Aide MalwareFermé

Question

Bonjour, 

Alors voilà j'ai un gros problème avec un trojan qui me bouffe mon système et qui apparemment refuse de partir, il se trouve sur mon PC portable, là je suis sur le fixe, et donc j'ais scanné mon pc avec malware histoire de les supprimés (oui y'en avait 5) donc je fais affiché les résultats, puis supprimé la sélection, et redémarrage car certains trojans nécessité pour leur suppression un redémarrage il me propose démarer windows normalement et la BOOM écran bleu erreur irrécupérable, je redémarre encore, je prend démarrer windows normalement une nouvelle fois et là ca marche, je relance Malware et hop encore 5 trojans les mêmes au vu des rapports, et justement ces trojans de merde il me bouffe la connexion internet, je ne peu plus navigué sans que ca ram, par contre dès que j'éteins le pc portable et que je navigue depuis le fixe pas de prob c'est fluide, parfait, vous avez une solution siuou plait ?

gen-hackman · Answer

salut c est quoi le nom des trojans ?

Benjamin89140 · Answer

Celui qui demande redémarrage s'appelle Trojan.vundo.H

gen-hackman · Answer

/!\ ATTENTION SUIVRE A LA LETTRE CES INDICATIONS/!\ __________________________________________________________ >Ce logiciel n'est à utiliser que prescrit par un helper qualifié et formé à l'outil.< >>>>>>>Ne pas utiliser en dehors de ce cas de figure : dangereux!<<<<<<<< ===================================================== ▶ Surtout , pense à l'enregistrement à renommer Combofix en "ton prenom.exe" avant qu'il soit enregistré sur ton disque dur Telecharge ici : Combofix Avant d'utiliser ComboFix : Les logiciels d'émulation de CD comme Daemon Tools peuvent gêner les outils de désinfection. Utilise Defogger pour les désactiver temporairement : ▶ Télécharge Defogger (de jpshortstuff) sur ton Bureau ▶ Lance le Une fenêtre apparait : clique sur "Disable" ▶ Fais redémarrer l'ordinateur si l'outil te le demande Note : Quand nous aurons terminé la désinfection, tu pourras réactiver ces logiciels en relançant Defogger et en cliquant sur "Re-enable" _________________________________________________________ >> referme les fenêtres de tous les programmes en cours. >> Désactive provisoirement et seulement le temps de l'utilisation de ComboFix, >>la protection en temps réel de ton Antivirus et de tes Antispywares, >>qui peuvent gêner fortement la procédure de recherche et de nettoyage de l'outil. °°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°° si tu as XP => double clique si tu as Vista ou windows 7 => clic droit "executer en tant que...." sur combofix renommé ▶ !!!!!NE TOUCHE A RIEN PENDANT LE TRAVAIL DE COMBOFIX (SOURIS/CLAVIER.....)!!!!! ▶ n'oublie pas de reactiver la garde de ton Antivirus et de tes Antispywares, avant de te reconnecter à internet. ▶▶ Reviens sur le forum, et copie et colle la totalité du contenu de C:\Combofix.txt dans ton prochain message.

Benjamin89140 · Answer

Bonsoir, oulala je reviens d'une longue soirée passé le pc portable je tourné à 6 ko/Sec pour dl les logiciels, mais c'est bon tout est bien supprimé, je pouvais plus aller sur internet après le redémarrage de combofix et ont me disait que le registre ne me le permettais pas un truc comme ca, mais là internet parait fluide, ca à l'air d'aller, y' avait pas mal de fichiers et dossiers supprimer^^ en tout cas merci à toi, je te vénère !^^

gen-hackman · Answer

je peux lire le rapport ? ve n est pas fini

Benjamin89140 · Answer

Je voudrai bien, mais je ne le trouve pas à l'emplacement indiqué ?

gen-hackman · Answer

hello

C:\Combofix.txt

Benjamin89140 · Answer

ComboFix 10-12-09.08 - marchier 11/12/2010  10:54:05.2.2 - x86
Microsoft® Windows Vista(TM) Édition Familiale Premium   6.0.6002.2.1252.33.1036.18.3000.1555 [GMT 1:00]
Lancé depuis: c:\users\marchier\dwhelper\Desktop\Benjamin.exe.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((   Autres suppressions   ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\unrar.exe
c:\windows\system32\config\systemprofile\AppData\Roaming\02000000227c0a001079C.manifest
c:\windows\system32\config\systemprofile\AppData\Roaming\02000000227c0a001079O.manifest
c:\windows\system32\config\systemprofile\AppData\Roaming\02000000227c0a001079P.manifest
c:\windows\system32\config\systemprofile\AppData\Roaming\02000000227c0a001079S.manifest
c:\windows\system32\config\systemprofile\AppData\Roaming\CD21.tmp

.
(((((((((((((((((((((((((((((   Fichiers créés du 2010-11-11 au 2010-12-11  ))))))))))))))))))))))))))))))))))))
.

2010-12-11 10:01 . 2010-12-11 10:03	--------	d-----w-	c:\users\marchier\AppData\Local	emp
2010-12-11 10:01 . 2010-12-11 10:01	--------	d-----w-	c:\windows\system32\config\systemprofile\AppData\Local	emp
2010-12-11 10:01 . 2010-12-11 10:01	--------	d-----w-	c:\users\Default\AppData\Local	emp
2010-12-10 20:01 . 2010-11-10 04:33	6273872	----a-w-	c:\programdata\Microsoft\Windows Defender\Definition Updates\{23231612-706E-4CF5-B42F-1598E1C8B56E}\mpengine.dll
2010-12-09 17:56 . 2010-12-11 09:52	--------	d-----w-	c:\programdata\2026374954
2010-12-05 14:00 . 2010-12-08 22:11	--------	d-sh--w-	c:\programdata\5F3DCFEF685089DA36696111AC6425ED
2010-12-05 13:59 . 2010-12-05 13:59	262144	----a-w-	c:\programdata\atmlib32.dll
2010-12-05 13:59 . 2010-12-05 13:57	1377280	----a-w-	c:\programdata\duser32.exe
2010-12-05 13:59 . 2010-12-05 13:59	186368	----a-w-	c:\windows\system32\duser32.exe
2010-12-05 13:59 . 2010-12-05 13:57	1377280	----a-w-	c:\windows\system32\accessibilitycpl32.exe
2010-11-11 15:17 . 2010-11-11 15:17	--------	d-----w-	c:\program files\Common Files\Adobe
2010-11-11 13:52 . 2010-11-11 13:52	--------	d-----w-	c:\programdata\WEBREG
2010-11-11 13:51 . 2010-11-11 13:51	--------	d-----w-	c:\users\marchier\AppData\Local\HP
2010-11-11 13:50 . 2010-11-11 13:52	--------	d-----w-	c:\users\marchier\AppData\Roaming\HP
2010-11-11 13:49 . 2009-10-21 14:29	320512	----a-w-	c:\windows\system32\Spool\prtprocs\w32x86\hpfpp101.dll
2010-11-11 13:46 . 2010-11-25 20:43	--------	d-----w-	c:\users\marchier\AppData\Roaming\HpUpdate
2010-11-11 13:44 . 2010-11-11 13:44	--------	d-----w-	c:\programdata\HP Product Assistant
2010-11-11 13:40 . 2010-11-11 13:40	--------	d-----w-	c:\program files\Common Files\HP
2010-11-11 13:40 . 2010-11-11 13:40	--------	d-----w-	c:\program files\Common Files\Hewlett-Packard
2010-11-11 13:38 . 2009-10-30 03:15	372736	----a-w-	c:\windows\system32\hppldcoi.dll
2010-11-11 13:38 . 2009-09-10 16:44	966656	----a-w-	c:\windows\system32\hpost_p04b.dll
2010-11-11 13:38 . 2009-09-10 16:44	887296	----a-w-	c:\windows\system32\hposwia_p04b.dll
2010-11-11 13:38 . 2009-09-10 16:44	315392	----a-w-	c:\windows\system32\hposc_p04a.dll
2010-11-11 13:38 . 2009-10-21 23:55	452736	----a-w-	c:\windows\system32\hpzids01.dll
2010-11-11 13:38 . 2009-10-21 14:29	125440	----a-w-	c:\windows\system32\hpf3l101.dll
2010-11-11 13:36 . 2010-11-11 13:46	--------	d-----w-	c:\program files\HP
2010-11-11 13:32 . 2010-11-11 13:51	--------	d-----w-	c:\programdata\HP

.
((((((((((((((((((((((((((((((((((   Compte-rendu de Find3M   ))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-19 09:41 . 2009-10-23 20:04	222080	------w-	c:\windows\system32\MpSigStub.exe
2010-09-22 22:47 . 2010-09-22 22:47	49016	----a-w-	c:\windows\system32\sirenacm.dll
2010-09-22 22:32 . 2010-09-22 22:32	301936	----a-w-	c:\windows\WLXPGSS.SCR
2010-09-15 03:50 . 2010-04-25 19:05	472808	----a-w-	c:\windows\system32\deployJava1.dll
2010-09-13 13:56 . 2010-10-16 06:58	8147456	----a-w-	c:\windows\system32\wmploc.DLL
2009-10-13 21:38 . 2009-10-13 21:36	3481968	----a-w-	c:\program files\FLV PlayerFCSetup.exe
.

