Security center alert win32.brontok
Forum Sécurité - Virus: Security center alert win32.brontok
Hello,
Since yesterday I have been getting this Security Center alert message saying that my PC may be infected with win32.brontok. I scanned and found nothing. Also, when I try to open IE, it closes immediately... I sometimes get a runtime error 216. I don't know whether these problems are related, but I was told that this win32.brontok message is a "fake" meant to make you buy antivirus software...
Thanks for your help!
Hello,
XP or Vista?
/!\ Disable your resident protections (antivirus, etc.) /!\
- Download ComboFix (sUBs) to your Desktop.
- Double-click ComboFix.exe (the .exe extension may not be visible) to launch it.
- It will ask you to install the Recovery Console: accept.
- When the scan is complete, a report will appear. Post that report (C:\Combofix.txt) in your next reply.
To help you: A guide and tutorial on using ComboFix
Here is the report, and thanks for your help!
---------------------------------------------------------------------------------
ComboFix 09-05-02.4 - Utilisateur 2009-05-02 18:15.1 - NTFSx86
Microsoft Windows XP Édition familiale 5.1.2600.3.1252.2.1036.18.2047.1576 [GMT -4:00]
Lancé depuis: c:\documents and settings\Utilisateur\Bureau\ComboFix.exe
AV: Panda Antivirus 2008 *On-access scanning disabled* (Updated)
AVERTISSEMENT - LA CONSOLE DE RÉCUPÉRATION N'EST PAS INSTALLÉE SUR CETTE MACHINE !!
.
(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Utilisateur\Application Data\Google\aestf16724249.exe
c:\documents and settings\Utilisateur\Application Data\Google\Shell32.dll
c:\program files\INSTALL.LOG
c:\windows\admintxt.txt
c:\windows\system32\drivers\svchost.exe
c:\windows\Sysvxd.exe
.
((((((((((((((((((((((((((((( Fichiers créés du 2009-04-02 au 2009-05-02 ))))))))))))))))))))))))))))))))))))
.
2009-04-15 05:14 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 05:14 . 2009-03-06 14:20 286720 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-15 05:14 . 2009-02-09 11:23 111104 -c----w c:\windows\system32\dllcache\services.exe
2009-04-15 05:14 . 2009-02-09 10:53 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 05:14 . 2009-02-09 10:53 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 05:14 . 2009-02-09 10:53 685568 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 05:14 . 2009-02-09 10:53 735744 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 05:14 . 2009-02-09 10:53 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 05:14 . 2009-02-09 10:53 739840 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 05:13 . 2008-12-16 12:31 354304 -c----w c:\windows\system32\dllcache\winhttp.dll
2009-04-15 05:13 . 2008-04-21 21:15 219136 -c----w c:\windows\system32\dllcache\wordpad.exe
.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-02 22:18 . 2008-01-01 06:16 6 ---ha-w c:\windows\Tasks\SA.DAT
2009-05-02 22:18 . 2008-01-01 20:25 330 ---ha-w c:\windows\Tasks\MP Scheduled Scan.job
2009-05-02 20:22 . 2009-03-08 16:40 189496 ----a-w c:\windows\system32\PnkBstrB.exe
2009-05-02 20:03 . 2009-03-08 16:41 139984 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-04-29 03:27 . 2009-02-24 13:54 16 ----a-w c:\windows\popcinfo.dat
2009-04-27 15:06 . 2008-12-24 02:35 284 ----a-w c:\windows\Tasks\AppleSoftwareUpdate.job
2009-04-15 07:14 . 2004-08-05 11:00 85022 ----a-w c:\windows\system32\perfc00C.dat
2009-04-15 07:14 . 2004-08-05 11:00 511066 ----a-w c:\windows\system32\perfh00C.dat
2009-04-10 19:50 . 2008-01-01 18:35 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-16 23:19 . 2009-03-08 16:41 22328 ----a-w c:\documents and settings\Utilisateur\Application Data\PnkBstrK.sys
2009-03-16 23:19 . 2009-03-08 16:40 682280 ----a-w c:\windows\system32\pbsvc.exe
2009-03-16 22:10 . 2009-03-06 23:00 -------- d-----w c:\program files\Activision
2009-03-16 21:47 . 2008-03-24 21:12 -------- d-----w c:\program files\Fichiers communs\Adobe
2009-03-09 22:55 . 2009-03-08 16:40 75064 ----a-w c:\windows\system32\PnkBstrA.exe
2009-03-06 14:20 . 2004-08-05 11:00 286720 ----a-w c:\windows\system32\pdh.dll
2009-03-06 02:27 . 2008-01-01 19:08 21128 ----a-w c:\documents and settings\Utilisateur\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-03 00:13 . 2007-01-04 13:55 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 17:10 . 2004-08-05 11:00 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 14:05 . 2007-04-11 06:46 1846912 ----a-w c:\windows\system32\win32k.sys
2009-02-09 11:23 . 2007-02-28 16:02 2025984 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-09 11:23 . 2007-02-28 16:02 2147328 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-09 11:23 . 2004-08-05 11:00 111104 ----a-w c:\windows\system32\services.exe
2009-02-09 10:53 . 2006-08-17 11:29 735744 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:53 . 2004-08-05 11:00 739840 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 10:53 . 2004-08-05 11:00 685568 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 10:53 . 2004-08-05 11:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-06 10:39 . 2004-08-05 11:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-03 19:58 . 2004-08-05 11:00 56832 ----a-w c:\windows\system32\secur32.dll
.
((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-08-26 15:32 279944 ----a-w c:\program files\AskBarDis\bar\bin\askBar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-08-26 279944]
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-08-26 279944]
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]
"APVXDWIN"="c:\program files\Panda Security\Panda Antivirus 2008\APVXDWIN.EXE" [2007-10-04 455984]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-08 30208]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-05-18 49152]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016]
"QuickTime Task"="c:\program files\QuickTime Alternative\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="d:\itunes\iTunesHelper.exe" [2008-11-20 290088]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"ISUSPM Startup"="c:\program files\Fichiers communs\InstallShield\UpdateService\ISUSPM.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Fichiers communs\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-03-21 16126464]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-09-17 1657376]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\FICHIE~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]
c:\documents and settings\All Users\Menu D‚marrer\Programmes\D‚marrage\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
2007-02-16 01:02 50736 ----a-w c:\windows\system32\avldr.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\UO\\client.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\iTunes\\iTunes.exe"=
"d:\\NOUVEAU\\UT3\\Binaries\\UT3Demo.exe"=
"d:\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\WBGames\\Monolith Productions\\F.E.A.R. 2 SP Demo\\FEAR2SPDemo.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"d:\\Perfect World\\Program Files\\Perfect World Entertainment\\Perfect World International\\patcher\\patcher.exe"=
S1 ShldDrv;Panda File Shield Driver;c:\windows\system32\DRIVERS\ShlDrv51.sys [2008-02-07 38968]
S2 PavProc;Panda Process Protection Driver;c:\windows\system32\DRIVERS\PavProc.sys [2008-02-07 178872]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-04 13592]
S3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;c:\windows\system32\DRIVERS\atl01_xp.sys [2007-03-15 38656]
.
Contenu du dossier 'Tâches planifiées'
2009-04-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
2009-05-02 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
.
- - - - ORPHELINS SUPPRIMES - - - -
HKLM-Run-realteks - c:\documents and settings\Utilisateur\Application Data\Google\aestf16724249.exe
Notify-AtiExtEvent - (no file)
.
------- Examen supplémentaire -------
.
uStart Page = hxxp://sympatico.msn.ca/?lang=fr-CA
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: {{FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe
LSP: c:\program files\Panda Security\Panda Antivirus 2008\pavlsp.dll
DPF: Microsoft XML Parser for Java - file:///C:\WINDOWS/Java/classes/xmldso.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-02 18:18
Windows 5.1.2600 Service Pack 3 NTFS
Recherche de processus cachés ...
Recherche d'éléments en démarrage automatique cachés ...
Recherche de fichiers cachés ...
c:\windows\TEMP\TMP000000122F4F8B206C6CCC86 524288 bytes executable
Scan terminé avec succès
Fichiers cachés: 1
**************************************************************************
.
--------------------- DLLs chargées dans les processus actifs ---------------------
- - - - - - - > 'winlogon.exe'(692)
c:\windows\system32\avldr.dll
- - - - - - - > 'explorer.exe'(5476)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\eappprxy.dll
.
------------------------ Autres processus actifs ------------------------
.
c:\program files\Panda Security\Panda Antivirus 2008\PAVSRV51.EXE
c:\program files\Panda Security\Panda Antivirus 2008\AVENGINE.EXE
c:\windows\system32\rundll32.exe
c:\program files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Panda Security\Panda Antivirus 2008\PsCtrlS.exe
c:\program files\Fichiers communs\Panda Software\PavShld\PavPrSrv.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\Panda Security\Panda Antivirus 2008\PsImSvc.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Panda Security\Panda Antivirus 2008\WebProxy.exe
.
**************************************************************************
.
Heure de fin: 2009-05-02 18:20 - La machine a redémarré
ComboFix-quarantined-files.txt 2009-05-02 22:20
Avant-CF: 127 593 971 712 octets libres
Après-CF: 128 771 760 128 octets libres
187 --- E O F --- 2009-05-01 10:16
EDIT: The Security Center alert message seems to have disappeared and I can open Internet Explorer again!! Thanks!
Message edited by Pat181 on 03-05-2009 at 00:26:45
/!\ Only Pat181 should follow this procedure /!\
Disable all resident protection (antivirus, etc.)!
---> Copy (CTRL+C) the text in the box below:
KillAll::
|
---> Open Notepad: Start > All Programs > Accessories > Notepad
- Paste (CTRL+V) the text into Notepad.
- Save this file to: Desktop
- File name: CFScript
- File type: All Files!!
- Click Save.
- Close Notepad.
---> Drag and drop this CFScript file onto ComboFix.exe, as in the screenshot:
- This will relaunch ComboFix: accept the message that appears.
- Wait for the scan to finish. The Desktop will disappear several times: this is normal!
- Don't touch anything until the scan has finished.
- Once the scan is done, a report will be displayed; copy/paste its contents to the forum.
- If the file does not open, it is located here: C:\ComboFix.txt
Hello Destrio5, I have the same problem as Pat181, can you help me please?
You will find the ComboFix report below.
Thanks
ComboFix 09-07-29.04 - utilisateur 30/07/2009 19:24.1.2 - NTFSx86
Microsoft Windows XP Professionnel 5.1.2600.2.1252.33.1036.18.1022.508 [GMT 2:00]
Running from: c:\documents and settings\utilisateur\Bureau\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090729-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\utilisateur\Application Data\020000007ce9ab58579C.manifest
c:\documents and settings\utilisateur\Application Data\020000007ce9ab58579O.manifest
c:\documents and settings\utilisateur\Application Data\020000007ce9ab58579P.manifest
c:\documents and settings\utilisateur\Application Data\020000007ce9ab58579S.manifest
c:\documents and settings\utilisateur\Application Data\FunWebProducts
c:\documents and settings\utilisateur\Application Data\FunWebProducts\Data\utilisateur\avatar.dat
c:\documents and settings\utilisateur\Application Data\FunWebProducts\Data\utilisateur\zbucks.dat
c:\documents and settings\utilisateur\Application Data\Google\cqvgl19623160.exe
c:\documents and settings\utilisateur\Application Data\Google\Shell32.dll
c:\documents and settings\utilisateur\Local Settings\Application Data\ogaaw.dat
c:\documents and settings\utilisateur\Local Settings\Application Data\ogaaw.exe
c:\documents and settings\utilisateur\Local Settings\Application Data\ogaaw_nav.dat
c:\documents and settings\utilisateur\Local Settings\Application Data\ogaaw_navps.dat
c:\documents and settings\utilisateur\RavMonLog
c:\documents and settings\Val\RavMonLog
c:\program files\AntiSpyware Pro
c:\program files\FunWebProducts
c:\program files\FunWebProducts\Shared\Cache\CursorManiaBtn.html
c:\program files\FunWebProducts\Shared\Cache\MyFunCardsIMBtn-new.html
c:\program files\FunWebProducts\Shared\Cache\MyFunCardsIMBtn.html
c:\program files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html
c:\program files\FunWebProducts\Shared\Cache\WebfettiBtn.html
c:\program files\GamesBar\oberontb.dll
c:\program files\MyWebSearch
c:\program files\MyWebSearch\bar\1.bin\F3BKGERR.JPG
c:\program files\MyWebSearch\bar\1.bin\F3CJPEG.DLL
c:\program files\MyWebSearch\bar\1.bin\F3DTACTL.DLL
c:\program files\MyWebSearch\bar\1.bin\F3HISTSW.DLL
c:\program files\MyWebSearch\bar\1.bin\F3HKSTUB.DLL
c:\program files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL
c:\program files\MyWebSearch\bar\1.bin\F3HTTPCT.DLL
c:\program files\MyWebSearch\bar\1.bin\F3POPSWT.DLL
c:\program files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR
c:\program files\MyWebSearch\bar\1.bin\F3REGHK.DLL
c:\program files\MyWebSearch\bar\1.bin\F3REPROX.DLL
c:\program files\MyWebSearch\bar\1.bin\F3RESTUB.DLL
c:\program files\MyWebSearch\bar\1.bin\F3SCHMON.EXE
c:\program files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL
c:\program files\MyWebSearch\bar\1.bin\F3SPACER.WMV
c:\program files\MyWebSearch\bar\1.bin\F3WALLPP.DAT
c:\program files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL
c:\program files\MyWebSearch\bar\1.bin\FWPBUDDY.PNG
c:\program files\MyWebSearch\bar\1.bin\M3FFXTBR.JAR
c:\program files\MyWebSearch\bar\1.bin\M3FFXTBR.MANIFEST
c:\program files\MyWebSearch\bar\1.bin\M3HIGHIN.EXE
c:\program files\MyWebSearch\bar\1.bin\M3HTML.DLL
c:\program files\MyWebSearch\bar\1.bin\M3IDLE.DLL
c:\program files\MyWebSearch\bar\1.bin\M3IMPIPE.EXE
c:\program files\MyWebSearch\bar\1.bin\M3MEDINT.EXE
c:\program files\MyWebSearch\bar\1.bin\M3MSG.DLL
c:\program files\MyWebSearch\bar\1.bin\M3NTSTBR.JAR
c:\program files\MyWebSearch\bar\1.bin\M3NTSTBR.MANIFEST
c:\program files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL
c:\program files\MyWebSearch\bar\1.bin\M3SKIN.DLL
c:\program files\MyWebSearch\bar\1.bin\M3SKPLAY.EXE
c:\program files\MyWebSearch\bar\1.bin\M3SLSRCH.EXE
c:\program files\MyWebSearch\bar\1.bin\M3SRCHMN.EXE
c:\program files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL
c:\program files\MyWebSearch\bar\1.bin\MWSOESTB.DLL
c:\program files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL
c:\program files\MyWebSearch\bar\1.bin\MWSSVC.EXE
c:\program files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL
c:\program files\MyWebSearch\bar\Avatar\COMMON.F3S
c:\program files\MyWebSearch\bar\Avatar\COMMON\avatar.htm
c:\program files\MyWebSearch\bar\Avatar\COMMON\bgfadel.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\bgfader.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\common-x.css
c:\program files\MyWebSearch\bar\Avatar\COMMON\common.css
c:\program files\MyWebSearch\bar\Avatar\COMMON\cornerbl.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\cornerbr.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\ext_def.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\ext_roll.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\include.js
c:\program files\MyWebSearch\bar\Avatar\COMMON\index.htm
c:\program files\MyWebSearch\bar\Avatar\COMMON\loader.htm
c:\program files\MyWebSearch\bar\Avatar\COMMON\loading.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\logo.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\max_def.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\max_roll.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\min_def.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\min_roll.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\noflash.htm
c:\program files\MyWebSearch\bar\Avatar\COMMON\res_def.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\res_roll.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\spacer.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\spacer.swf
c:\program files\MyWebSearch\bar\Avatar\COMMON\topgrad.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\window.ico
c:\program files\MyWebSearch\bar\Cache\00407901.bin
c:\program files\MyWebSearch\bar\Cache\00407AA7.bin
c:\program files\MyWebSearch\bar\Cache\00407C0E.bin
c:\program files\MyWebSearch\bar\Cache\00407EAE
c:\program files\MyWebSearch\bar\Cache\01031CD3.bin
c:\program files\MyWebSearch\bar\Cache\01031E3A.bin
c:\program files\MyWebSearch\bar\Cache\038700B3
c:\program files\MyWebSearch\bar\Cache\03870288.bin
c:\program files\MyWebSearch\bar\Cache\038705D4.bin
c:\program files\MyWebSearch\bar\Cache\03870789.bin
c:\program files\MyWebSearch\bar\Cache\0387097D.bin
c:\program files\MyWebSearch\bar\Cache\03870B42.bin
c:\program files\MyWebSearch\bar\Cache\1A37CD7F
c:\program files\MyWebSearch\bar\Cache\files.ini
c:\program files\MyWebSearch\bar\Game\CHECKERS.F3S
c:\program files\MyWebSearch\bar\Game\CHESS.F3S
c:\program files\MyWebSearch\bar\Game\REVERSI.F3S
c:\program files\MyWebSearch\bar\History\search3
c:\program files\MyWebSearch\bar\icons\CM.ICO
c:\program files\MyWebSearch\bar\icons\MFC.ICO
c:\program files\MyWebSearch\bar\icons\PSS.ICO
c:\program files\MyWebSearch\bar\icons\SMILEY.ICO
c:\program files\MyWebSearch\bar\icons\WB.ICO
c:\program files\MyWebSearch\bar\icons\ZWINKY.ICO
c:\program files\MyWebSearch\bar\Message\COMMON.F3S
c:\program files\MyWebSearch\bar\Notifier\COMMON.F3S
c:\program files\MyWebSearch\bar\Notifier\DOG.F3S
c:\program files\MyWebSearch\bar\Notifier\FISH.F3S
c:\program files\MyWebSearch\bar\Notifier\KUNGFU.F3S
c:\program files\MyWebSearch\bar\Notifier\LIFEGARD.F3S
c:\program files\MyWebSearch\bar\Notifier\MAID.F3S
c:\program files\MyWebSearch\bar\Notifier\MAILBOX.F3S
c:\program files\MyWebSearch\bar\Notifier\OPERA.F3S
c:\program files\MyWebSearch\bar\Notifier\ROBOT.F3S
c:\program files\MyWebSearch\bar\Notifier\SEDUCT.F3S
c:\program files\MyWebSearch\bar\Notifier\SURFER.F3S
c:\program files\MyWebSearch\bar\Settings\prevcfg2.htm
c:\program files\MyWebSearch\bar\Settings\s_pid.dat
c:\program files\webmediaplayer
c:\program files\webmediaplayer\resources\languages_v2.xml
c:\program files\webmediaplayer\resources\webmedias
c:\program files\webmediaplayer\skins\classic.skn
c:\program files\webmediaplayer\sqlite3.dll
c:\program files\webmediaplayer\uninst.exe
c:\windows\GnuHashes.ini
c:\windows\LClock.exe
c:\windows\system32\f3PSSavr.scr
c:\windows\system32\GroupPolicy000.dat
c:\windows\system32\msconfig.exe
c:\windows\system32\ntoskrnl.bak2
c:\windows\system32\nvs2.inf
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_BOONTY_GAMES
-------\Legacy_MYWEBSEARCHSERVICE
-------\Service_Boonty Games
-------\Service_MyWebSearchService
((((((((((((((((((((((((( Files Created from 2009-06-28 to 2009-07-30 )))))))))))))))))))))))))))))))
.
2009-07-30 17:09 . 2009-07-30 17:09 -------- d-----w- c:\documents and settings\utilisateur\Application Data\Malwarebytes
2009-07-30 17:09 . 2009-07-13 11:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-30 17:09 . 2009-07-30 17:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-30 17:09 . 2009-07-30 17:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-30 17:09 . 2009-07-13 11:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-30 17:02 . 2009-07-30 17:02 -------- d-----w- c:\program files\Trend Micro
2009-07-29 13:11 . 2009-02-05 20:06 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-07-29 13:11 . 2009-02-05 20:06 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-07-29 13:11 . 2009-02-05 20:05 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-07-29 13:11 . 2009-02-05 20:07 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-07-29 13:11 . 2009-02-05 20:07 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-07-29 13:11 . 2009-02-05 20:04 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-07-29 13:11 . 2009-02-05 20:08 93296 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-07-29 13:11 . 2009-02-05 20:08 94032 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-07-29 13:10 . 2009-02-05 20:11 1256296 ----a-w- c:\windows\system32\aswBoot.exe
2009-07-29 12:38 . 2009-07-29 12:38 4956408 ----a-w- c:\documents and settings\utilisateur\Application Data\pdinstall.exe
2009-07-28 21:40 . 2009-03-24 14:07 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-07-28 19:48 . 2009-07-28 19:48 422 ----a-w- c:\documents and settings\utilisateur\Application Data\AdSigner\mario.exe
2009-07-28 19:48 . 2009-07-28 19:48 16141 ----a-w- c:\documents and settings\utilisateur\Application Data\Canneverbe_Limited\flamiks32.exe
2009-07-28 19:48 . 2009-07-28 19:48 145131 ----a-w- c:\documents and settings\utilisateur\Application Data\Apple Computer\pingo.dll
2009-07-28 19:48 . 2009-07-28 19:48 13221 ----a-w- c:\documents and settings\utilisateur\Application Data\Adobe\xl12.exe
2009-07-28 19:48 . 2009-07-28 19:48 11232 ----a-w- c:\documents and settings\utilisateur\Application Data\.trackballs\norigami.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-30 17:32 . 2009-06-07 16:42 -------- d-----w- c:\program files\GamesBar
2009-07-30 16:05 . 2007-04-22 16:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-07-29 12:44 . 2008-09-29 20:57 -------- d-----w- c:\program files\LimeWire
2009-07-28 23:05 . 2007-11-28 11:06 -------- d-----w- c:\program files\Sony Ericsson
2009-07-28 23:03 . 2007-03-31 17:10 -------- d-----w- c:\program files\eMule
2009-07-26 22:39 . 2008-08-20 09:21 -------- d-----w- c:\documents and settings\utilisateur\Application Data\EoRezo
2009-07-20 18:40 . 2009-06-07 16:42 -------- d-----w- c:\documents and settings\All Users\Application Data\GamesBar
2009-06-26 16:18 . 2004-08-19 18:09 663552 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 16:18 . 2004-08-19 18:09 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-23 16:05 . 2009-06-23 16:05 -------- d-----w- c:\program files\Microids
2009-06-16 14:54 . 2004-08-19 18:09 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:54 . 2001-08-28 16:00 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-10 10:22 . 2009-06-10 10:22 -------- d-----w- c:\documents and settings\utilisateur\Application Data\AdSigner
2009-06-09 06:22 . 2007-03-30 10:49 76776 ----a-w- c:\documents and settings\utilisateur\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-08 15:01 . 2007-03-27 20:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-06-08 15:00 . 2007-03-27 20:21 -------- d-----w- c:\program files\Microsoft Works
2009-06-08 14:17 . 2007-03-29 22:08 -------- d-----w- c:\program files\Everest Poker
2009-06-08 11:33 . 2009-06-08 11:33 1878984 ----a-w- c:\documents and settings\utilisateur\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
2009-06-07 16:41 . 2009-06-07 16:41 -------- d-----w- c:\program files\Oberon Media
2009-06-07 16:41 . 2009-06-07 16:41 -------- d-----w- c:\program files\Fichiers communs\Oberon Media
2009-06-07 16:41 . 2009-06-07 16:41 -------- d-----w- c:\program files\orange
2009-06-03 19:27 . 2004-08-19 18:09 1296896 ----a-w- c:\windows\system32\quartz.dll
2009-06-02 00:28 . 2007-05-06 09:16 -------- d-----w- c:\program files\lbreakout2
2009-05-07 15:43 . 2004-08-19 18:09 347136 ----a-w- c:\windows\system32\localspl.dll
2008-10-22 13:19 . 2008-10-22 13:01 3037 ----a-w- c:\program files\Infos65.is
2009-04-15 18:36 . 2007-03-27 20:55 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2009-04-15 18:36 . 2007-03-27 20:55 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2009-04-15 18:36 . 2007-03-27 20:55 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2009-04-15 18:36 . 2007-03-27 20:55 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2009-04-15 18:36 . 2007-03-27 20:55 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2007-07-14 16:47 . 2007-07-14 16:47 8192 --sha-w- c:\windows\o2cLicStore.bin
.
------- Sigcheck -------
[-] 2005-06-15 21:01 1036288 CC5B99AF6247175A151B0CC4E71C7F58 c:\windows\explorer.exe
[-] 2008-04-14 02:34 1037824 F2317622D29F9FF0F88AEECD5F60F0DD c:\windows\SoftwareDistribution\Download\44b6174a4a693136d02d4a7ecd7cbd54\explorer.exe
[-] 2008-04-14 02:33 1571840 E17C85D5B5CF477638433B851A98499E c:\windows\SoftwareDistribution\Download\44b6174a4a693136d02d4a7ecd7cbd54\sfcfiles.dll
[-] 2004-11-28 16:36 8704 AB3D62010AF342203FFA60C2D94DBC68 c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DigiClock"="none" [X]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-19 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-22 68856]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-06-26 1211176]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-11 7630848]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"Ai Quicker Help"="c:\program files\ASUS\ASUS DH Remote\AsRc.exe" [2006-10-30 3166720]
"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-08-22 81920]
"QuickTime Task"="c:\program files\QuickTime Alternative\qttask.exe" [2008-03-28 413696]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-19 15360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"LSD_III"="c:\windows\LSD\end.cmd" [2005-07-14 2310]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-19 44544]
c:\documents and settings\utilisateur\Menu D‚marrer\Programmes\D‚marrage\
.security [2009-4-22 0]
c:\documents and settings\All Users\Menu D‚marrer\Programmes\D‚marrage\
.security [2009-4-22 0]
D‚marrage rapide du logiciel HP Image Zone.lnk - c:\program files\HP\digital imaging\bin\hpqthb08.exe [2004-5-28 53248]
HP Digital Imaging Monitor.lnk - c:\program files\HP\digital imaging\bin\hpqtra08.exe [2004-5-28 241664]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoSMBalloonTip"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Freeplayer\\vlc\\vlc.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\World of Warcraft\\Launcher.exe"=
"c:\\World of Warcraft\\WoW-3.1.0.9767-to-3.1.1.9806-frFR-downloader.exe"=
"c:\\World of Warcraft\\WoW-3.1.1.9806-to-3.1.1.9835-frFR-downloader.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"16065:TCP"= 16065:TCP:NortonAV
"15960:TCP"= 15960:TCP:NortonAV
"17576:TCP"= 17576:TCP:NortonAV
"17304:TCP"= 17304:TCP:NortonAV
"16055:TCP"= 16055:TCP:NortonAV
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"13568:TCP"= 13568:TCP:NortonAV
"16675:TCP"= 16675:TCP:NortonAV
"13258:TCP"= 13258:TCP:NortonAV
"13727:TCP"= 13727:TCP:NortonAV
"13628:TCP"= 13628:TCP:NortonAV
"12452:TCP"= 12452:TCP:NortonAV
"16774:TCP"= 16774:TCP:NortonAV
"14178:TCP"= 14178:TCP:NortonAV
"14333:TCP"= 14333:TCP:NortonAV
"14096:TCP"= 14096:TCP:NortonAV
"15374:TCP"= 15374:TCP:NortonAV
"17333:TCP"= 17333:TCP:NortonAV
"12555:TCP"= 12555:TCP:NortonAV
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
R0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\drivers\xfilt.sys [27/03/2007 21:42 11264]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [29/07/2009 15:11 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [29/07/2009 15:11 20560]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [30/11/2007 19:28 13352]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187.sys --> c:\windows\system32\DRIVERS\RTL8187.sys [?]
S3 SjyPkt;SjyPkt;\??\c:\windows\System32\Drivers\SjyPkt.sys --> c:\windows\System32\Drivers\SjyPkt.sys [?]
S4 mchInjDrv;mchInjDrv; [x]
.
Contents of the 'Scheduled Tasks' folder
2008-06-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 12:57]
2009-07-30 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-04-22 14:33]
2007-11-28 c:\windows\Tasks\Norton Security Scan.job
- c:\program files\Norton Security Scan\Nss.exe [2007-04-19 21:42]
.
- - - - ORPHANS REMOVED - - - -
WebBrowser-{A057A204-BACC-4D26-C39E-35F1D2A32EC8} - (no file)
HKCU-Run-SuperCopier2.exe - c:\program files\SuperCopier2\SuperCopier2.exe
HKCU-Run-ogaaw - c:\documents and settings\utilisateur\local settings\application data\ogaaw.exe
HKCU-Run-LClock - lclock.exe
HKLM-Run-realteks - c:\documents and settings\utilisateur\Application Data\Google\cqvgl19623160.exe
Notify-2c86972a579 - c:\windows\System32\hppldcoi32.dll
.
------- Supplementary Scan -------
.
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://lo.st
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: &Search - http://edits.mywebsearch.com/toolb [...] p=ZJfox000
IE: E&xporter vers Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\utilisateur\Menu Démarrer\Programmes\IMVU\Run IMVU.lnk
FF - ProfilePath - c:\documents and settings\utilisateur\Application Data\Mozilla\Firefox\Profiles\57yjdxja.default\
FF - prefs.js: browser.search.selectedEngine - MyWebSearch
FF - prefs.js: browser.startup.homepage - hxxp://lo.st/
FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZJfox000&fl=0&ptb=w__EaFZA3IXSKGSdmajJxA&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=kwd&searchfor=
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-30 19:35
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-436374069-1958367476-839522115-1003\SOFTWARE\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:ad,27,21,61,3c,4f,30,db,b1,a5,fc,fb,b2,be,43,8d,45,0b,52,63,67,17,b1,
98,91,36,4c,f9,4f,1f,86,da,ce,09,93,aa,de,c6,e0,e8,03,58,c8,4d,aa,91,b5,56,\
"??"=hex:0d,0d,44,2c,3a,73,8c,22,31,3e,58,78,41,13,07,21
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(3248)
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Executive Software\Diskeeper\DkService.exe
c:\windows\system32\imapi.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\HP\digital imaging\bin\hpqgalry.exe
c:\program files\ASUS\ASUS DH Remote\AsDHRemote.exe
.
**************************************************************************
.
Completion time: 2009-07-30 19:42 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-30 17:42
Pre-Run: 72 529 915 904 bytes free
Post-Run: 73 187 958 784 bytes free
379 --- E O F --- 2009-07-29 19:01
Hello Valvar,
Since the original poster has not given any news, I'll help you in this thread.
/!\ Only Valvar should follow this procedure /!\
Disable all resident protection (antivirus, etc.)!
---> Copy (CTRL+C) the text in the box below:
KillAll::
---> Open Notepad: Start > All Programs > Accessories > Notepad
- Paste (CTRL+V) the text into Notepad.
- Save this file to: Desktop
- File name: CFScript
- File type: All files!!
- Click Save.
- Close Notepad.
---> Drag and drop this CFScript file onto ComboFix.exe, as shown in the screenshot:
- This will relaunch ComboFix: accept the prompt that appears.
- Wait while the scan runs. The desktop will disappear several times: this is normal!
- Do not touch anything until the scan has finished.
- Once the scan is complete, a report will be displayed; copy/paste its contents onto the forum.
- If the file does not open, it is located at: C:\ComboFix.txt
Hello destrio5, could you help me too?
I also have this virus on Windows XP, and here is my report:
ComboFix 09-07-31.02 - ACAdmin 31/07/2009 23:15.1.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.33.1033.18.2039.1506 [GMT 2:00]
Running from: d:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\eksplorasi.exe
c:\windows\system32\Drivers\svchost.exe
c:\windows\Sysvxd.exe
d:\documents and settings\Administrator\Application Data\Google\ocprg23017248.exe
d:\documents and settings\Administrator\Application Data\Google\Shell32.dll
d:\documents and settings\Administrator\Local Settings\Application Data\csrss.exe
d:\documents and settings\Administrator\Local Settings\Application Data\inetinfo.exe
d:\documents and settings\Administrator\Local Settings\Application Data\lsass.exe
d:\documents and settings\Administrator\Local Settings\Application Data\services.exe
d:\documents and settings\Administrator\Local Settings\Application Data\smss.exe
.
((((((((((((((((((((((((( Files Created from 2009-06-28 to 2009-07-31 )))))))))))))))))))))))))))))))
.
2009-07-26 18:36 . 2009-07-26 18:36 -------- d-----w- C:\Downloads
2009-07-26 18:36 . 2009-07-26 18:36 -------- d-----w- C:\Bases
2009-07-26 18:29 . 2009-07-26 18:29 -------- d-----w- d:\documents and settings\Administrator\Application Data\Malwarebytes
2009-07-24 23:01 . 2009-07-25 13:39 4956408 ----a-w- d:\documents and settings\Administrator\Application Data\pdinstall.exe
2009-07-24 22:54 . 2009-07-24 22:54 422 ----a-w- d:\documents and settings\Administrator\Application Data\Sonic\mario.exe
2009-07-24 22:54 . 2009-07-24 22:54 16141 ----a-w- d:\documents and settings\Administrator\Application Data\Macromedia\flamiks32.exe
2009-07-24 22:54 . 2009-07-24 22:54 145131 ----a-w- d:\documents and settings\Administrator\Application Data\Leadertech\pingo.dll
2009-07-24 22:54 . 2009-07-24 22:54 13221 ----a-w- d:\documents and settings\Administrator\Application Data\InstallShield\xl12.exe
2009-07-24 22:54 . 2009-07-24 22:54 11232 ----a-w- d:\documents and settings\Administrator\Application Data\Identities\norigami.dll
2009-07-14 15:13 . 2009-07-14 15:13 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-14 15:12 . 2009-07-14 15:12 152576 ----a-w- d:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2006-09-12 13:21 . 2006-09-13 13:47 319 ----a-w- c:\program files\VersionMarker.dat
2009-06-16 22:00 . 2009-06-15 23:29 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2008-08-26 19:38 . 2008-08-20 12:02 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2006-05-03 10:06 . 2009-04-04 16:27 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 11:47 . 2009-04-04 16:27 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 13:30 . 2009-04-04 16:27 216064 --sh--r- c:\windows\system32\nbDX.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
"MSMSGS"="c:\progra~1\MESSEN~1\Msmsgs.exe" [2005-08-31 1658592]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-05 68856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-12-21 48800]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-05-27 85744]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-05-02 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-05-02 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-05-02 138008]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-01-05 872448]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-12 827392]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-05-07 159744]
"atchk"="c:\program files\Intel\AMT\atchk.exe" [2007-05-01 404248]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-23 185896]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-14 148888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-08-26 29744]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"LogonType"= 0 (0x0)
"disablecad"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)
[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnkCommon Startup
[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^DVD Check.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\DVD Check.lnk
backup=c:\windows\pss\DVD Check.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"64213:TCP"= 64213:TCP:eMule_TCP
"64092:UDP"= 64092:UDP:eMule_UDP
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017
R2 UNS;Intel(R) Active Management Technology User Notification Service;c:\program files\Intel\AMT\UNS.exe [1/15/2008 4:44 PM 1489688]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\eengine\EraserUtilRebootDrv.sys [9/13/2006 10:06 PM 101936]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [9/12/2007 4:57 PM 36608]
R3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [10/5/2007 11:42 AM 47616]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [8/20/2008 2:02 PM 29744]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [5/27/2006 3:06 PM 169200]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5}]
rundll32.exe advpack.dll,LaunchINFSection c:\windows\INF\wmactedp.inf,PerUserStub
.
Contents of the 'Scheduled Tasks' folder
2008-04-01 c:\windows\Tasks\At1.job
- c:\program files\ACMT\ACMT.exe [2006-09-13 10:58]
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-realteks - d:\documents and settings\Administrator\Application Data\Google\ocprg23017248.exe
.
------- Supplementary Scan -------
.
uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.wanadoo.fr/
uSearch Bar = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - d:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2pmy3gf3.default\
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-31 23:20
Windows 5.1.2600 Service Pack 3 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(3732)
c:\windows\system32\xpsp3res.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\WIDCOMM\BLUETOOTH SOFTWARE\BIN\BTWDINS.EXE
c:\program files\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
c:\program files\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
c:\windows\SYSTEM32\SCARDSVR.EXE
c:\program files\SYMANTEC ANTIVIRUS\VPTRAY.EXE
c:\windows\SYSTEM32\IGFXSRVC.EXE
c:\program files\INTEL\AMT\ATCHKSRV.EXE
c:\program files\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
c:\program files\INTEL\INTEL MATRIX STORAGE MANAGER\IAANTMON.EXE
c:\program files\JAVA\JRE6\BIN\JQS.EXE
c:\program files\INTEL\AMT\LMS.EXE
c:\program files\MESSENGER\MSMSGS.EXE
c:\program files\SYMANTEC ANTIVIRUS\RTVSCAN.EXE
c:\program files\HEWLETT-PACKARD\SHARED\HPQWMIEX.EXE
.
**************************************************************************
.
Completion time: 2009-07-31 23:22 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-31 21:22
Pre-Run: 8 469 430 272 bytes free
Post-Run: 8 504 852 480 bytes free
170
One thread per person, thanks.
okapi no problem :-)
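The two ComboFix reports in this thread share a pattern that is worth checking mechanically rather than by eye: copies of core Windows process names (svchost.exe, lsass.exe, csrss.exe, smss.exe, services.exe) dropped outside %SystemRoot%\system32, registry policy values that switch off the Ctrl+Alt+Del logon requirement, Automatic Updates and Security Center monitoring, a firewall exception granted to the rogue drivers\svchost.exe, and a zero-byte ".security" item in both Startup folders. The script below is an added example written for this page; it is not part of the thread and not ComboFix's own logic. It runs those checks over a sample built from lines quoted in the two reports. The name sets, the "review" heuristic for executables sitting directly under %windir%, and the one-line readings of each registry value are assumptions made for the example, not ComboFix verdicts.

```python
"""Triage helper for ComboFix-style reports (added example, not ComboFix code).

Heuristics only: every hit is something to look at, not a verdict.
"""
import ntpath
import re
from typing import List, Tuple

# Core Windows process names that should never show up outside the system root.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "smss.exe",
                   "services.exe", "winlogon.exe", "inetinfo.exe"}
# Parent directories (drive letter stripped, lower-case) where those names belong.
LEGIT_PARENTS = {r"\windows\system32", r"\windows\system32\inetsrv"}
# Executables that legitimately sit directly under %windir% on XP (assumed list).
WINDIR_ALLOWLIST = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe",
                    "winhlp32.exe", "taskman.exe", "twunk_16.exe", "twunk_32.exe"}
# (registry key fragment, value name) -> why a non-zero value weakens the host.
WEAKENING = {
    (r"policies\system", "disablecad"): "Ctrl+Alt+Del requirement at logon turned off",
    (r"windowsupdate\au", "noautoupdate"): "Automatic Updates disabled by policy",
    ("security center", "updatesdisablenotify"): "Security Center update warnings suppressed",
    (r"security center\monitoring", "disablemonitoring"): "Security Center told to stop watching an AV product",
}

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(?:dword:([0-9a-fA-F]+)|(\d+))?')
DRIVE_PATH_RE = re.compile(r"^[a-zA-Z]:\\")
ZERO_BYTE_RE = re.compile(r"\[\d{4}-\d{1,2}-\d{1,2} 0\]$")

Finding = Tuple[str, str]


def normalize(path: str) -> str:
    """Lower-case, collapse regedit's doubled backslashes, expand %windir%."""
    p = path.lower().replace("\\\\", "\\")
    return p.replace("%windir%", r"c:\windows").replace("%systemroot%", r"c:\windows")


def check_path(path: str) -> List[Finding]:
    """Flag a system-binary name living outside its home, or a stray .exe under %windir%."""
    no_drive = re.sub(r"^[a-z]:", "", normalize(path))
    parent, base = ntpath.split(no_drive)
    if base in SYSTEM_BINARIES and parent not in LEGIT_PARENTS:
        return [("masquerade", f"{base} outside its normal location: {path}")]
    if parent == r"\windows" and base.endswith(".exe") and base not in WINDIR_ALLOWLIST:
        return [("review", f"unexpected executable directly under %windir%: {path}")]
    return []


def triage(report: str) -> List[Finding]:
    """Walk the report line by line, tracking the current registry key."""
    findings: List[Finding] = []
    current_key = ""
    prev = ""
    for raw in report.splitlines():
        line = raw.strip()
        key_m = KEY_RE.match(line)
        val_m = VALUE_RE.match(line)
        if key_m:
            current_key = key_m.group(1).lower()
        elif val_m:
            name, hexval, decval = val_m.groups()
            if r"authorizedapplications\list" in current_key:
                # Under this key the value name is the program path let through the XP firewall.
                for _, detail in check_path(name):
                    findings.append(("firewall", "exception granted to " + detail))
            else:
                value = int(hexval, 16) if hexval else int(decval) if decval else 0
                for (fragment, vname), meaning in WEAKENING.items():
                    if fragment in current_key and name.lower() == vname and value:
                        findings.append(("policy", f"{name}={value}: {meaning}"))
        elif DRIVE_PATH_RE.match(line):
            findings.extend(check_path(line))
        elif prev.endswith("\\") and ZERO_BYTE_RE.search(line):
            # ComboFix prints a startup folder, then its items as "name [date size]".
            findings.append(("startup", f"zero-byte item in startup folder: {line} (under {prev})"))
        prev = line
    return findings


# Constructed sample: lines lifted from the two reports in this thread.
SAMPLE_REPORT = r"""
c:\windows\eksplorasi.exe
c:\windows\system32\Drivers\svchost.exe
c:\windows\Sysvxd.exe
d:\documents and settings\Administrator\Local Settings\Application Data\lsass.exe
c:\documents and settings\utilisateur\Menu Démarrer\Programmes\Démarrage\
.security [2009-4-22 0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"LogonType"= 0 (0x0)
"disablecad"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"""

if __name__ == "__main__":
    for category, detail in triage(SAMPLE_REPORT):
        print(f"[{category:10}] {detail}")
```

Feed it a whole ComboFix.txt and read the "masquerade" and "firewall" hits first: a process name like svchost.exe under system32\drivers, or lsass.exe under a user's Local Settings, has no legitimate reason to exist, and a firewall exception for such a path is the infection giving itself network access. The "policy" hits explain why the Security Center alert in the first post could not be trusted at face value: the same report shows the monitoring and update notifications being turned off.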