C_XX/AD-R.exe 

Miroir:  

https://www.androidworld.fr/ 

/!\ Ferme toutes applications en cours /!\  

/!\ Désactive provisoirement et seulement le temps de l'utilisation de AD-Remover, la protection en temps réel de ton Antivirus et de tes Antispywares, qui peuvent gêner fortement la procédure de recherche et de nettoyage de l'outil.  
  
- Double-clique sur l'icône Ad-remover située sur ton Bureau.  
- Sur la page, clique sur le bouton « Nettoyer »
- Confirme lancement du scan 
- Laisse travailler l'outil. 
- Poste le rapport qui apparaît à la fin.  

(Le rapport est sauvegardé aussi sous C:\Ad-report(Scan/clean).Txt)  

(CTRL+A pour tout sélectionner, CTRL+C pour copier et CTRL+V pour coller)  


a+ 
........

willow93 · Answer

merci de ta réponse



.
======= RAPPORT D'AD-REMOVER 2.0.0.0,D | UNIQUEMENT XP/VISTA/7 =======
.
Mis à jour par C_XX le 30/04/10 à 18:40
Contact: AdRemover.contact@gmail.com
Site web: http://pagesperso-orange.fr/NosTools/ad_remover.html
.
Lancé à: 13:39:49 le 01/05/2010 | Mode normal | Option: SCAN
Exécuté de: C:\Ad-Remover\ADR.exe
SE: Microsoft® Windows XP(TM)  Service Pack 3 - X86
Nom du PC: WILLOW-CAGE
Utilisateur actuel: willow
.
============== ÉLÉMENT(S) TROUVÉ(S) ==============
.
.
C:\Program Files\Ask.com
C:\Program Files\Mozilla FireFox\Components\AskHPRFF.js
C:\Program Files\Mozilla FireFox\Components
sFFxSHot.xpt
C:\WINDOWS\Installer\{86D4B82A-ABED-442A-BE86-96357B70F4FE}
C:\WINDOWS\Tasks\Scheduled Update for Ask Toolbar.job
L:\DOCUME~1\willow\LOCALS~1\Temp\AskSearch
L:\Documents and Settings\willow\Application Data\Mozilla\FireFox\Profiles\2ig1d9a7.default\extensions	oolbar@ask.com
L:\Documents and Settings\willow\Application Data\Mozilla\FireFox\Profiles\2ig1d9a7.default\searchplugins\askcom.xml
L:\Documents and Settings\willow\Local Settings\Application Data\AskToolbar
.
HKCU\Software\AppDataLow\AskBarDis
HKCU\Software\AppDataLow\AskHomePage
HKCU\Software\AppDataLow\AskToolbarInfo
HKCU\Software\AppDataLow\software\{A1D008E1-4663-81E9-A11A-35154AA79B94}
HKCU\Software\Ask.com
HKCU\Software\AskToolbar
HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}
HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4027C7F-154A-4066-A1AD-4243D8127440}
HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DB704689-3FF5-A289-4309-D30A083463BF}
HKLM\Software\Classes\adhlpr.adhlpr
HKLM\Software\Classes\adhlpr.adhlpr.1.0
HKLM\Software\Classes\AppID\{38061EDC-40BB-4618-A8DA-E56353347E6D}
HKLM\Software\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}
HKLM\Software\Classes\AppID\{A9722A0D-365F-47D2-B70B-37D046316D99}
HKLM\Software\Classes\AppID\GenericAskToolbar.DLL
HKLM\Software\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}
HKLM\Software\Classes\CLSID\{DB704689-3FF5-A289-4309-D30A083463BF}
HKLM\Software\Classes\GenericAskToolbar.ToolbarWnd
HKLM\Software\Classes\GenericAskToolbar.ToolbarWnd.1
HKLM\Software\Classes\Installer\Products\A28B4D68DEBAA244EB686953B7074FEF
HKLM\Software\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}
HKLM\Software\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}
HKLM\Software\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}
HKLM\Software\Classes\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}
HKLM\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DB704689-3FF5-A289-4309-D30A083463BF}
HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Userdata\S-1-5-18\Products\A28B4D68DEBAA244EB686953B7074FEF
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{86D4B82A-ABED-442A-BE86-96357B70F4FE}
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser|{D4027C7F-154A-4066-A1AD-4243D8127440}
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\post platform|AskTB5.5
HKLM\Software\Microsoft\Internet Explorer\Toolbar|{D4027C7F-154A-4066-A1AD-4243D8127440}
HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDLLs|C:\Program Files\Ask.com\GenericAskToolbar.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDLLs|C:\Program Files\Ask.com\TaskScheduler.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDLLs|C:\Program Files\Ask.com\UpdateTask.exe
.
.
============== SCAN ADDITIONNEL ==============
.
* Mozilla FireFox Version 3.6.3 (fr) *
.
L:\Documents and Settings\willow\..\2ig1d9a7.default\prefs.js - browser.download.lastDir: L:\Documents and Settings\willow\Bureau
L:\Documents and Settings\willow\..\2ig1d9a7.default\prefs.js - browser.search.defaultenginename: Ask.com
L:\Documents and Settings\willow\..\2ig1d9a7.default\prefs.js - browser.search.selectedEngine: Google
L:\Documents and Settings\willow\..\2ig1d9a7.default\prefs.js - browser.startup.homepage_override.mstone: rv:1.9.2.3
L:\Documents and Settings\willow\..\2ig1d9a7.default\prefs.js - keyword.URL: hxxp://supertoolbar.ask.com/redirect?client=ff&src=kw&tb=BTV5&o=10148&locale=en_US&q=
L:\Documents and Settings\Administrateur\..\jccpu1ie.default\prefs.js - browser.startup.homepage_override.mstone: rv:1.9.1.8
.
TROUVÉ: L:\Documents and Settings\willow\..\2ig1d9a7.default\prefs.js - user_pref("browser.search.defaultengine", "Ask.com");
TROUVÉ: L:\Documents and Settings\willow\..\2ig1d9a7.default\prefs.js - user_pref("browser.search.defaultenginename", "Ask.com");
TROUVÉ: L:\Documents and Settings\willow\..\2ig1d9a7.default\prefs.js - user_pref("browser.search.order.1", "Ask.com");
TROUVÉ: L:\Documents and Settings\willow\..\2ig1d9a7.default\prefs.js - user_pref("extensions.asktb.cbid", "A2");
TROUVÉ: L:\Documents and Settings\willow\..\2ig1d9a7.default\prefs.js - user_pref("extensions.asktb.default-channel-url-mask", "hxxp://www.ask.com/web?q={query}&o={o}&l={l}&qsrc={qsrc}");
TROUVÉ: L:\Documents and Settings\willow\..\2ig1d9a7.default\prefs.js - user_pref("extensions.asktb.fresh-install", false);
TROUVÉ: L:\Documents and Settings\willow\..\2ig1d9a7.default\prefs.js - user_pref("extensions.asktb.l", "dis");
TROUVÉ: L:\Documents and Settings\willow\..\2ig1d9a7.default\prefs.js - user_pref("extensions.asktb.last-config-req", "1272601374032");
TROUVÉ: L:\Documents and Settings\willow\..\2ig1d9a7.default\prefs.js - user_pref("extensions.asktb.locale", "en_US");
TROUVÉ: L:\Documents and Settings\willow\..\2ig1d9a7.default\prefs.js - user_pref("extensions.asktb.o", "10148");
TROUVÉ: L:\Documents and Settings\willow\..\2ig1d9a7.default\prefs.js - user_pref("extensions.asktb.overlay-reloaded-using-restart", true);
TROUVÉ: L:\Documents and Settings\willow\..\2ig1d9a7.default\prefs.js - user_pref("extensions.asktb.qsrc", "2871");
TROUVÉ: L:\Documents and Settings\willow\..\2ig1d9a7.default\prefs.js - user_pref("extensions.asktb.r", "2");
TROUVÉ: L:\Documents and Settings\willow\..\2ig1d9a7.default\prefs.js - user_pref("extensions.enabledItems", "anycolor.pavlos256@gmail.com:0.3.2,{e001c731-5e37-4538-a5cb-8168736a2360}:0.9.9.18,piclens@cooliris.com:1.11.6,{DDC359D1-844A-42a7-9AA1-88A850A938A8}:1.1.9,{1018e4d6-728f-4b20-ad56-37578a4de76b}:4.0.4,jqs@sun.com:1.0,{20a82645-c095-46ed-80e3-08825760534b}:1.1,{db53f460-71d0-4aac-9eaf-d4700a6a2f07}:0.9.82,personas@christopher.beard:1.5.3,toolbar@ask.com:3.5.1.110,{972ce4c6-7e08-4474-a285-3208198ce6fd}:3.6.3");
TROUVÉ: L:\Documents and Settings\willow\..\2ig1d9a7.default\prefs.js - user_pref("keyword.URL", "hxxp://supertoolbar.ask.com/redirect?client=ff&src=kw&tb=BTV5&o=10148&locale=en_US&q=");
.
* Internet Explorer Version 6.0.2900.5512 *
.
[HKCU\Software\Microsoft\Internet Explorer\Main]
.
Do404Search: 0x01000000
Local Page: C:\WINDOWS\system32\blank.htm
Search Page: hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
Show_ToolBar: yes
Start Page: hxxp://www.ask.com?o=10148&l=dis
.
[HKLM\Software\Microsoft\Internet Explorer\Main]
.
Default_Page_URL: hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
Default_Search_URL: hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
Delete_Temp_Files_On_Exit: yes
Local Page: %SystemRoot%\system32\blank.htm
Search Page: hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
Start Page: hxxp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
.
[HKLM\Software\Microsoft\Internet Explorer\ABOUTURLS]
.
Blank: res://mshtml.dll/blank.htm
.
========================================
.
C:\Ad-Remover\Quarantine: 0 Fichier(s)
C:\Ad-Remover\Backup: 1 Fichier(s)
.
L:\Ad-Report-SCAN[1].txt - 8086 Octet(s)
.
Fin à: 13:42:00, 01/05/2010
.
============== E.O.F - SCAN[1] ==============

archet9 · Answer

Re, 

Je t'avais demandé ceci :

- Double-clique sur l'icône Ad-remover située sur ton Bureau. 
- Sur la page, clique sur le bouton « Nettoyer » 

==> Donc recommence !!! --> Car tu as fait l'option "chercher"qui a trouvé des éléments infectieux, mais qui ne les a pas supprimé !

a+

willow93 · Answer

oupss !



.
======= RAPPORT D'AD-REMOVER 2.0.0.0,D | UNIQUEMENT XP/VISTA/7 =======
.
Mis à jour par C_XX le 30/04/10 à 18:40
Contact: AdRemover.contact@gmail.com
Site web: http://pagesperso-orange.fr/NosTools/ad_remover.html
.
Lancé à: 14:06:36 le 01/05/2010 | Mode normal | Option: CLEAN
Exécuté de: C:\Ad-Remover\ADR.exe
SE: Microsoft® Windows XP(TM)  Service Pack 3 - X86
Nom du PC: WILLOW-CAGE
Utilisateur actuel: willow
.
============== ÉLÉMENT(S) NEUTRALISÉ(S) ==============
.
.
C:\Program Files\Ask.com
C:\Program Files\Mozilla FireFox\Components\AskHPRFF.js
C:\Program Files\Mozilla FireFox\Components
sFFxSHot.xpt
C:\WINDOWS\Installer\{86D4B82A-ABED-442A-BE86-96357B70F4FE}
C:\WINDOWS\Tasks\Scheduled Update for Ask Toolbar.job
L:\DOCUME~1\willow\LOCALS~1\Temp\AskSearch
L:\Documents and Settings\willow\Application Data\Mozilla\FireFox\Profiles\2ig1d9a7.default\extensions	oolbar@ask.com
L:\Documents and Settings\willow\Application Data\Mozilla\FireFox\Profiles\2ig1d9a7.default\searchplugins\askcom.xml
L:\Documents and Settings\willow\Local Settings\Application Data\AskToolbar

(!) -- Fichiers temporaires supprimés.
.
HKCU\Software\AppDataLow\AskBarDis
HKCU\Software\AppDataLow\AskHomePage
HKCU\Software\AppDataLow\AskToolbarInfo
HKCU\Software\AppDataLow\software\{A1D008E1-4663-81E9-A11A-35154AA79B94}
HKCU\Software\Ask.com
HKCU\Software\AskToolbar
HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}
HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4027C7F-154A-4066-A1AD-4243D8127440}
HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DB704689-3FF5-A289-4309-D30A083463BF}
HKLM\Software\Classes\adhlpr.adhlpr
HKLM\Software\Classes\adhlpr.adhlpr.1.0
HKLM\Software\Classes\AppID\{38061EDC-40BB-4618-A8DA-E56353347E6D}
HKLM\Software\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}
HKLM\Software\Classes\AppID\{A9722A0D-365F-47D2-B70B-37D046316D99}
HKLM\Software\Classes\AppID\GenericAskToolbar.DLL
HKLM\Software\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}
HKLM\Software\Classes\CLSID\{DB704689-3FF5-A289-4309-D30A083463BF}
HKLM\Software\Classes\GenericAskToolbar.ToolbarWnd
HKLM\Software\Classes\GenericAskToolbar.ToolbarWnd.1
HKLM\Software\Classes\Installer\Products\A28B4D68DEBAA244EB686953B7074FEF
HKLM\Software\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}
HKLM\Software\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}
HKLM\Software\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}
HKLM\Software\Classes\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}
HKLM\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DB704689-3FF5-A289-4309-D30A083463BF}
HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Userdata\S-1-5-18\Products\A28B4D68DEBAA244EB686953B7074FEF
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{86D4B82A-ABED-442A-BE86-96357B70F4FE}
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser|{D4027C7F-154A-4066-A1AD-4243D8127440}
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\post platform|AskTB5.5
HKLM\Software\Microsoft\Internet Explorer\Toolbar|{D4027C7F-154A-4066-A1AD-4243D8127440}
HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDLLs|C:\Program Files\Ask.com\GenericAskToolbar.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDLLs|C:\Program Files\Ask.com\TaskScheduler.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDLLs|C:\Program Files\Ask.com\UpdateTask.exe
.
(Orpheline) HKCU,Run - EPSON Stylus SX400 Series (Copie 1) - C:\WINDOWS\TEMP\E_S1E.tmp (Fichier manquant)
(Orpheline) HKLM,Uninstall - KB888111WXPSP2 - C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe (Fichier manquant)
(Orpheline) HKLM,Uninstall - KB923561 - C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe (Fichier manquant)
(Orpheline) HKLM,Uninstall - KB946648 - C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe (Fichier manquant)
(Orpheline) HKLM,Uninstall - KB950762 - C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe (Fichier manquant)
(Orpheline) HKLM,Uninstall - KB951066 - C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe (Fichier manquant)
(Orpheline) HKLM,Uninstall - KB951748 - C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe (Fichier manquant)
(Orpheline) HKLM,Uninstall - KB952004 - C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe (Fichier manquant)
(Orpheline) HKLM,Uninstall - KB952069_WM9 - C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe (Fichier manquant)
(Orpheline) HKLM,Uninstall - KB952954 - C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe (Fichier manquant)
(Orpheline) HKLM,Uninstall - KB955069 - C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe (Fichier manquant)
(Orpheline) HKLM,Uninstall - KB956572 - C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe (Fichier manquant)
(Orpheline) HKLM,Uninstall - KB956802 - C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe (Fichier manquant)
(Orpheline) HKLM,Uninstall - KB956844 - C:\WINDOWS\$NtUninstallKB956844$\spuninst\spuninst.exe (Fichier manquant)
(Orpheline) HKLM,Uninstall - KB958869 - C:\WINDOWS\$NtUninstallKB958869$\spuninst\spuninst.exe (Fichier manquant)
(Orpheline) HKLM,Uninstall - KB960225 - C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe (Fichier manquant)
(Orpheline) HKLM,Uninstall - KB960859 - C:\WINDOWS\$NtUninstallKB960859$\spuninst\spuninst.exe (Fichier manquant)
(Orpheline) HKLM,Uninstall - KB961501 - C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe (Fichier manquant)
(Orpheline) HKLM,Uninstall - KB968389 - C:\WINDOWS\$NtUninstallKB968389$\spuninst\spuninst.exe (Fichier manquant)
(Orpheline) HKLM,Uninstall - KB969059 - C:\WINDOWS\$NtUninstallKB969059$\spuninst\spuninst.exe (Fichier manquant)
(Orpheline) HKLM,Uninstall - KB970238 - C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe (Fichier manquant)
(Orpheline) HKLM,Uninstall - KB971468 - C:\WINDOWS\$NtUninstallKB971468$\spuninst\spuninst.exe (Fichier manquant)
(Orpheline) HKLM,Uninstall - KB971737 - C:\WINDOWS\$NtUninstallKB971737$\spuninst\spuninst.exe (Fichier manquant)
(Orpheline) HKLM,Uninstall - KB972270 - C:\WINDOWS\$NtUninstallKB972270$\spuninst\spuninst.exe (Fichier manquant)
(Orpheline) HKLM,Uninstall - KB973507 - C:\WINDOWS\$NtUninstallKB973507$\spuninst\spuninst.exe (Fichier manquant)
(Orpheline) HKLM,Uninstall - KB973540_WM9L - C:\WINDOWS\$NtUninstallKB973540_WM9L$\spuninst\spuninst.exe (Fichier manquant)
(Orpheline) HKLM,Uninstall - KB973815 - C:\WINDOWS\$NtUninstallKB973815$\spuninst\spuninst.exe (Fichier manquant)
(Orpheline) HKLM,Uninstall - KB973904 - C:\WINDOWS\$NtUninstallKB973904$\spuninst\spuninst.exe (Fichier manquant)
(Orpheline) HKLM,Uninstall - KB974318 - C:\WINDOWS\$NtUninstallKB974318$\spuninst\spuninst.exe (Fichier manquant)
(Orpheline) HKLM,Uninstall - KB974571 - C:\WINDOWS\$NtUninstallKB974571$\spuninst\spuninst.exe (Fichier manquant)
(Orpheline) HKLM,Uninstall - KB975467 - C:\WINDOWS\$NtUninstallKB975467$\spuninst\spuninst.exe (Fichier manquant)
(Orpheline) HKLM,Uninstall - KB975561 - C:\WINDOWS\$NtUninstallKB975561$\spuninst\spuninst.exe (Fichier manquant)
(Orpheline) HKLM,Uninstall - KB977165-v2 - C:\WINDOWS\$NtUninstallKB977165-v2$\spuninst\spuninst.exe (Fichier manquant)
(Orpheline) HKLM,Uninstall - KB977914 - C:\WINDOWS\$NtUninstallKB977914$\spuninst\spuninst.exe (Fichier manquant)
(Orpheline) HKLM,Uninstall - KB978207 - C:\WINDOWS\$NtUninstallKB978207$\spuninst\spuninst.exe (Fichier manquant)
(Orpheline) HKLM,Uninstall - KB978262 - C:\WINDOWS\$NtUninstallKB978262$\spuninst\spuninst.exe (Fichier manquant)
(Orpheline) HKLM,Uninstall - KB978706 - C:\WINDOWS\$NtUninstallKB978706$\spuninst\spuninst.exe (Fichier manquant)
(Orpheline) HKLM,Uninstall - WIC - C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe (Fichier manquant)
(Orpheline) HKLM,Uninstall - Windows XP Service - C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe (Fichier manquant)
.
============== SCAN ADDITIONNEL ==============
.
* Mozilla FireFox Version 3.6.3 (fr) *
.
L:\Documents and Settings\willow\..\2ig1d9a7.default\prefs.js - browser.download.lastDir: L:\Documents and Settings\willow\Bureau
L:\Documents and Settings\willow\..\2ig1d9a7.default\prefs.js - browser.search.defaultenginename: Ask.com
L:\Documents and Settings\willow\..\2ig1d9a7.default\prefs.js - browser.search.selectedEngine: Google
L:\Documents and Settings\willow\..\2ig1d9a7.default\prefs.js - browser.startup.homepage_override.mstone: rv:1.9.2.3
L:\Documents and Settings\willow\..\2ig1d9a7.default\prefs.js - keyword.URL: hxxp://supertoolbar.ask.com/redirect?client=ff&src=kw&tb=BTV5&o=10148&locale=en_US&q=
L:\Documents and Settings\Administrateur\..\jccpu1ie.default\prefs.js - browser.startup.homepage_override.mstone: rv:1.9.1.8
.
EFFACÉ: L:\Documents and Settings\willow\..\2ig1d9a7.default\prefs.js - user_pref("browser.search.defaultengine", "Ask.com");
EFFACÉ: L:\Documents and Settings\willow\..\2ig1d9a7.default\prefs.js - user_pref("browser.search.defaultenginename", "Ask.com");
EFFACÉ: L:\Documents and Settings\willow\..\2ig1d9a7.default\prefs.js - user_pref("browser.search.order.1", "Ask.com");
EFFACÉ: L:\Documents and Settings\willow\..\2ig1d9a7.default\prefs.js - user_pref("extensions.asktb.cbid", "A2");
EFFACÉ: L:\Documents and Settings\willow\..\2ig1d9a7.default\prefs.js - user_pref("extensions.asktb.default-channel-url-mask", "hxxp://www.ask.com/web?q={query}&o={o}&l={l}&qsrc={qsrc}");
EFFACÉ: L:\Documents and Settings\willow\..\2ig1d9a7.default\prefs.js - user_pref("extensions.asktb.fresh-install", false);
EFFACÉ: L:\Documents and Settings\willow\..\2ig1d9a7.default\prefs.js - user_pref("extensions.asktb.l", "dis");
EFFACÉ: L:\Documents and Settings\willow\..\2ig1d9a7.default\prefs.js - user_pref("extensions.asktb.last-config-req", "1272601374032");
EFFACÉ: L:\Documents and Settings\willow\..\2ig1d9a7.default\prefs.js - user_pref("extensions.asktb.locale", "en_US");
EFFACÉ: L:\Documents and Settings\willow\..\2ig1d9a7.default\prefs.js - user_pref("extensions.asktb.o", "10148");
EFFACÉ: L:\Documents and Settings\willow\..\2ig1d9a7.default\prefs.js - user_pref("extensions.asktb.overlay-reloaded-using-restart", true);
EFFACÉ: L:\Documents and Settings\willow\..\2ig1d9a7.default\prefs.js - user_pref("extensions.asktb.qsrc", "2871");
EFFACÉ: L:\Documents and Settings\willow\..\2ig1d9a7.default\prefs.js - user_pref("extensions.asktb.r", "2");
EFFACÉ: L:\Documents and Settings\willow\..\2ig1d9a7.default\prefs.js - user_pref("extensions.enabledItems", "anycolor.pavlos256@gmail.com:0.3.2,{e001c731-5e37-4538-a5cb-8168736a2360}:0.9.9.18,piclens@cooliris.com:1.11.6,{DDC359D1-844A-42a7-9AA1-88A850A938A8}:1.1.9,{1018e4d6-728f-4b20-ad56-37578a4de76b}:4.0.4,jqs@sun.com:1.0,{20a82645-c095-46ed-80e3-08825760534b}:1.1,{db53f460-71d0-4aac-9eaf-d4700a6a2f07}:0.9.82,personas@christopher.beard:1.5.3,toolbar@ask.com:3.5.1.110,{972ce4c6-7e08-4474-a285-3208198ce6fd}:3.6.3");
EFFACÉ: L:\Documents and Settings\willow\..\2ig1d9a7.default\prefs.js - user_pref("keyword.URL", "hxxp://supertoolbar.ask.com/redirect?client=ff&src=kw&tb=BTV5&o=10148&locale=en_US&q=");
.
* Internet Explorer Version 6.0.2900.5512 *
.
[HKCU\Software\Microsoft\Internet Explorer\Main]
.
Default_Page_URL: hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
Default_Search_URL: hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
Do404Search: 0x01000000
Local Page: C:\WINDOWS\system32\blank.htm
Search bar: hxxp://go.microsoft.com/fwlink/?linkid=54896
Show_ToolBar: yes
Start Page: hxxp://fr.msn.com/
.
[HKLM\Software\Microsoft\Internet Explorer\Main]
.
Default_Page_URL: hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
Default_Search_URL: hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
Delete_Temp_Files_On_Exit: yes
Local Page: %SystemRoot%\system32\blank.htm
Search bar: hxxp://search.msn.com/spbasic.htm
Search Page: hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
Start Page: hxxp://fr.msn.com/
.
[HKLM\Software\Microsoft\Internet Explorer\ABOUTURLS]
.
Tabs: res://ieframe.dll/tabswelcome.htm
Blank: res://mshtml.dll/blank.htm
.
========================================
.
C:\Ad-Remover\Quarantine: 80 Fichier(s)
C:\Ad-Remover\Backup: 14 Fichier(s)
.
L:\Ad-Report-CLEAN[1].txt - 12797 Octet(s)
L:\Ad-Report-SCAN[1].txt - 8210 Octet(s)
L:\Ad-Report-SCAN[2].txt - 8252 Octet(s)
.
Fin à: 14:08:49, 01/05/2010
.
============== E.O.F - CLEAN[1] ==============

willow93 · Answer

ca bug toujours !

archet9 · Answer

Fais un scan avec cet antispyware : 
Malwarebytes + tutoriel 
 
Tu l'installes; mets le a jour...(onglet mise a jour)
Click maintenant sur l'onglet recherche et coche la case :
 "Executer un examen rapide".
Puis click sur "rechercher". 
Laisses le scanner le pc...
A la fin du scan, clique sur Afficher les résultats 
Si des elements on ete trouvés : 
> click sur supprimer la selection.
si il t'es demandé de redemarrer > click sur "oui".
A la fin un rapport va s'ouvrir; 
sauvegarde le de maniere a le retrouver en vue de le poster sur le forum.
Copies et colles le rapport stp.  

a+

willow93 · Answer

AUCUN nuisibles détectés !

archet9 · Answer

Télécharge RSIT (de random/random) sur le bureau :

- Double clique sur RSIT.exe qui est sur le bureau
- Clique sur "Continue" dans la fenêtre
- RSIT téléchargera HijackThis si il n'est pas présent où détecté, alors il faudra accepter la licence
- Poste le contenu de log.txt plus info.txt (réduit ds la barre de taches) à la fin de l'analyse .
- Si le rapport est trop long pour passer sur le forum héberge le sur http://www.cijoint.fr/
et colle le lien généré.
Les rapports sont dans le dossier ici C:\rsit
a+

willow93 · Answer

http://www.cijoint.fr/cjlink.php?file=cj201005/cijxsxH6O8.txt
http://www.cijoint.fr/cjlink.php?file=cj201005/cij7RSIg1Y.txt

archet9 · Answer

Tes rapports montrent une infection liée à tes supports amovibles !

