DR/delphi.gen, the return

Thierrrrry Posts: 6 Status: Member
Hello,

For a few days now I've been having trouble with DR/delphi.gen.

I can't get rid of it. It creates a randomly named folder in c:\windows\temp, something like \ditl.tmp, and creates an svchost.exe file that gets picked up by the Online Armor firewall and Antivir, but the file deletes itself.

I ran a HijackThis scan, which didn't tell me much, plus a full scan with Antivir, Spybot, CCleaner, Advanced SystemCare, SUPERAntiSpyware and Malwarebytes (nothing less)... with no effect. I disabled System Restore, emptied the cache, etc. I believe I'm up to date on XP, Firefox, Java, etc.

Online Armor tells me the application creating it is c:\windows\system32\svchost.exe, but that file is a valid system file, am I wrong? And a scan on VirusTotal finds nothing.

There you go; I usually manage by reading the posts, but this time I'm stuck...

A helping hand would be welcome!

Thanks in advance

Thié

9 replies

dédétraqué Posts: 4522 Status: Security contributor 286
 
Hi Thierrrrry

Let's check that. Download RSIT (by random/random) to the desktop from here:
http://images.malwareremoval.com/random/RSIT.exe

- Double-click RSIT.exe on the desktop
- Click Continue in the window
- RSIT will download HijackThis if it is not present or detected; in that case you'll need to accept the licence
- Post the contents of both reports, log.txt and info.txt (minimised in the taskbar), at the end of the scan

The reports are in the folder C:\rsit

@++ :)
0
Thierrrrry Posts: 6 Status: Member
 
Hello,

Thanks for your reply, here's the log.txt report, enjoy the read!

Logfile of random's system information tool 1.06 (written by random/random)
Run by Leon at 2010-01-12 09:22:27
Microsoft Windows XP Professionnel Service Pack 3
System drive C: has 2 GB (13%) free of 16 GB
Total RAM: 3615 MB (88% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:23:07, on 12/01/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Tall Emu\Online Armor\OAcat.exe
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\digi96.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\Program Files\Tall Emu\Online Armor\OAhlp.exe
C:\Documents and Settings\Leon\Bureau\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Leon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.talti.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [RMETray] digi96.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Tout télécharger avec FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Télécharger avec FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com/...
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.fr/scan_fr/scan8/oscan8.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Planificateur (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\OAcat.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Unknown owner - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe (file missing)
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe
0
dédétraqué Posts: 4522 Status: Security contributor 286
 
Hi Thierrrrry

I see you've also used ComboFix... Are you getting help on another forum?

Post the ComboFix report dated the 6th; it's here: C:\Combofix.txt

@++ :)
0
Thierrrrry Posts: 6 Status: Member
 
Hello

No, I saw that while digging around forums here and there, but given the warnings about using it, I hadn't used it yet. I suspected I'd have to go through it!

So here's the fresh report:

ComboFix 10-01-11.04 - Leon 13/01/2010 12:59:29.3.2 - x86
Microsoft Windows XP Professionnel 5.1.2600.3.1252.33.1036.18.3615.3181 [GMT 1:00]
Lancé depuis: c:\documents and settings\Leon\Bureau\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Pare-feu Online Armor *disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
.

((((((((((((((((((((((((((((( Fichiers créés du 2009-12-13 au 2010-01-13 ))))))))))))))))))))))))))))))))))))
.

