Infection Win32:Obfuscated-EER

Résolu
nckgr -  
 Paulussse -
Bonjour,

je suis infecté par le trojan Win32:Obfuscated-EER. Avast ne semble pas pouvoir en venir à bout.
Je précise que c'est mon pc professionnel qui est infecté et que je souhaiterais dans la mesure du possible ne pas avoir à désinstaller Avast.
Merci d'avance pour votre aide.

Nckgr

15 réponses

Réponse 1 / 15
green day Messages postés 26374 Date d'inscription   Statut Modérateur, Contributeur sécurité Dernière intervention   2 163
 
Salut

Télécharge ceci :

Lien : http://www.commentcamarche.net/telecharger/telecharger 159 hijackthis

Démo : http://pageperso.aol.fr/balltrap34/demohijack.htm

Choisir l'option "do a scan and a logfile", et faire un copier/coller du rapport ainsi générer sur le forum.

++
0
Réponse 2 / 15
nckgr
 
voilà le rapport hijackthis :

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:17:11, on 30/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\00THotkey.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\SigmaTel\Pilotes Audio SigmaTel AC97\stacmon.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\Commandes TOSHIBA\TFncKy.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9LE.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Documents and Settings\xxx\Application Data\Simply Super Software\Trojan Remover\reo2.exe
C:\Documents and Settings\xxx\Application Data\Simply Super Software\Trojan Remover\reo2.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://news.google.com/topstories?hl=fr&gl=FR&ceid=FR:fr
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/?ocid=iehp
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\Pilotes Audio SigmaTel AC97\stacmon.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [\\AGS-SVR01\EPSON Stylus Photo R1800] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9LE.EXE /P36 "\\AGS-SVR01\EPSON Stylus Photo R1800" /O6 "USB001" /M "Stylus Photo R1800"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O16 - DPF: {104B0A37-AB99-4F06-8032-8BBDC3B77DDB} (Telechargement Control) - http://www2.photoweb.fr/telechargement/Photoweb_uploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ags.local
O17 - HKLM\Software\..\Telephony: DomainName = ags.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{2B89E77F-3ED2-4B9B-88DF-6DDE6AD0527E}: NameServer = 212.27.53.252,212.27.54.252
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ags.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{2B89E77F-3ED2-4B9B-88DF-6DDE6AD0527E}: NameServer = 212.27.53.252,212.27.54.252
O20 - Winlogon Notify: ur32megareg - C:\Documents and Settings\All Users\Documents\Settings\ur32mega.dll (file missing)
O23 - Service: Gestion d'applications (AppMgmt) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Audio Windows (AudioSrv) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Service de transfert intelligent en arrière-plan (BITS) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Explorateur d'ordinateur (Browser) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Services de cryptographie (CryptSvc) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Lanceur de processus serveur DCOM (DcomLaunch) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Client DHCP (Dhcp) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Gestionnaire de disque logique (dmserver) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Client DNS (Dnscache) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Service de rapport d'erreurs (ERSvc) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Système d'événements de COM+ (EventSystem) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Compatibilité avec le Changement rapide d'utilisateur (FastUserSwitchingCompatibility) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Aide et support (helpsvc) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Moniteur infrarouge (Irmon) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Serveur (lanmanserver) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Station de travail (lanmanworkstation) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Assistance TCP/IP NetBIOS (LmHosts) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Connexions réseau (Netman) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: NLA (Network Location Awareness) (Nla) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Stockage amovible (NtmsSvc) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Gestionnaire de connexion automatique d'accès distant (RasAuto) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Gestionnaire de connexions d'accès distant (RasMan) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Accès à distance au Registre (RemoteRegistry) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Appel de procédure distante (RPC) (RpcSs) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Planificateur de tâches (Schedule) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Connexion secondaire (seclogon) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Notification d'événement système (SENS) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Détection matériel noyau (ShellHWDetection) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Service de restauration système (srservice) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Service de découvertes SSDP (SSDPSRV) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Acquisition d'image Windows (WIA) (stisvc) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Téléphonie (TapiSrv) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Services Terminal Server (TermService) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Thèmes (Themes) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Client de suivi de lien distribué (TrkWks) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Hôte de périphérique universel Plug-and-Play (upnphost) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: vtigercrm4_2 - Unknown owner - C:\Program Files\vtigerCRM4_2\apache\bin\Apache.exe (file missing)
O23 - Service: Horloge Windows (W32Time) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: WebClient - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Infrastructure de gestion Windows (winmgmt) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Service de numéro de série du lecteur multimédia portable (WmdmPmSN) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Extensions du pilote WMI (Wmi) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Mises à jour automatiques (wuauserv) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Windows Driver Foundation - User-mode Driver Framework (WudfSvc) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Configuration automatique sans fil (WZCSVC) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Service d'approvisionnement réseau (xmlprov) - Unknown owner - C:\WINDOWS\System32\svchost.exe
0
Réponse 3 / 15
green day Messages postés 26374 Date d'inscription   Statut Modérateur, Contributeur sécurité Dernière intervention   2 163
 
ok,

Télécharger ComboFix (par sUBs) sur le Bureau : http://download.bleepingcomputer.com/sUBs/ComboFix.exe

