Rootkit agent (continued)

Closed

noopnoop - 22 May 2010 at 09:03
Thank you very much for the quick reply, here is my scan report

ComboFix 10-05-21.05 - Admin 22/05/2010 8:49.1.2 - x86
Microsoft® Windows Vista(TM) Home Premium 6.0.6000.0.1252.33.1036.18.3326.2388 [GMT 2:00]
Launched from: c:\users\Admin\Desktop\adeshi.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

(((((((((((((((((((((((((((((((((((( Other deletions ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DFRE171.tmp
c:\windows\system32\AbaleZip.dll

.
((((((((((((((((((((((((((((( Files created from 2010-04-22 to 2010-05-22 ))))))))))))))))))))))))))))))))))))
.

2010-05-20 17:30 . 2010-05-22 06:44 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-05-20 17:30 . 2010-05-22 06:40 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-05-20 16:06 . 2010-05-20 16:06 -------- d-----w- c:\users\Admin\AppData\Roaming\Malwarebytes
2010-05-20 16:06 . 2010-05-22 06:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-20 16:06 . 2010-05-20 16:06 -------- d-----w- c:\programdata\Malwarebytes
2010-05-20 16:06 . 2010-05-20 16:06 -------- dc-h--w- c:\programdata\{4C69BCF0-B586-4D30-83FD-D1FFA37AF48C}
2010-05-20 16:06 . 2010-05-20 16:06 -------- d-----w- c:\users\Admin\AppData\Roaming\Fighters
2010-05-20 16:06 . 2010-05-20 16:06 -------- d-----w- c:\users\Admin\AppData\Local\PackageAware
2010-05-20 16:04 . 2010-05-20 18:38 -------- d-----w- c:\program files\trend micro
2010-05-20 16:04 . 2010-05-20 16:04 -------- d-----w- C:\rsit
2010-05-19 11:32 . 2010-05-20 16:14 -------- d-----w- c:\users\Admin\AppData\Local\nsksahifv
2010-05-15 15:46 . 2010-05-16 19:16 -------- d-----w- c:\users\Admin\VIDEO ADULTES
2010-05-02 11:45 . 2010-05-02 11:45 -------- d-----w- c:\users\Admin\AppData\Roaming\WildTangent

.
(((((((((((((((((((((((((((((((((( Find3M report ))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-22 06:52 . 2008-04-10 22:28 690594 ----a-w- c:\windows\system32\perfh00C.dat
2010-05-22 06:52 . 2008-04-10 22:28 117366 ----a-w- c:\windows\system32\perfc00C.dat
2010-05-22 06:44 . 2010-02-05 20:24 602 ----a-w- c:\programdata\ArcSoft\kodak-printcreations-22-080812-oem\acforall.dll
2010-05-22 06:43 . 2009-11-05 16:55 -------- d-----w- c:\programdata\avg9
2010-05-22 05:57 . 2010-03-11 19:40 1 ----a-w- c:\users\Admin\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-05-20 16:10 . 2010-01-28 13:28 1712 ----a-w- c:\users\Admin\AppData\Roaming\wklnhst.dat
2010-05-19 11:31 . 2010-05-19 11:31 16 ----a-w- c:\users\Admin\AppData\Roaming\wpcalv.dat
2010-05-15 22:03 . 2009-11-05 20:28 -------- d-----w- c:\users\Admin\AppData\Roaming\LimeWire
2010-05-15 16:08 . 2009-08-15 11:57 -------- d-----w- c:\program files\EasyBits For Kids
2010-05-15 16:04 . 2009-11-05 20:27 -------- d-----w- c:\program files\LimeWire
2010-05-12 09:21 . 2009-10-03 07:16 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-02 11:45 . 2008-04-10 13:47 -------- d-----w- c:\programdata\WildTangent
2010-04-16 11:18 . 2009-07-01 19:05 680 ----a-w- c:\users\Admin\AppData\Local\d3d9caps.dat
2010-04-15 11:41 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-04-13 09:13 . 2010-04-13 09:13 -------- d-----w- c:\program files\QuickTime
2010-04-13 09:13 . 2010-04-13 09:13 -------- d-----w- c:\programdata\Apple Computer
2010-04-09 14:41 . 2010-04-08 17:11 -------- d-----w- c:\programdata\QuickTime
2010-04-09 10:37 . 2010-04-09 10:37 653576 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-03-26 11:32 . 2008-04-10 13:28 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-26 11:31 . 2010-02-05 20:25 2485883 ----a-w- c:\programdata\ArcSoft\Global Deploy\CheckUpdate\ArcConnect.exe
2010-03-24 23:11 . 2010-03-24 22:45 -------- d-----w- c:\users\Admin\AppData\Roaming\Shareware Business Plan
2010-03-12 12:19 . 2009-06-30 07:52 76936 ----a-w- c:\users\Admin\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-11 19:33 . 2010-03-11 19:34 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-11 19:33 . 2010-03-11 19:34 149280 ----a-w- c:\windows\system32\jusched.exe
2010-03-11 19:33 . 2008-04-10 13:40 55072 ----a-w- c:\windows\system32\jureg.exe
2010-03-11 19:33 . 2008-04-10 13:40 386872 ----a-w- c:\windows\system32\jucheck.exe
2010-03-05 14:01 . 2010-04-14 07:26 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-23 13:14 . 2010-04-14 07:27 211968 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-02-23 13:14 . 2010-04-14 07:27 58368 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-02-23 13:14 . 2010-04-14 07:27 102400 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-23 06:39 . 2010-03-31 05:39 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33 . 2010-03-31 05:39 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 06:33 . 2010-03-31 05:39 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 04:55 . 2010-03-31 05:39 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-14 00:16 . 2009-07-14 00:16 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-07-14 00:16 . 2009-07-14 00:16 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2008-04-10 23:02 . 2008-04-10 22:30 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((( Registry loading points ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate default entries are not listed
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-04 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2007-11-15 44168]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Logiciel Kodak EasyShare.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Logiciel Kodak EasyShare.lnk
backup=c:\windows\pss\Logiciel Kodak EasyShare.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Admin^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
path=c:\users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
backup=c:\windows\pss\OpenOffice.org 3.1.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-05-11 01:06 40048 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]
2010-03-18 10:19 207360 ----a-w- c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BIBLauncher]
2009-11-16 10:04 853736 ----a-w- c:\users\Admin\BIBLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 14:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPAdvisor]
2008-01-18 16:21 942080 ----a-w- c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
2007-04-18 15:01 65536 ----a-w- c:\hp\support\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2008-06-02 16:50 178712 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
2006-12-08 15:16 65536 ----a-w- c:\hp\KBD\KbdStub.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2007-12-13 13:58 8530464 ----a-w- c:\windows\System32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2007-12-13 13:58 81920 ----a-w- c:\windows\System32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvSvc]
2007-12-13 13:58 86016 ----a-w- c:\windows\System32\nvsvc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OsdMaestro]
2007-02-15 11:59 118784 ----a-w- c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-17 19:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2008-07-03 09:27 6266880 ----a-w- c:\windows\RtHDVCpl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2008-04-10 23:04 1232896 ----a-w- c:\program files\Windows Sidebar\sidebar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-07-04 20:01 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-04-10 22:35 1006264 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

R2 gupdate1ca4a4d6a2dccbb;Service Google Update (gupdate1ca4a4d6a2dccbb);c:\program files\Google\Update\GoogleUpdate.exe [2009-10-11 133104]
R3 PCD5SRVC{BD6912E3-AC9D80E8-05040000};PCD5SRVC{BD6912E3-AC9D80E8-05040000} - PCDR Kernel Mode Service Helper Driver;c:\progra~1\PC-DOC~1\PCD5SRVC.pkms [2007-12-11 21280]
S2 ezntsvc;EasyBits Magic Desktop Services for Windows NT;c:\windows\system32\ezNTSvc.exe [2009-08-15 33792]


--- Other services/drivers in memory ---

*Deregistered* - cqrsgva
.
Contents of the 'Scheduled Tasks' folder

2010-05-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-11 08:32]

2010-05-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-11 08:32]

2010-05-03 c:\windows\Tasks\HPCeeScheduleForAdmin.job
- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2008-04-10 10:10]

2010-05-22 c:\windows\Tasks\User_Feed_Synchronization-{7E6065A7-C35F-4899-9C25-001C0B77A369}.job
- c:\windows\system32\msfeedssync.exe [2010-03-31 04:54]
.
.
------- Supplementary scan -------
.
uStart Page = hxxp://www.google.fr/
mStart Page = hxxp://www.duxet.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
IE: &Recherche AOL Toolbar - c:\program files\aol\aol toolbar 5.0\resources\fr-fr\local\search.html
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{280b5d37-4a76-467a-b3d6-942fca90acde} - (no file)
URLSearchHooks-{fe37be35-b028-49f9-bb0c-6a38c4e55b97} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKLM-Run-Malwarebytes Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe
MSConfigStartUp-AVG9_TRAY - c:\progra~1\AVG\AVG9\avgtray.exe
MSConfigStartUp-HP Health Check Scheduler - [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
MSConfigStartUp-igkcomka - c:\users\Admin\igkcomka.exe
MSConfigStartUp-Malwarebytes Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-22 08:56
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\PCD5SRVC{BD6912E3-AC9D80E8-05040000}]
"ImagePath"="\??\c:\progra~1\PC-DOC~1\PCD5SRVC.pkms"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\cqrsgva]

.
Completion time: 2010-05-22 08:58:04
ComboFix-quarantined-files.txt 2010-05-22 06:58

Before CF: 352,304,218,112 bytes free
After CF: 351,303,835,648 bytes free

- - End Of File - - 87FDAF472F7D9106064270841A557FA4


noopnoop
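
The log above carries several lines a responder would pull out before anything else: the IE proxy set to `http=127.0.0.1:5555` in the supplementary scan, the Security Center `DisableMonitoring` values set to 1, the deregistered `cqrsgva` service, and the orphan `MSConfigStartUp-igkcomka` entry pointing at an executable sitting directly in the user profile root. The helper below is an added example, not code from the forum post, from ComboFix or from the responder: it walks a ComboFix-style log and surfaces those line types for review. The embedded excerpt is constructed from lines quoted in the log above, and the rules are generic triage heuristics (a loopback proxy or silenced Security Center alerts can also come from legitimate filtering or security software), so the output is a list of leads, not a verdict about this machine.

```python
"""Triage helper for ComboFix-style logs: pulls out the lines a responder
checks first. Added example, not part of the forum post or of ComboFix."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Excerpt constructed from lines quoted in the log above (trimmed for brevity).
SAMPLE_LOG = """\
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

R2 gupdate1ca4a4d6a2dccbb;Service Google Update (gupdate1ca4a4d6a2dccbb);c:\\program files\\Google\\Update\\GoogleUpdate.exe [2009-10-11 133104]

--- Other services/drivers in memory ---

*Deregistered* - cqrsgva
.
uStart Page = hxxp://www.google.fr/
mStart Page = hxxp://www.duxet.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
.
MSConfigStartUp-AVG9_TRAY - c:\\progra~1\\AVG\\AVG9\\avgtray.exe
MSConfigStartUp-igkcomka - c:\\users\\Admin\\igkcomka.exe
"""


@dataclass(frozen=True)
class Finding:
    rule: str   # short name of the heuristic that fired
    line: str   # the log line (plus registry key context where relevant)


# Browser traffic routed through a process on the local machine. Legitimate
# filters do this too, so it is a lead to check, not a verdict.
PROXY_RE = re.compile(
    r"ProxyServer\s*=\s*(?:\w+=)?(127\.0\.0\.1|localhost):(\d+)", re.I)
# Security Center "DisableMonitoring"=1 silences AV/firewall-state alerts.
DISABLE_MON_RE = re.compile(r'"DisableMonitoring"=dword:0*1\b', re.I)
SECCENTER_KEY_RE = re.compile(r"^\[.*security center\\Monitoring", re.I)
# Startup entries whose executable sits directly in the profile root
# (c:\users\<name>\x.exe) instead of under Program Files.
PROFILE_ROOT_EXE_RE = re.compile(r"c:\\users\\[^\\]+\\[^\\]+\.exe\s*$", re.I)
# Services still referenced in memory but no longer registered on disk.
DEREG_RE = re.compile(r"^\*Deregistered\*\s*-\s*(\S+)")


def find_indicators(log_text: str) -> list[Finding]:
    """Return the lines of a ComboFix-style log that match a triage rule."""
    findings: list[Finding] = []
    current_key = ""            # most recent "[HKEY_...]" header seen
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            current_key = line
        m = PROXY_RE.search(line)
        if m:
            findings.append(Finding(f"loopback proxy {m.group(1)}:{m.group(2)}", line))
        if DISABLE_MON_RE.search(line) and SECCENTER_KEY_RE.search(current_key):
            findings.append(Finding("security center monitoring disabled",
                                    f"{current_key} {line}"))
        if PROFILE_ROOT_EXE_RE.search(line):
            findings.append(Finding("startup executable in profile root", line))
        m = DEREG_RE.match(line)
        if m:
            findings.append(Finding(f"deregistered service {m.group(1)}", line))
    return findings


if __name__ == "__main__":
    for f in find_indicators(SAMPLE_LOG):
        print(f"[{f.rule}] {f.line}")
```

Run it on a full saved ComboFix log by passing the file contents to `find_indicators`; each rule is deliberately narrow and keyed on the log's own syntax (the `[HKEY_...]` header tracked as context for the `DisableMonitoring` value, the `*Deregistered*` marker, the `ProxyServer =` line), so extending it means adding one regex per line type rather than re-parsing the whole report.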


1 reply

sKe69 (21360 posts, registered Saturday 15 March 2008, status: security contributor, last active 30 December 2012)
22 May 2010 at 09:09
hello,


DUPLICATE!


Please stay on your first topic > https://forums.commentcamarche.net/forum/affich-17813375-rootkit-agent


Cheers
