Infection Win32:Obfuscated-EER

Résolu
nckgr -  
 Paulussse -
Bonjour,

je suis infecté par le trojan Win32:Obfuscated-EER. Avast ne semble pas pouvoir en venir à bout.
Je précise que c'est mon pc professionnel qui est infecté et que je souhaiterais dans la mesure du possible ne pas avoir à désinstaller Avast.
Merci d'avance pour votre aide.

Nckgr
Configuration: Windows XP
Internet Explorer 7.0

15 réponses

  1. green day Messages postés 26374 Date d'inscription   Statut Modérateur, Contributeur sécurité Dernière intervention   2 166
     
    Salut

    Télécharge ceci :

    Lien : http://www.commentcamarche.net/telecharger/telecharger 159 hijackthis

    Démo : http://pageperso.aol.fr/balltrap34/demohijack.htm

    Choisir l'option "do a scan and a logfile", et faire un copier/coller du rapport ainsi générer sur le forum.

    ++
    0
  2. nckgr
     
    voilà le rapport hijackthis :

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 22:17:11, on 30/01/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\00THotkey.exe
    C:\WINDOWS\system32\TFNF5.exe
    C:\Program Files\SigmaTel\Pilotes Audio SigmaTel AC97\stacmon.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    C:\Program Files\ltmoh\Ltmoh.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\system32\TPSMain.exe
    C:\Program Files\TOSHIBA\Commandes TOSHIBA\TFncKy.exe
    C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9LE.EXE
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\system32\TPSBattM.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    C:\Documents and Settings\xxx\Application Data\Simply Super Software\Trojan Remover\reo2.exe
    C:\Documents and Settings\xxx\Application Data\Simply Super Software\Trojan Remover\reo2.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://news.google.com/topstories?hl=fr&gl=FR&ceid=FR:fr
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/?ocid=iehp
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
    O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
    O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
    O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\Pilotes Audio SigmaTel AC97\stacmon.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
    O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
    O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    O4 - HKLM\..\Run: [\\AGS-SVR01\EPSON Stylus Photo R1800] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9LE.EXE /P36 "\\AGS-SVR01\EPSON Stylus Photo R1800" /O6 "USB001" /M "Stylus Photo R1800"
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O16 - DPF: {104B0A37-AB99-4F06-8032-8BBDC3B77DDB} (Telechargement Control) - http://www2.photoweb.fr/telechargement/Photoweb_uploader.cab
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ags.local
    O17 - HKLM\Software\..\Telephony: DomainName = ags.local
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2B89E77F-3ED2-4B9B-88DF-6DDE6AD0527E}: NameServer = 212.27.53.252,212.27.54.252
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ags.local
    O17 - HKLM\System\CS1\Services\Tcpip\..\{2B89E77F-3ED2-4B9B-88DF-6DDE6AD0527E}: NameServer = 212.27.53.252,212.27.54.252
    O20 - Winlogon Notify: ur32megareg - C:\Documents and Settings\All Users\Documents\Settings\ur32mega.dll (file missing)
    O23 - Service: Gestion d'applications (AppMgmt) - Unknown owner - C:\WINDOWS\system32\svchost.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Audio Windows (AudioSrv) - Unknown owner - C:\WINDOWS\System32\svchost.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Service de transfert intelligent en arrière-plan (BITS) - Unknown owner - C:\WINDOWS\system32\svchost.exe
    O23 - Service: Explorateur d'ordinateur (Browser) - Unknown owner - C:\WINDOWS\system32\svchost.exe
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: Services de cryptographie (CryptSvc) - Unknown owner - C:\WINDOWS\system32\svchost.exe
    O23 - Service: Lanceur de processus serveur DCOM (DcomLaunch) - Unknown owner - C:\WINDOWS\system32\svchost.exe
    O23 - Service: Client DHCP (Dhcp) - Unknown owner - C:\WINDOWS\system32\svchost.exe
    O23 - Service: Gestionnaire de disque logique (dmserver) - Unknown owner - C:\WINDOWS\System32\svchost.exe
    O23 - Service: Client DNS (Dnscache) - Unknown owner - C:\WINDOWS\system32\svchost.exe
    O23 - Service: Service de rapport d'erreurs (ERSvc) - Unknown owner - C:\WINDOWS\System32\svchost.exe
    O23 - Service: Système d'événements de COM+ (EventSystem) - Unknown owner - C:\WINDOWS\system32\svchost.exe
    O23 - Service: Compatibilité avec le Changement rapide d'utilisateur (FastUserSwitchingCompatibility) - Unknown owner - C:\WINDOWS\System32\svchost.exe
    O23 - Service: Aide et support (helpsvc) - Unknown owner - C:\WINDOWS\System32\svchost.exe
    O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\svchost.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Moniteur infrarouge (Irmon) - Unknown owner - C:\WINDOWS\system32\svchost.exe
    O23 - Service: Serveur (lanmanserver) - Unknown owner - C:\WINDOWS\system32\svchost.exe
    O23 - Service: Station de travail (lanmanworkstation) - Unknown owner - C:\WINDOWS\system32\svchost.exe
    O23 - Service: Assistance TCP/IP NetBIOS (LmHosts) - Unknown owner - C:\WINDOWS\system32\svchost.exe
    O23 - Service: Connexions réseau (Netman) - Unknown owner - C:\WINDOWS\System32\svchost.exe
    O23 - Service: NLA (Network Location Awareness) (Nla) - Unknown owner - C:\WINDOWS\system32\svchost.exe
    O23 - Service: Stockage amovible (NtmsSvc) - Unknown owner - C:\WINDOWS\system32\svchost.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Gestionnaire de connexion automatique d'accès distant (RasAuto) - Unknown owner - C:\WINDOWS\system32\svchost.exe
    O23 - Service: Gestionnaire de connexions d'accès distant (RasMan) - Unknown owner - C:\WINDOWS\system32\svchost.exe
    O23 - Service: Accès à distance au Registre (RemoteRegistry) - Unknown owner - C:\WINDOWS\system32\svchost.exe
    O23 - Service: Appel de procédure distante (RPC) (RpcSs) - Unknown owner - C:\WINDOWS\system32\svchost.exe
    O23 - Service: Planificateur de tâches (Schedule) - Unknown owner - C:\WINDOWS\System32\svchost.exe
    O23 - Service: Connexion secondaire (seclogon) - Unknown owner - C:\WINDOWS\System32\svchost.exe
    O23 - Service: Notification d'événement système (SENS) - Unknown owner - C:\WINDOWS\system32\svchost.exe
    O23 - Service: Détection matériel noyau (ShellHWDetection) - Unknown owner - C:\WINDOWS\System32\svchost.exe
    O23 - Service: Service de restauration système (srservice) - Unknown owner - C:\WINDOWS\system32\svchost.exe
    O23 - Service: Service de découvertes SSDP (SSDPSRV) - Unknown owner - C:\WINDOWS\system32\svchost.exe
    O23 - Service: Acquisition d'image Windows (WIA) (stisvc) - Unknown owner - C:\WINDOWS\system32\svchost.exe
    O23 - Service: Téléphonie (TapiSrv) - Unknown owner - C:\WINDOWS\System32\svchost.exe
    O23 - Service: Services Terminal Server (TermService) - Unknown owner - C:\WINDOWS\System32\svchost.exe
    O23 - Service: Thèmes (Themes) - Unknown owner - C:\WINDOWS\System32\svchost.exe
    O23 - Service: Client de suivi de lien distribué (TrkWks) - Unknown owner - C:\WINDOWS\system32\svchost.exe
    O23 - Service: Hôte de périphérique universel Plug-and-Play (upnphost) - Unknown owner - C:\WINDOWS\system32\svchost.exe
    O23 - Service: vtigercrm4_2 - Unknown owner - C:\Program Files\vtigerCRM4_2\apache\bin\Apache.exe (file missing)
    O23 - Service: Horloge Windows (W32Time) - Unknown owner - C:\WINDOWS\System32\svchost.exe
    O23 - Service: WebClient - Unknown owner - C:\WINDOWS\system32\svchost.exe
    O23 - Service: Infrastructure de gestion Windows (winmgmt) - Unknown owner - C:\WINDOWS\system32\svchost.exe
    O23 - Service: Service de numéro de série du lecteur multimédia portable (WmdmPmSN) - Unknown owner - C:\WINDOWS\System32\svchost.exe
    O23 - Service: Extensions du pilote WMI (Wmi) - Unknown owner - C:\WINDOWS\System32\svchost.exe
    O23 - Service: Mises à jour automatiques (wuauserv) - Unknown owner - C:\WINDOWS\system32\svchost.exe
    O23 - Service: Windows Driver Foundation - User-mode Driver Framework (WudfSvc) - Unknown owner - C:\WINDOWS\system32\svchost.exe
    O23 - Service: Configuration automatique sans fil (WZCSVC) - Unknown owner - C:\WINDOWS\System32\svchost.exe
    O23 - Service: Service d'approvisionnement réseau (xmlprov) - Unknown owner - C:\WINDOWS\System32\svchost.exe
    0
  3. green day Messages postés 26374 Date d'inscription   Statut Modérateur, Contributeur sécurité Dernière intervention   2 166
     