(((((((((((((((((((((((((((((((((   Points de chargement Reg   ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés 
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{258fe8b8-a13c-4b91-9a0c-c2d3cab8b990}"= "c:\program files\PHPNukeFR	bPHPN.dll" [2008-11-23 1784856]

[HKEY_CLASSES_ROOT\clsid\{258fe8b8-a13c-4b91-9a0c-c2d3cab8b990}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{258fe8b8-a13c-4b91-9a0c-c2d3cab8b990}]
2008-11-23 22:03	1784856	----a-w-	c:\program files\PHPNukeFR	bPHPN.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8E566D57-91BF-F11B-C148-02558860B396}]
2010-12-05 13:59	262144	----a-w-	c:\programdata\atmlib32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{258fe8b8-a13c-4b91-9a0c-c2d3cab8b990}"= "c:\program files\PHPNukeFR	bPHPN.dll" [2008-11-23 1784856]

[HKEY_CLASSES_ROOT\clsid\{258fe8b8-a13c-4b91-9a0c-c2d3cab8b990}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{258FE8B8-A13C-4B91-9A0C-C2D3CAB8B990}"= "c:\program files\PHPNukeFR	bPHPN.dll" [2008-11-23 1784856]

[HKEY_CLASSES_ROOT\clsid\{258fe8b8-a13c-4b91-9a0c-c2d3cab8b990}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-10-27 10:05	40496	----a-w-	c:\program files\EgisTec\MyWinLocker 3\x86\PSDProtect.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsWelcomeCenter"="oobefldr.dll" [2009-04-11 2153472]
"CollaborationHost"="c:\windows\system32\p2phost.exe" [2008-01-21 192000]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-02-19 6793760]
"Skytel"="c:\program files\Realtek\Audio\HDA\Skytel.exe" [2009-02-19 1833504]
"PLFSetI"="c:\windows\PLFSetI.exe" [2009-06-03 200704]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-12-05 1410344]
"LManager"="c:\program files\Launch Manager\LManager.exe" [2009-02-19 866824]
"BackupManagerTray"="c:\program files\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe" [2009-04-11 249600]
"Acer ePower Management"="c:\program files\Acer\Acer PowerSmart Manager\ePowerTrayLauncher.exe" [2009-04-15 440864]
"EgisTecLiveUpdate"="c:\program files\EgisTec Egis Software Update\EgisUpdate.exe" [2008-10-27 199464]
"mwlDaemon"="c:\program files\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe" [2008-10-27 346672]
"PE2CKFNT SE"="c:\program files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe" [1998-07-03 25088]
"VX1000"="c:\windows\vVX1000.exe" [2009-06-26 757248]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2009-07-24 118640]
"etMonitor"="c:\windows\etMon.exe" [2007-09-19 102400]
"PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2003-11-10 406016]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-16 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-16 175128]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-16 153624]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-09-21 47904]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-01-07 1394000]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2009-11-18 54576]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]

c:\users\marchier\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
wkcalrem.LNK - c:\program files\Microsoft Works\WkCalRem.exe [2007-6-21 46432]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]
MBCameraMonitor.lnk - c:\program files\PIXELA\Everio MediaBrowser\MBCameraMonitor.exe [2010-1-1 541976]
Philips GoGear SA018 Device Manager.lnk - c:\philips\GoGear SA018 Device Manager\GoGear_SA018_DeviceManager.exe [2010-10-26 1615232]
Photo Express Calendar Checker SE.lnk - c:\program files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe [2009-9-17 55296]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\programdata\atmlib32.dll

R0 jsrkxlai;jsrkxlai;c:\windows\System32\drivers\ibadbspe.sys [x]
R0 qkthfqp;qkthfqp;c:\windows\System32\drivers\yryf.sys [x]
R2 0250021266604865mcinstcleanup;McAfee Application Installer Cleanup (0250021266604865);c:\windows\TEMP\025002~1.EXE [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Service Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-08-21 136176]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2008-01-21 179712]
R3 DCamUSBET;ET USB 2750 Camera;c:\windows\system32\DRIVERS\etDevice.sys [2008-03-01 131712]
R3 FiltUSBET;ET USB Device Lower Filter;c:\windows\system32\DRIVERS\etFilter.sys [2008-06-12 183168]
R3 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [2008-09-23 50424]
R3 ScanUSBET;ET USB Still Image Capture Device;c:\windows\system32\DRIVERS\etScan.sys [2007-09-07 6656]
R3 WPFFontCache_v0400;Cache de police de Windows Presentation Foundation 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S1 aswSP;aswSP; [x]
S2 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [2009-12-16 375296]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-06-28 50256]
S2 AVPNStarter;Steganos Anonym VPN Starter Service;c:\program files\Steganos Internet Anonym VPN\AVPNStarter.exe [2009-10-06 21504]
S2 ePowerSvc;Acer ePower Service;c:\program files\Acer\Acer PowerSmart Manager\ePowerSvc.exe [2009-04-15 703008]
S2 mwlPSDFilter;mwlPSDFilter;c:\windows\system32\DRIVERS\mwlPSDFilter.sys [2008-10-09 19504]
S2 mwlPSDNServ;mwlPSDNServ;c:\windows\system32\DRIVERS\mwlPSDNServ.sys [2008-10-09 16432]
S2 mwlPSDVDisk;mwlPSDVDisk;c:\windows\system32\DRIVERS\mwlPSDVDisk.sys [2008-10-09 59952]
S2 MWLService;MyWinLocker Service;c:\program files\EgisTec\MyWinLocker 3\x86\MWLService.exe [2008-10-27 306736]
S2 nsi32;Service Interface du magasin réseau ;c:\windows\system32\accessibilitycpl32.exe [2010-12-05 1377280]
S2 NTI IScheduleSvc;NTI IScheduleSvc;c:\program files\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe [2009-04-11 61184]
S2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [2008-09-23 144632]
S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2009-07-10 122880]
S3 k57nd60x;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60x.sys [2008-09-04 223232]
S3 tapavpn;Steganos Anonym VPN Adapter;c:\windows\system32\DRIVERS	apavpn.sys [2009-07-03 24320]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation	REG_MULTI_SZ   	FontCache
HPService	REG_MULTI_SZ   	HPSLPSVC
HPZ12	REG_MULTI_SZ   	Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt	REG_MULTI_SZ   	hpqcxs08 hpqddsvc
.
Contenu du dossier 'Tâches planifiées'

2010-12-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-21 14:23]

