EOREZO removal, continued
Closed
VINY74
Posts: 18
Status: Member
crapoulou - Posts: 42848 - Status: Moderator, Security contributor
Hello,
I'm back with my COMBOFIX report.
I hope I carried out the steps correctly, especially disabling my antivirus.
ComboFix 10-08-10.06 - VIRGINIE 11/08/2010 13:46:59.4.1 - x86
Microsoft Windows XP Professionnel 5.1.2600.3.1252.33.1036.18.1015.590 [GMT 2:00]
Lancé depuis: c:\documents and settings\VIRGINIE\Bureau\ComboFix.exe
AV: ESET NOD32 antivirus system 2.70 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
* Un antivirus résident est actif
.
(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\HelpAssistant\delself.bat
c:\documents and settings\HelpAssistant\oashdihasidhasuidhiasdhiashdiuasdhasd
c:\documents and settings\LocalService\Cookies\adalisili._sy
c:\documents and settings\LocalService\Cookies\amugo.dll
c:\documents and settings\LocalService\Cookies\cedecyx.bat
c:\documents and settings\LocalService\Cookies\cokej.ban
c:\documents and settings\LocalService\Cookies\ojonani.exe
c:\documents and settings\LocalService\Cookies\pasudire._sy
c:\documents and settings\LocalService\Cookies\qozonecab.com
c:\documents and settings\LocalService\Local Settings\Temporary Internet Files\bevunypi.dl
c:\documents and settings\LocalService\Local Settings\Temporary Internet Files\mopefe.exe
c:\documents and settings\LocalService\Local Settings\Temporary Internet Files\utet.com
c:\documents and settings\LocalService\oashdihasidhasuidhiasdhiashdiuasdhasd
c:\documents and settings\VIRGINIE\delself.bat
c:\documents and settings\VIRGINIE\Recent\DBOLE.tmp
c:\documents and settings\VIRGINIE\Recent\eb.tmp
c:\documents and settings\VIRGINIE\Recent\kernel32.tmp
c:\documents and settings\VIRGINIE\Recent\SM.tmp
c:\documents and settings\VIRGINIE\Recent\tjd.tmp
C:\IE8-WI~1.EXE
C:\install.exe
c:\program files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}
c:\program files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul
c:\program files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf
c:\windows\Fonts\unins000.exe
c:\windows\system32\_000006_.tmp.dll
c:\windows\system32\DelSelf.bat
c:\windows\system32\Thumbs.db
c:\windows\system32\drivers\soqwx32.sys . . . est infecté!! . . . Failed to find a valid replacement.
Une copie infectée de c:\windows\system32\drivers\beep.sys a été trouvée et désinfectée
Copie restaurée à partir de - c:\windows\system32\dllcache\cache\beep.sys
.
((((((((((((((((((((((((((((( Fichiers créés du 2010-07-11 au 2010-08-11 ))))))))))))))))))))))))))))))))))))
.
2010-08-11 10:16 . 2010-08-11 10:28 -------- d-----w- c:\program files\ZHPDiag
2010-08-01 19:06 . 2010-08-01 19:06 -------- d-----w- c:\windows\system32\wbem\Repository
2010-08-01 19:06 . 2010-08-10 12:19 -------- d-----w- c:\documents and settings\VIRGINIE\Local Settings\Application Data\EoRezo
2010-08-01 09:16 . 2010-08-01 19:06 -------- d-----w- c:\documents and settings\All Users\Application Data\b703141
2010-07-29 11:47 . 2010-08-04 08:55 -------- d-----w- c:\program files\EoRezo
2010-07-24 19:52 . 2010-07-24 19:53 -------- d-----w- c:\program files\Fichiers communs\Adobe
2010-07-24 19:47 . 2010-07-24 19:48 23489040 ----a-w- C:\AdbeRdr709_fr_FR.exe
2010-07-24 15:39 . 2010-07-24 15:39 42643880 ----a-w- C:\AdbeRdr933_fr_FR.exe
2010-07-14 19:42 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-10 12:08 . 2009-08-11 17:25 -------- d-----w- c:\documents and settings\VIRGINIE\Application Data\vlc
2010-08-04 09:14 . 2009-08-23 20:48 -------- d-----w- c:\documents and settings\VIRGINIE\Application Data\EoRezo
2010-08-01 09:13 . 2009-07-06 03:20 -------- d-----w- c:\program files\Fichiers communs\Java
2010-08-01 09:12 . 2009-07-06 03:20 -------- d-----w- c:\program files\Java
2010-07-25 06:18 . 2009-07-18 10:24 -------- d-----w- c:\program files\Yahoo!
2010-06-14 14:31 . 2004-09-23 17:07 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-10 20:17 . 2004-09-23 16:12 86526 ----a-w- c:\windows\system32\perfc00C.dat
2010-06-10 20:17 . 2004-09-23 16:12 513928 ----a-w- c:\windows\system32\perfh00C.dat
.
