Rootkit.podnuha.NCB

Nova -  
 Anonymous user -
Hello,

Some time ago, my sister's PC got infected!! She had all sorts of viruses; after installing Ad-Aware and SpywareFighter on top of NOD32, I thought I had managed to remove everything... but no!!

So this one has just appeared, along with several tracking cookies...

I have already used ComboFix; the result should be as follows:

ComboFix 09-04-19.05 - Jérôme 19/04/2009 15:37.1 - NTFSx86
Microsoft Windows XP Édition familiale 5.1.2600.3.1252.33.1036.18.958.523 [GMT 2:00]
Lancé depuis: c:\documents and settings\Jérôme\Bureau\ComboFix.exe
AV: Eset NOD32 antivirus system 2.51 *On-access scanning enabled* (Updated)
* Un nouveau point de restauration a été créé
* Resident AV is active

.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\damopore.dll
c:\windows\system32\dezogewi.dll
c:\windows\system32\dujujewo.dll
c:\windows\system32\dutudari.dll
c:\windows\system32\guyewijo.dll
c:\windows\system32\hodisuto.dll
c:\windows\system32\magiduko.dll
c:\windows\system32\nogayeda.dll
c:\windows\system32\sakabuji.dll
c:\windows\system32\tigujefa.dll
c:\windows\system32\vagazodi.dll
c:\windows\system32\vikewami.dll
c:\windows\system32\vuranune.dll
c:\windows\system32\zolekare.dll

.
((((((((((((((((((((((((((((( Fichiers créés du 2009-03-19 au 2009-04-19 ))))))))))))))))))))))))))))))))))))
.

2009-04-19 13:37 . 2009-04-19 13:37 121 --sh--w c:\windows\system32\ijubakas.ini
2009-04-15 04:55 . 2009-03-27 06:54 1203922 -c----w c:\windows\system32\dllcache\sysmain.sdb
2009-04-15 04:55 . 2008-04-21 21:15 219136 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-15 04:54 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 04:54 . 2009-03-06 14:20 286720 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-15 04:54 . 2009-02-09 11:23 111104 -c----w c:\windows\system32\dllcache\services.exe
2009-04-15 04:54 . 2009-02-09 10:53 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 04:54 . 2009-02-09 10:53 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 04:54 . 2009-02-09 10:53 735744 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 04:54 . 2009-02-09 10:53 739840 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 04:54 . 2009-02-09 10:53 685568 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 04:54 . 2009-02-09 10:53 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 04:54 . 2008-12-16 12:31 354304 -c----w c:\windows\system32\dllcache\winhttp.dll
2009-04-11 13:17 . 2009-04-11 13:17 -------- d-----w c:\program files\iPod
2009-04-11 13:17 . 2009-04-11 13:17 -------- d-----w c:\program files\iTunes
2009-04-11 13:17 . 2009-04-11 13:17 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-04 20:54 . 2009-04-04 20:54 -------- d-----w c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-04-04 20:51 . 2009-04-04 20:52 -------- d-----w c:\program files\QuickTime
2009-03-21 14:07 . 2009-03-21 14:07 1054720 -c----w c:\windows\system32\dllcache\kernel32.dll

