Libellules.ch - forum d'informatique • Sites internets non demandés : Désinfections et demandes d'analyse

par **malkolm** » 28 Aoû 2009 09:27

Bonjour,

Depuis hier, lorsque je clique sur un lien qui m'intérresse, après une recherche google, je tombe de temps en temps sur un site bidon qui n'a rien a voir avec ce que j'ai demandé.

Par exemple je clique sur "comment ça marche.com" et je tombe sur des conneries, je reviens sur google, je re clique sur le lien et la ça fonctionne, bizar non???

De plus de puis hier quand ça a commencé à faire ça, j'ai eu deuyx écran bleu avec reboot, alors que ça ne m'arrive jamais.

Qu'en pensez vous?

Merci d'avance

par **Falkra** » 28 Aoû 2009 09:33

Bonjour,

Pour voir ce qui tourne sur ta machine et pouvoir nettoyer éventuellement les infections présentes, il nous faut faire quelques tests. Voici comment démarrer.
:arrow:

Poste un rapport Hijackthis (v2.0.2) dans ta prochaine réponse stp :
Voici un tuto avec les liens nécessaires :
Poster un rapport HijackThis

par **malkolm** » 28 Aoû 2009 09:46

Merci, voici le rapport.

Je trouve que mon ordi a ralenti aussi.

le rapport:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:45:24, on 28/08/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\GerbMagic\gbxsvc.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\StacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\tlntsvr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\DellTPad\Apoint.exe
C:\WINDOWS\vsnpstd.exe
C:\Program Files\SuperCopier2\SuperCopier2.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\RK Launcher\RKLauncher.exe
C:\WINDOWS\Alt+Q Hotkey.exe
C:\Program Files\UberIcon\UberIcon Manager.exe
C:\Program Files\WinRoll\winroll.exe
C:\Program Files\YzShadow\YzShadow.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla thunderbird\thunderbird.exe
C:\Program Files\Safari\Safari.exe
D:\Home\jhautcoe\Bureau\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxyconf.univ-rennes1.fr/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Aide pour le lien d'Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Programme d'aide de l'Assistant de connexion Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [Netlogon] C:\Program Files\pGina\Netlogon.cmd
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [System Files Updater] C:\WINDOWS\FlyakiteOSX\Tools\System Files Updater.exe /S
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKCU\..\Run: [SuperCopier2.exe] C:\Program Files\SuperCopier2\SuperCopier2.exe
O4 - HKCU\..\Run: [RK Launcher] C:\Program Files\RK Launcher\RKLauncher.exe
O4 - HKCU\..\Run: [Alt+Q Hotkey Tool] C:\WINDOWS\Alt+Q Hotkey.exe
O4 - HKCU\..\Run: [UberIcon] "C:\Program Files\UberIcon\UberIcon Manager.exe"
O4 - HKCU\..\Run: [WinRoll] C:\Program Files\WinRoll\winroll.exe
O4 - HKCU\..\Run: [Yz Shadow] C:\Program Files\YzShadow\YzShadow.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PDFill PDF Editor - {FB858B22-55E2-413f-87F5-30ADC5552151} - C:\Program Files\PlotSoft\PDFill\DownloadPDF.exe
O14 - IERESET.INF: START_PAGE_URL=http://portail.univ-rennes1.fr
O16 - DPF: Garmin Communicator Plug-In - https://my.garmin.com/static/m/cab/2.6. ... ontrol.CAB
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\SKYPE4~1.DLL
O23 - Service: Service Bonjour (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Fichiers communs\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: gbxsvc - Unknown owner - C:\Program Files\GerbMagic\gbxsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Service de l'iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\StacSV.exe
O23 - Service: VNC Server (winvnc) - www.ultravnc.fr - C:\Program Files\UltraVNC\WinVNC.exe

--
End of file - 8381 bytes

par **Falkra** » 28 Aoû 2009 09:53

Télécharge Malwarebytes' Anti-Malware (MBAM)
Si ça ne se télécharge pas, que tu es redirigé, ou que MBAM ne démarre pas, signale-le moi : c'est un symptôme.

Double clique sur le fichier téléchargé pour lancer le processus d'installation.
Dans l'onglet "Mise à jour", clique sur le bouton "Recherche de mise à jour": si le pare-feu demande l'autorisation à MBAM de se connecter, accepte.
Une fois la mise à jour terminée, rends-toi dans l'onglet "Recherche".
Sélectionne "Exécuter un examen rapide"
Clique sur "Rechercher"
L'analyse démarre.
A la fin de l'analyse (mais ce n'est pas fini), un message s'affiche :
L'examen s'est terminé normalement. Clique sur 'Afficher les résultats' pour afficher tous les objets trouvés.

Clique sur "Ok" pour poursuivre. Si MBAM n'a rien trouvé, il te le dira aussi. N'oublie pas la suite.
Ferme tes navigateurs.
Si des malwares ont été détectés, clique sur Afficher les résultats.
Sélectionne tout (ou laisse coché) et clique sur Supprimer la sélection, MBAM va détruire les fichiers et clés de registre et en mettre une copie dans la quarantaine.
MBAM va ouvrir le Bloc-notes et y copier le rapport d'analyse. Copie-colle ce rapport et poste-le dans ta prochaine réponse.

NB : Si MBAM te demande à redémarrer, fais-le.

par **malkolm** » 28 Aoû 2009 10:04

Voilà:

Malwarebytes' Anti-Malware 1.40
Version de la base de données: 2708
Windows 5.1.2600 Service Pack 2

28/08/2009 11:02:49
mbam-log-2009-08-28 (11-02-49).txt

Type de recherche: Examen rapide
Eléments examinés: 99545
Temps écoulé: 3 minute(s), 47 second(s)

Processus mémoire infecté(s): 0
Module(s) mémoire infecté(s): 0
Clé(s) du Registre infectée(s): 0
Valeur(s) du Registre infectée(s): 0
Elément(s) de données du Registre infecté(s): 1
Dossier(s) infecté(s): 0
Fichier(s) infecté(s): 2

Processus mémoire infecté(s):
(Aucun élément nuisible détecté)

Module(s) mémoire infecté(s):
(Aucun élément nuisible détecté)

Clé(s) du Registre infectée(s):
(Aucun élément nuisible détecté)

Valeur(s) du Registre infectée(s):
(Aucun élément nuisible détecté)

Elément(s) de données du Registre infecté(s):
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (notepad.exe \"%1\") Good: (regedit.exe "%1") -> Quarantined and deleted successfully.

Dossier(s) infecté(s):
(Aucun élément nuisible détecté)

Fichier(s) infecté(s):
C:\WINDOWS\system32\cmdow.exe (Malware.Tool) -> Quarantined and deleted successfully.
C:\Documents and Settings\jhautcoe\Application Data\RBXML550.dll (Trojan.Agent) -> Quarantined and deleted successfully.

par **Falkra** » 28 Aoû 2009 10:08

Est-ce que ce script est de toi ou sur le PC depuis toujours :

O4 - HKLM\..\Run: [Netlogon] C:\Program Files\pGina\Netlogon.cmd

par **malkolm** » 28 Aoû 2009 10:09

En fait c'est un PC de boulot et je crois que c'est pour me loger lorsque je démarre l'ordi

par **Falkra** » 28 Aoû 2009 10:11

Ok, ça c'est en effet typique d'un PC de boulot, pour accéder au réseaux (locaux et extérieurs) on n'y touche pas.

Télécharge Gmer.
Dézippe le dans un dossier ou sur ton bureau.

Double-clique sur Gmer.exe.

NB : Si une alerte de ton antivirus apparaît pour le fichier gmer.sys ou gmer.exe, laisse le s'exécuter.

Clique sur l'onglet rootkit/malware (déjà actif).
A droite, coche Processes, Files , Registry et Services uniquement.
Clique maintenant sur Scan.

Lorsque le scan est terminé, clique sur Copy.

Ouvre le Bloc-notes puis clique sur le Menu Edition / Coller.
Le rapport doit alors apparaître.
Enregistre le fichier sur ton bureau et copie/colle son contenu dans ta prochaine réponse.

par **malkolm** » 28 Aoû 2009 10:20

GMER 1.0.15.15077 [gmer.exe] - http://www.gmer.net
Rootkit scan 2009-08-28 11:19:24
Windows 5.1.2600 Service Pack 2

---- Files - GMER 1.0.15 ----

File C:\AR300GD K82 (0).jpg 0 bytes
File C:\AR300GD K82 (1).jpg 0 bytes
File C:\AR300GD K82 (10).jpg 0 bytes
File C:\AR300GD K82 (11).jpg 0 bytes
File C:\AR300GD K82 (2).jpg 0 bytes
File C:\AR300GD K82 (3).jpg 0 bytes
File C:\AR300GD K82 (4).jpg 0 bytes
File C:\AR300GD K82 (5).jpg 0 bytes
File C:\AR300GD K82 (6).jpg 0 bytes
File C:\AR300GD K82 (7).jpg 0 bytes
File C:\AR300GD K82 (8).jpg 0 bytes
File C:\AR300GD K82 (9).jpg 0 bytes

---- EOF - GMER 1.0.15 ----

par **Falkra** » 28 Aoû 2009 10:22

Ca te le fait toujours, avec Google ?

par **malkolm** » 28 Aoû 2009 10:23

Mon disque est partitionné il y a mon C et aussi D et U, ça n'a pas été scanné c'est normal, ou je doit les scanné aussi?
C et U sont pour les données.

par **malkolm** » 28 Aoû 2009 10:24

oui ça vient de me le faire 2 fois en testant

par **Falkra** » 28 Aoû 2009 10:25

Ok, merci pour les précisions. :-D

Pas besoin de scanner les autres, pour ce truc là.

