Security Essentials 2010

Résolu
RastaRaquette -  
 gen-hackman -
Bonjour,

Comme beaucoup, je viens de choper une variante avec la fameuse croix rouge qui nous indique être attaqué par un virus et demandant d'installer un Security Essentials 2010 et de désactiver l'antivirus résident.

J'ai cru comprendre qu'il y a une procédure mais dans le doute, je préfererai être guidé pour l'appliquer.
Merci pour votre aide.

61 réponses

  • 1
  • 2
  • 3
  • 4
Résumé de la discussion

Une variante de malware affichant une croix rouge et demandant d’installer un faux Security Essentials 2010 a été détectée sur Windows XP avec Internet Explorer 8, provoquant lenteur et blocages. Plusieurs réponses recommandent des outils de détection et de nettoyage tels que Malwarebytes, puis des scans en mode complet et des redémarrages si nécessaire pour finaliser le nettoyage. Des rapports montrent aussi l’utilisation de scripts et d’outils avancés (Avenger, GMER et d’autres) permettant d’identifier et d’éliminer des éléments rootkits et des services malveillants, avec des difficultés liées au chemin d’accès. D'autres éléments indiquent qu'un contrôle du pare-feu et des autorisations réseau est utile pour prévenir les retours d'infections et pour vérifier l'intégrité générale du système.

Généré automatiquement par IA
sur la base des meilleures réponses
  1. gen-hackman
     
    salut :

    DESACTIVE TON ANTIVIRUS ET TON PAREFEU SI PRESENTS !!!!!(car il est detecté a tort comme infection)

    ▶ Télécharge List_Kill'em

    et enregistre le sur ton bureau

    double clique ( clic droit "executer en tant qu'administrateur" pour Vista/7 ) sur le raccourci sur ton bureau pour lancer l'installation

    Laisse coché :

    ♦ Executer Shortcut
    ♦ Executer List_Kill'em

    une fois terminée , clic sur "terminer" et le programme se lancera seul

    choisis l'option Search

    ▶ laisse travailler l'outil

    à l'apparition de la fenetre blanche , c'est un peu long , c'est normal , le programme n'est pas bloqué.

    ▶ Poste le contenu du rapport qui s'ouvre aux 100 % du scan à l'ecran "COMPLETED"
    ?G3?-?@¢??@?(TM)©®?
    0
  2. RastaRaquette
     
    Merci pour ton aide.

    Impossible de lancer l'option Search car "Application cannot be executed"...
    0
  3. RastaRaquette
     
    Bonjour gene-hackman. Voici le rapport en deux posts :

    ¤¤¤¤¤¤¤¤¤¤ List'em by g3n-h@ckm@n 2.0.0.4 ¤¤¤¤¤¤¤¤¤¤

    User : Compaq_Propriétaire (Administrateurs)
    Update on 20/05/2010 by g3n-h@ckm@n ::::: 19.00
    Start at: 00:27:20 | 22/05/2010

    Intel(R) Pentium(R) 4 CPU 2.93GHz
    Microsoft Windows XP Édition familiale (5.1.2600 32-bit) # Service Pack 3
    Internet Explorer 8.0.6001.18702
    Windows Firewall Status : Disabled
    AV : avast! antivirus 4.8.1368 [VPS 100521-1] 4.8.1368 [ (!) Disabled | Updated ]

    C:\ -> Disque fixe local | 86,89 Go (9,68 Go free) [Windows Programs] | NTFS
    D:\ -> Disque fixe local | 5,99 Go (2,34 Go free) [SYSTÈME] | FAT32
    E:\ -> Disque CD-ROM
    F:\ -> Disque fixe local | 139,99 Go (28,68 Go free) [DONNEES] | NTFS
    G:\ -> Disque amovible
    H:\ -> Disque amovible
    I:\ -> Disque amovible
    J:\ -> Disque amovible
    K:\ -> Disque CD-ROM

    Boot: Normal
    ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Processes running

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Compaq_Propriétaire\Bureau\OTH.scr
    C:\Program Files\List_Kill'em\List_Kill'em.exe
    C:\WINDOWS\system32\cmd.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\Program Files\List_Kill'em\pv.exe

    ======================
    Keys "Run"
    ======================

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    swg REG_SZ "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    BitTorrent DNA REG_SZ "C:\Program Files\DNA\btdna.exe"
    DrvMon.exe REG_SZ C:\WINDOWS\system32\DrvMon.exe
    ctfmon.exe REG_SZ C:\WINDOWS\system32\ctfmon.exe
    BitTorrent REG_SZ "C:\Program Files\BitTorrent\bittorrent.exe"
    DAEMON Tools Lite REG_SZ "C:\Program Files\DAEMONTools\DTLite.exe" -autorun
    smss32.exe REG_SZ C:\WINDOWS\system32\smss32.exe
    Security essentials 2010 REG_SZ C:\Program Files\Securityessentials2010\SE2010.exe

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    TkBellExe REG_SZ "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
    RTHDCPL REG_SZ RTHDCPL.EXE
    Reminder REG_SZ "C:\Windows\Creator\Remind_XP.exe"
    Recguard REG_SZ C:\WINDOWS\SMINST\RECGUARD.EXE
    PS2 REG_SZ C:\WINDOWS\system32\ps2.exe
    KBD REG_SZ C:\HP\KBD\KBD.EXE
    ISUSScheduler REG_SZ "C:\Program Files\Fichiers communs\InstallShield\UpdateService\issch.exe" -start
    ISUSPM Startup REG_SZ C:\PROGRA~1\FICHIE~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    hpsysdrv REG_SZ c:\windows\system\hpsysdrv.exe
    HP Software Update REG_SZ C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
    Camera Detector REG_SZ C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
    avast! REG_SZ C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    ATIPTA REG_SZ "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    Alcmtr REG_SZ ALCMTR.EXE
    WinampAgent REG_SZ "C:\Program Files\Winamp\Winampa.exe"
    QuickTime Task REG_SZ "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    Monitor REG_SZ C:\WINDOWS\Philips\SPC220NC\Monitor.exe
    iTunesHelper REG_SZ "C:\Program Files\iTunes\iTunesHelper.exe"
    BJCFD REG_SZ C:\Program Files\BroadJump\Client Foundation\CFD.exe
    Motive SmartBridge REG_SZ C:\PROGRA~1\CLUB-I~1\LECOMP~1\SMARTB~1\MotiveSB.exe
    SunJavaUpdateSched REG_SZ "C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe"
    smss32.exe REG_SZ C:\WINDOWS\system32\smss32.exe

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]

    =====================
    Other Keys
    =====================

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    dontdisplaylastusername REG_DWORD 0 (0x0)
    legalnoticecaption REG_SZ
    legalnoticetext REG_SZ
    shutdownwithoutlogon REG_DWORD 1 (0x1)
    undockwithoutlogon REG_DWORD 1 (0x1)
    EnableLUA REG_DWORD 0 (0x0)

    ===============

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
    NoDriveTypeAutoRun REG_DWORD 145 (0x91)
    NoDrives REG_DWORD 0 (0x0)
    NoViewOnDrive REG_DWORD 0 (0x0)
    NoSetActiveDesktop REG_DWORD 1 (0x1)
    NoActiveDesktopChanges REG_DWORD 1 (0x1)

    ===============

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
    HonorAutoRunSetting REG_DWORD 1 (0x1)
    NoCDBurning REG_DWORD 0 (0x0)
    NoSetActiveDesktop REG_DWORD 1 (0x1)
    NoActiveDesktopChanges REG_DWORD 1 (0x1)

    ===============

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    AppInit_DLLS REG_SZ

    ===============

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    AutoRestartShell REG_DWORD 1 (0x1)
    DefaultDomainName REG_SZ VERO-NICO
    DefaultUserName REG_SZ Compaq_Propriétaire
    LegalNoticeCaption REG_SZ
    LegalNoticeText REG_SZ
    PowerdownAfterShutdown REG_SZ 0
    ReportBootOk REG_SZ 1
    Shell REG_SZ Explorer.exe
    ShutdownWithoutLogon REG_SZ 0
    System REG_SZ
    Userinit REG_SZ C:\WINDOWS\system32\winlogon32.exe
    VmApplet REG_SZ rundll32 shell32,Control_RunDLL "sysdm.cpl"
    SfcQuota REG_DWORD -1 (0xffffffff)
    allocatecdroms REG_SZ 0
    allocatedasd REG_SZ 0
    allocatefloppies REG_SZ 0
    cachedlogonscount REG_SZ 10
    forceunlocklogon REG_DWORD 0 (0x0)
    passwordexpirywarning REG_DWORD 14 (0xe)
    scremoveoption REG_SZ 0
    AllowMultipleTSSessions REG_DWORD 1 (0x1)
    UIHost REG_EXPAND_SZ logonui.exe
    LogonType REG_DWORD 1 (0x1)
    Background REG_SZ 0 0 0
    DebugServerCommand REG_SZ no
    SFCDisable REG_DWORD 0 (0x0)
    WinStationsDisabled REG_SZ 0
    DefaultPassword REG_SZ
    HibernationPreviouslyEnabled REG_DWORD 1 (0x1)
    ShowLogonOptions REG_DWORD 0 (0x0)
    AltDefaultUserName REG_SZ Compaq_Propriétaire
    AltDefaultDomainName REG_SZ VERO-NICO
    ChangePasswordUseKerberos REG_DWORD 1 (0x1)

