VIRUS ALERT next to the clock

Pirux (6 posts, Member)
Hello,
I'm posting this because this morning I was infected by a virus that floods me with messages saying I have viruses and redirects me to a web page telling me to download their antivirus, which of course I did not do. I also no longer have access to my Control Panel or to the "All Programs" menu. And finally I also have VIRUS ALERT next to my clock :s.

One of the sites is this one: http://ww1.viruswebprotect2008.com/shandler.php?sid=0&pn=&said=0&aid=0&sg=0
and another one wants to sell me UCleaner.

What should I do?

Thanks in advance for your replies.

6 replies

elie
 
Hello...
This is not a friendly virus! Not good for morale, and... not easy to get rid of!
Start by booting the PC in safe mode (press the F8 key at the same time as the power button).
Two ways of booting in safe mode are displayed. Open the second line. (Move from one to the other with the arrow keys on the keyboard (right, left, down, up).)
Then go on the internet. Type into Google the name of the so-called antivirus (which normally opens a page that is half red, half blue). This "antivirus" is a very effective virus built for mass destruction.
Once you have found on the internet (there are several) the site "How to get rid of the virus etc... etc...", all you have to do is follow the instructions (not easy), but normally it works.
Good luck / Elie
0
Utilisateur anonyme
 
Hello, above all don't follow this advice, which isn't really advice. Personally I'm no IT pro, but I don't venture opinions, especially if it means talking nonsense; rather wait for someone more experienced. For now the only thing I can recommend is to give your PC a clean-up: you can already use Spybot, an anti-spyware you can download from ccm; also download HijackThis (a utility used to analyse the infections on your PC) and copy-paste the report to the forum... and for now wait for one of the experts to come and give you advice (they are easy to recognise: they are ccm members, and you just have to click on their nickname, shown in blue). With that, good luck...
0
Pirux (6 posts, Member)
 
There, I've scanned my computer with HijackThis.
I also scanned it with F-Secure and Ad-Aware, which found some malware, but the infection is still there.

Here is the scan:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:25:14, on 16/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure\BackWeb\7681197\Program\BackWeb-7681197.exe
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\Program Files\F-Secure\Common\FNRB32.EXE
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\Program Files\F-Secure\Common\FIH32.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Power Manager\PM.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\BricoPacks\Crystal Clear\RocketDock\RocketDock.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\BricoPacks\Crystal Clear\UberIcon\UberIcon Manager.exe
C:\WINDOWS\BricoPacks\Crystal Clear\YzShadow\YzShadow.exe
C:\WINDOWS\BricoPacks\Crystal Clear\YzToolbar\YzToolBar.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Propriétaire\Bureau\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [PowerManager] C:\Program Files\Power Manager\PM.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [68bc5379] rundll32.exe "C:\WINDOWS\system32\bughbhov.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [RocketDock] "C:\WINDOWS\BricoPacks\Crystal Clear\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [s9201] "C:\Documents and Settings\All Users\Application Data\Secure Solutions\Antispyware 2008 XP\as2008xp.exe" /autorun
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: RocketDock.lnk = C:\WINDOWS\BricoPacks\Crystal Clear\RocketDock\RocketDock.exe
O4 - Startup: UberIcon.lnk = C:\WINDOWS\BricoPacks\Crystal Clear\UberIcon\UberIcon Manager.exe
O4 - Startup: Y'z Shadow.lnk = C:\WINDOWS\BricoPacks\Crystal Clear\YzShadow\YzShadow.exe
O4 - Startup: Y'z Toolbar.lnk = C:\WINDOWS\BricoPacks\Crystal Clear\YzToolbar\YzToolBar.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/...
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: F-Secure BackWeb (BackWeb Client - 7681197) - Unknown owner - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: F-Secure BackWeb LAN Access - Unknown owner - C:\Program Files\F-Secure\BackWeb\7681197\Program\fsbwlan.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
O23 - Service: F-Secure Authentication Agent (FSAA) - F-Secure Corporation. All Rights Reserved. - C:\Program Files\F-Secure\Common\FSAA.EXE
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
0
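The HijackThis log above contains the three things a helper looks for first: a Run value named with bare hex (`68bc5379`) that makes rundll32 load a random-named DLL from system32, a program starting from `All Users\Application Data` (the rogue "Antispyware 2008 XP"), and a hijacked IE start page. The following script, added here as an example and not code from the thread or from HijackThis, applies those checks to O4 and R0 lines; the `random_looking` heuristic and the `TRUSTED_START_HOSTS` allowlist are constructed for this example, and the sample input is taken from the log posted above.

```python
"""Triage of HijackThis O4 (autorun) and R0 (start page) lines.

Added example, not part of the thread and not HijackThis's own code.  It
automates a few checks a forum helper applies by eye: a Run value whose
name is bare hex, rundll32 loading a DLL with a random-looking name, a
program started from 'All Users\\Application Data', and an IE start page on
a host that is not on a (constructed, hypothetical) allowlist.
"""
import re
from dataclasses import dataclass, field

O4_RE = re.compile(r'^O4 - (?P<hive>\S+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
R0_RE = re.compile(r'^R0 - (?P<key>[^,]+),(?P<value>[^=]+) = (?P<data>.*)$')
HEX_NAME_RE = re.compile(r'^[0-9a-f]{8}$', re.I)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?', re.I)
APPDATA_RE = re.compile(r'\\All Users\\Application Data\\', re.I)

# Constructed allowlist for this example; a real one would come from policy.
TRUSTED_START_HOSTS = {'www.google.be', 'www.google.com', 'www.msn.com'}


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)


def random_looking(stem: str) -> bool:
    """Crude check for machine-generated names: all letters, few vowels."""
    s = stem.lower()
    if not s.isalpha() or len(s) < 6:
        return False
    vowels = sum(c in 'aeiouy' for c in s)
    return vowels <= len(s) // 4


def triage(lines):
    """Return one Finding per suspicious O4/R0 line, in log order."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            reasons = []
            if HEX_NAME_RE.match(m['name']):
                reasons.append('hex-only value name')
            r = RUNDLL_RE.search(m['cmd'])
            if r:
                stem = r['dll'].rsplit('\\', 1)[-1][:-4]   # file name without .dll
                if random_looking(stem):
                    reasons.append('rundll32 loads a random-named DLL')
            if APPDATA_RE.search(m['cmd']):
                reasons.append('runs from All Users\\Application Data')
            if reasons:
                findings.append(Finding(line, reasons))
            continue
        m = R0_RE.match(line)
        if m and m['value'].strip() == 'Start Page':
            host = re.sub(r'^https?://', '', m['data'].strip()).split('/', 1)[0]
            if host not in TRUSTED_START_HOSTS:
                findings.append(Finding(line, [f'start page host {host} is not allowlisted']))
    return findings


# Sample input: lines copied from the HijackThis log posted in the thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [68bc5379] rundll32.exe "C:\WINDOWS\system32\bughbhov.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [s9201] "C:\Documents and Settings\All Users\Application Data\Secure Solutions\Antispyware 2008 XP\as2008xp.exe" /autorun
"""

if __name__ == '__main__':
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f.line)
        for why in f.reasons:
            print('   ->', why)
```

Run it against a full log with `triage(open('hijackthis.log').read().splitlines())`; on the sample it flags exactly the three lines the helpers later asked to remove, and leaves the Java, ATI and ctfmon entries alone. The vowel heuristic is deliberately crude: it is there to catch names like `bughbhov`, not to replace a reputation lookup.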
LOP
 
Hi. Download Malwarebytes' Anti-Malware to the desktop

=> double-click mbam-setup to start the installation
=> Install it as-is without changing anything
=> Once the program is running ==> Update tab, click => Check for updates
Scan tab => tick Perform full scan
=> Click Scan
=> If needed, untick the drives not to be scanned
=> Click Start scan
=> At the end of the scan, if an infection is found
==> Click Show results
=> Close your running applications
=> Check that everything is ticked and click Remove selected

=> a report opens; copy it and paste it into your reply

+

Download and save Combofix to the desktop

=> Disable the antivirus
=> Double-click Combofix
=> Press 1 when asked
=> Wait for the tool to close (5 to 10 min)
=> Copy/paste the report into your reply
=> A report in C:\Combofix.txt to put in your reply
=> Delete Qoobox in C:\

+

A new HijackThis log
0

Pirux (6 posts, Member)
 
I'll do it right away
0
Utilisateur anonyme
 
Re, also remember to update your IE version; we're now at version 7. See you. Once you've fixed your problem, of course. Good luck...
0
Pirux (6 posts, Member)
 
Here is the Malwarebytes report

Malwarebytes' Anti-Malware 1.24
Version de la base de données: 1058
Windows 5.1.2600 Service Pack 2

17:54:25 16/08/2008
mbam-log-8-16-2008 (17-54-25).txt

Type de recherche: Examen complet (C:\|E:\|)
Eléments examinés: 91639
Temps écoulé: 1 hour(s), 10 minute(s), 53 second(s)

Processus mémoire infecté(s): 0
Module(s) mémoire infecté(s): 7
Clé(s) du Registre infectée(s): 13
Valeur(s) du Registre infectée(s): 3
Elément(s) de données du Registre infecté(s): 2
Dossier(s) infecté(s): 6
Fichier(s) infecté(s): 26

Processus mémoire infecté(s):
(Aucun élément nuisible détecté)

Module(s) mémoire infecté(s):
C:\WINDOWS\system32\bughbhov.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\mlJYqPjH.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\awtsSmJy.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\wbqxfpgl.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\rqhpkjec.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\mtwrip.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\tpabfelq.dll (Trojan.FakeAlert) -> Delete on reboot.

Clé(s) du Registre infectée(s):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9628e5e4-d81e-42d3-9310-98679e8c741e} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{9628e5e4-d81e-42d3-9310-98679e8c741e} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{36d84c7e-cc68-4eb4-84dd-1c39f19f8937} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{36d84c7e-cc68-4eb4-84dd-1c39f19f8937} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\awtssmjy (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Secure Solutions (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.

Valeur(s) du Registre infectée(s):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\68bc5379 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{36d84c7e-cc68-4eb4-84dd-1c39f19f8937} (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\s9201 (Rogue.Multiple) -> Quarantined and deleted successfully.

Elément(s) de données du Registre infecté(s):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\mljyqpjh -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\mljyqpjh -> Delete on reboot.

Dossier(s) infecté(s):
C:\Documents and Settings\All Users\Application Data\Secure Solutions (Rogue.Multiple) -> Delete on reboot.
C:\Documents and Settings\All Users\Application Data\Secure Solutions\Antispyware 2008 XP (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Secure Solutions\Antispyware 2008 XP\BASE (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Secure Solutions\Antispyware 2008 XP\DELETED (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Secure Solutions\Antispyware 2008 XP\LOG (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Secure Solutions\Antispyware 2008 XP\SAVED (Rogue.Multiple) -> Quarantined and deleted successfully.

Fichier(s) infecté(s):
C:\WINDOWS\system32\mlJYqPjH.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\HjPqYJlm.ini (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\HjPqYJlm.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bughbhov.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\vohbhgub.ini (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\awtsSmJy.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\wbqxfpgl.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rqhpkjec.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mtwrip.dll (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\Propriétaire\Local Settings\Temp\lwpwer.exe (Rogue.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Propriétaire\Local Settings\Temporary Internet Files\Content.IE5\A9LAJALS\kb456456[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Propriétaire\Local Settings\Temporary Internet Files\Content.IE5\K31RQUFL\CA0TMBS1 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Propriétaire\Local Settings\Temporary Internet Files\Content.IE5\K31RQUFL\cntr[1].gif (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Propriétaire\Local Settings\Temporary Internet Files\Content.IE5\L7FFLPGE\kb767887[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Propriétaire\Local Settings\Temporary Internet Files\Content.IE5\NEOBVHG9\d100526[1].exe (Rogue.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\ateqoflr.exe (Trojan.Vapsup) -> Quarantined and deleted successfully.
C:\WINDOWS\edpw.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fccaXPJc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
E:\System Volume Information\_restore{74EA4B44-2B57-4B38-B606-4BE6C1733BE7}\RP26\A0002007.dll (Adware.MyWeb.FunWeb) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Secure Solutions\Antispyware 2008 XP\as2008xp.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Secure Solutions\Antispyware 2008 XP\LOG\20080816142832156.log (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Secure Solutions\Antispyware 2008 XP\LOG\20080816144610515.log (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\services\services.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\tpabfelq.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Propriétaire\Favoris\Privacy Protector.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Propriétaire\Favoris\Spyware&Malware Protection.url (Rogue.Link) -> Quarantined and deleted successfully.

The rest is coming

Here is the ComboFix report

ComboFix 08-08-15.04 - Propriétaire 2008-08-16 18:03:57.1 - NTFSx86
Microsoft Windows XP Édition familiale 5.1.2600.2.1252.33.1036.18.614 [GMT 2:00]
Endroit: C:\Documents and Settings\Propriétaire\Bureau\ComboFix.exe
* Création d'un nouveau point de restauration

AVERTISSEMENT - LA CONSOLE DE RÉCUPÉRATION N'EST PAS INSTALLÉE SUR CETTE MACHINE !!
.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Propriétaire\Cookies\propriétaire@ad.yieldmanager[1].txt
C:\Documents and Settings\Propriétaire\Cookies\propriétaire@ads.128b[2].txt
C:\Documents and Settings\Propriétaire\Cookies\propriétaire@diffusion[1].txt
C:\Documents and Settings\Propriétaire\Cookies\propriétaire@fr.netlog[2].txt

.
((((((((((((((((((((((((((((( Fichiers créés 2008-07-16 to 2008-08-16 ))))))))))))))))))))))))))))))))))))
.

2008-08-16 16:37 . 2008-08-16 16:37 <REP> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-16 16:37 . 2008-08-16 16:37 <REP> d-------- C:\Documents and Settings\Propriétaire\Application Data\Malwarebytes
2008-08-16 16:37 . 2008-08-16 16:37 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-16 16:37 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-16 16:37 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-16 15:13 . 2008-08-16 15:13 <REP> d-------- C:\Program Files\Lavasoft
2008-08-16 15:13 . 2008-08-16 15:14 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-16 15:11 . 2008-08-16 15:11 <REP> d-------- C:\Program Files\Fichiers communs\Wise Installation Wizard
2008-08-16 14:28 . 2008-08-16 17:54 <REP> d-------- C:\Documents and Settings\All Users\Application Data\services
2008-08-16 14:26 . 2008-08-16 14:52 <REP> d-------- C:\Documents and Settings\Propriétaire\Application Data\TmpRecentIcons
2008-08-16 14:26 . 2008-08-16 14:26 73,728 ---hs---- C:\Documents and Settings\Propriétaire\MediaTubeCodec_ver1.1463.0.exe
2008-08-16 14:26 . 2008-08-16 14:26 73,728 ---hs---- C:\Documents and Settings\Propriétaire\MediaTubeCodec_ver1.1463.0.exe
2008-08-16 14:00 . 2008-08-16 17:58 <REP> d-------- C:\Program Files\DNA
2008-08-16 14:00 . 2008-08-16 14:00 <REP> d-------- C:\Program Files\BitTorrent
2008-08-16 14:00 . 2008-08-16 17:58 <REP> d-------- C:\Documents and Settings\Propriétaire\Application Data\DNA
2008-08-16 14:00 . 2008-08-16 14:36 <REP> d-------- C:\Documents and Settings\Propriétaire\Application Data\BitTorrent
2008-08-16 13:56 . 2004-08-03 23:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-08-16 13:47 . 2008-08-16 13:47 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2008-08-15 03:48 . 2004-08-05 14:00 5,305,344 --a------ C:\WINDOWS\system32\xpsp2res.dll
2008-08-15 03:47 . 2004-08-05 14:00 1,836,032 --a------ C:\WINDOWS\system32\win32k.sys
2008-08-15 03:46 . 2004-08-05 14:00 2,826,752 --a------ C:\WINDOWS\system32\syssetup.dll
2008-08-15 03:44 . 2003-07-30 10:49 13,107,200 --a------ C:\WINDOWS\system32\oembios.bin
2008-08-15 03:43 . 2004-08-05 14:00 4,708,352 --a------ C:\WINDOWS\system32\logon.scr
2008-08-15 03:42 . 2004-08-05 14:00 5,723,648 --a------ C:\WINDOWS\system32\inetcpl.cpl
2008-08-15 03:41 . 2004-08-05 14:00 1,502,208 --a--c--- C:\WINDOWS\system32\dllcache\diskcopy.dll
2008-08-15 03:40 . 2004-08-05 14:00 2,067,968 --a--c--- C:\WINDOWS\system32\dllcache\cdosys.dll
2008-08-15 01:10 . 2008-08-16 17:43 <REP> d-------- C:\Program Files\eMule
2008-08-15 00:55 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-08-15 00:55 . 2007-07-30 19:18 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-08-15 00:53 . 2001-08-23 17:04 12,288 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-08-15 00:53 . 2001-08-23 17:04 12,288 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-08-15 00:42 . 2001-08-17 22:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-08-15 00:42 . 2001-08-17 22:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2008-08-15 00:40 . 2008-08-15 00:40 <REP> d-------- C:\Program Files\Messenger Plus! Live
2008-08-15 00:18 . 2008-08-15 00:18 <REP> d-------- C:\WINDOWS\system32\LogFiles
2008-08-15 00:18 . 2008-08-15 00:18 <REP> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-08-15 00:00 . 2008-08-15 00:00 3,932,214 --a------ C:\WINDOWS\BricoPack Wallpaper.bmp
2008-08-15 00:00 . 2008-08-15 00:00 51,919 --a------ C:\WINDOWS\BricoPackUninst.cmd
2008-08-14 23:58 . 2008-08-14 23:58 <REP> d-------- C:\WINDOWS\BricoPacks
2008-08-14 23:58 . 2008-08-15 00:00 4,839 --a------ C:\WINDOWS\BricoPackFoldersDelete.cmd
2008-08-14 21:02 . 2001-08-17 23:59 3,072 --a------ C:\WINDOWS\system32\drivers\audstub.sys
2008-08-14 21:01 . 2004-08-04 02:54 77,312 --a------ C:\WINDOWS\system32\usbui.dll
2008-08-14 21:01 . 2004-08-04 02:39 58,496 --a------ C:\WINDOWS\system32\drivers\redbook.sys
2008-08-14 21:01 . 2001-08-17 23:46 6,400 --a------ C:\WINDOWS\system32\drivers\enum1394.sys
2008-08-14 21:00 . 2004-08-04 01:07 14,080 --a------ C:\WINDOWS\system32\drivers\CmBatt.sys
2008-08-14 21:00 . 2001-08-17 23:57 14,080 --a------ C:\WINDOWS\system32\drivers\battc.sys
2008-08-14 21:00 . 2001-08-17 23:58 9,344 --a------ C:\WINDOWS\system32\drivers\compbatt.sys

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-14 22:33 --------- dcsh--w C:\Program Files\Fichiers communs\WindowsLiveInstaller
2008-08-14 22:33 --------- d-----w C:\Program Files\Windows Live
2008-08-14 22:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-08-14 22:00 219,648 ----a-w C:\WINDOWS\system32\uxtheme.dll
2008-08-14 17:47 --------- d-----w C:\Program Files\DirectX
2008-08-14 17:30 81,920 ------r C:\WINDOWS\bwUnin-6.1.4.55-7681197L.exe
2008-08-14 17:30 --------- d-----w C:\Program Files\F-Secure
2008-08-14 17:25 --------- d-----w C:\Program Files\Power Manager
2008-08-14 17:24 --------- d-----w C:\Program Files\Fichiers communs\InstallShield
2008-08-14 17:24 --------- d-----w C:\Program Files\Broadcom
2008-08-14 17:23 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-14 17:23 --------- d-----w C:\Program Files\Apoint2K
2008-08-14 17:22 --------- d-----w C:\Program Files\Realtek Sound Manager
2008-08-14 17:22 --------- d-----w C:\Program Files\AvRack
2008-08-14 17:22 --------- d-----w C:\Program Files\ATI Technologies
2008-08-14 17:11 --------- d-----w C:\Program Files\microsoft frontpage
2008-08-14 17:10 --------- d-----w C:\Program Files\Java
2008-08-14 17:10 --------- d-----w C:\Program Files\Fichiers communs\Java
2008-08-14 17:08 --------- d-----w C:\Program Files\Services en ligne
2008-05-16 09:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
.

------- Sigcheck -------

2004-09-29 20:47 660992 61cdcab341ade3482101da90fcc793ac C:\WINDOWS\$hf_mig$\KB834707\SP2QFE\wininet.dll
2008-06-23 17:40 663552 95d92788889b847309c63e2ec287d1c0 C:\WINDOWS\SoftwareDistribution\Download\[u]0/u8226861086a18779ae960326e29c1a3\sp2gdr\wininet.dll
2008-06-23 18:15 671232 8ca18fd7cccabff7e84702bc1bbf5dcb C:\WINDOWS\SoftwareDistribution\Download\[u]0/u8226861086a18779ae960326e29c1a3\sp2qfe\wininet.dll
2008-06-23 17:10 670208 d2177655bc338a07b99913f6a4bed52d C:\WINDOWS\SoftwareDistribution\Download\[u]0/u8226861086a18779ae960326e29c1a3\sp3gdr\wininet.dll
2008-06-23 16:56 670720 4e00327da458beffea8f4b222f466b20 C:\WINDOWS\SoftwareDistribution\Download\[u]0/u8226861086a18779ae960326e29c1a3\sp3qfe\wininet.dll
2004-09-29 20:49 1138688 fe88b718b24cc2395ad4090cd6ade229 C:\WINDOWS\system32\wininet.dll
2004-09-29 20:49 1138688 fe88b718b24cc2395ad4090cd6ade229 C:\WINDOWS\system32\dllcache\wininet.dll

2004-08-05 14:00 3198464 cdc990fbeceff120d114c94cf07af248 C:\WINDOWS\explorer.exe
2004-08-05 14:00 3198464 cdc990fbeceff120d114c94cf07af248 C:\WINDOWS\system32\dllcache\explorer.exe

2007-07-30 19:19 71000 c8d27565f1835b5c4848183572e375ab C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 71000 c8d27565f1835b5c4848183572e375ab C:\WINDOWS\system32\dllcache\wuauclt.exe
.
((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-05 14:00 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 11:34 5724184]
"RocketDock"="C:\WINDOWS\BricoPacks\Crystal Clear\RocketDock\RocketDock.exe" [2006-05-14 22:47 344064]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-08-16 14:00 342336]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0\bin\jusched.exe" [2008-08-14 19:10 36972]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-06-22 21:15 344064]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-12-05 14:22 159744]
"PowerManager"="C:\Program Files\Power Manager\PM.exe" [2005-08-19 09:11 163840]
"F-Secure Manager"="C:\Program Files\F-Secure\Common\FSM32.EXE" [2002-12-05 16:24 106571]
"SoundMan"="SOUNDMAN.EXE" [2005-05-17 18:48 77824 C:\WINDOWS\SOUNDMAN.EXE]
"SMSERIAL"="sm56hlpr.exe" [2005-07-06 04:47 544768 C:\WINDOWS\sm56hlpr.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-05 14:00 15360]

C:\Documents and Settings\Propri‚taire\Menu D‚marrer\Programmes\D‚marrage\
RocketDock.lnk - C:\WINDOWS\BricoPacks\Crystal Clear\RocketDock\RocketDock.exe [2006-05-14 22:47:48 344064]
UberIcon.lnk - C:\WINDOWS\BricoPacks\Crystal Clear\UberIcon\UberIcon Manager.exe [2006-02-05 14:20:14 180224]
Y'z Shadow.lnk - C:\WINDOWS\BricoPacks\Crystal Clear\YzShadow\YzShadow.exe [2002-09-30 21:09:06 131072]
Y'z Toolbar.lnk - C:\WINDOWS\BricoPacks\Crystal Clear\YzToolbar\YzToolBar.exe [2002-09-29 14:41:10 90112]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\eMule\\emule.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4500:TCP"= 4500:TCP:emule tcp
"4510:UDP"= 4510:UDP:emule udp
"11000:TCP"= 11000:TCP:emule tcp 30
"11010:UDP"= 11010:UDP:emule udp 30

R2 BackWeb Client - 7681197;F-Secure BackWeb;C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE [2008-08-14 19:30]
R2 F-Secure Filter;F-Secure File System Filter;C:\Program Files\F-Secure\Anti-Virus\Win2K\FSfilter.sys [2002-04-23 13:23]
R2 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Program Files\F-Secure\Anti-Virus\Win2K\FSgk.sys [2002-12-03 08:36]
R2 F-Secure Recognizer;F-Secure File System Recognizer;C:\Program Files\F-Secure\Anti-Virus\Win2K\FSrec.sys [2002-04-23 13:23]
R2 FSpm;F-Secure Policy Manager;C:\Program Files\F-Secure\Common\FSPM.SYS [2002-12-05 16:24]
R3 EKBfltr;ENE Keyboard Controller;C:\WINDOWS\system32\DRIVERS\EKBfltr.sys [2005-01-14 17:22]

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
*Newly Created Service* - WINIO
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.be/

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-16 18:05:36
Windows 5.1.2600 Service Pack 2 NTFS

Balayage processus cachés ...

Balayage caché autostart entries ...

Balayage des fichiers cachés ...

Scan terminé avec succès
Les fichiers cachés: 0

**************************************************************************
.
Temps d'accomplissement: 2008-08-16 18:06:21
ComboFix-quarantined-files.txt 2008-08-16 16:06:18

Pre-Run: 73,904,824,320 octets libres
Post-Run: 74,166,579,200 octets libres

165 --- E O F --- 2008-08-15 01:27:40

and the HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:08:44, on 16/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure\BackWeb\7681197\Program\BackWeb-7681197.exe
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\Program Files\F-Secure\Common\FNRB32.EXE
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\Program Files\F-Secure\Common\FIH32.EXE
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Power Manager\PM.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\BricoPacks\Crystal Clear\RocketDock\RocketDock.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Propriétaire\Bureau\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.be/?gws_rd=ssl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Programme d'aide de l'Assistant de connexion Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [PowerManager] C:\Program Files\Power Manager\PM.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [RocketDock] "C:\WINDOWS\BricoPacks\Crystal Clear\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: RocketDock.lnk = C:\WINDOWS\BricoPacks\Crystal Clear\RocketDock\RocketDock.exe
O4 - Startup: UberIcon.lnk = C:\WINDOWS\BricoPacks\Crystal Clear\UberIcon\UberIcon Manager.exe
O4 - Startup: Y'z Shadow.lnk = C:\WINDOWS\BricoPacks\Crystal Clear\YzShadow\YzShadow.exe
O4 - Startup: Y'z Toolbar.lnk = C:\WINDOWS\BricoPacks\Crystal Clear\YzToolbar\YzToolBar.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/...
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: F-Secure BackWeb (BackWeb Client - 7681197) - Unknown owner - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: F-Secure BackWeb LAN Access - Unknown owner - C:\Program Files\F-Secure\BackWeb\7681197\Program\fsbwlan.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
O23 - Service: F-Secure Authentication Agent (FSAA) - F-Secure Corporation. All Rights Reserved. - C:\Program Files\F-Secure\Common\FSAA.EXE
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
0
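Most of the Vundo items in the Malwarebytes report above are marked "Delete on reboot" rather than "Quarantined and deleted successfully", and two of them sit in `HKLM\SYSTEM\CurrentControlSet\Control\LSA` (Notification Packages and Authentication Packages), i.e. DLLs that lsass.exe loads at logon and that cannot be unlinked while Windows is running. That is why the user still saw the infection after the first scans and why the helper asked for a fresh HijackThis log afterwards. The script below, added as an example and not code from the thread or from Malwarebytes, parses the report's detection lines, counts families, lists what is still pending a reboot and flags persistence points loaded by privileged processes; the `PRIVILEGED_LOADERS` list is my own and the sample input is a short excerpt of the report posted above.

```python
"""Summarise a Malwarebytes' Anti-Malware removal report.

Added example, not part of the thread and not Malwarebytes' code.  Each
detection line in the report has the shape
    <item> (<family>) -> [Data: ... ->] <action>.
The helpers pull those out, count families, list what is still marked
'Delete on reboot' (so a reboot and a rescan are needed before the machine
can be called clean) and flag persistence points loaded by privileged
processes (LSA packages, Winlogon notify), which is why those entries could
not be removed while Windows was running.
"""
import re
from collections import Counter
from dataclasses import dataclass

DETECTION_RE = re.compile(
    r'^(?P<item>.+) \((?P<family>[A-Za-z][\w.&]*)\) -> (?P<rest>.+?)\.?$')

# Registry locations whose DLLs get loaded into lsass.exe / winlogon.exe
# (list constructed for this example).
PRIVILEGED_LOADERS = ('\\Control\\LSA\\', '\\Winlogon\\Notify\\')


@dataclass(frozen=True)
class Detection:
    item: str
    family: str
    action: str


def parse_detections(report: str):
    """Return one Detection per line that carries a '(family) -> action'."""
    dets = []
    for line in report.splitlines():
        m = DETECTION_RE.match(line.strip())
        if not m:
            continue  # header and count lines have no '->'
        # 'Data: ... -> action' lines: the action is the last arrow segment
        action = m['rest'].split(' -> ')[-1].strip()
        dets.append(Detection(m['item'], m['family'], action))
    return dets


def count_by_family(dets):
    return Counter(d.family for d in dets)


def pending_reboot(dets):
    """Items the scanner could not remove live; they need a reboot + rescan."""
    return [d.item for d in dets if d.action == 'Delete on reboot']


def privileged_persistence(dets):
    """Items registered where lsass/winlogon load them at boot or logon."""
    return [d.item for d in dets
            if any(p.lower() in d.item.lower() for p in PRIVILEGED_LOADERS)]


def needs_rescan(dets) -> bool:
    return bool(pending_reboot(dets))


# Sample input: an excerpt of the Malwarebytes report posted in the thread.
SAMPLE_REPORT = r"""
Fichier(s) infecté(s): 26

C:\WINDOWS\system32\bughbhov.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\wbqxfpgl.dll (Trojan.FakeAlert) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Secure Solutions (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\68bc5379 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\mljyqpjh -> Delete on reboot.
C:\Documents and Settings\Propriétaire\Local Settings\Temp\lwpwer.exe (Rogue.Agent) -> Quarantined and deleted successfully.
"""

if __name__ == '__main__':
    dets = parse_detections(SAMPLE_REPORT)
    print('families:', dict(count_by_family(dets)))
    print('pending reboot:', len(pending_reboot(dets)))
    print('privileged persistence:', privileged_persistence(dets))
    print('rescan needed:', needs_rescan(dets))
```

On the full report this gives 59 detections, of which 15 are pending reboot; `needs_rescan` returning True is the programmatic version of the helper's "a new HijackThis log" request, and the second log in the thread indeed no longer shows the `68bc5379` Run value or the rogue `s9201` entry.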