Le logiciel qui suit n'est à utiliser que prescrit par un helper qualifié et formé à l'outil.
Ne pas utiliser en dehors de ce cas de figure ou seul : dangereux. Suis bien les instructions : outil dangereux si mal utilisé.

Télécharge combofix.exe de sUBs et sauvegarde le sur ton bureau (et pas ailleurs).

Assure toi que tous les programmes sont fermés avant de commencer.
Désactive l'antivirus, sinon combofix va te mettre un message (sinon, dis ok au message).
Double-clique combofix.exe afin de l'exécuter.
Clique sur "Oui" au message de Limitation de Garantie qui s'affiche.
Si on te propose de redémarrer parc qu'un rootkit a été trouvé, fais-le.
On va te proposer de télécharger et installer la console de récupération, clique sur "Oui" au message, autorise le téléchargement dans ton firewall si demandé, puis accepte le message de contrat utilisateur final.
Le bureau disparaît, c'est normal, et il va revenir.
Ne ferme pas la fenêtre qui s'ouvre, tu te retrouverais avec un bureau vide.
Lorsque l'analyse sera terminée, un rapport apparaîtra.
Copie-colle ce rapport dans ta prochaine réponse.
Le rapport se trouve dans : C:\Combofix.txt (si jamais).

par **malkolm** » 28 Aoû 2009 10:29

je ferme safari pour faire ça?

Je vais coller les instructions dans le bloc note je peux le laisser ouvert?

par **Falkra** » 28 Aoû 2009 10:30

Tu peux te faire un petit bloc-notes, mais il sera fermé tout seul au bout d'un moment.

Ferme le navigateur oui, et désactive l'antivirus. Combofix redémarrera la machine, de toute façon.

par **malkolm** » 28 Aoû 2009 10:32

Je n'arrive pas a fermé l'antivirus, Mc Afee entreprise, je le laisse?

par **Falkra** » 28 Aoû 2009 10:54

Il faut juste le désactiver, ça doit se trouver au menu du clic droit sur son icône près de l'horloge.

par **malkolm** » 28 Aoû 2009 11:17

Voilà

ComboFix 09-08-27.A0 - jhautcoe 28/08/2009 12:01.2.2 - NTFSx86
Microsoft Windows XP Professionnel 5.1.2600.2.1252.33.1036.18.990.669 [GMT 2:00]
Running from: d:\home\jhautcoe\Bureau\ComboFix.exe
AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
* Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\Installer\PhotoFiltre.msi
c:\windows\Readme.txt
c:\windows\system32\blat.exe
c:\windows\system32\drivers\etc\lmhosts
c:\windows\system32\drivers\kbiwkmxrmlakoe.sys
c:\windows\system32\kbiwkmgybobloy.dll
c:\windows\system32\kbiwkmhylkiese.dll
c:\windows\system32\kbiwkmosswexum.dat
c:\windows\system32\kbiwkmxrgvxvjl.dat

----- BITS: Possible infected sites -----

hxxp://wsus.univ-rennes1.fr
Infected copy of c:\windows\system32\ntkrnlpa.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\ntkrpamp.exe

Infected copy of c:\windows\system32\ntoskrnl.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\ntkrnlmp.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_kbiwkmqbuyagdq
-------\Legacy_kbiwkmqbuyagdq

((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-28 )))))))))))))))))))))))))))))))
.

2009-08-28 08:57 . 2009-08-28 08:57 -------- d-----w- c:\documents and settings\jhautcoe\Application Data\Malwarebytes
2009-08-28 08:57 . 2009-08-03 11:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-28 08:57 . 2009-08-28 08:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-28 08:57 . 2009-08-28 08:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-28 08:57 . 2009-08-03 11:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-25 12:42 . 2009-08-25 13:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-25 12:42 . 2009-08-25 12:46 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-23 23:08 . 2009-08-23 23:08 -------- d-----w- c:\windows\ServicePackFiles
2009-08-02 08:55 . 2009-08-02 08:56 1962544 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
2009-08-02 08:55 . 2009-08-02 15:27 -------- d-----w- c:\program files\NOS
2009-08-02 08:55 . 2009-08-02 15:27 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-28 09:59 . 2008-07-07 14:06 -------- d-----w- c:\program files\SuperCopier2
2009-08-28 09:46 . 2008-06-25 10:12 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-08-25 20:01 . 2009-03-14 13:28 -------- d-----w- c:\documents and settings\jhautcoe\Application Data\uTorrent
2009-08-25 13:05 . 2008-07-16 13:07 -------- d-----w- c:\program files\CCleaner
2009-08-18 08:08 . 2008-07-17 15:03 -------- d-----w- c:\program files\Tiger System Preferences v2
2009-08-17 15:39 . 2008-06-25 11:59 60548 -c--a-w- c:\windows\system32\nvModes.dat
2009-08-15 18:50 . 2008-10-09 14:31 -------- d-----w- c:\documents and settings\jhautcoe\Application Data\dvdcss
2009-08-14 17:20 . 2008-12-10 16:10 -------- d-----w- c:\documents and settings\jhautcoe\Application Data\FileZilla
2009-08-05 09:06 . 1980-01-01 00:00 205312 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 15:09 . 2008-08-23 19:58 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-07-17 18:56 . 1980-01-01 00:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-16 12:07 . 2008-07-08 07:54 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-16 12:06 . 2008-07-08 07:48 -------- d-----w- c:\program files\Ansoft
2009-07-14 19:03 . 2009-07-14 19:03 -------- d-----w- c:\documents and settings\jhautcoe\Application Data\GARMIN
2009-07-13 00:18 . 1980-01-01 00:00 233472 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-08 14:51 . 2009-07-08 14:51 -------- d-----w- c:\documents and settings\jhautcoe\Application Data\gtk-2.0
2009-07-08 14:51 . 2009-07-08 14:51 -------- d-----w- c:\documents and settings\jhautcoe\Application Data\Inkscape
2009-07-07 11:33 . 2009-07-06 15:00 -------- d-----w- c:\program files\MediaCoder
2009-07-02 17:13 . 2008-07-10 16:39 39252 -c-ha-w- c:\windows\system32\mlfcache.dat
2009-07-02 17:13 . 2008-07-07 13:04 52040 -c--a-w- c:\documents and settings\jhautcoe\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-02 14:27 . 2009-07-02 14:27 -------- d-----w- c:\documents and settings\jhautcoe\Application Data\Design Science
2009-07-02 14:27 . 2009-07-02 14:27 -------- d-----w- c:\program files\MathType
2009-06-29 15:57 . 1980-01-01 00:00 804864 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 15:57 . 1980-01-01 00:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 15:57 . 1980-01-01 00:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-25 18:36 . 1980-01-01 00:00 95744 ----a-w- c:\windows\system32\mqsec.dll
2009-06-25 18:36 . 1980-01-01 00:00 661504 ----a-w- c:\windows\system32\mqqm.dll
2009-06-25 18:36 . 1980-01-01 00:00 653312 ----a-w- c:\windows\system32\mqutil.dll
2009-06-25 18:36 . 1980-01-01 00:00 517120 ----a-w- c:\windows\system32\mqsnap.dll
2009-06-25 18:36 . 1980-01-01 00:00 48640 ----a-w- c:\windows\system32\mqupgrd.dll
2009-06-25 18:36 . 1980-01-01 00:00 186880 ----a-w- c:\windows\system32\mqtrig.dll
2009-06-25 18:36 . 1980-01-01 00:00 177152 ----a-w- c:\windows\system32\mqrt.dll
2009-06-25 18:36 . 1980-01-01 00:00 123392 ----a-w- c:\windows\system32\mqrtdep.dll
2009-06-25 18:36 . 1980-01-01 00:00 47104 ----a-w- c:\windows\system32\mqdscli.dll
2009-06-25 18:36 . 1980-01-01 00:00 225280 ----a-w- c:\windows\system32\mqoa.dll
2009-06-25 18:36 . 1980-01-01 00:00 16896 ----a-w- c:\windows\system32\mqise.dll
2009-06-25 18:36 . 1980-01-01 00:00 138240 ----a-w- c:\windows\system32\mqad.dll
2009-06-25 08:44 . 1980-01-01 00:00 731136 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:44 . 1980-01-01 00:00 59392 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:44 . 1980-01-01 00:00 56320 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:44 . 1980-01-01 00:00 168448 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:44 . 1980-01-01 00:00 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:44 . 1980-01-01 00:00 298496 ----a-w- c:\windows\system32\kerberos.dll
2009-06-22 11:49 . 1980-01-01 00:00 19968 ----a-w- c:\windows\system32\mqbkup.exe
2009-06-22 11:49 . 1980-01-01 00:00 117248 ----a-w- c:\windows\system32\mqtgsvc.exe
2009-06-22 11:49 . 1980-01-01 00:00 4608 ----a-w- c:\windows\system32\mqsvc.exe
2009-06-22 11:48 . 1980-01-01 00:00 91776 ----a-w- c:\windows\system32\drivers\mqac.sys
2009-06-22 11:34 . 1980-01-01 00:00 92544 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 18:24 . 1980-01-01 00:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:54 . 1980-01-01 00:00 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-15 11:27 . 1980-01-01 00:00 82944 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-15 11:27 . 1980-01-01 00:00 95744 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:23 . 1980-01-01 00:00 85504 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:30 . 1980-01-01 00:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-05 07:46 . 2008-06-25 10:00 647680 ----a-w- c:\windows\system32\mstscax.dll
2009-06-03 19:27 . 1980-01-01 00:00 1296896 ----a-w- c:\windows\system32\quartz.dll
2006-05-03 10:06 . 2009-03-19 13:19 163328 -csh--r- c:\windows\system32\flvDX.dll
2007-02-21 11:47 . 2009-03-19 13:19 31232 -csh--r- c:\windows\system32\msfDX.dll
2008-03-16 13:30 . 2009-03-19 13:19 216064 -csh--r- c:\windows\system32\nbDX.dll
.

