DR/delphi.gen, le retour

Thierrrrry Messages postés 6 Statut Membre -  
 art21 -
Bonjour,

Depuis quelques jours, j'ai des soucis avec DR/delphi.gen.

Je n'arrive pas à m'en débarasser. Il crée un dossier au nom aléatoire dans c:\windows\temp du genre \ditl.tmp et il crée un fichier svchost.exe qui est repéré par le pare feu Online Armor et Antivir, mais le fichier s'auto efface.

J'ai fait un scan hijack qui ne m'a pas appris grand chose, un scan complet antivir, spybot, ccleaner, advanced system care, superantispyware et malwarebyte (rien que ça)... sans effet. J'ai désactivé la restauration, vidé le cache etc... je suis à jour me semble t-il sur XP, Firefox, java etc...

Online Armor me dit que l'application qui crée ça est c:\windows\system32\svchost.exe mais ce fichier est un fichier system valide, je me trompe ? Et un scan sur virustotal ne trouve rien.

Voilà, je me débrouille habituellement en lisant les posts mais là, je cale...

Un coup de main serait le bienvenu !

Merci par avance

Thié
Configuration: Ancienne, mais musclée sous XP pro SP3

9 réponses

  1. dédétraqué Messages postés 4522 Statut Contributeur sécurité 286
     
    Salut Thierrrrry

    On va vérifier cela, télécharge RSIT (de random/random) sur le bureau ici :
    http://images.malwareremoval.com/random/RSIT.exe

    - Double clique sur RSIT.exe qui est sur le bureau
    - Clique sur Continue dans la fenêtre
    - RSIT téléchargera HijackThis si il n’est pas présent où détecté, alors il faudra accepter la licence
    - Poste le contenue des deux rapports, log.txt et info.txt(réduit dans la barre des tâches) à la fin de l’analyse

    Les rapports sont dans le dossier ici C:\rsit

    @++ :)
    0
  2. Thierrrrry Messages postés 6 Statut Membre
     
    Bonjour,

    Merci de ta réponse, voici le rapport log.txt, bonne lecture !

    Logfile of random's system information tool 1.06 (written by random/random)
    Run by Leon at 2010-01-12 09:22:27
    Microsoft Windows XP Professionnel Service Pack 3
    System drive C: has 2 GB (13%) free of 16 GB
    Total RAM: 3615 MB (88% free)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 09:23:07, on 12/01/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Tall Emu\Online Armor\OAcat.exe
    C:\Program Files\Tall Emu\Online Armor\oasrv.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\digi96.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Tall Emu\Online Armor\oaui.exe
    C:\Program Files\Tall Emu\Online Armor\OAhlp.exe
    C:\Documents and Settings\Leon\Bureau\RSIT.exe
    C:\Program Files\Trend Micro\HijackThis\Leon.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.talti.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
    O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
    O4 - HKLM\..\Run: [RMETray] digi96.exe
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: &Tout télécharger avec FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: &Télécharger avec FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
    O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com/...
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.fr/scan_fr/scan8/oscan8.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Avira AntiVir Planificateur (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\OAcat.exe
    O23 - Service: StarWind AE Service (StarWindServiceAE) - Unknown owner - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe (file missing)
    O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe
    0
  3. dédétraqué Messages postés 4522 Statut Contributeur sécurité 286
     
    Salut Thierrrrry

    Je voie que tu as utilisé Combofix également... Te fais tu aider sur un autre forum?

    Poste le rapport de Combofix en date du 6, il se trouve ici : C:\Combofix.txt

    @++ :)
    0
  4. Thierrrrry Messages postés 6 Statut Membre
     
    Bonjour

    Non, j'ai vu ça en potassant les forums de ci de là, mais vus les avertissements sur son utilisation, je ne m'en suis pas encore servi. Je me doutais bien que j'allais y passer !

    Voici donc le rapport tout frais :

    ComboFix 10-01-11.04 - Leon 13/01/2010 12:59:29.3.2 - x86
    Microsoft Windows XP Professionnel 5.1.2600.3.1252.33.1036.18.3615.3181 [GMT 1:00]
    Lancé depuis: c:\documents and settings\Leon\Bureau\ComboFix.exe
    AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
    FW: Pare-feu Online Armor *disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
    .

    ((((((((((((((((((((((((((((( Fichiers créés du 2009-12-13 au 2010-01-13 ))))))))))))))))))))))))))))))))))))
    .