* Télécharge USBFIX  

http://pagesperso-orange.fr/NosTools/Chiquitine29/UsbFix.exe­ 
 


 (!) Branche tes sources de données externes à ton PC, (clé USB, disque dur externe, etc...) susceptibles d'avoir été infectés sans les ouvrir

* Double clic sur le raccourci UsbFix présent sur ton bureau .

* Au menu principal choisis l'option " F " pour français et tape sur [entrée] . 

* Au second menu Choisis l'option " 2 " (Suppression) et tape sur [entrée] 

* Laisse travailler l'outil.

* Ensuite post le rapport UsbFix.txt qui apparaitra.

* Note : Le rapport UsbFix.txt est sauvegardé a la racine du disque. ( C:\UsbFix.txt )

( CTRL+A Pour tout selectionner , CTRL+C pour copier et CTRL+V pour coller ) 

* Note : "Process.exe", une composante de l'outil, est détecté par certains antivirus (AntiVir, Dr.Web, Kaspersky Anti-Virus) comme étant un RiskTool. 
          Il ne s'agit pas d'un virus, mais d'un utilitaire destiné à mettre fin à des processus.           Mis entre de mauvaises mains, cet utilitaire pourrait arrêter des logiciels de sécurité (Antivirus, Firewall...) d'où l'alerte émise par ces antivirus. 

a+

willow93 · Answer

Bizzard, je n'est pas utilisé de clé usb ces derniers temps...


############################## | UsbFix V6.110 |

User : willow (Administrateurs) # WILLOW-CAGE
Update on 29/04/2010 by El Desaparecido , C_XX & Chimay8
Start at: 17:49:33 | 01/05/2010
Website : http://pagesperso-orange.fr/NosTools/index.html
Contact : FindyKill.Contact@gmail.com

Processeur Intel Pentium III Xeon
Microsoft Windows XP Édition familiale (5.1.2600 32-bit) # Service Pack 3
Internet Explorer 6.0.2900.5512
Windows Firewall Status : Enabled
AV : AntiVir Desktop 9.0.1.32 [ Enabled | Updated ]

A:\ -> Lecteur de disquettes 3 ½ pouces
C:\ -> Disque fixe local # 6,51 Go (942,62 Mo free) # NTFS
D:\ -> Disque fixe local # 232,88 Go (232,21 Go free) [alex] # NTFS
E:\ -> Disque CD-ROM
F:\ -> Disque fixe local # 37,23 Go (31,8 Go free) [JUKE BOX] # FAT32
H:\ -> Disque amovible
I:\ -> Disque amovible
J:\ -> Disque CD-ROM
K:\ -> Disque fixe local # 105,28 Go (101,62 Go free) [autre] # NTFS
L:\ -> Disque fixe local # 698,64 Go (349,55 Go free) [Disk Willow] # NTFS
M:\ -> Disque amovible
N:\ -> Disque amovible

################## | Elements infectieux |

Supprimé ! C:\Recycler\S-1-5-21-1004336348-57989841-839522115-1004 
Supprimé ! D:\Recycler\S-1-5-21-1004336348-57989841-839522115-1004 
Supprimé ! K:\Recycler\S-1-5-21-1004336348-57989841-839522115-1004 
Supprimé ! L:\Recycler\S-1-5-21-1004336348-57989841-839522115-1004 

################## | Registre |


################## | Mountpoints2 |


################## | Listing des fichiers présent |

[13/03/2010 16:24|--a------|0] C:\AUTOEXEC.BAT 
[25/04/2010 21:57|---hs----|216] C:\boot.ini 
[28/08/2001 14:00|-rahs----|4952] C:\Bootfont.bin 
[13/03/2010 16:24|--a------|0] C:\CONFIG.SYS 
[13/03/2010 16:32|--a------|197] C:\csb.log 
[13/03/2010 16:24|-rahs----|0] C:\IO.SYS 
[13/03/2010 16:24|-rahs----|0] C:\MSDOS.SYS 
[14/03/2010 12:58|-rahs----|47564] C:\NTDETECT.COM 
[24/03/2010 14:46|-rahs----|252240] C:\ntldr 
[21/03/2010 15:07|--ahs----|20] C:\ntuser.ini 
[?|?|?] C:\pagefile.sys 
[26/04/2010 18:13|--a------|679] C:\rkill.log 
[16/03/2010 14:34|--ahs----|4096] C:\Thumbs.db 
[17/01/2010 05:34|--a------|1637171] D:\(eBook) Le livre noir du capitalisme (1998).pdf 
[17/01/2010 05:34|--a------|66449] D:\Entrer En R'sistance - Sur Les In'galit's Dans Nos Soci't's Industrielles Avanc'es - Economie Capitalisme Philosophie Politique.doc 
[17/01/2010 06:16|--a------|1231522] D:\important,attestation,chiva.pdf 
[17/01/2010 05:34|--a------|76006] D:\Le nouveau manifeste du capitalisme mondial french REVEILLEZ VOUS by HASARD.pdf 
[17/01/2010 06:16|--a------|3266828] D:\p 274.jpeg 
[17/01/2010 06:16|--a------|800382] D:\P1110608.JPG 
[17/01/2010 06:16|--a------|1193815] D:\P1110609.JPG 
[17/01/2010 06:16|--a------|1215167] D:\P1110610.JPG 
[17/01/2010 06:16|--a------|1113729] D:\P1110611.JPG 
[17/01/2010 06:16|--a------|1017477] D:\P1110612.JPG 
[17/01/2010 06:16|--a------|1153361] D:\P1110613.JPG 
[17/01/2010 06:16|--a------|1004049] D:\P1110614.JPG 
[17/01/2010 06:16|--a------|995700] D:\P1110619.JPG 
[17/01/2010 06:16|--a------|1130838] D:\P1110620.JPG 
[17/01/2010 06:16|--a------|1050070] D:\P1110621.JPG 
[17/01/2010 06:16|--a------|1124812] D:\P1110622.JPG 
[17/01/2010 06:16|--a------|992085] D:\P1110623.JPG 
[17/01/2010 06:16|--a------|971818] D:\P1110626.JPG 
[17/01/2010 06:16|--a------|1066521] D:\P1110636.JPG 
[17/01/2010 06:16|--a------|1004299] D:\P1110637.JPG 
[17/01/2010 06:16|--a------|1152521] D:\P1110638.JPG 
[17/01/2010 06:16|--a------|932003] D:\P1110639.JPG 
[17/01/2010 06:16|--a------|1000580] D:\P1110640.JPG 
[17/01/2010 06:16|--a------|1129683] D:\P1110641.JPG 
[17/01/2010 06:16|--a------|1258513] D:\P1110642.JPG 
[17/01/2010 06:16|--a------|1133102] D:\P1110644.JPG 
[17/01/2010 06:16|--a------|1017045] D:\P1110648.JPG 
[17/01/2010 06:16|--a------|1018986] D:\P1110650.JPG 
[17/01/2010 06:16|--a------|1095592] D:\P1110651.JPG 
[17/01/2010 06:16|--a------|962300] D:\P1110654.JPG 
[17/01/2010 06:16|--a------|961215] D:\P1110660.JPG 
[17/01/2010 06:16|--a------|937776] D:\P1110664.JPG 
[17/01/2010 06:16|--a------|1036450] D:\P1110665.JPG 
[17/01/2010 06:16|--a------|1068585] D:\P1110666.JPG 
[17/01/2010 06:16|--a------|892830] D:\P1110667.JPG 
[17/01/2010 06:16|--a------|1144330] D:\P1110668.JPG 
[17/01/2010 06:16|--a------|1015290] D:\P1110669.JPG 
[17/01/2010 06:16|--a------|1081730] D:\P1110670.JPG 
[17/01/2010 06:16|--a------|1019883] D:\P1110671.JPG 
[17/01/2010 06:16|--a------|974463] D:\P1110672.JPG 
[17/01/2010 06:16|--a------|999116] D:\P1110676.JPG 
[17/01/2010 06:16|--a------|1068788] D:\P1110680.JPG 
[17/01/2010 06:16|--a------|967351] D:\P1110681.JPG 
[17/01/2010 06:16|--a------|1064573] D:\P1110682.JPG 
[17/01/2010 06:16|--a------|978166] D:\P1110683.JPG 
[17/01/2010 06:16|--a------|911677] D:\P1110684.JPG 
[17/01/2010 06:16|--a------|1175297] D:\P1110687.JPG 
[17/01/2010 06:16|--a------|784286] D:\P1110688.JPG 
[17/01/2010 06:16|--a------|754213] D:\P1110690.JPG 
[17/01/2010 06:16|--a------|970187] D:\P1110691.JPG 
[17/01/2010 06:16|--a------|808110] D:\P1110692.JPG 
[17/01/2010 06:16|--a------|1084749] D:\P1110693.JPG 
[17/01/2010 06:16|--a------|888969] D:\P1110694.JPG 
[17/01/2010 06:16|--a------|1037882] D:\P1110695.JPG 
[17/01/2010 06:16|--a------|906360] D:\P1110697.JPG 
[17/01/2010 06:16|--a------|887975] D:\P1110700.JPG 
[17/01/2010 06:16|--a------|773401] D:\P1110701.JPG 
[17/01/2010 06:16|--a------|902354] D:\P1110703.JPG 
[17/01/2010 06:16|--a------|930775] D:\P1110704.JPG 
[17/01/2010 06:16|--a------|992547] D:\P1110707.JPG 
[17/01/2010 06:16|--a------|746539] D:\P1110710.JPG 
[17/01/2010 06:16|--a------|893552] D:\P1110713.JPG 
[17/01/2010 06:16|--a------|851417] D:\P1110715.JPG 
[17/01/2010 06:16|--a------|869222] D:\P1110724.JPG 
[17/01/2010 06:16|--a------|1098334] D:\P1110729.JPG 
[17/01/2010 06:16|--a------|1210621] D:\P1110730.JPG 
[17/01/2010 06:16|--a------|918594] D:\P1110731.JPG 
[17/01/2010 06:16|--a------|1116511] D:\P1110733.JPG 
[17/01/2010 06:16|--a------|853116] D:\P1110736.JPG 
[17/01/2010 06:16|--a------|1027177] D:\P1110737.JPG 
[17/01/2010 06:16|--a------|973416] D:\P1110738.JPG 
[17/01/2010 06:16|--a------|1102340] D:\P1110739.JPG 
[17/01/2010 06:16|--a------|1165267] D:\P1110740.JPG 
[17/01/2010 06:16|--a------|1052069] D:\P1110741.JPG 
[17/01/2010 06:16|--a------|948774] D:\P1110742.JPG 
[17/01/2010 06:16|--a------|1135850] D:\P1110743.JPG 
[17/01/2010 06:16|--a------|938745] D:\P1110745.JPG 
[17/01/2010 06:16|--a------|980601] D:\P1110746.JPG 
[17/01/2010 06:16|--a------|981940] D:\P1110747.JPG 
[17/01/2010 06:16|--a------|1171514] D:\P1110748.JPG 
[17/01/2010 06:16|--a------|1075988] D:\P1110749.JPG 
[17/01/2010 06:16|--a------|1007806] D:\P1110750.JPG 
[17/01/2010 06:16|--a------|1077254] D:\P1110751.JPG 
[17/01/2010 06:16|--a------|984048] D:\P1110752.JPG 
[17/01/2010 06:16|--a------|1026719] D:\P1110753.JPG 
[17/01/2010 06:16|--a------|672124] D:\P1110754.JPG 
[17/01/2010 06:16|--a------|860062] D:\P1110761.JPG 
[17/01/2010 06:16|--a------|1066824] D:\P1110763.JPG 
[17/01/2010 06:16|--a------|1077176] D:\P1110764.JPG 
[17/01/2010 06:16|--a------|974926] D:\P1110768.JPG 
[17/01/2010 06:16|--a------|1099441] D:\P1110770.JPG 
[17/01/2010 06:16|--a------|774393] D:\P1110772.JPG 
[17/01/2010 06:16|--a------|808864] D:\P1110773.JPG 
[17/01/2010 06:16|--a------|1162760] D:\P1110774.JPG 
[17/01/2010 06:16|--a------|645431] D:\P1110775.JPG 
[17/01/2010 06:16|--a------|735900] D:\P1110776.JPG 
[17/01/2010 06:16|--a------|737668] D:\P1110777.JPG 
[17/01/2010 06:16|--a------|747239] D:\P1110778.JPG 
[17/01/2010 06:16|--a------|634896] D:\P1110779.JPG 
[17/01/2010 06:16|--a------|633668] D:\P1110780.JPG 
[17/01/2010 06:16|--a------|1055088] D:\P1110782.JPG 
[17/01/2010 06:16|--a------|1039948] D:\P1110784.JPG 
[17/01/2010 06:16|--a------|1094896] D:\P1110786.JPG 
[17/01/2010 06:16|--a------|878722] D:\P1110787.JPG 
[17/01/2010 06:16|--a------|1154362] D:\P1110788.JPG 
[17/01/2010 06:16|--a------|1187020] D:\P1110789.JPG 
[17/01/2010 06:16|--a------|1018321] D:\P1110790.JPG 
[17/01/2010 06:16|--a------|1099408] D:\P1110791.JPG 
[17/01/2010 06:16|--a------|899480] D:\P1110792.JPG 
[17/01/2010 06:16|--a------|1089233] D:\P1110793.JPG 
[17/01/2010 06:16|--a------|1302778] D:\P1110794.JPG 
[17/01/2010 06:16|--a------|1223871] D:\P1110795.JPG 
[17/01/2010 06:16|--a------|1275144] D:\P1110796.JPG 
[17/01/2010 06:16|--a------|1307364] D:\P1110797.JPG 
[17/01/2010 06:16|--a------|1169346] D:\P1110798.JPG 
[17/01/2010 06:16|--a------|1270007] D:\P1110799.JPG 
[17/01/2010 06:16|--a------|1063616] D:\P1110800.JPG 
[17/01/2010 06:16|--a------|922278] D:\P1110801.JPG 
[17/01/2010 06:16|--a------|1124791] D:\P1110802.JPG 
[17/01/2010 06:16|--a------|979240] D:\P1110803.JPG 
[17/01/2010 06:16|--a------|986565] D:\P1110812.JPG 
[17/01/2010 06:16|--a------|1265855] D:\P1110822.JPG 
[17/01/2010 06:16|--a------|959234] D:\P1110835.JPG 
[17/01/2010 06:16|--a------|948879] D:\P1110836.JPG 
[17/01/2010 06:16|--a------|992234] D:\P1110838.JPG 
[17/01/2010 06:16|--a------|1050399] D:\P1110842.JPG 
[17/01/2010 06:16|--a------|1023048] D:\P1110845.JPG 
[17/01/2010 06:16|--a------|971103] D:\P1110852.JPG 
[17/01/2010 06:16|--a------|1126966] D:\P1110854.JPG 
[17/01/2010 06:16|--a------|1200472] D:\P1110855.JPG 
[17/01/2010 06:16|--a------|1292752] D:\P1110856.JPG 
[17/01/2010 06:16|--a------|1283006] D:\P1110857.JPG 
[17/01/2010 06:16|--a------|1277787] D:\P1110858.JPG 
[17/01/2010 06:16|--a------|1204670] D:\P1110859.JPG 
[17/01/2010 06:16|--a------|1295982] D:\P1110860.JPG 
[17/01/2010 06:16|--a------|1288024] D:\P1110861.JPG 
[17/01/2010 06:16|--a------|1209613] D:\P1110863.JPG 
[17/01/2010 06:16|--a------|1169295] D:\P1110864.JPG 
[17/01/2010 06:16|--a------|1239668] D:\P1110865.JPG 
[17/01/2010 06:16|--a------|1276638] D:\P1110866.JPG 
[17/01/2010 06:16|--a------|797101] D:\P1110867.JPG 
[17/01/2010 06:16|--a------|1053362] D:\P1110868.JPG 
[17/01/2010 06:16|--a------|1296660] D:\P1110869.JPG 
[17/01/2010 06:16|--a------|1228571] D:\P1110871.JPG 
[17/01/2010 06:16|--a------|1296285] D:\P1110872.JPG 
[17/01/2010 06:16|--a------|1172718] D:\P1110873.JPG 
[17/01/2010 06:16|--a------|1230769] D:\P1110874.JPG 
[17/01/2010 06:16|--a------|1061504] D:\P1110875.JPG 
[17/01/2010 06:16|--a------|1258896] D:\P1110876.JPG 
[17/01/2010 06:16|--a------|1259895] D:\P1110877.JPG 
[17/01/2010 06:16|--a------|1295008] D:\P1110878.JPG 
[17/01/2010 06:16|--a------|1202664] D:\P1110879.JPG 
[17/01/2010 06:16|--a------|1260710] D:\P1110880.JPG 
[17/01/2010 06:16|--a------|1129243] D:\P1110881.JPG 
[17/01/2010 06:16|--a------|847620] D:\P1110882.JPG 
[17/01/2010 06:16|--a------|1313340] D:\P1110883.JPG 
[17/01/2010 06:16|--a------|1275448] D:\P1110884.JPG 
[17/01/2010 06:16|--a------|1218718] D:\P1110885.JPG 
[17/01/2010 06:16|--a------|1329597] D:\P1110886.JPG 
[17/01/2010 06:16|--a------|1243782] D:\P1110887.JPG 
[17/01/2010 06:16|--a------|1290117] D:\P1110888.JPG 
[17/01/2010 06:16|--a------|1235843] D:\P1110890.JPG 
[17/01/2010 06:16|--a------|1248416] D:\P1110891.JPG 
[17/01/2010 06:16|--a------|871074] D:\P1110892.JPG 
[17/01/2010 06:16|--a------|863322] D:\P1110893.JPG 
[17/01/2010 06:16|--a------|860777] D:\P1110895.JPG 
[17/01/2010 06:16|--a------|893076] D:\P1110901.JPG 
[17/01/2010 06:16|--a------|1081090] D:\P1110913.JPG 
[17/01/2010 06:16|--a------|1057204] D:\P1110914.JPG 
[17/01/2010 06:16|--a------|1151318] D:\P1110915.JPG 
[17/01/2010 06:16|--a------|91532] D:\paomme cannelle requefort.jpeg 
[17/01/2010 06:16|--a------|90398] D:\pave biche betterave.jpeg 
[17/01/2010 06:16|--a------|117339] D:\pcrempe choco cannelle.jpeg 
[17/01/2010 06:16|--a------|88192] D:\poulet-mangue.jpeg 
[31/12/2009 20:30|--a------|302889] D:\Powaqqatsi - back.jpg 
[31/12/2009 20:30|--a------|178913] D:\Powaqqatsi - front.jpg 
[16/03/2010 14:32|--ahs----|3591168] D:\Thumbs.db 
[15/03/2010 01:40|--a------|39148659] D:\uneautre.st3 
[16/03/2010 12:54|--a------|677376] D:\[000097].jpg 
[16/03/2010 12:54|--a------|620544] D:\[000098].jpg 
[16/03/2010 12:54|--a------|506368] D:\[000099].jpg 
[16/03/2010 12:54|--a------|434688] D:\[000100].jpg 
[16/03/2010 12:54|--a------|411136] D:\[000101].jpg 
[16/03/2010 12:54|--a------|596992] D:\[000102].jpg 
[16/03/2010 12:54|--a------|556032] D:\[000103].jpg 
[16/03/2010 12:54|--a------|642048] D:\[000104].jpg 
[16/03/2010 12:54|--a------|770560] D:\[000105].jpg 
[16/03/2010 12:54|--a------|555008] D:\[000106].jpg 
[16/03/2010 12:54|--a------|686080] D:\[000107].jpg 
[16/03/2010 12:54|--a------|842752] D:\[000108].jpg 
[16/03/2010 12:54|--a------|757248] D:\[000109].jpg 
[16/03/2010 12:54|--a------|1105920] D:\[000110].jpg 
[16/03/2010 12:54|--a------|1458176] D:\[000111].jpg 
[16/03/2010 12:54|--a------|705024] D:\[000112].jpg 
[16/03/2010 12:54|--a------|632832] D:\[000113].jpg 
[16/03/2010 12:54|--a------|588800] D:\[000114].jpg 
[16/03/2010 12:54|--a------|766464] D:\[000115].jpg 
[16/03/2010 12:54|--a------|670208] D:\[000116].jpg 
[16/03/2010 12:54|--a------|662528] D:\[000117].jpg 
[16/03/2010 12:54|--a------|720896] D:\[000118].jpg 
[16/03/2010 12:54|--a------|663040] D:\[000119].jpg 
[16/03/2010 12:54|--a------|719872] D:\[000120].jpg 
[16/03/2010 12:54|--a------|550912] D:\[000121].jpg 
[16/03/2010 12:54|--a------|3344896] D:\[000122].jpg 
[16/03/2010 12:54|--a------|3312128] D:\[000123].jpg 
[16/03/2010 12:54|--a------|3181056] D:\[000124].jpg 
[16/03/2010 12:54|--a------|3249152] D:\[000125].jpg 
[16/03/2010 12:54|--a------|3322880] D:\[000126].jpg 
[16/03/2010 12:54|--a------|3296256] D:\[000127].jpg 
[01/05/2010 14:08|--a------|13008] L:\Ad-Report-CLEAN[1].txt 
[01/05/2010 15:14|--a------|4391] L:\Ad-Report-CLEAN[2].txt 
[01/05/2010 13:42|--a------|8210] L:\Ad-Report-SCAN[1].txt 
[01/05/2010 13:44|--a------|8252] L:\Ad-Report-SCAN[2].txt 
[30/04/2010 19:00|--a------|6073] L:\ggg.txt 
[01/05/2010 17:55|--a------|14106] L:\UsbFix.txt 
[01/05/2010 17:41|--a------|7337] L:\UsbFix_Upload_Me_WILLOW-CAGE.zip 

################## | Vaccination |

# C:\autorun.inf -> Dossier créé par UsbFix (El Desaparecido). 
# D:\autorun.inf -> Dossier créé par UsbFix (El Desaparecido). 
# F:\autorun.inf -> Dossier créé par UsbFix (El Desaparecido). 
# K:\autorun.inf -> Dossier créé par UsbFix (El Desaparecido). 
# L:\autorun.inf -> Dossier créé par UsbFix (El Desaparecido). 