    ===============

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AtiExtEvent]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypt32chain]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cryptnet]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cscdll]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljJAQJAT]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ScCertProp]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Schedule]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sclgntfy]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SensLogn]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\termsrv]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WgaLogon]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wlballoon]

    ===============

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    {AEB6717E-7E19-11d0-97EE-00C04FD91972} REG_SZ
    {166BCB27-FCFD-4588-9BDB-44FC6A02EF35} REG_SZ

    ===============

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    %windir%\system32\sessmgr.exe REG_SZ %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
    C:\Program Files\iTunes\iTunes.exe REG_SZ C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes
    C:\Program Files\DNA\btdna.exe REG_SZ C:\Program Files\DNA\btdna.exe:*:Enabled:DNA
    %windir%\Network Diagnostic\xpnetdiag.exe REG_SZ %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
    C:\Program Files\PPMate\ppmate.exe REG_SZ C:\Program Files\PPMate\ppmate.exe:*:Enabled:PPMate
    C:\Program Files\PPMate\ppmnet.exe REG_SZ C:\Program Files\PPMate\ppmnet.exe:*:Enabled:PPMate
    C:\Program Files\PPMate\ppamnet.exe REG_SZ C:\Program Files\PPMate\ppamnet.exe:*:Enabled:PPMate
    C:\Program Files\Messenger\msmsgs.exe REG_SZ C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger
    C:\Program Files\Windows Live\Messenger\wlcsdk.exe REG_SZ C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call
    C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe REG_SZ C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe REG_SZ C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger
    C:\Program Files\AOL 9.0\waol.exe REG_SZ C:\Program Files\AOL 9.0\waol.exe:*:Disabled:AOL France
    C:\Program Files\BitTorrent\bittorrent.exe REG_SZ C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent
    C:\Program Files\Bonjour\mDNSResponder.exe REG_SZ C:\Program Files\Bonjour\mDNSResponder.exe:*:Disabled:Bonjour
    C:\Program Files\TerraTec\TerraTec Home Cinema\InstTool.exe REG_SZ C:\Program Files\TerraTec\TerraTec Home Cinema\InstTool.exe:*:Enabled:TerraTec Home Cinema Basic (Setup)
    C:\Program Files\TerraTec\TerraTec Home Cinema\tvtvSetup\tvtv_Wizard.exe REG_SZ C:\Program Files\TerraTec\TerraTec Home Cinema\tvtvSetup\tvtv_Wizard.exe:*:Enabled:TerraTec Home Cinema Basic (tvtv Setup)
    C:\Program Files\TerraTec\TerraTec Home Cinema\CinergyDvr.exe REG_SZ C:\Program Files\TerraTec\TerraTec Home Cinema\CinergyDvr.exe:*:Enabled:TerraTec Home Cinema Basic
    C:\Program Files\TerraTec\TerraTec Home Cinema\VersionCheck\VersionCheck.exe REG_SZ C:\Program Files\TerraTec\TerraTec Home Cinema\VersionCheck\VersionCheck.exe:*:Enabled:TerraTec Home Cinema Basic (Auto Update)

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    %windir%\system32\sessmgr.exe REG_SZ %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
    %windir%\Network Diagnostic\xpnetdiag.exe REG_SZ %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
    C:\Program Files\Windows Live\Messenger\wlcsdk.exe REG_SZ C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call
    C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe REG_SZ C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe REG_SZ C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger
    0
  4. Vous n’avez pas trouvé la réponse que vous recherchez ?

    Posez votre question
  5. RastaRaquette
     
    ===============
    ActivX controls
    ===============

    [HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\Microsoft XML Parser for Java]
    [HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{166B1BCA-3F9C-11CF-8075-444553540000}]
    [HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{5D637FAD-E202-48D1-8F18-5B9C459BD1E3}]
    [HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{6E5E167B-1566-4316-B27F-0DDAB3484CF7}]
    [HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{6F750203-1362-4815-A476-88533DE61D0C}]
    [HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{78ABDC59-D8E7-44D3-9A76-9A0918C52B4A}]
    [HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{8AD9C840-044E-11D1-B3E9-00805F499D93}]
    [HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}]
    [HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{C36112BF-2FA3-4694-8603-3B510EA3B465}]
    [HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA}]
    [HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}]
    [HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}]
    [HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}]
    [HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}]
    [HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}]
    [HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}]
    [HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{D27CDB6E-AE6D-11CF-96B8-444553540000}]
    [HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{E008A543-CEFB-4559-912F-C27C2B89F13B}]
    [HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{E87F6C8E-16C0-11D3-BEF7-009027438003}]
    [HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{EDFCB7CB-942C-4822-AF14-F0B687409848}]

    ===============
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}]
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{26923b43-4d38-484f-9b9e-de460746276c}]
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{08B0E5C0-4FCB-11CF-AAA5-00401C608500}]
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10072CEC-8CC1-11D1-986E-00A0C955B42F}]
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220}]
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{233C1507-6A77-46A4-9443-F871F945D258}]
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{283807B5-2C60-11D0-A31D-00AA00B92C03}]
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{2A202491-F00D-11cf-87CC-0020AFEECF20}]
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{36f8ec70-c29a-11d1-b5c7-0000f8051515}]
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{3af36230-a269-11d1-b5bf-0000f8051515}]
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{3bf42070-b3b1-11d1-b5c5-0000f8051515}]
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{3EA915E5-75D7-4F6A-65F2-2596D5DAE5EB}]
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{411EDCF7-755D-414E-A74B-3DCD6583F589}]
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{4278c270-a269-11d1-b5bf-0000f8051515}]
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA848-CC51-11CF-AAFA-00AA00B6015C}]
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F}]
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{45ea75a0-a269-11d1-b5bf-0000f8051515}]
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{4f216970-c90c-11d1-b5c7-0000f8051515}]
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{4f645220-306d-11d2-995d-00c04f98bbc9}]
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{5945c046-1e7d-11d1-bc44-00c04fd912be}]
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{5A8D6EE0-3E18-11D0-821E-444553540000}]
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}]
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{630b1da0-b465-11d1-9948-00c04f98bbc9}]
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9}]
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}]
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{73FA19D0-2D75-11D2-995D-00C04F98BBC9}]
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}]
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8b15971b-5355-4c82-8c07-7e181ea07608}]
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9381D8F2-0288-11D0-9501-00AA00B911A5}]
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{94de52c8-2d59-4f1b-883e-79663d2d9a8c}]
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9A394342-4A68-4EBA-85A6-55B559F4E700}]
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B508B3F1-A24A-32C0-B310-85786919EF28}]
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}]
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{C9E9A340-D1F1-11D0-821E-444553540600}]
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}]
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{CC2A9BA0-3BDD-11D0-821E-444553540000}]
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{CDD7975E-60F8-41d5-8149-19E51D6F71D0}]
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{DAA94A2A-2A8D-4D3B-9DB8-56FBECED082D}]
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9}]
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{E92B03AB-B707-11d2-9CBD-0000F87A369E}]

    ==============
    BHO :
    ======

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{166BCB27-FCFD-4588-9BDB-44FC6A02EF35}]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]

    ===
    DNS
    ===

    Description: Realtek RTL8139/810x Family Fast Ethernet NIC - Miniport d'ordonnancement de paquets
    DNS Server Search Order: 192.168.1.1
    HKLM\SYSTEM\CCS\Services\Tcpip\..\{DE246E2C-8697-44FE-A5BB-FA04D12D4DEC}: DhcpNameServer=15.243.128.51 15.243.160.51
    HKLM\SYSTEM\CCS\Services\Tcpip\..\{FCCC2066-BE36-4E2B-9B89-928F3A3C6C42}: DhcpNameServer=192.168.1.1
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{DE246E2C-8697-44FE-A5BB-FA04D12D4DEC}: DhcpNameServer=15.243.128.51 15.243.160.51
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{FCCC2066-BE36-4E2B-9B89-928F3A3C6C42}: DhcpNameServer=192.168.1.1
    HKLM\SYSTEM\CS2\Services\Tcpip\..\{DE246E2C-8697-44FE-A5BB-FA04D12D4DEC}: DhcpNameServer=15.243.128.51 15.243.160.51
    HKLM\SYSTEM\CS2\Services\Tcpip\..\{FCCC2066-BE36-4E2B-9B89-928F3A3C6C42}: DhcpNameServer=192.168.1.1
    HKLM\SYSTEM\CS3\Services\Tcpip\..\{DE246E2C-8697-44FE-A5BB-FA04D12D4DEC}: DhcpNameServer=15.243.128.51 15.243.160.51
    HKLM\SYSTEM\CS3\Services\Tcpip\..\{FCCC2066-BE36-4E2B-9B89-928F3A3C6C42}: DhcpNameServer=194.117.200.10 194.117.200.15
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
    HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
    HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=194.117.200.10 194.117.200.15