2010-12-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-21 14:23]
.
.
------- Examen supplémentaire -------
.
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: E&xporter vers Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Tout télécharger avec Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Télécharger avec Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: Télécharger la sélection avec Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Télécharger la vidéo avec Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
DPF: {C345E174-3E87-4F41-A01C-B066A90A49B4} - hxxp://trial.trymicrosoftoffice.com/trialoaa/buymsoffice_assets/framework/microsoft/wrc32.ocx
FF - ProfilePath - c:\users\marchier\AppData\Roaming\Mozilla\Firefox\Profiles\xz4dlqkv.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=fr&q=
FF - component: c:\program files\Free Download Manager\Firefox\Extension\components\vmsfdmff.dll
FF - component: c:\users\marchier\AppData\Roaming\Mozilla\Firefox\Profiles\xz4dlqkv.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\users\marchier\AppData\Roaming\Mozilla\Firefox\Profiles\xz4dlqkv.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll
FF - component: c:\users\marchier\AppData\Roaming\Mozilla\Firefox\Profiles\xz4dlqkv.default\extensions\{fc600575-3013-4e8e-941c-4b00dafce730}\components\FFExternalAlert.dll
FF - component: c:\users\marchier\AppData\Roaming\Mozilla\Firefox\Profiles\xz4dlqkv.default\extensions\{fc600575-3013-4e8e-941c-4b00dafce730}\components\RadioWMPCore.dll
FF - component: c:\users\marchier\AppData\Roaming\Mozilla\Firefox\Profiles\xz4dlqkv.default\extensionsadiobar@toolbar\components	oolbarhomewmp.dll
FF - plugin: c:\program files\Google\Update\1.2.183.39
pGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin
ew_plugin
pdeployJava1.dll
FF - plugin: c:\program files\Microsoft\Office Live
pOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins
p-mswmp.dll
FF - plugin: c:\program files\VistaCodecPackm\browser\plugins
ppl3260.dll
FF - plugin: c:\program files\VistaCodecPackm\browser\plugins
prpjplug.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\marchier\AppData\Roaming\Mozilla\plugins
p-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\users\marchier\AppData\Roaming\Mozilla\Firefox\Profiles\xz4dlqkv.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Extension: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - c:\users\marchier\AppData\Roaming\Mozilla\Firefox\Profiles\xz4dlqkv.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Extension: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - c:\users\marchier\AppData\Roaming\Mozilla\Firefox\Profiles\xz4dlqkv.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - Extension: myBabylon English4 Toolbar: {fc600575-3013-4e8e-941c-4b00dafce730} - c:\users\marchier\AppData\Roaming\Mozilla\Firefox\Profiles\xz4dlqkv.default\extensions\{fc600575-3013-4e8e-941c-4b00dafce730}
FF - Extension: RadioBar Toolbar: radiobar@toolbar - c:\users\marchier\AppData\Roaming\Mozilla\Firefox\Profiles\xz4dlqkv.default\extensionsadiobar@toolbar
FF - Extension: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - c:\users\marchier\AppData\Roaming\Mozilla\Firefox\Profiles\xz4dlqkv.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}

---- PARAMETRES FIREFOX ----
FF - user.js: yahoo.homepage.dontask - true
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-11 11:02
Windows 6.0.6002 Service Pack 2 NTFS

Recherche de processus cachés ... 

Recherche d'éléments en démarrage automatique cachés ... 

Recherche de fichiers cachés ... 

Scan terminé avec succès
Fichiers cachés: 0

**************************************************************************
.
--------------------- CLES DE REGISTRE BLOQUEES ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
--------------------- DLLs chargées dans les processus actifs ---------------------

- - - - - - - > 'Explorer.exe'(4004)
c:\program files\EgisTec\MyWinLocker 3\x86\psdprotect.dll
c:\program files\EgisTec\MyWinLocker 3\x86\sysenv.dll
c:\program files\EgisTec\MyWinLocker 3\x86\mwlUI.dll
c:\program files\EgisTec\MyWinLocker 3\x86\GDIExtendCtrl.dll
c:\program files\EgisTec\MyWinLocker 3\x86\mwlOP.dll
c:\program files\EgisTec\MyWinLocker 3\x86\CryptoAPI.dll
c:\program files\EgisTec\MyWinLocker 3\x86\ShowErrMsg.dll
.
------------------------ Autres processus actifs ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\program files\EgisTec\MyWinLocker 3\x86\MWLService.exe
c:\programdata\duser32.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\conime.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Heure de fin: 2010-12-11  11:10:03 - La machine a redémarré
ComboFix-quarantined-files.txt  2010-12-11 10:09
ComboFix2.txt  2010-12-09 22:40

Avant-CF: 310 387 691 520 octets libres
Après-CF: 311 910 834 176 octets libres

Current=1 Default=1 Failed=0 LastKnownGood=10 Sets=1,2,3,4,5,6,7,8,9,10
- - End Of File - - 96831144B1303E3AD8D97642A5C04471

gen-hackman · Answer

__________________________________________________ =>/!\Le script qui suit a été écrit spécialement cet ordinateur/!\ <= =>il est fort déconseillé de le transposer sur un autre ordinateur !<= ---------------------------------------------------------------------------- Toujours avec toutes les protections désactivées, fais ceci : ▶ Ouvre le bloc-notes (Menu démarrer --> programmes --> accessoires --> bloc-notes) ▶ Copie/colle dans le bloc-notes ce qui entre les lignes ci dessous (sans les lignes) : ---------------------------------------------------------- KillAll:: File:: c:\programdata\atmlib32.dll c:\programdata\duser32.exe c:\windows\system32\duser32.exe Rootkit:: c:\windows\System32\drivers\ibadbspe.sys c:\windows\System32\drivers\yryf.sys Folder:: c:\programdata\2026374954 c:\programdata\5F3DCFEF685089DA36696111AC6425ED c:\program files\Application Updater Registry:: [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8E566D57-91BF-F11B-C148-02558860B396}] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "QuickTime Task"=- "iTunesHelper"=- "HP Software Update"=- "Adobe Reader Speed Launcher"=- [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"="" Driver:: jsrkxlai qkthfqp ibadbspe yryf Application Updater DDS:: uInternet Settings,ProxyOverride = *.local Firefox:: FF - Extension: RadioBar Toolbar: radiobar@toolbar - c:\users\marchier\AppData\Roaming\Mozilla\Firefox\Profiles\xz4dlqkv.default\extensions\radiobar@toolbar ------------------------------------------------------------------ ▶ Enregistre ce fichier sur ton Bureau (et pas ailleurs !) sous le nom CFScript.txt ▶ Quitte le Bloc Notes ▶ Fais un glisser/déposer de ce fichier CFScript sur le fichier combofix ▶ Patiente le temps du scan. Le Bureau va disparaître à plusieurs reprises : c'est normal ! Ne touche à rien tant que le scan n'est pas terminé. ▶ Une fois le scan achevé, un rapport va s'afficher: poste son contenu. ▶ Si le fichier ne s'ouvre pas, il se trouve ici => C:\ComboFix.txt

Benjamin89140 · Answer

ComboFix 10-12-09.08 - marchier 11/12/2010  11:42:27.3.2 - x86
Microsoft® Windows Vista(TM) Édition Familiale Premium   6.0.6002.2.1252.33.1036.18.3000.1885 [GMT 1:00]
Lancé depuis: c:\users\marchier\dwhelper\Desktop\Benjamin.exe.exe
Commutateurs utilisés :: c:\users\marchier\dwhelper\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

FILE ::
"c:\programdata\atmlib32.dll"
"c:\programdata\duser32.exe"
"c:\windows\system32\duser32.exe"
.

