[Résolu] Probleme svchost et popup

[zard]

Bonjour
Depuis quelques jours je me traine une cochonnerie dont je n'arrive pas a me débarrasser facilement. Plein de popup qui s'active avec un lien genre directrdr + des svchost dans c/windows/temp à gogo, bloqué et supprimé par mon Avast.
J'ai fais un coup de Combofix mais ça continue, voici le LOG du fichier généré il y a environ 10 jours:

ComboFix 10-01-04.01 - zard 06/01/2010 21:12:43.1.2 - x86
Microsoft® Windows Vista™ Édition Familiale Premium 6.0.6002.2.1252.33.1036.18.2046.986 [GMT 1:00]
Lancé depuis: c:\users\zard\Desktop\ComboFix.exe
AV: avast! antivirus 4.7.1098 [VPS 100106-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
SP: Spybot - Search and Destroy *enabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
c:\recycler\S-1-5-21-0243936033-3052116371-381863308-1811
c:\recycler\S-1-5-21-7176682818-3606353687-614085080-9033
c:\users\zard\AppData\Local\Microsoft\Windows\Temporary Internet Files\f_jTMY_yI
c:\users\zard\AppData\Local\Microsoft\Windows\Temporary Internet Files\IXz-wol9Y-O_
c:\users\zard\AppData\Local\Microsoft\Windows\Temporary Internet Files\v98yK1-_xVS
c:\users\zard\AppData\Local\Microsoft\Windows\Temporary Internet Files\VTbMm-BU0
c:\users\zard\AppData\Local\Temp\ppcrlui_2560_2
c:\users\zard\AppData\Roaming\SystemProc
c:\windows\system32\~.inf
c:\windows\system32\Data
c:\windows\system32\Data\CT0060W.DAT
c:\windows\system32\Data\ctd20x.dat
c:\windows\system32\Data\CTEAPSW.DAT
c:\windows\system32\Data\CTEDSP2W.DAT
c:\windows\system32\Data\CTEDSPHW.DAT
c:\windows\system32\Data\CTEDSPKW.DAT
c:\windows\system32\Data\CTEDSPLW.DAT
c:\windows\system32\Data\CTEDSPPW.DAT
c:\windows\system32\Data\CTEDSPTW.DAT
c:\windows\system32\Data\CTEDSPUW.DAT
c:\windows\system32\Data\CTEDSPW.DAT
c:\windows\system32\Data\CTP0060W.DAT
c:\windows\system32\Data\CTP0061W.DAT
c:\windows\system32\Data\CTP0070W.DAT
c:\windows\system32\Data\CTP0073W.DAT
c:\windows\system32\Data\CTP0090W.DAT
c:\windows\system32\Data\CTP0091W.DAT
c:\windows\system32\Data\CTP0092W.DAT
c:\windows\system32\Data\CTP0095W.DAT
c:\windows\system32\Data\CTP0100W.DAT
c:\windows\system32\Data\CTP0101W.DAT
c:\windows\system32\Data\CTP0102W.DAT
c:\windows\system32\Data\CTP0103W.DAT
c:\windows\system32\Data\CTP0105W.DAT
c:\windows\system32\Data\CTP0150W.DAT
c:\windows\system32\Data\CTP0161W.DAT
c:\windows\system32\Data\CTP0162W.DAT
c:\windows\system32\Data\CTP0170W.DAT
c:\windows\system32\Data\CTP017AW.DAT
c:\windows\system32\Data\CTP017BW.DAT
c:\windows\system32\Data\CTP017CW.DAT
c:\windows\system32\Data\CTP017DW.DAT
c:\windows\system32\Data\CTP017EW.DAT
c:\windows\system32\Data\CTP017FW.DAT
c:\windows\system32\Data\CTP017GW.DAT
c:\windows\system32\Data\CTP017HW.DAT
c:\windows\system32\Data\CTP0191W.DAT
c:\windows\system32\Data\CTP0192W.DAT
c:\windows\system32\Data\CTP0221W.DAT
c:\windows\system32\Data\CTP0222W.DAT
c:\windows\system32\Data\CTP0230W.DAT
c:\windows\system32\Data\CTP0231W.DAT
c:\windows\system32\Data\CTP0232W.DAT
c:\windows\system32\Data\CTP0238W.DAT
c:\windows\system32\Data\CTP0240W.DAT
c:\windows\system32\Data\CTP0242W.DAT
c:\windows\system32\Data\CTP0243W.DAT
c:\windows\system32\Data\CTP0244W.DAT
c:\windows\system32\Data\CTP0245W.DAT
c:\windows\system32\Data\CTP0246W.DAT
c:\windows\system32\Data\CTP0249W.DAT
c:\windows\system32\Data\CTP0280W.DAT
c:\windows\system32\Data\CTP0320W.DAT
c:\windows\system32\Data\CTP0350W.DAT
c:\windows\system32\Data\CTP0352W.DAT
c:\windows\system32\Data\CTP0355W.DAT
c:\windows\system32\Data\CTP0358W.DAT
c:\windows\system32\Data\CTP0359W.DAT
c:\windows\system32\Data\CTP0360W.DAT
c:\windows\system32\Data\CTP0380W.DAT
c:\windows\system32\Data\CTP0400W.DAT
c:\windows\system32\Data\CTP0460W.DAT
c:\windows\system32\Data\CTP0462W.DAT
c:\windows\system32\Data\CTP0463W.DAT
c:\windows\system32\Data\CTP0464W.DAT
c:\windows\system32\Data\CTP0465W.DAT
c:\windows\system32\Data\CTP0466W.DAT
c:\windows\system32\Data\CTP0468W.DAT
c:\windows\system32\Data\CTP0469W.DAT
c:\windows\system32\Data\CTP046AW.DAT
c:\windows\system32\Data\CTP046BW.DAT
c:\windows\system32\Data\CTP046CW.DAT
c:\windows\system32\Data\CTP0530L.DAT
c:\windows\system32\Data\CTP0530W.DAT
c:\windows\system32\Data\CTP0531L.DAT
c:\windows\system32\Data\CTP0531W.DAT
c:\windows\system32\Data\CTP0550W.DAT
c:\windows\system32\Data\CTP055AW.DAT
c:\windows\system32\Data\CTP0600W.DAT
c:\windows\system32\Data\CTP0610W.DAT
c:\windows\system32\Data\CTP0669W.DAT
c:\windows\system32\Data\CTP0678W.DAT
c:\windows\system32\Data\CTP0679W.DAT
c:\windows\system32\Data\CTP0730W.DAT
c:\windows\system32\Data\CTP073AW.DAT
c:\windows\system32\Data\CTP0760W.DAT
c:\windows\system32\Data\CTP0773W.DAT
c:\windows\system32\Data\CTP0930W.DAT
c:\windows\system32\Data\CTP1140W.DAT
c:\windows\system32\Data\CTP4620W.DAT
c:\windows\system32\Data\CTP4670W.DAT
c:\windows\system32\Data\CTP4760W.DAT
c:\windows\system32\Data\CTP4780W.DAT
c:\windows\system32\Data\CTP4790W.DAT
c:\windows\system32\Data\CTP4820W.DAT
c:\windows\system32\Data\CTP4830W.DAT
c:\windows\system32\Data\CTP4831W.DAT
c:\windows\system32\Data\CTP4832W.DAT
c:\windows\system32\Data\CTP4840W.DAT
c:\windows\system32\Data\CTP4850W.DAT
c:\windows\system32\Data\CTP4870W.DAT
c:\windows\system32\Data\CTP4871W.DAT
c:\windows\system32\Data\CTP4872W.DAT
c:\windows\system32\Data\CTP4875W.DAT
c:\windows\system32\Data\CTP4890W.DAT
c:\windows\system32\Data\CTP4891W.DAT
c:\windows\system32\Data\CTP4893W.DAT
c:\windows\system32\Data\CTPDXW.DAT
c:\windows\system32\Data\CTPM002W.DAT
c:\windows\system32\Data\cts20x.dat
c:\windows\system32\Data\CTXFICBM.RFX
c:\windows\system32\Data\CTXFICM.RFX
c:\windows\system32\Data\CTXFIEM.RFX
c:\windows\system32\Data\CTXFIGM.RFX
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\sdra64.exe
c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
c:\windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job