* Démarrer en mode sans echec
* Double cliquer combofix.exe.
* Appuyer sur la touche Y (Yes) pour démarrer le scan
* Le rapport sera crée dans: C:\Combofix.txt, poste le stp

++
0
Réponse 4 / 15
nckgr
 
rapport combofix :

ComboFix 08-01-31.1 - xxxx 2008-01-30 22:33:14.1 - NTFSx86 NETWORK
Microsoft Windows XP Professionnel 5.1.2600.2.1252.1.1036.18.374 [GMT 1:00]
Endroit: C:\Documents and Settings\xxxx\Bureau\ComboFix.exe

[color=red][b]AVERTISSEMENT - LA CONSOLE DE RÉCUPÉRATION N'EST PAS INSTALLÉE SUR CETTE MACHINE !![/b][/color]
.
[i] ADS - svchost.exe: deleted 24064 bytes in 1 streams. [/i]

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users.\documents\settings
C:\Documents and Settings\All Users.\documents\settings\desktop.ini
C:\Program Files\network monitor
C:\WINDOWS\keyboard21.dat
C:\WINDOWS\Temp\2009914126.exe
C:\WINDOWS\uninstall_nmon.vbs

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_ICF
-------\ICF
-------\nm


((((((((((((((((((((((((((((( Fichiers cr‚‚s 2007-12-28 to 2008-01-31 ))))))))))))))))))))))))))))))))))))
.

2008-01-30 21:53 . 2008-01-30 22:21 <REP> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-30 21:51 . 2008-01-31 22:38 <REP> d-------- C:\Program Files\Trojan Remover
2008-01-30 21:51 . 2008-01-30 21:51 <REP> d-------- C:\Documents and Settings\xxxx\Application Data\Simply Super Software
2008-01-30 21:51 . 2003-02-02 19:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2008-01-30 21:51 . 2002-03-06 00:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2008-01-24 23:34 . 2008-01-29 22:58 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-24 23:34 . 2008-01-24 23:34 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-06 23:00 . 2008-01-06 23:00 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Pok3d
2008-01-02 19:43 . 2008-01-02 19:43 <REP> d-------- C:\Program Files\mIRC
2008-01-02 19:43 . 2008-01-02 19:58 <REP> d-------- C:\Documents and Settings\xxxx\Application Data\mIRC
2007-12-21 23:00 . 2007-12-21 23:00 <REP> d-------- C:\Documents and Settings\xxxx\Application Data\Talkback
2007-12-21 23:00 . 2007-12-21 23:00 0 --a------ C:\WINDOWS\nsreg.dat

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-30 21:09 --------- d-----w C:\Program Files\Trend Micro
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2006-05-03 09:06 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll
2007-02-21 10:47 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll
2005-07-29 15:24 472 --sha-r C:\WINDOWS\Tmljb2xhcyBHYXJyaWRv\nA53vZU1wV1JsrLVuqlS.vbs
.

((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* les ‚l‚ments vides & les ‚l‚ments initiaux l‚gitimes ne sont pas list‚s

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-05 12:00 15360]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-15 17:19 65536]
"ccleaner"="C:\Program Files\CCleaner\ccleaner.exe" [2006-02-13 15:49 565248]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-08-28 16:21 4861952]
"00THotkey"="C:\WINDOWS\system32\[u]0[/u]0THotkey.exe" [2004-08-11 11:36 253952]
"000StTHK"="000StTHK.exe" [2001-06-23 20:28 24576 C:\WINDOWS\system32\[u]0[/u]00StTHK.exe]
"TFNF5"="TFNF5.exe" [2003-07-18 16:41 73728 C:\WINDOWS\system32\TFNF5.exe]
"SigmaTel StacMon"="C:\Program Files\SigmaTel\Pilotes Audio SigmaTel AC97\stacmon.exe" [2003-08-03 15:01 86073]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-01-22 16:09 98304]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-01-22 16:08 495616]
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2003-03-11 13:58 122880]
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2003-09-26 14:43 184320]
"AGRSMMSG"="AGRSMMSG.exe" [2004-02-20 14:00 88363 C:\WINDOWS\agrsmmsg.exe]
"TPSMain"="TPSMain.exe" [2004-06-28 11:39 266240 C:\WINDOWS\system32\TPSMain.exe]
"TFncKy"="TFncKy.exe" []
"NDSTray.exe"="NDSTray.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-05 12:00 144384]
"\\AGS-SVR01\EPSON Stylus Photo R1800"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9LE.exe" [2004-09-08 02:00 98304]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-11-19 22:55 155648]
"TrojanScanner"="C:\Program Files\Trojan Remover\Trjscan.exe" [2008-01-30 22:22 737872]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-05 12:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ur32megareg]
C:\Documents and Settings\All Users\Documents\Settings\ur32mega.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3001051914-2764525902-2624039741-1196\Scripts\Logon\[u]0[/u]\[u]0[/u]]
"Script"=logon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3001051914-2764525902-2624039741-500\Scripts\Logon\[u]0[/u]\[u]0[/u]]
"Script"=logon.cmd