2010-01-12 22:11 . 2008-04-14 02:34 14336 ------w- c:\windows\system32\svchost.exe
2010-01-12 17:12 . 2010-01-12 17:12 579584 -c--a-w- c:\windows\system32\dllcache\user32.dll
2010-01-12 17:06 . 2010-01-12 17:06 -------- d-----w- c:\windows\ERUNT
2010-01-12 17:00 . 2010-01-12 22:38 -------- d-----w- C:\SDFix
2010-01-12 08:22 . 2010-01-12 08:23 -------- d-----w- C:\rsit
2010-01-11 23:07 . 2010-01-11 23:07 -------- d-----w- c:\program files\Trend Micro
2010-01-11 20:54 . 2010-01-12 23:52 52224 ----a-w- c:\documents and settings\Leon\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-11 20:54 . 2010-01-12 23:52 117760 ----a-w- c:\documents and settings\Leon\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-01-11 20:53 . 2010-01-11 20:53 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-01-11 20:53 . 2010-01-11 20:53 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-01-11 20:53 . 2010-01-11 20:53 -------- d-----w- c:\documents and settings\Leon\Application Data\SUPERAntiSpyware.com
2010-01-11 20:53 . 2010-01-11 20:53 -------- d-----w- c:\program files\Fichiers communs\Wise Installation Wizard
2010-01-11 16:13 . 2010-01-11 16:13 -------- d-----w- c:\program files\Image-Line
2010-01-11 13:36 . 2010-01-11 13:36 -------- d-----w- c:\program files\D16 Group
2010-01-07 09:41 . 2010-01-07 09:41 -------- d-----w- c:\documents and settings\Leon\Application Data\Malwarebytes
2010-01-07 09:41 . 2009-12-30 13:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 09:41 . 2010-01-07 09:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-07 09:41 . 2010-01-07 09:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-07 09:41 . 2009-12-30 13:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-07 09:05 . 2009-11-21 15:58 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-07 00:18 . 2010-01-07 08:35 -------- d-----w- c:\documents and settings\All Users\Application Data\OnlineArmor
2010-01-07 00:18 . 2010-01-07 00:18 -------- d-----w- c:\documents and settings\Leon\Application Data\OnlineArmor
2010-01-07 00:17 . 2009-12-05 06:28 24656 ----a-w- c:\windows\system32\drivers\OAmon.sys
2010-01-07 00:17 . 2009-12-05 06:27 29776 ----a-w- c:\windows\system32\drivers\OAnet.sys
2010-01-07 00:17 . 2009-12-05 06:27 223312 ----a-w- c:\windows\system32\drivers\OADriver.sys
2010-01-07 00:17 . 2010-01-07 00:17 -------- d-----w- c:\program files\Tall Emu
2010-01-06 18:12 . 2010-01-06 18:12 218736 ----a-w- c:\documents and settings\Leon\Application Data\HouseCall 6.6\patch.exe
2010-01-06 18:12 . 2010-01-06 18:12 189968 ----a-w- c:\documents and settings\Leon\Application Data\HouseCall 6.6\ciussi32.dll
2010-01-06 18:12 . 2010-01-06 18:12 170512 ----a-w- c:\documents and settings\Leon\Application Data\HouseCall 6.6\PATCHW32.DLL
2010-01-06 18:12 . 2010-01-06 18:12 1267320 ----a-w- c:\documents and settings\Leon\Application Data\HouseCall 6.6\TmUpdate.dll
2010-01-06 18:12 . 2010-01-06 18:12 61440 ----a-w- c:\documents and settings\Leon\Application Data\HouseCall 6.6\Toolkit.dll
2010-01-06 18:12 . 2010-01-06 18:12 832776 ----a-w- c:\documents and settings\Leon\Application Data\HouseCall 6.6\lea.dll
2010-01-06 18:12 . 2010-01-06 18:12 439560 ----a-w- c:\documents and settings\Leon\Application Data\HouseCall 6.6\jlea.dll
2010-01-06 18:12 . 2010-01-06 18:12 42320 ----a-w- c:\documents and settings\Leon\Application Data\HouseCall 6.6\dsvout.dll
2010-01-06 18:12 . 2010-01-06 18:12 183356 ----a-w- c:\documents and settings\Leon\Application Data\HouseCall 6.6\Uninstaller.exe
2010-01-06 18:12 . 2010-01-06 19:38 -------- d-----w- c:\documents and settings\Leon\Application Data\HouseCall 6.6
2009-12-28 01:21 . 2010-01-08 18:39 -------- d-----w- c:\program files\Handbrake
2009-12-27 14:34 . 2009-12-27 14:34 -------- d-----w- c:\documents and settings\All Users\Application Data\F4
2009-12-27 14:28 . 2008-12-17 18:22 57344 ----a-w- c:\windows\system32\ff_vfw.dll
2009-12-27 14:28 . 2008-12-11 12:26 60273 ----a-w- c:\windows\system32\pthreadGC2.dll
2009-12-27 14:28 . 2009-12-27 14:28 -------- d-----w- c:\program files\ffdshow
2009-12-27 14:27 . 2009-12-27 18:29 -------- d-----w- c:\windows\SxsCaPendDel
2009-12-27 13:23 . 2009-12-27 13:23 -------- d-----w- c:\program files\DVD Shrink
2009-12-27 12:26 . 2009-12-27 12:26 -------- d-----w- c:\documents and settings\All Users\Application Data\SlySoft
2009-12-26 21:54 . 2009-12-26 22:01 -------- d-----w- c:\documents and settings\Leon\Application Data\Download Manager
2009-12-26 21:28 . 2009-12-26 21:28 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-26 21:27 . 2009-12-26 21:27 152576 ----a-w- c:\documents and settings\Leon\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-12-26 21:27 . 2009-12-26 21:27 79488 ----a-w- c:\documents and settings\Leon\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-24 10:52 . 2009-12-24 10:52 -------- d-s---w- c:\windows\system32\config\systemprofile\UserData
2009-12-22 15:27 . 2009-12-22 15:27 -------- d-----w- c:\program files\Alcohol Soft
2009-12-21 21:37 . 2009-12-27 13:24 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2009-12-21 20:44 . 2009-12-21 20:44 -------- d-----w- c:\documents and settings\Leon\Local Settings\Application Data\ATI
2009-12-21 20:44 . 2009-12-21 20:44 -------- d-----w- c:\documents and settings\Leon\Application Data\ATI
2009-12-21 20:28 . 2006-05-03 10:57 520192 ------w- c:\windows\system32\ati2sgag.exe
2009-12-20 18:10 . 2009-12-20 18:13 -------- d-----w- c:\windows\$regcmp$
2009-12-18 13:28 . 2009-12-18 13:28 -------- d-----w- c:\documents and settings\Leon\Application Data\VST3 Presets