    2010-01-12 22:11 . 2008-04-14 02:34 14336 ------w- c:\windows\system32\svchost.exe
    2010-01-12 17:12 . 2010-01-12 17:12 579584 -c--a-w- c:\windows\system32\dllcache\user32.dll
    2010-01-12 17:06 . 2010-01-12 17:06 -------- d-----w- c:\windows\ERUNT
    2010-01-12 17:00 . 2010-01-12 22:38 -------- d-----w- C:\SDFix
    2010-01-12 08:22 . 2010-01-12 08:23 -------- d-----w- C:\rsit
    2010-01-11 23:07 . 2010-01-11 23:07 -------- d-----w- c:\program files\Trend Micro
    2010-01-11 20:54 . 2010-01-12 23:52 52224 ----a-w- c:\documents and settings\Leon\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2010-01-11 20:54 . 2010-01-12 23:52 117760 ----a-w- c:\documents and settings\Leon\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-01-11 20:53 . 2010-01-11 20:53 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2010-01-11 20:53 . 2010-01-11 20:53 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-01-11 20:53 . 2010-01-11 20:53 -------- d-----w- c:\documents and settings\Leon\Application Data\SUPERAntiSpyware.com
    2010-01-11 20:53 . 2010-01-11 20:53 -------- d-----w- c:\program files\Fichiers communs\Wise Installation Wizard
    2010-01-11 16:13 . 2010-01-11 16:13 -------- d-----w- c:\program files\Image-Line
    2010-01-11 13:36 . 2010-01-11 13:36 -------- d-----w- c:\program files\D16 Group
    2010-01-07 09:41 . 2010-01-07 09:41 -------- d-----w- c:\documents and settings\Leon\Application Data\Malwarebytes
    2010-01-07 09:41 . 2009-12-30 13:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-01-07 09:41 . 2010-01-07 09:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-01-07 09:41 . 2010-01-07 09:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-01-07 09:41 . 2009-12-30 13:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-01-07 09:05 . 2009-11-21 15:58 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
    2010-01-07 00:18 . 2010-01-07 08:35 -------- d-----w- c:\documents and settings\All Users\Application Data\OnlineArmor
    2010-01-07 00:18 . 2010-01-07 00:18 -------- d-----w- c:\documents and settings\Leon\Application Data\OnlineArmor
    2010-01-07 00:17 . 2009-12-05 06:28 24656 ----a-w- c:\windows\system32\drivers\OAmon.sys
    2010-01-07 00:17 . 2009-12-05 06:27 29776 ----a-w- c:\windows\system32\drivers\OAnet.sys
    2010-01-07 00:17 . 2009-12-05 06:27 223312 ----a-w- c:\windows\system32\drivers\OADriver.sys
    2010-01-07 00:17 . 2010-01-07 00:17 -------- d-----w- c:\program files\Tall Emu
    2010-01-06 18:12 . 2010-01-06 18:12 218736 ----a-w- c:\documents and settings\Leon\Application Data\HouseCall 6.6\patch.exe
    2010-01-06 18:12 . 2010-01-06 18:12 189968 ----a-w- c:\documents and settings\Leon\Application Data\HouseCall 6.6\ciussi32.dll
    2010-01-06 18:12 . 2010-01-06 18:12 170512 ----a-w- c:\documents and settings\Leon\Application Data\HouseCall 6.6\PATCHW32.DLL
    2010-01-06 18:12 . 2010-01-06 18:12 1267320 ----a-w- c:\documents and settings\Leon\Application Data\HouseCall 6.6\TmUpdate.dll
    2010-01-06 18:12 . 2010-01-06 18:12 61440 ----a-w- c:\documents and settings\Leon\Application Data\HouseCall 6.6\Toolkit.dll
    2010-01-06 18:12 . 2010-01-06 18:12 832776 ----a-w- c:\documents and settings\Leon\Application Data\HouseCall 6.6\lea.dll
    2010-01-06 18:12 . 2010-01-06 18:12 439560 ----a-w- c:\documents and settings\Leon\Application Data\HouseCall 6.6\jlea.dll
    2010-01-06 18:12 . 2010-01-06 18:12 42320 ----a-w- c:\documents and settings\Leon\Application Data\HouseCall 6.6\dsvout.dll
    2010-01-06 18:12 . 2010-01-06 18:12 183356 ----a-w- c:\documents and settings\Leon\Application Data\HouseCall 6.6\Uninstaller.exe
    2010-01-06 18:12 . 2010-01-06 19:38 -------- d-----w- c:\documents and settings\Leon\Application Data\HouseCall 6.6
    2009-12-28 01:21 . 2010-01-08 18:39 -------- d-----w- c:\program files\Handbrake
    2009-12-27 14:34 . 2009-12-27 14:34 -------- d-----w- c:\documents and settings\All Users\Application Data\F4
    2009-12-27 14:28 . 2008-12-17 18:22 57344 ----a-w- c:\windows\system32\ff_vfw.dll
    2009-12-27 14:28 . 2008-12-11 12:26 60273 ----a-w- c:\windows\system32\pthreadGC2.dll
    2009-12-27 14:28 . 2009-12-27 14:28 -------- d-----w- c:\program files\ffdshow
    2009-12-27 14:27 . 2009-12-27 18:29 -------- d-----w- c:\windows\SxsCaPendDel
    2009-12-27 13:23 . 2009-12-27 13:23 -------- d-----w- c:\program files\DVD Shrink
    2009-12-27 12:26 . 2009-12-27 12:26 -------- d-----w- c:\documents and settings\All Users\Application Data\SlySoft
    2009-12-26 21:54 . 2009-12-26 22:01 -------- d-----w- c:\documents and settings\Leon\Application Data\Download Manager
    2009-12-26 21:28 . 2009-12-26 21:28 411368 ----a-w- c:\windows\system32\deploytk.dll
    2009-12-26 21:27 . 2009-12-26 21:27 152576 ----a-w- c:\documents and settings\Leon\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
    2009-12-26 21:27 . 2009-12-26 21:27 79488 ----a-w- c:\documents and settings\Leon\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
    2009-12-24 10:52 . 2009-12-24 10:52 -------- d-s---w- c:\windows\system32\config\systemprofile\UserData
    2009-12-22 15:27 . 2009-12-22 15:27 -------- d-----w- c:\program files\Alcohol Soft
    2009-12-21 21:37 . 2009-12-27 13:24 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
    2009-12-21 20:44 . 2009-12-21 20:44 -------- d-----w- c:\documents and settings\Leon\Local Settings\Application Data\ATI
    2009-12-21 20:44 . 2009-12-21 20:44 -------- d-----w- c:\documents and settings\Leon\Application Data\ATI
    2009-12-21 20:28 . 2006-05-03 10:57 520192 ------w- c:\windows\system32\ati2sgag.exe
    2009-12-20 18:10 . 2009-12-20 18:13 -------- d-----w- c:\windows\$regcmp$
    2009-12-18 13:28 . 2009-12-18 13:28 -------- d-----w- c:\documents and settings\Leon\Application Data\VST3 Presets

