ComboFix 13-04-01.01 - SANO 02/04/2013  14:44:06.1.4 - x86
Microsoft Windows 7 Édition Intégrale   6.1.7601.1.1252.33.1036.18.3071.2010 [GMT 2:00]
Running from: e:\users\SANO\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}
SP: Microsoft Security Essentials *Disabled/Updated* {84E27563-E198-C6D6-D9BC-D9F020245508}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((   Other Deletions   ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
E:\setup.exe
e:\users\SANO\AppData\Roaming\SANOlog.dat
e:\windows\system32\pt
e:\windows\system32\pt\AuthFWSnapIn.Resources.dll
e:\windows\system32\pt\AuthFWWizFwk.Resources.dll
e:\windows\system32\pt\Narrator.resources.dll
.
.
(((((((((((((((((((((((((((((   Files Created from 2013-03-02 to 2013-04-02   ))))))))))))))))))))))))))))))))))))
.
.
2013-04-02 12:54 . 2013-04-02 12:56  --------  d-----w-  e:\users\SANO\AppData\Local\temp
2013-04-02 06:06 . 2013-03-15 07:21  7108640  ----a-w-  e:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{44C8FE5B-08AB-4F57-9CCB-50C4D6200855}\mpengine.dll
2013-03-31 21:11 . 2013-03-15 07:21  7108640  ----a-w-  e:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-03-29 18:46 . 2013-03-29 18:46  --------  d-----w-  E:\6a416dfbaa714f1b32d667
2013-03-28 16:24 . 2013-03-28 16:24  40776  ----a-w-  e:\windows\system32\drivers\mbamswissarmy.sys
2013-03-26 21:22 . 2013-03-19 04:50  7108640  ----a-w-  e:\programdata\Microsoft\Windows Defender\Definition Updates\{BB6AFE85-37BA-4E40-9E6D-B29BA7CCAB9C}\mpengine.dll
2013-03-25 19:27 . 2013-03-25 19:27  --------  d-----w-  E:\_OTL
2013-03-25 11:47 . 2013-03-25 11:47  512  ------w-  E:\PhysicalMBR.bin
2013-03-23 22:51 . 2013-03-23 22:51  --------  d-----w-  e:\program files\Microsoft Visual Studio 8
2013-03-23 22:37 . 2013-03-23 22:37  --------  d-----w-  e:\program files\Microsoft Analysis Services
2013-03-23 16:20 . 2013-03-23 16:20  99592  ----a-w-  e:\windows\PSEXESVC.EXE
2013-03-23 15:51 . 2013-03-23 15:51  --------  d-----w-  e:\users\cedric test
2013-03-21 19:27 . 2012-10-23 05:04  740840  ------w-  e:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{71289C59-B31F-45BC-B918-33DF22368CCE}\gapaengine.dll
2013-03-17 17:49 . 2013-03-17 17:49  --------  d-----w-  e:\program files\Common Files\Skype
2013-03-16 21:44 . 2013-03-24 15:53  --------  d-----w-  e:\windows\softwaredistribution.bak2
2013-03-15 20:40 . 2012-10-11 03:08  34432  ----a-w-  e:\windows\system32\drivers\mcvidrv.sys
2013-03-14 06:59 . 2013-03-14 06:59  --------  d-----w-  e:\users\SANO\AppData\Local\Shalsoft
2013-03-14 06:59 . 2013-03-14 06:59  --------  d-----w-  e:\program files\GigaTribe
2013-03-11 15:05 . 2013-03-11 15:05  --------  d-----w-  e:\windows\CheckSur
2013-03-10 16:04 . 2013-03-11 15:03  --------  d-----w-  e:\windows\softwaredistribution.bak1
2013-03-10 15:51 . 2013-03-10 15:51  --------  d-----w-  e:\windows\system32\catroot2.old
2013-03-07 17:42 . 2013-03-07 17:42  5664768  ----a-w-  e:\programdata\Microsoft\BingDesktop\Updater\BingDesktop.msi
2013-03-04 07:50 . 2013-03-08 14:02  --------  d-----w-  e:\windows\SoftwareDistribution.old
.
.
.
((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-03-06 12:03 . 2012-04-06 06:29  691568  ----a-w-  e:\windows\system32\FlashPlayerApp.exe
2013-03-06 12:03 . 2012-02-13 18:17  71024  ----a-w-  e:\windows\system32\FlashPlayerCPLApp.cpl
2013-01-31 09:50 . 2013-01-31 09:50  22656  ----a-w-  e:\windows\system32\drivers\mcaudrv.sys
2013-01-30 10:53 . 2012-02-13 17:26  232336  ------w-  e:\windows\system32\MpSigStub.exe
2013-01-25 09:34 . 2013-02-14 06:44  92184  ----a-w-  e:\programdata\Microsoft\BingDesktop\Updater\BingDesktopRestarter.exe
2013-01-20 14:59 . 2013-01-20 14:59  195296  ----a-w-  e:\windows\system32\drivers\MpFilter.sys
2013-01-20 14:59 . 2011-04-27 14:25  100328  ----a-w-  e:\windows\system32\drivers\NisDrvWFP.sys
2013-01-04 10:45 . 2012-12-10 14:34  16400  ----a-w-  e:\windows\system32\drivers\LNonPnP.sys
2013-02-16 00:34 . 2012-09-16 16:59  263064  ----a-w-  e:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate default entries are not listed
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="e:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="e:\program files\Microsoft Security Client\msseces.exe" [2013-01-27 947152]
"Adobe ARM"="e:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"APSDaemon"="e:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-01-28 59720]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2011-09-27 19:03  66328  ----a-w-  e:\program files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\E:^Users^SANO^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Facebook Messenger.lnk]
backup=e:\windows\pss\Facebook Messenger.lnk.Startup
backupExtension=.Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ManyCam
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-12-03 07:35  946352  ----a-w-  e:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeAAMUpdater-1.0]
2012-09-20 05:27  444904  ----a-w-  e:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2013-01-28 12:08  59720  ----a-w-  e:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BingDesktop]
2013-03-07 17:25  2387048  ----a-w-  e:\program files\Microsoft\BingDesktop\BingDesktop.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamserviceExchange]
2011-09-07 09:43  3228968  ----a-w-  e:\program files\Hercules\Dualpix Exchange\XtrCtrlEx.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EvtMgr6]
2011-10-07 09:40  1387288  ----a-w-  e:\program files\Logitech\SetPointP\SetPoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Facebook Update]
2012-07-11 22:36  138096  ----atw-  e:\users\SANO\AppData\Local\Facebook\Update\FacebookUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IncrediMail]
2013-01-23 14:43  367168  ----a-w-  e:\program files\IncrediMail\Bin\IncMail.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2013-02-20 11:35  152392  ----a-w-  e:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2009-11-09 03:17  180224  ----a-w-  e:\program files\PowerISO\PWRISOVM.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2012-10-25 02:12  421888  ----a-w-  e:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2013-01-08 11:59  18705664  ----a-r-  e:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"PWRISOVM.EXE"=e:\program files\PowerISO\PWRISOVM.EXE
"QuickTime Task"="e:\program files\QuickTime\QTTask.exe" -atboottime
"NVRaidService"=e:\windows\system32\nvraidservice.exe
"AdobeAAMUpdater-1.0"="e:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
.
R2 SkypeUpdate;Skype Updater;e:\program files\Skype\Updater\Updater.exe [x]
R3 MBAMSwissArmy;MBAMSwissArmy;e:\windows\system32\drivers\mbamswissarmy.sys [x]
R3 Netaapl;Apple Mobile Device Ethernet Service;e:\windows\system32\DRIVERS\netaapl.sys [x]
R3 NisDrv;Microsoft Network Inspection System;e:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Inspection du réseau Microsoft;e:\program files\Microsoft Security Client\NisSrv.exe [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;e:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 Synth3dVsc;Synth3dVsc;e:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;e:\windows\system32\drivers\tsusbflt.sys [x]
R3 tsusbhub;tsusbhub;e:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;e:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Service Windows Activation Technologies;e:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 AdobeActiveFileMonitor10.0;Adobe Active File Monitor V10;e:\program files\Adobe\Elements 10 Organizer\PhotoshopElementsFileAgent.exe [x]
S2 Anti-Hacks Engine;Anti-Hacks Engine;e:\program files\Anti-Hacks\AntiHacksService.exe [x]
S2 BingDesktopUpdate;Bing Desktop Update service;e:\program files\Microsoft\BingDesktop\BingDesktopUpdater.exe [x]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;e:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]
S3 hxctlflt;hxctlflt;e:\windows\system32\Drivers\hxctlflt.sys [x]
.
.
--- Other Services/Drivers in Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
GPSvcGroup REG_MULTI_SZ GPSvc
.
Contents of the 'Scheduled Tasks' folder
.
2013-04-02 e:\windows\Tasks\Adobe Flash Player Updater.job
- e:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-06 12:03]
.
2013-03-29 e:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2298646391-757493722-2707815433-1001Core.job
- e:\users\SANO\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-04-11 22:36]
.
2013-04-02 e:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2298646391-757493722-2707815433-1001UA.job
- e:\users\SANO\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-04-11 22:36]
.
2013-04-02 e:\windows\Tasks\GlaryInitialize.job
- e:\program files\Glary Utilities\initialize.exe [2012-02-13 23:26]
.
2013-02-10 e:\windows\Tasks\GoogleUpdateTaskMachineCore1ce079fd0412d90.job
- e:\program files\Google\Update\GoogleUpdate.exe [2012-10-13 15:53]
.
2013-04-02 e:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- e:\program files\Google\Update\GoogleUpdate.exe [2012-10-13 15:53]
.
2013-02-17 e:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2298646391-757493722-2707815433-1001Core1ce0cfac8acacc0.job
- e:\users\SANO\AppData\Local\Google\Update\GoogleUpdate.exe [2012-02-13 17:17]
.
2013-04-02 e:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2298646391-757493722-2707815433-1001UA1cd08e73ac3de78.job
- e:\users\SANO\AppData\Local\Google\Update\GoogleUpdate.exe [2012-02-13 17:17]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xporter vers Microsoft Excel - e:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 212.27.40.240 212.27.40.241
FF - ProfilePath - e:\users\SANO\AppData\Roaming\Mozilla\Firefox\Profiles\dyl2922a.default\
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@e:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_171_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="e:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_171_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
e:\windows\system32\nvvsvc.exe
e:\program files\Microsoft Security Client\MsMpEng.exe
e:\program files\NVIDIA Corporation\Display\nvxdsync.exe
e:\windows\system32\nvvsvc.exe
e:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe
e:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
e:\windows\system32\taskhost.exe
e:\program files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
e:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
e:\program files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
e:\program files\NVIDIA Corporation\Display\nvtray.exe
e:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
e:\windows\system32\conhost.exe
e:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
e:\windows\system32\sppsvc.exe
.
**************************************************************************
.
Completion time: 2013-04-02 15:06:13 - The machine has rebooted
ComboFix-quarantined-files.txt  2013-04-02 13:06
.
Pre-Run: 81,814,147,072 bytes free
Post-Run: 81,244,418,048 bytes free
.
- - End Of File - - E3033D92324286D3ACF499E44A978DE7
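The log above carries four kinds of persistence records a responder triages by hand: Run/run-disabled values, msconfig startupreg entries, the R2/R3/S2/S3 service and driver lines, and the scheduled-task pairs under 'Scheduled Tasks'. The Python below is an added example, not part of the original post and not ComboFix's own code: it parses those four record types out of a ComboFix-style log and puts the ones launched from a user-writable location (under \users\, \programdata\, \temp\) or straight off a drive root at the top of the list. The sample text is constructed from a few lines in the layout of the log above, and the review_first ordering is an assumed triage heuristic for where to look first, not a verdict on any entry.

```python
"""Pull persistence entries out of a ComboFix-style log and order them for triage (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a few lines laid out like the log above, not the full log.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="e:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="e:\program files\Microsoft Security Client\msseces.exe" [2013-01-27 947152]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Facebook Update]
2012-07-11 22:36  138096  ----atw-  e:\users\SANO\AppData\Local\Facebook\Update\FacebookUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"QuickTime Task"="e:\program files\QuickTime\QTTask.exe" -atboottime
"NVRaidService"=e:\windows\system32\nvraidservice.exe
.
R2 SkypeUpdate;Skype Updater;e:\program files\Skype\Updater\Updater.exe [x]
S2 Anti-Hacks Engine;Anti-Hacks Engine;e:\program files\Anti-Hacks\AntiHacksService.exe [x]
.
2013-04-02 e:\windows\Tasks\Adobe Flash Player Updater.job
- e:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-06 12:03]
.
2013-04-02 e:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2298646391-757493722-2707815433-1001UA1cd08e73ac3de78.job
- e:\users\SANO\AppData\Local\Google\Update\GoogleUpdate.exe [2012-02-13 17:17]
"""


@dataclass(frozen=True)
class Persistence:
    kind: str       # "run" | "startupreg" | "service" | "task"
    name: str       # value name, startupreg entry, service name or .job path
    image: str      # the binary that gets launched
    location: str   # registry key, service start type (R2/S2/...) or "Tasks"


KEY_RE = re.compile(r"^\[(.+)\]$")
RUN_VALUE_RE = re.compile(r'^"([^"]+)"=(.+)$')
# "date time  size  attrs  path" as written under a startupreg key
STARTUPREG_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+\d+\s+\S{8}\s+(.+?)\s*$")
# "R2 name;display name;image [x]"
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s*(?:\[x\])?\s*$")
TASK_RE = re.compile(r"^\d{4}-\d{2}-\d{2}\s+(.+\.job)$")
TASK_IMAGE_RE = re.compile(r"^-\s+(.+?)\s*(?:\[[^\]]*\])?\s*$")


def _image_from_run_value(raw: str) -> str:
    """'"path" args [date size]' or bare 'path' -> path."""
    raw = raw.strip()
    if raw.startswith('"'):
        return raw[1:raw.index('"', 1)]
    return re.sub(r"\s+\[.*\]$", "", raw)


def parse_persistence(log: str) -> list[Persistence]:
    entries: list[Persistence] = []
    key_raw, key = "", ""
    lines = log.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if m := KEY_RE.match(line):
            key_raw = m.group(1)          # the [KEY] header sets context for the value lines below it
            key = key_raw.lower()
            continue
        if key.endswith(("\\run", "\\run-disabled")) and (m := RUN_VALUE_RE.match(line)):
            entries.append(Persistence("run", m.group(1), _image_from_run_value(m.group(2)), key_raw))
        elif "\\msconfig\\startupreg\\" in key and (m := STARTUPREG_RE.match(line)):
            entries.append(Persistence("startupreg", key_raw.rsplit("\\", 1)[1], m.group(1), key_raw))
        elif m := SERVICE_RE.match(line):
            entries.append(Persistence("service", m.group(2).strip(), m.group(4), m.group(1)))
        elif (m := TASK_RE.match(line)) and i < len(lines) and (img := TASK_IMAGE_RE.match(lines[i].strip())):
            entries.append(Persistence("task", m.group(1), img.group(1), "Tasks"))
            i += 1                        # the "- image [date]" line belongs to this task
    return entries


# Assumed triage heuristic: binaries in user-writable trees or at a drive root get looked at first.
USER_WRITABLE_MARKERS = ("\\users\\", "\\programdata\\", "\\temp\\")


def review_first(image: str) -> bool:
    p = image.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS) or re.fullmatch(r"[a-z]:\\[^\\]+", p) is not None


def triage(log: str) -> list[Persistence]:
    """All persistence entries, flagged ones first, then by kind and name."""
    return sorted(parse_persistence(log), key=lambda e: (not review_first(e.image), e.kind, e.name.lower()))


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print("!" if review_first(e.image) else " ", e.kind.ljust(10), e.name, "->", e.image)
```

Feed the whole log text to triage() instead of SAMPLE_LOG to get the same ordering for a real run; the parser keys off the section layout ComboFix writes (a [KEY] header followed by its values, service lines starting with R or S and a digit, and the two-line task records), so it does not depend on the localized section titles.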