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-19 13:41 . 2006-10-18 18:24 -------- d-----w c:\program files\ESET
2009-04-19 08:59 . 2004-08-05 12:00 77038 ----a-w c:\windows\system32\perfc00C.dat
2009-04-19 08:59 . 2004-08-05 12:00 474316 ----a-w c:\windows\system32\perfh00C.dat
2009-04-19 08:56 . 2009-01-19 08:56 52224 --sha-w c:\windows\system32\vonowiya.exe
2009-04-18 20:08 . 2009-01-18 20:08 52224 --sha-w c:\windows\system32\nubamiko.exe
2009-04-18 08:08 . 2009-01-18 08:08 52224 --sha-w c:\windows\system32\ribemago.exe
2009-04-17 20:08 . 2009-01-17 20:08 52224 --sha-w c:\windows\yenejesa.exe
2009-04-11 13:17 . 2008-07-25 17:40 -------- d-----w c:\program files\Fichiers communs\Apple
2009-03-19 18:27 . 2007-01-27 10:52 -------- d-----w c:\program files\Lx_cats
2009-03-19 14:32 . 2008-01-29 10:01 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-14 21:56 . 2009-03-14 21:56 -------- d-----w c:\program files\Fichiers communs\DivX Shared
2009-03-06 14:20 . 2004-08-05 12:00 286720 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:13 . 2004-08-05 12:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-03-01 14:52 . 2009-03-01 14:36 -------- d-----w c:\documents and settings\All Users\Application Data\KEDDS
2009-03-01 14:45 . 2009-03-01 14:34 -------- d-----w c:\documents and settings\Jérôme\Application Data\KEDDS
2009-03-01 14:37 . 2009-03-01 14:37 -------- d-----w c:\documents and settings\kodak\Application Data\KodakCredentialStore
2009-03-01 14:37 . 2009-02-21 08:39 -------- d-----w c:\documents and settings\All Users\Application Data\OrbNetworks
2009-03-01 14:36 . 2009-02-21 08:37 -------- d-----w c:\program files\Kodak
2009-02-22 10:45 . 2009-02-21 10:45 -------- d-----w c:\documents and settings\Jérôme\Application Data\ArcSoft
2009-02-21 14:37 . 2009-02-21 14:37 -------- d-----w c:\program files\Bonjour
2009-02-21 14:36 . 2006-09-06 09:37 -------- d-----w c:\program files\Messenger Plus! Live
2009-02-21 14:36 . 2006-08-22 19:43 -------- d-----w c:\program files\MSN Messenger
2009-02-21 10:57 . 2009-02-21 10:57 -------- d-----w c:\documents and settings\Jérôme\Application Data\KodakCredentialStore
2009-02-21 10:55 . 2009-02-21 10:55 -------- d-----w c:\documents and settings\Jérôme\Application Data\Skinux
2009-02-21 10:45 . 2006-08-22 14:46 -------- d--h--w c:\program files\InstallShield Installation Information
2009-02-21 10:45 . 2009-02-21 10:45 -------- d-----w c:\documents and settings\All Users\Application Data\ArcSoft
2009-02-21 10:45 . 2009-02-21 10:44 -------- d-----w c:\program files\Fichiers communs\ArcSoft
2009-02-21 10:44 . 2009-02-21 10:44 -------- d-----w c:\program files\ArcSoft
2009-02-21 10:43 . 2009-02-21 08:38 -------- d-----w c:\program files\Fichiers communs\Kodak
2009-02-21 10:40 . 2009-02-21 08:41 36315 ----a-w C:\logfile
2009-02-21 08:39 . 2009-02-21 08:33 -------- d-----w c:\documents and settings\All Users\Application Data\Kodak
2009-02-20 17:10 . 2004-08-05 12:00 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-15 10:27 . 2007-12-29 10:57 1082 ----a-w C:\lxbu.log
