Trojan
ElLoKi
Messages postés
6
Statut
Membre
-
ElLoKi -
ElLoKi -
Bonjour,
J'ai attrapé un virus depuis peu, je l'ai remarqué car un certain nombre de pubs est soudainement apparu. Suite à la lecture de certains sujets, j'ai téléchargé Malwarebytes ce qui a supprimé tous les problèmes excepté un: j'ai un fichier kdcns qui est toujours présent.
Pourriez-vous m'aider à le supprimer?
Merci d'avance.
Voici le scan:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:48:06, on 26/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20583)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\WINDOWS\RTHDCPL.EXE
C:\ADVANC~1\wh_exec.exe
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Documents and Settings\ElLoKi\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Azureus\Azureus.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.fr/?gws_rd=ssl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://runonce.msn.com/runonce3.aspx
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [WheelMouse] C:\ADVANC~1\wh_exec.exe
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdcns.exe] C:\WINDOWS\system32\kdcns.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\ElLoKi\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [EA Core] C:\Program Files\Electronic Arts\EADM\Core.exe -silent
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O20 - AppInit_DLLs: rkhvex.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Service Bonjour (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
J'ai attrapé un virus depuis peu, je l'ai remarqué car un certain nombre de pubs est soudainement apparu. Suite à la lecture de certains sujets, j'ai téléchargé Malwarebytes ce qui a supprimé tous les problèmes excepté un: j'ai un fichier kdcns qui est toujours présent.
Pourriez-vous m'aider à le supprimer?
Merci d'avance.
Voici le scan:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:48:06, on 26/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20583)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\WINDOWS\RTHDCPL.EXE
C:\ADVANC~1\wh_exec.exe
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Documents and Settings\ElLoKi\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Azureus\Azureus.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.fr/?gws_rd=ssl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://runonce.msn.com/runonce3.aspx
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [WheelMouse] C:\ADVANC~1\wh_exec.exe
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdcns.exe] C:\WINDOWS\system32\kdcns.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\ElLoKi\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [EA Core] C:\Program Files\Electronic Arts\EADM\Core.exe -silent
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O20 - AppInit_DLLs: rkhvex.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Service Bonjour (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
A voir également:
- Trojan
- Trojan remover - Télécharger - Antivirus & Antimalwares
- Anti trojan - Télécharger - Antivirus & Antimalwares
- Trojan b901 system32 win config 34 ✓ - Forum Virus
- Csrss.exe trojan fr ✓ - Forum Virus
- Virus trojan al11 ✓ - Forum Virus
11 réponses
slt,
Télécharge Combofix de sUBs : Renomme le avant toute installation, par exemple, nomme le "KillBagle". aide ici : https://forum.pcastuces.com/sujet.asp?f=25&s=37315
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Sauvegarde le sur ton bureau et pas ailleurs !
Aide à l’utilisation de combofix ici: http://bibou0007.forumpro.fr/tutos-f45/tutorial-combofix-t121.htm
Double-clic sur combofix, Il va te poser une question, réponds par la touche 1 et entrée pour valider, laisse toi guider.
Attends que combofix ait terminé, un rapport sera créé. Poste le rapport.
Télécharge Combofix de sUBs : Renomme le avant toute installation, par exemple, nomme le "KillBagle". aide ici : https://forum.pcastuces.com/sujet.asp?f=25&s=37315
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Sauvegarde le sur ton bureau et pas ailleurs !
Aide à l’utilisation de combofix ici: http://bibou0007.forumpro.fr/tutos-f45/tutorial-combofix-t121.htm
Double-clic sur combofix, Il va te poser une question, réponds par la touche 1 et entrée pour valider, laisse toi guider.
Attends que combofix ait terminé, un rapport sera créé. Poste le rapport.
Voici le rapport (j'ai eu le temps de faire le boulet O_o)
ComboFix 08-11-26.03 - ElLoKi 2008-11-26 12:07:19.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1429 [GMT 1:00]
Running from: c:\documents and settings\ElLoKi\Desktop\KillBagle.exe
.