    ok,

    Télécharger ComboFix (par sUBs) sur le Bureau : http://download.bleepingcomputer.com/sUBs/ComboFix.exe

    * Démarrer en mode sans echec
    * Double cliquer combofix.exe.
    * Appuyer sur la touche Y (Yes) pour démarrer le scan
    * Le rapport sera crée dans: C:\Combofix.txt, poste le stp

    ++
    0
  4. nckgr
     
    rapport combofix :

    ComboFix 08-01-31.1 - xxxx 2008-01-30 22:33:14.1 - NTFSx86 NETWORK
    Microsoft Windows XP Professionnel 5.1.2600.2.1252.1.1036.18.374 [GMT 1:00]
    Endroit: C:\Documents and Settings\xxxx\Bureau\ComboFix.exe

    [color=red][b]AVERTISSEMENT - LA CONSOLE DE RÉCUPÉRATION N'EST PAS INSTALLÉE SUR CETTE MACHINE !![/b][/color]
    .
    [i] ADS - svchost.exe: deleted 24064 bytes in 1 streams. [/i]

    (((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\All Users.\documents\settings
    C:\Documents and Settings\All Users.\documents\settings\desktop.ini
    C:\Program Files\network monitor
    C:\WINDOWS\keyboard21.dat
    C:\WINDOWS\Temp\2009914126.exe
    C:\WINDOWS\uninstall_nmon.vbs

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_ICF
    -------\ICF
    -------\nm

    ((((((((((((((((((((((((((((( Fichiers cr‚‚s 2007-12-28 to 2008-01-31 ))))))))))))))))))))))))))))))))))))
    .

    2008-01-30 21:53 . 2008-01-30 22:21 <REP> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
    2008-01-30 21:51 . 2008-01-31 22:38 <REP> d-------- C:\Program Files\Trojan Remover
    2008-01-30 21:51 . 2008-01-30 21:51 <REP> d-------- C:\Documents and Settings\xxxx\Application Data\Simply Super Software
    2008-01-30 21:51 . 2003-02-02 19:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
    2008-01-30 21:51 . 2002-03-06 00:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
    2008-01-24 23:34 . 2008-01-29 22:58 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2008-01-24 23:34 . 2008-01-24 23:34 1,409 --a------ C:\WINDOWS\QTFont.for
    2008-01-06 23:00 . 2008-01-06 23:00 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Pok3d
    2008-01-02 19:43 . 2008-01-02 19:43 <REP> d-------- C:\Program Files\mIRC
    2008-01-02 19:43 . 2008-01-02 19:58 <REP> d-------- C:\Documents and Settings\xxxx\Application Data\mIRC
    2007-12-21 23:00 . 2007-12-21 23:00 <REP> d-------- C:\Documents and Settings\xxxx\Application Data\Talkback
    2007-12-21 23:00 . 2007-12-21 23:00 0 --a------ C:\WINDOWS\nsreg.dat

    .
    (((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-01-30 21:09 --------- d-----w C:\Program Files\Trend Micro
    2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
    2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
    2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
    2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
    2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
    2006-05-03 09:06 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll
    2007-02-21 10:47 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll
    2005-07-29 15:24 472 --sha-r C:\WINDOWS\Tmljb2xhcyBHYXJyaWRv\nA53vZU1wV1JsrLVuqlS.vbs
    .

