ComboFix 08-06-20.4 - vchhuo 2008-06-21 19:49:26.2 - NTFSx86
Microsoft Windows XP Professionnel 5.1.2600.2.1252.1.1036.18.1346 [GMT 2:00]
Endroit: C:\Documents and Settings\utilisateur2\Bureau\ComboFix.exe
Command switches used :: C:\Documents and Settings\utilisateur2\Bureau\CFScript.txt
 * Création d'un nouveau point de restauration

FILE ::
C:\23990098.$$$
C:\Documents and Settings\All Users\Application Data\TUR.sys
C:\Documents and Settings\All Users\Application Data\TVJUR.sys
C:\WINDOWS\bwUnin-8.1.1.50-8876480SL.exe
.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\23990098.$$$
C:\Documents and Settings\All Users\Application Data\TUR.sys
C:\Documents and Settings\All Users\Application Data\TVJUR.sys
C:\WINDOWS\bwUnin-8.1.1.50-8876480SL.exe

.
((((((((((((((((((((((((((((( Fichiers créés 2008-05-21 to 2008-06-21 ))))))))))))))))))))))))))))))))))))
.

2008-06-21 15:52 . 2008-06-21 15:52    d--------    C:\Program Files\Java
2008-06-21 15:52 . 2008-03-25 02:37    69,632    --a------    C:\WINDOWS\system32\javacpl.cpl
2008-06-21 15:51 . 2008-06-21 15:51    d--------    C:\Program Files\Fichiers communs\Java
2008-06-20 15:03 . 2008-06-20 15:03    d--------    C:\Deckard
2008-06-15 12:02 . 2008-06-15 12:02    d--------    C:\Program Files\Malwarebytes' Anti-Malware
2008-06-15 12:02 . 2008-06-10 19:02    34,296    --a------    C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-15 12:02 . 2008-06-10 19:02    15,864    --a------    C:\WINDOWS\system32\drivers\mbam.sys
2008-06-14 20:03 . 2008-06-14 20:03    d--------    C:\Program Files\Trend Micro
2008-06-14 16:21 . 2008-06-14 16:21    d--------    C:\Documents and Settings\utilisateur2\Application Data\Leadertech
2008-06-10 16:06 . 2008-06-10 16:06    d--------    C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-10 16:05 . 2008-06-18 15:00    d--------    C:\Program Files\SUPERAntiSpyware
2008-06-10 16:05 . 2008-06-15 12:04    d--------    C:\Documents and Settings\utilisateur2\Application Data\SUPERAntiSpyware.com
2008-06-10 15:52 . 2008-06-10 15:52    d--------    C:\Documents and Settings\utilisateur2\Application Data\Malwarebytes
2008-06-10 15:52 . 2008-06-10 15:52    d--------    C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-30 19:25 . 2008-06-11 06:01    d--------    C:\Documents and Settings\All Users\Application Data\Avira
2008-05-28 13:41 . 2008-05-28 13:42    1,905    --a------    C:\WINDOWS\diagwrn.xml
2008-05-28 13:41 . 2008-05-28 13:42    1,905    --a------    C:\WINDOWS\diagerr.xml
2008-05-24 20:46 . 2008-05-24 20:46    d--------    C:\Program Files\VoipStunt.com
2008-05-24 20:46 . 2008-05-25 04:11    d--------    C:\Documents and Settings\utilisateur2\Application Data\VoipStunt
2008-05-24 20:40 . 2008-05-24 20:40    d--------    C:\Kaspersky

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-21 17:43    ---------    d-----w    C:\Program Files\Symantec AntiVirus
2008-06-15 10:03    ---------    d-----w    C:\Program Files\Fichiers communs\Wise Installation Wizard
2008-05-31 03:49    ---------    d-----w    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-28 06:57    ---------    d-----w    C:\Program Files\Burn4Free
2008-05-19 12:11    ---------    d-----w    C:\Documents and Settings\utilisateur2\Application Data\AdobeUM
2008-05-11 12:27    ---------    d-----w    C:\Program Files\Alwil Software
2008-05-05 04:31    0    ---ha-w    C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-05-05 04:31    0    ---ha-w    C:\WINDOWS\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2008-05-05 04:21    ---------    d--h--w    C:\Program Files\InstallShield Installation Information
2008-05-05 04:21    ---------    d-----w    C:\Program Files\Logitech
2008-05-05 04:21    ---------    d-----w    C:\Program Files\Fichiers communs\LogiShared
2008-05-05 04:18    ---------    d-----w    C:\Documents and Settings\utilisateur2\Application Data\Logitech
2008-05-05 04:16    ---------    d-----w    C:\Program Files\Fichiers communs\Logitech
2008-05-05 04:16    ---------    d-----w    C:\Program Files\Fichiers communs\LogiShrd
2008-05-05 04:16    ---------    d-----w    C:\Documents and Settings\All Users\Application Data\Logitech
2008-05-05 04:15    ---------    d-----w    C:\Documents and Settings\utilisateur2\Application Data\InstallShield
2008-05-05 04:15    ---------    d-----w    C:\Documents and Settings\All Users\Application Data\LogiShrd
2008-05-05 04:05    ---------    d-----w    C:\Program Files\TOSHIBA