------- Sigcheck -------

[7] 2005-03-02 18:20 578048 C34920EB988CE98910BD6B0417F334EB c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
[7] 2007-03-08 15:50 579072 4D88AAF39ADABFE45958EA1384E2C4FF c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
[7] 2007-03-08 15:37 578560 753354F594809A9B96F73999B435A533 c:\windows\FlyakiteOSX\Backup\user32.dll
[-] 2007-03-08 15:37 578560 2ED0A71B1A374BAF75D2301637307278 c:\windows\system32\user32.dll
[-] 2007-03-08 15:37 578560 2ED0A71B1A374BAF75D2301637307278 c:\windows\system32\dllcache\user32.dll

[7] 2005-01-27 17:12 662016 66A10B98F18FD804236AB2D90301DE04 c:\windows\$hf_mig$\KB867282\SP2QFE\wininet.dll
[7] 2007-01-04 14:02 669184 114342601AC7EA73B0D2A0ED8505B8B9 c:\windows\$hf_mig$\KB928090\SP2QFE\wininet.dll
[7] 2008-04-21 06:57 670720 F2F343D7ED0223645BA773B840EB4993 c:\windows\$hf_mig$\KB950759\SP2QFE\wininet.dll
[7] 2008-04-21 06:43 670208 7AF7D7D178F2863E7E7C880B55C88B76 c:\windows\$hf_mig$\KB950759\SP3GDR\wininet.dll
[7] 2008-04-21 06:30 670720 82B3264706B9921C67B196319FDA51DE c:\windows\$hf_mig$\KB950759\SP3QFE\wininet.dll
[7] 2008-04-23 07:19 827392 78D3D2B0BE6AD3E6D82CCB115CF74310 c:\windows\$hf_mig$\KB950759-IE7\SP2QFE\wininet.dll
[7] 2008-10-16 19:33 827904 37D1A1BFE3D9904F2C3D11592456F9C0 c:\windows\$hf_mig$\KB958215-IE7\SP2QFE\wininet.dll
[7] 2008-12-20 23:47 827904 4E192082A5FCE9EF19198A24CDEA3442 c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\wininet.dll
[7] 2009-03-03 00:15 828416 39F71B559A97ED722F939A0EA7235323 c:\windows\$hf_mig$\KB963027-IE7\SP3QFE\wininet.dll
[7] 2009-04-29 04:37 828928 754097815B575A721AB58B1C55476805 c:\windows\$hf_mig$\KB969897-IE7\SP3QFE\wininet.dll
[7] 2009-06-29 16:13 828928 71333B8101B10CDEC4D58D949C97D3BA c:\windows\$hf_mig$\KB972260-IE7\SP3QFE\wininet.dll
[7] 2007-01-04 13:55 663040 25D38FFA2B441E326850AE4CB67D1A91 c:\windows\$NtUninstallKB950759$\wininet.dll
[7] 2009-06-29 15:57 827392 9620CC3780D7279A48D3556860813587 c:\windows\FlyakiteOSX\Backup\wininet.dll
[7] 2008-04-21 07:02 663552 355A69CC05045428CE6B9E6BFBD4B74B c:\windows\ie7\wininet.dll
[-] 2007-08-13 16:54 796160 A5D8EDCB248F693C98CBD8B8E751B53D c:\windows\ie7updates\KB950759-IE7\wininet.dll
[-] 2008-04-23 04:16 803840 8B4159AC94CF3CE4CB84050E99E31ABA c:\windows\ie7updates\KB958215-IE7\wininet.dll
[-] 2008-10-16 20:18 803840 90F5566D91F5C03F68FC7D52285CDB24 c:\windows\ie7updates\KB961260-IE7\wininet.dll
[-] 2008-12-20 22:47 803840 2361337ECA88195727A9F4BBE35F3871 c:\windows\ie7updates\KB963027-IE7\wininet.dll
[-] 2009-03-03 00:13 803840 1D724723AD8369A93595EA33F74EBA8D c:\windows\ie7updates\KB969897-IE7\wininet.dll
[-] 2009-04-29 04:45 804864 742CD66E7457A3902077516AF3D730D2 c:\windows\ie7updates\KB972260-IE7\wininet.dll
[7] 2009-06-29 15:57 827392 9620CC3780D7279A48D3556860813587 c:\windows\SoftwareDistribution\Download\0be3474a722486e9050d650f16addaad\SP3GDR\wininet.dll
[7] 2009-06-29 16:13 828928 71333B8101B10CDEC4D58D949C97D3BA c:\windows\SoftwareDistribution\Download\0be3474a722486e9050d650f16addaad\SP3QFE\wininet.dll
[-] 2009-06-29 15:57 804864 3DD3E16E9A612AB61DB85358B629259F c:\windows\system32\wininet.dll
[-] 2009-06-29 15:57 804864 3DD3E16E9A612AB61DB85358B629259F c:\windows\system32\dllcache\wininet.dll

[-] 2007-06-13 13:22 1370112 156EF4C52B6F6BDA067945215EEA7A5C c:\windows\explorer.exe
[7] 2007-06-13 13:10 1037312 B795475444D6D57A572C14B9E1A29839 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[7] 2004-08-19 16:09 1036288 2A7BD330924252A2FD80344FC949BB72 c:\windows\$NtUninstallKB938828$\explorer.exe
[7] 2007-06-13 13:22 1037312 D0288319660EDCFED07C7E74C4EA38A5 c:\windows\FlyakiteOSX\Backup\explorer.exe
[-] 2007-06-13 13:22 1370112 156EF4C52B6F6BDA067945215EEA7A5C c:\windows\system32\dllcache\explorer.exe

