Help with a ComboFix report please
funksobrother
Hello,
I have just run ComboFix; could someone tell me whether anything else needs to be done after reading this report, or whether my PC is clean?
Thanks
ComboFix 10-11-01.05 - herbrete 02/11/2010 21:00:38.1.2 - x86
Microsoft Windows XP Professionnel 5.1.2600.3.1252.33.1036.18.3044.2283 [GMT 1:00]
Lancé depuis: c:\documents and settings\herbrete\Bureau\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.
(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\pe.dll
c:\windows\system32\wpcap.dll
.
((((((((((((((((((((((((((((((((((((((( Pilotes/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_NPF
-------\Service_NPF
((((((((((((((((((((((((((((( Fichiers créés du 2010-10-02 au 2010-11-02 ))))))))))))))))))))))))))))))))))))
.
2010-11-01 20:58 . 2010-11-01 20:58 -------- d-----w- c:\program files\Ad-Remover
2010-11-01 06:32 . 2010-11-01 06:32 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Thunderbird
2010-11-01 06:32 . 2010-11-01 06:32 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Thunderbird
2010-11-01 06:32 . 2010-11-01 06:32 -------- d-----r- c:\documents and settings\NetworkService\Favoris
2010-10-30 22:17 . 2010-10-30 22:17 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-10-30 22:17 . 2010-10-30 22:17 -------- d-----r- c:\documents and settings\LocalService\Favoris
2010-10-30 08:13 . 2010-10-30 08:13 -------- d-----w- c:\documents and settings\herbrete\Application Data\Malwarebytes
2010-10-30 08:13 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-30 08:13 . 2010-10-30 08:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-10-30 08:13 . 2010-10-30 08:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-30 08:13 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-18 12:42 . 2010-10-18 12:42 -------- d-----w- c:\program files\GPSBabel
2010-10-09 08:16 . 2010-10-30 07:48 -------- d-----w- C:\BOOTCOPYPOOL.BIN
2010-10-08 07:36 . 2010-10-08 07:39 -------- d-----w- c:\program files\Quantum GIS Tethys
2010-10-04 05:29 . 2010-10-04 05:29 -------- d-----w- c:\documents and settings\All Users\Application Data\regid.1986-12.com.adobe
2010-10-03 22:10 . 2010-10-03 22:10 -------- d-----w- c:\documents and settings\All Users\Application Data\ALM
2010-10-03 22:02 . 2010-03-27 16:06 67032 ----a-w- c:\program files\Mozilla Firefox\plugins\npContribute.dll
.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Le Petit Robert V3 Hyperappel"="c:\program files\Le Robert\Le Petit Robert 2009\RobertHA.exe" [2008-07-14 251152]
"Google Update"="c:\documents and settings\herbrete\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-10-31 135664]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2008-07-10 1351680]
"IntelWireless"="c:\program files\Fichiers communs\Intel\WirelessCommon\iFrmewrk.exe" [2008-07-10 1191936]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-12-21 200704]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-08-01 13537280]
"nwiz"="nwiz.exe" [2008-08-01 1630208]
"NVHotkey"="nvHotkey.dll" [2008-08-01 90112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-08-01 86016]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2008-05-22 442467]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2008-05-20 466944]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"ccApp"="c:\program files\Fichiers communs\Symantec Shared\ccApp.exe" [2006-07-19 52896]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-11-14 125536]
"picon"="c:\program files\Fichiers communs\Intel\Privacy Icon\PrivacyIconClient.exe" [2008-06-19 367128]
"Atempo"="c:\program files\Atempo\LiveBackup\atrayind.exe" [2010-01-07 126976]