################## | Upload | 

Veuillez envoyer le fichier : L:\UsbFix_Upload_Me_WILLOW-CAGE.zip : https://www.ionos.fr/?affiliate_id=77097 
Merci pour votre contribution .  

################## | ! Fin du rapport # UsbFix V6.110 ! |

willow93 · Answer

Pour l'instant NAN !
Merci (pour l'instant !)

willow93 · Answer

Ca y'est ca RE-bug !
Obliger de Hard-rebooter

willow93 · Answer

J'ai l'impression que le b_ug est du a Mozilla

archet9 · Answer

Je soupçonne plutot un rootkit.... 

---> Télécharge ComboFix.exe de sUBs sur ton Bureau :  
http://download.bleepingcomputer.com/sUBs/ComboFix.exe  

/!\ Déconnecte-toi du net et ferme toutes les applications, antivirus et antispyware y compris /!\  

---> Double-clique sur Combofix.exe  
Un "pop-up" va apparaître qui dit que "ComboFix est utilisé à vos risques et avec aucune garantie...".  
Accepte en cliquant sur "Oui"  

---> Mets-le en langue française F  
Tape sur la touche 1 (Yes) pour démarrer le scan.  

/!\ Ne touche à rien tant que le scan n'est pas terminé. /!\  
En fin de scan, il est possible que ComboFix ait besoin de redémarrer le PC pour finaliser la désinfection, laisse-le faire.  

Une fois le scan achevé, un rapport va s'afficher : Poste son contenu  

/!\ Réactive la protection en temps réel de ton antivirus et de ton antispyware avant de te reconnecter à Internet. /!\  

Note : Le rapport se trouve également là : C:\ComboFix.txt 

a+ 

........

willow93 · Answer

ComboFix 10-05-01.01 - willow 01/05/2010 19:43:51.1.2 - x86
Microsoft Windows XP Édition familiale 5.1.2600.3.1252.33.1036.18.2046.1539 [GMT 2:00]
Lancé depuis: l:\documents and settings\willow\Bureau\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\WindowsUpdate
C:\Thumbs.db
c:\windows\system32\drivers\fuisyygb.sys
c:\windows\system32\Thumbs.db
l:\documents and settings\willow\Application Data\50FDDD3DE4FAF471D5507192433B548F
l:\documents and settings\willow\Application Data\50FDDD3DE4FAF471D5507192433B548F\enemies-names.txt
l:\documents and settings\willow\Application Data\50FDDD3DE4FAF471D5507192433B548F\lsrslt.ini

Une copie infectée de c:\windows\system32\drivers\ftdisk.sys a été trouvée et désinfectée
Copie restaurée à partir de - Kitty had a snack :p
.
original MBR restored successfully !
.
((((((((((((((((((((((((((((((((((((((( Pilotes/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DARKNESS

((((((((((((((((((((((((((((( Fichiers créés du 2010-04-01 au 2010-05-01 ))))))))))))))))))))))))))))))))))
.

2010-05-01 15:31 . 2010-05-01 15:55 -------- d-----w- C:\UsbFix
2010-05-01 11:39 . 2010-05-01 13:14 -------- d-----w- C:\Ad-Remover
2010-04-28 21:50 . 2010-04-28 21:50 -------- d-----w- l:\documents and settings\Downloads\The Full Monty
2010-04-27 22:39 . 2010-04-27 22:39 -------- d-----w- l:\documents and settings\Downloads\Twilight[2008]VOSTFR-DvDrip-AIA
2010-04-27 22:28 . 2010-04-29 01:09 -------- d-----w- l:\documents and settings\Downloads\Dancer in the Dark
2010-04-27 22:28 . 2010-04-27 22:28 -------- d-----w- l:\documents and settings\Downloads
2010-04-27 20:36 . 2010-04-30 11:33 -------- d-----w- l:\documents and settings\willow\Application Data\BitTorrent
2010-04-26 10:14 . 2010-04-26 10:14 -------- d-s---w- l:\documents and settings\LocalService.AUTORITE NT\UserData
2010-04-25 20:28 . 2010-04-25 20:28 -------- d-----w- c:\program files\Enigma Software Group
2010-04-25 20:28 . 2010-04-26 18:41 -------- d-----w- c:\windows\61D3AAE1D5214CD7939B37813DE8F955.TMP
2010-04-25 20:15 . 2010-04-25 20:15 -------- d-s---w- l:\documents and settings\NetworkService.AUTORITE NT\UserData
2010-04-23 16:11 . 2010-04-30 13:16 -------- d-----w- l:\documents and settings\Risen\SaveGames
2010-04-23 16:11 . 2010-04-23 16:12 -------- d-----w- l:\documents and settings\willow\Local Settings\Application Data\Risen
2010-04-23 16:11 . 2010-04-23 16:11 -------- d-----w- l:\documents and settings\Risen
2010-04-23 16:08 . 2010-04-23 16:08 281760 ----a-w- c:\windows\system32\drivers\atksgt.sys
2010-04-23 16:08 . 2010-04-23 16:08 25888 ----a-w- c:\windows\system32\drivers\lirsgt.sys
2010-04-18 13:14 . 2010-04-18 13:28 -------- d-----w- l:\documents and settings\willow\Application Data\gtk-2.0
2010-04-18 12:57 . 2010-04-18 12:57 -------- d-----w- l:\documents and settings\willow\.thumbnails
2010-04-18 12:56 . 2010-04-18 12:56 -------- d-----w- l:\documents and settings\gegl-0.0\plug-ins
2010-04-18 12:56 . 2010-04-18 12:56 -------- d-----w- l:\documents and settings\gegl-0.0
2010-04-16 22:03 . 2010-04-16 22:03 -------- d-----w- c:\program files\Microsoft Silverlight
2010-04-12 16:56 . 2001-07-13 11:56 14976 ----a-w- c:\windows\system32\drivers\SBKUPNT.SYS
2010-04-12 16:56 . 1997-02-08 15:11 13312 ----a-w- c:\windows\system32\DEVLOAD.EXE
2010-04-12 16:34 . 2010-04-12 16:34 -------- d-----w- c:\program files\Restore
2010-04-12 16:27 . 2010-04-12 16:34 249856 ------w- c:\windows\Setup1.exe
2010-04-12 16:27 . 2010-04-12 16:34 73216 ----a-w- c:\windows\ST6UNST.EXE
2010-04-09 20:48 . 2010-04-09 20:48 3600384 ----a-w- c:\windows\system32\GPhotos.scr
2010-04-08 15:31 . 2010-04-08 15:31 -------- d--h--w- c:\windows\PIF
2010-04-07 09:33 . 2010-04-07 09:33 -------- d-----w- l:\documents and settings\willow\Local Settings\Application Data\Gas Powered Games
2010-04-07 09:21 . 2010-04-07 09:21 -------- d-----w- C:\temp
2010-04-07 09:20 . 2010-04-07 09:20 -------- d-----w- l:\documents and settings\willow\Application Data\Media Center Programs
2010-04-07 09:13 . 2010-04-07 09:13 -------- d-----w- l:\documents and settings\willow\Application Data\InstallShield Installation Information
2010-04-04 15:12 . 2010-04-04 15:12 -------- d-----w- l:\documents and settings\All Users\Application Data\BioWare
2010-04-04 15:07 . 2010-04-04 15:16 -------- d-----w- l:\documents and settings\BioWare\Dragon Age
2010-04-03 16:47 . 2010-04-03 16:47 -------- d-----w- l:\documents and settings\NetworkService.AUTORITE NT\Local Settings\Application Data\Apple
2010-04-02 18:54 . 2010-03-03 03:20 143360 ----a-w- c:\windows\system32\atiapfxx.exe
2010-04-02 18:54 . 2010-04-02 18:54 -------- d-----w- c:\program files\ATI
2010-04-02 18:52 . 2010-04-02 18:52 -------- d-----w- C:\ATI
2010-04-02 12:07 . 2010-04-02 12:07 -------- d-----w- l:\documents and settings\willow\Application Data\Apple Computer
2010-04-02 11:56 . 2010-04-02 11:56 -------- d-----w- c:\windows\system32\Adobe

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-01 16:15 . 2010-03-21 00:00 -------- d-----w- l:\documents and settings\willow\Application Data\vlc
2010-04-25 20:28 . 2010-03-20 18:45 -------- d-----w- c:\program files\Fichiers communs\Wise Installation Wizard
2010-04-25 20:15 . 2010-03-22 14:55 -------- d-----w- l:\documents and settings\willow\Application Data\QuickScan
2010-04-23 16:03 . 2010-03-13 14:31 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-22 13:29 . 2010-03-16 08:44 -------- d-----w- l:\documents and settings\willow\Application Data\dvdcss
2010-04-22 03:26 . 2010-03-22 01:07 -------- d-----w- c:\program files\Google
2010-04-02 18:54 . 2010-03-13 16:12 -------- d-----w- c:\program files\ATI Technologies
2010-04-02 12:38 . 2010-04-02 12:38 384 ----a-w- l:\documents and settings\im_lastritual\user.tmp
2010-04-02 12:05 . 2010-03-31 20:36 -------- d-----w- l:\documents and settings\All Users\Application Data\Apple Computer
2010-04-01 10:03 . 2010-04-01 10:03 -------- d-----w- c:\program files\NVIDIA Corporation
2010-04-01 09:38 . 2010-03-31 16:36 24944 ----a-w- c:\windows\system32\drivers\GVTDrv.sys
2010-03-31 22:04 . 2010-03-20 18:45 -------- d-----w- c:\program files\AGEIA Technologies
2010-03-31 20:35 . 2010-03-31 20:35 -------- d-----w- c:\program files\Fichiers communs\Apple
2010-03-31 20:35 . 2010-03-31 20:35 -------- d-----w- c:\program files\Apple Software Update
2010-03-31 20:35 . 2010-03-31 20:35 -------- d-----w- l:\documents and settings\All Users\Application Data\Apple
2010-03-31 17:03 . 2010-03-31 17:02 -------- d-----w- l:\documents and settings\All Users\Application Data\QuickTime
2010-03-31 16:43 . 2010-03-20 18:17 -------- d-----w- c:\program files\SpeedFan
2010-03-31 16:36 . 2010-03-31 16:35 -------- d-----w- c:\program files\Gigabyte
2010-03-31 16:34 . 2010-03-13 14:30 16608 ----a-w- c:\windows\gdrv.sys
2010-03-31 12:04 . 2010-03-31 12:04 -------- d-----w- l:\documents and settings\willow\Application Data\EPSON
2010-03-28 13:02 . 2001-08-28 12:00 80508 ----a-w- c:\windows\system32\perfc00C.dat
2010-03-28 13:02 . 2001-08-28 12:00 500482 ----a-w- c:\windows\system32\perfh00C.dat
2010-03-27 22:49 . 2010-03-27 22:31 -------- d-----w- c:\program files\DivX
2010-03-27 22:49 . 2010-03-27 22:30 -------- d-----w- l:\documents and settings\All Users\Application Data\DivX
2010-03-27 22:49 . 2010-03-27 22:49 -------- d-----w- c:\program files\Fichiers communs\DivX Shared
2010-03-24 14:13 . 2010-03-24 14:13 67128 ----a-w- l:\documents and settings\LocalService.AUTORITE NT\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-03-24 14:10 . 2010-03-20 17:25 -------- d-----w- c:\program files\Fichiers communs\BioWare
2010-03-24 13:49 . 2010-03-24 13:38 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE
2010-03-24 13:35 . 2010-03-24 13:35 -------- d-----w- c:\program files\Rockstar Games
2010-03-24 13:32 . 2010-03-24 13:29 -------- d-----w- l:\documents and settings\willow\Application Data\DeepBurner
2010-03-24 12:50 . 2010-03-13 14:24 76487 ----a-w- c:\windows\PCHEALTH\HELPCTR\OfflineCache\index.dat
2010-03-22 17:14 . 2010-03-22 16:59 -------- d-----w- l:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-22 17:02 . 2010-03-22 17:02 -------- d-----w- c:\program files\trend micro
2010-03-21 13:29 . 2010-03-21 13:29 -------- d-----w- l:\documents and settings\willow\Application Data\Malwarebytes
2010-03-21 13:29 . 2010-03-21 13:29 -------- d-----w- l:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-20 17:23 . 2010-03-20 17:23 108144 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-03-20 17:10 . 2010-03-13 16:11 -------- d-----w- c:\program files\Fichiers communs\InstallShield
2010-03-20 17:09 . 2010-03-20 17:09 -------- d-----w- c:\program files\Bayo
2010-03-20 17:09 . 2010-03-20 17:09 -------- d-----w- c:\program files\Fichiers communs\Bayo
2010-03-20 16:44 . 2010-03-20 16:44 -------- d-----w- c:\program files\Intel
2010-03-17 17:28 . 2010-03-16 09:06 17280 ----a-w- l:\documents and settings\LocalService.AUTORITE NT\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-17 16:52 . 2010-03-17 16:52 -------- d-----w- c:\program files\MSBuild
2010-03-17 16:52 . 2010-03-17 16:52 -------- d-----w- c:\program files\Reference Assemblies
2010-03-17 16:50 . 2010-03-17 16:50 -------- d-----w- c:\program files\MSXML 6.0
2010-03-16 08:56 . 2010-03-16 08:56 -------- d-----w- l:\documents and settings\Administrateur\Application Data\OpenOffice.org
2010-03-14 14:05 . 2010-03-14 14:05 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-03-14 14:04 . 2010-03-14 14:04 -------- d-----w- c:\program files\epson
2010-03-14 11:14 . 2010-03-13 14:31 -------- d-----w- c:\program files\Realtek
2010-03-14 11:14 . 2010-03-14 11:14 315392 ----a-w- c:\windows\HideWin.exe
2010-03-13 19:54 . 2010-03-13 19:54 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-13 19:54 . 2010-03-13 19:54 -------- d-----w- c:\program files\Java
2010-03-13 19:35 . 2010-03-13 19:35 -------- d-----w- c:\program files\Fichiers communs\Adobe
2010-03-13 18:17 . 2010-03-13 18:17 0 ----a-w- c:\windows\ativpsrm.bin
2010-03-13 16:21 . 2010-03-13 16:21 0 ----a-w- c:\windows\nsreg.dat
2010-03-13 16:18 . 2010-03-13 16:16 -------- d-----w- c:\program files\Fichiers communs\ATI Technologies
2010-03-13 14:24 . 2010-03-13 14:24 -------- d-----w- c:\program files\microsoft frontpage
2010-03-13 14:22 . 2010-03-13 14:22 21892 ----a-w- c:\windows\system32\emptyregdb.dat
2010-03-13 14:22 . 2010-03-13 14:22 -------- d-----w- c:\program files\Services en ligne
2010-03-09 11:10 . 2001-08-28 12:00 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-03-03 04:21 . 2009-08-14 04:27 4630016 ----a-w- c:\windows\system32\drivers\ati2mtag.sys
2010-03-03 04:07 . 2010-03-13 16:12 311296 ----a-w- c:\windows\system32\atiiiexx.dll
2010-03-03 04:02 . 2009-08-14 01:21 45056 ----a-w- c:\windows\system32\aticalrt.dll
2010-03-03 04:02 . 2009-08-14 01:20 45056 ----a-w- c:\windows\system32\aticalcl.dll
2010-03-03 04:01 . 2009-08-14 01:19 3641344 ----a-w- c:\windows\system32\aticaldd.dll
2010-03-03 03:44 . 2009-08-14 01:47 14262272 ----a-w- c:\windows\system32\atioglxx.dll
2010-03-03 03:40 . 2010-03-13 16:12 446464 ----a-w- c:\windows\system32\ATIDEMGX.dll
2010-03-03 03:40 . 2009-08-14 01:58 3616096 ----a-w- c:\windows\system32\ati3duag.dll
2010-03-03 03:39 . 2009-08-14 02:27 301056 ----a-w- c:\windows\system32\ati2dvag.dll
2010-03-03 03:24 . 2009-08-14 02:10 208896 ----a-w- c:\windows\system32\atipdlxx.dll
2010-03-03 03:24 . 2009-08-14 01:42 2232320 ----a-w- c:\windows\system32\ativvaxx.dll
2010-03-03 03:24 . 2009-08-14 02:10 155648 ----a-w- c:\windows\system32\Oemdspif.dll
2010-03-03 03:24 . 2010-03-13 16:12 887724 ----a-w- c:\windows\system32\ativva6x.dat
2010-03-03 03:24 . 2010-03-13 16:12 3 ----a-w- c:\windows\system32\ativva5x.dat
2010-03-03 03:24 . 2009-08-14 02:09 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe
2010-03-03 03:24 . 2009-08-14 02:09 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2010-03-03 03:23 . 2009-08-14 02:09 159744 ----a-w- c:\windows\system32\ati2evxx.dll
2010-03-03 03:22 . 2009-08-14 02:08 602112 ----a-w- c:\windows\system32\ati2evxx.exe
2010-03-03 03:21 . 2009-08-14 02:06 53248 ----a-w- c:\windows\system32\ATIDDC.DLL
2010-03-03 03:16 . 2009-08-14 01:21 565248 ----a-w- c:\windows\system32\atikvmag.dll
2010-03-03 03:15 . 2009-08-14 01:19 184320 ----a-w- c:\windows\system32\atiadlxx.dll
2010-03-03 03:14 . 2009-08-14 01:18 17408 ----a-w- c:\windows\system32\atitvo32.dll
2010-03-03 03:14 . 2009-08-14 01:17 393216 ----a-w- c:\windows\system32\atiok3x2.dll
2010-03-03 03:09 . 2009-08-14 01:12 638976 ----a-w- c:\windows\system32\ati2cqag.dll
2010-03-03 03:07 . 2009-08-14 01:17 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2010-03-03 03:07 . 2009-08-14 01:25 65024 ----a-w- c:\windows\system32\atimpc32.dll
2010-03-03 03:07 . 2009-08-14 01:25 65024 ----a-w- c:\windows\system32\amdpcom32.dll
2010-02-26 05:42 . 2001-08-28 12:00 671232 ----a-w- c:\windows\system32\wininet.dll
2010-02-26 05:42 . 2010-03-14 11:01 81920 ------w- c:\windows\system32\ieencode.dll
2010-02-25 19:55 . 2010-03-13 16:12 201875 ----a-w- c:\windows\system32\atiicdxx.dat
2010-02-24 13:11 . 2001-08-28 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 19:06 . 2001-08-28 12:00 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 19:06 . 2001-08-23 17:12 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 10:03 . 2010-03-18 16:58 293376 ------w- c:\windows\system32\browserchoice.exe
2010-02-12 04:34 . 2001-08-28 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2001-08-28 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2010-02-04 08:01 . 2010-03-31 22:12 74072 ----a-w- c:\windows\system32\XAPOFX1_4.dll
2010-02-04 08:01 . 2010-03-31 22:12 528216 ----a-w- c:\windows\system32\XAudio2_6.dll
2010-02-04 08:01 . 2010-03-31 22:12 238936 ----a-w- c:\windows\system32\xactengine3_6.dll
2010-02-04 08:01 . 2010-03-31 22:12 22360 ----a-w- c:\windows\system32\X3DAudio1_7.dll
2010-02-02 18:00 . 2010-03-13 19:53 85504 ----a-w- c:\windows\system32\ff_vfw.dll
.

((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SuperCopier2.exe"="k:\program files\SuperCopier2\SuperCopier2.exe" [2009-08-16 955392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-08-13 98304]
"RTHDCPL"="RTHDCPL.EXE" [2007-09-19 16844800]
"avgnt"="k:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"QuickTime Task"="k:\program files\QuickTime\qttask.exe" [2010-03-17 421888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\FICHIE~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

l:\documents and settings\Administrateur\Menu D'marrer\Programmes\D'marrage\
OpenOffice.org 3.1.lnk - k:\program files\oo\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"HonorAutoRunSetting"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"HonorAutoRunSetting"= 0 (0x0)

[HKLM\~\startupfolder\L:^Documents and Settings^willow^Menu Démarrer^Programmes^Démarrage^Antimalware Doctor.lnk]
path=l:\documents and settings\willow\Menu Démarrer\Programmes\Démarrage\Antimalware Doctor.lnk
backup=c:\windows\pss\Antimalware Doctor.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17 952768 ----a-w- c:\program files\Fichiers communs\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-04 05:42 36272 ----a-w- k:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2009-10-30 11:57 369200 ----a-w- k:\program files\DAEMON Tools Lite\DTLite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-03-05 15:32 1135912 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyTuneVPro]
2007-07-26 13:05 20480 ----a-w- c:\program files\Gigabyte\ET5Pro\ETcall.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-17 19:53 421888 ----a-w- k:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SteamUp]
2010-03-20 19:14 1217872 ----a-w- k:\program files\Cracked Steam\Steam.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"k:\\Program Files\\aMSN\\bin\\wish.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"k:\\Program Files\\eMule\\eMule.exe"=
"l:\\Program Files\\Mass Effect 2\\Binaries\\MassEffect2.exe"=
"l:\\Program Files\\Mass Effect 2\\MassEffect2Launcher.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"k:\\Program Files\\Rockstar Games\\Rockstar Games Social Club\\RGSCLauncher.exe"=
"l:\\Program Files\\Rockstar Games\\Grand Theft Auto IV\\LaunchGTAIV.exe"=
"l:\\Program Files\\Rockstar Games\\Grand Theft Auto IV\\GTAIV.exe"=
"l:\\Program Files\\Dragon Age\\bin_ship\\daorigins.exe"=
"l:\\Program Files\\Dragon Age\\DAOriginsLauncher.exe"=
"l:\\Program Files\\Left 4 Dead 2\\left4dead2.exe"=
"k:\\Program Files\\Ubi Soft\\dernierrituel\\rituel.exe"=
"l:\\Program Files\\Call Of duty modern 2\\iw4sp.exe"=
"l:\\Program Files\\Dragon Age\\bin_ship\\daupdatersvc.service.exe"=
"l:\\Program Files\\THQ\\Gas Powered Games\\Supreme Commander\\bin\\SupremeCommander.exe"=
"l:\\Program Files\\THQ\\Gas Powered Games\\GPGNet\\GPG.Multiplayer.Client.exe"=
"k:\\Program Files\\BitTorrent\\bittorrent.exe"=

R0 avgntmgr;avgntmgr;c:\windows\system32\drivers\avgntmgr.sys [13/03/2010 21:37 22360]
R1 avgntdd;avgntdd;c:\windows\system32\drivers\avgntdd.sys [13/03/2010 21:37 45416]
R1 nltdi;nltdi;c:\windows\system32\drivers\nltdi.sys [23/04/2007 13:03 82200]
R2 AntiVirSchedulerService;Avira AntiVir Planificateur;k:\program files\Avira\AntiVir Desktop\sched.exe [13/03/2010 21:37 108289]
R2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [12/04/2010 18:56 14976]
S2 gupdate;Service Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [22/03/2010 03:07 136176]
S2 lewlhljw;PCI Bus p03d7 Helper;c:\windows\System32\svchost.exe -k netsvcs [28/08/2001 14:00 14336]
S3 DAUpdaterSvc;Dragon Age: Origins - Application de mise à jour;l:\program files\Dragon Age\bin_ship\daupdatersvc.service.exe [15/12/2009 22:07 25832]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;k:\program files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt [13/03/2010 21:46 23152]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [14/03/2010 16:05 691696]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
lewlhljw
.
Contenu du dossier 'Tâches planifiées'

2010-05-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 10:34]

2010-05-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-22 01:07]

2010-05-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-22 01:07]
.
.
------- Examen supplémentaire -------
.
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
FF - ProfilePath - l:\documents and settings\willow\Application Data\Mozilla\Firefox\Profiles\2ig1d9a7.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: l:\documents and settings\willow\Application Data\Mozilla\Firefox\Profiles\2ig1d9a7.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - component: l:\documents and settings\willow\Application Data\Mozilla\Firefox\Profiles\2ig1d9a7.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: k:\program files\Adobe\Reader 9.0\Reader\browser\nppdf32.dll
FF - plugin: k:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: k:\program files\QuickTime\Plugins\npqtplugin.dll
FF - plugin: k:\program files\QuickTime\Plugins\npqtplugin2.dll
FF - plugin: k:\program files\QuickTime\Plugins\npqtplugin3.dll
FF - plugin: k:\program files\QuickTime\Plugins\npqtplugin4.dll
FF - plugin: k:\program files\QuickTime\Plugins\npqtplugin5.dll
FF - plugin: k:\program files\QuickTime\Plugins\npqtplugin6.dll
FF - plugin: k:\program files\QuickTime\Plugins\npqtplugin7.dll
FF - plugin: l:\documents and settings\willow\Application Data\Mozilla\Firefox\Profiles\2ig1d9a7.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: l:\documents and settings\willow\Application Data\Mozilla\Firefox\Profiles\2ig1d9a7.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHELINS SUPPRIMES - - - -

ShellIconOverlayIdentifiers-{BC1E645D-D5E6-4D7E-8AEA-D62991DB00EE} - (no file)
MSConfigStartUp-ezLife - kkzqnktf.dll
MSConfigStartUp-hsf87efjhdsf87f3jfsdi7fhsujfd - l:\docume~1\willow\LOCALS~1\Temp\avp.exe
MSConfigStartUp-hsf87sdhfush87fsufhuie3fddf - l:\docume~1\willow\LOCALS~1\Temp\xsxp14ti.exe
MSConfigStartUp-lfuztayejueapqi - c:\windows\system32\tbojphdlxsegpie.dll
MSConfigStartUp-mcexecwin - l:\docume~1\willow\LOCALS~1\Temp\kebwqg.dll
MSConfigStartUp-net - c:\windows\system32\net.net
MSConfigStartUp-newupdate1142C - l:\documents and settings\willow\Application Data\50FDDD3DE4FAF471D5507192433B548F\newupdate1142C.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-01 19:59
Windows 5.1.2600 Service Pack 3 NTFS

Recherche de processus cachés ...

