PC infected, blue screen

Log analysis and disinfection section: malware of all kinds and other unwanted programs. Cleaning requests only. Restricted handling: specialised team.

Moderator: Moderators

Forum rules :arrow: Disinfections are handled by a specific group; not everyone may step in to disinfect machines (rules).
:arrow: The procedures are tailored to each case, do not repeat them on your own machine (explanations).
:arrow: One topic per machine, everyone creates their own. ;)

Re: PC infected, blue screen

Post by Azertybug » 28 May 2010 21:38

Here it is:


Fichier tcpip.sys reçu le 2010.05.28 20:33:35 (UTC)
Antivirus Version Dernière mise à jour Résultat
a-squared 4.5.0.50 2010.05.10 -
AhnLab-V3 2010.05.28.01 2010.05.28 -
AntiVir 8.2.1.242 2010.05.28 -
Antiy-AVL 2.0.3.7 2010.05.26 -
Authentium 5.2.0.5 2010.05.28 -
Avast 4.8.1351.0 2010.05.28 -
Avast5 5.0.332.0 2010.05.28 -
AVG 9.0.0.787 2010.05.28 -
BitDefender 7.2 2010.05.28 -
CAT-QuickHeal 10.00 2010.05.28 -
ClamAV 0.96.0.3-git 2010.05.28 -
Comodo 4942 2010.05.25 -
DrWeb 5.0.2.03300 2010.05.28 -
eSafe 7.0.17.0 2010.05.27 -
eTrust-Vet 35.2.7516 2010.05.28 -
F-Prot 4.6.0.103 2010.05.28 -
F-Secure 9.0.15370.0 2010.05.28 -
Fortinet 4.1.133.0 2010.05.28 -
GData 21 2010.05.28 -
Ikarus T3.1.1.84.0 2010.05.28 -
Jiangmin 13.0.900 2010.05.28 -
Kaspersky 7.0.0.125 2010.05.28 -
McAfee 5.400.0.1158 2010.05.28 -
McAfee-GW-Edition 2010.1 2010.05.28 -
Microsoft 1.5802 2010.05.28 -
NOD32 5154 2010.05.28 -
Norman 6.04.12 2010.05.28 -
nProtect 2010-05-28.01 2010.05.28 -
Panda 10.0.2.7 2010.05.28 -
PCTools 7.0.3.5 2010.05.28 -
Prevx 3.0 2010.05.28 -
Rising 22.49.04.04 2010.05.28 -
Sophos 4.53.0 2010.05.28 -
Sunbelt 6370 2010.05.28 -
Symantec 20101.1.0.89 2010.05.28 -
TheHacker 6.5.2.0.288 2010.05.27 -
TrendMicro 9.120.0.1004 2010.05.28 -
TrendMicro-HouseCall 9.120.0.1004 2010.05.28 -
VBA32 3.12.12.5 2010.05.28 -
ViRobot 2010.5.20.2326 2010.05.28 -
VirusBuster 5.0.27.0 2010.05.28 -
Information additionnelle
File size: 898952 bytes
MD5...: 2eae4500984c2f8dacfb977060300a15
SHA1..: 7847451edc4470b52213fba751851d36f217c19e
SHA256: 43e27ad4d6900e68e8b166547dbd64a909bf7d3b0edc780eeb7a8f81a075e225
ssdeep: 24576:Yzr3Op8rp653zO52pBawrYxEOBUfwuEwrFjONEmMh/K+fhG:A56AUfWNWfA
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0xdd1b9
timedatestamp.....: 0x4b7d2a0b (Thu Feb 18 11:52:43 2010)
machinetype.......: 0x14c (I386)

( 9 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xba84e 0xbaa00 6.56 233e4b70cf57f6a290d3f75e19454932
.rdata 0xbc000 0xaa24 0xac00 5.87 7aa4ef9cd347310c069f7a540cf51e49
.data 0xc7000 0x128fc 0x8200 0.74 58c9af9939179e0a0e281d1c6ff98519
PAGE 0xda000 0x998 0xa00 6.22 72e8de8ee369d01cd6ef014ff57838cf
.edata 0xdb000 0x49 0x200 0.85 51cedc911a69ff94117d6e997538f023
PAGECONS 0xdc000 0x78 0x200 1.24 afcacc4c0f6d2ba7078b4f913fc3757c
INIT 0xdd000 0x3e4a 0x4000 5.86 6af8e1e77533e538f9dbae0ac270390b
.rsrc 0xe1000 0x3e0 0x400 3.35 555db99a4a29b28c0ca58e986a751e21
.reloc 0xe2000 0x6dd8 0x6e00 6.80 657a5131fb53234c2137edc33d8fe1f7

( 8 imports )
> ntoskrnl.exe, NETIO.SYS, NDIS.SYS, FLTMGR.SYS, fwpkclnt.sys, HAL.dll, ksecdd.sys, msrpc.sys (imported function lists omitted)

( 1 exports )
EQoSTestHook
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win64 Executable Generic (87.2%)
Win32 Executable Generic (8.6%)
Generic Win/DOS Executable (2.0%)
DOS Executable Generic (2.0%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
-

Azertybug

Posts: 22
Joined: 27 May 2010 22:32
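The report above is VirusTotal's plain-text output: one row per scanner and a block of hashes for the submitted file. As an added example (not code from the thread or from VirusTotal), the script below parses that format, counts detections, and checks whether a local file actually carries the hashes the report lists; the sample text is a constructed excerpt of the report in the post.

```python
"""Added example (not code from the thread or from VirusTotal): parse the
plain-text scanner table and hash lines of a VirusTotal report, count
detections, and check that a local file is the one the report covers."""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed excerpt of the report in the post: two scanner rows and the
# "Information additionnelle" block with the file's size and hashes.
SAMPLE_REPORT = """Fichier tcpip.sys reçu le 2010.05.28 20:33:35 (UTC)
Antivirus Version Dernière mise à jour Résultat
a-squared 4.5.0.50 2010.05.10 -
AntiVir 8.2.1.242 2010.05.28 -
Information additionnelle
File size: 898952 bytes
MD5...: 2eae4500984c2f8dacfb977060300a15
SHA1..: 7847451edc4470b52213fba751851d36f217c19e
SHA256: 43e27ad4d6900e68e8b166547dbd64a909bf7d3b0edc780eeb7a8f81a075e225
"""

# scanner  version  YYYY.MM.DD  verdict ("-" means nothing found)
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.*\S)\s*$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256)\.*:\s*([0-9a-fA-F]+)\s*$")
SIZE_RE = re.compile(r"^File size:\s*(\d+)\s*bytes")


@dataclass
class VtReport:
    results: Dict[str, str] = field(default_factory=dict)  # scanner -> verdict
    hashes: Dict[str, str] = field(default_factory=dict)   # "md5" -> hex digest
    size: int = -1

    @property
    def detections(self) -> List[str]:
        return [name for name, verdict in self.results.items() if verdict != "-"]

    @property
    def ratio(self) -> str:
        return f"{len(self.detections)}/{len(self.results)}"


def parse_vt_report(text: str) -> VtReport:
    rep = VtReport()
    for line in text.splitlines():
        m = HASH_RE.match(line)
        if m:
            rep.hashes[m.group(1).lower()] = m.group(2).lower()
            continue
        m = SIZE_RE.match(line)
        if m:
            rep.size = int(m.group(1))
            continue
        m = ROW_RE.match(line)
        if m:  # header and free-text lines carry no date token, so they skip
            rep.results[m.group(1)] = m.group(4)
    return rep


def hash_bytes(data: bytes) -> Dict[str, str]:
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def hash_file(path: str) -> Dict[str, str]:
    with open(path, "rb") as fh:
        return hash_bytes(fh.read())


def matches_report(rep: VtReport, local: Dict[str, str]) -> Dict[str, bool]:
    """Per algorithm: does the local file carry the hash the report lists?
    Any False means the report says nothing about the file you actually have
    (a different build of the same driver, or a modified copy)."""
    return {alg: local.get(alg) == digest for alg, digest in rep.hashes.items()}


if __name__ == "__main__":
    report = parse_vt_report(SAMPLE_REPORT)
    print(f"detections: {report.ratio}, size: {report.size} bytes")
    # Constructed bytes, not the driver: every algorithm reports a mismatch.
    print(matches_report(report, hash_bytes(b"constructed sample, not the driver")))
```

Run it on a saved report with `parse_vt_report(open("report.txt").read())` and on the file under suspicion with `hash_file(path)`.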

Re: PC infected, blue screen

Post by Falkra » 28 May 2010 21:46

Perfect.

No more symptoms on your side?
Falkra
Admin libellules.ch

Posts: 24424
Joined: 30 Jan 2005 13:44
Location: 127.0.0.1

Re: PC infected, blue screen

Post by Azertybug » 28 May 2010 21:48

That's perfect.

Thank you very much, Falkra, for your help!!!

It was a pleasure following your instructions!!!
Azertybug

Posts: 22
Joined: 27 May 2010 22:32

Re: PC infected, blue screen

Post by Falkra » 28 May 2010 21:49

It's not finished yet. ;)

Uninstall ComboFix: enter combofix /uninstall in the Run box of the Start menu.
=> combofix space slash uninstall
After that, delete this folder if it still exists:
C:\QooBox

Delete RSIT, and the folder c:\RSIT
Falkra
Admin libellules.ch

Posts: 24424
Joined: 30 Jan 2005 13:44
Location: 127.0.0.1

Re: PC infected, blue screen

Post by Azertybug » 28 May 2010 23:00

In the end, Falkra, I'm sorry, but the main symptom is still there... :(

I ran another AntiVir scan and it found the same rootkit.gen on gkrmr.sys again.

And the same outcome: I tried to delete it, it asks me to reboot, and then the blue screen...
Azertybug

Posts: 22
Joined: 27 May 2010 22:32

Re: PC infected, blue screen

Post by Falkra » 29 May 2010 06:31

Don't try to delete it yourself, otherwise nothing shows up in my reports and it will look clean.

Download MBR Rootkit Detector by gmer and save it to the desktop.

Temporarily disable the protection programs (antivirus, firewall, anti-spyware...).

Double-click mbr.exe; a command prompt window will open and close,
- A report will be generated: mbr.log.

Copy/paste the contents of this log into your reply.
Falkra
Admin libellules.ch

Posts: 24424
Joined: 30 Jan 2005 13:44
Location: 127.0.0.1

Re: PC infected, blue screen

Post by Azertybug » 29 May 2010 09:41

No, I didn't try to delete it myself; it's Avira that asked me "Do you want to delete it, etc."

Here is what Avira shows me systematically after the PC reboots.


The file 'C:\Windows\System32\drivers\gkrmr.sys'
contained a virus or unwanted program 'TR/Rootkit.Gen' [trojan].
Action(s) taken:
Error while creating a backup copy of the file. The file was not deleted. Error code: 26004.
The source file could not be found.
Now attempting to perform the action using the ARK library.
Error in the ARK library.
Unable to locate the file for deletion after the restart. Possible cause: A device attached to the system is not functioning.
.


Otherwise, here's the MBR log:


Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
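How to read an mbr.log, as an added example that is not part of this thread or of Gmer's tool. The detector reads the MBR once through the normal user-mode path and once from the kernel and compares the two ("user & kernel MBR OK" means the copies agree); separately it walks the disk driver stack and prints hooks and any module it cannot attribute. The parser below takes the two logs posted in this thread, copied in as constructed sample strings: the clean standalone mbr.exe run just above, and the hooked output of the MBR check embedded in the second ComboFix report further down (the "called modules ... >>UNKNOWN<<", "detected MBR rootkit hooks" and "possible MBR rootkit infection" lines). Field names and verdict labels are this example's own. One caveat that is my own reading, not something the thread establishes: DAEMON Tools is in the Run key and loads the boot-start sptd driver, which rootkit scanners commonly report as hooking the disk stack, so a "disk-stack-hooked" verdict with matching MBR copies is a reason to look closer, not proof of an MBR rootkit.

```python
"""Interpret Gmer's MBR rootkit detector output (mbr.exe -> mbr.log).

Added example, not code from the thread or from Gmer. The two sample logs
are copied from this thread: CLEAN_LOG is the standalone mbr.exe run,
HOOKED_LOG is the MBR check embedded in the second ComboFix report.
Field names and verdict labels are this example's own convention.
"""
import re

CLEAN_LOG = r"""
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
"""

HOOKED_LOG = r"""
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys spau.sys hal.dll >>UNKNOWN [0x857A4938]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x8ab15322
\Driver\ACPI -> acpi.sys @ 0x8335ed4c
\Driver\atapi -> 0x857ed1f8
\Driver\iaStor -> iaStor.sys @ 0x8a60f0b0
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->Warning: possible MBR rootkit infection !
user & kernel MBR OK
"""

# "\Driver\X -> module.sys @ 0xADDR" or "\Driver\X -> 0xADDR" (no module owns the hook)
HOOK_RE = re.compile(r"^(\\Driver\\\S+)\s+->\s+(?:(\S+)\s+@\s+)?(0x[0-9a-fA-F]+)$")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<")


def parse_mbr_log(text):
    """Reduce one mbr.log to the facts the detector actually established."""
    result = {
        "user_read": False, "kernel_read": False, "mbr_match": False,
        "called_modules": [], "unknown_modules": [], "hooks": [], "warning": False,
    }
    for line in text.splitlines():
        line = line.strip()
        if line == "user: MBR read successfully":
            result["user_read"] = True
        elif line == "kernel: MBR read successfully":
            result["kernel_read"] = True
        elif line == "user & kernel MBR OK":
            result["mbr_match"] = True          # user-mode and kernel copies of the MBR agree
        elif line.startswith("called modules:"):
            tokens = line.split(":", 1)[1].split()
            result["called_modules"] = [t for t in tokens
                                        if not t.startswith(">>") and not t.endswith("<<")]
            result["unknown_modules"] = UNKNOWN_RE.findall(line)   # code nobody claims
        elif "possible MBR rootkit infection" in line:
            result["warning"] = True
        elif m := HOOK_RE.match(line):
            driver, module, addr = m.groups()
            result["hooks"].append({"driver": driver, "module": module, "address": addr})
    return result


def verdict(parsed):
    """Rank what the detector established, most serious first."""
    if not (parsed["user_read"] and parsed["kernel_read"]):
        return "inconclusive"        # could not read the sector both ways
    if not parsed["mbr_match"]:
        return "mbr-mismatch"        # the two MBR copies differ: the stealth-MBR signature
    if parsed["warning"] or parsed["unknown_modules"]:
        return "disk-stack-hooked"   # MBR copies agree, but the path to the disk is hooked
    if parsed["hooks"]:
        return "hooks-only"
    return "clean"


if __name__ == "__main__":
    for label, log in (("standalone mbr.exe", CLEAN_LOG), ("ComboFix MBR check", HOOKED_LOG)):
        p = parse_mbr_log(log)
        print(f"{label}: {verdict(p)}; hooks={len(p['hooks'])} unknown={p['unknown_modules']}")
```

The important distinction is between the MBR comparison and the hook list: an "mbr-mismatch" means the sector the kernel sees differs from what user mode is shown, which is the thing this detector exists to catch, while "disk-stack-hooked" with matching copies only says that something sits between the kernel and the disk and still needs to be attributed to a driver.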

Re: Infected PC, blue screen

Post by Falkra » 29 May 2010 13:34

Disable Avira while you do these steps.

I'm going to ask you to do another pass with Combofix, the same way as before. Then post the report and wait for instructions without taking any initiative of your own.
Disable AntiVir so it doesn't interfere with the detections, even after combofix's reboot, until further notice.

Re: Infected PC, blue screen

Post by Azertybug » 29 May 2010 15:19

Yep, so I just ran combofix, with avira disabled.
Still just as many blue screens though, it's alarming.

ComboFix 10-05-28.08 - Maxime 29/05/2010 15:51:18.2.2 - x86
6.0.6001.1.1252.33.1036.18.3036.1872 [GMT 2:00]
Launched from: c:\users\Maxime\Desktop\ComboFix.exe
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((( Files created from 2010-04-28 to 2010-05-29 ))))))))))))))))))))))))))))))))))))
.

2010-05-29 13:59 . 2010-05-29 13:59 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-05-29 13:59 . 2010-05-29 13:59 -------- d-----w- c:\users\postgres\AppData\Local\temp
2010-05-29 13:59 . 2010-05-29 13:59 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-05-28 19:55 . 2010-05-28 19:57 -------- d-----w- c:\program files\trend micro
2010-05-28 19:54 . 2010-05-28 19:57 -------- d-----w- C:\rsit
2010-05-28 18:43 . 2010-05-29 13:59 -------- d-----w- c:\users\Maxime\AppData\Local\temp
2010-05-27 19:12 . 2010-05-27 19:12 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-05-27 19:12 . 2010-05-29 08:36 -------- d-----w- c:\users\Maxime\AppData\Roaming\skypePM
2010-05-27 19:11 . 2010-05-29 13:49 -------- d-----w- c:\users\Maxime\AppData\Roaming\Skype
2010-05-27 19:10 . 2010-05-27 19:10 -------- d-----w- c:\program files\Common Files\Skype
2010-05-27 19:10 . 2010-05-27 19:11 -------- d-----r- c:\program files\Skype
2010-05-27 19:10 . 2010-05-27 19:10 -------- d-----w- c:\programdata\Skype
2010-05-27 02:29 . 2010-05-28 18:49 680 ----a-w- c:\users\Maxime\AppData\Local\d3d9caps.dat
2010-05-26 23:51 . 2010-05-26 23:51 -------- d-----w- c:\users\Maxime\AppData\Roaming\Malwarebytes
2010-05-26 23:44 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-26 23:44 . 2010-05-26 23:44 -------- d-----w- c:\programdata\Malwarebytes
2010-05-26 23:44 . 2010-05-26 23:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-26 23:44 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-26 08:53 . 2010-04-23 13:55 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-24 16:59 . 2010-05-24 17:00 -------- d-----w- c:\program files\CodeBlocks
2010-05-24 16:31 . 2010-05-28 18:00 -------- d-----w- c:\users\Maxime\AppData\Roaming\codeblocks
2010-05-24 11:14 . 2010-05-12 09:21 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-23 17:57 . 2010-05-23 18:01 -------- d-----w- c:\windows\avxoscan
2010-05-23 17:53 . 2010-05-23 17:53 -------- d-----w- c:\program files\ToniArts
2010-05-23 14:31 . 2010-05-23 17:50 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-05-23 14:31 . 2010-05-23 14:35 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-05-23 13:56 . 2010-05-23 14:12 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-05-23 13:56 . 2009-03-30 08:32 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-05-23 13:55 . 2010-05-23 13:55 -------- d-----w- c:\programdata\Avira
2010-05-23 13:55 . 2010-05-23 13:55 -------- d-----w- c:\program files\Avira
2010-05-22 05:58 . 2010-05-22 05:58 48388 ----a-w- c:\programdata\Blizzard Entertainment\Battle.net\Cache\Download\Scan.dll
2010-05-13 16:36 . 2010-05-13 16:36 -------- d-----w- c:\users\Maxime\AppData\Local\Neuf
2010-05-13 16:35 . 2010-05-13 16:35 -------- d-----w- c:\program files\SFR
2010-05-12 11:48 . 2010-01-29 16:21 738304 ----a-w- c:\windows\system32\inetcomm.dll
2010-05-08 10:13 . 2010-05-28 18:26 -------- d-----w- c:\users\Maxime\AppData\Roaming\mIRC
2010-05-08 10:13 . 2010-05-28 15:45 -------- d-----w- c:\program files\mIRC
2010-04-30 16:31 . 2010-05-22 05:58 -------- d-----w- c:\programdata\Blizzard Entertainment
2010-04-30 16:31 . 2010-05-22 05:58 -------- d-----w- c:\program files\StarCraft II bêta
2010-04-30 16:31 . 2010-04-30 16:34 -------- d-----w- c:\users\Maxime\AppData\Local\Blizzard Entertainment
2010-04-30 13:58 . 2010-04-30 16:30 -------- d-----w- c:\users\Maxime\StarCraft II Beta frFR 13891 Installer

.
(((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-29 13:45 . 2009-08-22 02:53 111866 ----a-w- c:\programdata\nvModes.dat
2010-05-29 09:20 . 2009-12-29 22:15 -------- d-----w- c:\program files\Full Tilt Poker
2010-05-27 22:52 . 2010-01-08 20:42 -------- d-----w- c:\users\Maxime\AppData\Roaming\vlc
2010-05-23 23:33 . 2008-01-21 02:23 57400 ----a-w- c:\windows\system32\drivers\mountmgr.sys
2010-05-23 18:15 . 2010-01-08 12:38 -------- d-----w- c:\program files\BitComet
2010-05-23 17:53 . 2009-08-21 12:01 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-23 14:17 . 2009-08-21 12:10 -------- d-----w- c:\programdata\McAfee
2010-05-22 05:58 . 2010-04-30 16:31 -------- d-----w- c:\program files\StarCraft II bêta
2010-05-19 11:00 . 2009-08-21 10:31 726808 ----a-w- c:\windows\system32\perfh00C.dat
2010-05-19 11:00 . 2009-08-21 10:31 147276 ----a-w- c:\windows\system32\perfc00C.dat
2010-05-16 02:49 . 2010-01-05 18:13 1 ----a-w- c:\users\Maxime\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-05-13 01:18 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-05-13 01:03 . 2009-12-25 01:08 -------- d-----w- c:\programdata\Microsoft Help
2010-05-01 15:24 . 2010-04-28 12:38 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2010-04-28 12:37 . 2010-04-28 12:37 -------- d-----w- c:\programdata\Blizzard
2010-04-28 01:03 . 2009-12-25 01:14 -------- d-----w- c:\program files\Microsoft SQL Server
2010-04-27 10:26 . 2009-12-25 01:14 104608 ----a-w- c:\users\Maxime\AppData\Local\GDIPFONTCACHEV1.DAT
2010-04-27 01:09 . 2009-12-25 01:12 -------- d-----w- c:\program files\Microsoft Works
2010-04-23 11:16 . 2010-04-23 11:16 -------- d-----w- c:\program files\Microsoft
2010-04-23 11:16 . 2010-04-23 11:16 -------- d-----w- c:\program files\Windows Live
2010-04-23 11:16 . 2010-04-23 11:16 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-04-23 11:12 . 2010-04-23 11:12 -------- d-----w- c:\program files\Common Files\Windows Live
2010-04-13 22:52 . 2010-04-13 22:51 -------- d-----w- c:\program files\Scid
2010-04-13 18:25 . 2010-04-13 18:25 -------- d-----w- c:\program files\Napoleon Total War
2010-04-13 04:54 . 2010-01-09 15:04 -------- d-----w- c:\program files\Electronic Arts
2010-04-13 04:54 . 2010-01-09 12:31 -------- d-----w- c:\programdata\Electronic Arts
2010-04-12 21:43 . 2010-04-12 21:43 -------- d-----w- c:\program files\AGEIA Technologies
2010-04-02 22:12 . 2010-04-02 22:12 0 ----a-w- c:\windows\nsreg.dat
2010-03-09 16:28 . 2010-03-31 09:17 833024 ----a-w- c:\windows\system32\wininet.dll
2010-03-09 16:25 . 2010-03-31 09:17 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-09 14:01 . 2010-03-31 09:17 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2010-03-06 11:55 . 2010-03-06 11:55 10134 ----a-r- c:\users\Maxime\AppData\Roaming\Microsoft\Installer\{14291118-0C19-45EA-A4FA-5C1C0F5FDE09}\ARPPRODUCTICON.exe
2010-03-04 18:54 . 2010-04-14 10:36 430080 ----a-w- c:\windows\system32\vbscript.dll
2009-12-29 20:43 . 2009-12-29 20:43 456 ----a-w- c:\program files\application.prefs
2009-11-24 16:33 . 2009-11-24 16:33 145831 ----a-w- c:\program files\uninstall.dat
2009-11-24 16:27 . 2009-11-24 16:27 52640 ----a-w- c:\program files\ab.dat
2009-11-24 16:11 . 2009-11-24 16:11 394 ----a-w- c:\program files\tpdef.dat
2009-11-24 16:11 . 2009-11-24 16:11 3696 ----a-w- c:\program files\bdef.dat
2009-11-24 16:11 . 2009-11-24 16:11 0 ----a-w- c:\program files\Aft.bin
2009-11-24 16:10 . 2009-11-24 16:10 44697 ----a-w- c:\program files\preferences.orig
.

((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-08-21 39408]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"Neuf Media Center"="c:\program files\SFR\Media Center\MediaCenter.exe" [2008-10-10 726336]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-05-13 26192168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-09 13797920]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-04-21 7420448]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-28 1049896]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-10 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-11 148888]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

c:\users\Maxime\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]
Outil de détection de support PMB.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2010-3-6 333088]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3884614433-1468724993-2082915548-1000]
"EnableNotificationsRef"=dword:00000001

R0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-01-08 691696]
R2 gupdate;Service Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-28 135664]
S2 AntiVirSchedulerService;Avira AntiVir Planificateur;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-05-23 108289]
S2 KMDFMEMIO;SAMSUNG Kernel Driver;c:\windows\system32\DRIVERS\kmdfmemio.sys [2006-11-14 13312]
S2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [2009-03-13 65536]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]


--- Other Services/Drivers In Memory ---

*Deregistered* - gkrmr
.
Contents of the 'Scheduled Tasks' folder

2010-05-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-28 22:42]

2010-05-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-28 22:42]

2010-05-29 c:\windows\Tasks\User_Feed_Synchronization-{553C56B5-FB09-421E-A5CA-F9DF20FEC0C6}.job
- c:\windows\system32\msfeedssync.exe [2008-01-21 02:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.fr/
IE: E&xporter vers Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: Tout télécharger avec BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: Télécharger avec BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: Télécharger toutes les vidéos avec BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: {{898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
TCP: {B5346DE7-1B33-4394-9FFA-81A0075B4611} = 91.188.60.223,8.8.8.8
FF - ProfilePath - c:\users\Maxime\AppData\Roaming\Mozilla\Firefox\Profiles\cv54or57.default\
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX SETTINGS ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

BHO-{6D617C60-5C47-4CE1-9795-2712AE49AF88} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-29 15:59
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\gkrmr]

.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\RNG*]
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
.
Finish time: 2010-05-29 16:03:31
ComboFix-quarantined-files.txt 2010-05-29 14:03
ComboFix2.txt 2010-05-28 18:56

Before CF: 3,142,594,560 bytes free
After CF: 2,900,398,080 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 1DD4FAC22E690FEE41D51097C8225116
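A triage pass over a ComboFix report of the kind posted above, as an added example that is not code from this thread or from ComboFix. REPORT is a constructed excerpt stitching together lines copied from that report, with section headers given in English: the policies key with EnableLUA=0, the driver/service lines, the *Deregistered* entry, the catchme block with its hidden-file count, and the Services key printed after it. The regexes, the section boundaries and the severity scale are this example's own convention; the line formats are whatever ComboFix 10-05-28.08 printed. The point it makes is the one the thread turns on: a driver that is *Deregistered*, has no service line with a file behind it, and has its Services key surfaced by the rootkit scan is the entry to go after, even though catchme itself reports zero hidden files.

```python
"""Triage a ComboFix report for the signs discussed in this thread.

Added example, not code from the thread or from ComboFix. REPORT is a
constructed excerpt that stitches together lines copied from the report
above (section headers given in English); the regexes, the section
boundaries and the severity scale are this example's own convention.
"""
import re

REPORT = r"""
ComboFix 10-05-28.08 - Maxime 29/05/2010 15:51:18.2.2 - x86

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

R0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-01-08 691696]
R2 gupdate;Service Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-28 135664]
S2 AntiVirSchedulerService;Avira AntiVir Planificateur;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-05-23 108289]
S2 KMDFMEMIO;SAMSUNG Kernel Driver;c:\windows\system32\DRIVERS\kmdfmemio.sys [2006-11-14 13312]

--- Other Services/Drivers In Memory ---

*Deregistered* - gkrmr
.
**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-29 15:59
Windows 6.0.6001 Service Pack 1 NTFS

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\gkrmr]

.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\RNG*]
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
"""

# "R0 name;display name;path [yyyy-mm-dd size]" as ComboFix prints services/drivers
SERVICE_RE = re.compile(r"^([RS][0-4])\s+([^;]+);([^;]*);(.+?)\s+\[(\d{4}-\d{2}-\d{2})\s+(\d+)\]$")
DEREG_RE = re.compile(r"^\*Deregistered\*\s+-\s+(\S+)$")
SERVICES_KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet\d+\\Services\\([^\]]+)\]$",
                             re.IGNORECASE)
HIDDEN_RE = re.compile(r"^hidden files:\s*(\d+)$", re.IGNORECASE)
LUA_RE = re.compile(r'^"EnableLUA"\s*=\s*(\d+)')
SEVERITY_ORDER = {"high": 0, "medium": 1, "info": 2}


def parse_report(text):
    """Pull the facts this triage needs out of a ComboFix report."""
    parsed = {"services": {}, "deregistered": [], "rootkit_keys": [],
              "hidden_files": None, "enable_lua": None}
    in_rootkit = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("catchme "):
            in_rootkit = True       # catchme banner opens the rootkit-scan block
        elif line.startswith("-----"):
            in_rootkit = False      # next dashed header (LOCKED REGISTRY KEYS) closes it
        if m := SERVICE_RE.match(line):
            start, name, display, path, date, size = m.groups()
            parsed["services"][name.lower()] = {"start": start, "display": display,
                                                "path": path, "date": date, "size": int(size)}
        elif m := DEREG_RE.match(line):
            parsed["deregistered"].append(m.group(1))
        elif (m := SERVICES_KEY_RE.match(line)) and in_rootkit:
            parsed["rootkit_keys"].append(m.group(1))   # service key surfaced by the rootkit scan
        elif m := HIDDEN_RE.match(line):
            parsed["hidden_files"] = int(m.group(1))
        elif m := LUA_RE.match(line):
            parsed["enable_lua"] = int(m.group(1))
    return parsed


def triage(parsed):
    """Turn the parsed facts into (severity, message) findings, worst first."""
    findings = []
    services, dereg = parsed["services"], parsed["deregistered"]
    for name in dereg:
        svc = services.get(name.lower())
        if svc is None:
            findings.append(("high", f"{name}: *Deregistered* and no service line shows a file for it"))
        else:
            findings.append(("medium", f"{name}: *Deregistered* although a service line exists ({svc['path']})"))
    for name in parsed["rootkit_keys"]:
        sev = "high" if name in dereg else "medium"
        findings.append((sev, f"{name}: Services key printed in the rootkit-scan section"))
    if parsed["enable_lua"] == 0:
        findings.append(("medium", "UAC is off (EnableLUA=0): an admin user's processes all run with full rights"))
    if parsed["hidden_files"]:
        findings.append(("high", f"catchme found {parsed['hidden_files']} hidden file(s)"))
    elif parsed["hidden_files"] == 0:
        findings.append(("info", "catchme found 0 hidden files; that alone does not clear a driver the AV could not open"))
    for name, svc in services.items():
        if svc["start"] == "R0":   # boot-start kernel driver: loaded before any scanner runs
            findings.append(("info", f"{name}: boot-start kernel driver ({svc['path']}); confirm it belongs to installed software"))
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[0]])


if __name__ == "__main__":
    for sev, msg in triage(parse_report(REPORT)):
        print(f"[{sev:6}] {msg}")
```

Run it on a full report saved from C:\ComboFix.txt by reading the file into `parse_report` instead of REPORT; the regexes only look at the service lines, the *Deregistered* block, the catchme block and the policies key, so the long file listings pass through untouched.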

Re: Infected PC, blue screen

Post by Falkra » 29 May 2010 15:23

What follows is for this machine, and this machine only.
Do not use it on any other machine: dangerous.



  • Download the CFscript.txt file from this site:
    http://senduit.com/5dcb89
  • Put it on the desktop, next to the combofix icon.
  • Drag and drop this CFscript file onto ComboFix.exe, as in this example
[image: CFscript.txt being dragged onto ComboFix.exe]
  • Wait while the scan runs. The desktop will disappear several times: that's normal! Don't touch anything until the scan is finished.
  • Once the scan is complete, a report will open: post its contents.
  • If the file doesn't open, it's here > C:\ComboFix.txt

Re: Infected PC, blue screen

Post by Azertybug » 29 May 2010 16:13

No blue screen on reboot; sending the report:

ComboFix 10-05-28.08 - Maxime 29/05/2010 16:49:04.3.2 - x86
6.0.6001.1.1252.33.1036.18.3036.1856 [GMT 2:00]
Launched from: c:\users\Maxime\Desktop\ComboFix.exe
Switches used :: c:\users\Maxime\Desktop\CFscript.txt
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

FILE ::
"c:\windows\system32\Drivers\gkrmr.sys"
.

(((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\Drivers\gkrmr.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_GKRMR
-------\Service_gkrmr


((((((((((((((((((((((((((((( Files created from 2010-04-28 to 2010-05-29 ))))))))))))))))))))))))))))))))))))
.

2010-05-29 14:57 . 2010-05-29 14:57 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-05-29 14:57 . 2010-05-29 14:57 -------- d-----w- c:\users\postgres\AppData\Local\temp
2010-05-29 14:57 . 2010-05-29 14:57 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-05-28 19:55 . 2010-05-28 19:57 -------- d-----w- c:\program files\trend micro
2010-05-28 19:54 . 2010-05-28 19:57 -------- d-----w- C:\rsit
2010-05-28 18:43 . 2010-05-29 14:59 -------- d-----w- c:\users\Maxime\AppData\Local\temp
2010-05-27 19:12 . 2010-05-27 19:12 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-05-27 19:12 . 2010-05-29 14:18 -------- d-----w- c:\users\Maxime\AppData\Roaming\skypePM
2010-05-27 19:11 . 2010-05-29 14:58 -------- d-----w- c:\users\Maxime\AppData\Roaming\Skype
2010-05-27 19:10 . 2010-05-27 19:10 -------- d-----w- c:\program files\Common Files\Skype
2010-05-27 19:10 . 2010-05-27 19:11 -------- d-----r- c:\program files\Skype
2010-05-27 19:10 . 2010-05-27 19:10 -------- d-----w- c:\programdata\Skype
2010-05-27 02:29 . 2010-05-29 14:11 680 ----a-w- c:\users\Maxime\AppData\Local\d3d9caps.dat
2010-05-26 23:51 . 2010-05-26 23:51 -------- d-----w- c:\users\Maxime\AppData\Roaming\Malwarebytes
2010-05-26 23:44 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-26 23:44 . 2010-05-26 23:44 -------- d-----w- c:\programdata\Malwarebytes
2010-05-26 23:44 . 2010-05-26 23:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-26 23:44 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-26 08:53 . 2010-04-23 13:55 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-24 16:59 . 2010-05-24 17:00 -------- d-----w- c:\program files\CodeBlocks
2010-05-24 16:31 . 2010-05-28 18:00 -------- d-----w- c:\users\Maxime\AppData\Roaming\codeblocks
2010-05-24 11:14 . 2010-05-12 09:21 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-23 17:57 . 2010-05-23 18:01 -------- d-----w- c:\windows\avxoscan
2010-05-23 17:53 . 2010-05-23 17:53 -------- d-----w- c:\program files\ToniArts
2010-05-23 14:31 . 2010-05-23 17:50 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-05-23 14:31 . 2010-05-23 14:35 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-05-23 13:56 . 2010-05-23 14:12 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-05-23 13:56 . 2009-03-30 08:32 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-05-23 13:55 . 2010-05-23 13:55 -------- d-----w- c:\programdata\Avira
2010-05-23 13:55 . 2010-05-23 13:55 -------- d-----w- c:\program files\Avira
2010-05-13 16:36 . 2010-05-13 16:36 -------- d-----w- c:\users\Maxime\AppData\Local\Neuf
2010-05-13 16:35 . 2010-05-13 16:35 -------- d-----w- c:\program files\SFR
2010-05-12 11:48 . 2010-01-29 16:21 738304 ----a-w- c:\windows\system32\inetcomm.dll
2010-05-08 10:13 . 2010-05-28 18:26 -------- d-----w- c:\users\Maxime\AppData\Roaming\mIRC
2010-05-08 10:13 . 2010-05-28 15:45 -------- d-----w- c:\program files\mIRC
2010-04-30 16:31 . 2010-05-22 05:58 -------- d-----w- c:\programdata\Blizzard Entertainment
2010-04-30 16:31 . 2010-05-22 05:58 -------- d-----w- c:\program files\StarCraft II bêta
2010-04-30 16:31 . 2010-04-30 16:34 -------- d-----w- c:\users\Maxime\AppData\Local\Blizzard Entertainment
2010-04-30 13:58 . 2010-04-30 16:30 -------- d-----w- c:\users\Maxime\StarCraft II Beta frFR 13891 Installer

.
(((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-29 14:59 . 2009-08-22 02:53 111866 ----a-w- c:\programdata\nvModes.dat
2010-05-29 09:20 . 2009-12-29 22:15 -------- d-----w- c:\program files\Full Tilt Poker
2010-05-27 22:52 . 2010-01-08 20:42 -------- d-----w- c:\users\Maxime\AppData\Roaming\vlc
2010-05-23 23:33 . 2008-01-21 02:23 57400 ----a-w- c:\windows\system32\drivers\mountmgr.sys
2010-05-23 18:15 . 2010-01-08 12:38 -------- d-----w- c:\program files\BitComet
2010-05-23 17:53 . 2009-08-21 12:01 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-23 14:17 . 2009-08-21 12:10 -------- d-----w- c:\programdata\McAfee
2010-05-22 05:58 . 2010-05-22 05:58 48388 ----a-w- c:\programdata\Blizzard Entertainment\Battle.net\Cache\Download\Scan.dll
2010-05-22 05:58 . 2010-04-30 16:31 -------- d-----w- c:\program files\StarCraft II bêta
2010-05-19 11:00 . 2009-08-21 10:31 726808 ----a-w- c:\windows\system32\perfh00C.dat
2010-05-19 11:00 . 2009-08-21 10:31 147276 ----a-w- c:\windows\system32\perfc00C.dat
2010-05-16 02:49 . 2010-01-05 18:13 1 ----a-w- c:\users\Maxime\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-05-13 01:18 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-05-13 01:03 . 2009-12-25 01:08 -------- d-----w- c:\programdata\Microsoft Help
2010-05-01 15:24 . 2010-04-28 12:38 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2010-04-28 12:37 . 2010-04-28 12:37 -------- d-----w- c:\programdata\Blizzard
2010-04-28 01:03 . 2009-12-25 01:14 -------- d-----w- c:\program files\Microsoft SQL Server
2010-04-27 10:26 . 2009-12-25 01:14 104608 ----a-w- c:\users\Maxime\AppData\Local\GDIPFONTCACHEV1.DAT
2010-04-27 01:09 . 2009-12-25 01:12 -------- d-----w- c:\program files\Microsoft Works
2010-04-23 11:16 . 2010-04-23 11:16 -------- d-----w- c:\program files\Microsoft
2010-04-23 11:16 . 2010-04-23 11:16 -------- d-----w- c:\program files\Windows Live
2010-04-23 11:16 . 2010-04-23 11:16 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-04-23 11:12 . 2010-04-23 11:12 -------- d-----w- c:\program files\Common Files\Windows Live
2010-04-13 22:52 . 2010-04-13 22:51 -------- d-----w- c:\program files\Scid
2010-04-13 18:25 . 2010-04-13 18:25 -------- d-----w- c:\program files\Napoleon Total War
2010-04-13 04:54 . 2010-01-09 15:04 -------- d-----w- c:\program files\Electronic Arts
2010-04-13 04:54 . 2010-01-09 12:31 -------- d-----w- c:\programdata\Electronic Arts
2010-04-12 21:43 . 2010-04-12 21:43 -------- d-----w- c:\program files\AGEIA Technologies
2010-04-02 22:12 . 2010-04-02 22:12 0 ----a-w- c:\windows\nsreg.dat
2010-03-09 16:28 . 2010-03-31 09:17 833024 ----a-w- c:\windows\system32\wininet.dll
2010-03-09 16:25 . 2010-03-31 09:17 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-09 14:01 . 2010-03-31 09:17 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2010-03-06 11:55 . 2010-03-06 11:55 10134 ----a-r- c:\users\Maxime\AppData\Roaming\Microsoft\Installer\{14291118-0C19-45EA-A4FA-5C1C0F5FDE09}\ARPPRODUCTICON.exe
2010-03-04 18:54 . 2010-04-14 10:36 430080 ----a-w- c:\windows\system32\vbscript.dll
2009-12-29 20:43 . 2009-12-29 20:43 456 ----a-w- c:\program files\application.prefs
2009-11-24 16:33 . 2009-11-24 16:33 145831 ----a-w- c:\program files\uninstall.dat
2009-11-24 16:27 . 2009-11-24 16:27 52640 ----a-w- c:\program files\ab.dat
2009-11-24 16:11 . 2009-11-24 16:11 394 ----a-w- c:\program files\tpdef.dat
2009-11-24 16:11 . 2009-11-24 16:11 3696 ----a-w- c:\program files\bdef.dat
2009-11-24 16:11 . 2009-11-24 16:11 0 ----a-w- c:\program files\Aft.bin
2009-11-24 16:10 . 2009-11-24 16:10 44697 ----a-w- c:\program files\preferences.orig
.

((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-08-21 39408]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"Neuf Media Center"="c:\program files\SFR\Media Center\MediaCenter.exe" [2008-10-10 726336]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-05-13 26192168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-09 13797920]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-04-21 7420448]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-28 1049896]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-10 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-11 148888]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

c:\users\Maxime\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]
Outil de détection de support PMB.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2010-3-6 333088]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3884614433-1468724993-2082915548-1000]
"EnableNotificationsRef"=dword:00000001

S2 AntiVirSchedulerService;Avira AntiVir Planificateur;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-05-23 108289]

.
Contents of the 'Scheduled Tasks' folder

2010-05-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-28 22:42]

2010-05-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-28 22:42]

2010-05-29 c:\windows\Tasks\User_Feed_Synchronization-{553C56B5-FB09-421E-A5CA-F9DF20FEC0C6}.job
- c:\windows\system32\msfeedssync.exe [2008-01-21 02:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.fr/
IE: E&xporter vers Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: Tout télécharger avec BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: Télécharger avec BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: Télécharger toutes les vidéos avec BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: {{898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
TCP: {B5346DE7-1B33-4394-9FFA-81A0075B4611} = 91.188.60.223,8.8.8.8
FF - ProfilePath - c:\users\Maxime\AppData\Roaming\Mozilla\Firefox\Profiles\cv54or57.default\
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX SETTINGS ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHELINS SUPPRIMES - - - -

BHO-{6D617C60-5C47-4CE1-9795-2712AE49AF88} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-29 17:01
Windows 6.0.6001 Service Pack 1 NTFS

Recherche de processus cachés ...

Recherche d'éléments en démarrage automatique cachés ...

Recherche de fichiers cachés ...

Scan terminé avec succès
Fichiers cachés: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys spau.sys hal.dll >>UNKNOWN [0x857A4938]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x8ab15322
\Driver\ACPI -> acpi.sys @ 0x8335ed4c
\Driver\atapi -> 0x857ed1f8
\Driver\iaStor -> iaStor.sys @ 0x8a60f0b0
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- CLES DE REGISTRE BLOQUEES ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\RNG*]
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
.
------------------------ Autres processus actifs ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\nvvsvc.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Samsung\Samsung Magic Doctor\MagicDoctorKbdHk.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Samsung\Samsung Update Plus\SUPBackground.exe
c:\windows\system32\conime.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Spybot - Search & Destroy\SDWinSec.exe
c:\windows\servicing\TrustedInstaller.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Heure de fin: 2010-05-29 17:08:58 - La machine a redémarré
ComboFix-quarantined-files.txt 2010-05-29 15:08
ComboFix2.txt 2010-05-29 14:03
ComboFix3.txt 2010-05-28 18:56

Avant-CF: 1 518 100 480 octets libres
Après-CF: 1 266 622 464 octets libres

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 2748BA7D3D408B2E99A98CC8E3F3B6B3
Azertybug
Posts: 22
Joined: 27 May 2010 22:32

Re: PC infected, blue screen

Post by Falkra » 29 May 2010 16:23

OK, I'll give you one more script to finish up.

http://senduit.com/b633ad
Falkra
Admin libellules.ch
Posts: 24424
Joined: 30 Jan 2005 13:44
Location: 127.0.0.1

Re: PC infected, blue screen

Post by Azertybug » 29 May 2010 17:01

Here it is:
However, it gave me an error message, and right away it rebooted and launched the ComboFix scan, so I don't know whether it properly took the script into account; in any case, I did as you told me:

ComboFix 10-05-28.08 - Maxime 29/05/2010 17:40:43.4.2 - x86
6.0.6001.1.1252.33.1036.18.3036.2216 [GMT 2:00]
Lancé depuis: c:\users\Maxime\Desktop\ComboFix.exe
Commutateurs utilisés :: c:\users\Maxime\Desktop\CFscript.txt
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

FILE ::
"c:\windows\system32\Drivers\gkrmr.sys"
.

((((((((((((((((((((((((((((( Fichiers créés du 2010-04-28 au 2010-05-29 ))))))))))))))))))))))))))))))))))))
.

2010-05-29 15:49 . 2010-05-29 15:49 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-05-29 15:49 . 2010-05-29 15:49 -------- d-----w- c:\users\postgres\AppData\Local\temp
2010-05-29 15:49 . 2010-05-29 15:49 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-05-28 19:55 . 2010-05-28 19:57 -------- d-----w- c:\program files\trend micro
2010-05-28 19:54 . 2010-05-28 19:57 -------- d-----w- C:\rsit
2010-05-28 18:43 . 2010-05-29 15:51 -------- d-----w- c:\users\Maxime\AppData\Local\temp
2010-05-27 19:12 . 2010-05-27 19:12 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-05-27 19:12 . 2010-05-29 14:18 -------- d-----w- c:\users\Maxime\AppData\Roaming\skypePM
2010-05-27 19:11 . 2010-05-29 15:49 -------- d-----w- c:\users\Maxime\AppData\Roaming\Skype
2010-05-27 19:10 . 2010-05-27 19:10 -------- d-----w- c:\program files\Common Files\Skype
2010-05-27 19:10 . 2010-05-27 19:11 -------- d-----r- c:\program files\Skype
2010-05-27 19:10 . 2010-05-27 19:10 -------- d-----w- c:\programdata\Skype
2010-05-27 02:29 . 2010-05-29 14:11 680 ----a-w- c:\users\Maxime\AppData\Local\d3d9caps.dat
2010-05-26 23:51 . 2010-05-26 23:51 -------- d-----w- c:\users\Maxime\AppData\Roaming\Malwarebytes
2010-05-26 23:44 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-26 23:44 . 2010-05-26 23:44 -------- d-----w- c:\programdata\Malwarebytes
2010-05-26 23:44 . 2010-05-26 23:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-26 23:44 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-26 08:53 . 2010-04-23 13:55 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-24 16:59 . 2010-05-24 17:00 -------- d-----w- c:\program files\CodeBlocks
2010-05-24 16:31 . 2010-05-28 18:00 -------- d-----w- c:\users\Maxime\AppData\Roaming\codeblocks
2010-05-24 11:14 . 2010-05-12 09:21 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-23 17:57 . 2010-05-23 18:01 -------- d-----w- c:\windows\avxoscan
2010-05-23 17:53 . 2010-05-23 17:53 -------- d-----w- c:\program files\ToniArts
2010-05-23 14:31 . 2010-05-23 17:50 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-05-23 14:31 . 2010-05-23 14:35 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-05-23 13:56 . 2010-05-23 14:12 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-05-23 13:56 . 2009-03-30 08:32 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-05-23 13:55 . 2010-05-23 13:55 -------- d-----w- c:\programdata\Avira
2010-05-23 13:55 . 2010-05-23 13:55 -------- d-----w- c:\program files\Avira
2010-05-13 16:36 . 2010-05-13 16:36 -------- d-----w- c:\users\Maxime\AppData\Local\Neuf
2010-05-13 16:35 . 2010-05-13 16:35 -------- d-----w- c:\program files\SFR
2010-05-12 11:48 . 2010-01-29 16:21 738304 ----a-w- c:\windows\system32\inetcomm.dll
2010-05-08 10:13 . 2010-05-28 18:26 -------- d-----w- c:\users\Maxime\AppData\Roaming\mIRC
2010-05-08 10:13 . 2010-05-28 15:45 -------- d-----w- c:\program files\mIRC
2010-04-30 16:31 . 2010-05-22 05:58 -------- d-----w- c:\programdata\Blizzard Entertainment
2010-04-30 16:31 . 2010-05-22 05:58 -------- d-----w- c:\program files\StarCraft II bêta
2010-04-30 16:31 . 2010-04-30 16:34 -------- d-----w- c:\users\Maxime\AppData\Local\Blizzard Entertainment
2010-04-30 13:58 . 2010-04-30 16:30 -------- d-----w- c:\users\Maxime\StarCraft II Beta frFR 13891 Installer

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-29 15:50 . 2009-08-22 02:53 111866 ----a-w- c:\programdata\nvModes.dat
2010-05-29 09:20 . 2009-12-29 22:15 -------- d-----w- c:\program files\Full Tilt Poker
2010-05-27 22:52 . 2010-01-08 20:42 -------- d-----w- c:\users\Maxime\AppData\Roaming\vlc
2010-05-23 23:33 . 2008-01-21 02:23 57400 ----a-w- c:\windows\system32\drivers\mountmgr.sys
2010-05-23 18:15 . 2010-01-08 12:38 -------- d-----w- c:\program files\BitComet
2010-05-23 17:53 . 2009-08-21 12:01 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-23 14:17 . 2009-08-21 12:10 -------- d-----w- c:\programdata\McAfee
2010-05-22 05:58 . 2010-05-22 05:58 48388 ----a-w- c:\programdata\Blizzard Entertainment\Battle.net\Cache\Download\Scan.dll
2010-05-22 05:58 . 2010-04-30 16:31 -------- d-----w- c:\program files\StarCraft II bêta
2010-05-19 11:00 . 2009-08-21 10:31 726808 ----a-w- c:\windows\system32\perfh00C.dat
2010-05-19 11:00 . 2009-08-21 10:31 147276 ----a-w- c:\windows\system32\perfc00C.dat
2010-05-16 02:49 . 2010-01-05 18:13 1 ----a-w- c:\users\Maxime\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-05-13 01:18 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-05-13 01:03 . 2009-12-25 01:08 -------- d-----w- c:\programdata\Microsoft Help
2010-05-01 15:24 . 2010-04-28 12:38 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2010-04-28 12:37 . 2010-04-28 12:37 -------- d-----w- c:\programdata\Blizzard
2010-04-28 01:03 . 2009-12-25 01:14 -------- d-----w- c:\program files\Microsoft SQL Server
2010-04-27 10:26 . 2009-12-25 01:14 104608 ----a-w- c:\users\Maxime\AppData\Local\GDIPFONTCACHEV1.DAT
2010-04-27 01:09 . 2009-12-25 01:12 -------- d-----w- c:\program files\Microsoft Works
2010-04-23 11:16 . 2010-04-23 11:16 -------- d-----w- c:\program files\Microsoft
2010-04-23 11:16 . 2010-04-23 11:16 -------- d-----w- c:\program files\Windows Live
2010-04-23 11:16 . 2010-04-23 11:16 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-04-23 11:12 . 2010-04-23 11:12 -------- d-----w- c:\program files\Common Files\Windows Live
2010-04-13 22:52 . 2010-04-13 22:51 -------- d-----w- c:\program files\Scid
2010-04-13 18:25 . 2010-04-13 18:25 -------- d-----w- c:\program files\Napoleon Total War
2010-04-13 04:54 . 2010-01-09 15:04 -------- d-----w- c:\program files\Electronic Arts
2010-04-13 04:54 . 2010-01-09 12:31 -------- d-----w- c:\programdata\Electronic Arts
2010-04-12 21:43 . 2010-04-12 21:43 -------- d-----w- c:\program files\AGEIA Technologies
2010-04-02 22:12 . 2010-04-02 22:12 0 ----a-w- c:\windows\nsreg.dat
2010-03-09 16:28 . 2010-03-31 09:17 833024 ----a-w- c:\windows\system32\wininet.dll
2010-03-09 16:25 . 2010-03-31 09:17 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-09 14:01 . 2010-03-31 09:17 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2010-03-06 11:55 . 2010-03-06 11:55 10134 ----a-r- c:\users\Maxime\AppData\Roaming\Microsoft\Installer\{14291118-0C19-45EA-A4FA-5C1C0F5FDE09}\ARPPRODUCTICON.exe
2010-03-04 18:54 . 2010-04-14 10:36 430080 ----a-w- c:\windows\system32\vbscript.dll
2009-12-29 20:43 . 2009-12-29 20:43 456 ----a-w- c:\program files\application.prefs
2009-11-24 16:33 . 2009-11-24 16:33 145831 ----a-w- c:\program files\uninstall.dat
2009-11-24 16:27 . 2009-11-24 16:27 52640 ----a-w- c:\program files\ab.dat
2009-11-24 16:11 . 2009-11-24 16:11 394 ----a-w- c:\program files\tpdef.dat
2009-11-24 16:11 . 2009-11-24 16:11 3696 ----a-w- c:\program files\bdef.dat
2009-11-24 16:11 . 2009-11-24 16:11 0 ----a-w- c:\program files\Aft.bin
2009-11-24 16:10 . 2009-11-24 16:10 44697 ----a-w- c:\program files\preferences.orig
.

((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-08-21 39408]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"Neuf Media Center"="c:\program files\SFR\Media Center\MediaCenter.exe" [2008-10-10 726336]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-05-13 26192168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-09 13797920]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-04-21 7420448]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-28 1049896]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-10 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-11 148888]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

c:\users\Maxime\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]
Outil de détection de support PMB.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2010-3-6 333088]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3884614433-1468724993-2082915548-1000]
"EnableNotificationsRef"=dword:00000001

R2 gupdate;Service Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-28 135664]
R2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [2009-03-13 65536]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-01-08 691696]
S2 AntiVirSchedulerService;Avira AntiVir Planificateur;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-05-23 108289]
S2 KMDFMEMIO;SAMSUNG Kernel Driver;c:\windows\system32\DRIVERS\kmdfmemio.sys [2006-11-14 13312]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]

.
Contenu du dossier 'Tâches planifiées'

2010-05-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-28 22:42]

2010-05-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-28 22:42]

2010-05-29 c:\windows\Tasks\User_Feed_Synchronization-{553C56B5-FB09-421E-A5CA-F9DF20FEC0C6}.job
- c:\windows\system32\msfeedssync.exe [2008-01-21 02:24]
.
.
------- Examen supplémentaire -------
.
uStart Page = hxxp://www.google.fr/
IE: E&xporter vers Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: Tout télécharger avec BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: Télécharger avec BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: Télécharger toutes les vidéos avec BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: {{898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
TCP: {B5346DE7-1B33-4394-9FFA-81A0075B4611} = 91.188.60.223,8.8.8.8
FF - ProfilePath - c:\users\Maxime\AppData\Roaming\Mozilla\Firefox\Profiles\cv54or57.default\
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- PARAMETRES FIREFOX ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHELINS SUPPRIMES - - - -

BHO-{6D617C60-5C47-4CE1-9795-2712AE49AF88} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-29 17:50
Windows 6.0.6001 Service Pack 1 NTFS

Recherche de processus cachés ...

Recherche d'éléments en démarrage automatique cachés ...

Recherche de fichiers cachés ...

Scan terminé avec succès
Fichiers cachés: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys speh.sys hal.dll >>UNKNOWN [0x853A7938]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x8a5a5322
\Driver\ACPI -> acpi.sys @ 0x82f64d4c
\Driver\atapi -> 0x853f01f8
\Driver\iaStor -> iaStor.sys @ 0x8a0af0b0
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- CLES DE REGISTRE BLOQUEES ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\RNG*]
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
.
------------------------ Autres processus actifs ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\nvvsvc.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Samsung\Samsung Magic Doctor\MagicDoctorKbdHk.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\program files\Samsung\Samsung Update Plus\SUPBackground.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\conime.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\servicing\TrustedInstaller.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\iPod\bin\iPodService.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\program files\Mozilla Firefox\firefox.exe
c:\program files\Skype\Toolbars\Shared\SkypeNames2.exe
c:\windows\system32\DllHost.exe
.
**************************************************************************
.
Heure de fin: 2010-05-29 18:00:25 - La machine a redémarré
ComboFix-quarantined-files.txt 2010-05-29 16:00
ComboFix2.txt 2010-05-29 15:08
ComboFix3.txt 2010-05-29 14:03
ComboFix4.txt 2010-05-28 18:56

Avant-CF: 1 191 407 616 octets libres
Après-CF: 1 164 296 192 octets libres

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - A53AB8A687996EBF356AC5C38DEBFD01
Azertybug
Posts: 22
Joined: 27 May 2010 22:32

Re: PC infected, blue screen

Post by Falkra » 29 May 2010 17:07

That looks OK now.
Download MBR Rootkit Detector from gmer and save it to the desktop.

Temporarily disable the protection programs (antivirus, firewall, anti-spyware...)

Double-click mbr.exe; a command prompt window will open and close again,
- A report will be generated: mbr.log.

Copy/paste the contents of that log into your reply.
Falkra
Admin libellules.ch
Posts: 24424
Joined: 30 Jan 2005 13:44
Location: 127.0.0.1

Re: PC infected, blue screen

Post by Azertybug » 29 May 2010 17:29

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK


I didn't get a blue screen on the last reboot, I'll keep you posted.

I hope it's fixed; in any case, thanks a lot for everything. :)
Azertybug
Posts: 22
Joined: 27 May 2010 22:32
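The two mbr.exe reports in this thread differ in exactly the lines a responder looks for: an `>>UNKNOWN [...]<<` entry in the called modules, a `\Driver\...` hook resolving to a bare address with no module name, and the `Warning:` line, all absent from the clean run. The triage helper below is an added example, not part of this thread or of GMER's tools; it parses that report format, and its verdict rules (`triage`, `MbrTriage`, `Hook` are names chosen here) are this example's own heuristic. The two sample reports are the ones pasted above.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed samples: the two mbr.exe reports pasted in this thread, the first
# embedded in the ComboFix log, the second from the stand-alone mbr.exe run.
REPORT_DURING_CLEANUP = r"""Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys speh.sys hal.dll >>UNKNOWN [0x853A7938]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x8a5a5322
\Driver\ACPI -> acpi.sys @ 0x82f64d4c
\Driver\atapi -> 0x853f01f8
\Driver\iaStor -> iaStor.sys @ 0x8a0af0b0
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->Warning: possible MBR rootkit infection !
user & kernel MBR OK
"""

REPORT_AFTER_CLEANUP = r"""Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
"""

# "\Driver\X -> module.sys @ 0xADDR" or, for an unresolved hook, "\Driver\X -> 0xADDR"
HOOK_RE = re.compile(r"^(\\Driver\\\S+) -> (?:(\S+) @ )?(0x[0-9A-Fa-f]+)$")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")

@dataclass
class Hook:
    driver: str           # e.g. \Driver\atapi
    module: str | None    # module the hook lands in; None when only a bare address
    address: str

@dataclass
class MbrTriage:
    mbr_consistent: bool = False
    unknown_modules: list[str] = field(default_factory=list)
    hooks: list[Hook] = field(default_factory=list)
    warnings: list[str] = field(default_factory=list)

    @property
    def unresolved_hooks(self) -> list[Hook]:
        # A hook whose target is not inside any named module is the interesting
        # one: code living in an anonymous kernel allocation rather than a driver.
        return [h for h in self.hooks if h.module is None]

    @property
    def verdict(self) -> str:
        if self.warnings or self.unknown_modules or self.unresolved_hooks:
            return "suspicious"
        return "clean" if self.mbr_consistent else "inconclusive"

def triage(report: str) -> MbrTriage:
    """Parse one mbr.exe report; the verdict rules are this example's own heuristic."""
    result = MbrTriage()
    in_hooks = False
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("called modules:"):
            result.unknown_modules.extend(UNKNOWN_RE.findall(line))
        elif line == "detected MBR rootkit hooks:":
            in_hooks = True
        elif in_hooks and (m := HOOK_RE.match(line)):
            result.hooks.append(Hook(m.group(1), m.group(2), m.group(3)))
        elif "Warning:" in line:
            in_hooks = False
            result.warnings.append(line.split("Warning:", 1)[1].strip())
        elif line == "user & kernel MBR OK":
            # Only states that the user-mode and kernel-mode reads of sector 0
            # agree; it does not cancel the hooks or unknown modules listed above.
            result.mbr_consistent = True
    return result
```

Note that "user & kernel MBR OK" appears in both reports: on its own it is not a clean bill of health, which is why the helper weighs the hook and module lines first.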

Re: PC infected, blue screen

Post by Falkra » 29 May 2010 20:50

OK, that's fine now, and it shouldn't come back; re-enable the antivirus as before, and so on.
At worst it may alert on System Restore or on ComboFix's quarantine, which would be expected and not worrying.

Wait a bit and keep an eye on it, to see whether it stays stable.
Falkra
Admin libellules.ch
Posts: 24424
Joined: 30 Jan 2005 13:44
Location: 127.0.0.1

Re: PC infected, blue screen

Post by Azertybug » 30 May 2010 09:32

OK, I'll keep an eye on it, thanks a lot. :)
Azertybug
Posts: 22
Joined: 27 May 2010 22:32