    ================
    Internet Explorer :
    ================

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
    Start Page REG_SZ https://www.msn.com/fr-fr/?ocid=iehp
    Local Page REG_SZ C:\WINDOWS\system32\blank.htm
    Default_Search_URL REG_SZ https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
    Default_Page_URL REG_SZ https://www.msn.com/fr-fr/?ocid=iehp
    Search Page REG_SZ https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
    Start Page REG_SZ https://www.google.fr/?gws_rd=ssl
    Local Page REG_SZ C:\WINDOWS\system32\blank.htm
    Search Page REG_SZ https://www.google.com/?gws_rd=ssl

    ========
    Services
    ========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services]

    Ndisuio : 0x3 ( OK = 3 )
    EapHost : 0x3 ( OK = 2 )
    SharedAccess : 0x2 ( OK = 2 )
    wuauserv : 0x2 ( OK = 2 )

    ========
    Safemode
    ========

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot : OK !!
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal : OK !!
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network : OK !!

    =========
    Atapi.sys
    =========

    C:\WINDOWS\$NtServicePackUninstall$\atapi.sys :
    MD5 :: [cdfe4411a69c224bd1d11b2da92dac51]
    SHA256 :: [0e6b23a80f171550575bebc56f7500cd87a5cf03b2b9fdc49bc3de96282cd69d]

    C:\WINDOWS\ServicePackFiles\i386\atapi.sys :
    MD5 :: [9f3a2f5aa6875c72bf062c712cfa2674]
    SHA256 :: [b4df1d2c56a593c6b54de57395e3b51d288f547842893b32b0f59228a0cf70b9]

    C:\WINDOWS\system32\drivers\atapi.sys :
    MD5 :: [9f3a2f5aa6875c72bf062c712cfa2674]
    SHA256 :: [b4df1d2c56a593c6b54de57395e3b51d288f547842893b32b0f59228a0cf70b9]

    C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\i386\atapi.sys :
    MD5 :: [cdfe4411a69c224bd1d11b2da92dac51]
    SHA256 :: [0e6b23a80f171550575bebc56f7500cd87a5cf03b2b9fdc49bc3de96282cd69d]

    Référence :
    ==========

    Win 2000_SP2 : ff953a8f08ca3f822127654375786bbe
    Win 2000_SP4 : 8c718aa8c77041b3285d55a0ce980867
    Win XP_32b : a64013e98426e1877cb653685c5c0009
    Win XP_SP2_32b : CDFE4411A69C224BD1D11B2DA92DAC51
    Win XP_SP3_32b : 9F3A2F5AA6875C72BF062C712CFA2674
    Vista_32b : e03e8c99d15d0381e02743c36afc7c6f
    Vista_SP1_32b : 2d9c903dc76a66813d350a562de40ed9
    Vista_SP2_32b : 1F05B78AB91C9075565A9D8A4B880BC4
    Vista_SP2_64b : 1898FAE8E07D97F2F6C2D5326C633FAC
    Windows 7_32b : 80C40F7FDFC376E4C5FEEC28B41C119E
    Windows 7_64b : 02062C0B390B7729EDC9E69C680A6F3C
    Windows 7_32b_Ultimate : 338c86357871c167a96ab976519bf59e

    =======
    Drive :
    =======

    D'fragmenteur de disque Windows
    Copyright (c) 2001 Microsoft Corp. et Executive Software International Inc.

    Rapport d'analyse
    86,89 Go total, 9,68 Go libre (11%), 30% fragment' (fragmentation du fichier 60%)

    Vous devriez d'fragmenter ce volume.

    ¤¤¤¤¤¤¤¤¤¤ Files/folders :

    Present !! : C:\Program Files\Advantage
    Present !! : C:\Program Files\Securityessentials2010
    Present !! : C:\Program Files\WindowsUpdate
    Present !! : C:\WINDOWS\003043_.tmp
    Present !! : C:\WINDOWS\System32\helpers32.dll
    Present !! : C:\WINDOWS\System32\ps2.bat
    Present !! : C:\WINDOWS\System32\SET20.tmp
    Present !! : C:\WINDOWS\System32\SET40.tmp
    Present !! : C:\WINDOWS\System32\SET4C.tmp
    Present !! : C:\WINDOWS\System32\SET55.tmp
    Present !! : C:\WINDOWS\System32\SET56.tmp
    Present !! : C:\WINDOWS\System32\SET57.tmp
    Present !! : C:\WINDOWS\System32\SET5A.tmp
    Present !! : C:\WINDOWS\System32\smss32.exe
    Present !! : C:\WINDOWS\System32\warnings.html
    Present !! : C:\WINDOWS\System32\winlogon32.exe
    Present !! : C:\WINDOWS\Temp\8.tmp
    Present !! : C:\WINDOWS\Temp\85.tmp
    Present !! : C:\WINDOWS\Temp\86.tmp
    Present !! : C:\WINDOWS\Temp\88.tmp
    Present !! : C:\WINDOWS\Temp\89.tmp
    Present !! : C:\WINDOWS\Temp\8A.tmp
    Present !! : C:\WINDOWS\Temp\9.tmp
    Present !! : C:\WINDOWS\Temp\91.tmp
    Present !! : C:\WINDOWS\Temp\92.tmp
    Present !! : C:\WINDOWS\Temp\is11.tmp
    Present !! : C:\WINDOWS\Temp\is1AF.tmp
    Present !! : C:\WINDOWS\Temp\is1B1.tmp
    Present !! : C:\WINDOWS\Temp\isE.tmp
    Present !! : C:\WINDOWS\Temp\~TM15.tmp
    Present !! : C:\WINDOWS\Temp\~TM83.tmp
    Present !! : C:\Documents and Settings\Compaq_Propri'taire\Application Data\avdrn.dat
    Present !! : C:\Documents and Settings\Compaq_Propri'taire\Application Data\EurosportPersonalization.data
    Present !! : C:\Documents and Settings\Compaq_Propri'taire\Application Data\qvjsge.dat
    Present !! : C:\Documents and Settings\Compaq_Propri'taire\Application Data\wklnhst.dat
    Present !! : C:\Documents and Settings\Compaq_Propri'taire\Application Data\avdrn.dat
    Present !! : C:\Documents and Settings\Compaq_Propri'taire\Application Data\EurosportPersonalization.data
    Present !! : C:\Documents and Settings\Compaq_Propri'taire\Application Data\qvjsge.dat
    Present !! : C:\Documents and Settings\Compaq_Propri'taire\Application Data\wklnhst.dat
    Present !! : C:\Documents and Settings\Compaq_Propri'taire\Local Settings\Temp\6.tmp
    Present !! : C:\Documents and Settings\Compaq_Propri'taire\Local Settings\Temp\83.tmp
    Present !! : C:\Documents and Settings\Compaq_Propri'taire\Local Settings\Temp\8F.tmp
    Present !! : C:\Documents and Settings\Compaq_Propri'taire\LOCAL Settings\Temp\jre-6u20-windows-i586-iftw-rv.exe
    Present !! : C:\Documents and Settings\Compaq_Propri'taire\LOCAL Settings\Temp\dwa7res_fr.dll
    Present !! : C:\Documents and Settings\Compaq_Propri'taire\Local Settings\Temporary Internet Files\SuggestedSites.dat

    ¤¤¤¤¤¤¤¤¤¤ Keys :

    Present !! : HKCU\Software\Microsoft\Windows\CurrentVersion\Run : Security essentials 2010
    Present !! : HKCU\Software\Microsoft\Windows\CurrentVersion\Run : smss32.exe
    Present !! : HKLM\Software\Microsoft\Windows\CurrentVersion\Run : smss32.exe
    Present !! : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser : {0E5CBF21-D15F-11D0-8301-00AA005B4383}
    Present !! : HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer : NoActiveDesktopChanges
    Present !! : HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer : NoDrives
    Present !! : HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer : NoSetActiveDesktop
    Present !! : HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer : NoViewOnDrive
    Present !! : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer : NoActiveDesktopChanges
    Present !! : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer : NoSetActiveDesktop
    Present !! : HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System : DisableTaskMgr
    Present !! : "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe"
    Present !! : "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe"
    Present !! : HKCU\SOFTWARE\SE2010
    Present !! : HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_mchInjDrv
    Present !! : HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_mchInjDrv
    Present !! : HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_mchInjDrv

    ============

    catchme 0.3.1398.3 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-05-22 01:54:11
    Windows 5.1.2600 Service Pack 3 FAT NTAPI

    scanning hidden processes ...