2009-02-15 10:10 . 2007-01-27 11:44 54523 ----a-w C:\lxbuscan.log
2009-02-10 17:06 . 2004-08-04 00:48 2068096 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-09 14:05 . 2004-08-05 12:00 1846912 ----a-w c:\windows\system32\win32k.sys
2009-02-09 11:24 . 2004-08-05 12:00 2191104 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-09 11:23 . 2004-08-05 12:00 111104 ----a-w c:\windows\system32\services.exe
2009-02-09 10:53 . 2004-08-05 12:00 735744 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:53 . 2004-08-05 12:00 739840 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 10:53 . 2004-08-05 12:00 685568 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 10:53 . 2004-08-05 12:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-06 10:39 . 2004-08-05 12:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-03 19:58 . 2004-08-05 12:00 56832 ----a-w c:\windows\system32\secur32.dll
2009-01-27 01:35 . 2009-03-14 21:56 129784 ------w c:\windows\system32\pxafs.dll
2009-01-27 01:35 . 2009-03-14 21:56 120056 ------w c:\windows\system32\pxcpyi64.exe
2009-01-27 01:35 . 2009-03-14 21:56 118520 ------w c:\windows\system32\pxinsi64.exe
2009-01-27 01:34 . 2009-01-27 01:34 90112 ----a-w c:\windows\system32\dpl100.dll
2009-01-27 01:34 . 2009-01-27 01:34 823296 ----a-w c:\windows\system32\divx_xx0c.dll
2009-01-27 01:34 . 2009-01-27 01:34 823296 ----a-w c:\windows\system32\divx_xx07.dll
2009-01-27 01:34 . 2009-01-27 01:34 815104 ----a-w c:\windows\system32\divx_xx0a.dll
2009-01-27 01:34 . 2009-01-27 01:34 802816 ----a-w c:\windows\system32\divx_xx11.dll
2009-01-27 01:34 . 2009-01-27 01:34 684032 ----a-w c:\windows\system32\DivX.dll
2008-11-02 10:48 . 2006-09-08 12:51 48912 ----a-w c:\documents and settings\Jérôme\Application Data\GDIPFONTCACHEV1.DAT
2008-10-07 13:44 . 2006-08-22 20:12 48912 ----a-w c:\documents and settings\Jérôme\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-10-07 13:44 . 2006-08-22 20:12 48912 ----a-w c:\documents and settings\Jérôme\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-10-07 13:44 . 2006-08-22 20:12 48912 ----a-w c:\documents and settings\Jérôme\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-02-22 08:19 . 2007-02-22 08:19 129 ----a-w c:\documents and settings\Jérôme\Local Settings\Application Data\fusioncache.dat
2007-02-22 08:19 . 2007-02-22 08:19 129 ----a-w c:\documents and settings\Jérôme\Local Settings\Application Data\fusioncache.dat
2007-02-22 08:19 . 2007-02-22 08:19 129 ----a-w c:\documents and settings\Jérôme\Local Settings\Application Data\fusioncache.dat
2009-01-27 01:2009-01-27 01:34 34:38 . c:\program files\mozilla firefox\plugins\libdivx.dll
2009-01-27 01:2009-01-27 01:34 34:38 . c:\program files\mozilla firefox\plugins\ssldivx.dll
2008-07-31 07:38 . 2008-07-31 07:38 24 --sh--w c:\windows\S3A99858A.tmp
2008-10-07 21:27 . 2008-10-07 21:27 32768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Historique\History.IE5\MSHist012008100720081008\index.dat
.