.
((((((((((((((((((((((((((((( Fichiers créés du 2009-12-06 au 2010-01-06 ))))))))))))))))))))))))))))))))))))
.

2010-01-06 20:19 . 2010-01-06 20:20 -------- d-----w- c:\users\zard\AppData\Local\temp
2010-01-06 20:19 . 2010-01-06 20:19 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-12-29 14:09 . 2009-12-29 14:09 -------- d-----w- c:\program files\Windows Portable Devices
2009-12-29 13:56 . 2009-10-01 01:02 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
2009-12-29 13:55 . 2009-10-08 21:08 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2009-12-29 13:48 . 2009-09-10 14:58 310784 ----a-w- c:\windows\system32\unregmp2.exe
2009-12-29 13:48 . 2009-09-10 14:59 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-12-29 13:46 . 2009-08-29 00:14 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-12-29 13:46 . 2009-08-29 00:27 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-12-29 13:06 . 2009-12-29 13:06 -------- d-----w- c:\program files\Trend Micro
2009-12-29 08:38 . 2008-03-30 18:55 1213784 ----a-w- c:\users\zard\AppData\Roaming\HouseCall 6.6\vsapi32.dll
2009-12-29 08:38 . 2006-11-22 16:48 91744 ----a-w- c:\users\zard\AppData\Roaming\HouseCall 6.6\BPMNT.dll
2009-12-29 08:38 . 2007-12-24 16:37 138384 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-12-29 08:38 . 2007-12-24 16:37 138384 ----a-w- c:\users\zard\AppData\Roaming\HouseCall 6.6\tmcomm.sys
2009-12-29 08:37 . 2006-07-07 15:29 1197584 ----a-w- c:\users\zard\AppData\Roaming\HouseCall 6.6\ssapi32.dll
2009-12-29 08:37 . 2009-03-27 16:38 366344 ----a-w- c:\users\zard\AppData\Roaming\HouseCall 6.6\tsc.exe
2009-12-29 08:37 . 2009-12-29 08:38 -------- d-----w- c:\users\zard\AppData\Roaming\HouseCall 6.6
2009-12-29 08:37 . 2009-12-29 08:37 -------- d-----w- c:\windows\system32\HouseCall 6.6
2009-12-28 15:02 . 2009-12-28 15:44 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-12-28 15:02 . 2009-12-28 15:02 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-27 16:18 . 2009-12-27 16:18 -------- d-----w- c:\programdata\WindowsSearch
2009-12-08 19:13 . 2009-11-09 12:31 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-12-08 19:13 . 2009-11-09 12:30 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-12-08 19:13 . 2009-11-09 10:36 411648 ----a-w- c:\windows\system32\drivers\http.sys
2009-12-08 19:11 . 2009-08-24 11:36 377344 ----a-w- c:\windows\system32\winhttp.dll
2009-12-08 19:09 . 2009-10-07 11:36 243712 ----a-w- c:\windows\system32\rastls.dll

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-29 14:28 . 2006-11-02 15:48 678718 ----a-w- c:\windows\system32\perfh00C.dat
2009-12-29 14:28 . 2006-11-02 15:48 127798 ----a-w- c:\windows\system32\perfc00C.dat
2009-12-29 14:09 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-12-29 14:09 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-12-29 14:09 . 2009-12-29 14:09 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2009-12-29 14:08 . 2009-12-29 14:08 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-11-29 17:03 . 2007-09-11 20:33 -------- d-----w- c:\users\zard\AppData\Roaming\FileZilla
2009-11-29 13:58 . 2008-03-31 20:18 -------- d-----w- c:\users\zard\AppData\Roaming\VSO
2009-11-22 20:43 . 2009-11-22 20:43 -------- d-----w- c:\program files\WinSCP
2009-11-21 06:40 . 2009-12-08 19:10 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 06:34 . 2009-12-08 19:10 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-11-21 06:34 . 2009-12-08 19:10 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-11-21 04:59 . 2009-12-08 19:10 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-16 02:13 . 2009-11-16 02:13 216576 ----a-w- c:\windows\system32\drivers\Rtlh86.sys
2009-11-12 06:24 . 2009-11-12 06:24 94208 ----a-w- c:\windows\system32\RTNUninst32.dll
2009-11-02 19:42 . 2009-10-03 06:20 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-29 09:17 . 2009-11-25 12:39 2048 ----a-w- c:\windows\system32\tzres.dll
2009-10-28 19:58 . 2009-10-28 19:58 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-10-08 21:08 . 2009-12-29 13:56 234496 ----a-w- c:\windows\system32\oleacc.dll
2009-10-08 21:07 . 2009-12-29 13:56 4096 ----a-w- c:\windows\system32\oleaccrc.dll
.