    ((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    REGEDIT4
    *Note* les ‚l‚ments vides & les ‚l‚ments initiaux l‚gitimes ne sont pas list‚s

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-05 12:00 15360]
    "TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-15 17:19 65536]
    "ccleaner"="C:\Program Files\CCleaner\ccleaner.exe" [2006-02-13 15:49 565248]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-08-28 16:21 4861952]
    "00THotkey"="C:\WINDOWS\system32\[u]0[/u]0THotkey.exe" [2004-08-11 11:36 253952]
    "000StTHK"="000StTHK.exe" [2001-06-23 20:28 24576 C:\WINDOWS\system32\[u]0[/u]00StTHK.exe]
    "TFNF5"="TFNF5.exe" [2003-07-18 16:41 73728 C:\WINDOWS\system32\TFNF5.exe]
    "SigmaTel StacMon"="C:\Program Files\SigmaTel\Pilotes Audio SigmaTel AC97\stacmon.exe" [2003-08-03 15:01 86073]
    "SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-01-22 16:09 98304]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-01-22 16:08 495616]
    "TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2003-03-11 13:58 122880]
    "LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2003-09-26 14:43 184320]
    "AGRSMMSG"="AGRSMMSG.exe" [2004-02-20 14:00 88363 C:\WINDOWS\agrsmmsg.exe]
    "TPSMain"="TPSMain.exe" [2004-06-28 11:39 266240 C:\WINDOWS\system32\TPSMain.exe]
    "TFncKy"="TFncKy.exe" []
    "NDSTray.exe"="NDSTray.exe" []
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
    "Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-05 12:00 144384]
    "\\AGS-SVR01\EPSON Stylus Photo R1800"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9LE.exe" [2004-09-08 02:00 98304]
    "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-11-19 22:55 155648]
    "TrojanScanner"="C:\Program Files\Trojan Remover\Trjscan.exe" [2008-01-30 22:22 737872]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-05 12:00 15360]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoWelcomeScreen"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ur32megareg]
    C:\Documents and Settings\All Users\Documents\Settings\ur32mega.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3001051914-2764525902-2624039741-1196\Scripts\Logon\[u]0[/u]\[u]0[/u]]
    "Script"=logon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3001051914-2764525902-2624039741-500\Scripts\Logon\[u]0[/u]\[u]0[/u]]
    "Script"=logon.cmd

    [HKLM\~\startupfolder\C:^Documents and Settings^xxxxx^Menu Démarrer^Programmes^Démarrage^Lancement rapide de Microsoft Office OneNote 2003.lnk]
    path=C:\Documents and Settings\xxxxx\Menu Démarrer\Programmes\Démarrage\Lancement rapide de Microsoft Office OneNote 2003.lnk
    backup=C:\WINDOWS\pss\Lancement rapide de Microsoft Office OneNote 2003.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    --a------ 2005-10-18 11:58 278528 C:\Program Files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    -ra------ 2003-08-28 16:21 323584 C:\WINDOWS\system32\nwiz.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2005-11-19 22:55 155648 C:\Program Files\QuickTime\qttask.exe

    S2 vtigercrm4_2;vtigercrm4_2;"C:\Program Files\vtigerCRM4_2\apache\bin\Apache.exe" []

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{26c93275-0795-11dc-a2a1-000e35a3f0f4}]
    \Shell\AutoRun\command - E:\LaunchU3.exe -a

    .
    Contenu du dossier 'Scheduled Tasks/Tƒches planifi‚es'
    "2005-04-21 14:16:15 C:\WINDOWS\Tasks\Rappel d'enregistrement 2.job"
    - C:\WINDOWS\system32\OOBE\oobebaln.exe
    "2005-04-21 14:16:15 C:\WINDOWS\Tasks\Rappel d'enregistrement 3.job"
    - C:\WINDOWS\system32\OOBE\oobebaln.exe
    "2008-01-31 21:41:00 C:\WINDOWS\Tasks\vtigerCRM Email Reminder.job"
    - C:\PROGRA~1\VTIGER~1\apache\htdocs\vtigerCRM\modules\Activities\SendReminder.bat
    "2008-01-14 10:00:00 C:\WINDOWS\Tasks\vtigerCRM Notification Scheduler.job"
    - C:\PROGRA~1\VTIGER~1\apache\htdocs\vtigerCRM\cron\intimateTaskStatus.bat
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-31 22:38:27
    Windows 5.1.2600 Service Pack 2 NTFS

    Balayage processus cach‚s ...

    Balayage cach‚ autostart entries ...

    Balayage des fichiers cach‚s ...

    Scan termin‚ avec succŠs
    Les fichiers cach‚s: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
    "\\\\AGS-SVR01\\EPSON Stylus Photo R1800"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATI9LE.EXE /P36 \"\\\\AGS-SVR01\\EPSON Stylus Photo R1800\" /O6 \"USB001\" /M \"Stylus Photo R1800\""
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\[u]0[/u]0THotkey.exe
    C:\WINDOWS\system32\TFNF5.exe
    C:\Program Files\SigmaTel\Pilotes Audio SigmaTel AC97\stacmon.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    C:\Program Files\ltmoh\Ltmoh.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\system32\TPSMain.exe
    C:\Program Files\TOSHIBA\Commandes TOSHIBA\TFncKy.exe
    C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\WINDOWS\system32\TPSBattM.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9LE.EXE
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    .
    **************************************************************************
    .
    Temps d'accomplissement: 2008-01-31 22:41:19 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-01-31 21:41:10
    .
    2008-01-08 22:54:00 --- E O F ---
    0
  5. Vous n’avez pas trouvé la réponse que vous recherchez ?

