TR/ Rootkit Gen impossible à supprimer Fermé

Question

Bonjour, 


Je travaille sous Vista et mon antivirus Antivir a depuis quelques jours détecté le Rootkit Gen sur le fichier qxueiz.sys dans le dossier drivers de System 32. Je pense l'avoir contracté en téléchargeant un fichier rar de sous-titres de film. J'ai essayé toutes les méthodes pour supprimer les rootkit indiquées sur ce lien https://www.commentcamarche.net/faq/14963-supprimer-les-rootkits (spybot, gmer, malwarebytes, superantipyware, désactivation de la restauration, combofix). Gmer faisait éteindre l'ordinateur et les autres programmes me disaient que le virus était mis en quarantaine et supprimé avec succès. Cependant le fichier est toujours présent et le virus à nouveau détecté une fois que je redémarre l'ordinateur. 

Je ne sais plus quoi faire à présent, si ce n'est détruire le fichier manuellement mais je ne sais pas quelle seront les conséquences et s'il existe des fichiers cachés. 

Je poste de le rapport de Combofix pour info:
ComboFix 10-06-03.01 - Steph 05/06/2010  13:03:25.1.2 - x86
Microsoft® Windows Vista(TM) Home Premium   6.0.6002.2.1252.33.1031.18.2038.1211 [GMT 2:00]
Lancé depuis: c:\users\Steph\Desktop\ComboFix.exe
SP: Windows-Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
 * Un nouveau point de restauration a été créé
.

(((((((((((((((((((((((((((((   Fichiers créés du 2010-05-05 au 2010-06-05  ))))))))))))))))))))))))))))))))))))
.

2010-06-04 14:18 . 2009-05-07 07:04	157712	----a-w-	c:\windows\system32\drivers	mcomm.sys
2010-06-04 13:43 . 2009-03-24 14:07	55640	----a-w-	c:\windows\system32\drivers\avgntflt.sys
2010-06-04 13:43 . 2010-06-04 16:28	--------	d-----w-	c:\program files\Avira
2010-06-03 18:36 . 2010-06-03 18:36	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware(19)
2010-05-31 17:59 . 2010-05-31 17:59	8463808	----a-w-	c:\users\Steph\AppData\Roaming\Azureus	mp\AZU15104.tmp\Vuze_4.4.0.4_win32.exe
2010-05-26 07:18 . 2010-04-23 14:13	2048	----a-w-	c:\windows\system32	zres.dll
2010-05-12 06:54 . 2010-01-29 15:40	738816	----a-w-	c:\windows\system32\inetcomm.dll

.
((((((((((((((((((((((((((((((((((   Compte-rendu de Find3M   ))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-05 10:52 . 2009-07-21 12:33	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2010-06-05 08:57 . 2008-06-11 16:08	--------	d-----w-	c:\programdata\Google Updater
2010-06-04 17:44 . 2008-02-15 17:16	--------	d-----w-	c:\users\Steph\AppData\Roaming\Skype
2010-06-04 16:29 . 2008-10-17 07:10	--------	d-----w-	c:\program files\Common Files\Wise Installation Wizard
2010-06-04 16:28 . 2008-10-17 07:12	--------	d-----w-	c:\program files\Lavasoft
2010-06-04 14:19 . 2008-10-17 07:01	--------	d-----w-	c:\program files\Spybot - Search & Destroy
2010-06-04 14:19 . 2008-10-17 07:01	--------	d-----w-	c:\programdata\Spybot - Search & Destroy
2010-06-04 14:00 . 2009-04-30 13:36	--------	d-----w-	c:\users\Steph\AppData\Roaming\skypePM
2010-06-04 07:07 . 2009-06-01 13:46	--------	d-----w-	c:\program files\Microsoft Silverlight
2010-06-04 06:36 . 2008-04-24 15:31	--------	d-----w-	c:\programdata\Roxio
2010-05-31 19:31 . 2008-11-14 15:48	--------	d-----w-	c:\users\Steph\AppData\Roaming\Azureus
2010-05-25 15:36 . 2007-08-06 07:58	--------	d-----w-	c:\programdata\Microsoft Help
2010-05-13 07:12 . 2007-08-03 14:24	--------	d-----w-	c:\program files\Google
2010-05-12 19:17 . 2006-11-02 11:18	--------	d-----w-	c:\program files\Windows Mail
2010-05-12 09:21 . 2009-10-03 09:37	221568	------w-	c:\windows\system32\MpSigStub.exe
2010-05-07 13:42 . 2008-11-14 15:47	--------	d-----w-	c:\program files\Vuze
2010-04-30 17:03 . 2006-11-02 15:33	653582	----a-w-	c:\windows\system32\perfh007.dat
2010-04-30 17:03 . 2006-11-02 15:33	141996	----a-w-	c:\windows\system32\perfc007.dat
2010-04-24 05:36 . 2008-01-29 09:17	80440	----a-w-	c:\users\Steph\AppData\Local\GDIPFONTCACHEV1.DAT
.