    IPC error: 2 Le fichier spécifié est introuvable.
    scanning hidden services ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x85F48D01]<<
    kernel: MBR read successfully
    user & kernel MBR OK

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    FirstRunDisabled REG_DWORD 1 (0x1)
    AntiVirusDisableNotify REG_DWORD 1 (0x1)
    FirewallDisableNotify REG_DWORD 1 (0x1)
    UpdatesDisableNotify REG_DWORD 1 (0x1)
    AntiVirusOverride REG_DWORD 0 (0x0)
    FirewallOverride REG_DWORD 0 (0x0)

    ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤( EOF )¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

    End of scan : 1:54:13,03
    0
  6. gen-hackman
     
    hello

    ▶ Relance List_Kill'em(soit en clic droit pour vista/7),avec le raccourci sur ton bureau.
    mais cette fois-ci :

    ▶ choisis l'Option Clean

    ton PC va redemarrer,

    laisse travailler l'outil.

    en fin de scan la fenetre se ferme , et tu as un rapport du nom de Kill'em.txt sur ton bureau ,

    ▶ colle le contenu dans ta reponse
    0
  7. RastaRaquette
     
    Rapport après le Clean :

    ¤¤¤¤¤¤¤¤¤¤ Kill'em by g3n-h@ckm@n 2.0.0.4 ¤¤¤¤¤¤¤¤¤¤

    User : Compaq_Propriétaire (Administrateurs)
    Update on 20/05/2010 by g3n-h@ckm@n ::::: 19.00
    Start at: 10:17:20 | 22/05/2010

    Intel(R) Pentium(R) 4 CPU 2.93GHz
    Microsoft Windows XP Édition familiale (5.1.2600 32-bit) # Service Pack 3
    Internet Explorer 8.0.6001.18702
    Windows Firewall Status : Disabled
    AV : avast! antivirus 4.8.1368 [VPS 100522-0] 4.8.1368 [ Enabled | Updated ]

    C:\ -> Disque fixe local | 86,89 Go (9,68 Go free) [Windows Programs] | NTFS
    D:\ -> Disque fixe local | 5,99 Go (2,34 Go free) [SYSTÈME] | FAT32
    E:\ -> Disque CD-ROM
    F:\ -> Disque fixe local | 139,99 Go (28,68 Go free) [DONNEES] | NTFS
    G:\ -> Disque amovible
    H:\ -> Disque amovible
    I:\ -> Disque amovible
    J:\ -> Disque amovible
    K:\ -> Disque CD-ROM

    ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Processes running

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\winlogon32.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Diskeeper Lite\DKService.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\userinit.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\cmd.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\Program Files\List_Kill'em\ERUNT.EXE
    C:\Program Files\List_Kill'em\pv.exe

    ¤¤¤¤¤¤¤¤¤¤ Files/folders :
    0
  8. RastaRaquette
     
    Ben non, c'est tout ce que j'ai dans le .txt !
    Je dois relancer une manip ?
    0
  9. gen-hackman
     
    oui refais OTH avant au pire des cas et fais l'option safemode clean
    0
  10. RastaRaquette
     
    Resultat :
    Et je n'arrive plus à me connecter à Internet (là je passe par un autre PC) : "Prévention de l'éxecution des données" m'en empeche et impossible de désactiver cette fonction...

    ¤¤¤¤¤¤¤¤¤¤ Kill'em by g3n-h@ckm@n 2.0.0.4 ¤¤¤¤¤¤¤¤¤¤

    User : Compaq_Propriétaire (Administrateurs)
    Update on 20/05/2010 by g3n-h@ckm@n ::::: 19.00
    Start at: 11:25:31 | 22/05/2010

    Intel(R) Pentium(R) 4 CPU 2.93GHz
    Microsoft Windows XP Édition familiale (5.1.2600 32-bit) # Service Pack 3
    Internet Explorer 8.0.6001.18702
    Windows Firewall Status : Disabled
    AV : avast! antivirus 4.8.1368 [VPS 100522-0] 4.8.1368 [ (!) Disabled | Updated ]

    C:\ -> Disque fixe local | 86,89 Go (10,5 Go free) [Windows Programs] | NTFS
    D:\ -> Disque fixe local | 5,99 Go (2,34 Go free) [SYSTÈME] | FAT32
    E:\ -> Disque CD-ROM
    F:\ -> Disque fixe local | 139,99 Go (28,68 Go free) [DONNEES] | NTFS
    G:\ -> Disque amovible
    H:\ -> Disque amovible
    I:\ -> Disque amovible
    J:\ -> Disque amovible
    K:\ -> Disque CD-ROM

    ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Processes running

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Documents and Settings\Compaq_Propriétaire\Bureau\OTH.scr
    C:\Program Files\List_Kill'em\List_Kill'em.exe
    C:\WINDOWS\system32\cmd.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\Program Files\List_Kill'em\ERUNT.EXE
    C:\Program Files\List_Kill'em\pv.exe

    ¤¤¤¤¤¤¤¤¤¤ Files/folders :

    Quarantined & Deleted !! : C:\Program Files\Advantage
    Quarantined & Deleted !! : C:\Program Files\Securityessentials2010
    Quarantined & Deleted !! : C:\Program Files\WindowsUpdate
    Quarantined & Deleted !! : C:\WINDOWS\003043_.tmp

    Quarantined & Deleted !! : C:\WINDOWS\System32\19169.exe
    Quarantined & Deleted !! : C:\WINDOWS\System32\26500.exe
    Quarantined & Deleted !! : C:\WINDOWS\System32\6334.exe
    Quarantined & Deleted !! : C:\WINDOWS\System32\helpers32.dll
    Quarantined & Deleted !! : C:\WINDOWS\System32\ps2.bat
    Quarantined & Deleted !! : C:\WINDOWS\System32\SET20.tmp
    Quarantined & Deleted !! : C:\WINDOWS\System32\SET40.tmp
    Quarantined & Deleted !! : C:\WINDOWS\System32\SET4C.tmp
    Quarantined & Deleted !! : C:\WINDOWS\System32\SET55.tmp
    Quarantined & Deleted !! : C:\WINDOWS\System32\SET56.tmp
    Quarantined & Deleted !! : C:\WINDOWS\System32\SET57.tmp
    Quarantined & Deleted !! : C:\WINDOWS\System32\SET5A.tmp
    Quarantined & Deleted !! : C:\WINDOWS\System32\smss32.exe
    Quarantined & Deleted !! : C:\WINDOWS\System32\warnings.html
    Quarantined & Deleted !! : C:\WINDOWS\System32\winlogon32.exe
    Quarantined & Deleted !! : C:\WINDOWS\Temp\1D.tmp
    Quarantined & Deleted !! : C:\WINDOWS\Temp\1E.tmp
    Quarantined & Deleted !! : C:\WINDOWS\Temp\8.tmp
    Quarantined & Deleted !! : C:\WINDOWS\Temp\88.tmp
    Quarantined & Deleted !! : C:\WINDOWS\Temp\89.tmp
    Quarantined & Deleted !! : C:\WINDOWS\Temp\8A.tmp
    Quarantined & Deleted !! : C:\WINDOWS\Temp\9.tmp
    Quarantined & Deleted !! : C:\WINDOWS\Temp\is11.tmp
    Quarantined & Deleted !! : C:\WINDOWS\Temp\is1AF.tmp
    Quarantined & Deleted !! : C:\WINDOWS\Temp\is1B1.tmp
    Quarantined & Deleted !! : C:\WINDOWS\Temp\isE.tmp
    Quarantined & Deleted !! : C:\WINDOWS\Temp\~TM15.tmp
    Quarantined & Deleted !! : C:\WINDOWS\Temp\~TM83.tmp
    Quarantined & Deleted !! : C:\Documents and Settings\Compaq_Propri'taire\Application Data\avdrn.dat
    Quarantined & Deleted !! : C:\Documents and Settings\Compaq_Propri'taire\Application Data\EurosportPersonalization.data
    Quarantined & Deleted !! : C:\Documents and Settings\Compaq_Propri'taire\Application Data\qvjsge.dat
    Quarantined & Deleted !! : C:\Documents and Settings\Compaq_Propri'taire\Application Data\wklnhst.dat
    Quarantined & Deleted !! : C:\Documents and Settings\Compaq_Propri'taire\Local Settings\Temp\1B.tmp
    Quarantined & Deleted !! : C:\Documents and Settings\Compaq_Propri'taire\Local Settings\Temp\7.tmp
    Quarantined & Deleted !! : C:\Documents and Settings\Compaq_Propri'taire\LOCAL Settings\Temp\jre-6u20-windows-i586-iftw-rv.exe
    Quarantined & Deleted !! : C:\Documents and Settings\Compaq_Propri'taire\LOCAL Settings\Temp\dwa7res_fr.dll
    Quarantined & Deleted !! : C:\Documents and Settings\Compaq_Propri'taire\Local Settings\Temporary Internet Files\SuggestedSites.dat