"Atempo2"="c:\program files\Atempo\LiveBackup\wcheck.exe" [2010-01-07 15360]
"ISUSPM"="c:\program files\Fichiers communs\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 213936]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-05-23 128296]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-14 644696]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-03 1603152]
"EEventManager"="c:\program files\EPSON\Creativity Suite\Event Manager\EEventManager.exe" [2005-04-08 102400]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-04 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-08 305440]
"TkBellExe"="c:\program files\Fichiers communs\Real\Update_OB\realsched.exe" [2009-10-01 198160]
"ArcSoft Connection Service"="c:\program files\Fichiers communs\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2007-10-11 31232]
"GIZMO2"="c:\program files\GIZMO2\GIZMO.exe" [2008-11-17 2229512]
"AdobeCS5ServiceManager"="c:\program files\Fichiers communs\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"SwitchBoard"="c:\program files\Fichiers communs\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\herbrete\Menu D'marrer\Programmes\D'marrage\
DesktopEarth AutoStart.lnk - c:\documents and settings\herbrete\Application Data\Microsoft\Installer\{D87176E9-ECD0-48C6-8E8B-B0054781DFB4}\_2B52280D74B238E888B1F2.exe [2009-4-29 29926]
c:\documents and settings\All Users\Menu D'marrer\Programmes\D'marrage\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]
iFinger 2.0.lnk - c:\program files\iFinger\iFinger.exe [2009-4-9 1596928]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-4-8 813584]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
2004-12-16 14:33 24672 ----a-w- c:\windows\system32\ckpNotify.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 10:28 72208 ----a-w- c:\program files\Fichiers communs\Logishrd\Bluetooth\LBTWLgn.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0ntscan D:\LiveBackup Cache"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeAAMUpdater-1.0]
2010-03-06 01:44 500208 ------w- c:\program files\Fichiers communs\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-09-16 20:04 1164584 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-01-11 13:21 246504 ----a-w- c:\program files\Fichiers communs\Java\Java Update\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Service.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\scc.exe"=
"c:\\WINDOWS\\system32\\cba\\pds.exe"=
"c:\\WINDOWS\\system32\\msgsys.exe"=
"c:\\Program Files\\LANDesk\\LDClient\\issuser.exe"=
"c:\\Program Files\\LANDesk\\LDClient\\tmcsvc.exe"=
"c:\\Program Files\\LowRateVoip\\LowRateVoip.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpctr.exe"=
"c:\\Program Files\\CheckPoint\\SSL Network Extender\\slimsvc.exe"=
"c:\\Program Files\\LANDesk\\Shared Files\\residentagent.exe"=
"c:\\Program Files\\Le Robert\\Le Petit Robert 2009\\RobertHA.exe"=
R0 SAFilter;LiveBackup Filter;c:\windows\system32\drivers\safilter.sys [08/01/2010 12:02 93208]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [18/09/2009 08:10 721904]
R2 Amnt;Live Backup Network Service;c:\program files\Atempo\LiveBackup\amnt.exe [07/01/2010 15:52 155648]
R2 CBA8;LANDesk(R) Management Agent;c:\program files\LANDesk\Shared Files\residentAgent.exe [02/06/2008 09:42 155648]
R2 cpextender;Check Point SSL Network Extender;c:\program files\CheckPoint\SSL Network Extender\slimsvc.exe [14/01/2009 12:14 353680]
R2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [31/07/2008 21:41 808296]
R2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [31/07/2008 21:41 21352]