    .
    (((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-01-13 11:57 . 2008-04-14 21:22 -------- d-----w- c:\program files\Mozilla Thunderbird
    2010-01-12 23:08 . 2008-04-17 21:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-01-12 13:10 . 2008-04-19 15:03 -------- d-----w- c:\documents and settings\Leon\Application Data\uTorrent
    2010-01-12 10:29 . 2009-07-14 18:07 -------- d-----w- c:\documents and settings\Leon\Application Data\vlc
    2010-01-12 09:20 . 2009-04-16 09:33 -------- d-----w- c:\program files\Unlocker
    2010-01-12 09:01 . 2009-02-17 12:00 -------- d-----w- c:\program files\PopCap Games
    2010-01-12 08:54 . 2009-04-12 12:08 -------- d-----w- c:\program files\Ingava.com
    2010-01-12 08:45 . 2008-04-25 18:05 -------- d-----w- c:\program files\Norton Ghost
    2010-01-12 00:05 . 2009-01-19 08:39 -------- d-----w- c:\documents and settings\All Users\Application Data\ma-config.com
    2010-01-12 00:05 . 2009-01-19 08:39 -------- d-----w- c:\program files\ma-config.com
    2010-01-12 00:01 . 2009-06-17 15:53 -------- d-----w- c:\program files\Google
    2010-01-11 15:44 . 2008-04-17 21:24 -------- d-----w- c:\program files\FlashGet
    2010-01-11 13:37 . 2008-06-21 10:30 -------- d-----w- c:\program files\Vstplugins
    2010-01-10 12:26 . 2008-11-01 16:16 -------- d-----w- c:\program files\ABC Amber BlackBerry Converter
    2010-01-10 09:46 . 2008-04-21 06:59 32 ----a-w- c:\windows\msocreg32.dat
    2010-01-07 11:19 . 2002-08-30 12:00 101888 ----a-w- c:\windows\system32\drivers\adpu160m.sys
    2010-01-07 00:18 . 2002-08-30 12:00 98038 ----a-w- c:\windows\system32\perfc00C.dat
    2010-01-07 00:18 . 2002-08-30 12:00 545420 ----a-w- c:\windows\system32\perfh00C.dat
    2010-01-06 18:13 . 2010-01-06 18:13 116048 ----a-w- c:\documents and settings\Leon\Application Data\HouseCall 6.6\TmEngDrv.dll
    2010-01-06 18:13 . 2010-01-06 18:13 98304 ----a-w- c:\documents and settings\Leon\Application Data\HouseCall 6.6\getMac.exe
    2010-01-06 18:13 . 2010-01-06 18:13 69632 ----a-w- c:\documents and settings\Leon\Application Data\HouseCall 6.6\mfcm80.dll
    2010-01-06 18:13 . 2010-01-06 18:13 626688 ----a-w- c:\documents and settings\Leon\Application Data\HouseCall 6.6\msvcr80.dll
    2010-01-06 18:13 . 2010-01-06 18:13 57344 ----a-w- c:\documents and settings\Leon\Application Data\HouseCall 6.6\mfcm80u.dll
    2010-01-06 18:13 . 2010-01-06 18:13 548864 ----a-w- c:\documents and settings\Leon\Application Data\HouseCall 6.6\msvcp80.dll
    2010-01-06 18:13 . 2010-01-06 18:13 479232 ----a-w- c:\documents and settings\Leon\Application Data\HouseCall 6.6\msvcm80.dll
    2010-01-06 18:13 . 2010-01-06 18:13 1093632 ----a-w- c:\documents and settings\Leon\Application Data\HouseCall 6.6\mfc80.dll
    2010-01-06 18:13 . 2010-01-06 18:13 1079808 ----a-w- c:\documents and settings\Leon\Application Data\HouseCall 6.6\mfc80u.dll
    2010-01-06 12:58 . 2008-07-26 13:48 -------- d-----w- c:\documents and settings\Leon\Application Data\dvdcss
    2010-01-05 17:21 . 2008-04-19 09:33 -------- d-----w- c:\documents and settings\Leon\Application Data\UseNeXT
    2009-12-28 21:31 . 2009-01-09 16:02 -------- d-----w- c:\program files\Ray Adams
    2009-12-28 16:42 . 2008-06-22 14:25 -------- d-----w- c:\program files\SyncBack
    2009-12-26 21:28 . 2008-05-02 09:46 -------- d-----w- c:\program files\Java
    2009-12-21 20:29 . 2008-05-27 08:09 -------- d-----w- c:\program files\ATI Technologies
    2009-12-21 16:28 . 2009-07-05 12:09 -------- d-----w- c:\program files\IObit
    2009-12-18 15:42 . 2009-04-20 12:28 -------- d-----w- c:\program files\XtremSplit
    2009-12-14 11:24 . 2008-04-15 07:42 -------- d-----w- c:\program files\XnView
    2009-12-13 14:19 . 2008-07-13 21:24 -------- d-----w- c:\documents and settings\Leon\Application Data\FileZilla
    2009-12-12 21:49 . 2009-09-26 15:09 24340 ---ha-w- c:\windows\system32\mlfcache.dat
    2009-12-10 20:49 . 2009-05-09 10:00 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2009-12-10 20:34 . 2008-04-17 21:24 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2009-12-08 19:25 . 2008-05-01 22:21 1 ----a-w- c:\documents and settings\Leon\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
    2009-12-08 19:24 . 2008-05-01 22:21 -------- d-----w- c:\documents and settings\Leon\Application Data\OpenOffice.org2
    2009-12-07 21:09 . 2008-04-21 06:58 -------- d--h--w- c:\program files\InstallShield Installation Information
    2009-12-07 21:09 . 2009-12-07 21:09 -------- d-----w- c:\program files\CyberLink
    2009-12-03 19:47 . 2009-12-03 19:44 -------- d-----w- c:\program files\ABC Amber Text Converter
    2009-12-03 19:42 . 2008-11-01 15:14 -------- d-----w- c:\program files\ABC Amber BlackBerry Editor
    2009-12-03 19:31 . 2008-04-19 08:56 33696 ----a-w- c:\documents and settings\Leon\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-12-03 19:22 . 2009-05-29 18:33 -------- d-----w- c:\program files\Ask & Record Toolbar
    2009-12-03 19:18 . 2008-05-17 15:55 -------- d-----w- c:\program files\Fichiers communs\Roxio Shared
    2009-12-03 19:18 . 2008-05-17 15:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio
    2009-12-03 18:58 . 2009-02-17 12:00 10 ----a-w- c:\windows\popcinfo.dat
    2009-12-03 10:34 . 2008-04-18 19:39 -------- d-----w- c:\program files\UseNeXT
    2009-12-01 18:05 . 2009-12-01 18:05 -------- d-----w- c:\program files\laetjr
    2009-12-01 17:56 . 2009-12-01 17:51 -------- d-----w- c:\program files\ABC Amber PDF Merger
    2009-11-28 15:57 . 2009-11-28 15:57 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
    2009-11-27 10:24 . 2009-11-27 10:24 -------- d-----w- c:\program files\Recuva
    2009-11-23 19:47 . 2009-11-23 19:43 -------- d-----w- c:\program files\Html to Jpg
    2009-11-23 18:20 . 2009-11-23 17:52 -------- d-----w- c:\program files\Monster Truck Nitro 2
    2009-11-21 18:38 . 2009-11-21 18:38 -------- d-----w- c:\program files\AviSynth 2.5
    2009-11-21 18:38 . 2009-11-21 18:38 -------- d-----w- c:\program files\eRightSoft
    2009-11-21 15:58 . 2002-08-30 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
    2009-10-29 05:25 . 2002-08-30 12:00 671232 ------w- c:\windows\system32\wininet.dll
    2009-10-21 05:39 . 2008-04-19 08:43 25088 ----a-w- c:\windows\system32\httpapi.dll
    2009-10-21 05:39 . 2008-04-19 08:43 75776 ----a-w- c:\windows\system32\strmfilt.dll
    2009-10-20 16:20 . 2008-04-19 08:44 265728 ------w- c:\windows\system32\drivers\http.sys
    2009-10-15 16:32 . 2002-08-30 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
    2009-10-15 16:32 . 2002-08-30 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
    2006-12-15 09:50 . 2008-04-14 21:03 934054 ----a-w- c:\program files\xnview wallpaper.bmp
    2006-05-03 09:06 . 2009-11-21 18:38 163328 --sh--r- c:\windows\system32\flvDX.dll
    2009-10-02 11:20 . 2009-10-02 11:14 952 --sha-w- c:\windows\system32\KGyGaAvL.sys
    2007-02-21 10:47 . 2009-11-21 18:38 31232 --sh--r- c:\windows\system32\msfDX.dll
    2008-03-16 12:30 . 2009-11-21 18:38 216064 --sh--r- c:\windows\system32\nbDX.dll
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-01-06_20.16.40 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2009-09-22 16:12 . 2009-05-26 11:40 18296 c:\windows\system32\spmsg.dll
    + 2009-09-22 16:12 . 2008-07-08 13:03 18296 c:\windows\system32\spmsg.dll
    + 2002-08-30 12:00 . 2010-01-07 00:18 80780 c:\windows\system32\perfc009.dat
    + 2002-08-30 12:00 . 2008-04-14 02:34 14336 c:\windows\system32\dllcache\svchost.exe
    - 2009-09-23 07:29 . 2009-07-29 04:35 81920 c:\windows\system32\dllcache\fontsub.dll
    + 2009-09-23 07:29 . 2009-10-15 16:32 81920 c:\windows\system32\dllcache\fontsub.dll
    - 2009-12-24 10:52 . 2010-01-06 20:17 32768 c:\windows\system32\config\systemprofile\UserData\index.dat
    + 2009-12-24 10:52 . 2010-01-12 08:27 32768 c:\windows\system32\config\systemprofile\UserData\index.dat
    + 2010-01-12 08:26 . 2010-01-12 08:26 32768 c:\windows\system32\config\systemprofile\Local Settings\Historique\History.IE5\MSHist012010011220100113\index.dat
    + 2010-01-12 08:26 . 2010-01-12 08:26 32768 c:\windows\system32\config\systemprofile\Local Settings\Historique\History.IE5\MSHist012010010420100111\index.dat
    + 2010-01-09 12:51 . 2010-01-09 12:51 32768 c:\windows\system32\config\systemprofile\Local Settings\Historique\History.IE5\MSHist012009122820100104\index.dat
    + 2008-04-14 17:54 . 2010-01-13 11:31 32768 c:\windows\system32\config\systemprofile\Local Settings\Historique\History.IE5\index.dat
    - 2008-04-14 17:54 . 2010-01-06 20:12 32768 c:\windows\system32\config\systemprofile\Local Settings\Historique\History.IE5\index.dat
    + 2008-04-14 17:54 . 2010-01-13 11:31 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
    - 2008-04-14 17:54 . 2010-01-06 20:12 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
    + 2010-01-11 20:53 . 2010-01-11 20:53 65024 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
    + 2010-01-11 20:53 . 2010-01-11 20:53 18944 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
    + 2010-01-11 20:53 . 2010-01-11 20:53 5120 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF16.exe
    + 2002-08-30 12:00 . 2010-01-07 00:18 470006 c:\windows\system32\perfh009.dat
    - 2009-09-23 07:29 . 2009-07-29 04:35 119808 c:\windows\system32\dllcache\t2embed.dll
    + 2009-09-23 07:29 . 2009-10-15 16:32 119808 c:\windows\system32\dllcache\t2embed.dll
    + 2002-08-30 12:00 . 2010-01-07 11:19 101888 c:\windows\system32\dllcache\adpu160m.sys
    + 2008-04-14 17:54 . 2010-01-13 11:31 180224 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2010-01-11 13:36 . 2010-01-11 13:36 911360 c:\windows\Installer\8815b8.msi
    + 2010-01-12 17:06 . 2010-01-12 17:06 274432 c:\windows\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
    + 2010-01-12 17:06 . 2008-08-07 14:27 163328 c:\windows\ERUNT\SDFIX_First_Run\ERDNT.EXE
    + 2010-01-12 17:07 . 2010-01-12 17:07 274432 c:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat
    + 2010-01-12 17:07 . 2008-08-07 14:27 163328 c:\windows\ERUNT\SDFIX\ERDNT.EXE
    + 2010-01-11 20:53 . 2010-01-11 20:53 1583616 c:\windows\Installer\121f1c7.msi
    + 2009-01-15 20:17 . 2010-01-04 15:17 29634504 c:\windows\system32\MRT.exe
    + 2010-01-12 17:06 . 2010-01-12 17:06 13152256 c:\windows\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
    + 2010-01-12 17:07 . 2010-01-12 17:07 13152256 c:\windows\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
    .
    ((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RMETray"="digi96.exe" [2005-06-14 86016]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
    "@OnlineArmor GUI"="c:\program files\Tall Emu\Online Armor\oaui.exe" [2009-12-05 6622920]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-13 15360]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\TALLEM~1\ONLINE~1\oaevent.dll" [2009-12-05 923336]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 13:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "wave"=digi96.dll
    "wave4"=digi96.dll
    "wave5"=digi96.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0sprestrt