((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\users\zard\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-04-18 133104]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 79224]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-03 136600]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-04-28 61440]
"CTHelper"="CTHELPER.EXE" [2007-12-12 23040]
"CTxfiHlp"="CTXFIHLP.EXE" [2007-12-12 23552]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-28 141600]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DevconDefaultDB"="c:\windows\system32\READREG" [X]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^ExifLauncher2.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\ExifLauncher2.lnk
backup=c:\windows\pss\ExifLauncher2.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Outil de mise à jour Google.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Outil de mise à jour Google.lnk
backup=c:\windows\pss\Outil de mise à jour Google.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^zard^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^palmOne Registration.lnk]
path=c:\users\zard\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\palmOne Registration.lnk
backup=c:\windows\pss\palmOne Registration.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-05-11 01:06 40048 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-19 07:33 125952 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 00:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2009-04-11 06:28 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):bc,7b,d6,d2,3d,3f,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1988917837-3249627806-823261537-1000]
"EnableNotifications"=dword:00000001
"EnableNotificationsRef"=dword:00000001

R2 AMD External Events Utility;AMD External Events Utility;c:\windows\System32\atiesrxx.exe [29/04/2009 03:07 176128]
R2 aswMonFlt;aswMonFlt;c:\windows\System32\drivers\aswMonFlt.sys [13/08/2007 13:42 45648]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [28/12/2009 16:02 1153368]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\System32\drivers\COMMONFX.SYS [12/12/2007 17:35 98328]
R3 CTEDSPIO.SYS;CTEDSPIO.SYS;c:\windows\System32\drivers\CTEDSPIO.SYS [12/12/2007 17:37 134168]
R3 CTEDSPSY.SYS;CTEDSPSY.SYS;c:\windows\System32\drivers\CTEDSPSY.SYS [12/12/2007 17:37 309784]
S3 COMMONFX;COMMONFX;c:\windows\System32\drivers\COMMONFX.SYS [12/12/2007 17:35 98328]
S3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\System32\drivers\CT20XUT.SYS [12/12/2007 17:36 171032]
S3 CT20XUT;CT20XUT;c:\windows\System32\drivers\CT20XUT.SYS [12/12/2007 17:36 171032]
S3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\System32\drivers\CTAUDFX.SYS [12/12/2007 17:35 528920]
S3 CTAUDFX;CTAUDFX;c:\windows\System32\drivers\CTAUDFX.SYS [12/12/2007 17:35 528920]
S3 CTEAPSFX.SYS;CTEAPSFX.SYS;c:\windows\System32\drivers\CTEAPSFX.SYS [12/12/2007 17:36 163352]
S3 CTEAPSFX;CTEAPSFX;c:\windows\System32\drivers\CTEAPSFX.SYS [12/12/2007 17:36 163352]
S3 CTEDSPFX.SYS;CTEDSPFX.SYS;c:\windows\System32\drivers\CTEDSPFX.SYS [12/12/2007 17:36 259096]
S3 CTEDSPFX;CTEDSPFX;c:\windows\System32\drivers\CTEDSPFX.SYS [12/12/2007 17:36 259096]
S3 CTEDSPIO;CTEDSPIO;c:\windows\System32\drivers\CTEDSPIO.SYS [12/12/2007 17:37 134168]
S3 CTEDSPSY;CTEDSPSY;c:\windows\System32\drivers\CTEDSPSY.SYS [12/12/2007 17:37 309784]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\System32\drivers\CTERFXFX.SYS [12/12/2007 17:36 99352]
S3 CTERFXFX;CTERFXFX;c:\windows\System32\drivers\CTERFXFX.SYS [12/12/2007 17:36 99352]
S3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\System32\drivers\CTEXFIFX.SYS [12/12/2007 17:37 1324056]
S3 CTEXFIFX;CTEXFIFX;c:\windows\System32\drivers\CTEXFIFX.SYS [12/12/2007 17:37 1324056]
S3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\System32\drivers\CTHWIUT.SYS [12/12/2007 17:36 72728]
S3 CTHWIUT;CTHWIUT;c:\windows\System32\drivers\CTHWIUT.SYS [12/12/2007 17:36 72728]
S3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\System32\drivers\CTSBLFX.SYS [12/12/2007 17:36 534040]
S3 CTSBLFX;CTSBLFX;c:\windows\System32\drivers\CTSBLFX.SYS [12/12/2007 17:36 534040]
S3 FontCache;Service de cache de police Windows;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [02/06/2008 22:27 21504]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contenu du dossier 'Tâches planifiées'

2010-01-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1988917837-3249627806-823261537-1000Core.job
- c:\users\zard\AppData\Local\Google\Update\GoogleUpdate.exe [2009-04-18 06:40]

2010-01-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1988917837-3249627806-823261537-1000UA.job
- c:\users\zard\AppData\Local\Google\Update\GoogleUpdate.exe [2009-04-18 06:40]

2010-01-06 c:\windows\Tasks\User_Feed_Synchronization-{625052D3-507D-496F-81D1-A5EC9F428B2B}.job
- c:\windows\system32\msfeedssync.exe [2009-12-08 04:59]
.
.
------- Examen supplémentaire -------
.
uStart Page = hxxp://www.google.fr/
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
FF - ProfilePath - c:\users\zard\AppData\Roaming\Mozilla\Firefox\Profiles\kdgnlle2.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - http://www.google.fr
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\users\zard\AppData\Local\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHELINS SUPPRIMES - - - -

MSConfigStartUp-12CFG214-K641-12SF-N85P - c:\recycler\S-1-5-21-0243936033-3052116371-381863308-1811\vsbntlo.exe
MSConfigStartUp-J8RPLTROBQ - c:\users\zard\AppData\Local\Temp\c.exe
MSConfigStartUp-LosAlamos - c:\windows\system32\sshnas.dll
MSConfigStartUp-net - c:\windows\system32\net.net
MSConfigStartUp-NvMediaCenter - c:\windows\system32\NvMcTray.dll
MSConfigStartUp-NvSvc - c:\windows\system32\nvsvc.dll
MSConfigStartUp-ygua8e7yhuiesfha876yfauy8fe - c:\users\zard\AppData\Local\Temp\jt5vw342.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-06 21:20
Windows 6.0.6002 Service Pack 2 NTFS

Recherche de processus cachés ...

Recherche d'éléments en démarrage automatique cachés ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE?
CTxfiHlp = CTXFIHLP.EXE?

Recherche de fichiers cachés ...


c:\users\zard\AppData\Local\Temp\catchme.dll 53248 bytes executable

Scan terminé avec succès
Fichiers cachés: 1

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x85000618]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x82fa0d24
\Driver\ACPI -> acpi.sys @ 0x80699d68
\Driver\atapi -> ataport.SYS @ 0x807a8a2c
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK

**************************************************************************
.
Heure de fin: 2010-01-06 21:23:45
ComboFix-quarantined-files.txt 2010-01-06 20:23

Avant-CF: 22 466 027 520 octets libres
Après-CF: 22 505 406 464 octets libres

- - End Of File - - C345441046E003FB3092726A62360276

[Malekal_morte]

Salut,

Télécharge GMER à partir de ce lien : http://www.gmer.net/files.php - clic sur "Download EXE" et télécharge le fichier sur ton bureau.
Voir le tutorial GMER, ça peut peut-être t'aider : https://www.malekal.com/tutorial_GMER.php

Désactive tes logiciels de protection (antivirus, antispyware etc) et ferme tous les programmes ouverts.
Double-clic sur le fichier GMER téléchargé.
IMPORTANT: Si une alerte de ton antivirus apparaît pour le fichier gmer.sys ou gmer.exe, laisse le s'executer.
Clic sur l'onglet "rootkit"
Laisse tout coché.
Clic sur Scan
Lorsque le scan est terminé, clic sur "Copy"

Ouvre le bloc-note et clic sur le Menu Edition / Coller
Le rapport doit alors apparaître.
Enregistre le fichier sur ton bureau et copie/colle le contenu ici.