[7] 2005-01-27 07:12 3008000 2003C448DA234D22A9A5F676D9BC6D13 c:\windows\$hf_mig$\KB867282\SP2QFE\mshtml.dll
[7] 2007-01-04 04:02 3083264 1703F708C9D604CDD3D8C199861DC2E4 c:\windows\$hf_mig$\KB928090\SP2QFE\mshtml.dll
[7] 2008-04-21 06:57 3087872 57BC3BE475F34AE089878A016C2CA46E c:\windows\$hf_mig$\KB950759\SP2QFE\mshtml.dll
[7] 2008-04-21 06:43 3087872 840E79E91BCCD80B2FC3CCAD2C60B35A c:\windows\$hf_mig$\KB950759\SP3GDR\mshtml.dll
[7] 2008-04-21 06:30 3088384 B3CD09A5DBD2A569ADFA8654E3C8879D c:\windows\$hf_mig$\KB950759\SP3QFE\mshtml.dll
[7] 2008-04-23 07:19 3593728 EBF0440323874DDF97EF0CEC2D6DC9F4 c:\windows\$hf_mig$\KB950759-IE7\SP2QFE\mshtml.dll
[7] 2008-10-16 19:33 3595264 EB75C0C66C633D0EFD0176450F8857F8 c:\windows\$hf_mig$\KB958215-IE7\SP2QFE\mshtml.dll
[7] 2008-12-13 06:27 3594752 CB7922B3AD4BC5BBEDA130F6C9E0656A c:\windows\$hf_mig$\KB960714-IE7\SP2QFE\mshtml.dll
[7] 2009-01-16 16:20 3596288 F386435C5E0A5D86E9F90B659D4F6075 c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\mshtml.dll
[7] 2009-02-21 06:48 3596800 D79AEC545A98057155099FB69BB3C4D3 c:\windows\$hf_mig$\KB963027-IE7\SP3QFE\mshtml.dll
[7] 2009-04-29 08:07 3598336 246F148CD2E4F5AE164C1890D0A06420 c:\windows\$hf_mig$\KB969897-IE7\SP3QFE\mshtml.dll
[7] 2009-07-19 13:21 3600384 73FFE289F14EDFBB22429E88ACF17016 c:\windows\$hf_mig$\KB972260-IE7\SP3QFE\mshtml.dll
[7] 2007-01-04 13:55 3077632 3B65C31DD93571252D99E33D042A97C7 c:\windows\$NtUninstallKB950759$\mshtml.dll
[7] 2009-07-19 16:59 3597824 0E396FC8AED9D3D550DB38152F6A4FC7 c:\windows\FlyakiteOSX\Backup\mshtml.dll
[7] 2008-04-21 07:02 3080704 FEACD6E84244125550219C6795348FDE c:\windows\ie7\mshtml.dll
[-] 2007-08-13 16:54 3488768 010D490112C3995B3350AA74C18F2083 c:\windows\ie7updates\KB950759-IE7\mshtml.dll
[-] 2008-04-23 20:16 3502080 85773D342513FAE821020573EEB7B54B c:\windows\ie7updates\KB960714-IE7\mshtml.dll
[-] 2008-12-13 06:37 3503616 B26944EA444903F09C28A30B660ADD6A c:\windows\ie7updates\KB961260-IE7\mshtml.dll
[-] 2009-01-16 20:15 3505152 5BE348EDB73A0FB7FAF71943999ADA6F c:\windows\ie7updates\KB963027-IE7\mshtml.dll
[-] 2009-02-20 17:10 3505664 4ADF9CE33223EFB0581B07FE7BE891FB c:\windows\ie7updates\KB969897-IE7\mshtml.dll
[-] 2009-04-29 04:45 3506688 AB50DED205DA6D459043014165A77F4F c:\windows\ie7updates\KB972260-IE7\mshtml.dll
[7] 2009-07-19 16:59 3597824 0E396FC8AED9D3D550DB38152F6A4FC7 c:\windows\SoftwareDistribution\Download\0be3474a722486e9050d650f16addaad\SP3GDR\mshtml.dll
[7] 2009-07-19 13:21 3600384 73FFE289F14EDFBB22429E88ACF17016 c:\windows\SoftwareDistribution\Download\0be3474a722486e9050d650f16addaad\SP3QFE\mshtml.dll
[-] 2009-07-19 16:59 3508224 511FB9E84FEDBFB051557940A5503CC7 c:\windows\system32\mshtml.dll
[-] 2009-07-19 16:59 3508224 511FB9E84FEDBFB051557940A5503CC7 c:\windows\system32\dllcache\mshtml.dll

[7] 2004-08-19 16:09 851968 E2F47BBB69D1E4E5ED1AF720893B4460 c:\windows\FlyakiteOSX\Backup\comres.dll
[-] 2004-08-19 16:09 889344 4CCEAAB2D9462D0DD4CDCB6725B472C0 c:\windows\system32\comres.dll
[-] 2004-08-19 16:09 889344 4CCEAAB2D9462D0DD4CDCB6725B472C0 c:\windows\system32\dllcache\comres.dll

[7] 2006-08-25 15:51 617472 5BBCD65CFD7610F36BCA96B72BBAED4B c:\windows\FlyakiteOSX\Backup\comctl32.dll
[-] 2006-08-25 15:51 629760 F8F8E4D36532B9124673DA014C196089 c:\windows\system32\comctl32.dll
[-] 2006-08-25 15:51 629760 F8F8E4D36532B9124673DA014C196089 c:\windows\system32\dllcache\comctl32.dll
[-] 2001-09-28 14:00 919552 3DB20630FBA2A7B03CA25105B0149129 c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll
[-] 2004-08-19 16:07 1048576 0D49E245BF1D4D65DBD8322FC384A745 c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
[7] 2006-08-25 06:51 1054208 47ABF878B9AEC81B23BA5F89DE597B3A c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SuperCopier2.exe"="c:\program files\SuperCopier2\SuperCopier2.exe" [2006-07-07 1052672]
"RK Launcher"="c:\program files\RK Launcher\RKLauncher.exe" [2005-10-19 393216]
"Alt+Q Hotkey Tool"="c:\windows\Alt+Q Hotkey.exe" [2005-12-18 27648]
"UberIcon"="c:\program files\UberIcon\UberIcon Manager.exe" [2006-02-24 188416]
"WinRoll"="c:\program files\WinRoll\winroll.exe" [2006-01-01 15872]
"Yz Shadow"="c:\program files\YzShadow\YzShadow.exe" [2006-02-24 172032]
"ccleaner"="c:\program files\CCleaner\CCleaner.exe" [2009-06-25 1578736]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-28 8429568]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-04-28 94208]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"Netlogon"="c:\program files\pGina\Netlogon.cmd" [2006-05-31 140]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2007-10-16 111952]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-12-19 136768]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-07-02 159744]
"System Files Updater"="c:\windows\FlyakiteOSX\Tools\System Files Updater.exe" [2006-02-25 118485]
"QuickTime Task"="c:\program files\QuickTime Alternative\qttask.exe" [2008-05-27 413696]
"snpstd"="c:\windows\vsnpstd.exe" [2005-10-11 339968]
"NVHotkey"="nvHotkey.dll" - c:\windows\system32\nvhotkey.dll [2007-04-28 67584]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoFavoritesMenu"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFavoritesMenu"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoFavoritesMenu"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\Raccourci vers CCleaner.exe.lnk]
path=Raccourci vers CCleaner.exe.lnk
backup=c:\windows\pss\Raccourci vers CCleaner.exe.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"139:TCP"= 139:TCP:LocalSubNet,129.20.10.0/255.255.255.0,129.20.129.0/255.255.255.0,129.20.166.0/255.255.255.0,129.20.184.0/255.255.255.0:Enabled:@xpsp2res.dll,-22004
"445:TCP"= 445:TCP:LocalSubNet,129.20.10.0/255.255.255.0,129.20.129.0/255.255.255.0,129.20.166.0/255.255.255.0,129.20.184.0/255.255.255.0:Enabled:@xpsp2res.dll,-22005
"137:UDP"= 137:UDP:LocalSubNet,129.20.10.0/255.255.255.0,129.20.129.0/255.255.255.0,129.20.166.0/255.255.255.0,129.20.184.0/255.255.255.0:Enabled:@xpsp2res.dll,-22001
"138:UDP"= 138:UDP:LocalSubNet,129.20.10.0/255.255.255.0,129.20.129.0/255.255.255.0,129.20.166.0/255.255.255.0,129.20.184.0/255.255.255.0:Enabled:@xpsp2res.dll,-22002
"23:TCP"= 23:TCP:129.20.10.0/255.255.255.0,129.20.129.0/255.255.255.0,129.20.166.0/255.255.255.0,129.20.184.0/255.255.255.0:Enabled:telnet
"3389:TCP"= 3389:TCP:129.20.10.0/255.255.255.0,129.20.129.0/255.255.255.0,129.20.166.0/255.255.255.0,129.20.184.0/255.255.255.0:Enabled:@xpsp2res.dll,-22009
"5800:TCP"= 5800:TCP:vnc
"5900:TCP"= 5900:TCP:vnc
"5901:TCP"= 5901:TCP:vnc

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\RemoteAdminSettings]
"RemoteAddresses"= 129.20.10.0/255.255.255.0,129.20.129.0/255.255.255.0,129.20.166.0/255.255.255.0,129.20.184.0/255.255.255.0
"Enabled"= 1 (0x1)

R2 gbxsvc;gbxsvc;c:\program files\GerbMagic\gbxsvc.exe [22/07/2008 11:23 28672]
R2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [25/06/2008 12:15 6016]
R3 scrcap;scrcap;c:\windows\system32\drivers\scrcap.sys [27/12/2006 16:47 9006]
S3 adm851x;ADM851X USB To Fast Ethernet Adapter;c:\windows\system32\DRIVERS\ADM851X.SYS --> c:\windows\system32\DRIVERS\ADM851X.SYS [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv
.
Contents of the 'Scheduled Tasks' folder

2009-08-28 c:\windows\Tasks\AclDhome.job
- c:\windows\system32\acldhome.cmd [2008-06-25 08:27]

2009-08-28 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-29 20:18]
.
- - - - ORPHANS REMOVED - - - -

Notify-WgaLogon - (no file)