((((((((((((((((((((((((((((((((((((   Autres suppressions   ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Application Updater
c:\program files\Application Updater\ApplicationUpdater.exe
c:\program files\Application Updater\config.ini
c:\programdata\2026374954
c:\programdata\2026374954
ew.i0
c:\programdata\5F3DCFEF685089DA36696111AC6425ED
c:\programdata\5F3DCFEF685089DA36696111AC6425ED\b\bint1
c:\programdata\5F3DCFEF685089DA36696111AC6425ED\b\version
c:\programdata\5F3DCFEF685089DA36696111AC6425ED\h\1\files\content.css
c:\programdata\5F3DCFEF685089DA36696111AC6425ED\h\1\files\getting-started.css
c:\programdata\5F3DCFEF685089DA36696111AC6425ED\h\1\files\min.js
c:\programdata\5F3DCFEF685089DA36696111AC6425ED\h\1\files\mozilla-logo.png
c:\programdata\5F3DCFEF685089DA36696111AC6425ED\h\1\files\mozilla-pager.htm
c:\programdata\5F3DCFEF685089DA36696111AC6425ED\h\1\fileseset-fonts-grids.css
c:\programdata\5F3DCFEF685089DA36696111AC6425ED\h\1\files\sites-answers.png
c:\programdata\5F3DCFEF685089DA36696111AC6425ED\h\1\files\sites-clipmarks.png
c:\programdata\5F3DCFEF685089DA36696111AC6425ED\h\1\files\sites-cooliris.png
c:\programdata\5F3DCFEF685089DA36696111AC6425ED\h\1\files\sites-facebook.png
c:\programdata\5F3DCFEF685089DA36696111AC6425ED\h\1\files\sites-googledocs.png
c:\programdata\5F3DCFEF685089DA36696111AC6425ED\h\1\files\sites-gumtree.png
c:\programdata\5F3DCFEF685089DA36696111AC6425ED\h\1\files\sites-howstuffworks.png
c:\programdata\5F3DCFEF685089DA36696111AC6425ED\h\1\files\sites-hypemachine.png
c:\programdata\5F3DCFEF685089DA36696111AC6425ED\h\1\files\sites-linkedin.png
c:\programdata\5F3DCFEF685089DA36696111AC6425ED\h\1\files\sites-miro.png
c:\programdata\5F3DCFEF685089DA36696111AC6425ED\h\1\files\sites-qype.png
c:\programdata\5F3DCFEF685089DA36696111AC6425ED\h\1\files\sites-rtm.png
c:\programdata\5F3DCFEF685089DA36696111AC6425ED\h\1\files\sites-shareaholic.png
c:\programdata\5F3DCFEF685089DA36696111AC6425ED\h\1\files\sites-topix.png
c:\programdata\5F3DCFEF685089DA36696111AC6425ED\h\1\files\sites-wikipedia.png
c:\programdata\5F3DCFEF685089DA36696111AC6425ED\h\1\files\sites-youtube.png
c:\programdata\5F3DCFEF685089DA36696111AC6425ED\h\1\files	emplate.css
c:\programdata\5F3DCFEF685089DA36696111AC6425ED\h\1\files\utilities.js
c:\programdata\5F3DCFEF685089DA36696111AC6425ED\h\1\index.html
c:\programdata\5F3DCFEF685089DA36696111AC6425ED\h\2\alert.gif
c:\programdata\5F3DCFEF685089DA36696111AC6425ED\h\2\dvd.gif
c:\programdata\5F3DCFEF685089DA36696111AC6425ED\h\2\error_detected.gif
c:\programdata\5F3DCFEF685089DA36696111AC6425ED\h\2\errsnd.swf
c:\programdata\5F3DCFEF685089DA36696111AC6425ED\h\2\flist.js
c:\programdata\5F3DCFEF685089DA36696111AC6425ED\h\2\folder.gif
c:\programdata\5F3DCFEF685089DA36696111AC6425ED\h\2\hdd.gif
c:\programdata\5F3DCFEF685089DA36696111AC6425ED\h\2\i1000000.gif
c:\programdata\5F3DCFEF685089DA36696111AC6425ED\h\2\i2000000.gif
c:\programdata\5F3DCFEF685089DA36696111AC6425ED\h\2\i3000000.gif
c:\programdata\5F3DCFEF685089DA36696111AC6425ED\h\2\i4000000.gif
c:\programdata\5F3DCFEF685089DA36696111AC6425ED\h\2\i5000000.gif
c:\programdata\5F3DCFEF685089DA36696111AC6425ED\h\2\i6000000.gif
c:\programdata\5F3DCFEF685089DA36696111AC6425ED\h\2\i7000000.gif
c:\programdata\5F3DCFEF685089DA36696111AC6425ED\h\2\index.htm
c:\programdata\5F3DCFEF685089DA36696111AC6425ED\h\2\inf20000.gif
c:\programdata\5F3DCFEF685089DA36696111AC6425ED\h\2\jquery-init.js
c:\programdata\5F3DCFEF685089DA36696111AC6425ED\h\2\jquery.js
c:\programdata\5F3DCFEF685089DA36696111AC6425ED\h\2\page_progressbar.gif
c:\programdata\5F3DCFEF685089DA36696111AC6425ED\h\2\qicon.gif
c:\programdata\5F3DCFEF685089DA36696111AC6425ED\h\version
c:\programdata\5F3DCFEF685089DA36696111AC6425ED\lock
c:\programdata\5F3DCFEF685089DA36696111AC6425ED
tuser.dat
c:\programdata\5F3DCFEF685089DA36696111AC6425ED\unrar.exe
c:\programdata\atmlib32.dll
c:\programdata\duser32.exe
c:\windows\system32\duser32.exe

.
(((((((((((((((((((((((((((((((((((((((   Pilotes/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_Application Updater
-------\Service_jsrkxlai
-------\Service_qkthfqp


(((((((((((((((((((((((((((((   Fichiers créés du 2010-11-11 au 2010-12-11  ))))))))))))))))))))))))))))))))))))
.

2010-12-11 10:50 . 2010-12-11 10:52	--------	d-----w-	c:\users\marchier\AppData\Local	emp
2010-12-11 10:50 . 2010-12-11 10:50	--------	d-----w-	c:\windows\system32\config\systemprofile\AppData\Local	emp
2010-12-11 10:50 . 2010-12-11 10:50	--------	d-----w-	c:\users\Default\AppData\Local	emp
2010-12-11 09:53 . 2010-12-11 10:10	--------	d-----w-	C:\Benjamin.exe
2010-12-10 20:01 . 2010-11-10 04:33	6273872	----a-w-	c:\programdata\Microsoft\Windows Defender\Definition Updates\{23231612-706E-4CF5-B42F-1598E1C8B56E}\mpengine.dll
2010-12-05 13:59 . 2010-12-05 13:57	1377280	----a-w-	c:\windows\system32\accessibilitycpl32.exe
2010-11-11 15:17 . 2010-11-11 15:17	--------	d-----w-	c:\program files\Common Files\Adobe
2010-11-11 13:52 . 2010-11-11 13:52	--------	d-----w-	c:\programdata\WEBREG
2010-11-11 13:51 . 2010-11-11 13:51	--------	d-----w-	c:\users\marchier\AppData\Local\HP
2010-11-11 13:50 . 2010-11-11 13:52	--------	d-----w-	c:\users\marchier\AppData\Roaming\HP
2010-11-11 13:49 . 2009-10-21 14:29	320512	----a-w-	c:\windows\system32\Spool\prtprocs\w32x86\hpfpp101.dll
2010-11-11 13:46 . 2010-11-25 20:43	--------	d-----w-	c:\users\marchier\AppData\Roaming\HpUpdate
2010-11-11 13:44 . 2010-11-11 13:44	--------	d-----w-	c:\programdata\HP Product Assistant
2010-11-11 13:40 . 2010-11-11 13:40	--------	d-----w-	c:\program files\Common Files\HP
2010-11-11 13:40 . 2010-11-11 13:40	--------	d-----w-	c:\program files\Common Files\Hewlett-Packard
2010-11-11 13:38 . 2009-10-30 03:15	372736	----a-w-	c:\windows\system32\hppldcoi.dll
2010-11-11 13:38 . 2009-09-10 16:44	966656	----a-w-	c:\windows\system32\hpost_p04b.dll
2010-11-11 13:38 . 2009-09-10 16:44	887296	----a-w-	c:\windows\system32\hposwia_p04b.dll
2010-11-11 13:38 . 2009-09-10 16:44	315392	----a-w-	c:\windows\system32\hposc_p04a.dll
2010-11-11 13:38 . 2009-10-21 23:55	452736	----a-w-	c:\windows\system32\hpzids01.dll
2010-11-11 13:38 . 2009-10-21 14:29	125440	----a-w-	c:\windows\system32\hpf3l101.dll
2010-11-11 13:36 . 2010-11-11 13:46	--------	d-----w-	c:\program files\HP
2010-11-11 13:32 . 2010-11-11 13:51	--------	d-----w-	c:\programdata\HP

.
((((((((((((((((((((((((((((((((((   Compte-rendu de Find3M   ))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-19 09:41 . 2009-10-23 20:04	222080	------w-	c:\windows\system32\MpSigStub.exe
2010-09-22 22:47 . 2010-09-22 22:47	49016	----a-w-	c:\windows\system32\sirenacm.dll
2010-09-22 22:32 . 2010-09-22 22:32	301936	----a-w-	c:\windows\WLXPGSS.SCR
2010-09-15 03:50 . 2010-04-25 19:05	472808	----a-w-	c:\windows\system32\deployJava1.dll
2010-09-13 13:56 . 2010-10-16 06:58	8147456	----a-w-	c:\windows\system32\wmploc.DLL
2009-10-13 21:38 . 2009-10-13 21:36	3481968	----a-w-	c:\program files\FLV PlayerFCSetup.exe
.