[zard]

Salut
Merci pour ton aide, voici le rapport GMER :

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-15 18:22:03
Windows 6.0.6002 Service Pack 2
Running: 2mwcjq3b.exe; Driver: C:\Users\zard\AppData\Local\Temp\kwldapow.sys


---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\Windows\system32\drivers\atapi.sys entry point in ".rsrc" section [0x807A3024]
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x8BC01000, 0x263A88, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[752] ole32.dll!CoCreateInstance 77179EA6 5 Bytes JMP 0061000A
.text C:\Windows\Explorer.EXE[1788] SHELL32.dll!SHFileOperationW 75F468D0 5 Bytes JMP 10001102 C:\Program Files\Unlocker\UnlockerHook.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[4056] USER32.dll!SetWindowsHookExW 772787AD 5 Bytes JMP 716A97FD C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4056] USER32.dll!CallNextHookEx 77278E3B 5 Bytes JMP 7169CE81 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4056] USER32.dll!UnhookWindowsHookEx 772798DB 5 Bytes JMP 71614620 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4056] USER32.dll!CreateWindowExW 77281305 5 Bytes JMP 716AD684 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4056] USER32.dll!DialogBoxParamW 772A10B0 5 Bytes JMP 715D541D C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4056] USER32.dll!DialogBoxIndirectParamW 772A2EF5 5 Bytes JMP 717A43FF C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4056] USER32.dll!DialogBoxParamA 772B8152 5 Bytes JMP 717A439C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4056] USER32.dll!DialogBoxIndirectParamA 772B847D 5 Bytes JMP 717A4462 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4056] USER32.dll!MessageBoxIndirectA 772CD4D9 5 Bytes JMP 717A4331 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4056] USER32.dll!MessageBoxIndirectW 772CD5D3 5 Bytes JMP 717A42C6 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4056] USER32.dll!MessageBoxExA 772CD639 5 Bytes JMP 717A4264 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4056] USER32.dll!MessageBoxExW 772CD65D 5 Bytes JMP 717A4202 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4056] ole32.dll!OleLoadFromStream 77141E12 5 Bytes JMP 717A4780 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4056] ole32.dll!CoCreateInstance 77179EA6 5 Bytes JMP 716AD6E0 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4428] USER32.dll!CreateWindowExW 77281305 5 Bytes JMP 716AD684 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4428] USER32.dll!DialogBoxParamW 772A10B0 5 Bytes JMP 715D541D C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4428] USER32.dll!DialogBoxIndirectParamW 772A2EF5 5 Bytes JMP 717A43FF C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4428] USER32.dll!DialogBoxParamA 772B8152 5 Bytes JMP 717A439C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4428] USER32.dll!DialogBoxIndirectParamA 772B847D 5 Bytes JMP 717A4462 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4428] USER32.dll!MessageBoxIndirectA 772CD4D9 5 Bytes JMP 717A4331 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4428] USER32.dll!MessageBoxIndirectW 772CD5D3 5 Bytes JMP 717A42C6 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4428] USER32.dll!MessageBoxExA 772CD639 5 Bytes JMP 717A4264 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4428] USER32.dll!MessageBoxExW 772CD65D 5 Bytes JMP 717A4202 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[1788] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74887817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1788] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [748DA86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1788] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7488BB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1788] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7487F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1788] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [748875E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1788] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [7487E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1788] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [748B8395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1788] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [7488DA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1788] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [7487FFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1788] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [7487FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1788] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [748771CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1788] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [7490CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1788] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [748AC8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1788] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [7487D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1788] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [74876853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1788] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [7487687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1788] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74882AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device -> \Driver\atapi \Device\Harddisk0\DR0 85000618

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

[Malekal_morte]

wow t'enchaînes les malwares avec une facilité toi :\

~~

Juste pour info, ça va peut-être te réveiller et tu vas commencer à un peu sécuriser ton PC et surtout faire plus attention dorénavant

Ce que t'as viré Combo :

c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\sdra64.exe

C'est du Zbot/Zeus, c'est un stealer, ça vole tout ce que ça peux qui se trouve (ou passe) par ton PC : mot de passe, num tel, numéro CB etc.
Voir : http://forum.malekal.com/zbot-zeus-troj ... 21390.html

ensuite GMER montre un patch du fichier atapi.sys (Trojan.TDSS voir http://forum.malekal.com/rootkit-tdss-t ... 22604.html )
Tu dois avoir des redirections lors des recherches Google :\

~~



• Télécharger SystemLook à partir d'un des liens ci dessous sur ton Bureau.
Download Mirror:: http://jpshortstuff.247fixes.com/SystemLook.exe
Download Mirror #2:: http://images.malwareremoval.com/jpshor ... emLook.exe

* Double-click SystemLook.exe pour le lançer.(clic droit executer en tant qu'administrateur sous vista)
* Clic droit|copier le contenu du cadre ci dessous ,et clic droit|coller dans le cadre blanc de SystemLook:

Code : Tout sélectionner

:filefind
atapi.sys

* Click le bouton Look pour commencer le scan.
* Copie-colle dans ta prochaine réponse le rapport\contenu du fichier texte qui s'affiche

Note: Le rapport peut aussi être trouvé sur ton Bureau nommé SystemLook.txt

[zard]

Salut
ça fais flipper ce que tu me dis je pensais être bien protéger avant !
Je vais donc davantage renforcer mes protections

Ci joint le log de systemlook :

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 08:35 on 16/01/2010 by zard (Administrator - Elevation successful)

========== filefind ==========

Searching for "atapi.sys"
C:\Windows\ERDNT\cache\atapi.sys --a--- 19944 bytes [20:22 06/01/2010] [06:32 11/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_7de13c21\atapi.sys --a--- 21560 bytes [13:25 07/06/2008] [05:06 19/01/2008] B35CFCEF838382AB6490B321C87EDF17
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys --a--- 19944 bytes [06:08 17/09/2009] [06:32 11/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys --a--- 19048 bytes [10:25 02/11/2006] [09:49 02/11/2006] 4F4FCB8B6EA06784FB6D475B7EC7300F
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys --a--- 21560 bytes [21:27 02/06/2008] [07:41 19/01/2008] 2D9C903DC76A66813D350A562DE40ED9
C:\Windows\System32\drivers\atapi.sys --a--- 19944 bytes [06:08 17/09/2009] [06:32 11/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.16632_none_db337a442479c42c\atapi.sys --a--- 21560 bytes [13:25 07/06/2008] [05:06 19/01/2008] B35CFCEF838382AB6490B321C87EDF17
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20757_none_dbac78a93da31a8b\atapi.sys --a--- 21560 bytes [13:25 07/06/2008] [04:33 19/01/2008] E03E8C99D15D0381E02743C36AFC7C6F
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\atapi.sys --a--- 21560 bytes [21:27 02/06/2008] [07:41 19/01/2008] 2D9C903DC76A66813D350A562DE40ED9
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys --a--- 19944 bytes [06:08 17/09/2009] [06:32 11/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4

