Infection
Resolved
concierge1
-
Destrio Posts 312 Registration date Status Contributor Last contribution -
Hello,
here is my browser config
my computer is infected, and I can no longer install an antivirus or anti-trojan; once the installation is done, Windows no longer recognises the program.
if I launch a scan with one of the antiviruses, it cuts out and disappears from the process list. I have really tried everything: various free antiviruses: AVG, Avast, Trojan Killer, Spybot etc... I disabled the file arking.exe via msconfig, but nothing works, I can't remove it or even install an antivirus, not even an online scan.
Can you help me??
thanks to you all
48 replies
Have you tried running a scan with Malwarebytes' Anti-Malware?
--> https://www.malekal.com/tutoriel-malwarebyte-anti-malware/
Malwarebytes is installed.
and updated, just now... what I'm afraid of now is the attempt to scan the computer... that it bugs out again... and that the software cuts out...
shall I try?
/!\ Disable your resident protections (antivirus, etc.) /!\
--> Download ComboFix (by sUBs) to your Desktop.
--> Double-click ComboFix.exe (the .exe extension is not necessarily visible) to launch it.
--> It will ask you to install the Recovery Console: accept.
--> When the scan is finished, a report will appear. Post this report (C:\Combofix.txt) in your next reply.
To help you: a guide and a tutorial on using ComboFix
after those steps, Avast updated itself, which it wasn't doing before...
I'm waiting for the scan result before moving on to the ComboFix step; I'll take the opportunity to thank you, because I've really made progress thanks to your help, your presence and your responsiveness!
I'll get back to you asap
the Avast scan crashed, I get the following message:
the app failed to initialize properly 0xc0000005 click ok to terminate process...
I'll take care of ComboFix
ComboFix 11-07-12.05 - yo 12/07/2011 18:14:15.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.711 [GMT 2:00]
Running from: c:\documents and settings\yla\My Documents\Téléchargements\ComboFix.exe
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\y a\Application Data\Heed
c:\documents and settings\ys ea\Application Data\Heed\hiyzw.fei
c:\documents and settings\ys la\Application Data\Heed\hiyzw.tmp
c:\documents and settings\y a\Desktop\Internet Explorer.lnk
C:\install.exe
c:\windows\$NtUninstallKB16803$\2227124963\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}
c:\windows\$NtUninstallKB16803$\2227124963\click.tlb
c:\windows\$NtUninstallKB16803$\2227124963\L\eaoyrryi
c:\windows\$NtUninstallKB16803$\2227124963\loader.tlb
c:\windows\$NtUninstallKB16803$\2227124963\U\@00000001
c:\windows\$NtUninstallKB16803$\2227124963\U\@000000c0
c:\windows\$NtUninstallKB16803$\2227124963\U\@000000cb
c:\windows\$NtUninstallKB16803$\2227124963\U\@000000cf
c:\windows\$NtUninstallKB16803$\2227124963\U\@80000000
c:\windows\$NtUninstallKB16803$\2227124963\U\@800000c0
c:\windows\$NtUninstallKB16803$\2227124963\U\@800000cb
c:\windows\$NtUninstallKB16803$\2227124963\U\@800000cf
c:\windows\SW_Win3112X32.DLL
c:\windows\system32\drivers\1257156655.sys
c:\windows\$NtUninstallKB16803$ . . . . Failed to delete
c:\windows\$NtUninstallKB16803$\3368064693 . . . . Failed to delete
.
Infected copy of c:\windows\system32\wuauclt.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\wuauclt.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_1257156655
.
.
((((((((((((((((((((((((( Files Created from 2011-06-12 to 2011-07-12 )))))))))))))))))))))))))))))))
.
.
2011-07-12 14:59 . 2011-05-29 07:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-12 14:59 . 2011-05-29 07:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-12 14:59 . 2011-07-12 15:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-07-12 13:51 . 2011-07-12 15:18 -------- d-----w- C:\UsbFix
2011-07-12 09:25 . 2011-07-12 10:42 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-07-12 09:22 . 2011-07-12 09:22 24416 ----a-w- c:\windows\system32\drivers\regguard.sys
2011-07-12 09:19 . 2011-07-12 09:19 2 --shatr- c:\windows\winstart.bat
2011-07-12 09:19 . 2011-07-12 09:19 -------- d-----w- c:\program files\Greatis
2011-07-12 08:58 . 2011-07-12 08:58 -------- d-----w- c:\documents and settings\ya\Local Settings\Application Data\PCHealth
2011-07-12 02:13 . 2011-07-12 02:13 -------- d-----w- c:\documents and settings\youa\Application Data\Malwarebytes
2011-07-12 01:59 . 2011-07-12 01:59 -------- d-----w- c:\windows\ServicePackFiles
2011-07-12 01:51 . 2011-07-12 01:51 -------- d-----w- C:\d3ab80f35deb7e5aea6c0ad1
2011-07-12 01:45 . 2011-07-12 01:48 -------- d-----w- C:\b304391087783dd17cae801c
2011-07-12 01:41 . 2011-07-12 01:41 -------- d-----w- C:\6eeb817ab9429940479e3bc980f0e0
2011-07-12 01:05 . 2011-07-12 01:05 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2011-07-11 23:35 . 2011-07-11 23:35 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-07-11 23:24 . 2011-07-11 23:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-07-11 23:15 . 2011-07-11 23:16 -------- d-----w- c:\documents and settings\Administrator
2011-07-11 22:14 . 2011-07-12 15:58 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2011-07-11 22:14 . 2011-07-11 22:14 -------- d-----w- c:\program files\AVAST Software
2011-07-11 21:48 . 2011-03-22 08:14 29832 ----a-w- c:\windows\system32\drivers\ssfs0bbc.sys
2011-07-11 21:48 . 2011-03-22 08:14 23176 ----a-w- c:\windows\system32\drivers\sshrmd.sys
2011-07-11 21:48 . 2011-03-22 08:14 176776 ----a-w- c:\windows\system32\drivers\ssidrv.sys
2011-07-11 21:35 . 2011-07-12 11:46 -------- d-----w- c:\program files\GridinSoft Trojan Killer
2011-07-11 17:34 . 2011-07-11 17:34 -------- d-----w- c:\program files\MSSOAP
2011-07-11 17:33 . 2011-07-11 17:33 -------- d-----w- c:\program files\Webroot
2011-07-11 17:00 . 2011-07-11 20:18 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2011-07-11 06:03 . 2009-06-29 08:33 2452872 -c----w- c:\windows\system32\dllcache\ieapfltr.dat
2011-07-11 05:59 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2011-07-11 05:51 . 2011-04-29 16:19 456320 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2011-07-11 05:44 . 2010-12-09 13:42 2148864 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2011-07-11 05:44 . 2010-12-09 13:38 2192768 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2011-07-11 05:44 . 2010-12-09 13:07 2027008 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2011-07-11 05:44 . 2010-12-09 13:07 2069376 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
2011-07-10 13:58 . 2011-07-10 14:01 -------- d-----w- c:\documents and settings\y ela\Local Settings\Application Data\Emex3
2011-07-07 19:38 . 2011-07-07 20:12 -------- d-----w- c:\program files\CamStudio
2011-07-07 11:04 . 2011-07-07 11:04 -------- d-----w- c:\documents and settings\yo ela\.spamassassin
2011-07-07 11:04 . 2011-07-07 11:04 -------- d-----w- c:\documents and settings\y ela\.razor
2011-07-07 09:38 . 2011-07-07 12:33 -------- d-----w- c:\documents and settings\u la\Application Data\SendBlaster2
2011-07-07 09:35 . 2011-07-07 09:35 65536 ----a-r- c:\documents and settings\yoa\Application Data\Microsoft\Installer\{CF950023-9C75-4843-8B68-FD8A5D641B4B}\NewShortcut2_1E583890E48F4F2CBADA36A82A9A538B.exe
2011-07-07 09:35 . 2011-07-07 09:35 65536 ----a-r- c:\documents and settings\yoa\Application Data\Microsoft\Installer\{CF950023-9C75-4843-8B68-FD8A5D641B4B}\NewShortcut1_1E583890E48F4F2CBADA36A82A9A538B.exe
2011-07-07 09:35 . 2011-07-07 09:35 -------- d-----w- c:\program files\SendBlaster
2011-07-05 11:11 . 2011-07-05 11:11 -------- d-----w- c:\documents and settings\All Users\Application Data\eTarget
2011-07-05 11:11 . 2011-07-05 11:11 -------- d-----w- c:\documents and settings\All Users\Application Data\SL2o
2011-07-04 18:39 . 2011-07-04 18:39 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-07-04 18:39 . 2011-07-04 18:39 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
2011-07-04 08:57 . 2011-07-04 08:57 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2011-07-03 21:42 . 2011-07-03 21:42 -------- d-----w- c:\documents and settings\JeJka\Application Data\go
2011-07-03 21:37 . 2011-07-03 21:37 -------- d-----w- c:\documents and settings\JeJka\Application Data\TuneUp Software
2011-07-03 10:37 . 2011-07-03 10:37 -------- d-----w- c:\documents and settings\LocalService\Application Data\TuneUp Software
2011-07-02 10:34 . 2011-06-08 11:42 29504 ----a-w- c:\windows\system32\uxtuneup.dll
2011-07-02 10:24 . 2011-06-08 11:48 31552 ----a-w- c:\windows\system32\TURegOpt.exe
2011-07-02 10:23 . 2011-07-02 10:23 -------- d-----w- c:\documents and settings\a\Application Data\TuneUp Software
2011-07-02 10:23 . 2011-07-12 10:51 -------- d-----w- c:\program files\TuneUp Utilities 2011
2011-07-02 10:22 . 2011-07-02 10:33 -------- d-----w- c:\documents and settings\All Users\Application Data\TuneUp Software
2011-07-02 10:22 . 2011-07-02 10:22 -------- d-sh--w- c:\documents and settings\All Users\Application Data\{24036256-BFDB-4CD3-BE8A-A3D6160F2E16}
2011-06-22 21:21 . 2011-06-22 21:21 -------- d-----w- c:\program files\CPUID
2011-06-13 19:03 . 2011-06-13 19:04 -------- d-----w- c:\windows\_PrimaxInstallTempDir1
2011-06-13 18:19 . 2011-06-13 18:19 -------- d-----w- c:\program files\Synaptics
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-21 19:21 . 2011-05-23 17:33 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-24 17:14 . 2010-04-27 11:50 222080 -c----w- c:\windows\system32\MpSigStub.exe
2011-05-02 15:31 . 2008-04-26 01:44 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25 . 2008-04-14 07:00 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19 . 2008-04-14 07:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 15:51 . 2008-04-14 07:00 832512 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 15:51 . 2008-04-14 07:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2011-04-25 15:51 . 2008-04-14 07:00 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2011-04-25 15:51 . 2008-04-14 07:00 17408 ----a-w- c:\windows\system32\corpol.dll
2011-04-25 12:01 . 2008-04-14 07:00 389120 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37 . 2008-04-14 07:00 105472 ----a-w- c:\windows\system32\drivers\mup.sys
2011-07-04 18:39 . 2011-03-24 08:10 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-05-29 449584]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-25 437160]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^ya^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\yla\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-03-30 04:59 937920 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-06-08 04:02 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2008-06-19 15:20 57344 ----a-w- c:\windows\ALCMTR.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
2009-01-06 23:53 2289664 ----a-w- c:\windows\system32\WLTRAY.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CapsLKNotify]
2009-02-23 15:03 320808 ----a-w- c:\program files\CapsLKNotify\CapsLKNotify.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 07:00 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dellsupportcenter]
2009-06-03 20:46 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-09-16 20:04 1164584 -c--a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-11-28 20:51 136176 ----atw- c:\documents and settings\y ela\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-26 22:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2009-02-15 21:34 166424 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2009-02-15 21:34 141848 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2010-06-01 09:17 5252408 ----a-w- c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mouse Suite 98 Daemon]
2004-07-14 13:36 57344 ----a-w- c:\windows\system32\ICO.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-04-16 20:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 10:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OA012Mon]
2009-09-01 16:02 24576 ----a-w- c:\windows\OA012Mon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2009-02-15 21:34 137752 ----a-w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2009-03-15 21:32 17529856 ------w- c:\windows\RTHDCPL.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2010-03-09 09:02 26100520 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 09:44 248552 -c--a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2009-03-15 22:49 1434920 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WSED]
2009-05-27 21:24 247080 ----a-w- c:\program files\WSED\WSED.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"api32"=c:\docume~1\YO~1\LOCALS~1\Temp\apiqq.exe
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"Google Update"="c:\documents and settings\ya\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
"King_ar"=c:\windows\system32\arking.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Documents and Settings\\ya\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\Outlook Express\\msimn.exe"=
"c:\\Documents and Settings\\y\\Local Settings\\Application Data\\Google\\Update\\GoogleUpdate.exe"=
"c:\\Documents and Settings\\y ela\\My Documents\\Downloads\\sdsetup_aff.exe"=
"c:\\Program Files\\TuneUp Utilities 2011\\TURatingSynch.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\MFAData\\SelfUpd\\avgmfapx.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\ys ela\\My Documents\\Téléchargements\\esetsmartinstaller_fra.exe"=
"c:\\Documents and Settings\\yla\\My Documents\\Téléchargements\\ccsetup308_slim.exe"=
"c:\\Program Files\\CCleaner\\CCleaner.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
.
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [11/07/2011 23:48 29832]
R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2011\TuneUpUtilitiesService32.exe [08/06/2011 13:45 1524544]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [12/12/2009 05:45 143840]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/07/2011 16:59 22712]
R3 OA012Afx;Provides a software interface to control audio effects of OA012 camera.;c:\windows\system32\drivers\OA012Afx.sys [12/12/2009 07:08 134144]
R3 OA012Ufd;Creative Camera OA012 Upper Filter Driver;c:\windows\system32\drivers\OA012Ufd.sys [12/12/2009 07:08 133632]
R3 OA012Vid;Creative Camera OA012 Function Driver;c:\windows\system32\drivers\OA012Vid.sys [12/12/2009 07:08 272256]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [12/12/2009 07:08 162816]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2011\TuneUpUtilitiesDriver32.sys [07/10/2010 13:34 10064]
S0 cerc6;cerc6; [x]
S0 EMSC;COMPAL Embedded System Control;c:\windows\system32\drivers\EMSC.sys [12/12/2009 05:40 14248]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 14:16 130384]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/07/2011 16:59 366640]
S2 WRConsumerService;Webroot Client Service;"c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe" --> c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [12/12/2009 07:08 1684736]
S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [12/07/2011 11:22 24416]
S4 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 14:16 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3873710248-4096894950-999342476-1006Core.job
- c:\documents and settings\y ela\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-11-28 20:51]
.
2011-07-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3873710248-4096894950-999342476-1006UA.job
- c:\documents and settings\yla\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-11-28 20:51]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyServer = http=localhost:8118
uInternet Settings,ProxyOverride = plimus.com,www.plimus.com,regnow.com,www.regnow.com,
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 62.81.29.254 62.42.230.24
FF - ProfilePath - c:\documents and settings\ya\Application Data\Mozilla\Firefox\Profiles\k42wlqko.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.startup.homepage - hxxp://google.fr/
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-mcmscsvc
SafeBoot-MCODS
MSConfigStartUp-avast - c:\program files\AVAST Software\Avast\avastUI.exe
MSConfigStartUp-AVG9_TRAY - c:\progra~1\AVG\AVG9\avgtray.exe
MSConfigStartUp-SpybotSD TeaTimer - c:\program files\Spybot - Search & Destroy\TeaTimer.exe
MSConfigStartUp-SpySweeper - c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe
MSConfigStartUp-sta - xfnop.dll
MSConfigStartUp-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe
MSConfigStartUp-TrojanScanner - c:\program files\Trojan Remover\Trjscan.exe
MSConfigStartUp-Windows Defender - c:\program files\Windows Defender\MSASCui.exe
AddRemove-Convert XLS_is1 - c:\program files\Softinterface
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-12 18:40
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: TOSHIBA_MK1655GSX rev.FG010D -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: >>UNKNOWN [0x804D7000]<< >>UNKNOWN [0xF754F000]<< >>UNKNOWN [0xF753F000]<< >>UNKNOWN [0xF73A1000]<< >>UNKNOWN [0x806E5000]<< >>UNKNOWN [0x87072EC5]<<
_asm { DEC EBP; POP EDX; NOP ; ADD [EBX], AL; ADD [EAX], AL; ADD [EAX+EAX], AL; ADD [EAX], AL; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x870FAAB8]
\Driver\Disk[0x87169968] -> IRP_MJ_CREATE -> 0xF7555BB0
3 [0xF754FFD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000071[0x8716A9E8]
\Driver\ACPI[0x8719CD30] -> IRP_MJ_CREATE -> 0xF73A7CB8
5 [0xF73A7620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x87110940]
[0x87168288] -> IRP_MJ_CREATE -> 0x87072EC5
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskTOSHIBA_MK1655GSX_______________________FG010D__#5&33dc7a75&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x87072AEA
user & kernel MBR OK
sectors 312581806 (+255): user != kernel
Warning: possible TDL3 rootkit infection !
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(600)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'lsass.exe'(660)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(2256)
c:\windows\system32\WININET.dll
c:\windows\system32\hnetcfg.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\TuneUp Utilities 2011\TuneUpUtilitiesApp32.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-07-12 18:48:14 - machine was rebooted
ComboFix-quarantined-files.txt 2011-07-12 16:48
.
Pre-Run: 109,634,273,280 bytes free
Post-Run: 109,790,457,856 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\W="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 41B9C158C14D072643A9A494F63418CF
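The report above is long, and most of what a helper acts on sits in a few sections: the "Reg Loading Points" Run values (an autorun in a Temp folder, an unfamiliar binary in system32 next to the arking.exe the poster already disabled), the browser proxy set to localhost:8118, and the Firefox security warnings switched off in user.js. The following Python script is an added triage example, not part of the thread and not ComboFix's own code: it parses those line formats and ranks the entries a responder would check first. The sample lines are copied from the posted report; the Finding structure, the heuristics and the small responder-maintained BASELINE of accounted-for autoruns are this example's own assumptions.

```python
"""Triage helper for ComboFix-style log lines (added example, not ComboFix code).

Parses Run-key values, the ProxyServer setting and Firefox user.js security
prefs as ComboFix prints them, and flags what a responder should look at first.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the report posted in the thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"api32"=c:\docume~1\YO~1\LOCALS~1\Temp\apiqq.exe
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"Google Update"="c:\documents and settings\ya\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
"King_ar"=c:\windows\system32\arking.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
.
uInternet Settings,ProxyServer = http=localhost:8118
uInternet Settings,ProxyOverride = plimus.com,www.plimus.com,regnow.com,www.regnow.com,
FF - user.js: security.warn_submit_insecure - false
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.+)$')
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer = (?P<proxy>.+)$")
PREF_RE = re.compile(r"^FF - user\.js: (?P<pref>security\.\S+) - (?P<val>\S+)$")

PROFILE_MARKERS = ("\\documents and settings\\", "\\docume~1\\")
SECURITY_PREFS = {"security.warn_submit_insecure", "security.warn_viewing_mixed"}
# Responder-maintained baseline of autoruns already accounted for on this host
# (assumed value name -> lower-case path; ctfmon.exe is the XP text-services loader).
BASELINE = {"ctfmon.exe": "c:\\windows\\system32\\ctfmon.exe"}


@dataclass
class Finding:
    where: str                 # registry key or setting group the line came from
    name: str                  # value name, setting name or pref name
    target: str                # executable path, proxy spec or pref value
    reasons: list = field(default_factory=list)
    severity: int = 0          # 2 = check first, 1 = review


def _exe_path(value: str) -> str:
    """Strip surrounding quotes and trailing arguments from a Run value."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split(" /", 1)[0]


def _proxy_host(proxy: str) -> str:
    """'http=localhost:8118' or 'localhost:8118' -> 'localhost'."""
    spec = proxy.split("=", 1)[1] if "=" in proxy else proxy
    return spec.rsplit(":", 1)[0].strip().lower()


def triage(log_text: str) -> list:
    """Return Findings sorted with the most urgent entries first."""
    findings, current_key = [], ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and current_key:
            path = _exe_path(m.group("value"))
            low = path.lower()
            f = Finding(current_key, m.group("name"), path)
            if "\\temp\\" in low:
                f.reasons.append("autorun launched from a Temp directory")
                f.severity = 2
            elif low.startswith("c:\\windows\\") and BASELINE.get(f.name.lower()) != low:
                f.reasons.append("binary under the Windows directory not in baseline; hash it and check the signer")
                f.severity = 2
            elif any(mk in low for mk in PROFILE_MARKERS):
                f.reasons.append("autorun launched from a user profile; confirm the vendor")
                f.severity = 1
            if f.reasons:
                findings.append(f)
            continue
        m = PROXY_RE.match(line)
        if m:
            if _proxy_host(m.group("proxy")) in ("localhost", "127.0.0.1"):
                findings.append(Finding("Internet Settings", "ProxyServer", m.group("proxy"),
                                        ["browser proxy points at this machine; identify the process listening on that port"], 2))
            continue
        m = PREF_RE.match(line)
        if m and m.group("pref") in SECURITY_PREFS and m.group("val") == "false":
            findings.append(Finding("Firefox user.js", m.group("pref"), m.group("val"),
                                    ["browser security warning disabled in user.js"], 1))
    return sorted(findings, key=lambda f: -f.severity)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.where} :: {f.name} -> {f.target}: {'; '.join(f.reasons)}")
```

Running it on the sample lines prints the Temp-folder autorun, the arking.exe entry and the localhost proxy at severity 2, and the profile-resident updater and the disabled Firefox warning at severity 1; the Adobe entry under Program Files produces no finding. The baseline is deliberately tiny: the point is that anything under the Windows directory that the responder has not already accounted for gets hashed and checked rather than assumed legitimate because of its location.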
2011-07-11 05:44 . 2010-12-09 13:42 2148864 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2011-07-11 05:44 . 2010-12-09 13:38 2192768 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2011-07-11 05:44 . 2010-12-09 13:07 2027008 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2011-07-11 05:44 . 2010-12-09 13:07 2069376 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
2011-07-10 13:58 . 2011-07-10 14:01 -------- d-----w- c:\documents and settings\y ela\Local Settings\Application Data\Emex3
2011-07-07 19:38 . 2011-07-07 20:12 -------- d-----w- c:\program files\CamStudio
2011-07-07 11:04 . 2011-07-07 11:04 -------- d-----w- c:\documents and settings\yo ela\.spamassassin
2011-07-07 11:04 . 2011-07-07 11:04 -------- d-----w- c:\documents and settings\y ela\.razor
2011-07-07 09:38 . 2011-07-07 12:33 -------- d-----w- c:\documents and settings\u la\Application Data\SendBlaster2
2011-07-07 09:35 . 2011-07-07 09:35 65536 ----a-r- c:\documents and settings\yoa\Application Data\Microsoft\Installer\{CF950023-9C75-4843-8B68-FD8A5D641B4B}\NewShortcut2_1E583890E48F4F2CBADA36A82A9A538B.exe
2011-07-07 09:35 . 2011-07-07 09:35 65536 ----a-r- c:\documents and settings\yoa\Application Data\Microsoft\Installer\{CF950023-9C75-4843-8B68-FD8A5D641B4B}\NewShortcut1_1E583890E48F4F2CBADA36A82A9A538B.exe
2011-07-07 09:35 . 2011-07-07 09:35 -------- d-----w- c:\program files\SendBlaster
2011-07-05 11:11 . 2011-07-05 11:11 -------- d-----w- c:\documents and settings\All Users\Application Data\eTarget
2011-07-05 11:11 . 2011-07-05 11:11 -------- d-----w- c:\documents and settings\All Users\Application Data\SL2o
2011-07-04 18:39 . 2011-07-04 18:39 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-07-04 18:39 . 2011-07-04 18:39 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
2011-07-04 08:57 . 2011-07-04 08:57 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2011-07-03 21:42 . 2011-07-03 21:42 -------- d-----w- c:\documents and settings\JeJka\Application Data\go
2011-07-03 21:37 . 2011-07-03 21:37 -------- d-----w- c:\documents and settings\JeJka\Application Data\TuneUp Software
2011-07-03 10:37 . 2011-07-03 10:37 -------- d-----w- c:\documents and settings\LocalService\Application Data\TuneUp Software
2011-07-02 10:34 . 2011-06-08 11:42 29504 ----a-w- c:\windows\system32\uxtuneup.dll
2011-07-02 10:24 . 2011-06-08 11:48 31552 ----a-w- c:\windows\system32\TURegOpt.exe
2011-07-02 10:23 . 2011-07-02 10:23 -------- d-----w- c:\documents and settings\a\Application Data\TuneUp Software
2011-07-02 10:23 . 2011-07-12 10:51 -------- d-----w- c:\program files\TuneUp Utilities 2011
2011-07-02 10:22 . 2011-07-02 10:33 -------- d-----w- c:\documents and settings\All Users\Application Data\TuneUp Software
2011-07-02 10:22 . 2011-07-02 10:22 -------- d-sh--w- c:\documents and settings\All Users\Application Data\{24036256-BFDB-4CD3-BE8A-A3D6160F2E16}
2011-06-22 21:21 . 2011-06-22 21:21 -------- d-----w- c:\program files\CPUID
2011-06-13 19:03 . 2011-06-13 19:04 -------- d-----w- c:\windows\_PrimaxInstallTempDir1
2011-06-13 18:19 . 2011-06-13 18:19 -------- d-----w- c:\program files\Synaptics
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-21 19:21 . 2011-05-23 17:33 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-24 17:14 . 2010-04-27 11:50 222080 -c----w- c:\windows\system32\MpSigStub.exe
2011-05-02 15:31 . 2008-04-26 01:44 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25 . 2008-04-14 07:00 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19 . 2008-04-14 07:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 15:51 . 2008-04-14 07:00 832512 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 15:51 . 2008-04-14 07:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2011-04-25 15:51 . 2008-04-14 07:00 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2011-04-25 15:51 . 2008-04-14 07:00 17408 ----a-w- c:\windows\system32\corpol.dll
2011-04-25 12:01 . 2008-04-14 07:00 389120 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37 . 2008-04-14 07:00 105472 ----a-w- c:\windows\system32\drivers\mup.sys
2011-07-04 18:39 . 2011-03-24 08:10 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-05-29 449584]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-25 437160]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^ya^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\yla\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-03-30 04:59 937920 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-06-08 04:02 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2008-06-19 15:20 57344 ----a-w- c:\windows\ALCMTR.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
2009-01-06 23:53 2289664 ----a-w- c:\windows\system32\WLTRAY.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CapsLKNotify]
2009-02-23 15:03 320808 ----a-w- c:\program files\CapsLKNotify\CapsLKNotify.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 07:00 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dellsupportcenter]
2009-06-03 20:46 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-09-16 20:04 1164584 -c--a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-11-28 20:51 136176 ----atw- c:\documents and settings\y ela\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-26 22:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2009-02-15 21:34 166424 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2009-02-15 21:34 141848 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2010-06-01 09:17 5252408 ----a-w- c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mouse Suite 98 Daemon]
2004-07-14 13:36 57344 ----a-w- c:\windows\system32\ICO.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-04-16 20:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 10:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OA012Mon]
2009-09-01 16:02 24576 ----a-w- c:\windows\OA012Mon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2009-02-15 21:34 137752 ----a-w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2009-03-15 21:32 17529856 ------w- c:\windows\RTHDCPL.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2010-03-09 09:02 26100520 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 09:44 248552 -c--a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2009-03-15 22:49 1434920 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WSED]
2009-05-27 21:24 247080 ----a-w- c:\program files\WSED\WSED.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"api32"=c:\docume~1\YO~1\LOCALS~1\Temp\apiqq.exe
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"Google Update"="c:\documents and settings\ya\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
"King_ar"=c:\windows\system32\arking.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Documents and Settings\\ya\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\Outlook Express\\msimn.exe"=
"c:\\Documents and Settings\\y\\Local Settings\\Application Data\\Google\\Update\\GoogleUpdate.exe"=
"c:\\Documents and Settings\\y ela\\My Documents\\Downloads\\sdsetup_aff.exe"=
"c:\\Program Files\\TuneUp Utilities 2011\\TURatingSynch.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\MFAData\\SelfUpd\\avgmfapx.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\ys ela\\My Documents\\Téléchargements\\esetsmartinstaller_fra.exe"=
"c:\\Documents and Settings\\yla\\My Documents\\Téléchargements\\ccsetup308_slim.exe"=
"c:\\Program Files\\CCleaner\\CCleaner.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
.
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [11/07/2011 23:48 29832]
R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2011\TuneUpUtilitiesService32.exe [08/06/2011 13:45 1524544]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [12/12/2009 05:45 143840]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/07/2011 16:59 22712]
R3 OA012Afx;Provides a software interface to control audio effects of OA012 camera.;c:\windows\system32\drivers\OA012Afx.sys [12/12/2009 07:08 134144]
R3 OA012Ufd;Creative Camera OA012 Upper Filter Driver;c:\windows\system32\drivers\OA012Ufd.sys [12/12/2009 07:08 133632]
R3 OA012Vid;Creative Camera OA012 Function Driver;c:\windows\system32\drivers\OA012Vid.sys [12/12/2009 07:08 272256]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [12/12/2009 07:08 162816]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2011\TuneUpUtilitiesDriver32.sys [07/10/2010 13:34 10064]
S0 cerc6;cerc6; [x]
S0 EMSC;COMPAL Embedded System Control;c:\windows\system32\drivers\EMSC.sys [12/12/2009 05:40 14248]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 14:16 130384]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/07/2011 16:59 366640]
S2 WRConsumerService;Webroot Client Service;"c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe" --> c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [12/12/2009 07:08 1684736]
S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [12/07/2011 11:22 24416]
S4 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 14:16 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3873710248-4096894950-999342476-1006Core.job
- c:\documents and settings\y ela\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-11-28 20:51]
.
2011-07-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3873710248-4096894950-999342476-1006UA.job
- c:\documents and settings\yla\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-11-28 20:51]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyServer = http=localhost:8118
uInternet Settings,ProxyOverride = plimus.com,www.plimus.com,regnow.com,www.regnow.com,
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 62.81.29.254 62.42.230.24
FF - ProfilePath - c:\documents and settings\ya\Application Data\Mozilla\Firefox\Profiles\k42wlqko.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.startup.homepage - hxxp://google.fr/
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-mcmscsvc
SafeBoot-MCODS
MSConfigStartUp-avast - c:\program files\AVAST Software\Avast\avastUI.exe
MSConfigStartUp-AVG9_TRAY - c:\progra~1\AVG\AVG9\avgtray.exe
MSConfigStartUp-SpybotSD TeaTimer - c:\program files\Spybot - Search & Destroy\TeaTimer.exe
MSConfigStartUp-SpySweeper - c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe
MSConfigStartUp-sta - xfnop.dll
MSConfigStartUp-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe
MSConfigStartUp-TrojanScanner - c:\program files\Trojan Remover\Trjscan.exe
MSConfigStartUp-Windows Defender - c:\program files\Windows Defender\MSASCui.exe
AddRemove-Convert XLS_is1 - c:\program files\Softinterface
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-12 18:40
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: TOSHIBA_MK1655GSX rev.FG010D -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: >>UNKNOWN [0x804D7000]<< >>UNKNOWN [0xF754F000]<< >>UNKNOWN [0xF753F000]<< >>UNKNOWN [0xF73A1000]<< >>UNKNOWN [0x806E5000]<< >>UNKNOWN [0x87072EC5]<<
_asm { DEC EBP; POP EDX; NOP ; ADD [EBX], AL; ADD [EAX], AL; ADD [EAX+EAX], AL; ADD [EAX], AL; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x870FAAB8]
\Driver\Disk[0x87169968] -> IRP_MJ_CREATE -> 0xF7555BB0
3 [0xF754FFD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000071[0x8716A9E8]
\Driver\ACPI[0x8719CD30] -> IRP_MJ_CREATE -> 0xF73A7CB8
5 [0xF73A7620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x87110940]
[0x87168288] -> IRP_MJ_CREATE -> 0x87072EC5
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskTOSHIBA_MK1655GSX_______________________FG010D__#5&33dc7a75&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x87072AEA
user & kernel MBR OK
sectors 312581806 (+255): user != kernel
Warning: possible TDL3 rootkit infection !
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(600)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'lsass.exe'(660)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(2256)
c:\windows\system32\WININET.dll
c:\windows\system32\hnetcfg.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\TuneUp Utilities 2011\TuneUpUtilitiesApp32.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-07-12 18:48:14 - machine was rebooted
ComboFix-quarantined-files.txt 2011-07-12 16:48
.
Pre-Run: 109,634,273,280 bytes free
Post-Run: 109,790,457,856 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\W="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 41B9C158C14D072643A9A494F63418CF
Hi
To see what this error code corresponds to, go to http://www.docmemo.com/windows/erreurscodes.php
.
c:\documents and settings\y a\Application Data\Heed
c:\documents and settings\ys ea\Application Data\Heed\hiyzw.fei
c:\documents and settings\ys la\Application Data\Heed\hiyzw.tmp
c:\documents and settings\y a\Desktop\Internet Explorer.lnk
C:\install.exe
Worst case, if it's due to ComboFix, it creates a restore point, so in principle you can restore the PC to the state it was in before ComboFix was used.
So you're connected over Ethernet, then?
OK, I'm going to try to roll back to the restore point with ComboFix.
I'm on a second PC.