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-13 11:57 . 2008-04-14 21:22 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-01-12 23:08 . 2008-04-17 21:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-12 13:10 . 2008-04-19 15:03 -------- d-----w- c:\documents and settings\Leon\Application Data\uTorrent
2010-01-12 10:29 . 2009-07-14 18:07 -------- d-----w- c:\documents and settings\Leon\Application Data\vlc
2010-01-12 09:20 . 2009-04-16 09:33 -------- d-----w- c:\program files\Unlocker
2010-01-12 09:01 . 2009-02-17 12:00 -------- d-----w- c:\program files\PopCap Games
2010-01-12 08:54 . 2009-04-12 12:08 -------- d-----w- c:\program files\Ingava.com
2010-01-12 08:45 . 2008-04-25 18:05 -------- d-----w- c:\program files\Norton Ghost
2010-01-12 00:05 . 2009-01-19 08:39 -------- d-----w- c:\documents and settings\All Users\Application Data\ma-config.com
2010-01-12 00:05 . 2009-01-19 08:39 -------- d-----w- c:\program files\ma-config.com
2010-01-12 00:01 . 2009-06-17 15:53 -------- d-----w- c:\program files\Google
2010-01-11 15:44 . 2008-04-17 21:24 -------- d-----w- c:\program files\FlashGet
2010-01-11 13:37 . 2008-06-21 10:30 -------- d-----w- c:\program files\Vstplugins
2010-01-10 12:26 . 2008-11-01 16:16 -------- d-----w- c:\program files\ABC Amber BlackBerry Converter
2010-01-10 09:46 . 2008-04-21 06:59 32 ----a-w- c:\windows\msocreg32.dat
2010-01-07 11:19 . 2002-08-30 12:00 101888 ----a-w- c:\windows\system32\drivers\adpu160m.sys
2010-01-07 00:18 . 2002-08-30 12:00 98038 ----a-w- c:\windows\system32\perfc00C.dat
2010-01-07 00:18 . 2002-08-30 12:00 545420 ----a-w- c:\windows\system32\perfh00C.dat
2010-01-06 18:13 . 2010-01-06 18:13 116048 ----a-w- c:\documents and settings\Leon\Application Data\HouseCall 6.6\TmEngDrv.dll
2010-01-06 18:13 . 2010-01-06 18:13 98304 ----a-w- c:\documents and settings\Leon\Application Data\HouseCall 6.6\getMac.exe
2010-01-06 18:13 . 2010-01-06 18:13 69632 ----a-w- c:\documents and settings\Leon\Application Data\HouseCall 6.6\mfcm80.dll
2010-01-06 18:13 . 2010-01-06 18:13 626688 ----a-w- c:\documents and settings\Leon\Application Data\HouseCall 6.6\msvcr80.dll
2010-01-06 18:13 . 2010-01-06 18:13 57344 ----a-w- c:\documents and settings\Leon\Application Data\HouseCall 6.6\mfcm80u.dll
2010-01-06 18:13 . 2010-01-06 18:13 548864 ----a-w- c:\documents and settings\Leon\Application Data\HouseCall 6.6\msvcp80.dll
2010-01-06 18:13 . 2010-01-06 18:13 479232 ----a-w- c:\documents and settings\Leon\Application Data\HouseCall 6.6\msvcm80.dll
2010-01-06 18:13 . 2010-01-06 18:13 1093632 ----a-w- c:\documents and settings\Leon\Application Data\HouseCall 6.6\mfc80.dll
2010-01-06 18:13 . 2010-01-06 18:13 1079808 ----a-w- c:\documents and settings\Leon\Application Data\HouseCall 6.6\mfc80u.dll
2010-01-06 12:58 . 2008-07-26 13:48 -------- d-----w- c:\documents and settings\Leon\Application Data\dvdcss
2010-01-05 17:21 . 2008-04-19 09:33 -------- d-----w- c:\documents and settings\Leon\Application Data\UseNeXT
2009-12-28 21:31 . 2009-01-09 16:02 -------- d-----w- c:\program files\Ray Adams
2009-12-28 16:42 . 2008-06-22 14:25 -------- d-----w- c:\program files\SyncBack
2009-12-26 21:28 . 2008-05-02 09:46 -------- d-----w- c:\program files\Java
2009-12-21 20:29 . 2008-05-27 08:09 -------- d-----w- c:\program files\ATI Technologies
2009-12-21 16:28 . 2009-07-05 12:09 -------- d-----w- c:\program files\IObit
2009-12-18 15:42 . 2009-04-20 12:28 -------- d-----w- c:\program files\XtremSplit
2009-12-14 11:24 . 2008-04-15 07:42 -------- d-----w- c:\program files\XnView