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^MOTU Pedal Handler.lnk]
    path=c:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\MOTU Pedal Handler.lnk
    backup=c:\windows\pss\MOTU Pedal Handler.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Leon^Menu Démarrer^Programmes^Démarrage^Adobe Gamma.lnk]
    path=c:\documents and settings\Leon\Menu Démarrer\Programmes\Démarrage\Adobe Gamma.lnk
    backup=c:\windows\pss\Adobe Gamma.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
    c:\windows\system32\dumprep 0 -u [X]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
    2009-12-22 14:50 45056 ----a-w- c:\program files\ATI Technologies\ATI.ACE\CLI.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATnotes.exe]
    2005-01-05 13:45 1015808 ----a-w- c:\program files\ATnotes\ATnotes.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
    2004-12-13 13:30 58992 ----a-w- c:\program files\Fichiers communs\Symantec Shared\ccApp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
    2008-06-24 14:06 1840424 ----a-w- c:\program files\Fichiers communs\Nero\Lib\NMIndexStoreSvr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
    2006-09-11 02:40 218032 ----a-w- c:\program files\Fichiers communs\InstallShield\UpdateService\ISUSPM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    2008-06-19 07:53 570664 ----a-w- c:\program files\Fichiers communs\Nero\Lib\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Ghost 10.0]
    2005-09-09 17:09 1537648 ----a-w- c:\program files\Norton Ghost\Agent\GhostTray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2009-09-04 23:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
    2004-11-02 19:24 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2009-12-26 21:28 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2008-04-19 11:45 185896 ----a-w- c:\program files\Fichiers communs\Real\Update_OB\realsched.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\eMule\\emule.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\FlashGet\\flashget.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

