Ordi de ma copine infecté

volavoil -  
 volavoil -
Bonjour,
suite à la super qualité de vos réponses, je me permets un autre post
Ma copine étudiante en infographie est à un mois de finir son projet, malheureusement son ordi portable ne marche qu une fois sur trois...
quand il ne marche pas, le bureau est completement bloqué (rien de clickable et/ou souris incative)
je vous joint le rapport de MBAM, puis sur le post suivant celui de combofix....
Que dois je faire de plus ?

Merci

rapport de MBAM

Malwarebytes' Anti-Malware 1.37
Version de la base de données: 2182
Windows 5.1.2600 Service Pack 2

01/06/2009 09:50:31
mbam-log-2009-06-01 (09-50-27).txt

Type de recherche: Examen rapide
Eléments examinés: 83620
Temps écoulé: 6 minute(s), 15 second(s)

Processus mémoire infecté(s): 0
Module(s) mémoire infecté(s): 1
Clé(s) du Registre infectée(s): 0
Valeur(s) du Registre infectée(s): 2
Elément(s) de données du Registre infecté(s): 4
Dossier(s) infecté(s): 0
Fichier(s) infecté(s): 4

Processus mémoire infecté(s):
(Aucun élément nuisible détecté)

Module(s) mémoire infecté(s):
C:\WINDOWS\system32\nmdfgds0.dll (Spyware.OnlineGames) -> No action taken.

Clé(s) du Registre infectée(s):
(Aucun élément nuisible détecté)

Valeur(s) du Registre infectée(s):
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cdoosoft (Spyware.OnlineGames) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> No action taken.

Elément(s) de données du Registre infecté(s):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Dossier(s) infecté(s):
(Aucun élément nuisible détecté)

Fichier(s) infecté(s):
C:\WINDOWS\system32\nmdfgds0.dll (Spyware.OnlineGames) -> No action taken.
C:\WINDOWS\system32\olhrwef.exe (Spyware.OnlineGames) -> No action taken.
C:\autorun.inf (Spyware.OnlineGames) -> No action taken.
c:\ej10fkdo.bat (Spyware.OnlineGames) -> No action taken.
Configuration: Windows XP
Firefox 3.0.10

1 réponse

  1. volavoil
     
    et voici le rapport de combofix:

    ComboFix 09-05-30.06 - lea 01/06/2009 10:00.1 - NTFSx86
    Microsoft Windows XP Professionnel 5.1.2600.2.1252.33.1036.18.2038.1399 [GMT 2:00]
    Lancé depuis: c:\documents and settings\lea\Bureau\ComboFix.exe
    AV: AVG 7.5.557 *On-access scanning enabled* (Outdated) {41564737-3200-1071-989B-0000E87B4FB1}
    FW: Look 'n' Stop 2.06 (Soft4Ever) *enabled* {2A530F53-4A99-4EE0-8471-4A00BA4A47B0}
    .

    (((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\autorun.inf
    C:\ej10fkdo.bat
    c:\windows\system32\msconfig.exe
    c:\windows\system32\nmdfgds0.dll
    c:\windows\system32\olhrwef.exe
    D:\Autorun.inf
    D:\ej10fkdo.bat

    .
    ((((((((((((((((((((((((((((( Fichiers créés du 2009-05-01 au 2009-06-01 ))))))))))))))))))))))))))))))))))))
    .

    2009-06-01 07:42 . 2009-06-01 07:42 -------- d-----w- c:\documents and settings\lea\Application Data\Malwarebytes
    2009-06-01 07:42 . 2009-05-26 11:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-06-01 07:42 . 2009-06-01 07:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-06-01 07:42 . 2009-05-26 11:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-05-27 11:52 . 2009-05-27 11:52 -------- d-----w- c:\program files\Feeling Software
    2009-05-10 10:47 . 2007-10-17 23:09 1334272 ----a-w- c:\documents and settings\All Users\Application Data\Grisoft\Avg7Data\avg7upd\backup\setup.exe