((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-03 204288]
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2005-06-08 196608]
"PMCRemote"="c:\program files\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe" [2007-07-04 253000]
"PMCLoader"="c:\program files\Pinnacle\TVCenter Pro\PMCLoader.exe" [2007-07-26 105544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2004-11-22 299008]
"DNHelper32"="c:\windows\system32\DNHlp32.exe" [2005-10-20 45056]
"FLSDeviceControlPanel"="c:\windows\system32\FLSDEVCP.EXE" [2007-09-15 81920]
"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2004-03-18 892928]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2005-06-08 458752]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2005-06-08 217088]
"PMCRemote"="c:\program files\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe" [2007-07-04 253000]
"ArcSoft Connection Service"="c:\program files\Fichiers communs\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2008-11-20 178688]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-04-17 16143872]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\
Lancement rapide d'Adobe Reader.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Logiciel Kodak EasyShare.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-10-30 282624]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^Lancement rapide d'Adobe Reader.lnk]
path=c:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\Lancement rapide d'Adobe Reader.lnk
backup=c:\windows\pss\Lancement rapide d'Adobe Reader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Pml Driver HPZ12"=3 (0x3)
"FileZilla Server"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxbuPSWX.EXE"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"e:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Kodak\\Digital Display\\OrbKodakLauncher\\DllStartupService.exe"=
"c:\\Program Files\\Kodak\\Digital Display\\KodakDigitalDisplaySoftware.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:TCP Port 135
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5004:TCP"= 5004:TCP:TCP Port 5004
"5005:TCP"= 5005:TCP:TCP Port 5005
"5006:TCP"= 5006:TCP:TCP Port 5006
"5007:TCP"= 5007:TCP:TCP Port 5007
"5008:TCP"= 5008:TCP:TCP Port 5008
"5009:TCP"= 5009:TCP:TCP Port 5009
"5010:TCP"= 5010:TCP:TCP Port 5010
"5011:TCP"= 5011:TCP:TCP Port 5011
"5012:TCP"= 5012:TCP:TCP Port 5012
"5013:TCP"= 5013:TCP:TCP Port 5013
"5014:TCP"= 5014:TCP:TCP Port 5014
"5015:TCP"= 5015:TCP:TCP Port 5015
"5016:TCP"= 5016:TCP:TCP Port 5016
"5019:TCP"= 5019:TCP:TCP Port 5019
"5000:TCP"= 5000:TCP:TCP Port 5000
"85:TCP"= 85:TCP:TCP Port 85
"15:UDP"= 15:UDP:UDP Port 15
"41952:UDP"= 41952:UDP:UDP Port 41952
"60000:TCP"= 60000:TCP:TCP Port 60000
"61000:UDP"= 61000:UDP:UDP Port 61000
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R3 MODRC;DiBcom Infrared Receiver;c:\windows\system32\DRIVERS\modrc.sys [2007-02-06 13440]
S2 dk2drv;DK2 WindowsNT Driver;c:\windows\system32\Drivers\dk2drv.sys [2005-11-22 42624]
S2 FLE5WNNT;FLE-5 WindowsNT Driver;c:\windows\System32\Drivers\fle5wnnt.sys [2007-09-15 33404]
S2 FLSIFACE;FLSIFACE;c:\windows\System32\Drivers\flsiface.sys [2007-09-15 13440]
S2 FLSPAR;FLSPAR;c:\windows\System32\Drivers\flspar.sys [2007-09-15 16314]
S2 FLSSER;FLSSER;c:\windows\System32\Drivers\flsser.sys [2007-09-15 8344]
S2 FLSVCOM;FLSVCOM;c:\windows\System32\Drivers\flsvcom.sys [2007-09-15 33402]
S2 KodakDigitalDisplayService;Kodak Digital Display Service;c:\program files\Kodak\Digital Display\OrbKodakLauncher\DllStartupService.exe [2008-08-14 98304]
S3 Ltn_stk7070P;PCTV based TV tuner device;c:\windows\system32\DRIVERS\Ltn_stk7070P.sys [2007-06-14 466048]
S3 Ltn_stkrc;PCTV Infrared Receiver;c:\windows\system32\DRIVERS\Ltn_stkrc.sys [2007-06-13 13440]
S3 S3G700;S3G700;c:\windows\system32\DRIVERS\S3G700m.sys [2005-12-14 794624]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{51a9e682-2278-11dc-a778-00161771dada}]
\Shell\AutoRun\command - K:\InstallTomTomHOME.exe
.
Contenu du dossier 'Tâches planifiées'