[HKLM\~\startupfolder\C:^Documents and Settings^xxxxx^Menu Démarrer^Programmes^Démarrage^Lancement rapide de Microsoft Office OneNote 2003.lnk]
path=C:\Documents and Settings\xxxxx\Menu Démarrer\Programmes\Démarrage\Lancement rapide de Microsoft Office OneNote 2003.lnk
backup=C:\WINDOWS\pss\Lancement rapide de Microsoft Office OneNote 2003.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2005-10-18 11:58 278528 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
-ra------ 2003-08-28 16:21 323584 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-11-19 22:55 155648 C:\Program Files\QuickTime\qttask.exe

S2 vtigercrm4_2;vtigercrm4_2;"C:\Program Files\vtigerCRM4_2\apache\bin\Apache.exe" []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{26c93275-0795-11dc-a2a1-000e35a3f0f4}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
Contenu du dossier 'Scheduled Tasks/Tƒches planifi‚es'
"2005-04-21 14:16:15 C:\WINDOWS\Tasks\Rappel d'enregistrement 2.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
"2005-04-21 14:16:15 C:\WINDOWS\Tasks\Rappel d'enregistrement 3.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
"2008-01-31 21:41:00 C:\WINDOWS\Tasks\vtigerCRM Email Reminder.job"
- C:\PROGRA~1\VTIGER~1\apache\htdocs\vtigerCRM\modules\Activities\SendReminder.bat
"2008-01-14 10:00:00 C:\WINDOWS\Tasks\vtigerCRM Notification Scheduler.job"
- C:\PROGRA~1\VTIGER~1\apache\htdocs\vtigerCRM\cron\intimateTaskStatus.bat
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-31 22:38:27
Windows 5.1.2600 Service Pack 2 NTFS

Balayage processus cach‚s ...

Balayage cach‚ autostart entries ...

Balayage des fichiers cach‚s ...

Scan termin‚ avec succŠs
Les fichiers cach‚s: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"\\\\AGS-SVR01\\EPSON Stylus Photo R1800"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATI9LE.EXE /P36 \"\\\\AGS-SVR01\\EPSON Stylus Photo R1800\" /O6 \"USB001\" /M \"Stylus Photo R1800\""
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\[u]0[/u]0THotkey.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\SigmaTel\Pilotes Audio SigmaTel AC97\stacmon.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\Commandes TOSHIBA\TFncKy.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9LE.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
.
**************************************************************************
.
Temps d'accomplissement: 2008-01-31 22:41:19 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-31 21:41:10
.
2008-01-08 22:54:00 --- E O F ---
0

Vous n’avez pas trouvé la réponse que vous recherchez ?

Posez votre question
Réponse 5 / 15
green day Messages postés 26374 Date d'inscription   Statut Modérateur, Contributeur sécurité Dernière intervention   2 163
 
ok, fais ce qui est indiqué ici stp :

http://www.commentcamarche.net/faq/sujet 3174 virus methode preliminaire de desinfection version fr

++
0
Réponse 6 / 15
nckgr
 
1) Ccleaner passé

2) Rapport AVG anti-spyware (NB : les éléments détectés ont été nettoyés après l'édition du rapport)---------------------------------------------------------
AVG Anti-Spyware - Rapport d'analyse
---------------------------------------------------------

+ Créé à: 23:41 2008-01-31

+ Résultat de l'analyse:



C:\Program Files\Fichiers communs\ikzf\ikzfd\vocabulary -> Downloader.TSUpdate.j : Aucune action entreprise.
C:\Documents and Settings\societe\Cookies\societe@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Aucune action entreprise.
C:\Documents and Settings\societe\Cookies\societe@atdmt[2].txt -> TrackingCookie.Atdmt : Aucune action entreprise.
C:\Documents and Settings\nckgr\Cookies\nckgr@atdmt[2].txt -> TrackingCookie.Atdmt : Aucune action entreprise.
C:\Documents and Settings\societe\Cookies\societe@bluestreak[1].txt -> TrackingCookie.Bluestreak : Aucune action entreprise.
C:\Documents and Settings\nckgr\Cookies\nckgr@bluestreak[1].txt -> TrackingCookie.Bluestreak : Aucune action entreprise.
C:\Documents and Settings\societe\Cookies\societe@doubleclick[1].txt -> TrackingCookie.Doubleclick : Aucune action entreprise.
C:\Documents and Settings\societe\Cookies\societe@as1.falkag[2].txt -> TrackingCookie.Falkag : Aucune action entreprise.
C:\Documents and Settings\societe\Cookies\societe@serving-sys[2].txt -> TrackingCookie.Serving-sys : Aucune action entreprise.
C:\Documents and Settings\societe\Cookies\societe@www.smartadserver[2].txt -> TrackingCookie.Smartadserver : Aucune action entreprise.
C:\Documents and Settings\societe\Cookies\societe@statcounter[1].txt -> TrackingCookie.Statcounter : Aucune action entreprise.
C:\Documents and Settings\societe\Cookies\societe@tacoda[1].txt -> TrackingCookie.Tacoda : Aucune action entreprise.
C:\Documents and Settings\societe\Cookies\societe@weborama[1].txt -> TrackingCookie.Weborama : Aucune action entreprise.
C:\QooBox\Quarantine\C\WINDOWS\uninstall_nmon.vbs.vir -> Trojan.Small : Aucune action entreprise.


Fin du rapport

3) Rapport BitDefender

BitDefender Online Scanner



Scan report generated at: Fri, Feb 01, 2008 - 07:59:04





Scan path: C:\;D:\;







Statistics

Time
08:10:22

Files
246257

Folders
5255

Boot Sectors
2

Archives
7268

Packed Files
11558




Results

Identified Viruses
2

Infected Files
5

Suspect Files
0

Warnings
0

Disinfected
0

Deleted Files
5




Engines Info

Virus Definitions
978260

Engine build
AVCORE v1.0 (build 2422) (i386) (Sep 25 2007 08:26:36)

Scan plugins
16

Archive plugins
41

Unpack plugins
7

E-mail plugins
6

System plugins
5




Scan Settings

First Action
Disinfect

Second Action
Delete

Heuristics
Yes

Enable Warnings
Yes

Scanned Extensions
*;

Exclude Extensions


Scan Emails
Yes

Scan Archives
Yes

Scan Packed
Yes

Scan Files
Yes

Scan Boot
Yes




Scanned File
Status

C:\Program Files\Alwil Software\Avast4\DATA\moved\exe.exe=>:$DATA
Infected with: Dropped:Backdoor.Agent.ZCI

C:\Program Files\Alwil Software\Avast4\DATA\moved\exe.exe=>:$DATA
Disinfection failed

C:\Program Files\Alwil Software\Avast4\DATA\moved\exe.exe=>:$DATA
Deleted

C:\Program Files\Alwil Software\Avast4\DATA\moved\exe.exe
Updated

C:\Program Files\Alwil Software\Avast4\DATA\moved\exe.exe=>:$DATA.2
Infected with: Dropped:Backdoor.Agent.ZCI

C:\Program Files\Alwil Software\Avast4\DATA\moved\exe.exe=>:$DATA.2
Disinfection failed

C:\Program Files\Alwil Software\Avast4\DATA\moved\exe.exe=>:$DATA.2
Deleted

C:\Program Files\Alwil Software\Avast4\DATA\moved\exe.exe
Updated

C:\QooBox\Quarantine\C\WINDOWS\Temp\2009914126.exe.vir
Infected with: BehavesLike:Win32.ExplorerHijack

C:\QooBox\Quarantine\C\WINDOWS\Temp\2009914126.exe.vir
Disinfection failed

C:\QooBox\Quarantine\C\WINDOWS\Temp\2009914126.exe.vir
Deleted

C:\System Volume Information\_restore{C93053C6-2A30-4C77-8117-AA8DAB8EF892}\RP1\A0000084.exe=>:$DATA
Infected with: Dropped:Backdoor.Agent.ZCI

C:\System Volume Information\_restore{C93053C6-2A30-4C77-8117-AA8DAB8EF892}\RP1\A0000084.exe=>:$DATA
Disinfection failed

C:\System Volume Information\_restore{C93053C6-2A30-4C77-8117-AA8DAB8EF892}\RP1\A0000084.exe=>:$DATA
Deleted

C:\System Volume Information\_restore{C93053C6-2A30-4C77-8117-AA8DAB8EF892}\RP1\A0000084.exe
Updated