R2 LANDesk Policy Invoker;LANDesk Policy Invoker;c:\program files\LANDesk\LDClient\policy.client.invoker.exe [07/04/2009 13:40 118784]
R2 OCS INVENTORY;OCS INVENTORY SERVICE;c:\program files\OCS Inventory Agent\OcsService.exe [27/02/2007 20:32 61440]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [14/11/2006 15:50 119904]
R2 Scap;SecureClient Application Policy Module;c:\windows\system32\drivers\scap.sys [28/10/2008 17:37 17456]
R2 Softmon;LANDesk(R) Software Monitoring Service;c:\program files\LANDesk\LDClient\SoftMon.exe [07/04/2009 13:40 331776]
R2 UNS;Intel(R) Active Management Technology User Notification Service;c:\program files\Fichiers communs\Intel\Privacy Icon\UNS\UNS.exe [11/12/2008 11:54 2058776]
R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [28/10/2008 17:37 670128]
R2 WEngine;Live Backup Client Service;c:\program files\Atempo\LiveBackup\wengine.exe [07/01/2010 15:45 479232]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [28/10/2008 15:43 108160]
R3 cvusbdrv;Broadcom USH CV;c:\windows\system32\drivers\cvusbdrv.sys [28/10/2008 17:01 32808]
R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [28/10/2008 15:02 244368]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Fichiers communs\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [05/06/2010 09:27 102448]
R3 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [28/10/2008 17:37 2041904]
R3 ldblank;Screen Blanking driver for Remote Control;c:\windows\system32\drivers\ldblank.sys [07/04/2009 13:40 11904]
R3 ldmirror;ldmirror;c:\windows\system32\drivers\ldmirror.sys [07/04/2009 13:40 3328]
R3 mirrorflt;Mirror Filter Driver for Uninstall;c:\windows\system32\drivers\mirrorflt.sys [07/04/2009 13:40 3712]
R3 OA001Ufd;Creative Camera OA001 Upper Filter Driver;c:\windows\system32\drivers\OA001Ufd.sys [28/10/2008 15:05 144672]
R3 OA001Vid;Creative Camera OA001 Function Driver;c:\windows\system32\drivers\OA001Vid.sys [28/10/2008 15:05 277504]
R3 VNA;Check Point Virtual Network Adapter;c:\windows\system32\drivers\vna.sys [14/01/2009 12:14 126808]
S2 gupdate1c9b920f011fd6;Service Google Update (gupdate1c9b920f011fd6);c:\program files\Google\Update\GoogleUpdate.exe [09/04/2009 15:32 133104]
S3 DreSrvc;Live Backup Disaster Recovery;c:\program files\Atempo\LiveBackup\DRESrvc.exe [07/01/2010 15:54 53248]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;\??\c:\documents and settings\Administrateur\Bureau\everest460\kerneld.wnt --> c:\documents and settings\Administrateur\Bureau\everest460\kerneld.wnt [?]
S3 LBCHost;Live Backup Recovery Service;c:\program files\Atempo\LiveBackup\LBCHost.exe [07/01/2010 15:45 35840]
S3 OMVA;VPN-1 SecureClient Adapter;c:\windows\system32\drivers\OMVA.sys [28/10/2008 17:37 14924]
S3 SwitchBoard;SwitchBoard;c:\program files\Fichiers communs\Adobe\SwitchBoard\SwitchBoard.exe [19/02/2010 12:37 517096]
S3 TrmbTS;TrimbleTS Driver (TrmbTS.sys);c:\windows\system32\drivers\TrmbTS.sys [09/02/2010 16:04 23040]
S3 TRMUSB5K;Trimble USB GPS Driver;c:\windows\system32\drivers\TRMUSB5K.SYS [09/02/2010 16:04 9881]
.
Contenu du dossier 'Tâches planifiées'
2010-11-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cac6eb2205e4ca.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-09 14:32]
2010-11-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-09 14:32]
2010-11-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1845010707-2387731409-2327566850-4114Core.job
- c:\documents and settings\herbrete\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-11 17:20]
2010-11-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1845010707-2387731409-2327566850-4114UA.job
- c:\documents and settings\herbrete\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-11 17:20]
.
.