    =======
    Hosts :
    =======

    127.0.0.1 localhost

    ========
    Registry
    ========

    Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Run : Security essentials 2010
    Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Run : smss32.exe
    Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Run : smss32.exe
    Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser : {0E5CBF21-D15F-11D0-8301-00AA005B4383}
    Deleted : HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer : NoActiveDesktopChanges
    Deleted : HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer : NoDrives
    Deleted : HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer : NoSetActiveDesktop
    Deleted : HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer : NoViewOnDrive
    Deleted : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer : NoActiveDesktopChanges
    Deleted : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer : NoSetActiveDesktop
    Deleted : HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System : DisableTaskMgr
    Deleted : "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe"
    Deleted : "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe"
    Deleted : HKCU\SOFTWARE\SE2010
    Deleted : HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_mchInjDrv
    Deleted : HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_mchInjDrv
    =================
    Internet Explorer
    =================

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
    Start Page REG_SZ https://www.msn.com/fr-fr/?ocid=iehp
    Local Page REG_SZ C:\WINDOWS\system32\blank.htm
    Default_Search_URL REG_SZ https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
    Default_Page_URL REG_SZ https://www.msn.com/fr-fr/?ocid=iehp
    Search Page REG_SZ https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
    Start Page REG_SZ https://www.google.com/?gws_rd=ssl
    Local Page REG_SZ C:\WINDOWS\system32\blank.htm
    Search Page REG_SZ http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

    ===============
    Security Center
    ===============

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    FirstRunDisabled REG_DWORD 1 (0x1)
    AntiVirusDisableNotify REG_DWORD 0 (0x0)
    FirewallDisableNotify REG_DWORD 0 (0x0)
    UpdatesDisableNotify REG_DWORD 0 (0x0)
    AntiVirusOverride REG_DWORD 1 (0x1)
    FirewallOverride REG_DWORD 1 (0x1)

    ========
    Services
    =========

    Ndisuio : Start = 3
    EapHost : Start = 2
    SharedAccess : Start = 2
    wuauserv : Start = 2
    wscsvc : Start = 2

    ============
    Disk Cleaned
    anti-ver blaster : OK
    Prefetch cleaned
    ================

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x85D83D01]<<
    kernel: MBR read successfully
    user & kernel MBR OK

    ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤( EOF )¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
    0
  11. gen-hackman
     
    ▶ Télécharge : Gmer (by Przemyslaw Gmerek) et enregistre-le sur ton bureau

    Desactive toutes tes protections le temps du scan de gMer

    Pour XP => double clique sur gmer.exe
    Pour Vista et 7 => clique droit "executer en tant que...."

    ▶ Dezippe gmer ,cliques sur l'onglet rootkit,lances le scan,des lignes rouges vont apparaitre.

    ▶ Les lignes rouges indiquent la presence d'un rootkit.Postes moi le rapport gmer (cliques sur copy,puis vas dans demarrer ,puis ouvres le bloc note,vas dans edition et cliques sur coller,le rapport gmer va apparaitre,postes moi le)

    Ensuite

    ▶ sur les lignes rouge:

    ▶ Services:cliques droit delete service
    ▶ Process:cliques droit kill process
    ▶ Adl ,file:cliques droit delete files
    0
  12. RastaRaquette
     
    J'attends que tu aies lu le rapport avant les clicks droit (service, process et Adl) ou j'enchaine après le scan ?
    0
  13. gen-hackman
     
    enchaine apres avoir collé le rapport ici
    0
  14. RastaRaquette
     
    Une ligne rouge en Service
    9 lignes rouges en SSDT

    Rapport à venir.
    0
  15. RastaRaquette
     
    Rapport 1/3

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-05-22 18:14:45
    Windows 5.1.2600 Service Pack 3
    Running: gmer.exe; Driver: C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\pxtorpod.sys

    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xEC3FE6B8] <-- ROOTKIT !!!
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xEC3FEA52] <-- ROOTKIT !!!
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xEC3FE14C] <-- ROOTKIT !!!
    SSDT spdz.sys ZwEnumerateKey [0xF73E1DA4] <-- ROOTKIT !!!
    SSDT spdz.sys ZwEnumerateValueKey [0xF73E2132] <-- ROOTKIT !!!
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xEC3FE64E] <-- ROOTKIT !!!
    SSDT spdz.sys ZwQueryKey [0xF73E220A] <-- ROOTKIT !!!
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xEC3FE76E] <-- ROOTKIT !!!
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xEC3FE72E] <-- ROOTKIT !!!

    INT 0x73 ? 861D8BF8
    INT 0x82 ? 861D8BF8
    INT 0x83 ? 861D8BF8
    INT 0x83 ? 861D8BF8
    INT 0xB4 ? 85F28F00
    INT 0xB4 ? 85F28F00
    INT 0xB4 ? 85F28F00
    INT 0xB4 ? 85F28F00

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!ZwCallbackReturn + 2CD4 80504570 4 Bytes JMP 924AEC3F
    ? spdz.sys Le fichier spécifié est introuvable. !
    .pak2 C:\WINDOWS\system32\drivers\chjry.sys entry point in ".pak2" section [0xF729F1B3]
    ? C:\WINDOWS\system32\drivers\chjry.sys Un périphérique attaché au système ne fonctionne pas correctement.
    .text USBPORT.SYS!DllUnload F64928AC 5 Bytes JMP 85F284E0
    .text ae0md5dc.SYS F63CF386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
    .text ae0md5dc.SYS F63CF3AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
    .text ae0md5dc.SYS F63CF3C4 3 Bytes [00, 80, 02]
    .text ae0md5dc.SYS F63CF3C9 1 Byte [30]
    .text ae0md5dc.SYS F63CF3C9 11 Bytes [30, 00, 00, 00, 5E, 02, 00, ...] {XOR [EAX], AL; ADD [EAX], AL; POP ESI; ADD AL, [EAX]; ADD [EAX], AL; ADD [EAX], AL}
    .text ...