    R0 amdagpxp;AMD NB AGP Bus Filter;c:\windows\system32\drivers\amdagpxp.sys [19/01/2009 10:34 27776]
    R0 amdeide;amdeide;c:\windows\system32\drivers\amdeide.sys [19/01/2009 10:34 4864]
    R0 DigiFilter;DigiFilter;c:\windows\system32\drivers\DigiFilt.sys [02/05/2008 18:27 16384]
    R1 Asapi;Asapi;c:\windows\system32\drivers\asapi.sys [17/04/2008 22:45 11264]
    R1 atitray;atitray;c:\program files\Ray Adams\ATI Tray Tools\atitray.sys [25/11/2009 13:11 19232]
    R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [07/01/2010 01:17 223312]
    R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [07/01/2010 01:17 24656]
    R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [07/01/2010 01:17 29776]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [05/01/2010 07:56 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [05/01/2010 07:56 74480]
    R2 AntiVirSchedulerService;Avira AntiVir Planificateur;c:\program files\Avira\AntiVir Desktop\sched.exe [09/05/2009 11:00 108289]
    R2 digi96;RME Digi Audio Device;c:\windows\system32\drivers\digi96.sys [21/07/2005 16:55 48768]
    R2 DigiNet;Digidesign Ethernet Support;c:\windows\system32\drivers\diginet.sys [15/06/2008 15:58 16400]
    R2 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [07/01/2010 01:17 1282248]
    R2 tyansmb;tyansmb;c:\windows\system32\drivers\tyansmb.sys [26/09/2009 15:56 12751]
    R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [14/04/2008 21:41 33792]
    R3 motubus;MOTU Audio MIDI Extension;c:\windows\system32\drivers\motubus.sys [13/06/2008 12:04 23600]
    S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [28/11/2009 16:57 721904]
    S2 ALIEHCD;ULi PCI to USB Enhanced Host Controller;c:\windows\system32\drivers\AliEhci.sys [22/05/2008 18:32 83596]
    S2 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [07/01/2010 01:17 3291336]
    S3 aliroothub;USB 2.0 Root Hub;c:\windows\system32\drivers\AliRtHub.sys [22/05/2008 18:32 5331]
    S3 dalwdmservice;dal service;c:\windows\system32\drivers\Dalwdm.sys [02/05/2008 18:26 97808]
    S3 mfwagsif;MOTU Audio GSIF;c:\windows\system32\drivers\mfwagsif.sys [13/06/2008 12:04 22576]
    S3 mfwamidi;MOTU Audio MIDI;c:\windows\system32\drivers\mfwamidi.sys [13/06/2008 12:04 26160]
    S3 mfwawave;MOTU Audio Wave;c:\windows\system32\drivers\mfwawave.sys [13/06/2008 12:04 62000]
    S3 MotuFWA;MotuFWA;c:\windows\system32\drivers\motufwa.sys [13/06/2008 12:04 438320]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [05/01/2010 07:56 7408]
    S4 gupdate1c9ef63de99bb6c;Service Google Update (gupdate1c9ef63de99bb6c);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
    .
    Contenu du dossier 'Tâches planifiées'

    2010-01-13 c:\windows\Tasks\GoogleUpdateTaskUser.job
    - c:\documents and settings\Leon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-23 09:17]
    .
    .
    ------- Examen supplémentaire -------
    .
    uStart Page = hxxp://www.talti.com
    uInternet Settings,ProxyOverride = *.local
    IE: &Tout télécharger avec FlashGet - c:\program files\FlashGet\jc_all.htm
    IE: &Télécharger avec FlashGet - c:\program files\FlashGet\jc_link.htm
    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://www.bitdefender.fr/scan_fr/scan8/oscan8.cab
    FF - ProfilePath - c:\documents and settings\Leon\Application Data\Mozilla\Firefox\Profiles\stv2pt3f.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.GOOGLE.fr
    FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
    FF - plugin: c:\documents and settings\Leon\Local Settings\Application Data\Google\Update\1.2.131.11\npGoogleOneClick5.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npornap.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- PARAMETRES FIREFOX ----
    FF - user.js: browser.cache.memory.capacity - 65536
    FF - user.js: browser.chrome.favicons - fales
    FF - user.js: browser.display.show_image_placeholders - true
    FF - user.js: browser.turbo.enabled - true
    FF - user.js: browser.urlbar.autocomplete.enabled - true
    FF - user.js: browser.urlbar.autofill - true
    FF - user.js: content.interrupt.parsing - true
    FF - user.js: content.max.tokenizing.time - 2250000
    FF - user.js: content.notify.backoffcount - 5
    FF - user.js: content.notify.interval - 750000
    FF - user.js: content.notify.ontimer - true
    FF - user.js: content.switch.threshold - 750000
    FF - user.js: network.http.max-connections - 48
    FF - user.js: network.http.max-connections-per-server - 16
    FF - user.js: network.http.max-persistent-connections-per-proxy - 16
    FF - user.js: network.http.max-persistent-connections-per-server - 8
    FF - user.js: network.http.pipelining - true
    FF - user.js: network.http.pipelining.firstrequest - true
    FF - user.js: network.http.pipelining.maxrequests - 8
    FF - user.js: network.http.proxy.pipelining - true
    FF - user.js: network.http.request.max-start-delay - 0
    FF - user.js: nglayout.initialpaint.delay - 0
    FF - user.js: plugin.expose_full_path - true
    FF - user.js: ui.submenuDelay - 0
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-01-13 13:06
    Windows 5.1.2600 Service Pack 3 NTFS

    Recherche de processus cachés ...