-=End Of File=-

[Malekal_morte]

Allez on tente ça :


Telecharge:: http://swandog46.geekstogo.com/avenger2/download.php
http://swandog46.geekstogo.com/avenger2/avenger.zip

Dezippe le fichier ,Lance Avenger.exe , sous vista clic droit executer en tant qu'administrateur

•

Dans le cadre , sous input script here , copie_colle le contenu du cadre ci dessous et clic execute:

Begin copying here:
Files to move:
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys | C:\Windows\System32\drivers\atapi.sys

*Après le re-démarrage, il crée un fichier log qui s'ouvrira, faisant apparaitre les actions exécutées par The Avenger. Ce fichier log se trouve ici : C:\avenger.txt
poste le contenu du rapport

» refait un nouveau scan GMER

[zard]

Ouah ! bel ecran bleu avant reboot, j'ai un cleanup.exe et un zip.exe sous C: qui sont apparu

Le rapport Avenger

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: could not move file "C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys"
File move operation "C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys|C:\Windows\System32\drivers\atapi.sys" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)


Completed script processing.

*******************

Finished! Terminate.

[Malekal_morte]

T'as le DVD de Vista ?



~~


» Ouvre ton bloc note[executer--notepad] et copies/colles le contenu du cadre ci dessous:

Killall::
FCOPY::
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys | C:\Windows\System32\drivers\atapi.sys

[*]Va en haut de la page et clique sur le menu"Fichier" , une liste apparait=>
[*]Choisis "Enregistrer sous" et choisis "Bureau"
[*]Dans le champs "Nom du fichier" en bas de page donne le nom suivant:CFScript
[*]Clique sur le bouton "Enregistrer" à droite du champs "nom du fichier"
[*]Quitte le Bloc Notes.
[*]Fait un glisser/déposer de ce fichier CFScript sur le fichier ComboFix.exe comme sur la capture





* suis les instructions
* Patiente le temps du scan.Le bureau va disparaitre à plusieurs reprises: c'est normal!
Ne touche à rien tant que le scan n'est pas terminé.
* Une fois le scan achevé, un rapport va s'afficher: poste son contenu.
* Si le fichier n'apparait pas, il se trouve ici > C:\ComboFix.txt

[zard]

Merci pour la réponse !
Oui oui j'ai le DVD de Vista ! il faut que je le mette pour la manip ?
Je vais faire la manip et je te tiens au jus

[Malekal_morte]

Nan c'est pour éventuellement utiliser une autre méthode si avec Combofix ça passe pas.

[zard]

Voici le rapport combofix tout chaud :
ComboFix 10-01-16.01 - zard 16/01/2010 18:14:30.2.2 - x86
Microsoft® Windows Vista™ Édition Familiale Premium 6.0.6002.2.1252.33.1036.18.2046.1169 [GMT 1:00]
Lancé depuis: c:\users\zard\Desktop\ComboFix.exe
Commutateurs utilisés :: c:\users\zard\Desktop\CFScript.txt
AV: avast! antivirus 4.7.1098 [VPS 100116-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\Data
c:\windows\system32\Data\CT0060W.DAT
c:\windows\system32\Data\ctd20x.dat
c:\windows\system32\Data\CTEAPSW.DAT
c:\windows\system32\Data\CTEDSP2W.DAT
c:\windows\system32\Data\CTEDSPHW.DAT
c:\windows\system32\Data\CTEDSPKW.DAT
c:\windows\system32\Data\CTEDSPLW.DAT
c:\windows\system32\Data\CTEDSPPW.DAT
c:\windows\system32\Data\CTEDSPTW.DAT
c:\windows\system32\Data\CTEDSPUW.DAT
c:\windows\system32\Data\CTEDSPW.DAT
c:\windows\system32\Data\CTP0060W.DAT
c:\windows\system32\Data\CTP0061W.DAT
c:\windows\system32\Data\CTP0070W.DAT
c:\windows\system32\Data\CTP0073W.DAT
c:\windows\system32\Data\CTP0090W.DAT
c:\windows\system32\Data\CTP0091W.DAT
c:\windows\system32\Data\CTP0092W.DAT
c:\windows\system32\Data\CTP0095W.DAT
c:\windows\system32\Data\CTP0100W.DAT
c:\windows\system32\Data\CTP0101W.DAT
c:\windows\system32\Data\CTP0102W.DAT
c:\windows\system32\Data\CTP0103W.DAT
c:\windows\system32\Data\CTP0105W.DAT
c:\windows\system32\Data\CTP0150W.DAT
c:\windows\system32\Data\CTP0161W.DAT
c:\windows\system32\Data\CTP0162W.DAT
c:\windows\system32\Data\CTP0170W.DAT
c:\windows\system32\Data\CTP017AW.DAT
c:\windows\system32\Data\CTP017BW.DAT
c:\windows\system32\Data\CTP017CW.DAT
c:\windows\system32\Data\CTP017DW.DAT
c:\windows\system32\Data\CTP017EW.DAT
c:\windows\system32\Data\CTP017FW.DAT
c:\windows\system32\Data\CTP017GW.DAT
c:\windows\system32\Data\CTP017HW.DAT
c:\windows\system32\Data\CTP0191W.DAT
c:\windows\system32\Data\CTP0192W.DAT
c:\windows\system32\Data\CTP0221W.DAT
c:\windows\system32\Data\CTP0222W.DAT
c:\windows\system32\Data\CTP0230W.DAT
c:\windows\system32\Data\CTP0231W.DAT
c:\windows\system32\Data\CTP0232W.DAT
c:\windows\system32\Data\CTP0238W.DAT
c:\windows\system32\Data\CTP0240W.DAT
c:\windows\system32\Data\CTP0242W.DAT
c:\windows\system32\Data\CTP0243W.DAT
c:\windows\system32\Data\CTP0244W.DAT
c:\windows\system32\Data\CTP0245W.DAT
c:\windows\system32\Data\CTP0246W.DAT
c:\windows\system32\Data\CTP0249W.DAT
c:\windows\system32\Data\CTP0280W.DAT
c:\windows\system32\Data\CTP0320W.DAT
c:\windows\system32\Data\CTP0350W.DAT
c:\windows\system32\Data\CTP0352W.DAT
c:\windows\system32\Data\CTP0355W.DAT
c:\windows\system32\Data\CTP0358W.DAT
c:\windows\system32\Data\CTP0359W.DAT
c:\windows\system32\Data\CTP0360W.DAT
c:\windows\system32\Data\CTP0380W.DAT
c:\windows\system32\Data\CTP0400W.DAT
c:\windows\system32\Data\CTP0460W.DAT
c:\windows\system32\Data\CTP0462W.DAT
c:\windows\system32\Data\CTP0463W.DAT
c:\windows\system32\Data\CTP0464W.DAT
c:\windows\system32\Data\CTP0465W.DAT
c:\windows\system32\Data\CTP0466W.DAT
c:\windows\system32\Data\CTP0468W.DAT
c:\windows\system32\Data\CTP0469W.DAT
c:\windows\system32\Data\CTP046AW.DAT
c:\windows\system32\Data\CTP046BW.DAT
c:\windows\system32\Data\CTP046CW.DAT
c:\windows\system32\Data\CTP0530L.DAT
c:\windows\system32\Data\CTP0530W.DAT
c:\windows\system32\Data\CTP0531L.DAT
c:\windows\system32\Data\CTP0531W.DAT
c:\windows\system32\Data\CTP0550W.DAT
c:\windows\system32\Data\CTP055AW.DAT
c:\windows\system32\Data\CTP0600W.DAT
c:\windows\system32\Data\CTP0610W.DAT
c:\windows\system32\Data\CTP0669W.DAT
c:\windows\system32\Data\CTP0678W.DAT
c:\windows\system32\Data\CTP0679W.DAT
c:\windows\system32\Data\CTP0730W.DAT
c:\windows\system32\Data\CTP073AW.DAT
c:\windows\system32\Data\CTP0760W.DAT
c:\windows\system32\Data\CTP0773W.DAT
c:\windows\system32\Data\CTP0930W.DAT
c:\windows\system32\Data\CTP1140W.DAT
c:\windows\system32\Data\CTP4620W.DAT
c:\windows\system32\Data\CTP4670W.DAT
c:\windows\system32\Data\CTP4760W.DAT
c:\windows\system32\Data\CTP4780W.DAT
c:\windows\system32\Data\CTP4790W.DAT
c:\windows\system32\Data\CTP4820W.DAT
c:\windows\system32\Data\CTP4830W.DAT
c:\windows\system32\Data\CTP4831W.DAT
c:\windows\system32\Data\CTP4832W.DAT
c:\windows\system32\Data\CTP4840W.DAT
c:\windows\system32\Data\CTP4850W.DAT
c:\windows\system32\Data\CTP4870W.DAT
c:\windows\system32\Data\CTP4871W.DAT
c:\windows\system32\Data\CTP4872W.DAT
c:\windows\system32\Data\CTP4875W.DAT
c:\windows\system32\Data\CTP4890W.DAT
c:\windows\system32\Data\CTP4891W.DAT
c:\windows\system32\Data\CTP4893W.DAT
c:\windows\system32\Data\CTPDXW.DAT
c:\windows\system32\Data\CTPM002W.DAT
c:\windows\system32\Data\cts20x.dat
c:\windows\system32\Data\CTXFICBM.RFX
c:\windows\system32\Data\CTXFICM.RFX
c:\windows\system32\Data\CTXFIEM.RFX
c:\windows\system32\Data\CTXFIGM.RFX
c:\windows\system32\oubfubz.dll