((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmpcSys"="c:\apps\SMP\SmpSys.exe" [2005-11-17 975360]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Assistant DartyBox"="c:\program files\DartyBox_v3\Sagem\AssistantDB\AssistantDB_Sagem.exe" [2009-04-09 4665856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"Raccourci vers la page des propriétés de High Definition Audio"="HDAShCut.exe" [2005-01-07 61952]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-05-12 774233]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-08-14 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-08-14 114688]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-08-14 94208]
"HControl"="c:\windows\ATK0100\HControl.exe" [2006-04-17 110592]
"DetectorApp"="c:\program files\Sonic\DigitalMedia LE v7\MyDVD LE\DetectorApp.exe" [2005-10-20 102400]
"ISUSPM Startup"="c:\progra~1\FICHIE~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Fichiers communs\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-05 98304]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2009-08-17 950664]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"eorezo"="c:\program files\EoRezo\eorezo.exe" [2010-04-12 667648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Fichiers communs\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"OoPDFSettingsv6.exe"="c:\program files\OFFICE One6.5\OFFICE One PDF Manager\OoPDFSettingsv6.exe" [2003-11-20 460800]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\VIRGINIE\Menu Démarrer\Programmes\Démarrage\
Notification de cadeaux MSN.lnk - c:\documents and settings\VIRGINIE\Application Data\Microsoft\Notification de cadeaux MSN\lsnfier.exe [2009-7-8 135680]
OFFICE One 6.5.lnk - c:\program files\OFFICE One6.5\program\quickstart.exe [2004-3-8 36864]
c:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
OFFICE One Clock v6.5.lnk - c:\program files\OFFICE One6.5\OFFICE One Clock\ooneclockv65.exe [2009-7-5 257536]
OFFICE One Notes v6.5.lnk - c:\program files\OFFICE One6.5\OFFICE One Notes\oonotesv65.exe [2009-7-5 559104]
Utilitaire réseau pour SAGEM Wi-Fi 11g USB adapter.lnk - c:\program files\DartyBox Wifi\SAGEM WiFi manager\WLANUTL.exe [2009-7-6 950272]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%ProgramFiles%\\AOL 9.0\\aol.exe"=
"%ProgramFiles%\\UBISOFT\\Splinter Cell Pandora Tomorrow\\logo_ubi.exe"=
"%ProgramFiles%\\UBISOFT\\Splinter Cell Pandora Tomorrow\\pandora.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\APPS\\skype\\phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"6995:TCP"= 6995:TCP:Services
"6996:TCP"= 6996:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"2746:TCP"= 2746:TCP:Services
"3992:TCP"= 3992:TCP:Services
R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [17/08/2009 15:39 15424]
R3 SynMini;USB2.0 VGA WebCam;c:\windows\system32\drivers\SynMini.sys [06/10/2006 00:27 1056512]
R3 SynScan;USB2.0 VGA WebCam Still Image;c:\windows\system32\drivers\SynScan.sys [06/10/2006 00:28 8064]
S1 soqwx32;soqwx32;c:\windows\system32\drivers\soqwx32.sys [12/08/2009 18:27 0]
S3 maconfservice;Ma-Config Service;c:\program files\ma-config.com\maconfservice.exe [29/05/2009 17:13 234864]
.
Contenu du dossier 'Tâches planifiées'
.
.
------- Examen supplémentaire -------
.
uStart Page = hxxp://www.dartybox.com
mSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://192.168.1.254/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
LSP: c:\windows\system32\imon.dll
DPF: {5d86ddb5-bdf9-441b-9e9e-d4730f4ee499} - hxxp://www.bitdefender.fr/scan_fr/scan8/oscan8.cab
.
- - - - ORPHELINS SUPPRIMES - - - -
HKCU-Run-msword98 - c:\documents and settings\VIRGINIE\msword98.exe
HKLM-Run-EoEngine - (no file)
HKLM-Run-SoftwareHelper - c:\documents and settings\VIRGINIE\Application Data\eoRezo\SoftwareUpdate\SoftwareUpdateHP.exe
AddRemove-OFFICE One 450 Fonts_is1 - c:\windows\Fonts\unins000.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-11 14:01
Windows 5.1.2600 Service Pack 3 NTFS
Recherche de processus cachés ...
Recherche d'éléments en démarrage automatique cachés ...
Recherche de fichiers cachés ...
Scan terminé avec succès
Fichiers cachés: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8640678A]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf770bf28
\Driver\ACPI -> ACPI.sys @ 0xf751dcb8
\Driver\atapi -> ntkrnlpa.exe @ 0x80586e11
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Intel(R) PRO/Wireless 3945ABG Network Connection -> SendCompleteHandler -> 0x8646cb60
PacketIndicateHandler -> NDIS.sys @ 0xf734da0d
SendHandler -> NDIS.sys @ 0xf7361b40
copy of MBR has been found in sector 0x0950A600
malicious code @ sector 0x0950A603 !
PE file found in sector at 0x0950A619 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
**************************************************************************
.
--------------------- DLLs chargées dans les processus actifs ---------------------
- - - - - - - > 'lsass.exe'(760)
c:\windows\system32\imon.dll
- - - - - - - > 'explorer.exe'(1776)
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
.
------------------------ Autres processus actifs ------------------------
.
c:\program files\OFFICE One6.5\program\soffice.exe
c:\progra~1\FICHIE~1\AOL\ACS\AOLacsd.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Eset\nod32krn.exe
c:\windows\system32\HPZipm12.exe
c:\windows\ATK0100\ATKOSD.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\Fichiers communs\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\Sonic\DigitalMedia LE v7\MyDVD LE\USBDeviceService.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\eHome\ehmsas.exe
c:\windows\system32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Heure de fin: 2010-08-11 14:09:13 - La machine a redémarré
ComboFix-quarantined-files.txt 2010-08-11 12:09
Avant-CF: 50 020 917 248 octets libres
Après-CF: 52 037 251 072 octets libres
Current=6 Default=6 Failed=5 LastKnownGood=1 Sets=1,3,5,6
- - End Of File - - 2D147F1F10094D312752E8B9052348DC
1 reply
Hello,
Please stay on the discussion that was created initially:
https://forums.commentcamarche.net/forum/affich-18790143-suppression-de-eorezo
Your Combofix report has been restored on that topic.
CCM Moderation.