Advertising popup virus

04/06/2008 18:06, post #1 by lidouka

Hello, I am the victim of a virus that borders on the spectacular.
When I open a page that contains ads, once the page has finished loading I notice (watching the status bar) that my PC tries to connect to a site, yieldmanager.com, which detects all the advertising banners on the web page and replaces them with other commercial ads of the "Congratulations, you are the 99999th visitor, etc." kind.

These ads, which are very flashy and hurt the eyes, are overlaid on the original (genuine) ads.
It does this on every site I visit.

Please help me, it is ruining my connection because this virus plays tricks on me, such as blocking every page coming from Google, opening a new tab in my browser, simply crashing my browser, or using 100% of my CPU, which forces me to restart my PC.

PS: I caught this virus when trying to open an exe file, "Plus belles photos Reuters 2007.exe", downloaded via a torrent.
04/06/2008 18:14, post #2 by rlgrand
Hello,

Could you post a HijackThis report?
You can follow Manumation's tutorial:
http://www.developpez.net/forums/sho...d.php?t=530859

These ad infections can have several causes. With the report, it will be possible to tell you which tool to use.

04/06/2008 18:39, post #3 by lidouka
rlgrand, here is my HijackThis report
Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:37:03, on 04/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\iPass\Cisco VPN\cvpnd.exe
C:\WINDOWS\SYSTEM32\DWRCS.EXE
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\ipass\epm\rstate.exe
C:\Program Files\lotus\notes\ntmulti.exe
c:\areva\e_terracontrol\bin\processstarter.service.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\PROGRA~1\ipass\epm\rstate.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sharp\Sharpdesk\SharpTray.exe
C:\Program Files\SuperCopier2\SuperCopier2.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\WINDOWS\SYSTEM32\DWRCST.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPass\iPassConnect\iPassConnectGUI.exe
C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
C:\PROGRA~1\iPass\DeviceID\bin\ServiceWrapper.exe
C:\Program Files\iPass\iPassConnect\downloader\iPCCheck.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\Network Associates\Common Framework\McScript_InUse.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hp.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.101.201.204:8080
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] "%ProgramFiles%\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe"
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [ChangeResolution] C:\Documents and Settings\Administrator\ChangeResolution.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NoteBurner] C:\Program Files\NoteBurner\VTBurnerGUI.exe /silence
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1864.exe 61A847B5BBF728133A9D3C466188719AB689201522886B092CBD44BD8689220221DD3257
O4 - HKLM\..\Run: [5f91a3fd] rundll32.exe "C:\WINDOWS\system32\uryofegd.dll",b
O4 - HKLM\..\Run: [BM5ca29061] Rundll32.exe "C:\WINDOWS\system32\hxbqttnx.dll",s
O4 - HKLM\..\Run: [EPM Agent] c:\PROGRA~1\ipass\epm\rstate.exe /LOGON
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SharpTray] "C:\Program Files\Sharp\Sharpdesk\SharpTray.exe"
O4 - HKCU\..\Run: [SuperCopier2.exe] C:\Program Files\SuperCopier2\SuperCopier2.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Areva T&D VPN Client.lnk = C:\Program Files\iPass\Cisco VPN\vpngui.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{CF3AA6CA-FA66-492F-8196-C6A015F75500}: NameServer = 213.154.64.13,213.154.95.126
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = mail.areva-td.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = mail.areva-td.com,prod.atd.corp
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = mail.areva-td.com,prod.atd.corp
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = mail.areva-td.com,prod.atd.corp
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\iPass\Cisco VPN\cvpnd.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DWRCS.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HABITAT Group 20 - AREVA T&D - C:\AREVA\habitat20\habitat\bin\tview_server.exe
O23 - Service: HABITAT Group 22 - AREVA T&D - C:\AREVA\habitat22\habitat\bin\tview_server.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPassConnectEngine - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
O23 - Service: iPassPeriodicUpdateApp - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
O23 - Service: iPassPeriodicUpdateService - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
O23 - Service: Service de l'iPod (iPod Service) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: iPass Endpoint Policy Management Agent (MobileAutmationAgentService) - iPass Inc. - c:\program files\ipass\epm\rstate.exe
O23 - Service: MopUPS - Chloride Power - C:\Program Files\Chloride Power\MopUPS\ups.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: OpcEnum - OPC Foundation - C:\WINDOWS\system32\OpcEnum.exe
O23 - Service: Process Starter  (ProcessStarter) - AREVA T&&D Corporation - c:\areva\e_terracontrol\bin\processstarter.service.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: DeviceID Authentication Agent (ServiceWrapper) - Unknown owner - C:\PROGRA~1\iPass\DeviceID\bin\ServiceWrapper.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 11338 bytes
04/06/2008 20:16, post #4 by rlgrand
You are going to use SDFix, which can be downloaded at:
http://downloads.andymanchesta.com/R...ools/SDFix.exe
Install the software and make a careful note of where you installed it.
You must restart in safe mode.
Launch the software with RunThis.bat in the SDFix folder.
Post the report and a HijackThis log so we can see the result.

The cleanup will have to be done afterwards.

05/06/2008 12:10, post #5 by lidouka
Hello rlgrand,
Here is the SDFix report (part 1 of 2, as it is too long):

Code:

System Report
*************

Run on 05/06/2008 at 09:42

Microsoft Windows XP [Version 5.1.2600]

Current user is an administrator

Running Processes:

\SystemRoot\System32\smss.exe [160]
\??\C:\WINDOWS\system32\csrss.exe [208]
\??\C:\WINDOWS\system32\winlogon.exe [232]
C:\WINDOWS\system32\services.exe [276]
C:\WINDOWS\system32\lsass.exe [288]
C:\WINDOWS\system32\svchost.exe [472]
C:\WINDOWS\system32\svchost.exe [532]
C:\WINDOWS\system32\svchost.exe [572]
C:\WINDOWS\Explorer.EXE [840]
C:\Program Files\zabkat\xplorer2\xplorer2_UC.exe [1060]
C:\WINDOWS\system32\ctfmon.exe [1072]


Drivers - Running:

ACPI
ACPIEC
AliIde
atapi
Beep
Cdfs
Cdrom
Compbatt
Disk
dmio
dmload
drvmcdb
FltMgr
Ftdisk
i8042prt
Imapi
IntelIde
isapnp
Kbdclass
KSecDD
Mouclass
MountMgr
Msfs
mssmbios
Mup
NDIS
Npfs
Ntfs
Null
ohci1394
PartMgr
PCI
PCIIde
Pcmcia
PxHelp20
rdpdr
redbook
sr
sscdbhk5
ssrtln
swenum
SynTP
TermDD
Update
usbehci
usbhub
usbuhci
VgaSave
ViaIde
VolSnap
WmiAcpi
WudfPf


Drivers - Stopped:

Abiosdsk
abp480n5
adpu160m
aeaudio
aec
AFD
AgereSoftModem
Aha154x
aic78u2
aic78xx
amsint
Arp1394
asc
asc3350p
asc3550
AseBCOM
asebcomp
ASPI32
AsyncMac
Atdisk
Atmarpc
audstub
b57w2k
BTKRNL
BTWUSB
cbidf2k
cd20xrnt
Cdaudio
Changer
ClntMgmt.sys
CmBatt
CmdIde
Cpqarray
CVirtA
CVPNDRVA
dac960nt
dmboot
DMusic
DNE
dpti2o
drmkaud
drvnddm
DS1410D
eabfiltr
eabusb
Fastfat
Fdc
Fips
Flpydisk
Gpc
GTIPCI21
HidUsb
hpn
HTTP
hwinterface
i2omgmt
i2omp
ialm
ini910u
intelppm
Ip6Fw
iPassP
IpFilterDriver
IpInIp
IpNat
IPSec
irda
IRENUM
kmixer
lbrtfdc
mnmdd
Modem
mouhid
mraid35x
MRxDAV
MRxSmb
MSIRCOMM
MSKSSRV
MSPCLOCK
MSPQM
NaiAvFilter1
NaiAvTdi1
NdisTapi
Ndisuio
NdisWan
NDProxy
NetBIOS
NetBT
NIC1394
nm
NPF
ntcdrdrv
NwlnkFlt
NwlnkFwd
Parport
ParVdm
PCIDump
PDCOMP
PDFRAME
PDRELI
PDRFRAME
perc2
perc2hib
PptpMiniport
PSched
Ptilink
ql1080
Ql10wnt
ql12160
ql1240
ql1280
RasAcd
Rasirda
Rasl2tp
RasPppoe
Raspti
Rdbss
RDPCDD
RDPWD
ROOTMODEM
sdbus
Secdrv
serenum
Serial
Sfloppy
Simbad
SMCIRDA
smwdm
Sparrow
splitter
Srv
swmidi
symc810
symc8xx
sym_hi
sym_u3
sysaudio
Tcpip
TDPIPE
TDTCP
tfsnboio
tfsncofs
tfsndrct
tfsndres
tfsnifs
tfsnopio
tfsnpool
tfsnudf
tfsnudfa
tifm21
TosIde
Udfs
ultra
usbccgp
usbprint
usbscan
USBSTOR
vsdatant
w29n51
Wanarp
WDICA
wdmaud
WmaCDriverV32
WmaCVideo32
WpdUsb
WudfRd


Services - Running:

CryptSvc
DcomLaunch
dmserver
Eventlog
helpsvc
PlugPlay
RpcSs
srservice
winmgmt


Services - Stopped:

Alerter
ALG
AppMgmt
aspnet_state
AudioSrv
Autodesk
BITS
Browser
btwdins
CiSvc
ClipSrv
clr_optimization_v2.0.50727_32
COMSysApp
CVPND
Dhcp
dmadmin
Dnscache
DWMRCS
ERSvc
EventSystem
FastUserSwitchingCompatibility
gusvc
HABITAT
HABITAT
HidServ
hpqwmi
HTTPFilter
IISADMIN
ImapiService
iPassConnectEngine
iPassPeriodicUpdateApp
iPassPeriodicUpdateService
iPod
Irmon
lanmanserver
lanmanworkstation
LmHosts
Lotus
McAfeeFramework
McShield
McTaskManager
MDM
Messenger
mnmsrvc
MobileAutmationAgentService
MopUPS
MSDTC
MSFtpsvc
MSIServer
Multi-user
NetDDE
NetDDEdsdm
Netlogon
Netman
Nla
NtLmSsp
NtmsSvc
OpcEnum
ose
PolicyAgent
ProcessStarter
ProtectedStorage
RasAuto
RasMan
RDSessMgr
RemoteAccess
RemoteRegistry
rpcapd
RpcLocator
RSVP
SamSs
SCardSvr
Schedule
seclogon
SENS
ServiceWrapper
SharedAccess
ShellHWDetection
SolidWorks
SoundMAX
Spooler
SSDPSRV
stisvc
SwPrv
SysmonLog
TapiSrv
TermService
Themes
TlntSvr
TrkWks
upnphost
UPS
VSS
W32Time
W3SVC
WebClient
WmdmPmSN
Wmi
WmiApSrv
WMPNetworkSvc
wscsvc
wuauserv
WudfSvc
WZCSVC
xmlprov


Files Created/Modified - 60 Days:


C:\

22 May 2008 11:03:32            322 ..SH.     "C:\boot.ini"
 5 Jun 2008  9:37:24  1 598 029 824 A.SH.     "C:\PAGEFILE.SYS"
19 May 2008 14:42:00         35 070 A....     "C:\x2settings.reg"


C:\WINDOWS\

 5 Jun 2008  9:28:36              0 A....     "C:\WINDOWS\0.log"
 5 Jun 2008  9:32:16         12 942 A....     "C:\WINDOWS\BM5ca29061.txt"
 5 Jun 2008  9:33:40        109 885 A....     "C:\WINDOWS\BM5ca29061.xml"
 5 Jun 2008  9:37:56          2 048 A.S..     "C:\WINDOWS\bootstat.dat"
 8 May 2008 15:37:32            295 A....     "C:\WINDOWS\CMT.INI"
 6 May 2008 15:34:06          3 806 A....     "C:\WINDOWS\ModemLog_Agere Systems AC'97 Modem.txt"
 3 Jun 2008 14:04:08         41 984 A....     "C:\WINDOWS\mrofinu1864.exe"
 5 Jun 2008  9:38:16        230 626 A....     "C:\WINDOWS\ntbtlog.txt"
 5 Jun 2008  9:29:14             22 A....     "C:\WINDOWS\pskt.ini"
 5 Jun 2008  9:36:30         32 564 A....     "C:\WINDOWS\SchedLgU.Txt"
22 May 2008 11:03:32            227 A....     "C:\WINDOWS\system.ini"
 2 Jun 2008 12:48:34          6 311 A....     "C:\WINDOWS\UEDIT32.INI"
 5 Jun 2008  9:36:30            216 A....     "C:\WINDOWS\wiadebug.log"
 5 Jun 2008  9:36:30             48 A....     "C:\WINDOWS\wiaservc.log"
22 May 2008 11:03:32            610 A....     "C:\WINDOWS\win.ini"
 4 Jun 2008 15:13:00             95 A....     "C:\WINDOWS\winamp.ini"
 5 Jun 2008  9:36:28          1 764 A....     "C:\WINDOWS\WindowsUpdate.log"
 4 Jun 2008 12:00:32             64 A.S..     "C:\WINDOWS\CSC\00000001"
 4 Jun 2008 11:56:30             64 A.S..     "C:\WINDOWS\CSC\00000002"
 5 Jun 2008  9:38:00              0 A....     "C:\WINDOWS\Debug\PASSWD.LOG"
 6 May 2008 15:15:28         29 077 A....     "C:\WINDOWS\Help\HYPERTRM.chw"
 2 Jun 2008 10:33:12          7 800 A....     "C:\WINDOWS\inf\certclas.PNF"
 4 Jun 2008 15:23:58             23 A....     "C:\WINDOWS\Internet Logs\fwpktlog.txt"
 5 Jun 2008  9:29:58        148 344 A....     "C:\WINDOWS\Internet Logs\tvDebug.log"
22 May 2008 10:29:50         14 848 A....     "C:\WINDOWS\system32\BASSMOD.dll"
 4 Jun 2008 13:04:36              0 A....     "C:\WINDOWS\system32\clkcnt.txt"
 5 Jun 2008  9:29:44      1 541 744 ..SH.     "C:\WINDOWS\system32\dgefoyru.ini"
 2 Jun 2008 16:38:32        211 288 A....     "C:\WINDOWS\system32\FNTCACHE.DAT"
 3 Jun 2008 14:09:12        373 248 A....     "C:\WINDOWS\system32\hgGyyvuR.dll"
 4 Jun 2008 13:06:24        126 976 A....     "C:\WINDOWS\system32\hxbqttnx.dll"
20 May 2008 15:40:42            740 A....     "C:\WINDOWS\system32\ipss.bat"
 3 Jun 2008 14:03:58         58 880 A....     "C:\WINDOWS\system32\ljJdbYRI.dll"
 4 Jun 2008 11:43:48            143 A....     "C:\WINDOWS\system32\mcrh.tmp"
 5 Jun 2008  9:41:04        429 175 A.SH.     "C:\WINDOWS\system32\RuvyyGgh.ini"
 5 Jun 2008  9:39:02        429 175 A.SH.     "C:\WINDOWS\system32\RuvyyGgh.ini2"
15 May 2008 16:54:34        133 632 A....     "C:\WINDOWS\system32\SpoonUninstall.exe"
 4 Jun 2008 13:09:26        116 736 A....     "C:\WINDOWS\system32\uryofegd.dll"
 4 Jun 2008 12:03:00          1 158 A....     "C:\WINDOWS\system32\wpa.dbl"
30 May 2008 17:15:02            404 A....     "C:\WINDOWS\Tasks\Maintenance en 1 clic.job"
 5 Jun 2008  9:36:30              6 A..H.     "C:\WINDOWS\Tasks\SA.DAT"
 5 Jun 2008  9:37:56          3 828 A....     "C:\WINDOWS\Debug\UserMode\userenv.log"
 5 Jun 2008  9:29:06            281 A....     "C:\WINDOWS\system32\dla\DLA.INI"
 5 Jun 2008  9:36:30        224 509 A....     "C:\WINDOWS\system32\inetsrv\MetaBase.bin"
 4 Jun 2008 12:01:46      2 115 020 A....     "C:\WINDOWS\system32\Restore\rstrlog.dat"
 4 Jun 2008 11:48:14         46 198 A....     "C:\WINDOWS\system32\Logfiles\HTTPERR\httperr1.log"
11 Apr 2008 15:19:52          5 223 A....     "C:\WINDOWS\system32\Logfiles\W3SVC1\ex080411.log"
22 Apr 2008 16:41:54          1 396 A....     "C:\WINDOWS\system32\Logfiles\W3SVC1\ex080422.log"
26 May 2008 17:25:46         31 438 A....     "C:\WINDOWS\system32\Logfiles\W3SVC1\ex080526.log"
 5 Jun 2008  0:00:02          1 027 A....     "C:\WINDOWS\system32\Logfiles\W3SVC1\ex080604.log"
 5 Jun 2008  9:36:50         12 288 A....     "C:\WINDOWS\system32\Logfiles\WUDF\WUDFTrace.etl"
 2 Jun 2008 13:18:26          2 010 A....     "C:\WINDOWS\system32\spool\drivers\w32x86\3\SE0CSTMN.DAT"


C:\Program Files\

28 May 2008 14:40:18      1 197 296 A....     "C:\Program Files\CCleaner\CCleaner.exe"
 4 Jun 2008 16:30:26        114 470 A....     "C:\Program Files\CCleaner\uninst.exe"
10 May 2008 16:24:50        189 094 A....     "C:\Program Files\EasyPHP 2.0b1\unins000.dat"
10 May 2008 16:24:00        704 346 A....     "C:\Program Files\EasyPHP 2.0b1\unins000.exe"
15 May 2008 17:22:36         23 873 A....     "C:\Program Files\Free Audio Pack\unins000.dat"
15 May 2008 17:18:14        691 481 A....     "C:\Program Files\Free Audio Pack\unins000.exe"
18 Apr 2008 11:56:22         13 952 A....     "C:\Program Files\Mozilla Firefox\AccessibleMarshal.dll"
18 Apr 2008 11:56:32      7 660 656 A....     "C:\Program Files\Mozilla Firefox\firefox.exe"
18 Apr 2008 11:56:32        200 829 A....     "C:\Program Files\Mozilla Firefox\freebl3.dll"
18 Apr 2008 11:56:32        458 856 A....     "C:\Program Files\Mozilla Firefox\js3250.dll"
18 Apr 2008 11:56:34        161 392 A....     "C:\Program Files\Mozilla Firefox\nspr4.dll"
18 Apr 2008 11:56:34        378 472 A....     "C:\Program Files\Mozilla Firefox\nss3.dll"
18 Apr 2008 11:56:34        276 080 A....     "C:\Program Files\Mozilla Firefox\nssckbi.dll"
18 Apr 2008 11:56:34         34 424 A....     "C:\Program Files\Mozilla Firefox\plc4.dll"
18 Apr 2008 11:56:34         30 320 A....     "C:\Program Files\Mozilla Firefox\plds4.dll"
18 Apr 2008 11:56:34        112 232 A....     "C:\Program Files\Mozilla Firefox\smime3.dll"
18 Apr 2008 11:56:36        254 060 A....     "C:\Program Files\Mozilla Firefox\softokn3.dll"
18 Apr 2008 11:56:36        132 712 A....     "C:\Program Files\Mozilla Firefox\ssl3.dll"
18 Apr 2008 11:56:36        132 232 A....     "C:\Program Files\Mozilla Firefox\updater.exe"
18 Apr 2008 11:56:36         13 416 A....     "C:\Program Files\Mozilla Firefox\xpcom.dll"
18 Apr 2008 11:56:38         73 848 A....     "C:\Program Files\Mozilla Firefox\xpcom_compat.dll"
18 Apr 2008 11:56:38        422 000 A....     "C:\Program Files\Mozilla Firefox\xpcom_core.dll"
18 Apr 2008 11:56:38         73 336 A....     "C:\Program Files\Mozilla Firefox\xpicleanup.exe"
18 Apr 2008 11:56:40         12 400 A....     "C:\Program Files\Mozilla Firefox\xpistub.dll"
 3 Jun 2008 14:05:38        472 368 A....     "C:\Program Files\uTorrent\uTorrent.exe"
22 May 2008 11:35:10            617 A....     "C:\Program Files\AREVA\CKJM\PROG_TRANSDUCERS.zip"
26 May 2008 18:50:00         79 367 A....     "C:\Program Files\Google\Google Talk\uninstall.exe"
 5 Jun 2008  9:30:04            894 A....     "C:\Program Files\iPass\EPM\MA_DMI.DAT"
24 Apr 2008 11:11:56         53 248 A....     "C:\Program Files\iPass\iPassConnect\DebugLog.dll"
24 Apr 2008 11:12:08         45 056 A....     "C:\Program Files\iPass\iPassConnect\InstlMdm.dll"
24 Apr 2008 11:11:26        126 976 A....     "C:\Program Files\iPass\iPassConnect\iPass_3G.dll"
24 Apr 2008 11:12:36        196 608 A....     "C:\Program Files\iPass\iPassConnect\loader.dll"
24 Apr 2008 11:12:42          8 743 A....     "C:\Program Files\iPass\iPassConnect\MDS_CDMA.reg"
24 Apr 2008 11:12:52         14 047 A....     "C:\Program Files\iPass\iPassConnect\MDS_GPRS.reg"
 8 Apr 2008 11:07:16      1 107 159 A....     "C:\Program Files\iPass\iPassConnect\NNL.dat"
24 Apr 2008 11:13:30        237 568 A....     "C:\Program Files\iPass\iPassConnect\NwtGatewayDLL.dll"
 8 Apr 2008 11:05:54        768 786 A....     "C:\Program Files\iPass\iPassConnect\rc.dat"
24 Apr 2008 11:15:44         17 920 A....     "C:\Program Files\iPass\iPassConnect\swdrvintfnt.dll"
24 Apr 2008 11:13:56        172 032 A....     "C:\Program Files\iPass\iPassConnect\SWI32_AC710_GPRS.dll"
24 Apr 2008 11:14:30        233 562 A....     "C:\Program Files\iPass\iPassConnect\SWI32_AC710_3G.dll"
24 Apr 2008 11:14:56        233 472 A....     "C:\Program Files\iPass\iPassConnect\Swi_Cdma1x.dll"
24 Apr 2008 11:15:34        307 200 A....     "C:\Program Files\iPass\iPassConnect\Swi_Evdo.dll"
24 Apr 2008 11:17:52        446 538 A....     "C:\Program Files\iPass\iPassConnect\swi_evdomx.dll"
24 Apr 2008 11:18:04         13 824 A....     "C:\Program Files\iPass\iPassConnect\swmxintf.dll"
24 Apr 2008 11:16:40        614 461 A....     "C:\Program Files\iPass\iPassConnect\XDA.dll"
24 Apr 2008 11:17:00        114 688 A....     "C:\Program Files\iPass\iPassConnect\XdaTest.exe"
18 Apr 2008 11:56:24         67 696 A....     "C:\Program Files\Mozilla Firefox\components\jar50.dll"
18 Apr 2008 11:56:24         54 376 A....     "C:\Program Files\Mozilla Firefox\components\jsd3250.dll"
18 Apr 2008 11:56:24         34 952 A....     "C:\Program Files\Mozilla Firefox\components\myspell.dll"
18 Apr 2008 11:56:24         46 720 A....     "C:\Program Files\Mozilla Firefox\components\spellchk.dll"
18 Apr 2008 11:56:24        172 144 A....     "C:\Program Files\Mozilla Firefox\components\xpinstal.dll"
18 Apr 2008 11:56:34         22 664 A....     "C:\Program Files\Mozilla Firefox\plugins\npnul32.dll"
18 Apr 2008 11:56:36        450 936 A....     "C:\Program Files\Mozilla Firefox\uninstall\helper.exe"
 4 Jun 2008 16:26:30        396 288 A....     "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe"
22 May 2008 11:05:48         67 553 A....     "C:\Program Files\zabkat\xplorer2\Uninstall.exe"
22 May 2008 10:25:32      1 185 917 A....     "C:\Program Files\BitLord\Downloads\Xplorer2Pro\xplorer2_setup.exe"
 2 Jun 2008  5:20:00      1 663 866 A....     "C:\Program Files\Common Files\Network Associates\Engine\Clean.dat"
 2 Jun 2008  5:20:00        867 559 A....     "C:\Program Files\Common Files\Network Associates\Engine\Names.dat"
 2 Jun 2008  5:20:00     29 965 786 A....     "C:\Program Files\Common Files\Network Associates\Engine\Scan.dat"
22 May 2008 10:18:34         33 792 A....     "C:\Program Files\BitLord\Downloads\Xplorer2Pro\Crack\xplorer2.v1.6.0.0.unicode-patch.exe"
22 May 2008 10:26:26      6 106 621 A....     "C:\Program Files\BitLord\Downloads\Xplorer2Pro\Crack\xplorer2_setup_full.exe"
30 May 2008  5:20:00      1 654 950 A....     "C:\Program Files\Common Files\Network Associates\Engine\OldEngine\Clean.dat"
30 May 2008  5:20:00        867 340 A....     "C:\Program Files\Common Files\Network Associates\Engine\OldEngine\Names.dat"
30 May 2008  5:20:00     29 941 618 A....     "C:\Program Files\Common Files\Network Associates\Engine\OldEngine\Scan.dat"
22 May 2008 12:26:00          1 152 A....     "C:\Program Files\lotus\notes\data\ACD-DirCat.ft\ftginfo.dat"
22 May 2008 12:25:48          1 152 A....     "C:\Program Files\lotus\notes\data\ATD-DirCat.ft\ftginfo.dat"
18 Apr 2008 11:56:24         99 840 A....     "C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\components\BrandRes.dll"
18 Apr 2008 11:56:24        156 544 A....     "C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\components\fullsoft.dll"
18 Apr 2008 11:56:24         14 456 A....     "C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll"
18 Apr 2008 11:56:26        407 040 A....     "C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org\components\talkback.exe"
 5 May 2008 10:41:04        200 704 A....     "C:\Program Files\AREVA\SCT\SCT 3.39.A\SCT\Data\odf\odfoundry.exe"


Files with hidden attributes:

Tue 23 Jan 2007           108 A.SHR --- "C:\WINDOWS\neoqaz2.dll"
Sun 23 Dec 2007     6,219,320 A..H. --- "C:\Program Files\Picasa2\setup.exe"
Mon 13 Jul 1998        15,872 A.SH. --- "C:\WINDOWS\system32\WINSKFR.DLL"
Sun 22 Apr 2007         4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Tue 15 Nov 2005        78,104 A.SHR --- "C:\Program Files\Autodesk\Autodesk DWF Viewer\Setup.exe"
Thu 24 Nov 2005        17,920 A.SHR --- "C:\Program Files\Autodesk\Autodesk DWF Viewer\_Setup.dll"
Thu 24 Nov 2005        12,880 A.SHR --- "C:\Program Files\Autodesk\Autodesk DWF Viewer\_Setupx.dll"
Wed  6 Dec 2006             0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Thu  8 Mar 2007       496,640 A..H. --- "C:\Documents and Settings\ems\My Documents\_projet senelec\SENELEC_ILOG\0560 - Services techniques Logiciel\Point a point\~WRL0171.tmp"
Wed 22 Mar 2006       175,104 A..H. --- "C:\Documents and Settings\ems\My Documents\_projet senelec\orgdoc\0110 - Courrier client - Ing conseil\0112 - courriers sortants\03-Mars-2006\~WRL1164.tmp"
Fri  7 Apr 2006       191,488 A..H. --- "C:\Documents and Settings\ems\My Documents\_projet senelec\orgdoc\0110 - Courrier client - Ing conseil\0112 - courriers sortants\04-Avril-2006\~WRL1639.tmp"
Fri  7 Apr 2006       190,464 A..H. --- "C:\Documents and Settings\ems\My Documents\_projet senelec\orgdoc\0110 - Courrier client - Ing conseil\0112 - courriers sortants\04-Avril-2006\~WRL2140.tmp"
Fri  7 Apr 2006       187,904 A..H. --- "C:\Documents and Settings\ems\My Documents\_projet senelec\orgdoc\0110 - Courrier client - Ing conseil\0112 - courriers sortants\04-Avril-2006\~WRL2820.tmp"
Thu 30 Mar 2006       189,440 A..H. --- "C:\Documents and Settings\ems\My Documents\_projet senelec\orgdoc\0110 - Courrier client - Ing conseil\0112 - courriers sortants\04-Avril-2006\~WRL3698.tmp"
Tue 13 Jun 2006       185,344 A..H. --- "C:\Documents and Settings\ems\My Documents\_projet senelec\orgdoc\0110 - Courrier client - Ing conseil\0112 - courriers sortants\06_Juin_2006\~WRL3356.tmp"
Wed  9 Aug 2006        60,416 A..H. --- "C:\Documents and Settings\ems\My Documents\_projet senelec\orgdoc\0110 - Courrier client - Ing conseil\0112 - courriers sortants\08_Aout_2006\~WRL1138.tmp"
Wed  9 Aug 2006       157,184 A..H. --- "C:\Documents and Settings\ems\My Documents\_projet senelec\orgdoc\0110 - Courrier client - Ing conseil\0112 - courriers sortants\08_Aout_2006\~WRL2183.tmp"
Tue  5 Sep 2006       567,808 A..H. --- "C:\Documents and Settings\ems\My Documents\_projet senelec\orgdoc\0110 - Courrier client - Ing conseil\0112 - courriers sortants\09_Septembre_2006\~WRL0694.tmp"
Wed  6 Sep 2006        56,320 A..H. --- "C:\Documents and Settings\ems\My Documents\_projet senelec\orgdoc\0110 - Courrier client - Ing conseil\0112 - courriers sortants\09_Septembre_2006\~WRL1657.tmp"
Mon  4 Sep 2006        68,608 A..H. --- "C:\Documents and Settings\ems\My Documents\_projet senelec\orgdoc\0110 - Courrier client - Ing conseil\0112 - courriers sortants\09_Septembre_2006\~WRL3116.tmp"
Tue  3 Oct 2006       195,072 A..H. --- "C:\Documents and Settings\ems\My Documents\_projet senelec\orgdoc\0110 - Courrier client - Ing conseil\0112 - courriers sortants\10_Octobre_2006\~WRL0752.tmp"
Thu 14 Jun 2007       713,728 A..H. --- "C:\Documents and Settings\ems\My Documents\_projet senelec\SENELEC_ILOG\0560 - Services techniques Logiciel\180 - SAT\Basculement\~WRL2487.tmp"


Program Folders:

C:\Program Files\

7-Zip
activePDF
Adobe
Altiris
Analog Devices
AnswerWorks 4.0
AREVA
ASE
AutoCAD 2007
Autodesk
BitLord
CCleaner
Chloride Power
Common Files
ComPlus Applications
DivX
Easy Internet signup
EasyPHP 2.0b1
EasyPHP1-8
El Juky
Elaborate Bytes
Fichiers communs
FileZilla
Free Audio Pack
GetRight
Google
HP Accessories Product Tour
HPQ
InstallShield Installation Information
Intel
Internet Explorer
InterVideo
Investintech.com Inc
iPass
IrfanView
Java
lotus
Matroska Pack
Media Player Classic
Messenger
Microsoft ActiveSync
microsoft frontpage
Microsoft Office
Microsoft Visual Studio
Microsoft Works
Microsoft.NET
Movie Maker
Movies Extractor Scout
Mozilla Firefox
mp3split
MSN
MSN Gaming Zone
NetMeeting
Network Associates
Online Services
Outlook Express
PHP Expert Editor
Picasa2
Program Shortcuts
Real
Real Alternative
RealPlayer
Services en ligne
SHARP
Skype
Sonic
SuperCopier2
Symantec
Synaptics
Trend Micro
TVAnts
Ultra Edit
UltraEdit
Uninstall Information
uTorrent
VideoLAN
WIDCOMM
Winamp
Windows Media Connect
Windows Media Connect 2
Windows Media Player
Windows NT
Windows Resource Kits
WindowsUpdate
WinPcap
WinRAR
xerox
zabkat
zabkat(2)
Zero G Registry

C:\Program Files\Common Files\

Adobe
Autodesk Shared
Cisco Systems
Crystal Decisions
DESIGNER
Deterministic Networks
Download Manager
eDrawings2007
InstallShield
Java
L&H
Microsoft Shared
MSSoap
Network Associates
ODBC
OPC Foundation
Real
Services
Sharp Shared
SolidWorks Shared
Sonic
SpeechEngines
SureThing Shared
Symantec Shared
System


Add/Remove Programs:

Agere Systems AC'97 Modem
Areva - Computer SCT V3.37.A
Areva - Computer SCT V3.38
Areva - Computer SCT V3.38.A
Areva - Computer SCT V3.39.A
AREVA PACiS - Configuration Editor 3.74
AREVA PACiS - Configuration Editor 3.78
Autodesk DWF Viewer
BitLord 1.1
CCleaner (remove only)
CKJM
DeviceID
EasyPHP 2.0b1
FileZilla (remove only)
Free Mp3 Wma Converter V 1.7.2
GetRight
Google Desktop
Haali Media Splitter
HijackThis 2.0.2
e-terracontrol 3.4.0
Texas Instruments PCIxx21/x515 drivers.
IrfanView (remove only)
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB883667
Windows XP Hotfix - KB884575
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows Media Format SDK Hotfix - KB891122
Windows XP Hotfix - KB891781
Security Update for Windows XP (KB893756)
Windows Installer 3.1 (KB893803)
Update for Windows XP (KB894391)
Hotfix for Windows XP (KB896344)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Step By Step Interactive Training (KB898458)
Update for Windows XP (KB898461)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Update for Windows XP (KB900485)
Security Update for Windows XP (KB900725)
Update for Windows XP (KB900930)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Update for Windows XP (KB904942)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Update for Windows XP (KB908531)
Microsoft Base Smart Card Cryptographic Service Provider Package
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows Media Player (KB911564)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Update for Windows XP (KB916595)
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917537)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Update for Windows XP (KB920342)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Update for Windows XP (KB920872)
Security Update for Windows XP (KB921398)
Update for Windows XP (KB922582)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Microsoft .NET Framework 2.0 (KB922770)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB925486)
Update for Windows XP (KB925876)
Hotfix for Windows XP (KB926239)
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Matroska Pack
McAfee Anti-Spyware Enterprise Module
MiCOM COMPUTER
MiCOM COMPUTER
MiCOM COMPUTER
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Module de prise en charge linguistique de Microsoft .NET Framework 2.0 - FRA
MopUPS
Mozilla Firefox (2.0.0.14)
MP3 Splitter
Microsoft Compression Client Pack 1.0 for Windows XP
PHP Expert Editor 3.3
Picasa 2
PrimoPDF
Real Alternative 1.52
SHARP AR-M160/M205/5220 Series MFP Driver
Sharpdesk
Macromedia Flash Player 8
Skype 1.4
SuperCopier2
Synaptics Pointing Device Driver
TVAnts 1.0
Désinstallation d'UltraEdit-32
VideoLAN VLC media player 0.8.6a
Windows Genuine Advantage Validation Tool (KB892130)
Winamp (remove only)
Windows Media Format 11 runtime
Windows Media Player 11
WinPcap 3.1
WinRAR archiver
Windows Media Format 11 runtime
Windows Media Player 11
Microsoft User-Mode Driver Framework Feature Pack 1.0
xplorer² professional
ZipMail V9 for Lotus Notes
Sonic Update Manager
Sonic DLA
Microsoft Visual J# .NET Redistributable Package 1.1
e-terraplatform 22
eDrawings 2007
Google Talk (remove only)
7-Zip 4.42
Google Toolbar for Internet Explorer
e-terrabrowser 3.4.0234
FG Display Builder 5.5.0058
J2SE Runtime Environment 5.0
J2SE Runtime Environment 5.0 Update 4
HP Integrated Module with Bluetooth wireless technology
HP Wireless Assistant
ActivePerl 5.8.7 Build 815
VPN Client
AutoCAD 2007 - Français
ASE2000 Communication Test Set
InterVideo DVD Check
McAfee VirusScan Enterprise
Microsoft .NET Framework 2.0
PrimoPDF Redistribution Package
Intel(R) Graphics Media Accelerator Driver for Mobile
e-terracontrol 3.4.0
TIxx21
Microsoft Office Standard Edition 2003
Lotus Notes 7.0.3 fr
HP ProtectTools Security Manager 1.00 C3
InterVideo WinDVD
Sonic RecordNow!
Microsoft .NET Framework 1.1 French Language Pack
HP Help and Support
iPassConnect MARS
Adobe Reader 7.0
HP BIOS Configuration for ProtectTools 1.00 B7
Windows Rights Management Client with Service Pack 2
Microsoft Project 2000
Microsoft .NET Framework 1.1
Quick Launch Buttons 5.00 D5
HP Accessories Product Tour
HpSdpAppCoreApp
e-terrahabitat 22
Windows Rights Management Client Backwards Compatibility SP2
SoundMAX
Microsoft .NET Framework 2.0 Language Pack - FRA
Google Desktop
Windows Resource Kit Tools
µTorrent
05/06/2008, 12h12   #6   lidouka
SDFix continued (2/2)

Code :


Run Values:

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"AGRSMMSG"="AGRSMMSG.exe"
"KernelFaultCheck"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,\
  00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,\
  5c,00,64,00,75,00,6d,00,70,00,72,00,65,00,70,00,20,00,30,00,20,00,2d,00,6b,\
  00,00,00
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe /tray"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_04\\bin\\jusched.exe"
"UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"eabconfg.cpl"="C:\\Program Files\\HPQ\\Quick Launch Buttons\\EabServr.exe /Start"
"Cpqset"="C:\\Program Files\\HPQ\\Default Settings\\cpqset.exe"
"hpWirelessAssistant"=hex(2):22,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,\
  6d,00,46,00,69,00,6c,00,65,00,73,00,25,00,5c,00,48,00,50,00,51,00,5c,00,48,\
  00,50,00,20,00,57,00,69,00,72,00,65,00,6c,00,65,00,73,00,73,00,20,00,41,00,\
  73,00,73,00,69,00,73,00,74,00,61,00,6e,00,74,00,5c,00,48,00,50,00,20,00,57,\
  00,69,00,72,00,65,00,6c,00,65,00,73,00,73,00,20,00,41,00,73,00,73,00,69,00,\
  73,00,74,00,61,00,6e,00,74,00,2e,00,65,00,78,00,65,00,22,00,00,00
"WatchDog"="C:\\Program Files\\InterVideo\\DVD Check\\DVDCheck.exe"
"ChangeResolution"="C:\\Documents and Settings\\Administrator\\ChangeResolution.exe"
"McAfeeUpdaterUI"="\"C:\\Program Files\\Network Associates\\Common Framework\\UdaterUI.exe\" /StartedFromRunKey"
"Google Desktop Search"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
"ISUSPM Startup"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\isuspm.exe\" -startup"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"NoteBurner"="C:\\Program Files\\NoteBurner\\VTBurnerGUI.exe /silence"
"ShStatEXE"="\"C:\\Program Files\\Network Associates\\VirusScan\\SHSTAT.EXE\" /STANDALONE"
"googletalk"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe /autostart"
"runner1"="C:\\WINDOWS\\mrofinu1864.exe 61A847B5BBF728133A9D3C466188719AB689201522886B092CBD44BD8689220221DD3257"
"5f91a3fd"="rundll32.exe \"C:\\WINDOWS\\system32\\uryofegd.dll\",b"
"BM5ca29061"="Rundll32.exe \"C:\\WINDOWS\\system32\\hxbqttnx.dll\",s"
"EPM Agent"="c:\\PROGRA~1\\ipass\\epm\\rstate.exe /LOGON"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"BitTorrent"="\"C:\\Program Files\\BitTorrent\\bittorrent.exe\" --force_start_minimized"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"SharpTray"="\"C:\\Program Files\\Sharp\\Sharpdesk\\SharpTray.exe\""
"SuperCopier2.exe"="C:\\Program Files\\SuperCopier2\\SuperCopier2.exe"


Bot Check:

SERVICE_NAME: wscsvc
        DISPLAY_NAME       : Security Center  
        START_TYPE         : 2   AUTO_START
 
SERVICE_NAME: sharedaccess
        DISPLAY_NAME       : Windows Firewall/Internet Connection Sharing (ICS)  
        START_TYPE         : 2   AUTO_START
 
SERVICE_NAME: wuauserv
        DISPLAY_NAME       : Automatic Updates  
        START_TYPE         : 4   DISABLED
 
SERVICE_NAME: srservice
        DISPLAY_NAME       : System Restore Service  
        START_TYPE         : 2   AUTO_START
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="Y"
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000000
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update]
"AUOptions"=dword:00000001
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000000
"FirewallDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"WaitToKillServiceTimeout"="20000"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"SFCDisable"=dword:00000000
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shell extensions]
@=""

@=""


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters]
"TransportBindName"="\\Device\\"
 

ShellExecuteHooks:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{F53BAFE5-CE7A-4E95-95AC-A3912EFD3739}"=""
 
 

Environment:


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\environment
   ComSpec	REG_EXPAND_SZ  	%SystemRoot%\system32\cmd.exe
   OS	REG_SZ         	Windows_NT
   Path	REG_EXPAND_SZ  	C:\Program Files\Windows Resource Kits\Tools\;C:\Perl\bin\;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\PROGRA~1\ULTRAE~2
   PATHEXT	REG_SZ         	.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
   PrintComTraffic	REG_SZ         	YES
   TEMP	REG_SZ         	c:\TEMP
   TMP	REG_SZ         	c:\TEMP
   WEBFGROOT	REG_SZ         	C:\AREVA\e_terrabrowser\
   windir	REG_EXPAND_SZ  	%SystemRoot%
   SDImgTemp	REG_SZ         	C:\Program Files\Sharp\Sharpdesk\Imaging\Temp
   SAFEBOOT_OPTION	REG_SZ         	MINIMAL

SecurityProviders:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders
   SecurityProviders	REG_SZ         	msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


Authentication Packages:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
   Authentication Packages	REG_MULTI_SZ   	msv1_0\0C:\WINDOWS\system32\hgGyyvuR\0\0


Subsystem Startup:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems]
"Windows"="%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16"


Midi Drivers:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"midi"="wdmaud.drv"


Non-Default IFEO Debugger:


Non-Default Installed Components:


Non-Default Safeboot Minimal:


File Associations:


[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\cmdfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\htafile\shell\open\command]
@="C:\\WINDOWS\\system32\\mshta.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\http\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" -nohome"

[HKEY_CLASSES_ROOT\htmlfile\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" -nohome"

[HKEY_CLASSES_ROOT\regedit\shell\open\command]
@="regedit.exe %1"

[HKEY_CLASSES_ROOT\regfile\shell\open\command]
@="regedit.exe \"%1\""

[HKEY_CLASSES_ROOT\scrfile\shell\open\command]
@="\"%1\" /S"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%SystemRoot%\system32\NOTEPAD.EXE %1"


Finished!
The HijackThis one is coming next ...
05/06/2008, 12h14   #7   lidouka
HijackThis log:

Code :
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:54:35, on 05/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hp.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.101.201.204:8080
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] "%ProgramFiles%\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe"
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [ChangeResolution] C:\Documents and Settings\Administrator\ChangeResolution.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NoteBurner] C:\Program Files\NoteBurner\VTBurnerGUI.exe /silence
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1864.exe 61A847B5BBF728133A9D3C466188719AB689201522886B092CBD44BD8689220221DD3257
O4 - HKLM\..\Run: [5f91a3fd] rundll32.exe "C:\WINDOWS\system32\uryofegd.dll",b
O4 - HKLM\..\Run: [BM5ca29061] Rundll32.exe "C:\WINDOWS\system32\hxbqttnx.dll",s
O4 - HKLM\..\Run: [EPM Agent] c:\PROGRA~1\ipass\epm\rstate.exe /LOGON
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SharpTray] "C:\Program Files\Sharp\Sharpdesk\SharpTray.exe"
O4 - HKCU\..\Run: [SuperCopier2.exe] C:\Program Files\SuperCopier2\SuperCopier2.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Areva T&D VPN Client.lnk = C:\Program Files\iPass\Cisco VPN\vpngui.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{CF3AA6CA-FA66-492F-8196-C6A015F75500}: NameServer = 213.154.64.13,213.154.95.126
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = mail.areva-td.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = mail.areva-td.com,prod.atd.corp
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = mail.areva-td.com,prod.atd.corp
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = mail.areva-td.com,prod.atd.corp
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\iPass\Cisco VPN\cvpnd.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DWRCS.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HABITAT Group 20 - AREVA T&D - C:\AREVA\habitat20\habitat\bin\tview_server.exe
O23 - Service: HABITAT Group 22 - AREVA T&D - C:\AREVA\habitat22\habitat\bin\tview_server.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPassConnectEngine - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
O23 - Service: iPassPeriodicUpdateApp - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
O23 - Service: iPassPeriodicUpdateService - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
O23 - Service: Service de l'iPod (iPod Service) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: iPass Endpoint Policy Management Agent (MobileAutmationAgentService) - iPass Inc. - c:\program files\ipass\epm\rstate.exe
O23 - Service: MopUPS - Chloride Power - C:\Program Files\Chloride Power\MopUPS\ups.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: OpcEnum - OPC Foundation - C:\WINDOWS\system32\OpcEnum.exe
O23 - Service: Process Starter  (ProcessStarter) - AREVA T&&D Corporation - c:\areva\e_terracontrol\bin\processstarter.service.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: DeviceID Authentication Agent (ServiceWrapper) - Unknown owner - C:\PROGRA~1\iPass\DeviceID\bin\ServiceWrapper.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 8569 bytes
Thanks for your help.
05/06/2008, 16h01   #8   rlgrand
Hello,

That's not the right report. Did you actually use the link that was given?
The report looks like this:
Quote:
SDFix: Version 1.188
Run by Administrateur on 05/06/2008 at 13:30

Microsoft Windows XP [version 5.1.2600]
Running From: C:\sdfix\SDFix

Checking Services :

Restoring Windows Registry Values
....
Please redo the procedure.
SDFix does have to be run from Safe Mode.
Follow the instructions. The report will appear after the computer restarts, in your session. Save it at that point.
Afterwards, run HijackThis.

Cheers.
05/06/2008, 17h10   #9   lidouka
OK rlgrand, I re-ran the report.
Here is the new SDFix report:

Code :

SDFix: Version 1.187 
Run by ems on 05/06/2008 at 14:43

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\sdfix\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files : 

Trojan Files Found:

C:\WINDOWS\system32\ljJdbYRI.dll - Deleted
C:\WINDOWS\mrofinu1864.exe - Deleted





Removing Temp Files

ADS Check :

C:\WINDOWS
  :                                      108
Total size: 108 bytes.
WINDOWS: Access is denied. 

Checking for remaining Streams

C:\WINDOWS
  :                                      108
Total size: 108 bytes.
 
 


                                 Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-05 15:00:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Areva\\habitat20\\habitat\\bin\\procman.exe"="C:\\Areva\\habitat20\\habitat\\bin\\procman.exe:*:Enabled:procman"
"C:\\Areva\\habitat20\\habitat\\bin\\rfgdice.exe"="C:\\Areva\\habitat20\\habitat\\bin\\rfgdice.exe:*:Enabled:rfgdice"
"C:\\Areva\\habitat20\\habitat\\bin\\ruserserver.exe"="C:\\Areva\\habitat20\\habitat\\bin\\ruserserver.exe:*:Enabled:ruserserver"
"C:\\Areva\\habitat20\\habitat\\bin\\mlfdmn.exe"="C:\\Areva\\habitat20\\habitat\\bin\\mlfdmn.exe:*:Enabled:mlfdmn"
"C:\\Areva\\habitat20\\habitat\\bin\\nioarc.exe"="C:\\Areva\\habitat20\\habitat\\bin\\nioarc.exe:*:Enabled:nioarc"
"C:\\Areva\\habitat20\\habitat\\bin\\webfgserver.exe"="C:\\Areva\\habitat20\\habitat\\bin\\webfgserver.exe:*:Enabled:webfgserver"
"C:\\Areva\\habitat20\\habitat\\bin\\procdbclk.exe"="C:\\Areva\\habitat20\\habitat\\bin\\procdbclk.exe:*:Enabled:procdbclk"
"C:\\Areva\\habitat20\\habitat\\bin\\permsrv.exe"="C:\\Areva\\habitat20\\habitat\\bin\\permsrv.exe:*:Enabled:permsrv"
"C:\\Areva\\habitat22\\habitat\\bin\\rfgdice.exe"="C:\\Areva\\habitat22\\habitat\\bin\\rfgdice.exe:*:Enabled:rfgdice"
"C:\\Areva\\habitat22\\habitat\\bin\\ruserserver.exe"="C:\\Areva\\habitat22\\habitat\\bin\\ruserserver.exe:*:Enabled:ruserserver"
"C:\\Areva\\habitat22\\habitat\\bin\\mlfdmn.exe"="C:\\Areva\\habitat22\\habitat\\bin\\mlfdmn.exe:*:Enabled:mlfdmn"
"C:\\Areva\\habitat22\\habitat\\bin\\procman.exe"="C:\\Areva\\habitat22\\habitat\\bin\\procman.exe:*:Enabled:procman"
"C:\\Areva\\habitat22\\habitat\\bin\\webfgserver.exe"="C:\\Areva\\habitat22\\habitat\\bin\\webfgserver.exe:*:Enabled:webfgserver"
"C:\\Areva\\habitat22\\habitat\\bin\\nioarc.exe"="C:\\Areva\\habitat22\\habitat\\bin\\nioarc.exe:*:Enabled:nioarc"
"C:\\Areva\\habitat22\\habitat\\bin\\procdbclk.exe"="C:\\Areva\\habitat22\\habitat\\bin\\procdbclk.exe:*:Enabled:procdbclk"
"C:\\Areva\\habitat22\\habitat\\bin\\permsrv.exe"="C:\\Areva\\habitat22\\habitat\\bin\\permsrv.exe:*:Enabled:permsrv"
"C:\\Areva\\habitat22\\habitat\\bin\\nioclerk.exe"="C:\\Areva\\habitat22\\habitat\\bin\\nioclerk.exe:*:Enabled:nioclerk"
"C:\\Areva\\habitat22\\habitat\\bin\\nioserve.exe"="C:\\Areva\\habitat22\\habitat\\bin\\nioserve.exe:*:Enabled:nioserve"
"C:\\Areva\\habitat22\\habitat\\bin\\cfgctrl.exe"="C:\\Areva\\habitat22\\habitat\\bin\\cfgctrl.exe:*:Enabled:cfgctrl"
"C:\\Areva\\habitat22\\habitat\\bin\\alarm.exe"="C:\\Areva\\habitat22\\habitat\\bin\\alarm.exe:*:Enabled:alarm"
"C:\\Areva\\habitat22\\habuser\\bin\\control.exe"="C:\\Areva\\habitat22\\habuser\\bin\\control.exe:*:Enabled:control"
"C:\\Areva\\habitat22\\habuser\\bin\\sccommit.exe"="C:\\Areva\\habitat22\\habuser\\bin\\sccommit.exe:*:Enabled:sccommit"
"C:\\Areva\\habitat22\\habuser\\bin\\scadatop.exe"="C:\\Areva\\habitat22\\habuser\\bin\\scadatop.exe:*:Enabled:scadatop"
"C:\\Areva\\habitat22\\habuser\\bin\\scadfreq.exe"="C:\\Areva\\habitat22\\habuser\\bin\\scadfreq.exe:*:Enabled:scadfreq"
"C:\\Areva\\habitat22\\habuser\\bin\\scsrv.exe"="C:\\Areva\\habitat22\\habuser\\bin\\scsrv.exe:*:Enabled:scsrv"
"C:\\Areva\\habitat22\\habuser\\bin\\scanner.exe"="C:\\Areva\\habitat22\\habuser\\bin\\scanner.exe:*:Enabled:scanner"
"C:\\Areva\\habitat22\\habuser\\bin\\usercalc.exe"="C:\\Areva\\habitat22\\habuser\\bin\\usercalc.exe:*:Enabled:usercalc"
"C:\\Areva\\habitat22\\habuser\\bin\\psascheds.exe"="C:\\Areva\\habitat22\\habuser\\bin\\psascheds.exe:*:Enabled:psascheds"
"C:\\Areva\\habitat22\\habuser\\bin\\loadshed.exe"="C:\\Areva\\habitat22\\habuser\\bin\\loadshed.exe:*:Enabled:loadshed"
"C:\\Areva\\habitat22\\habuser\\bin\\schist.exe"="C:\\Areva\\habitat22\\habuser\\bin\\schist.exe:*:Enabled:schist"
"C:\\Areva\\habitat22\\habuser\\bin\\tagnotes.exe"="C:\\Areva\\habitat22\\habuser\\bin\\tagnotes.exe:*:Enabled:tagnotes"
"C:\\Areva\\habitat22\\habuser\\bin\\sqsman.exe"="C:\\Areva\\habitat22\\habuser\\bin\\sqsman.exe:*:Enabled:sqsman"
"C:\\Areva\\habitat22\\habuser\\bin\\stgenrap.exe"="C:\\Areva\\habitat22\\habuser\\bin\\stgenrap.exe:*:Enabled:stgenrap"
"C:\\Areva\\habitat22\\habuser\\bin\\rtagc.exe"="C:\\Areva\\habitat22\\habuser\\bin\\rtagc.exe:*:Enabled:rtagc"
"C:\\Areva\\habitat22\\habuser\\bin\\recon.exe"="C:\\Areva\\habitat22\\habuser\\bin\\recon.exe:*:Enabled:recon"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Areva\\e_terracontrol\\bin\\scada.exe"="C:\\Areva\\e_terracontrol\\bin\\scada.exe:*:Enabled:SCADA"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\BitLord\\BitLord.exe"="C:\\Program Files\\BitLord\\BitLord.exe:*:Enabled:BitLord"
"C:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"="C:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe:*:Enabled:McAfee Framework Service"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\sdfix\SDFix\backups\backups.zip

Files with Hidden Attributes :

Tue 23 Jan 2007           108 A.SHR --- "C:\WINDOWS\neoqaz2.dll"
Sun 23 Dec 2007     6,219,320 A..H. --- "C:\Program Files\Picasa2\setup.exe"
Mon 13 Jul 1998        15,872 A.SH. --- "C:\WINDOWS\system32\WINSKFR.DLL"
Sun 22 Apr 2007         4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Tue 15 Nov 2005        78,104 A.SHR --- "C:\Program Files\Autodesk\Autodesk DWF Viewer\Setup.exe"
Thu 24 Nov 2005        17,920 A.SHR --- "C:\Program Files\Autodesk\Autodesk DWF Viewer\_Setup.dll"
Thu 24 Nov 2005        12,880 A.SHR --- "C:\Program Files\Autodesk\Autodesk DWF Viewer\_Setupx.dll"
Wed  6 Dec 2006             0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Thu  8 Mar 2007       496,640 A..H. --- "C:\Documents and Settings\ems\My Documents\_projet senelec\SENELEC_ILOG\0560 - Services techniques Logiciel\Point a point\~WRL0171.tmp"
Wed 22 Mar 2006       175,104 A..H. --- "C:\Documents and Settings\ems\My Documents\_projet senelec\orgdoc\0110 - Courrier client - Ing conseil\0112 - courriers sortants\03-Mars-2006\~WRL1164.tmp"
Fri  7 Apr 2006       191,488 A..H. --- "C:\Documents and Settings\ems\My Documents\_projet senelec\orgdoc\0110 - Courrier client - Ing conseil\0112 - courriers sortants\04-Avril-2006\~WRL1639.tmp"
Fri  7 Apr 2006       190,464 A..H. --- "C:\Documents and Settings\ems\My Documents\_projet senelec\orgdoc\0110 - Courrier client - Ing conseil\0112 - courriers sortants\04-Avril-2006\~WRL2140.tmp"
Fri  7 Apr 2006       187,904 A..H. --- "C:\Documents and Settings\ems\My Documents\_projet senelec\orgdoc\0110 - Courrier client - Ing conseil\0112 - courriers sortants\04-Avril-2006\~WRL2820.tmp"
Thu 30 Mar 2006       189,440 A..H. --- "C:\Documents and Settings\ems\My Documents\_projet senelec\orgdoc\0110 - Courrier client - Ing conseil\0112 - courriers sortants\04-Avril-2006\~WRL3698.tmp"
Tue 13 Jun 2006       185,344 A..H. --- "C:\Documents and Settings\ems\My Documents\_projet senelec\orgdoc\0110 - Courrier client - Ing conseil\0112 - courriers sortants\06_Juin_2006\~WRL3356.tmp"
Wed  9 Aug 2006        60,416 A..H. --- "C:\Documents and Settings\ems\My Documents\_projet senelec\orgdoc\0110 - Courrier client - Ing conseil\0112 - courriers sortants\08_Aout_2006\~WRL1138.tmp"
Wed  9 Aug 2006       157,184 A..H. --- "C:\Documents and Settings\ems\My Documents\_projet senelec\orgdoc\0110 - Courrier client - Ing conseil\0112 - courriers sortants\08_Aout_2006\~WRL2183.tmp"
Tue  5 Sep 2006       567,808 A..H. --- "C:\Documents and Settings\ems\My Documents\_projet senelec\orgdoc\0110 - Courrier client - Ing conseil\0112 - courriers sortants\09_Septembre_2006\~WRL0694.tmp"
Wed  6 Sep 2006        56,320 A..H. --- "C:\Documents and Settings\ems\My Documents\_projet senelec\orgdoc\0110 - Courrier client - Ing conseil\0112 - courriers sortants\09_Septembre_2006\~WRL1657.tmp"
Mon  4 Sep 2006        68,608 A..H. --- "C:\Documents and Settings\ems\My Documents\_projet senelec\orgdoc\0110 - Courrier client - Ing conseil\0112 - courriers sortants\09_Septembre_2006\~WRL3116.tmp"
Tue  3 Oct 2006       195,072 A..H. --- "C:\Documents and Settings\ems\My Documents\_projet senelec\orgdoc\0110 - Courrier client - Ing conseil\0112 - courriers sortants\10_Octobre_2006\~WRL0752.tmp"
Thu 14 Jun 2007       713,728 A..H. --- "C:\Documents and Settings\ems\My Documents\_projet senelec\SENELEC_ILOG\0560 - Services techniques Logiciel\180 - SAT\Basculement\~WRL2487.tmp"

Finished!
followed by the new HijackThis report

Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:07:20, on 05/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\iPass\Cisco VPN\cvpnd.exe
C:\WINDOWS\SYSTEM32\DWRCS.EXE
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\ipass\epm\rstate.exe
C:\Program Files\lotus\notes\ntmulti.exe
c:\areva\e_terracontrol\bin\processstarter.service.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\PROGRA~1\ipass\epm\rstate.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sharp\Sharpdesk\SharpTray.exe
C:\Program Files\SuperCopier2\SuperCopier2.exe
C:\WINDOWS\SYSTEM32\DWRCST.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hp.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.101.201.204:8080
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] "%ProgramFiles%\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe"
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [ChangeResolution] C:\Documents and Settings\Administrator\ChangeResolution.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NoteBurner] C:\Program Files\NoteBurner\VTBurnerGUI.exe /silence
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [5f91a3fd] rundll32.exe "C:\WINDOWS\system32\bckdaquw.dll",b
O4 - HKLM\..\Run: [BM5ca29061] Rundll32.exe "C:\WINDOWS\system32\qqlljnss.dll",s
O4 - HKLM\..\Run: [EPM Agent] c:\PROGRA~1\ipass\epm\rstate.exe /LOGON
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SharpTray] "C:\Program Files\Sharp\Sharpdesk\SharpTray.exe"
O4 - HKCU\..\Run: [SuperCopier2.exe] C:\Program Files\SuperCopier2\SuperCopier2.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Areva T&D VPN Client.lnk = C:\Program Files\iPass\Cisco VPN\vpngui.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{CF3AA6CA-FA66-492F-8196-C6A015F75500}: NameServer = 213.154.64.13,213.154.95.126
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = mail.areva-td.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = mail.areva-td.com,prod.atd.corp
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = mail.areva-td.com,prod.atd.corp
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = mail.areva-td.com,prod.atd.corp
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\iPass\Cisco VPN\cvpnd.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DWRCS.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HABITAT Group 20 - AREVA T&D - C:\AREVA\habitat20\habitat\bin\tview_server.exe
O23 - Service: HABITAT Group 22 - AREVA T&D - C:\AREVA\habitat22\habitat\bin\tview_server.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPassConnectEngine - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
O23 - Service: iPassPeriodicUpdateApp - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
O23 - Service: iPassPeriodicUpdateService - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
O23 - Service: Service de l'iPod (iPod Service) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: iPass Endpoint Policy Management Agent (MobileAutmationAgentService) - iPass Inc. - c:\program files\ipass\epm\rstate.exe
O23 - Service: MopUPS - Chloride Power - C:\Program Files\Chloride Power\MopUPS\ups.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: OpcEnum - OPC Foundation - C:\WINDOWS\system32\OpcEnum.exe
O23 - Service: Process Starter  (ProcessStarter) - AREVA T&&D Corporation - c:\areva\e_terracontrol\bin\processstarter.service.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: DeviceID Authentication Agent (ServiceWrapper) - Unknown owner - C:\PROGRA~1\iPass\DeviceID\bin\ServiceWrapper.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 11017 bytes
PS: The problem persists. Thanks for your help.
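The HijackThis log above is where the two entries that keep coming back are visible: `[5f91a3fd] rundll32.exe "...\bckdaquw.dll",b` and `[BM5ca29061] Rundll32.exe "...\qqlljnss.dll",s`, both eight-letter DLLs in system32 loaded through rundll32 with a single-letter export argument, under value names that are hex strings rather than product names; the SDFix run a few minutes earlier had deleted a different DLL (ljJdbYRI.dll). The script below is an added example, not part of the thread and not code from HijackThis or Trend Micro: it parses the O4, O17, O20 and O23 sections of such a log and scores entries with exactly those signals. The sample lines are copied from the log above; the scoring rules and thresholds are the example's own heuristics, and a random-name check like this will also hit some legitimate software, which is why a single signal only earns a "review".

```python
"""Triage of a HijackThis v2 log: pick out the entries worth a second look.

Added example for this thread, not code from the forum or from HijackThis. The
sample lines are copied from the HijackThis log posted above; the scoring rules
and thresholds are this example's own heuristics, not a signature database.
"""
import re
from dataclasses import dataclass
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [5f91a3fd] rundll32.exe "C:\WINDOWS\system32\bckdaquw.dll",b
O4 - HKLM\..\Run: [BM5ca29061] Rundll32.exe "C:\WINDOWS\system32\qqlljnss.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{CF3AA6CA-FA66-492F-8196-C6A015F75500}: NameServer = 213.154.64.13,213.154.95.126
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Service de l'iPod (iPod Service) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
"""

@dataclass
class Finding:
    section: str   # HijackThis section: O4, O17, O20 or O23
    name: str      # Run value name, adapter key or service name
    severity: str  # "high": act on it; "review": verify the vendor by hand
    reason: str

RUN_ENTRY = re.compile(r"^HK\w+\\\.\.\\Run: \[([^\]]+)\] (.*)$")
RUNDLL = re.compile(r'^rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?(?:,(\S*))?$', re.I)
HEXISH_NAME = re.compile(r"^[A-Za-z]{0,2}[0-9a-f]{8,}$")
SERVICE = re.compile(r"^Service: (.+?) - (.+?) - (.+)$")

def random_looking(stem: str) -> bool:
    """Heuristic: exactly eight lowercase letters, a quarter or fewer of them vowels.
    Legitimate DLL names can match too, so this is never the only signal used."""
    if not re.fullmatch(r"[a-z]{8}", stem):
        return False
    return sum(c in "aeiouy" for c in stem) / len(stem) <= 0.25

def triage_run_entry(body: str):
    m = RUN_ENTRY.match(body)
    if not m:
        return None  # Global Startup and other O4 variants are not scored here
    name, command = m.groups()
    reasons = []
    dll = RUNDLL.match(command.strip())
    if dll:
        path, export = dll.group(1), dll.group(2) or ""
        folder, _, filename = path.rpartition("\\")
        if folder.lower().endswith("system32") and random_looking(filename[:-4].lower()):
            reasons.append(f"rundll32 loads {filename} from system32 under a random-looking name")
        if len(export) <= 1:
            reasons.append(f"export argument {export!r} is not a real entry-point name")
    if HEXISH_NAME.match(name):
        reasons.append(f"value name {name!r} is a hex string, not a product name")
    if not reasons:
        return None
    return Finding("O4", name, "high" if len(reasons) >= 2 else "review", "; ".join(reasons))

def triage_nameserver(body: str):
    m = re.match(r"^(.*?): NameServer = (.*)$", body)
    return m and Finding("O17", m.group(1).rsplit("\\", 1)[-1], "review",
                         f"per-adapter DNS servers {m.group(2)}: confirm they are your ISP's or employer's")

def triage_appinit(body: str):
    m = re.match(r"^AppInit_DLLs: (\S.*)$", body)
    return m and Finding("O20", m.group(1).strip(), "review",
                         "AppInit_DLLs is loaded into every process that maps user32.dll; confirm the vendor")

def triage_service(body: str):
    m = SERVICE.match(body)
    if not m:
        return None
    name, owner, path = m.groups()
    problems = []
    if owner == "Unknown owner":
        problems.append("binary carries no company name")
    if path.endswith("(file missing)"):
        problems.append("service binary is missing")
    return Finding("O23", name, "review", "; ".join(problems)) if problems else None

HANDLERS = {"O4": triage_run_entry, "O17": triage_nameserver,
            "O20": triage_appinit, "O23": triage_service}

def triage(log_text: str) -> list:
    findings = []
    for line in log_text.splitlines():
        m = re.match(r"^(O\d+) - (.*)$", line.strip())
        finding = HANDLERS[m.group(1)](m.group(2)) if m and m.group(1) in HANDLERS else None
        if finding:
            findings.append(finding)
    return findings

if __name__ == "__main__":
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: f.severity):
        print(f"[{f.severity:6}] {f.section} {f.name}: {f.reason}")
```

Run on the excerpt, the two hex-named rundll32 entries are the only "high" findings; the O17 DNS servers, the AppInit_DLLs value and the orphaned iPod service come out as "review", which matches how a helper reads such a log: the Run entries are acted on, the rest is verified against what the owner knows is installed.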
05/06/2008, 18:44   #10   rlgrand
Hello, lidouka

We have taken a step forward.
Now download ComboFix:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
We will run it a first time to look for infections.
Launch ComboFix.exe and follow the prompts.
Once the scan has finished, a report will appear.
Copy and paste that report into your next reply.
If you cannot find it, it is at C:\ComboFix.txt.

Regards.
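A first ComboFix pass, as requested above, yields a second snapshot of the autorun keys that can be set against the HijackThis log taken two hours earlier. The following is an added example, not part of the thread and not code from SDFix, HijackThis or ComboFix: it parses the O4 Run lines of a HijackThis log, the Run values in ComboFix's "Reg Loading Points" section and ComboFix's "Files Created" listing, then reports Run values whose name is unchanged but whose DLL has been swapped for a freshly created file in the same directory. The excerpts are copied from the logs posted in this thread (the HijackThis log saved at 15:07 and the ComboFix log run at 17:35, posted in the next reply); the comparison logic is the example's own.

```python
"""Compare two autorun snapshots taken hours apart to expose a persistence
entry that survives cleanup by re-dropping itself under a new random filename.

Added example for this thread; not code from the forum, SDFix, HijackThis or
ComboFix. The excerpts are copied from the logs posted in this thread: the
HijackThis log saved at 15:07 and the ComboFix log run at 17:35 ("Reg Loading
Points" and "Files Created" sections). The comparison logic is this example's own.
"""
import re

HJT_1507 = r"""
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [5f91a3fd] rundll32.exe "C:\WINDOWS\system32\bckdaquw.dll",b
O4 - HKLM\..\Run: [BM5ca29061] Rundll32.exe "C:\WINDOWS\system32\qqlljnss.dll",s
O4 - HKLM\..\Run: [EPM Agent] c:\PROGRA~1\ipass\epm\rstate.exe /LOGON
"""

COMBOFIX_1735_RUN = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 21:22 3739648]
"5f91a3fd"="C:\WINDOWS\system32\docqyqom.dll" [2008-06-05 17:28 117248]
"BM5ca29061"="C:\WINDOWS\system32\dxfaxpex.dll" [2008-06-05 17:26 126976]
"EPM Agent"="c:\PROGRA~1\ipass\epm\rstate.exe" [2006-01-09 20:52 94208]
"""

# ComboFix separates these columns with tabs; spaces are used here so the
# sample survives copy-paste, and the parser accepts either.
COMBOFIX_1735_CREATED = r"""
2008-06-05 17:28 . 2008-06-05 17:28    117,248    --a------    C:\WINDOWS\system32\docqyqom.dll
2008-06-05 17:26 . 2008-06-05 17:26    126,976    --a------    C:\WINDOWS\system32\dxfaxpex.dll
2008-06-05 13:11 . 2008-06-05 13:11    147,456    --a------    C:\WINDOWS\system32\bckdaquw.dll
2008-06-05 13:05 . 2008-06-05 13:05    156,160    --a------    C:\WINDOWS\system32\qqlljnss.dll
"""

# First drive-letter path ending in .exe or .dll; skips a leading "rundll32.exe".
IMAGE = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:exe|dll))', re.I)

def parse_hjt_run(text: str) -> dict:
    """HijackThis O4 Run lines -> {value name: lowercased image path}."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"^O4 - HK\w+\\\.\.\\Run: \[([^\]]+)\] (.*)$", line.strip())
        img = IMAGE.search(m.group(2)) if m else None
        if img:
            out[m.group(1)] = img.group(1).lower()
    return out

def parse_combofix_run(text: str) -> dict:
    """ComboFix 'Reg Loading Points' values -> {value name: lowercased image path}."""
    out = {}
    for line in text.splitlines():
        m = re.match(r'^"([^"]+)"="([^"]*)"', line.strip())
        img = IMAGE.search(m.group(2)) if m else None
        if img:
            out[m.group(1)] = img.group(1).lower()
    return out

def parse_combofix_created(text: str) -> dict:
    """ComboFix 'Files Created' lines -> {lowercased path: creation timestamp}."""
    out = {}
    pat = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. \S+ \S+\s+[\d,]+\s+\S+\s+(.+)$")
    for line in text.splitlines():
        m = pat.match(line.strip())
        if m:
            out[m.group(2).strip().lower()] = m.group(1)
    return out

def rotated_entries(before: dict, after: dict) -> dict:
    """Value names kept between snapshots whose image moved to a different file in
    the same directory: the registry value is the anchor, the file is disposable."""
    rotated = {}
    for name in before.keys() & after.keys():
        old, new = before[name], after[name]
        if old != new and old.rpartition("\\")[0] == new.rpartition("\\")[0]:
            rotated[name] = (old, new)
    return rotated

def report(before: dict, after: dict, created: dict) -> list:
    """One line per rotated value, with the creation time of the replacement file."""
    lines = []
    for name, (old, new) in sorted(rotated_entries(before, after).items()):
        when = created.get(new, "creation time not in log")
        old_file, new_file = old.rsplit("\\", 1)[-1], new.rsplit("\\", 1)[-1]
        lines.append(f"{name}: {old_file} -> {new_file} (new file created {when})")
    return lines

if __name__ == "__main__":
    for line in report(parse_hjt_run(HJT_1507), parse_combofix_run(COMBOFIX_1735_RUN),
                       parse_combofix_created(COMBOFIX_1735_CREATED)):
        print(line)
```

On these excerpts the two hex-named values point at different DLLs in each snapshot, and the replacements were created at 17:26 and 17:28, minutes before the 17:35 ComboFix run, while googletalk and EPM Agent are unchanged. That is the reason a helper asks for a fresh log after every step rather than cleaning from an old one: deleting whichever file is named in a stale log leaves the Run value in place to be repointed.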
05/06/2008, 19:53   #11   lidouka
rlgrand, here is the ComboFix log

Code:
ComboFix 08-06-05.2 - ems 2008-06-05 17:35:16.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.480 [GMT 0:00]
Running from: C:\Documents and Settings\ems\My Documents\isoft\ComboFix.exe
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM5ca29061.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\dgefoyru.ini
C:\WINDOWS\system32\hgGyyvuR.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\moqyqcod.ini
C:\WINDOWS\system32\RuvyyGgh.ini
C:\WINDOWS\system32\RuvyyGgh.ini2
C:\WINDOWS\system32\wuqadkcb.ini

.
(((((((((((((((((((((((((   Files Created from 2008-05-05 to 2008-06-05  )))))))))))))))))))))))))))))))
.

2008-06-05 17:41 . 2008-06-05 17:41	<DIR>	d---s----	C:\TEMP\Temporary Internet Files
2008-06-05 17:41 . 2008-06-05 17:41	<DIR>	d---s----	C:\TEMP\History
2008-06-05 17:41 . 2008-06-05 17:43	<DIR>	d---s----	C:\TEMP\Cookies
2008-06-05 17:38 . 2008-06-05 17:43	<DIR>	d--------	C:\TEMP
2008-06-05 17:28 . 2008-06-05 17:28	117,248	--a------	C:\WINDOWS\system32\docqyqom.dll
2008-06-05 17:26 . 2008-06-05 17:26	126,976	--a------	C:\WINDOWS\system32\dxfaxpex.dll
2008-06-05 14:33 . 2008-06-05 14:33	<DIR>	d--------	C:\WINDOWS\ERUNT
2008-06-05 13:30 . 2008-06-05 13:30	<DIR>	d--------	C:\Program Files\zabkat
2008-06-05 13:11 . 2008-06-05 13:11	147,456	--a------	C:\WINDOWS\system32\bckdaquw.dll
2008-06-05 13:05 . 2008-06-05 13:05	156,160	--a------	C:\WINDOWS\system32\qqlljnss.dll
2008-06-05 09:35 . 2008-06-05 09:35	<DIR>	d--------	C:\sdfix
2008-06-04 16:30 . 2008-06-04 16:30	<DIR>	d--------	C:\Program Files\CCleaner
2008-06-04 16:26 . 2008-06-04 16:26	<DIR>	d--------	C:\Program Files\Trend Micro
2008-06-04 13:06 . 2008-06-04 13:06	126,976	--a------	C:\WINDOWS\system32\hxbqttnx.dll
2008-06-03 14:05 . 2008-06-03 14:14	<DIR>	d--------	C:\Documents and Settings\ems\Application Data\uTorrent
2008-06-03 14:04 . 2008-06-03 14:05	<DIR>	d--------	C:\Program Files\uTorrent
2008-05-19 14:41 . 2008-05-19 14:41	35,070	--a------	C:\x2settings.reg
2008-05-15 17:22 . 2008-05-15 17:22	<DIR>	d--------	C:\Program Files\Free Audio Pack
2008-05-15 16:54 . 2008-05-15 16:54	133,632	--a------	C:\WINDOWS\system32\SpoonUninstall.exe
2008-05-08 16:48 . 2008-05-10 16:24	<DIR>	d--------	C:\Program Files\EasyPHP 2.0b1

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-04 16:34	---------	d-----w	C:\Program Files\GetRight
2008-05-26 18:49	---------	d-----w	C:\Program Files\Google
2008-04-08 21:06	---------	d-----w	C:\Documents and Settings\ems\Application Data\Skype
2008-03-18 12:06	32	----a-w	C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-01-23 07:34	108	--sha-r	C:\WINDOWS\neoqaz2.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 01:07 1667584]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
"SharpTray"="C:\Program Files\Sharp\Sharpdesk\SharpTray.exe" [2003-07-18 10:58 28672]
"SuperCopier2.exe"="C:\Program Files\SuperCopier2\SuperCopier2.exe" [2006-07-07 16:45 1052672]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-11-16 09:19 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-11-16 09:15 126976]
"AGRSMMSG"="AGRSMMSG.exe" [2004-08-24 11:20 88363 C:\WINDOWS\AGRSMMSG.exe]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 17:11 1388544]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe" [2005-06-03 03:52 36975]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 09:01 110592]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-08-03 09:05 122939]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 18:40 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 18:38 688218]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-11-01 18:11 290816]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2004-09-08 00:28 213054]
"hpWirelessAssistant"="C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe" [2004-11-12 20:40 790528]
"WatchDog"="C:\Program Files\InterVideo\DVD Check\DVDCheck.exe" [2004-10-26 16:17 184320]
"ChangeResolution"="C:\Documents and Settings\Administrator\ChangeResolution.exe" [ ]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" [2007-08-07 18:32 136768]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-10-02 13:43 1836544]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 23:30 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 23:30 81920]
"NoteBurner"="C:\Program Files\NoteBurner\VTBurnerGUI.exe" [ ]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-08-18 08:00 94208]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 21:22 3739648]
"5f91a3fd"="C:\WINDOWS\system32\docqyqom.dll" [2008-06-05 17:28 117248]
"BM5ca29061"="C:\WINDOWS\system32\dxfaxpex.dll" [2008-06-05 17:26 126976]
"EPM Agent"="c:\PROGRA~1\ipass\epm\rstate.exe" [2006-01-09 20:52 94208]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]
Areva T&D VPN Client.lnk - C:\Program Files\iPass\Cisco VPN\vpngui.exe [2008-02-21 10:03:40 1528880]
BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2004-10-26 12:20:42 569405]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyPHP]
--a------ 2006-11-19 22:16 176128 C:\Program Files\EasyPHP 2.0b1\EasyPHP.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Areva\\habitat20\\habitat\\bin\\procman.exe"=
"C:\\Areva\\habitat20\\habitat\\bin\\rfgdice.exe"=
"C:\\Areva\\habitat20\\habitat\\bin\\ruserserver.exe"=
"C:\\Areva\\habitat20\\habitat\\bin\\mlfdmn.exe"=
"C:\\Areva\\habitat20\\habitat\\bin\\nioarc.exe"=
"C:\\Areva\\habitat20\\habitat\\bin\\webfgserver.exe"=
"C:\\Areva\\habitat20\\habitat\\bin\\procdbclk.exe"=
"C:\\Areva\\habitat20\\habitat\\bin\\permsrv.exe"=
"C:\\Areva\\habitat22\\habitat\\bin\\rfgdice.exe"=
"C:\\Areva\\habitat22\\habitat\\bin\\ruserserver.exe"=
"C:\\Areva\\habitat22\\habitat\\bin\\mlfdmn.exe"=
"C:\\Areva\\habitat22\\habitat\\bin\\procman.exe"=
"C:\\Areva\\habitat22\\habitat\\bin\\webfgserver.exe"=
"C:\\Areva\\habitat22\\habitat\\bin\\nioarc.exe"=
"C:\\Areva\\habitat22\\habitat\\bin\\procdbclk.exe"=
"C:\\Areva\\habitat22\\habitat\\bin\\permsrv.exe"=
"C:\\Areva\\habitat22\\habitat\\bin\\nioclerk.exe"=
"C:\\Areva\\habitat22\\habitat\\bin\\nioserve.exe"=
"C:\\Areva\\habitat22\\habitat\\bin\\cfgctrl.exe"=
"C:\\Areva\\habitat22\\habitat\\bin\\alarm.exe"=
"C:\\Areva\\habitat22\\habuser\\bin\\control.exe"=
"C:\\Areva\\habitat22\\habuser\\bin\\sccommit.exe"=
"C:\\Areva\\habitat22\\habuser\\bin\\scadatop.exe"=
"C:\\Areva\\habitat22\\habuser\\bin\\scadfreq.exe"=
"C:\\Areva\\habitat22\\habuser\\bin\\scsrv.exe"=
"C:\\Areva\\habitat22\\habuser\\bin\\scanner.exe"=
"C:\\Areva\\habitat22\\habuser\\bin\\usercalc.exe"=
"C:\\Areva\\habitat22\\habuser\\bin\\psascheds.exe"=
"C:\\Areva\\habitat22\\habuser\\bin\\loadshed.exe"=
"C:\\Areva\\habitat22\\habuser\\bin\\schist.exe"=
"C:\\Areva\\habitat22\\habuser\\bin\\tagnotes.exe"=
"C:\\Areva\\habitat22\\habuser\\bin\\sqsman.exe"=
"C:\\Areva\\habitat22\\habuser\\bin\\stgenrap.exe"=
"C:\\Areva\\habitat22\\habuser\\bin\\rtagc.exe"=
"C:\\Areva\\habitat22\\habuser\\bin\\recon.exe"=
"C:\\Areva\\e_terracontrol\\bin\\scada.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\BitLord\\BitLord.exe"=
"C:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=

R1 hwinterface;hwinterface;C:\WINDOWS\system32\Drivers\hwinterface.sys [2007-04-16 09:40]
R1 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 21:10]
R2 MobileAutmationAgentService;iPass Endpoint Policy Management Agent;"c:\program files\ipass\epm\rstate.exe" [2006-01-09 20:52]
R2 ProcessStarter;Process Starter ;c:\areva\e_terracontrol\bin\processstarter.service.exe [2006-03-16 15:59]
R3 AseBCOM;ASE BCOM Port Enumerator;C:\WINDOWS\system32\DRIVERS\AseBCOM.sys [2003-02-27 19:42]
R3 asebcomp;ASE BCOM PCMCIA Port Driver;C:\WINDOWS\system32\DRIVERS\asebcomp.sys [2001-03-08 22:43]
R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys [2004-05-03 16:26]
S0 ntcdrdrv;ntcdrdrv;C:\WINDOWS\system32\DRIVERS\ntcdrdrv.sys []
S3 HABITAT Group 20;HABITAT Group 20;C:\AREVA\habitat20\habitat\bin\tview_server.exe [2006-03-29 19:00]
S3 HABITAT Group 22;HABITAT Group 22;C:\AREVA\habitat22\habitat\bin\tview_server.exe [2006-03-29 19:00]
S3 MopUPS;MopUPS;C:\Program Files\Chloride Power\MopUPS\ups.exe [2001-06-20 17:33]
S3 ServiceWrapper;DeviceID Authentication Agent;C:\PROGRA~1\iPass\DeviceID\bin\ServiceWrapper.exe [2006-06-20 13:57]
S3 WmaCDriverV32;WmaCDriverV32;C:\WINDOWS\system32\drivers\WmaCDriverV32.sys [2007-12-28 14:47]
S3 WmaCVideo32;WmaCVideo32;C:\WINDOWS\system32\DRIVERS\WmaCVideo32.sys [2007-12-28 14:47]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{42148976-8be4-11dc-b1cf-001560be2b3d}]
\Shell\AutoRun\command - E:\ie.exe
\Shell\explore\Command - E:\ie.exe
\Shell\open\Command - E:\ie.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7a138d3a-ecdb-11db-b10e-0014380e7d34}]
\Shell\AutoRun\command - EXPLORER.EXE
\Shell\explore\Command - EXPLORER.EXE
\Shell\open\Command - EXPLORER.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8c08f757-c27a-11dc-b21c-00059a3c7800}]
\Shell\AutoRun\command - EXPLORER.EXE
\Shell\explore\Command - EXPLORER.EXE
\Shell\open\Command - EXPLORER.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8effec8a-e9d8-11db-b10a-0014380e7d34}]
\Shell\AutoRun\command - a.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{95b667e3-c57c-11db-b0f2-0014380e7d34}]
\Shell\AutoRun\command - RavMon.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-05-30 17:15:00 C:\WINDOWS\Tasks\Maintenance en 1 clic.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-05 17:43:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????0?6?5?7??????? ???B???????????????B? ?????? 

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\mchInjDrv]
"ImagePath"="\??\C:\DOCUME~1\ems\LOCALS~1\Temp\mc29.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\docqyqom.dll
-> C:\WINDOWS\system32\dxfaxpex.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\scardsvr.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\iPass\Cisco VPN\cvpnd.exe
C:\WINDOWS\system32\DWRCS.EXE
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\lotus\notes\ntmulti.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Network Associates\Common Framework\Mctray.exe
C:\WINDOWS\system32\DWRCST.EXE
C:\Program Files\HPQ\Shared\hpqwmi.exe
C:\Program Files\Network Associates\Common Framework\McScript_InUse.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-06-05 17:48:31 - machine was rebooted
ComboFix-quarantined-files.txt  2008-06-05 17:48:18

Pre-Run: 8,892,907,520 bytes free
Post-Run: 9,017,700,352 bytes free

05/06/2008, 20h24   #12   rlgrand
I'll look at the report and send you the script tomorrow.

See you.

05/06/2008, 20h30   #13   lidouka
OK rlgrand
See you tomorrow, and thanks for your help
06/06/2008, 13h24   #14   rlgrand
Hello, Lidouka

Save the attached CFScript.txt script to the desktop (the ComboFix icon must also be there; if it isn't, download ComboFix again and save it to the desktop as well).
Drag and drop the script onto ComboFix. Follow the prompts.
Your desktop will disappear several times. That's normal.
Once the scan has finished, save the report and post it together with a HijackThis report.

After that we move on to the cleanup.

Bye.

Attached files
File type: txt CFScript.txt (319 bytes, 6 views)
06/06/2008, 17h13   #15   lidouka
Hello rlgrand, glad to hear from you :-)
ComboFix report
Code:
ComboFix 08-06-05.2 - ems 2008-06-06 14:52:46.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.450 [GMT 0:00]
Running from: C:\Documents and Settings\ems\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\ems\Desktop\CFScript.txt
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\bckdaquw.dll
C:\WINDOWS\system32\docqyqom.dll
C:\WINDOWS\system32\dxfaxpex.dll
C:\WINDOWS\system32\hxbqttnx.dll
C:\WINDOWS\system32\qqlljnss.dll
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM5ca29061.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\bckdaquw.dll
C:\WINDOWS\system32\docqyqom.dll
C:\WINDOWS\system32\dxfaxpex.dll
C:\WINDOWS\system32\hxbqttnx.dll
C:\WINDOWS\system32\qqlljnss.dll

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MCHINJDRV
-------\Service_mchInjDrv


(((((((((((((((((((((((((   Files Created from 2008-05-06 to 2008-06-06  )))))))))))))))))))))))))))))))
.

2008-06-06 14:55 . 2008-06-06 14:58	<DIR>	d--------	C:\TEMP
2008-06-06 13:04 . 2008-06-06 13:04	<DIR>	d--------	C:\Program Files\TuneUp Utilities 2007
2008-06-06 13:04 . 2007-01-17 14:47	24,072	--a------	C:\WINDOWS\system32\uxtuneup.dll
2008-06-06 13:03 . 2008-06-06 13:03	<DIR>	d--------	C:\Program Files\Common Files\Wise Installation Wizard
2008-06-05 17:48 . 2008-06-06 13:56	706	---hs----	C:\WINDOWS\system32\moqyqcod.ini
2008-06-05 14:33 . 2008-06-05 14:33	<DIR>	d--------	C:\WINDOWS\ERUNT
2008-06-05 13:30 . 2008-06-05 13:30	<DIR>	d--------	C:\Program Files\zabkat
2008-06-05 09:35 . 2008-06-05 09:35	<DIR>	d--------	C:\sdfix
2008-06-04 16:30 . 2008-06-04 16:30	<DIR>	d--------	C:\Program Files\CCleaner
2008-06-04 16:26 . 2008-06-04 16:26	<DIR>	d--------	C:\Program Files\Trend Micro
2008-06-03 14:05 . 2008-06-03 14:14	<DIR>	d--------	C:\Documents and Settings\ems\Application Data\uTorrent
2008-06-03 14:04 . 2008-06-03 14:05	<DIR>	d--------	C:\Program Files\uTorrent
2008-05-19 14:41 . 2008-05-19 14:41	35,070	--a------	C:\x2settings.reg
2008-05-15 17:22 . 2008-05-15 17:22	<DIR>	d--------	C:\Program Files\Free Audio Pack
2008-05-15 16:54 . 2008-05-15 16:54	133,632	--a------	C:\WINDOWS\system32\SpoonUninstall.exe
2008-05-08 16:48 . 2008-05-10 16:24	<DIR>	d--------	C:\Program Files\EasyPHP 2.0b1

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-04 16:34	---------	d-----w	C:\Program Files\GetRight
2008-05-26 18:49	---------	d-----w	C:\Program Files\Google
2008-04-08 21:06	---------	d-----w	C:\Documents and Settings\ems\Application Data\Skype
2008-03-18 12:06	32	----a-w	C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-01-23 07:34	108	--sha-r	C:\WINDOWS\neoqaz2.dll
.

(((((((((((((((((((((((((((((   snapshot@2008-06-05_17.47.51.67   )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-05 17:42:10	2,048	--s-a-w	C:\WINDOWS\bootstat.dat
+ 2008-06-06 14:57:47	2,048	--s-a-w	C:\WINDOWS\bootstat.dat
- 2008-06-05 17:43:12	224,509	----a-w	C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2008-06-06 14:58:28	224,517	----a-w	C:\WINDOWS\system32\inetsrv\MetaBase.bin
- 2008-06-02 13:18:24	2,010	----a-w	C:\WINDOWS\system32\spool\drivers\w32x86\3\SE0CSTMN.DAT
+ 2008-06-06 13:51:04	1,998	----a-w	C:\WINDOWS\system32\spool\drivers\w32x86\3\SE0CSTMN.DAT
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 01:07 1667584]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
"SharpTray"="C:\Program Files\Sharp\Sharpdesk\SharpTray.exe" [2003-07-18 10:58 28672]
"SuperCopier2.exe"="C:\Program Files\SuperCopier2\SuperCopier2.exe" [2006-07-07 16:45 1052672]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-11-16 09:19 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-11-16 09:15 126976]
"AGRSMMSG"="AGRSMMSG.exe" [2004-08-24 11:20 88363 C:\WINDOWS\AGRSMMSG.exe]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 17:11 1388544]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe" [2005-06-03 03:52 36975]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 09:01 110592]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-08-03 09:05 122939]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 18:40 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 18:38 688218]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-11-01 18:11 290816]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2004-09-08 00:28 213054]
"hpWirelessAssistant"="C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe" [2004-11-12 20:40 790528]
"WatchDog"="C:\Program Files\InterVideo\DVD Check\DVDCheck.exe" [2004-10-26 16:17 184320]
"ChangeResolution"="C:\Documents and Settings\Administrator\ChangeResolution.exe" [ ]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" [2007-08-07 18:32 136768]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-10-02 13:43 1836544]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 23:30 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 23:30 81920]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-08-18 08:00 94208]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 21:22 3739648]
"EPM Agent"="c:\PROGRA~1\ipass\epm\rstate.exe" [2006-01-09 20:52 94208]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]
Areva T&D VPN Client.lnk - C:\Program Files\iPass\Cisco VPN\vpngui.exe [2008-02-21 10:03:40 1528880]
BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2004-10-26 12:20:42 569405]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyPHP]
--a------ 2006-11-19 22:16 176128 C:\Program Files\EasyPHP 2.0b1\EasyPHP.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Areva\\habitat20\\habitat\\bin\\procman.exe"=
"C:\\Areva\\habitat20\\habitat\\bin\\rfgdice.exe"=
"C:\\Areva\\habitat20\\habitat\\bin\\ruserserver.exe"=
"C:\\Areva\\habitat20\\habitat\\bin\\mlfdmn.exe"=
"C:\\Areva\\habitat20\\habitat\\bin\\nioarc.exe"=
"C:\\Areva\\habitat20\\habitat\\bin\\webfgserver.exe"=
"C:\\Areva\\habitat20\\habitat\\bin\\procdbclk.exe"=
"C:\\Areva\\habitat20\\habitat\\bin\\permsrv.exe"=
"C:\\Areva\\habitat22\\habitat\\bin\\rfgdice.exe"=
"C:\\Areva\\habitat22\\habitat\\bin\\ruserserver.exe"=
"C:\\Areva\\habitat22\\habitat\\bin\\mlfdmn.exe"=
"C:\\Areva\\habitat22\\habitat\\bin\\procman.exe"=
"C:\\Areva\\habitat22\\habitat\\bin\\webfgserver.exe"=
"C:\\Areva\\habitat22\\habitat\\bin\\nioarc.exe"=
"C:\\Areva\\habitat22\\habitat\\bin\\procdbclk.exe"=
"C:\\Areva\\habitat22\\habitat\\bin\\permsrv.exe"=
"C:\\Areva\\habitat22\\habitat\\bin\\nioclerk.exe"=
"C:\\Areva\\habitat22\\habitat\\bin\\nioserve.exe"=
"C:\\Areva\\habitat22\\habitat\\bin\\cfgctrl.exe"=
"C:\\Areva\\habitat22\\habitat\\bin\\alarm.exe"=
"C:\\Areva\\habitat22\\habuser\\bin\\control.exe"=
"C:\\Areva\\habitat22\\habuser\\bin\\sccommit.exe"=
"C:\\Areva\\habitat22\\habuser\\bin\\scadatop.exe"=
"C:\\Areva\\habitat22\\habuser\\bin\\scadfreq.exe"=
"C:\\Areva\\habitat22\\habuser\\bin\\scsrv.exe"=
"C:\\Areva\\habitat22\\habuser\\bin\\scanner.exe"=
"C:\\Areva\\habitat22\\habuser\\bin\\usercalc.exe"=
"C:\\Areva\\habitat22\\habuser\\bin\\psascheds.exe"=
"C:\\Areva\\habitat22\\habuser\\bin\\loadshed.exe"=
"C:\\Areva\\habitat22\\habuser\\bin\\schist.exe"=
"C:\\Areva\\habitat22\\habuser\\bin\\tagnotes.exe"=
"C:\\Areva\\habitat22\\habuser\\bin\\sqsman.exe"=
"C:\\Areva\\habitat22\\habuser\\bin\\stgenrap.exe"=
"C:\\Areva\\habitat22\\habuser\\bin\\rtagc.exe"=
"C:\\Areva\\habitat22\\habuser\\bin\\recon.exe"=
"C:\\Areva\\e_terracontrol\\bin\\scada.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\BitLord\\BitLord.exe"=
"C:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=

R1 hwinterface;hwinterface;C:\WINDOWS\system32\Drivers\hwinterface.sys [2007-04-16 09:40]
R1 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 21:10]
R2 MobileAutmationAgentService;iPass Endpoint Policy Management Agent;"c:\program files\ipass\epm\rstate.exe" [2006-01-09 20:52]
R2 ProcessStarter;Process Starter ;c:\areva\e_terracontrol\bin\processstarter.service.exe [2006-03-16 15:59]
R2 UxTuneUp;Extension de conception TuneUp;C:\WINDOWS\System32\svchost.exe [2004-08-04 08:00]
R3 AseBCOM;ASE BCOM Port Enumerator;C:\WINDOWS\system32\DRIVERS\AseBCOM.sys [2003-02-27 19:42]
R3 asebcomp;ASE BCOM PCMCIA Port Driver;C:\WINDOWS\system32\DRIVERS\asebcomp.sys [2001-03-08 22:43]
R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys [2004-05-03 16:26]
S0 ntcdrdrv;ntcdrdrv;C:\WINDOWS\system32\DRIVERS\ntcdrdrv.sys []
S3 HABITAT Group 20;HABITAT Group 20;C:\AREVA\habitat20\habitat\bin\tview_server.exe [2006-03-29 19:00]
S3 HABITAT Group 22;HABITAT Group 22;C:\AREVA\habitat22\habitat\bin\tview_server.exe [2006-03-29 19:00]
S3 MopUPS;MopUPS;C:\Program Files\Chloride Power\MopUPS\ups.exe [2001-06-20 17:33]
S3 ServiceWrapper;DeviceID Authentication Agent;C:\PROGRA~1\iPass\DeviceID\bin\ServiceWrapper.exe [2006-06-20 13:57]
S3 WmaCDriverV32;WmaCDriverV32;C:\WINDOWS\system32\drivers\WmaCDriverV32.sys [2007-12-28 14:47]
S3 WmaCVideo32;WmaCVideo32;C:\WINDOWS\system32\DRIVERS\WmaCVideo32.sys [2007-12-28 14:47]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{42148976-8be4-11dc-b1cf-001560be2b3d}]
\Shell\AutoRun\command - E:\ie.exe
\Shell\explore\Command - E:\ie.exe
\Shell\open\Command - E:\ie.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7a138d3a-ecdb-11db-b10e-0014380e7d34}]
\Shell\AutoRun\command - EXPLORER.EXE
\Shell\explore\Command - EXPLORER.EXE
\Shell\open\Command - EXPLORER.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8c08f757-c27a-11dc-b21c-00059a3c7800}]
\Shell\AutoRun\command - EXPLORER.EXE
\Shell\explore\Command - EXPLORER.EXE
\Shell\open\Command - EXPLORER.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8effec8a-e9d8-11db-b10a-0014380e7d34}]
\Shell\AutoRun\command - a.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{95b667e3-c57c-11db-b0f2-0014380e7d34}]
\Shell\AutoRun\command - RavMon.exe

*Newly Created Service* - MCHINJDRV
.
Contents of the 'Scheduled Tasks' folder
"2008-06-06 13:04:36 C:\WINDOWS\Tasks\Maintenance en 1 clic.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-06 14:58:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????0?6?5?7??????? ???B???????????????B? ?????? 

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\mchInjDrv]
"ImagePath"="\??\C:\DOCUME~1\ems\LOCALS~1\Temp\mc2C.tmp"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\scardsvr.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\iPass\Cisco VPN\cvpnd.exe
C:\WINDOWS\system32\DWRCS.EXE
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\Program Files\lotus\notes\ntmulti.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
C:\WINDOWS\system32\DWRCST.EXE
C:\Program Files\Network Associates\Common Framework\Mctray.exe
C:\Program Files\HPQ\Shared\hpqwmi.exe
.
**************************************************************************
.
Completion time: 2008-06-06 15:03:53 - machine was rebooted
ComboFix-quarantined-files.txt  2008-06-06 15:03:40
ComboFix2.txt  2008-06-05 17:48:32

Pre-Run: 8,927,072,256 bytes free
Post-Run: 8,922,542,080 bytes free

HijackThis report
Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:04:27, on 06/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\iPass\Cisco VPN\cvpnd.exe
C:\WINDOWS\SYSTEM32\DWRCS.EXE
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\ipass\epm\rstate.exe
C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe
C:\Program Files\lotus\notes\ntmulti.exe
c:\areva\e_terracontrol\bin\processstarter.service.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\SYSTEM32\DWRCST.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\PROGRA~1\ipass\epm\rstate.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sharp\Sharpdesk\SharpTray.exe
C:\Program Files\SuperCopier2\SuperCopier2.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hp.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.101.201.204:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] "%ProgramFiles%\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe"
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [ChangeResolution] C:\Documents and Settings\Administrator\ChangeResolution.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [EPM Agent] c:\PROGRA~1\ipass\epm\rstate.exe /LOGON
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SharpTray] "C:\Program Files\Sharp\Sharpdesk\SharpTray.exe"
O4 - HKCU\..\Run: [SuperCopier2.exe] C:\Program Files\SuperCopier2\SuperCopier2.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Areva T&D VPN Client.lnk = C:\Program Files\iPass\Cisco VPN\vpngui.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = mail.areva-td.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = mail.areva-td.com,prod.atd.corp
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = mail.areva-td.com,prod.atd.corp
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = mail.areva-td.com,prod.atd.corp
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\iPass\Cisco VPN\cvpnd.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DWRCS.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HABITAT Group 20 - AREVA T&D - C:\AREVA\habitat20\habitat\bin\tview_server.exe
O23 - Service: HABITAT Group 22 - AREVA T&D - C:\AREVA\habitat22\habitat\bin\tview_server.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPassConnectEngine - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
O23 - Service: iPassPeriodicUpdateApp - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
O23 - Service: iPassPeriodicUpdateService - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
O23 - Service: Service de l'iPod (iPod Service) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: iPass Endpoint Policy Management Agent (MobileAutmationAgentService) - iPass Inc. - c:\program files\ipass\epm\rstate.exe
O23 - Service: MopUPS - Chloride Power - C:\Program Files\Chloride Power\MopUPS\ups.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: OpcEnum - OPC Foundation - C:\WINDOWS\system32\OpcEnum.exe
O23 - Service: Process Starter  (ProcessStarter) - AREVA T&&D Corporation - c:\areva\e_terracontrol\bin\processstarter.service.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: DeviceID Authentication Agent (ServiceWrapper) - Unknown owner - C:\PROGRA~1\iPass\DeviceID\bin\ServiceWrapper.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 10781 bytes
Thanks for your help!
lidouka
06/06/2008, 17h17   #16
Hello,

How is the PC behaving?

rlgrand
06/06/2008, 17h53   #17
After a series of tests, I can now say the PC is behaving well, very well even.

In your second-to-last post you said we were going to do a cleanup. Is that still on?

Otherwise, thank you warmly for having helped me over these last few days.
It's really kind.
lidouka
06/06/2008, 18h08   #18
Glad for you.
Be careful from now on with torrents (especially cracks).

Since the problem is solved, we can move on to the cleanup.
1 - Run CCleaner (above all do the temp files and registry cleanup).
2 - As a precaution, you will use MalwareBytes to check whether any trace of the virus remains (and in System Volume Information in particular).
http://www.malwarebytes.org/mbam.php
Update the virus definitions.
Scan under Windows and disinfect in Safe Mode.
If there is no problem, no need to post the report.
3 - Could you tell me what drive E is on your PC?

See you

rlgrand
06/06/2008, 19h01   #19
rlgrand, I don't have an E drive, but an F (removable) which is my USB key.
I have only one disk: C.

Otherwise, could you detail the 2nd phase with MalwareBytes please? I didn't quite understand.
lidouka
06/06/2008, 20h54   #20
1) For MalwareBytes, you only need to run it in Safe Mode (2nd pass only) if it has detected an infection.
Then launch the scan in Safe Mode and clean (remove selected).

2) I asked about drive E: because of the ComboFix report:
Quote:
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{42148976-8be4-11dc-b1cf-001560be2b3d}]
\Shell\AutoRun\command - E:\ie.exe
\Shell\explore\Command - E:\ie.exe
\Shell\open\Command - E:\ie.exe
Make a backup of the registry. Rename the attached file fix.txt to fix.reg: right-click on the file, Merge.

3) Disable System Restore, then re-enable it to create a clean restore point.

If MalwareBytes finds nothing, I think that's it.

See you.
Attached files
File type: txt fix.txt (137 bytes, 8 views)
rlgrand
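As an added example (not code from the thread, and not the contents of rlgrand's fix.txt, which are not shown here), this Python snippet parses a constructed ComboFix-style MountPoints2 excerpt modelled on the quoted lines, flags keys whose Shell verbs launch an executable from a drive letter, and emits the `[-KEY]` deletion syntax regedit accepts in a .reg file; the second sample key and the `BaseClass - Drive` line are assumptions standing in for a normal drive mapping.

```python
# Added example, not code from the thread: parse ComboFix-style MountPoints2
# output for Shell\<verb>\command handlers (the E:\ie.exe pattern quoted above)
# and build a .reg fragment that deletes the offending keys. Sample is constructed.
import re
from typing import Dict, List

# Constructed sample: the first key mirrors the thread's entry, the second is a
# plain drive mapping with no shell handlers and should not be flagged.
SAMPLE_REPORT = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{42148976-8be4-11dc-b1cf-001560be2b3d}]
\Shell\AutoRun\command - E:\ie.exe
\Shell\explore\Command - E:\ie.exe
\Shell\open\Command - E:\ie.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{11111111-2222-3333-4444-555555555555}]
BaseClass - Drive
"""

KEY_RE = re.compile(r"^\[(HKEY_CURRENT_USER\\.*\\mountpoints2\\\{[0-9a-f-]+\})\]$", re.I)
HANDLER_RE = re.compile(r"^\\Shell\\(\w+)\\command\s+-\s+(.+)$", re.I)


def find_shell_handlers(report: str) -> Dict[str, List[str]]:
    """Map each MountPoints2 key to the commands registered under its Shell verbs."""
    handlers: Dict[str, List[str]] = {}
    current = None
    for raw in report.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            handlers.setdefault(current, [])
            continue
        verb = HANDLER_RE.match(line)
        if verb and current is not None:
            handlers[current].append(verb.group(2).strip())
    return handlers


def suspicious_keys(handlers: Dict[str, List[str]]) -> List[str]:
    """Keys that launch an .exe from a drive letter; a normal drive mapping has none."""
    return [k for k, cmds in handlers.items()
            if any(re.match(r"^[A-Z]:\\.*\.exe$", c, re.I) for c in cmds)]


def build_fix_reg(keys: List[str]) -> str:
    """Return .reg text deleting the keys; '[-KEY]' is regedit's delete-key syntax."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for k in keys:
        lines += [f"[-{k}]", ""]
    return "\r\n".join(lines)
```

Back the registry up before merging any generated .reg, exactly as the post above says; the script only produces the text, it never touches the registry itself.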
This thread is marked as resolved.