(((((((((((((((((((((((((((((((((   Points de chargement Reg   ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"NSUFloatingUI"="c:\program files\Sony\Network Utility\LANUtil.exe" [2008-11-05 262144]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-11 68856]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1150596.exe" [2009-04-29 468408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BigDogPath"="c:\windows\VM_STI.EXE %;USB\VID_0AC8&PID_0302.DeviceDesc%" [X]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-30 137752]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-30 154136]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-30 133656]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2007-06-10 118784]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2007-06-11 317560]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-12-14 30192]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"Norton Save and Restore 2.0"="c:\program files\Norton Save and Restore\Agent\VProTray.exe" [2007-02-13 2020968]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-14 644696]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-03 1603152]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]
"WrtMon.exe"="c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 20480]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2006-11-12 157592]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-02-23 278528]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-05 155648]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"TkBellExe"="c:\program files\Common Files\Real\Update_OBealsched.exe" [2009-07-15 198160]

c:\users\Steph\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 - Capture d''cran et lancement.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
NETGEAR WG111v2 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v2\WG111v2.exe [2006-7-30 1101824]
TrayMin315.exe.lnk - c:\program files\Philips\Philips SPC315NC Webcam\TrayMin315.exe [2008-2-27 278528]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon
otify\VESWinlogon]
2007-07-24 17:26	98304	----a-w-	c:\windows\System32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):94,8e,23,be,b2,20,ca,01

R0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2008-04-25 639224]
R2 gupdate;Service Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 135664]
R2 NewServiceInstall1;NewServiceInstall1;c:\program files\SDL International\T2007\TT\Lng\Dialogs1031.lng [x]
R3 BT4501G;SpeedTouch 121g Wireless USB Adapter Driver;c:\windows\system32\DRIVERS\BT4501G.sys [2006-07-27 357568]
R3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2009-12-14 30192]
R3 Norton Save and Restore;Norton Save and Restore;c:\program files\Norton Save and Restore\Agent\VProSvc.exe [2007-02-13 2655848]
R3 PDNMp50;PDNMp50 NDIS Protocol Driver;c:\windows\system32\drivers\PDNMp50.sys [2006-11-28 28224]
R3 PDNSp50;PDNSp50 NDIS Protocol Driver;c:\windows\system32\drivers\PDNSp50.sys [2006-11-28 27072]
R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\DRIVERS\wg111v2.sys [2006-03-27 167808]
R3 VAIOMediaPlatform-UCLS-AppServer;VAIO Media Content Collection;c:\program files\Sony\VAIO Media Integrated Server\UCLS.exe [2007-01-10 745472]
R3 VAIOMediaPlatform-UCLS-HTTP;VAIO Media Content Collection (HTTP);c:\program files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe [2007-06-20 397312]
R3 VAIOMediaPlatform-UCLS-UPnP;VAIO Media Content Collection (UPnP);c:\program files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe [2007-06-20 1089536]
R3 VUAgent;VUAgent;c:\program files\Sony\VAIO Update 5\VUAgent.exe [2009-12-08 673136]
S2 ABBYY.Licensing.FineReader.Professional.9.0;Service de licence ABBYY FineReader 9.0;c:\program files\ABBYY FineReader 9.0\NetworkLicenseServer.exe [2007-09-24 566560]
S2 NSUService;NSUService;c:\program files\Sony\Network Utility\NSUService.exe [2008-11-03 299008]
S2 VcmIAlzMgr;VAIO Content Metadata Intelligent Analyzing Manager;c:\program files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe [2007-07-05 292152]
S3 ti21sony;ti21sony;c:\windows\system32\drivers	i21sony.sys [2007-06-06 812544]