    Posez votre question
  6. green day Messages postés 26374 Date d'inscription   Statut Modérateur, Contributeur sécurité Dernière intervention   2 166
     
    ok, fais ce qui est indiqué ici stp :

    http://www.commentcamarche.net/faq/sujet 3174 virus methode preliminaire de desinfection version fr

    ++
    0
  7. nckgr
     
    1) Ccleaner passé

    2) Rapport AVG anti-spyware (NB : les éléments détectés ont été nettoyés après l'édition du rapport)---------------------------------------------------------
    AVG Anti-Spyware - Rapport d'analyse
    ---------------------------------------------------------

    + Créé à: 23:41 2008-01-31

    + Résultat de l'analyse:

    C:\Program Files\Fichiers communs\ikzf\ikzfd\vocabulary -> Downloader.TSUpdate.j : Aucune action entreprise.
    C:\Documents and Settings\societe\Cookies\societe@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Aucune action entreprise.
    C:\Documents and Settings\societe\Cookies\societe@atdmt[2].txt -> TrackingCookie.Atdmt : Aucune action entreprise.
    C:\Documents and Settings\nckgr\Cookies\nckgr@atdmt[2].txt -> TrackingCookie.Atdmt : Aucune action entreprise.
    C:\Documents and Settings\societe\Cookies\societe@bluestreak[1].txt -> TrackingCookie.Bluestreak : Aucune action entreprise.
    C:\Documents and Settings\nckgr\Cookies\nckgr@bluestreak[1].txt -> TrackingCookie.Bluestreak : Aucune action entreprise.
    C:\Documents and Settings\societe\Cookies\societe@doubleclick[1].txt -> TrackingCookie.Doubleclick : Aucune action entreprise.
    C:\Documents and Settings\societe\Cookies\societe@as1.falkag[2].txt -> TrackingCookie.Falkag : Aucune action entreprise.
    C:\Documents and Settings\societe\Cookies\societe@serving-sys[2].txt -> TrackingCookie.Serving-sys : Aucune action entreprise.
    C:\Documents and Settings\societe\Cookies\societe@www.smartadserver[2].txt -> TrackingCookie.Smartadserver : Aucune action entreprise.
    C:\Documents and Settings\societe\Cookies\societe@statcounter[1].txt -> TrackingCookie.Statcounter : Aucune action entreprise.
    C:\Documents and Settings\societe\Cookies\societe@tacoda[1].txt -> TrackingCookie.Tacoda : Aucune action entreprise.
    C:\Documents and Settings\societe\Cookies\societe@weborama[1].txt -> TrackingCookie.Weborama : Aucune action entreprise.
    C:\QooBox\Quarantine\C\WINDOWS\uninstall_nmon.vbs.vir -> Trojan.Small : Aucune action entreprise.

    Fin du rapport

    3) Rapport BitDefender

    BitDefender Online Scanner

    Scan report generated at: Fri, Feb 01, 2008 - 07:59:04

    Scan path: C:\;D:\;

    Statistics

    Time
    08:10:22

    Files
    246257

    Folders
    5255

    Boot Sectors
    2

    Archives
    7268

    Packed Files
    11558

    Results

    Identified Viruses
    2

    Infected Files
    5

    Suspect Files
    0

    Warnings
    0

    Disinfected
    0

    Deleted Files
    5

    Engines Info

    Virus Definitions
    978260

    Engine build
    AVCORE v1.0 (build 2422) (i386) (Sep 25 2007 08:26:36)

    Scan plugins
    16

    Archive plugins
    41

    Unpack plugins
    7

    E-mail plugins
    6

    System plugins
    5

    Scan Settings

    First Action
    Disinfect

    Second Action
    Delete

    Heuristics
    Yes

    Enable Warnings
    Yes

    Scanned Extensions
    *;

    Exclude Extensions

    Scan Emails
    Yes

    Scan Archives
    Yes

    Scan Packed
    Yes

    Scan Files
    Yes

    Scan Boot
    Yes

    Scanned File
    Status

    C:\Program Files\Alwil Software\Avast4\DATA\moved\exe.exe=>:$DATA
    Infected with: Dropped:Backdoor.Agent.ZCI

    C:\Program Files\Alwil Software\Avast4\DATA\moved\exe.exe=>:$DATA
    Disinfection failed

    C:\Program Files\Alwil Software\Avast4\DATA\moved\exe.exe=>:$DATA
    Deleted

    C:\Program Files\Alwil Software\Avast4\DATA\moved\exe.exe
    Updated

    C:\Program Files\Alwil Software\Avast4\DATA\moved\exe.exe=>:$DATA.2
    Infected with: Dropped:Backdoor.Agent.ZCI

    C:\Program Files\Alwil Software\Avast4\DATA\moved\exe.exe=>:$DATA.2
    Disinfection failed

    C:\Program Files\Alwil Software\Avast4\DATA\moved\exe.exe=>:$DATA.2
    Deleted

    C:\Program Files\Alwil Software\Avast4\DATA\moved\exe.exe
    Updated

    C:\QooBox\Quarantine\C\WINDOWS\Temp\2009914126.exe.vir
    Infected with: BehavesLike:Win32.ExplorerHijack

    C:\QooBox\Quarantine\C\WINDOWS\Temp\2009914126.exe.vir
    Disinfection failed

    C:\QooBox\Quarantine\C\WINDOWS\Temp\2009914126.exe.vir
    Deleted

    C:\System Volume Information\_restore{C93053C6-2A30-4C77-8117-AA8DAB8EF892}\RP1\A0000084.exe=>:$DATA
    Infected with: Dropped:Backdoor.Agent.ZCI

    C:\System Volume Information\_restore{C93053C6-2A30-4C77-8117-AA8DAB8EF892}\RP1\A0000084.exe=>:$DATA
    Disinfection failed

    C:\System Volume Information\_restore{C93053C6-2A30-4C77-8117-AA8DAB8EF892}\RP1\A0000084.exe=>:$DATA
    Deleted

    C:\System Volume Information\_restore{C93053C6-2A30-4C77-8117-AA8DAB8EF892}\RP1\A0000084.exe
    Updated

    C:\System Volume Information\_restore{C93053C6-2A30-4C77-8117-AA8DAB8EF892}\RP1\A0000084.exe=>:$DATA.2
    Infected with: Dropped:Backdoor.Agent.ZCI

    C:\System Volume Information\_restore{C93053C6-2A30-4C77-8117-AA8DAB8EF892}\RP1\A0000084.exe=>:$DATA.2
    Disinfection failed

    C:\System Volume Information\_restore{C93053C6-2A30-4C77-8117-AA8DAB8EF892}\RP1\A0000084.exe=>:$DATA.2
    Deleted