C:\System Volume Information\_restore{C93053C6-2A30-4C77-8117-AA8DAB8EF892}\RP1\A0000084.exe=>:$DATA.2
Infected with: Dropped:Backdoor.Agent.ZCI

C:\System Volume Information\_restore{C93053C6-2A30-4C77-8117-AA8DAB8EF892}\RP1\A0000084.exe=>:$DATA.2
Disinfection failed

C:\System Volume Information\_restore{C93053C6-2A30-4C77-8117-AA8DAB8EF892}\RP1\A0000084.exe=>:$DATA.2
Deleted

C:\System Volume Information\_restore{C93053C6-2A30-4C77-8117-AA8DAB8EF892}\RP1\A0000084.exe
Updated


4) Rapport HiJackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:06, on 2008-02-01
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\00THotkey.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\SigmaTel\Pilotes Audio SigmaTel AC97\stacmon.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\Commandes TOSHIBA\TFncKy.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9LE.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://news.google.com/topstories?hl=fr&gl=FR&ceid=FR:fr
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/?ocid=iehp
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\Pilotes Audio SigmaTel AC97\stacmon.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [\\AGS-SVR01\EPSON Stylus Photo R1800] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9LE.EXE /P36 "\\AGS-SVR01\EPSON Stylus Photo R1800" /O6 "USB001" /M "Stylus Photo R1800"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O16 - DPF: {104B0A37-AB99-4F06-8032-8BBDC3B77DDB} (Telechargement Control) - http://www2.photoweb.fr/telechargement/Photoweb_uploader.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ags.local
O17 - HKLM\Software\..\Telephony: DomainName = ags.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{2B89E77F-3ED2-4B9B-88DF-6DDE6AD0527E}: NameServer = 212.27.53.252,212.27.54.252
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ags.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{2B89E77F-3ED2-4B9B-88DF-6DDE6AD0527E}: NameServer = 212.27.53.252,212.27.54.252
O20 - Winlogon Notify: ur32megareg - C:\Documents and Settings\All Users\Documents\Settings\ur32mega.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: vtigercrm4_2 - Unknown owner - C:\Program Files\vtigerCRM4_2\apache\bin\Apache.exe (file missing)
0
Réponse 7 / 15
green day Messages postés 26374 Date d'inscription   Statut Modérateur, Contributeur sécurité Dernière intervention   2 163
 
Salut

ok, comment évolue la situation ??

++
0
Réponse 8 / 15
nckgr
 
salut,

j'ai fait tout ce que tu m'as demandé (cf. rapports plus haut) donc je suis plutôt à l'écoute d'une expertise des rapports.

Merci d'avance.
0
Réponse 9 / 15
green day Messages postés 26374 Date d'inscription   Statut Modérateur, Contributeur sécurité Dernière intervention   2 163
 
pas mal de bébéttes ont été supprimé ! mais il faut me dire comment ça évolue de ton coté ! :)

++
0
Réponse 10 / 15
nckgr
 
aucun signe négatif depuis que j'ai lancé le PC.
J'ai fait un scan avast sur le répertoire system32 qui contient le fichier svchost.exe qui déclenchait à chaque fois l'alerte ==> aucun signe cette fois de la part d'avast.

Maintenant, as-tu vu d'autres choses à nettoyer, pas forcément en rapport avec ce trojan ? j'ai lu dans les rapports quelques échecs de nettoyage...

Merci.
0
Réponse 11 / 15
green day Messages postés 26374 Date d'inscription   Statut Modérateur, Contributeur sécurité Dernière intervention   2 163
 
ok, à supprimer, juste ceci :

Relance HijackThis : choisis " do a scan only" coche la case devant les lignes ci-dessous et clique en bas sur "fix checked" :


O20 - Winlogon Notify: ur32megareg - C:\Documents and Settings\All Users\Documents\Settings\ur32mega.dll (file missing)

++

0
Réponse 12 / 15
nckgr
 
c'est fait !

si tout le reste est ok selon toi, je te remercie beaucoup pour ton aide.
0
Réponse 13 / 15
green day Messages postés 26374 Date d'inscription   Statut Modérateur, Contributeur sécurité Dernière intervention   2 163
 
oui, c'est tout bon ;-)

installe un parefeu !

