ComboFix 10-11-24.04 - NEO 25/11/2010 22:07:26.1.1 - x86
Microsoft Windows XP Professionnel 5.1.2600.2.1252.33.1036.18.239.75 [GMT 1:00]
Lancé depuis: c:\documents and settings\NEO\Mes documents\Downloads\Programs\ComboFix.exe
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
* Un nouveau point de restauration a été créé
.
(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((((( Pilotes/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_ABP470N5
-------\Legacy_SSHNAS
-------\Service_abp470n5

((((((((((((((((((((((((((((( Fichiers créés du 2010-10-25 au 2010-11-25 ))))))))))))))))))))))))))))))))))))
.
2010-11-21 12:48 . 2004-11-30 11:28 86094 ----a-w- c:\windows\system32\ImageDrive.cpl
2010-11-21 10:24 . 2010-11-21 10:24 -------- d-----w- c:\documents and settings\NEO\Application Data\Avira
2010-11-20 19:05 . 2010-11-20 19:28 -------- d-----w- c:\documents and settings\NEO\Application Data\QuickScan
2010-11-20 14:53 . 2010-11-20 14:53 282624 --sh--r- c:\windows\system32\quickt86.exe
2010-11-20 07:19 . 2010-11-20 07:19 -------- d-----w- c:\documents and settings\LocalService\Menu Démarrer
2010-11-19 22:52 . 2010-11-20 07:18 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-11-19 22:52 . 2010-11-20 07:18 126856 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-11-19 22:52 . 2009-05-11 11:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-11-19 22:52 . 2009-05-11 11:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-11-19 22:51 . 2010-11-19 22:51 -------- d-----w- c:\program files\Avira
2010-11-19 16:16 . 2010-11-19 16:16 -------- d-----w- c:\documents and settings\NEO\Local Settings\Application Data\ZoneAlarm
2010-11-19 16:16 . 2010-11-19 16:16 -------- d-----w- c:\program files\ZoneAlarm
2010-11-19 14:19 . 2010-11-19 14:26 -------- d-----w- c:\windows\SxsCaPendDel
2010-11-11 19:26 . 2010-11-11 20:02 -------- d-----w- c:\program files\uTorrent
2010-11-11 19:25 . 2010-11-25 21:18 -------- d-----w- c:\documents and settings\NEO\Application Data\uTorrent
2010-11-06 10:37 . 2010-11-06 10:37 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2010-11-06 10:37 . 2010-11-06 10:37 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2010-11-01 22:36 . 2010-11-01 22:36 -------- d-----w- c:\documents and settings\NEO\Application Data\AVS4YOU
2010-11-01 22:30 . 2010-11-01 22:32 -------- d-----w- c:\program files\Fichiers communs\AVSMedia
2010-11-01 22:28 . 2008-08-13 10:22 974848 ----a-w- c:\windows\system32\mfc70.dll
2010-11-01 22:28 . 2008-08-13 10:22 1700352 ----a-w- c:\windows\system32\GdiPlus.dll
2010-11-01 22:28 . 2008-08-13 10:22 24576 ----a-w- c:\windows\system32\msxml3a.dll
2010-11-01 22:28 . 2010-11-19 14:16 -------- d-----w- c:\program files\AVS4YOU
2010-11-01 22:28 . 2010-11-01 22:35 -------- d-----w- c:\documents and settings\All Users\Application Data\AVS4YOU
.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-15 03:50 . 2010-06-01 00:07 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-15 01:29 . 2010-10-16 23:53 73728 ----a-w- c:\windows\system32\javacpl.cpl
.
((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}"= "c:\program files\ZoneAlarm\tbZone.dll" [2010-05-09 2517088]

[HKEY_CLASSES_ROOT\clsid\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}]
2010-05-09 10:50 2517088 ----a-w- c:\program files\ZoneAlarm\tbZone.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}"= "c:\program files\ZoneAlarm\tbZone.dll" [2010-05-09 2517088]

[HKEY_CLASSES_ROOT\clsid\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2009-09-09 3118512]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-11-11 394616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2010-05-09 155648]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-06-13 528384]
"CAP3ON"="c:\windows\system32\spool\drivers\w32x86\3\CAP3ONN.EXE" [2002-07-30 22528]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Fichiers communs\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"SunJavaUpdateSched"="c:\program files\Fichiers communs\Java\Java Update\jusched.exe" [2010-05-14 248552]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-05-26 1043968]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2010-05-26 730600]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-20 281768]
"conime"="conime.exe" [2004-08-04 27648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\
Fenêtre d'état de Canon LASER SHOT LBP-1120.LNK - c:\windows\system32\spool\drivers\w32x86\3\CAP3LAK.EXE [2002-7-30 30720]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Documents and Settings\\NEO\\Application Data\\Thinstall\\Vidal CD\\4000002400003i\\java.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\WINDOWS\\system32\\dxdiag.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\system32\\quickt86.exe"=