.
--------------- FCopy ---------------

c:\windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys --> c:\windows\System32\drivers\atapi.sys
.
((((((((((((((((((((((((((((( Fichiers créés du 2009-12-16 au 2010-01-16 ))))))))))))))))))))))))))))))))))))
.

2010-01-16 17:22 . 2010-01-16 17:25 -------- d-----w- c:\users\zard\AppData\Local\temp
2010-01-16 17:22 . 2010-01-16 17:22 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-01-16 17:22 . 2010-01-16 17:22 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-01-15 14:16 . 2010-01-15 14:16 -------- d-----w- c:\users\zard\AppData\Roaming\Malwarebytes
2010-01-15 14:16 . 2010-01-07 15:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-15 14:16 . 2010-01-15 14:16 -------- d-----w- c:\programdata\Malwarebytes
2010-01-15 14:16 . 2010-01-15 14:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-15 14:16 . 2010-01-07 15:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-13 08:04 . 2009-10-19 13:38 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-01-13 08:04 . 2009-10-19 13:35 72704 ----a-w- c:\windows\system32\fontsub.dll
2009-12-29 14:09 . 2009-12-29 14:09 -------- d-----w- c:\program files\Windows Portable Devices
2009-12-29 13:56 . 2009-10-01 01:02 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
2009-12-29 13:55 . 2009-10-08 21:08 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2009-12-29 13:48 . 2009-09-10 14:58 310784 ----a-w- c:\windows\system32\unregmp2.exe
2009-12-29 13:48 . 2009-09-10 14:59 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-12-29 13:46 . 2009-08-29 00:14 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-12-29 13:46 . 2009-08-29 00:27 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-12-29 13:06 . 2009-12-29 13:06 -------- d-----w- c:\program files\Trend Micro
2009-12-29 08:38 . 2007-12-24 16:37 138384 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-12-29 08:37 . 2009-12-29 08:38 -------- d-----w- c:\users\zard\AppData\Roaming\HouseCall 6.6
2009-12-29 08:37 . 2009-12-29 08:37 -------- d-----w- c:\windows\system32\HouseCall 6.6
2009-12-28 15:02 . 2009-12-28 15:44 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-12-28 15:02 . 2009-12-28 15:02 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-27 16:18 . 2009-12-27 16:18 -------- d-----w- c:\programdata\WindowsSearch

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-16 17:14 . 2009-09-17 06:08 19944 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-07 21:59 . 2007-08-13 12:32 409600 ----a-w- c:\windows\system32\wrap_oal.dll
2010-01-07 21:59 . 2007-08-13 12:32 114688 ----a-w- c:\windows\system32\OpenAL32.dll
2009-12-29 14:28 . 2006-11-02 15:48 678718 ----a-w- c:\windows\system32\perfh00C.dat
2009-12-29 14:28 . 2006-11-02 15:48 127798 ----a-w- c:\windows\system32\perfc00C.dat
2009-12-29 14:09 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-12-29 14:09 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-12-29 14:09 . 2009-12-29 14:09 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2009-12-29 14:08 . 2009-12-29 14:08 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-11-29 17:03 . 2007-09-11 20:33 -------- d-----w- c:\users\zard\AppData\Roaming\FileZilla
2009-11-29 13:58 . 2008-03-31 20:18 -------- d-----w- c:\users\zard\AppData\Roaming\VSO
2009-11-22 20:43 . 2009-11-22 20:43 -------- d-----w- c:\program files\WinSCP
2009-11-21 06:40 . 2009-12-08 19:10 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 06:34 . 2009-12-08 19:10 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-11-21 06:34 . 2009-12-08 19:10 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-11-21 04:59 . 2009-12-08 19:10 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-16 02:13 . 2009-11-16 02:13 216576 ----a-w- c:\windows\system32\drivers\Rtlh86.sys
2009-11-12 06:24 . 2009-11-12 06:24 94208 ----a-w- c:\windows\system32\RTNUninst32.dll
2009-11-09 12:31 . 2009-12-08 19:13 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-11-09 12:30 . 2009-12-08 19:13 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-11-09 10:36 . 2009-12-08 19:13 411648 ----a-w- c:\windows\system32\drivers\http.sys
2009-11-02 19:42 . 2009-10-03 06:20 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-29 09:17 . 2009-11-25 12:39 2048 ----a-w- c:\windows\system32\tzres.dll
2009-10-28 19:58 . 2009-10-28 19:58 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
.

