Your computer is infected

malou -
ludsfa (Messages posted: 1287, Status: Member) -
Hello,
I have a virus on my PC ("your computer is infected").
I followed the SmitFraudFix procedure,
but the problem persists.
Here is the report:
SmitFraudFix v2.347

Rapport fait à 17:17:11.75, 09-09-2008
Executé à partir de C:\Documents and Settings\user\Bureau\SmitfraudFix
OS: Microsoft Windows XP [version 5.1.2600] - Windows_NT
Le type du système de fichiers est FAT32
Fix executé en mode normal

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\windows\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Documents and Settings\All Users\Application Data\xqzaryhe\dapwbozq.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Huawei Technologies\Huawei SmartAX MT810\dslmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\WinCtrl32.dll détecté, utilisez un scanner de Rootkit

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\user


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\user\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Menu Démarrer


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\user\Favoris


»»»»»»»»»»»»»»»»»»»»»»»» Bureau


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Clés corrompues


»»»»»»»»»»»»»»»»»»»»»»»» Eléments du bureau

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Ma page d'accueil"


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» AntiXPVSTFix
!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

AntiXPVSTFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="c:\\windows\\system32\\userinit.exe"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» RK



»»»»»»»»»»»»»»»»»»»»»»»» DNS



»»»»»»»»»»»»»»»»»»»»»»»» Recherche infection wininet.dll


»»»»»»»»»»»»»»»»»»»»»»»» Fin

Regards
10 replies

ludsfa (Messages posted: 1287, Status: Member) 15
 
Hi malou,

Select all of the bold text below.



file::
C:\FOUND.000
C:\FOUND.001
C:\FOUND.002
C:\WINDOWS\gmer.ini
C:\WINDOWS\system32\BlockedCookies
C:\WINDOWS\system32\10004.sks
C:\WINDOWS\system32\10001.sks
C:\WINDOWS\system32\10002.sks
C:\WINDOWS\system32\10003.sks
C:\Documents and Settings\user\S87ekhV.exe


folder::
C:\Documents and Settings\All Users\Application Data\kfulyrgv
C:\Program Files\SpyRemover Pro
C:\Documents and Settings\user\Application Data\Simply Super Software
C:\Program Files\Trojan Remover


registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"LTXA09sMbw"=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winag27.sys]
@=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Windj38.sys]
@=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Windj84.sys]
@=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Windl84.sys]
@=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winfk16.sys]
@=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winfl16.sys]
@=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winfl40.sys]
@=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wingm05.sys]
@=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winio30.sys]
@=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winkq27.sys]
@=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winkq84.sys]
@=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winms05.sys]
@=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winms38.sys]
@=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winms40.sys]
@=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winnt62.sys]
@=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winov05.sys]
@=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winvc62.sys]
@=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winwd30.sys]
@=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winxe63.sys]
@=-






* Copy/paste it into Notepad (Start\All Programs\Accessories\Notepad).
* Save it on your desktop under the name CFScript.txt
* Now drag the CFScript.txt file onto ComboFix.exe as shown below:

http://i266.photobucket.com/albums/ii277/sUBs_/CFScript.gif

* This will relaunch ComboFix.


A report will be created; send it to me.
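A CFScript like the one above is a plain text file that ComboFix reads section by section (file::, folder::, registry::), so a slip made while typing or pasting it goes straight into the tool. The following lint pass is an added example, not part of the thread and not a ComboFix component: it flags the two easiest slips to make by hand, two paths run together on one line and a registry key missing its opening bracket. The three section names are the ones used in the post; the rest of the grammar (one absolute path per line, .reg-style key and value lines) is my assumption about the format, and the sample script is constructed to contain both mistakes.

```python
"""Lint a hand-written ComboFix CFScript before it is fed to ComboFix.

Added example. The three section names are the ones used in the post above;
the rest of the grammar (one absolute path per line, .reg-style registry lines)
is my assumption about the format, not a ComboFix specification."""
import re

# Constructed sample reproducing two common hand-editing slips: two paths on one
# line (line 6) and a registry key without its opening bracket (line 12).
SAMPLE_SCRIPT = r"""
file::
C:\WINDOWS\system32\10004.sks

folder::
C:\Program Files\SpyRemover Pro C:\WINDOWS\system32\10003.sks
C:\Program Files\Trojan Remover

registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"LTXA09sMbw"=-
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winag27.sys]
@=-
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")
KNOWN_SECTIONS = {"file", "folder", "registry"}
PATH_RE = re.compile(r"^[A-Za-z]:\\.*$")          # one absolute path per line
SECOND_DRIVE_RE = re.compile(r"\s[A-Za-z]:\\")     # a second "X:\" means two paths were joined
REG_KEY_RE = re.compile(r"^-?\[(HKEY_[A-Z_]+|HK(?:LM|CU|CR|U|CC))\\[^\]]+\]$")
REG_VALUE_RE = re.compile(r'^(@|"[^"]+")=(-|"[^"]*"|dword:[0-9A-Fa-f]{8})$')


def lint_cfscript(text):
    """Return a list of (line_number, message) for every line that does not fit the grammar."""
    issues = []
    section = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            if section not in KNOWN_SECTIONS:
                issues.append((lineno, f"unknown section '{line}'"))
            continue
        if section is None:
            issues.append((lineno, "entry before any section header"))
        elif section in ("file", "folder"):
            if not PATH_RE.match(line):
                issues.append((lineno, "not an absolute path"))
            elif SECOND_DRIVE_RE.search(line):
                issues.append((lineno, "two paths on one line"))
        elif section == "registry":
            if line.startswith(("[", "-[")):
                if not REG_KEY_RE.match(line):
                    issues.append((lineno, "malformed registry key"))
            elif line.startswith("HK"):
                issues.append((lineno, "registry key missing opening '['"))
            elif not REG_VALUE_RE.match(line):
                issues.append((lineno, "malformed registry value"))
    return issues


if __name__ == "__main__":
    for lineno, message in lint_cfscript(SAMPLE_SCRIPT):
        print(f"line {lineno}: {message}")
```

Run it on the script saved as CFScript.txt before dragging the file onto ComboFix.exe; an empty result means every line fits the grammar above, and a reported line number points at the entry to fix.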
malou
 
One clarification:
I get this report when I tick all the boxes,
but if I leave the boxes (services and files) unticked, the scan gives me nothing.
malou
 
I haven't understood how ComboFix works.
malou
 
ComboFix 08-09-12.09 - user 2008-09-13 16:23:10.1 - [color=red][b]FAT32[/b][/color]x86
Microsoft Windows XP Professionnel 5.1.2600.2.1256.213.1036.18.75 [GMT 2:00]
Lancé depuis: C:\Documents and Settings\user\Bureau\ComboFix.exe
* Un nouveau point de restauration a été créé

[color=red][b]AVERTISSEMENT - LA CONSOLE DE RÉCUPÉRATION N'EST PAS INSTALLÉE SUR CETTE MACHINE !![/b][/color]
.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\WINDOWS\system32\~.exe
C:\WINDOWS\system32\braviax.exe
C:\WINDOWS\system32\DelSelf.bat
C:\WINDOWS\system32\drivers\atmapi.sys
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\pla.ax
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\shell31.dll
C:\WINDOWS\system32\wanpacket.dll
C:\WINDOWS\system32\WinCtrl32.dl_
C:\WINDOWS\system32\WinCtrl32.dll
C:\WINDOWS\system32\winivstr.exe
C:\WINDOWS\system32\wpcap.dll
C:\WINDOWS\system32\wpx63.cpx
C:\WINDOWS\wiaservb.log
F:\CNAS TARIF.pif

----- BITS: Il y a peut-être des sites infectés -----

http://ygsondheks.info
.
((((((((((((((((((((((((((((((((((((((( Pilotes/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_NPF
-------\Service_poof


((((((((((((((((((((((((((((( Fichiers créés du 2008-08-13 au 2008-09-13 ))))))))))))))))))))))))))))))))))))
.

2008-09-13 13:24 . 2008-09-13 13:24 <REP> d--hs---- C:\FOUND.002
2008-09-13 13:05 . 2008-09-13 13:05 <REP> d--hs---- C:\FOUND.001
2008-09-11 17:35 . 2008-09-11 17:35 <REP> d-------- C:\Documents and Settings\user\Application Data\Grisoft
2008-09-11 17:35 . 2008-09-11 17:35 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-09-11 17:35 . 2007-05-30 14:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-09-11 16:41 . 2008-09-11 16:41 <REP> d-------- C:\Program Files\Trend Micro
2008-09-10 18:06 . 2008-09-11 16:50 250 --a------ C:\WINDOWS\gmer.ini
2008-09-09 17:16 . 2008-09-09 17:16 73,728 --a------ C:\WINDOWS\system32\drivers\796.exe
2008-09-09 16:46 . 2008-09-09 16:46 73,728 --a------ C:\WINDOWS\system32\drivers\203.exe
2008-09-09 15:59 . 2008-09-09 17:17 2,640 --a------ C:\WINDOWS\system32\tmp.reg
2008-09-09 14:48 . 2008-09-09 14:48 <REP> d-------- C:\Documents and Settings\All Users\Application Data\xqzaryhe
2008-09-09 13:57 . 2008-09-09 13:57 <REP> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-09-09 13:57 . 2008-09-09 14:00 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-09-09 13:56 . 2008-07-09 09:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-09-09 13:56 . 2008-07-09 09:05 42,384 --a------ C:\WINDOWS\zllsputility_loc040c.dll
2008-09-09 13:56 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-09-09 13:55 . 2008-09-09 13:55 <REP> d-------- C:\WINDOWS\system32\ZoneLabs
2008-09-09 13:55 . 2008-09-09 13:55 <REP> d-------- C:\Program Files\Zone Labs
2008-09-09 13:54 . 2008-09-09 13:54 <REP> d-------- C:\WINDOWS\Internet Logs
2008-09-09 12:21 . 2008-09-09 12:21 73,728 --a------ C:\WINDOWS\system32\drivers\968.exe
2008-09-09 12:05 . 2008-09-09 12:05 <REP> d-------- C:\Program Files\Trojan Remover
2008-09-09 12:05 . 2008-09-09 12:05 <REP> d-------- C:\Documents and Settings\user\Application Data\Simply Super Software
2008-09-08 14:42 . 2008-09-08 14:42 <REP> d-------- C:\Program Files\a-squared Free
2008-09-08 14:08 . 2008-09-08 14:08 130 --a------ C:\Documents and Settings\user\delself.bat
2008-09-08 13:53 . 2008-09-08 13:53 249,856 --a------ C:\WINDOWS\system32\nvrsol32.dll.vir
2008-09-08 13:15 . 2008-09-08 13:15 2,840,059 --a------ C:\WINDOWS\system32\SRPSig.zip
2008-09-08 13:15 . 2008-09-08 13:15 870,601 --a------ C:\WINDOWS\system32\SRPExe.zip
2008-09-08 13:12 . 2008-09-08 13:12 421 --a------ C:\WINDOWS\system32\10002.sks
2008-09-08 13:12 . 2008-09-08 13:12 97 --a------ C:\WINDOWS\system32\10001.sks
2008-09-08 13:12 . 2008-09-08 13:15 72 --a------ C:\WINDOWS\system32\SRPVer.ini
2008-09-08 13:12 . 2008-09-08 13:12 0 --a------ C:\WINDOWS\system32\10004.sks
2008-09-08 13:12 . 2008-09-08 13:12 0 --a------ C:\WINDOWS\system32\10003.sks
2008-09-08 13:11 . 2008-09-08 13:17 2,380 --a------ C:\WINDOWS\system32\BlockedCookies
2008-09-08 13:10 . 2008-09-08 13:10 <REP> d-------- C:\Program Files\SpyRemover Pro
2008-09-08 12:26 . 2008-09-08 12:27 313,474 --a------ C:\WINDOWS\system32\winivstr.exe.vir
2008-09-08 12:25 . 2008-09-08 12:25 <REP> d--hs---- C:\FOUND.000
2008-09-07 16:34 . 2004-08-04 04:55 25,088 --a------ C:\WINDOWS\system32\srv
2008-09-07 16:34 . 2004-08-04 04:55 25,088 --a------ C:\WINDOWS\system32\{e0e899ab-f487-11d5-8d29-0050ba6940e3}
2008-09-07 16:26 . 2008-09-07 16:26 <REP> d-------- C:\Documents and Settings\All Users\Application Data\kfulyrgv
2008-09-07 16:26 . 2008-09-07 16:26 98,816 --a------ C:\WINDOWS\system32\r4h.e33
2008-09-07 16:26 . 2008-09-07 16:26 64,000 --a------ C:\WINDOWS\system32\fds.i386
2008-09-07 16:26 . 2008-09-07 16:26 42,496 --a------ C:\WINDOWS\system32\drivers\656.exe
2008-09-07 16:26 . 2008-09-07 16:26 29,184 --a------ C:\WINDOWS\iexplorer.exe.vir
2008-09-07 16:26 . 2008-09-07 16:26 21,504 --a------ C:\WINDOWS\system32\sof.586
2008-09-07 16:26 . 2008-09-07 16:28 32 --a-s---- C:\WINDOWS\system32\2633133696.dat
2008-09-07 16:25 . 2008-09-07 16:25 55,063 --a------ C:\Documents and Settings\user\S87ekhV.exe
2008-08-31 13:54 . 2008-08-31 13:54 <REP> d-------- C:\Program Files\Fichiers communs\Adobe

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-07 14:26 578,048 ----a-w C:\WINDOWS\system32\user32.DLL
2008-09-07 14:26 578,048 ----a-w C:\WINDOWS\system32\dllcache\user32.dll
2008-08-25 17:13 26 ----a-w C:\WINDOWS\system32\drivers\adidsl.cfg
2008-06-21 12:10 8,813,777 ----a-w C:\WINDOWS\system32\SRPRSig.dll
2008-06-21 12:09 6,538,067 ----a-w C:\WINDOWS\system32\SRPFSig.dll
2008-06-21 12:08 623,157 ----a-w C:\WINDOWS\system32\SRPESig.dll
2004-09-03 08:32 3,488 ----a-w C:\WINDOWS\inf\OTHER\CMIAINFO.SYS
2007-01-01 13:28 220 --sha-w C:\WINDOWS\dwin.sys
.
[color=red] C:\WINDOWS\system32\user32.dll ... is infected !! (additional data below) [/color]
578,048 2008-09-07 14:26:32 C:\WINDOWS\system32\user32.DLL
578,048 2008-09-07 14:26:32 C:\WINDOWS\system32\dllcache\user32.dll


------- Sigcheck -------

2008-09-07 16:26 578048 e7889e529904597373304d4fcfe25429 C:\WINDOWS\system32\user32.DLL
2008-09-07 16:26 578048 e7889e529904597373304d4fcfe25429 C:\WINDOWS\system32\dllcache\user32.dll

2004-08-04 03:14 359040 1745b00fc1141404b28f4b94f69a8871 C:\WINDOWS\system32\drivers\tcpip.sys
2004-08-04 03:14 359040 1745b00fc1141404b28f4b94f69a8871 C:\WINDOWS\system32\dllcache\tcpip.sys
.
((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-07-16 4670704]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" [2006-10-12 49263]
"TkBellExe"="C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" [2007-02-24 185896]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2007-09-13 77824]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 6731312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"LTXA09sMbw"="C:\Documents and Settings\All Users\Application Data\xqzaryhe\dapwbozq.exe" [2008-09-09 73728]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winag27.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Windj38.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Windj84.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Windl84.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winfk16.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winfl16.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winfl40.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wingm05.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winio30.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winkq27.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winkq84.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winms05.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winms38.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winms40.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winnt62.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winov05.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winvc62.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winwd30.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winxe63.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"F:\\eMule\\emule.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R3 adiusbae;USB ADSL LAN Adapter;C:\WINDOWS\system32\DRIVERS\adiusbae.sys [2003-12-01 117785]
S0 Winag27;Winag27;C:\WINDOWS\system32\Drivers\Winag27.sys [ ]
S0 Windj38;Windj38;C:\WINDOWS\system32\Drivers\Windj38.sys [ ]
S0 Windj84;Windj84;C:\WINDOWS\system32\Drivers\Windj84.sys [ ]
S0 Windl84;Windl84;C:\WINDOWS\system32\Drivers\Windl84.sys [ ]
S0 Winfk16;Winfk16;C:\WINDOWS\system32\Drivers\Winfk16.sys [ ]
S0 Winfl16;Winfl16;C:\WINDOWS\system32\Drivers\Winfl16.sys [ ]
S0 Winfl40;Winfl40;C:\WINDOWS\system32\Drivers\Winfl40.sys [ ]
S0 Wingm05;Wingm05;C:\WINDOWS\system32\Drivers\Wingm05.sys [ ]
S0 Winio30;Winio30;C:\WINDOWS\system32\Drivers\Winio30.sys [ ]
S0 Winkq27;Winkq27;C:\WINDOWS\system32\Drivers\Winkq27.sys [ ]
S0 Winkq84;Winkq84;C:\WINDOWS\system32\Drivers\Winkq84.sys [ ]
S0 Winms05;Winms05;C:\WINDOWS\system32\Drivers\Winms05.sys [ ]
S0 Winms38;Winms38;C:\WINDOWS\system32\Drivers\Winms38.sys [ ]
S0 Winms40;Winms40;C:\WINDOWS\system32\Drivers\Winms40.sys [ ]
S0 Winnt62;Winnt62;C:\WINDOWS\system32\Drivers\Winnt62.sys [ ]
S0 Winov05;Winov05;C:\WINDOWS\system32\Drivers\Winov05.sys [ ]
S0 Winvc62;Winvc62;C:\WINDOWS\system32\Drivers\Winvc62.sys [ ]
S0 Winwd30;Winwd30;C:\WINDOWS\system32\Drivers\Winwd30.sys [ ]
S0 Winxe63;Winxe63;C:\WINDOWS\system32\Drivers\Winxe63.sys [ ]
S2 E2ECAP;e2eCap - WDM Video Capture;C:\WINDOWS\system32\DRIVERS\e2ecap.sys [2006-07-10 124416]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{57e52f3c-f9b1-11dc-ac10-007304430c3e}]
\Shell\AutoRun\command - H:\juok3st.bat
\Shell\explore\Command - H:\juok3st.bat
\Shell\open\Command - H:\juok3st.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8eb66220-8fa7-11dc-ab6f-007304430c3e}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL antihost.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{af67f332-2259-11dc-aa72-007304430c3e}]
\Shell\AutoRun\command - H:\RavMon.exe
\Shell\explore\Command - H:\RavMon.exe -e
\Shell\open\Command - H:\RavMon.exe

*Newly Created Service* - RPCSSVSS
.
- - - - ORPHELINS SUPPRIMES - - - -

HKLM-Run-SpyRemoverPro - C:\PROGRA~1\SPYREM~1\SpyRemoverPro.exe
HKLM-Run-Cmaudio - cmicnfg.cpl


.
------- Examen supplémentaire -------
.
R0 -: HKCU-Main,Start Page = about:blank
R0 -: HKLM-Main,Start Page = hxxp://www.google.com
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
O8 -: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 -: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 -: E&xporter vers Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
.
------- File Associations (Beta) -------
.
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-13 16:37:25
Windows 5.1.2600 Service Pack 2 FAT NTAPI

Recherche de processus cachés ...

Recherche d'éléments en démarrage automatique cachés ...

Recherche de fichiers cachés ...

Scan terminé avec succès
Fichiers cachés: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\BITSUMWdf]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\BrowserLmHosts]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CiSvcAudioSrv]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MDMSchedule]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MessengerProtectedStorage]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetDDEdsdmwuauserv]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Netlogonmnmsrvc]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NlaMcAfeeFramework]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PolicyAgentShellHWDetection]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PolicyAgentShellHWDetectionCOMSysApp]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDSessMgrdmserver]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RpcSsusnjsvc]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RpcSsVSS]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\seclogonBrowserLmHosts]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\seclogonThemes]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TrkWksNetDDE]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\upnphostMessengerProtectedStorage]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UPSTermService]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WmdmPmSNWmiApSrvImapiService]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WmiApSrvImapiService]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wuauservRemoteAccess]
"ImagePath"=" srv"
.
--------------------- DLLs chargées dans les processus actifs ---------------------

PROCESSUS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
------------------------ Autres processus actifs ------------------------
.
C:\PROGRAM FILES\A-SQUARED FREE\A2SERVICE.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\Program Files\Huawei Technologies\Huawei SmartAX MT810\dslmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Heure de fin: 2008-09-13 16:42:06 - La machine a redémarré [user]
ComboFix-quarantined-files.txt 2008-09-13 14:41:54

Avant-CF: 5,793,849,344 octets libres
Après-CF: 5,754,134,528 octets libres


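A ComboFix log is long, and the items that matter in the one above are scattered through it: boot-start (S0) services whose driver file no longer exists (shown as "[ ]"), a run of SafeBoot\Minimal keys with look-alike Win??NN.sys names, services whose ImagePath is " srv", Security Center notifications switched off, the Windows firewall disabled, and removable-drive autorun handlers under mountpoints2. The following triage script is an added example, mine rather than the thread's or a ComboFix component: it walks a log in this format once and collects those indicators. The excerpt it runs on is copied from the log posted above, the regexes are my own reading of the format, and the "random driver name" pattern is an assumption fitted to the names seen here.

```python
"""Collect the persistence and defence-evasion indicators from a ComboFix log.

Added example: the regexes encode my own reading of the log format seen in
this thread, not a ComboFix specification."""
import re

# Excerpt of the ComboFix log posted in this thread (lines copied as-is,
# trimmed to the parts the checks below look at).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"LTXA09sMbw"="C:\Documents and Settings\All Users\Application Data\xqzaryhe\dapwbozq.exe" [2008-09-09 73728]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winag27.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Windj38.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R3 adiusbae;USB ADSL LAN Adapter;C:\WINDOWS\system32\DRIVERS\adiusbae.sys [2003-12-01 117785]
S0 Winag27;Winag27;C:\WINDOWS\system32\Drivers\Winag27.sys [ ]
S0 Windj38;Windj38;C:\WINDOWS\system32\Drivers\Windj38.sys [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{57e52f3c-f9b1-11dc-ac10-007304430c3e}]
\Shell\AutoRun\command - H:\juok3st.bat
\Shell\open\Command - H:\juok3st.bat

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\BITSUMWdf]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\BrowserLmHosts]
"ImagePath"=" srv"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")                                      # [HKEY_...\key]
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')                            # "name"=data
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+?) \[(.*)\]$")    # S0 name;desc;path [meta]
# Assumption: the rogue drivers in this log are all named Win + 2 letters + 2 digits.
RANDOM_DRIVER_RE = re.compile(r"^Win[a-z]{2}\d{2}\.sys$", re.IGNORECASE)
AUTORUN_RE = re.compile(r"^\\Shell\\(AutoRun|open|explore)\\command - (.+)$", re.IGNORECASE)


def triage(log_text):
    """Walk the log once, tracking the current registry key, and return the findings."""
    findings = {
        "random_safeboot_drivers": [],      # SafeBoot\Minimal keys that survive Safe Mode
        "services_with_missing_file": [],   # boot-start services whose driver file is gone
        "srv_hijacked_services": [],        # ImagePath pointing at the bare "srv" file
        "notifications_disabled": [],       # Security Center warnings switched off
        "firewall_disabled": False,
        "removable_autorun_commands": [],   # mountpoints2 autorun handlers (removable media)
        "policy_run_entries": [],           # policies\explorer\Run launch points
    }
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            leaf = current_key.rsplit("\\", 1)[-1]
            if "\\safeboot\\minimal\\" in current_key.lower() and RANDOM_DRIVER_RE.match(leaf):
                findings["random_safeboot_drivers"].append(leaf)
            continue
        m = SERVICE_RE.match(line)
        if m:
            start_type, name, _desc, path, meta = m.groups()
            # ComboFix prints "[ ]" instead of "[date size]" when the file does not exist.
            if start_type in ("S0", "R0") and not meta.strip():
                findings["services_with_missing_file"].append((name, path))
            continue
        m = AUTORUN_RE.match(line)
        if m and "mountpoints2" in current_key.lower():
            findings["removable_autorun_commands"].append(f"{m.group(1)} -> {m.group(2)}")
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        vname, vdata = m.groups()
        key_lc = current_key.lower()
        if vname == "ImagePath" and vdata.strip('"').strip() == "srv":
            findings["srv_hijacked_services"].append(current_key.rsplit("\\", 1)[-1])
        elif "security center" in key_lc and vname.endswith("DisableNotify") and vdata.endswith("00000001"):
            findings["notifications_disabled"].append(vname)
        elif "firewallpolicy" in key_lc and vname == "EnableFirewall" and vdata.startswith("0"):
            findings["firewall_disabled"] = True
        elif key_lc.endswith("\\policies\\explorer\\run"):
            target = vdata.split('" [')[0].strip('"')   # drop the trailing [date size]
            findings["policy_run_entries"].append((vname, target))
    return findings


if __name__ == "__main__":
    for name, value in triage(SAMPLE_LOG).items():
        print(f"{name}: {value}")
```

Each list in the result maps onto a block of the posted log; on the full log the SafeBoot list grows to nineteen names and the " srv" list to twenty-two services, which is the pattern the helper's CFScript is targeting. A services entry with a missing file is not harmful by itself, but a boot-start driver that was deleted while its SafeBoot key and service registration remain is the classic residue after a partial clean-up.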
malou
 
ComboFix 08-09-12.09 - user 2008-09-13 16:23:10.1 - [color=red][b]FAT32[/b][/color]x86
Microsoft Windows XP Professionnel 5.1.2600.2.1256.213.1036.18.75 [GMT 2:00]
Lancé depuis: C:\Documents and Settings\user\Bureau\ComboFix.exe
* Un nouveau point de restauration a été créé

[color=red][b]AVERTISSEMENT - LA CONSOLE DE RÉCUPÉRATION N'EST PAS INSTALLÉE SUR CETTE MACHINE !![/b][/color]
.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\WINDOWS\system32\~.exe
C:\WINDOWS\system32\braviax.exe
C:\WINDOWS\system32\DelSelf.bat
C:\WINDOWS\system32\drivers\atmapi.sys
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\pla.ax
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\shell31.dll
C:\WINDOWS\system32\wanpacket.dll
C:\WINDOWS\system32\WinCtrl32.dl_
C:\WINDOWS\system32\WinCtrl32.dll
C:\WINDOWS\system32\winivstr.exe
C:\WINDOWS\system32\wpcap.dll
C:\WINDOWS\system32\wpx63.cpx
C:\WINDOWS\wiaservb.log
F:\CNAS TARIF.pif

----- BITS: Il y a peut-être des sites infectés -----

http://ygsondheks.info
.
((((((((((((((((((((((((((((((((((((((( Pilotes/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_NPF
-------\Service_poof


((((((((((((((((((((((((((((( Fichiers créés du 2008-08-13 au 2008-09-13 ))))))))))))))))))))))))))))))))))))
.

2008-09-13 13:24 . 2008-09-13 13:24 <REP> d--hs---- C:\FOUND.002
2008-09-13 13:05 . 2008-09-13 13:05 <REP> d--hs---- C:\FOUND.001
2008-09-11 17:35 . 2008-09-11 17:35 <REP> d-------- C:\Documents and Settings\user\Application Data\Grisoft
2008-09-11 17:35 . 2008-09-11 17:35 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-09-11 17:35 . 2007-05-30 14:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-09-11 16:41 . 2008-09-11 16:41 <REP> d-------- C:\Program Files\Trend Micro
2008-09-10 18:06 . 2008-09-11 16:50 250 --a------ C:\WINDOWS\gmer.ini
2008-09-09 17:16 . 2008-09-09 17:16 73,728 --a------ C:\WINDOWS\system32\drivers\796.exe
2008-09-09 16:46 . 2008-09-09 16:46 73,728 --a------ C:\WINDOWS\system32\drivers\203.exe
2008-09-09 15:59 . 2008-09-09 17:17 2,640 --a------ C:\WINDOWS\system32\tmp.reg
2008-09-09 14:48 . 2008-09-09 14:48 <REP> d-------- C:\Documents and Settings\All Users\Application Data\xqzaryhe
2008-09-09 13:57 . 2008-09-09 13:57 <REP> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-09-09 13:57 . 2008-09-09 14:00 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-09-09 13:56 . 2008-07-09 09:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-09-09 13:56 . 2008-07-09 09:05 42,384 --a------ C:\WINDOWS\zllsputility_loc040c.dll
2008-09-09 13:56 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-09-09 13:55 . 2008-09-09 13:55 <REP> d-------- C:\WINDOWS\system32\ZoneLabs
2008-09-09 13:55 . 2008-09-09 13:55 <REP> d-------- C:\Program Files\Zone Labs
2008-09-09 13:54 . 2008-09-09 13:54 <REP> d-------- C:\WINDOWS\Internet Logs
2008-09-09 12:21 . 2008-09-09 12:21 73,728 --a------ C:\WINDOWS\system32\drivers\968.exe
2008-09-09 12:05 . 2008-09-09 12:05 <REP> d-------- C:\Program Files\Trojan Remover
2008-09-09 12:05 . 2008-09-09 12:05 <REP> d-------- C:\Documents and Settings\user\Application Data\Simply Super Software
2008-09-08 14:42 . 2008-09-08 14:42 <REP> d-------- C:\Program Files\a-squared Free
2008-09-08 14:08 . 2008-09-08 14:08 130 --a------ C:\Documents and Settings\user\delself.bat
2008-09-08 13:53 . 2008-09-08 13:53 249,856 --a------ C:\WINDOWS\system32\nvrsol32.dll.vir
2008-09-08 13:15 . 2008-09-08 13:15 2,840,059 --a------ C:\WINDOWS\system32\SRPSig.zip
2008-09-08 13:15 . 2008-09-08 13:15 870,601 --a------ C:\WINDOWS\system32\SRPExe.zip
2008-09-08 13:12 . 2008-09-08 13:12 421 --a------ C:\WINDOWS\system32\10002.sks
2008-09-08 13:12 . 2008-09-08 13:12 97 --a------ C:\WINDOWS\system32\10001.sks
2008-09-08 13:12 . 2008-09-08 13:15 72 --a------ C:\WINDOWS\system32\SRPVer.ini
2008-09-08 13:12 . 2008-09-08 13:12 0 --a------ C:\WINDOWS\system32\10004.sks
2008-09-08 13:12 . 2008-09-08 13:12 0 --a------ C:\WINDOWS\system32\10003.sks
2008-09-08 13:11 . 2008-09-08 13:17 2,380 --a------ C:\WINDOWS\system32\BlockedCookies
2008-09-08 13:10 . 2008-09-08 13:10 <REP> d-------- C:\Program Files\SpyRemover Pro
2008-09-08 12:26 . 2008-09-08 12:27 313,474 --a------ C:\WINDOWS\system32\winivstr.exe.vir
2008-09-08 12:25 . 2008-09-08 12:25 <REP> d--hs---- C:\FOUND.000
2008-09-07 16:34 . 2004-08-04 04:55 25,088 --a------ C:\WINDOWS\system32\srv
2008-09-07 16:34 . 2004-08-04 04:55 25,088 --a------ C:\WINDOWS\system32\{e0e899ab-f487-11d5-8d29-0050ba6940e3}
2008-09-07 16:26 . 2008-09-07 16:26 <REP> d-------- C:\Documents and Settings\All Users\Application Data\kfulyrgv
2008-09-07 16:26 . 2008-09-07 16:26 98,816 --a------ C:\WINDOWS\system32\r4h.e33
2008-09-07 16:26 . 2008-09-07 16:26 64,000 --a------ C:\WINDOWS\system32\fds.i386
2008-09-07 16:26 . 2008-09-07 16:26 42,496 --a------ C:\WINDOWS\system32\drivers\656.exe
2008-09-07 16:26 . 2008-09-07 16:26 29,184 --a------ C:\WINDOWS\iexplorer.exe.vir
2008-09-07 16:26 . 2008-09-07 16:26 21,504 --a------ C:\WINDOWS\system32\sof.586
2008-09-07 16:26 . 2008-09-07 16:28 32 --a-s---- C:\WINDOWS\system32\2633133696.dat
2008-09-07 16:25 . 2008-09-07 16:25 55,063 --a------ C:\Documents and Settings\user\S87ekhV.exe
2008-08-31 13:54 . 2008-08-31 13:54 <REP> d-------- C:\Program Files\Fichiers communs\Adobe

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-07 14:26 578,048 ----a-w C:\WINDOWS\system32\user32.DLL
2008-09-07 14:26 578,048 ----a-w C:\WINDOWS\system32\dllcache\user32.dll
2008-08-25 17:13 26 ----a-w C:\WINDOWS\system32\drivers\adidsl.cfg
2008-06-21 12:10 8,813,777 ----a-w C:\WINDOWS\system32\SRPRSig.dll
2008-06-21 12:09 6,538,067 ----a-w C:\WINDOWS\system32\SRPFSig.dll
2008-06-21 12:08 623,157 ----a-w C:\WINDOWS\system32\SRPESig.dll
2004-09-03 08:32 3,488 ----a-w C:\WINDOWS\inf\OTHER\CMIAINFO.SYS
2007-01-01 13:28 220 --sha-w C:\WINDOWS\dwin.sys
.
[color=red] C:\WINDOWS\system32\user32.dll ... is infected !! (additional data below) [/color]
578,048 2008-09-07 14:26:32 C:\WINDOWS\system32\user32.DLL
578,048 2008-09-07 14:26:32 C:\WINDOWS\system32\dllcache\user32.dll


------- Sigcheck -------

2008-09-07 16:26 578048 e7889e529904597373304d4fcfe25429 C:\WINDOWS\system32\user32.DLL
2008-09-07 16:26 578048 e7889e529904597373304d4fcfe25429 C:\WINDOWS\system32\dllcache\user32.dll

2004-08-04 03:14 359040 1745b00fc1141404b28f4b94f69a8871 C:\WINDOWS\system32\drivers\tcpip.sys
2004-08-04 03:14 359040 1745b00fc1141404b28f4b94f69a8871 C:\WINDOWS\system32\dllcache\tcpip.sys
.
((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-07-16 4670704]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" [2006-10-12 49263]
"TkBellExe"="C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" [2007-02-24 185896]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2007-09-13 77824]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 6731312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"LTXA09sMbw"="C:\Documents and Settings\All Users\Application Data\xqzaryhe\dapwbozq.exe" [2008-09-09 73728]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winag27.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Windj38.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Windj84.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Windl84.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winfk16.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winfl16.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winfl40.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wingm05.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winio30.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winkq27.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winkq84.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winms05.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winms38.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winms40.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winnt62.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winov05.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winvc62.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winwd30.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winxe63.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"F:\\eMule\\emule.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R3 adiusbae;USB ADSL LAN Adapter;C:\WINDOWS\system32\DRIVERS\adiusbae.sys [2003-12-01 117785]
S0 Winag27;Winag27;C:\WINDOWS\system32\Drivers\Winag27.sys [ ]
S0 Windj38;Windj38;C:\WINDOWS\system32\Drivers\Windj38.sys [ ]
S0 Windj84;Windj84;C:\WINDOWS\system32\Drivers\Windj84.sys [ ]
S0 Windl84;Windl84;C:\WINDOWS\system32\Drivers\Windl84.sys [ ]
S0 Winfk16;Winfk16;C:\WINDOWS\system32\Drivers\Winfk16.sys [ ]
S0 Winfl16;Winfl16;C:\WINDOWS\system32\Drivers\Winfl16.sys [ ]
S0 Winfl40;Winfl40;C:\WINDOWS\system32\Drivers\Winfl40.sys [ ]
S0 Wingm05;Wingm05;C:\WINDOWS\system32\Drivers\Wingm05.sys [ ]
S0 Winio30;Winio30;C:\WINDOWS\system32\Drivers\Winio30.sys [ ]
S0 Winkq27;Winkq27;C:\WINDOWS\system32\Drivers\Winkq27.sys [ ]
S0 Winkq84;Winkq84;C:\WINDOWS\system32\Drivers\Winkq84.sys [ ]
S0 Winms05;Winms05;C:\WINDOWS\system32\Drivers\Winms05.sys [ ]
S0 Winms38;Winms38;C:\WINDOWS\system32\Drivers\Winms38.sys [ ]
S0 Winms40;Winms40;C:\WINDOWS\system32\Drivers\Winms40.sys [ ]
S0 Winnt62;Winnt62;C:\WINDOWS\system32\Drivers\Winnt62.sys [ ]
S0 Winov05;Winov05;C:\WINDOWS\system32\Drivers\Winov05.sys [ ]
S0 Winvc62;Winvc62;C:\WINDOWS\system32\Drivers\Winvc62.sys [ ]
S0 Winwd30;Winwd30;C:\WINDOWS\system32\Drivers\Winwd30.sys [ ]
S0 Winxe63;Winxe63;C:\WINDOWS\system32\Drivers\Winxe63.sys [ ]
S2 E2ECAP;e2eCap - WDM Video Capture;C:\WINDOWS\system32\DRIVERS\e2ecap.sys [2006-07-10 124416]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{57e52f3c-f9b1-11dc-ac10-007304430c3e}]
\Shell\AutoRun\command - H:\juok3st.bat
\Shell\explore\Command - H:\juok3st.bat
\Shell\open\Command - H:\juok3st.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8eb66220-8fa7-11dc-ab6f-007304430c3e}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL antihost.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{af67f332-2259-11dc-aa72-007304430c3e}]
\Shell\AutoRun\command - H:\RavMon.exe
\Shell\explore\Command - H:\RavMon.exe -e
\Shell\open\Command - H:\RavMon.exe

*Newly Created Service* - RPCSSVSS
.
- - - - ORPHELINS SUPPRIMES - - - -

HKLM-Run-SpyRemoverPro - C:\PROGRA~1\SPYREM~1\SpyRemoverPro.exe
HKLM-Run-Cmaudio - cmicnfg.cpl


.
------- Examen supplémentaire -------
.
R0 -: HKCU-Main,Start Page = about:blank
R0 -: HKLM-Main,Start Page = hxxp://www.google.com
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
O8 -: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 -: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 -: E&xporter vers Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
.
------- File Associations (Beta) -------
.
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-13 16:37:25
Windows 5.1.2600 Service Pack 2 FAT NTAPI

Recherche de processus cachés ...

Recherche d'éléments en démarrage automatique cachés ...

Recherche de fichiers cachés ...

Scan terminé avec succès
Fichiers cachés: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\BITSUMWdf]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\BrowserLmHosts]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CiSvcAudioSrv]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MDMSchedule]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MessengerProtectedStorage]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetDDEdsdmwuauserv]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Netlogonmnmsrvc]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NlaMcAfeeFramework]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PolicyAgentShellHWDetection]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PolicyAgentShellHWDetectionCOMSysApp]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDSessMgrdmserver]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RpcSsusnjsvc]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RpcSsVSS]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\seclogonBrowserLmHosts]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\seclogonThemes]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TrkWksNetDDE]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\upnphostMessengerProtectedStorage]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UPSTermService]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WmdmPmSNWmiApSrvImapiService]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WmiApSrvImapiService]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wuauservRemoteAccess]
"ImagePath"=" srv"
.
--------------------- DLLs chargées dans les processus actifs ---------------------

PROCESSUS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
------------------------ Autres processus actifs ------------------------
.
C:\PROGRAM FILES\A-SQUARED FREE\A2SERVICE.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\Program Files\Huawei Technologies\Huawei SmartAX MT810\dslmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Heure de fin: 2008-09-13 16:42:06 - La machine a redémarré [user]
ComboFix-quarantined-files.txt 2008-09-13 14:41:54

Avant-CF: 5,793,849,344 octets libres
Après-CF: 5,754,134,528 octets libres

ludsfa (1287 posts, Member)
 
hi,

Download Gmer:
http://www2.gmer.net/gmer.zip
Unzip it into a folder or onto your desktop:
http://www.7-zip.org/fr/

Disconnect from the Internet, then close all programs.
Double-click Gmer.exe.

IMPORTANT: If your antivirus raises an alert for the file gmer.sys or gmer.exe, let it run.

Click the Rootkit tab.
On the right, check Files and Services.
Now click Scan.

When the scan is finished, click Copy.

Open Notepad, then click the Edit menu / Paste.
The report should then appear.
Save the file to your desktop and copy/paste its contents here.
ludsfa (1287 posts, Member)
 
Hello,

Download ComboFix (by sUBs) to your Desktop.
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

* Temporarily disable all resident protection! (Antivirus, antispyware, ...)
* Double-click ComboFix.exe.
* Accept the license by clicking Yes.
* When the operation is finished, a report will appear. Post that report in your next reply.

The report is located here: %systemdrive%\ComboFix.txt (%systemdrive% being the partition where Windows is installed; usually C:\)

Help: How to use ComboFix.
https://www.bleepingcomputer.com/combofix/fr/comment-utiliser-combofix
malou
 
I didn't understand how ComboFix works
I did it with HijackThis
here is the report
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:41:46, on 11-09-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\windows\explorer.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Documents and Settings\All Users\Application Data\xqzaryhe\dapwbozq.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\braviax.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Huawei Technologies\Huawei SmartAX MT810\dslmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: Shell=c:\windows\explorer.exe
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [advap32] "C:\DOCUME~1\user\LOCALS~1\Temp\loader.exe" /r
O4 - HKLM\..\Run: [SpyRemoverPro] C:\PROGRA~1\SPYREM~1\SpyRemoverPro.exe
O4 - HKLM\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O4 - HKLM\..\Policies\Explorer\Run: [LTXA09sMbw] C:\Documents and Settings\All Users\Application Data\xqzaryhe\dapwbozq.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RESEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: DSLMON.lnk = ?
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{C935A448-A7B1-4F04-885B-12507C6CD6FB}: NameServer = 41.221.20.4 193.251.169.165
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Service de transfert intelligent en arrière-plan BITSUMWdf (BITSUMWdf) - Unknown owner - .exe (file missing)
O23 - Service: Explorateur d'ordinateur BrowserLmHosts (BrowserLmHosts) - Unknown owner - .exe (file missing)
O23 - Service: Service d'indexation CiSvcAudioSrv (CiSvcAudioSrv) - Unknown owner - .exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Machine Debug Manager (MDM) - Network Associates, Inc. - (no file)
O23 - Service: Machine Debug Manager MDMSchedule (MDMSchedule) - Unknown owner - .exe (file missing)
O23 - Service: Affichage des messages MessengerProtectedStorage (MessengerProtectedStorage) - Unknown owner - .exe (file missing)
O23 - Service: DSDM DDE réseau NetDDEdsdmwuauserv (NetDDEdsdmwuauserv) - Unknown owner - .exe (file missing)
O23 - Service: Ouverture de session réseau Netlogonmnmsrvc (Netlogonmnmsrvc) - Unknown owner - .exe (file missing)
O23 - Service: NLA (Network Location Awareness) NlaMcAfeeFramework (NlaMcAfeeFramework) - Unknown owner - .exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Services IPSEC PolicyAgentShellHWDetection (PolicyAgentShellHWDetection) - Unknown owner - .exe (file missing)
O23 - Service: Services IPSEC PolicyAgentShellHWDetection PolicyAgentShellHWDetectionCOMSysApp (PolicyAgentShellHWDetectionCOMSysApp) - Unknown owner - .exe (file missing)
O23 - Service: Gestionnaire de session d'aide sur le Bureau à distance RDSessMgrdmserver (RDSessMgrdmserver) - Unknown owner - .exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Appel de procédure distante (RPC) RpcSsusnjsvc (RpcSsusnjsvc) - Unknown owner - .exe (file missing)
O23 - Service: Connexion secondaire seclogonThemes (seclogonThemes) - Unknown owner - .exe (file missing)
O23 - Service: Client de suivi de lien distribué TrkWksNetDDE (TrkWksNetDDE) - Unknown owner - .exe (file missing)
O23 - Service: Hôte de périphérique universel Plug-and-Play upnphostMessengerProtectedStorage (upnphostMessengerProtectedStorage) - Unknown owner - .exe (file missing)
O23 - Service: Onduleur UPSTermService (UPSTermService) - Unknown owner - .exe (file missing)
O23 - Service: Carte de performance WMI WmiApSrvImapiService (WmiApSrvImapiService) - Unknown owner - .exe (file missing)
O23 - Service: Mises à jour automatiques wuauservRemoteAccess (wuauservRemoteAccess) - Unknown owner - .exe (file missing)
ludsfa (1287 posts, Member)
 
hi malou,

If you have run ComboFix, can you send me the report?
ludsfa (1287 posts, Member)
 
hi,

Download ComboFix (by sUBs) to your Desktop.
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

* Temporarily disable all resident protection! (Antivirus, antispyware, ...)
* Double-click ComboFix.exe.
* Accept the license by clicking Yes.
* When the operation is finished, a report will appear. Post that report in your next reply.

The report is located here: %systemdrive%\ComboFix.txt (%systemdrive% being the partition where Windows is installed; usually C:\)
malou
 
hello
I downloaded ComboFix
I ran a scan
the "your computer is infected" message has disappeared
I think everything is fixed
thank you
ludsfa (1287 posts, Member)
 
hi malou,

can you send me the report, because there are certainly infections that ComboFix hasn't removed.