2009-04-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 10:34]
.
- - - - ORPHELINS SUPPRIMES - - - -

BHO-{28a70b96-db83-49bf-8add-0e4b6390ca25} - c:\windows\system32\dezogewi.dll

.
------- Examen supplémentaire -------
.
uStart Page = hxxp://www.club-internet.fr/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xporter vers Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: {F2C1BBCE-8C2C-4506-BCE3-1A393745B6F3} = 192.168.1.1,80.10.246.129
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://www.bitdefender.fr/scan8/oscan8.cab
FF - ProfilePath - c:\documents and settings\Jérôme\Application Data\Mozilla\Firefox\Profiles\wyi5iiag.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.fr
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: d:\program files\DivX\DivX Player\npDivxPlayerPlugin.dll
FF - plugin: d:\program files\DivX\DivX Web Player\npdivx32.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-19 15:41
Windows 5.1.2600 Service Pack 3 NTFS

Recherche de processus cachés ...

Recherche d'éléments en démarrage automatique cachés ...

Recherche de fichiers cachés ...

Scan terminé avec succès
Fichiers cachés: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\AMON]
"ImagePath"="\??\c:\windows\system32\drivers\amon.sys"
.
--------------------- CLES DE REGISTRE BLOQUEES ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:e2,63,26,f1,3f,c8,ff,68,ec,05,fe,be,ff,
97,b6,41,2e,e8,e1,00,eb,16,2b,de,91,aa,0d,73,6d,9f,68,96,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:6a,9c,d6,61,af,45,84,18,2a,e8,7e,e9,92,
db,43,20,46,47,15,b0,92,4b,c7,ef,8f,7d,50,18,c7,7c,04,f8,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e,55,20,c9,26,2e,f7,95,fb,f3,
3b,21,08,7a,45,05,fd,91,e8,6f,31,c2,ca,b9,b5,4c,c3,5c,4f,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:6b,65,49,6a,7e,99,74,f7,31,8c,70,95,36,
ca,44,5e,6b,65,49,6a,7e,99,74,f7,07,61,d2,87,4c,92,54,75,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:f5,1d,4d,73,a8,13,5c,05,1d,13,4f,78,d1,
09,ae,46,e9,02,6c,fa,fb,1d,47,57,e1,92,0b,14,0d,04,e7,1c,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:df,20,58,62,78,6b,cf,c8,07,13,f0,6a,c4,
e5,d3,c8,50,93,e5,ab,ec,6a,4e,ab,7d,42,ec,82,1a,36,62,79,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:97,20,4e,9a,c7,f1,35,ee,fe,cd,b0,35,33,
3c,4a,ed,97,20,4e,9a,c7,f1,35,ee,aa,9f,14,96,65,5a,50,62,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:01,3a,48,fc,e8,04,4a,f1,ed,1c,d5,b9,6d,
56,e5,d9,aa,52,c6,00,84,3c,26,64,06,18,ef,c7,a9,96,d4,0a,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:f6,0f,4e,58,98,5b,89,c9,c6,96,8f,c7,9c,
72,87,49,b2,46,9a,e2,1b,fe,1b,94,0a,0e,7e,e3,3a,bb,dc,ec,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:37,a4,aa,c3,a6,15,56,0a,b1,88,fe,d2,7b,
5c,90,ed,37,a4,aa,c3,a6,15,56,0a,c8,61,4d,15,f2,c0,cd,93,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:e3,0e,66,d5,eb,bc,2f,6b,36,7f,31,4d,76,
bd,2c,b4,f8,31,0f,a9,5f,a0,ec,fb,b5,a8,38,57,60,7f,c6,52,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,32,35,93,38,69,
20,96,f7,05,73,21,dd,54,d8,4a,c5,51,08,17,1c,42,a1,bb,9b,6c,43,2d,1e,aa,22,\
.
--------------------- DLLs chargées dans les processus actifs ---------------------

- - - - - - - > 'explorer.exe'(3004)
c:\program files\Logitech\iTouch\iTchHk.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\program files\Fichiers communs\Logitech\Scrolling\LgMsgHk.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\eappprxy.dll
.
------------------------ Autres processus actifs ------------------------
.
c:\program files\Fichiers communs\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\rundll32.exe
c:\program files\Logitech\Video\FxSvr2.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Heure de fin: 2009-04-19 15:44 - La machine a redémarré
ComboFix-quarantined-files.txt 2009-04-19 13:44

Avant-CF: 18 145 280 000 octets libres
Après-CF: 18 219 782 144 octets libres

WindowsXP-KB310994-SP2-Home-BootDisk-FRA.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Édition familiale" /noexecute=optin /fastdetect