((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 79224]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-03 136600]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-04-28 61440]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-28 141600]
"CTHelper"="CTHELPER.EXE" [2008-03-20 23040]
"CTxfiHlp"="CTXFIHLP.EXE" [2008-03-20 23552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DevconDefaultDB"="c:\windows\system32\READREG" [X]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^ExifLauncher2.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\ExifLauncher2.lnk
backup=c:\windows\pss\ExifLauncher2.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Outil de mise à jour Google.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Outil de mise à jour Google.lnk
backup=c:\windows\pss\Outil de mise à jour Google.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^zard^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^palmOne Registration.lnk]
path=c:\users\zard\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\palmOne Registration.lnk
backup=c:\windows\pss\palmOne Registration.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-05-11 01:06 40048 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-19 07:33 125952 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-04-18 06:40 133104 ----atw- c:\users\zard\AppData\Local\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 00:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2009-04-11 06:28 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):bc,7b,d6,d2,3d,3f,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1988917837-3249627806-823261537-1000]
"EnableNotifications"=dword:00000001
"EnableNotificationsRef"=dword:00000001

R2 AMD External Events Utility;AMD External Events Utility;c:\windows\System32\atiesrxx.exe [29/04/2009 03:07 176128]
R2 aswMonFlt;aswMonFlt;c:\windows\System32\drivers\aswMonFlt.sys [13/08/2007 13:42 45648]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [28/12/2009 16:02 1153368]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\System32\drivers\COMMONFX.SYS [20/03/2008 17:23 98328]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\System32\drivers\CTAUDFX.SYS [20/03/2008 17:23 528920]
R3 CTEDSPIO.SYS;CTEDSPIO.SYS;c:\windows\System32\drivers\CTEDSPIO.SYS [20/03/2008 17:38 134168]
R3 CTEDSPSY.SYS;CTEDSPSY.SYS;c:\windows\System32\drivers\CTEDSPSY.SYS [20/03/2008 17:37 309784]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\System32\drivers\CTSBLFX.SYS [20/03/2008 17:25 534040]
S2 vzpxqknv;Brother USB Mass-Storage Upper Filter Helper;c:\windows\System32\svchost.exe -k netsvcs [02/06/2008 22:27 21504]
S3 COMMONFX;COMMONFX;c:\windows\System32\drivers\COMMONFX.SYS [20/03/2008 17:23 98328]
S3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\System32\drivers\CT20XUT.SYS [20/03/2008 17:36 171032]
S3 CT20XUT;CT20XUT;c:\windows\System32\drivers\CT20XUT.SYS [20/03/2008 17:36 171032]
S3 CTAUDFX;CTAUDFX;c:\windows\System32\drivers\CTAUDFX.SYS [20/03/2008 17:23 528920]
S3 CTEAPSFX.SYS;CTEAPSFX.SYS;c:\windows\System32\drivers\CTEAPSFX.SYS [20/03/2008 17:26 163352]
S3 CTEAPSFX;CTEAPSFX;c:\windows\System32\drivers\CTEAPSFX.SYS [20/03/2008 17:26 163352]
S3 CTEDSPFX.SYS;CTEDSPFX.SYS;c:\windows\System32\drivers\CTEDSPFX.SYS [20/03/2008 17:32 259096]
S3 CTEDSPFX;CTEDSPFX;c:\windows\System32\drivers\CTEDSPFX.SYS [20/03/2008 17:32 259096]
S3 CTEDSPIO;CTEDSPIO;c:\windows\System32\drivers\CTEDSPIO.SYS [20/03/2008 17:38 134168]
S3 CTEDSPSY;CTEDSPSY;c:\windows\System32\drivers\CTEDSPSY.SYS [20/03/2008 17:37 309784]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\System32\drivers\CTERFXFX.SYS [20/03/2008 17:36 99352]
S3 CTERFXFX;CTERFXFX;c:\windows\System32\drivers\CTERFXFX.SYS [20/03/2008 17:36 99352]
S3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\System32\drivers\CTEXFIFX.SYS [20/03/2008 17:40 1324056]
S3 CTEXFIFX;CTEXFIFX;c:\windows\System32\drivers\CTEXFIFX.SYS [20/03/2008 17:40 1324056]
S3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\System32\drivers\CTHWIUT.SYS [20/03/2008 17:37 72728]
S3 CTHWIUT;CTHWIUT;c:\windows\System32\drivers\CTHWIUT.SYS [20/03/2008 17:37 72728]
S3 CTSBLFX;CTSBLFX;c:\windows\System32\drivers\CTSBLFX.SYS [20/03/2008 17:25 534040]
S3 FontCache;Service de cache de police Windows;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [02/06/2008 22:27 21504]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
vzpxqknv
.
Contenu du dossier 'Tâches planifiées'

2010-01-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1988917837-3249627806-823261537-1000Core.job
- c:\users\zard\AppData\Local\Google\Update\GoogleUpdate.exe [2009-04-18 06:40]

2010-01-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1988917837-3249627806-823261537-1000UA.job
- c:\users\zard\AppData\Local\Google\Update\GoogleUpdate.exe [2009-04-18 06:40]

2010-01-16 c:\windows\Tasks\User_Feed_Synchronization-{625052D3-507D-496F-81D1-A5EC9F428B2B}.job
- c:\windows\system32\msfeedssync.exe [2009-12-08 04:59]
.
.
------- Examen supplémentaire -------
.
uStart Page = hxxp://www.google.fr/
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
FF - ProfilePath - c:\users\zard\AppData\Roaming\Mozilla\Firefox\Profiles\kdgnlle2.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.fr
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\users\zard\AppData\Local\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHELINS SUPPRIMES - - - -

BHO-{D0204AA3-BE6B-4521-B638-DCD5DED24D5A} - unknown
Notify-dbfzajft - unknown
AddRemove-Steinberg Cubase SX v2.2.0.33 - c:\progra~1\STEINB~1\CUBASE~1\UNWISE.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-16 18:24
Windows 6.0.6002 Service Pack 2 NTFS

Recherche de processus cachés ...