    Recherche d'éléments en démarrage automatique cachés ...

    Recherche de fichiers cachés ...

    Scan terminé avec succès
    Fichiers cachés: 0

    **************************************************************************
    .
    --------------------- DLLs chargées dans les processus actifs ---------------------

    - - - - - - - > 'winlogon.exe'(508)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll
    c:\windows\system32\Ati2evxx.dll

    - - - - - - - > 'explorer.exe'(2572)
    c:\windows\system32\eappprxy.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Heure de fin: 2010-01-13 13:10:06
    ComboFix-quarantined-files.txt 2010-01-13 12:10
    ComboFix2.txt 2010-01-13 11:51
    ComboFix3.txt 2010-01-06 20:23

    Avant-CF: 2 324 176 896 octets libres
    Après-CF: 2 308 366 336 octets libres

    Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
    - - End Of File - - 9D838D76CE304AC2BAB35082431AE254

    Merci de ton attention, je commence doucement à fatiguer là.... ;O)
    0
  5. Vous n’avez pas trouvé la réponse que vous recherchez ?

    Posez votre question
  6. Thierrrrry Messages postés 6 Statut Membre
     
    Complément d'info, les propriétés du fichier svchost.exe crée dans windows\temp\*.* me donne

    Langue russe
    nom du fichier odbcconf.dll
    versin 3.525.1132.0
    xpsp080413-0852
    microsoft data access components

    J'ai analysé toutes les dll trouvées sur le disque avec totalvirus sans succès.

    Voilà, merci !
    0
  7. Thierrrrry Messages postés 6 Statut Membre
     
    Suite de la suite du retour, j'ai pu analyser le fichier svchost.exe avant qu'il ne disparaisse, voici le rapport virustotal. A noter que ni Antivir, ni malwarebyte ne le voient.

    Fichier svchost.exe reçu le 2010.01.13 14:06:48 (UTC)
    Antivirus Version Dernière mise à jour Résultat
    a-squared 4.5.0.48 2010.01.13 -
    AhnLab-V3 5.0.0.2 2010.01.13 -
    AntiVir 7.9.1.134 2010.01.13 TR/Hooker.BS
    Antiy-AVL 2.0.3.7 2010.01.12 -
    Authentium 5.2.0.5 2010.01.12 -
    Avast 4.8.1351.0 2010.01.13 -
    AVG 9.0.0.725 2010.01.13 -
    BitDefender 7.2 2010.01.13 -
    CAT-QuickHeal 10.00 2010.01.13 -
    ClamAV 0.94.1 2010.01.13 -
    Comodo 3569 2010.01.13 TrojWare.Win32.Trojan.Agent.Gen
    DrWeb 5.0.1.12222 2010.01.13 -
    eSafe 7.0.17.0 2010.01.13 -
    eTrust-Vet 35.2.7234 2010.01.13 -
    F-Prot 4.5.1.85 2010.01.12 -
    F-Secure 9.0.15370.0 2010.01.13 Suspicious:W32/Riskware!Online
    Fortinet 4.0.14.0 2010.01.13 W32/Agent.BFF2!tr.rkit
    GData 19 2010.01.13 -
    Ikarus T3.1.1.80.0 2010.01.13 -
    Jiangmin 13.0.900 2010.01.13 -
    K7AntiVirus 7.10.946 2010.01.13 -
    Kaspersky 7.0.0.125 2010.01.13 Trojan.Win32.Hooker.bs
    McAfee 5859 2010.01.12 -
    McAfee+Artemis 5859 2010.01.12 -
    McAfee-GW-Edition 6.8.5 2010.01.13 Trojan.Hooker.BS
    Microsoft 1.5302 2010.01.13 -
    NOD32 4766 2010.01.13 -
    Norman 6.04.03 2010.01.13 -
    nProtect 2009.1.8.0 2010.01.13 -
    Panda 10.0.2.2 2010.01.12 -
    PCTools 7.0.3.5 2010.01.13 -
    Prevx 3.0 2010.01.13 High Risk Cloaked Malware
    Rising 22.30.02.06 2010.01.13 -
    Sophos 4.49.0 2010.01.13 Mal/Generic-A
    Sunbelt 3.2.1858.2 2010.01.13 -
    Symantec 20091.2.0.41 2010.01.13 -
    TheHacker 6.5.0.3.148 2010.01.13 -
    TrendMicro 9.120.0.1004 2010.01.13 -
    VBA32 3.12.12.1 2010.01.13 -
    ViRobot 2010.1.13.2134 2010.01.13 -
    VirusBuster 5.0.21.0 2010.01.12 -
    Information additionnelle
    File size: 134656 bytes
    MD5...: 7f0db2a3c0b0af4869c7884661b514b5
    SHA1..: ed7fb4170509ce56dc6457fb9464d712c25ada48
    SHA256: 70f9b9556aa2fc1b7a584ac72a9b442bb179a39113dd511b9d8c6f3124b79ce9
    ssdeep: 3072:hn9NoqnBnY58gXife6FBtDSdTFRidJcldu5cEWDDAO+9:hn9NtBnM8gXife<br>CBtSRidJAdLl+<br>
    PEiD..: -
    PEInfo: PE Structure information<br><br>( base data )<br>entrypointaddress.: 0x8190<br>timedatestamp.....: 0x4b4a747e (Mon Jan 11 00:44:46 2010)<br>machinetype.......: 0x14c (I386)<br><br>( 5 sections )<br>name viradd virsiz rawdsiz ntrpy md5<br>.text 0x1000 0x8e30 0x9000 5.96 df23d813025091f60fdd058b1ad0ef9b<br>.rdata 0xa000 0x824 0xa00 4.80 ebdb4ed94c2032a53fa56192c2c0ced8<br>.data 0xb000 0x3c 0x200 0.12 0654b61762ac51f4a1ed65d4bb7037eb<br>.rsrc 0xc000 0x169a8 0x16a00 7.55 69894b42657efc04878694ab2b7cbbde<br>.reloc 0x23000 0x1000 0x400 3.67 05c2adcd3f360dfeb0fb6167a8870a2d<br><br>( 3 imports ) <br>> KERNEL32.dll: GetCurrentProcessId, LocalFree, ReleaseMutex, GetCurrentDirectoryA, GetSystemDirectoryA, WriteFile, SetFilePointer, GetVersionExA, ResetEvent, GetComputerNameA, DeleteFileA, GetCurrentProcess, GetFileSize, CloseHandle, LocalAlloc, CreateMutexA, GetStdHandle, GetModuleHandleA, ResumeThread, WaitForSingleObject<br>> ADVAPI32.dll: GetUserNameA<br>> USER32.dll: GetSystemMetrics, PostMessageA, CreateDialogParamA, wsprintfA, GetClassInfoExA, GetWindow, GetActiveWindow<br><br>( 0 exports ) <br>
    RDS...: NSRL Reference Data Set<br>-
    pdfid.: -
    trid..: Win32 Executable Generic (42.3%)<br>Win32 Dynamic Link Library (generic) (37.6%)<br>Generic Win/DOS Executable (9.9%)<br>DOS Executable Generic (9.9%)<br>Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
    sigcheck:<br>publisher....: n/a<br>copyright....: n/a<br>product......: n/a<br>description..: n/a<br>original name: n/a<br>internal name: n/a<br>file version.: n/a<br>comments.....: n/a<br>signers......: -<br>signing date.: -<br>verified.....: Unsigned<br>
    <a href='http://info.prevx.com/aboutprogramtext.asp?PX5=C74129AC0041EF150ED102C04183720054AADD59' target='_blank'>http://info.prevx.com/aboutprogramtext.asp?PX5=C74129AC0041EF150ED102C04183720054AADD59</a>

