Forum Clubic

PC infected by Security Tool

Hello,

My PC was recently infected by the Security Tool spyware. I can't get rid of it: despite several Malwarebytes scans in Safe Mode, Security Tool always comes back.
If someone could give me a hand...

Below is the SmitFraudFix report, I don't know whether it can help...

SmitFraudFix v2.424

Rapport fait à 20:57:17,51, 07/11/2009
Executé à partir de C:\Documents and Settings\Administrateur\Bureau\SmitfraudFix
OS: Microsoft Windows XP [version 5.1.2600] - Windows_NT
Le type du système de fichiers est NTFS
Fix executé en mode normal

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\HTC\HTC Sync\Application Launcher\Application Launcher.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Fichiers communs\Teleca Shared\CapabilityManager.exe
C:\Program Files\Fichiers communs\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Fichiers communs\Teleca Shared\logger.exe
C:\Program Files\Fichiers communs\Teleca Shared\Generic.exe
C:\Program Files\HTC\HTC Sync\ClientInitiatedStarter\ClientInitiatedStarter.exe
C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\epmworker.exe
C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\DbgOut.exe
C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\HTCVBTServer.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\FsynSrvStarter.exe
C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\IDT\WDM\STacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Hide My IP 2007\SecureSrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Administrateur\Bureau\SmitfraudFix\Policies.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrateur

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrateur\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Menu Démarrer

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ADMINI~1\Favoris

»»»»»»»»»»»»»»»»»»»»»»»» Bureau

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Clés corrompues

»»»»»»»»»»»»»»»»»»»»»»»» Eléments du bureau

»»»»»»»»»»»»»»»»»»»»»»»» o4Patch
!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix
!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\WINDOWS\system32\userinit.exe,"

»»»»»»»»»»»»»»»»»»»»»»»» RK

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Dell Wireless 1397 WLAN Mini-Card - Miniport d’ordonnancement de paquets
DNS Server Search Order: 80.10.246.2
DNS Server Search Order: 80.10.246.129

Description: Dell Wireless 1397 WLAN Mini-Card - Miniport d’ordonnancement de paquets
DNS Server Search Order: 192.168.1.1

HKLM\SYSTEM\CCS\Services\Tcpip…{376A4B2D-7FF4-45D1-99CD-425BCD20947C}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip…{BC980BF0-18C8-4745-9D5A-5268A89D2876}: DhcpNameServer=80.10.246.2 80.10.246.129
HKLM\SYSTEM\CS1\Services\Tcpip…{BC980BF0-18C8-4745-9D5A-5268A89D2876}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip…{BC980BF0-18C8-4745-9D5A-5268A89D2876}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip…{376A4B2D-7FF4-45D1-99CD-425BCD20947C}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip…{BC980BF0-18C8-4745-9D5A-5268A89D2876}: DhcpNameServer=80.10.246.2 80.10.246.129
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1

»»»»»»»»»»»»»»»»»»»»»»»» Recherche infection wininet.dll

»»»»»»»»»»»»»»»»»»»»»»»» Fin

Hey! Thanks for giving me a hand.

Here is the ComboFix report

ComboFix 09-11-07.02 - Administrateur 07/11/2009 23:26.4.2 - NTFSx86
Microsoft Windows XP Professionnel 5.1.2600.3.1252.1.1036.18.2046.1336 [GMT 1:00]
Lancé depuis: c:\documents and settings\Administrateur\Bureau\supra.exe

AVERTISSEMENT - LA CONSOLE DE RÉCUPÉRATION N’EST PAS INSTALLÉE SUR CETTE MACHINE !!
.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrateur\Application Data\wiaserva.log
c:\documents and settings\Administrateur\Bureau\Security Tool.lnk
c:\documents and settings\All Users\Application Data\25088932
c:\documents and settings\All Users\Application Data\25088932\25088932.exe

.
((((((((((((((((((((((((((((((((((((((( Pilotes/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF

((((((((((((((((((((((((((((( Fichiers créés du 2009-10-07 au 2009-11-07 ))))))))))))))))))))))))))))))))))))
.

2009-11-07 22:40 . 2009-11-07 22:40 1278501 ----a-w- c:\documents and settings\All Users\Application Data\45297431\45297431.exe
2009-11-07 22:20 . 2009-11-07 22:20 -------- d-----w- C:\UsbFix
2009-11-07 22:14 . 2009-11-07 22:15 -------- d-----w- C:\ToolBar SD
2009-11-07 19:50 . 2009-11-07 19:52 -------- d-----w- c:\program files\trend micro
2009-11-07 19:50 . 2009-11-07 19:52 -------- d-----w- C:\rsit
2009-11-07 13:51 . 2009-09-10 13:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-07 13:51 . 2009-11-07 13:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-07 13:51 . 2009-09-10 13:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-07 13:33 . 2009-11-07 13:32 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-11-07 13:32 . 2009-11-07 13:37 -------- d-----w- c:\documents and settings\Administrateur\.housecall6.6
2009-11-07 13:04 . 2009-11-07 13:04 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-11-07 10:51 . 2009-11-07 15:35 -------- d-----w- c:\documents and settings\Administrateur\Local Settings\Application Data\ieodbc3D
2009-11-03 12:55 . 2009-11-03 12:55 -------- d-----w- c:\program files\Sweet Home 3D
2009-11-02 18:21 . 2009-11-02 18:21 -------- d-----w- c:\documents and settings\Administrateur\Application Data\Malwarebytes
2009-11-02 18:21 . 2009-11-02 18:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-26 15:07 . 2007-11-27 02:24 14640 ------w- c:\windows\system32\spmsgXP_2k3.dll
2009-10-26 14:52 . 2009-10-26 15:10 -------- d-----w- c:\documents and settings\Administrateur\Application Data\Teleca
2009-10-26 14:52 . 2009-10-26 14:52 -------- d-----w- c:\documents and settings\Administrateur\Local Settings\Application Data\HTC
2009-10-26 14:51 . 2009-10-26 14:51 -------- d-----w- c:\documents and settings\All Users\Application Data\HTC
2009-10-26 14:51 . 2009-10-26 14:51 -------- d-----w- c:\program files\Fichiers communs\Teleca Shared
2009-10-26 14:51 . 2009-10-26 14:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Teleca
2009-10-26 14:50 . 2009-07-02 13:42 25728 ----a-w- c:\windows\system32\drivers\ANDROIDUSB.sys
2009-10-26 14:50 . 2009-07-02 13:42 1122664 ----a-w- c:\windows\system32\WdfCoInstaller01007.dll
2009-10-26 14:50 . 2009-10-26 14:51 -------- d-----w- c:\program files\HTC
2009-10-26 14:50 . 2009-10-26 14:50 -------- d-----w- c:\windows\Downloaded Installations
2009-10-25 08:23 . 2007-07-04 02:04 888832 ----a-w- c:\windows\system32\securenet.dll
2009-10-25 08:23 . 2009-10-25 08:23 -------- d-----w- c:\program files\Hide My IP 2007
2009-10-15 17:38 . 2009-07-17 16:16 1440768 ------w- c:\windows\system32\dllcache\query.dll
2009-10-15 17:32 . 2009-09-04 21:04 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
2009-10-14 15:05 . 2009-10-14 15:05 -------- d-----w- c:\documents and settings\Administrateur\Application Data\LolClient.F24C99354F615F3BAB18AE7B93E3F9B9E8784FA6.1
2009-10-14 09:41 . 2009-10-14 15:04 38208 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-10-14 09:41 . 2009-10-14 15:04 -------- d-----w- c:\program files\Fichiers communs\Adobe AIR
2009-10-14 09:39 . 2009-10-14 09:39 -------- d-----w- C:\Riot Games

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-07 22:40 . 2009-11-07 22:40 -------- d-----w- c:\documents and settings\All Users\Application Data\45297431
2009-11-07 22:39 . 2009-11-07 22:39 59509 ----a-w- c:\windows\system32\restorer32_a.exe
2009-11-07 22:39 . 2009-11-07 22:39 59509 ----a-w- c:\documents and settings\Administrateur\restorer32_a.exe
2009-11-07 22:17 . 2008-08-27 21:34 -------- d-----w- c:\documents and settings\Administrateur\Application Data\uTorrent
2009-11-07 21:19 . 2008-05-02 22:57 693576 ----a-w- c:\windows\system32\perfc00C.dat
2009-11-07 21:19 . 2008-05-02 22:57 1579898 ----a-w- c:\windows\system32\perfh00C.dat
2009-11-07 15:42 . 2008-09-08 12:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-07 14:40 . 2009-11-07 14:40 -------- d-----w- c:\program files\microsoft frontpage
2009-11-05 17:20 . 2008-08-19 12:52 -------- d-----w- c:\program files\Ad-Aware
2009-11-05 16:58 . 2008-11-08 11:43 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-26 15:07 . 2009-10-26 15:07 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-10-26 15:07 . 2009-10-26 15:07 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ANDROIDUSB_01007.Wdf
2009-10-14 09:39 . 2008-08-19 13:02 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-11 14:18 . 2008-05-02 22:57 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:04 . 2008-05-02 22:57 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:21 . 2008-05-02 22:57 840704 ------w- c:\windows\system32\wininet.dll
2009-08-29 07:20 . 2008-05-02 22:57 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:20 . 2008-05-02 22:57 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-26 08:01 . 2008-05-02 22:57 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-18 16:54 . 2008-08-20 11:54 66768 ----a-w- c:\documents and settings\Administrateur\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-17 21:33 . 2009-08-17 21:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2008-11-22 18:57 . 2008-11-22 18:51 24 --sh--w- c:\windows\S4272D5A0.tmp
.

------- Sigcheck -------

[-] 2008-05-02 . 22F702A6DCBDB4F7282C4B73B95EE4E4 . 2011136 . . [6.00.2900.5512] . . c:\windows\explorer.exe

[-] 2008-05-02 . A9658459BB4F4EE00FA117C9382C0D3A . 1571840 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll

c:\windows\system32\drivers\beep.sys … manque !!
c:\windows\system32\regsvc.dll … manque !!
.
((((((((((((((((((((((((((((( SnapShot_2009-11-07_21.14.02 )))))))))))))))))))))))))))))))))))))))))
.

2009-11-07 22:39 . 2009-11-07 22:39 16896 c:\windows\temp\wpv971255562528.exe
2009-11-07 22:39 . 2009-11-07 22:39 59509 c:\windows\temp\wpv491257061249.exe
2009-11-07 22:39 . 2009-11-07 22:39 39424 c:\windows\temp\wpv391257476250.exe
2009-11-07 22:39 . 2009-11-07 22:39 28928 c:\windows\temp\wpv011257179558.exe
2009-11-07 21:14 . 2009-11-07 21:14 28928 c:\windows\temp\wpv011257179558.exe
2009-11-07 22:39 . 2009-11-07 22:39 16384 c:\windows\temp\Perflib_Perfdata_a24.dat
2009-11-07 22:40 . 2009-11-07 22:40 418816 c:\windows\temp\_ex-08.exe
2008-05-02 22:57 . 2009-11-07 21:19 544082 c:\windows\system32\perfc009.dat
2008-05-02 22:57 . 2009-11-07 21:19 1124948 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-12-14 159744]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-12-04 186904]
"Mobile Connectivity Suite"="c:\program files\HTC\HTC Sync\Application Launcher\Application Launcher.exe" [2009-05-27 598016]
"sysgif32"="c:\windows\Temp\wpv011257179558.exe" [2009-11-07 28928]
"45297431"="c:\docume~1\ALLUSE~1\APPLIC~1\45297431\45297431.exe" [2009-11-07 1278501]
"PromoReg"="c:\windows\Temp\_ex-08.exe" [2009-11-07 418816]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
"nltide_3"="advpack.dll" - c:\windows\system32\advpack.dll [2009-08-29 124928]

c:\documents and settings\Administrateur\Menu D?marrer\Programmes\D?marrage
ukssys32.exe [2008-5-2 29952]

c:\documents and settings\All Users\Menu D?marrer\Programmes\D?marrage
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-10-4 805392]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe rundll32.exe pqrs.tmo printer"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 00:42 72208 ----a-w- c:\program files\Fichiers communs\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe"=
"%windir%\system32\sessmgr.exe"=
"c:\Program Files\uTorrent\uTorrent.exe"=
"d:\Download\utorrent.exe"=
"c:\Program Files\Bonjour\mDNSResponder.exe"=
"c:\Program Files\iTunes\iTunes.exe"=
"c:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"=
"c:\Program Files\Java\jre1.6.0_07\bin\javaw.exe"=
"c:\wamp\bin\apache\apache2.2.6\bin\httpd.exe"=
"d:\Program Files\Sun\xVM VirtualBox\VirtualBox.exe"=
"c:\WINDOWS\system32\javaw.exe"=
"c:\Program Files\Mozilla Firefox\firefox.exe"=
"c:\Program Files\Fichiers communs\Adobe\CS4ServiceManager\CS4ServiceManager.exe"=
"c:\Program Files\Windows Live\Messenger\wlcsdk.exe"=
"c:\Program Files\Windows Live\Messenger\msnmsgr.exe"=
"c:\Program Files\Skype\Phone\Skype.exe"=
"c:\Riot Games\League of Legends\air\LolClient.exe"=
"c:\Riot Games\League of Legends\game\League of Legends.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"19219:TCP"= 19219:TCP:µtorrent
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"8370:TCP"= 8370:TCP:League of Legends Launcher
"8370:UDP"= 8370:UDP:League of Legends Launcher
"8371:TCP"= 8371:TCP:League of Legends Launcher
"8371:UDP"= 8371:UDP:League of Legends Launcher
"6892:TCP"= 6892:TCP:League of Legends Launcher
"6892:UDP"= 6892:UDP:League of Legends Launcher
"8372:TCP"= 8372:TCP:League of Legends Launcher
"8372:UDP"= 8372:UDP:League of Legends Launcher

R0 Si3124;Si3124;c:\windows\system32\drivers\si3124.sys [02/05/2008 23:57 76208]
R0 Si3531;Si3531;c:\windows\system32\drivers\Si3531.sys [02/05/2008 23:57 210224]
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [01/12/2008 12:54 95888]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [01/12/2008 12:54 41680]
R3 itecir;ITECIR Infrared Receiver;c:\windows\system32\drivers\itecir.sys [19/08/2008 14:24 54784]
R3 OA001Ufd;Creative Camera OA001 Upper Filter Driver;c:\windows\system32\drivers\OA001Ufd.sys [20/08/2008 12:40 149208]
R3 OA001Vid;Creative Camera OA001 Function Driver;c:\windows\system32\drivers\OA001Vid.sys [20/08/2008 12:40 277624]
R3 SecureSrv;SecureSrv;c:\program files\Hide My IP 2007\SecureSrv.exe [25/10/2009 09:23 368718]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [26/10/2009 15:50 25728]
S3 k57w2k;Broadcom NetLink (TM) Gigabit Ethernet;c:\windows\system32\drivers\k57xp32.sys [03/10/2008 14:54 174592]
S3 PEEK5;PEEK5 Protocol Driver;c:\docume~1\ADMINI~1\MESDOC~1\WINAIR~1\WINAIR~1\WINAIR~1\PEEK5.SYS [07/10/2009 09:45 13184]

--- Autres Services/Pilotes en mémoire ---

Deregistered - mbr
.
.
------- Examen supplémentaire -------
.
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Ajouter la cible du lien à un fichier PDF existant - c:\program files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Ajouter à un fichier PDF existant - c:\program files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convertir au format Adobe PDF - c:\program files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Convertir la cible du lien au format Adobe PDF - c:\program files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: E&xporter vers Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\securenet.dll
FF - ProfilePath - c:\documents and settings\Administrateur\Application Data\Mozilla\Firefox\Profiles\72dpp807.default
FF - prefs.js: browser.startup.homepage - igoogle.fr
FF - component: c:\documents and settings\Administrateur\Application Data\Mozilla\Firefox\Profiles\72dpp807.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\documents and settings\Administrateur\Application Data\Mozilla\Firefox\Profiles\72dpp807.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.

- - - - ORPHELINS SUPPRIMES - - - -

Toolbar-ITBar7Layout - (no file)
Toolbar-ITBar7Position - (no file)
HKLM-Run-25088932 - c:\docume~1\ALLUSE~1\APPLIC~1\25088932\25088932.exe


catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, www.gmer.net…
Rootkit scan 2009-11-07 23:39
Windows 5.1.2600 Service Pack 3 NTFS

Recherche de processus cachés …

Recherche d’éléments en démarrage automatique cachés …

Recherche de fichiers cachés …

c:\windows\system32\restorer32_a.exe 59509 bytes executable

Scan terminé avec succès
Fichiers cachés: 1


Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, www.gmer.net…

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys spqc.sys hal.dll >>UNKNOWN [0x8A5B0938]<<
kernel: MBR read successfully
user & kernel MBR OK
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, www.gmer.net…

iaStor.sys @ 0x0 0x0 bytes

\Driver\iaStor [ IRP_MJ_CREATE ] 0x44468 != 0xB9D79D10 iaStor.sys
\Driver\iaStor [ IRP_MJ_CLOSE ] 0x44468 != 0xB9D79D10 iaStor.sys
\Driver\iaStor [ IRP_MJ_DEVICE_CONTROL ] 0x414D0 != 0xB9D79D10 iaStor.sys
\Driver\iaStor [ IRP_MJ_INTERNAL_DEVICE_CONTROL ] 0x3E464 != 0xB9D79D10 iaStor.sys
\Driver\iaStor [ IRP_MJ_POWER ] 0x396AE != 0xB9D79D10 iaStor.sys
\Driver\iaStor [ IRP_MJ_SYSTEM_CONTROL ] 0x38964 != 0xB9D79D10 iaStor.sys
\Driver\iaStor IRP hooks detected !


.
--------------------- DLLs chargées dans les processus actifs ---------------------

- - - - - - - > 'winlogon.exe'(1092)
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\fichiers communs\logishrd\bluetooth\LBTWlgn.dll
c:\program files\fichiers communs\logishrd\bluetooth\LBTServ.dll
c:\windows\system32\COMRes.dll
c:\program files\Fichiers communs\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'lsass.exe'(1148)
c:\windows\system32\setupapi.dll

- - - - - - - > 'Explorer.exe'(7828)
c:\windows\system32\SHDOCVW.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\COMRes.dll
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\stacapi.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\NETSHELL.dll
c:\windows\system32\credui.dll
c:\windows\system32\eappprxy.dll
c:\program files\Fichiers communs\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
------------------------ Autres processus actifs ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Fichiers communs\Teleca Shared\CapabilityManager.exe
c:\program files\Fichiers communs\Teleca Shared\logger.exe
c:\program files\Fichiers communs\Logishrd\KHAL2\KHALMNPR.EXE
c:\program files\Fichiers communs\Teleca Shared\Generic.exe
c:\program files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\HTC\HTC Sync\ClientInitiatedStarter\ClientInitiatedStarter.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\IDT\WDM\STacSV.exe
c:\program files\HTC\HTC Sync\Mobile Phone Monitor\epmworker.exe
c:\program files\HTC\HTC Sync\Mobile Phone Monitor\DbgOut.exe
c:\program files\HTC\HTC Sync\Mobile Phone Monitor\HTCVBTServer.exe
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\DellTPad\HidFind.exe
c:\program files\DellTPad\Apntex.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\HTC\HTC Sync\Mobile Phone Monitor\FsynSrvStarter.exe
c:\windows\system32\wscntfy.exe
c:\windows\Temp\wpv971255562528.exe
.


.
Heure de fin: 2009-11-07 23:44 - La machine a redémarré
ComboFix-quarantined-files.txt 2009-11-07 22:44
ComboFix2.txt 2009-11-07 21:19
ComboFix3.txt 2009-11-07 15:39
ComboFix4.txt 2009-11-07 14:29

Avant-CF: 1 287 684 096 octets libres
Après-CF: 1 255 514 112 octets libres

Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4

- - End Of File - - 04B99CAB1080046A66D85646B76E349D

I installed the Recovery Console, but I didn't get a report. I rebooted to check whether it was properly installed, and I did get the selection screen, so I think it's fine. Yes, I have a Windows CD available that must be lying around somewhere.
As for using ComboFix, I used it after reading similar topics on other forums before posting.

I'll run the ComboFix scan again and post the report ASAP.

Really, thanks for looking into my problem :wink:

Here is the content of the ComboFix report:

ComboFix 09-11-07.02 - Administrateur 08/11/2009 1:52.5.2 - NTFSx86
Microsoft Windows XP Professionnel 5.1.2600.3.1252.1.1036.18.2046.1465 [GMT 1:00]
Lancé depuis: c:\documents and settings\Administrateur\Bureau\supra.exe
.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrateur\Application Data\wiaserva.log
c:\documents and settings\Administrateur\Bureau\Security Tool.lnk
c:\documents and settings\All Users\Application Data\62119524
c:\documents and settings\All Users\Application Data\62119524\62119524.exe
c:\program files\WinPCap
c:\program files\WinPCap\rpcapd.exe
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Pilotes/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_npf

((((((((((((((((((((((((((((( Fichiers créés du 2009-10-08 au 2009-11-08 ))))))))))))))))))))))))))))))))))))
.

2009-11-08 00:59 . 2009-11-08 00:59 1278501 ----a-w- c:\documents and settings\All Users\Application Data\58806835\58806835.exe
2009-11-08 00:59 . 2009-11-08 00:59 -------- d-----w- c:\documents and settings\All Users\Application Data\58806835
2009-11-08 00:59 . 2009-11-08 00:59 59509 ----a-w- c:\windows\system32\restorer32_a.exe
2009-11-08 00:59 . 2009-11-08 00:59 59509 ----a-w- c:\documents and settings\Administrateur\restorer32_a.exe
2009-11-07 22:20 . 2009-11-07 22:20 -------- d-----w- C:\UsbFix
2009-11-07 22:14 . 2009-11-07 22:15 -------- d-----w- C:\ToolBar SD
2009-11-07 19:50 . 2009-11-07 23:46 -------- d-----w- c:\program files\trend micro
2009-11-07 19:50 . 2009-11-07 19:52 -------- d-----w- C:\rsit
2009-11-07 13:51 . 2009-09-10 13:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-07 13:51 . 2009-11-07 13:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-07 13:51 . 2009-09-10 13:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-07 13:33 . 2009-11-07 13:32 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-11-07 13:32 . 2009-11-07 13:37 -------- d-----w- c:\documents and settings\Administrateur\.housecall6.6
2009-11-07 13:04 . 2009-11-07 13:04 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-11-07 10:51 . 2009-11-07 15:35 -------- d-----w- c:\documents and settings\Administrateur\Local Settings\Application Data\ieodbc3D
2009-11-03 12:55 . 2009-11-03 12:55 -------- d-----w- c:\program files\Sweet Home 3D
2009-11-02 18:21 . 2009-11-02 18:21 -------- d-----w- c:\documents and settings\Administrateur\Application Data\Malwarebytes
2009-11-02 18:21 . 2009-11-02 18:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-26 15:07 . 2007-11-27 02:24 14640 ------w- c:\windows\system32\spmsgXP_2k3.dll
2009-10-26 14:52 . 2009-10-26 15:10 -------- d-----w- c:\documents and settings\Administrateur\Application Data\Teleca
2009-10-26 14:52 . 2009-10-26 14:52 -------- d-----w- c:\documents and settings\Administrateur\Local Settings\Application Data\HTC
2009-10-26 14:51 . 2009-10-26 14:51 -------- d-----w- c:\documents and settings\All Users\Application Data\HTC
2009-10-26 14:51 . 2009-10-26 14:51 -------- d-----w- c:\program files\Fichiers communs\Teleca Shared
2009-10-26 14:51 . 2009-10-26 14:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Teleca
2009-10-26 14:50 . 2009-07-02 13:42 25728 ----a-w- c:\windows\system32\drivers\ANDROIDUSB.sys
2009-10-26 14:50 . 2009-07-02 13:42 1122664 ----a-w- c:\windows\system32\WdfCoInstaller01007.dll
2009-10-26 14:50 . 2009-10-26 14:51 -------- d-----w- c:\program files\HTC
2009-10-26 14:50 . 2009-10-26 14:50 -------- d-----w- c:\windows\Downloaded Installations
2009-10-25 08:23 . 2007-07-04 02:04 888832 ----a-w- c:\windows\system32\securenet.dll
2009-10-15 17:38 . 2009-07-17 16:16 1440768 ------w- c:\windows\system32\dllcache\query.dll
2009-10-15 17:32 . 2009-09-04 21:04 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
2009-10-14 15:05 . 2009-10-14 15:05 -------- d-----w- c:\documents and settings\Administrateur\Application Data\LolClient.F24C99354F615F3BAB18AE7B93E3F9B9E8784FA6.1
2009-10-14 09:41 . 2009-10-14 15:04 38208 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-10-14 09:41 . 2009-10-14 15:04 -------- d-----w- c:\program files\Fichiers communs\Adobe AIR
2009-10-14 09:39 . 2009-10-14 09:39 -------- d-----w- C:\Riot Games

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-08 00:55 . 2008-05-02 22:57 696178 ----a-w- c:\windows\system32\perfc00C.dat
2009-11-08 00:55 . 2008-05-02 22:57 1584522 ----a-w- c:\windows\system32\perfh00C.dat
2009-11-07 22:17 . 2008-08-27 21:34 -------- d-----w- c:\documents and settings\Administrateur\Application Data\uTorrent
2009-11-07 15:42 . 2008-09-08 12:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-07 14:40 . 2009-11-07 14:40 -------- d-----w- c:\program files\microsoft frontpage
2009-11-05 17:20 . 2008-08-19 12:52 -------- d-----w- c:\program files\Ad-Aware
2009-11-05 16:58 . 2008-11-08 11:43 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-26 15:07 . 2009-10-26 15:07 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-10-26 15:07 . 2009-10-26 15:07 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ANDROIDUSB_01007.Wdf
2009-10-14 09:39 . 2008-08-19 13:02 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-11 14:18 . 2008-05-02 22:57 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:04 . 2008-05-02 22:57 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:21 . 2008-05-02 22:57 840704 ------w- c:\windows\system32\wininet.dll
2009-08-29 07:20 . 2008-05-02 22:57 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:20 . 2008-05-02 22:57 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-26 08:01 . 2008-05-02 22:57 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-18 16:54 . 2008-08-20 11:54 66768 ----a-w- c:\documents and settings\Administrateur\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-17 21:33 . 2009-08-17 21:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2008-11-22 18:57 . 2008-11-22 18:51 24 --sh--w- c:\windows\S4272D5A0.tmp
.

------- Sigcheck -------

[-] 2008-05-02 . 22F702A6DCBDB4F7282C4B73B95EE4E4 . 2011136 . . [6.00.2900.5512] . . c:\windows\explorer.exe

[-] 2008-05-02 . A9658459BB4F4EE00FA117C9382C0D3A . 1571840 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll

c:\windows\system32\drivers\beep.sys ... is missing !!
c:\windows\system32\regsvc.dll ... is missing !!
.
((((((((((((((((((((((((((((( SnapShot_2009-11-07_21.14.02 )))))))))))))))))))))))))))))))))))))))))
.

  • 2009-11-08 00:58 . 2009-11-08 00:58 28928 c:\windows\temp\wpv481257179558.exe
  • 2009-11-08 00:58 . 2009-11-08 00:58 16896 c:\windows\temp\wpv391255562528.exe
  • 2009-11-08 00:58 . 2009-11-08 00:58 59509 c:\windows\temp\wpv291257061249.exe
  • 2009-11-08 00:59 . 2009-11-08 00:59 16384 c:\windows\temp\Perflib_Perfdata_814.dat
  • 2009-11-08 00:59 . 2009-11-08 00:59 417792 c:\windows\temp_ex-08.exe
  • 2008-05-02 22:57 . 2009-11-08 00:55 546108 c:\windows\system32\perfc009.dat
  • 2008-05-02 22:57 . 2009-11-08 00:55 1127934 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note: empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"restorer32_a"="c:\documents and settings\Administrateur\restorer32_a.exe" [2009-11-08 59509]
"ieodbc3D"="c:\documents and settings\Administrateur\Local Settings\Application Data\ieodbc3D\ieodbc3D.dll" [2009-11-06 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-12-14 159744]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-12-04 186904]
"Mobile Connectivity Suite"="c:\program files\HTC\HTC Sync\Application Launcher\Application Launcher.exe" [2009-05-27 598016]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"sysgif32"="c:\windows\Temp\wpv481257179558.exe" [2009-11-08 28928]
"restorer32_a"="c:\windows\system32\restorer32_a.exe" [2009-11-08 59509]
"58806835"="c:\docume~1\ALLUSE~1\APPLIC~1\58806835\58806835.exe" [2009-11-08 1278501]
"PromoReg"="c:\windows\Temp_ex-08.exe" [2009-11-08 417792]
"Regedit32"="c:\windows\system32\regedit.exe" [BU]

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
"nltide_3"="advpack.dll" - c:\windows\system32\advpack.dll [2009-08-29 124928]

c:\documents and settings\Administrateur\Menu D?marrer\Programmes\D?marrage
ukssys32.exe [2008-5-2 29952]

c:\documents and settings\All Users\Menu D?marrer\Programmes\D?marrage
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-10-4 805392]

[HKEY_USERS.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe rundll32.exe pqrs.tmo printer"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 00:42 72208 ----a-w- c:\program files\Fichiers communs\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe"=
"%windir%\system32\sessmgr.exe"=
"c:\Program Files\uTorrent\uTorrent.exe"=
"d:\Download\utorrent.exe"=
"c:\Program Files\Bonjour\mDNSResponder.exe"=
"c:\Program Files\iTunes\iTunes.exe"=
"c:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"=
"c:\Program Files\Java\jre1.6.0_07\bin\javaw.exe"=
"c:\wamp\bin\apache\apache2.2.6\bin\httpd.exe"=
"d:\Program Files\Sun\xVM VirtualBox\VirtualBox.exe"=
"c:\WINDOWS\system32\javaw.exe"=
"c:\Program Files\Mozilla Firefox\firefox.exe"=
"c:\Program Files\Fichiers communs\Adobe\CS4ServiceManager\CS4ServiceManager.exe"=
"c:\Program Files\Windows Live\Messenger\wlcsdk.exe"=
"c:\Program Files\Windows Live\Messenger\msnmsgr.exe"=
"c:\Program Files\Skype\Phone\Skype.exe"=
"c:\Riot Games\League of Legends\air\LolClient.exe"=
"c:\Riot Games\League of Legends\game\League of Legends.exe"=

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"19219:TCP"= 19219:TCP:µtorrent
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"8370:TCP"= 8370:TCP:League of Legends Launcher
"8370:UDP"= 8370:UDP:League of Legends Launcher
"8371:TCP"= 8371:TCP:League of Legends Launcher
"8371:UDP"= 8371:UDP:League of Legends Launcher
"6892:TCP"= 6892:TCP:League of Legends Launcher
"6892:UDP"= 6892:UDP:League of Legends Launcher
"8372:TCP"= 8372:TCP:League of Legends Launcher
"8372:UDP"= 8372:UDP:League of Legends Launcher

R0 Si3124;Si3124;c:\windows\system32\drivers\si3124.sys [02/05/2008 23:57 76208]
R0 Si3531;Si3531;c:\windows\system32\drivers\Si3531.sys [02/05/2008 23:57 210224]
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [01/12/2008 12:54 95888]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [01/12/2008 12:54 41680]
R3 itecir;ITECIR Infrared Receiver;c:\windows\system32\drivers\itecir.sys [19/08/2008 14:24 54784]
R3 OA001Ufd;Creative Camera OA001 Upper Filter Driver;c:\windows\system32\drivers\OA001Ufd.sys [20/08/2008 12:40 149208]
R3 OA001Vid;Creative Camera OA001 Function Driver;c:\windows\system32\drivers\OA001Vid.sys [20/08/2008 12:40 277624]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [26/10/2009 15:50 25728]
S3 k57w2k;Broadcom NetLink ™ Gigabit Ethernet;c:\windows\system32\drivers\k57xp32.sys [03/10/2008 14:54 174592]
S3 PEEK5;PEEK5 Protocol Driver;??\c:\docume~1\ADMINI~1\MESDOC~1\WINAIR~1\WINAIR~1\WINAIR~1\PEEK5.SYS --> c:\docume~1\ADMINI~1\MESDOC~1\WINAIR~1\WINAIR~1\WINAIR~1\PEEK5.SYS [?]

--- Other Services/Drivers In Memory ---

Deregistered - mbr
.
.
------- Supplementary Scan -------
.
uStart Page = search.net-studio.org
uLocal Page = search.net-studio.org
mStart Page = search.net-studio.org
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Administrateur\Application Data\Mozilla\Firefox\Profiles\72dpp807.default
FF - prefs.js: browser.startup.homepage - igoogle.fr
FF - component: c:\documents and settings\Administrateur\Application Data\Mozilla\Firefox\Profiles\72dpp807.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\documents and settings\Administrateur\Application Data\Mozilla\Firefox\Profiles\72dpp807.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.

- - - - ORPHANS REMOVED - - - -

Toolbar-ITBar7Layout - (no file)
Toolbar-ITBar7Position - (no file)


catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, www.gmer.net…
Rootkit scan 2009-11-08 01:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, www.gmer.net…

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys spql.sys hal.dll >>UNKNOWN [0x8A5B0938]<<
kernel: MBR read successfully
user & kernel MBR OK
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, www.gmer.net…

iaStor.sys @ 0x0 0x0 bytes

\Driver\iaStor [ IRP_MJ_CREATE ] 0x44468 != 0xB9D79D10 iaStor.sys
\Driver\iaStor [ IRP_MJ_CLOSE ] 0x44468 != 0xB9D79D10 iaStor.sys
\Driver\iaStor [ IRP_MJ_DEVICE_CONTROL ] 0x414D0 != 0xB9D79D10 iaStor.sys
\Driver\iaStor [ IRP_MJ_INTERNAL_DEVICE_CONTROL ] 0x3E464 != 0xB9D79D10 iaStor.sys
\Driver\iaStor [ IRP_MJ_POWER ] 0x396AE != 0xB9D79D10 iaStor.sys
\Driver\iaStor [ IRP_MJ_SYSTEM_CONTROL ] 0x38964 != 0xB9D79D10 iaStor.sys
\Driver\iaStor IRP hooks detected !


.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1140)
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\fichiers communs\logishrd\bluetooth\LBTWlgn.dll
c:\program files\fichiers communs\logishrd\bluetooth\LBTServ.dll
c:\windows\system32\COMRes.dll
c:\program files\Fichiers communs\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'lsass.exe'(1196)
c:\windows\system32\setupapi.dll

- - - - - - - > 'Explorer.exe'(8060)
c:\windows\system32\SHDOCVW.dll
c:\documents and settings\Administrateur\Local Settings\Application Data\ieodbc3D\ieodbc3D.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\COMRes.dll
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\stacapi.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\NETSHELL.dll
c:\windows\system32\credui.dll
c:\windows\system32\eappprxy.dll
c:\program files\Fichiers communs\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Fichiers communs\Teleca Shared\CapabilityManager.exe
c:\program files\Fichiers communs\Logishrd\KHAL2\KHALMNPR.EXE
c:\program files\Fichiers communs\Teleca Shared\logger.exe
c:\program files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\IDT\WDM\STacSV.exe
c:\program files\Fichiers communs\Teleca Shared\Generic.exe
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\DellTPad\HidFind.exe
c:\program files\DellTPad\Apntex.exe
c:\program files\HTC\HTC Sync\ClientInitiatedStarter\ClientInitiatedStarter.exe
c:\program files\HTC\HTC Sync\Mobile Phone Monitor\epmworker.exe
c:\program files\HTC\HTC Sync\Mobile Phone Monitor\DbgOut.exe
c:\windows\system32\wscntfy.exe
c:\program files\HTC\HTC Sync\Mobile Phone Monitor\HTCVBTServer.exe
c:\program files\HTC\HTC Sync\Mobile Phone Monitor\FsynSrvStarter.exe
c:\windows\system32\rundll32.exe
.


.
Completion time: 2009-11-08 2:04 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-08 01:04
ComboFix2.txt 2009-11-07 22:44
ComboFix3.txt 2009-11-07 21:19
ComboFix4.txt 2009-11-07 15:39
ComboFix5.txt 2009-11-08 00:40

Pre-Run: 1 292 034 048 bytes free
Post-Run: 1 255 481 344 bytes free

Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4

- - End Of File - - 75D906B4D3791F1BC76FBC2C6AD49696
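The "Reg Loading Points" block of the report above is where the infection shows itself: Run values launching from %WINDIR%\Temp, Application Data and the profile root, a digits-only value name, the same name planted under both HKCU and HKLM, a Winlogon Shell that chains rundll32 behind Explorer.exe, and all three IE page settings pointing at search.net-studio.org. The script below is an added example, not part of this thread and not a ComboFix feature: it parses that REGEDIT4-style dump plus the page lines and flags exactly those patterns. The directory markers, the utility list and the default-page list are assumptions chosen for this log; SAMPLE_LOG is transcribed from the report above with the vendor entries trimmed.

```python
"""Triage of the "Reg Loading Points" block of a ComboFix log (added example,
not ComboFix output; SAMPLE_LOG is transcribed from the report above)."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"restorer32_a"="c:\documents and settings\Administrateur\restorer32_a.exe" [2009-11-08 59509]
"ieodbc3D"="c:\documents and settings\Administrateur\Local Settings\Application Data\ieodbc3D\ieodbc3D.dll" [2009-11-06 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-12-14 159744]
"sysgif32"="c:\windows\Temp\wpv481257179558.exe" [2009-11-08 28928]
"restorer32_a"="c:\windows\system32\restorer32_a.exe" [2009-11-08 59509]
"58806835"="c:\docume~1\ALLUSE~1\APPLIC~1\58806835\58806835.exe" [2009-11-08 1278501]
"PromoReg"="c:\windows\Temp_ex-08.exe" [2009-11-08 417792]
"Regedit32"="c:\windows\system32\regedit.exe" [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe rundll32.exe pqrs.tmo printer"

uStart Page = search.net-studio.org
uLocal Page = search.net-studio.org
mStart Page = search.net-studio.org
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"(?:\s+\[[^\]]*\])?$')
PAGE_RE = re.compile(r"^(?P<scope>[um])(?P<setting>Start Page|Local Page) = (?P<target>\S+)$")
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"
WINLOGON_KEY_SUFFIX = r"\software\microsoft\windows nt\currentversion\winlogon"
# Assumptions: utilities a vendor autorun never registers directly, and the
# only start/local page targets an untouched XP/IE7 install would carry.
SYSTEM_UTILITIES = {"regedit.exe", "rundll32.exe", "cmd.exe", "wscript.exe",
                    "cscript.exe", "mshta.exe", "regsvr32.exe"}
DEFAULT_IE_TARGETS = {"go.microsoft.com", "www.msn.com", "about:blank"}


@dataclass(frozen=True)
class Finding:
    key: str      # registry key, or "IE settings" for the page lines
    name: str     # value name (or "uStart Page" style setting name)
    value: str    # value data / page target
    reason: str


def untrusted_launch_dir(command: str) -> str | None:
    """Reason string when the target lives where legitimate autoruns almost
    never do (markers are assumptions); None otherwise."""
    p = command.lower()
    if "\\windows\\temp\\" in p:
        return "launches from %WINDIR%\\Temp"
    if "\\application data\\" in p or "\\applic~1\\" in p:
        return "launches from an Application Data directory"
    if re.match(r"^c:\\documents and settings\\[^\\]+\\[^\\]+$", p):
        return "launches from a user profile root"
    if re.match(r"^c:\\windows\\[^\\]+$", p):
        return "launches from the Windows root"
    return None


def target_basename(command: str) -> str:
    """Lower-cased file name of the launched target (text after the last backslash)."""
    tail = command.lower().rsplit("\\", 1)[-1].split()
    return tail[0] if tail else ""


def triage(log_text: str) -> list[Finding]:
    """Walk the REGEDIT4-style dump and the IE page lines; return every hit."""
    findings: list[Finding] = []
    run_names = defaultdict(set)  # hive -> value names seen under ...\Run
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := KEY_RE.match(line):
            current_key = m.group("key")
            continue
        if m := PAGE_RE.match(line):
            if m.group("target").lower() not in DEFAULT_IE_TARGETS:
                findings.append(Finding("IE settings", m.group("scope") + m.group("setting"),
                                        m.group("target"), "page target is not a Microsoft default"))
            continue
        if not (m := VALUE_RE.match(line)):
            continue
        name, value, key_l = m.group("name"), m.group("value"), current_key.lower()
        if key_l.endswith(RUN_KEY_SUFFIX):
            run_names[current_key.split("\\", 1)[0].upper()].add(name)
            if reason := untrusted_launch_dir(value):
                findings.append(Finding(current_key, name, value, reason))
            if name.isdigit():
                findings.append(Finding(current_key, name, value, "value name is digits only"))
            if target_basename(value) in SYSTEM_UTILITIES:
                findings.append(Finding(current_key, name, value, "runs a Windows utility directly"))
        elif key_l.endswith(WINLOGON_KEY_SUFFIX) and name.lower() == "shell":
            if value.strip().lower() != "explorer.exe":
                findings.append(Finding(current_key, name, value, "Winlogon Shell is not plain Explorer.exe"))
    # The same value name under both hives is redundant persistence, not a vendor habit.
    for name in sorted(run_names["HKEY_CURRENT_USER"] & run_names["HKEY_LOCAL_MACHINE"]):
        findings.append(Finding("HKCU + HKLM ...\\Run", name, "", "same value name planted under both Run keys"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.reason}] {f.key} :: {f.name} = {f.value}")
```

To use it on a saved report, read the file and pass its text to triage(); the vendor entries (Apoint, the Malwarebytes reboot entry) fall through every check, which is the point of keying on launch directory, name shape and cross-hive duplication rather than on file names that change with every build of the dropper.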

Here is the ComboFix report. I'm going to do the other steps.

ComboFix 09-11-07.02 - Administrateur 08/11/2009 10:28.6.2 - NTFSx86
Microsoft Windows XP Professionnel 5.1.2600.3.1252.1.1036.18.2046.1474 [GMT 1:00]
Running from: c:\documents and settings\Administrateur\Bureau\supra.exe
Command switches used :: c:\documents and settings\Administrateur\Bureau\CFScript.txt

FILE ::
"c:\windows\system32\perfc009.dat"
"c:\windows\system32\perfc00C.dat"
"c:\windows\system32\perfh009.dat"
"c:\windows\system32\perfh00C.dat"

file zipped: c:\documents and settings\Administrateur\Local Settings\Application Data\ieodbc3D\ieodbc3D.dll
file zipped: c:\documents and settings\Administrateur\restorer32_a.exe
file zipped: c:\documents and settings\All Users\Application Data\58806835\58806835.exe
file zipped: c:\windows\S4272D5A0.tmp
file zipped: c:\windows\system32\restorer32_a.exe
file zipped: c:\windows\system32\securenet.dll
file zipped: c:\windows\temp_ex-08.exe
file zipped: c:\windows\temp\Perflib_Perfdata_814.dat
file zipped: c:\windows\temp\wpv481257179558.exe
.

(((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrateur\Application Data\wiaserva.log
c:\documents and settings\Administrateur\Bureau\Security Tool.lnk
c:\documents and settings\Administrateur\Local Settings\Application Data\ieodbc3D
c:\documents and settings\Administrateur\Local Settings\Application Data\ieodbc3D\ieodbc3D.dll
c:\documents and settings\Administrateur\oashdihasidhasuidhiasdhiashdiuasdhasd
c:\documents and settings\Administrateur\restorer32_a.exe
c:\documents and settings\All Users\Application Data\58806835
c:\documents and settings\All Users\Application Data\58806835\58806835.exe
c:\program files\WinPCap
c:\program files\WinPCap\rpcapd.exe
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\perfc00C.dat
c:\windows\system32\perfh00C.dat
c:\windows\system32\pthreadVC.dll
c:\windows\system32\restorer32_a.exe
c:\windows\system32\securenet.dll
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll
c:\windows\temp_ex-08.exe
c:\windows\temp\Perflib_Perfdata_814.dat
c:\windows\temp\wpv481257179558.exe
c:\windows\S4272D5A0.tmp . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_npf

((((((((((((((((((((((((((((( Files Created from 2009-10-08 to 2009-11-08 ))))))))))))))))))))))))))))))))))))
.

2009-11-07 22:20 . 2009-11-07 22:20 -------- d-----w- C:\UsbFix
2009-11-07 22:14 . 2009-11-07 22:15 -------- d-----w- C:\ToolBar SD
2009-11-07 19:50 . 2009-11-07 23:46 -------- d-----w- c:\program files\trend micro
2009-11-07 19:50 . 2009-11-07 19:52 -------- d-----w- C:\rsit
2009-11-07 13:51 . 2009-09-10 13:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-07 13:51 . 2009-11-07 13:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-07 13:51 . 2009-09-10 13:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-07 13:33 . 2009-11-07 13:32 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-11-07 13:32 . 2009-11-07 13:37 -------- d-----w- c:\documents and settings\Administrateur.housecall6.6
2009-11-07 13:04 . 2009-11-07 13:04 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-11-03 12:55 . 2009-11-03 12:55 -------- d-----w- c:\program files\Sweet Home 3D
2009-11-02 18:21 . 2009-11-02 18:21 -------- d-----w- c:\documents and settings\Administrateur\Application Data\Malwarebytes
2009-11-02 18:21 . 2009-11-02 18:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-26 15:07 . 2007-11-27 02:24 14640 ------w- c:\windows\system32\spmsgXP_2k3.dll
2009-10-26 14:52 . 2009-10-26 15:10 -------- d-----w- c:\documents and settings\Administrateur\Application Data\Teleca
2009-10-26 14:52 . 2009-10-26 14:52 -------- d-----w- c:\documents and settings\Administrateur\Local Settings\Application Data\HTC
2009-10-26 14:51 . 2009-10-26 14:51 -------- d-----w- c:\documents and settings\All Users\Application Data\HTC
2009-10-26 14:51 . 2009-10-26 14:51 -------- d-----w- c:\program files\Fichiers communs\Teleca Shared
2009-10-26 14:51 . 2009-10-26 14:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Teleca
2009-10-26 14:50 . 2009-07-02 13:42 25728 ----a-w- c:\windows\system32\drivers\ANDROIDUSB.sys
2009-10-26 14:50 . 2009-07-02 13:42 1122664 ----a-w- c:\windows\system32\WdfCoInstaller01007.dll
2009-10-26 14:50 . 2009-10-26 14:51 -------- d-----w- c:\program files\HTC
2009-10-26 14:50 . 2009-10-26 14:50 -------- d-----w- c:\windows\Downloaded Installations
2009-10-15 17:38 . 2009-07-17 16:16 1440768 ------w- c:\windows\system32\dllcache\query.dll
2009-10-15 17:32 . 2009-09-04 21:04 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
2009-10-14 15:05 . 2009-10-14 15:05 -------- d-----w- c:\documents and settings\Administrateur\Application Data\LolClient.F24C99354F615F3BAB18AE7B93E3F9B9E8784FA6.1
2009-10-14 09:41 . 2009-10-14 15:04 38208 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-10-14 09:41 . 2009-10-14 15:04 -------- d-----w- c:\program files\Fichiers communs\Adobe AIR
2009-10-14 09:39 . 2009-10-14 09:39 -------- d-----w- C:\Riot Games

.
(((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-08 09:37 . 2009-11-08 09:37 0 ------w- c:\windows\S4272D5A0.tmp
2009-11-08 01:35 . 2008-09-08 12:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-07 22:17 . 2008-08-27 21:34 -------- d-----w- c:\documents and settings\Administrateur\Application Data\uTorrent
2009-11-07 14:40 . 2009-11-07 14:40 -------- d-----w- c:\program files\microsoft frontpage
2009-11-05 17:20 . 2008-08-19 12:52 -------- d-----w- c:\program files\Ad-Aware
2009-11-05 16:58 . 2008-11-08 11:43 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-26 15:07 . 2009-10-26 15:07 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-10-26 15:07 . 2009-10-26 15:07 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ANDROIDUSB_01007.Wdf
2009-10-14 09:39 . 2008-08-19 13:02 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-11 14:18 . 2008-05-02 22:57 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:04 . 2008-05-02 22:57 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:21 . 2008-05-02 22:57 840704 ------w- c:\windows\system32\wininet.dll
2009-08-29 07:20 . 2008-05-02 22:57 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:20 . 2008-05-02 22:57 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-26 08:01 . 2008-05-02 22:57 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-18 16:54 . 2008-08-20 11:54 66768 ----a-w- c:\documents and settings\Administrateur\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-17 21:33 . 2009-08-17 21:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
.

------- Sigcheck -------

[-] 2008-05-02 . 22F702A6DCBDB4F7282C4B73B95EE4E4 . 2011136 . . [6.00.2900.5512] . . c:\windows\explorer.exe

[-] 2008-05-02 . A9658459BB4F4EE00FA117C9382C0D3A . 1571840 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll

c:\windows\system32\drivers\beep.sys ... is missing !!
c:\windows\system32\regsvc.dll ... is missing !!
.
((((((((((((((((((((((((((((( SnapShot_2009-11-07_21.14.02 )))))))))))))))))))))))))))))))))))))))))
.

  • 2009-11-08 09:38 . 2009-11-08 09:38 16384 c:\windows\temp\Perflib_Perfdata_284.dat
  • 2009-04-14 16:27 . 2009-11-08 01:35 35088 c:\windows\Installer{90120000-003B-0000-0000-0000000FF1CE}\oisicon.exe
  • 2009-04-14 16:27 . 2009-11-07 15:42 35088 c:\windows\Installer{90120000-003B-0000-0000-0000000FF1CE}\oisicon.exe
  • 2009-04-14 16:27 . 2009-11-08 01:35 18704 c:\windows\Installer{90120000-003B-0000-0000-0000000FF1CE}\mspicons.exe
  • 2009-04-14 16:27 . 2009-11-07 15:42 18704 c:\windows\Installer{90120000-003B-0000-0000-0000000FF1CE}\mspicons.exe
  • 2009-04-14 16:27 . 2009-11-07 15:42 20240 c:\windows\Installer{90120000-003B-0000-0000-0000000FF1CE}\cagicon.exe
  • 2009-04-14 16:27 . 2009-11-08 01:35 20240 c:\windows\Installer{90120000-003B-0000-0000-0000000FF1CE}\cagicon.exe
  • 2008-05-02 22:57 . 2009-11-08 09:27 547060 c:\windows\system32\perfc009.dat
  • 2009-04-14 16:27 . 2009-11-07 15:42 239376 c:\windows\Installer{90120000-003B-0000-0000-0000000FF1CE}\pj11icon.exe
  • 2009-04-14 16:27 . 2009-11-08 01:35 239376 c:\windows\Installer{90120000-003B-0000-0000-0000000FF1CE}\pj11icon.exe
  • 2009-04-14 16:27 . 2009-11-07 15:42 217864 c:\windows\Installer{90120000-003B-0000-0000-0000000FF1CE}\misc.exe
  • 2009-04-14 16:27 . 2009-11-08 01:35 217864 c:\windows\Installer{90120000-003B-0000-0000-0000000FF1CE}\misc.exe
  • 2008-05-02 22:57 . 2009-11-08 09:27 1129270 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note: empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-12-14 159744]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-12-04 186904]
"Mobile Connectivity Suite"="c:\program files\HTC\HTC Sync\Application Launcher\Application Launcher.exe" [2009-05-27 598016]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
"nltide_3"="advpack.dll" - c:\windows\system32\advpack.dll [2009-08-29 124928]

c:\documents and settings\Administrateur\Menu D?marrer\Programmes\D?marrage
ukssys32.exe [2008-5-2 29952]

c:\documents and settings\All Users\Menu D?marrer\Programmes\D?marrage
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-10-4 805392]

[HKEY_USERS.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 00:42 72208 ----a-w- c:\program files\Fichiers communs\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe"=
"%windir%\system32\sessmgr.exe"=
"c:\Program Files\uTorrent\uTorrent.exe"=
"d:\Download\utorrent.exe"=
"c:\Program Files\Bonjour\mDNSResponder.exe"=
"c:\Program Files\iTunes\iTunes.exe"=
"c:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"=
"c:\Program Files\Java\jre1.6.0_07\bin\javaw.exe"=
"c:\wamp\bin\apache\apache2.2.6\bin\httpd.exe"=
"d:\Program Files\Sun\xVM VirtualBox\VirtualBox.exe"=
"c:\WINDOWS\system32\javaw.exe"=
"c:\Program Files\Mozilla Firefox\firefox.exe"=
"c:\Program Files\Fichiers communs\Adobe\CS4ServiceManager\CS4ServiceManager.exe"=
"c:\Program Files\Windows Live\Messenger\wlcsdk.exe"=
"c:\Program Files\Windows Live\Messenger\msnmsgr.exe"=
"c:\Program Files\Skype\Phone\Skype.exe"=
"c:\Riot Games\League of Legends\air\LolClient.exe"=
"c:\Riot Games\League of Legends\game\League of Legends.exe"=

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"19219:TCP"= 19219:TCP:µtorrent
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"8370:TCP"= 8370:TCP:League of Legends Launcher
"8370:UDP"= 8370:UDP:League of Legends Launcher
"8371:TCP"= 8371:TCP:League of Legends Launcher
"8371:UDP"= 8371:UDP:League of Legends Launcher
"6892:TCP"= 6892:TCP:League of Legends Launcher
"6892:UDP"= 6892:UDP:League of Legends Launcher
"8372:TCP"= 8372:TCP:League of Legends Launcher
"8372:UDP"= 8372:UDP:League of Legends Launcher

R0 Si3124;Si3124;c:\windows\system32\drivers\si3124.sys [02/05/2008 23:57 76208]
R0 Si3531;Si3531;c:\windows\system32\drivers\Si3531.sys [02/05/2008 23:57 210224]
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [01/12/2008 12:54 95888]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [01/12/2008 12:54 41680]
R3 itecir;ITECIR Infrared Receiver;c:\windows\system32\drivers\itecir.sys [19/08/2008 14:24 54784]
R3 OA001Ufd;Creative Camera OA001 Upper Filter Driver;c:\windows\system32\drivers\OA001Ufd.sys [20/08/2008 12:40 149208]
R3 OA001Vid;Creative Camera OA001 Function Driver;c:\windows\system32\drivers\OA001Vid.sys [20/08/2008 12:40 277624]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [26/10/2009 15:50 25728]
S3 k57w2k;Broadcom NetLink ™ Gigabit Ethernet;c:\windows\system32\drivers\k57xp32.sys [03/10/2008 14:54 174592]
S3 PEEK5;PEEK5 Protocol Driver;??\c:\docume~1\ADMINI~1\MESDOC~1\WINAIR~1\WINAIR~1\WINAIR~1\PEEK5.SYS --> c:\docume~1\ADMINI~1\MESDOC~1\WINAIR~1\WINAIR~1\WINAIR~1\PEEK5.SYS [?]

--- Other Services/Drivers In Memory ---

Deregistered - mbr
.
.
------- Supplementary Scan -------
.
uStart Page = search.net-studio.org
uLocal Page = search.net-studio.org
mStart Page = search.net-studio.org
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Administrateur\Application Data\Mozilla\Firefox\Profiles\72dpp807.default
FF - prefs.js: browser.startup.homepage - igoogle.fr
FF - component: c:\documents and settings\Administrateur\Application Data\Mozilla\Firefox\Profiles\72dpp807.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\documents and settings\Administrateur\Application Data\Mozilla\Firefox\Profiles\72dpp807.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.

- - - - ORPHANS REMOVED - - - -

Toolbar-ITBar7Layout - (no file)
Toolbar-ITBar7Position - (no file)


catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, www.gmer.net…
Rootkit scan 2009-11-08 10:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1300)
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\fichiers communs\logishrd\bluetooth\LBTWlgn.dll
c:\program files\fichiers communs\logishrd\bluetooth\LBTServ.dll
c:\windows\system32\COMRes.dll
c:\program files\Fichiers communs\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'lsass.exe'(1372)
c:\windows\system32\setupapi.dll

- - - - - - - > 'explorer.exe'(4224)
c:\windows\system32\SHDOCVW.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\COMRes.dll
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\stacapi.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\NETSHELL.dll
c:\windows\system32\credui.dll
c:\windows\system32\eappprxy.dll
c:\program files\Fichiers communs\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\IDT\WDM\STacSV.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\windows\system32\wscntfy.exe
c:\program files\Fichiers communs\Teleca Shared\CapabilityManager.exe
c:\program files\Fichiers communs\Teleca Shared\logger.exe
c:\program files\Fichiers communs\Logishrd\KHAL2\KHALMNPR.EXE
c:\program files\Fichiers communs\Teleca Shared\Generic.exe
c:\program files\HTC\HTC Sync\ClientInitiatedStarter\ClientInitiatedStarter.exe
c:\program files\HTC\HTC Sync\Mobile Phone Monitor\epmworker.exe
c:\program files\HTC\HTC Sync\Mobile Phone Monitor\DbgOut.exe
c:\program files\HTC\HTC Sync\Mobile Phone Monitor\HTCVBTServer.exe
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\DellTPad\Apntex.exe
c:\program files\DellTPad\HidFind.exe
c:\program files\HTC\HTC Sync\Mobile Phone Monitor\FsynSrvStarter.exe
.


.
Completion time: 2009-11-08 10:44 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-08 09:44
ComboFix2.txt 2009-11-08 01:04
ComboFix3.txt 2009-11-07 22:44
ComboFix4.txt 2009-11-07 21:19
ComboFix5.txt 2009-11-08 09:27

Pre-Run: 1 205 256 192 bytes free
Post-Run: 1 175 691 264 bytes free

Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4

- - End Of File - - CF1D01AF5ABFEA2BF1B029EB7898F0BE

I just ran RSIT. Here is the report:

Logfile of random's system information tool 1.06 (written by random/random)
Run by Administrateur at 2009-11-08 10:52:00
Microsoft Windows XP Professionnel Service Pack 3
System drive C: has 1 GB (3%) free of 40 GB
Total RAM: 2046 MB (65% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:55:18, on 08/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.21115)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\IDT\WDM\STacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\HTC\HTC Sync\Application Launcher\Application Launcher.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Fichiers communs\Teleca Shared\CapabilityManager.exe
C:\Program Files\Fichiers communs\Teleca Shared\logger.exe
C:\Program Files\Fichiers communs\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Fichiers communs\Teleca Shared\Generic.exe
C:\Program Files\HTC\HTC Sync\ClientInitiatedStarter\ClientInitiatedStarter.exe
C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\epmworker.exe
C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\DbgOut.exe
C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\HTCVBTServer.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\FsynSrvStarter.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrateur\Bureau\RSIT(2).exe
C:\Program Files\trend micro\Administrateur.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = search.net-studio.org
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = go.microsoft.com…
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = go.microsoft.com…
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com…
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = search.net-studio.org
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = search.net-studio.org
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM…\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM…\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM…\Run: [Mobile Connectivity Suite] "C:\Program Files\HTC\HTC Sync\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM…\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKUS\S-1-5-18…\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\S-1-5-18…\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT…\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O4 - Startup: ukssys32.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - support.euro.dell.com…
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Service Bonjour (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CiSvc - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Fichiers communs\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: Service de l’iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Fichiers communs\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\Program Files\IDT\WDM\STacSV.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\bin\apache\apache2.2.6\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\bin\mysql\mysql5.0.45\bin\mysqld-nt.exe


End of file - 7018 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2008-06-11 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
Java™ Plug-In SSV Helper - C:\Program Files\Java\jre6\bin\ssv.dll [2009-02-15 320920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]
Adobe PDF Conversion Toolbar Helper - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2008-06-11 345480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-02-15 34816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-02-15 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F4971EE7-DAA0-4053-9964-665D8EE6A077}]
SmartSelect Class - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2008-06-11 345480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2008-06-11 345480]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Apoint"=C:\Program Files\DellTPad\Apoint.exe [2007-12-14 159744]
"IAAnotif"=C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe [2008-12-04 186904]
"Mobile Connectivity Suite"=C:\Program Files\HTC\HTC Sync\Application Launcher\Application Launcher.exe [2009-05-27 598016]
"Malwarebytes Anti-Malware (reboot)"=C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe [2009-09-10 1312080]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe [2008-10-01 289576]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\QTTask.exe [2008-09-06 413696]

C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Documents and Settings\Administrateur\Menu Démarrer\Programmes\Démarrage
ukssys32.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2008-04-22 139264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LBTWlgn]
c:\program files\fichiers communs\logishrd\bluetooth\LBTWlgn.dll [2008-05-02 72208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2008-05-02 200064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\wpdshserviceobj.dll [2008-05-02 133632]
UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\system32\upnpui.dll [2008-05-02 240128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Wdf01000.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WdfLoadGroup]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=67108863
"NoDriveTypeAutoRun"=323
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\uTorrent\uTorrent.exe"="C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent"
"D:\Download\utorrent.exe"="D:\Download\utorrent.exe:*:Enabled:µTorrent"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\Program Files\Java\jre1.6.0_07\bin\javaw.exe"="C:\Program Files\Java\jre1.6.0_07\bin\javaw.exe:*:Enabled:Java™ Platform SE binary"
"C:\wamp\bin\apache\apache2.2.6\bin\httpd.exe"="C:\wamp\bin\apache\apache2.2.6\bin\httpd.exe:*:Enabled:Apache HTTP Server"
"D:\Program Files\Sun\xVM VirtualBox\VirtualBox.exe"="D:\Program Files\Sun\xVM VirtualBox\VirtualBox.exe:*:Enabled:VirtualBox"
"C:\WINDOWS\system32\javaw.exe"="C:\WINDOWS\system32\javaw.exe:*:Enabled:Java™ Platform SE binary"
"C:\Program Files\Mozilla Firefox\firefox.exe"="C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox"
"C:\Program Files\Fichiers communs\Adobe\CS4ServiceManager\CS4ServiceManager.exe"="C:\Program Files\Fichiers communs\Adobe\CS4ServiceManager\CS4ServiceManager.exe:*:Enabled:Adobe CSI CS4"
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"
"C:\Riot Games\League of Legends\air\LolClient.exe"="C:\Riot Games\League of Legends\air\LolClient.exe:*:Enabled:League of Legends Lobby"
"C:\Riot Games\League of Legends\game\League of Legends.exe"="C:\Riot Games\League of Legends\game\League of Legends.exe:*:Enabled:League of Legends Game Client"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"

======List of files/folders created in the last 1 months======

2009-11-08 10:48:05 ----A---- C:\WINDOWS\resetlog.txt
2009-11-08 10:44:42 ----A---- C:\ComboFix.txt
2009-11-08 10:42:49 ----A---- C:\WINDOWS\system32\PerfStringBackup.TMP
2009-11-08 10:37:49 ----N---- C:\WINDOWS\S4272D5A0.tmp
2009-11-08 10:36:25 ----D---- C:\WINDOWS\temp
2009-11-08 01:41:27 ----A---- C:\Boot.bak
2009-11-08 01:41:21 ----RASHD---- C:\cmdcons
2009-11-07 23:20:11 ----D---- C:\UsbFix
2009-11-07 23:15:14 ----A---- C:\TB.txt
2009-11-07 23:14:57 ----D---- C:\ToolBar SD
2009-11-07 20:50:40 ----D---- C:\Program Files\trend micro
2009-11-07 20:50:39 ----D---- C:\rsit
2009-11-07 15:40:47 ----D---- C:\WINDOWS\system32\xircom
2009-11-07 15:40:47 ----D---- C:\WINDOWS\system32\oobe
2009-11-07 15:40:47 ----D---- C:\WINDOWS\system32\npp
2009-11-07 15:40:47 ----D---- C:\WINDOWS\system32\ime
2009-11-07 15:40:47 ----D---- C:\WINDOWS\msagent
2009-11-07 15:40:47 ----D---- C:\Program Files\xerox
2009-11-07 15:40:47 ----D---- C:\Program Files\windows nt
2009-11-07 15:40:47 ----D---- C:\Program Files\netmeeting
2009-11-07 15:40:47 ----D---- C:\Program Files\msn gaming zone
2009-11-07 15:40:47 ----D---- C:\Program Files\movie maker
2009-11-07 15:40:47 ----D---- C:\Program Files\microsoft frontpage
2009-11-07 15:40:47 ----D---- C:\Program Files\Fichiers communs\speechengines
2009-11-07 15:20:05 ----A---- C:\WINDOWS\zip.exe
2009-11-07 15:20:05 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-11-07 15:20:05 ----A---- C:\WINDOWS\SWSC.exe
2009-11-07 15:20:05 ----A---- C:\WINDOWS\SWREG.exe
2009-11-07 15:20:05 ----A---- C:\WINDOWS\sed.exe
2009-11-07 15:20:05 ----A---- C:\WINDOWS\PEV.exe
2009-11-07 15:20:05 ----A---- C:\WINDOWS\NIRCMD.exe
2009-11-07 15:20:05 ----A---- C:\WINDOWS\MBR.exe
2009-11-07 15:20:05 ----A---- C:\WINDOWS\grep.exe
2009-11-07 15:20:02 ----D---- C:\WINDOWS\ERDNT
2009-11-07 15:19:44 ----D---- C:\Qoobox
2009-11-07 15:16:19 ----A---- C:\WINDOWS\system32\tmp.txt
2009-11-07 15:16:06 ----A---- C:\rapport.txt
2009-11-07 14:51:00 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-11-07 12:02:37 ----A---- C:\WINDOWS\ntbtlog.txt
2009-11-03 13:55:21 ----D---- C:\Program Files\Sweet Home 3D
2009-11-02 22:52:46 ----A---- C:\liste.txt
2009-11-02 19:21:49 ----D---- C:\Documents and Settings\Administrateur\Application Data\Malwarebytes
2009-11-02 19:21:44 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-10-26 20:44:29 ----A---- C:\WINDOWS\DbgOut.INI
2009-10-26 16:07:20 ----N---- C:\WINDOWS\system32\spmsgXP_2k3.dll
2009-10-26 15:52:11 ----D---- C:\Documents and Settings\Administrateur\Application Data\Teleca
2009-10-26 15:51:44 ----D---- C:\Documents and Settings\All Users\Application Data\HTC
2009-10-26 15:51:40 ----D---- C:\Program Files\Fichiers communs\Teleca Shared
2009-10-26 15:51:39 ----D---- C:\Documents and Settings\All Users\Application Data\Teleca
2009-10-26 15:50:48 ----A---- C:\WINDOWS\system32\WdfCoInstaller01007.dll
2009-10-26 15:50:40 ----D---- C:\Program Files\HTC
2009-10-26 15:50:07 ----D---- C:\WINDOWS\Downloaded Installations
2009-10-14 16:05:03 ----D---- C:\Documents and Settings\Administrateur\Application Data\LolClient.F24C99354F615F3BAB18AE7B93E3F9B9E8784FA6.1
2009-10-14 10:41:05 ----D---- C:\Program Files\Fichiers communs\Adobe AIR
2009-10-14 10:39:51 ----D---- C:\Riot Games

======List of files/folders modified in the last 1 months======

2009-11-08 10:50:27 ----D---- C:\WINDOWS\Prefetch
2009-11-08 10:48:05 ----D---- C:\WINDOWS
2009-11-08 10:47:03 ----D---- C:\Program Files\Mozilla Firefox
2009-11-08 10:42:49 ----D---- C:\WINDOWS\system32
2009-11-08 10:40:23 ----D---- C:\WINDOWS\system32\CatRoot2
2009-11-08 10:38:38 ----A---- C:\WINDOWS\system.ini
2009-11-08 10:37:45 ----D---- C:\WINDOWS\system32\drivers
2009-11-08 10:36:57 ----D---- C:\WINDOWS\system32\config
2009-11-08 10:35:59 ----D---- C:\Program Files
2009-11-08 10:32:53 ----D---- C:\WINDOWS\AppPatch
2009-11-08 10:32:51 ----D---- C:\Program Files\Fichiers communs
2009-11-08 10:27:33 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-11-08 10:27:23 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-11-08 02:35:36 ----SHD---- C:\WINDOWS\Installer
2009-11-08 02:35:36 ----D---- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2009-11-08 01:41:27 ----RASH---- C:\boot.ini
2009-11-07 23:17:54 ----D---- C:\Documents and Settings\Administrateur\Application Data\uTorrent
2009-11-07 16:41:39 ----RSD---- C:\WINDOWS\assembly
2009-11-07 15:40:47 ----D---- C:\WINDOWS\system32\wbem
2009-11-07 15:40:47 ----D---- C:\WINDOWS\pchealth
2009-11-07 15:40:47 ----D---- C:\WINDOWS\ime
2009-11-07 15:40:47 ----D---- C:\WINDOWS\Help
2009-11-07 15:40:47 ----D---- C:\Program Files\Internet Explorer
2009-11-07 15:40:47 ----D---- C:\Program Files\Fichiers communs\Microsoft Shared
2009-11-07 15:28:08 ----D---- C:\WINDOWS\inf
2009-11-05 21:13:30 ----D---- C:\WINDOWS\Debug
2009-11-05 18:20:06 ----D---- C:\Program Files\Ad-Aware
2009-11-05 17:58:47 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-11-05 14:10:10 ----SHD---- C:\RECYCLER
2009-11-04 02:50:18 ----D---- C:\WINDOWS\system32\dllcache
2009-11-04 02:50:12 ----HD---- C:\WINDOWS\$hf_mig$
2009-11-03 22:16:13 ----D---- C:\Documents and Settings\Administrateur\Application Data\Microsoft
2009-10-26 15:50:49 ----DC---- C:\WINDOWS\system32\DRVSTORE
2009-10-21 05:05:10 ----N---- C:\WINDOWS\system32\mshtml.dll
2009-10-16 07:19:32 ----D---- C:\WINDOWS\Microsoft.NET
2009-10-15 23:09:23 ----D---- C:\WINDOWS\WinSxS
2009-10-15 23:06:10 ----D---- C:\WINDOWS\system32\fr-fr
2009-10-14 10:42:20 ----D---- C:\WINDOWS\system32\DirectX
2009-10-14 10:39:50 ----HD---- C:\Program Files\InstallShield Installation Information

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 ElbyCDIO;ElbyCDIO Driver; C:\WINDOWS\System32\Drivers\ElbyCDIO.sys [2007-08-07 25160]
R1 intelppm;Pilote de processeur Intel; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 40576]
R1 VBoxDrv;VirtualBox Service; C:\WINDOWS\system32\DRIVERS\VBoxDrv.sys [2008-09-12 95888]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver; C:\WINDOWS\system32\DRIVERS\VBoxUSBMon.sys [2008-09-12 41680]
R1 WmiAcpi;Interface de gestion Microsoft Windows pour ACPI; C:\WINDOWS\system32\DRIVERS\wmiacpi.sys [2008-04-13 8832]
R2 adfs;adfs; C:\WINDOWS\system32\drivers\adfs.sys [2008-08-14 74720]
R2 rimmptsk;rimmptsk; C:\WINDOWS\system32\DRIVERS\rimmptsk.sys [2007-02-24 39936]
R2 rimsptsk;rimsptsk; C:\WINDOWS\system32\DRIVERS\rimsptsk.sys [2007-01-23 42496]
R2 rismxdp;Ricoh xD-Picture Card Driver; C:\WINDOWS\system32\DRIVERS\rixdptsk.sys [2007-03-21 37376]
R2 tmcomm;tmcomm; \??\C:\WINDOWS\system32\drivers\tmcomm.sys []
R3 ApfiltrService;Alps Touch Pad Filter Driver for Windows 2000/XP/Vista; C:\WINDOWS\system32\DRIVERS\Apfiltr.sys [2007-12-14 155136]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2008-04-22 3006976]
R3 BCM43XX;Pilote pour carte réseau Broadcom 802.11; C:\WINDOWS\system32\DRIVERS\bcmwl5.sys [2008-03-21 1287552]
R3 catchme;catchme; \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys []
R3 CmBatt;Pilote pour Batterie à méthode de contrôle ACPI Microsoft; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2008-04-13 13952]
R3 ElbyCDFL;ElbyCDFL; C:\WINDOWS\System32\Drivers\ElbyCDFL.sys [2007-02-16 34760]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2008-04-17 15464]
R3 HdAudAddService;ATI Function Driver for High Definition Audio Service; C:\WINDOWS\system32\drivers\AtiHdAud.sys [2006-12-28 84992]
R3 HDAudBus;Pilote de bus Microsoft UAA pour High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-05-02 144384]
R3 hidusb;Pilote de classe HID Microsoft; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-05-02 10368]
R3 itecir;ITECIR Infrared Receiver; C:\WINDOWS\system32\DRIVERS\itecir.sys [2007-12-18 54784]
R3 LHidFilt;Logitech SetPoint KMDF HID Filter Driver; C:\WINDOWS\system32\DRIVERS\LHidFilt.Sys [2008-02-29 35344]
R3 LMouFilt;Logitech SetPoint KMDF Mouse Filter Driver; C:\WINDOWS\system32\DRIVERS\LMouFilt.Sys [2008-02-29 36880]
R3 mouhid;Pilote HID de souris; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-23 12288]
R3 OA001Ufd;Creative Camera OA001 Upper Filter Driver; C:\WINDOWS\system32\DRIVERS\OA001Ufd.sys [2008-01-31 149208]
R3 OA001Vid;Creative Camera OA001 Function Driver; C:\WINDOWS\system32\DRIVERS\OA001Vid.sys [2008-02-16 277624]
R3 sdbus;sdbus; C:\WINDOWS\system32\DRIVERS\sdbus.sys [2008-05-02 79232]
R3 STHDA;IDT High Definition Audio CODEC; C:\WINDOWS\system32\drivers\sthda.sys [2007-09-14 1248056]
R3 usbccgp;Pilote parent générique USB Microsoft; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-05-02 32128]
R3 usbehci;Pilote miniport de contrôleur d’hôte amélioré Microsoft USB 2.0; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;Concentrateur USB2; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Pilote miniport de contrôleur hôte universel USB Microsoft; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 Wdf01000;Wdf01000; C:\WINDOWS\system32\DRIVERS\Wdf01000.sys [2008-01-19 503144]
S3 Arp1394;Protocole client ARP 1394; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-05-02 60800]
S3 auex2e10;auex2e10; C:\WINDOWS\system32\drivers\auex2e10.sys []
S3 CCDECODE;Décodeur sous-titre fermé; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-13 17024]
S3 HTCAND32;HTC Device Driver; C:\WINDOWS\System32\Drivers\ANDROIDUSB.sys [2009-07-02 25728]
S3 k57w2k;Broadcom NetLink ™ Gigabit Ethernet; C:\WINDOWS\system32\DRIVERS\k57xp32.sys [2008-01-29 174592]
S3 LUsbFilt;Logitech SetPoint KMDF USB Filter; C:\WINDOWS\System32\Drivers\LUsbFilt.Sys [2008-02-29 28944]
S3 mbr;mbr; \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mbr.sys []
S3 MSTEE;Convertisseur en T/site-à-site de répartition Microsoft; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-13 5504]
S3 NABTSFEC;Codec NABTS/FEC VBI; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-13 85248]
S3 NdisIP;Connection TV/vidéo Microsoft; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-13 10880]
S3 NIC1394;Pilote réseau 1394; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-05-02 61824]
S3 PEEK5;PEEK5 Protocol Driver; \??\C:\DOCUME~1\ADMINI~1\MESDOC~1\WINAIR~1\WINAIR~1\WINAIR~1\PEEK5.SYS []
S3 sffdisk;Pilote de classe de stockage SFF; C:\WINDOWS\system32\DRIVERS\sffdisk.sys [2008-05-02 11904]
S3 sffp_sd;Pilote de protocole de stockage SFF pour SDBus; C:\WINDOWS\system32\DRIVERS\sffp_sd.sys [2008-05-02 11008]
S3 SLIP;Détrameur décalage BDA; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-13 11136]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-13 15232]
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2008-10-01 32000]
S3 usbprint;Classe d’imprimantes USB Microsoft; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;Pilote de scanneur USB; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 USBSTOR;Pilote de stockage de masse USB; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 usbvideo;Périphérique vidéo USB (WDM); C:\WINDOWS\System32\Drivers\usbvideo.sys [2008-04-13 121984]
S3 WSTCODEC;Codec Teletext standard; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-13 19200]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2008-05-02 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2008-05-02 82944]
S4 atapi;atapi; C:\WINDOWS\system32\drivers\atapi.sys [2008-05-02 96512]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
S4 WS2IFSL;Environnement de prise en charge de Fournisseur de services non-IFS Windows Sockets 2.0; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2008-05-02 12032]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-10-01 116040]
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2008-04-22 540672]
R2 Bonjour Service;Service Bonjour; C:\Program Files\Bonjour\mDNSResponder.exe [2008-08-29 238888]
R2 IAANTMON;Intel® Matrix Storage Event Monitor; C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe [2008-12-04 354840]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-02-15 152984]
R2 STacSV;Audio Service; C:\Program Files\IDT\WDM\STacSV.exe [2007-09-14 204800]
S2 ATI Smart;ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [2008-06-02 593920]
S3 aspnet_state;Service d’état ASP.NET; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Fichiers communs\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2009-04-07 655624]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-11-20 136120]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 iPod Service;Service de l’iPod; C:\Program Files\iPod\bin\iPodService.exe [2008-10-01 536872]
S3 LBTServ;Logitech Bluetooth Service; C:\Program Files\Fichiers communs\Logishrd\Bluetooth\LBTServ.exe [2008-05-02 121360]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Fichiers communs\Microsoft Shared\OFFICE12\ODSERV.EXE [2007-08-24 443776]
S3 ose;Office Source Engine; C:\Program Files\Fichiers communs\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 wampapache;wampapache; c:\wamp\bin\apache\apache2.2.6\bin\httpd.exe [2007-09-05 24635]
S3 wampmysqld;wampmysqld; c:\wamp\bin\mysql\mysql5.0.45\bin\mysqld-nt.exe [2007-07-06 5730304]
S3 WLSetupSvc;Windows Live Setup Service; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [2007-10-25 266240]
S3 WMPNetworkSvc;Service Partage réseau du Lecteur Windows Media; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-11-03 918016]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-05-02 14336]
S4 NetTcpPortSharing;Service de partage de ports Net.Tcp; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------

However, I have to go out today; I will be back early this evening. See you later.

Hey.

OK, I just reran ComboFix as you told me, and it did not show me the "sending files for further analysis" window, but rebooted the computer as usual. After the reboot, I got a Windows blue screen.
Should I rerun ComboFix as before?

Right, I reran ComboFix "normally". Here is the report.

ComboFix 09-11-07.04 - Administrateur 08/11/2009 21:46.8.2 - NTFSx86
Microsoft Windows XP Professionnel 5.1.2600.3.1252.1.1036.18.2046.1339 [GMT 1:00]
Lancé depuis: c:\documents and settings\Administrateur\Bureau\supra.exe
.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrateur\Application Data\wiaserva.log
c:\documents and settings\Administrateur\Bureau\Security Tool.lnk
c:\documents and settings\Administrateur\restorer32_a.exe
c:\documents and settings\All Users\Application Data\61067121
c:\documents and settings\All Users\Application Data\61067121\61067121.exe
c:\windows\system32\restorer32_a.exe
.
---- Exécution préalable -------
.
c:\documents and settings\Administrateur\Application Data\wiaserva.log
c:\documents and settings\Administrateur\oashdihasidhasuidhiasdhiashdiuasdhasd
c:\documents and settings\Administrateur\restorer32_a.exe
c:\documents and settings\All Users\Application Data\58300925\58300925.exe
c:\documents and settings\All Users\Application Data\84220218\84220218.exe
c:\program files\WinPCap\rpcapd.exe
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\restorer32_a.exe
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll
c:\windows\S4272D5A0.tmp . . . . impossible à supprimer

.
((((((((((((((((((((((((((((((((((((((( Pilotes/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_npf
-------\Legacy_NPF

((((((((((((((((((((((((((((( Fichiers créés du 2009-10-08 au 2009-11-08 ))))))))))))))))))))))))))))))))))))
.

2009-11-08 21:02 . 2009-11-08 21:02 1276965 ----a-w- c:\documents and settings\All Users\Application Data\48553227\48553227.exe
2009-11-08 20:13 . 2009-11-08 20:14 -------- d-----w- C:\supra
2009-11-07 22:20 . 2009-11-07 22:20 -------- d-----w- C:\UsbFix
2009-11-07 22:14 . 2009-11-07 22:15 -------- d-----w- C:\ToolBar SD
2009-11-07 19:50 . 2009-11-08 09:52 -------- d-----w- c:\program files\trend micro
2009-11-07 19:50 . 2009-11-07 19:52 -------- d-----w- C:\rsit
2009-11-07 13:51 . 2009-09-10 13:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-07 13:51 . 2009-11-07 13:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-07 13:51 . 2009-09-10 13:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-07 13:33 . 2009-11-07 13:32 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-11-07 13:32 . 2009-11-07 13:37 -------- d-----w- c:\documents and settings\Administrateur\.housecall6.6
2009-11-07 13:04 . 2009-11-07 13:04 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-11-03 12:55 . 2009-11-03 12:55 -------- d-----w- c:\program files\Sweet Home 3D
2009-11-02 18:21 . 2009-11-02 18:21 -------- d-----w- c:\documents and settings\Administrateur\Application Data\Malwarebytes
2009-11-02 18:21 . 2009-11-02 18:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-26 15:07 . 2007-11-27 02:24 14640 ------w- c:\windows\system32\spmsgXP_2k3.dll
2009-10-26 14:52 . 2009-10-26 15:10 -------- d-----w- c:\documents and settings\Administrateur\Application Data\Teleca
2009-10-26 14:52 . 2009-10-26 14:52 -------- d-----w- c:\documents and settings\Administrateur\Local Settings\Application Data\HTC
2009-10-26 14:51 . 2009-10-26 14:51 -------- d-----w- c:\documents and settings\All Users\Application Data\HTC
2009-10-26 14:51 . 2009-10-26 14:51 -------- d-----w- c:\program files\Fichiers communs\Teleca Shared
2009-10-26 14:51 . 2009-10-26 14:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Teleca
2009-10-26 14:50 . 2009-07-02 13:42 25728 ----a-w- c:\windows\system32\drivers\ANDROIDUSB.sys
2009-10-26 14:50 . 2009-07-02 13:42 1122664 ----a-w- c:\windows\system32\WdfCoInstaller01007.dll
2009-10-26 14:50 . 2009-10-26 14:51 -------- d-----w- c:\program files\HTC
2009-10-26 14:50 . 2009-10-26 14:50 -------- d-----w- c:\windows\Downloaded Installations
2009-10-15 17:38 . 2009-07-17 16:16 1440768 ------w- c:\windows\system32\dllcache\query.dll
2009-10-15 17:32 . 2009-09-04 21:04 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
2009-10-14 15:05 . 2009-10-14 15:05 -------- d-----w- c:\documents and settings\Administrateur\Application Data\LolClient.F24C99354F615F3BAB18AE7B93E3F9B9E8784FA6.1
2009-10-14 09:41 . 2009-10-14 15:04 38208 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-10-14 09:41 . 2009-10-14 15:04 -------- d-----w- c:\program files\Fichiers communs\Adobe AIR
2009-10-14 09:39 . 2009-10-14 09:39 -------- d-----w- C:\Riot Games

.
(((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-08 21:03 . 2009-11-08 21:02 -------- d-----w- c:\documents and settings\All Users\Application Data\48553227
2009-11-08 20:38 . 2009-11-08 09:42 4500 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2009-11-08 20:30 . 2009-11-08 20:30 0 --sh--w- c:\windows\S4272D5A0.tmp
2009-11-08 01:35 . 2008-09-08 12:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-07 22:17 . 2008-08-27 21:34 -------- d-----w- c:\documents and settings\Administrateur\Application Data\uTorrent
2009-11-07 14:40 . 2009-11-07 14:40 -------- d-----w- c:\program files\microsoft frontpage
2009-11-05 17:20 . 2008-08-19 12:52 -------- d-----w- c:\program files\Ad-Aware
2009-11-05 16:58 . 2008-11-08 11:43 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-26 15:07 . 2009-10-26 15:07 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-10-26 15:07 . 2009-10-26 15:07 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ANDROIDUSB_01007.Wdf
2009-10-14 09:39 . 2008-08-19 13:02 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-11 14:18 . 2008-05-02 22:57 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:04 . 2008-05-02 22:57 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:21 . 2008-05-02 22:57 840704 ------w- c:\windows\system32\wininet.dll
2009-08-29 07:20 . 2008-05-02 22:57 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:20 . 2008-05-02 22:57 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-26 08:01 . 2008-05-02 22:57 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-18 16:54 . 2008-08-20 11:54 66768 ----a-w- c:\documents and settings\Administrateur\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-17 21:33 . 2009-08-17 21:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
.

------- Sigcheck -------

[-] 2008-05-02 . 22F702A6DCBDB4F7282C4B73B95EE4E4 . 2011136 . . [6.00.2900.5512] . . c:\windows\explorer.exe

[-] 2008-05-02 . A9658459BB4F4EE00FA117C9382C0D3A . 1571840 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll

c:\windows\system32\drivers\beep.sys ... missing !!
c:\windows\system32\regsvc.dll ... missing !!
.
((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note: empty entries & legitimate default entries are not listed
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-12-14 159744]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-12-04 186904]
"Mobile Connectivity Suite"="c:\program files\HTC\HTC Sync\Application Launcher\Application Launcher.exe" [2009-05-27 598016]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"sysgif32"="c:\windows\Temp\wpv221257179558.exe" [2009-11-08 28928]
"PromoReg"="c:\windows\Temp\_ex-08.exe" [2009-11-08 410112]
"48553227"="c:\docume~1\ALLUSE~1\APPLIC~1\48553227\48553227.exe" [2009-11-08 1276965]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
"nltide_3"="advpack.dll" - c:\windows\system32\advpack.dll [2009-08-29 124928]

c:\documents and settings\Administrateur\Menu D?marrer\Programmes\D?marrage
ukssys32.exe [2008-5-2 29952]

c:\documents and settings\All Users\Menu D?marrer\Programmes\D?marrage
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-10-4 805392]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe rundll32.exe pqrs.tmo printer"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 00:42 72208 ----a-w- c:\program files\Fichiers communs\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@=“Driver”

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe"=
"%windir%\system32\sessmgr.exe"=
"c:\Program Files\uTorrent\uTorrent.exe"=
"d:\Download\utorrent.exe"=
"c:\Program Files\Bonjour\mDNSResponder.exe"=
"c:\Program Files\iTunes\iTunes.exe"=
"c:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"=
"c:\Program Files\Java\jre1.6.0_07\bin\javaw.exe"=
"c:\wamp\bin\apache\apache2.2.6\bin\httpd.exe"=
"d:\Program Files\Sun\xVM VirtualBox\VirtualBox.exe"=
"c:\WINDOWS\system32\javaw.exe"=
"c:\Program Files\Mozilla Firefox\firefox.exe"=
"c:\Program Files\Fichiers communs\Adobe\CS4ServiceManager\CS4ServiceManager.exe"=
"c:\Program Files\Windows Live\Messenger\wlcsdk.exe"=
"c:\Program Files\Windows Live\Messenger\msnmsgr.exe"=
"c:\Program Files\Skype\Phone\Skype.exe"=
"c:\Riot Games\League of Legends\air\LolClient.exe"=
"c:\Riot Games\League of Legends\game\League of Legends.exe"=

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"19219:TCP"= 19219:TCP:µtorrent
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"8370:TCP"= 8370:TCP:League of Legends Launcher
"8370:UDP"= 8370:UDP:League of Legends Launcher
"8371:TCP"= 8371:TCP:League of Legends Launcher
"8371:UDP"= 8371:UDP:League of Legends Launcher
"6892:TCP"= 6892:TCP:League of Legends Launcher
"6892:UDP"= 6892:UDP:League of Legends Launcher
"8372:TCP"= 8372:TCP:League of Legends Launcher
"8372:UDP"= 8372:UDP:League of Legends Launcher

R0 Si3124;Si3124;c:\windows\system32\drivers\si3124.sys [02/05/2008 23:57 76208]
R0 Si3531;Si3531;c:\windows\system32\drivers\Si3531.sys [02/05/2008 23:57 210224]
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [01/12/2008 12:54 95888]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [01/12/2008 12:54 41680]
R3 itecir;ITECIR Infrared Receiver;c:\windows\system32\drivers\itecir.sys [19/08/2008 14:24 54784]
R3 OA001Ufd;Creative Camera OA001 Upper Filter Driver;c:\windows\system32\drivers\OA001Ufd.sys [20/08/2008 12:40 149208]
R3 OA001Vid;Creative Camera OA001 Function Driver;c:\windows\system32\drivers\OA001Vid.sys [20/08/2008 12:40 277624]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [26/10/2009 15:50 25728]
S3 k57w2k;Broadcom NetLink ™ Gigabit Ethernet;c:\windows\system32\drivers\k57xp32.sys [03/10/2008 14:54 174592]
S3 PEEK5;PEEK5 Protocol Driver;??\c:\docume~1\ADMINI~1\MESDOC~1\WINAIR~1\WINAIR~1\WINAIR~1\PEEK5.SYS --> c:\docume~1\ADMINI~1\MESDOC~1\WINAIR~1\WINAIR~1\WINAIR~1\PEEK5.SYS [?]

--- Other Services/Drivers in memory ---

Deregistered - mbr
.
.
------- Supplementary Scan -------
.
uStart Page = search.net-studio.org
uLocal Page = search.net-studio.org
mStart Page = search.net-studio.org
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Administrateur\Application Data\Mozilla\Firefox\Profiles\72dpp807.default
FF - prefs.js: browser.startup.homepage - igoogle.fr
FF - component: c:\documents and settings\Administrateur\Application Data\Mozilla\Firefox\Profiles\72dpp807.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\documents and settings\Administrateur\Application Data\Mozilla\Firefox\Profiles\72dpp807.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.

- - - - ORPHANS REMOVED - - - -

Toolbar-ITBar7Layout - (no file)
Toolbar-ITBar7Position - (no file)
HKCU-Run-restorer32_a - c:\documents and settings\Administrateur\restorer32_a.exe
HKLM-Run-restorer32_a - c:\windows\system32\restorer32_a.exe
HKLM-Run-58300925 - c:\documents and settings\All Users\Application Data\58300925\58300925.exe
HKLM-Run-84220218 - c:\docume~1\ALLUSE~1\APPLIC~1\84220218\84220218.exe
HKLM-Run-61067121 - c:\docume~1\ALLUSE~1\APPLIC~1\61067121\61067121.exe


catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, www.gmer.net…
Rootkit scan 2009-11-08 22:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, www.gmer.net…

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys spbl.sys hal.dll >>UNKNOWN [0x8A5B0938]<<
kernel: MBR read successfully
user & kernel MBR OK
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, www.gmer.net…

iaStor.sys @ 0x0 0x0 bytes

\Driver\iaStor [ IRP_MJ_CREATE ] 0x44468 != 0xB9D79D10 iaStor.sys
\Driver\iaStor [ IRP_MJ_CLOSE ] 0x44468 != 0xB9D79D10 iaStor.sys
\Driver\iaStor [ IRP_MJ_DEVICE_CONTROL ] 0x414D0 != 0xB9D79D10 iaStor.sys
\Driver\iaStor [ IRP_MJ_INTERNAL_DEVICE_CONTROL ] 0x3E464 != 0xB9D79D10 iaStor.sys
\Driver\iaStor [ IRP_MJ_POWER ] 0x396AE != 0xB9D79D10 iaStor.sys
\Driver\iaStor [ IRP_MJ_SYSTEM_CONTROL ] 0x38964 != 0xB9D79D10 iaStor.sys
\Driver\iaStor IRP hooks detected !


.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(544)
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\fichiers communs\logishrd\bluetooth\LBTWlgn.dll
c:\program files\fichiers communs\logishrd\bluetooth\LBTServ.dll
c:\windows\system32\COMRes.dll
c:\program files\Fichiers communs\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'lsass.exe'(600)
c:\windows\system32\setupapi.dll

- - - - - - - > 'Explorer.exe'(6836)
c:\windows\system32\SHDOCVW.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\COMRes.dll
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\NETSHELL.dll
c:\windows\system32\credui.dll
c:\windows\system32\eappprxy.dll
c:\program files\Fichiers communs\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\IDT\WDM\STacSV.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Fichiers communs\Teleca Shared\CapabilityManager.exe
c:\program files\Fichiers communs\Teleca Shared\logger.exe
c:\windows\system32\wscntfy.exe
c:\program files\Fichiers communs\Logishrd\KHAL2\KHALMNPR.EXE
c:\program files\Fichiers communs\Teleca Shared\Generic.exe
c:\program files\HTC\HTC Sync\ClientInitiatedStarter\ClientInitiatedStarter.exe
c:\program files\HTC\HTC Sync\Mobile Phone Monitor\epmworker.exe
c:\program files\HTC\HTC Sync\Mobile Phone Monitor\DbgOut.exe
c:\program files\HTC\HTC Sync\Mobile Phone Monitor\HTCVBTServer.exe
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\DellTPad\HidFind.exe
c:\program files\DellTPad\Apntex.exe
c:\program files\HTC\HTC Sync\Mobile Phone Monitor\FsynSrvStarter.exe
.


.
Completion time: 2009-11-08 22:10 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-08 21:10
ComboFix2.txt 2009-11-08 09:44

Pre-Run: 2 172 882 944 bytes free
Post-Run: 2 144 153 600 bytes free

Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4

- - End Of File - - 4276DD6BBA730DDED9152DAB6F2F47E6

Re, ComboFix still hasn't shown me the "file upload..." window. It did ask me to do an update, though (which I accepted). Here is the report.

ComboFix 09-11-08.02 - Administrateur 08/11/2009 22:39.9.2 - NTFSx86
Microsoft Windows XP Professionnel 5.1.2600.3.1252.1.1036.18.2046.1304 [GMT 1:00]
Running from: c:\documents and settings\Administrateur\Bureau\supra.exe
Command switches used :: c:\documents and settings\Administrateur\Bureau\CFScript.txt

FILE ::
"c:\windows\S4272D5A0.tmp"
.

(((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrateur\Bureau\Security Tool.lnk
c:\documents and settings\All Users\Application Data\48553227
c:\documents and settings\All Users\Application Data\48553227\48553227.exe
c:\program files\WinPCap
c:\program files\WinPCap\rpcapd.exe
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll
c:\windows\S4272D5A0.tmp . . . . unable to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_npf

((((((((((((((((((((((((((((( Files Created from 2009-10-08 to 2009-11-08 ))))))))))))))))))))))))))))))))))))
.

2009-11-08 21:51 . 2009-11-08 21:51 1276965 ----a-w- c:\documents and settings\All Users\Application Data\66532426\66532426.exe
2009-11-08 21:51 . 2009-11-08 21:51 59509 ----a-w- c:\windows\system32\restorer32_a.exe
2009-11-08 20:13 . 2009-11-08 20:14 -------- d-----w- C:\supra
2009-11-07 22:20 . 2009-11-07 22:20 -------- d-----w- C:\UsbFix
2009-11-07 22:14 . 2009-11-07 22:15 -------- d-----w- C:\ToolBar SD
2009-11-07 19:50 . 2009-11-08 09:52 -------- d-----w- c:\program files\trend micro
2009-11-07 19:50 . 2009-11-07 19:52 -------- d-----w- C:\rsit
2009-11-07 13:51 . 2009-09-10 13:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-07 13:51 . 2009-11-07 13:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-07 13:51 . 2009-09-10 13:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-07 13:33 . 2009-11-07 13:32 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-11-07 13:32 . 2009-11-07 13:37 -------- d-----w- c:\documents and settings\Administrateur\.housecall6.6
2009-11-07 13:04 . 2009-11-07 13:04 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-11-03 12:55 . 2009-11-03 12:55 -------- d-----w- c:\program files\Sweet Home 3D
2009-11-02 18:21 . 2009-11-02 18:21 -------- d-----w- c:\documents and settings\Administrateur\Application Data\Malwarebytes
2009-11-02 18:21 . 2009-11-02 18:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-26 15:07 . 2007-11-27 02:24 14640 ------w- c:\windows\system32\spmsgXP_2k3.dll
2009-10-26 14:52 . 2009-10-26 15:10 -------- d-----w- c:\documents and settings\Administrateur\Application Data\Teleca
2009-10-26 14:52 . 2009-10-26 14:52 -------- d-----w- c:\documents and settings\Administrateur\Local Settings\Application Data\HTC
2009-10-26 14:51 . 2009-10-26 14:51 -------- d-----w- c:\documents and settings\All Users\Application Data\HTC
2009-10-26 14:51 . 2009-10-26 14:51 -------- d-----w- c:\program files\Fichiers communs\Teleca Shared
2009-10-26 14:51 . 2009-10-26 14:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Teleca
2009-10-26 14:50 . 2009-07-02 13:42 25728 ----a-w- c:\windows\system32\drivers\ANDROIDUSB.sys
2009-10-26 14:50 . 2009-07-02 13:42 1122664 ----a-w- c:\windows\system32\WdfCoInstaller01007.dll
2009-10-26 14:50 . 2009-10-26 14:51 -------- d-----w- c:\program files\HTC
2009-10-26 14:50 . 2009-10-26 14:50 -------- d-----w- c:\windows\Downloaded Installations
2009-10-15 17:38 . 2009-07-17 16:16 1440768 ------w- c:\windows\system32\dllcache\query.dll
2009-10-15 17:32 . 2009-09-04 21:04 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
2009-10-14 15:05 . 2009-10-14 15:05 -------- d-----w- c:\documents and settings\Administrateur\Application Data\LolClient.F24C99354F615F3BAB18AE7B93E3F9B9E8784FA6.1
2009-10-14 09:41 . 2009-10-14 15:04 38208 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-10-14 09:41 . 2009-10-14 15:04 -------- d-----w- c:\program files\Fichiers communs\Adobe AIR
2009-10-14 09:39 . 2009-10-14 09:39 -------- d-----w- C:\Riot Games

.
(((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-08 21:52 . 2009-11-08 21:51 -------- d-----w- c:\documents and settings\All Users\Application Data\66532426
2009-11-08 21:51 . 2009-11-08 21:51 59509 ----a-w- c:\documents and settings\Administrateur\restorer32_a.exe
2009-11-08 21:50 . 2009-11-08 20:30 0 ------w- c:\windows\S4272D5A0.tmp
2009-11-08 21:06 . 2009-11-08 09:42 4500 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2009-11-08 01:35 . 2008-09-08 12:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-07 22:17 . 2008-08-27 21:34 -------- d-----w- c:\documents and settings\Administrateur\Application Data\uTorrent
2009-11-07 14:40 . 2009-11-07 14:40 -------- d-----w- c:\program files\microsoft frontpage
2009-11-05 17:20 . 2008-08-19 12:52 -------- d-----w- c:\program files\Ad-Aware
2009-11-05 16:58 . 2008-11-08 11:43 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-26 15:07 . 2009-10-26 15:07 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-10-26 15:07 . 2009-10-26 15:07 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ANDROIDUSB_01007.Wdf
2009-10-14 09:39 . 2008-08-19 13:02 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-11 14:18 . 2008-05-02 22:57 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:04 . 2008-05-02 22:57 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:21 . 2008-05-02 22:57 840704 ------w- c:\windows\system32\wininet.dll
2009-08-29 07:20 . 2008-05-02 22:57 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:20 . 2008-05-02 22:57 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-26 08:01 . 2008-05-02 22:57 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-18 16:54 . 2008-08-20 11:54 66768 ----a-w- c:\documents and settings\Administrateur\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-17 21:33 . 2009-08-17 21:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

--- c:\windows\system32\drivers\adfs.sys ---
Company: Adobe Systems, Inc.
File Description: Adobe Drive File System Driver
File Version: 1.00.00
Product Name: Adobe Drive
Copyright: © 2003-08 Adobe Systems, Inc.
Original Filename: ADFS.Sys
File size: 74720
Created time: 2008-08-14 06:57
Modified time: 2008-08-14 06:57
MD5: 6D7F09CD92A9FEF3A8EFCE66231FDD79
SHA1: 82070EA3D534BE683FFDEA09E44BC4AA88F15CC1

------- Sigcheck -------

[-] 2008-05-02 . 22F702A6DCBDB4F7282C4B73B95EE4E4 . 2011136 . . [6.00.2900.5512] . . c:\windows\explorer.exe

[-] 2008-05-02 . A9658459BB4F4EE00FA117C9382C0D3A . 1571840 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll

c:\windows\system32\drivers\beep.sys ... missing !!
c:\windows\system32\regsvc.dll ... missing !!
.
((((((((((((((((((((((((((((( SnapShot@2009-11-08_21.02.22 )))))))))))))))))))))))))))))))))))))))))
.

2009-11-08 21:51 . 2009-11-08 21:51 28928 c:\windows\temp\wpv531257179558.exe
2009-11-08 21:51 . 2009-11-08 21:51 39424 c:\windows\temp\wpv221257644297.exe
2009-11-08 21:51 . 2009-11-08 21:51 59509 c:\windows\temp\wpv221257061249.exe
2009-11-08 21:51 . 2009-11-08 21:51 27648 c:\windows\temp\wpv041255562528.exe
2009-11-08 21:01 . 2009-11-08 21:01 16384 c:\windows\temp\Perflib_Perfdata_188.dat
2009-11-08 21:50 . 2009-11-08 21:50 16384 c:\windows\temp\Perflib_Perfdata_188.dat
2009-11-08 21:51 . 2009-11-08 21:51 420352 c:\windows\temp\_ex-08.exe
2008-05-02 22:57 . 2009-11-08 21:06 548964 c:\windows\system32\perfc009.dat
2008-05-02 22:57 . 2009-11-08 21:06 1131942 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note: empty entries & legitimate default entries are not listed
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"restorer32_a"="c:\documents and settings\Administrateur\restorer32_a.exe" [2009-11-08 59509]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-12-14 159744]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-12-04 186904]
"Mobile Connectivity Suite"="c:\program files\HTC\HTC Sync\Application Launcher\Application Launcher.exe" [2009-05-27 598016]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"sysgif32"="c:\windows\Temp\wpv531257179558.exe" [2009-11-08 28928]
"restorer32_a"="c:\windows\system32\restorer32_a.exe" [2009-11-08 59509]
"PromoReg"="c:\windows\Temp\_ex-08.exe" [2009-11-08 420352]
"66532426"="c:\docume~1\ALLUSE~1\APPLIC~1\66532426\66532426.exe" [2009-11-08 1276965]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
"nltide_3"="advpack.dll" - c:\windows\system32\advpack.dll [2009-08-29 124928]

c:\documents and settings\Administrateur\Menu D?marrer\Programmes\D?marrage
ukssys32.exe [2008-5-2 29952]

c:\documents and settings\All Users\Menu D?marrer\Programmes\D?marrage
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-10-4 805392]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe rundll32.exe pqrs.tmo printer"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 00:42 72208 ----a-w- c:\program files\Fichiers communs\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@=“Driver”

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe"=
"%windir%\system32\sessmgr.exe"=
"c:\Program Files\uTorrent\uTorrent.exe"=
"d:\Download\utorrent.exe"=
"c:\Program Files\Bonjour\mDNSResponder.exe"=
"c:\Program Files\iTunes\iTunes.exe"=
"c:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"=
"c:\Program Files\Java\jre1.6.0_07\bin\javaw.exe"=
"c:\wamp\bin\apache\apache2.2.6\bin\httpd.exe"=
"d:\Program Files\Sun\xVM VirtualBox\VirtualBox.exe"=
"c:\WINDOWS\system32\javaw.exe"=
"c:\Program Files\Mozilla Firefox\firefox.exe"=
"c:\Program Files\Fichiers communs\Adobe\CS4ServiceManager\CS4ServiceManager.exe"=
"c:\Program Files\Windows Live\Messenger\wlcsdk.exe"=
"c:\Program Files\Windows Live\Messenger\msnmsgr.exe"=
"c:\Program Files\Skype\Phone\Skype.exe"=
"c:\Riot Games\League of Legends\air\LolClient.exe"=
"c:\Riot Games\League of Legends\game\League of Legends.exe"=

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"19219:TCP"= 19219:TCP:µtorrent
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"8370:TCP"= 8370:TCP:League of Legends Launcher
"8370:UDP"= 8370:UDP:League of Legends Launcher
"8371:TCP"= 8371:TCP:League of Legends Launcher
"8371:UDP"= 8371:UDP:League of Legends Launcher
"6892:TCP"= 6892:TCP:League of Legends Launcher
"6892:UDP"= 6892:UDP:League of Legends Launcher
"8372:TCP"= 8372:TCP:League of Legends Launcher
"8372:UDP"= 8372:UDP:League of Legends Launcher

R0 Si3124;Si3124;c:\windows\system32\drivers\si3124.sys [02/05/2008 23:57 76208]
R0 Si3531;Si3531;c:\windows\system32\drivers\Si3531.sys [02/05/2008 23:57 210224]
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [01/12/2008 12:54 95888]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [01/12/2008 12:54 41680]
R3 itecir;ITECIR Infrared Receiver;c:\windows\system32\drivers\itecir.sys [19/08/2008 14:24 54784]
R3 OA001Ufd;Creative Camera OA001 Upper Filter Driver;c:\windows\system32\drivers\OA001Ufd.sys [20/08/2008 12:40 149208]
R3 OA001Vid;Creative Camera OA001 Function Driver;c:\windows\system32\drivers\OA001Vid.sys [20/08/2008 12:40 277624]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [26/10/2009 15:50 25728]
S3 k57w2k;Broadcom NetLink ™ Gigabit Ethernet;c:\windows\system32\drivers\k57xp32.sys [03/10/2008 14:54 174592]
S3 PEEK5;PEEK5 Protocol Driver;??\c:\docume~1\ADMINI~1\MESDOC~1\WINAIR~1\WINAIR~1\WINAIR~1\PEEK5.SYS --> c:\docume~1\ADMINI~1\MESDOC~1\WINAIR~1\WINAIR~1\WINAIR~1\PEEK5.SYS [?]

--- Other Services/Drivers in memory ---

Deregistered - mbr
.
.
------- Supplementary Scan -------
.
uStart Page = search.net-studio.org
uLocal Page = search.net-studio.org
mStart Page = search.net-studio.org
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Administrateur\Application Data\Mozilla\Firefox\Profiles\72dpp807.default
FF - prefs.js: browser.startup.homepage - igoogle.fr
FF - component: c:\documents and settings\Administrateur\Application Data\Mozilla\Firefox\Profiles\72dpp807.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\documents and settings\Administrateur\Application Data\Mozilla\Firefox\Profiles\72dpp807.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.

- - - - ORPHANS REMOVED - - - -

Toolbar-ITBar7Layout - (no file)
Toolbar-ITBar7Position - (no file)
HKLM-Run-48553227 - c:\docume~1\ALLUSE~1\APPLIC~1\48553227\48553227.exe


catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, www.gmer.net…
Rootkit scan 2009-11-08 22:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\windows\system32\restorer32_a.exe 59509 bytes executable

scan completed successfully
hidden files: 1


Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, www.gmer.net…

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys spmj.sys hal.dll >>UNKNOWN [0x8A5AF938]<<
kernel: MBR read successfully
user & kernel MBR OK
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, www.gmer.net…

iaStor.sys @ 0x0 0x0 bytes

\Driver\iaStor [ IRP_MJ_CREATE ] 0x44468 != 0xB9D79D10 iaStor.sys
\Driver\iaStor [ IRP_MJ_CLOSE ] 0x44468 != 0xB9D79D10 iaStor.sys
\Driver\iaStor [ IRP_MJ_DEVICE_CONTROL ] 0x414D0 != 0xB9D79D10 iaStor.sys
\Driver\iaStor [ IRP_MJ_INTERNAL_DEVICE_CONTROL ] 0x3E464 != 0xB9D79D10 iaStor.sys
\Driver\iaStor [ IRP_MJ_POWER ] 0x396AE != 0xB9D79D10 iaStor.sys
\Driver\iaStor [ IRP_MJ_SYSTEM_CONTROL ] 0x38964 != 0xB9D79D10 iaStor.sys
\Driver\iaStor IRP hooks detected !


.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(544)
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\fichiers communs\logishrd\bluetooth\LBTWlgn.dll
c:\program files\fichiers communs\logishrd\bluetooth\LBTServ.dll
c:\windows\system32\COMRes.dll
c:\program files\Fichiers communs\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'lsass.exe'(600)
c:\windows\system32\setupapi.dll

- - - - - - - > 'Explorer.exe'(7384)
c:\windows\system32\SHDOCVW.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\COMRes.dll
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\NETSHELL.dll
c:\windows\system32\credui.dll
c:\windows\system32\eappprxy.dll
c:\program files\Fichiers communs\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\IDT\WDM\STacSV.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\windows\system32\wscntfy.exe
c:\program files\Fichiers communs\Teleca Shared\logger.exe
c:\program files\Fichiers communs\Logishrd\KHAL2\KHALMNPR.EXE
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\DellTPad\HidFind.exe
c:\program files\DellTPad\Apntex.exe
c:\program files\Fichiers communs\Teleca Shared\Generic.exe
c:\program files\Fichiers communs\Teleca Shared\CapabilityManager.exe
c:\program files\HTC\HTC Sync\ClientInitiatedStarter\ClientInitiatedStarter.exe
c:\program files\HTC\HTC Sync\Mobile Phone Monitor\epmworker.exe
c:\program files\HTC\HTC Sync\Mobile Phone Monitor\DbgOut.exe
c:\program files\HTC\HTC Sync\Mobile Phone Monitor\HTCVBTServer.exe
c:\program files\HTC\HTC Sync\Mobile Phone Monitor\FsynSrvStarter.exe
.


.
Completion time: 2009-11-08 22:59 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-08 21:59
ComboFix2.txt 2009-11-08 21:10
ComboFix3.txt 2009-11-08 09:44

Pre-Run: 2 143 756 288 bytes free
Post-Run: 2 108 833 792 bytes free

Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4

- - End Of File - - C1E8CEE78D98CE299AC239948B0CB4B1

I have another question. I have two partitions on my hard drive. One holds the system, the other holds all my data (photos etc.). Do you think the second (data) partition is infected? Because otherwise, I think I'll format the whole thing and start over on a clean footing...
Tell me what you think!
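As an added example (not part of the original post, and not ComboFix's own code), here is a small Python triage script that parses the REGEDIT4-style registry load points the way they appear in the reports above and flags the three persistence patterns these logs show: a Run value launching an executable from %windir%\Temp, an all-digit Run value pointing at a same-named all-digit folder under All Users\Application Data, and a Winlogon Shell value that is no longer just "Explorer.exe". The sample lines are copied from the second report above; the tag names and the heuristics are my own, chosen to match what this log shows, not a signature set from any tool.

```python
"""Triage of the registry load-points section of a ComboFix report.

Added example: not from the forum post and not ComboFix code. It reads
REGEDIT4-style "[key]" / "name"="data" lines as they appear in the log and
returns the entries that match a few Security Tool persistence patterns.
The tag names (TEMP_LAUNCH, NUMERIC_DROPPER, SHELL_HIJACK) are my own.
"""
import re
from typing import Dict, List, Tuple

# Sample input: lines copied from the "Reg Loading Points" section of the
# second ComboFix report above (constructed excerpt, not a live read).
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-12-14 159744]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"sysgif32"="c:\windows\Temp\wpv531257179558.exe" [2009-11-08 28928]
"restorer32_a"="c:\windows\system32\restorer32_a.exe" [2009-11-08 59509]
"PromoReg"="c:\windows\Temp\_ex-08.exe" [2009-11-08 420352]
"66532426"="c:\docume~1\ALLUSE~1\APPLIC~1\66532426\66532426.exe" [2009-11-08 1276965]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe rundll32.exe pqrs.tmo printer"
'''

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]\s*$')
ENTRY_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<data>[^"]*)"')
# Path ending in "\<digits>\<same digits>.exe", the naming used by the
# 48553227 / 58300925 / 66532426 entries in the reports.
NUMERIC_DROPPER_RE = re.compile(r'\\(\d{6,})\\\1\.exe$', re.IGNORECASE)


def parse_load_points(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, data) triples; entries before any [key] are skipped."""
    key = ''
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group('key')
            continue
        m = ENTRY_RE.match(line)
        if m and key:
            entries.append((key, m.group('name'), m.group('data')))
    return entries


def classify(key: str, name: str, data: str) -> List[str]:
    """Tags for one load point; an empty list means nothing matched."""
    tags = []
    lowered = data.lower()
    # Winlogon's Shell value should be exactly "Explorer.exe"; any extra
    # token is something started alongside (or instead of) the desktop shell.
    if key.lower().endswith('\\winlogon') and name.lower() == 'shell':
        if lowered.strip() != 'explorer.exe':
            tags.append('SHELL_HIJACK')
    # Autostart entries that run straight out of a Temp directory.
    if '\\temp\\' in lowered:
        tags.append('TEMP_LAUNCH')
    # All-digit value name whose target is <digits>\<digits>.exe.
    if name.isdigit() and NUMERIC_DROPPER_RE.search(data):
        tags.append('NUMERIC_DROPPER')
    return tags


def triage(text: str) -> List[Dict[str, str]]:
    """Run classify() over every parsed load point and keep the hits."""
    findings = []
    for key, name, data in parse_load_points(text):
        for tag in classify(key, name, data):
            findings.append({'tag': tag, 'key': key, 'name': name, 'data': data})
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f"{f['tag']:16} {f['name']!r:22} -> {f['data']}")
```

Run as-is it reports four hits from the sample: the two Temp launchers (sysgif32 and PromoReg), the 66532426 entry, and the modified Shell value. Note what it does not catch: restorer32_a.exe sits in system32 with a normal-looking path and only stands out because catchme reports it as a hidden file, and the iaStor IRP hooks are a kernel-level finding that no registry parser will see. A script like this is a first pass over the autostart entries, not a verdict on the machine, and it says nothing about whether a separate data partition is clean.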