------- Examen supplémentaire -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xporter vers Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\herbrete\Application Data\Mozilla\Firefox\Profiles\e2mx9yf4.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Wikipédia (fr)
FF - prefs.js: browser.startup.homepage - hxxp://www.google.fr/ig?tab=mw&hl=fr&source=iglk
FF - prefs.js: keyword.URL - hxxp://fr.search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - prefs.js: network.proxy.type - 2
FF - component: c:\documents and settings\herbrete\Application Data\Mozilla\Firefox\Profiles\e2mx9yf4.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\documents and settings\herbrete\Application Data\Mozilla\Firefox\Profiles\e2mx9yf4.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - component: c:\documents and settings\herbrete\Application Data\Mozilla\Firefox\Profiles\e2mx9yf4.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc_fireftp.dll
FF - component: c:\program files\Adobe\Adobe Contribute CS5\Plugins\FirefoxPlugin\{01A8CA0A-4C96-465b-A49B-65C46FAD54F9}\components\Contribute.dll
FF - plugin: c:\documents and settings\herbrete\Local Settings\Application Data\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npContribute.dll
---- PARAMETRES FIREFOX ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHELINS SUPPRIMES - - - -
HKCU-Run-AdobeBridge - (no file)
MSConfigStartUp-0 - c:\docume~1\herbrete\LOCALS~1\Temp\0.41166492136869937.exe
AddRemove-DAEMON Tools Toolbar - c:\program files\DAEMON Tools Toolbar\uninst.exe
AddRemove-ImageSkillBackgroundRemover_Demo - c:\program files\Adobe\Adobe Photoshop CS3\Plug-Ins\ImageSkill\BackgroundRemover_Demo\uninstall.exe
AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files\DivX\DivXCodecUninstall.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-02 21:16
Windows 5.1.2600 Service Pack 3 NTFS
Recherche de processus cachés ...
Recherche d'éléments en démarrage automatique cachés ...
Recherche de fichiers cachés ...
Scan terminé avec succès
Fichiers cachés: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.1 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Hitachi_HTS723225L9A362 rev.FCDOC30F -> \Device\Ide\IdePort0
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8AC36446]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8ac3c504]; MOV EAX, [0x8ac3c580]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8AD03AB8]
3 CLASSPNP[0xBA908FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8AD05258]
\Driver\atapi[0x8AC433E8] -> IRP_MJ_CREATE -> 0x8AC36446
error: Read Le fichier spécifié est introuvable.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected hooks:
\Device\Ide\IdeDeviceP2T0L0-7 -> \??\IDE#DiskHitachi_HTS723225L9A362_________________FCDOC30F#3930323037314346443330304a4e35473037444c#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
\Driver\atapi DriverStartIo -> 0x8AC36292
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
Filesystem trace:
called modules: ntkrnlpa.exe hal.dll fltmgr.sys eeCtrl.sys SYMEVENT.SYS SAFilter.sys sr.sys >>UNKNOWN [0x8AD931F8]<<
_asm { MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX; PUSH 0x8ad93008; MOV EAX, 0xba6b804c; CALL EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8AD2A480]
3 fltmgr[0xBA5B6E95] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A0E6150]
5 SYMEVENT[0xACEEF73B] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8AD07020]
7 SAFilter[0xBA58C2C2] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8AC4FDD0]
9 sr[0xBA5A6870] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8AD00A30]
11 fltmgr[0xBA5C36BD] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8AD0C020]
\FileSystem\Ntfs[0x8AD0BC10] -> IRP_MJ_CREATE -> 0x8AD931F8
Registry trace:
called modules: ntkrnlpa.exe spes.sys hal.dll >>UNKNOWN [0x8ADB58B0]<<
_asm { PUSH EBP; MOV EBP, ESP; JMP 0xfffffffff5805bf3; }
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EverestDriver]
"ImagePath"="\??\c:\documents and settings\Administrateur\Bureau\everest460\kerneld.wnt"
.
--------------------- CLES DE REGISTRE BLOQUEES ---------------------
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h-€|ÿÿÿÿ¤*€|ù*9~*]
"C040110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
--------------------- DLLs chargées dans les processus actifs ---------------------
- - - - - - - > 'winlogon.exe'(1136)
c:\program files\fichiers communs\logishrd\bluetooth\LBTWlgn.dll
c:\program files\fichiers communs\logishrd\bluetooth\LBTServ.dll
c:\windows\system32\netprovcredman.dll
- - - - - - - > 'explorer.exe'(3460)
c:\program files\Logitech\SetPoint\lgscroll.dll
.