Recherche d'éléments en démarrage automatique cachés ...

Recherche de fichiers cachés ...

Scan terminé avec succès
Fichiers cachés: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x85000618]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x82f9ed24
\Driver\ACPI -> acpi.sys @ 0x80695d68
\Driver\atapi -> ataport.SYS @ 0x807a4a2c
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\vzpxqknv]
"ServiceDll"="unknown"
.
--------------------- DLLs chargées dans les processus actifs ---------------------

- - - - - - - > 'Explorer.exe'(2360)
c:\program files\WinSCP\DragExt.dll
.
------------------------ Autres processus actifs ------------------------
.
c:\windows\system32\atieclxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Alwil Software\Avast4\ashDisp.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\windows\system32\conime.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Heure de fin: 2010-01-16 18:32:02 - La machine a redémarré
ComboFix-quarantined-files.txt 2010-01-16 17:31
ComboFix2.txt 2010-01-06 20:23

Avant-CF: 21 817 307 136 octets libres
Après-CF: 21 705 089 024 octets libres

Current=1 Default=1 Failed=0 LastKnownGood=5 Sets=1,2,3,5
- - End Of File - - 0BF9BC7A0681161ADE26465B9E8A3079

[Malekal_morte]

humm pas l'air d'avoir changé qq chose.

Refais un scan GMER pour voir.

[zard]

Voici le nouveau scan, maus j'avais oublié de désactiver avast avant ... faut il le refaire ??

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-16 22:04:55
Windows 6.0.6002 Service Pack 2
Running: 2mwcjq3b.exe; Driver: C:\Users\zard\AppData\Local\Temp\kwldapow.sys


---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\Windows\system32\drivers\atapi.sys entry point in ".rsrc" section [0x8079E024]
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x8BA0E000, 0x263A88, 0xE8000020]
? C:\ComboFix\catchme.sys Le fichier spécifié est introuvable. !
? C:\Windows\system32\Drivers\PROCEXP113.SYS Le fichier spécifié est introuvable. !

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[836] ole32.dll!CoCreateInstance 75AC9EA6 5 Bytes JMP 008D000A
.text C:\Program Files\Internet Explorer\iexplore.exe[1612] USER32.dll!CreateWindowExW 759E1305 5 Bytes JMP 7036D684 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1612] USER32.dll!DialogBoxParamW 75A010B0 5 Bytes JMP 7029541D C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1612] USER32.dll!DialogBoxIndirectParamW 75A02EF5 5 Bytes JMP 704643FF C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1612] USER32.dll!DialogBoxParamA 75A18152 5 Bytes JMP 7046439C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1612] USER32.dll!DialogBoxIndirectParamA 75A1847D 5 Bytes JMP 70464462 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1612] USER32.dll!MessageBoxIndirectA 75A2D4D9 5 Bytes JMP 70464331 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1612] USER32.dll!MessageBoxIndirectW 75A2D5D3 5 Bytes JMP 704642C6 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1612] USER32.dll!MessageBoxExA 75A2D639 5 Bytes JMP 70464264 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1612] USER32.dll!MessageBoxExW 75A2D65D 5 Bytes JMP 70464202 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3112] USER32.dll!SetWindowsHookExW 759D87AD 5 Bytes JMP 703697FD C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3112] USER32.dll!CallNextHookEx 759D8E3B 5 Bytes JMP 7035CE81 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3112] USER32.dll!UnhookWindowsHookEx 759D98DB 5 Bytes JMP 702D4620 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3112] USER32.dll!CreateWindowExW 759E1305 5 Bytes JMP 7036D684 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3112] USER32.dll!DialogBoxParamW 75A010B0 5 Bytes JMP 7029541D C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3112] USER32.dll!DialogBoxIndirectParamW 75A02EF5 5 Bytes JMP 704643FF C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3112] USER32.dll!DialogBoxParamA 75A18152 5 Bytes JMP 7046439C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3112] USER32.dll!DialogBoxIndirectParamA 75A1847D 5 Bytes JMP 70464462 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3112] USER32.dll!MessageBoxIndirectA 75A2D4D9 5 Bytes JMP 70464331 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3112] USER32.dll!MessageBoxIndirectW 75A2D5D3 5 Bytes JMP 704642C6 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3112] USER32.dll!MessageBoxExA 75A2D639 5 Bytes JMP 70464264 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3112] USER32.dll!MessageBoxExW 75A2D65D 5 Bytes JMP 70464202 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3112] ole32.dll!OleLoadFromStream 75A91E12 5 Bytes JMP 70464780 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3112] ole32.dll!CoCreateInstance 75AC9EA6 5 Bytes JMP 7036D6E0 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.exe[2360] @ C:\Windows\Explorer.exe [gdiplus.dll!GdiplusShutdown] [743E7817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[2360] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipCloneImage] [7443A86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[2360] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipDrawImageRectI] [743EBB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[2360] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipSetInterpolationMode] [743DF695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[2360] @ C:\Windows\Explorer.exe [gdiplus.dll!GdiplusStartup] [743E75E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[2360] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipCreateFromHDC] [743DE7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[2360] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipCreateBitmapFromStreamICM] [74418395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[2360] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipCreateBitmapFromStream] [743EDA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[2360] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipGetImageHeight] [743DFFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[2360] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipGetImageWidth] [743DFF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[2360] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipDisposeImage] [743D71CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[2360] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipLoadImageFromFileICM] [7446CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[2360] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipLoadImageFromFile] [7440C8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[2360] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipDeleteGraphics] [743DD968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[2360] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipFree] [743D6853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[2360] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipAlloc] [743D687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[2360] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipSetCompositingMode] [743E2AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device -> \Driver\atapi \Device\Harddisk0\DR0 85000618

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

[Malekal_morte]

Tu prends ton DVD Vista et tu démarres dessus et tu vas dans l'invite de commandes : http://forum.malekal.com/windows-recupe ... ml#p166847

Une fois dedans, tu tapes la commandes :
copy C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys c:\windows\system32\drivers

si ça va bien ça va te dire que le fichier existe déjà et ça va te demander de le remplacer.
Note bien la commande.

Dans la mesure du possible, sauvegarde tes données avant.
Si ça démarre plus tu fais "restaurer le système".

Tu refais un scan GMER et poste le rapport ici.

[zard]

Hello
Je n'arrive pas a faire passer la commande, ça me mets toujours "le chemin spécifié n'existe pas"
J'ai retenté et verifier plusieur fois mais rien a faire

L'invite de commande se positionne au demarrage sur X: + un nom de dossier, peut être faut-il changer ce préfixe ??