--- Autres Services/Pilotes en mémoire ---

*Deregistered* - qxueiz

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation	REG_MULTI_SZ   	FontCache

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 11:32	128512	----a-w-	c:\windows\System32\advpack.dll
.
Contenu du dossier 'Tâches planifiées'

2010-06-05 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-06-11 07:40]

2010-06-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 08:54]

2010-06-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 08:54]

2010-06-05 c:\windows\Tasks\User_Feed_Synchronization-{66FAA27C-FDB8-4F7D-9022-14133F595845}.job
- c:\windows\system32\msfeedssync.exe [2010-03-31 04:54]
.
.
------- Examen supplémentaire -------
.
uStart Page = hxxp://www.yahoo.fr/
mStart Page = hxxp://alice.aol.de
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
Trusted Zone: aeat.es
Trusted Zone: elsteronline.de\www
TCP: {FDFB222E-FB89-4793-BCBB-48C0246D5C11} = 192.168.1.1
DPF: {B785FA3C-1DE9-4D20-8396-613C486FE95E} - hxxps://www5.aeat.es/es13/h/cactivex.cab
FF - ProfilePath - c:\users\Steph\AppData\Roaming\Mozilla\Firefox\Profiles\4uz8cnc0.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.fr/
FF - plugin: c:\program files\Google\Google Earth\plugin
pgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592
pCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23
pGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- PARAMETRES FIREFOX ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHELINS SUPPRIMES - - - -

HKCU-Run-Le Petit Robert Hyperappel - c:\program files\Le Robert\Le Petit Robert\prhyper.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-05 13:15
Windows 6.0.6002 Service Pack 2 NTFS

Recherche de processus cachés ... 

Recherche d'éléments en démarrage automatique cachés ... 

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  Le Petit Robert Hyperappel = c:\program files\Le Robert\Le Petit Robert\prhyper.exe?w????<???????g??w??????/?f?r?-?F?R????3/???/??2/?,???H?????/??2/?????<??????@????H??J??????/?<?????1?H?????????/?????????T ?w?????????]????????/???1???????1?????????<???0??w:???????????D???D???????H??w 

Recherche de fichiers cachés ... 

Scan terminé avec succès
Fichiers cachés: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\NewServiceInstall1]
"ImagePath"="\"c:\program files\SDL International\T2007\TT\Lng\Dialogs1031.lng\""

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\qxueiz]

.
--------------------- CLES DE REGISTRE BLOQUEES ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Heure de fin: 2010-06-05  13:19:14
ComboFix-quarantined-files.txt  2010-06-05 11:18

Avant-CF: 13 Verzeichnis(se), 129 628 233 728 Bytes frei
Après-CF: 18 Verzeichnis(se), 129 899 982 848 Bytes frei

- - End Of File - - 37F0DB40AAE0D0CBC5C64FE3AF44E7BE

Je remercie d'avance la personne qui voudra bien m'aider. Cet ordinateur est mon ordinateur de travail et j'espère ne pas l'avoir complètement infecté.

Malekal_morte- · Answer

Salut,

Spybot et SuperAntispyware servent à rien.
Tu pourras les désinstaller.


Sauvegarde tes données car on est pas à l'abbri d'un plantage!


* Telecharge:: http://www.geekstogo.com/forum/files/file/393-the-avenger-by-swandog46/  
-> http://www.geekstogo.com/forum/files/file/393-the-avenger-by-swandog46/  

* dezippe le , Lance l'épée , executer en tant qu'administrateur sous vista   

Dans le cadre , sous Input Script here , copie_colle le contenu du cadre ci dessous et clic execute:  

begin copying here:  
Drivers to delete:  
qxueiz
Files to delete:  
c:\windows\system32\drivers\qxueiz.sys  

* Après le re-démarrage, il crée un fichier log qui s'ouvrira,que tu posteras dans ta prochaine reponse, faisant apparaitre les actions exécutées par The Avenger. Ce fichier log se trouve ici : C:\avenger.txt

stefberlin · Answer

Désolé de répondre si tardivement mais mon ordinateur a planté plusieurs fois avant que je puisse réaliser la manipulation. 