    C:\System Volume Information\_restore{C93053C6-2A30-4C77-8117-AA8DAB8EF892}\RP1\A0000084.exe
    Updated

    4) Rapport HiJackThis

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 08:06, on 2008-02-01
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\00THotkey.exe
    C:\WINDOWS\system32\TFNF5.exe
    C:\Program Files\SigmaTel\Pilotes Audio SigmaTel AC97\stacmon.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    C:\Program Files\ltmoh\Ltmoh.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\system32\TPSMain.exe
    C:\Program Files\TOSHIBA\Commandes TOSHIBA\TFncKy.exe
    C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\WINDOWS\system32\TPSBattM.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9LE.EXE
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://news.google.com/topstories?hl=fr&gl=FR&ceid=FR:fr
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/?ocid=iehp
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
    O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
    O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
    O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\Pilotes Audio SigmaTel AC97\stacmon.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
    O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
    O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    O4 - HKLM\..\Run: [\\AGS-SVR01\EPSON Stylus Photo R1800] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9LE.EXE /P36 "\\AGS-SVR01\EPSON Stylus Photo R1800" /O6 "USB001" /M "Stylus Photo R1800"
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O16 - DPF: {104B0A37-AB99-4F06-8032-8BBDC3B77DDB} (Telechargement Control) - http://www2.photoweb.fr/telechargement/Photoweb_uploader.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ags.local
    O17 - HKLM\Software\..\Telephony: DomainName = ags.local
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2B89E77F-3ED2-4B9B-88DF-6DDE6AD0527E}: NameServer = 212.27.53.252,212.27.54.252
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ags.local
    O17 - HKLM\System\CS1\Services\Tcpip\..\{2B89E77F-3ED2-4B9B-88DF-6DDE6AD0527E}: NameServer = 212.27.53.252,212.27.54.252
    O20 - Winlogon Notify: ur32megareg - C:\Documents and Settings\All Users\Documents\Settings\ur32mega.dll (file missing)
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: vtigercrm4_2 - Unknown owner - C:\Program Files\vtigerCRM4_2\apache\bin\Apache.exe (file missing)
    0
  8. green day Messages postés 26374 Date d'inscription   Statut Modérateur, Contributeur sécurité Dernière intervention   2 166
     
    Salut

    ok, comment évolue la situation ??

    ++
    0
  9. nckgr
     
    salut,

    j'ai fait tout ce que tu m'as demandé (cf. rapports plus haut) donc je suis plutôt à l'écoute d'une expertise des rapports.

    Merci d'avance.
    0
  10. green day Messages postés 26374 Date d'inscription   Statut Modérateur, Contributeur sécurité Dernière intervention   2 166
     
    pas mal de bébéttes ont été supprimé ! mais il faut me dire comment ça évolue de ton coté ! :)

    ++
    0
  11. nckgr
     
    aucun signe négatif depuis que j'ai lancé le PC.
    J'ai fait un scan avast sur le répertoire system32 qui contient le fichier svchost.exe qui déclenchait à chaque fois l'alerte ==> aucun signe cette fois de la part d'avast.

    Maintenant, as-tu vu d'autres choses à nettoyer, pas forcément en rapport avec ce trojan ? j'ai lu dans les rapports quelques échecs de nettoyage...

    Merci.
    0
  12. green day Messages postés 26374 Date d'inscription   Statut Modérateur, Contributeur sécurité Dernière intervention   2 166
     
    ok, à supprimer, juste ceci :

    Relance HijackThis : choisis " do a scan only" coche la case devant les lignes ci-dessous et clique en bas sur "fix checked" :

    O20 - Winlogon Notify: ur32megareg - C:\Documents and Settings\All Users\Documents\Settings\ur32mega.dll (file missing)

    ++

    0
  13. nckgr
     
    c'est fait !

    si tout le reste est ok selon toi, je te remercie beaucoup pour ton aide.
    0
  14. green day Messages postés 26374 Date d'inscription   Statut Modérateur, Contributeur sécurité Dernière intervention   2 166
     
    oui, c'est tout bon ;-)

    installe un parefeu !

    ==> voir ici : http://www.commentcamarche.net/faq/sujet 2432 securite proteger un ordinateur contre les malwares d internet

    @+
    0
    1. pitance Messages postés 1 Date d'inscription   Statut Membre
       
      Bonjour, je suis infecté par le même virus, voici le rapport Hijackthis :



      Logfile of Trend Micro HijackThis v2.0.2
      Scan saved at 16:48:39, on 25/02/2008
      Platform: Windows XP (WinNT 5.01.2600)
      MSIE: Internet Explorer v6.00 (6.00.2600.0000)
      Boot mode: Normal