2009-12-13 14:19 . 2008-07-13 21:24 -------- d-----w- c:\documents and settings\Leon\Application Data\FileZilla
2009-12-12 21:49 . 2009-09-26 15:09 24340 ---ha-w- c:\windows\system32\mlfcache.dat
2009-12-10 20:49 . 2009-05-09 10:00 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-12-10 20:34 . 2008-04-17 21:24 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-08 19:25 . 2008-05-01 22:21 1 ----a-w- c:\documents and settings\Leon\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2009-12-08 19:24 . 2008-05-01 22:21 -------- d-----w- c:\documents and settings\Leon\Application Data\OpenOffice.org2
2009-12-07 21:09 . 2008-04-21 06:58 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-07 21:09 . 2009-12-07 21:09 -------- d-----w- c:\program files\CyberLink
2009-12-03 19:47 . 2009-12-03 19:44 -------- d-----w- c:\program files\ABC Amber Text Converter
2009-12-03 19:42 . 2008-11-01 15:14 -------- d-----w- c:\program files\ABC Amber BlackBerry Editor
2009-12-03 19:31 . 2008-04-19 08:56 33696 ----a-w- c:\documents and settings\Leon\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-03 19:22 . 2009-05-29 18:33 -------- d-----w- c:\program files\Ask & Record Toolbar
2009-12-03 19:18 . 2008-05-17 15:55 -------- d-----w- c:\program files\Fichiers communs\Roxio Shared
2009-12-03 19:18 . 2008-05-17 15:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio
2009-12-03 18:58 . 2009-02-17 12:00 10 ----a-w- c:\windows\popcinfo.dat
2009-12-03 10:34 . 2008-04-18 19:39 -------- d-----w- c:\program files\UseNeXT
2009-12-01 18:05 . 2009-12-01 18:05 -------- d-----w- c:\program files\laetjr
2009-12-01 17:56 . 2009-12-01 17:51 -------- d-----w- c:\program files\ABC Amber PDF Merger
2009-11-28 15:57 . 2009-11-28 15:57 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-11-27 10:24 . 2009-11-27 10:24 -------- d-----w- c:\program files\Recuva
2009-11-23 19:47 . 2009-11-23 19:43 -------- d-----w- c:\program files\Html to Jpg
2009-11-23 18:20 . 2009-11-23 17:52 -------- d-----w- c:\program files\Monster Truck Nitro 2
2009-11-21 18:38 . 2009-11-21 18:38 -------- d-----w- c:\program files\AviSynth 2.5
2009-11-21 18:38 . 2009-11-21 18:38 -------- d-----w- c:\program files\eRightSoft
2009-11-21 15:58 . 2002-08-30 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-10-29 05:25 . 2002-08-30 12:00 671232 ------w- c:\windows\system32\wininet.dll
2009-10-21 05:39 . 2008-04-19 08:43 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 05:39 . 2008-04-19 08:43 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-20 16:20 . 2008-04-19 08:44 265728 ------w- c:\windows\system32\drivers\http.sys
2009-10-15 16:32 . 2002-08-30 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-10-15 16:32 . 2002-08-30 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2006-12-15 09:50 . 2008-04-14 21:03 934054 ----a-w- c:\program files\xnview wallpaper.bmp
2006-05-03 09:06 . 2009-11-21 18:38 163328 --sh--r- c:\windows\system32\flvDX.dll
2009-10-02 11:20 . 2009-10-02 11:14 952 --sha-w- c:\windows\system32\KGyGaAvL.sys
2007-02-21 10:47 . 2009-11-21 18:38 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 12:30 . 2009-11-21 18:38 216064 --sh--r- c:\windows\system32\nbDX.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-01-06_20.16.40 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-09-22 16:12 . 2009-05-26 11:40 18296 c:\windows\system32\spmsg.dll
+ 2009-09-22 16:12 . 2008-07-08 13:03 18296 c:\windows\system32\spmsg.dll
+ 2002-08-30 12:00 . 2010-01-07 00:18 80780 c:\windows\system32\perfc009.dat