    ---- User code sections - GMER 1.0.15 ----

    ? C:\WINDOWS\System32\svchost.exe[608] image checksum mismatch; number of sections mismatch; time/date stamp mismatch; unknown module: imagehlp.dll
    .text C:\WINDOWS\System32\svchost.exe[1128] ntdll.dll!NtProtectVirtualMemory 7C91D6EE 5 Bytes JMP 006D000A
    .text C:\WINDOWS\System32\svchost.exe[1128] ntdll.dll!NtWriteVirtualMemory 7C91DFAE 5 Bytes JMP 006E000A
    .text C:\WINDOWS\System32\svchost.exe[1128] ntdll.dll!KiUserExceptionDispatcher 7C91E47C 5 Bytes JMP 006C000C
    .text C:\WINDOWS\System32\svchost.exe[1128] ole32.dll!CoCreateInstance 774C057E 5 Bytes JMP 0232000A
    .text C:\WINDOWS\Explorer.EXE[1688] ntdll.dll!NtProtectVirtualMemory 7C91D6EE 5 Bytes JMP 00B7000A
    .text C:\WINDOWS\Explorer.EXE[1688] ntdll.dll!NtWriteVirtualMemory 7C91DFAE 5 Bytes JMP 00C1000A
    .text C:\WINDOWS\Explorer.EXE[1688] ntdll.dll!KiUserExceptionDispatcher 7C91E47C 5 Bytes JMP 00B6000C
    .text C:\Program Files\Internet Explorer\iexplore.exe[2156] ntdll.dll!NtProtectVirtualMemory 7C91D6EE 5 Bytes JMP 00EA000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[2156] ntdll.dll!NtWriteVirtualMemory 7C91DFAE 5 Bytes JMP 00EB000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[2156] ntdll.dll!KiUserExceptionDispatcher 7C91E47C 5 Bytes JMP 00E9000C
    .text C:\Program Files\Internet Explorer\iexplore.exe[2156] USER32.dll!DialogBoxParamW 7E3A47AB 5 Bytes JMP 40D85505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2156] USER32.dll!SetWindowsHookExW 7E3A820F 5 Bytes JMP 40E59A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2156] USER32.dll!CallNextHookEx 7E3AB3C6 5 Bytes JMP 40E4D101 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2156] USER32.dll!CreateWindowExW 7E3AD0A3 5 Bytes JMP 40E5DAC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2156] USER32.dll!UnhookWindowsHookEx 7E3AD5F3 5 Bytes JMP 40DC466E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2156] USER32.dll!DialogBoxIndirectParamW 7E3B2072 5 Bytes JMP 40F5473F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2156] USER32.dll!MessageBoxIndirectA 7E3BA082 5 Bytes JMP 40F54671 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2156] USER32.dll!DialogBoxParamA 7E3BB144 5 Bytes JMP 40F546DC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2156] USER32.dll!MessageBoxExW 7E3D0838 5 Bytes JMP 40F54542 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2156] USER32.dll!MessageBoxExA 7E3D085C 5 Bytes JMP 40F545A4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2156] USER32.dll!DialogBoxIndirectParamA 7E3D6D7D 5 Bytes JMP 40F547A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2156] USER32.dll!MessageBoxIndirectW 7E3E64D5 5 Bytes JMP 40F54606 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2156] ole32.dll!CoCreateInstance 774C057E 5 Bytes JMP 40E5DB20 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2156] ole32.dll!OleLoadFromStream 774E9C85 5 Bytes JMP 40F54AA7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2588] ntdll.dll!NtProtectVirtualMemory 7C91D6EE 5 Bytes JMP 00EA000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[2588] ntdll.dll!NtWriteVirtualMemory 7C91DFAE 5 Bytes JMP 00EB000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[2588] ntdll.dll!KiUserExceptionDispatcher 7C91E47C 5 Bytes JMP 00E9000C
    .text C:\Program Files\Internet Explorer\iexplore.exe[2588] USER32.dll!DialogBoxParamW 7E3A47AB 5 Bytes JMP 40D85505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2588] USER32.dll!CreateWindowExW 7E3AD0A3 5 Bytes JMP 40E5DAC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2588] USER32.dll!DialogBoxIndirectParamW 7E3B2072 5 Bytes JMP 40F5473F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2588] USER32.dll!MessageBoxIndirectA 7E3BA082 5 Bytes JMP 40F54671 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2588] USER32.dll!DialogBoxParamA 7E3BB144 5 Bytes JMP 40F546DC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2588] USER32.dll!MessageBoxExW 7E3D0838 5 Bytes JMP 40F54542 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2588] USER32.dll!MessageBoxExA 7E3D085C 5 Bytes JMP 40F545A4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2588] USER32.dll!DialogBoxIndirectParamA 7E3D6D7D 5 Bytes JMP 40F547A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2588] USER32.dll!MessageBoxIndirectW 7E3E64D5 5 Bytes JMP 40F54606 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    ? C:\WINDOWS\System32\svchost.exe[3964] image checksum mismatch; number of sections mismatch; time/date stamp mismatch;

    ---- Kernel IAT/EAT - GMER 1.0.15 ----

    IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F73CA042] spdz.sys
    IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F73CA13E] spdz.sys
    IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F73CA0C0] spdz.sys
    IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F73CA800] spdz.sys
    IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F73CA6D6] spdz.sys
    IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F73D9B90] spdz.sys
    IAT \SystemRoot\System32\Drivers\ae0md5dc.SYS[HAL.dll!KfAcquireSpinLock] 18C4830E
    IAT \SystemRoot\System32\Drivers\ae0md5dc.SYS[HAL.dll!READ_PORT_UCHAR] 1C959E88
    IAT \SystemRoot\System32\Drivers\ae0md5dc.SYS[HAL.dll!KeGetCurrentIrql] 9E880000
    IAT \SystemRoot\System32\Drivers\ae0md5dc.SYS[HAL.dll!KfRaiseIrql] 00001CB1
    IAT \SystemRoot\System32\Drivers\ae0md5dc.SYS[HAL.dll!KfLowerIrql] 0E798366
    IAT \SystemRoot\System32\Drivers\ae0md5dc.SYS[HAL.dll!HalGetInterruptVector] 74AAB000
    IAT \SystemRoot\System32\Drivers\ae0md5dc.SYS[HAL.dll!HalTranslateBusAddress] 8986C636
    IAT \SystemRoot\System32\Drivers\ae0md5dc.SYS[HAL.dll!KeStallExecutionProcessor] 1A00001C
    IAT \SystemRoot\System32\Drivers\ae0md5dc.SYS[HAL.dll!KfReleaseSpinLock] 1C8B86C6
    IAT \SystemRoot\System32\Drivers\ae0md5dc.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] C6020000
    IAT \SystemRoot\System32\Drivers\ae0md5dc.SYS[HAL.dll!READ_PORT_USHORT] 001C9686
    IAT \SystemRoot\System32\Drivers\ae0md5dc.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 86C60200
    IAT \SystemRoot\System32\Drivers\ae0md5dc.SYS[HAL.dll!WRITE_PORT_UCHAR] 00001CB2
    IAT \SystemRoot\System32\Drivers\ae0md5dc.SYS[WMILIB.SYS!WmiSystemControl] 8800001C
    IAT \SystemRoot\System32\Drivers\ae0md5dc.SYS[WMILIB.SYS!WmiCompleteRequest] 001CB99E
    0
  16. RastaRaquette
     