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\Explorer.EXE
      F:\antivirus gratuit Avast\aswUpdSv.exe
      F:\antivirus gratuit Avast\ashServ.exe
      C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
      F:\ANTIVI~1\ashDisp.exe
      C:\WINDOWS\System32\ctfmon.exe
      C:\WINDOWS\system32\spoolsv.exe
      F:\Ad Aware\aawservice.exe
      F:\antivirus gratuit Avast\ashWebSv.exe
      F:\antivirus gratuit Avast\ashMaiSv.exe
      F:\Emule\emule.exe
      C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
      F:\Winamp\winamp.exe
      C:\Program Files\Internet Explorer\iexplore.exe
      C:\Program Files\Internet Explorer\iexplore.exe
      C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.fr/?gws_rd=ssl
      R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
      O2 - BHO: Aide pour le lien d'Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
      O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
      O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
      O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
      O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
      O4 - HKLM\..\Run: [avast!] F:\ANTIVI~1\ashDisp.exe
      O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
      O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
      O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
      O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Fichiers communs\Adobe\Updater5\AdobeUpdater.exe
      O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL')
      O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE RÉSEAU')
      O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
      O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
      O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
      O4 - Global Startup: EPSON SMART PANEL for Scanner.lnk = C:\Program Files\EPSON\EPSON SMART PANEL for Scanner\espmain.exe
      O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
      O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
      O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
      O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
      O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
      O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - F:\Ad Aware\aawservice.exe
      O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Fichiers communs\Adobe Systems Shared\Service\Adobelmsvc.exe
      O23 - Service: Avertissement (Alerter) - Unknown owner - C:\WINDOWS\System32\svchost.exe
      O23 - Service: Gestion d'applications (AppMgmt) - Unknown owner - C:\WINDOWS\system32\svchost.exe
      O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - F:\antivirus gratuit Avast\aswUpdSv.exe
      O23 - Service: Audio Windows (AudioSrv) - Unknown owner - C:\WINDOWS\System32\svchost.exe
      O23 - Service: avast! Antivirus - ALWIL Software - F:\antivirus gratuit Avast\ashServ.exe
      O23 - Service: avast! Mail Scanner - ALWIL Software - F:\antivirus gratuit Avast\ashMaiSv.exe
      O23 - Service: avast! Web Scanner - ALWIL Software - F:\antivirus gratuit Avast\ashWebSv.exe
      O23 - Service: Service de transfert intelligent en arrière-plan (BITS) - Unknown owner - C:\WINDOWS\System32\svchost.exe
      O23 - Service: Explorateur d'ordinateur (Browser) - Unknown owner - C:\WINDOWS\System32\svchost.exe
      O23 - Service: Services de cryptographie (CryptSvc) - Unknown owner - C:\WINDOWS\system32\svchost.exe
      O23 - Service: Client DHCP (Dhcp) - Unknown owner - C:\WINDOWS\System32\svchost.exe
      O23 - Service: Gestionnaire de disque logique (dmserver) - Unknown owner - C:\WINDOWS\System32\svchost.exe
      O23 - Service: Client DNS (Dnscache) - Unknown owner - C:\WINDOWS\System32\svchost.exe
      O23 - Service: Service de rapport d'erreurs (ERSvc) - Unknown owner - C:\WINDOWS\System32\svchost.exe
      O23 - Service: Système d'événements de COM+ (EventSystem) - Unknown owner - C:\WINDOWS\System32\svchost.exe
      O23 - Service: Compatibilité avec le Changement rapide d'utilisateur (FastUserSwitchingCompatibility) - Unknown owner - C:\WINDOWS\System32\svchost.exe
      O23 - Service: Aide et support (helpsvc) - Unknown owner - C:\WINDOWS\System32\svchost.exe
      O23 - Service: HID Input Service (HidServ) - Unknown owner - C:\WINDOWS\System32\svchost.exe
      O23 - Service: ICF - Unknown owner - C:\WINDOWS\System32\svchost.exe:exe.exe
      O23 - Service: Serveur (lanmanserver) - Unknown owner - C:\WINDOWS\System32\svchost.exe
      O23 - Service: Station de travail (lanmanworkstation) - Unknown owner - C:\WINDOWS\System32\svchost.exe
      O23 - Service: Assistance TCP/IP NetBIOS (LmHosts) - Unknown owner - C:\WINDOWS\System32\svchost.exe
      O23 - Service: Affichage des messages (Messenger) - Unknown owner - C:\WINDOWS\System32\svchost.exe
      O23 - Service: Connexions réseau (Netman) - Unknown owner - C:\WINDOWS\System32\svchost.exe
      O23 - Service: NLA (Network Location Awareness) (Nla) - Unknown owner - C:\WINDOWS\System32\svchost.exe
      O23 - Service: Stockage amovible (NtmsSvc) - Unknown owner - C:\WINDOWS\system32\svchost.exe
      O23 - Service: Gestionnaire de connexion automatique d'accès distant (RasAuto) - Unknown owner - C:\WINDOWS\System32\svchost.exe
      O23 - Service: Gestionnaire de connexions d'accès distant (RasMan) - Unknown owner - C:\WINDOWS\System32\svchost.exe
      O23 - Service: Accès à distance au Registre (RemoteRegistry) - Unknown owner - C:\WINDOWS\system32\svchost.exe
      O23 - Service: Appel de procédure distante (RPC) (RpcSs) - Unknown owner - C:\WINDOWS\system32\svchost.exe
      O23 - Service: Planificateur de tâches (Schedule) - Unknown owner - C:\WINDOWS\System32\svchost.exe
      O23 - Service: Connexion secondaire (seclogon) - Unknown owner - C:\WINDOWS\System32\svchost.exe
      O23 - Service: Notification d'événement système (SENS) - Unknown owner - C:\WINDOWS\system32\svchost.exe
      O23 - Service: Pare-feu de connexion Internet (ICF) / Partage de connexion Internet (ICS) (SharedAccess) - Unknown owner - C:\WINDOWS\System32\svchost.exe
      O23 - Service: Détection matériel noyau (ShellHWDetection) - Unknown owner - C:\WINDOWS\System32\svchost.exe
      O23 - Service: Service de restauration système (srservice) - Unknown owner - C:\WINDOWS\System32\svchost.exe
      O23 - Service: Service de découvertes SSDP (SSDPSRV) - Unknown owner - C:\WINDOWS\System32\svchost.exe
      O23 - Service: Acquisition d'image Windows (WIA) (stisvc) - Unknown owner - C:\WINDOWS\System32\svchost.exe
      O23 - Service: Téléphonie (TapiSrv) - Unknown owner - C:\WINDOWS\System32\svchost.exe
      O23 - Service: Services Terminal Server (TermService) - Unknown owner - C:\WINDOWS\System32\svchost.exe
      O23 - Service: Thèmes (Themes) - Unknown owner - C:\WINDOWS\System32\svchost.exe
      O23 - Service: Client de suivi de lien distribué (TrkWks) - Unknown owner - C:\WINDOWS\system32\svchost.exe
      O23 - Service: Gestionnaire de téléchargement (uploadmgr) - Unknown owner - C:\WINDOWS\System32\svchost.exe
      O23 - Service: Hôte de périphérique universel Plug-and-Play (upnphost) - Unknown owner - C:\WINDOWS\System32\svchost.exe
      O23 - Service: Horloge Windows (W32Time) - Unknown owner - C:\WINDOWS\System32\svchost.exe
      O23 - Service: WebClient - Unknown owner - C:\WINDOWS\System32\svchost.exe
      O23 - Service: Infrastructure de gestion Windows (winmgmt) - Unknown owner - C:\WINDOWS\system32\svchost.exe
      O23 - Service: Portable Media Serial Number Service (WmdmPmSN) - Unknown owner - C:\WINDOWS\System32\svchost.exe
      O23 - Service: Extensions du pilote WMI (Wmi) - Unknown owner - C:\WINDOWS\System32\svchost.exe
      O23 - Service: Mises à jour automatiques (wuauserv) - Unknown owner - C:\WINDOWS\system32\svchost.exe
      O23 - Service: Configuration automatique sans fil (WZCSVC) - Unknown owner - C:\WINDOWS\System32\svchost.exe
      0
  15. green day Messages postés 26374 Date d'inscription   Statut Modérateur, Contributeur sécurité Dernière intervention   2 166
     