------------------------ Autres processus actifs ------------------------
.
c:\program files\Intel\WiFi\bin\S24EvMon.exe
c:\program files\Fichiers communs\Symantec Shared\ccSetMgr.exe
c:\program files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
c:\program files\Fichiers communs\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\idt\dellxpm09b_6017v022\wdm\stacsv.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Fichiers communs\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\LANDesk\LDClient\LocalSch.EXE
c:\windows\system32\CBA\pds.exe
c:\program files\LANDesk\LDCLient\tmcsvc.exe
c:\progra~1\LANDesk\LDCLient\issuser.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Intel\AMT\LMS.exe
c:\program files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\Fichiers communs\Intel\WirelessCommon\RegSrvc.exe
c:\program files\CheckPoint\SecuRemote\bin\SR_Service.exe
c:\progra~1\LANDesk\LDClient\collector.exe
c:\program files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Atempo\LiveBackup\WVRULES.EXE
c:\program files\Atempo\LiveBackup\NAMESYNC.EXE
c:\program files\Intel\WiFi\bin\WLKeeper.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\progra~1\LANDesk\LDCLient\rcgui.exe
c:\program files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
c:\windows\system32\rundll32.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\DellTPad\HidFind.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\DellTPad\Apntex.exe
c:\program files\Atempo\LiveBackup\WACCESS.EXE
c:\program files\DesktopEarth\DesktopEarth.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Fichiers communs\Logishrd\KHAL2\KHALMNPR.EXE
.
**************************************************************************
.
Heure de fin: 2010-11-02 21:26:28 - La machine a redémarré
ComboFix-quarantined-files.txt 2010-11-02 20:26
Avant-CF: 52 412 121 088 octets libres
Après-CF: 52 465 000 448 octets libres
WindowsXP-KB310994-SP2-Pro-BootDisk-FRA.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professionnel" /noexecute=optin /fastdetect
- - End Of File - - DE8F010FA8D058C5E8FBC18971F4553C
R2 OCS INVENTORY;OCS INVENTORY SERVICE;c:\program files\OCS Inventory Agent\OcsService.exe [27/02/2007 20:32 61440]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [14/11/2006 15:50 119904]
R2 Scap;SecureClient Application Policy Module;c:\windows\system32\drivers\scap.sys [28/10/2008 17:37 17456]
R2 Softmon;LANDesk(R) Software Monitoring Service;c:\program files\LANDesk\LDClient\SoftMon.exe [07/04/2009 13:40 331776]
R2 UNS;Intel(R) Active Management Technology User Notification Service;c:\program files\Fichiers communs\Intel\Privacy Icon\UNS\UNS.exe [11/12/2008 11:54 2058776]
R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [28/10/2008 17:37 670128]
R2 WEngine;Live Backup Client Service;c:\program files\Atempo\LiveBackup\wengine.exe [07/01/2010 15:45 479232]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [28/10/2008 15:43 108160]
R3 cvusbdrv;Broadcom USH CV;c:\windows\system32\drivers\cvusbdrv.sys [28/10/2008 17:01 32808]
R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [28/10/2008 15:02 244368]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Fichiers communs\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [05/06/2010 09:27 102448]
R3 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [28/10/2008 17:37 2041904]
R3 ldblank;Screen Blanking driver for Remote Control;c:\windows\system32\drivers\ldblank.sys [07/04/2009 13:40 11904]
R3 ldmirror;ldmirror;c:\windows\system32\drivers\ldmirror.sys [07/04/2009 13:40 3328]
R3 mirrorflt;Mirror Filter Driver for Uninstall;c:\windows\system32\drivers\mirrorflt.sys [07/04/2009 13:40 3712]
R3 OA001Ufd;Creative Camera OA001 Upper Filter Driver;c:\windows\system32\drivers\OA001Ufd.sys [28/10/2008 15:05 144672]
R3 OA001Vid;Creative Camera OA001 Function Driver;c:\windows\system32\drivers\OA001Vid.sys [28/10/2008 15:05 277504]
R3 VNA;Check Point Virtual Network Adapter;c:\windows\system32\drivers\vna.sys [14/01/2009 12:14 126808]
S2 gupdate1c9b920f011fd6;Service Google Update (gupdate1c9b920f011fd6);c:\program files\Google\Update\GoogleUpdate.exe [09/04/2009 15:32 133104]
S3 DreSrvc;Live Backup Disaster Recovery;c:\program files\Atempo\LiveBackup\DRESrvc.exe [07/01/2010 15:54 53248]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;\??\c:\documents and settings\Administrateur\Bureau\everest460\kerneld.wnt --> c:\documents and settings\Administrateur\Bureau\everest460\kerneld.wnt [?]