==> voir ici : http://www.commentcamarche.net/faq/sujet 2432 securite proteger un ordinateur contre les malwares d internet

@+
0
pitance Messages postés 1 Date d'inscription   Statut Membre Dernière intervention  
 
Bonjour, je suis infecté par le même virus, voici le rapport Hijackthis :



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:48:39, on 25/02/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
F:\antivirus gratuit Avast\aswUpdSv.exe
F:\antivirus gratuit Avast\ashServ.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
F:\ANTIVI~1\ashDisp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
F:\Ad Aware\aawservice.exe
F:\antivirus gratuit Avast\ashWebSv.exe
F:\antivirus gratuit Avast\ashMaiSv.exe
F:\Emule\emule.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
F:\Winamp\winamp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.fr/?gws_rd=ssl
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Aide pour le lien d'Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] F:\ANTIVI~1\ashDisp.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Fichiers communs\Adobe\Updater5\AdobeUpdater.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON SMART PANEL for Scanner.lnk = C:\Program Files\EPSON\EPSON SMART PANEL for Scanner\espmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - F:\Ad Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Fichiers communs\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avertissement (Alerter) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Gestion d'applications (AppMgmt) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - F:\antivirus gratuit Avast\aswUpdSv.exe
O23 - Service: Audio Windows (AudioSrv) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: avast! Antivirus - ALWIL Software - F:\antivirus gratuit Avast\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - F:\antivirus gratuit Avast\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - F:\antivirus gratuit Avast\ashWebSv.exe
O23 - Service: Service de transfert intelligent en arrière-plan (BITS) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Explorateur d'ordinateur (Browser) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Services de cryptographie (CryptSvc) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Client DHCP (Dhcp) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Gestionnaire de disque logique (dmserver) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Client DNS (Dnscache) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Service de rapport d'erreurs (ERSvc) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Système d'événements de COM+ (EventSystem) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Compatibilité avec le Changement rapide d'utilisateur (FastUserSwitchingCompatibility) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Aide et support (helpsvc) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: HID Input Service (HidServ) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: ICF - Unknown owner - C:\WINDOWS\System32\svchost.exe:exe.exe
O23 - Service: Serveur (lanmanserver) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Station de travail (lanmanworkstation) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Assistance TCP/IP NetBIOS (LmHosts) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Affichage des messages (Messenger) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Connexions réseau (Netman) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: NLA (Network Location Awareness) (Nla) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Stockage amovible (NtmsSvc) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Gestionnaire de connexion automatique d'accès distant (RasAuto) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Gestionnaire de connexions d'accès distant (RasMan) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Accès à distance au Registre (RemoteRegistry) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Appel de procédure distante (RPC) (RpcSs) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Planificateur de tâches (Schedule) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Connexion secondaire (seclogon) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Notification d'événement système (SENS) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Pare-feu de connexion Internet (ICF) / Partage de connexion Internet (ICS) (SharedAccess) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Détection matériel noyau (ShellHWDetection) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Service de restauration système (srservice) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Service de découvertes SSDP (SSDPSRV) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Acquisition d'image Windows (WIA) (stisvc) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Téléphonie (TapiSrv) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Services Terminal Server (TermService) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Thèmes (Themes) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Client de suivi de lien distribué (TrkWks) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Gestionnaire de téléchargement (uploadmgr) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Hôte de périphérique universel Plug-and-Play (upnphost) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Horloge Windows (W32Time) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: WebClient - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Infrastructure de gestion Windows (winmgmt) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Portable Media Serial Number Service (WmdmPmSN) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Extensions du pilote WMI (Wmi) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Mises à jour automatiques (wuauserv) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Configuration automatique sans fil (WZCSVC) - Unknown owner - C:\WINDOWS\System32\svchost.exe
0
Réponse 14 / 15
green day Messages postés 26374 Date d'inscription   Statut Modérateur, Contributeur sécurité Dernière intervention   2 163
 
Salut

Télécharger ComboFix (par sUBs) sur le Bureau : http://download.bleepingcomputer.com/sUBs/ComboFix.exe

* Démarrer en mode sans echec
* Double cliquer combofix.exe.
* Appuyer sur la touche Y (Yes) pour démarrer le scan
* Le rapport sera crée dans: C:\Combofix.txt, poste le stp

++
0
Réponse 15 / 15
Paulussse
 
lu all, moi aussi je suis infecté, j'ai fait les démarches et voici le rapport de combofix :
ComboFix 08-04-14.2 - maxime 2008-04-15 19:31:10.1 - NTFSx86 MINIMAL
Running from: C:\Documents and Settings\maxime\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MSUPDATE


((((((((((((((((((((((((( Files Created from 2008-03-15 to 2008-04-15 )))))))))))))))))))))))))))))))
.