((((((((((((((((((((((((( Files Created from 2008-10-26 to 2008-11-26 )))))))))))))))))))))))))))))))
.
2008-11-26 11:54 . 2008-11-26 12:01 <DIR> d-------- C:\ComboFix
2008-11-26 11:36 . 2008-11-26 11:36 <DIR> d-------- c:\program files\Trend Micro
2008-11-26 10:24 . 2008-11-26 10:24 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-26 10:24 . 2008-11-26 10:24 <DIR> d-------- c:\documents and settings\ElLoKi\Application Data\Malwarebytes
2008-11-26 10:24 . 2008-11-26 10:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-26 10:24 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-26 10:24 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-22 21:40 . 2008-11-22 21:40 27,904 --a------ c:\windows\system32\drivers\ndisprot.sys
2008-11-17 17:02 . 2008-11-17 17:02 <DIR> d-------- c:\program files\Custom-Strike
2008-11-17 17:02 . 1998-06-18 00:00 89,360 --a------ c:\windows\system32\VB5DB.DLL
2008-11-16 12:24 . 2008-11-16 12:24 <DIR> d-------- c:\program files\Ventrilo
2008-11-16 12:24 . 2008-11-16 12:24 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-16 12:24 . 2008-11-16 12:24 262 --a------ c:\windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
2008-11-11 01:50 . 2008-11-11 01:50 <DIR> d-------- C:\ProgramData
2008-11-11 01:50 . 2008-11-11 01:50 4,720 --a------ c:\windows\system32\ealregsnapshot1.reg
2008-11-09 15:52 . 2008-11-09 15:52 <DIR> dr-h----- c:\documents and settings\ElLoKi\Application Data\SecuROM
2008-10-31 18:37 . 2008-10-31 18:37 <DIR> d-------- c:\documents and settings\ElLoKi\Application Data\Red Alert 3
2008-10-31 18:11 . 2008-11-11 00:25 <DIR> d-------- C:\ra3
2008-10-31 15:31 . 2008-10-31 15:31 <DIR> d-------- c:\windows\Logs
2008-10-31 15:31 . 2008-05-30 14:11 3,850,760 --a------ c:\windows\system32\D3DX9_38.dll
2008-10-31 15:31 . 2007-07-19 18:14 3,727,720 --a------ c:\windows\system32\d3dx9_35.dll
2008-10-31 15:31 . 2008-05-30 14:11 1,491,992 --a------ c:\windows\system32\D3DCompiler_38.dll
2008-10-31 15:31 . 2007-07-19 18:14 1,358,192 --a------ c:\windows\system32\D3DCompiler_35.dll
2008-10-31 15:31 . 2008-05-30 14:11 467,984 --a------ c:\windows\system32\d3dx10_38.dll
2008-10-31 15:31 . 2007-07-19 18:14 444,776 --a------ c:\windows\system32\d3dx10_35.dll
2008-10-29 14:01 . 2008-10-29 14:03 <DIR> d-------- c:\program files\MessenPass
2008-10-29 14:01 . 2008-10-29 14:01 39,424 --a------ c:\windows\zipinst.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-26 11:07 --------- d-----w c:\documents and settings\ElLoKi\Application Data\Azureus
2008-11-26 11:00 81,984 ----a-w c:\windows\system32\bdod.bin
2008-11-26 00:08 --------- d-----w c:\program files\Steam
2008-11-25 21:57 --------- d-----w c:\documents and settings\ElLoKi\Application Data\teamspeak2
2008-11-25 20:03 --------- d-----w c:\documents and settings\ElLoKi\Application Data\Hamachi
2008-11-25 18:28 --------- d-----w c:\documents and settings\ElLoKi\Application Data\OpenOffice.org2
2008-11-22 01:32 --------- d-----w c:\documents and settings\ElLoKi\Application Data\foobar2000
2008-11-17 16:02 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-16 11:24 --------- d-----w c:\documents and settings\ElLoKi\Application Data\Ventrilo
2008-11-11 00:50 --------- d-----w c:\program files\Electronic Arts
2008-11-04 23:51 --------- d-----w c:\documents and settings\ElLoKi\Application Data\LimeWire
2008-11-04 16:01 --------- d-----w c:\program files\LimeWire
2008-10-20 06:38 --------- d-----w c:\program files\foobar2000
2008-10-08 14:30 --------- d-----w c:\program files\WinGrosMaigre
2008-10-01 13:27 --------- d-----w c:\program files\Safari
2008-10-01 13:27 --------- d-----w c:\documents and settings\ElLoKi\Application Data\Apple Computer
2008-10-01 13:26 --------- d-----w c:\program files\Bonjour