(((((((((((((((((((((((((((((((((   Points de chargement Reg   ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés 
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{258fe8b8-a13c-4b91-9a0c-c2d3cab8b990}"= "c:\program files\PHPNukeFR	bPHPN.dll" [2008-11-23 1784856]

[HKEY_CLASSES_ROOT\clsid\{258fe8b8-a13c-4b91-9a0c-c2d3cab8b990}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{258fe8b8-a13c-4b91-9a0c-c2d3cab8b990}]
2008-11-23 22:03	1784856	----a-w-	c:\program files\PHPNukeFR	bPHPN.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{258fe8b8-a13c-4b91-9a0c-c2d3cab8b990}"= "c:\program files\PHPNukeFR	bPHPN.dll" [2008-11-23 1784856]

[HKEY_CLASSES_ROOT\clsid\{258fe8b8-a13c-4b91-9a0c-c2d3cab8b990}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{258FE8B8-A13C-4B91-9A0C-C2D3CAB8B990}"= "c:\program files\PHPNukeFR	bPHPN.dll" [2008-11-23 1784856]

[HKEY_CLASSES_ROOT\clsid\{258fe8b8-a13c-4b91-9a0c-c2d3cab8b990}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-10-27 10:05	40496	----a-w-	c:\program files\EgisTec\MyWinLocker 3\x86\PSDProtect.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsWelcomeCenter"="oobefldr.dll" [2009-04-11 2153472]
"CollaborationHost"="c:\windows\system32\p2phost.exe" [2008-01-21 192000]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-02-19 6793760]
"Skytel"="c:\program files\Realtek\Audio\HDA\Skytel.exe" [2009-02-19 1833504]
"PLFSetI"="c:\windows\PLFSetI.exe" [2009-06-03 200704]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-12-05 1410344]
"LManager"="c:\program files\Launch Manager\LManager.exe" [2009-02-19 866824]
"BackupManagerTray"="c:\program files\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe" [2009-04-11 249600]
"Acer ePower Management"="c:\program files\Acer\Acer PowerSmart Manager\ePowerTrayLauncher.exe" [2009-04-15 440864]
"EgisTecLiveUpdate"="c:\program files\EgisTec Egis Software Update\EgisUpdate.exe" [2008-10-27 199464]
"mwlDaemon"="c:\program files\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe" [2008-10-27 346672]
"PE2CKFNT SE"="c:\program files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe" [1998-07-03 25088]
"VX1000"="c:\windows\vVX1000.exe" [2009-06-26 757248]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2009-07-24 118640]
"etMonitor"="c:\windows\etMon.exe" [2007-09-19 102400]
"PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2003-11-10 406016]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-16 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-16 175128]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-16 153624]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-09-21 47904]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-01-07 1394000]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]

c:\users\marchier\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
wkcalrem.LNK - c:\program files\Microsoft Works\WkCalRem.exe [2007-6-21 46432]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]
MBCameraMonitor.lnk - c:\program files\PIXELA\Everio MediaBrowser\MBCameraMonitor.exe [2010-1-1 541976]
Philips GoGear SA018 Device Manager.lnk - c:\philips\GoGear SA018 Device Manager\GoGear_SA018_DeviceManager.exe [2010-10-26 1615232]
Photo Express Calendar Checker SE.lnk - c:\program files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe [2009-9-17 55296]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

R2 0250021266604865mcinstcleanup;McAfee Application Installer Cleanup (0250021266604865);c:\windows\TEMP\025002~1.EXE [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Service Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-08-21 136176]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2008-01-21 179712]
R3 DCamUSBET;ET USB 2750 Camera;c:\windows\system32\DRIVERS\etDevice.sys [2008-03-01 131712]
R3 FiltUSBET;ET USB Device Lower Filter;c:\windows\system32\DRIVERS\etFilter.sys [2008-06-12 183168]
R3 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [2008-09-23 50424]
R3 ScanUSBET;ET USB Still Image Capture Device;c:\windows\system32\DRIVERS\etScan.sys [2007-09-07 6656]
R3 WPFFontCache_v0400;Cache de police de Windows Presentation Foundation 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S1 aswSP;aswSP; [x]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-06-28 50256]
S2 AVPNStarter;Steganos Anonym VPN Starter Service;c:\program files\Steganos Internet Anonym VPN\AVPNStarter.exe [2009-10-06 21504]
S2 ePowerSvc;Acer ePower Service;c:\program files\Acer\Acer PowerSmart Manager\ePowerSvc.exe [2009-04-15 703008]
S2 mwlPSDFilter;mwlPSDFilter;c:\windows\system32\DRIVERS\mwlPSDFilter.sys [2008-10-09 19504]
S2 mwlPSDNServ;mwlPSDNServ;c:\windows\system32\DRIVERS\mwlPSDNServ.sys [2008-10-09 16432]
S2 mwlPSDVDisk;mwlPSDVDisk;c:\windows\system32\DRIVERS\mwlPSDVDisk.sys [2008-10-09 59952]
S2 MWLService;MyWinLocker Service;c:\program files\EgisTec\MyWinLocker 3\x86\MWLService.exe [2008-10-27 306736]
S2 nsi32;Service Interface du magasin réseau ;c:\windows\system32\accessibilitycpl32.exe [2010-12-05 1377280]
S2 NTI IScheduleSvc;NTI IScheduleSvc;c:\program files\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe [2009-04-11 61184]
S2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [2008-09-23 144632]
S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2009-07-10 122880]
S3 k57nd60x;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60x.sys [2008-09-04 223232]
S3 tapavpn;Steganos Anonym VPN Adapter;c:\windows\system32\DRIVERS	apavpn.sys [2009-07-03 24320]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation	REG_MULTI_SZ   	FontCache
HPService	REG_MULTI_SZ   	HPSLPSVC
HPZ12	REG_MULTI_SZ   	Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt	REG_MULTI_SZ   	hpqcxs08 hpqddsvc
.
Contenu du dossier 'Tâches planifiées'

2010-12-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-21 14:23]

2010-12-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-21 14:23]
.
.
------- Examen supplémentaire -------
.
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: E&xporter vers Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Tout télécharger avec Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Télécharger avec Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: Télécharger la sélection avec Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Télécharger la vidéo avec Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
DPF: {C345E174-3E87-4F41-A01C-B066A90A49B4} - hxxp://trial.trymicrosoftoffice.com/trialoaa/buymsoffice_assets/framework/microsoft/wrc32.ocx
FF - ProfilePath - c:\users\marchier\AppData\Roaming\Mozilla\Firefox\Profiles\xz4dlqkv.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=fr&q=
FF - component: c:\program files\Free Download Manager\Firefox\Extension\components\vmsfdmff.dll
FF - component: c:\users\marchier\AppData\Roaming\Mozilla\Firefox\Profiles\xz4dlqkv.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\users\marchier\AppData\Roaming\Mozilla\Firefox\Profiles\xz4dlqkv.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll
FF - component: c:\users\marchier\AppData\Roaming\Mozilla\Firefox\Profiles\xz4dlqkv.default\extensions\{fc600575-3013-4e8e-941c-4b00dafce730}\components\FFExternalAlert.dll
FF - component: c:\users\marchier\AppData\Roaming\Mozilla\Firefox\Profiles\xz4dlqkv.default\extensions\{fc600575-3013-4e8e-941c-4b00dafce730}\components\RadioWMPCore.dll
FF - component: c:\users\marchier\AppData\Roaming\Mozilla\Firefox\Profiles\xz4dlqkv.default\extensionsadiobar@toolbar\components	oolbarhomewmp.dll
FF - plugin: c:\program files\Google\Update\1.2.183.39
pGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin
ew_plugin
pdeployJava1.dll
FF - plugin: c:\program files\Microsoft\Office Live
pOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins
p-mswmp.dll
FF - plugin: c:\program files\VistaCodecPackm\browser\plugins
ppl3260.dll
FF - plugin: c:\program files\VistaCodecPackm\browser\plugins
prpjplug.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\marchier\AppData\Roaming\Mozilla\plugins
p-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\users\marchier\AppData\Roaming\Mozilla\Firefox\Profiles\xz4dlqkv.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Extension: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - c:\users\marchier\AppData\Roaming\Mozilla\Firefox\Profiles\xz4dlqkv.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Extension: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - c:\users\marchier\AppData\Roaming\Mozilla\Firefox\Profiles\xz4dlqkv.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - Extension: myBabylon English4 Toolbar: {fc600575-3013-4e8e-941c-4b00dafce730} - c:\users\marchier\AppData\Roaming\Mozilla\Firefox\Profiles\xz4dlqkv.default\extensions\{fc600575-3013-4e8e-941c-4b00dafce730}
FF - Extension: RadioBar Toolbar: radiobar@toolbar - c:\users\marchier\AppData\Roaming\Mozilla\Firefox\Profiles\xz4dlqkv.default\extensionsadiobar@toolbar
FF - Extension: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - c:\users\marchier\AppData\Roaming\Mozilla\Firefox\Profiles\xz4dlqkv.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}

---- PARAMETRES FIREFOX ----
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHELINS SUPPRIMES - - - -

BHO-{129FFF07-12F3-B21E-0451-4DA00723881A} - c:\programdata\atmlib32.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-11 11:52
Windows 6.0.6002 Service Pack 2 NTFS

Recherche de processus cachés ... 