    Rapport 2/3

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\WINDOWS\System32\svchost.exe[608] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegQueryValueExW] 81EC8B55
    IAT C:\WINDOWS\System32\svchost.exe[608] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorDacl] 000814EC
    IAT C:\WINDOWS\System32\svchost.exe[608] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetEntriesInAclW] 6A575300
    IAT C:\WINDOWS\System32\svchost.exe[608] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorGroup] FF335B04
    IAT C:\WINDOWS\System32\svchost.exe[608] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorOwner] 6A575757
    IAT C:\WINDOWS\System32\svchost.exe[608] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!InitializeSecurityDescriptor] 7D895701
    IAT C:\WINDOWS\System32\svchost.exe[608] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!GetTokenInformation] F045C7F8
    IAT C:\WINDOWS\System32\svchost.exe[608] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!OpenProcessToken] 00004E20
    IAT C:\WINDOWS\System32\svchost.exe[608] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!OpenThreadToken] FFFC5D89
    IAT C:\WINDOWS\System32\svchost.exe[608] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetServiceStatus] 40208015
    IAT C:\WINDOWS\System32\svchost.exe[608] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegisterServiceCtrlHandlerW] F4458900
    IAT C:\WINDOWS\System32\svchost.exe[608] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegCloseKey] 840FC73B
    IAT C:\WINDOWS\System32\svchost.exe[608] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegOpenKeyExW] 00000132
    IAT C:\WINDOWS\System32\svchost.exe[608] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!StartServiceCtrlDispatcherW] 94358B56
    IAT C:\WINDOWS\System32\svchost.exe[608] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!WideCharToMultiByte] 458D53D6
    IAT C:\WINDOWS\System32\svchost.exe[608] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrlenW] 066A50F0
    IAT C:\WINDOWS\System32\svchost.exe[608] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LocalFree] FFF475FF
    IAT C:\WINDOWS\System32\svchost.exe[608] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentProcess] 458D53D6
    IAT C:\WINDOWS\System32\svchost.exe[608] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentThread] 056A50F0
    IAT C:\WINDOWS\System32\svchost.exe[608] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetProcAddress] FFF475FF
    IAT C:\WINDOWS\System32\svchost.exe[608] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LoadLibraryExW] 0C5D8BD6
    IAT C:\WINDOWS\System32\svchost.exe[608] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LCMapStringW] EC858D00
    IAT C:\WINDOWS\System32\svchost.exe[608] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!FreeLibrary] 68FFFFF7
    IAT C:\WINDOWS\System32\svchost.exe[608] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcpyW] 00000800
    IAT C:\WINDOWS\System32\svchost.exe[608] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!ExpandEnvironmentStringsW] AC15FF50
    IAT C:\WINDOWS\System32\svchost.exe[608] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcmpiW] 83004020
    IAT C:\WINDOWS\System32\svchost.exe[608] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!ExitProcess] 07EB10C4
    IAT C:\WINDOWS\System32\svchost.exe[608] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCommandLineW] F7EC85C6
    IAT C:\WINDOWS\System32\svchost.exe[608] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!InitializeCriticalSection] 5700FFFF
    IAT C:\WINDOWS\System32\svchost.exe[608] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetProcessHeap] 0C320068
    IAT C:\WINDOWS\System32\svchost.exe[608] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!SetErrorMode] 8DFF6A8C
    IAT C:\WINDOWS\System32\svchost.exe[608] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!SetUnhandledExceptionFilter] FFF7EC85
    IAT C:\WINDOWS\System32\svchost.exe[608] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!RegisterWaitForSingleObject] 75FF50FF
    IAT C:\WINDOWS\System32\svchost.exe[608] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!InterlockedCompareExchange] F475FF08
    IAT C:\WINDOWS\System32\svchost.exe[608] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LoadLibraryA] 209015FF
    IAT C:\WINDOWS\System32\svchost.exe[608] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!QueryPerformanceCounter] F08B0040
    IAT C:\WINDOWS\System32\svchost.exe[608] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetTickCount] 3BF87589
    IAT C:\WINDOWS\System32\svchost.exe[608] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentThreadId] A9840FF7
    IAT C:\WINDOWS\System32\svchost.exe[608] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentProcessId] 39000000
    IAT C:\WINDOWS\System32\svchost.exe[608] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetSystemTimeAsFileTime] 1F75087B
    IAT C:\WINDOWS\System32\svchost.exe[608] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!TerminateProcess] FC458D57
    IAT C:\WINDOWS\System32\svchost.exe[608] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!UnhandledExceptionFilter] EC458D50
    IAT C:\WINDOWS\System32\svchost.exe[608] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LocalAlloc] 00056850
    IAT C:\WINDOWS\System32\svchost.exe[608] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcmpW] FF562000
    IAT C:\WINDOWS\System32\svchost.exe[608] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!DelayLoadFailureHook] 40208C15
    IAT C:\WINDOWS\System32\svchost.exe[608] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtQuerySecurityObject] EC458B06
    IAT C:\WINDOWS\System32\svchost.exe[608] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlFreeHeap] 8D084389
    IAT C:\WINDOWS\System32\svchost.exe[608] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtOpenKey] 6850FC45
    IAT C:\WINDOWS\System32\svchost.exe[608] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcscat] 00000800
    IAT C:\WINDOWS\System32\svchost.exe[608] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcscpy] F7EC858D
    IAT C:\WINDOWS\System32\svchost.exe[608] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlAllocateHeap] 5650FFFF
    IAT C:\WINDOWS\System32\svchost.exe[608] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlCompareUnicodeString] 208815FF
    IAT C:\WINDOWS\System32\svchost.exe[608] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlInitUnicodeString] 4EEB0040
    IAT C:\WINDOWS\System32\svchost.exe[608] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlInitializeSid] 74FC7D39
    IAT C:\WINDOWS\System32\svchost.exe[608] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlLengthRequiredSid] 04438B5E
    IAT C:\WINDOWS\System32\svchost.exe[608] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlSubAuthoritySid] 8BFC4503
    IAT C:\WINDOWS\System32\svchost.exe[608] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtClose] FF565033
    IAT C:\WINDOWS\System32\svchost.exe[608] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlSubAuthorityCountSid] 4020A815
    IAT C:\WINDOWS\System32\svchost.exe[608] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlGetDaclSecurityDescriptor] 89595900
    IAT C:\WINDOWS\System32\svchost.exe[608] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlQueryInformationAcl] 74C73B03
    IAT C:\WINDOWS\System32\svchost.exe[608] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlGetAce] 047B8B37
    IAT C:\WINDOWS\System32\svchost.exe[608] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlImageNtHeader] 03FC4D8B
    IAT C:\WINDOWS\System32\svchost.exe[608] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcslen] ECB58DF8
    IAT C:\WINDOWS\System32\svchost.exe[608] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlUnhandledExceptionFilter] F3FFFFF7
    IAT C:\WINDOWS\System32\svchost.exe[608] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlCopySid] FC458BA4
    IAT C:\WINDOWS\System32\svchost.exe[608] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIfEx] 6850FC45
    IAT C:\WINDOWS\System32\svchost.exe[608] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtWaitServerListen] 00000800
    IAT C:\WINDOWS\System32\svchost.exe[608] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtSetServerStackSize] F7EC858D
    IAT C:\WINDOWS\System32\svchost.exe[608] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIf] FF50FFFF
    IAT C:\WINDOWS\System32\svchost.exe[608] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerListen] 15FFF875
    IAT C:\WINDOWS\System32\svchost.exe[608] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUseProtseqEpW] [00402088] C:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation)
    IAT C:\WINDOWS\System32\svchost.exe[608] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerRegisterIf] C085FF33
    IAT C:\WINDOWS\System32\svchost.exe[608] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!I_RpcMapWin32Status] 0FEBAE75
    IAT C:\WINDOWS\System32\svchost.exe[608] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtStopServerListening] 0874F73B
    IAT C:\WINDOWS\system32\services.exe[756] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003B0002
    IAT C:\WINDOWS\system32\services.exe[756] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003B0000
    IAT C:\Program Files\Internet Explorer\iexplore.exe[2156] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [00ED1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)
    IAT C:\WINDOWS\System32\svchost.exe[3964] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegQueryValueExW] 51EC8B55
    IAT C:\WINDOWS\System32\svchost.exe[3964] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorDacl] 1845DB51
    IAT C:\WINDOWS\System32\svchost.exe[3964] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetEntriesInAclW] F855DD56
    IAT C:\WINDOWS\System32\svchost.exe[3964] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorGroup] E8084DDC
    IAT C:\WINDOWS\System32\svchost.exe[3964] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorOwner] 000004D2
    IAT C:\WINDOWS\System32\svchost.exe[3964] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!InitializeSecurityDescriptor] FF184589
    IAT C:\WINDOWS\System32\svchost.exe[3964] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!GetTokenInformation] [40516015] C:\WINDOWS\system32\WININET.dll (Internet Extensions for Win32/Microsoft Corporation)
    IAT C:\WINDOWS\System32\svchost.exe[3964] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!OpenProcessToken] F845DD00
    IAT C:\WINDOWS\System32\svchost.exe[3964] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!OpenThreadToken] 8B104DDC
    IAT C:\WINDOWS\System32\svchost.exe[3964] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetServiceStatus] 1865DAF0
    IAT C:\WINDOWS\System32\svchost.exe[3964] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegisterServiceCtrlHandlerW] 0004B9E8
    IAT C:\WINDOWS\System32\svchost.exe[3964] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegCloseKey] 8BC88B00
    IAT C:\WINDOWS\System32\svchost.exe[3964] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegOpenKeyExW] F74199C6
    IAT C:\WINDOWS\System32\svchost.exe[3964] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!StartServiceCtrlDispatcherW] C28B5EF9
    IAT C:\WINDOWS\System32\svchost.exe[3964] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!WideCharToMultiByte] 2B08244C
    IAT C:\WINDOWS\System32\svchost.exe[3964] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrlenW] 9904244C
    IAT C:\WINDOWS\System32\svchost.exe[3964] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LocalFree] 8BF9F741
    IAT C:\WINDOWS\System32\svchost.exe[3964] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentProcess] 244403C2
    IAT C:\WINDOWS\System32\svchost.exe[3964] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentThread] FF56C304
    IAT C:\WINDOWS\System32\svchost.exe[3964] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetProcAddress] [40516015] C:\WINDOWS\system32\WININET.dll (Internet Extensions for Win32/Microsoft Corporation)
    IAT C:\WINDOWS\System32\svchost.exe[3964] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LoadLibraryExW] 244C8B00
    IAT C:\WINDOWS\System32\svchost.exe[3964] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LCMapStringW] 244403C1
    IAT C:\WINDOWS\System32\svchost.exe[3964] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!FreeLibrary] 15FFC308
    IAT C:\WINDOWS\System32\svchost.exe[3964] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcpyW] [00405160] C:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation)
    IAT C:\WINDOWS\System32\svchost.exe[3964] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!ExpandEnvironmentStringsW] 04244C8B
    IAT C:\WINDOWS\System32\svchost.exe[3964] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcmpiW] F9F74199
    IAT C:\WINDOWS\System32\svchost.exe[3964] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!ExitProcess] FFC3C28B
    IAT C:\WINDOWS\System32\svchost.exe[3964] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCommandLineW] [40516015] C:\WINDOWS\system32\WININET.dll (Internet Extensions for Win32/Microsoft Corporation)
    IAT C:\WINDOWS\System32\svchost.exe[3964] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!InitializeCriticalSection] 646A9900
    IAT C:\WINDOWS\System32\svchost.exe[3964] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetProcessHeap] 33F9F759
    IAT C:\WINDOWS\System32\svchost.exe[3964] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!SetErrorMode] 24543BC0
    IAT C:\WINDOWS\System32\svchost.exe[3964] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!SetUnhandledExceptionFilter] C09C0F04
    IAT C:\WINDOWS\System32\svchost.exe[3964] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!RegisterWaitForSingleObject] EC8B55C3
    IAT C:\WINDOWS\System32\svchost.exe[3964] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!InterlockedCompareExchange] 0204EC81
    IAT C:\WINDOWS\System32\svchost.exe[3964] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LoadLibraryA] 68560000
    IAT C:\WINDOWS\System32\svchost.exe[3964] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!QueryPerformanceCounter] 00000100
    IAT C:\WINDOWS\System32\svchost.exe[3964] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetTickCount] 515815FF
    IAT C:\WINDOWS\System32\svchost.exe[3964] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentThreadId] 8B590040
    IAT C:\WINDOWS\System32\svchost.exe[3964] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentProcessId] 00FFB8F0
    IAT C:\WINDOWS\System32\svchost.exe[3964] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetSystemTimeAsFileTime] 8D500000
    IAT C:\WINDOWS\System32\svchost.exe[3964] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!TerminateProcess] FFFEFC8D
    IAT C:\WINDOWS\System32\svchost.exe[3964] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!UnhandledExceptionFilter] C93351FF
    IAT C:\WINDOWS\System32\svchost.exe[3964] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LocalAlloc] 558D5151
    IAT C:\WINDOWS\System32\svchost.exe[3964] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcmpW] 8D5052FC
    IAT C:\WINDOWS\System32\svchost.exe[3964] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!DelayLoadFailureHook] FFFDFC85
    IAT C:\WINDOWS\System32\svchost.exe[3964] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtQuerySecurityObject] [40504415] C:\WINDOWS\system32\WININET.dll (Internet Extensions for Win32/Microsoft Corporation)
    IAT C:\WINDOWS\System32\svchost.exe[3964] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlFreeHeap] 56216A00
    IAT C:\WINDOWS\System32\svchost.exe[3964] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtOpenKey] FFFC75FF
    IAT C:\WINDOWS\System32\svchost.exe[3964] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcscat] [40515C15] C:\WINDOWS\system32\WININET.dll (Internet Extensions for Win32/Microsoft Corporation)
    IAT C:\WINDOWS\System32\svchost.exe[3964] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcscpy] 0CC48300
    IAT C:\WINDOWS\System32\svchost.exe[3964] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlAllocateHeap] C01BD8F7
    IAT C:\WINDOWS\System32\svchost.exe[3964] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlCompareUnicodeString] C95EC623
    IAT C:\WINDOWS\System32\svchost.exe[3964] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlInitUnicodeString] EC8B55C3
    IAT C:\WINDOWS\System32\svchost.exe[3964] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlInitializeSid] 458B5151
    IAT C:\WINDOWS\System32\svchost.exe[3964] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlLengthRequiredSid] 33565308
    IAT C:\WINDOWS\System32\svchost.exe[3964] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlSubAuthoritySid] 57C88BF6
    IAT C:\WINDOWS\System32\svchost.exe[3964] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtClose] 33FC7589
    IAT C:\WINDOWS\System32\svchost.exe[3964] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlSubAuthorityCountSid] 01518DFF
    IAT C:\WINDOWS\System32\svchost.exe[3964] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlGetDaclSecurityDescriptor] 8441198A
    IAT C:\WINDOWS\System32\svchost.exe[3964] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlQueryInformationAcl] 2BF975DB
    IAT C:\WINDOWS\System32\svchost.exe[3964] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlGetAce] 802974CA
    IAT C:\WINDOWS\System32\svchost.exe[3964] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlImageNtHeader] 7420063C
    IAT C:\WINDOWS\System32\svchost.exe[3964] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcslen] 75FF850A
    IAT C:\WINDOWS\System32\svchost.exe[3964] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlUnhandledExceptionFilter] 45FF470C
    IAT C:\WINDOWS\System32\svchost.exe[3964] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlCopySid] 8506EBFC
    IAT C:\WINDOWS\System32\svchost.exe[3964] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIfEx] 46C88BFF
    IAT C:\WINDOWS\System32\svchost.exe[3964] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtWaitServerListen] 8A01518D
    IAT C:\WINDOWS\System32\svchost.exe[3964] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtSetServerStackSize] DB844119
    IAT C:\WINDOWS\System32\svchost.exe[3964] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIf] CA2BF975
    IAT C:\WINDOWS\System32\svchost.exe[3964] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerListen] D772F13B
    IAT C:\WINDOWS\System32\svchost.exe[3964] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUseProtseqEpW] 5FFC458B
    IAT C:\WINDOWS\System32\svchost.exe[3964] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerRegisterIf] C3C95B5E
    IAT C:\WINDOWS\System32\svchost.exe[3964] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!I_RpcMapWin32Status] 83EC8B55
    IAT C:\WINDOWS\System32\svchost.exe[3964] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtStopServerListening] 56530CEC
    0
  17. RastaRaquette
     