    Antivirus Version Dernière mise à jour Résultat
    a-squared 4.5.0.48 2010.01.13 -
    AhnLab-V3 5.0.0.2 2010.01.13 -
    AntiVir 7.9.1.134 2010.01.13 TR/Hooker.BS
    Antiy-AVL 2.0.3.7 2010.01.12 -
    Authentium 5.2.0.5 2010.01.12 -
    Avast 4.8.1351.0 2010.01.13 -
    AVG 9.0.0.725 2010.01.13 -
    BitDefender 7.2 2010.01.13 -
    CAT-QuickHeal 10.00 2010.01.13 -
    ClamAV 0.94.1 2010.01.13 -
    Comodo 3569 2010.01.13 TrojWare.Win32.Trojan.Agent.Gen
    DrWeb 5.0.1.12222 2010.01.13 -
    eSafe 7.0.17.0 2010.01.13 -
    eTrust-Vet 35.2.7234 2010.01.13 -
    F-Prot 4.5.1.85 2010.01.12 -
    F-Secure 9.0.15370.0 2010.01.13 Suspicious:W32/Riskware!Online
    Fortinet 4.0.14.0 2010.01.13 W32/Agent.BFF2!tr.rkit
    GData 19 2010.01.13 -
    Ikarus T3.1.1.80.0 2010.01.13 -
    Jiangmin 13.0.900 2010.01.13 -
    K7AntiVirus 7.10.946 2010.01.13 -
    Kaspersky 7.0.0.125 2010.01.13 Trojan.Win32.Hooker.bs
    McAfee 5859 2010.01.12 -
    McAfee+Artemis 5859 2010.01.12 -
    McAfee-GW-Edition 6.8.5 2010.01.13 Trojan.Hooker.BS
    Microsoft 1.5302 2010.01.13 -
    NOD32 4766 2010.01.13 -
    Norman 6.04.03 2010.01.13 -
    nProtect 2009.1.8.0 2010.01.13 -
    Panda 10.0.2.2 2010.01.12 -
    PCTools 7.0.3.5 2010.01.13 -
    Prevx 3.0 2010.01.13 High Risk Cloaked Malware
    Rising 22.30.02.06 2010.01.13 -
    Sophos 4.49.0 2010.01.13 Mal/Generic-A
    Sunbelt 3.2.1858.2 2010.01.13 -
    Symantec 20091.2.0.41 2010.01.13 -
    TheHacker 6.5.0.3.148 2010.01.13 -
    TrendMicro 9.120.0.1004 2010.01.13 -
    VBA32 3.12.12.1 2010.01.13 -
    ViRobot 2010.1.13.2134 2010.01.13 -
    VirusBuster 5.0.21.0 2010.01.12 -