2008-04-13 14:28 . 2008-04-13 14:17 691,545 --a------ C:\WINDOWS\unins000.exe
2008-04-13 14:28 . 2008-04-13 14:28 2,540 --a------ C:\WINDOWS\unins000.dat
2008-04-12 20:17 . 2008-03-29 19:31 75,856 --a------ C:\WINDOWS\system32\drivers\aswSP.sys
2008-04-12 20:17 . 2008-03-29 19:35 20,560 --a------ C:\WINDOWS\system32\drivers\aswFsBlk.sys
2008-04-09 18:33 . 2008-04-09 18:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ATI
2008-04-09 18:32 . 2008-04-09 18:32 0 --a------ C:\WINDOWS\ativpsrm.bin
2008-04-09 16:16 . 2008-04-09 16:16 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2008-04-09 16:16 . 2008-04-09 16:16 <DIR> d-------- C:\Documents and Settings\maxime\Application Data\SystemRequirementsLab
2008-04-09 15:59 . 2008-04-09 15:59 669,184 --a------ C:\WINDOWS\system32\pbsvc.exe
2008-04-09 15:38 . 2008-03-29 22:26 412,485 --a------ C:\WINDOWS\rzr-crys.exe
2008-04-04 19:31 . 2008-04-05 17:11 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-04 19:31 . 2008-04-04 19:31 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-24 16:58 . 2008-04-06 17:17 <DIR> d-------- C:\Program Files\Phun

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-15 17:17 --------- d-----w C:\Program Files\Steam
2008-04-13 15:44 --------- d-----w C:\Program Files\Electronic Arts
2008-04-13 15:33 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-13 15:28 --------- d-----w C:\Program Files\EA GAMES
2008-04-13 12:30 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-13 12:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-12 15:10 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-04-12 12:37 --------- d-----w C:\Documents and Settings\maxime\Application Data\BitTorrent
2008-04-12 08:51 --------- d-----w C:\Program Files\Folding@Home
2008-04-09 18:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-09 16:26 --------- d-----w C:\Program Files\ATI Technologies
2008-04-09 14:49 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-09 13:59 22,328 ----a-w C:\Documents and Settings\maxime\Application Data\PnkBstrK.sys
2008-04-06 13:39 --------- d-----w C:\Program Files\Fraps
2008-03-29 17:35 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2008-03-29 17:29 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2008-03-29 17:27 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2008-03-29 17:26 26,944 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2008-03-14 19:12 --------- d-----w C:\Program Files\THQ
2008-03-13 16:44 --------- d-----w C:\Program Files\Diablo
2008-03-12 16:12 --------- d-----w C:\Program Files\Savage 2 - A Tortured Soul
2008-02-27 20:16 --------- d-----w C:\Program Files\TrackMania Nations ESWC
2008-02-27 20:03 --------- d-----w C:\Program Files\Warcraft III
2008-02-27 19:36 --------- d-----w C:\Program Files\Sierra Entertainment
2008-02-27 17:16 --------- d-----w C:\Documents and Settings\maxime\Application Data\BitTorrent DNA
2008-02-26 05:51 2,863,616 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
2008-02-26 02:22 49,152 ----a-w C:\WINDOWS\system32\drivers\ati2erec.dll
2008-02-24 12:49 --------- d-----w C:\Program Files\Ubisoft
2008-02-24 12:47 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-18 11:58 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-17 17:16 --------- d-----w C:\Program Files\AGEIA Technologies
2008-02-16 16:24 --------- d-----w C:\Program Files\Heinle
2007-06-13 10:23 399,988 --sh--r C:\WINDOWS\system32\Sysctrls.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 14:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-06 06:56 64512]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-29 19:37 79224]
"\\DAVID\EPSON Stylus DX4200 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEE.exe" [2005-03-08 06:00 98304]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-12-10 12:45 49152 C:\WINDOWS\KHALMNPR.Exe]
"PD0630 STISvc"="P0630Pin.dll" [2005-06-05 19:01 36864 C:\WINDOWS\system32\P0630Pin.dll]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Sysctrls"="Sysctrls.exe" [2007-06-13 12:23 399988 C:\WINDOWS\system32\Sysctrls.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2006-10-12 18:07:53 434176]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WiFi Station for Livebox.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WiFi Station for Livebox.lnk
backup=C:\WINDOWS\pss\WiFi Station for Livebox.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^maxime^Start Menu^Programs^Startup^Folding@Home 5.03.lnk]
path=C:\Documents and Settings\maxime\Start Menu\Programs\Startup\Folding@Home 5.03.lnk
backup=C:\WINDOWS\pss\Folding@Home 5.03.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^maxime^Start Menu^Programs^Startup^Registration Ghost Recon Advanced Warfighter® 2 Demo SP.LNK]
path=C:\Documents and Settings\maxime\Start Menu\Programs\Startup\Registration Ghost Recon Advanced Warfighter® 2 Demo SP.LNK
backup=C:\WINDOWS\pss\Registration Ghost Recon Advanced Warfighter® 2 Demo SP.LNKStartup

