ComboFix 15-07-16.01 - Administrateur 16/07/2015 15:40:11.1.2 - x86
Microsoft Windows XP Professionnel 5.1.2600.3.1256.212.1036.18.1015.442 [GMT 1:00]
Running from: c:\documents and settings\Administrateur\Bureau\ComboFix.exe
AV: ESET Smart Security 8.0 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: Pare-feu personnel d'ESET *Disabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
 * Created a new restore point
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
(((((((((((((((((((((((((   Files Created from 2015-06-16 to 2015-07-16   )))))))))))))))))))))))))))))))
.
.
2015-07-15 09:58 . 2015-07-15 09:58 778416 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2015-07-15 09:58 . 2015-07-15 09:58 142512 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2015-07-13 00:56 . 2015-07-13 01:42 -------- d-----w- c:\program files\FX Solutions UK - MetaTrader
2015-07-12 03:28 . 2015-07-12 03:28 -------- d-----w- c:\program files\Fichiers communs\EZB Systems
2015-07-11 19:54 . 2015-07-11 19:55 -------- d-----w- c:\program files\CCleaner
2015-07-10 16:20 . 2015-07-10 16:24 -------- d-----w- c:\program files\FXDD Malta - MetaTrader 4
2015-07-08 18:38 . 2015-07-08 18:42 -------- d-----w- c:\program files\SuperTradingOnline MT4
2015-07-05 19:42 . 2015-07-08 16:19 -------- d-----w- c:\program files\OctaTrader
2015-07-04 17:01 . 2011-12-07 17:32 216064 ----a-w- c:\windows\system32\lagarith.dll
2015-07-04 17:01 . 2015-02-28 15:21 3591680 ----a-w- c:\windows\system32\x264vfw.dll
2015-07-04 17:01 . 2015-02-24 22:37 240128 ----a-w- c:\windows\system32\xvidvfw.dll
2015-07-04 17:01 . 2015-02-24 22:37 655872 ----a-w- c:\windows\system32\xvidcore.dll
2015-07-04 17:01 . 2012-07-21 10:54 122880 ----a-w- c:\windows\system32\ac3acm.acm
2015-07-04 17:00 . 2015-04-15 18:00 112128 ----a-w- c:\windows\system32\ff_vfw.dll
2015-07-04 17:00 . 2015-07-04 17:01 -------- d-----w- c:\program files\K-Lite Codec Pack
2015-07-04 16:56 . 2015-07-04 16:56 -------- d-----w- c:\documents and settings\Administrateur\Application Data\MPC-HC
2015-06-18 14:36 . 2015-06-18 14:55 -------- d-----w- c:\program files\FreeTime
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-06-18 00:22 . 2014-12-06 16:28 5011272 ----a-w- c:\windows\system32\MetaViewer.dll
2015-06-16 13:04 . 2015-06-12 16:44 21361 ----a-w- c:\windows\system32\drivers\AegisP.sys
2015-06-16 13:03 . 2015-06-12 16:44 376832 ----a-w- c:\windows\system32\AegisI5Installer.exe
2015-06-12 02:00 . 2015-03-26 13:50 128528 ----a-w- c:\windows\system32\drivers\idmtdi.sys
2015-05-10 13:08 . 2015-05-10 12:45 35064 ----a-w- c:\windows\system32\drivers\TrueSight.sys
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2008-09-27 10:24 . 0F350F1870E65C510FFFF60D7EE14BA8 . 1504256 . . [2001.12.4414.700] . . c:\windows\system32\comres.dll
.
[-] 2008-09-27 . 4BB6301D634C857A5089E8B24C5555E4 . 593408 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
.
[-] 2008-09-27 . AAC42FD16A1976DE9A0773E740597644 . 693248 . . [5.82] . . c:\windows\system32\comctl32.dll
[7] 2008-04-14 . AEF3D788DBF40C7C4D204EA45EB0C505 . 921088 . . [6.0] . . c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll
[7] 2008-04-14 . F92E6BEA9349D49341383F8403B4DFE5 . 1054208 . . [6.0] . . c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
.
[-] 2008-09-27 . B6BC3773B01BF85B880F56C198EEA90B . 3774464 . . [7.00.6000.20861] . . c:\windows\system32\mshtml.dll
.
[-] 2008-09-27 . EF31A8266AF7996746392E4F45502536 . 517632 . . [5.1.2600.5512] . . c:\windows\system32\user32.dll
.
[-] 2008-09-27 . 90B16FF3ACEC94B95BA95AA686442A47 . 879616 . . [7.00.6000.20861] . . c:\windows\system32\wininet.dll
.
[-] 2008-09-27 . BFBBBFE0913E6C9706F97598A6588B8F . 1573888 . . [6.00.2900.5634] . . c:\windows\explorer.exe
.
[-] 2008-04-14 . AAF8E9C2CF1DB93C3EE5C12BC6A7ACEA . 282624 . . [5.1.2600.5512] . . c:\windows\regedit.exe
.
[-] 2008-09-27 . B3D95BCB6D0B033BEBFB81FADDA8B8AC . 37376 . . [5.1.2600.5512] . . c:\windows\system32\ctfmon.exe
.
[-] 2008-09-27 . 36FA7DAFA6C2658D9F48C69FB812943B . 2165760 . . [5.1.2600.5586] . . c:\windows\system32\ntkrnlpa.exe
.
.
[-] 2008-09-27 . 928F1D57DD79B2EDDE517B2FFEB570C9 . 2287104 . . [5.1.2600.5586] . . c:\windows\system32\ntoskrnl.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2015-07-08 3907152]
"CCleaner Monitoring"="c:\program files\CCleaner\CCleaner.exe" [2015-06-01 6405912]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2008-06-29 52168]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-15 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-15 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-15 131072]
"RTHDCPL"="RTHDCPL.EXE" [2013-10-04 20145368]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2015-01-28 5088456]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"JkDefrag"="advpack.dll" [2008-08-28 124928]
"SweetRegistry"="advpack.dll" [2008-08-28 124928]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"HideRunAsVerb"= 1 (0x1)
"NoNetConnectDisconnect"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoStrCmpLogical"= 0 (0x0)
"NoWelcomeScreen"= 1 (0x1)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoStrCmpLogical"= 0 (0x0)
"NoWelcomeScreen"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CCleaner Monitoring]
2015-06-01 18:27 6405912 ----a-w- c:\program files\CCleaner\CCleaner.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"8298:TCP"= 8298:TCP:TechSmith Snagit
"1542:TCP"= 1542:TCP:Realtek WPS TCP Prot
"1542:UDP"= 1542:UDP:Realtek WPS UDP Prot
"53:UDP"= 53:UDP:Realtek AP UDP Prot
.
R1 eamonm;eamonm;c:\windows\system32\drivers\eamonm.sys [10/03/2015 16:24 193464]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [10/03/2015 16:24 135808]
R1 IDMTDI;IDMTDI;c:\windows\system32\drivers\idmtdi.sys [26/03/2015 14:50 128528]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [28/01/2015 13:08 1349576]
R2 thdudf;TOSHIBA UDF2.5 Reader File System Driver;c:\windows\system32\drivers\thdudf.sys [20/12/2014 17:03 66944]
S2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\DRIVERS\EAPPkt.sys --> c:\windows\system32\DRIVERS\EAPPkt.sys [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [16/05/2015 14:55 1691480]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\MBAMSwissArmy.sys --> c:\windows\system32\drivers\MBAMSwissArmy.sys [?]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [16/06/2015 14:55 332928]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}]
2008-08-28 14:35 124928 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2015-07-15 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2015-07-15 09:58]
.
2015-04-27 c:\windows\Tasks\TechSmith Updater.job
- c:\program files\Fichiers communs\TechSmith Shared\Updater\TSCUpdClt.exe [2013-10-04 14:17]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com/
ucustomizesearch = hxxp://www.google.com/ie
usearchassistant = hxxp://www.google.com/ie
IE: E&xporter vers Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Télécharger avec IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: Télécharger tous les liens avec Internet Download Manager - c:\program files\Internet Download Manager\IEGetAll.htm
FF - ProfilePath - c:\documents and settings\Administrateur\Application Data\Mozilla\Firefox\Profiles\ror2v97n.default-1431934170218\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2015-07-16 15:44
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (S-1-5-32)
@SACL=
"scansk"=hex(0):33,4d,fd,01,9b,e0,79,e0,ac,bb,03,ea,42,99,ae,17,ea,04,f6,0a,26,\
 02,b1,9e,8c,a2,13,e4,e5,8d,59,fa,c1,b8,10,ba,30,e5,ea,e2,00,00,00,00,00,00,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{9411b2fb-2e69-433e-8e09-6fb88ac5126a}]
@Denied: (Full) (Everyone)
"Model"=dword:00000167
"Therad"=dword:0000001b
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{9bec1ef8-579d-435d-9070-692f42f0b9c3}]
@Denied: (Full) (Everyone)
"Model"=dword:00000037
"Therad"=dword:00000007
"MData"=hex(0):73,d5,cf,b8,a4,07,89,80,31,e4,35,6b,2a,ca,fe,43,b6,1f,81,1f,5a,\
 1b,4d,36,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1728)
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\COMRes.dll
c:\windows\system32\cscui.dll
.
- - - - - - - > 'lsass.exe'(2012)
c:\windows\system32\setupapi.dll
c:\windows\system32\scecli.dll
.
- - - - - - - > 'explorer.exe'(1096)
c:\windows\system32\SHDOCVW.dll
c:\windows\system32\COMRes.dll
c:\windows\System32\cscui.dll
c:\program files\Windows Media Player\wmpband.dll
c:\windows\system32\msi.dll
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\NETSHELL.dll
c:\windows\system32\credui.dll
c:\windows\system32\MSVCP60.dll
c:\windows\system32\eappprxy.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2015-07-16 15:47:20
ComboFix-quarantined-files.txt 2015-07-16 14:47
.
Pre-Run: 17 592 082 432 bytes free
Post-Run: 17 547 214 848 bytes free
.
- - End Of File - - F691EF293E2A67B5DAD7EA3F551A8E68 C99C3199CFAA4CBDCD91493F6D113A50
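A reviewer reading a ComboFix log like the one above checks a handful of things first: whether the AV and firewall products report as disabled, whether the Windows Firewall standard profile is switched off (`EnableFirewall`= 0), which ports are globally opened and still enabled, what runs from the `Run` keys, which Sigcheck entries carry the `[-]` (unsigned) flag, and which service or driver lines end in `[?]` because ComboFix could not verify the file on disk. The script below does that triage mechanically. It is an added example, not ComboFix's own code and not part of the original post; the regular expressions assume the single-space layout of the log as pasted, and `SAMPLE_LOG` is a constructed excerpt assembled from lines in that log. An unsigned `[-]` entry on its own proves nothing, exactly as ComboFix's note says; compare the listed MD5 against a trusted reference copy of the same file version before treating it as tampered.

```python
"""Triage a ComboFix log: pull out the items a reviewer checks first.

Added example, not ComboFix's own code and not part of the original post.
The regexes assume the single-space layout of the pasted log; SAMPLE_LOG is
a constructed excerpt of lines copied from that log.
"""
import re
from typing import Dict, List

SAMPLE_LOG = r"""
ComboFix 15-07-16.01 - Administrateur 16/07/2015 15:40:11.1.2 - x86
AV: ESET Smart Security 8.0 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: Pare-feu personnel d'ESET *Disabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2008-09-27 10:24 . 0F350F1870E65C510FFFF60D7EE14BA8 . 1504256 . . [2001.12.4414.700] . . c:\windows\system32\comres.dll
[-] 2008-09-27 . 4BB6301D634C857A5089E8B24C5555E4 . 593408 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
[7] 2008-04-14 . AEF3D788DBF40C7C4D204EA45EB0C505 . 921088 . . [6.0] . . c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2015-07-08 3907152]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"53:UDP"= 53:UDP:Realtek AP UDP Prot
.
R1 eamonm;eamonm;c:\windows\system32\drivers\eamonm.sys [10/03/2015 16:24 193464]
S2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\DRIVERS\EAPPkt.sys --> c:\windows\system32\DRIVERS\EAPPkt.sys [?]
"""

HEADER_RE = re.compile(r"^(?P<kind>AV|FW): (?P<product>.+?) \*(?P<state>[^*]+)\*")
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]+)\] (?P<date>\d{4}-\d{2}-\d{2})(?: \d{2}:\d{2})? \. "
    r"(?P<md5>[0-9A-F]{32}) \. (?P<size>\d+) \. \. \[(?P<ver>[^\]]*)\] \. \. (?P<path>.+)$"
)
KEY_RE = re.compile(r"^\[(?P<key>HK[^\]]+)\]$")
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)" \[(?P<date>\S+) (?P<size>\d+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<value>.+)$')
SERVICE_RE = re.compile(r"^[RS]\d (?P<name>[^;]+);[^;]*;(?P<rest>.+) \[(?P<meta>[^\]]*)\]$")


def triage(log: str) -> Dict[str, object]:
    """Walk the log once, remembering the current registry key for value lines."""
    f = {
        "protection": {},             # AV/FW -> state string from the header
        "unsigned_system_files": [],  # Sigcheck entries flagged [-]
        "autoruns": [],               # (key, value name, command) under ...\Run
        "firewall_enabled": None,     # EnableFirewall of the standard profile
        "open_ports": [],             # GloballyOpenPorts entries not marked Disabled
        "unverified_services": [],    # service/driver lines ending in [?]
    }
    key = None
    for raw in log.splitlines():
        line = raw.strip()
        if not line or line == ".":          # "." is ComboFix's blank-line spacer
            continue
        if (m := HEADER_RE.match(line)):
            f["protection"][m["kind"]] = m["state"]
        elif (m := SIGCHECK_RE.match(line)):
            if m["flag"] == "-":             # other flags (e.g. [7]) are left alone
                f["unsigned_system_files"].append(m["path"])
        elif (m := KEY_RE.match(line)):
            key = m["key"].lower()
        elif (m := SERVICE_RE.match(line)):
            if m["meta"] == "?":
                f["unverified_services"].append(m["name"])
        elif key is not None:
            if key.endswith(r"\currentversion\run") and (m := RUN_RE.match(line)):
                f["autoruns"].append((key, m["name"], m["cmd"]))
            elif key.endswith(r"\firewallpolicy\standardprofile") and (m := VALUE_RE.match(line)):
                if m["name"] == "EnableFirewall":
                    f["firewall_enabled"] = m["value"].split()[0] != "0"
            elif key.endswith(r"\globallyopenports\list") and (m := VALUE_RE.match(line)):
                if ":Disabled:" not in m["value"]:
                    f["open_ports"].append(m["name"])
    return f


def review_items(f: Dict[str, object]) -> List[str]:
    """Turn the parsed findings into the short list a reviewer would post back."""
    items = [f"{k} reported as {s}" for k, s in f["protection"].items() if "Disabled" in s]
    if f["firewall_enabled"] is False:
        items.append("Windows Firewall standard profile is off (EnableFirewall=0)")
    items += [f"globally open port still enabled: {p}" for p in f["open_ports"]]
    items += [f"unsigned system file, verify MD5 against a reference: {p}"
              for p in f["unsigned_system_files"]]
    items += [f"service/driver file not verified by ComboFix: {n}"
              for n in f["unverified_services"]]
    return items


if __name__ == "__main__":
    for item in review_items(triage(SAMPLE_LOG)):
        print("-", item)
```

Run against the full log rather than the excerpt and the `autoruns` list grows to every value under the three `Run`/`RunOnce` keys, which is the list to walk through one entry at a time; the two `[?]` drivers (EAPPkt and MBAMSwissArmy) show up as unverified, and the `3389:TCP` entry is correctly skipped because ComboFix records it as `Disabled`.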