Recherche d'éléments en démarrage automatique cachés ... 

Recherche de fichiers cachés ... 

Scan terminé avec succès
Fichiers cachés: 0

**************************************************************************
.
--------------------- CLES DE REGISTRE BLOQUEES ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
--------------------- DLLs chargées dans les processus actifs ---------------------

- - - - - - - > 'Explorer.exe'(2792)
c:\program files\EgisTec\MyWinLocker 3\x86\psdprotect.dll
c:\program files\EgisTec\MyWinLocker 3\x86\sysenv.dll
c:\program files\EgisTec\MyWinLocker 3\x86\mwlUI.dll
c:\program files\EgisTec\MyWinLocker 3\x86\GDIExtendCtrl.dll
c:\program files\EgisTec\MyWinLocker 3\x86\mwlOP.dll
c:\program files\EgisTec\MyWinLocker 3\x86\CryptoAPI.dll
c:\program files\EgisTec\MyWinLocker 3\x86\ShowErrMsg.dll
.
------------------------ Autres processus actifs ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\program files\EgisTec\MyWinLocker 3\x86\MWLService.exe
c:\programdata\duser32.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\conime.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Heure de fin: 2010-12-11  11:58:32 - La machine a redémarré
ComboFix-quarantined-files.txt  2010-12-11 10:58
ComboFix2.txt  2010-12-11 10:10
ComboFix3.txt  2010-12-09 22:40

Avant-CF: 311 982 329 856 octets libres
Après-CF: 311 668 527 104 octets libres

Current=1 Default=1 Failed=0 LastKnownGood=10 Sets=1,2,3,4,5,6,7,8,9,10
- - End Of File - - CFBB2BD273291441A1D8D54180B97D55

gen-hackman · Answer

&#9654 Télécharge ici : Ad-remover sur ton bureau : 


&#9654 Déconnecte toi et ferme toutes applications en cours ! 

si tu as XP => double clique
si tu as Vista ou windows 7 => clic droit "executer en tant que...." 

&#9654 sur "Ad-R.exe" pour lancer l'installation et laisse les paramètres d'installation par défaut . 

&#9654 clique le raccourci Ad-remover qui est sur ton bureau pour lancer l'outil .
 
&#9654 Au menu principal choisis "option Nettoyer" et tape sur [entrée] .

&#9654 Laisse travailler l'outil et ne touche à rien ... 

&#9654 Poste le rapport qui apparait à la fin , sur le forum ...

( Le rapport est sauvegardé aussi sous C:\Ad-report.log ) 
( CTRL+A Pour tout sélectionner , CTRL+C pour copier et CTRL+V pour coller ) 

&#9654 Note : "Process.exe", une composante de l'outil, est détecté par certains antivirus (AntiVir, Dr.Web, Kaspersky Anti-Virus) comme étant un RiskTool. 
Il ne s'agit pas d'un virus, mais d'un utilitaire destiné à mettre fin à des processus. 
Mis entre de mauvaises mains, cet utilitaire pourrait arrêter des logiciels de sécurité (Antivirus, Firewall...) d'où l'alerte émise par ces antivirus.

Benjamin89140 · Answer

======= RAPPORT D'AD-REMOVER 2.0.0.2,C | UNIQUEMENT XP/VISTA/7 =======

Mis à jour par TeamXscript le 08/12/10 à 10:40
Contact: AdRemover[DOT]contact[AT]gmail[DOT]com
Site web: http://www.teamxscript.org

C:\Program Files\Ad-Remover\main.exe (CLEAN [1]) -> Lancé à 12:24:12 le 11/12/2010, Mode normal

Microsoft® Windows Vista(TM) Édition Familiale Premium  Service Pack 2 (X86) 
marchier@PC-DE-MARCHIER (Acer Aspire 5738) 
 
============== ACTION(S) ==============


Fichier supprimé: C:\Users\marchier\AppData\Local
nnffg.bat
Fichier supprimé: C:\Program Files\Mozilla Firefox\extensions\searchsettings@spigot.com
Fichier supprimé: C:\Users\marchier\AppData\Roaming\Mozilla\FireFox\Profiles\xz4dlqkv.default\searchplugins\askcom.xml
Fichier supprimé: C:\Users\marchier\AppData\Roaming\Mozilla\FireFox\Profiles\xz4dlqkv.default\searchplugins\iMeshWebSearch.xml
Dossier supprimé: C:\Users\marchier\Documents\Imesh
Dossier supprimé: C:\Users\marchier\Music\Imesh
Dossier supprimé: C:\Users\marchier\AppData\LocalLow\Conduit
Dossier supprimé: C:\Program Files\Conduit
Dossier supprimé: C:\Users\marchier\AppData\Roaming\live-player
Dossier supprimé: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\live-player
Dossier supprimé: C:\Program Files\live-player
Dossier supprimé: C:\Users\marchier\AppData\LocalLow\Search Settings
Dossier supprimé: C:\Users\marchier\AppData\LocalLow\ShopperReports3
Fichier supprimé: C:\Users\marchier\AppData\Local\ebaxolcc.bat

(!) -- Fichiers temporaires supprimés.


-- Fichier ouvert: C:\Users\marchier\AppData\Roaming\Mozilla\FireFox\Profiles\xz4dlqkv.default\Prefs.js --
Ligne supprimée:  
Ligne supprimée:  
Ligne supprimée: user_pref("CT2365905.SearchFromAddressBarUrl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT236... 
Ligne supprimée: user_pref("browser.search.defaultengine", "Ask.com"); 
Ligne supprimée: user_pref("browser.search.order.1", "Ask.com"); 
-- Fichier Fermé --
 