[HKLM\~\startupfolder\C:^Documents and Settings^maxime^Start Menu^Programs^Startup^Registration Ghost Recon Advanced Warfighter® 2.LNK]
path=C:\Documents and Settings\maxime\Start Menu\Programs\Startup\Registration Ghost Recon Advanced Warfighter® 2.LNK
backup=C:\WINDOWS\pss\Registration Ghost Recon Advanced Warfighter® 2.LNKStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlwaysReady Power Message APP]
--a------ 2005-08-03 09:19 77312 C:\WINDOWS\arpwrmsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
--a------ 2008-04-08 18:17 587568 C:\Program Files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
--a------ 2007-11-23 20:47 286016 C:\Program Files\BitTorrent_DNA\dna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
c:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]
--a------ 2005-09-21 19:41 1605740 C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-14 01:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-12-11 11:56 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2008-01-21 12:17 61440 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-04-09 18:28 1271032 C:\Program Files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-07-12 04:00 132496 C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sysctrls]
-r-hs---- 2007-06-13 12:23 399988 C:\WINDOWS\system32\Sysctrls.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a--c--- 2005-11-11 23:16 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\URLLSTCK.exe]
c:\Program Files\Norton Internet Security\UrlLstCk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"Fax"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"New.net Startup"=rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\THQ\\Gas Powered Games\\Supreme Commander\\bin\\SupremeCommander.exe"=
"C:\\Program Files\\THQ\\Gas Powered Games\\GPGNet\\GPG.Multiplayer.Client.exe"=
"C:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\XR_3DA.exe"=
"C:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\dedicated\\XR_3DA.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Steam\\steamapps\\dsudret\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"C:\\Program Files\\Steam\\Steam.exe"=
"C:\\Program Files\\Steam\\steamapps\\dsudret\\team fortress 2\\hl2.exe"=
"C:\\Program Files\\Steam\\steamapps\\dsudret\\half-life 2 deathmatch\\hl2.exe"=
"C:\\Program Files\\Ubisoft\\Ghost Recon Advanced Warfighter 2\\graw2.exe"=
"C:\\Program Files\\Steam\\steamapps\\msudret\\half-life 2 deathmatch\\hl2.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\BitTorrent_DNA\\dna.exe"=
"C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic.exe"=
"C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_online.exe"=
"C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_ds.exe"=
"C:\\Program Files\\THQ\\Dawn of War\\W40k.exe"=
"C:\\Program Files\\Diablo II\\Game.exe"=
"C:\\Program Files\\THQ\\Dawn of War - Dark Crusade\\DarkCrusade.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"C:\\Program Files\\TrackMania Nations ESWC\\TmNationsESWC.exe"=
"C:\\Program Files\\Empire Interactive\\FlatOut 2\\flatout2.exe"=
"C:\\Program Files\\Steam\\steamapps\\dsudret\\dark messiah might and magic multi-player\\mm.exe"=
"C:\\Program Files\\Sierra Entertainment\\TimeShift MP Demo\\bin\\TimeShift.exe"=
"C:\\Program Files\\Savage 2 - A Tortured Soul\\savage2.exe"=
"C:\\Program Files\\THQ\\Titan Quest\\Titan Quest.exe"=
"C:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"C:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"C:\\WINDOWS\\system32\\Sysctrls.exe"=

S1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 19:31]
S2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 19:35]
S3 lac97inf;lac97inf;C:\DOCUME~1\maxime\LOCALS~1\Temp\lac97inf.sys []
S3 P0630VID;Creative WebCam Live!;C:\WINDOWS\system32\DRIVERS\P0630Vid.sys [2005-06-06 03:44]
S3 ZDCndis5;ZDCndis5 Protocol Driver;C:\WINDOWS\system32\ZDCndis5.SYS []

.
Contents of the 'Scheduled Tasks' folder
"2007-12-17 15:54:25 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-15 19:41:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"\\\\DAVID\\EPSON Stylus DX4200 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATIAEE.EXE /P34 \"\\\\DAVID\\EPSON Stylus DX4200 Series\" /O6 \"USB001\" /M \"Stylus DX4200\""
.
Completion time: 2008-04-15 19:47:34
ComboFix-quarantined-files.txt 2008-04-15 17:47:29

Pre-Run: 75,128,401,920 bytes free
Post-Run: 75,038,810,112 bytes free
.
2008-04-09 18:45:20 --- E O F ---
0

Discussions similaires

Problème avec "PUADIManager:Win32/OfferCore
Knaki -
bazfile -

3 réponses
Pb Windows 7, .EXE n'est pas app win32 valide
Witeric -
Lio -

15 réponses
win32:malware-gen bloqué par avast
ikkual -
Utilisateur anonyme -

69 réponses
Menaces HackTool:Win32
LeMax5993 -
lisa4777 -

4 réponses
PUADlManager:Win32/OfferCore
tenmalade -
tenmalade -

2 réponses