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [23/03/2010 10:23 697328]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [26/05/2010 14:35 26352]
S3 s816bus;Sony Ericsson Device 816 driver (WDM);c:\windows\system32\drivers\s816bus.sys [09/06/2010 01:01 81832]
S3 s816mdfl;Sony Ericsson Device 816 USB WMC Modem Filter;c:\windows\system32\drivers\s816mdfl.sys [09/06/2010 01:32 13864]
S3 s816mdm;Sony Ericsson Device 816 USB WMC Modem Driver;c:\windows\system32\drivers\s816mdm.sys [09/06/2010 01:32 107304]
S3 s816mgmt;Sony Ericsson Device 816 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s816mgmt.sys [09/06/2010 01:33 99112]
S3 s816nd5;Sony Ericsson Device 816 USB Ethernet Emulation SEMCMR7 (NDIS);c:\windows\system32\drivers\s816nd5.sys [09/06/2010 01:33 21928]
S3 s816obex;Sony Ericsson Device 816 USB WMC OBEX Interface;c:\windows\system32\drivers\s816obex.sys [09/06/2010 01:33 97320]
S3 s816unic;Sony Ericsson Device 816 USB Ethernet Emulation SEMCMR7 (WDM);c:\windows\system32\drivers\s816unic.sys [09/06/2010 01:33 97704]
S4 AntiVirWebService;Avira AntiVir WebGuard;c:\program files\Avira\AntiVir Desktop\avwebgrd.exe [19/11/2010 23:52 403624]
S4 gupdate;Service Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [04/03/2010 21:48 133104]
S4 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [26/05/2010 14:35 493032]
.
Contenu du dossier 'Tâches planifiées'
2010-11-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-04 20:48]

2010-11-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-04 20:48]
.
.
------- Examen supplémentaire -------
.
IE: E&xporter vers Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Télécharger avec IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: Télécharger le contenu de video FLV avec IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Télécharger tous les liens avec IDM - c:\program files\Internet Download Manager\IEGetAll.htm
TCP: {7F7B2566-336E-4641-A1EE-88848A0377B6} = 208.67.222.222 208.67.220.220
FF - ProfilePath - c:\documents and settings\NEO\Application Data\Mozilla\Firefox\Profiles\ho3a8i5h.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.babylon.com/web/{searchTerms}?babsrc=browsersearch
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:fr:official
FF - component: c:\documents and settings\NEO\Application Data\Mozilla\Firefox\Profiles\ho3a8i5h.default\extensions\mozilla_cc@internetdownloadmanager.com\components\idmmzcc.dll
FF - plugin: c:\program files\CheckPoint\ZAForceField\TrustChecker\bin\npFFApi.dll
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll

---- PARAMETRES FIREFOX ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHELINS SUPPRIMES - - - -

Notify-WgaLogon - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-25 22:20
Windows 5.1.2600 Service Pack 2 NTFS

Recherche de processus cachés ...

Recherche d'éléments en démarrage automatique cachés ...

Recherche de fichiers cachés ...

Scan terminé avec succès
Fichiers cachés: 0

**************************************************************************
.
--------------------- CLES DE REGISTRE BLOQUEES ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{1902ec02-b3c8-4faa-a8a3-c2ad5d7431d9}]
@Denied: (Full) (Everyone)
"Model"=dword:00000095
"Therad"=dword:00000015
"MData"=hex(0):73,d5,cf,b8,a4,07,89,80,31,e4,35,6b,2a,ca,fe,43,b6,1f,81,1f,5a,
   1b,4d,36,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):94,fe,f8,d3,5c,04,46,80,ad,5c,2c,ef,13,ca,7d,94,03,a5,40,fc,93,
   da,3c,0e,70,d4,6b,b5,9f,82,78,69,12,ff,e6,4f,11,8d,4f,8a,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{68f5f69f-6f53-4339-8117-6056275bbc9c}]
@Denied: (Full) (Everyone)
"Model"=dword:00000054
"Therad"=dword:00000017

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):b6,91,86,43,03,48,b6,7c,2d,84,cf,be,ae,5f,30,c1,03,b8,c3,6c,08,
   e7,7a,ea,07,cd,a9,a1,1d,d6,66,51,b1,93,99,55,ef,ff,95,ba,00,00,00,00,00,00,\
.
--------------------- DLLs chargées dans les processus actifs ---------------------

- - - - - - - > 'explorer.exe'(2232)
c:\program files\Windows Media Player\wmpband.dll
c:\program files\Internet Download Manager\idmmkb.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Autres processus actifs ------------------------
.
c:\windows\system32\CAP3RSK.EXE
c:\windows\SYSTEM32\SPOOL\DRIVERS\W32X86\3\CAP3SWK.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\program files\Internet Download Manager\IEMonitor.exe
.
**************************************************************************
.
Heure de fin: 2010-11-25 22:29:53 - La machine a redémarré
ComboFix-quarantined-files.txt 2010-11-25 21:29

Avant-CF: 16 972 673 024 octets libres
Après-CF: 17 005 719 552 octets libres

WindowsXP-KB310994-SP2-Pro-BootDisk-FRA.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professionnel" /noexecute=optin /fastdetect

- - End Of File - - B09AB77EB21E01F09A1867B27A707894