S3 LBCHost;Live Backup Recovery Service;c:\program files\Atempo\LiveBackup\LBCHost.exe [07/01/2010 15:45 35840]
S3 OMVA;VPN-1 SecureClient Adapter;c:\windows\system32\drivers\OMVA.sys [28/10/2008 17:37 14924]
S3 SwitchBoard;SwitchBoard;c:\program files\Fichiers communs\Adobe\SwitchBoard\SwitchBoard.exe [19/02/2010 12:37 517096]
S3 TrmbTS;TrimbleTS Driver (TrmbTS.sys);c:\windows\system32\drivers\TrmbTS.sys [09/02/2010 16:04 23040]
S3 TRMUSB5K;Trimble USB GPS Driver;c:\windows\system32\drivers\TRMUSB5K.SYS [09/02/2010 16:04 9881]
.
Contenu du dossier 'Tâches planifiées'
2010-11-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cac6eb2205e4ca.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-09 14:32]
2010-11-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-09 14:32]
2010-11-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1845010707-2387731409-2327566850-4114Core.job
- c:\documents and settings\herbrete\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-11 17:20]
2010-11-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1845010707-2387731409-2327566850-4114UA.job
- c:\documents and settings\herbrete\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-11 17:20]
.
.
------- Examen supplémentaire -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xporter vers Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\herbrete\Application Data\Mozilla\Firefox\Profiles\e2mx9yf4.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Wikipédia (fr)
FF - prefs.js: browser.startup.homepage - hxxp://www.google.fr/ig?tab=mw&hl=fr&source=iglk
FF - prefs.js: keyword.URL - hxxp://fr.search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - prefs.js: network.proxy.type - 2
FF - component: c:\documents and settings\herbrete\Application Data\Mozilla\Firefox\Profiles\e2mx9yf4.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\documents and settings\herbrete\Application Data\Mozilla\Firefox\Profiles\e2mx9yf4.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - component: c:\documents and settings\herbrete\Application Data\Mozilla\Firefox\Profiles\e2mx9yf4.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc_fireftp.dll
FF - component: c:\program files\Adobe\Adobe Contribute CS5\Plugins\FirefoxPlugin\{01A8CA0A-4C96-465b-A49B-65C46FAD54F9}\components\Contribute.dll
FF - plugin: c:\documents and settings\herbrete\Local Settings\Application Data\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npContribute.dll
---- PARAMETRES FIREFOX ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHELINS SUPPRIMES - - - -
HKCU-Run-AdobeBridge - (no file)
MSConfigStartUp-0 - c:\docume~1\herbrete\LOCALS~1\Temp\0.41166492136869937.exe
AddRemove-DAEMON Tools Toolbar - c:\program files\DAEMON Tools Toolbar\uninst.exe
AddRemove-ImageSkillBackgroundRemover_Demo - c:\program files\Adobe\Adobe Photoshop CS3\Plug-Ins\ImageSkill\BackgroundRemover_Demo\uninstall.exe
AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files\DivX\DivXCodecUninstall.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-02 21:16
Windows 5.1.2600 Service Pack 3 NTFS
Recherche de processus cachés ...
Recherche d'éléments en démarrage automatique cachés ...
Recherche de fichiers cachés ...