J'ai finalement pu, même si l'ordinateur n'a pas pu redémarrer normalement et a cherché à effectuer des réparations. 

Mais j'ai finalement eu le log suivant :
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "qxueiz" deleted successfully.
File "c:\windows\system32\drivers\qxueiz.sys" deleted successfully.

Completed script processing.

*******************

Finished!  Terminate.

Cependant, Antivir s'est déclenché et m'a indiqué que le virus Rootkit Gen dans le programme Avenger. J'ai coché alors "Supprimer le fichier", je ne sais pas si c'était la bonne manipulation à faire.

J'ai toutefois regardé dans le répertoire C/Windows/System 32/drivers et le fichier infecté a disparu.

Est-ce qu'il a complètement disparu ?

Malekal_morte- · Answer

yep ça doit être bon.

Refais un Combofix histoire de :)
file le rapport ici.

stefberlin · Answer

Voici le rapport Combofix: 
ComboFix 10-06-06.03 - Steph 07/06/2010  10:15:54.2.2 - x86
Microsoft® Windows Vista(TM) Home Premium   6.0.6002.2.1252.33.1031.18.2038.1096 [GMT 2:00]
Lancé depuis: c:\users\Steph\Desktop\ComboFix.exe
SP: Windows-Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
 * Un nouveau point de restauration a été créé
.

(((((((((((((((((((((((((((((   Fichiers créés du 2010-05-07 au 2010-06-07  ))))))))))))))))))))))))))))))))))))
.

2010-06-07 08:25 . 2010-06-07 08:26	--------	d-----w-	c:\users\Steph\AppData\Local	emp
2010-06-07 08:25 . 2010-06-07 08:25	--------	d-----w-	c:\users\Public\AppData\Local	emp
2010-06-07 08:25 . 2010-06-07 08:25	--------	d-----w-	c:\users\Default\AppData\Local	emp
2010-06-05 11:32 . 2010-06-05 11:42	56816	----a-w-	c:\windows\system32\drivers\avgntflt.sys
2010-06-05 11:32 . 2009-03-30 08:32	96104	----a-w-	c:\windows\system32\drivers\avipbb.sys
2010-06-05 11:32 . 2010-06-05 11:32	--------	d-----w-	c:\programdata\Avira
2010-06-04 14:18 . 2009-05-07 07:04	157712	----a-w-	c:\windows\system32\drivers	mcomm.sys
2010-06-04 13:43 . 2010-06-04 16:28	--------	d-----w-	c:\program files\Avira
2010-06-03 18:36 . 2010-06-03 18:36	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware(19)
2010-05-31 17:59 . 2010-05-31 17:59	8463808	----a-w-	c:\users\Steph\AppData\Roaming\Azureus	mp\AZU15104.tmp\Vuze_4.4.0.4_win32.exe
2010-05-26 07:18 . 2010-04-23 14:13	2048	----a-w-	c:\windows\system32	zres.dll
2010-05-12 06:54 . 2010-01-29 15:40	738816	----a-w-	c:\windows\system32\inetcomm.dll