    .
    (((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-06-01 07:35 . 2007-12-17 18:57 13084 ----a-w- c:\windows\system32\tablet.dat
    2009-05-28 08:30 . 2007-10-17 23:09 -------- d-----w- c:\documents and settings\All Users\Application Data\avg7
    2009-05-26 10:12 . 2008-10-28 09:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
    2009-05-17 10:40 . 2001-08-28 18:00 83484 ----a-w- c:\windows\system32\perfc00C.dat
    2009-05-17 10:40 . 2001-08-28 18:00 505148 ----a-w- c:\windows\system32\perfh00C.dat
    2009-04-08 22:10 . 2008-03-01 18:49 -------- d-----w- c:\documents and settings\lea\Application Data\uTorrent
    .

    ------- Sigcheck -------

    [-] 2007-07-18 19:14 506368 FA7C7C2B461130A792ADF6A28F1D652B c:\windows\system32\winlogon.exe

    [-] 2004-11-28 18:36 8704 AB3D62010AF342203FFA60C2D94DBC68 c:\windows\system32\sfcfiles.dll
    .
    ((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-19 15360]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Fichiers communs\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 152872]
    "DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2007-08-16 167368]
    "LClock"="lclock.exe" - c:\windows\LClock.exe [2004-12-08 65536]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
    "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
    "JMB36X IDE Setup"="c:\windows\JM\JMInsIDE.exe" [2006-10-30 36864]
    "36X Raid Configurer"="c:\windows\system32\JMRaidSetup.exe" [2007-01-08 1953792]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-22 8433664]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-03-23 857648]
    "AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2009-05-10 590848]
    "NeroFilterCheck"="c:\program files\Fichiers communs\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
    "Look 'n' Stop"="c:\program files\Soft4Ever\looknstop\looknstop.exe" [2008-03-01 512070]
    "QuickTime Task"="d:\program files\QuickTime\QTTask.exe" [2008-01-31 385024]
    "FaxCenterServer"="c:\program files\\Lexmark Fax Solutions\fm3032.exe" [2007-07-16 311984]
    "UltraMon"="c:\program files\UltraMon\UltraMon.exe" [2006-10-12 304640]
    "lxdxmon.exe"="c:\program files\Lexmark 3600-4600 Series\lxdxmon.exe" [2008-03-20 668328]
    "lxdxamon"="c:\program files\Lexmark 3600-4600 Series\lxdxamon.exe" [2008-03-20 16040]
    "lxdimon.exe"="c:\program files\Lexmark 3500-4500 Series\lxdimon.exe" [2007-07-16 434864]
    "lxdiamon"="c:\program files\Lexmark 3500-4500 Series\lxdiamon.exe" [2007-07-16 25264]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-01 148888]
    "nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-05-22 1626112]
    "High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" - c:\windows\system32\CHDAudPropShortcut.exe [2006-04-17 61952]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-19 15360]
    "AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2008-01-28 219136]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "LSD_III"="c:\windows\LSD\end.cmd" [2007-08-07 2336]
    "tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-19 44544]
    "nltide_3"="advpack.dll" - c:\windows\system32\advpack.dll [2007-08-20 124928]