Recherche d'éléments en démarrage automatique cachés ...

Recherche de fichiers cachés ...

Scan terminé avec succès
Fichiers cachés: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89B48CC0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba0ecf28
\Driver\ACPI -> 0x89b48cc0
\Driver\atapi -> atapi.sys @ 0xb9f36852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
SecurityProcedure -> ntkrnlpa.exe @ 0x80583d4a
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
SecurityProcedure -> ntkrnlpa.exe @ 0x80583d4a
NDIS: Realtek RTL8168/8111 PCI-E Gigabit Ethernet NIC -> SendCompleteHandler -> 0x890c45c0
PacketIndicateHandler -> NDIS.sys @ 0xb9e4fa21
SendHandler -> NDIS.sys @ 0xb9e2d87b
Warning: possible MBR rootkit infection !
user & kernel MBR OK
copy of MBR has been found in sector 0x057545301
malicious code @ sector 0x057545304 !
PE file found in sector at 0x05754531A !

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EverestDriver]
"ImagePath"="\??\k:\program files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt"
.
--------------------- CLES DE REGISTRE BLOQUEES ---------------------

[HKEY_USERS\S-1-5-21-1004336348-57989841-839522115-1004\Software\SecuROM\License information*]
"datasecu"=hex:31,c4,1c,c8,15,4c,36,f4,ab,0e,80,87,60,2d,8e,22,62,30,1e,8c,0d,
b7,f8,4d,a3,8a,d5,2f,da,9c,eb,f7,bc,67,04,ca,71,33,30,c3,f2,99,b4,ad,68,be,\
"rkeysecu"=hex:2f,0f,d5,3e,02,2b,06,63,b1,0b,dd,b6,71,e2,54,98
.
--------------------- DLLs chargées dans les processus actifs ---------------------

- - - - - - - > 'winlogon.exe'(728)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll

- - - - - - - > 'explorer.exe'(3136)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\eappprxy.dll
.
------------------------ Autres processus actifs ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
k:\program files\Avira\AntiVir Desktop\avguard.exe
l:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE
l:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
c:\program files\Java\jre6\bin\jqs.exe
k:\program files\NetLimiter 2 Pro\nlsvc.exe
k:\program files\RealVNC\VNC4\WinVNC4.exe
k:\program files\NetLimiter 2 Pro\NLClient.exe
c:\windows\RTHDCPL.EXE
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Heure de fin: 2010-05-01 20:01:56 - La machine a redémarré
ComboFix-quarantined-files.txt 2010-05-01 18:01

Avant-CF: 913 072 128 octets libres
Après-CF: 839 561 216 octets libres

WindowsXP-KB310994-SP2-Home-BootDisk-FRA.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP dition familiale" /fastdetect /NoExecute=OptIn

- - End Of File - - D8C7897367ADE74530E6B9691D5A7265

archet9 · Answer

YEP !!!   BINGO pour le rootkit....!!!!  

Relance MBAM... ==> Examen rapide et colle moi le rapport même s'il n'a rien trouvé !  

==> Ce n'est pas fini...il en reste ! 

a+  




........

willow93 · Answer

Malwarebytes' Anti-Malware 1.44
Version de la base de données: 3510
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

01/05/2010 23:26:24
mbam-log-2010-05-01 (23-26-24).txt

Type de recherche: Examen rapide
Eléments examinés: 124387
Temps écoulé: 3 minute(s), 26 second(s)

Processus mémoire infecté(s): 0
Module(s) mémoire infecté(s): 0
Clé(s) du Registre infectée(s): 0
Valeur(s) du Registre infectée(s): 0
Elément(s) de données du Registre infecté(s): 0
Dossier(s) infecté(s): 0
Fichier(s) infecté(s): 0

Processus mémoire infecté(s):
(Aucun élément nuisible détecté)

Module(s) mémoire infecté(s):
(Aucun élément nuisible détecté)

Clé(s) du Registre infectée(s):
(Aucun élément nuisible détecté)

Valeur(s) du Registre infectée(s):
(Aucun élément nuisible détecté)

Elément(s) de données du Registre infecté(s):
(Aucun élément nuisible détecté)

Dossier(s) infecté(s):
(Aucun élément nuisible détecté)

Fichier(s) infecté(s):
(Aucun élément nuisible détecté)

willow93 · Answer

Up !
ça bug toujours !

archet9 · Answer

MBAM pas à jours.
Relance MBAM  mets le à jour et fait un examen rapide.

a+

willow93 · Answer

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Version de la base de données: 4052

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

02/05/2010 16:34:11
mbam-log-2010-05-02 (16-34-11).txt

Type d'examen: Examen rapide
Elément(s) analysé(s): 152854
Temps écoulé: 4 minute(s), 19 seconde(s)

Processus mémoire infecté(s): 0
Module(s) mémoire infecté(s): 0
Clé(s) du Registre infectée(s): 0
Valeur(s) du Registre infectée(s): 0
Elément(s) de données du Registre infecté(s): 0
Dossier(s) infecté(s): 0
Fichier(s) infecté(s): 0

Processus mémoire infecté(s):
(Aucun élément nuisible détecté)

Module(s) mémoire infecté(s):
(Aucun élément nuisible détecté)

Clé(s) du Registre infectée(s):
(Aucun élément nuisible détecté)

Valeur(s) du Registre infectée(s):
(Aucun élément nuisible détecté)

Elément(s) de données du Registre infecté(s):
(Aucun élément nuisible détecté)

Dossier(s) infecté(s):
(Aucun élément nuisible détecté)

Fichier(s) infecté(s):
(Aucun élément nuisible détecté)

archet9 · Answer

Re 

/!\ ATTENTION /!\ Le script qui suit a été écrit spécialement pour cet ordinateur/!\<==| 
il est fort déconseillé de le transposer sur un autre ordinateur !
----------------------------------------------------------------------------------------------- 

Toujours avec toutes les protections désactivées, fais ceci : 

* Ouvre le bloc-notes (Menu démarrer --> programmes --> accessoires --> bloc-notes) 
* Copie/colle dans le bloc-notes ce qui est en grastre les ci dessous 



KillAll:: 

Driver:: 
lewlhljw

Netsvc:: 
lewlhljw


File:: 
c:\windows\System32\svchost.exe -k netsvcs 



* Enregistre ce fichier sur ton Bureau (et pas ailleurs !) Sous le nom CFScript.txt 
* Quitte le Bloc Notes 

* Fais un glisser/déposer de ce fichier CFScript sur le fichier C-Fix.exe (combofix) comme sur ce lien :
http://img517.imageshack.us/img517/8662/cfscript10uc2.gif 

* Patiente le temps du scan. Le Bureau va disparaître à plusieurs reprises : c'est normal ! Ne touche à rien tant que le scan n'est pas terminé. 
* Une fois le scan achevé, un rapport va s'afficher: poste son contenu. 
* Si le fichier ne s'ouvre pas, il se trouve ici ? C:\ComboFix.txt 


@+

willow93 · Answer

ComboFix 10-05-01.01 - willow 02/05/2010 19:47:44.2.2 - x86 Microsoft Windows XP Édition familiale 5.1.2600.3.1252.33.1036.18.2046.1621 [GMT 2:00] Lancé depuis: l:\documents and settings\willow\Bureau\ComboFix.exe Commutateurs utilisés :: l:\documents and settings\willow\Bureau\CFScript.txt AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7} FILE :: "c:\windows\System32\svchost.exe -k netsvcs" . (((((((((((((((((((((((((((((((((((( Autres suppressions )))))))))))))))))))))))))))))))))))))))))))))))) . . ((((((((((((((((((((((((((((((((((((((( Pilotes/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_LEWLHLJW -------\Service_lewlhljw ((((((((((((((((((((((((((((( Fichiers créés du 2010-04-02 au 2010-05-02 )))))))))))))))))))))))))))))))))))) . 2010-05-01 15:31 . 2010-05-01 15:55 -------- d-----w- C:\UsbFix 2010-05-01 11:39 . 2010-05-01 13:14 -------- d-----w- C:\Ad-Remover 2010-04-28 21:50 . 2010-04-28 21:50 -------- d-----w- l:\documents and settings\Downloads\The Full Monty 2010-04-27 22:39 . 2010-04-27 22:39 -------- d-----w- l:\documents and settings\Downloads\Twilight[2008]VOSTFR-DvDrip-AIA 2010-04-27 22:28 . 2010-04-29 01:09 -------- d-----w- l:\documents and settings\Downloads\Dancer in the Dark 2010-04-27 22:28 . 2010-04-27 22:28 -------- d-----w- l:\documents and settings\Downloads 2010-04-27 20:36 . 2010-04-30 11:33 -------- d-----w- l:\documents and settings\willow\Application Data\BitTorrent 2010-04-26 10:14 . 2010-04-26 10:14 -------- d-s---w- l:\documents and settings\LocalService.AUTORITE NT\UserData 2010-04-25 20:28 . 2010-04-25 20:28 -------- d-----w- c:\program files\Enigma Software Group 2010-04-25 20:28 . 2010-04-26 18:41 -------- d-----w- c:\windows\61D3AAE1D5214CD7939B37813DE8F955.TMP 2010-04-25 20:15 . 2010-04-25 20:15 -------- d-s---w- l:\documents and settings\NetworkService.AUTORITE NT\UserData 2010-04-23 16:11 . 2010-04-30 13:16 -------- d-----w- l:\documents and settings\Risen\SaveGames 2010-04-23 16:11 . 2010-04-23 16:12 -------- d-----w- l:\documents and settings\willow\Local Settings\Application Data\Risen 2010-04-23 16:11 . 2010-04-23 16:11 -------- d-----w- l:\documents and settings\Risen 2010-04-23 16:08 . 2010-04-23 16:08 281760 ----a-w- c:\windows\system32\drivers\atksgt.sys 2010-04-23 16:08 . 2010-04-23 16:08 25888 ----a-w- c:\windows\system32\drivers\lirsgt.sys 2010-04-18 13:14 . 2010-04-18 13:28 -------- d-----w- l:\documents and settings\willow\Application Data\gtk-2.0 2010-04-18 12:57 . 2010-04-18 12:57 -------- d-----w- l:\documents and settings\willow\.thumbnails 2010-04-18 12:56 . 2010-04-18 12:56 -------- d-----w- l:\documents and settings\gegl-0.0\plug-ins 2010-04-18 12:56 . 2010-04-18 12:56 -------- d-----w- l:\documents and settings\gegl-0.0 2010-04-16 22:03 . 2010-04-16 22:03 -------- d-----w- c:\program files\Microsoft Silverlight 2010-04-12 16:56 . 2001-07-13 11:56 14976 ----a-w- c:\windows\system32\drivers\SBKUPNT.SYS 2010-04-12 16:56 . 1997-02-08 15:11 13312 ----a-w- c:\windows\system32\DEVLOAD.EXE 2010-04-12 16:34 . 2010-04-12 16:34 -------- d-----w- c:\program files\Restore 2010-04-12 16:27 . 2010-04-12 16:34 249856 ------w- c:\windows\Setup1.exe 2010-04-12 16:27 . 2010-04-12 16:34 73216 ----a-w- c:\windows\ST6UNST.EXE 2010-04-09 20:48 . 2010-04-09 20:48 3600384 ----a-w- c:\windows\system32\GPhotos.scr 2010-04-08 15:31 . 2010-04-08 15:31 -------- d--h--w- c:\windows\PIF 2010-04-07 09:33 . 2010-04-07 09:33 -------- d-----w- l:\documents and settings\willow\Local Settings\Application Data\Gas Powered Games 2010-04-07 09:21 . 2010-04-07 09:21 -------- d-----w- C: emp 2010-04-07 09:20 . 2010-04-07 09:20 -------- d-----w- l:\documents and settings\willow\Application Data\Media Center Programs 2010-04-07 09:13 . 2010-04-07 09:13 -------- d-----w- l:\documents and settings\willow\Application Data\InstallShield Installation Information 2010-04-04 15:12 . 2010-04-04 15:12 -------- d-----w- l:\documents and settings\All Users\Application Data\BioWare 2010-04-04 15:07 . 2010-04-04 15:16 -------- d-----w- l:\documents and settings\BioWare\Dragon Age 2010-04-03 16:47 . 2010-04-03 16:47 -------- d-----w- l:\documents and settings\NetworkService.AUTORITE NT\Local Settings\Application Data\Apple 2010-04-02 18:54 . 2010-03-03 03:20 143360 ----a-w- c:\windows\system32\atiapfxx.exe 2010-04-02 18:54 . 2010-04-02 18:54 -------- d-----w- c:\program files\ATI 2010-04-02 18:52 . 2010-04-02 18:52 -------- d-----w- C:\ATI . (((((((((((((((((((((((((((((((((( Compte-rendu de Find3M )))))))))))))))))))))))))))))))))))))))))))))))) . 2010-05-01 16:15 . 2010-03-21 00:00 -------- d-----w- l:\documents and settings\willow\Application Data\vlc 2010-04-29 13:39 . 2010-03-21 13:29 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-04-29 13:39 . 2010-03-21 13:29 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-04-25 20:28 . 2010-03-20 18:45 -------- d-----w- c:\program files\Fichiers communs\Wise Installation Wizard 2010-04-25 20:15 . 2010-03-22 14:55 -------- d-----w- l:\documents and settings\willow\Application Data\QuickScan 2010-04-23 16:03 . 2010-03-13 14:31 -------- d--h--w- c:\program files\InstallShield Installation Information 2010-04-22 13:29 . 2010-03-16 08:44 -------- d-----w- l:\documents and settings\willow\Application Data\dvdcss 2010-04-22 03:26 . 2010-03-22 01:07 -------- d-----w- c:\program files\Google 2010-04-02 18:54 . 2010-03-13 16:12 -------- d-----w- c:\program files\ATI Technologies 2010-04-02 12:38 . 2010-04-02 12:38 384 ----a-w- l:\documents and settings\im_lastritual\user.tmp 2010-04-02 12:07 . 2010-04-02 12:07 -------- d-----w- l:\documents and settings\willow\Application Data\Apple Computer 2010-04-02 12:05 . 2010-03-31 20:36 -------- d-----w- l:\documents and settings\All Users\Application Data\Apple Computer 2010-04-01 10:03 . 2010-04-01 10:03 -------- d-----w- c:\program files\NVIDIA Corporation 2010-04-01 09:38 . 2010-03-31 16:36 24944 ----a-w- c:\windows\system32\drivers\GVTDrv.sys 2010-03-31 22:04 . 2010-03-20 18:45 -------- d-----w- c:\program files\AGEIA Technologies 2010-03-31 20:35 . 2010-03-31 20:35 -------- d-----w- c:\program files\Fichiers communs\Apple 2010-03-31 20:35 . 2010-03-31 20:35 -------- d-----w- c:\program files\Apple Software Update 2010-03-31 20:35 . 2010-03-31 20:35 -------- d-----w- l:\documents and settings\All Users\Application Data\Apple 2010-03-31 17:03 . 2010-03-31 17:02 -------- d-----w- l:\documents and settings\All Users\Application Data\QuickTime 2010-03-31 16:43 . 2010-03-20 18:17 -------- d-----w- c:\program files\SpeedFan 2010-03-31 16:36 . 2010-03-31 16:35 -------- d-----w- c:\program files\Gigabyte 2010-03-31 16:34 . 2010-03-13 14:30 16608 ----a-w- c:\windows\gdrv.sys 2010-03-31 12:04 . 2010-03-31 12:04 -------- d-----w- l:\documents and settings\willow\Application Data\EPSON 2010-03-28 13:02 . 2001-08-28 12:00 80508 ----a-w- c:\windows\system32\perfc00C.dat 2010-03-28 13:02 . 2001-08-28 12:00 500482 ----a-w- c:\windows\system32\perfh00C.dat 2010-03-27 22:49 . 2010-03-27 22:31 -------- d-----w- c:\program files\DivX 2010-03-27 22:49 . 2010-03-27 22:30 -------- d-----w- l:\documents and settings\All Users\Application Data\DivX 2010-03-27 22:49 . 2010-03-27 22:49 -------- d-----w- c:\program files\Fichiers communs\DivX Shared 2010-03-24 14:13 . 2010-03-24 14:13 67128 ----a-w- l:\documents and settings\LocalService.AUTORITE NT\Local Settings\Application Data\FontCache3.0.0.0.dat 2010-03-24 14:10 . 2010-03-20 17:25 -------- d-----w- c:\program files\Fichiers communs\BioWare 2010-03-24 13:49 . 2010-03-24 13:38 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE 2010-03-24 13:35 . 2010-03-24 13:35 -------- d-----w- c:\program files\Rockstar Games 2010-03-24 13:32 . 2010-03-24 13:29 -------- d-----w- l:\documents and settings\willow\Application Data\DeepBurner 2010-03-24 12:50 . 2010-03-13 14:24 76487 ----a-w- c:\windows\PCHEALTH\HELPCTR\OfflineCache\index.dat 2010-03-22 17:14 . 2010-03-22 16:59 -------- d-----w- l:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2010-03-22 17:02 . 2010-03-22 17:02 -------- d-----w- c:\program files rend micro 2010-03-21 13:29 . 2010-03-21 13:29 -------- d-----w- l:\documents and settings\willow\Application Data\Malwarebytes 2010-03-21 13:29 . 2010-03-21 13:29 -------- d-----w- l:\documents and settings\All Users\Application Data\Malwarebytes 2010-03-20 17:23 . 2010-03-20 17:23 108144 ----a-w- c:\windows\system32\CmdLineExt.dll 2010-03-20 17:10 . 2010-03-13 16:11 -------- d-----w- c:\program files\Fichiers communs\InstallShield 2010-03-20 17:09 . 2010-03-20 17:09 -------- d-----w- c:\program files\Bayo 2010-03-20 17:09 . 2010-03-20 17:09 -------- d-----w- c:\program files\Fichiers communs\Bayo 2010-03-20 16:44 . 2010-03-20 16:44 -------- d-----w- c:\program files\Intel 2010-03-17 17:28 . 2010-03-16 09:06 17280 ----a-w- l:\documents and settings\LocalService.AUTORITE NT\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2010-03-17 16:52 . 2010-03-17 16:52 -------- d-----w- c:\program files\MSBuild 2010-03-17 16:52 . 2010-03-17 16:52 -------- d-----w- c:\program files\Reference Assemblies 2010-03-17 16:50 . 2010-03-17 16:50 -------- d-----w- c:\program files\MSXML 6.0 2010-03-16 08:56 . 2010-03-16 08:56 -------- d-----w- l:\documents and settings\Administrateur\Application Data\OpenOffice.org 2010-03-14 14:05 . 2010-03-14 14:05 691696 ----a-w- c:\windows\system32\drivers\sptd.sys 2010-03-14 14:04 . 2010-03-14 14:04 -------- d-----w- c:\program files\epson 2010-03-14 11:14 . 2010-03-13 14:31 -------- d-----w- c:\program files\Realtek 2010-03-14 11:14 . 2010-03-14 11:14 315392 ----a-w- c:\windows\HideWin.exe 2010-03-13 19:54 . 2010-03-13 19:54 411368 ----a-w- c:\windows\system32\deploytk.dll 2010-03-13 19:54 . 2010-03-13 19:54 -------- d-----w- c:\program files\Java 2010-03-13 19:35 . 2010-03-13 19:35 -------- d-----w- c:\program files\Fichiers communs\Adobe 2010-03-13 18:17 . 2010-03-13 18:17 0 ----a-w- c:\windows\ativpsrm.bin 2010-03-13 16:21 . 2010-03-13 16:21 0 ----a-w- c:\windows sreg.dat 2010-03-13 16:18 . 2010-03-13 16:16 -------- d-----w- c:\program files\Fichiers communs\ATI Technologies 2010-03-13 14:24 . 2010-03-13 14:24 -------- d-----w- c:\program files\microsoft frontpage 2010-03-13 14:22 . 2010-03-13 14:22 21892 ----a-w- c:\windows\system32\emptyregdb.dat 2010-03-13 14:22 . 2010-03-13 14:22 -------- d-----w- c:\program files\Services en ligne 2010-03-09 11:10 . 2001-08-28 12:00 430080 ----a-w- c:\windows\system32\vbscript.dll 2010-03-03 04:21 . 2009-08-14 04:27 4630016 ----a-w- c:\windows\system32\drivers\ati2mtag.sys 2010-03-03 04:07 . 2010-03-13 16:12 311296 ----a-w- c:\windows\system32\atiiiexx.dll 2010-03-03 04:02 . 2009-08-14 01:21 45056 ----a-w- c:\windows\system32\aticalrt.dll 2010-03-03 04:02 . 2009-08-14 01:20 45056 ----a-w- c:\windows\system32\aticalcl.dll 2010-03-03 04:01 . 2009-08-14 01:19 3641344 ----a-w- c:\windows\system32\aticaldd.dll 2010-03-03 03:44 . 2009-08-14 01:47 14262272 ----a-w- c:\windows\system32\atioglxx.dll 2010-03-03 03:40 . 2010-03-13 16:12 446464 ----a-w- c:\windows\system32\ATIDEMGX.dll 2010-03-03 03:40 . 2009-08-14 01:58 3616096 ----a-w- c:\windows\system32\ati3duag.dll 2010-03-03 03:39 . 2009-08-14 02:27 301056 ----a-w- c:\windows\system32\ati2dvag.dll 2010-03-03 03:24 . 2009-08-14 02:10 208896 ----a-w- c:\windows\system32\atipdlxx.dll 2010-03-03 03:24 . 2009-08-14 01:42 2232320 ----a-w- c:\windows\system32\ativvaxx.dll 2010-03-03 03:24 . 2009-08-14 02:10 155648 ----a-w- c:\windows\system32\Oemdspif.dll 2010-03-03 03:24 . 2010-03-13 16:12 887724 ----a-w- c:\windows\system32\ativva6x.dat 2010-03-03 03:24 . 2010-03-13 16:12 3 ----a-w- c:\windows\system32\ativva5x.dat 2010-03-03 03:24 . 2009-08-14 02:09 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe 2010-03-03 03:24 . 2009-08-14 02:09 43520 ----a-w- c:\windows\system32\ati2edxx.dll 2010-03-03 03:23 . 2009-08-14 02:09 159744 ----a-w- c:\windows\system32\ati2evxx.dll 2010-03-03 03:22 . 2009-08-14 02:08 602112 ----a-w- c:\windows\system32\ati2evxx.exe 2010-03-03 03:21 . 2009-08-14 02:06 53248 ----a-w- c:\windows\system32\ATIDDC.DLL 2010-03-03 03:16 . 2009-08-14 01:21 565248 ----a-w- c:\windows\system32\atikvmag.dll 2010-03-03 03:15 . 2009-08-14 01:19 184320 ----a-w- c:\windows\system32\atiadlxx.dll 2010-03-03 03:14 . 2009-08-14 01:18 17408 ----a-w- c:\windows\system32\atitvo32.dll 2010-03-03 03:14 . 2009-08-14 01:17 393216 ----a-w- c:\windows\system32\atiok3x2.dll 2010-03-03 03:09 . 2009-08-14 01:12 638976 ----a-w- c:\windows\system32\ati2cqag.dll 2010-03-03 03:07 . 2009-08-14 01:17 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll 2010-03-03 03:07 . 2009-08-14 01:25 65024 ----a-w- c:\windows\system32\atimpc32.dll 2010-03-03 03:07 . 2009-08-14 01:25 65024 ----a-w- c:\windows\system32\amdpcom32.dll 2010-02-26 05:42 . 2001-08-28 12:00 671232 ----a-w- c:\windows\system32\wininet.dll 2010-02-26 05:42 . 2010-03-14 11:01 81920 ------w- c:\windows\system32\ieencode.dll 2010-02-25 19:55 . 2010-03-13 16:12 201875 ----a-w- c:\windows\system32\atiicdxx.dat 2010-02-24 13:11 . 2001-08-28 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys 2010-02-16 19:06 . 2001-08-28 12:00 2148352 ----a-w- c:\windows\system32 toskrnl.exe 2010-02-16 19:06 . 2001-08-23 17:12 2026496 ----a-w- c:\windows\system32 tkrnlpa.exe 2010-02-12 10:03 . 2010-03-18 16:58 293376 ------w- c:\windows\system32\browserchoice.exe 2010-02-12 04:34 . 2001-08-28 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll 2010-02-11 12:02 . 2001-08-28 12:00 226880 ----a-w- c:\windows\system32\drivers cpip6.sys 2010-02-04 08:01 . 2010-03-31 22:12 74072 ----a-w- c:\windows\system32\XAPOFX1_4.dll 2010-02-04 08:01 . 2010-03-31 22:12 528216 ----a-w- c:\windows\system32\XAudio2_6.dll . ((((((((((((((((((((((((((((( SnapShot@2010-05-01_17.59.59 ))))))))))))))))))))))))))))))))))))))))) . + 2010-05-02 17:55 . 2010-05-02 17:55 32768 c:\windows emp\Temporary Internet Files\Content.IE5\index.dat + 2010-05-02 17:52 . 2010-05-02 17:52 16384 c:\windows emp\Perflib_Perfdata_7f0.dat + 2010-05-02 17:55 . 2010-05-02 17:55 32768 c:\windows emp\Historique\History.IE5\MSHist012010050220100503\index.dat + 2010-05-02 17:55 . 2010-05-02 17:55 32768 c:\windows emp\Historique\History.IE5\index.dat - 2010-05-01 15:35 . 2010-05-01 17:59 32768 c:\windows\Temp\Historique\History.IE5\index.dat + 2010-05-02 17:55 . 2010-05-02 17:55 16384 c:\windows emp\Cookies\index.dat - 2010-05-01 15:35 . 2010-05-01 17:59 16384 c:\windows\Temp\Cookies\index.dat . ((((((((((((((((((((((((((((((((( Points de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SuperCopier2.exe"="k:\program files\SuperCopier2\SuperCopier2.exe" [2009-08-16 955392] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-08-13 98304] "RTHDCPL"="RTHDCPL.EXE" [2007-09-19 16844800] "avgnt"="k:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153] "QuickTime Task"="k:\program files\QuickTime\qttask.exe" [2010-03-17 421888] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360] "DWQueuedReporting"="c:\progra~1\FICHIE~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264] l:\documents and settings\Administrateur\Menu D'marrer\Programmes\D'marrage\ OpenOffice.org 3.1.lnk - k:\program files\oo\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer] "HonorAutoRunSetting"= 0 (0x0) [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] "HonorAutoRunSetting"= 0 (0x0) [HKLM\~\startupfolder\L:^Documents and Settings^willow^Menu Démarrer^Programmes^Démarrage^Antimalware Doctor.lnk] path=l:\documents and settings\willow\Menu Démarrer\Programmes\Démarrage\Antimalware Doctor.lnk backup=c:\windows\pss\Antimalware Doctor.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM] 2010-03-24 18:17 952768 ----a-w- c:\program files\Fichiers communs\Adobe\ARM\1.0\AdobeARM.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher] 2010-04-04 05:42 36272 ----a-w- k:\program files\Adobe\Reader 9.0\Reader eader_sl.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite] 2009-10-30 11:57 369200 ----a-w- k:\program files\DAEMON Tools Lite\DTLite.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate] 2010-03-05 15:32 1135912 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyTuneVPro] 2007-07-26 13:05 20480 ----a-w- c:\program files\Gigabyte\ET5Pro\ETcall.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] 2010-03-17 19:53 421888 ----a-w- k:\program files\QuickTime\QTTask.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SteamUp] 2010-03-20 19:14 1217872 ----a-w- k:\program files\Cracked Steam\Steam.exe [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\system32\sessmgr.exe"= "k:\Program Files\aMSN\bin\wish.exe"= "c:\Program Files\Java\jre6\bin\javaw.exe"= "k:\Program Files\eMule\eMule.exe"= "l:\Program Files\Mass Effect 2\Binaries\MassEffect2.exe"= "l:\Program Files\Mass Effect 2\MassEffect2Launcher.exe"= "%windir%\Network Diagnostic\xpnetdiag.exe"= "k:\Program Files\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe"= "l:\Program Files\Rockstar Games\Grand Theft Auto IV\LaunchGTAIV.exe"= "l:\Program Files\Rockstar Games\Grand Theft Auto IV\GTAIV.exe"= "l:\Program Files\Dragon Age\bin_ship\daorigins.exe"= "l:\Program Files\Dragon Age\DAOriginsLauncher.exe"= "l:\Program Files\Left 4 Dead 2\left4dead2.exe"= "k:\Program Files\Ubi Soft\dernierrituel\rituel.exe"= "l:\Program Files\Call Of duty modern 2\iw4sp.exe"= "l:\Program Files\Dragon Age\bin_ship\daupdatersvc.service.exe"= "l:\Program Files\THQ\Gas Powered Games\Supreme Commander\bin\SupremeCommander.exe"= "l:\Program Files\THQ\Gas Powered Games\GPGNet\GPG.Multiplayer.Client.exe"= "k:\Program Files\BitTorrent\bittorrent.exe"= R0 avgntmgr;avgntmgr;c:\windows\system32\drivers\avgntmgr.sys [13/03/2010 21:37 22360] R1 avgntdd;avgntdd;c:\windows\system32\drivers\avgntdd.sys [13/03/2010 21:37 45416] R1 nltdi;nltdi;c:\windows\system32\drivers ltdi.sys [23/04/2007 13:03 82200] R2 AntiVirSchedulerService;Avira AntiVir Planificateur;k:\program files\Avira\AntiVir Desktop\sched.exe [13/03/2010 21:37 108289] R2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [12/04/2010 18:56 14976] S2 gupdate;Service Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [22/03/2010 03:07 136176] S3 DAUpdaterSvc;Dragon Age: Origins - Application de mise à jour;l:\program files\Dragon Age\bin_ship\daupdatersvc.service.exe [15/12/2009 22:07 25832] S3 EverestDriver;Lavalys EVEREST Kernel Driver;k:\program files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt [13/03/2010 21:46 23152] S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [21/03/2010 15:29 38224] S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [14/03/2010 16:05 691696] . Contenu du dossier 'Tâches planifiées' 2010-05-01 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 10:34] 2010-05-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-03-22 01:07] 2010-05-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-03-22 01:07] . . ------- Examen supplémentaire ------- . IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200 FF - ProfilePath - l:\documents and settings\willow\Application Data\Mozilla\Firefox\Profiles\2ig1d9a7.default\ FF - prefs.js: browser.search.selectedEngine - Google FF - component: l:\documents and settings\willow\Application Data\Mozilla\Firefox\Profiles\2ig1d9a7.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll FF - component: l:\documents and settings\willow\Application Data\Mozilla\Firefox\Profiles\2ig1d9a7.default\extensions\piclens@cooliris.com\components\coolirisstub.dll FF - plugin: c:\program files\DivX\DivX Plus Web Player pdivx32.dll FF - plugin: c:\program files\Google\Google Earth\plugin pgeplugin.dll FF - plugin: c:\program files\Google\Update\1.2.183.23 pGoogleOneClick8.dll FF - plugin: k:\program files\Adobe\Reader 9.0\Reader\browser ppdf32.dll FF - plugin: k:\program files\Google\Picasa3 pPicasa3.dll FF - plugin: k:\program files\QuickTime\Plugins pqtplugin.dll FF - plugin: k:\program files\QuickTime\Plugins pqtplugin2.dll FF - plugin: k:\program files\QuickTime\Plugins pqtplugin3.dll FF - plugin: k:\program files\QuickTime\Plugins pqtplugin4.dll FF - plugin: k:\program files\QuickTime\Plugins pqtplugin5.dll FF - plugin: k:\program files\QuickTime\Plugins pqtplugin6.dll FF - plugin: k:\program files\QuickTime\Plugins pqtplugin7.dll FF - plugin: l:\documents and settings\willow\Application Data\Mozilla\Firefox\Profiles\2ig1d9a7.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins pqscan.dll FF - plugin: l:\documents and settings\willow\Application Data\Mozilla\Firefox\Profiles\2ig1d9a7.default\extensions\piclens@cooliris.com\plugins pcoolirisplugin.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ ---- PARAMETRES FIREFOX ---- k:\program files\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true); k:\program files\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", ""); k:\program files\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false); k:\program files\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false); . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-05-02 19:55 Windows 5.1.2600 Service Pack 3 NTFS Recherche de processus cachés ... Recherche d'éléments en démarrage automatique cachés ... Recherche de fichiers cachés ... Scan terminé avec succès Fichiers cachés: 0 ************************************************************************** Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net device: opened successfully user: MBR read successfully called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89BDFCC8]<< kernel: MBR read successfully detected MBR rootkit hooks: \Driver\Disk -> CLASSPNP.SYS @ 0xba0ecf28 \Driver\ACPI -> 0x89bdfcc8 \Driver\atapi -> atapi.sys @ 0xb9f36852 IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8 ParseProcedure -> ntkrnlpa.exe @ 0x805827e8 SecurityProcedure -> ntkrnlpa.exe @ 0x80583d4a \Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8 ParseProcedure -> ntkrnlpa.exe @ 0x805827e8 SecurityProcedure -> ntkrnlpa.exe @ 0x80583d4a NDIS: Realtek RTL8168/8111 PCI-E Gigabit Ethernet NIC -> SendCompleteHandler -> 0x88ffc5c0 PacketIndicateHandler -> NDIS.sys @ 0xb9e4fa21 SendHandler -> NDIS.sys @ 0xb9e2d87b Warning: possible MBR rootkit infection ! user & kernel MBR OK copy of MBR has been found in sector 0x057545301 malicious code @ sector 0x057545304 ! PE file found in sector at 0x05754531A ! ************************************************************************** [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EverestDriver] "ImagePath"="\??\k:\program files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt" . --------------------- CLES DE REGISTRE BLOQUEES --------------------- [HKEY_USERS\S-1-5-21-1004336348-57989841-839522115-1004\Software\SecuROM\License information*] "datasecu"=hex:31,c4,1c,c8,15,4c,36,f4,ab,0e,80,87,60,2d,8e,22,62,30,1e,8c,0d, b7,f8,4d,a3,8a,d5,2f,da,9c,eb,f7,bc,67,04,ca,71,33,30,c3,f2,99,b4,ad,68,be,\ "rkeysecu"=hex:2f,0f,d5,3e,02,2b,06,63,b1,0b,dd,b6,71,e2,54,98 . --------------------- DLLs chargées dans les processus actifs --------------------- - - - - - - - > 'winlogon.exe'(728) c:\windows\system32\Ati2evxx.dll c:\windows\system32\atiadlxx.dll - - - - - - - > 'explorer.exe'(3220) c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll c:\windows\system32\eappprxy.dll . ------------------------ Autres processus actifs ------------------------ . c:\windows\system32\Ati2evxx.exe c:\windows\system32\Ati2evxx.exe k:\program files\Avira\AntiVir Desktop\avguard.exe l:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE l:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE c:\program files\Java\jre6\bin\jqs.exe k:\program files\NetLimiter 2 Pro lsvc.exe k:\program files\RealVNC\VNC4\WinVNC4.exe k:\program files\NetLimiter 2 Pro\NLClient.exe c:\windows\RTHDCPL.EXE c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe c:\windows\system32\wscntfy.exe c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe . ************************************************************************** . Heure de fin: 2010-05-02 19:57:30 - La machine a redémarré ComboFix-quarantined-files.txt 2010-05-02 17:57 ComboFix2.txt 2010-05-01 18:01 Avant-CF: 815 874 048 octets libres Après-CF: 787 542 016 octets libres - - End Of File - - D2D002CE4551F709185A4B5AA792C715