.
((((((((((((((((((((((((((((((((((   Compte-rendu de Find3M   ))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-07 07:06 . 2008-02-15 17:16	--------	d-----w-	c:\users\Steph\AppData\Roaming\Skype
2010-06-07 06:34 . 2009-04-30 13:36	--------	d-----w-	c:\users\Steph\AppData\Roaming\skypePM
2010-06-07 06:30 . 2008-06-11 16:08	--------	d-----w-	c:\programdata\Google Updater
2010-06-05 17:15 . 2006-11-02 15:33	653582	----a-w-	c:\windows\system32\perfh007.dat
2010-06-05 17:15 . 2006-11-02 15:33	141996	----a-w-	c:\windows\system32\perfc007.dat
2010-06-05 10:52 . 2009-07-21 12:33	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2010-06-04 16:29 . 2008-10-17 07:10	--------	d-----w-	c:\program files\Common Files\Wise Installation Wizard
2010-06-04 16:28 . 2008-10-17 07:12	--------	d-----w-	c:\program files\Lavasoft
2010-06-04 14:19 . 2008-10-17 07:01	--------	d-----w-	c:\program files\Spybot - Search & Destroy
2010-06-04 14:19 . 2008-10-17 07:01	--------	d-----w-	c:\programdata\Spybot - Search & Destroy
2010-06-04 07:07 . 2009-06-01 13:46	--------	d-----w-	c:\program files\Microsoft Silverlight
2010-06-04 06:36 . 2008-04-24 15:31	--------	d-----w-	c:\programdata\Roxio
2010-05-31 19:31 . 2008-11-14 15:48	--------	d-----w-	c:\users\Steph\AppData\Roaming\Azureus
2010-05-25 15:36 . 2007-08-06 07:58	--------	d-----w-	c:\programdata\Microsoft Help
2010-05-13 07:12 . 2007-08-03 14:24	--------	d-----w-	c:\program files\Google
2010-05-12 19:17 . 2006-11-02 11:18	--------	d-----w-	c:\program files\Windows Mail
2010-05-12 09:21 . 2009-10-03 09:37	221568	------w-	c:\windows\system32\MpSigStub.exe
2010-05-07 13:42 . 2008-11-14 15:47	--------	d-----w-	c:\program files\Vuze
2010-04-24 05:36 . 2008-01-29 09:17	80440	----a-w-	c:\users\Steph\AppData\Local\GDIPFONTCACHEV1.DAT
.

(((((((((((((((((((((((((((((   SnapShot@2010-06-05_11.15.30   )))))))))))))))))))))))))))))))))))))))))
.
- 2009-03-30 05:49 . 2010-06-04 14:13	16384              c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-03-30 05:49 . 2010-06-05 17:11	16384              c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-03-30 05:49 . 2010-06-04 14:13	32768              c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-03-30 05:49 . 2010-06-05 17:11	32768              c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-03-30 05:49 . 2010-06-05 17:11	16384              c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-03-30 05:49 . 2010-06-04 14:13	16384              c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-06-05 10:58 . 2010-06-05 10:58	2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2010-06-07 08:08 . 2010-06-07 08:08	2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2010-06-05 10:58 . 2010-06-05 10:58	2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2010-06-07 08:08 . 2010-06-07 08:08	2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-03-25 13:51 . 2010-06-07 07:53	245760              c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2009-03-25 13:51 . 2010-06-04 14:26	245760              c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
.
(((((((((((((((((((((((((((((((((   Points de chargement Reg   ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"NSUFloatingUI"="c:\program files\Sony\Network Utility\LANUtil.exe" [2008-11-05 262144]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-11 68856]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1150596.exe" [2009-04-29 468408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BigDogPath"="c:\windows\VM_STI.EXE %;USB\VID_0AC8&PID_0302.DeviceDesc%" [X]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-30 137752]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-30 154136]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-30 133656]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2007-06-10 118784]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2007-06-11 317560]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-12-14 30192]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"Norton Save and Restore 2.0"="c:\program files\Norton Save and Restore\Agent\VProTray.exe" [2007-02-13 2020968]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-14 644696]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-03 1603152]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]
"WrtMon.exe"="c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 20480]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2006-11-12 157592]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-02-23 278528]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-05 155648]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"TkBellExe"="c:\program files\Common Files\Real\Update_OBealsched.exe" [2009-07-15 198160]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

c:\users\Steph\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 - Capture d''cran et lancement.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
NETGEAR WG111v2 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v2\WG111v2.exe [2006-7-30 1101824]
TrayMin315.exe.lnk - c:\program files\Philips\Philips SPC315NC Webcam\TrayMin315.exe [2008-2-27 278528]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon
otify\VESWinlogon]
2007-07-24 17:26	98304	----a-w-	c:\windows\System32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):94,8e,23,be,b2,20,ca,01