    Salut

    Télécharger ComboFix (par sUBs) sur le Bureau : http://download.bleepingcomputer.com/sUBs/ComboFix.exe

    * Démarrer en mode sans echec
    * Double cliquer combofix.exe.
    * Appuyer sur la touche Y (Yes) pour démarrer le scan
    * Le rapport sera crée dans: C:\Combofix.txt, poste le stp

    ++
    0
  16. Paulussse
     
    lu all, moi aussi je suis infecté, j'ai fait les démarches et voici le rapport de combofix :
    ComboFix 08-04-14.2 - maxime 2008-04-15 19:31:10.1 - NTFSx86 MINIMAL
    Running from: C:\Documents and Settings\maxime\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_MSUPDATE

    ((((((((((((((((((((((((( Files Created from 2008-03-15 to 2008-04-15 )))))))))))))))))))))))))))))))
    .

    2008-04-13 14:28 . 2008-04-13 14:17 691,545 --a------ C:\WINDOWS\unins000.exe
    2008-04-13 14:28 . 2008-04-13 14:28 2,540 --a------ C:\WINDOWS\unins000.dat
    2008-04-12 20:17 . 2008-03-29 19:31 75,856 --a------ C:\WINDOWS\system32\drivers\aswSP.sys
    2008-04-12 20:17 . 2008-03-29 19:35 20,560 --a------ C:\WINDOWS\system32\drivers\aswFsBlk.sys
    2008-04-09 18:33 . 2008-04-09 18:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ATI
    2008-04-09 18:32 . 2008-04-09 18:32 0 --a------ C:\WINDOWS\ativpsrm.bin
    2008-04-09 16:16 . 2008-04-09 16:16 <DIR> d-------- C:\Program Files\SystemRequirementsLab
    2008-04-09 16:16 . 2008-04-09 16:16 <DIR> d-------- C:\Documents and Settings\maxime\Application Data\SystemRequirementsLab
    2008-04-09 15:59 . 2008-04-09 15:59 669,184 --a------ C:\WINDOWS\system32\pbsvc.exe
    2008-04-09 15:38 . 2008-03-29 22:26 412,485 --a------ C:\WINDOWS\rzr-crys.exe
    2008-04-04 19:31 . 2008-04-05 17:11 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2008-04-04 19:31 . 2008-04-04 19:31 1,409 --a------ C:\WINDOWS\QTFont.for
    2008-03-24 16:58 . 2008-04-06 17:17 <DIR> d-------- C:\Program Files\Phun

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-04-15 17:17 --------- d-----w C:\Program Files\Steam
    2008-04-13 15:44 --------- d-----w C:\Program Files\Electronic Arts
    2008-04-13 15:33 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-04-13 15:28 --------- d-----w C:\Program Files\EA GAMES
    2008-04-13 12:30 --------- d-----w C:\Program Files\Spybot - Search & Destroy
    2008-04-13 12:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-04-12 15:10 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
    2008-04-12 12:37 --------- d-----w C:\Documents and Settings\maxime\Application Data\BitTorrent
    2008-04-12 08:51 --------- d-----w C:\Program Files\Folding@Home
    2008-04-09 18:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
    2008-04-09 16:26 --------- d-----w C:\Program Files\ATI Technologies
    2008-04-09 14:49 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
    2008-04-09 13:59 22,328 ----a-w C:\Documents and Settings\maxime\Application Data\PnkBstrK.sys
    2008-04-06 13:39 --------- d-----w C:\Program Files\Fraps
    2008-03-29 17:35 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
    2008-03-29 17:29 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
    2008-03-29 17:27 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
    2008-03-29 17:26 26,944 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
    2008-03-14 19:12 --------- d-----w C:\Program Files\THQ
    2008-03-13 16:44 --------- d-----w C:\Program Files\Diablo
    2008-03-12 16:12 --------- d-----w C:\Program Files\Savage 2 - A Tortured Soul
    2008-02-27 20:16 --------- d-----w C:\Program Files\TrackMania Nations ESWC
    2008-02-27 20:03 --------- d-----w C:\Program Files\Warcraft III
    2008-02-27 19:36 --------- d-----w C:\Program Files\Sierra Entertainment
    2008-02-27 17:16 --------- d-----w C:\Documents and Settings\maxime\Application Data\BitTorrent DNA
    2008-02-26 05:51 2,863,616 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
    2008-02-26 02:22 49,152 ----a-w C:\WINDOWS\system32\drivers\ati2erec.dll
    2008-02-24 12:49 --------- d-----w C:\Program Files\Ubisoft
    2008-02-24 12:47 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2008-02-18 11:58 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-02-17 17:16 --------- d-----w C:\Program Files\AGEIA Technologies
    2008-02-16 16:24 --------- d-----w C:\Program Files\Heinle
    2007-06-13 10:23 399,988 --sh--r C:\WINDOWS\system32\Sysctrls.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 14:00 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-06 06:56 64512]
    "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-29 19:37 79224]
    "\\DAVID\EPSON Stylus DX4200 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEE.exe" [2005-03-08 06:00 98304]
    "Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-12-10 12:45 49152 C:\WINDOWS\KHALMNPR.Exe]
    "PD0630 STISvc"="P0630Pin.dll" [2005-06-05 19:01 36864 C:\WINDOWS\system32\P0630Pin.dll]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
    "Sysctrls"="Sysctrls.exe" [2007-06-13 12:23 399988 C:\WINDOWS\system32\Sysctrls.exe]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2006-10-12 18:07:53 434176]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
    "InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WiFi Station for Livebox.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WiFi Station for Livebox.lnk
    backup=C:\WINDOWS\pss\WiFi Station for Livebox.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^maxime^Start Menu^Programs^Startup^Folding@Home 5.03.lnk]
    path=C:\Documents and Settings\maxime\Start Menu\Programs\Startup\Folding@Home 5.03.lnk
    backup=C:\WINDOWS\pss\Folding@Home 5.03.lnkStartup