    c:\documents and settings\All Users\Menu D‚marrer\Programmes\D‚marrage\
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2004-2-28 83360]
    TabUserW.exe.lnk - c:\windows\system32\WTablet\TabUserW.exe [2007-12-17 114688]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "ForceClassicControlPanel"= 1 (0x1)
    "NoSMBalloonTip"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    "DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
    "c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
    "c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
    "c:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
    "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\MSN Messenger\\livecall.exe"=
    "c:\\Program Files\\Autodesk\\backburner\\monitor.exe"=
    "c:\\Program Files\\Autodesk\\backburner\\manager.exe"=
    "c:\\Program Files\\Autodesk\\backburner\\server.exe"=
    "d:\\3dsmax.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Lexmark 3500-4500 Series\\Wireless\\lxdiwpss.exe"=
    "c:\\Program Files\\Lexmark 3600-4600 Series\\lxdxamon.exe"=
    "c:\\Program Files\\Lexmark 3600-4600 Series\\frun.exe"=
    "c:\\Program Files\\Lexmark 3600-4600 Series\\lxdxmon.exe"=
    "c:\\WINDOWS\\system32\\lxdxcfg.exe"=
    "c:\\WINDOWS\\system32\\lxdxcoms.exe"=
    "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdxpswx.exe"=
    "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdxjswx.exe"=
    "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdxtime.exe"=
    "c:\\Program Files\\Lexmark 3500-4500 Series\\lxdiamon.exe"=
    "c:\\Program Files\\Lexmark 3500-4500 Series\\App4r.exe"=
    "c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=
    "c:\\Program Files\\Lexmark Fax Solutions\\FaxCtr.exe"=
    "c:\\Program Files\\Lexmark 3500-4500 Series\\lxdimon.exe"=
    "c:\\WINDOWS\\system32\\lxdicfg.exe"=
    "c:\\WINDOWS\\system32\\lxdicoms.exe"=
    "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdipswx.exe"=
    "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdijswx.exe"=
    "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxditime.exe"=

    R1 lnsfw1;lnsfw1;c:\windows\system32\drivers\lnsfw1.sys [01/03/2008 16:54 77184]
    R2 lxdi_device;lxdi_device;c:\windows\system32\lxdicoms.exe -service --> c:\windows\system32\lxdicoms.exe -service [?]
    R2 lxdx_device;lxdx_device;c:\windows\system32\lxdxcoms.exe -service --> c:\windows\system32\lxdxcoms.exe -service [?]
    S2 ITECIRService;ITE Remote Controler service;c:\program files\ITECIR\RemoteControlService.exe [24/11/2007 11:47 656896]
    S2 lxdiCATSCustConnectService;lxdiCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdiserv.exe [01/03/2009 14:11 99248]
    S2 lxdxCATSCustConnectService;lxdxCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdxserv.exe [16/02/2009 23:04 98984]
    S3 itecir;ITE EC CIR Driver (PMC);c:\windows\system32\drivers\ITECIR.sys [17/10/2007 04:51 7808]

    --- Autres Services/Pilotes en mémoire ---

    *NewlyCreated* - JRAID
    .
    Contenu du dossier 'Tâches planifiées'

    2009-06-01 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-10-28 23:16]
    .
    - - - - ORPHELINS SUPPRIMES - - - -

    SafeBoot-procexp90.Sys

    .
    ------- Examen supplémentaire -------
    .
    uStart Page = hxxp://home.neuf.fr/
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://www.google.fr/keyword/%s
    IE: E&xporter vers Microsoft Excel - c:\progra~1\MICROS~1\Office10\EXCEL.EXE/3000
    TCP: {F7CDA5BB-8330-4D2B-A948-C866A4C54373} = 212.27.54.252,212.27.53.252
    FF - ProfilePath - c:\documents and settings\lea\Application Data\Mozilla\Firefox\Profiles\7g5pqi5o.default\
    FF - prefs.js: network.proxy.type - 4
    FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
    FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin.dll
    FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin2.dll
    FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin3.dll
    FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin4.dll
    FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin5.dll
    FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin6.dll
    FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin7.dll
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-06-01 10:02
    Windows 5.1.2600 Service Pack 2 NTFS

    Recherche de processus cachés ...

    Recherche d'éléments en démarrage automatique cachés ...

    Recherche de fichiers cachés ...

    Scan terminé avec succès
    Fichiers cachés: 0

    **************************************************************************
    .
    Heure de fin: 2009-06-01 10:03
    ComboFix-quarantined-files.txt 2009-06-01 08:03

    Avant-CF: 5 101 617 152 octets libres
    Après-CF: 7 922 823 168 octets libres

    WindowsXP-KB310994-SP2-Pro-BootDisk-FRA.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professionnel" /noexecute=optin /fastdetect /kernel=ntkrnlmp.exe
    multi(0)disk(0)rdisk(0)partition(3)\WINDOWS="Microsoft Windows XP Professionnel" /noexecute=optin /fastdetect /kernel=ntkrnlmp.exe

    182
    0