willow93 · Answer

http://www.cijoint.fr/cjlink.php?file=cj201005/cij1mYcM9O.txt

willow93 · Answer

Super ! Ca a l'air d'être bon !
Plus de bug depuis un moment...
Je te remercie pour ton super boulot, franchement vous assurez !
J'imagine que je doit finaliser en nettoyant un peu tout ca ?
Je crois qu'on va pouvoir mettre "résolu"
Encore merci

archet9 · Answer

J'imagine que je doit finaliser en nettoyant un peu tout ca ? 

Oui tout à fait....

Dsl je bosse demain très tot et --> dodo ce soir !!! je n'est plus de temps ce
soir....

==> Relance moi un "UP" demain vers 18/19 h afin que je puisse lire ton message et on finalisera......

à demain...dsl pour ce soir !

archet9 · Answer

Re,

Pour vérif, fais tout de même ceci stp .

/!\ Il faut impérativement désactiver tous tes logiciels de protection pour utiliser ce programme/!\ 


 Télécharge : Gmer (by Przemyslaw Gmerek) 

http://www.gmer.net/ 



 Dezippe gmer ,cliques sur l'onglet rootkit,lances le scan,des lignes rouges vont apparaitre, ou pas... 

 Les lignes rouges indiquent la presence d'un rootkit.Postes moi le rapport gmer (cliques sur copy,puis vas dans demarrer ,puis ouvres le bloc note,vas dans edition et cliques sur coller,le rapport gmer va apparaitre,postes moi le) 

Ensuite 

 sur les lignes rouge: 

 Services:cliques droit delete service 
 Process:cliques droit kill process 
 Adl ,file:cliques droit delete files 


a+

willow93 · Answer

Je te fait en ce momment meme un GMER ...
c'est long

willow93 · Answer

RE ! Pardon de pas avoir donné de nouvelles mais j'était très occupé ...

Ca continue a bugger ! (meme avec le net débranché )
Je n'arrive pas a faire un scan GMER complet car ca bug avant. J'ai fait lecteur par lecteur mais le plus gros ne se termine pas avant un bug !
Voici le scan de mes lecteurs sauf un :


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-10 20:46:57
Windows 5.1.2600 Service Pack 3
Running: 6i5gmgrn.exe; Driver: L:\DOCUME~1\willow\LOCALS~1\Temp\uwlorkod.sys


---- System - GMER 1.0.15 ----

SSDT            BA73A606                                                                                                            ZwCreateKey
SSDT            BA73A5FC                                                                                                            ZwCreateThread
SSDT            BA73A60B                                                                                                            ZwDeleteKey
SSDT            BA73A615                                                                                                            ZwDeleteValueKey
SSDT            BA73A61A                                                                                                            ZwLoadKey
SSDT            BA73A5E8                                                                                                            ZwOpenProcess
SSDT            BA73A5ED                                                                                                            ZwOpenThread
SSDT            BA73A624                                                                                                            ZwReplaceKey
SSDT            BA73A61F                                                                                                            ZwRestoreKey
SSDT            BA73A610                                                                                                            ZwSetValueKey
SSDT            BA73A5F7                                                                                                            ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

.text           ntkrnlpa.exe!ZwCallbackReturn + 2DB8                                                                                80504654 4 Bytes  CALL 870AB9FE 
.text           C:\WINDOWS\System32\DRIVERS\ati2mtag.sys                                                                            section is writeable [0xB9911000, 0x235297, 0xE8000020]
.text           C:\WINDOWS\system32\DRIVERS\atksgt.sys                                                                              section is writeable [0xA9015300, 0x3B6D8, 0xE8000020]
.text           C:\WINDOWS\system32\DRIVERS\lirsgt.sys                                                                              section is writeable [0xBA368300, 0x1BEE, 0xE8000020]

---- Devices - GMER 1.0.15 ----

AttachedDevice  \FileSystem\Ntfs \Ntfs                                                                                              avgntmgr.sys (Avira AntiVir File Filter Driver Manager/Avira GmbH)
AttachedDevice  \Driver\Tcpip \Device\Ip                                                                                            nltdi.sys (NetLimiter Driver/Locktime Software)

Device          \Driver\ACPI \Device\00000050                                                                                       89854300
Device          \Driver\ACPI \Device\00000043                                                                                       89854300
Device          \Driver\ACPI \Device\00000060                                                                                       89854300
Device          \Driver\ACPI \Device\00000048                                                                                       89854300

AttachedDevice  \Driver\Tcpip \Device\Tcp                                                                                           nltdi.sys (NetLimiter Driver/Locktime Software)

Device          \Driver\ACPI \Device\00000062                                                                                       89854300
Device          \Driver\ACPI \Device\00000049                                                                                       89854300
Device          \Driver\ACPI \Device\00000063                                                                                       89854300
Device          \Driver\ACPI \Device\00000057                                                                                       89854300
Device          \Driver\ACPI \Device\00000064                                                                                       89854300
Device          \Driver\ACPI \Device\00000065                                                                                       89854300
Device          \Driver\ACPI \Device\0000004a                                                                                       89854300
Device          \Driver\ACPI \Device\0000004b                                                                                       89854300
Device          \Driver\ACPI \Device\0000003f                                                                                       89854300
Device          \Driver\ACPI \Device\0000004c                                                                                       89854300
Device          \Driver\ACPI \Device\0000005a                                                                                       89854300
Device          \Driver\ACPI \Device\0000004d                                                                                       89854300
Device          \Driver\ACPI \Device\0000005b                                                                                       89854300
Device          \Driver\ACPI \Device\0000005c                                                                                       89854300

AttachedDevice  \Driver\Tcpip \Device\Udp                                                                                           nltdi.sys (NetLimiter Driver/Locktime Software)

Device          \Driver\ACPI \Device\0000005d                                                                                       89854300

AttachedDevice  \Driver\Tcpip \Device\RawIp                                                                                         nltdi.sys (NetLimiter Driver/Locktime Software)

Device          \Driver\ACPI \Device\0000005f                                                                                       89854300

---- Registry - GMER 1.0.15 ----

Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC                                    
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0                                 C:\Program Files\DAEMON Tools Lite\
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0                                 0xD4 0xC3 0x97 0x02 ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                                 0
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                              0x9B 0xDA 0xCD 0xCC ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001                           
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0                        0x20 0x01 0x00 0x00 ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12                     0x44 0xE3 0x5F 0xCB ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0                      
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12                0x65 0xB2 0x77 0x33 ...
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)                
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0                                     C:\Program Files\DAEMON Tools Lite\
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0                                     0xD4 0xC3 0x97 0x02 ...
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                                     0
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                                  0x9B 0xDA 0xCD 0xCC ...
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)       
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0                            0x20 0x01 0x00 0x00 ...
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12                         0x44 0xE3 0x5F 0xCB ...
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)  
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12                    0x65 0xB2 0x77 0x33 ...
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)                
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0                                     K:\Program Files\DAEMON Tools Lite\
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0                                     0xD4 0xC3 0x97 0x02 ...
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                                     0
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                                  0x9B 0xDA 0xCD 0xCC ...
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)       
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0                            0x20 0x01 0x00 0x00 ...
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12                         0x44 0xE3 0x5F 0xCB ...
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)  
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12                    0x05 0xE1 0xEF 0xB7 ...

---- EOF - GMER 1.0.15 ----


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-10 22:02:28
Windows 5.1.2600 Service Pack 3
Running: 6i5gmgrn.exe; Driver: L:\DOCUME~1\willow\LOCALS~1\Temp\uwlorkod.sys


---- System - GMER 1.0.15 ----

SSDT            BA73A606                                                                                                            ZwCreateKey
SSDT            BA73A5FC                                                                                                            ZwCreateThread
SSDT            BA73A60B                                                                                                            ZwDeleteKey
SSDT            BA73A615                                                                                                            ZwDeleteValueKey
SSDT            BA73A61A                                                                                                            ZwLoadKey
SSDT            BA73A5E8                                                                                                            ZwOpenProcess
SSDT            BA73A5ED                                                                                                            ZwOpenThread
SSDT            BA73A624                                                                                                            ZwReplaceKey
SSDT            BA73A61F                                                                                                            ZwRestoreKey
SSDT            BA73A610                                                                                                            ZwSetValueKey
SSDT            BA73A5F7                                                                                                            ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

.text           ntkrnlpa.exe!ZwCallbackReturn + 2DB8                                                                                80504654 4 Bytes  CALL 870AB9FE 
.text           C:\WINDOWS\System32\DRIVERS\ati2mtag.sys                                                                            section is writeable [0xB9911000, 0x235297, 0xE8000020]
.text           C:\WINDOWS\system32\DRIVERS\atksgt.sys                                                                              section is writeable [0xA9015300, 0x3B6D8, 0xE8000020]
.text           C:\WINDOWS\system32\DRIVERS\lirsgt.sys                                                                              section is writeable [0xBA368300, 0x1BEE, 0xE8000020]

---- Devices - GMER 1.0.15 ----

AttachedDevice  \FileSystem\Ntfs \Ntfs                                                                                              avgntmgr.sys (Avira AntiVir File Filter Driver Manager/Avira GmbH)
AttachedDevice  \Driver\Tcpip \Device\Ip                                                                                            nltdi.sys (NetLimiter Driver/Locktime Software)

Device          \Driver\ACPI \Device\00000050                                                                                       89854300
Device          \Driver\ACPI \Device\00000043                                                                                       89854300
Device          \Driver\ACPI \Device\00000060                                                                                       89854300
Device          \Driver\ACPI \Device\00000048                                                                                       89854300

AttachedDevice  \Driver\Tcpip \Device\Tcp                                                                                           nltdi.sys (NetLimiter Driver/Locktime Software)

Device          \Driver\ACPI \Device\00000062                                                                                       89854300
Device          \Driver\ACPI \Device\00000049                                                                                       89854300
Device          \Driver\ACPI \Device\00000063                                                                                       89854300
Device          \Driver\ACPI \Device\00000057                                                                                       89854300
Device          \Driver\ACPI \Device\00000064                                                                                       89854300
Device          \Driver\ACPI \Device\00000065                                                                                       89854300
Device          \Driver\ACPI \Device\0000004a                                                                                       89854300
Device          \Driver\ACPI \Device\0000004b                                                                                       89854300
Device          \Driver\ACPI \Device\0000003f                                                                                       89854300
Device          \Driver\ACPI \Device\0000004c                                                                                       89854300
Device          \Driver\ACPI \Device\0000005a                                                                                       89854300
Device          \Driver\ACPI \Device\0000004d                                                                                       89854300
Device          \Driver\ACPI \Device\0000005b                                                                                       89854300
Device          \Driver\ACPI \Device\0000005c                                                                                       89854300

AttachedDevice  \Driver\Tcpip \Device\Udp                                                                                           nltdi.sys (NetLimiter Driver/Locktime Software)

Device          \Driver\ACPI \Device\0000005d                                                                                       89854300

AttachedDevice  \Driver\Tcpip \Device\RawIp                                                                                         nltdi.sys (NetLimiter Driver/Locktime Software)

Device          \Driver\ACPI \Device\0000005f                                                                                       89854300

---- Registry - GMER 1.0.15 ----

Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC                                    
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0                                 C:\Program Files\DAEMON Tools Lite\
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0                                 0xD4 0xC3 0x97 0x02 ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                                 0
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                              0x9B 0xDA 0xCD 0xCC ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001                           
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0                        0x20 0x01 0x00 0x00 ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12                     0x44 0xE3 0x5F 0xCB ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0                      
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12                0x65 0xB2 0x77 0x33 ...
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)                
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0                                     C:\Program Files\DAEMON Tools Lite\
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0                                     0xD4 0xC3 0x97 0x02 ...
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                                     0
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                                  0x9B 0xDA 0xCD 0xCC ...
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)       
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0                            0x20 0x01 0x00 0x00 ...
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12                         0x44 0xE3 0x5F 0xCB ...
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)  
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12                    0x65 0xB2 0x77 0x33 ...
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)                
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0                                     K:\Program Files\DAEMON Tools Lite\
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0                                     0xD4 0xC3 0x97 0x02 ...
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                                     0
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                                  0x9B 0xDA 0xCD 0xCC ...
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)       
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0                            0x20 0x01 0x00 0x00 ...
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12                         0x44 0xE3 0x5F 0xCB ...
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)  
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12                    0x05 0xE1 0xEF 0xB7 ...

willow93 · Answer

RE ! Pardon de pas avoir donné de nouvelles mais j'était très occupé ...