+ 2002-08-30 12:00 . 2008-04-14 02:34 14336 c:\windows\system32\dllcache\svchost.exe
- 2009-09-23 07:29 . 2009-07-29 04:35 81920 c:\windows\system32\dllcache\fontsub.dll
+ 2009-09-23 07:29 . 2009-10-15 16:32 81920 c:\windows\system32\dllcache\fontsub.dll
- 2009-12-24 10:52 . 2010-01-06 20:17 32768 c:\windows\system32\config\systemprofile\UserData\index.dat
+ 2009-12-24 10:52 . 2010-01-12 08:27 32768 c:\windows\system32\config\systemprofile\UserData\index.dat
+ 2010-01-12 08:26 . 2010-01-12 08:26 32768 c:\windows\system32\config\systemprofile\Local Settings\Historique\History.IE5\MSHist012010011220100113\index.dat
+ 2010-01-12 08:26 . 2010-01-12 08:26 32768 c:\windows\system32\config\systemprofile\Local Settings\Historique\History.IE5\MSHist012010010420100111\index.dat
+ 2010-01-09 12:51 . 2010-01-09 12:51 32768 c:\windows\system32\config\systemprofile\Local Settings\Historique\History.IE5\MSHist012009122820100104\index.dat
+ 2008-04-14 17:54 . 2010-01-13 11:31 32768 c:\windows\system32\config\systemprofile\Local Settings\Historique\History.IE5\index.dat
- 2008-04-14 17:54 . 2010-01-06 20:12 32768 c:\windows\system32\config\systemprofile\Local Settings\Historique\History.IE5\index.dat
+ 2008-04-14 17:54 . 2010-01-13 11:31 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-04-14 17:54 . 2010-01-06 20:12 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2010-01-11 20:53 . 2010-01-11 20:53 65024 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2010-01-11 20:53 . 2010-01-11 20:53 18944 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2010-01-11 20:53 . 2010-01-11 20:53 5120 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF16.exe
+ 2002-08-30 12:00 . 2010-01-07 00:18 470006 c:\windows\system32\perfh009.dat
- 2009-09-23 07:29 . 2009-07-29 04:35 119808 c:\windows\system32\dllcache\t2embed.dll
+ 2009-09-23 07:29 . 2009-10-15 16:32 119808 c:\windows\system32\dllcache\t2embed.dll
+ 2002-08-30 12:00 . 2010-01-07 11:19 101888 c:\windows\system32\dllcache\adpu160m.sys
+ 2008-04-14 17:54 . 2010-01-13 11:31 180224 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2010-01-11 13:36 . 2010-01-11 13:36 911360 c:\windows\Installer\8815b8.msi
+ 2010-01-12 17:06 . 2010-01-12 17:06 274432 c:\windows\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
+ 2010-01-12 17:06 . 2008-08-07 14:27 163328 c:\windows\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2010-01-12 17:07 . 2010-01-12 17:07 274432 c:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2010-01-12 17:07 . 2008-08-07 14:27 163328 c:\windows\ERUNT\SDFIX\ERDNT.EXE
+ 2010-01-11 20:53 . 2010-01-11 20:53 1583616 c:\windows\Installer\121f1c7.msi
+ 2009-01-15 20:17 . 2010-01-04 15:17 29634504 c:\windows\system32\MRT.exe
+ 2010-01-12 17:06 . 2010-01-12 17:06 13152256 c:\windows\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2010-01-12 17:07 . 2010-01-12 17:07 13152256 c:\windows\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
.
((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RMETray"="digi96.exe" [2005-06-14 86016]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"@OnlineArmor GUI"="c:\program files\Tall Emu\Online Armor\oaui.exe" [2009-12-05 6622920]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-13 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\TALLEM~1\ONLINE~1\oaevent.dll" [2009-12-05 923336]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 13:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wave"=digi96.dll
"wave4"=digi96.dll
"wave5"=digi96.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sprestrt