    Rapport 3/3

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs 861D4798

    AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

    Device \FileSystem\Fastfat \FatCdrom 85CCE500
    Device \Driver\sptd \Device\4251334232 spdz.sys

    AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

    Device \Driver\usbohci \Device\USBPDO-0 85EC21F8
    Device \Driver\usbohci \Device\USBPDO-1 85EC21F8
    Device \Driver\usbehci \Device\USBPDO-2 85EA91F8
    Device \Driver\PCI_PNP4232 \Device\00000046 spdz.sys
    Device \Driver\PCI_PNP4232 \Device\00000046 spdz.sys

    AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

    Device \Driver\USBSTOR \Device\00000070 85CC2500
    Device \Driver\Ftdisk \Device\HarddiskVolume1 861681F8
    Device \Driver\USBSTOR \Device\00000071 85CC2500
    Device \Driver\Ftdisk \Device\HarddiskVolume2 861681F8
    Device \Driver\Cdrom \Device\CdRom0 85E921F8
    Device \Driver\Ftdisk \Device\HarddiskVolume3 861681F8
    Device \Driver\Cdrom \Device\CdRom1 85E921F8
    Device \Driver\atapi \Device\Ide\IdePort0 [F71FEB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdePort1 [F71FEB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdePort2 [F71FEB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdePort3 [F71FEB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdePort4 [F71FEB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdePort5 [F71FEB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdeDeviceP5T0L0-14 [F71FEB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\USBSTOR \Device\00000074 85CC2500
    Device \Driver\NetBT \Device\NetBt_Wins_Export 856541F8
    Device \Driver\NetBT \Device\NetbiosSmb 856541F8

    AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
    AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

    Device \Driver\NetBT \Device\NetBT_Tcpip_{FCCC2066-BE36-4E2B-9B89-928F3A3C6C42} 856541F8
    Device \Driver\USBSTOR \Device\0000006b 85CC2500
    Device \Driver\usbohci \Device\USBFDO-0 85EC21F8
    Device \Driver\USBSTOR \Device\0000006d 85CC2500
    Device \Driver\usbohci \Device\USBFDO-1 85EC21F8
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 856A81F8
    Device \Driver\USBSTOR \Device\0000006e 85CC2500
    Device \Driver\usbehci \Device\USBFDO-2 85EA91F8
    Device \FileSystem\MRxSmb \Device\LanmanRedirector 856A81F8
    Device \Driver\USBSTOR \Device\0000006f 85CC2500
    Device \Driver\Ftdisk \Device\FtControl 861681F8
    Device \Driver\ae0md5dc \Device\Scsi\ae0md5dc1Port6Path0Target0Lun0 85DA0500
    Device \Driver\ae0md5dc \Device\Scsi\ae0md5dc1 85DA0500
    Device \FileSystem\Fastfat \Fat 85CCE500

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

    Device \FileSystem\Cdfs \Cdfs 85BDF500

    ---- Services - GMER 1.0.15 ----

    Service (*** hidden *** ) [BOOT] chjry <-- ROOTKIT !!!

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Services\chjry@Type 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\chjry@Start 0
    Reg HKLM\SYSTEM\CurrentControlSet\Services\chjry@ErrorControl 0
    Reg HKLM\SYSTEM\CurrentControlSet\Services\chjry@Group Boot Bus Extender
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMONTools\
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x28 0x15 0xA0 0x58 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x72 0x06 0x25 0xD4 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xD1 0x4D 0x17 0xA2 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\chjry@Type 1
    Reg HKLM\SYSTEM\ControlSet002\Services\chjry@Start 0
    Reg HKLM\SYSTEM\ControlSet002\Services\chjry@ErrorControl 0
    Reg HKLM\SYSTEM\ControlSet002\Services\chjry@Group Boot Bus Extender
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMONTools\
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x28 0x15 0xA0 0x58 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x72 0x06 0x25 0xD4 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xD1 0x4D 0x17 0xA2 ...

    ---- EOF - GMER 1.0.15 ----
    0
  18. gen-hackman
     
    tiens on a attrappé avast en rootkit !! ^^
    0
  • 1
  • 2
  • 3
  • 4