Ca continue a bugger ! (meme avec le net débranché )
Je n'arrive pas a faire un scan GMER complet car ca bug avant. J'ai fait lecteur par lecteur mais le plus gros ne se termine pas avant un bug !
Voici le scan de mes lecteurs sauf un :


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-10 20:46:57
Windows 5.1.2600 Service Pack 3
Running: 6i5gmgrn.exe; Driver: L:\DOCUME~1\willow\LOCALS~1\Temp\uwlorkod.sys


---- System - GMER 1.0.15 ----

SSDT            BA73A606                                                                                                            ZwCreateKey
SSDT            BA73A5FC                                                                                                            ZwCreateThread
SSDT            BA73A60B                                                                                                            ZwDeleteKey
SSDT            BA73A615                                                                                                            ZwDeleteValueKey
SSDT            BA73A61A                                                                                                            ZwLoadKey
SSDT            BA73A5E8                                                                                                            ZwOpenProcess
SSDT            BA73A5ED                                                                                                            ZwOpenThread
SSDT            BA73A624                                                                                                            ZwReplaceKey
SSDT            BA73A61F                                                                                                            ZwRestoreKey
SSDT            BA73A610                                                                                                            ZwSetValueKey
SSDT            BA73A5F7                                                                                                            ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

.text           ntkrnlpa.exe!ZwCallbackReturn + 2DB8                                                                                80504654 4 Bytes  CALL 870AB9FE 
.text           C:\WINDOWS\System32\DRIVERS\ati2mtag.sys                                                                            section is writeable [0xB9911000, 0x235297, 0xE8000020]
.text           C:\WINDOWS\system32\DRIVERS\atksgt.sys                                                                              section is writeable [0xA9015300, 0x3B6D8, 0xE8000020]
.text           C:\WINDOWS\system32\DRIVERS\lirsgt.sys                                                                              section is writeable [0xBA368300, 0x1BEE, 0xE8000020]

---- Devices - GMER 1.0.15 ----

AttachedDevice  \FileSystem\Ntfs \Ntfs                                                                                              avgntmgr.sys (Avira AntiVir File Filter Driver Manager/Avira GmbH)
AttachedDevice  \Driver\Tcpip \Device\Ip                                                                                            nltdi.sys (NetLimiter Driver/Locktime Software)

Device          \Driver\ACPI \Device\00000050                                                                                       89854300
Device          \Driver\ACPI \Device\00000043                                                                                       89854300
Device          \Driver\ACPI \Device\00000060                                                                                       89854300
Device          \Driver\ACPI \Device\00000048                                                                                       89854300

AttachedDevice  \Driver\Tcpip \Device\Tcp                                                                                           nltdi.sys (NetLimiter Driver/Locktime Software)

Device          \Driver\ACPI \Device\00000062                                                                                       89854300
Device          \Driver\ACPI \Device\00000049                                                                                       89854300
Device          \Driver\ACPI \Device\00000063                                                                                       89854300
Device          \Driver\ACPI \Device\00000057                                                                                       89854300
Device          \Driver\ACPI \Device\00000064                                                                                       89854300
Device          \Driver\ACPI \Device\00000065                                                                                       89854300
Device          \Driver\ACPI \Device\0000004a                                                                                       89854300
Device          \Driver\ACPI \Device\0000004b                                                                                       89854300
Device          \Driver\ACPI \Device\0000003f                                                                                       89854300
Device          \Driver\ACPI \Device\0000004c                                                                                       89854300
Device          \Driver\ACPI \Device\0000005a                                                                                       89854300
Device          \Driver\ACPI \Device\0000004d                                                                                       89854300
Device          \Driver\ACPI \Device\0000005b                                                                                       89854300
Device          \Driver\ACPI \Device\0000005c                                                                                       89854300

AttachedDevice  \Driver\Tcpip \Device\Udp                                                                                           nltdi.sys (NetLimiter Driver/Locktime Software)

Device          \Driver\ACPI \Device\0000005d                                                                                       89854300

AttachedDevice  \Driver\Tcpip \Device\RawIp                                                                                         nltdi.sys (NetLimiter Driver/Locktime Software)

Device          \Driver\ACPI \Device\0000005f                                                                                       89854300

---- Registry - GMER 1.0.15 ----

Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC                                    
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0                                 C:\Program Files\DAEMON Tools Lite\
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0                                 0xD4 0xC3 0x97 0x02 ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                                 0
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                              0x9B 0xDA 0xCD 0xCC ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001                           
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0                        0x20 0x01 0x00 0x00 ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12                     0x44 0xE3 0x5F 0xCB ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0                      
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12                0x65 0xB2 0x77 0x33 ...
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)                
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0                                     C:\Program Files\DAEMON Tools Lite\
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0                                     0xD4 0xC3 0x97 0x02 ...
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                                     0
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                                  0x9B 0xDA 0xCD 0xCC ...
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)       
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0                            0x20 0x01 0x00 0x00 ...
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12                         0x44 0xE3 0x5F 0xCB ...
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)  
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12                    0x65 0xB2 0x77 0x33 ...
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)                
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0                                     K:\Program Files\DAEMON Tools Lite\
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0                                     0xD4 0xC3 0x97 0x02 ...
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                                     0
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                                  0x9B 0xDA 0xCD 0xCC ...
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)       
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0                            0x20 0x01 0x00 0x00 ...
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12                         0x44 0xE3 0x5F 0xCB ...
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)  
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12                    0x05 0xE1 0xEF 0xB7 ...

---- EOF - GMER 1.0.15 ----

willow93 · Answer

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-10 22:02:28
Windows 5.1.2600 Service Pack 3
Running: 6i5gmgrn.exe; Driver: L:\DOCUME~1\willow\LOCALS~1\Temp\uwlorkod.sys


---- System - GMER 1.0.15 ----

SSDT            BA73A606                                                                                                            ZwCreateKey
SSDT            BA73A5FC                                                                                                            ZwCreateThread
SSDT            BA73A60B                                                                                                            ZwDeleteKey
SSDT            BA73A615                                                                                                            ZwDeleteValueKey
SSDT            BA73A61A                                                                                                            ZwLoadKey
SSDT            BA73A5E8                                                                                                            ZwOpenProcess
SSDT            BA73A5ED                                                                                                            ZwOpenThread
SSDT            BA73A624                                                                                                            ZwReplaceKey
SSDT            BA73A61F                                                                                                            ZwRestoreKey
SSDT            BA73A610                                                                                                            ZwSetValueKey
SSDT            BA73A5F7                                                                                                            ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

.text           ntkrnlpa.exe!ZwCallbackReturn + 2DB8                                                                                80504654 4 Bytes  CALL 870AB9FE 
.text           C:\WINDOWS\System32\DRIVERS\ati2mtag.sys                                                                            section is writeable [0xB9911000, 0x235297, 0xE8000020]
.text           C:\WINDOWS\system32\DRIVERS\atksgt.sys                                                                              section is writeable [0xA9015300, 0x3B6D8, 0xE8000020]
.text           C:\WINDOWS\system32\DRIVERS\lirsgt.sys                                                                              section is writeable [0xBA368300, 0x1BEE, 0xE8000020]

---- Devices - GMER 1.0.15 ----

AttachedDevice  \FileSystem\Ntfs \Ntfs                                                                                              avgntmgr.sys (Avira AntiVir File Filter Driver Manager/Avira GmbH)
AttachedDevice  \Driver\Tcpip \Device\Ip                                                                                            nltdi.sys (NetLimiter Driver/Locktime Software)

Device          \Driver\ACPI \Device\00000050                                                                                       89854300
Device          \Driver\ACPI \Device\00000043                                                                                       89854300
Device          \Driver\ACPI \Device\00000060                                                                                       89854300
Device          \Driver\ACPI \Device\00000048                                                                                       89854300

AttachedDevice  \Driver\Tcpip \Device\Tcp                                                                                           nltdi.sys (NetLimiter Driver/Locktime Software)

Device          \Driver\ACPI \Device\00000062                                                                                       89854300
Device          \Driver\ACPI \Device\00000049                                                                                       89854300
Device          \Driver\ACPI \Device\00000063                                                                                       89854300
Device          \Driver\ACPI \Device\00000057                                                                                       89854300
Device          \Driver\ACPI \Device\00000064                                                                                       89854300
Device          \Driver\ACPI \Device\00000065                                                                                       89854300
Device          \Driver\ACPI \Device\0000004a                                                                                       89854300
Device          \Driver\ACPI \Device\0000004b                                                                                       89854300
Device          \Driver\ACPI \Device\0000003f                                                                                       89854300
Device          \Driver\ACPI \Device\0000004c                                                                                       89854300
Device          \Driver\ACPI \Device\0000005a                                                                                       89854300
Device          \Driver\ACPI \Device\0000004d                                                                                       89854300
Device          \Driver\ACPI \Device\0000005b                                                                                       89854300
Device          \Driver\ACPI \Device\0000005c                                                                                       89854300

AttachedDevice  \Driver\Tcpip \Device\Udp                                                                                           nltdi.sys (NetLimiter Driver/Locktime Software)

Device          \Driver\ACPI \Device\0000005d                                                                                       89854300

AttachedDevice  \Driver\Tcpip \Device\RawIp                                                                                         nltdi.sys (NetLimiter Driver/Locktime Software)

Device          \Driver\ACPI \Device\0000005f                                                                                       89854300

---- Registry - GMER 1.0.15 ----

Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC                                    
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0                                 C:\Program Files\DAEMON Tools Lite\
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0                                 0xD4 0xC3 0x97 0x02 ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                                 0
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                              0x9B 0xDA 0xCD 0xCC ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001                           
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0                        0x20 0x01 0x00 0x00 ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12                     0x44 0xE3 0x5F 0xCB ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0                      
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12                0x65 0xB2 0x77 0x33 ...
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)                
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0                                     C:\Program Files\DAEMON Tools Lite\
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0                                     0xD4 0xC3 0x97 0x02 ...
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                                     0
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                                  0x9B 0xDA 0xCD 0xCC ...
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)       
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0                            0x20 0x01 0x00 0x00 ...
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12                         0x44 0xE3 0x5F 0xCB ...
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)  
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12                    0x65 0xB2 0x77 0x33 ...
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)                
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0                                     K:\Program Files\DAEMON Tools Lite\
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0                                     0xD4 0xC3 0x97 0x02 ...
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                                     0
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                                  0x9B 0xDA 0xCD 0xCC ...
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)       
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0                            0x20 0x01 0x00 0x00 ...
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12                         0x44 0xE3 0x5F 0xCB ...
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)  
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12                    0x05 0xE1 0xEF 0xB7 ...

willow93 · Answer

---- EOF - GMER 1.0.15 ----

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-10 22:56:44
Windows 5.1.2600 Service Pack 3
Running: 6i5gmgrn.exe; Driver: L:\DOCUME~1\willow\LOCALS~1\Temp\uwlorkod.sys


---- System - GMER 1.0.15 ----

SSDT            BA73A606                                                                                                            ZwCreateKey
SSDT            BA73A5FC                                                                                                            ZwCreateThread
SSDT            BA73A60B                                                                                                            ZwDeleteKey
SSDT            BA73A615                                                                                                            ZwDeleteValueKey
SSDT            BA73A61A                                                                                                            ZwLoadKey
SSDT            BA73A5E8                                                                                                            ZwOpenProcess
SSDT            BA73A5ED                                                                                                            ZwOpenThread
SSDT            BA73A624                                                                                                            ZwReplaceKey
SSDT            BA73A61F                                                                                                            ZwRestoreKey
SSDT            BA73A610                                                                                                            ZwSetValueKey
SSDT            BA73A5F7                                                                                                            ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

.text           ntkrnlpa.exe!ZwCallbackReturn + 2DB8                                                                                80504654 4 Bytes  CALL 870AB9FE 
.text           C:\WINDOWS\System32\DRIVERS\ati2mtag.sys                                                                            section is writeable [0xB9911000, 0x235297, 0xE8000020]
.text           C:\WINDOWS\system32\DRIVERS\atksgt.sys                                                                              section is writeable [0xA9015300, 0x3B6D8, 0xE8000020]
.text           C:\WINDOWS\system32\DRIVERS\lirsgt.sys                                                                              section is writeable [0xBA368300, 0x1BEE, 0xE8000020]

---- Devices - GMER 1.0.15 ----

AttachedDevice  \FileSystem\Ntfs \Ntfs                                                                                              avgntmgr.sys (Avira AntiVir File Filter Driver Manager/Avira GmbH)
AttachedDevice  \Driver\Tcpip \Device\Ip                                                                                            nltdi.sys (NetLimiter Driver/Locktime Software)

Device          \Driver\ACPI \Device\00000043                                                                                       89854300
Device          \Driver\ACPI \Device\00000050                                                                                       89854300
Device          \Driver\ACPI \Device\00000060                                                                                       89854300
Device          \Driver\ACPI \Device\00000048                                                                                       89854300

AttachedDevice  \Driver\Tcpip \Device\Tcp                                                                                           nltdi.sys (NetLimiter Driver/Locktime Software)

Device          \Driver\ACPI \Device\00000049                                                                                       89854300
Device          \Driver\ACPI \Device\00000062                                                                                       89854300
Device          \Driver\ACPI \Device\00000057                                                                                       89854300
Device          \Driver\ACPI \Device\00000063                                                                                       89854300
Device          \Driver\ACPI \Device\00000064                                                                                       89854300
Device          \Driver\ACPI \Device\00000065                                                                                       89854300
Device          \Driver\ACPI \Device\0000004a                                                                                       89854300
Device          \Driver\ACPI \Device\0000003f                                                                                       89854300
Device          \Driver\ACPI \Device\0000004b                                                                                       89854300
Device          \Driver\ACPI \Device\0000004c                                                                                       89854300
Device          \Driver\ACPI \Device\0000004d                                                                                       89854300
Device          \Driver\ACPI \Device\0000005a                                                                                       89854300
Device          \Driver\ACPI \Device\0000005b                                                                                       89854300
Device          \Driver\ACPI \Device\0000005c                                                                                       89854300

AttachedDevice  \Driver\Tcpip \Device\Udp                                                                                           nltdi.sys (NetLimiter Driver/Locktime Software)

Device          \Driver\ACPI \Device\0000005d                                                                                       89854300

AttachedDevice  \Driver\Tcpip \Device\RawIp                                                                                         nltdi.sys (NetLimiter Driver/Locktime Software)

Device          \Driver\ACPI \Device\0000005f                                                                                       89854300

---- Registry - GMER 1.0.15 ----

Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC                                    
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0                                 C:\Program Files\DAEMON Tools Lite\
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0                                 0xD4 0xC3 0x97 0x02 ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                                 0
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                              0x9B 0xDA 0xCD 0xCC ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001                           
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0                        0x20 0x01 0x00 0x00 ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12                     0x44 0xE3 0x5F 0xCB ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0                      
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12                0x65 0xB2 0x77 0x33 ...
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)                
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0                                     C:\Program Files\DAEMON Tools Lite\
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0                                     0xD4 0xC3 0x97 0x02 ...
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                                     0
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                                  0x9B 0xDA 0xCD 0xCC ...
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)       
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0                            0x20 0x01 0x00 0x00 ...
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12                         0x44 0xE3 0x5F 0xCB ...
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)  
Reg             HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12                    0x65 0xB2 0x77 0x33 ...
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)                
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0                                     K:\Program Files\DAEMON Tools Lite\
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0                                     0xD4 0xC3 0x97 0x02 ...
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                                     0
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                                  0x9B 0xDA 0xCD 0xCC ...
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)       
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0                            0x20 0x01 0x00 0x00 ...
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12                         0x44 0xE3 0x5F 0xCB ...
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)  
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12                    0x05 0xE1 0xEF 0xB7 ...

---- EOF - GMER 1.0.15 ----

willow93 · Answer

Up !

archet9 · Answer

Supprimes Combofix ainsi : 

->Cliques sur " Démarrer "( ou combine la touche Windows + R ) -> " Executer " -> copie/colles cette ligne : 

ComboFix /uninstall 
 

-->Valides . 


==> Réinstalle le iici :
http://download.bleepingcomputer.com/sUBs/ComboFix.exe 

Lance le et colle le rapport stp...

a+

willow93 · Answer

ComboFix 10-05-13.04 - willow 14/05/2010  19:09:52.5.2 - x86
Microsoft Windows XP Édition familiale  5.1.2600.3.1252.33.1036.18.2046.1620 [GMT 2:00]
Lancé depuis: l:\documents and settings\Téléchargements\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

(((((((((((((((((((((((((((((   Fichiers créés du 2010-04-14 au 2010-05-14  ))))))))))))))))))))))))))))))))))))
.

2010-05-13 15:48 . 2009-06-18 10:55	18816	------w-	c:\windows\system32\SAVRKBootTasks.sys
2010-05-13 14:45 . 2007-01-18 12:00	3968	----a-w-	c:\windows\system32\drivers\AvgArCln.sys
2010-05-13 14:44 . 2010-05-13 14:44	--------	d-----w-	c:\program files\Sophos
2010-05-03 16:10 . 2010-05-03 16:13	--------	d-----w-	c:\program files\DAEMON Tools Lite
2010-05-01 15:31 . 2010-05-01 15:55	--------	d-----w-	C:\UsbFix
2010-05-01 11:39 . 2010-05-01 13:14	--------	d-----w-	C:\Ad-Remover
2010-04-28 21:50 . 2010-04-28 21:50	--------	d-----w-	l:\documents and settings\Downloads\The Full Monty
2010-04-27 22:39 . 2010-04-27 22:39	--------	d-----w-	l:\documents and settings\Downloads\Twilight[2008]VOSTFR-DvDrip-AIA
2010-04-27 22:28 . 2010-04-29 01:09	--------	d-----w-	l:\documents and settings\Downloads\Dancer in the Dark
2010-04-27 22:28 . 2010-04-27 22:28	--------	d-----w-	l:\documents and settings\Downloads
2010-04-27 20:36 . 2010-05-09 22:22	--------	d-----w-	l:\documents and settings\willow\Application Data\BitTorrent
2010-04-26 10:14 . 2010-04-26 10:14	--------	d-s---w-	l:\documents and settings\LocalService.AUTORITE NT\UserData
2010-04-25 20:28 . 2010-04-25 20:28	--------	d-----w-	c:\program files\Enigma Software Group
2010-04-25 20:28 . 2010-04-26 18:41	--------	d-----w-	c:\windows\61D3AAE1D5214CD7939B37813DE8F955.TMP
2010-04-25 20:15 . 2010-04-25 20:15	--------	d-s---w-	l:\documents and settings\NetworkService.AUTORITE NT\UserData
2010-04-23 16:11 . 2010-04-30 13:16	--------	d-----w-	l:\documents and settings\Risen\SaveGames
2010-04-23 16:11 . 2010-04-23 16:12	--------	d-----w-	l:\documents and settings\willow\Local Settings\Application Data\Risen
2010-04-23 16:11 . 2010-04-23 16:11	--------	d-----w-	l:\documents and settings\Risen
2010-04-23 16:08 . 2010-04-23 16:08	281760	----a-w-	c:\windows\system32\drivers\atksgt.sys
2010-04-23 16:08 . 2010-04-23 16:08	25888	----a-w-	c:\windows\system32\drivers\lirsgt.sys
2010-04-18 13:14 . 2010-04-18 13:28	--------	d-----w-	l:\documents and settings\willow\Application Data\gtk-2.0
2010-04-18 12:57 . 2010-04-18 12:57	--------	d-----w-	l:\documents and settings\willow\.thumbnails
2010-04-18 12:56 . 2010-04-18 12:56	--------	d-----w-	l:\documents and settings\gegl-0.0\plug-ins
2010-04-18 12:56 . 2010-04-18 12:56	--------	d-----w-	l:\documents and settings\gegl-0.0
2010-04-16 22:03 . 2010-04-16 22:03	--------	d-----w-	c:\program files\Microsoft Silverlight

