Phew, I think I managed it. Well, not sure.
ComboFix 08-11-19.08 - didier 2008-11-20 13:40:55.1 - NTFSx86 MINIMAL
Microsoft® Windows Vista™ Home Premium Edition 6.0.6000.0.1252.1.1036.18.1528 [GMT 1:00]
Launched from: c:\users\didier\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((( Files created from 2008-10-20 to 2008-11-20 ))))))))))))))))))))))))))))))))))))
.
No new files created in this time span
.
(((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-20 12:29 352,615 ---ha-w c:\windows\system32\drivers\vsconfig.xml
2008-11-20 12:04 --------- d-----w c:\users\didier\AppData\Roaming\OpenOffice.org2
2008-11-20 10:54 --------- d-----w c:\program files\Trend Micro
2008-11-20 08:39 --------- d-----w c:\progra~2\Spybot - Search & Destroy
2008-11-18 19:44 --------- d-----w c:\program files\UsbFix
2008-11-18 14:36 --------- d-----w c:\program files\FindyKill
2008-11-18 08:22 --------- d-----w c:\program files\Avira
2008-11-18 08:22 --------- d-----w c:\progra~2\Avira
2008-11-17 14:41 2,670 ----a-w c:\windows\System32\tmp.reg
2008-11-17 14:11 691 ----a-w c:\users\didier\AppData\Roaming\GetValue.vbs
2008-11-17 14:11 35 ----a-w c:\users\didier\AppData\Roaming\SetValue.bat
2008-11-11 12:58 --------- d-----w c:\program files\Common Files\Adobe
2008-11-11 12:40 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-11 12:31 1,383,424 ----a-w c:\windows\Internet Logs\xDB5270.tmp
2008-11-11 09:33 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-11-02 20:50 47,560 ----a-w c:\windows\System32\SPReview.exe
2008-11-02 20:50 152,576 ----a-w c:\windows\System32\SPWizUI.dll
2008-11-02 19:18 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-11-02 19:18 --------- d-----w c:\progra~2\NortonInstaller
2008-11-02 19:14 410,976 ----a-w c:\windows\System32\deploytk.dll
2008-11-02 19:14 --------- d-----w c:\program files\Java
2008-11-02 17:05 --------- d-----w c:\program files\CCleaner
2008-10-31 14:55 --------- d-----w c:\progra~2\IncrediMail
2008-10-29 17:14 --------- d-----w c:\progra~2\IM
2008-10-22 16:01 --------- d-----w c:\program files\Zone Labs
2008-10-22 16:01 --------- d-----w c:\progra~2\CheckPoint
2008-10-22 15:10 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-10-22 15:10 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-10-22 15:04 --------- d-----w c:\users\didier\AppData\Roaming\VSRevoGroup
2008-10-22 15:03 --------- d-----w c:\program files\VS Revo Group
2008-10-21 17:24 --------- d-----w c:\users\didier\AppData\Roaming\Malwarebytes
2008-10-21 17:24 --------- d-----w c:\progra~2\Malwarebytes
2008-10-21 16:16 --------- d---a-w c:\progra~2\TEMP
2008-10-19 15:41 --------- d-----w c:\progra~2\bsxgfmle
2008-10-16 16:11 --------- d-----w c:\program files\Windows Mail
2008-10-07 18:58 --------- d-----w c:\program files\eMule
2008-10-02 03:49 826,368 ----a-w c:\windows\System32\wininet.dll
2008-10-02 03:49 56,320 ----a-w c:\windows\System32\iesetup.dll
2008-10-02 03:49 52,736 ----a-w c:\windows\AppPatch\iebrshim.dll
2008-10-02 03:48 26,624 ----a-w c:\windows\System32\ieUnatt.exe
2008-09-30 15:43 1,286,152 ----a-w c:\windows\System32\msxml4.dll
2008-09-21 12:42 --------- d-----w c:\program files\YesMessenger
2008-09-20 01:13 2,029,568 ----a-w c:\windows\System32\win32k.sys
2008-09-18 04:35 3,505,208 ----a-w c:\windows\System32\ntkrnlpa.exe
2008-09-18 04:35 3,470,904 ----a-w c:\windows\System32\ntoskrnl.exe
2008-09-10 03:25 1,341,440 ----a-w c:\windows\System32\msxml6.dll
2008-09-10 03:21 2,048 ----a-w c:\windows\System32\msxml6r.dll
2008-09-05 04:48 1,194,496 ----a-w c:\windows\System32\msxml3.dll
2008-09-05 04:45 2,048 ----a-w c:\windows\System32\msxml3r.dll
.
((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate default entries are not listed
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-09 1232896]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]
"WindowsWelcomeCenter"="oobefldr.dll" [2006-11-02 c:\windows\System32\oobefldr.dll]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-12-05 81920]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-03 959976]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-02 136600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"RtHDVCpl"="RtHDVCpl.exe" [2007-06-20 c:\windows\RtHDVCpl.exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 c:\windows\KHALMNPR.Exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001
"AntiVirusDisableNotify"="0x00000000"
"UpdatesDisableNotify"="0x00000000"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{155959DC-7830-44AD-AA63-BEF2A781EB22}"= Disabled:UDP:c:\users\didier\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SY00OU0C\incredimail_install[1].exe:IncrediMail Installer
"{15D2841F-2812-4967-88B5-D09596F5752C}"= Disabled:TCP:c:\users\didier\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SY00OU0C\incredimail_install[1].exe:IncrediMail Installer
"{B209D284-9531-4A42-8705-D0D728F4C4D5}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{845AF95F-0751-4E63-979F-EFD129AF8912}c:\\program files\\orangehss\\browser\\browser.exe"= UDP:c:\program files\orangehss\browser\browser.exe:Browser
"UDP Query User{E55C60D0-72D6-42FB-A606-35C1C6B21223}c:\\program files\\orangehss\\browser\\browser.exe"= TCP:c:\program files\orangehss\browser\browser.exe:Browser
"TCP Query User{B1ADF0FA-DD93-4457-BF63-46732ABEAD9E}c:\\program files\\common files\\ahead\\nero web\\setupx.exe"= UDP:c:\program files\common files\ahead\nero web\setupx.exe:MSI starter
"UDP Query User{F5FF199F-52A2-49D1-A1DD-2AE1E99FD384}c:\\program files\\common files\\ahead\\nero web\\setupx.exe"= TCP:c:\program files\common files\ahead\nero web\setupx.exe:MSI starter
"TCP Query User{8B0893EF-7843-4A64-83B1-92D82E47789C}c:\\program files\\logitech\\desktop messenger\\8876480\\program\\backweb-8876480.exe"= UDP:c:\program files\logitech\desktop messenger\8876480\program\backweb-8876480.exe:Logitech Desktop Messenger
"UDP Query User{7EA43367-6138-4A1E-B5E8-2BEEB5BE2CBA}c:\\program files\\logitech\\desktop messenger\\8876480\\program\\backweb-8876480.exe"= TCP:c:\program files\logitech\desktop messenger\8876480\program\backweb-8876480.exe:Logitech Desktop Messenger
"TCP Query User{713B60D1-B4CE-4B28-8569-C131E584683B}c:\\program files\\hercules\\dualpix exchange\\station2.exe"= UDP:c:\program files\hercules\dualpix exchange\station2.exe:Hercules Webcam Station Evolution SE
"UDP Query User{5EAE581D-1AD4-4B5C-AA77-E147CBEB8F80}c:\\program files\\hercules\\dualpix exchange\\station2.exe"= TCP:c:\program files\hercules\dualpix exchange\station2.exe:Hercules Webcam Station Evolution SE
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|
R0 AtiPcie;ATI PCI Express (3GIO) Filter;c:\windows\system32\DRIVERS\AtiPcie.sys [2007-08-08 8192]
S2 TestHandler;Fujitsu Siemens Computers Diagnostic Testhandler;c:\firststeps\OnlineDiagnostic\TestManager\TestHandler.exe [2006-12-08 204800]
S3 camfilt2;camfilt2;c:\windows\system32\Drivers\camfilt2.sys [2008-08-30 94208]
S3 PCAMp50;PCAMp50 NDIS Protocol Driver;c:\windows\system32\Drivers\PCAMp50.sys [2007-09-01 28224]
S3 PCASp50;PCASp50 NDIS Protocol Driver;c:\windows\system32\Drivers\PCASp50.sys [2007-09-01 27072]
*Newly Created Service* - ECACHE
*Newly Created Service* - PROCEXP90
*Newly Created Service* - PXHELP20
.
- - - - ORPHANS REMOVED - - - -
HKLM-RunOnce-<NO NAME> - (no file)
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\users\didier\AppData\Roaming\Mozilla\Firefox\Profiles\3k20sri2.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:fr:official
FF -: plugin - c:\program files\Common Files\fluxDVD\APIX\NPAPIX.dll
FF -: plugin - c:\program files\Common Files\fluxDVD\BrowserIntegration\NPFluxBrowserHelper.dll
FF -: plugin - c:\program files\Common Files\mpDRM\NPMPDRM.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-20 13:45:21
Windows 6.0.6000 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs loaded in running processes ---------------------
PROCESS: c:\windows\Explorer.exe
-> c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnfps.dll
.
Completion time: 2008-11-20 13:46:40
ComboFix-quarantined-files.txt 2008-11-20 12:46:27
Pre-Run: The message text for message number 0x2379 could not be found in the message file for Application.
Post-Run: 122,523,697,152 bytes free
155 --- E O F --- 2008-11-19 16:02:29
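The log above is a ComboFix report, and the parts a responder reads first are the Find3M file list and the "Reg Loading Points" dump. The following is an added example (not part of the original post and not ComboFix's own code) that parses those two sections and raises review prompts for the items in this log that deserve a second look: script files dropped in the user's AppData\Roaming (GetValue.vbs, SetValue.bat), Security Center notifications and monitoring switched off, and the Windows Firewall public profile disabled. The sample lines are excerpts copied from the log above; the category names and thresholds are the example's own. Caveat: the Security Center and EnableFirewall entries are also written legitimately by third-party suites that register as the system's firewall or antivirus (ZoneAlarm is installed on this machine), so these are prompts to verify, not verdicts.

```python
"""Triage helpers for a ComboFix report (the format shown above).

Added example, not code from the original post or from ComboFix.
Sample lines are excerpts of the log above; flags are review prompts,
not malware verdicts (security suites also set these registry values)."""
import re
from dataclasses import dataclass
from typing import Optional

# One Find3M line: "<date> <time> <size|---------> <attrs> <path>"
FIND3M_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+([\d,]+|-+)\s+([-a-z]{7})\s+(.+)$"
)
# REGEDIT4-style dump: "[key]" lines followed by "name"=value lines
REG_KEY_RE = re.compile(r"^\[(.+)\]$")
REG_VAL_RE = re.compile(r'^"([^"]+)"\s*=\s*(.+)$')

# Extensions that should rarely appear loose in a user's roaming profile
SCRIPT_EXT = (".vbs", ".bat", ".cmd", ".js", ".ps1")

# Constructed sample: excerpts of the Find3M section above
SAMPLE_FIND3M = r'''
2008-11-20 12:29 352,615 ---ha-w c:\windows\system32\drivers\vsconfig.xml
2008-11-20 12:04 --------- d-----w c:\users\didier\AppData\Roaming\OpenOffice.org2
2008-11-17 14:41 2,670 ----a-w c:\windows\System32\tmp.reg
2008-11-17 14:11 691 ----a-w c:\users\didier\AppData\Roaming\GetValue.vbs
2008-11-17 14:11 35 ----a-w c:\users\didier\AppData\Roaming\SetValue.bat
'''.splitlines()

# Constructed sample: excerpts of the Reg Loading Points section above
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001
"AntiVirusDisableNotify"="0x00000000"
"UpdatesDisableNotify"="0x00000000"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
'''.splitlines()


@dataclass
class FileEntry:
    when: str
    size: Optional[int]   # None for directories (size column is dashes)
    attrs: str            # e.g. "----a-w", "d-----w", "---ha-w" (h = hidden)
    path: str


def parse_find3m(lines):
    """Turn Find3M lines into FileEntry records; non-matching lines are skipped."""
    entries = []
    for line in lines:
        m = FIND3M_RE.match(line.strip())
        if not m:
            continue
        size_txt = m.group(2)
        size = None if size_txt.startswith("-") else int(size_txt.replace(",", ""))
        entries.append(FileEntry(m.group(1), size, m.group(3), m.group(4)))
    return entries


def parse_reg(lines):
    """Return {key: {name: raw_value}} for the load-point dump."""
    out, key = {}, None
    for line in lines:
        line = line.strip()
        km = REG_KEY_RE.match(line)
        if km:
            key = km.group(1)
            out.setdefault(key, {})
            continue
        vm = REG_VAL_RE.match(line)
        if vm and key is not None:
            out[key][vm.group(1)] = vm.group(2)
    return out


def reg_int(val):
    """Integer from ComboFix's value renderings: dword:00000001, "0x00000000",
    or ' 0 (0x0)'. Returns None for non-numeric values (paths, rule strings)."""
    parts = val.strip().strip('"').split()
    if not parts:
        return None
    v = parts[0]
    try:
        return int(v[6:], 16) if v.startswith("dword:") else int(v, 0)
    except ValueError:
        return None


def triage(entries, reg):
    """Return (category, detail) prompts for a human reviewer."""
    flags = []
    for e in entries:
        p = e.path.lower()
        if "\\appdata\\roaming\\" in p and p.endswith(SCRIPT_EXT):
            flags.append(("script-in-profile", f"{e.path} ({e.size} bytes, {e.when})"))
    for key, values in reg.items():
        k = key.lower()
        if "\\security center" in k:
            for name, val in values.items():
                if (name.endswith("DisableNotify") or name == "DisableMonitoring") \
                        and reg_int(val) == 1:
                    flags.append(("security-center-suppressed", f"{key}\\{name}"))
        elif k.endswith("firewallpolicy\\publicprofile") \
                and reg_int(values.get("EnableFirewall", "")) == 0:
            flags.append(("firewall-off", key))
    return flags


if __name__ == "__main__":
    for category, detail in triage(parse_find3m(SAMPLE_FIND3M), parse_reg(SAMPLE_REG)):
        print(f"[{category}] {detail}")
```

Run it on a full ComboFix log by feeding the Find3M and Reg Loading Points sections to the two parsers; on the excerpt above it reports the two scripts in the roaming profile, the four Security Center values set to 1, and the disabled public firewall profile. Whether those are the work of the installed security suite or of something else is what the next step of the cleanup has to establish.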