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^MOTU Pedal Handler.lnk]
path=c:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\MOTU Pedal Handler.lnk
backup=c:\windows\pss\MOTU Pedal Handler.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Leon^Menu Démarrer^Programmes^Démarrage^Adobe Gamma.lnk]
path=c:\documents and settings\Leon\Menu Démarrer\Programmes\Démarrage\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
2009-12-22 14:50 45056 ----a-w- c:\program files\ATI Technologies\ATI.ACE\CLI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATnotes.exe]
2005-01-05 13:45 1015808 ----a-w- c:\program files\ATnotes\ATnotes.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
2004-12-13 13:30 58992 ----a-w- c:\program files\Fichiers communs\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2008-06-24 14:06 1840424 ----a-w- c:\program files\Fichiers communs\Nero\Lib\NMIndexStoreSvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2006-09-11 02:40 218032 ----a-w- c:\program files\Fichiers communs\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2008-06-19 07:53 570664 ----a-w- c:\program files\Fichiers communs\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Ghost 10.0]
2005-09-09 17:09 1537648 ----a-w- c:\program files\Norton Ghost\Agent\GhostTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-04 23:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2004-11-02 19:24 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-12-26 21:28 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2008-04-19 11:45 185896 ----a-w- c:\program files\Fichiers communs\Real\Update_OB\realsched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R0 amdagpxp;AMD NB AGP Bus Filter;c:\windows\system32\drivers\amdagpxp.sys [19/01/2009 10:34 27776]
R0 amdeide;amdeide;c:\windows\system32\drivers\amdeide.sys [19/01/2009 10:34 4864]
R0 DigiFilter;DigiFilter;c:\windows\system32\drivers\DigiFilt.sys [02/05/2008 18:27 16384]
R1 Asapi;Asapi;c:\windows\system32\drivers\asapi.sys [17/04/2008 22:45 11264]
R1 atitray;atitray;c:\program files\Ray Adams\ATI Tray Tools\atitray.sys [25/11/2009 13:11 19232]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [07/01/2010 01:17 223312]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [07/01/2010 01:17 24656]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [07/01/2010 01:17 29776]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [05/01/2010 07:56 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [05/01/2010 07:56 74480]
R2 AntiVirSchedulerService;Avira AntiVir Planificateur;c:\program files\Avira\AntiVir Desktop\sched.exe [09/05/2009 11:00 108289]
R2 digi96;RME Digi Audio Device;c:\windows\system32\drivers\digi96.sys [21/07/2005 16:55 48768]
R2 DigiNet;Digidesign Ethernet Support;c:\windows\system32\drivers\diginet.sys [15/06/2008 15:58 16400]
R2 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [07/01/2010 01:17 1282248]
R2 tyansmb;tyansmb;c:\windows\system32\drivers\tyansmb.sys [26/09/2009 15:56 12751]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [14/04/2008 21:41 33792]
R3 motubus;MOTU Audio MIDI Extension;c:\windows\system32\drivers\motubus.sys [13/06/2008 12:04 23600]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [28/11/2009 16:57 721904]
S2 ALIEHCD;ULi PCI to USB Enhanced Host Controller;c:\windows\system32\drivers\AliEhci.sys [22/05/2008 18:32 83596]
S2 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [07/01/2010 01:17 3291336]
S3 aliroothub;USB 2.0 Root Hub;c:\windows\system32\drivers\AliRtHub.sys [22/05/2008 18:32 5331]
S3 dalwdmservice;dal service;c:\windows\system32\drivers\Dalwdm.sys [02/05/2008 18:26 97808]
S3 mfwagsif;MOTU Audio GSIF;c:\windows\system32\drivers\mfwagsif.sys [13/06/2008 12:04 22576]
S3 mfwamidi;MOTU Audio MIDI;c:\windows\system32\drivers\mfwamidi.sys [13/06/2008 12:04 26160]
S3 mfwawave;MOTU Audio Wave;c:\windows\system32\drivers\mfwawave.sys [13/06/2008 12:04 62000]
S3 MotuFWA;MotuFWA;c:\windows\system32\drivers\motufwa.sys [13/06/2008 12:04 438320]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [05/01/2010 07:56 7408]
S4 gupdate1c9ef63de99bb6c;Service Google Update (gupdate1c9ef63de99bb6c);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
.
Contenu du dossier 'Tâches planifiées'