    Information additionnelle
    File size: 134656 bytes
    MD5...: 7f0db2a3c0b0af4869c7884661b514b5
    SHA1..: ed7fb4170509ce56dc6457fb9464d712c25ada48
    SHA256: 70f9b9556aa2fc1b7a584ac72a9b442bb179a39113dd511b9d8c6f3124b79ce9
    ssdeep: 3072:hn9NoqnBnY58gXife6FBtDSdTFRidJcldu5cEWDDAO+9:hn9NtBnM8gXife<br>CBtSRidJAdLl+<br>
    PEiD..: -
    PEInfo: PE Structure information<br><br>( base data )<br>entrypointaddress.: 0x8190<br>timedatestamp.....: 0x4b4a747e (Mon Jan 11 00:44:46 2010)<br>machinetype.......: 0x14c (I386)<br><br>( 5 sections )<br>name viradd virsiz rawdsiz ntrpy md5<br>.text 0x1000 0x8e30 0x9000 5.96 df23d813025091f60fdd058b1ad0ef9b<br>.rdata 0xa000 0x824 0xa00 4.80 ebdb4ed94c2032a53fa56192c2c0ced8<br>.data 0xb000 0x3c 0x200 0.12 0654b61762ac51f4a1ed65d4bb7037eb<br>.rsrc 0xc000 0x169a8 0x16a00 7.55 69894b42657efc04878694ab2b7cbbde<br>.reloc 0x23000 0x1000 0x400 3.67 05c2adcd3f360dfeb0fb6167a8870a2d<br><br>( 3 imports ) <br>> KERNEL32.dll: GetCurrentProcessId, LocalFree, ReleaseMutex, GetCurrentDirectoryA, GetSystemDirectoryA, WriteFile, SetFilePointer, GetVersionExA, ResetEvent, GetComputerNameA, DeleteFileA, GetCurrentProcess, GetFileSize, CloseHandle, LocalAlloc, CreateMutexA, GetStdHandle, GetModuleHandleA, ResumeThread, WaitForSingleObject<br>> ADVAPI32.dll: GetUserNameA<br>> USER32.dll: GetSystemMetrics, PostMessageA, CreateDialogParamA, wsprintfA, GetClassInfoExA, GetWindow, GetActiveWindow<br><br>( 0 exports ) <br>
    RDS...: NSRL Reference Data Set<br>-
    pdfid.: -
    trid..: Win32 Executable Generic (42.3%)<br>Win32 Dynamic Link Library (generic) (37.6%)<br>Generic Win/DOS Executable (9.9%)<br>DOS Executable Generic (9.9%)<br>Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
    sigcheck:<br>publisher....: n/a<br>copyright....: n/a<br>product......: n/a<br>description..: n/a<br>original name: n/a<br>internal name: n/a<br>file version.: n/a<br>comments.....: n/a<br>signers......: -<br>signing date.: -<br>verified.....: Unsigned<br>
    <a href='http://info.prevx.com/aboutprogramtext.asp?PX5=C74129AC0041EF150ED102C04183720054AADD59' target='_blank'>http://info.prevx.com/aboutprogramtext.asp?PX5=C74129AC0041EF150ED102C04183720054AADD59</a>
    0
  8. dédétraqué Messages postés 4522 Statut Contributeur sécurité 286
     
    Salut Thierrrrry

    Pourquoi me mentir quand je le voie dans les rapports???

    Et tu as même utilisé Combofix deux fois aujourd'hui...

    ComboFix-quarantined-files.txt 2010-01-13 12:10
    ComboFix2.txt 2010-01-13 11:51
    ComboFix3.txt 2010-01-06 20:23 <-----


    Comme demandé plus haut, poste le rapport de Combofix en date du 6, il ce trouve maintenant ici :
    C:\Qoobox\ComboFix3.txt

    @++ :)
    0
  9. Thierrrrry Messages postés 6 Statut Membre
     
    Bonjour,

    Je ne comprends pas, pourtant il ne me semblait pas avoir lancé combofix...

    Bref. Je n'avais pas vu que tu voulais la version du 6, je l'ai relancé. Il a voulu désactiver alcohol et a redémarré, et là, j'ai eu la fenêtre disant que je devais activer XP, avec une fenêtre oui/non, qui revenait quoique je fasse. (mon installation d'XP date de longtemps) Impossible d'avoir l'explorateur. Impossible de restaurer par la console. Bref, réparation par le cd, et là, idem, numéro invalide ! Prise de tête, et même une coupure de courant qui m'a montré que l'onduleur est HS. Donc, coup de fil à microsoft, nouveau numéro d'activation, rebelotte SP2/3 etc... plus de connection. Réparation de la base de registre, et là, ça a l'air d'aller, plus d'alerte. Je vais rapidement faire un ghost je crois...

    Merci en tout cas de ta tentative de secours.

    A bientôt

    Thierrrrrrrrry
    0
  10. art21
     
    Bonjour j'ai le même problème que Thierrrrrrrrry et je n'arrive pas à le résoudre.

    Voila les rapports rsi et hijack.

    Merci.

    log.txt :

    Logfile of random's system information tool 1.06 (written by random/random)
    Run by Utilisateur at 2010-01-22 11:11:31
    Microsoft® Windows Vista™ Édition Familiale Premium Service Pack 2
    System drive C: has 31 GB (13%) free of 238 GB
    Total RAM: 2046 MB (42% free)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:11:41, on 22/01/2010
    Platform: Windows Vista SP2 (WinNT 6.00.1906)
    MSIE: Internet Explorer v7.00 (7.00.6002.18005)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Windows\System32\fireface.exe
    C:\Windows\System32\firefacemix.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\DAEMON Tools Lite\daemon.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Users\Utilisateur\Desktop\RSIT.exe
    C:\Program Files\trend micro\Utilisateur.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Programme d'aide de l'Assistant de connexion Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe -r
    O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [FirefaceTray] fireface.exe
    O4 - HKLM\..\Run: [FirefaceMixTray] firefacemix.exe
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
    O4 - HKLM\..\Run: [NokiaMusic FastStart] "C:\Program Files\Nokia\Ovi Player\NokiaOviPlayer.exe" /command:faststart
    O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [NokiaMServer] C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer /watchfiles startup
    O4 - HKLM\..\Run: [BboxUpdate] C:\Program Files\BboxUpdate\eStantAutoRunV.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
    O4 - HKCU\..\Run: [NokiaOviSuite2] C:\Program Files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe -tray
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVICE LOCAL')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'SERVICE LOCAL')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVICE RÉSEAU')
    O4 - HKUS\S-1-5-18\..\Run: [cbssreg] C:\Windows\TEMP\pmtc.tmp\svchost.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [cbssreg] C:\Windows\TEMP\pmtc.tmp\svchost.exe (User 'Default user')
    O13 - Gopher Prefix:
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Avira AntiVir Planificateur (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
    O23 - Service: Dragon Age: Origins - Content Updater (DAUpdaterSvc) - BioWare - C:\Program Files\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe
    O23 - Service: BboxUpdate (eStantLaunchService) - TechCity Solutions France - C:\Program Files\BboxUpdate\eSRunService.exe
    O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Service Google Update (gupdate1ca4c6d777e69c0) (gupdate1ca4c6d777e69c0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD DE\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: SureThing Labelflash service - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
    0