342 --- E O F --- 2009-04-15 22:08

6 replies

Nova
 
I then used RSIT and here are the results:
log.txt:
Logfile of random's system information tool 1.06 (written by random/random)
Run by Jérôme at 2009-05-14 17:31:43
Microsoft Windows XP Édition familiale Service Pack 3
System drive C: has 17 GB (48%) free of 35 GB
Total RAM: 958 MB (59% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:32:00, on 14/05/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Fighters\configservice.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Fighters\licenseservice.exe
C:\Program Files\Fighters\updateservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\DNHlp32.exe
C:\WINDOWS\system32\FLSDEVCP.EXE
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Jérôme\Bureau\RSIT.exe
C:\Program Files\trend micro\Jérôme.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Programme d'aide de l'Assistant de connexion Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [DNHelper32] C:\WINDOWS\system32\DNHlp32.exe
O4 - HKLM\..\Run: [FLSDeviceControlPanel] C:\WINDOWS\system32\FLSDEVCP.EXE
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [PMCRemote] C:\Program Files\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [spywarefighterguard] C:\Program Files\Fighters\spywarefighter\SpywarefighterUser.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [PMCRemote] C:\Program Files\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe
O4 - HKCU\..\Run: [PMCLoader] C:\Program Files\Pinnacle\TVCenter Pro\PMCLoader.exe -checktasks
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.fr/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/...
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F2C1BBCE-8C2C-4506-BCE3-1A393745B6F3}: NameServer = 192.168.1.1,80.10.246.129
O20 - Winlogon Notify: __c005E524 - C:\WINDOWS\system32\__c005E524.dat
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Service Bonjour (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Service de l’iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: PTK License-FIGHTERS-297811811 - SPAMfighter - C:\Program Files\Fighters\licenseservice.exe
O23 - Service: PTK Live Update-FIGHTERS-297811811 - SPAMfighter - C:\Program Files\Fighters\updateservice.exe
O23 - Service: PTK Scanner-FIGHTERS-297811811 - SPAMfighter - C:\Program Files\Fighters\ScannerService.exe
O23 - Service: PTK SharedAccess-FIGHTERS-297811811 - SPAMfighter - C:\Program Files\Fighters\configservice.exe
Nova
 
Re,

I just remembered the other viruses the PC had; I don't know whether it is related or not, but there was a trojan dropper and a Virtumonde.

Hoping I have been clear.

Thanks in advance.
Nova
 
Hello again,

Nobody to point me in the right direction?? and help me defeat these nasty viruses!!!! sniff
Padbol
 
I have the same problem.

I recently downloaded a file that infected my computer; it was apparently the Bagle virus.

I was careless on that one, I should have scanned the file... anyway, it went after my antivirus (NOD32), Spybot S&D and Partition Magic, making them unusable.

I found a tutorial (I can't find the exact link again) that gave several methods, including the download link for FindyKill:
http://sd-1.archive-host.com/membres/up/116615172019703188/FindyKill.exe

It worked perfectly; I cleaned up again with Spybot S&D, NOD32 and HijackThis (although I'm not sure I managed to interpret the report completely).
The suspicious files were "last.exe" and "audiosr.dll".

I deleted a few registry keys that looked suspicious to me.

Currently, I keep getting this alert:

Name: http://managesystem32.com/file/.../.../last.exe
Threat: a variant of Win32/Rootkit.Podnuha.NCB trojan

Apparently, it keeps trying to open the page above nonstop. I cleared my browser's temporary files, traces and cookies; I'll see whether I still get the alert, otherwise I'll post a report.
Padbol
 
Well, there we go, I have no more trouble now...

Internet Explorer: Tools => Internet Options => General => Delete browsing history

Firefox: Tools => Clear Private Data
Anonymous user
 
Hi,
You have NOD32 v2.7; version 4 is available and it performs much better (free if you have a valid licence).

Go to: https://www.eset.com/