ComboFix 16-04-06.01 - nadia1 08/04/2016 17:16:14.1.2 - x86
Microsoft Windows XP Professionnel 5.1.2600.3.1256.212.1036.18.1015.523 [GMT 0:00]
Running from: c:\documents and settings\nadia1\Bureau\ComboFix.exe
AV: ESET Smart Security 9.0.375.1 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: Pare-feu personnel d'ESET *Enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((( Files Created from 2016-03-08 to 2016-04-08 )))))))))))))))))))))))))))))))
.
.
2016-04-08 17:06 . 2016-04-08 17:06 -------- d-----w- c:\program files\CCleaner
2016-04-08 17:04 . 2016-04-08 17:04 797376 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2016-04-08 17:04 . 2016-04-08 17:04 142528 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2016-04-08 16:40 . 2016-04-08 16:42 -------- d-----w- c:\documents and settings\nadia1\Application Data\ZHP
2016-04-02 13:16 . 2016-04-02 13:16 -------- d-----w- c:\documents and settings\nadia1\Application Data\Mael
2016-03-29 14:25 . 2016-04-08 16:29 -------- d-----w- c:\documents and settings\nadia1\Local Settings\Application Data\Google
2016-03-14 09:47 . 2016-03-14 09:47 -------- d-----w- c:\documents and settings\All Users\Application Data\MetaQuotes
2016-03-14 09:42 . 2016-03-14 09:47 -------- d-----w- c:\documents and settings\nadia1\Application Data\MetaQuotes
2016-03-10 19:38 . 2016-04-08 16:29 -------- d-----w- c:\program files\Google
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2016-02-23 15:25 . 2016-02-23 15:25 69816 ----a-w- c:\windows\system32\drivers\epfwtdi.sys
2016-02-23 15:25 . 2016-02-23 15:25 47168 ----a-w- c:\windows\system32\drivers\epfwndis.sys
2016-02-23 15:25 . 2016-02-23 15:25 206312 ----a-w- c:\windows\system32\drivers\eamonm.sys
2016-02-23 15:25 . 2016-02-23 15:25 152728 ----a-w- c:\windows\system32\drivers\epfw.sys
2016-02-23 15:25 . 2016-02-23 15:25 146024 ----a-w- c:\windows\system32\drivers\ehdrv.sys
2016-02-23 15:25 . 2016-02-23 15:25 111040 ----a-w- c:\windows\system32\drivers\ekbdflt.sys
2016-01-28 09:20 . 2016-02-11 14:26 138864 ----a-w- c:\windows\system32\drivers\idmtdi.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ IDM Shell Extension]
@="{CDC95B92-E27C-4745-A8C5-64A52A78855D}"
[HKEY_CLASSES_ROOT\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}]
2015-08-14 12:52 23520 ----a-w- c:\program files\Internet Download Manager\IDMShellExt.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2016-04-02 3933392]
"CCleaner Monitoring"="c:\program files\CCleaner\CCleaner.exe" [2016-03-11 6667992]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-15 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-15 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-15 131072]
"RTHDCPL"="RTHDCPL.EXE" [2013-10-04 20145368]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
.
R1 eamonm;eamonm;c:\windows\system32\drivers\eamonm.sys [23/02/2016 15:25 206312]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [23/02/2016 15:25 146024]
R1 IDMTDI;IDMTDI;c:\windows\system32\drivers\idmtdi.sys [11/02/2016 14:26 138864]
R2 ekbdflt;ekbdflt;c:\windows\system32\drivers\ekbdflt.sys [23/02/2016 15:25 111040]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [23/02/2016 14:20 1982752]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [03/03/2016 23:31 1691480]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [03/03/2016 22:59 332928]
.
Contents of the 'Scheduled Tasks' folder
.
2016-04-08 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2016-04-08 17:04]
.
.
------- Supplementary Scan -------
.
IE: Télécharger avec IDM (Download with IDM) - c:\program files\Internet Download Manager\IEExt.htm
IE: Télécharger tous les liens avec Internet Download Manager (Download all links with Internet Download Manager) - c:\program files\Internet Download Manager\IEGetAll.htm
Trusted Zone: eset.com\help
FF - ProfilePath - c:\documents and settings\nadia1\Application Data\Mozilla\Firefox\Profiles\qozuhbnj.default\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2016-04-08 17:19
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):de,be,3e,c5,46,e0,a5,ec,d4,ca,ba,0f,c3,7d,84,50,8c,cf,8b,d2,7a,
   29,d9,e3,c6,33,e7,90,47,48,48,3b,33,82,65,5e,e5,eb,7a,29,00,00,00,00,00,00,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{fe350300-0fa4-40ac-8ba6-ef6e693da6c4}]
@Denied: (Full) (Everyone)
"Model"=dword:0000005b
"Therad"=dword:0000001e
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
   38,95,44,1e,db,c6,8d,40,2a,1f,2c,24,b2,db,9a,e3,66,45,b8,ea,cb,06,59,b5,6c,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(492)
c:\program files\Internet Download Manager\IDMShellExt.dll
c:\program files\Internet Download Manager\IDMNetMon.DLL
c:\windows\system32\eappprxy.dll
.
Completion time: 2016-04-08 17:21:10
ComboFix-quarantined-files.txt 2016-04-08 17:21
.
Pre-Run: 35 773 120 512 bytes free
Post-Run: 35 736 481 792 bytes free
.
- - End Of File - - 9356814DC45514C085B52C75BFD411DD
C99C3199CFAA4CBDCD91493F6D113A50
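Added triage helper (example code written for this page; it is not part of ComboFix and was not posted with the log above). It parses the parts of a ComboFix log that a reviewer checks first: the AV/FW status lines in the header, the WARNING line, the Run keys and the Windows Firewall profile under "Reg Loading Points", and the "@Denied" entries under "LOCKED REGISTRY KEYS". The SAMPLE string is a constructed excerpt in the same layout as the log above (shortened, hex data truncated); all function and field names are the example's own.

```python
import re

# Constructed excerpt in ComboFix layout (not the full log above).
SAMPLE = r"""ComboFix 16-04-06.01 - nadia1 08/04/2016 17:16:14.1.2 - x86
AV: ESET Smart Security 9.0.375.1 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: Pare-feu personnel d'ESET *Enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2016-04-02 3933392]
"CCleaner Monitoring"="c:\program files\CCleaner\CCleaner.exe" [2016-03-11 6667992]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2013-10-04 20145368]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):de,be,3e,c5
.
"""

# "AV: <product> *<status>* {guid}" / "FW: ..." header lines.
STATUS_RE = re.compile(r"^(?P<kind>AV|FW): (?P<product>.+?) \*(?P<status>[^*]+)\*")
# "[HKEY_...]" registry key headers (REGEDIT4 style).
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "name"="data" [date size]  value lines under a key.
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>[^"]*)"(?:\s+\[(?P<stamp>[^\]]+)\])?')
ENABLE_FW_RE = re.compile(r'^"EnableFirewall"=\s*(?P<val>\d+)')

# Path fragments that an ordinary user can write to on XP (heuristic).
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\")


def parse_combofix(text):
    """Return a dict with the header status, warnings, Run entries,
    Windows Firewall state and locked keys found in a ComboFix log."""
    report = {"av": None, "fw": None, "warnings": [], "run_entries": [],
              "windows_firewall_enabled": None, "locked_keys": []}
    current_key = None
    in_locked = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":          # "." is ComboFix's blank line
            continue
        m = STATUS_RE.match(line)
        if m:
            report["av" if m["kind"] == "AV" else "fw"] = {
                "product": m["product"], "status": m["status"]}
            continue
        if line.startswith("WARNING"):
            report["warnings"].append(line)
            continue
        if "LOCKED REGISTRY KEYS" in line:
            in_locked = True                  # everything after this is ACL data
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m["key"]
            continue
        if current_key is None:
            continue
        if in_locked:
            if line.startswith("@Denied:"):
                report["locked_keys"].append(
                    {"key": current_key, "acl": line[len("@Denied:"):].strip()})
            continue
        if current_key.lower().endswith("\\run"):
            m = VALUE_RE.match(line)
            if m:
                report["run_entries"].append(
                    {"key": current_key, "name": m["name"], "path": m["data"]})
            continue
        if "firewallpolicy" in current_key.lower():
            m = ENABLE_FW_RE.match(line)
            if m:
                report["windows_firewall_enabled"] = m["val"] != "0"
    return report


def triage(report):
    """Turn a parsed report into the list of items worth a second look."""
    findings = []
    if report["av"] and report["av"]["status"].lower().startswith("disabled"):
        findings.append("AV reported disabled: " + report["av"]["product"])
    findings.extend(report["warnings"])
    if report["windows_firewall_enabled"] is False:
        note = ""
        if report["fw"] and report["fw"]["status"] == "Enabled":
            note = " (a third-party firewall reports Enabled; confirm it is the one in use)"
        findings.append("Windows Firewall standard profile disabled (EnableFirewall=0)" + note)
    for e in report["run_entries"]:
        p = e["path"].lower()
        if not re.match(r"^[a-z]:\\", p):
            # A bare file name is resolved through the loader's search order,
            # so a same-named binary earlier in that order would run instead.
            findings.append("Run entry %r uses an unqualified path %r (resolved via search order)"
                            % (e["name"], e["path"]))
        elif any(marker in p for marker in USER_WRITABLE):
            findings.append("Run entry %r starts from a user-writable location: %s"
                            % (e["name"], e["path"]))
    for k in report["locked_keys"]:
        findings.append("Locked key %s (%s)" % (k["key"], k["acl"]))
    return findings


if __name__ == "__main__":
    for item in triage(parse_combofix(SAMPLE)):
        print("-", item)
```

Run against the constructed excerpt this reports the disabled AV, the missing Recovery Console, EnableFirewall=0 (with the note that the ESET firewall is what reports Enabled), the RTHDCPL entry whose value is a bare file name rather than a full path, and the one locked CLSID key. A locked key by itself only means ComboFix could not read it because the ACL denies Everyone; whether that is a product's licensing data or something else has to be established separately, and this helper deliberately does not guess.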