.
((((((((((((((((((((((((((((((((((   Compte-rendu de Find3M   ))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-04 09:46 . 2010-03-21 00:00	--------	d-----w-	l:\documents and settings\willow\Application Data\vlc
2010-05-02 19:39 . 2010-03-14 14:05	691696	----a-w-	c:\windows\system32\drivers\sptd.sys
2010-04-29 13:39 . 2010-03-21 13:29	38224	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 13:39 . 2010-03-21 13:29	20952	----a-w-	c:\windows\system32\drivers\mbam.sys
2010-04-25 20:28 . 2010-03-20 18:45	--------	d-----w-	c:\program files\Fichiers communs\Wise Installation Wizard
2010-04-25 20:15 . 2010-03-22 14:55	--------	d-----w-	l:\documents and settings\willow\Application Data\QuickScan
2010-04-23 16:03 . 2010-03-13 14:31	--------	d--h--w-	c:\program files\InstallShield Installation Information
2010-04-22 13:29 . 2010-03-16 08:44	--------	d-----w-	l:\documents and settings\willow\Application Data\dvdcss
2010-04-22 03:26 . 2010-03-22 01:07	--------	d-----w-	c:\program files\Google
2010-04-12 16:34 . 2010-04-12 16:34	--------	d-----w-	c:\program files\Restore
2010-04-12 16:34 . 2010-04-12 16:27	249856	------w-	c:\windows\Setup1.exe
2010-04-12 16:34 . 2010-04-12 16:27	73216	----a-w-	c:\windows\ST6UNST.EXE
2010-04-09 20:48 . 2010-04-09 20:48	3600384	----a-w-	c:\windows\system32\GPhotos.scr
2010-04-07 09:20 . 2010-04-07 09:20	--------	d-----w-	l:\documents and settings\willow\Application Data\Media Center Programs
2010-04-07 09:13 . 2010-04-07 09:13	--------	d-----w-	l:\documents and settings\willow\Application Data\InstallShield Installation Information
2010-04-04 15:12 . 2010-04-04 15:12	--------	d-----w-	l:\documents and settings\All Users\Application Data\BioWare
2010-04-02 18:54 . 2010-03-13 16:12	--------	d-----w-	c:\program files\ATI Technologies
2010-04-02 18:54 . 2010-04-02 18:54	--------	d-----w-	c:\program files\ATI
2010-04-02 12:38 . 2010-04-02 12:38	384	----a-w-	l:\documents and settings\im_lastritual\user.tmp
2010-04-02 12:07 . 2010-04-02 12:07	--------	d-----w-	l:\documents and settings\willow\Application Data\Apple Computer
2010-04-02 12:05 . 2010-03-31 20:36	--------	d-----w-	l:\documents and settings\All Users\Application Data\Apple Computer
2010-04-01 10:03 . 2010-04-01 10:03	--------	d-----w-	c:\program files\NVIDIA Corporation
2010-04-01 09:38 . 2010-03-31 16:36	24944	----a-w-	c:\windows\system32\drivers\GVTDrv.sys
2010-03-31 22:04 . 2010-03-20 18:45	--------	d-----w-	c:\program files\AGEIA Technologies
2010-03-31 20:35 . 2010-03-31 20:35	--------	d-----w-	c:\program files\Fichiers communs\Apple
2010-03-31 20:35 . 2010-03-31 20:35	--------	d-----w-	c:\program files\Apple Software Update
2010-03-31 20:35 . 2010-03-31 20:35	--------	d-----w-	l:\documents and settings\All Users\Application Data\Apple
2010-03-31 17:03 . 2010-03-31 17:02	--------	d-----w-	l:\documents and settings\All Users\Application Data\QuickTime
2010-03-31 16:43 . 2010-03-20 18:17	--------	d-----w-	c:\program files\SpeedFan
2010-03-31 16:36 . 2010-03-31 16:35	--------	d-----w-	c:\program files\Gigabyte
2010-03-31 16:34 . 2010-03-13 14:30	16608	----a-w-	c:\windows\gdrv.sys
2010-03-31 12:04 . 2010-03-31 12:04	--------	d-----w-	l:\documents and settings\willow\Application Data\EPSON
2010-03-28 13:02 . 2001-08-28 12:00	80508	----a-w-	c:\windows\system32\perfc00C.dat
2010-03-28 13:02 . 2001-08-28 12:00	500482	----a-w-	c:\windows\system32\perfh00C.dat
2010-03-27 22:49 . 2010-03-27 22:31	--------	d-----w-	c:\program files\DivX
2010-03-27 22:49 . 2010-03-27 22:30	--------	d-----w-	l:\documents and settings\All Users\Application Data\DivX
2010-03-27 22:49 . 2010-03-27 22:49	--------	d-----w-	c:\program files\Fichiers communs\DivX Shared
2010-03-24 14:13 . 2010-03-24 14:13	67128	----a-w-	l:\documents and settings\LocalService.AUTORITE NT\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-03-24 14:10 . 2010-03-20 17:25	--------	d-----w-	c:\program files\Fichiers communs\BioWare
2010-03-24 13:49 . 2010-03-24 13:38	--------	d-----w-	c:\program files\Microsoft Games for Windows - LIVE
2010-03-24 13:35 . 2010-03-24 13:35	--------	d-----w-	c:\program files\Rockstar Games
2010-03-24 13:32 . 2010-03-24 13:29	--------	d-----w-	l:\documents and settings\willow\Application Data\DeepBurner
2010-03-24 12:50 . 2010-03-13 14:24	76487	----a-w-	c:\windows\PCHEALTH\HELPCTR\OfflineCache\index.dat
2010-03-22 17:14 . 2010-03-22 16:59	--------	d-----w-	l:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-22 17:02 . 2010-03-22 17:02	--------	d-----w-	c:\program files	rend micro
2010-03-21 13:29 . 2010-03-21 13:29	--------	d-----w-	l:\documents and settings\willow\Application Data\Malwarebytes
2010-03-21 13:29 . 2010-03-21 13:29	--------	d-----w-	l:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-20 17:23 . 2010-03-20 17:23	108144	----a-w-	c:\windows\system32\CmdLineExt.dll
2010-03-20 17:10 . 2010-03-13 16:11	--------	d-----w-	c:\program files\Fichiers communs\InstallShield
2010-03-20 17:09 . 2010-03-20 17:09	--------	d-----w-	c:\program files\Bayo
2010-03-20 17:09 . 2010-03-20 17:09	--------	d-----w-	c:\program files\Fichiers communs\Bayo
2010-03-20 16:44 . 2010-03-20 16:44	--------	d-----w-	c:\program files\Intel
2010-03-17 17:28 . 2010-03-16 09:06	17280	----a-w-	l:\documents and settings\LocalService.AUTORITE NT\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-17 16:52 . 2010-03-17 16:52	--------	d-----w-	c:\program files\MSBuild
2010-03-17 16:52 . 2010-03-17 16:52	--------	d-----w-	c:\program files\Reference Assemblies
2010-03-17 16:50 . 2010-03-17 16:50	--------	d-----w-	c:\program files\MSXML 6.0
2010-03-16 08:56 . 2010-03-16 08:56	--------	d-----w-	l:\documents and settings\Administrateur\Application Data\OpenOffice.org
2010-03-14 11:14 . 2010-03-14 11:14	315392	----a-w-	c:\windows\HideWin.exe
2010-03-13 19:54 . 2010-03-13 19:54	411368	----a-w-	c:\windows\system32\deploytk.dll
2010-03-13 18:17 . 2010-03-13 18:17	0	----a-w-	c:\windows\ativpsrm.bin
2010-03-13 16:21 . 2010-03-13 16:21	0	----a-w-	c:\windows
sreg.dat
2010-03-13 14:22 . 2010-03-13 14:22	21892	----a-w-	c:\windows\system32\emptyregdb.dat
2010-03-09 11:10 . 2001-08-28 12:00	430080	----a-w-	c:\windows\system32\vbscript.dll
2010-03-03 04:21 . 2009-08-14 04:27	4630016	----a-w-	c:\windows\system32\drivers\ati2mtag.sys
2010-03-03 04:07 . 2010-03-13 16:12	311296	----a-w-	c:\windows\system32\atiiiexx.dll
2010-03-03 04:02 . 2009-08-14 01:21	45056	----a-w-	c:\windows\system32\aticalrt.dll
2010-03-03 04:02 . 2009-08-14 01:20	45056	----a-w-	c:\windows\system32\aticalcl.dll
2010-03-03 04:01 . 2009-08-14 01:19	3641344	----a-w-	c:\windows\system32\aticaldd.dll
2010-03-03 03:44 . 2009-08-14 01:47	14262272	----a-w-	c:\windows\system32\atioglxx.dll
2010-03-03 03:40 . 2010-03-13 16:12	446464	----a-w-	c:\windows\system32\ATIDEMGX.dll
2010-03-03 03:40 . 2009-08-14 01:58	3616096	----a-w-	c:\windows\system32\ati3duag.dll
2010-03-03 03:39 . 2009-08-14 02:27	301056	----a-w-	c:\windows\system32\ati2dvag.dll
2010-03-03 03:24 . 2009-08-14 02:10	208896	----a-w-	c:\windows\system32\atipdlxx.dll
2010-03-03 03:24 . 2009-08-14 01:42	2232320	----a-w-	c:\windows\system32\ativvaxx.dll
2010-03-03 03:24 . 2009-08-14 02:10	155648	----a-w-	c:\windows\system32\Oemdspif.dll
2010-03-03 03:24 . 2010-03-13 16:12	887724	----a-w-	c:\windows\system32\ativva6x.dat
2010-03-03 03:24 . 2010-03-13 16:12	3	----a-w-	c:\windows\system32\ativva5x.dat
2010-03-03 03:24 . 2009-08-14 02:09	26112	----a-w-	c:\windows\system32\Ati2mdxx.exe
2010-03-03 03:24 . 2009-08-14 02:09	43520	----a-w-	c:\windows\system32\ati2edxx.dll
2010-03-03 03:23 . 2009-08-14 02:09	159744	----a-w-	c:\windows\system32\ati2evxx.dll
2010-03-03 03:22 . 2009-08-14 02:08	602112	----a-w-	c:\windows\system32\ati2evxx.exe
2010-03-03 03:21 . 2009-08-14 02:06	53248	----a-w-	c:\windows\system32\ATIDDC.DLL
2010-03-03 03:20 . 2010-04-02 18:54	143360	----a-w-	c:\windows\system32\atiapfxx.exe
2010-03-03 03:16 . 2009-08-14 01:21	565248	----a-w-	c:\windows\system32\atikvmag.dll
2010-03-03 03:15 . 2009-08-14 01:19	184320	----a-w-	c:\windows\system32\atiadlxx.dll
2010-03-03 03:14 . 2009-08-14 01:18	17408	----a-w-	c:\windows\system32\atitvo32.dll
2010-03-03 03:14 . 2009-08-14 01:17	393216	----a-w-	c:\windows\system32\atiok3x2.dll
2010-03-03 03:09 . 2009-08-14 01:12	638976	----a-w-	c:\windows\system32\ati2cqag.dll
2010-03-03 03:07 . 2009-08-14 01:17	53248	----a-w-	c:\windows\system32\drivers\ati2erec.dll
2010-03-03 03:07 . 2009-08-14 01:25	65024	----a-w-	c:\windows\system32\atimpc32.dll
2010-03-03 03:07 . 2009-08-14 01:25	65024	----a-w-	c:\windows\system32\amdpcom32.dll
2010-02-26 05:42 . 2001-08-28 12:00	671232	----a-w-	c:\windows\system32\wininet.dll
2010-02-26 05:42 . 2010-03-14 11:01	81920	------w-	c:\windows\system32\ieencode.dll
2010-02-25 19:55 . 2010-03-13 16:12	201875	----a-w-	c:\windows\system32\atiicdxx.dat
2010-02-24 13:11 . 2001-08-28 12:00	455680	----a-w-	c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 19:06 . 2001-08-28 12:00	2148352	----a-w-	c:\windows\system32
toskrnl.exe
2010-02-16 19:06 . 2001-08-23 17:12	2026496	----a-w-	c:\windows\system32
tkrnlpa.exe
.

(((((((((((((((((((((((((((((   SnapShot@2010-05-01_17.59.59   )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-05-02 17:55 . 2010-05-14 17:09	32768              c:\windows	emp\Temporary Internet Files\Content.IE5\index.dat
+ 2010-05-14 17:09 . 2010-05-14 17:09	16384              c:\windows	emp\Perflib_Perfdata_dc.dat
+ 2010-05-14 16:43 . 2010-05-14 17:09	32768              c:\windows	emp\Historique\History.IE5\MSHist012010051420100515\index.dat
- 2010-05-01 15:35 . 2010-05-01 17:59	32768              c:\windows\Temp\Historique\History.IE5\index.dat
+ 2010-05-02 17:55 . 2010-05-14 17:09	32768              c:\windows	emp\Historique\History.IE5\index.dat
- 2010-05-01 15:35 . 2010-05-01 17:59	16384              c:\windows\Temp\Cookies\index.dat
+ 2010-05-02 17:55 . 2010-05-14 17:09	16384              c:\windows	emp\Cookies\index.dat
+ 2007-01-31 13:33 . 2007-01-31 13:33	5632              c:\windows\system32\drivers\avgarkt.sys
- 2010-03-13 14:22 . 2008-04-11 19:05	691712              c:\windows\system32\inetcomm.dll
+ 2010-03-13 14:22 . 2010-01-29 15:00	691712              c:\windows\system32\inetcomm.dll
+ 2010-03-15 12:44 . 2010-01-29 15:00	691712              c:\windows\system32\dllcache\inetcomm.dll
- 2010-03-15 12:44 . 2008-04-11 19:05	691712              c:\windows\system32\dllcache\inetcomm.dll
- 2010-03-24 13:04 . 2009-07-10 13:27	1315328              c:\windows\system32\dllcache\msoe.dll
+ 2010-03-24 13:04 . 2010-01-29 15:00	1315328              c:\windows\system32\dllcache\msoe.dll
+ 2010-03-17 09:29 . 2010-04-30 18:51	32058312              c:\windows\system32\MRT.exe

willow93 · Answer

((((((((((((((((((((((((((((((((( Points de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SuperCopier2.exe"="k:\program files\SuperCopier2\SuperCopier2.exe" [2009-08-16 955392] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-08-13 98304] "RTHDCPL"="RTHDCPL.EXE" [2007-09-19 16844800] "avgnt"="k:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360] "DWQueuedReporting"="c:\progra~1\FICHIE~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264] l:\documents and settings\Administrateur\Menu D'marrer\Programmes\D'marrage\ OpenOffice.org 3.1.lnk - k:\program files\oo\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer] "HonorAutoRunSetting"= 0 (0x0) [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] "HonorAutoRunSetting"= 0 (0x0) [HKLM\~\startupfolder\L:^Documents and Settings^willow^Menu Démarrer^Programmes^Démarrage^Antimalware Doctor.lnk] path=l:\documents and settings\willow\Menu Démarrer\Programmes\Démarrage\Antimalware Doctor.lnk backup=c:\windows\pss\Antimalware Doctor.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM] 2010-03-24 18:17 952768 ----a-w- c:\program files\Fichiers communs\Adobe\ARM\1.0\AdobeARM.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher] 2010-04-04 05:42 36272 ----a-w- k:\program files\Adobe\Reader 9.0\Reader eader_sl.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite] 2009-10-30 11:57 369200 ----a-w- c:\program files\DAEMON Tools Lite\DTLite.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate] 2010-03-05 15:32 1135912 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyTuneVPro] 2007-07-26 13:05 20480 ----a-w- c:\program files\Gigabyte\ET5Pro\ETcall.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] 2010-03-17 19:53 421888 ----a-w- k:\program files\QuickTime\QTTask.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SteamUp] 2010-03-20 19:14 1217872 ----a-w- k:\program files\Cracked Steam\Steam.exe [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\system32\sessmgr.exe"= "k:\Program Files\aMSN\bin\wish.exe"= "c:\Program Files\Java\jre6\bin\javaw.exe"= "k:\Program Files\eMule\eMule.exe"= "l:\Program Files\Mass Effect 2\Binaries\MassEffect2.exe"= "l:\Program Files\Mass Effect 2\MassEffect2Launcher.exe"= "%windir%\Network Diagnostic\xpnetdiag.exe"= "k:\Program Files\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe"= "l:\Program Files\Rockstar Games\Grand Theft Auto IV\LaunchGTAIV.exe"= "l:\Program Files\Rockstar Games\Grand Theft Auto IV\GTAIV.exe"= "l:\Program Files\Dragon Age\bin_ship\daorigins.exe"= "l:\Program Files\Dragon Age\DAOriginsLauncher.exe"= "l:\Program Files\Left 4 Dead 2\left4dead2.exe"= "k:\Program Files\Ubi Soft\dernierrituel\rituel.exe"= "l:\Program Files\Call Of duty modern 2\iw4sp.exe"= "l:\Program Files\Dragon Age\bin_ship\daupdatersvc.service.exe"= "l:\Program Files\THQ\Gas Powered Games\Supreme Commander\bin\SupremeCommander.exe"= "l:\Program Files\THQ\Gas Powered Games\GPGNet\GPG.Multiplayer.Client.exe"= "k:\Program Files\BitTorrent\bittorrent.exe"= R0 avgntmgr;avgntmgr;c:\windows\system32\drivers\avgntmgr.sys [13/03/2010 21:37 22360] R1 avgntdd;avgntdd;c:\windows\system32\drivers\avgntdd.sys [13/03/2010 21:37 45416] R1 nltdi;nltdi;c:\windows\system32\drivers ltdi.sys [23/04/2007 13:03 82200] R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [13/05/2010 17:48 18816] R2 AntiVirSchedulerService;Avira AntiVir Planificateur;k:\program files\Avira\AntiVir Desktop\sched.exe [13/03/2010 21:37 108289] R2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [12/04/2010 18:56 14976] S2 gupdate;Service Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [22/03/2010 03:07 136176] S3 DAUpdaterSvc;Dragon Age: Origins - Application de mise à jour;l:\program files\Dragon Age\bin_ship\daupdatersvc.service.exe [15/12/2009 22:07 25832] S3 EverestDriver;Lavalys EVEREST Kernel Driver;k:\program files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt [13/03/2010 21:46 23152] S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [21/03/2010 15:29 38224] S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\91.tmp --> c:\windows\system32\91.tmp [?] S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [14/03/2010 16:05 691696] . Contenu du dossier 'Tâches planifiées' 2010-05-08 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 10:34] 2010-05-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-03-22 01:07] 2010-05-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-03-22 01:07] . . ------- Examen supplémentaire ------- . IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200 FF - ProfilePath - l:\documents and settings\willow\Application Data\Mozilla\Firefox\Profiles\2ig1d9a7.default\ FF - prefs.js: browser.search.selectedEngine - Google FF - component: l:\documents and settings\willow\Application Data\Mozilla\Firefox\Profiles\2ig1d9a7.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll FF - component: l:\documents and settings\willow\Application Data\Mozilla\Firefox\Profiles\2ig1d9a7.default\extensions\piclens@cooliris.com\components\coolirisstub.dll FF - plugin: c:\program files\DivX\DivX Plus Web Player pdivx32.dll FF - plugin: c:\program files\Google\Google Earth\plugin pgeplugin.dll FF - plugin: c:\program files\Google\Update\1.2.183.23 pGoogleOneClick8.dll FF - plugin: k:\program files\Adobe\Reader 9.0\Reader\browser ppdf32.dll FF - plugin: k:\program files\Google\Picasa3 pPicasa3.dll FF - plugin: k:\program files\QuickTime\Plugins pqtplugin.dll FF - plugin: k:\program files\QuickTime\Plugins pqtplugin2.dll FF - plugin: k:\program files\QuickTime\Plugins pqtplugin3.dll FF - plugin: k:\program files\QuickTime\Plugins pqtplugin4.dll FF - plugin: k:\program files\QuickTime\Plugins pqtplugin5.dll FF - plugin: k:\program files\QuickTime\Plugins pqtplugin6.dll FF - plugin: k:\program files\QuickTime\Plugins pqtplugin7.dll FF - plugin: l:\documents and settings\willow\Application Data\Mozilla\Firefox\Profiles\2ig1d9a7.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins pqscan.dll FF - plugin: l:\documents and settings\willow\Application Data\Mozilla\Firefox\Profiles\2ig1d9a7.default\extensions\piclens@cooliris.com\plugins pcoolirisplugin.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ ---- PARAMETRES FIREFOX ---- k:\program files\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true); k:\program files\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", ""); k:\program files\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false); k:\program files\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false); . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-05-14 19:12 Windows 5.1.2600 Service Pack 3 NTFS Recherche de processus cachés ... Recherche d'éléments en démarrage automatique cachés ... Recherche de fichiers cachés ... Scan terminé avec succès Fichiers cachés: 0 ************************************************************************** Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net device: opened successfully user: MBR read successfully called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A139208]<< kernel: MBR read successfully detected MBR rootkit hooks: \Driver\Disk -> CLASSPNP.SYS @ 0xba0ecf28 \Driver\ACPI -> 0x8a139208 \Driver\atapi -> atapi.sys @ 0xb9f36852 IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8 ParseProcedure -> ntkrnlpa.exe @ 0x805827e8 SecurityProcedure -> ntkrnlpa.exe @ 0x80583d4a \Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8 ParseProcedure -> ntkrnlpa.exe @ 0x805827e8 SecurityProcedure -> ntkrnlpa.exe @ 0x80583d4a NDIS: Realtek RTL8168/8111 PCI-E Gigabit Ethernet NIC -> SendCompleteHandler -> 0x8953f5c0 PacketIndicateHandler -> NDIS.sys @ 0xb9e4fa21 SendHandler -> NDIS.sys @ 0xb9e2d87b Warning: possible MBR rootkit infection ! user & kernel MBR OK copy of MBR has been found in sector 0x057545301 malicious code @ sector 0x057545304 ! PE file found in sector at 0x05754531A ! ************************************************************************** [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EverestDriver] "ImagePath"="\??\k:\program files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2] "ImagePath"="\??\c:\windows\system32\91.tmp" . --------------------- CLES DE REGISTRE BLOQUEES --------------------- [HKEY_USERS\S-1-5-21-1004336348-57989841-839522115-1004\Software\SecuROM\License information*] "datasecu"=hex:31,c4,1c,c8,15,4c,36,f4,ab,0e,80,87,60,2d,8e,22,62,30,1e,8c,0d, b7,f8,4d,a3,8a,d5,2f,da,9c,eb,f7,bc,67,04,ca,71,33,30,c3,f2,99,b4,ad,68,be,\ "rkeysecu"=hex:2f,0f,d5,3e,02,2b,06,63,b1,0b,dd,b6,71,e2,54,98 . --------------------- DLLs chargées dans les processus actifs --------------------- - - - - - - - > 'winlogon.exe'(724) c:\windows\system32\Ati2evxx.dll c:\windows\system32\atiadlxx.dll . Heure de fin: 2010-05-14 19:13:51 ComboFix-quarantined-files.txt 2010-05-14 17:13 ComboFix2.txt 2010-05-05 12:17 ComboFix3.txt 2010-05-03 16:22 ComboFix4.txt 2010-05-02 17:57 ComboFix5.txt 2010-05-14 17:07 Avant-CF: 505 212 928 octets libres Après-CF: 477 499 392 octets libres - - End Of File - - 8268960F4B0A17C9E0E39DF62445A74E

archet9 · Answer

DESACTIVE TON ANTIVIRUS ET TON PAREFEU SI PRESENTS !!!!!(car il est detecté a tort comme infection) 

 Télécharge List_Kill'em et enregistre le sur ton bureau
 
http://sd-1.archive-host.com/...

double clique ( clic droit "executer en tant qu'administrateur" pour Vista/7 ) sur le raccourci sur ton bureau pour lancer l'installation 

une fois terminée , clic sur "terminer" et le programme se lancera seul 

choisis choisis l'option Search 

un icone blanc et noir va s'afficher sur le bureau , il te servira à rappeler le programme si besoin. 

 laisse travailler l'outil 

à l'apparition de la fenetre blanche , c'est un peu long , c'est normal , le programme n'est pas bloqué. 

un rapport du nom de catchme apparait sur ton bureau , ignore-le,ne le poste pas , , il s'auto supprimera a la fin du scan 

 Poste le contenu du rapport qui s'ouvre aux 100 % du scan à l'ecran "COMPLETED"

willow93 · Answer

¤¤¤¤¤¤¤¤¤¤ List'em by g3n-h@ckm@n 2.0.0.1 ¤¤¤¤¤¤¤¤¤¤

User : willow (Administrateurs) 
Update on 09/05/2010 by g3n-h@ckm@n ::::: 09.15
Start at: 21:20:18 | 15/05/2010

Processeur Intel Pentium III Xeon
Microsoft Windows XP Édition familiale (5.1.2600 32-bit) # Service Pack 3
Internet Explorer 6.0.2900.5512
Windows Firewall Status : Disabled
AV : AntiVir Desktop 9.0.1.32 [ (!) Disabled | Updated ]

A:\ -> Lecteur de disquettes 3 ½ pouces
C:\ -> Disque fixe local | 6,51 Go (466,45 Mo free) | NTFS
D:\ -> Disque fixe local | 232,88 Go (232,05 Go free) [alex] | NTFS
E:\ -> Disque CD-ROM
H:\ -> Disque amovible
I:\ -> Disque amovible
K:\ -> Disque fixe local | 105,28 Go (101,56 Go free) [autre] | NTFS
L:\ -> Disque fixe local | 698,64 Go (333,18 Go free) [Disk Willow] | NTFS
M:\ -> Disque amovible
N:\ -> Disque amovible
 
Boot: Normal 
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Processes running 

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
K:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
K:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
K:\Program Files\SuperCopier2\SuperCopier2.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
K:\Program Files\Avira\AntiVir Desktop\avguard.exe
L:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE
L:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
k:\Program Files\NetLimiter 2 Pro
lsvc.exe
C:\WINDOWS\System32\svchost.exe
k:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\wuauclt.exe
k:\Program Files\NetLimiter 2 Pro\NLClient.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
K:\Program Files\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\List_Kill'em\List_Kill'em.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\List_Kill'em\pv.exe

======================
Keys "Run" 
======================

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
SuperCopier2.exe	REG_SZ         	K:\Program Files\SuperCopier2\SuperCopier2.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 
StartCCC	REG_SZ         	"C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun 
RTHDCPL	REG_SZ         	RTHDCPL.EXE 
avgnt	REG_SZ         	"K:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min 
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]

=====================
Other Keys
=====================

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System] 
dontdisplaylastusername	REG_DWORD      	0 (0x0) 
legalnoticecaption	REG_SZ         	 
legalnoticetext	REG_SZ         	 
shutdownwithoutlogon	REG_DWORD      	1 (0x1) 
undockwithoutlogon	REG_DWORD      	1 (0x1) 
DisableRegistryTools	REG_DWORD      	0 (0x0) 

===============

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer] 
NoDriveTypeAutoRun	REG_DWORD      	323 (0x143) 
NoDriveAutoRun	REG_DWORD      	67108863 (0x3ffffff) 
HonorAutoRunSetting	REG_DWORD      	0 (0x0) 
NoDrives	REG_DWORD      	0 (0x0) 

===============

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer] 
HonorAutoRunSetting	REG_DWORD      	0 (0x0) 
NoDriveAutoRun	REG_DWORD      	67108863 (0x3ffffff) 
NoDriveTypeAutoRun	REG_DWORD      	323 (0x143) 
NoDrives	REG_DWORD      	0 (0x0) 

