34 replies
Good evening,
Download and install HijackThis (Trend Micro).
Then post a report in your next reply.
HELP: How to use HijackThis v2.0.2: http://www.infos-du-net.com/forum/271838-11-tuto-utiliser-hijackthis
crawford2
OK, thanks a lot, I'll do that right away!
Here is the HijackThis report:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:44:15, on 11/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\live.messenger.com
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\MalwareAlarm\MalwareAlarm.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrateur\Bureau\HiJackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.94.151.34:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] "C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe"
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [MSN Messenger] live.messenger.com
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [BMdf5306f8] Rundll32.exe "C:\WINDOWS\system32\aplqwefi.dll",s
O4 - HKLM\..\Run: [dc603564] rundll32.exe "C:\WINDOWS\system32\kcpwsbjc.dll",b
O4 - HKLM\..\RunServices: [MSN Messenger] live.messenger.com
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [MalwareAlarm] "C:\Program Files\MalwareAlarm\MalwareAlarm.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\SKYPE4~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Moteur Webroot Spy Sweeper (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
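As an added illustration of how a helper reads a report like the one above (example code written for this page; it is not part of the thread and not HijackThis's own tooling), the script below parses HijackThis-format O4 and R0/R1 lines and flags the entries a triager would look at first: machine-generated entry names, rundll32 loading an eight-letter DLL from system32, bare file names or files dropped directly in the Windows directory, unusual extensions, and a configured proxy. The signals are rules of thumb assumed for this example, the sample log is constructed from the kinds of lines in the report rather than being the full report, and a hit is a lead for manual review, not a verdict.

```python
"""Triage heuristics for HijackThis-format autorun (O4) and IE setting (R0/R1) lines.

Added example, not part of the forum thread or of HijackThis itself. The signals
are rules of thumb a helper applies by eye when reading such a report; they
produce leads for manual review, not verdicts.
"""
import ntpath
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample in HijackThis v2 log format, modelled on the kinds of
# entries shown in the report above; it is not the full report.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.94.151.34:80
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [BMdf5306f8] Rundll32.exe "C:\WINDOWS\system32\aplqwefi.dll",s
O4 - HKLM\..\Run: [dc603564] rundll32.exe "C:\WINDOWS\system32\kcpwsbjc.dll",b
O4 - HKLM\..\Run: [MSN Messenger] live.messenger.com
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SERVICE LOCAL')
"""

O4_RE = re.compile(r'^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
R_RE = re.compile(r'^(?P<kind>R[01]) - (?P<key>[^,]+),(?P<value>[^=]+?) = (?P<data>.*)$')
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')
# Entry names such as "BMdf5306f8" or "dc603564": at most two letters, then hex digits.
RANDOM_NAME_RE = re.compile(r'^[A-Za-z]{0,2}[0-9a-f]{6,}$', re.I)
WINDOWS_ROOTS = {r'c:\windows', r'c:\winnt'}   # assumed default install locations
NORMAL_EXTS = {'.exe', '.dll', '.bat', '.cmd', '.scr'}


@dataclass
class Finding:
    kind: str                  # 'O4', 'R0' or 'R1'
    name: str                  # Run entry name, or the registry value name
    detail: str                # command line or value data
    reasons: List[str] = field(default_factory=list)


def tokens(cmd: str) -> List[str]:
    """Split a Run value into arguments, honouring double quotes."""
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmd)]


def loaded_module(cmd: str) -> str:
    """Path that actually executes: for rundll32 that is the DLL argument, not rundll32."""
    parts = tokens(cmd)
    if not parts:
        return ''
    exe = parts[0]
    if ntpath.basename(exe).lower().startswith('rundll32') and len(parts) > 1:
        return parts[1].split(',', 1)[0]
    return exe


def assess_run_entry(name: str, cmd: str) -> List[str]:
    """Return the heuristic signals an O4 entry trips (empty list = nothing notable)."""
    reasons = []
    module = loaded_module(cmd)
    base = ntpath.basename(module).lower()
    folder = ntpath.dirname(module).lower().rstrip('\\')
    ext = ntpath.splitext(base)[1]
    if RANDOM_NAME_RE.match(name):
        reasons.append('entry name looks machine-generated')
    if not folder:
        reasons.append('bare file name: resolved through PATH or the Windows directory')
    elif folder in WINDOWS_ROOTS:
        reasons.append('file sits directly in the Windows directory')
    if ext not in NORMAL_EXTS:
        reasons.append(f'unusual extension {ext!r} for an autorun target')
    if ext == '.dll' and folder.endswith('system32') and re.fullmatch(r'[a-z]{8}', base[:-4]):
        reasons.append('rundll32 loads an eight-letter DLL from system32')
    return reasons


def assess_ie_value(value: str, data: str) -> List[str]:
    """A proxy set in the user's IE settings routes all browser traffic elsewhere."""
    if value.strip().lower() == 'proxyserver' and data.strip():
        return ['browser traffic is routed through a proxy; confirm it was set on purpose']
    return []


def triage(log_text: str) -> List[Finding]:
    """Parse a HijackThis-format log and keep only the lines that trip a signal."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            reasons = assess_run_entry(m['name'], m['cmd'])
            if reasons:
                findings.append(Finding('O4', m['name'], m['cmd'], reasons))
            continue
        m = R_RE.match(line)
        if m:
            reasons = assess_ie_value(m['value'], m['data'])
            if reasons:
                findings.append(Finding(m['kind'], m['value'], m['data'], reasons))
    return findings


def suspicious_names(log_text: str) -> List[str]:
    """Run entries that trip at least two signals: the ones to look at first."""
    return [f.name for f in triage(log_text) if f.kind == 'O4' and len(f.reasons) >= 2]


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'{f.kind} [{f.name}] {f.detail}')
        for r in f.reasons:
            print(f'    - {r}')
```

Run it as a script to print the findings for the constructed sample, or call triage() on the text of a saved log. A legitimate entry such as nLite's RunOnce line trips the bare-file-name signal too, which is why the output lists reasons per entry instead of giving a yes/no answer.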
OK, here we go
Download SDFix: http://downloads.andymanchesta.com/RemovalTools/SDFix.exe (created by AndyManchesta) and save it to your Desktop.
User guide: http://mickael.barroux.free.fr/securite/sdfix.php
Double-click SDFix.exe and choose Install to extract it into its own folder on the Desktop. Restart your computer in Safe Mode by following this procedure:
* Restart your computer.
* After you hear the computer beep during start-up, but before the Windows icon appears, tap the F8 key (one press per second).
* Instead of the normal Windows load, a menu with several options should appear.
* Choose the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your account.
Then go through the list of instructions below:
* Open the SDFix folder that was just created on the Desktop and double-click RunThis.bat to launch the script.
* Press Y to start the cleaning process.
* It will remove the services and registry entries of any trojans it finds, then ask you to press a key to reboot.
* Press a key to reboot the PC.
* Your system will take longer than usual to reboot because the tool keeps running and deleting files.
* Once the Desktop has loaded, the tool will finish its work and display Finished.
* Press a key to end the script and load your Desktop icons.
* Once the Desktop icons are displayed, the SDFix report will open on screen and is also saved in the SDFix folder as Report.txt.
* Finally, copy/paste the contents of Report.txt in your next reply on the forum.
N.B.:
- The SDFIX_README.htm file (in the SDFix folder) lists the malware the tool handles.
- Andy releases several updates, often more than one per day... So don't hesitate to ask for a new version when the cleaning takes a while and the tool does not seem to see everything.
+ a new HijackThis report
Here is the SDFix report and the second HijackThis report:
SDFix: Version 1.169
Run by Administrateur on 11/04/2008 at 22:27
Microsoft Windows XP [version 5.1.2600]
Running From: C:\DOCUME~1\ADMINI~1\Bureau\SDFix
Checking Services:
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting
Checking Files:
Trojan Files Found:
C:\Documents and Settings\All Users\Application Data\Webroot\Spy Sweeper\install.dat - Deleted
C:\WINDOWS\admintxt.txt - Deleted
C:\WINDOWS\live.messenger.com - Deleted
C:\WINDOWS\xpupdate.exe - Deleted
Removing Temp Files
ADS Check:
Final Check:
catchme 0.3.1351.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-11 22:40:12
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services:
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
Remaining Files:
File Backups: - C:\DOCUME~1\ADMINI~1\Bureau\SDFix\backups\backups.zip
Files with Hidden Attributes:
Fri 7 Jan 2000 20 A..H. --- "C:\Documents and Settings\Administrateur\Mes documents\CD\00000001.TMP"
Fri 7 Jan 2000 6,784 A..H. --- "C:\Documents and Settings\Administrateur\Mes documents\CD\clcd16.dll"
Fri 7 Jan 2000 27,648 A..H. --- "C:\Documents and Settings\Administrateur\Mes documents\CD\clcd32.dll"
Fri 7 Jan 2000 177,152 A..H. --- "C:\Documents and Settings\Administrateur\Mes documents\CD\clokspl.exe"
Fri 7 Jan 2000 172,544 A..H. --- "C:\Documents and Settings\Administrateur\Mes documents\CD\dplayerx.dll"
Fri 7 Jan 2000 31,744 A..H. --- "C:\Documents and Settings\Administrateur\Mes documents\CD\drvmgt.dll"
Fri 7 Jan 2000 10,848 A..H. --- "C:\Documents and Settings\Administrateur\Mes documents\CD\secdrv.sys"
Tue 4 Dec 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Mon 31 Mar 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\04d77a314e978a6d2e5e499ece3dd910\download\BIT15A.tmp"
Mon 31 Mar 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\12c9c7b74d009cd8f751411d54cc4b11\download\BIT152.tmp"
Mon 31 Mar 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\4c5c888ff189ce65af20cc141b13bcd3\download\BIT150.tmp"
Mon 31 Mar 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\50b1dbf091e5ad2003668acab0cb3bc0\download\BIT46.tmp"
Mon 31 Mar 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\8d788a6c74bdc379d0d986e24df63dac\download\BIT151.tmp"
Mon 31 Mar 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\aac32b147e85d7e385723db20710e304\download\BIT159.tmp"
Mon 31 Mar 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ce032cf8ac93ba1b2a73a4a1e2f9d609\download\BIT14F.tmp"
Finished!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:52:32, on 11/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrateur\Bureau\HiJackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.94.151.34:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] "C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe"
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [dc603564] rundll32.exe "C:\WINDOWS\system32\kcpwsbjc.dll",b
O4 - HKLM\..\Run: [BMdf5306f8] Rundll32.exe "C:\WINDOWS\system32\aplqwefi.dll",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MalwareAlarm] "C:\Program Files\MalwareAlarm\MalwareAlarm.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\SKYPE4~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Moteur Webroot Spy Sweeper (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
1) Show hidden files and folders...
To do so, open a folder, for example "My Pictures".
Then click > Tools > Folder Options...
click the "View" tab and...
check ---> Show hidden files and folders
uncheck > Hide extensions for known file types
uncheck > Hide protected operating system files (Recommended).
"Apply" and "OK".
2) Disable all resident protection (antivirus, etc.)!
Disconnect from the internet, close all running programs and let ComboFix work: do not do anything else at the same time!
Download ComboFix by sUBs: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Save it to your Desktop and nowhere else!
Restart in Safe Mode: help here >>>
http://forum.telecharger.01net.com/forum/high-tech/SECURITE/Securite/redemarrer-mode-echec-sujet_1526_1.htm
/!\ Never restart in Safe Mode via msconfig! /!\
Double-click ComboFix. It will ask you a question; answer by pressing the 1 key and Enter to confirm, then follow the prompts.
Wait for ComboFix to finish; a report will be created. Post the report. It is located here: C:\Combofix.txt
3) Copy/paste a new HijackThis report along with it.
Hi
ComboFix is a powerful tool, and therefore a particularly risky one.
So it is better to use it only as a last resort, when the other tools have failed. Vundofix, Virtumundobegone, SDFix, Navilog, SmitfraudFix, Clean.zip can do a large part of the job. The antivirus and antispyware programs too.
Hi, sorry, the computer crashed last night; here is the ComboFix report,
ComboFix 08-04-11.8 - Administrateur 2008-04-12 18:40:52.1 - NTFSx86 MINIMAL
Microsoft Windows XP Professionnel 5.1.2600.2.1252.1.1036.18.390 [GMT 2:00]
Endroit: C:\Documents and Settings\Administrateur\Bureau\ComboFix.exe
[color=red][b]AVERTISSEMENT - LA CONSOLE DE RÉCUPÉRATION N'EST PAS INSTALLÉE SUR CETTE MACHINE !!/b/color
.
(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Administrateur\Menu Démarrer\Programmes\MalwareAlarm
C:\Documents and Settings\Administrateur\Menu Démarrer\Programmes\MalwareAlarm\Uninstall.lnk
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\aplqwefi.dll
C:\WINDOWS\system32\awtqnkhe.dll
C:\WINDOWS\system32\awturQiG.dll
C:\WINDOWS\system32\awturRkL.dll
C:\WINDOWS\system32\awtuvULE.dll
C:\WINDOWS\system32\bYOFwTMD.dll
C:\WINDOWS\system32\byXNdeed.dll
C:\WINDOWS\system32\byXPJBUO.dll
C:\WINDOWS\system32\cbXPjHXP.dll
C:\WINDOWS\system32\cbXQiHBR.dll
C:\WINDOWS\system32\cbXRJASm.dll
C:\WINDOWS\system32\cjbswpck.ini
C:\WINDOWS\system32\ddcArQkI.dll
C:\WINDOWS\system32\ddcCUmLc.dll
C:\WINDOWS\system32\ddcDvtrq.dll
C:\WINDOWS\system32\dukpvrgy.dll
C:\WINDOWS\system32\dygeicap.dll
C:\WINDOWS\system32\fcccbcbX.dll
C:\WINDOWS\system32\geBtUmKA.dll
C:\WINDOWS\system32\geBuSMed.dll
C:\WINDOWS\system32\gyexuhyk.dll
C:\WINDOWS\system32\hgGaxxYO.dll
C:\WINDOWS\system32\hgGwUoME.dll
C:\WINDOWS\system32\hgGxXrPi.dll
C:\WINDOWS\system32\iifgDwVP.dll
C:\WINDOWS\system32\ivbfnjci.dll
C:\WINDOWS\system32\jkkHYqnM.dll
C:\WINDOWS\system32\jkkJdCUk.dll
C:\WINDOWS\system32\jkkLEUKB.dll
C:\WINDOWS\system32\kcpwsbjc.dll
C:\WINDOWS\system32\khfCtrRK.dll
C:\WINDOWS\system32\ljJATKaB.dll
C:\WINDOWS\system32\ljJBsQkL.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mlJArpPi.dll
C:\WINDOWS\system32\mmnmnpXx.ini
C:\WINDOWS\system32\mmnmnpXx.ini2
C:\WINDOWS\system32\nnnoMCUm.dll
C:\WINDOWS\system32\ocjewmuo.ini
C:\WINDOWS\system32\opnmJCts.dll
C:\WINDOWS\system32\opnooNgg.dll
C:\WINDOWS\system32\paciegyd.ini
C:\WINDOWS\system32\pmnkIBqR.dll
C:\WINDOWS\system32\pmnlllkk.dll
C:\WINDOWS\system32\pphpywgt.ini
C:\WINDOWS\system32\ptaepgpx.dll
C:\WINDOWS\system32\pwnsqskg.dll
C:\WINDOWS\system32\qoMcabay.dll
C:\WINDOWS\system32\qoMdBSiG.dll
C:\WINDOWS\system32\rqRIaAsR.dll
C:\WINDOWS\system32\rqRIcdCr.dll
C:\WINDOWS\system32\rqRLbbCr.dll
C:\WINDOWS\system32\sgwpsbuq.dll
C:\WINDOWS\system32\ssqRKecc.dll
C:\WINDOWS\system32\tuvSifDS.dll
C:\WINDOWS\system32\tuvSljif.dll
C:\WINDOWS\system32\tuvSllIy.dll
C:\WINDOWS\system32\tuvTnMFy.dll
C:\WINDOWS\system32\urqQgfGy.dll
C:\WINDOWS\system32\vtqxjkaa.ini
C:\WINDOWS\system32\vtUooLdD.dll
C:\WINDOWS\system32\vxpcrswo.ini
C:\WINDOWS\system32\wvUkIAPG.dll
C:\WINDOWS\system32\wvUlmjkL.dll
C:\WINDOWS\system32\wvUlmnki.dll
C:\WINDOWS\system32\wvUmkhgE.dll
C:\WINDOWS\system32\wvUmmLbY.dll
C:\WINDOWS\system32\wvUnMgeE.dll
C:\WINDOWS\system32\wxeifaop.ini
C:\WINDOWS\system32\xfihchxk.dll
C:\WINDOWS\system32\xXpnmnmm.dll
.
((((((((((((((((((((((((((((( Fichiers cr‚‚s 2008-03-12 to 2008-04-12 ))))))))))))))))))))))))))))))))))))
.
2008-04-11 22:22 . 2008-04-11 22:23 <REP> d-------- C:\WINDOWS\ERUNT
2008-04-11 20:17 . 2008-04-11 20:17 3,648 --a------ C:\WINDOWS\system32\hhrctdly.dll
2008-04-11 15:29 . 2008-04-11 15:29 294 ---hs---- C:\WINDOWS\system32\adrlbpor.ini
2008-04-11 15:23 . 2008-04-11 15:23 3,648 --a------ C:\WINDOWS\system32\mwpnsacs.dll
2008-04-10 21:05 . 2008-04-11 19:05 <REP> d-------- C:\Program Files\MalwareAlarm
2008-04-09 21:05 . 2008-04-09 21:05 3,648 --a------ C:\WINDOWS\system32\waphibsr.dll
2008-04-08 19:43 . 2008-04-08 19:43 3,648 --a------ C:\WINDOWS\system32\pxgoesge.dll
2008-03-31 19:58 . 2008-03-31 19:58 268 --ah----- C:\sqmdata16.sqm
2008-03-31 19:58 . 2008-03-31 19:58 244 --ah----- C:\sqmnoopt16.sqm
2008-03-31 16:37 . 2008-03-31 16:37 268 --ah----- C:\sqmdata15.sqm
2008-03-31 16:37 . 2008-03-31 16:37 244 --ah----- C:\sqmnoopt15.sqm
2008-03-31 15:18 . 2008-03-31 15:18 268 --ah----- C:\sqmdata14.sqm
2008-03-31 15:18 . 2008-03-31 15:18 244 --ah----- C:\sqmnoopt14.sqm
2008-03-31 15:10 . 2008-03-31 15:10 268 --ah----- C:\sqmdata13.sqm
2008-03-31 15:10 . 2008-03-31 15:10 244 --ah----- C:\sqmnoopt13.sqm
2008-03-31 14:58 . 2008-03-31 14:58 268 --ah----- C:\sqmdata12.sqm
2008-03-31 14:58 . 2008-03-31 14:58 244 --ah----- C:\sqmnoopt12.sqm
2008-03-31 14:25 . 2008-03-31 14:25 268 --ah----- C:\sqmdata11.sqm
2008-03-31 14:25 . 2008-03-31 14:25 244 --ah----- C:\sqmnoopt11.sqm
2008-03-31 13:01 . 2008-03-31 13:01 268 --ah----- C:\sqmdata10.sqm
2008-03-31 13:01 . 2008-03-31 13:01 244 --ah----- C:\sqmnoopt10.sqm
2008-03-31 12:48 . 2008-03-29 19:31 75,856 --a------ C:\WINDOWS\system32\drivers\aswSP.sys
2008-03-31 12:48 . 2008-03-29 19:35 20,560 --a------ C:\WINDOWS\system32\drivers\aswFsBlk.sys
2008-03-31 12:40 . 2008-03-31 12:40 268 --ah----- C:\sqmdata09.sqm
2008-03-31 12:40 . 2008-03-31 12:40 244 --ah----- C:\sqmnoopt09.sqm
2008-03-31 12:18 . 2008-03-31 12:18 268 --ah----- C:\sqmdata08.sqm
2008-03-31 12:18 . 2008-03-31 12:18 244 --ah----- C:\sqmnoopt08.sqm
2008-03-31 10:48 . 2008-03-31 10:48 268 --ah----- C:\sqmdata07.sqm
2008-03-31 10:48 . 2008-03-31 10:48 244 --ah----- C:\sqmnoopt07.sqm
2008-03-31 09:43 . 2008-03-31 09:43 268 --ah----- C:\sqmdata06.sqm
2008-03-31 09:43 . 2008-03-31 09:43 244 --ah----- C:\sqmnoopt06.sqm
2008-03-28 15:02 . 2008-03-28 15:02 <REP> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-03-28 14:11 . 2008-03-28 14:15 <REP> dr------- C:\Documents and Settings\LocalService\Mes documents
2008-03-28 14:11 . 2008-03-28 14:11 <REP> d-------- C:\Documents and Settings\LocalService\Menu D‚marrer
2008-03-28 14:11 . 2008-03-28 14:16 <REP> dr------- C:\Documents and Settings\LocalService\Favoris
2008-03-28 14:11 . 2008-03-28 14:11 <REP> d-------- C:\Documents and Settings\LocalService\Bureau
2008-03-16 23:45 . 2008-03-16 23:46 205 --a------ C:\WINDOWS\wininit.ini
2008-03-16 22:01 . 2008-03-28 14:59 <REP> d-------- C:\Program Files\a-squared Free
2008-03-16 21:49 . 2008-03-28 13:38 <REP> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-16 21:49 . 2008-03-28 13:38 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-16 16:53 . 2008-03-16 16:53 268 --ah----- C:\sqmdata05.sqm
2008-03-16 16:53 . 2008-03-16 16:53 244 --ah----- C:\sqmnoopt05.sqm
2008-03-15 20:13 . 2008-03-15 20:13 <REP> d-------- C:\Program Files\Lavasoft
2008-03-15 20:13 . 2008-03-15 20:16 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-12 16:25 --------- d-----w C:\Documents and Settings\Administrateur\Application Data\Skype
2008-03-29 17:45 1,146,232 ----a-w C:\WINDOWS\system32\aswBoot.exe
2008-03-29 17:35 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2008-03-29 17:29 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2008-03-29 17:27 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2008-03-29 17:26 26,944 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2008-03-29 17:23 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
2008-03-16 17:46 --------- d-----w C:\Program Files\Winamp
2008-03-16 17:45 --------- d-----w C:\Program Files\MSN Messenger
2008-03-16 17:40 --------- d-----w C:\Program Files\Microsoft LifeCam
.
((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* les ‚l‚ments vides & les ‚l‚ments initiaux l‚gitimes ne sont pas list‚s
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{87D22BD9-D8DC-4B1B-A542-69DBDC10D801}]
C:\WINDOWS\system32\opnon.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 16:09 15360]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-09-13 14:31 22880040]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 13:54 5674352]
"MalwareAlarm"="C:\Program Files\MalwareAlarm\MalwareAlarm.exe" [2008-04-10 21:05 440832]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-29 19:37 79224]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-28 15:43 188416]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-23 20:51 233472]
"DeviceDiscovery"="C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 19:37 229437]
"LifeCam"="C:\Program Files\Microsoft LifeCam\LifeExp.exe" [2007-01-13 03:48 275800]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-04 20:56 5367664]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-19 16:09 15360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2006-11-07 04:26 123904 C:\WINDOWS\system32\advpack.dll]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDesktopCleanupWizard"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"ForceStartMenuLogoff"= 0 (0x0)
"NoUserNameInStartMenu"= 1 (0x1)
"NoStartMenuPinnedList"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"StartMenuLogoff"= 1 (0x1)
"ForceStartMenuLogoff"= 0 (0x0)
"NoUserNameInStartMenu"= 1 (0x1)
"NoStartMenuPinnedList"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bYOFwTMD]
bYOFwTMD.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Update]
C:\WINDOWS\system32\spool.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2007-05-15 00:22 35328 C:\Program Files\Winamp\winampa.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 19:31]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 19:35]
R2 MSCamSvc;MSCamSvc;"C:\Program Files\Microsoft LifeCam\MSCamS32.exe" [2007-01-05 00:13]
S3 usbscan;Pilote de scanneur USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 23:58]
S3 USBSTOR;Pilote de stockage de masse USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 00:08]
S3 VX1000;VX-1000;C:\WINDOWS\system32\DRIVERS\VX1000.sys [2006-12-06 01:39]
.
Contenu du dossier 'Scheduled Tasks/Tƒches planifi‚es'
"2007-12-04 20:24:31 C:\WINDOWS\Tasks\Microsoft_Hardware_Launch_setup_exe.job"
- D:\setup.exe
"2008-04-02 11:00:06 C:\WINDOWS\Tasks\wrSpySweeper_LDBD09B02E40D438ABDF29579B4E2D8B3.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe>/ScheduleSweep=wrSpySweeper_LDBD09B02E40D438ABDF29579B4E2D8B3
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex
.
**************************************************************************
catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-12 18:50:16
Windows 5.1.2600 Service Pack 2 NTFS
Balayage processus cach‚s ...
Balayage cach‚ autostart entries ...
Balayage des fichiers cach‚s ...
Scan termin‚ avec succŠs
Les fichiers cach‚s: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Temps d'accomplissement: 2008-04-12 18:54:03 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-12 16:53:48
Pre-Run: 21,749,301,248 octets libres
Post-Run: 21,746,728,960 octets libres
.
2008-03-29 19:23:52 --- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:00:53, on 12/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrateur\Bureau\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.94.151.34:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {87D22BD9-D8DC-4B1B-A542-69DBDC10D801} - C:\WINDOWS\system32\opnon.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] "C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe"
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: bYOFwTMD - bYOFwTMD.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
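A first triage pass over HijackThis report lines of the kind posted above, as an added example that is not part of the thread or of HijackThis itself: the sample lines are constructed from the entry shapes in the report (orphaned BHO, orphaned Winlogon Notify entry, proxy setting, unidentified LSP, service with unknown owner), and the per-section rules are my own heuristics, not HijackThis's.

```python
import re
from dataclasses import dataclass
from typing import Optional

# HijackThis prints one entry per line as "<section> - <detail>", e.g. "O2 - BHO: ...".
LINE_RE = re.compile(r"^(?P<section>[RFO]\d{1,2}) - (?P<detail>.+)$")

# Constructed sample, modelled on the HijackThis v2.0.2 report posted in this thread.
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.94.151.34:80
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {87D22BD9-D8DC-4B1B-A542-69DBDC10D801} - C:\WINDOWS\system32\opnon.dll (file missing)
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - Winlogon Notify: bYOFwTMD - bYOFwTMD.dll (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
"""


@dataclass(frozen=True)
class Finding:
    section: str
    severity: str  # "suspicious" (likely leftover of an infection) or "review" (needs a human look)
    reason: str
    detail: str


def parse_hjt_line(line: str) -> Optional[tuple[str, str]]:
    """Split one HijackThis line into (section code, detail); None for header/process lines."""
    m = LINE_RE.match(line.strip())
    return (m.group("section"), m.group("detail")) if m else None


def assess(section: str, detail: str) -> Optional[tuple[str, str]]:
    """Heuristic verdict (severity, reason) for one entry, or None when nothing stands out."""
    missing = "(file missing)" in detail
    if section in ("R0", "R1") and "ProxyServer" in detail:
        # A proxy the user did not set up can silently redirect all browsing.
        return "review", "browser proxy configured; confirm it is expected"
    if section == "O2" and ("(no name)" in detail or missing):
        # Unnamed BHOs and BHOs whose DLL is gone are typical residue of a cleaned infection.
        return "suspicious", "unnamed or orphaned Browser Helper Object"
    if section == "O10":
        return "review", "Winsock LSP entry HijackThis could not identify"
    if section == "O20":
        if missing:
            # The registry still references a Winlogon Notify DLL that was already deleted.
            return "suspicious", "orphaned Winlogon Notify entry (DLL already removed)"
        return "review", "third-party Winlogon Notify DLL"
    if section == "O23" and ("Unknown owner" in detail or missing):
        return "review", "service with unknown owner or missing binary"
    return None


def triage(log_text: str) -> list[Finding]:
    """Run assess() over every entry line of a report and collect the findings in order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        parsed = parse_hjt_line(raw)
        if parsed is None:
            continue
        section, detail = parsed
        verdict = assess(section, detail)
        if verdict is not None:
            findings.append(Finding(section, verdict[0], verdict[1], detail))
    return findings


def severity_counts(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity so a helper can see at a glance what is left to clean."""
    counts = {"suspicious": 0, "review": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_HJT_LOG)
    for f in results:
        print(f"[{f.severity:10}] {f.section}: {f.reason}\n    {f.detail}")
    print(severity_counts(results))
```

The benign Acrobat BHO, the Skype Run entry and the avast! service pass through untouched, which is the point: the rules only surface entries that need a decision.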
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.94.151.34:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {87D22BD9-D8DC-4B1B-A542-69DBDC10D801} - C:\WINDOWS\system32\opnon.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] "C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe"
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: bYOFwTMD - bYOFwTMD.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
Hello,
Download VundoFix: http://www.atribune.org/ccount/click.php?id=4
Double-click VundoFix.exe to launch it.
When it starts up again, click [Scan for Vundo].
At the end of the scan, click [Remove Vundo].
It will ask whether you want to delete the files; click [YES].
Your desktop will disappear while the files are being deleted.
It will then tell you that your PC is going to shut down; click [OK].
Restart your PC.
Copy/paste the report (C:\vundofix.txt)
and a new HijackThis report.
VundoFix may be unable to delete a file;
in that case it will run again at the next restart,
and you just start over from "click [Scan for Vundo]".
---------------
VundoFix didn't find any infected file; it didn't offer to delete the files the way you told me it would. Is that normal?
Here is the latest HijackThis report:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:50:23, on 12/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrateur\Bureau\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.94.151.34:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {87D22BD9-D8DC-4B1B-A542-69DBDC10D801} - C:\WINDOWS\system32\opnon.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] "C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe"
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: bYOFwTMD - bYOFwTMD.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
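Triage of the HijackThis report above, as an added example (not code from the thread, from HijackThis, or from any tool the helpers used). The rules and severity labels are this example's own heuristics, built from the entries the helper goes on to remove (the Winlogon Notify DLL and the nameless BHO), and the sample input is a constructed excerpt of the posted log.

```python
"""Triage a HijackThis 2.0.2 report for the indicator types that recur in this thread.

Added example: the rules and severities below are this example's own heuristics,
not HijackThis output and not anything the helpers ran.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed excerpt of the report posted above (lines copied from the thread).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.94.151.34:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {87D22BD9-D8DC-4B1B-A542-69DBDC10D801} - C:\WINDOWS\system32\opnon.dll (file missing)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - Winlogon Notify: bYOFwTMD - bYOFwTMD.dll (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
"""


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "low" (this example's own scale)
    code: str      # HijackThis section code, e.g. "O20"
    line: str      # the report line exactly as posted
    reason: str


# Every HijackThis entry line starts with its section code: "R1 - ...", "O20 - ...".
ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")


def parse_entries(report: str):
    """Yield (code, body, line) for each entry; header and process-list lines are skipped."""
    for raw in report.splitlines():
        line = raw.strip()
        match = ENTRY_RE.match(line)
        if match:
            yield match.group(1), match.group(2), line


def triage(report: str) -> list[Finding]:
    """Apply the heuristics to every entry and return the findings in report order."""
    findings = []
    for code, body, line in parse_entries(report):
        missing = "(file missing)" in body
        if code == "O20" and missing:
            # A Winlogon Notify package whose DLL is gone: the registry hook outlived
            # the file, which is exactly what the CFScript later in the thread removes.
            findings.append(Finding("high", code, line,
                                    "Winlogon Notify hook to a DLL that is no longer on disk"))
        elif code == "O2" and ("(no name)" in body or missing):
            findings.append(Finding("high", code, line,
                                    "Browser Helper Object with no name and/or a missing file"))
        elif code == "R1" and "ProxyServer" in body:
            findings.append(Finding("medium", code, line,
                                    "Per-user proxy configured; confirm the user set it deliberately"))
        elif code == "O10":
            # HijackThis prints O10 for any LSP it cannot identify; nwprovau.dll is the
            # Microsoft Client Service for NetWare provider, so this is verify-only.
            findings.append(Finding("low", code, line,
                                    "Winsock LSP not recognised by HijackThis; identify the DLL before acting"))
        elif code == "O23" and missing:
            findings.append(Finding("low", code, line,
                                    "Service pointing at a missing binary; check whether it is still needed"))
    return findings


def summarize(findings) -> dict[str, int]:
    """Count findings by severity; SAMPLE_LOG gives {'high': 2, 'medium': 1, 'low': 2}."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.code:4} {f.reason}\n         {f.line}")
    print(summarize(results))
```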
Yes, absolutely, do it.
Next,
Uninstall Avast properly; the link to uninstall Avast: https://www.avast.com/fr-fr/uninstall-utility
and replace it with AntiVir. The AntiVir link: ftp://ftp3.tnc.edu.tw/antivir/antivir_workstation_win7u_en_h.exe
Why switch? Avast! vs AntiVir: http://forum.malekal.com/ftopic3528.php
Run a full scan in Safe Mode, then post the report once the analysis finishes.
HELP: Tutorial on the AntiVir Personal Edition Classic antivirus: https://www.malekal.com/avira-free-security-antivirus-gratuit/
Here is the AntiVir report; it detected 5 viruses, I think...
AntiVir PersonalEdition Classic
Report file date: samedi 12 avril 2008 20:21
Scanning for 835736 virus strains and unwanted programs.
Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Username: Administrateur
Computer name: ANONYMOUS
Version information:
BUILD.DAT : 270 15603 Bytes 19/09/2007 13:32:00
AVSCAN.EXE : 7.0.6.1 290856 Bytes 23/08/2007 12:16:29
AVSCAN.DLL : 7.0.6.0 49192 Bytes 16/08/2007 11:23:51
LUKE.DLL : 7.0.5.3 147496 Bytes 14/08/2007 14:32:47
LUKERES.DLL : 7.0.6.1 10280 Bytes 21/08/2007 11:35:20
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 18/07/2007 13:27:15
ANTIVIR1.VDF : 7.0.0.0 1640448 Bytes 13/09/2007 13:26:55
ANTIVIR2.VDF : 7.0.0.1 2048 Bytes 13/09/2007 13:27:04
ANTIVIR3.VDF : 7.0.0.2 2048 Bytes 13/09/2007 13:27:13
AVEWIN32.DLL : 7.6.0.15 2806272 Bytes 17/09/2007 16:43:56
AVWINLL.DLL : 1.0.0.7 14376 Bytes 26/02/2007 09:36:26
AVPREF.DLL : 7.0.2.2 25640 Bytes 18/07/2007 06:39:17
AVREP.DLL : 7.0.0.1 155688 Bytes 16/04/2007 12:16:24
AVPACK32.DLL : 7.3.0.15 360488 Bytes 03/08/2007 07:46:00
AVREG.DLL : 7.0.1.6 30760 Bytes 18/07/2007 06:17:06
AVARKT.DLL : 1.0.0.20 278568 Bytes 28/08/2007 11:26:33
AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 18/07/2007 06:10:18
NETNT.DLL : 7.0.0.0 7720 Bytes 08/03/2007 10:09:42
RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 07/08/2007 11:38:13
RCTEXT.DLL : 7.0.62.0 86056 Bytes 21/08/2007 11:50:37
SQLITE3.DLL : 3.3.17.1 339968 Bytes 23/07/2007 08:37:21
Configuration settings for the scan:
Jobname..........................: Local Drives
Configuration file...............: c:\program files\avira\antivir personaledition classic\alldrives.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: off
Scan boot sector.................: on
Boot sectors.....................: D:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium
Start of the scan: samedi 12 avril 2008 20:21
The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
14 processes with 14 modules were scanned
Start scanning boot sectors:
Boot sector 'C:\'
[NOTE] No virus was found!
Boot sector 'A:\'
[NOTE] In the drive 'A:\' no data medium is inserted!
Starting to scan the registry.
The registry was scanned ( '19' files ).
Starting the file scan:
Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ErrorKiller13.zip
[DETECTION] Contains suspicious code HEUR/PwdZIP
[INFO] The file was moved to '487300d0.qua'!
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ErrorKiller6.zip
[DETECTION] Contains suspicious code HEUR/PwdZIP
[INFO] The file was moved to '487300d3.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\bYOFwTMD.dll.vir
[DETECTION] Is the Trojan horse TR/Trash.Gen
[INFO] The file was moved to '4850029a.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\xXpnmnmm.dll.vir
[DETECTION] Is the Trojan horse TR/Trash.Gen
[INFO] The file was moved to '487102a0.qua'!
Begin scan in 'A:\'
Search path A:\ could not be opened!
Le périphérique n'est pas prêt.
Begin scan in 'D:\'
Search path D:\ could not be opened!
Le périphérique n'est pas prêt.
End of the scan: samedi 12 avril 2008 20:46
Used time: 25:28 min
The scan has been done completely.
2879 Scanning directories
96604 Files were scanned
2 viruses and/or unwanted programs were found
2 Files were classified as suspicious:
0 files were deleted
0 files were repaired
4 files were moved to quarantine
0 files were renamed
1 Files cannot be scanned
96602 Files not concerned
586 Archives were scanned
1 Warnings
0 Notes
OK
Let's continue,
Copy all of the bold text below:
files::
C:\WINDOWS\system32\pxgoesge.dll
C:\WINDOWS\system32\waphibsr.dll
C:\WINDOWS\system32\mwpnsacs.dll
C:\WINDOWS\system32\adrlbpor.ini
C:\WINDOWS\system32\hhrctdly.dll
C:\sqmnoopt05.sqm
C:\sqmdata05.sqm
C:\WINDOWS\wininit.ini
C:\sqmnoopt06.sqm
C:\sqmdata06.sqm
C:\sqmnoopt07.sqm
C:\sqmdata07.sqm
C:\sqmnoopt08.sqm
C:\sqmdata08.sqm
C:\sqmnoopt09.sqm
C:\sqmdata09.sqm
C:\sqmnoopt10.sqm
C:\sqmdata10.sqm
C:\sqmnoopt11.sqm
C:\sqmdata11.sqm
C:\sqmnoopt12.sqm
C:\sqmdata12.sqm
C:\sqmnoopt13.sqm
C:\sqmdata13.sqm
C:\sqmnoopt14.sqm
C:\sqmdata14.sqm
C:\sqmnoopt15.sqm
C:\sqmdata15.sqm
C:\sqmnoopt16.sqm
C:\sqmdata16.sqm
folder::
C:\Program Files\Spybot - Search & Destroy
registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bYOFwTMD]
bYOFwTMD.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{87D22BD9-D8DC-4B1B-A542-69DBDC10D801}]
C:\WINDOWS\system32\opnon.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bYOFwTMD]
bYOFwTMD.dll
Open Notepad and paste the copied text.
(Start\All Programs\Accessories\Notepad.)
Save this file under the name CFScript.txt.
Now drag the CFScript.txt file onto Combofix.exe as shown below: click the link.
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif
This will relaunch Combofix; press 1 and confirm. After the restart, post the contents of the Combofix.txt report along with a HijackThis report.
If there is no restart, post the reports anyway.
Here is the Combofix report followed by the HijackThis report:
ComboFix 08-04-11.8 - Administrateur 2008-04-13 12:32:17.2 - NTFSx86
Microsoft Windows XP Professionnel 5.1.2600.2.1252.1.1036.18.230 [GMT 2:00]
Endroit: C:\Documents and Settings\Administrateur\Bureau\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrateur\Bureau\CFScript.txt..txt
* Création d'un nouveau point de restauration
[color=red][b]AVERTISSEMENT - LA CONSOLE DE RÉCUPÉRATION N'EST PAS INSTALLÉE SUR CETTE MACHINE !![/b][/color]
.
(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\Spybot - Search & Destroy
C:\Program Files\Spybot - Search & Destroy\advcheck.dll
C:\Program Files\Spybot - Search & Destroy\Help\Francais.chm
C:\Program Files\Spybot - Search & Destroy\Help\Francais.Resident.chm
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
.
((((((((((((((((((((((((((((( Fichiers créés 2008-03-13 to 2008-04-13 ))))))))))))))))))))))))))))))))))))
.
2008-04-12 23:26 . 2008-04-12 23:26 1,160 --a------ C:\WINDOWS\mozver.dat
2008-04-12 20:15 . 2008-04-12 20:15 <REP> d-------- C:\Program Files\Avira
2008-04-12 20:15 . 2008-04-12 20:15 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-04-12 19:40 . 2008-04-12 19:40 <REP> d-------- C:\VundoFix Backups
2008-04-11 22:22 . 2008-04-11 22:23 <REP> d-------- C:\WINDOWS\ERUNT
2008-04-11 20:17 . 2008-04-11 20:17 3,648 --a------ C:\WINDOWS\system32\hhrctdly.dll
2008-04-11 15:29 . 2008-04-11 15:29 294 ---hs---- C:\WINDOWS\system32\adrlbpor.ini
2008-04-11 15:23 . 2008-04-11 15:23 3,648 --a------ C:\WINDOWS\system32\mwpnsacs.dll
2008-04-10 21:05 . 2008-04-12 18:55 <REP> d-------- C:\Program Files\MalwareAlarm
2008-04-09 21:05 . 2008-04-09 21:05 3,648 --a------ C:\WINDOWS\system32\waphibsr.dll
2008-04-08 19:43 . 2008-04-08 19:43 3,648 --a------ C:\WINDOWS\system32\pxgoesge.dll
2008-03-31 19:58 . 2008-03-31 19:58 268 --ah----- C:\sqmdata16.sqm
2008-03-31 19:58 . 2008-03-31 19:58 244 --ah----- C:\sqmnoopt16.sqm
2008-03-31 16:37 . 2008-03-31 16:37 268 --ah----- C:\sqmdata15.sqm
2008-03-31 16:37 . 2008-03-31 16:37 244 --ah----- C:\sqmnoopt15.sqm
2008-03-31 15:18 . 2008-03-31 15:18 268 --ah----- C:\sqmdata14.sqm
2008-03-31 15:18 . 2008-03-31 15:18 244 --ah----- C:\sqmnoopt14.sqm
2008-03-31 15:10 . 2008-03-31 15:10 268 --ah----- C:\sqmdata13.sqm
2008-03-31 15:10 . 2008-03-31 15:10 244 --ah----- C:\sqmnoopt13.sqm
2008-03-31 14:58 . 2008-03-31 14:58 268 --ah----- C:\sqmdata12.sqm
2008-03-31 14:58 . 2008-03-31 14:58 244 --ah----- C:\sqmnoopt12.sqm
2008-03-31 14:25 . 2008-03-31 14:25 268 --ah----- C:\sqmdata11.sqm
2008-03-31 14:25 . 2008-03-31 14:25 244 --ah----- C:\sqmnoopt11.sqm
2008-03-31 13:01 . 2008-03-31 13:01 268 --ah----- C:\sqmdata10.sqm
2008-03-31 13:01 . 2008-03-31 13:01 244 --ah----- C:\sqmnoopt10.sqm
2008-03-31 12:40 . 2008-03-31 12:40 268 --ah----- C:\sqmdata09.sqm
2008-03-31 12:40 . 2008-03-31 12:40 244 --ah----- C:\sqmnoopt09.sqm
2008-03-31 12:18 . 2008-03-31 12:18 268 --ah----- C:\sqmdata08.sqm
2008-03-31 12:18 . 2008-03-31 12:18 244 --ah----- C:\sqmnoopt08.sqm
2008-03-31 10:48 . 2008-03-31 10:48 268 --ah----- C:\sqmdata07.sqm
2008-03-31 10:48 . 2008-03-31 10:48 244 --ah----- C:\sqmnoopt07.sqm
2008-03-31 09:43 . 2008-03-31 09:43 268 --ah----- C:\sqmdata06.sqm
2008-03-31 09:43 . 2008-03-31 09:43 244 --ah----- C:\sqmnoopt06.sqm
2008-03-28 14:11 . 2008-03-28 14:15 <REP> dr------- C:\Documents and Settings\LocalService\Mes documents
2008-03-28 14:11 . 2008-03-28 14:11 <REP> d-------- C:\Documents and Settings\LocalService\Menu Démarrer
2008-03-28 14:11 . 2008-03-28 14:16 <REP> dr------- C:\Documents and Settings\LocalService\Favoris
2008-03-28 14:11 . 2008-03-28 14:11 <REP> d-------- C:\Documents and Settings\LocalService\Bureau
2008-03-16 23:45 . 2008-03-16 23:46 205 --a------ C:\WINDOWS\wininit.ini
2008-03-16 22:01 . 2008-03-28 14:59 <REP> d-------- C:\Program Files\a-squared Free
2008-03-16 21:49 . 2008-03-28 13:38 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-16 16:53 . 2008-03-16 16:53 268 --ah----- C:\sqmdata05.sqm
2008-03-16 16:53 . 2008-03-16 16:53 244 --ah----- C:\sqmnoopt05.sqm
2008-03-15 20:13 . 2008-03-15 20:13 <REP> d-------- C:\Program Files\Lavasoft
2008-03-15 20:13 . 2008-03-15 20:16 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
.
(((((((((((((((((((((((((((((((((( Find3M report ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-13 10:27 --------- d-----w C:\Documents and Settings\Administrateur\Application Data\Skype
2008-03-16 17:46 --------- d-----w C:\Program Files\Winamp
2008-03-16 17:45 --------- d-----w C:\Program Files\MSN Messenger
2008-03-16 17:40 --------- d-----w C:\Program Files\Microsoft LifeCam
.
((((((((((((((((((((((((((((( snapshot@2008-04-12_18.53.10.73 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-12 18:17:00 262,144 ----a-w C:\WINDOWS\system32\config\systemprofile\NtUser.dat
+ 2007-08-09 11:04:11 40,768 ----a-w C:\WINDOWS\system32\drivers\avgntdd.sys
+ 2007-07-18 12:22:19 21,312 ----a-w C:\WINDOWS\system32\drivers\avgntmgr.sys
+ 2007-09-07 10:05:19 62,016 ----a-w C:\WINDOWS\system32\drivers\avipbb.sys
+ 2007-03-01 08:34:36 28,352 ----a-w C:\WINDOWS\system32\drivers\ssmdrv.sys
+ 2008-03-24 18:21:00 2,889,088 ----a-w C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
+ 2008-03-24 18:21:00 218,496 ----a-w C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
.
((((((((((((((((((((((((((((((((( Reg loading points )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* empty entries & legitimate default entries are not listed
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{87D22BD9-D8DC-4B1B-A542-69DBDC10D801}]
C:\WINDOWS\system32\opnon.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 16:09 15360]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-09-13 14:31 22880040]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 13:54 5674352]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-28 15:43 188416]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-23 20:51 233472]
"DeviceDiscovery"="C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 19:37 229437]
"LifeCam"="C:\Program Files\Microsoft LifeCam\LifeExp.exe" [2007-01-13 03:48 275800]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2007-08-31 12:25 249896]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-19 16:09 15360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2006-11-07 04:26 123904 C:\WINDOWS\system32\advpack.dll]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDesktopCleanupWizard"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"ForceStartMenuLogoff"= 0 (0x0)
"NoUserNameInStartMenu"= 1 (0x1)
"NoStartMenuPinnedList"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"StartMenuLogoff"= 1 (0x1)
"ForceStartMenuLogoff"= 0 (0x0)
"NoUserNameInStartMenu"= 1 (0x1)
"NoStartMenuPinnedList"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bYOFwTMD]
bYOFwTMD.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Update]
C:\WINDOWS\system32\spool.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2007-05-15 00:22 35328 C:\Program Files\Winamp\winampa.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
R2 MSCamSvc;MSCamSvc;"C:\Program Files\Microsoft LifeCam\MSCamS32.exe" [2007-01-05 00:13]
S3 usbscan;Pilote de scanneur USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 23:58]
S3 USBSTOR;Pilote de stockage de masse USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 00:08]
S3 VX1000;VX-1000;C:\WINDOWS\system32\DRIVERS\VX1000.sys [2006-12-06 01:39]
.
Contents of the 'Scheduled Tasks' folder
"2007-12-04 20:24:31 C:\WINDOWS\Tasks\Microsoft_Hardware_Launch_setup_exe.job"
- D:\setup.exe
.
**************************************************************************
catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-13 12:34:26
Windows 5.1.2600 Service Pack 2 NTFS
Scanning hidden processes ...
Scanning hidden autostart entries ...
Scanning hidden files ...
Scan completed successfully
Hidden files: 0
**************************************************************************
.
Completion time: 2008-04-13 12:35:20
ComboFix-quarantined-files.txt 2008-04-13 10:34:57
ComboFix2.txt 2008-04-12 16:54:04
Pre-Run: 23,980,531,712 bytes free
Post-Run: 23,981,461,504 bytes free
.
2008-03-29 19:23:52 --- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:37:02, on 13/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Administrateur\Bureau\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.94.151.34:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {87D22BD9-D8DC-4B1B-A542-69DBDC10D801} - C:\WINDOWS\system32\opnon.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] "C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe"
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: bYOFwTMD - bYOFwTMD.dll (file missing)
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
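A mechanical first pass over HijackThis lines such as the ones in the log above, added here as an example; it is not code from the thread, from HijackThis or from Trend Micro. The severity rules are this script's own heuristics (HijackThis lists entries, it does not score them), and the sample lines are copied from the posted log and embedded so the script runs offline. It picks out the entry types a removal helper checks first: a BHO with no name or a missing DLL (O2), a Winlogon Notify DLL (O20), a Winsock LSP HijackThis does not recognise (O10), a configured proxy (R1) and a service with an unknown owner or a missing binary (O23).

```python
"""Triage of HijackThis v2 log lines.

Added example for this thread; not part of HijackThis or of the original
posts. The severity rules are this script's own heuristics.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input: lines excerpted from the HijackThis log posted above,
# embedded here so the script runs offline.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.94.151.34:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {87D22BD9-D8DC-4B1B-A542-69DBDC10D801} - C:\WINDOWS\system32\opnon.dll (file missing)
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - Winlogon Notify: bYOFwTMD - bYOFwTMD.dll (file missing)
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
"""

# "R1 - ...", "O2 - ...": a section code, then the entry body.
LINE_RE = re.compile(r"^(?P<sec>[RFNO]\d+) - (?P<body>.*)$")


@dataclass
class Finding:
    section: str
    severity: str   # "high" = act on first, "review" = confirm by hand
    reason: str
    line: str


def triage_line(line: str) -> Optional[Finding]:
    """Apply the triage rules to one log line; None means nothing to note."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    missing = "(file missing)" in body

    if sec == "O2" and ("(no name)" in body or missing):
        # A BHO that hides its name, or whose DLL is already gone, is an
        # orphaned or deliberately unnamed browser hook.
        return Finding(sec, "high", "BHO with no name or missing DLL", line)
    if sec == "O20":
        # Winlogon Notify DLLs are loaded by winlogon.exe at every logon,
        # so a leftover key either re-infects or errors on each boot.
        return Finding(sec, "high", "Winlogon Notify DLL", line)
    if sec == "O10":
        # HijackThis could not match the LSP against its known list; check
        # the DLL's publisher before touching it, since removing a link of
        # the LSP chain breaks networking.
        return Finding(sec, "review", "Winsock LSP not recognised by HijackThis", line)
    if sec == "R1" and "ProxyServer" in body:
        return Finding(sec, "review", "proxy configured: confirm it is the user's own", line)
    if sec == "O23" and (missing or "Unknown owner" in body):
        return Finding(sec, "review", "service with unknown owner or missing binary", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over a whole log, keeping only the findings."""
    return [f for f in map(triage_line, log_text.splitlines()) if f is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section:4} {f.reason}: {f.line.strip()}")
```

Everything marked "review" needs a human decision: 10.94.151.34:80 is a private address and could be a legitimate LAN proxy, and nwprovau.dll is a DLL that ships with Windows XP's NetWare client, so the O10 line on its own is not evidence of infection.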
OK, same operation with the list below.
files::
C\WINDOWS\system32\bYOFwTMD.dll.vir
C\WINDOWS\system32\xXpnmnmm.dll.vir
C:\WINDOWS\wininit.ini
C:\WINDOWS\system32\mwpnsacs.dll
C:\WINDOWS\system32\adrlbpor.ini
C:\WINDOWS\system32\hhrctdly.dll
C:\WINDOWS\system32\mwpnsacs.dll
C:\WINDOWS\system32\waphibsr.dll
folder::
C:\VundoFix Backups
C:\sqmdata05.sqm
C:\sqmnoopt05.sqm
C:\QooBox
registry::
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{87D22BD9-D8DC-4B1B-A542-69DBDC10D801}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bYOFwTMD]
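A CFScript deletes whatever it names, so it is worth checking mechanically before dragging it onto ComboFix. The linter below is an added example, not code from the thread or from ComboFix's author; it knows only the three directives used in this thread (files::, folder::, registry::) and reports any other directive as unknown, which for a real ComboFix script may be a false alarm. Run on the script above, embedded here as constructed sample input, it reports the two .vir entries written without a drive colon, the mwpnsacs.dll line listed twice, and the two .sqm entries placed under folder:: although their names look like files.

```python
"""Sanity check for a ComboFix CFScript before running it.

Added example for this thread; not from the original posts or from
ComboFix. Only the directives used in the thread are known to it.
"""
import re
from collections import Counter
from typing import Dict, List

# Constructed sample: the script posted above, verbatim.
SAMPLE_SCRIPT = r"""
files::
C\WINDOWS\system32\bYOFwTMD.dll.vir
C\WINDOWS\system32\xXpnmnmm.dll.vir
C:\WINDOWS\wininit.ini
C:\WINDOWS\system32\mwpnsacs.dll
C:\WINDOWS\system32\adrlbpor.ini
C:\WINDOWS\system32\hhrctdly.dll
C:\WINDOWS\system32\mwpnsacs.dll
C:\WINDOWS\system32\waphibsr.dll
folder::
C:\VundoFix Backups
C:\sqmdata05.sqm
C:\sqmnoopt05.sqm
C:\QooBox
registry::
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{87D22BD9-D8DC-4B1B-A542-69DBDC10D801}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bYOFwTMD]
"""

# Directive names as spelled in this thread (assumption: nothing else).
KNOWN = {"files", "folder", "registry"}
DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")          # C:\...
FILE_EXT = re.compile(r"\.[A-Za-z0-9]{1,4}$")      # ends in .dll, .sqm, ...
HIVE = re.compile(r"^\[(HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER|HKEY_USERS|HKEY_CLASSES_ROOT)\\")


def parse(script: str) -> Dict[str, List[str]]:
    """Group non-blank lines under the 'name::' directive that precedes them."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in script.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2].lower()
            sections.setdefault(current, [])
        elif current is None:
            sections.setdefault("", []).append(line)   # text before any directive
        else:
            sections[current].append(line)
    return sections


def lint(script: str) -> List[str]:
    """Return human-readable problems; an empty list means nothing was found."""
    problems: List[str] = []
    for name, entries in parse(script).items():
        if name == "":
            problems.extend(f"entry before any directive: {e}" for e in entries)
            continue
        if name not in KNOWN:
            problems.append(f"unknown directive: {name}::")
        for entry, count in Counter(entries).items():
            if count > 1:
                problems.append(f"{name}:: duplicate entry: {entry}")
        for entry in entries:
            if name in ("files", "folder"):
                if not DRIVE_PATH.match(entry):
                    problems.append(f"{name}:: path has no drive letter: {entry}")
                elif name == "folder" and FILE_EXT.search(entry):
                    problems.append(f"folder:: entry looks like a file: {entry}")
            elif name == "registry" and entry.startswith("[") and not HIVE.match(entry):
                problems.append(f"registry:: key does not start with a known hive: {entry}")
    return problems


if __name__ == "__main__":
    for problem in lint(SAMPLE_SCRIPT):
        print(problem)
```

A path without its drive colon cannot resolve as written, and an entry in the wrong section is silently skipped or, worse, applied to the wrong object, so every line this prints should be corrected or consciously accepted before the script is run.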
Hi, sorry my problem is taking so long :s I carried out the last ComboFix operation and the report was displayed, but the computer froze, so I had to restart it. Is it possible to find the report on the computer? Also, Antivir detected trojans: TR/Trash.Gen and Heur
That's not a problem.
Copy the text again and do the same thing.
files::
C\WINDOWS\system32\bYOFwTMD.dll.vir
C\WINDOWS\system32\xXpnmnmm.dll.vir
C:\WINDOWS\wininit.ini
C:\WINDOWS\system32\mwpnsacs.dll
C:\WINDOWS\system32\adrlbpor.ini
C:\WINDOWS\system32\hhrctdly.dll
C:\WINDOWS\system32\mwpnsacs.dll
C:\WINDOWS\system32\waphibsr.dll
folder::
C:\VundoFix Backups
C:\sqmdata05.sqm
C:\sqmnoopt05.sqm
C:\QooBox
registry::
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{87D22BD9-D8DC-4B1B-A542-69DBDC10D801}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bYOFwTMD]
ComboFix 08-04-11.8 - Administrateur 2008-04-13 21:13:16.4 - NTFSx86
Microsoft Windows XP Professionnel 5.1.2600.2.1252.1.1036.18.222 [GMT 2:00]
Location: C:\Documents and Settings\Administrateur\Bureau\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrateur\Bureau\CFScript.txt..txt
* Creating a new restore point
WARNING - THE RECOVERY CONSOLE IS NOT INSTALLED ON THIS MACHINE!!
.
(((((((((((((((((((((((((((((((((((( Other deletions ))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\QooBox
C:\QooBox\BackEnv\appdata.folder.dat
C:\QooBox\BackEnv\cache.folder.dat
C:\QooBox\BackEnv\desktop.folder.dat
C:\QooBox\BackEnv\favorites.folder.dat
C:\QooBox\BackEnv\localappdata.folder.dat
C:\QooBox\BackEnv\localsettings.folder.dat
C:\QooBox\BackEnv\mypictures.folder.dat
C:\QooBox\BackEnv\personal.folder.dat
C:\QooBox\BackEnv\profiles.folder.dat
C:\QooBox\BackEnv\programs.folder.dat
C:\QooBox\BackEnv\SetPath.bat
C:\QooBox\BackEnv\startmenu.folder.dat
C:\QooBox\BackEnv\startup.folder.dat
C:\QooBox\BackEnv\SysPath.dat
C:\QooBox\BackEnv\templates.folder.dat
C:\QooBox\CFScript_used_2008-04-13@21.13.txt
C:\QooBox\ComboFix-quarantined-files.txt
C:\QooBox\ComboFix2.txt
C:\QooBox\lastrun\drevB.dat
C:\QooBox\snapshot@2008-04-13_19.35.24,51.dat
C:\QooBox\snapshot@2008-04-13_19.35.24,51_B.dat
C:\sqmdata05.sqm\
C:\sqmnoopt05.sqm\
.
((((((((((((((((((((((((((((( Files created 2008-03-13 to 2008-04-13 ))))))))))))))))))))))))))))))))))))
.
2008-04-12 23:26 . 2008-04-12 23:26 1,160 --a------ C:\WINDOWS\mozver.dat
2008-04-12 20:15 . 2008-04-12 20:15 <REP> d-------- C:\Program Files\Avira
2008-04-12 20:15 . 2008-04-12 20:15 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-04-11 22:22 . 2008-04-11 22:23 <REP> d-------- C:\WINDOWS\ERUNT
2008-04-11 15:29 . 2008-04-11 15:29 294 ---hs---- C:\WINDOWS\system32\adrlbpor.ini
2008-04-10 21:05 . 2008-04-12 18:55 <REP> d-------- C:\Program Files\MalwareAlarm
2008-03-31 19:58 . 2008-03-31 19:58 268 --ah----- C:\sqmdata16.sqm
2008-03-31 19:58 . 2008-03-31 19:58 244 --ah----- C:\sqmnoopt16.sqm
2008-03-31 16:37 . 2008-03-31 16:37 268 --ah----- C:\sqmdata15.sqm
2008-03-31 16:37 . 2008-03-31 16:37 244 --ah----- C:\sqmnoopt15.sqm
2008-03-31 15:18 . 2008-03-31 15:18 268 --ah----- C:\sqmdata14.sqm
2008-03-31 15:18 . 2008-03-31 15:18 244 --ah----- C:\sqmnoopt14.sqm
2008-03-31 15:10 . 2008-03-31 15:10 268 --ah----- C:\sqmdata13.sqm
2008-03-31 15:10 . 2008-03-31 15:10 244 --ah----- C:\sqmnoopt13.sqm
2008-03-31 14:58 . 2008-03-31 14:58 268 --ah----- C:\sqmdata12.sqm
2008-03-31 14:58 . 2008-03-31 14:58 244 --ah----- C:\sqmnoopt12.sqm
2008-03-31 14:25 . 2008-03-31 14:25 268 --ah----- C:\sqmdata11.sqm
2008-03-31 14:25 . 2008-03-31 14:25 244 --ah----- C:\sqmnoopt11.sqm
2008-03-31 13:01 . 2008-03-31 13:01 268 --ah----- C:\sqmdata10.sqm
2008-03-31 13:01 . 2008-03-31 13:01 244 --ah----- C:\sqmnoopt10.sqm
2008-03-31 12:40 . 2008-03-31 12:40 268 --ah----- C:\sqmdata09.sqm
2008-03-31 12:40 . 2008-03-31 12:40 244 --ah----- C:\sqmnoopt09.sqm
2008-03-31 12:18 . 2008-03-31 12:18 268 --ah----- C:\sqmdata08.sqm
2008-03-31 12:18 . 2008-03-31 12:18 244 --ah----- C:\sqmnoopt08.sqm
2008-03-31 10:48 . 2008-03-31 10:48 268 --ah----- C:\sqmdata07.sqm
2008-03-31 10:48 . 2008-03-31 10:48 244 --ah----- C:\sqmnoopt07.sqm
2008-03-31 09:43 . 2008-03-31 09:43 268 --ah----- C:\sqmdata06.sqm
2008-03-31 09:43 . 2008-03-31 09:43 244 --ah----- C:\sqmnoopt06.sqm
2008-03-28 14:11 . 2008-03-28 14:15 <REP> dr------- C:\Documents and Settings\LocalService\Mes documents
2008-03-28 14:11 . 2008-03-28 14:11 <REP> d-------- C:\Documents and Settings\LocalService\Menu Démarrer
2008-03-28 14:11 . 2008-03-28 14:16 <REP> dr------- C:\Documents and Settings\LocalService\Favoris
2008-03-28 14:11 . 2008-03-28 14:11 <REP> d-------- C:\Documents and Settings\LocalService\Bureau
2008-03-16 23:45 . 2008-03-16 23:46 205 --a------ C:\WINDOWS\wininit.ini
2008-03-16 22:01 . 2008-03-28 14:59 <REP> d-------- C:\Program Files\a-squared Free
2008-03-16 21:49 . 2008-03-28 13:38 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-16 16:53 . 2008-03-16 16:53 268 --ah----- C:\sqmdata05.sqm
2008-03-16 16:53 . 2008-03-16 16:53 244 --ah----- C:\sqmnoopt05.sqm
2008-03-15 20:13 . 2008-03-15 20:13 <REP> d-------- C:\Program Files\Lavasoft
2008-03-15 20:13 . 2008-03-15 20:16 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-13 18:57 --------- d-----w C:\Documents and Settings\Administrateur\Application Data\Skype
2008-03-16 17:46 --------- d-----w C:\Program Files\Winamp
2008-03-16 17:45 --------- d-----w C:\Program Files\MSN Messenger
2008-03-16 17:40 --------- d-----w C:\Program Files\Microsoft LifeCam
.
((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{87D22BD9-D8DC-4B1B-A542-69DBDC10D801}]
C:\WINDOWS\system32\opnon.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 16:09 15360]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-09-13 14:31 22880040]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 13:54 5674352]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-28 15:43 188416]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-23 20:51 233472]
"DeviceDiscovery"="C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 19:37 229437]
"LifeCam"="C:\Program Files\Microsoft LifeCam\LifeExp.exe" [2007-01-13 03:48 275800]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-04-13 20:20 249896]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-19 16:09 15360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2006-11-07 04:26 123904 C:\WINDOWS\system32\advpack.dll]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDesktopCleanupWizard"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"ForceStartMenuLogoff"= 0 (0x0)
"NoUserNameInStartMenu"= 1 (0x1)
"NoStartMenuPinnedList"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"StartMenuLogoff"= 1 (0x1)
"ForceStartMenuLogoff"= 0 (0x0)
"NoUserNameInStartMenu"= 1 (0x1)
"NoStartMenuPinnedList"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bYOFwTMD]
bYOFwTMD.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Update]
C:\WINDOWS\system32\spool.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2007-05-15 00:22 35328 C:\Program Files\Winamp\winampa.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
R2 MSCamSvc;MSCamSvc;"C:\Program Files\Microsoft LifeCam\MSCamS32.exe" [2007-01-05 00:13]
S3 usbscan;Pilote de scanneur USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 23:58]
S3 USBSTOR;Pilote de stockage de masse USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 00:08]
S3 VX1000;VX-1000;C:\WINDOWS\system32\DRIVERS\VX1000.sys [2006-12-06 01:39]
.
Contenu du dossier 'Scheduled Tasks/Tâches planifiées'
"2007-12-04 20:24:31 C:\WINDOWS\Tasks\Microsoft_Hardware_Launch_setup_exe.job"
- D:\setup.exe
.
**************************************************************************
catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-13 21:16:02
Windows 5.1.2600 Service Pack 2 NTFS
Balayage processus cachés ...
Balayage caché autostart entries ...
Balayage des fichiers cachés ...
Scan terminé avec succès
Les fichiers cachés: 0
**************************************************************************
.
Temps d'accomplissement: 2008-04-13 21:16:55
ComboFix-quarantined-files.txt 2008-04-13 19:16:37
Pre-Run: 23,966,642,176 octets libres
Post-Run: 23,960,010,752 octets libres
.
2008-03-29 19:23:52 --- E O F ---
And here is the HijackThis report,
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:18:12, on 13/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Administrateur\Bureau\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.94.151.34:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {87D22BD9-D8DC-4B1B-A542-69DBDC10D801} - C:\WINDOWS\system32\opnon.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] "C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe"
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: bYOFwTMD - bYOFwTMD.dll (file missing)
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
Run this script again, please.
files::
C:\WINDOWS\system32\bYOFwTMD.dll.vir
C:\WINDOWS\system32\xXpnmnmm.dll.vir
C:\WINDOWS\wininit.ini
C:\WINDOWS\system32\mwpnsacs.dll
C:\WINDOWS\system32\adrlbpor.ini
C:\WINDOWS\system32\hhrctdly.dll
C:\WINDOWS\system32\waphibsr.dll
folder::
C:\VundoFix Backups
C:\sqmdata05.sqm
C:\sqmnoopt05.sqm
C:\QooBox
registry::
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{87D22BD9-D8DC-4B1B-A542-69DBDC10D801}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bYOFwTMD]
Here it is,
ComboFix 08-04-11.8 - Administrateur 2008-04-13 22:23:19.5 - NTFSx86
Microsoft Windows XP Professionnel 5.1.2600.2.1252.1.1036.18.174 [GMT 2:00]
Endroit: C:\Documents and Settings\Administrateur\Bureau\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrateur\Bureau\CFScript.txt..txt
* Création d'un nouveau point de restauration
[color=red][b]AVERTISSEMENT - LA CONSOLE DE RÉCUPÉRATION N'EST PAS INSTALLÉE SUR CETTE MACHINE !![/b][/color]
.
(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\QooBox
C:\QooBox\BackEnv\appdata.folder.dat
C:\QooBox\BackEnv\cache.folder.dat
C:\QooBox\BackEnv\desktop.folder.dat
C:\QooBox\BackEnv\favorites.folder.dat
C:\QooBox\BackEnv\localappdata.folder.dat
C:\QooBox\BackEnv\localsettings.folder.dat
C:\QooBox\BackEnv\mypictures.folder.dat
C:\QooBox\BackEnv\personal.folder.dat
C:\QooBox\BackEnv\profiles.folder.dat
C:\QooBox\BackEnv\programs.folder.dat
C:\QooBox\BackEnv\SetPath.bat
C:\QooBox\BackEnv\startmenu.folder.dat
C:\QooBox\BackEnv\startup.folder.dat
C:\QooBox\BackEnv\SysPath.dat
C:\QooBox\BackEnv\templates.folder.dat
C:\QooBox\CFScript_used_2008-04-13@22.23.txt
C:\QooBox\ComboFix-quarantined-files.txt
C:\QooBox\ComboFix2.txt
C:\QooBox\lastrun\drevB.dat
C:\QooBox\snapshot@2008-04-13_21.16.26,50.dat
C:\QooBox\snapshot@2008-04-13_21.16.26,50_B.dat
C:\sqmdata05.sqm\
C:\sqmnoopt05.sqm\
.
((((((((((((((((((((((((((((( Fichiers créés 2008-03-13 to 2008-04-13 ))))))))))))))))))))))))))))))))))))
.
2008-04-12 23:26 . 2008-04-12 23:26 1,160 --a------ C:\WINDOWS\mozver.dat
2008-04-12 20:15 . 2008-04-12 20:15 <REP> d-------- C:\Program Files\Avira
2008-04-12 20:15 . 2008-04-12 20:15 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-04-11 22:22 . 2008-04-11 22:23 <REP> d-------- C:\WINDOWS\ERUNT
2008-04-11 15:29 . 2008-04-11 15:29 294 ---hs---- C:\WINDOWS\system32\adrlbpor.ini
2008-04-10 21:05 . 2008-04-12 18:55 <REP> d-------- C:\Program Files\MalwareAlarm
2008-03-31 19:58 . 2008-03-31 19:58 268 --ah----- C:\sqmdata16.sqm
2008-03-31 19:58 . 2008-03-31 19:58 244 --ah----- C:\sqmnoopt16.sqm
2008-03-31 16:37 . 2008-03-31 16:37 268 --ah----- C:\sqmdata15.sqm
2008-03-31 16:37 . 2008-03-31 16:37 244 --ah----- C:\sqmnoopt15.sqm
2008-03-31 15:18 . 2008-03-31 15:18 268 --ah----- C:\sqmdata14.sqm
2008-03-31 15:18 . 2008-03-31 15:18 244 --ah----- C:\sqmnoopt14.sqm
2008-03-31 15:10 . 2008-03-31 15:10 268 --ah----- C:\sqmdata13.sqm
2008-03-31 15:10 . 2008-03-31 15:10 244 --ah----- C:\sqmnoopt13.sqm
2008-03-31 14:58 . 2008-03-31 14:58 268 --ah----- C:\sqmdata12.sqm
2008-03-31 14:58 . 2008-03-31 14:58 244 --ah----- C:\sqmnoopt12.sqm
2008-03-31 14:25 . 2008-03-31 14:25 268 --ah----- C:\sqmdata11.sqm
2008-03-31 14:25 . 2008-03-31 14:25 244 --ah----- C:\sqmnoopt11.sqm
2008-03-31 13:01 . 2008-03-31 13:01 268 --ah----- C:\sqmdata10.sqm
2008-03-31 13:01 . 2008-03-31 13:01 244 --ah----- C:\sqmnoopt10.sqm
2008-03-31 12:40 . 2008-03-31 12:40 268 --ah----- C:\sqmdata09.sqm
2008-03-31 12:40 . 2008-03-31 12:40 244 --ah----- C:\sqmnoopt09.sqm
2008-03-31 12:18 . 2008-03-31 12:18 268 --ah----- C:\sqmdata08.sqm
2008-03-31 12:18 . 2008-03-31 12:18 244 --ah----- C:\sqmnoopt08.sqm
2008-03-31 10:48 . 2008-03-31 10:48 268 --ah----- C:\sqmdata07.sqm
2008-03-31 10:48 . 2008-03-31 10:48 244 --ah----- C:\sqmnoopt07.sqm
2008-03-31 09:43 . 2008-03-31 09:43 268 --ah----- C:\sqmdata06.sqm
2008-03-31 09:43 . 2008-03-31 09:43 244 --ah----- C:\sqmnoopt06.sqm
2008-03-28 14:11 . 2008-03-28 14:15 <REP> dr------- C:\Documents and Settings\LocalService\Mes documents
2008-03-28 14:11 . 2008-03-28 14:11 <REP> d-------- C:\Documents and Settings\LocalService\Menu Démarrer
2008-03-28 14:11 . 2008-03-28 14:16 <REP> dr------- C:\Documents and Settings\LocalService\Favoris
2008-03-28 14:11 . 2008-03-28 14:11 <REP> d-------- C:\Documents and Settings\LocalService\Bureau
2008-03-16 23:45 . 2008-03-16 23:46 205 --a------ C:\WINDOWS\wininit.ini
2008-03-16 22:01 . 2008-03-28 14:59 <REP> d-------- C:\Program Files\a-squared Free
2008-03-16 21:49 . 2008-03-28 13:38 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-16 16:53 . 2008-03-16 16:53 268 --ah----- C:\sqmdata05.sqm
2008-03-16 16:53 . 2008-03-16 16:53 244 --ah----- C:\sqmnoopt05.sqm
2008-03-15 20:13 . 2008-03-15 20:13 <REP> d-------- C:\Program Files\Lavasoft
2008-03-15 20:13 . 2008-03-15 20:16 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-13 20:25 --------- d-----w C:\Documents and Settings\Administrateur\Application Data\Skype
2008-03-16 17:46 --------- d-----w C:\Program Files\Winamp
2008-03-16 17:45 --------- d-----w C:\Program Files\MSN Messenger
2008-03-16 17:40 --------- d-----w C:\Program Files\Microsoft LifeCam
.
((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{87D22BD9-D8DC-4B1B-A542-69DBDC10D801}]
C:\WINDOWS\system32\opnon.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 16:09 15360]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-09-13 14:31 22880040]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 13:54 5674352]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-28 15:43 188416]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-23 20:51 233472]
"DeviceDiscovery"="C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 19:37 229437]
"LifeCam"="C:\Program Files\Microsoft LifeCam\LifeExp.exe" [2007-01-13 03:48 275800]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-04-13 20:20 249896]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-19 16:09 15360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2006-11-07 04:26 123904 C:\WINDOWS\system32\advpack.dll]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDesktopCleanupWizard"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"ForceStartMenuLogoff"= 0 (0x0)
"NoUserNameInStartMenu"= 1 (0x1)
"NoStartMenuPinnedList"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"StartMenuLogoff"= 1 (0x1)
"ForceStartMenuLogoff"= 0 (0x0)
"NoUserNameInStartMenu"= 1 (0x1)
"NoStartMenuPinnedList"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bYOFwTMD]
bYOFwTMD.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Update]
C:\WINDOWS\system32\spool.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2007-05-15 00:22 35328 C:\Program Files\Winamp\winampa.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
R2 MSCamSvc;MSCamSvc;"C:\Program Files\Microsoft LifeCam\MSCamS32.exe" [2007-01-05 00:13]
S3 usbscan;Pilote de scanneur USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 23:58]
S3 USBSTOR;Pilote de stockage de masse USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 00:08]
S3 VX1000;VX-1000;C:\WINDOWS\system32\DRIVERS\VX1000.sys [2006-12-06 01:39]
.
Contenu du dossier 'Scheduled Tasks/Tâches planifiées'
"2007-12-04 20:24:31 C:\WINDOWS\Tasks\Microsoft_Hardware_Launch_setup_exe.job"
- D:\setup.exe
.
**************************************************************************
catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-13 22:25:12
Windows 5.1.2600 Service Pack 2 NTFS
Balayage processus cachés ...
Balayage caché autostart entries ...
Balayage des fichiers cachés ...
Scan terminé avec succès
Les fichiers cachés: 0
**************************************************************************
.
Temps d'accomplissement: 2008-04-13 22:26:04
ComboFix-quarantined-files.txt 2008-04-13 20:25:41
Pre-Run: 23,954,644,992 octets libres
Post-Run: 23,948,496,896 octets libres
.
2008-03-29 19:23:52 --- E O F ---
OK, do another pass with this:
files::
C:\WINDOWS\wininit.ini
C:\sqmnoopt06.sqm
C:\sqmdata06.sqm
C:\sqmnoopt07.sqm
C:\sqmdata07.sqm
C:\sqmnoopt08.sqm
C:\sqmdata08.sqm
C:\sqmnoopt09.sqm
C:\sqmdata09.sqm
C:\sqmnoopt10.sqm
C:\sqmdata10.sqm
C:\sqmnoopt11.sqm
C:\sqmdata11.sqm
C:\sqmnoopt12.sqm
C:\sqmdata12.sqm
C:\sqmnoopt13.sqm
C:\sqmdata13.sqm
C:\sqmnoopt14.sqm
C:\sqmdata14.sqm
C:\sqmnoopt15.sqm
C:\sqmdata15.sqm
C:\sqmnoopt16.sqm
C:\sqmdata16.sqm
registry::
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{87D22BD9-D8DC-4B1B-A542-69DBDC10D801}]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2006-11-07 04:26 123904 C:\WINDOWS\system32\advpack.dll]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bYOFwTMD]
bYOFwTMD.dll
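For readers wondering how the helper went from the log to that script, here is an added example (our own code, not ComboFix's and not the helper's) that reads the "Point de chargement Reg" section and ranks the entries worth a look. ComboFix's own note says empty and initially legitimate items are not listed, so everything it does print deserves attention; the heuristics here (a Winlogon notify DLL, a BHO dropped straight into system32, a RunOnce in the .DEFAULT hive, a startup item named like a Microsoft component that points at a bare system32 binary, the firewall switched off) are assumptions of ours that only order the review. The sample log is constructed in the layout of the log posted above and trimmed to a few entries.

```python
"""Triage of the 'Point de chargement Reg' section of a ComboFix log.

Added example for this thread; not code from ComboFix or from the helper.
The heuristics below are ours: they order the review and list what a
helper would carry into a CFScript, they do not prove anything malicious.
SAMPLE_LOG is constructed in the layout of the posted log.
"""
import re
from dataclasses import dataclass

SAMPLE_LOG = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{87D22BD9-D8DC-4B1B-A542-69DBDC10D801}]
C:\WINDOWS\system32\opnon.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 16:09 15360]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-09-13 14:31 22880040]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2006-11-07 04:26 123904 C:\WINDOWS\system32\advpack.dll]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bYOFwTMD]
bYOFwTMD.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Update]
C:\WINDOWS\system32\spool.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""


@dataclass
class Entry:
    """One value line of the log, attached to the key it sits under."""
    key: str      # registry key from the preceding [...] line
    name: str     # value name, "" for bare lines such as 'bYOFwTMD.dll'
    target: str   # path, DLL name or numeric value text


# '"name"="target" [date size]' or '"name"= 0 (0x0)'
VALUE_LINE = re.compile(
    r'"([^"]+)"\s*=\s*"?([^"\[]+?)"?\s*(?:\[.*\]|\(0x[0-9a-f]+\))?$', re.I)


def parse_reg_section(text):
    """Walk the REGEDIT4-style dump: '[key]' lines open a key, the lines
    that follow are values or bare targets under the most recent key."""
    entries, key = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4" or line.startswith("*Note*"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_LINE.match(line)
        if m:
            entries.append(Entry(key, m.group(1), m.group(2).strip()))
        else:
            entries.append(Entry(key, "", line))
    return entries


# A file directly in system32, with no vendor sub-folder.
SYS32_ROOT = re.compile(r"c:\\windows\\system32\\[^\\]+")


def triage(entries):
    """Return (entry, reason) pairs, in log order, for entries worth review."""
    findings = []
    for e in entries:
        k, t = e.key.lower(), e.target.lower()
        in_sys32_root = bool(SYS32_ROOT.fullmatch(t))
        leaf = k.rsplit("\\", 1)[-1]
        if "\\winlogon\\notify\\" in k:
            findings.append((e, "Winlogon notify DLL: loaded by winlogon at every logon"))
        elif "browser helper objects" in k and in_sys32_root:
            findings.append((e, "BHO DLL sitting directly in system32, no vendor folder"))
        elif "\\.default\\" in k and k.endswith("\\runonce"):
            findings.append((e, "RunOnce in the .DEFAULT hive: fires before any user logs on"))
        elif ("msconfig\\startupreg\\" in k and in_sys32_root
              and re.search(r"microsoft|windows|update", leaf)):
            findings.append((e, "startup item named like a Microsoft component "
                                "but pointing at a bare system32 binary"))
        elif e.name.lower() == "enablefirewall" and t == "0":
            findings.append((e, "Windows Firewall disabled on the standard profile"))
    return findings


def candidate_keys(findings):
    """Keys a helper would carry into the 'registry::' block of a CFScript.
    The firewall setting is re-enabled by hand, not scripted away."""
    keys = []
    for e, _ in findings:
        if e.name.lower() != "enablefirewall" and e.key not in keys:
            keys.append(e.key)
    return keys


if __name__ == "__main__":
    found = triage(parse_reg_section(SAMPLE_LOG))
    for entry, why in found:
        print(f"{why}\n    [{entry.key}]\n    {entry.name} {entry.target}".rstrip())
    print("\nregistry::")
    for key in candidate_keys(found):
        print(f"[{key}]")
```

On the sample this flags five entries, and three of the four keys it lists are exactly the ones in the helper's `registry::` block; the fourth (the "Microsoft Update" item pointing at `spool.exe`) is one a reviewer would still want to look at, which is the point of ranking rather than deciding.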