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.fr/
IE: E&xporter vers Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.6. ... ontrol.CAB
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-28 12:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\windows\system32\ntoskrnl.exe.FlyakiteOSX 2096128 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mchInjDrv]
"ImagePath"="\??\c:\docume~1\jhautcoe\LOCALS~1\Temp\mc25.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:c8,28,51,af,b0,29,a3,98,6c,f0,89,c3,25,
07,7f,58,c8,28,51,af,b0,29,a3,98,cc,97,e4,22,dd,15,db,8e,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66,8b,46,0d,96,8a,68,e4,23,6f,
78,db,fd,71,3b,04,66,8b,46,0d,96,68,5d,ce,25,72,72,5c,a5,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e,55,20,c9,26,1a,f2,f1,c7,05,
b8,4e,c3,25,da,ec,7e,55,20,c9,26,ea,82,54,12,2d,f8,8f,7d,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:3e,1e,9e,e0,57,5a,93,61,cd,fd,50,90,f6,
62,61,5b,3e,1e,9e,e0,57,5a,93,61,14,5c,dc,84,23,8d,5e,90,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:cd,44,cd,b9,a6,33,6c,cd,1c,da,83,7b,78,
38,27,b1,cd,44,cd,b9,a6,33,6c,cd,50,3f,44,dd,ee,a3,25,ec,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:df,20,58,62,78,6b,cf,c8,8f,13,2b,0e,32,
c2,6c,f8,b0,18,ed,a7,3f,8d,37,a4,5b,56,ef,76,d4,12,87,ae,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:97,20,4e,9a,c7,f1,35,ee,ff,2f,f1,0e,df,
bf,44,ee,31,77,e1,ba,b1,f8,68,02,e8,0e,95,e2,75,af,07,9f,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:aa,52,c6,00,84,3c,26,64,f7,ed,b1,ee,6e,
78,02,52,83,6c,56,8b,a0,85,96,ab,74,bf,da,0d,d0,ca,ec,b3,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:f6,0f,4e,58,98,5b,89,c9,11,62,ed,44,e3,
4d,7f,0b,51,fa,6e,91,28,9e,14,cc,1b,6b,2c,68,7a,3e,b8,12,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,b9,df,33,05,ea,
45,44,5c,b1,cd,45,5a,a8,c4,f8,b9,2e,92,80,0f,e5,be,72,0e,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:2a,b7,cc,b5,b9,7f,41,e7,72,59,46,59,11,
b8,15,fd,e3,0e,66,d5,eb,bc,2f,6b,91,75,61,69,be,9a,3a,32,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,54,38,14,a7,c3,
1c,f9,ba,fa,ea,66,7f,d4,3b,6b,70,92,82,ec,cb,e5,d5,ed,0a,6c,43,2d,1e,aa,22,\

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(592)
c:\program files\pGina\pGina.dll
c:\windows\system32\LIBCURL.dll
c:\program files\pGina\plugins\ldapauth\ldapauth_plus.dll
c:\windows\system32\MSVCR71.dll
c:\program files\Bonjour\mdnsNSP.dll

- - - - - - - > 'explorer.exe'(2644)
c:\program files\SuperCopier2\SC2Hook.dll
c:\program files\RK Launcher\RKLauncher.dll
c:\program files\YzShadow\YzShadow.dll
c:\program files\UberIcon\UberIcon.dll
c:\windows\System32\cscui.dll
c:\program files\WinRoll\winroll.dll
c:\windows\system32\credui.dll
c:\program files\Microsoft Office\OFFICE11\msohev.dll
c:\program files\Fichiers communs\Microsoft Shared\OFFICE11\MSOXEV.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\vstskmgr.exe
c:\windows\system32\nvsvc32.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\windows\system32\STACSV.EXE
c:\windows\system32\tlntsvr.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\McAfee\Common Framework\Mctray.exe
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\DellTPad\ApntEx.exe
c:\program files\DellTPad\hidfind.exe
c:\windows\system32\SetACL.exe
.
**************************************************************************
.
Completion time: 2009-08-28 12:15 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-28 10:14

Pre-Run: 5 696 040 960 octets libres
Post-Run: 5 654 609 920 octets libres

395 --- E O F --- 2009-08-23 23:10

par **Falkra** » 28 Aoû 2009 11:24

Tu as bien fait les manips. :supers:

Garde combofix sous le coude, n'y touche pas, même le supprimer nécessite une procédure spéciale. :mrgreen:

Rends toi sur ce lien : [url="http://www.virustotal.com/fr/"][color="blue"]Virus Total[/color][/url]

Clique sur le bouton Parcourir...
Copie colle ce chemin dans la boite de dialogue qui s'ouvre, ou parcours tes dossiers jusque à ce fichier, si tu le trouves :

user32.dll

Clique sur Envoyer le fichier, et si VirusTotal dit que le fichier a déjà été analysé, clique sur le bouton Reanalyse le fichier maintenant.
Laisse le site travailler tant que "Situation actuelle : en cours d'analyse" est affiché.
Il est possible que le fichier soit mis en file d'attente en raison d'un grand nombre de demandes d'analyses. Dans ce cas, il te faudra patienter sans réactualiser la page.
Lorsque l'analyse est terminée ("Situation actuelle: terminé"), clique sur Formaté (en haut à gauche)
Une nouvelle fenêtre de ton navigateur va apparaître
Clique alors sur cette image :
Fais un clic droit sur la page, et choisis Sélectionner tout, puis copier
Enfin colle le résultat dans ta prochaine réponse.
NB : Peu importe le résultat, il est important de me communiquer le résultat de toute l'analyse.

Il est possible que tes outils de sécurité réagissent à l'envoi du fichier, auquel cas il faudra leur faire ignorer les alertes.

Tu peux avoir besoin d'afficher les fichiers cachés et masqués du système, temporairement.

Fais ça aussi avec
c:\windows\explorer.exe
et
c:\windows\system32\wininet.dll

Tu peux faire 3 posts d'affilée, pas de problème.

@ toute

par **malkolm** » 28 Aoû 2009 11:31

Fichier user32.dll reçu le 2009.08.28 10:26:37 (UTC)
Antivirus Version Dernière mise à jour Résultat
a-squared 4.5.0.24 2009.08.28 -
AhnLab-V3 5.0.0.2 2009.08.27 -
AntiVir 7.9.1.7 2009.08.28 -
Antiy-AVL 2.0.3.7 2009.08.24 -
Authentium 5.1.2.4 2009.08.28 -
Avast 4.8.1335.0 2009.08.27 -
AVG 8.5.0.406 2009.08.28 -
BitDefender 7.2 2009.08.28 -
CAT-QuickHeal 10.00 2009.08.28 -
ClamAV 0.94.1 2009.08.28 -
Comodo 2115 2009.08.28 -
DrWeb 5.0.0.12182 2009.08.28 -
eSafe 7.0.17.0 2009.08.27 -
eTrust-Vet 31.6.6706 2009.08.28 -
F-Prot 4.5.1.85 2009.08.27 -
F-Secure 8.0.14470.0 2009.08.28 -
Fortinet 3.120.0.0 2009.08.28 -
GData 19 2009.08.28 -
Ikarus T3.1.1.68.0 2009.08.28 -
Jiangmin 11.0.800 2009.08.28 -
K7AntiVirus 7.10.829 2009.08.27 -
Kaspersky 7.0.0.125 2009.08.28 -
McAfee 5722 2009.08.27 -
McAfee+Artemis 5722 2009.08.27 -
McAfee-GW-Edition 6.8.5 2009.08.28 -
Microsoft 1.5005 2009.08.28 -
NOD32 4376 2009.08.28 -
Norman 2009.08.27 -
nProtect 2009.1.8.0 2009.08.28 -
Panda 10.0.2.2 2009.08.28 -
Prevx 3.0 2009.08.28 -
Rising 21.44.40.00 2009.08.28 -
Sophos 4.45.0 2009.08.28 -
Sunbelt 3.2.1858.2 2009.08.27 -
Symantec 1.4.4.12 2009.08.28 -
TheHacker 6.3.4.3.389 2009.08.27 -
TrendMicro 8.950.0.1094 2009.08.28 -
VBA32 3.12.10.10 2009.08.28 -
ViRobot 2009.8.28.1906 2009.08.28 -
VirusBuster 4.6.5.0 2009.08.28 -