.
((((((((((((((((((((((((((((( snapshot@2008-06-21_16.16.37.51 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-21 13:55:27    2,048    --s-a-w    C:\WINDOWS\bootstat.dat
+ 2008-06-21 17:43:27    2,048    --s-a-w    C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-05 14:00 15360]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 18:43 4670704]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-05 14:00 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-05 14:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-05 14:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-05 14:00 455168]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 14:43 45056]
"THotkey"="C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe" [2006-01-05 14:02 352256]
"ThpSrv"="c:\WINDOWS\system32\thpsrv" [ ]
"TMESRV.EXE"="C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE" [2005-04-05 09:27 118784]
"TMERzCtl.EXE"="C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE" [2005-04-05 09:26 77824]
"TPSMain"="TPSMain.exe" [2005-08-03 16:09 266240 C:\WINDOWS\system32\TPSMain.exe]
"RTHDCPL"="RTHDCPL.EXE" [2005-12-09 16:49 15691264 C:\WINDOWS\RTHDCPL.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-16 17:32 761945]
"PWRESET"="C:\Program Files\Avaya\Avaya IP Softphone\IP Service Provider\pwreset.exe" [2001-10-24 10:36 45056]
"ccApp"="C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe" [2006-03-24 18:14 53408]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-08-01 10:58 125072]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 02:08 483328]
"BluetoothAuthenticationAgent"="bthprops.cpl,,BluetoothAuthenticationAgent" []
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-06-12 13:03 56080 C:\WINDOWS\KHALMNPR.Exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-05 14:00 15360]

C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage\
Accélérateur de démarrage AutoCAD.lnk - C:\Program Files\Fichiers communs\Autodesk Shared\acstart17.exe [2006-03-05 15:43:54 11000]
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 01:01:50 734872]
Ask Harrap's Shorter.lnk - C:\Program Files\Harrap's Multimédia\Shorter\bin\HiHarrapsTray.exe [2007-05-02 14:53:18 122880]
Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [2004-12-21 20:42:30 45056]
Gestion du client de pare-feu Microsoft.lnk - C:\WINDOWS\Installer\{199B7F78-69B7-47C5-8D4B-A3ED1391FB6B}\NewShortcut1_8C7A59A89ABE459A9A9308C281A4A264.exe [2006-05-23 13:40:12 53248]
Lancement rapide d'Adobe Acrobat.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-F400-BA7E-100000000002}\SC_Acrobat.exe [2007-05-02 15:28:58 25214]
Lancement rapide d'Adobe Reader.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 02:48:20 40048]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-05-05 06:21:30 67128]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-05-05 06:20:21 768528]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
c:\program files\fichiers communs\logishrd\bluetooth\LBTWlgn.dll 2007-07-13 18:30 72208 c:\Program Files\Fichiers communs\LogiShrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3codec"= l3codecp.acm
"vidc.yv12"= yv12vfw.dll
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\WINDOWS\\system32\\dllhost.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Avaya\\Avaya IP Softphone\\ipsoftphone.exe"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"C:\\Program Files\\VoipStunt.com\\VoipStunt\\VoipStunt.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 Thpdrv;TOSHIBA HDD Protection Driver;C:\WINDOWS\system32\DRIVERS\thpdrv.sys [2004-12-27 23:31]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;C:\WINDOWS\system32\DRIVERS\Thpevm.SYS [2004-11-13 12:24]
R1 TMEI3E;TMEI3E;C:\WINDOWS\system32\Drivers\TMEI3E.SYS [2004-06-16 11:08]
R2 CcmExec;SMS Agent Host;C:\WINDOWS\system32\CCM\CcmExec.exe [2004-08-04 03:05]
R2 FwcAgent;Agent du client de pare-feu;"C:\Program Files\Microsoft Firewall Client 2004\FwcAgent.exe" [2004-06-10 02:00]
R2 Machnm32;Machnm32 Driver;C:\WINDOWS\System32\Machnm32.sys [2003-08-13 00:27]
R3 urvpndrv;F5 Networks VPN Adapter;C:\WINDOWS\system32\DRIVERS\urvpndrv.sys [2007-10-01 23:49]
S3 AKSUP;AKSUP;C:\WINDOWS\system32\drivers\aksup.sys [2006-01-22 11:41]
S3 el575nd5;Pilote de carte réseau PC Card 3Com Megahertz 10/100 CardBus;C:\WINDOWS\system32\DRIVERS\el575nd5.sys [2001-08-17 20:10]
S3 f5ipfw;F5 Networks StoneWall Filter;C:\WINDOWS\system32\drivers\urfltw2k.sys [2007-10-01 23:49]
S3 prepdrvr;SMS Process Event Driver;C:\WINDOWS\system32\CCM\prepdrv.sys [2004-06-27 02:50]
S3 USB28xxBGA;Cinergy T USB XS;C:\WINDOWS\system32\DRIVERS\emBDA.sys [2005-09-14 17:45]
S3 USB28xxOEM;Cinergy T USB XS Custom Filter;C:\WINDOWS\system32\DRIVERS\emOEM.sys [2005-09-14 17:45]

.
Contenu du dossier 'Scheduled Tasks/Tâches planifiées'
"2008-04-06 16:11:00 C:\WINDOWS\Tasks\Ask Harrap's Shorter.job" - C:\PROGRA~1\HARRAP~1\Shorter\bin\HIHARR~2.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-21 19:51:14
Windows 5.1.2600 Service Pack 2 NTFS

Balayage processus cachés ...

Balayage caché autostart entries ...

Balayage des fichiers cachés ...

Scan terminé avec succès
Les fichiers cachés: 0

**************************************************************************
.
Temps d'accomplissement: 2008-06-21 19:52:13
ComboFix-quarantined-files.txt 2008-06-21 17:52:08
ComboFix2.txt 2008-06-21 14:16:57

Pre-Run: 17,472,212,992 octets libres
Post-Run: 17,459,351,552 octets libres