    [HKLM\~\startupfolder\C:^Documents and Settings^maxime^Start Menu^Programs^Startup^Registration Ghost Recon Advanced Warfighter® 2 Demo SP.LNK]
    path=C:\Documents and Settings\maxime\Start Menu\Programs\Startup\Registration Ghost Recon Advanced Warfighter® 2 Demo SP.LNK
    backup=C:\WINDOWS\pss\Registration Ghost Recon Advanced Warfighter® 2 Demo SP.LNKStartup

    [HKLM\~\startupfolder\C:^Documents and Settings^maxime^Start Menu^Programs^Startup^Registration Ghost Recon Advanced Warfighter® 2.LNK]
    path=C:\Documents and Settings\maxime\Start Menu\Programs\Startup\Registration Ghost Recon Advanced Warfighter® 2.LNK
    backup=C:\WINDOWS\pss\Registration Ghost Recon Advanced Warfighter® 2.LNKStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    --a------ 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlwaysReady Power Message APP]
    --a------ 2005-08-03 09:19 77312 C:\WINDOWS\arpwrmsg.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
    C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
    --a------ 2008-04-08 18:17 587568 C:\Program Files\BitTorrent\bittorrent.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
    --a------ 2007-11-23 20:47 286016 C:\Program Files\BitTorrent_DNA\dna.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
    c:\Program Files\Common Files\Symantec Shared\ccApp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]
    --a------ 2005-09-21 19:41 1605740 C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    --a------ 2004-10-14 01:24 1694208 C:\Program Files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2007-12-11 11:56 286720 C:\Program Files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
    --a------ 2008-01-21 12:17 61440 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
    --a------ 2008-04-09 18:28 1271032 C:\Program Files\Steam\Steam.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    --a------ 2007-07-12 04:00 132496 C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sysctrls]
    -r-hs---- 2007-06-13 12:23 399988 C:\WINDOWS\system32\Sysctrls.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    --a--c--- 2005-11-11 23:16 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\URLLSTCK.exe]
    c:\Program Files\Norton Internet Security\UrlLstCk.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "ATI Smart"=2 (0x2)
    "Ati HotKey Poller"=2 (0x2)
    "Fax"=3 (0x3)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "New.net Startup"=rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\BitTorrent\\bittorrent.exe"=
    "C:\\Program Files\\THQ\\Gas Powered Games\\Supreme Commander\\bin\\SupremeCommander.exe"=
    "C:\\Program Files\\THQ\\Gas Powered Games\\GPGNet\\GPG.Multiplayer.Client.exe"=
    "C:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\XR_3DA.exe"=
    "C:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\dedicated\\XR_3DA.exe"=
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\MSN Messenger\\livecall.exe"=
    "C:\\Program Files\\Steam\\steamapps\\dsudret\\counter-strike source\\hl2.exe"=
    "C:\\Program Files\\Warcraft III\\Warcraft III.exe"=
    "C:\\Program Files\\Steam\\Steam.exe"=
    "C:\\Program Files\\Steam\\steamapps\\dsudret\\team fortress 2\\hl2.exe"=
    "C:\\Program Files\\Steam\\steamapps\\dsudret\\half-life 2 deathmatch\\hl2.exe"=
    "C:\\Program Files\\Ubisoft\\Ghost Recon Advanced Warfighter 2\\graw2.exe"=
    "C:\\Program Files\\Steam\\steamapps\\msudret\\half-life 2 deathmatch\\hl2.exe"=
    "C:\\WINDOWS\\system32\\PnkBstrA.exe"=
    "C:\\WINDOWS\\system32\\PnkBstrB.exe"=
    "C:\\Program Files\\BitTorrent_DNA\\dna.exe"=
    "C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic.exe"=
    "C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_online.exe"=
    "C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_ds.exe"=
    "C:\\Program Files\\THQ\\Dawn of War\\W40k.exe"=
    "C:\\Program Files\\Diablo II\\Game.exe"=
    "C:\\Program Files\\THQ\\Dawn of War - Dark Crusade\\DarkCrusade.exe"=
    "C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
    "C:\\Program Files\\TrackMania Nations ESWC\\TmNationsESWC.exe"=
    "C:\\Program Files\\Empire Interactive\\FlatOut 2\\flatout2.exe"=
    "C:\\Program Files\\Steam\\steamapps\\dsudret\\dark messiah might and magic multi-player\\mm.exe"=
    "C:\\Program Files\\Sierra Entertainment\\TimeShift MP Demo\\bin\\TimeShift.exe"=
    "C:\\Program Files\\Savage 2 - A Tortured Soul\\savage2.exe"=
    "C:\\Program Files\\THQ\\Titan Quest\\Titan Quest.exe"=
    "C:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
    "C:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
    "C:\\WINDOWS\\system32\\Sysctrls.exe"=

    S1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 19:31]
    S2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 19:35]
    S3 lac97inf;lac97inf;C:\DOCUME~1\maxime\LOCALS~1\Temp\lac97inf.sys []
    S3 P0630VID;Creative WebCam Live!;C:\WINDOWS\system32\DRIVERS\P0630Vid.sys [2005-06-06 03:44]
    S3 ZDCndis5;ZDCndis5 Protocol Driver;C:\WINDOWS\system32\ZDCndis5.SYS []

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-12-17 15:54:25 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    .
    **************************************************************************

    catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-04-15 19:41:25
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
    "\\\\DAVID\\EPSON Stylus DX4200 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATIAEE.EXE /P34 \"\\\\DAVID\\EPSON Stylus DX4200 Series\" /O6 \"USB001\" /M \"Stylus DX4200\""
    .
    Completion time: 2008-04-15 19:47:34
    ComboFix-quarantined-files.txt 2008-04-15 17:47:29

    Pre-Run: 75,128,401,920 bytes free
    Post-Run: 75,038,810,112 bytes free
    .
    2008-04-09 18:45:20 --- E O F ---
    0