Information additionnelle
File size: 578560 bytes
MD5...: 2ed0a71b1a374baf75d2301637307278
SHA1..: 36403f98ab9b3623d6def32c5075f3b9f6843744
SHA256: e63cec9708603fbde764d49bb425b4b9eba2b35e228dd24427e80c04cdcd0962
ssdeep: 12288:+/rjTzP3Y8ACIs9Cj1IuskGuatBHLOlL:Kn//A10XuavL 
PEiD..: -
PEInfo: PE Structure information ( base data ) entrypointaddress.: 0x1e966 timedatestamp.....: 0x45f02dce (Thu Mar 08 15:37:50 2007) machinetype.......: 0x14c (I386) ( 4 sections ) name viradd virsiz rawdsiz ntrpy md5 .text 0x1000 0x5efe7 0x5f000 6.64 8440a40b5d11878e10f357dc1e587d8d .data 0x60000 0x1180 0xc00 2.39 42b206dcbfd6b51646502b9fa345eb17 .rsrc 0x62000 0x2a48c 0x2a600 3.82 a98abbd8f2a23edc24c51a9fe3efb614 .reloc 0x8d000 0x2de8 0x2e00 6.78 29147feab00159bf20d090a34b6e2b09 ( 3 imports ) > GDI32.dll: GetClipRgn, ExtSelectClipRgn, GetHFONT, GetMapMode, SetGraphicsMode, GetClipBox, CreateRectRgn, CreateRectRgnIndirect, SetLayout, GetBoundsRect, ExcludeClipRect, PlayEnhMetaFile, CreatePen, Ellipse, CreateEllipticRgn, GdiFixUpHandle, GetTextCharacterExtra, SetTextCharacterExtra, GetCurrentObject, GetViewportOrgEx, SetViewportOrgEx, PolyPatBlt, CreateBrushIndirect, SetBoundsRect, CopyEnhMetaFileW, CopyMetaFileW, GetPaletteEntries, CreatePalette, SetPaletteEntries, bInitSystemAndFontsDirectoriesW, bMakePathNameW, cGetTTFFromFOT, GetPixel, ExtTextOutA, GetTextCharsetInfo, QueryFontAssocStatus, GetCharWidthInfo, GetCharWidthA, GetTextFaceW, GetCharABCWidthsA, GetCharABCWidthsW, SetBrushOrgEx, CreateFontIndirectW, EnumFontsW, GetTextFaceAliasW, GetTextMetricsW, GetTextColor, GetBkMode, GetViewportExtEx, GetWindowExtEx, GdiGetCharDimensions, GdiGetCodePage, GetTextCharset, GdiPrinterThunk, GdiAddFontResourceW, TranslateCharsetInfo, SaveDC, OffsetWindowOrgEx, RestoreDC, ExtTextOutW, GetObjectType, GetDIBits, CreateDIBSection, SetStretchBltMode, SelectPalette, RealizePalette, SetDIBits, CreateDCW, CreateDIBitmap, CreateCompatibleBitmap, SetBitmapBits, DeleteDC, GdiValidateHandle, GdiProcessSetup, CreateSolidBrush, GetStockObject, CreateCompatibleDC, GdiConvertBitmapV5, GdiCreateLocalEnhMetaFile, GdiCreateLocalMetaFilePict, GetRgnBox, CombineRgn, OffsetRgn, MirrorRgn, EnableEUDC, GdiConvertToDevmodeW, GetTextExtentPointA, GetTextExtentPointW, CreateBitmap, SetLayoutWidth, PatBlt, TextOutA, TextOutW, BitBlt, GdiConvertAndCheckDC, StretchBlt, SetRectRgn, GdiReleaseDC, GdiConvertEnhMetaFile, GdiConvertMetaFilePict, DeleteEnhMetaFile, DeleteMetaFile, DeleteObject, GetDIBColorTable, GetDeviceCaps, StretchDIBits, GetLayout, SetBkColor, SetTextColor, GetObjectW, GetBkColor, SetBkMode, SelectObject, IntersectClipRect, GetTextAlign, SetTextAlign, GdiDllInitialize > KERNEL32.dll: LocalSize, LocalUnlock, SizeofResource, LoadResource, FindResourceExW, FindResourceExA, GetModuleHandleW, DisableThreadLibraryCalls, GetCurrentThreadId, IsDBCSLeadByteEx, SearchPathW, ExpandEnvironmentStringsW, LoadLibraryExW, GlobalAddAtomW, GetSystemDirectoryW, GetComputerNameW, GetCurrentProcess, GetCurrentThread, ExitThread, GetExitCodeThread, CreateThread, HeapReAlloc, GlobalHandle, FoldStringW, Sleep, GetStringTypeW, GetStringTypeA, GetCPInfo, HeapSize, CloseHandle, UnmapViewOfFile, MapViewOfFile, CreateFileMappingW, GetFileSize, ReadFile, SetFileTime, GetFileTime, GetSystemWindowsDirectoryW, CopyFileW, MoveFileW, DeleteFileW, CreateProcessW, AddAtomA, AddAtomW, GetAtomNameW, GetAtomNameA, IsValidLocale, ConvertDefaultLocale, CompareStringW, GetCurrentDirectoryW, SetCurrentDirectoryW, lstrlenW, GetLogicalDrives, FindClose, FindNextFileW, FindFirstFileW, GetThreadLocale, VirtualFree, ProcessIdToSessionId, GetCurrentProcessId, InterlockedCompareExchange, IsDBCSLeadByte, LCMapStringW, QueryPerformanceCounter, QueryPerformanceFrequency, GetTickCount, lstrlenA, GlobalFindAtomA, GetModuleFileNameA, GetModuleHandleA, GlobalAddAtomA, DelayLoadFailureHook, LoadLibraryA, GetSystemTimeAsFileTime, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, LocalLock, LocalReAlloc, GetACP, GetOEMCP, InterlockedIncrement, InterlockedDecrement, SetLastError, GlobalFindAtomW, GlobalAlloc, MultiByteToWideChar, GlobalReAlloc, GetLastError, GetProcAddress, LoadLibraryW, FreeLibrary, lstrcpynW, CreateFileW, WritePrivateProfileStringW, lstrcmpiW, SetEvent, WaitForMultipleObjectsEx, WideCharToMultiByte, GlobalFlags, GetLocaleInfoW, GlobalFree, GetModuleFileNameW, GlobalGetAtomNameW, GlobalGetAtomNameA, InterlockedExchange, DeleteAtom, LocalAlloc, GlobalDeleteAtom, LocalFree, GlobalSize, GlobalLock, GlobalUnlock, GetUserDefaultLCID, HeapAlloc, HeapFree, lstrcpyW, lstrcatW, GetPrivateProfileStringW, RegisterWaitForInputIdle > ntdll.dll: NtQueryVirtualMemory, RtlUnwind, RtlNtStatusToDosError, NlsAnsiCodePage, RtlAllocateHeap, qsort, RtlMultiByteToUnicodeSize, LdrFlushAlternateResourceModules, RtlPcToFileHeader, wcsrchr, NtRaiseHardError, RtlIsNameLegalDOS8Dot3, strrchr, sscanf, NtQueryKey, NtEnumerateValueKey, RtlRunEncodeUnicodeString, RtlRunDecodeUnicodeString, _wcsicmp, CsrAllocateCaptureBuffer, CsrCaptureMessageBuffer, CsrFreeCaptureBuffer, NtOpenThreadToken, NtOpenProcessToken, NtQueryInformationToken, CsrClientCallServer, memmove, NtCallbackReturn, RtlUnicodeToMultiByteSize, RtlActivateActivationContextUnsafeFast, RtlDeactivateActivationContextUnsafeFast, RtlInitializeCriticalSection, NtQuerySystemInformation, swprintf, RtlDeleteCriticalSection, RtlImageNtHeader, CsrClientConnectToServer, NtYieldExecution, NtCreateKey, NtSetValueKey, NtDeleteValueKey, RtlQueryInformationActiveActivationContext, RtlReleaseActivationContext, RtlFreeHeap, wcsncpy, wcscmp, wcstoul, wcscat, RtlInitAnsiString, RtlAnsiStringToUnicodeString, RtlCreateUnicodeStringFromAsciiz, RtlFreeUnicodeString, NtOpenDirectoryObject, _chkstk, wcscpy, wcsncat, NtSetSecurityObject, NtQuerySecurityObject, NtQueryInformationProcess, wcstol, wcslen, RtlFindActivationContextSectionString, RtlMultiByteToUnicodeN, RtlUnicodeToMultiByteN, RtlLeaveCriticalSection, RtlEnterCriticalSection, RtlOpenCurrentUser, NtEnumerateKey, NtOpenKey, NtClose, NtQueryValueKey, RtlInitUnicodeString, RtlUnicodeStringToInteger ( 732 exports ) ActivateKeyboardLayout, AdjustWindowRect, AdjustWindowRectEx, AlignRects, AllowForegroundActivation, AllowSetForegroundWindow, AnimateWindow, AnyPopup, AppendMenuA, AppendMenuW, ArrangeIconicWindows, AttachThreadInput, BeginDeferWindowPos, BeginPaint, BlockInput, BringWindowToTop, BroadcastSystemMessage, BroadcastSystemMessageA, BroadcastSystemMessageExA, BroadcastSystemMessageExW, BroadcastSystemMessageW, BuildReasonArray, CalcMenuBar, CallMsgFilter, CallMsgFilterA, CallMsgFilterW, CallNextHookEx, CallWindowProcA, CallWindowProcW, CascadeChildWindows, CascadeWindows, ChangeClipboardChain, ChangeDisplaySettingsA, ChangeDisplaySettingsExA, ChangeDisplaySettingsExW, ChangeDisplaySettingsW, ChangeMenuA, ChangeMenuW, CharLowerA, CharLowerBuffA, CharLowerBuffW, CharLowerW, CharNextA, CharNextExA, CharNextW, CharPrevA, CharPrevExA, CharPrevW, CharToOemA, CharToOemBuffA, CharToOemBuffW, CharToOemW, CharUpperA, CharUpperBuffA, CharUpperBuffW, CharUpperW, CheckDlgButton, CheckMenuItem, CheckMenuRadioItem, CheckRadioButton, ChildWindowFromPoint, ChildWindowFromPointEx, CliImmSetHotKey, ClientThreadSetup, ClientToScreen, ClipCursor, CloseClipboard, CloseDesktop, CloseWindow, CloseWindowStation, CopyAcceleratorTableA, CopyAcceleratorTableW, CopyIcon, CopyImage, CopyRect, CountClipboardFormats, CreateAcceleratorTableA, CreateAcceleratorTableW, CreateCaret, CreateCursor, CreateDesktopA, CreateDesktopW, CreateDialogIndirectParamA, CreateDialogIndirectParamAorW, CreateDialogIndirectParamW, CreateDialogParamA, CreateDialogParamW, CreateIcon, CreateIconFromResource, CreateIconFromResourceEx, CreateIconIndirect, CreateMDIWindowA, CreateMDIWindowW, CreateMenu, CreatePopupMenu, CreateSystemThreads, CreateWindowExA, CreateWindowExW, CreateWindowStationA, CreateWindowStationW, CsrBroadcastSystemMessageExW, CtxInitUser32, DdeAbandonTransaction, DdeAccessData, DdeAddData, DdeClientTransaction, DdeCmpStringHandles, DdeConnect, DdeConnectList, DdeCreateDataHandle, DdeCreateStringHandleA, DdeCreateStringHandleW, DdeDisconnect, DdeDisconnectList, DdeEnableCallback, DdeFreeDataHandle, DdeFreeStringHandle, DdeGetData, DdeGetLastError, DdeGetQualityOfService, DdeImpersonateClient, DdeInitializeA, DdeInitializeW, DdeKeepStringHandle, DdeNameService, DdePostAdvise, DdeQueryConvInfo, DdeQueryNextServer, DdeQueryStringA, DdeQueryStringW, DdeReconnect, DdeSetQualityOfService, DdeSetUserHandle, DdeUnaccessData, DdeUninitialize, DefDlgProcA, DefDlgProcW, DefFrameProcA, DefFrameProcW, DefMDIChildProcA, DefMDIChildProcW, DefRawInputProc, DefWindowProcA, DefWindowProcW, DeferWindowPos, DeleteMenu, DeregisterShellHookWindow, DestroyAcceleratorTable, DestroyCaret, DestroyCursor, DestroyIcon, DestroyMenu, DestroyReasons, DestroyWindow, DeviceEventWorker, DialogBoxIndirectParamA, DialogBoxIndirectParamAorW, DialogBoxIndirectParamW, DialogBoxParamA, DialogBoxParamW, DisableProcessWindowsGhosting, DispatchMessageA, DispatchMessageW, DisplayExitWindowsWarnings, DlgDirListA, DlgDirListComboBoxA, DlgDirListComboBoxW, DlgDirListW, DlgDirSelectComboBoxExA, DlgDirSelectComboBoxExW, DlgDirSelectExA, DlgDirSelectExW, DragDetect, DragObject, DrawAnimatedRects, DrawCaption, DrawCaptionTempA, DrawCaptionTempW, DrawEdge, DrawFocusRect, DrawFrame, DrawFrameControl, DrawIcon, DrawIconEx, DrawMenuBar, DrawMenuBarTemp, DrawStateA, DrawStateW, DrawTextA, DrawTextExA, DrawTextExW, DrawTextW, EditWndProc, EmptyClipboard, EnableMenuItem, EnableScrollBar, EnableWindow, EndDeferWindowPos, EndDialog, EndMenu, EndPaint, EndTask, EnterReaderModeHelper, EnumChildWindows, EnumClipboardFormats, EnumDesktopWindows, EnumDesktopsA, EnumDesktopsW, EnumDisplayDevicesA, EnumDisplayDevicesW, EnumDisplayMonitors, EnumDisplaySettingsA, EnumDisplaySettingsExA, EnumDisplaySettingsExW, EnumDisplaySettingsW, EnumPropsA, EnumPropsExA, EnumPropsExW, EnumPropsW, EnumThreadWindows, EnumWindowStationsA, EnumWindowStationsW, EnumWindows, EqualRect, ExcludeUpdateRgn, ExitWindowsEx, FillRect, FindWindowA, FindWindowExA, FindWindowExW, FindWindowW, FlashWindow, FlashWindowEx, FrameRect, FreeDDElParam, GetActiveWindow, GetAltTabInfo, GetAltTabInfoA, GetAltTabInfoW, GetAncestor, GetAppCompatFlags, GetAppCompatFlags2, GetAsyncKeyState, GetCapture, GetCaretBlinkTime, GetCaretPos, GetClassInfoA, GetClassInfoExA, GetClassInfoExW, GetClassInfoW, GetClassLongA, GetClassLongW, GetClassNameA, GetClassNameW, GetClassWord, GetClientRect, GetClipCursor, GetClipboardData, GetClipboardFormatNameA, GetClipboardFormatNameW, GetClipboardOwner, GetClipboardSequenceNumber, GetClipboardViewer, GetComboBoxInfo, GetCursor, GetCursorFrameInfo, GetCursorInfo, GetCursorPos, GetDC, GetDCEx, GetDesktopWindow, GetDialogBaseUnits, GetDlgCtrlID, GetDlgItem, GetDlgItemInt, GetDlgItemTextA, GetDlgItemTextW, GetDoubleClickTime, GetFocus, GetForegroundWindow, GetGUIThreadInfo, GetGuiResources, GetIconInfo, GetInputDesktop, GetInputState, GetInternalWindowPos, GetKBCodePage, GetKeyNameTextA, GetKeyNameTextW, GetKeyState, GetKeyboardLayout, GetKeyboardLayoutList, GetKeyboardLayoutNameA, GetKeyboardLayoutNameW, GetKeyboardState, GetKeyboardType, GetLastActivePopup, GetLastInputInfo, GetLayeredWindowAttributes, GetListBoxInfo, GetMenu, GetMenuBarInfo, GetMenuCheckMarkDimensions, GetMenuContextHelpId, GetMenuDefaultItem, GetMenuInfo, GetMenuItemCount, GetMenuItemID, GetMenuItemInfoA, GetMenuItemInfoW, GetMenuItemRect, GetMenuState, GetMenuStringA, GetMenuStringW, GetMessageA, GetMessageExtraInfo, GetMessagePos, GetMessageTime, GetMessageW, GetMonitorInfoA, GetMonitorInfoW, GetMouseMovePointsEx, GetNextDlgGroupItem, GetNextDlgTabItem, GetOpenClipboardWindow, GetParent, GetPriorityClipboardFormat, GetProcessDefaultLayout, GetProcessWindowStation, GetProgmanWindow, GetPropA, GetPropW, GetQueueStatus, GetRawInputBuffer, GetRawInputData, GetRawInputDeviceInfoA, GetRawInputDeviceInfoW, GetRawInputDeviceList, GetReasonTitleFromReasonCode, GetRegisteredRawInputDevices, GetScrollBarInfo, GetScrollInfo, GetScrollPos, GetScrollRange, GetShellWindow, GetSubMenu, GetSysColor, GetSysColorBrush, GetSystemMenu, GetSystemMetrics, GetTabbedTextExtentA, GetTabbedTextExtentW, GetTaskmanWindow, GetThreadDesktop, GetTitleBarInfo, GetTopWindow, GetUpdateRect, GetUpdateRgn, GetUserObjectInformationA, GetUserObjectInformationW, GetUserObjectSecurity, GetWinStationInfo, GetWindow, GetWindowContextHelpId, GetWindowDC, GetWindowInfo, GetWindowLongA, GetWindowLongW, GetWindowModuleFileName, GetWindowModuleFileNameA, GetWindowModuleFileNameW, GetWindowPlacement, GetWindowRect, GetWindowRgn, GetWindowRgnBox, GetWindowTextA, GetWindowTextLengthA, GetWindowTextLengthW, GetWindowTextW, GetWindowThreadProcessId, GetWindowWord, GrayStringA, GrayStringW, HideCaret, HiliteMenuItem, IMPGetIMEA, IMPGetIMEW, IMPQueryIMEA, IMPQueryIMEW, IMPSetIMEA, IMPSetIMEW, ImpersonateDdeClientWindow, InSendMessage, InSendMessageEx, InflateRect, InitializeLpkHooks, InitializeWin32EntryTable, InsertMenuA, InsertMenuItemA, InsertMenuItemW, InsertMenuW, InternalGetWindowText, IntersectRect, InvalidateRect, InvalidateRgn, InvertRect, IsCharAlphaA, IsCharAlphaNumericA, IsCharAlphaNumericW, IsCharAlphaW, IsCharLowerA, IsCharLowerW, IsCharUpperA, IsCharUpperW, IsChild, IsClipboardFormatAvailable, IsDialogMessage, IsDialogMessageA, IsDialogMessageW, IsDlgButtonChecked, IsGUIThread, IsHungAppWindow, IsIconic, IsMenu, IsRectEmpty, IsServerSideWindow, IsWinEventHookInstalled, IsWindow, IsWindowEnabled, IsWindowInDestroy, IsWindowUnicode, IsWindowVisible, IsZoomed, KillSystemTimer, KillTimer, LoadAcceleratorsA, LoadAcceleratorsW, LoadBitmapA, LoadBitmapW, LoadCursorA, LoadCursorFromFileA, LoadCursorFromFileW, LoadCursorW, LoadIconA, LoadIconW, LoadImageA, LoadImageW, LoadKeyboardLayoutA, LoadKeyboardLayoutEx, LoadKeyboardLayoutW, LoadLocalFonts, LoadMenuA, LoadMenuIndirectA, LoadMenuIndirectW, LoadMenuW, LoadRemoteFonts, LoadStringA, LoadStringW, LockSetForegroundWindow, LockWindowStation, LockWindowUpdate, LockWorkStation, LookupIconIdFromDirectory, LookupIconIdFromDirectoryEx, MBToWCSEx, MB_GetString, MapDialogRect, MapVirtualKeyA, MapVirtualKeyExA, MapVirtualKeyExW, MapVirtualKeyW, MapWindowPoints, MenuItemFromPoint, MenuWindowProcA, MenuWindowProcW, MessageBeep, MessageBoxA, MessageBoxExA, MessageBoxExW, MessageBoxIndirectA, MessageBoxIndirectW, MessageBoxTimeoutA, MessageBoxTimeoutW, MessageBoxW, ModifyMenuA, ModifyMenuW, MonitorFromPoint, MonitorFromRect, MonitorFromWindow, MoveWindow, MsgWaitForMultipleObjects, MsgWaitForMultipleObjectsEx, NotifyWinEvent, OemKeyScan, OemToCharA, OemToCharBuffA, OemToCharBuffW, OemToCharW, OffsetRect, OpenClipboard, OpenDesktopA, OpenDesktopW, OpenIcon, OpenInputDesktop, OpenWindowStationA, OpenWindowStationW, PackDDElParam, PaintDesktop, PaintMenuBar, PeekMessageA, PeekMessageW, PostMessageA, PostMessageW, PostQuitMessage, PostThreadMessageA, PostThreadMessageW, PrintWindow, PrivateExtractIconExA, PrivateExtractIconExW, PrivateExtractIconsA, PrivateExtractIconsW, PrivateSetDbgTag, PrivateSetRipFlags, PtInRect, QuerySendMessage, QueryUserCounters, RealChildWindowFromPoint, RealGetWindowClass, RealGetWindowClassA, RealGetWindowClassW, ReasonCodeNeedsBugID, ReasonCodeNeedsComment, RecordShutdownReason, RedrawWindow, RegisterClassA, RegisterClassExA, RegisterClassExW, RegisterClassW, RegisterClipboardFormatA, RegisterClipboardFormatW, RegisterDeviceNotificationA, RegisterDeviceNotificationW, RegisterHotKey, RegisterLogonProcess, RegisterMessagePumpHook, RegisterRawInputDevices, RegisterServicesProcess, RegisterShellHookWindow, RegisterSystemThread, RegisterTasklist, RegisterUserApiHook, RegisterWindowMessageA, RegisterWindowMessageW, ReleaseCapture, ReleaseDC, RemoveMenu, RemovePropA, RemovePropW, ReplyMessage, ResolveDesktopForWOW, ReuseDDElParam, ScreenToClient, ScrollChildren, ScrollDC, ScrollWindow, ScrollWindowEx, SendDlgItemMessageA, SendDlgItemMessageW, SendIMEMessageExA, SendIMEMessageExW, SendInput, SendMessageA, SendMessageCallbackA, SendMessageCallbackW, SendMessageTimeoutA, SendMessageTimeoutW, SendMessageW, SendNotifyMessageA, SendNotifyMessageW, SetActiveWindow, SetCapture, SetCaretBlinkTime, SetCaretPos, SetClassLongA, SetClassLongW, SetClassWord, SetClipboardData, SetClipboardViewer, SetConsoleReserveKeys, SetCursor, SetCursorContents, SetCursorPos, SetDebugErrorLevel, SetDeskWallpaper, SetDlgItemInt, SetDlgItemTextA, SetDlgItemTextW, SetDoubleClickTime, SetFocus, SetForegroundWindow, SetInternalWindowPos, SetKeyboardState, SetLastErrorEx, SetLayeredWindowAttributes, SetLogonNotifyWindow, SetMenu, SetMenuContextHelpId, SetMenuDefaultItem, SetMenuInfo, SetMenuItemBitmaps, SetMenuItemInfoA, SetMenuItemInfoW, SetMessageExtraInfo, SetMessageQueue, SetParent, SetProcessDefaultLayout, SetProcessWindowStation, SetProgmanWindow, SetPropA, SetPropW, SetRect, SetRectEmpty, SetScrollInfo, SetScrollPos, SetScrollRange, SetShellWindow, SetShellWindowEx, SetSysColors, SetSysColorsTemp, SetSystemCursor, SetSystemMenu, SetSystemTimer, SetTaskmanWindow, SetThreadDesktop, SetTimer, SetUserObjectInformationA, SetUserObjectInformationW, SetUserObjectSecurity, SetWinEventHook, SetWindowContextHelpId, SetWindowLongA, SetWindowLongW, SetWindowPlacement, SetWindowPos, SetWindowRgn, SetWindowStationUser, SetWindowTextA, SetWindowTextW, SetWindowWord, SetWindowsHookA, SetWindowsHookExA, SetWindowsHookExW, SetWindowsHookW, ShowCaret, ShowCursor, ShowOwnedPopups, ShowScrollBar, ShowStartGlass, ShowWindow, ShowWindowAsync, SoftModalMessageBox, SubtractRect, SwapMouseButton, SwitchDesktop, SwitchToThisWindow, SystemParametersInfoA, SystemParametersInfoW, TabbedTextOutA, TabbedTextOutW, TileChildWindows, TileWindows, ToAscii, ToAsciiEx, ToUnicode, ToUnicodeEx, TrackMouseEvent, TrackPopupMenu, TrackPopupMenuEx, TranslateAccelerator, TranslateAcceleratorA, TranslateAcceleratorW, TranslateMDISysAccel, TranslateMessage, TranslateMessageEx, UnhookWinEvent, UnhookWindowsHook, UnhookWindowsHookEx, UnionRect, UnloadKeyboardLayout, UnlockWindowStation, UnpackDDElParam, UnregisterClassA, UnregisterClassW, UnregisterDeviceNotification, UnregisterHotKey, UnregisterMessagePumpHook, UnregisterUserApiHook, UpdateLayeredWindow, UpdatePerUserSystemParameters, UpdateWindow, User32InitializeImmEntryTable, UserClientDllInitialize, UserHandleGrantAccess, UserLpkPSMTextOut, UserLpkTabbedTextOut, UserRealizePalette, UserRegisterWowHandlers, VRipOutput, VTagOutput, ValidateRect, ValidateRgn, VkKeyScanA, VkKeyScanExA, VkKeyScanExW, VkKeyScanW, WCSToMBEx, WINNLSEnableIME, WINNLSGetEnableStatus, WINNLSGetIMEHotkey, WaitForInputIdle, WaitMessage, Win32PoolAllocationStats, WinHelpA, WinHelpW, WindowFromDC, WindowFromPoint, keybd_event, mouse_event, wsprintfA, wsprintfW, wvsprintfA, wvsprintfW 
RDS...: NSRL Reference Data Set -
pdfid.: -
trid..: Win32 Executable MS Visual C++ (generic) (65.2%) Win32 Executable Generic (14.7%) Win32 Dynamic Link Library (generic) (13.1%) Generic Win/DOS Executable (3.4%) DOS Executable Generic (3.4%)

Sites internets non demandés

Sites internets non demandés

Re: Sites internets non demandés

Re: Sites internets non demandés

Re: Sites internets non demandés

Re: Sites internets non demandés

Re: Sites internets non demandés

Re: Sites internets non demandés

Re: Sites internets non demandés

Re: Sites internets non demandés

Re: Sites internets non demandés

Re: Sites internets non demandés

Re: Sites internets non demandés

Re: Sites internets non demandés

Re: Sites internets non demandés

Re: Sites internets non demandés

Re: Sites internets non demandés

Re: Sites internets non demandés

Re: Sites internets non demandés

Re: Sites internets non demandés

Re: Sites internets non demandés

Qui est en ligne