braviax virus, [hijackthis]

Solved/Closed
Tgaudlol Posts 53 Registered Friday 9 November 2007 Status Member Last activity 12 June 2009 - 6 Feb 2008 at 08:53
 jacques.gache - 11 May 2008 at 10:41
Hello,

I've been trying for several hours to eradicate a virus from my PC.

Here is the HijackThis report after several passes in safe mode:
++++++++++++++++++++++++++++++++++++++++++++
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:37:00, on 06/02/2008
Platform: Windows XP SP2, v.2149 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2149)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\ATKKBService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Tgaud\Bureau\antivir\HijackTdhis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [braviax] braviax.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O20 - AppInit_DLLs: cru629.dat
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
55 replies

g!rly Posts 18209 Registered Friday 17 August 2007 Status Contributor Last activity 30 November 2014 406
6 Feb 2008 at 10:52
ok

run this:

Download SDFix (created by AndyManchesta) and save it to your Desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
Double-click SDFix.exe and choose Install to extract it to a dedicated folder on the Desktop. Restart your computer in safe mode following this procedure:
• Restart your computer
• After hearing the computer beep at startup, but before the Windows icon appears, tap the F8 key (one press per second).
• Instead of the normal Windows boot, a menu with several options should appear.
• Choose the first option, to run Windows in safe mode, then press "Enter".
• Choose your account.
Go through the list of instructions below:
• Open the SDFix folder that has just been created in C:\ and double-click RunThis.bat to launch the script.
• Press Y to start the cleaning process.
• It will remove the services and registry entries of certain trojans it finds, then ask you to press a key to reboot.
• Press a key to reboot the PC.
• Your system will take longer than usual to reboot because the tool will keep running and deleting files.
• After the Desktop loads, the tool will finish its work and display Finished.
• Press a key to end the script and load your Desktop icons.
• Once the Desktop icons are shown, the SDFix report will open on screen and will also be saved in the SDFix folder as Report.txt.
• Finally, copy/paste the contents of Report.txt into your next reply on the forum

@+
0
Tgaudlol Posts 53 Registered Friday 9 November 2007 Status Member Last activity 12 June 2009
6 Feb 2008 at 10:52
As I said in post 19, it doesn't work.
0
g!rly Posts 18209 Registered Friday 17 August 2007 Status Contributor Last activity 30 November 2014 406
6 Feb 2008 at 10:52
our replies crossed... run SDFix
0
Tgaudlol Posts 53 Registered Friday 9 November 2007 Status Member Last activity 12 June 2009
6 Feb 2008 at 11:04
So I ran the thing in safe mode, then restarted in normal mode.
The virus is still there, by the way.

Here is the log:


SDFix: Version 1.137

Run by Tgaud on 06/02/2008 at 10:59

Microsoft Windows XP [version 5.1.2600]

Running From: C:\tytyty\SDFix

Safe Mode:
Checking Services:

Patched user32.dll detected!

Note: SDFix Does Not Repair This File!

"C:\WINDOWS\SoftwareDistribution\Download\46faa4cd5c82200be099d1b1e8a12eed\sp2gdr\user32.dll" 578048 02/03/2005 19:10
"C:\WINDOWS\SoftwareDistribution\Download\46faa4cd5c82200be099d1b1e8a12eed\sp2qfe\user32.dll" 578048 02/03/2005 19:20
"C:\WINDOWS\SoftwareDistribution\Download\807aa275a612b3508a3d1d613bbf6226\sp2gdr\user32.dll" 578560 08/03/2007 16:37
"C:\WINDOWS\SoftwareDistribution\Download\807aa275a612b3508a3d1d613bbf6226\sp2qfe\user32.dll" 579072 08/03/2007 16:50
"C:\WINDOWS\system32\user32.dll" 579072 17/11/2007 02:53
"C:\WINDOWS\system32\dllcache\user32.dll" 579072 17/11/2007 02:53

Download the below update to restore original files:

https://docs.microsoft.com/en-us/


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Session Manager\SubSystems:
Trojan File basepwo32.dll and startup entry Found!
basepwo32.dll will be removed after reboot if registry value is repaired


Rebooting...


Session Manager\SubSystems:
ServerDll value restored to basesrv.dll
Key export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems]
"Windows"=%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

Removing C:\WINDOWS\system32\basepwo32.dll


Original beep.sys Restored

"C:\WINDOWS\system32\dllcache\beep.sys" 4224 05/02/2008 20:09
"C:\WINDOWS\system32\drivers\beep.sys" 4224 05/02/2008 20:09



Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\SYSTEM32\OSAREWQP.TMP - Deleted
C:\WINDOWS\system32\5_exception.nls - Deleted
C:\WINDOWS\system32\bns.dat - Deleted
C:\WINDOWS\system32\users32.dat - Deleted
C:\WINDOWS\system32\basepwo32.dll - Deleted





Removing Temp Files...

ADS Check:



Final Check:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-06 11:02:13
Windows 5.1.2600 Service Pack 2, v.2149 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Ebcc33]
"Type"=dword:00000001
"Tag"=dword:00000001
"Group"="System Reserved\0Boot Bus Extender\0System Bus Extender\0SCSI miniport\0Port\0Primary Disk\0SCSI Class\0SCSI CDROM Class\0FSFilter Infrastructure\0FSFilter System\0FSFilter Bottom\0FSFilter Copy Protection\0FSFilter Security Enhancer\0FSFilter Open File\0FSFilter Physical Quota Management\0FSFilter Encryption\0FSFilter Compression\0FSFilter HSM\0FSFilter Cluster File System\0FSFilter System Recovery\0FSFilter Quota Management\0FSFilter Content Screener\0FSFilter Continuous Backup\0FSFilter Replication\0FSFilter Anti-Virus\0FSFilter Undelete\0FSFilter Activity Monitor\0FSFilter Top\0Filter\0Boot File System\0Base\0Pointer Port\0Keyboard Port\0Pointer Class\0Keyboard Class\0Video Init\0Video\0Video Save\0File System\0Event Log\0Streams Drivers\0NDIS Wrapper\0COM Infrastructure\0UIGroup\0LocalValidation\0PlugPlay\0PNP_TDI\0NDIS\0TDI\0NetBIOSGroup\0ShellSvcGroup\0SchedulerGroup\0SpoolerGroup\0AudioGroup\0SmartCardGroup\0NetworkProvider\0RemoteValidation\0NetDDEGroup\0Parallel arbitrator\0Extended Base\0PCI Configuration\0MS Transactions\0"
"ErrorControl"=dword:00000001
"Start"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:6e,45,e8,6c,96,af,b9,db,9c,73,57,77,c8,7d,d1,bb,81,6f,35,fd,84,..
"p0"="C:\Program Files\DAEMON Tools\"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,c6,e2,7d,d8,8f,48,fc,e1,72,e8,b7,b7,96,45,05,f0,a8,..
"khjeh"=hex:d7,1f,30,5e,30,97,bc,ae,a4,1d,65,2c,17,b5,53,da,3f,05,f9,36,6a,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:64,62,05,00,60,66,42,00,00,00,00,00,e8,ff,ff,ff,20,70,42,00,20,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:64,62,03,00,a0,69,42,00,72,69,74,79,d8,ff,ff,ff,d8,39,06,00,88,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ebcc33]
"Type"=dword:00000001
"Tag"=dword:00000001
"Group"="System Reserved\0Boot Bus Extender\0System Bus Extender\0SCSI miniport\0Port\0Primary Disk\0SCSI Class\0SCSI CDROM Class\0FSFilter Infrastructure\0FSFilter System\0FSFilter Bottom\0FSFilter Copy Protection\0FSFilter Security Enhancer\0FSFilter Open File\0FSFilter Physical Quota Management\0FSFilter Encryption\0FSFilter Compression\0FSFilter HSM\0FSFilter Cluster File System\0FSFilter System Recovery\0FSFilter Quota Management\0FSFilter Content Screener\0FSFilter Continuous Backup\0FSFilter Replication\0FSFilter Anti-Virus\0FSFilter Undelete\0FSFilter Activity Monitor\0FSFilter Top\0Filter\0Boot File System\0Base\0Pointer Port\0Keyboard Port\0Pointer Class\0Keyboard Class\0Video Init\0Video\0Video Save\0File System\0Event Log\0Streams Drivers\0NDIS Wrapper\0COM Infrastructure\0UIGroup\0LocalValidation\0PlugPlay\0PNP_TDI\0NDIS\0TDI\0NetBIOSGroup\0ShellSvcGroup\0SchedulerGroup\0SpoolerGroup\0AudioGroup\0SmartCardGroup\0NetworkProvider\0RemoteValidation\0NetDDEGroup\0Parallel arbitrator\0Extended Base\0PCI Configuration\0MS Transactions\0"
"ErrorControl"=dword:00000001
"Start"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch]
"Epoch"=dword:000008ba
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:6e,45,e8,6c,96,af,b9,db,9c,73,57,77,c8,7d,d1,bb,81,6f,35,fd,84,..
"p0"="C:\Program Files\DAEMON Tools\"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,c6,e2,7d,d8,8f,48,fc,e1,72,e8,b7,b7,96,45,05,f0,a8,..
"khjeh"=hex:d7,1f,30,5e,30,97,bc,ae,a4,1d,65,2c,17,b5,53,da,3f,05,f9,36,6a,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:53,8d,af,45,9b,b0,2b,94,df,bd,25,74,bb,0b,84,8c,a6,ca,06,9e,91,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:0f,9f,06,17,89,d7,8b,f0,5c,d1,60,3a,8b,5f,9a,ac,90,44,fa,e6,48,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Ebcc33]
"Type"=dword:00000001
"Tag"=dword:00000001
"Group"="System Reserved\0Boot Bus Extender\0System Bus Extender\0SCSI miniport\0Port\0Primary Disk\0SCSI Class\0SCSI CDROM Class\0FSFilter Infrastructure\0FSFilter System\0FSFilter Bottom\0FSFilter Copy Protection\0FSFilter Security Enhancer\0FSFilter Open File\0FSFilter Physical Quota Management\0FSFilter Encryption\0FSFilter Compression\0FSFilter HSM\0FSFilter Cluster File System\0FSFilter System Recovery\0FSFilter Quota Management\0FSFilter Content Screener\0FSFilter Continuous Backup\0FSFilter Replication\0FSFilter Anti-Virus\0FSFilter Undelete\0FSFilter Activity Monitor\0FSFilter Top\0Filter\0Boot File System\0Base\0Pointer Port\0Keyboard Port\0Pointer Class\0Keyboard Class\0Video Init\0Video\0Video Save\0File System\0Event Log\0Streams Drivers\0NDIS Wrapper\0COM Infrastructure\0UIGroup\0LocalValidation\0PlugPlay\0PNP_TDI\0NDIS\0TDI\0NetBIOSGroup\0ShellSvcGroup\0SchedulerGroup\0SpoolerGroup\0AudioGroup\0SmartCardGroup\0NetworkProvider\0RemoteValidation\0NetDDEGroup\0Parallel arbitrator\0Extended Base\0PCI Configuration\0MS Transactions\0"
"ErrorControl"=dword:00000001
"Start"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:6e,45,e8,6c,96,af,b9,db,9c,73,57,77,c8,7d,d1,bb,81,6f,35,fd,84,..
"p0"="C:\Program Files\DAEMON Tools\"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,c6,e2,7d,d8,8f,48,fc,e1,72,e8,b7,b7,96,45,05,f0,a8,..
"khjeh"=hex:d7,1f,30,5e,30,97,bc,ae,a4,1d,65,2c,17,b5,53,da,3f,05,f9,36,6a,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:53,8d,af,45,9b,b0,2b,94,df,bd,25,74,bb,0b,84,8c,a6,ca,06,9e,91,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:0f,9f,06,17,89,d7,8b,f0,5c,d1,60,3a,8b,5f,9a,ac,90,44,fa,e6,48,..

scanning hidden registry entries ...

scanning hidden files ...

C:\WINDOWS\system32\drivers\Ebcc33.sys 167936 bytes executable

scan completed successfully
hidden processes: 0
hidden services: 1
hidden files: 21


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------

File Backups: - C:\tytyty\SDFix\backups\backups.zip

Files with Hidden Attributes:

Fri 11 Jun 2004 1,667,584 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Tue 5 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0a67b6c406b1d7e0f5c1e6f6d44a3f6e\BIT5.tmp"
Tue 5 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\18b19374451d28a8fbaf1939cf31ff45\BIT8.tmp"
Tue 5 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\22fb973e059470cc1b5d76c4ae605351\BITC.tmp"
Tue 5 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\26924cbc8132a10b438ce6e2b49d4652\BIT4.tmp"
Tue 5 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\2769b111678c52099a3b3123b12f2325\BIT9.tmp"
Tue 5 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\30285791903730fbf957a83562db4ff4\BIT6.tmp"
Tue 5 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\4844df1d57a292079101da42a26d7d72\BIT2.tmp"
Tue 5 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\585dc2612ebcefc90e7dee4c276ee95e\BIT1.tmp"
Tue 5 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\9e870549834e2bceb796e44a1e3ac6f5\BITB.tmp"
Tue 5 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\bc066f3f60df1b38218903dd0d40ce98\BIT3.tmp"
Tue 5 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\cb8921d0c7830b2f33c00fa4c8a10d17\BIT7.tmp"
Tue 5 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d77b9b5b8fed23dd91f50d167cce60d3\BITA.tmp"
Wed 16 Jan 2008 4,608 A.SH. --- "C:\_OTMoveIt\MovedFiles\02062008_102950\Documents and Settings\Tgaud\Bureau\~tmp1174.exe"

Finished!
0
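The two logs above (the HijackThis report in the first post and the SDFix report just posted) show the same persistence points a responder would check by hand: a bare `braviax.exe` in a Run key, a non-empty `AppInit_DLLs`, and a `Session Manager\SubSystems` value pointing csrss at `basepwo32` instead of `basesrv`. The script below is an added example, not part of the thread or of either tool; it assumes the HijackThis line formats shown in the first post and takes the clean SubSystems value from the key SDFix restored (Windows XP SP2).

```python
"""Added triage helpers for the HijackThis and SDFix output quoted in this thread.

Assumptions: the HijackThis line formats below are the ones shown in the first
post, and the clean SubSystems value is the one SDFix restored (Windows XP SP2).
"""
import re
from dataclasses import dataclass
from typing import List


@dataclass
class Finding:
    severity: str  # "high" = almost never legitimate, "review" = needs a look
    kind: str      # HijackThis section (O4, O20) or "SubSystems"
    detail: str


# Constructed excerpt of the HijackThis log from the first post (not the full log).
HJT_SAMPLE = r"""R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [braviax] braviax.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O20 - AppInit_DLLs: cru629.dat
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""

# Session Manager\SubSystems "Windows" value as restored in the SDFix log (clean),
# and a constructed infected variant that points csrss at the basepwo32 module.
SUBSYSTEMS_CLEAN = (
    r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 "
    r"Windows=On SubSystemType=Windows ServerDll=basesrv,1 "
    r"ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 "
    r"ProfileControl=Off MaxRequestThreads=16"
)
SUBSYSTEMS_INFECTED = SUBSYSTEMS_CLEAN.replace("ServerDll=basesrv,1", "ServerDll=basepwo32,1")

_O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
_O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.*)$")
_SERVERDLL_RE = re.compile(r"ServerDll=([^,:\s]+)")

# Modules csrss.exe loads on XP SP2 per the restored key; Vista and later also list sxssrv.
EXPECTED_SERVER_DLLS = {"basesrv", "winsrv"}


def executable_of(cmd: str) -> str:
    """Program part of a Run-key command line: the quoted path, else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage_hijackthis(text: str) -> List[Finding]:
    """Flag AppInit_DLLs entries and Run entries that name a bare file with no path."""
    findings: List[Finding] = []
    for line in text.splitlines():
        m = _O20_RE.match(line)
        if m:
            dlls = m.group("dlls").strip()
            if dlls:  # empty on a clean home machine; a DLL here loads into every GUI process
                findings.append(Finding("high", "O20", f"AppInit_DLLs = {dlls}"))
            continue
        m = _O4_RE.match(line)
        if m:
            exe = executable_of(m.group("cmd"))
            if exe and "\\" not in exe:  # resolved by PATH search, so check which copy actually runs
                findings.append(Finding("review", "O4", f"[{m.group('name')}] runs bare filename {exe}"))
    return findings


def server_dlls(windows_value: str) -> List[str]:
    """Module names from every ServerDll=name[:entry],id token, lower-cased, '.dll' stripped."""
    names = []
    for name in _SERVERDLL_RE.findall(windows_value):
        name = name.lower()
        names.append(name[:-4] if name.endswith(".dll") else name)
    return names


def check_subsystems(windows_value: str) -> List[str]:
    """ServerDll modules outside the expected set; SDFix reported basepwo32 here."""
    return [d for d in server_dlls(windows_value) if d not in EXPECTED_SERVER_DLLS]


if __name__ == "__main__":
    for f in triage_hijackthis(HJT_SAMPLE):
        print(f"{f.severity:6} {f.kind:4} {f.detail}")
    print("clean SubSystems   :", check_subsystems(SUBSYSTEMS_CLEAN))
    print("infected SubSystems:", check_subsystems(SUBSYSTEMS_INFECTED))
```

The bare-filename rule also flags legitimate vendor entries such as RTHDCPL.EXE, which is intended: the point is to resolve each one on disk and compare timestamps, as the ComboFix listing of freshly created files later in the thread does.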
Tgaudlol Posts 53 Registered Friday 9 November 2007 Status Member Last activity 12 June 2009
6 Feb 2008 at 11:12
I tried running combofix.exe and it worked!
But I did it in "normal" mode and not in "safe" mode.

Well, the virus is still there, but here is the log:


+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


ComboFix 08-02.05.3 - Tgaud 2008-02-06 11:05:37.1 - NTFSx86
Microsoft Windows XP Professionnel 5.1.2600.2.1252.1.1036.18.1528 [GMT 1:00]
Endroit: C:\Documents and Settings\Tgaud\Bureau\CombroFix.exe
* Création d'un nouveau point de restauration

[color=red][b]AVERTISSEMENT - LA CONSOLE DE RÉCUPÉRATION N'EST PAS INSTALLÉE SUR CETTE MACHINE !![/b][/color]
.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\symavc32.sys
C:\WINDOWS\OPTIONS\CABS\_desktop.ini
C:\WINDOWS\system32\drivers\EBCC33.sys
C:\WINDOWS\system32\users32.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_EBCC33
-------\LEGACY_MSUPDATE


((((((((((((((((((((((((((((( Fichiers cr‚‚s 2008-01-06 to 2008-02-06 ))))))))))))))))))))))))))))))))))))
.

2008-02-06 11:08 . 2008-02-06 11:08 6,656 --a------ C:\WINDOWS\system32\users32.dat
2008-02-06 11:02 . 2008-02-06 11:02 29 --a------ C:\WINDOWS\system32\ytfqhgia.tmp
2008-02-06 10:54 . 2008-02-06 11:05 <REP> d-------- C:\tytyty
2008-02-06 10:44 . 2008-02-06 10:56 11,264 --a------ C:\WINDOWS\braviax.exe
2008-02-06 09:50 . 2008-02-06 09:50 <REP> d-------- C:\Deckard
2008-02-06 08:32 . 2008-02-06 10:56 11,264 --a------ C:\WINDOWS\system32\braviax.exe
2008-02-06 08:32 . 2008-02-06 10:56 6,144 --a------ C:\WINDOWS\system32\cru629.dat
2008-02-06 08:32 . 2008-02-06 10:56 6,144 --a------ C:\WINDOWS\cru629.dat
2008-02-06 07:38 . 2008-02-05 22:05 1,593,889 --a------ C:\C1gomb4odFix.exe
2008-02-06 07:19 . 2008-02-06 11:08 160,568 --a------ C:\WINDOWS\system32\winivstr.exe
2008-02-06 07:17 . 2004-06-10 15:18 29,056 --a------ C:\WINDOWS\system32\drivers\ip6fw.sys
2008-02-06 07:15 . 2008-02-06 07:15 <REP> d-------- C:\WINDOWS\ERUNT
2008-02-06 05:47 . 2008-02-06 05:47 <REP> d-------- C:\Documents and Settings\Tgaud\Application Data\Grisoft
2008-02-06 05:40 . 2008-02-06 05:40 <REP> d-------- C:\toto
2008-02-06 05:37 . 2007-05-30 13:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-06 05:29 . 2008-02-06 05:29 <REP> d-------- C:\Program Files\Lavasoft
2008-02-06 05:29 . 2008-02-06 05:33 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-06 04:14 . 2008-02-05 20:09 4,224 --a------ C:\WINDOWS\system32\drivers\beep.sys
2008-02-06 04:14 . 2008-02-05 20:09 4,224 --a--c--- C:\WINDOWS\system32\dllcache\beep.sys
2008-02-06 00:33 . 2008-02-06 00:33 <REP> d-------- C:\_OTMoveIt
2008-02-05 23:08 . 2008-02-06 06:44 <REP> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-05 22:18 . 2007-12-04 14:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-02-05 22:18 . 2004-01-09 10:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-02-05 22:18 . 2007-12-04 13:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-02-05 22:18 . 2007-12-04 15:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-02-05 22:18 . 2007-12-04 15:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-02-05 22:18 . 2007-12-04 15:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-02-05 22:18 . 2007-12-04 15:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-02-05 22:18 . 2007-12-04 15:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-02-05 22:15 . 2008-02-05 22:17 <REP> d-------- C:\Program Files\Lop SD
2008-02-05 21:54 . 2008-02-05 21:54 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-02-05 21:29 . 2008-02-05 21:29 <REP> d-------- C:\Program Files\Trend Micro
2008-02-05 20:57 . 2008-02-06 10:53 <REP> d-------- C:\SDFix
2008-02-05 20:02 . 2008-02-06 07:13 2,764 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-05 20:01 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-02-05 20:01 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-02-05 20:01 . 2008-02-05 00:23 85,504 --a------ C:\WINDOWS\system32\VACFix.exe
2008-02-05 20:01 . 2008-01-27 14:37 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-02-05 20:01 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-02-05 20:01 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-02-05 20:01 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-02-05 19:49 . 2008-02-05 19:49 <REP> d-------- C:\Program Files\CCleaner
2008-02-05 19:14 . 2008-02-05 19:14 16,384 --a------ C:\WINDOWS\system32\nod32se.exe
2008-02-05 19:14 . 2008-02-05 19:14 80 --a------ C:\WINDOWS\system32\suspend.bin
2008-02-04 20:11 . 2008-02-04 20:11 <REP> d-------- C:\Program Files\Microsoft Games
2008-02-03 07:59 . 2006-08-03 13:53 31,232 --a------ C:\WINDOWS\system32\drivers\odptdi.sys
2008-02-02 01:34 . 2008-02-02 01:34 <REP> d-------- C:\Program Files\Hamachi
2008-02-02 01:34 . 2008-02-05 00:55 <REP> d-------- C:\Documents and Settings\Tgaud\Application Data\Hamachi
2008-02-02 01:34 . 2008-02-02 01:54 25,280 --a------ C:\WINDOWS\system32\drivers\hamachi.sys
2008-02-01 20:21 . 2008-02-01 20:21 58,368 --a------ C:\okfcats.exe
2008-02-01 20:21 . 2008-02-01 20:21 55,568 --a------ C:\eyegc.exe
2008-01-25 22:40 . 2008-01-25 22:40 <REP> d-------- C:\Program Files\QuickTime
2008-01-20 17:52 . 2008-01-20 17:52 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Age of Empires 3
2008-01-16 22:25 . 2008-01-16 22:30 14 --ah----- C:\WINDOWS\mmax.ini
2008-01-16 22:23 . 2008-01-16 22:23 4 --a------ C:\WINDOWS\c.pid
2008-01-16 22:22 . 2008-01-16 22:22 <REP> dr------- C:\Documents and Settings\LocalService\Favoris
2008-01-16 22:19 . 2008-01-16 22:19 4 --a------ C:\E5.tmp

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-06 04:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-06 04:29 --------- d-----w C:\Program Files\Fichiers communs\Wise Installation Wizard
2008-02-06 03:39 --------- d-----w C:\Program Files\MSN Messenger
2008-02-06 03:36 --------- d-----w C:\Program Files\DAEMON Tools
2008-02-06 03:36 --------- d-----w C:\Program Files\Bonjour
2008-02-03 13:36 196,608 ----a-w C:\WINDOWS\system32\drivers\aStandard.bin
2008-01-27 22:13 --------- d-----w C:\Program Files\eMule
2008-01-20 16:57 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-16 21:53 --------- d-----w C:\Documents and Settings\Tgaud\Application Data\Skype
2008-01-16 15:02 --------- d-----w C:\Documents and Settings\Tgaud\Application Data\skypePM
2008-01-15 17:42 --------- d-----w C:\Program Files\Steam
2008-01-05 19:57 --------- d-----w C:\Program Files\Alwil Software
2008-01-05 18:30 --------- d-----w C:\Program Files\Microsoft Security AdviserREN
2008-01-05 17:35 102,664 ----a-w C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-05 17:33 --------- d-----w C:\Program Files\Java
2008-01-05 17:32 --------- d-----w C:\Program Files\Fichiers communs\Java
2007-12-23 00:58 --------- d-----w C:\Program Files\Super macro
2007-12-18 19:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Media Center Programs
2007-12-17 19:46 --------- d-----w C:\Program Files\THQ
2007-12-12 13:44 --------- d-----w C:\Program Files\DivX
2007-12-11 22:55 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-12-11 22:55 --------- d-----w C:\Program Files\Skype
2007-12-11 22:55 --------- d-----w C:\Program Files\Fichiers communs\Skype
2007-12-11 22:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2007-11-19 19:59 22,328 ----a-w C:\Documents and Settings\Tgaud\Application Data\PnkBstrK.sys
.
[color=blue]Infected C:\WINDOWS\system32\user32.dll hex repaired[/color]


((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* les ‚l‚ments vides & les ‚l‚ments initiaux l‚gitimes ne sont pas list‚s

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-09-30 03:18 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-12 10:33 16132608 C:\WINDOWS\RTHDCPL.exe]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 14:32 56080 C:\WINDOWS\KHALMNPR.Exe]
"braviax"="braviax.exe" [2008-02-06 10:56 11264 C:\WINDOWS\system32\braviax.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"UseDesktopIniCache"= 1 (0x1)

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^Logitech SetPoint.lnk]
path=C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage\Logitech SetPoint.lnk
backup=C:\WINDOWS\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Tgaud^Menu Démarrer^Programmes^Démarrage^CCC.lnk]
path=C:\Documents and Settings\Tgaud\Menu Démarrer\Programmes\Démarrage\CCC.lnk
backup=C:\WINDOWS\pss\CCC.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\36X Raid Configurer]
-r------- 2007-02-06 13:08 1953792 C:\WINDOWS\system32\JMRaidSetup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-05-11 02:06 40048 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
-r------- 2005-05-03 11:43 69632 C:\WINDOWS\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASUS SmartDoctor]
--a------ 2007-04-23 20:20 1114112 C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bonjour]
C:\WINDOWS\vmmreg32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2004-06-11 15:43 14336 C:\WINDOWS\system32\CTFMON.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Firewall auto setup]
C:\DOCUME~1\Tgaud\LOCALS~1\Temp\winlogon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GamerOSD]
--a------ 2007-02-14 08:42 380928 C:\Program Files\ASUS\GamerOSD\GamerOSD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X IDE Setup]
-r------- 2006-10-30 13:44 36864 C:\WINDOWS\JM\JMInsIDE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
--a------ 2007-04-11 14:32 56080 C:\WINDOWS\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft all]
C:\WINDOWS\mmall.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
---hs---- 2004-06-11 15:54 1667584 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PostBootReminder]
C:\Documents and Settings\Tgaud\Bureau\~tmp1174.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2007-11-12 15:48 21760296 C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2007-12-03 21:00 1266936 c:\program files\steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Windows IPSEC Monitor"=2 (0x2)
"Microsoft I Service"=2 (0x2)
"Windows Management Service"=2 (0x2)
"PnkBstrA"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"helpsvc"=2 (0x2)
"FontCache3.0.0.0"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"msupdate"=2 (0x2)
"usnjsvc"=3 (0x3)
"aswUpdSv"=2 (0x2)
"aawservice"=2 (0x2)

R1 Odptdi;Odptdi;C:\WINDOWS\system32\drivers\odptdi.sys [2006-08-03 13:53]
R3 Video3D;ASUS Video3D Service;C:\WINDOWS\system32\Drivers\Video3D32.sys [2006-09-29 09:06]
R4 atidgllk;atidgllk;C:\WINDOWS\atidgllk.sys [2005-10-20 08:29]
S1 asusgsb;ASUS Virtual Video Capture Device Driver;C:\WINDOWS\system32\drivers\asusgsb32.sys [2005-10-20 15:25]
S3 gdrv;gdrv;C:\WINDOWS\gdrv.sys [2007-09-30 07:56]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4a58c786-9a16-11dc-95ac-00604cd59310}]
\Shell\AutoRun\command - F:\Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4a58c787-9a16-11dc-95ac-00604cd59310}]
\Shell\AutoRun\command - G:\Setup.exe

.
Contenu du dossier 'Scheduled Tasks/Tƒches planifi‚es'
"2008-02-06 09:31:00 C:\WINDOWS\Tasks\At1.job"
- C:\DOCUME~1\Tgaud\Bureau\Look2Me-Destroyer.exe
"2008-02-06 09:36:08 C:\WINDOWS\Tasks\At2.job"
- C:\DOCUME~1\Tgaud\Bureau\Look2Me-Destroyer.exe
"2008-02-06 09:38:10 C:\WINDOWS\Tasks\At3.job"
- C:\DOCUME~1\Tgaud\Bureau\Look2Me-Destroyer.exe
"2008-02-06 09:38:12 C:\WINDOWS\Tasks\At4.job"
- C:\DOCUME~1\Tgaud\Bureau\Look2Me-Destroyer.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-06 11:08:37
Windows 5.1.2600 Service Pack 2, v.2149 NTFS

Balayage processus cach‚s ...

Balayage cach‚ autostart entries ...

Balayage des fichiers cach‚s ...

Scan termin‚ avec succŠs
Les fichiers cach‚s: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\ATKKBService.exe
.
**************************************************************************
.
Temps d'accomplissement: 2008-02-06 11:09:36 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-06 10:09:34
.
2008-02-05 21:59:27 --- E O F ---

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
0
Tgaudlol Posts 53 Registered Friday 9 November 2007 Status Member Last activity 12 June 2009
6 Feb 2008 at 11:13
Quick post to say I've just added the ComboFix.exe log above,
right after the SDFix.exe one.
0
g!rly Posts 18209 Registered Friday 17 August 2007 Status Contributor Last activity 30 November 2014 406
6 Feb 2008 at 11:15
re,

do this:

go to this site and run the update:

https://docs.microsoft.com/en-us/

empty your temporary files with this:

->Clean Up 40:
http://pageperso.aol.fr/balltrap34/CleanUp40.exe
->illustrated help (thanks to Balltrap34):
http://pageperso.aol.fr/balltrap34/democleanup.htm

click on Options and untick the box in front of: delete prefetch files

empty it manually:

:: The contents of the prefetch folder ::

* C:\WINDOWS\Prefetch <= except the file layout.ini

* Don't forget to empty the recycle bin!

restart

then post a new HijackThis log please

@+
0
Can't clean it any better than that, it doesn't come back after a restart :(




CleanUp! started on 02/06/08 11:29:31.
C:\Documents and Settings\Tgaud\Local Settings\Temporary Internet Files\Content.IE5\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\Tgaud\Local Settings\Temporary Internet Files\Content.IE5\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\Tgaud\Local Settings\Historique\History.IE5\index.dat currently in use. Will be deleted when Windows is restarted.
'Typed URLs' (Internet Explorer) - removed from the registry.
C:\Documents and Settings\Tgaud\Cookies\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\Tgaud\Application Data\Mozilla\Firefox\Profiles\b9ksu0pt.default\cookies.txt.old - deleted
C:\DOCUME~1\Tgaud\LOCALS~1\Temp\~DF214E.tmp currently in use. Will be deleted when Windows is restarted.
C:\DOCUME~1\Tgaud\LOCALS~1\Temp\~DF2159.tmp currently in use. Will be deleted when Windows is restarted.
C:\DOCUME~1\Tgaud\LOCALS~1\Temp\~DFF431.tmp currently in use. Will be deleted when Windows is restarted.
C:\DOCUME~1\Tgaud\LOCALS~1\Temp\~DFF43C.tmp currently in use. Will be deleted when Windows is restarted.
C:\DOCUME~1\Tgaud\LOCALS~1\Temp\~DF214E.tmp currently in use. Will be deleted when Windows is restarted.
C:\DOCUME~1\Tgaud\LOCALS~1\Temp\~DF2159.tmp currently in use. Will be deleted when Windows is restarted.
C:\DOCUME~1\Tgaud\LOCALS~1\Temp\~DFF431.tmp currently in use. Will be deleted when Windows is restarted.
C:\DOCUME~1\Tgaud\LOCALS~1\Temp\~DFF43C.tmp currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\Tgaud\Cookies\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\Tgaud\locals~1\tempor~1\Content.IE5\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\Tgaud\Cookies\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\Tgaud\Local Settings\Temp\~DF214E.tmp currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\Tgaud\Local Settings\Temp\~DF2159.tmp currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\Tgaud\Local Settings\Temp\~DFF431.tmp currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\Tgaud\Local Settings\Temp\~DFF43C.tmp currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\Tgaud\Local Settings\Temporary Internet Files\Content.IE5\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\LocalService\Cookies\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\LocalService\locals~1\tempor~1\Content.IE5\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\LocalService\Cookies\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\LocalService\Cookies\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\LocalService\Local Settings\Historique\History.IE5\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\Tgaud\Cookies\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\Tgaud\Local Settings\Historique\History.IE5\index.dat currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\Tgaud\Local Settings\Temp\~DF214E.tmp currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\Tgaud\Local Settings\Temp\~DF2159.tmp currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\Tgaud\Local Settings\Temp\~DFF431.tmp currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\Tgaud\Local Settings\Temp\~DFF43C.tmp currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\Tgaud\Local Settings\Temp\~DF214E.tmp currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\Tgaud\Local Settings\Temp\~DF2159.tmp currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\Tgaud\Local Settings\Temp\~DFF431.tmp currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\Tgaud\Local Settings\Temp\~DFF43C.tmp currently in use. Will be deleted when Windows is restarted.
C:\Documents and Settings\Tgaud\Local Settings\Temporary Internet Files\Content.IE5\index.dat currently in use. Will be deleted when Windows is restarted.
C:\WINDOWS\Resources\Themes\Luna\luna.msstyles - deleted
'Run MRU' list - removed from the registry.
Paint Recent File List - removed from the registry.
WordPad Recent File List - removed from the registry.
Telnet's MRU list - removed from the registry.
CleanUp! 4.0 recovered 4.0 MB of disk space from 2 files.
CleanUp! finished on 02/06/08 11:29:34.

Do I wait for the rest?
g!rly Posts 18209 Registration date Friday 17 August 2007 Status Contributor Last intervention 30 November 2014 406
6 Feb. 2008 at 11:36
yes, that's normal, it's just asking you to restart...

post a new comboscan please

@+
Tgaudlol Posts 53 Registration date Friday 9 November 2007 Status Member Last intervention 12 June 2009
6 Feb. 2008 at 11:56
Well, I didn't manage to delete all the files.
For most of them it says it will delete them when Windows restarts, but if after the restart I click on "cleanup" again it
deletes a whole lot more again, and tells me there are still some in use that it can't delete....
Not to mention that in windows/prefetch the files come back every time.


Here's the new comboscan in normal mode.



Deckard's System Scanner v20071014.68
Run by Tgaud on 2008-02-06 11:51:01
Computer is in Normal Mode.
--------------------------------------------------------------------------------

[color=red]System Drive C: has 4.52 GiB (less than 15%) free.[/color]


-- HijackThis (run as Tgaud.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:51:03, on 06/02/2008
Platform: Windows XP SP2, v.2149 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2149)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\braviax.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\ATKKBService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Tgaud\Bureau\dsds.exe (that's the name of comboscan on my machine)
C:\DOCUME~1\Tgaud\Bureau\antivir\Tgaud.exe (my username.exe???????)

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [braviax] braviax.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
g!rly Posts 18209 Registration date Friday 17 August 2007 Status Contributor Last intervention 30 November 2014 406
6 Feb. 2008 at 12:22
re,

restart in safe mode

Open Notepad (right-click on the desktop > in the menu choose New, then New text file) and copy-paste what is quoted below (copy it all in one go, without the (X) bars):

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"braviax"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PostBootReminder]

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Note: regedit4 is on the first line in Notepad and there is a blank line at the end
Then click on "File"/"Save as":
in: on the desktop
File name: fix.reg
File type: "all files"
click on "save"

it should look like this once saved:

http://img520.imageshack.us/img520/4251/screenshot005ps2.png

close the internet and double-click on fix.reg => you must get the message "are you sure you want to add the information in this .reg file to the registry?"
If so, click on "yes"

* Double-click on OTMoveIt.exe to launch the program,
* Copy the list of files or folders below and paste it into the program's "Paste Custom List of Files/Folders to Move" window:

C:\WINDOWS\system32\users32.dat
C:\WINDOWS\system32\braviax.exe
C:\WINDOWS\cru629.dat
C:\C1gomb4odFix.exe
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\WS2Fix.exe
C:\WINDOWS\system32\test12.exe
C:\WINDOWS\system32\dfsj2321.exe
C:\Documents and Settings\Tgaud\Bureau\~tmp1174.exe

* Click on MoveIt! to start the removal,
* The result will appear in the Results frame.
* Click on Exit to close the program.
* Post the report located here: C:\_OTMoveIt\MovedFiles
* You may be asked to restart your PC. If so, click on Yes.

restart normally and post a new HijackThis log

@+
Tgaudlol Posts 53 Registration date Friday 9 November 2007 Status Member Last intervention 12 June 2009
6 Feb. 2008 at 15:45
The virus is gone for now, I'm in normal mode, but I'm afraid it will come back when I restart.
Before taking that risk and checking once and for all, should I do something else?


Ok, here are the two one after the other:



C:\WINDOWS\system32\users32.dat moved successfully.
C:\WINDOWS\system32\braviax.exe moved successfully.
C:\WINDOWS\cru629.dat moved successfully.
C:\C1gomb4odFix.exe moved successfully. (this one was combofix, but I had renamed it in a weird way ;) )
C:\WINDOWS\system32\tmp.reg moved successfully.
C:\WINDOWS\system32\WS2Fix.exe moved successfully.
C:\WINDOWS\system32\test12.exe moved successfully.
C:\WINDOWS\system32\dfsj2321.exe moved successfully.
File/Folder C:\Documents and Settings\Tgaud\Bureau\~tmp1174.exe not found.


OTMoveIt2 v1.0.17 log created on 02062008_153434


+++++++++++++++++++++++++++++++++++++++++++++++++

Deckard's System Scanner v20071014.68
Run by Tgaud on 2008-02-06 15:41:26
Computer is in Normal Mode.
--------------------------------------------------------------------------------

[color=red]System Drive C: has 4.52 GiB (less than 15%) free.[/color]


-- HijackThis (run as Tgaud.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:41:30, on 06/02/2008
Platform: Windows XP SP2, v.2149 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2149)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\ATKKBService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Tgaud\Bureau\dsds.exe
C:\WINDOWS\system32\wuauclt.exe
C:\DOCUME~1\Tgaud\Bureau\antivir\Tgaud.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
g!rly Posts 18209 Registration date Friday 17 August 2007 Status Contributor Last intervention 30 November 2014 406
6 Feb. 2008 at 15:59
re,

it looks ok for braviax since the key has disappeared.

have a look at this about avast:

antivir vs avast:

-> http://forum.malekal.com/ftopic3528.php

so I advise you to uninstall it and install antivir instead

Download and install the antivirus Antivir Personal Edition Classic:

->https://www.malekal.com/avira-free-security-antivirus-gratuit/

https://www.avira.com/en/prime

http://mickael.barroux.free.fr/securite/antivir.php
http://speedweb1.free.fr/frames2.php?page=tuto5
<- scanner configuration tutorial...

once antivir is open, click on configuration and tick the "expert mode" box, then on the scanner tab in the window below you will see: rootkit search; click on the little + to expand it and tick the box next to your hard disk
then click on configuration at the top right; in the new window on the left > scanner > tick "scan all files" and below > scanner priority = High
tick: allow stopping the scanner, so you can pause during the scan if you wish.
then on the right tick the following boxes:
scan boot sectors of selected drives
scan master boot sectors
scan memory
search for rootkit before scan
untick:
ignore off line files
still on the left > scan > expand > heuristic > macrovirus heuristic = ticked and below > win32 heuristic box ticked and high detection level

also install:

firewall: kerio

http://www.malekal.com/kerio_firewall.php#mozTocId721480

https://www.vulgarisation-informatique.com/kerio.php

https://kerio.probb.fr/f2-sunbelt-kerio-personal-firewall

or zone alarm, easier to configure but less effective

https://www.malekal.com/tutoriel-zonealarm-firewall/

run clean up again

and restart

afterwards I'd like you to do a scan with antivir using the settings I specified above, given the alarming result of the bitdefender one...

post the antivir report once done.

@+
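The check g!rly makes above (the [braviax] Run entry is absent from the new HijackThis log) can be done mechanically. The Python below is an added example, not code from this thread or from HijackThis: it parses the O4 and O20 lines of two logs, flags Run values that launch a bare unknown image and any AppInit_DLLs value (the two indicators in this thread), and confirms the entry disappeared without anything new taking its place. The log excerpts are constructed from the logs posted above, and the KNOWN_GOOD allowlist is an assumption.

```python
"""Added example (not from the thread): review HijackThis autostart lines (O4 Run
values, O20 AppInit_DLLs), flag the braviax/cru629.dat pattern, and diff a
before/after pair of logs to confirm an entry really went away."""
import re
from typing import Dict, List

# Constructed excerpts modelled on the logs posted in this thread: BEFORE still
# has the braviax Run value and the AppInit_DLLs entry, AFTER is the state once
# fix.reg and OTMoveIt had been run.
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [braviax] braviax.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O20 - AppInit_DLLs: cru629.dat
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""
LOG_AFTER = r"""
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""

RUN_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.*)$")
# Assumed allowlist of bare-name Run values accepted on this host (Realtek
# audio panel, Logitech keyboard HAL); adjust per machine.
KNOWN_GOOD = {"rthdcpl.exe", "khalmnpr.exe"}


def image_of(cmd: str) -> str:
    """Executable part of a Run command line: quoted path or first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def parse_autostarts(log: str) -> Dict[str, list]:
    """(hive, name, command) for every O4 line, DLL names for every O20 line."""
    runs, appinit = [], []
    for raw in log.splitlines():
        m = RUN_RE.match(raw.strip())
        if m:
            runs.append((m["hive"], m["name"], m["cmd"]))
            continue
        m = APPINIT_RE.match(raw.strip())
        if m:
            appinit.extend(d for d in re.split(r"[,\s]+", m["dlls"]) if d)
    return {"run": runs, "appinit": appinit}


def suspicious_entries(log: str, known_good=KNOWN_GOOD) -> Dict[str, List[str]]:
    """Flag Run values whose image is a bare file name not on the allowlist (a
    bare name is resolved through the system search path, which is how
    [braviax] braviax.exe ran from the Windows system32 folder) and every
    AppInit_DLLs value, since that key loads the DLL into each process that
    maps user32.dll."""
    found = parse_autostarts(log)
    flagged = []
    for _hive, name, cmd in found["run"]:
        image = image_of(cmd)
        if "\\" not in image and "/" not in image and image.lower() not in known_good:
            flagged.append(name)
    return {"run": flagged, "appinit": list(found["appinit"])}


def compare_autostarts(before: str, after: str) -> Dict[str, list]:
    """Which Run values and AppInit DLLs disappeared or appeared between two logs."""
    b, a = parse_autostarts(before), parse_autostarts(after)
    b_run = {(h, n) for h, n, _ in b["run"]}
    a_run = {(h, n) for h, n, _ in a["run"]}
    return {
        "run_removed": sorted(b_run - a_run),
        "run_added": sorted(a_run - b_run),
        "appinit_removed": sorted(set(b["appinit"]) - set(a["appinit"])),
        "appinit_added": sorted(set(a["appinit"]) - set(b["appinit"])),
    }


def confirm_removed(before: str, after: str, name: str) -> bool:
    """True when Run value `name` was present before, is gone after, and nothing
    new appeared (a loader re-created under another name would show as added)."""
    diff = compare_autostarts(before, after)
    gone = any(n == name for _, n in diff["run_removed"])
    return gone and not diff["run_added"] and not diff["appinit_added"]


if __name__ == "__main__":
    print("suspicious:", suspicious_entries(LOG_BEFORE))
    print("diff:", compare_autostarts(LOG_BEFORE, LOG_AFTER))
    print("braviax gone:", confirm_removed(LOG_BEFORE, LOG_AFTER, "braviax"))
```

Running the same comparison on two real logs is a quick way to verify that a fix.reg actually removed the value and that no replacement autostart appeared after the reboot.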
The virus is gone.
I struggled a bit installing the firewall etc (update for the sunbelt software firewall associated with kerio + windows updates = two minutes of freeze on the apps at Windows startup, without my being able to do anything because some invisible program was doing something, and the firewall wouldn't start anymore, it crashed because of a Db.() something like that.

A system restore and everything works again, firewall included, and here I am.
(except for the kerio update, which can't reach the sunbelt site)

New hijack:


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:09:32, on 06/02/2008
Platform: Windows XP SP2, v.2149 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2149)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Tgaud\Bureau\antivir\HijackTdhis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
Anonymous user
6 Feb. 2008 at 21:15
username test
Tgaudlol Posts 53 Registration date Friday 9 November 2007 Status Member Last intervention 12 June 2009
6 Feb. 2008 at 21:21
well, I've installed noscript for firefox as well as spybot, which did a bit more cleanup for me among the trojans.

anyway, here's the latest "COMPLETE" report to date; do you think I can mark the topic as solved? or is there still stuff to do?:

Deckard's System Scanner v20071014.68
Run by Tgaud on 2008-02-06 21:18:41
Computer is in Normal Mode.
--------------------------------------------------------------------------------

[color=red]System Drive C: has 3.18 GiB (less than 15%) free.[/color]


-- HijackThis (run as Tgaud.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:18:50, on 06/02/2008
Platform: Windows XP SP2, v.2149 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2149)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Tgaud\Bureau\antivir\dsds.exe
C:\DOCUME~1\Tgaud\Bureau\antivir\Tgaud.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
g!rly Posts 18209 Registration date Friday 17 August 2007 Status Contributor Last intervention 30 November 2014 406
6 Feb. 2008 at 22:43
re,

can you do a scan with antivir and post the report here, as I asked you in post 33

check the settings I indicated before launching it...

@+
Tgaudlol Posts 53 Registration date Friday 9 November 2007 Status Member Last intervention 12 June 2009
7 Feb. 2008 at 03:05
AntiVir PersonalEdition Classic
Report file date: jeudi 7 février 2008 02:12

Scanning for 1094800 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2, v.2149) [5.1.2600]
Username: Tgaud
Computer name: TGAUDLAND

Version information:
BUILD.DAT : 270 15603 Bytes 19/09/2007 13:32:00
AVSCAN.EXE : 7.0.6.1 290856 Bytes 23/08/2007 13:16:29
AVSCAN.DLL : 7.0.6.0 49192 Bytes 16/08/2007 12:23:51
LUKE.DLL : 7.0.5.3 147496 Bytes 14/08/2007 15:32:47
LUKERES.DLL : 7.0.6.1 10280 Bytes 21/08/2007 12:35:20
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 18/07/2007 14:27:15
ANTIVIR1.VDF : 7.0.1.95 3367424 Bytes 14/12/2007 16:26:12
ANTIVIR2.VDF : 7.0.2.49 1339904 Bytes 25/01/2008 16:26:12
ANTIVIR3.VDF : 7.0.2.101 336896 Bytes 06/02/2008 20:09:17
AVEWIN32.DLL : 7.6.0.62 3240448 Bytes 06/02/2008 16:26:12
AVWINLL.DLL : 1.0.0.7 14376 Bytes 26/02/2007 10:36:26
AVPREF.DLL : 7.0.2.2 25640 Bytes 18/07/2007 07:39:17
AVREP.DLL : 7.0.0.1 155688 Bytes 16/04/2007 13:16:24
AVPACK32.DLL : 7.6.0.3 360488 Bytes 06/02/2008 16:26:12
AVREG.DLL : 7.0.1.6 30760 Bytes 18/07/2007 07:17:06
AVARKT.DLL : 1.0.0.20 278568 Bytes 28/08/2007 12:26:33
AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 18/07/2007 07:10:18
NETNT.DLL : 7.0.0.0 7720 Bytes 08/03/2007 11:09:42
RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 07/08/2007 12:38:13
RCTEXT.DLL : 7.0.62.0 86056 Bytes 21/08/2007 12:50:37
SQLITE3.DLL : 3.3.17.1 339968 Bytes 23/07/2007 09:37:21

Configuration settings for the scan:
Jobname..........................: Local Hard Disks
Configuration file...............: c:\program files\avira\antivir personaledition classic\alldiscs.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: E:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: on
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: high

Start of the scan: jeudi 7 février 2008 02:12

Starting search for hidden objects.
'35686' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'rsvp.exe' - '1' Module(s) have been scanned
Scan process 'hamachi.exe' - '1' Module(s) have been scanned
Scan process 'msnmsgr.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'ATKKBService.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'msnmsgr.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'RTHDCPL.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
29 processes with 29 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[NOTE] No virus was found!
Master boot sector HD1
[NOTE] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[NOTE] No virus was found!
Boot sector 'E:\'
[NOTE] No virus was found!

Starting to scan the registry.
The registry was scanned ( '25' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\QooBox\Quarantine\catchme2008-02-06_110835.10.zip
[0] Archive type: ZIP
--> beep.sys
[DETECTION] Is the Trojan horse TR/Agent.29184.25
--> beep.sys.1
[DETECTION] Is the Trojan horse TR/Agent.29184.25
[INFO] The file was deleted!
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\Ebcc33.sys.vir
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
[INFO] The file was deleted!
C:\SDFix\backups\backups.zip
[0] Archive type: ZIP
--> backups/fnhoje
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
[INFO] The file was deleted!
C:\tytyty\SDFix\backups\backups.zip
[0] Archive type: ZIP
--> backups/basepwo32.dll
[DETECTION] Is the Trojan horse TR/Agent.ehk.5
--> backups/beep.sys
[DETECTION] Is the Trojan horse TR/Agent.29184.25
[INFO] The file was deleted!
C:\WINDOWS\braviax.exe
[DETECTION] Is the Trojan horse TR/Agent.11264.61
[INFO] The file was deleted!
C:\WINDOWS\system32\winivstr.exe
[WARNING] 'Is the Trojan horse TR/Crypt.XDR.Gen'. This detection is probably an error. Please send us this file immediately for further analysis.
C:\WINDOWS\system32\drivers\sptd.sys
[WARNING] The file could not be opened!
C:\_OTMoveIt\MovedFiles\02062008_041742\Windows\system32\crypts.dll
[DETECTION] Is the Trojan horse TR/Click.Agent.LT.5
[INFO] The file was deleted!
C:\_OTMoveIt\MovedFiles\02062008_041853\WINDOWS\system32\braviax.exe
[DETECTION] Is the Trojan horse TR/Agent.11264.61
[INFO] The file was deleted!
C:\_OTMoveIt\MovedFiles\02062008_102950\WINDOWS\braviax.exe
[DETECTION] Is the Trojan horse TR/Agent.11264.61
[INFO] The file was deleted!
C:\_OTMoveIt\MovedFiles\02062008_104045\WINDOWS\braviax.exe
[DETECTION] Is the Trojan horse TR/Agent.11264.61
[INFO] The file was deleted!
C:\_OTMoveIt\MovedFiles\02062008_153434\WINDOWS\cru629.dat
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[INFO] The file was deleted!
C:\_OTMoveIt\MovedFiles\02062008_153434\WINDOWS\system32\braviax.exe
[DETECTION] Is the Trojan horse TR/Agent.11264.61
[INFO] The file was deleted!
C:\_OTMoveIt\MovedFiles\02062008_153434\WINDOWS\system32\dfsj2321.exe
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
[INFO] The file was deleted!
C:\_OTMoveIt\MovedFiles\02062008_153434\WINDOWS\system32\test12.exe
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
[INFO] The file was deleted!
Begin scan in 'E:\' <Stockage>


End of the scan: jeudi 7 février 2008 03:01
Used time: 49:02 min

The scan has been done completely.

7501 Scanning directories
494327 Files were scanned
15 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
13 files were deleted
0 files were repaired
0 files were moved to quarantine
0 files were renamed
2 Files cannot be scanned
494312 Files not concerned
1775 Archives were scanned
3 Warnings
45 Notes
35686 Objects were scanned with rootkit scan
0 Hidden objects were found
g!rly Posts 18209 Registration date Friday 17 August 2007 Status Contributor Last intervention 30 November 2014 406
7 Feb. 2008 at 09:54
hi Tgaudlol,

yes, it's normal that kerio doesn't update, they've stopped developing their firewall...

can you run combofix again and post the report here please, without renaming it:

Download combofix.exe (by sUBs) to your Desktop.

-> http://download.bleepingcomputer.com/sUBs/ComboFix.exe

-> Double-click combofix.exe.
-> Press key 1 (Yes) to start the scan.
-> When the scan is complete, a report will appear. Copy/paste that report in your next reply.

NOTE: The report is also located here: C:\Combofix.txt

@+
Tgaudlol Posts 53 Registration date Friday 9 November 2007 Status Member Last intervention 12 June 2009
7 Feb. 2008 at 14:39
ComboFix 08-02.05.3 - Tgaud 2008-02-07 14:35:25.2 - NTFSx86
Microsoft Windows XP Professionnel 5.1.2600.2.1252.1.1036.18.1339 [GMT 1:00]
Endroit: C:\Documents and Settings\Tgaud\Bureau\ComboFix.exe

[color=red][b]AVERTISSEMENT - LA CONSOLE DE RÉCUPÉRATION N'EST PAS INSTALLÉE SUR CETTE MACHINE !![/b][/color]
.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible sites infectés -----

hxxp://www.download.windowsupdate.com
.
((((((((((((((((((((((((((((( Fichiers créés 2008-01-07 to 2008-02-07 ))))))))))))))))))))))))))))))))))))
.

2008-02-06 21:02 . 2008-02-06 21:02 <REP> d-------- C:\WINDOWS\LastGood
2008-02-06 20:01 . 2008-02-06 20:26 547 --a------ C:\WINDOWS\system32\drivers\fwdrv.err
2008-02-06 19:59 . 2008-02-06 19:59 <REP> d-------- C:\Program Files\Sunbelt Software
2008-02-06 19:41 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-02-06 19:41 . 2007-07-30 19:19 203,096 --a------ C:\WINDOWS\system32\wuweb.dll
2008-02-06 19:41 . 2007-07-30 19:19 203,096 --a--c--- C:\WINDOWS\system32\dllcache\wuweb.dll
2008-02-06 18:12 . 2008-02-06 18:12 <REP> d-------- C:\Program Files\Kerio
2008-02-06 17:55 . 2008-02-06 17:55 <REP> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-06 17:55 . 2008-02-06 18:01 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-06 17:26 . 2008-02-06 17:26 250 --a------ C:\WINDOWS\gmer.ini
2008-02-06 17:24 . 2008-02-06 17:24 <REP> d-------- C:\Program Files\Avira
2008-02-06 17:24 . 2008-02-06 17:24 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-02-06 11:21 . 2008-02-06 11:21 <REP> d-------- C:\Program Files\CleanUp!
2008-02-06 10:54 . 2008-02-07 14:35 <REP> d-------- C:\tytyty
2008-02-06 09:50 . 2008-02-06 09:50 <REP> d-------- C:\Deckard
2008-02-06 07:19 . 2008-02-06 11:45 160,568 --a------ C:\WINDOWS\system32\winivstr.exe
2008-02-06 07:17 . 2004-06-10 15:18 29,056 --a------ C:\WINDOWS\system32\drivers\ip6fw.sys
2008-02-06 07:15 . 2008-02-06 07:15 <REP> d-------- C:\WINDOWS\ERUNT
2008-02-06 05:47 . 2008-02-06 05:47 <REP> d-------- C:\Documents and Settings\Tgaud\Application Data\Grisoft
2008-02-06 05:40 . 2008-02-06 05:40 <REP> d-------- C:\toto
2008-02-06 05:37 . 2007-05-30 13:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-06 05:29 . 2008-02-06 05:29 <REP> d-------- C:\Program Files\Lavasoft
2008-02-06 05:29 . 2008-02-06 05:33 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-06 04:14 . 2008-02-05 20:09 4,224 --a------ C:\WINDOWS\system32\drivers\beep.sys
2008-02-06 04:14 . 2008-02-05 20:09 4,224 --a--c--- C:\WINDOWS\system32\dllcache\beep.sys
2008-02-06 00:33 . 2008-02-06 00:33 <REP> d-------- C:\_OTMoveIt
2008-02-05 23:08 . 2008-02-06 06:44 <REP> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-05 22:18 . 2007-12-04 14:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-02-05 22:18 . 2004-01-09 10:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-02-05 22:18 . 2007-12-04 13:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-02-05 22:18 . 2007-12-04 15:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-02-05 22:18 . 2007-12-04 15:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-02-05 22:18 . 2007-12-04 15:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-02-05 22:18 . 2007-12-04 15:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-02-05 22:18 . 2007-12-04 15:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-02-05 22:15 . 2008-02-05 22:17 <REP> d-------- C:\Program Files\Lop SD
2008-02-05 22:15 . 2008-02-06 11:09 <REP> d-------- C:\CombroFix
2008-02-05 22:15 . 2004-06-11 15:43 402,432 --a------ C:\kmd.exe
2008-02-05 21:54 . 2008-02-05 21:54 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-02-05 21:29 . 2008-02-05 21:29 <REP> d-------- C:\Program Files\Trend Micro
2008-02-05 20:57 . 2008-02-06 10:53 <REP> d-------- C:\SDFix
2008-02-05 20:01 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-02-05 20:01 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-02-05 20:01 . 2008-02-05 00:23 85,504 --a------ C:\WINDOWS\system32\VACFix.exe
2008-02-05 20:01 . 2008-01-27 14:37 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-02-05 20:01 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-02-05 20:01 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-02-05 19:49 . 2008-02-05 19:49 <REP> d-------- C:\Program Files\CCleaner
2008-02-05 19:14 . 2008-02-05 19:14 16,384 --a------ C:\WINDOWS\system32\nod32se.exe
2008-02-05 19:14 . 2008-02-05 19:14 80 --a------ C:\WINDOWS\system32\suspend.bin
2008-02-04 20:11 . 2008-02-04 20:11 <REP> d-------- C:\Program Files\Microsoft Games
2008-02-02 01:34 . 2008-02-02 01:34 <REP> d-------- C:\Program Files\Hamachi
2008-02-02 01:34 . 2008-02-06 23:14 <REP> d-------- C:\Documents and Settings\Tgaud\Application Data\Hamachi
2008-02-02 01:34 . 2008-02-02 01:54 25,280 --a------ C:\WINDOWS\system32\drivers\hamachi.sys
2008-01-25 22:40 . 2008-01-25 22:40 <REP> d-------- C:\Program Files\QuickTime
2008-01-20 17:52 . 2008-01-20 17:52 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Age of Empires 3
2008-01-16 22:25 . 2008-01-16 22:30 14 --ah----- C:\WINDOWS\mmax.ini
2008-01-16 22:23 . 2008-01-16 22:23 4 --a------ C:\WINDOWS\c.pid
2008-01-16 22:22 . 2008-01-16 22:22 <REP> dr------- C:\Documents and Settings\LocalService\Favoris

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-06 18:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-02-06 10:22 --------- d-----w C:\Program Files\Super macro
2008-02-06 10:22 --------- d-----w C:\Program Files\eMule
2008-02-06 04:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-06 04:29 --------- d-----w C:\Program Files\Fichiers communs\Wise Installation Wizard
2008-02-06 03:39 --------- d-----w C:\Program Files\MSN Messenger
2008-02-06 03:36 --------- d-----w C:\Program Files\DAEMON Tools
2008-02-06 03:36 --------- d-----w C:\Program Files\Bonjour
2008-02-03 13:36 196,608 ----a-w C:\WINDOWS\system32\drivers\aStandard.bin
2008-01-20 16:57 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-16 21:53 --------- d-----w C:\Documents and Settings\Tgaud\Application Data\Skype
2008-01-16 15:02 --------- d-----w C:\Documents and Settings\Tgaud\Application Data\skypePM
2008-01-15 17:42 --------- d-----w C:\Program Files\Steam
2008-01-05 19:57 --------- d-----w C:\Program Files\Alwil Software
2008-01-05 19:47 9,216 ----a-w C:\WINDOWS\system32\avgwlntf.dll
2008-01-05 19:34 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-01-05 18:30 --------- d-----w C:\Program Files\Microsoft Security AdviserREN
2008-01-05 17:35 102,664 ----a-w C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-05 17:33 --------- d-----w C:\Program Files\Java
2008-01-05 17:32 --------- d-----w C:\Program Files\Fichiers communs\Java
2007-12-18 19:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Media Center Programs
2007-12-17 19:46 --------- d-----w C:\Program Files\THQ
2007-12-14 10:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-12-12 13:44 --------- d-----w C:\Program Files\DivX
2007-12-11 22:55 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-12-11 22:55 --------- d-----w C:\Program Files\Skype
2007-12-11 22:55 --------- d-----w C:\Program Files\Fichiers communs\Skype
2007-12-11 22:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2007-12-11 22:34 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-12-11 22:34 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-11-25 22:43 245,408 ----a-w C:\WINDOWS\system32\unicows.dll
2007-11-19 20:29 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-11-19 19:59 669,184 ----a-w C:\WINDOWS\system32\pbsvc.exe
2007-11-19 19:59 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2007-11-19 19:59 22,328 ----a-w C:\Documents and Settings\Tgaud\Application Data\PnkBstrK.sys
2007-11-19 19:59 103,736 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2007-11-15 22:39 364,544 ----a-w C:\WINDOWS\system32\ATIDEMGX.dll
2007-11-15 22:38 268,288 ----a-w C:\WINDOWS\system32\ati2dvag.dll
2007-11-15 22:31 307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll
2007-11-15 22:30 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll
2007-11-15 22:30 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe
2007-11-15 22:30 143,360 ----a-w C:\WINDOWS\system32\atipdlxx.dll
2007-11-15 22:30 122,880 ----a-w C:\WINDOWS\system32\Oemdspif.dll
2007-11-15 22:30 122,880 ----a-w C:\WINDOWS\system32\ati2evxx.dll
2007-11-15 22:28 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL
2007-11-15 22:28 495,616 ----a-w C:\WINDOWS\system32\ati2evxx.exe
2007-11-15 22:23 9,314,304 ----a-w C:\WINDOWS\system32\atioglx2.dll
2007-11-15 22:19 3,135,040 ----a-w C:\WINDOWS\system32\ati3duag.dll
2007-11-15 22:08 1,601,792 ----a-w C:\WINDOWS\system32\ativvaxx.dll
2007-11-15 21:54 376,832 ----a-w C:\WINDOWS\system32\atikvmag.dll
2007-11-15 21:52 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll
2007-11-15 21:50 176,128 ----a-w C:\WINDOWS\system32\atiok3x2.dll
2007-11-15 21:46 499,712 ----a-w C:\WINDOWS\system32\ati2cqag.dll
2007-11-15 15:39 593,920 ------w C:\WINDOWS\system32\ati2sgag.exe
.

((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-09-30 03:18 5674352]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-12 10:33 16132608 C:\WINDOWS\RTHDCPL.exe]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 14:32 56080 C:\WINDOWS\KHALMNPR.Exe]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-06 17:26 249896]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"UseDesktopIniCache"= 1 (0x1)

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^Logitech SetPoint.lnk]
path=C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage\Logitech SetPoint.lnk
backup=C:\WINDOWS\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Tgaud^Menu Démarrer^Programmes^Démarrage^CCC.lnk]
path=C:\Documents and Settings\Tgaud\Menu Démarrer\Programmes\Démarrage\CCC.lnk
backup=C:\WINDOWS\pss\CCC.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\36X Raid Configurer]
-r------- 2007-02-06 13:08 1953792 C:\WINDOWS\system32\JMRaidSetup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-05-11 02:06 40048 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
-r------- 2005-05-03 11:43 69632 C:\WINDOWS\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASUS SmartDoctor]
--a------ 2007-04-23 20:20 1114112 C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bonjour]
C:\WINDOWS\vmmreg32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2004-06-11 15:43 14336 C:\WINDOWS\system32\CTFMON.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Firewall auto setup]
C:\DOCUME~1\Tgaud\LOCALS~1\Temp\winlogon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GamerOSD]
--a------ 2007-02-14 08:42 380928 C:\Program Files\ASUS\GamerOSD\GamerOSD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X IDE Setup]
-r------- 2006-10-30 13:44 36864 C:\WINDOWS\JM\JMInsIDE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
--a------ 2007-04-11 14:32 56080 C:\WINDOWS\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft all]
C:\WINDOWS\mmall.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
---hs---- 2004-06-11 15:54 1667584 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2007-11-12 15:48 21760296 C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2007-12-03 21:00 1266936 c:\program files\steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Windows IPSEC Monitor"=2 (0x2)
"Microsoft I Service"=2 (0x2)
"Windows Management Service"=2 (0x2)
"PnkBstrA"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"helpsvc"=2 (0x2)
"FontCache3.0.0.0"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"msupdate"=2 (0x2)
"usnjsvc"=3 (0x3)
"aswUpdSv"=2 (0x2)
"aawservice"=2 (0x2)

R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys [2004-04-15 11:02]
R3 Video3D;ASUS Video3D Service;C:\WINDOWS\system32\Drivers\Video3D32.sys [2006-09-29 09:06]
R4 atidgllk;atidgllk;C:\WINDOWS\atidgllk.sys [2005-10-20 08:29]
R4 Odptdi;Odptdi;C:\WINDOWS\system32\drivers\odptdi.sys []
S1 asusgsb;ASUS Virtual Video Capture Device Driver;C:\WINDOWS\system32\drivers\asusgsb32.sys [2005-10-20 15:25]
S3 gdrv;gdrv;C:\WINDOWS\gdrv.sys [2007-09-30 07:56]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4a58c786-9a16-11dc-95ac-00604cd59310}]
\Shell\AutoRun\command - F:\Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4a58c787-9a16-11dc-95ac-00604cd59310}]
\Shell\AutoRun\command - G:\Setup.exe

.
Contenu du dossier 'Scheduled Tasks/Tâches planifiées'
"2008-02-07 09:31:00 C:\WINDOWS\Tasks\At1.job"
- C:\DOCUME~1\Tgaud\Bureau\Look2Me-Destroyer.exe
"2008-02-07 09:36:00 C:\WINDOWS\Tasks\At2.job"
- C:\DOCUME~1\Tgaud\Bureau\Look2Me-Destroyer.exe
"2008-02-07 09:38:00 C:\WINDOWS\Tasks\At3.job"
- C:\DOCUME~1\Tgaud\Bureau\Look2Me-Destroyer.exe
"2008-02-07 09:38:00 C:\WINDOWS\Tasks\At4.job"
- C:\DOCUME~1\Tgaud\Bureau\Look2Me-Destroyer.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-07 14:36:55
Windows 5.1.2600 Service Pack 2, v.2149 NTFS

Balayage processus cachés ...

Balayage caché autostart entries ...

Balayage des fichiers cachés ...

Scan terminé avec succès
Les fichiers cachés: 0

**************************************************************************
.
Temps d'accomplissement: 2008-02-07 14:37:13
ComboFix-quarantined-files.txt 2008-02-07 13:37:11
.
2008-02-05 21:59:27 --- E O F ---
0
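The startupreg blocks in the ComboFix report above are what a helper scans by eye: an autostart whose path carries no attribute/date/size metadata (the file was absent or hidden when ComboFix ran), or that launches from a Temp directory under a core-Windows name. The script below is an added triage example, not part of this thread or of ComboFix; its SAMPLE_REPORT is constructed in the report's layout and the flagging heuristics are the example's own.

```python
import re

# Constructed sample in the layout of ComboFix's "Point de chargement Reg" section
# (msconfig startupreg blocks), modelled on the report above so this runs offline.
SAMPLE_REPORT = """\
[HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\startupreg\\Bonjour]
C:\\WINDOWS\\vmmreg32.exe

[HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\startupreg\\CTFMON.EXE]
--a------ 2004-06-11 15:43 14336 C:\\WINDOWS\\system32\\CTFMON.EXE

[HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\startupreg\\Firewall auto setup]
C:\\DOCUME~1\\Tgaud\\LOCALS~1\\Temp\\winlogon.exe
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# Attribute field, date, time and size precede the path only when ComboFix could stat the file.
META_RE = re.compile(r"^[-rahsc]{9} \d{4}-\d{2}-\d{2} \d{2}:\d{2} \d+ (?P<path>.+)$")
# Directories a persistent autostart entry normally has no business pointing into (heuristic).
SUSPECT_DIRS = ("\\temp\\", "\\locals~1\\", "\\application data\\")
# Core Windows binary names that only belong in system32 (heuristic list).
SYSTEM_NAMES = {"winlogon.exe", "svchost.exe", "lsass.exe", "services.exe"}

def parse_startupreg(text):
    """Return a list of (entry_name, path, has_metadata) for each startupreg block."""
    entries, name = [], None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            name = m.group("key").rsplit("\\", 1)[-1]
        elif name and line.strip():
            meta = META_RE.match(line)
            entries.append((name, meta.group("path") if meta else line.strip(), bool(meta)))
            name = None
    return entries

def triage(entries):
    """Return [(entry_name, path, [reasons])] for entries that deserve a closer look."""
    findings = []
    for name, path, has_meta in entries:
        low, reasons = path.lower(), []
        if not has_meta:
            reasons.append("no file metadata: binary missing or hidden at scan time")
        if any(d in low for d in SUSPECT_DIRS):
            reasons.append("runs from a temp or user profile directory")
        if low.rsplit("\\", 1)[-1] in SYSTEM_NAMES and "\\windows\\system32\\" not in low:
            reasons.append("system binary name outside system32")
        if reasons:
            findings.append((name, path, reasons))
    return findings
```

On the sample, the genuine CTFMON entry passes while the bare-path "Bonjour" entry and the Temp-resident winlogon.exe are reported with their reasons, which is the same judgement the helpers apply to the full report.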