Scan terminé avec succès
Fichiers cachés: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.1 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Hitachi_HTS723225L9A362 rev.FCDOC30F -> \Device\Ide\IdePort0
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8AC36446]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8ac3c504]; MOV EAX, [0x8ac3c580]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8AD03AB8]
3 CLASSPNP[0xBA908FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8AD05258]
\Driver\atapi[0x8AC433E8] -> IRP_MJ_CREATE -> 0x8AC36446
error: Read Le fichier spécifié est introuvable.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected hooks:
\Device\Ide\IdeDeviceP2T0L0-7 -> \??\IDE#DiskHitachi_HTS723225L9A362_________________FCDOC30F#3930323037314346443330304a4e35473037444c#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
\Driver\atapi DriverStartIo -> 0x8AC36292
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
Filesystem trace:
called modules: ntkrnlpa.exe hal.dll fltmgr.sys eeCtrl.sys SYMEVENT.SYS SAFilter.sys sr.sys >>UNKNOWN [0x8AD931F8]<<
_asm { MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX; PUSH 0x8ad93008; MOV EAX, 0xba6b804c; CALL EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8AD2A480]
3 fltmgr[0xBA5B6E95] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A0E6150]
5 SYMEVENT[0xACEEF73B] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8AD07020]
7 SAFilter[0xBA58C2C2] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8AC4FDD0]
9 sr[0xBA5A6870] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8AD00A30]
11 fltmgr[0xBA5C36BD] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8AD0C020]
\FileSystem\Ntfs[0x8AD0BC10] -> IRP_MJ_CREATE -> 0x8AD931F8
Registry trace:
called modules: ntkrnlpa.exe spes.sys hal.dll >>UNKNOWN [0x8ADB58B0]<<
_asm { PUSH EBP; MOV EBP, ESP; JMP 0xfffffffff5805bf3; }
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EverestDriver]
"ImagePath"="\??\c:\documents and settings\Administrateur\Bureau\everest460\kerneld.wnt"
.
--------------------- CLES DE REGISTRE BLOQUEES ---------------------
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h-€|ÿÿÿÿ¤*€|ù*9~*]
"C040110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
--------------------- DLLs chargées dans les processus actifs ---------------------
- - - - - - - > 'winlogon.exe'(1136)
c:\program files\fichiers communs\logishrd\bluetooth\LBTWlgn.dll
c:\program files\fichiers communs\logishrd\bluetooth\LBTServ.dll
c:\windows\system32\netprovcredman.dll
- - - - - - - > 'explorer.exe'(3460)
c:\program files\Logitech\SetPoint\lgscroll.dll
.
------------------------ Autres processus actifs ------------------------
.
c:\program files\Intel\WiFi\bin\S24EvMon.exe
c:\program files\Fichiers communs\Symantec Shared\ccSetMgr.exe
c:\program files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
c:\program files\Fichiers communs\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\idt\dellxpm09b_6017v022\wdm\stacsv.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Fichiers communs\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\LANDesk\LDClient\LocalSch.EXE
c:\windows\system32\CBA\pds.exe
c:\program files\LANDesk\LDCLient\tmcsvc.exe
c:\progra~1\LANDesk\LDCLient\issuser.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Intel\AMT\LMS.exe
c:\program files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\Fichiers communs\Intel\WirelessCommon\RegSrvc.exe
c:\program files\CheckPoint\SecuRemote\bin\SR_Service.exe
c:\progra~1\LANDesk\LDClient\collector.exe
c:\program files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Atempo\LiveBackup\WVRULES.EXE
c:\program files\Atempo\LiveBackup\NAMESYNC.EXE
c:\program files\Intel\WiFi\bin\WLKeeper.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\progra~1\LANDesk\LDCLient\rcgui.exe
c:\program files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
c:\windows\system32\rundll32.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\DellTPad\HidFind.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\DellTPad\Apntex.exe
c:\program files\Atempo\LiveBackup\WACCESS.EXE
c:\program files\DesktopEarth\DesktopEarth.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Fichiers communs\Logishrd\KHAL2\KHALMNPR.EXE
.
**************************************************************************
.
Heure de fin: 2010-11-02 21:26:28 - La machine a redémarré
ComboFix-quarantined-files.txt 2010-11-02 20:26
Avant-CF: 52 412 121 088 octets libres
Après-CF: 52 465 000 448 octets libres
WindowsXP-KB310994-SP2-Pro-BootDisk-FRA.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professionnel" /noexecute=optin /fastdetect
- - End Of File - - DE8F010FA8D058C5E8FBC18971F4553C