Clé supprimée: HKLM\Software\Classes\CLSID\{27BF8F8D-58B8-D41C-F913-B7EEB57EF6F6}
Clé supprimée: HKLM\Software\Classes\AppID\{A7DDCBDE-5C86-415c-8A37-763AE183E7E4}
Clé supprimée: HKLM\Software\Classes\CLSID\{ABB49B3B-AB7D-4ED0-9135-93FD5AA4F69F}
Clé supprimée: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{ABB49B3B-AB7D-4ED0-9135-93FD5AA4F69F}
Clé supprimée: HKLM\Software\Classes\Interface\{21BA420E-161C-413A-B21E-4E42AE1F4226}
Clé supprimée: HKLM\Software\Classes\Interface\{30B15818-E110-4527-9C05-46ACE5A3460D}
Clé supprimée: HKLM\Software\Classes\Interface\{419EDA30-6DFF-432C-B534-E15D899ABEE4}
Clé supprimée: HKLM\Software\Classes\Interface\{453DB0C5-F41C-4D97-8DD6-CC72ECD5F699}
Clé supprimée: HKLM\Software\Classes\Interface\{4AFC07D0-59BB-46B8-B097-1A46E88EEF71}
Clé supprimée: HKLM\Software\Classes\Interface\{618AAD04-921F-44C2-BE38-C0818AF69861}
Clé supprimée: HKLM\Software\Classes\Interface\{6511CE4C-4722-40D0-AD3D-4AFA2F50978A}
Clé supprimée: HKLM\Software\Classes\Interface\{B5D2ED96-62F9-4C2C-956D-E425B1F67337}
Clé supprimée: HKLM\Software\Classes\Interface\{B86D82BF-D39F-439A-A07C-43EDDC6F6EA6}
Clé supprimée: HKLM\Software\Classes\Interface\{D3A412E8-1E4B-47D2-9B12-F88291F5AFBB}
Clé supprimée: HKLM\Software\Classes\Interface\{D5A1EF9A-7948-435D-8B87-D6A598317288}
Clé supprimée: HKLM\Software\Classes\Interface\{D6094FC6-821F-474C-8D73-C13066CD178D}
Clé supprimée: HKLM\Software\Classes\Interface\{DA6305B9-0869-4235-8C1D-533A65E639E5}
Clé supprimée: HKLM\Software\Classes\Interface\{F8B4EC8A-2407-4BE0-AEE2-0F430D65A90D}
Clé supprimée: HKLM\Software\Classes\TypeLib\{96F7FABC-5789-EFA4-B6ED-1272F4C1D27B}
Clé supprimée: HKLM\Software\Classes\TypeLib\{ACC62306-9A63-4864-BD2F-C8825D2D7EA6}
Clé supprimée: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
nnffg
Clé supprimée: HKLM\Software\Application Updater
Clé supprimée: HKLM\Software\Conduit
Clé supprimée: HKLM\Software\Search Settings
Clé supprimée: HKCU\Software\iMesh
Clé supprimée: HKCU\Software\AppDataLow\Software\Conduit
Clé supprimée: HKCU\Software\AppDataLow\Software\ShopperReports3
Clé supprimée: HKLM\Software\Classes\Installer\Products\D82C50F59AED6DA47AA360145789E8BA
Clé supprimée: HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Userdata\S-1-5-18\Products\D82C50F59AED6DA47AA360145789E8BA
Clé supprimée: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}
Clé supprimée: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2A59}
Clé supprimée: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}
Clé supprimée: HKLM\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2A59}
Clé supprimée: HKLM\Software\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}
Clé supprimée: HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{5F05C28D-DEA9-4AD6-A73A-064175988EAB}
Clé supprimée: HKLM\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{89F88394-3828-4D03-A0CF-8203604C3DA6}
Clé supprimée: HKLM\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{D4233F04-1789-483C-A137-731E8F113DD5}
Clé supprimée: HKCU\Software\Microsoft\Internet Explorer\LowRegistry\Search Settings

Valeur supprimée: HKLM\Software\Mozilla\Firefox\Extensions|clickpotatolite@clickpotatolite.com
Valeur supprimée: HKLM\Software\Mozilla\Firefox\Extensions|Shopperreports@shopperreports.com


============== SCAN ADDITIONNEL ==============

** Mozilla Firefox Version [3.6.13 (fr)] **

-- C:\Users\marchier\AppData\Roaming\Mozilla\FireFox\Profiles\xz4dlqkv.default\Prefs.js --
browser.download.lastDir, C:\Users\marchier\Downloads
browser.search.defaultenginename, Google
browser.search.selectedEngine, Google
browser.startup.homepage, hxxp://www.google.com/
browser.startup.homepage_override.mstone, rv:1.9.2.13
keyword.URL, hxxp://www.google.com/search?sourceid=navclient&hl=fr&q=

========================================

** Internet Explorer Version [7.0.6002.18005] **

[HKCU\Software\Microsoft\Internet Explorer\Main] 
AutoHide: yes
Default_Page_URL: hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
Default_Search_URL: hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
Do404Search: 0x01000000
Local Page: C:\Windows\system32\blank.htm
Search bar: hxxp://go.microsoft.com/fwlink/?linkid=54896
Show_ToolBar: yes
Start Page: hxxp://fr.msn.com/
Use Search Asst: no

[HKLM\Software\Microsoft\Internet Explorer\Main] 
AutoHide: yes
Default_Page_URL: hxxp://go.microsoft.com/fwlink/?LinkId=54896
Default_Search_URL: hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
Delete_Temp_Files_On_Exit: yes
Enable Browser Extensions: yes
Local Page: C:\Windows\system32\blank.htm
Search bar: hxxp://search.msn.com/spbasic.htm
Search Page: hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
Start Page: hxxp://fr.msn.com/
Use Search Asst: no

[HKLM\Software\Microsoft\Internet Explorer\ABOUTURLS] 
Tabs: res://ieframe.dll/tabswelcome.htm
Blank: res://mshtml.dll/blank.htm

========================================

C:\Program Files\Ad-Remover\Quarantine: 62 Fichier(s)
C:\Program Files\Ad-Remover\Backup: 16 Fichier(s)

C:\Ad-Report-CLEAN[1].txt - 11/12/2010 (7310 Octet(s)) 

Fin à: 12:25:40, 11/12/2010 
 
============== E.O.F ==============

gen-hackman · Answer

fermer toutes les fenêtres et applications lors de l'installation et de l'analyse.


&#9654 Télécharge ici :

Malwarebytes  

&#9654 Installe le ( choisis bien "francais" ; ne modifie pas les paramètres d'installe ) et mets le à jour .

(NB : Si tu as un message d'erreur t'indiquant qu'il te manque "COMCTL32.OCX" lors de l'installe, alors télécharge le ici : COMCTL32.OCX

&#9654 Potasses le Tuto pour te familiariser avec le prg :


( cela dit, il est très simple d'utilisation ).

relance malwarebytes en suivant scrupuleusement ces consignes :

! Déconnecte toi et ferme toutes applications en cours !

&#9654 Lance Malwarebyte's .

Fais un examen dit "Complet" .

&#9654 Laisse le programme travailler ( et ne rien faire d'autre avec le PC durant le scan ).
&#9654 à la fin tu cliques sur "résultat" .
&#9654 Vérifie que tous les objets infectés soient validés, puis clique sur " suppression " .

&#9654 Note : si il faut redémarrer ton PC pour finir le nettoyage, fais le !


&#9654 Poste le rapport sauvegardé après la suppression des objets infectés (dans l'onglet "rapport/log"de Malwarebytes, le dernier en date)

Benjamin89140 · Answer

Bonsoir, j'ais une erreur de malware il me dit error 714

Benjamin89140 · Answer

Et ce après le crash du pc j'ais du faire une restauration à un point, l'écran était bleue mais pas moyen de démarrer windows normalement sans faire une restauration system, je crois que mon pc est foutu, le virus est planté et est décidé de rester....

gen-hackman · Answer

il disait que ca ?

error 714 ?

Benjamin89140 · Answer

Salut

error code 714 (0.9) désolé du temps de réponse

gen-hackman · Answer

desinstalle Malwarebytes

redemarre ton pc

utilise ceci :

https://data-cdn.mbamupdates.com/v1/tools/mbam-clean/data/mbam-clean-2.3.0.1001.exe

redemarre ton pc , (normalement il le devrait le faire lui )

retelecharge-le et reinstalle-le :

http://www.malwarebytes.org/mbam-download.php

redemarre encore ton pc

Benjamin89140 · Answer

Voilà j'ais tout réinstaller et j'ais relancer un examen complet.




Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org

Version de la base de données: 5320

Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

15/12/2010 18:21:29
mbam-log-2010-12-15 (18-21-29).txt

Type d'examen: Examen complet (C:\|)
Elément(s) analysé(s): 285229
Temps écoulé: 1 heure(s), 0 minute(s), 22 seconde(s)

Processus mémoire infecté(s): 8
Module(s) mémoire infecté(s): 3
Clé(s) du Registre infectée(s): 13
Valeur(s) du Registre infectée(s): 7
Elément(s) de données du Registre infecté(s): 1
Dossier(s) infecté(s): 2
Fichier(s) infecté(s): 44

Processus mémoire infecté(s):
c:\Windows\System32\accessibilitycpl32.exe (Trojan.Tracur.S) -> 2156 -> Unloaded process successfully.
c:\programdata\duser32.exe (Trojan.Tracur.S) -> 2256 -> Unloaded process successfully.
c:\Windows\diagperfwow.exe (Trojan.Tracur.S) -> 3740 -> Unloaded process successfully.
c:\Windows\diagperfwow.exe (Trojan.Tracur.S) -> 3796 -> Unloaded process successfully.
c:\Windows\vfpodbcwow.exe (Trojan.Tracur.S) -> 3748 -> Unloaded process successfully.
c:\Windows\vfpodbcwow.exe (Trojan.Tracur.S) -> 3836 -> Unloaded process successfully.
c:\Windows\fdBthwow.exe (Trojan.Tracur.S) -> 3756 -> Unloaded process successfully.
c:\Windows\fdBthwow.exe (Trojan.Tracur.S) -> 3844 -> Unloaded process successfully.

