Hello, Chrifleur
First of all, a big THANK YOU for your valuable advice, since I was able to regain control of my PC last night.
Since the wolf may still be in the sheepfold, I am attaching the requested reports for checking (report.txt and rapport.txt).
Once again, in capital letters, a big THANK YOU
SmitFraudFix v2.253
Report generated at 17:01:28.47, 25/11/2007
Run from F:\SmitfraudFix
OS: Microsoft Windows XP [version 5.1.2600] - Windows_NT
The file system type is FAT32
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» Process
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\LAUNCH~1\QtZpAcer.EXE
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb11.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon06.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.2\apdproxy.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cmd.exe
»»»»»»»»»»»»»»»»»»»»»»»» hosts
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\boisgrosset bernard
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\boisgrosset bernard\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\BOISGR~1\FAVORIS
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Warning, the following keys are not necessarily infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Warning, the following keys are not necessarily infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Warning, the following keys are not necessarily infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Rustock
»»»»»»»»»»»»»»»»»»»»»»»» DNS
Description: VIA Rhine II Fast Ethernet Adapter - Packet Scheduler Miniport
DNS Server Search Order: 212.27.54.252
DNS Server Search Order: 212.27.53.252
HKLM\SYSTEM\CCS\Services\Tcpip\..\{38881500-4037-485B-857E-2EE41F26DCB6}: DhcpNameServer=212.27.54.252 212.27.53.252
HKLM\SYSTEM\CCS\Services\Tcpip\..\{83E5C17B-1441-4E44-BFD1-84BDF2A78D19}: DhcpNameServer=212.27.54.252 212.27.53.252
HKLM\SYSTEM\CS1\Services\Tcpip\..\{38881500-4037-485B-857E-2EE41F26DCB6}: DhcpNameServer=212.27.54.252 212.27.53.252
HKLM\SYSTEM\CS1\Services\Tcpip\..\{83E5C17B-1441-4E44-BFD1-84BDF2A78D19}: DhcpNameServer=212.27.54.252 212.27.53.252
HKLM\SYSTEM\CS3\Services\Tcpip\..\{38881500-4037-485B-857E-2EE41F26DCB6}: DhcpNameServer=212.27.54.252 212.27.53.252
HKLM\SYSTEM\CS3\Services\Tcpip\..\{83E5C17B-1441-4E44-BFD1-84BDF2A78D19}: DhcpNameServer=212.27.54.252 212.27.53.252
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=212.27.54.252 212.27.53.252
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=212.27.54.252 212.27.53.252
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=212.27.54.252 212.27.53.252
»»»»»»»»»»»»»»»»»»»»»»»» Searching for wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
SDFix: Version 1.115
Run by boisgrosset bernard on 25/11/2007 at 16:43
Microsoft Windows XP [version 5.1.2600]
Running From: C:\DOCUME~1\BOISGR~1\Bureau\SDFix
Safe Mode:
Checking Services:
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default HomePage Value
Restoring Default Desktop Components Value
Rebooting...
Normal Mode:
Checking Files:
Trojan Files Found:
C:\Documents and Settings\boisgrosset bernard\Favoris\Error Cleaner.url - Deleted
C:\Documents and Settings\boisgrosset bernard\Bureau\Error Cleaner.url - Deleted
C:\Documents and Settings\boisgrosset bernard\Favoris\Privacy Protector.url - Deleted
C:\Documents and Settings\boisgrosset bernard\Bureau\Privacy Protector.url - Deleted
C:\Documents and Settings\boisgrosset bernard\Favoris\Spyware&Malware Protection.url - Deleted
C:\Documents and Settings\boisgrosset bernard\Bureau\Spyware&Malware Protection.url - Deleted
C:\Program Files\RichVideoCodec\install.ico - Deleted
C:\Program Files\RichVideoCodec\RichVideoCodec.ocx - Deleted
C:\Program Files\RichVideoCodec\Uninstall.exe - Deleted
C:\WINDOWS\dat.txt - Deleted
C:\WINDOWS\nethop.exe - Deleted
C:\WINDOWS\popnetnlf.dll - Deleted
C:\WINDOWS\rmvgor.dll - Deleted
C:\WINDOWS\rs.txt - Deleted
C:\WINDOWS\sapnet.dll - Deleted
C:\WINDOWS\search_res.txt - Deleted
C:\WINDOWS\system32\TFTP1548 - Deleted
C:\WINDOWS\system32\TFTP1752 - Deleted
C:\WINDOWS\system32\TFTP420 - Deleted
C:\WINDOWS\system32\TFTP308 - Deleted
C:\WINDOWS\system32\TFTP540 - Deleted
C:\WINDOWS\system32\TFTP3468 - Deleted
C:\WINDOWS\system32\TFTP3484 - Deleted
C:\WINDOWS\system32\TFTP3700 - Deleted
C:\WINDOWS\system32\TFTP3756 - Deleted
C:\WINDOWS\system32\TFTP812 - Deleted
C:\WINDOWS\system32\TFTP3212 - Deleted
C:\WINDOWS\system32\TFTP288 - Deleted
Folder C:\Program Files\RichVideoCodec - Removed
Removing Temp Files...
ADS Check:
C:\WINDOWS
No streams found.
C:\WINDOWS\system32
No streams found.
C:\WINDOWS\system32\svchost.exe
No streams found.
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.
Final Check:
catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2007-11-25 16:51:45
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Windows Automation = mslaugh.exe?I dedicate this particular strain to m
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services:
------------------
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
Remaining Files:
---------------
File Backups: - C:\DOCUME~1\BOISGR~1\Bureau\SDFix\backups\backups.zip
Files with Hidden Attributes:
Mon 1 Sep 2003 1,024 ...HR --- "C:\WINDOWS\system32\NTICDMK32.dll"
Fri 15 Sep 2006 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 26 Oct 2007 1,294,336 A.SH. --- "C:\Documents and Settings\boisgrosset bernard\Mes documents\Photo Nantes IBM 251007\SIV12.tmp"
Thu 29 Jul 2004 1,206 A..HR --- "C:\Program Files\Fichiers communs\Symantec Shared\Registry Backup\ccReg_old.reg"
Thu 29 Jul 2004 12,368 A..HR --- "C:\Program Files\Fichiers communs\Symantec Shared\Registry Backup\CommonClient_old.reg"
Thu 19 Aug 2004 1,206 A..HR --- "C:\Program Files\Fichiers communs\Symantec Shared\Registry Backup\ccReg.reg"
Thu 19 Aug 2004 12,368 A..HR --- "C:\Program Files\Fichiers communs\Symantec Shared\Registry Backup\CommonClient.reg"
Sat 27 May 2006 1,018 A..H. --- "C:\Documents and Settings\All Users\Application Data\PACE Anti-Piracy\gPyPTksr\btY76jCyyv06.tmp"
Tue 9 Oct 2007 154,624 A..H. --- "C:\boisgrosset bernard\G7-083\BUREAUTIQUE\PIECES ECRITES\01 -Faisabilité\~WRL2764.tmp"
Mon 15 Oct 2007 174,080 A..H. --- "C:\boisgrosset bernard\G7-083\BUREAUTIQUE\PIECES ECRITES\01 -Faisabilité\~WRL0004.tmp"
Finished!
Awaiting your reply, hoping the virus is really gone.
THANK YOU
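Added example, not code from the original post nor from SmitFraudFix, SDFix or catchme: a small Python triage script for a report in the SDFix/catchme format shown above. It collects the "- Deleted" entries by directory, picks out the autostart entries catchme listed under a Run key in its "scanning hidden autostart entries" phase (flagging values that carry non-argument text after the executable name, as the "mslaugh.exe?..." value does), and decodes the "Files with Hidden Attributes" table so System+Hidden files under user profiles can be filtered out for a closer look. SAMPLE_REPORT is constructed to mirror the report's layout; it is not a capture from the poster's machine, and the user-profile filter is a heuristic, not a verdict.

```python
"""Triage helper for SDFix / catchme style cleanup reports.

Added example (not SDFix, catchme or original-post code). Three passes:
  * "<path> - Deleted" lines, grouped by directory;
  * entries catchme lists under a Run/RunOnce key in its hidden-autostart phase,
    plus a check for junk trailing the executable name in the value;
  * the "Files with Hidden Attributes" table, with attribute letters decoded.
SAMPLE_REPORT is constructed to match the report format; it is not a real capture.
"""
import re
from collections import defaultdict

SAMPLE_REPORT = r"""
Trojan Files Found:

C:\Program Files\RichVideoCodec\RichVideoCodec.ocx - Deleted
C:\WINDOWS\nethop.exe - Deleted
C:\WINDOWS\system32\TFTP1548 - Deleted
C:\WINDOWS\system32\TFTP420 - Deleted

Folder C:\Program Files\RichVideoCodec - Removed

scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  Windows Automation = mslaugh.exe?I dedicate this particular strain to m
scanning hidden files ...

Files with Hidden Attributes:

Mon 1 Sep 2003 1,024 ...HR --- "C:\WINDOWS\system32\NTICDMK32.dll"
Fri 26 Oct 2007 1,294,336 A.SH. --- "C:\Documents and Settings\user\Mes documents\SIV12.tmp"

Finished!
"""

DELETED_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) - Deleted$", re.M)
HIDDEN_RE = re.compile(
    r'^(?P<date>\w{3} \d{1,2} \w{3} \d{4}) +(?P<size>[\d,]+) +(?P<attrs>[A-Z.]{5}) '
    r'--- "(?P<path>[^"]+)"$', re.M)
RUN_KEY_RE = re.compile(r"^HK(?:LM|CU|EY_[A-Z_]+)\\.*\\Run(?:Once)?$", re.I)
EXE_EXT_RE = re.compile(r"\.(?:exe|com|scr|pif|bat|cmd|dll)(?P<rest>.*)$", re.I)


def deleted_files(report):
    """Return {lower-cased directory: [file names]} for every '<path> - Deleted' line."""
    by_dir = defaultdict(list)
    for m in DELETED_RE.finditer(report):
        folder, _, name = m.group("path").rpartition("\\")
        by_dir[folder.lower()].append(name)
    return dict(by_dir)


def hidden_autostarts(report):
    """Return [(key, value name, command)] for lines catchme prints under a Run key
    between 'scanning hidden autostart entries' and the next 'scanning ...' phase."""
    found, in_section, key = [], False, None
    for raw in report.splitlines():
        line = raw.strip()
        if line.startswith("scanning hidden autostart entries"):
            in_section, key = True, None
            continue
        if not in_section:
            continue
        if line.startswith("scanning "):
            break                      # next catchme phase, section over
        if not line:
            continue
        if RUN_KEY_RE.match(line):
            key = line                 # following lines belong to this key
        elif key and "=" in line:
            name, _, cmd = line.partition("=")
            found.append((key, name.strip(), cmd.strip()))
    return found


def odd_autostart_value(cmd):
    """True when text follows the executable extension that is neither whitespace nor a
    closing quote. A normal Run value is `path` or `"path" args`; '.exe?junk' is not."""
    m = EXE_EXT_RE.search(cmd)
    if not m:
        return False
    rest = m.group("rest")
    return bool(rest) and rest[0] not in ' \t"'


def hidden_files(report):
    """Parse the 'Files with Hidden Attributes' table into dicts; attrs is the set of
    attribute letters present (A archive, S system, H hidden, R read-only)."""
    return [{"date": m.group("date"),
             "size": int(m.group("size").replace(",", "")),
             "attrs": set(m.group("attrs")) - {"."},
             "path": m.group("path")}
            for m in HIDDEN_RE.finditer(report)]


def system_hidden_in_profiles(records):
    """Heuristic: System+Hidden files under user profiles are unusual enough to review."""
    return [r for r in records
            if {"S", "H"} <= r["attrs"]
            and r["path"].lower().startswith("c:\\documents and settings\\")]


def triage(report):
    """One-shot summary: what was removed, what still autostarts oddly, what hides."""
    autostarts = hidden_autostarts(report)
    return {"deleted_by_dir": deleted_files(report),
            "odd_autostarts": [a for a in autostarts if odd_autostart_value(a[2])],
            "profile_system_hidden": [r["path"] for r in
                                      system_hidden_in_profiles(hidden_files(report))]}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_REPORT), indent=2))
```

Run it against a saved report with `triage(open("rapport.txt", encoding="cp1252").read())`; the deleted-by-directory view makes a cluster such as a dozen TFTP* files in system32 stand out at a glance, and any Run value the junk check flags is something to look up before trusting the machine again.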