R0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2008-04-25 639224]
R2 gupdate;Service Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 135664]
R2 NewServiceInstall1;NewServiceInstall1;c:\program files\SDL International\T2007\TT\Lng\Dialogs1031.lng [x]
R3 BT4501G;SpeedTouch 121g Wireless USB Adapter Driver;c:\windows\system32\DRIVERS\BT4501G.sys [2006-07-27 357568]
R3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2009-12-14 30192]
R3 Norton Save and Restore;Norton Save and Restore;c:\program files\Norton Save and Restore\Agent\VProSvc.exe [2007-02-13 2655848]
R3 PDNMp50;PDNMp50 NDIS Protocol Driver;c:\windows\system32\drivers\PDNMp50.sys [2006-11-28 28224]
R3 PDNSp50;PDNSp50 NDIS Protocol Driver;c:\windows\system32\drivers\PDNSp50.sys [2006-11-28 27072]
R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\DRIVERS\wg111v2.sys [2006-03-27 167808]
R3 VAIOMediaPlatform-UCLS-AppServer;VAIO Media Content Collection;c:\program files\Sony\VAIO Media Integrated Server\UCLS.exe [2007-01-10 745472]
R3 VAIOMediaPlatform-UCLS-HTTP;VAIO Media Content Collection (HTTP);c:\program files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe [2007-06-20 397312]
R3 VAIOMediaPlatform-UCLS-UPnP;VAIO Media Content Collection (UPnP);c:\program files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe [2007-06-20 1089536]
R3 VUAgent;VUAgent;c:\program files\Sony\VAIO Update 5\VUAgent.exe [2009-12-08 673136]
S2 ABBYY.Licensing.FineReader.Professional.9.0;Service de licence ABBYY FineReader 9.0;c:\program files\ABBYY FineReader 9.0\NetworkLicenseServer.exe [2007-09-24 566560]
S2 AntiVirSchedulerService;Avira AntiVir Planificateur;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-06-05 108289]
S2 NSUService;NSUService;c:\program files\Sony\Network Utility\NSUService.exe [2008-11-03 299008]
S2 VcmIAlzMgr;VAIO Content Metadata Intelligent Analyzing Manager;c:\program files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe [2007-07-05 292152]
S3 ti21sony;ti21sony;c:\windows\system32\drivers	i21sony.sys [2007-06-06 812544]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation	REG_MULTI_SZ   	FontCache

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 11:32	128512	----a-w-	c:\windows\System32\advpack.dll
.
Contenu du dossier 'Tâches planifiées'

2010-06-07 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-06-11 07:40]

2010-06-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 08:54]

2010-06-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 08:54]

2010-06-07 c:\windows\Tasks\User_Feed_Synchronization-{66FAA27C-FDB8-4F7D-9022-14133F595845}.job
- c:\windows\system32\msfeedssync.exe [2010-03-31 04:54]
.
.
------- Examen supplémentaire -------
.
uStart Page = hxxp://www.yahoo.fr/
mStart Page = hxxp://alice.aol.de
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
Trusted Zone: aeat.es
Trusted Zone: elsteronline.de\www
TCP: {FDFB222E-FB89-4793-BCBB-48C0246D5C11} = 192.168.1.1
DPF: {B785FA3C-1DE9-4D20-8396-613C486FE95E} - hxxps://www5.aeat.es/es13/h/cactivex.cab
FF - ProfilePath - c:\users\Steph\AppData\Roaming\Mozilla\Firefox\Profiles\4uz8cnc0.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.fr/
FF - plugin: c:\program files\Google\Google Earth\plugin
pgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592
pCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23
pGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- PARAMETRES FIREFOX ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-07 10:26
Windows 6.0.6002 Service Pack 2 NTFS

Recherche de processus cachés ... 

Recherche d'éléments en démarrage automatique cachés ... 

Recherche de fichiers cachés ... 

Scan terminé avec succès
Fichiers cachés: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\NewServiceInstall1]
"ImagePath"="\"c:\program files\SDL International\T2007\TT\Lng\Dialogs1031.lng\""
.
--------------------- CLES DE REGISTRE BLOQUEES ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Heure de fin: 2010-06-07  10:29:52
ComboFix-quarantined-files.txt  2010-06-07 08:29
ComboFix2.txt  2010-06-05 11:19

Avant-CF: 18 Verzeichnis(se), 128 806 150 144 Bytes frei
Après-CF: 19 Verzeichnis(se), 128 804 065 280 Bytes frei

- - End Of File - - B632C916A4EA4587185C76A0A6ED48C5

Ca a l'air d'avoir fonctionné. 
Encore une question : dois-je réactiver la restauration du système ?

TR/ Rootkit Gen impossible à supprimer

4 réponses

Discussions similaires