2010-01-13 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\Leon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-23 09:17]
.
.
------- Examen supplémentaire -------
.
uStart Page = hxxp://www.talti.com
uInternet Settings,ProxyOverride = *.local
IE: &Tout télécharger avec FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Télécharger avec FlashGet - c:\program files\FlashGet\jc_link.htm
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://www.bitdefender.fr/scan_fr/scan8/oscan8.cab
FF - ProfilePath - c:\documents and settings\Leon\Application Data\Mozilla\Firefox\Profiles\stv2pt3f.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.GOOGLE.fr
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - plugin: c:\documents and settings\Leon\Local Settings\Application Data\Google\Update\1.2.131.11\npGoogleOneClick5.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npornap.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- PARAMETRES FIREFOX ----
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - fales
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-13 13:06
Windows 5.1.2600 Service Pack 3 NTFS

Recherche de processus cachés ...

Recherche d'éléments en démarrage automatique cachés ...

Recherche de fichiers cachés ...

Scan terminé avec succès
Fichiers cachés: 0

**************************************************************************
.
--------------------- DLLs chargées dans les processus actifs ---------------------

- - - - - - - > 'winlogon.exe'(508)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2572)
c:\windows\system32\eappprxy.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Heure de fin: 2010-01-13 13:10:06
ComboFix-quarantined-files.txt 2010-01-13 12:10
ComboFix2.txt 2010-01-13 11:51
ComboFix3.txt 2010-01-06 20:23

Avant-CF: 2 324 176 896 octets libres
Après-CF: 2 308 366 336 octets libres

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 9D838D76CE304AC2BAB35082431AE254

Thanks for your attention, I'm slowly starting to get tired of this.... ;O)
0

Thierrrrry Posts 6 Status Member
 
Additional info: the properties of the svchost.exe file created in windows\temp\*.* give me

Language: Russian
file name odbcconf.dll
version 3.525.1132.0
xpsp080413-0852
Microsoft Data Access Components

I scanned all the DLLs found on the disk with VirusTotal, without success.

That's it, thanks!
0
Thierrrrry Posts 6 Status Member
 
Follow-up to the follow-up: I managed to analyse the svchost.exe file before it disappeared; here is the VirusTotal report. Note that neither Antivir nor Malwarebytes sees it.

Fichier svchost.exe reçu le 2010.01.13 14:06:48 (UTC)
Antivirus Version Dernière mise à jour Résultat
a-squared 4.5.0.48 2010.01.13 -
AhnLab-V3 5.0.0.2 2010.01.13 -
AntiVir 7.9.1.134 2010.01.13 TR/Hooker.BS
Antiy-AVL 2.0.3.7 2010.01.12 -
Authentium 5.2.0.5 2010.01.12 -
Avast 4.8.1351.0 2010.01.13 -
AVG 9.0.0.725 2010.01.13 -
BitDefender 7.2 2010.01.13 -
CAT-QuickHeal 10.00 2010.01.13 -
ClamAV 0.94.1 2010.01.13 -
Comodo 3569 2010.01.13 TrojWare.Win32.Trojan.Agent.Gen
DrWeb 5.0.1.12222 2010.01.13 -
eSafe 7.0.17.0 2010.01.13 -
eTrust-Vet 35.2.7234 2010.01.13 -
F-Prot 4.5.1.85 2010.01.12 -
F-Secure 9.0.15370.0 2010.01.13 Suspicious:W32/Riskware!Online
Fortinet 4.0.14.0 2010.01.13 W32/Agent.BFF2!tr.rkit
GData 19 2010.01.13 -
Ikarus T3.1.1.80.0 2010.01.13 -
Jiangmin 13.0.900 2010.01.13 -
K7AntiVirus 7.10.946 2010.01.13 -
Kaspersky 7.0.0.125 2010.01.13 Trojan.Win32.Hooker.bs
McAfee 5859 2010.01.12 -
McAfee+Artemis 5859 2010.01.12 -
McAfee-GW-Edition 6.8.5 2010.01.13 Trojan.Hooker.BS
Microsoft 1.5302 2010.01.13 -
NOD32 4766 2010.01.13 -
Norman 6.04.03 2010.01.13 -
nProtect 2009.1.8.0 2010.01.13 -
Panda 10.0.2.2 2010.01.12 -
PCTools 7.0.3.5 2010.01.13 -
Prevx 3.0 2010.01.13 High Risk Cloaked Malware
Rising 22.30.02.06 2010.01.13 -
Sophos 4.49.0 2010.01.13 Mal/Generic-A
Sunbelt 3.2.1858.2 2010.01.13 -
Symantec 20091.2.0.41 2010.01.13 -
TheHacker 6.5.0.3.148 2010.01.13 -
TrendMicro 9.120.0.1004 2010.01.13 -
VBA32 3.12.12.1 2010.01.13 -
ViRobot 2010.1.13.2134 2010.01.13 -
VirusBuster 5.0.21.0 2010.01.12 -
Information additionnelle
File size: 134656 bytes
MD5...: 7f0db2a3c0b0af4869c7884661b514b5
SHA1..: ed7fb4170509ce56dc6457fb9464d712c25ada48
SHA256: 70f9b9556aa2fc1b7a584ac72a9b442bb179a39113dd511b9d8c6f3124b79ce9
ssdeep: 3072:hn9NoqnBnY58gXife6FBtDSdTFRidJcldu5cEWDDAO+9:hn9NtBnM8gXifeCBtSRidJAdLl+
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x8190
timedatestamp.....: 0x4b4a747e (Mon Jan 11 00:44:46 2010)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x8e30 0x9000 5.96 df23d813025091f60fdd058b1ad0ef9b
.rdata 0xa000 0x824 0xa00 4.80 ebdb4ed94c2032a53fa56192c2c0ced8
.data 0xb000 0x3c 0x200 0.12 0654b61762ac51f4a1ed65d4bb7037eb
.rsrc 0xc000 0x169a8 0x16a00 7.55 69894b42657efc04878694ab2b7cbbde
.reloc 0x23000 0x1000 0x400 3.67 05c2adcd3f360dfeb0fb6167a8870a2d