===============
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

===============

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] 
 AutoRestartShell	REG_DWORD      	1 (0x1) 
 DefaultDomainName	REG_SZ         	WILLOW-CAGE 
 DefaultUserName	REG_SZ         	willow 
 LegalNoticeCaption	REG_SZ         	 
 LegalNoticeText	REG_SZ         	 
 PowerdownAfterShutdown	REG_SZ         	0 
 ReportBootOk	REG_SZ         	1 
 Shell	REG_SZ         	Explorer.exe 
 ShutdownWithoutLogon	REG_SZ         	0 
 System	REG_SZ         	 
 Userinit	REG_SZ         	C:\WINDOWS\system32\userinit.exe, 
 VmApplet	REG_SZ         	rundll32 shell32,Control_RunDLL "sysdm.cpl" 
 SfcQuota	REG_DWORD      	-1 (0xffffffff) 
 allocatecdroms	REG_SZ         	0 
 allocatedasd	REG_SZ         	0 
 allocatefloppies	REG_SZ         	0 
 cachedlogonscount	REG_SZ         	10 
 forceunlocklogon	REG_DWORD      	0 (0x0) 
 passwordexpirywarning	REG_DWORD      	14 (0xe) 
 scremoveoption	REG_SZ         	0 
 AllowMultipleTSSessions	REG_DWORD      	0 (0x0) 
 UIHost	REG_EXPAND_SZ  	logonui.exe 
 LogonType	REG_DWORD      	0 (0x0) 
 DebugServerCommand	REG_SZ         	no 
 SFCDisable	REG_DWORD      	0 (0x0) 
 WinStationsDisabled	REG_SZ         	0 
 HibernationPreviouslyEnabled	REG_DWORD      	1 (0x1) 
 ShowLogonOptions	REG_DWORD      	1 (0x1) 
 AltDefaultUserName	REG_SZ         	willow 
 AltDefaultDomainName	REG_SZ         	WILLOW-CAGE 
 ChangePasswordUseKerberos	REG_DWORD      	1 (0x1) 

===============

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon
otify\AtiExtEvent]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon
otify\crypt32chain]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon
otify\cryptnet]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon
otify\cscdll]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon
otify\dimsntfy]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon
otify\ScCertProp]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon
otify\Schedule]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon
otify\sclgntfy]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon
otify\SensLogn]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon
otify	ermsrv]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon
otify\wlballoon]

===============

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
{AEB6717E-7E19-11d0-97EE-00C04FD91972}	REG_SZ         	 

===============

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
%windir%\system32\sessmgr.exe	REG_SZ         	%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
K:\Program Files\aMSN\bin\wish.exe	REG_SZ         	K:\Program Files\aMSN\bin\wish.exe:*:Enabled:Wish Application
C:\Program Files\Java\jre6\bin\javaw.exe	REG_SZ         	C:\Program Files\Java\jre6\bin\javaw.exe:*:Enabled:Java(TM) Platform SE binary
K:\Program Files\eMule\eMule.exe	REG_SZ         	K:\Program Files\eMule\eMule.exe:*:Enabled:eMule Plus
L:\Program Files\Mass Effect 2\Binaries\MassEffect2.exe	REG_SZ         	L:\Program Files\Mass Effect 2\Binaries\MassEffect2.exe:*:Enabled:Mass Effect 2 Jeu
L:\Program Files\Mass Effect 2\MassEffect2Launcher.exe	REG_SZ         	L:\Program Files\Mass Effect 2\MassEffect2Launcher.exe:*:Enabled:Mass Effect 2 Lanceur
%windir%\Network Diagnostic\xpnetdiag.exe	REG_SZ         	%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
K:\Program Files\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe	REG_SZ         	K:\Program Files\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe:*:Enabled:Rockstar Games Social Club
L:\Program Files\Rockstar Games\Grand Theft Auto IV\LaunchGTAIV.exe	REG_SZ         	L:\Program Files\Rockstar Games\Grand Theft Auto IV\LaunchGTAIV.exe:*:Enabled:Grand Theft Auto IV
L:\Program Files\Rockstar Games\Grand Theft Auto IV\GTAIV.exe	REG_SZ         	L:\Program Files\Rockstar Games\Grand Theft Auto IV\GTAIV.exe:*:Enabled:Grand Theft Auto IV
L:\Program Files\Dragon Age\bin_ship\daorigins.exe	REG_SZ         	L:\Program Files\Dragon Age\bin_ship\daorigins.exe:*:Enabled:Dragon Age Origins Jeu
L:\Program Files\Dragon Age\DAOriginsLauncher.exe	REG_SZ         	L:\Program Files\Dragon Age\DAOriginsLauncher.exe:*:Enabled:Dragon Age Origins Lanceur
L:\Program Files\Left 4 Dead 2\left4dead2.exe	REG_SZ         	L:\Program Files\Left 4 Dead 2\left4dead2.exe:*:Enabled:left4dead2
K:\Program Files\Ubi Soft\dernierrituelituel.exe	REG_SZ         	K:\Program Files\Ubi Soft\dernierrituelituel.exe:*:Enabled:rituel
L:\Program Files\Call Of duty modern 2\iw4sp.exe	REG_SZ         	L:\Program Files\Call Of duty modern 2\iw4sp.exe:*:Enabled:iw4sp
L:\Program Files\Dragon Age\bin_ship\daupdatersvc.service.exe	REG_SZ         	L:\Program Files\Dragon Age\bin_ship\daupdatersvc.service.exe:*:Enabled:Dragon Age Origins Application de mise à jour
L:\Program Files\THQ\Gas Powered Games\Supreme Commander\bin\SupremeCommander.exe	REG_SZ         	L:\Program Files\THQ\Gas Powered Games\Supreme Commander\bin\SupremeCommander.exe:*:Enabled:Supreme Commander
L:\Program Files\THQ\Gas Powered Games\GPGNet\GPG.Multiplayer.Client.exe	REG_SZ         	L:\Program Files\THQ\Gas Powered Games\GPGNet\GPG.Multiplayer.Client.exe:*:Enabled:GPGNet - Supreme Commander
K:\Program Files\BitTorrent\bittorrent.exe	REG_SZ         	K:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
%windir%\system32\sessmgr.exe	REG_SZ         	%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
%windir%\Network Diagnostic\xpnetdiag.exe	REG_SZ         	%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000

===============
ActivX controls
===============

[HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{6414512B-B978-451D-A0D8-FCFDF33E833C}]
[HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{8AD9C840-044E-11D1-B3E9-00805F499D93}]
[HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}]
[HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}]
[HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{D27CDB6E-AE6D-11CF-96B8-444553540000}]

===============
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{26923b43-4d38-484f-9b9e-de460746276c}]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{08B0E5C0-4FCB-11CF-AAA5-00401C608500}]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10072CEC-8CC1-11D1-986E-00A0C955B42F}]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{166B1BCA-3F9C-11CF-8075-444553540000}]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220}]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{283807B5-2C60-11D0-A31D-00AA00B92C03}]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{2A202491-F00D-11cf-87CC-0020AFEECF20}]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{36f8ec70-c29a-11d1-b5c7-0000f8051515}]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{3af36230-a269-11d1-b5bf-0000f8051515}]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{3bf42070-b3b1-11d1-b5c5-0000f8051515}]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{4278c270-a269-11d1-b5bf-0000f8051515}]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA848-CC51-11CF-AAFA-00AA00B6015C}]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F}]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{45ea75a0-a269-11d1-b5bf-0000f8051515}]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{4f216970-c90c-11d1-b5c7-0000f8051515}]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{4f645220-306d-11d2-995d-00c04f98bbc9}]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{5056b317-8d4c-43ee-8543-b9d1e234b8f4}]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{5945c046-1e7d-11d1-bc44-00c04fd912be}]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{5A8D6EE0-3E18-11D0-821E-444553540000}]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{630b1da0-b465-11d1-9948-00c04f98bbc9}]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9}]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9381D8F2-0288-11D0-9501-00AA00B911A5}]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{C9E9A340-D1F1-11D0-821E-444553540600}]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{CC2A9BA0-3BDD-11D0-821E-444553540000}]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{CDD7975E-60F8-41d5-8149-19E51D6F71D0}]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9}]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{E92B03AB-B707-11d2-9CBD-0000F87A369E}]

willow93 · Answer

============== BHO : ====== [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}] === DNS === HKLM\SYSTEM\CCS\Services\Tcpip\..\{9CF10F1C-55BD-4173-8BAB-0E481E7696CA}: DhcpNameServer=213.138.2.1 HKLM\SYSTEM\CS1\Services\Tcpip\..\{9CF10F1C-55BD-4173-8BAB-0E481E7696CA}: DhcpNameServer=213.138.2.1 HKLM\SYSTEM\CS2\Services\Tcpip\..\{9CF10F1C-55BD-4173-8BAB-0E481E7696CA}: DhcpNameServer=213.138.2.1 HKLM\SYSTEM\CS3\Services\Tcpip\..\{9CF10F1C-55BD-4173-8BAB-0E481E7696CA}: DhcpNameServer=213.138.2.1 HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=213.138.2.1 HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=213.138.2.1 HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=213.138.2.1 HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=213.138.2.1 ================ Internet Explorer : ================ [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main] Start Page REG_SZ https://www.msn.com/fr-fr Local Page REG_EXPAND_SZ %SystemRoot%\system32\blank.htm Default_Search_URL REG_SZ http://go.microsoft.com/fwlink/?LinkId=54896 Default_Page_URL REG_SZ http://go.microsoft.com/fwlink/?LinkId=69157 Search Page REG_SZ http://go.microsoft.com/fwlink/?LinkId=54896 [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main] Start Page REG_SZ http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome Local Page REG_SZ C:\WINDOWS\system32\blank.htm Search Page REG_SZ http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ======== Services ======== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services] Ndisuio : 0x3 ( OK = 3 ) EapHost : 0x3 ( OK = 2 ) SharedAccess : 0x2 ( OK = 2 ) wuauserv : 0x2 ( OK = 2 ) ======== Safemode ======== HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot : OK !! HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal : OK !! HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network : OK !! ========= Atapi.sys ========= Référence : ========== Win 2000_SP2 : ff953a8f08ca3f822127654375786bbe Win 2000_SP4 : 8c718aa8c77041b3285d55a0ce980867 Win XP_32b : a64013e98426e1877cb653685c5c0009 Win XP_SP2_32b : CDFE4411A69C224BD1D11B2DA92DAC51 Win XP_SP3_32b : 9F3A2F5AA6875C72BF062C712CFA2674 Vista_32b : e03e8c99d15d0381e02743c36afc7c6f Vista_SP1_32b : 2d9c903dc76a66813d350a562de40ed9 Vista_SP2_32b : 1F05B78AB91C9075565A9D8A4B880BC4 Vista_SP2_64b : 1898FAE8E07D97F2F6C2D5326C633FAC Windows 7_32b : 80C40F7FDFC376E4C5FEEC28B41C119E Windows 7_64b : 02062C0B390B7729EDC9E69C680A6F3C Windows 7_32b_Ultimate : 338c86357871c167a96ab976519bf59e ======= Drive : ======= D'fragmenteur de disque Windows Copyright (c) 2001 Microsoft Corp. et Executive Software International Inc. Rapport d'analyse 699 Go total, 333 Go libre (47%), 15% fragment' (fragmentation du fichier 31%) Vous devriez d'fragmenter ce volume. ¤¤¤¤¤¤¤¤¤¤ Files/folders : Present !! : C:\WINDOWS\002235_.tmp Present !! : C:\WINDOWS\002828_.tmp Present !! : C:\WINDOWS\SET3.tmp Present !! : C:\WINDOWS\SET7.tmp ¤¤¤¤¤¤¤¤¤¤ Keys : Present !! : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser : {0E5CBF21-D15F-11D0-8301-00AA005B4383} Present !! : HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer : NoDrives Present !! : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer : NoDrives Present !! : HKEY_USERS\S-1-5-21-1004336348-57989841-839522115-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer : NoDrives Present !! : "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe" Present !! : "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe" Present !! : HKLM\software\microsoft\windows\currentversion\installer\userdata\S-1-5-18\Components\0E12F736682067FDE4D1158D5940A82E Present !! : HKLM\software\microsoft\windows\currentversion\installer\userdata\S-1-5-18\Components\1A24B5BB8521B03E0C8D908F5ABC0AE6 Present !! : HKLM\software\microsoft\windows\currentversion\installer\userdata\S-1-5-18\Components\2B0D56C4F4C46D844A57FFED6F0D2852 Present !! : HKLM\software\microsoft\windows\currentversion\installer\userdata\S-1-5-18\Components\49D4375FE41653242AEA4C969E4E65E0 Present !! : HKLM\software\microsoft\windows\currentversion\installer\userdata\S-1-5-18\Components\6AA0923513360135B272E8289C5F13FA Present !! : HKLM\software\microsoft\windows\currentversion\installer\userdata\S-1-5-18\Components\6F7467AF8F29C134CBBAB394ECCFDE96 Present !! : HKLM\software\microsoft\windows\currentversion\installer\userdata\S-1-5-18\Components\741B4ADF27276464790022C965AB6DA8 Present !! : HKLM\software\microsoft\windows\currentversion\installer\userdata\S-1-5-18\Components\7DE196B10195F5647A2B21B761F3DE01 Present !! : HKLM\software\microsoft\windows\currentversion\installer\userdata\S-1-5-18\Components\922525DCC5199162F8935747CA3D8E59 Present !! : HKLM\software\microsoft\windows\currentversion\installer\userdata\S-1-5-18\Components\9D4F5849367142E4685ED8C25E44C5ED Present !! : HKLM\software\microsoft\windows\currentversion\installer\userdata\S-1-5-18\Components\A5875B04372C19545BEB90D4D606C472 Present !! : HKLM\software\microsoft\windows\currentversion\installer\userdata\S-1-5-18\Components\A876D9E80B896EC44A8620248CC79296 Present !! : HKLM\software\microsoft\windows\currentversion\installer\userdata\S-1-5-18\Components\B66FFAB725B92594C986DE826A867888 Present !! : HKLM\software\microsoft\windows\currentversion\installer\userdata\S-1-5-18\Components\BCDA179D619B91648538E3394CAC94CC Present !! : HKLM\software\microsoft\windows\currentversion\installer\userdata\S-1-5-18\Components\D677B1A9671D4D4004F6F2A4469E86EA Present !! : HKLM\software\microsoft\windows\currentversion\installer\userdata\S-1-5-18\Components\DD1402A9DD4215A43ABDE169A41AFA0E Present !! : HKLM\software\microsoft\windows\currentversion\installer\userdata\S-1-5-18\Components\E36E114A0EAD2AD46B381D23AD69CDDF Present !! : HKLM\software\microsoft\windows\currentversion\installer\userdata\S-1-5-18\Components\EF8E618DB3AEDFBB384561B5C548F65E Present !! : HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MEMSWEEP2 Present !! : HKLM\SYSTEM\CurrentControlSet\Services\MEMSWEEP2 Present !! : HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MEMSWEEP2 Present !! : HKLM\SYSTEM\ControlSet001\Services\MEMSWEEP2 Present !! : HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_MEMSWEEP2 Present !! : HKLM\SYSTEM\ControlSet002\Services\MEMSWEEP2 ============ catchme 0.3.1398.3 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-05-15 21:26:35 Windows 5.1.2600 Service Pack 3 FAT NTAPI scanning hidden processes ... scanning hidden services ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net device: opened successfully user: MBR read successfully called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8968C718]<< kernel: MBR read successfully detected MBR rootkit hooks: \Driver\ACPI -> 0x8968c718 NDIS: Realtek RTL8168/8111 PCI-E Gigabit Ethernet NIC -> SendCompleteHandler -> 0x897a45c0 Warning: possible MBR rootkit infection ! user & kernel MBR OK copy of MBR has been found in sector 0x057545301 malicious code @ sector 0x057545304 ! PE file found in sector at 0x05754531A ! Use "Recovery Console" command "fixmbr" to clear infection ! [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center] AntiVirusDisableNotify REG_DWORD 0 (0x0) FirewallDisableNotify REG_DWORD 0 (0x0) UpdatesDisableNotify REG_DWORD 0 (0x0) AntiVirusOverride REG_DWORD 0 (0x0) FirewallOverride REG_DWORD 0 (0x0) ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤( EOF )¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ End of scan : 21:26:35,90

archet9 · Answer

Relance List_Kill'em(soit en clic droit pour vista/7),avec le raccourci sur ton bureau. 
mais cette fois-ci : 

 choisis l'option clean 

ton PC va redemarrer, 

laisse travailler l'outil. 

en fin de scan la fenetre se ferme , et tu as un rapport du nom de Kill'em.txt sur ton bureau , 

 colle le contenu dans ta reponse

willow93 · Answer

¤¤¤¤¤¤¤¤¤¤ Kill'em by g3n-h@ckm@n 2.0.0.1 ¤¤¤¤¤¤¤¤¤¤ 
 
User : willow (Administrateurs) 
Update on 09/05/2010 by g3n-h@ckm@n ::::: 09.15
Start at: 22:56:13 | 15/05/2010

Processeur Intel Pentium III Xeon
Microsoft Windows XP Édition familiale (5.1.2600 32-bit) # Service Pack 3
Internet Explorer 6.0.2900.5512
Windows Firewall Status : Disabled
AV : AntiVir Desktop 9.0.1.32 [ (!) Disabled | Updated ]

A:\ -> Lecteur de disquettes 3 ½ pouces
C:\ -> Disque fixe local | 6,51 Go (472 Mo free) | NTFS
D:\ -> Disque fixe local | 232,88 Go (232,05 Go free) [alex] | NTFS
E:\ -> Disque CD-ROM
H:\ -> Disque amovible
I:\ -> Disque amovible
K:\ -> Disque fixe local | 105,28 Go (101,56 Go free) [autre] | NTFS
L:\ -> Disque fixe local | 698,64 Go (333,18 Go free) [Disk Willow] | NTFS
M:\ -> Disque amovible
N:\ -> Disque amovible
 

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Processes running
 
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
K:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cmd.exe
K:\Program Files\Avira\AntiVir Desktop\avguard.exe
L:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE
L:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Java\jre6\bin\jqs.exe
k:\Program Files\NetLimiter 2 Pro
lsvc.exe
C:\WINDOWS\System32\svchost.exe
k:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\wuauclt.exe
k:\Program Files\NetLimiter 2 Pro\NLClient.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\List_Kill'em\ERUNT.EXE
C:\Program Files\List_Kill'em\pv.exe
 
¤¤¤¤¤¤¤¤¤¤ Files/folders : 

Quarantined & Deleted !! : C:\WINDOWS\002235_.tmp 
Quarantined & Deleted !! : C:\WINDOWS\002828_.tmp 
Quarantined & Deleted !! : C:\WINDOWS\SET3.tmp 
Quarantined & Deleted !! : C:\WINDOWS\SET7.tmp 
 
 
=======
Hosts :
=======

127.0.0.1       localhost   

========
Registry
========

Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser : {0E5CBF21-D15F-11D0-8301-00AA005B4383}  
Deleted : HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer : NoDrives  
Deleted : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer : NoDrives  
Deleted : "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe"  
Deleted : "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe"  
Deleted : HKLM\software\microsoft\windows\currentversion\installer\userdata\S-1-5-18\Components\0E12F736682067FDE4D1158D5940A82E  
Deleted : HKLM\software\microsoft\windows\currentversion\installer\userdata\S-1-5-18\Components\1A24B5BB8521B03E0C8D908F5ABC0AE6  
Deleted : HKLM\software\microsoft\windows\currentversion\installer\userdata\S-1-5-18\Components\2B0D56C4F4C46D844A57FFED6F0D2852  
Deleted : HKLM\software\microsoft\windows\currentversion\installer\userdata\S-1-5-18\Components\49D4375FE41653242AEA4C969E4E65E0  
Deleted : HKLM\software\microsoft\windows\currentversion\installer\userdata\S-1-5-18\Components\6AA0923513360135B272E8289C5F13FA  
Deleted : HKLM\software\microsoft\windows\currentversion\installer\userdata\S-1-5-18\Components\6F7467AF8F29C134CBBAB394ECCFDE96  
Deleted : HKLM\software\microsoft\windows\currentversion\installer\userdata\S-1-5-18\Components\741B4ADF27276464790022C965AB6DA8  
Deleted : HKLM\software\microsoft\windows\currentversion\installer\userdata\S-1-5-18\Components\7DE196B10195F5647A2B21B761F3DE01  
Deleted : HKLM\software\microsoft\windows\currentversion\installer\userdata\S-1-5-18\Components\922525DCC5199162F8935747CA3D8E59  
Deleted : HKLM\software\microsoft\windows\currentversion\installer\userdata\S-1-5-18\Components\9D4F5849367142E4685ED8C25E44C5ED  
Deleted : HKLM\software\microsoft\windows\currentversion\installer\userdata\S-1-5-18\Components\A5875B04372C19545BEB90D4D606C472  
Deleted : HKLM\software\microsoft\windows\currentversion\installer\userdata\S-1-5-18\Components\A876D9E80B896EC44A8620248CC79296  
Deleted : HKLM\software\microsoft\windows\currentversion\installer\userdata\S-1-5-18\Components\B66FFAB725B92594C986DE826A867888  
Deleted : HKLM\software\microsoft\windows\currentversion\installer\userdata\S-1-5-18\Components\BCDA179D619B91648538E3394CAC94CC  
Deleted : HKLM\software\microsoft\windows\currentversion\installer\userdata\S-1-5-18\Components\D677B1A9671D4D4004F6F2A4469E86EA  
Deleted : HKLM\software\microsoft\windows\currentversion\installer\userdata\S-1-5-18\Components\DD1402A9DD4215A43ABDE169A41AFA0E  
Deleted : HKLM\software\microsoft\windows\currentversion\installer\userdata\S-1-5-18\Components\E36E114A0EAD2AD46B381D23AD69CDDF  
Deleted : HKLM\software\microsoft\windows\currentversion\installer\userdata\S-1-5-18\Components\EF8E618DB3AEDFBB384561B5C548F65E  
Deleted : HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MEMSWEEP2  
Deleted : HKLM\SYSTEM\CurrentControlSet\Services\MEMSWEEP2  
Deleted : HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_MEMSWEEP2  
Deleted : HKLM\SYSTEM\ControlSet002\Services\MEMSWEEP2  
=================
Internet Explorer
=================

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
Start Page	REG_SZ         	https://www.msn.com/fr-fr/?ocid=iehp
Local Page	REG_SZ         	C:\WINDOWS\system32\blank.htm
Default_Search_URL	REG_SZ         	https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
Default_Page_URL	REG_SZ         	https://www.msn.com/fr-fr/?ocid=iehp
Search Page	REG_SZ         	https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
Start Page	REG_SZ         	https://www.google.com/?gws_rd=ssl
Local Page	REG_SZ         	C:\WINDOWS\system32\blank.htm
Search Page	REG_SZ         	http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

===============
Security Center
===============

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center] 
AntiVirusDisableNotify	REG_DWORD      	0 (0x0) 
FirewallDisableNotify	REG_DWORD      	0 (0x0) 
UpdatesDisableNotify	REG_DWORD      	0 (0x0) 
AntiVirusOverride	REG_DWORD      	1 (0x1) 
FirewallOverride	REG_DWORD      	1 (0x1) 
FirstRunDisabled	REG_DWORD      	1 (0x1) 
 
========
Services
=========

 Ndisuio : Start = 3   
 EapHost : Start = 2   
 Ip6Fw : Start = 2   
 SharedAccess : Start = 2   
 wuauserv : Start = 2   
 wscsvc : Start = 2   

============
Disk Cleaned
anti-ver blaster : OK 
Prefetch cleaned 
================
 
 
 
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤( EOF )¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

willow93 · Answer

Ca a encore planté !
est ce vraiment un virus ?

archet9 · Answer

Depuis plusieurs message je me dir que Non Non et Non....

==> Matériel plutot !!!!!

willow93 · Answer

Bizzard bizzard
J'ai testé la mémoire --> ok
Processeur --> ok
Carte graphique --> Ok
Aucuns de ces composants ne chauffent trop...
Ce qui est louche, c'est que le plantage apparait souvent en utilisant le net ou en écoutant de la musique...
Autre truc, deamon tool ne fonctionne plus chez moi il me dit qu'il faut desactiver le debbuger kernel, est-ce lié aux opérations qu'on a effectué ?
Merci quand meme !

Bug pc

44 réponses

Votre réponse

Discussions similaires

Newsletters