Module(s) mémoire infecté(s):
c:\Windows\System32\atmlib32.dll (Trojan.Tracur.S) -> Delete on reboot.
c:\programdata\atmlib32.dll (Trojan.Tracur.S) -> Delete on reboot.
c:\Windows\System32\config\systemprofile\AppData\Roaming\CD21.tmp (Trojan.Tracur.S) -> Delete on reboot.

Clé(s) du Registre infectée(s):
HKEY_CLASSES_ROOT\CLSID\{029E3E9D-3F99-4AED-949D-A86B299ECC32} (Trojan.Tracur.S) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{029E3E9D-3F99-4AED-949D-A86B299ECC32} (Trojan.Tracur.S) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{029E3E9D-3F99-4AED-949D-A86B299ECC32} (Trojan.Tracur.S) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
si32 (Trojan.Tracur.S) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9F3C5DE2-8BA0-7FB0-8A72-53D3157D6E13} (Trojan.Tracur.S) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9F3C5DE2-8BA0-7FB0-8A72-53D3157D6E13} (Trojan.Tracur.S) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9F3C5DE2-8BA0-7FB0-8A72-53D3157D6E13} (Trojan.Tracur.S) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{0D82ACD6-A652-4496-A298-2BDE705F4227} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{11C27351-716B-4052-9361-E3B0A3F8221C} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{7025E484-D4B0-441a-9F0B-69063BD679CE} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{8258B35C-05B8-4c0e-9525-9BCCC70F8F2D} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{A89256AD-EC17-4a83-BEF5-4B8BC4F39306} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> Quarantined and deleted successfully.

Valeur(s) du Registre infectée(s):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\diagperfwow.exe (Trojan.Tracur.S) -> Value: diagperfwow.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\diagperfwow.exe (Trojan.Tracur.S) -> Value: diagperfwow.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vfpodbcwow.exe (Trojan.Tracur.S) -> Value: vfpodbcwow.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vfpodbcwow.exe (Trojan.Tracur.S) -> Value: vfpodbcwow.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fdBthwow.exe (Trojan.Tracur.S) -> Value: fdBthwow.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fdBthwow.exe (Trojan.Tracur.S) -> Value: fdBthwow.exe -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RTHDBPL (Trojan.Tracur.S) -> Value: RTHDBPL -> Quarantined and deleted successfully.

Elément(s) de données du Registre infecté(s):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Tracur.S) -> Bad: (C:\ProgramData\atmlib32.dll) Good: () -> Quarantined and deleted successfully.

Dossier(s) infecté(s):
c:\programdata\2026374954 (Rogue.Multiple) -> Quarantined and deleted successfully.
c:\Windows\System32\config\systemprofile\AppData\Roaming\SysWin (Trojan.Agent) -> Quarantined and deleted successfully.

Fichier(s) infecté(s):
c:\Windows\System32\atmlib32.dll (Trojan.Tracur.S) -> Delete on reboot.
c:\Windows\System32\accessibilitycpl32.exe (Trojan.Tracur.S) -> Quarantined and deleted successfully.
c:\programdata\atmlib32.dll (Trojan.Tracur.S) -> Quarantined and deleted successfully.
c:\Windows\System32\config\systemprofile\AppData\Roaming\CD21.tmp (Trojan.Tracur.S) -> Quarantined and deleted successfully.
c:\programdata\duser32.exe (Trojan.Tracur.S) -> Quarantined and deleted successfully.
c:\Windows\diagperfwow.exe (Trojan.Tracur.S) -> Quarantined and deleted successfully.
c:\Windows\vfpodbcwow.exe (Trojan.Tracur.S) -> Quarantined and deleted successfully.
c:\Windows\fdBthwow.exe (Trojan.Tracur.S) -> Quarantined and deleted successfully.
c:\Windows\System32\config\systemprofile\AppData\Roaming\SysWin\lsass.exe (Trojan.Tracur.S) -> Quarantined and deleted successfully.
c:\downloads\systempack107_231.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\downloads\Software\quicktime_update_kb678215.exe (Trojan.Tracur.S) -> Quarantined and deleted successfully.
c:\downloads\Software\xvidsetup.exe (Adware.Hotbar.Gen) -> Quarantined and deleted successfully.
c:\programdata\5f3dcfef685089da36696111ac6425ed\update.exe (Trojan.Tracur.S) -> Quarantined and deleted successfully.
c:\programdata\5f3dcfef685089da36696111ac6425ed\b\bint1 (Trojan.Tracur.S) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\program files\clickpotatolite\bin\10.0.530.0\clickpotatolitesaax.dll.vir (Adware.ClickPotato) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\program files\clickpotatolite\bin\10.0.530.0\clickpotatolitesabho.dll.vir (Adware.ClickPotato) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\program files\clickpotatolite\bin\10.0.530.0\clickpotatolitesahook.dll.vir (Adware.ClickPotato) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\program files\clickpotatolite\bin\10.0.530.0\clickpotatoliteuninstaller.exe.vir (Adware.ClickPotato) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\program files\clickpotatolite\bin\10.0.530.0\firefox\extensions\plugins
pclntax_clickpotatolitesa.dll.vir (Adware.ClickPotato) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\program files\mozilla firefox\plugins
pclntax_clickpotatolitesa.dll.vir (Adware.ClickPotato) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\programdata\atmlib32.dll.vir (Trojan.Tracur.S) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\programdata\duser32.exe.vir (Trojan.Tracur.S) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\programdata\5f3dcfef685089da36696111ac6425ed\b\bint1.vir (Trojan.Tracur.S) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\Windows\mfc40uwow.exe.vir (Trojan.Tracur.S) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\Windows\scriptowow.exe.vir (Trojan.Tracur.S) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\Windows\System32\config\systemprofile\AppData\Roaming\6514.tmp.vir (Trojan.Tracur.S) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\Windows\System32\config\systemprofile\AppData\Roaming\cd21.tmp.vir (Trojan.Tracur.S) -> Quarantined and deleted successfully.
c:\Users\marchier\AppData\Local\virtualstore\programdata\5f3dcfef685089da36696111ac6425ed\b\bint1 (Trojan.Tracur.S) -> Quarantined and deleted successfully.
c:\Users\marchier\downloads\xvidsetup(2).exe (Adware.Hotbar.Gen) -> Quarantined and deleted successfully.
c:\Users\marchier\downloads\xvidsetup.exe (Adware.Hotbar.Gen) -> Quarantined and deleted successfully.
c:\Windows\wmicmipluginwow.exe (Trojan.Tracur.S) -> Quarantined and deleted successfully.
c:\Windows\System32\duser32.exe (Trojan.Tracur.S) -> Quarantined and deleted successfully.
c:\Windows\System32\config\systemprofile\AppData\Roaming\1ED8.tmp (Trojan.Tracur.S) -> Quarantined and deleted successfully.
c:\Windows\System32\config\systemprofile\AppData\Roaming\C290.tmp (Trojan.Tracur.S) -> Quarantined and deleted successfully.
c:\Windows\System32\config\systemprofile\AppData\Roaming\02000000227c0a001079c.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\Windows\System32\config\systemprofile\AppData\Roaming\02000000227c0a001079o.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\Windows\System32\config\systemprofile\AppData\Roaming\02000000227c0a001079p.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\Windows\System32\config\systemprofile\AppData\Roaming\02000000227c0a001079s.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\Windows\System32\02000000227c0a001079c.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\Windows\System32\02000000227c0a001079o.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\Windows\System32\02000000227c0a001079p.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\Windows\System32\02000000227c0a001079s.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\Windows\System32\gnuhashes.ini (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\programdata\2026374954
ew.i0 (Rogue.Multiple) -> Quarantined and deleted successfully.

Benjamin89140 · Answer

Y a pas eu de problèmes, redémarrage sans soucis, plus de trojans apparemment, mtn va falloir que je trouve une protection je pense^^

Aide Malware

29 réponses

Discussions similaires

Newsletters