( 3 imports )
> KERNEL32.dll: GetCurrentProcessId, LocalFree, ReleaseMutex, GetCurrentDirectoryA, GetSystemDirectoryA, WriteFile, SetFilePointer, GetVersionExA, ResetEvent, GetComputerNameA, DeleteFileA, GetCurrentProcess, GetFileSize, CloseHandle, LocalAlloc, CreateMutexA, GetStdHandle, GetModuleHandleA, ResumeThread, WaitForSingleObject
> ADVAPI32.dll: GetUserNameA
> USER32.dll: GetSystemMetrics, PostMessageA, CreateDialogParamA, wsprintfA, GetClassInfoExA, GetWindow, GetActiveWindow

( 0 exports )

RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
http://info.prevx.com/aboutprogramtext.asp?PX5=C74129AC0041EF150ED102C04183720054AADD59

0
dédétraqué Posts 4522 Status Security contributor 286
 
Hi Thierrrrry

Why lie to me when I can see it in the reports???

And you even used Combofix twice today...

ComboFix-quarantined-files.txt 2010-01-13 12:10
ComboFix2.txt 2010-01-13 11:51
ComboFix3.txt 2010-01-06 20:23 <-----


As requested above, post the Combofix report dated the 6th; it is now located here:
C:\Qoobox\ComboFix3.txt

@++ :)
0
Thierrrrry Posts 6 Status Member
 
Hello,

I don't understand, I didn't think I had run combofix...

Anyway. I hadn't seen that you wanted the version from the 6th, so I ran it again. It wanted to disable Alcohol and rebooted, and then I got the window saying I had to activate XP, with a yes/no window that kept coming back whatever I did. (My XP installation dates back a long way.) Impossible to get Explorer. Impossible to restore from the console. In short, repair from the CD, and there, same thing, invalid number! A real headache, and even a power cut that showed me the UPS is dead. So, a phone call to Microsoft, a new activation number, SP2/3 all over again etc... no more connection. Registry repair, and now it seems to be fine, no more alerts. I think I'm going to make a ghost image quickly...

Thanks anyway for your rescue attempt.

See you soon

Thierrrrrrrrry
0
art21
 
Hello, I have the same problem as Thierrrrrrrrry and I can't solve it.

Here are the RSIT and hijack reports.

Thanks.

log.txt:

Logfile of random's system information tool 1.06 (written by random/random)
Run by Utilisateur at 2010-01-22 11:11:31
Microsoft® Windows Vista™ Édition Familiale Premium Service Pack 2
System drive C: has 31 GB (13%) free of 238 GB
Total RAM: 2046 MB (42% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:11:41, on 22/01/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v7.00 (7.00.6002.18005)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Windows\System32\fireface.exe
C:\Windows\System32\firefacemix.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Utilisateur\Desktop\RSIT.exe
C:\Program Files\trend micro\Utilisateur.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Programme d'aide de l'Assistant de connexion Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe -r
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [FirefaceTray] fireface.exe
O4 - HKLM\..\Run: [FirefaceMixTray] firefacemix.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [NokiaMusic FastStart] "C:\Program Files\Nokia\Ovi Player\NokiaOviPlayer.exe" /command:faststart
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [NokiaMServer] C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer /watchfiles startup
O4 - HKLM\..\Run: [BboxUpdate] C:\Program Files\BboxUpdate\eStantAutoRunV.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [NokiaOviSuite2] C:\Program Files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe -tray
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [cbssreg] C:\Windows\TEMP\pmtc.tmp\svchost.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [cbssreg] C:\Windows\TEMP\pmtc.tmp\svchost.exe (User 'Default user')
O13 - Gopher Prefix:
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Planificateur (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Dragon Age: Origins - Content Updater (DAUpdaterSvc) - BioWare - C:\Program Files\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe
O23 - Service: BboxUpdate (eStantLaunchService) - TechCity Solutions France - C:\Program Files\BboxUpdate\eSRunService.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Service Google Update (gupdate1ca4c6d777e69c0) (gupdate1ca4c6d777e69c0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD DE\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SureThing Labelflash service - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
0