2008-10-01 13:26 --------- d-----w c:\program files\Apple Software Update
2008-10-01 13:26 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2008-07-07 07:44 357 ----a-w c:\documents and settings\ElLoKi\.cb_layout.bin
2007-12-22 15:59 16,384 --sha-w c:\windows\system32\config\systemprofile\Cookies\index.dat
2007-12-22 15:59 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
2007-12-22 15:59 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012007122220071223\index.dat
2007-12-22 15:59 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"Google Update"="c:\documents and settings\ElLoKi\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-11 133104]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2008-07-22 2772992]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HControl"="c:\windows\ATK0100\HControl.exe" [2006-10-14 110592]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2007-07-22 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"WheelMouse"="c:\advanc~1\wh_exec.exe" [2007-03-11 86016]
"BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2008\IEShow.exe" [2007-10-09 61440]
"BDAgent"="c:\program files\BitDefender\BitDefender 2008\bdagent.exe" [2008-09-16 368640]
"RTHDCPL"="RTHDCPL.EXE" [2007-10-16 c:\windows\RTHDCPL.EXE]
"SkyTel"="SkyTel.EXE" [2007-10-11 c:\windows\SkyTel.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=rkhvex.dll
[HKLM\~\startupfolder\C:^Documents and Settings^ElLoKi^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\ElLoKi\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^ElLoKi^Start Menu^Programs^Startup^OpenOffice.org 2.4.lnk]
path=c:\documents and settings\ElLoKi\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk
backup=c:\windows\pss\OpenOffice.org 2.4.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-01-03 14:54 486856 c:\program files\DAEMON Tools Lite\daemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 11:34 5724184 c:\program files\Windows Live\Messenger\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2006-11-10 12:35 90112 c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-10-08 08:49 1410296 c:\program files\Steam\Steam.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-12-14 03:42 144784 c:\program files\Java\jre1.6.0_04\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Steam\\steamapps\\9loki2\\counter-strike\\hl.exe"=
"c:\\Program Files\\AOE2 on home\\age2_x1\\age2_x1.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3y.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
R1 atitray;atitray;\??\c:\program files\Radeon Omega Drivers\v3.8.421\ATI Tray Tools\atitray.sys [2005-11-14 17824]
R3 whfltr2k;WheelMouse USB Lower Filter Driver;c:\windows\system32\DRIVERS\whfltr2k.sys [2007-01-25 6784]
R3 whmice2k;Advanced Wheel Mouse Upper Filter Driver;c:\windows\system32\DRIVERS\whmice2k.sys [2004-04-26 6885]
S3 Ndisprot;ArcNet NDIS Protocol Driver;\??\c:\windows\system32\drivers\Ndisprot.sys [2008-11-22 27904]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{44a6e1a2-b7c5-11dc-a862-0015af487e60}]
\Shell\AutoRun\command - E:\autorun.exe
\Shell\setup\command - E:\setup.exe
*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
2008-11-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]
2008-11-26 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\ElLoKi\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-11 23:19]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\ElLoKi\Application Data\Mozilla\Firefox\Profiles\hfpz8zn1.default\
FF -: plugin - c:\documents and settings\ElLoKi\Local Settings\Application Data\Google\Update\1.2.131.27\npGoogleOneClick6.dll
FF -: plugin - c:\program files\DivX\DivX Content Uploader\npUpload.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-26 12:08:04
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\bdfsfltr]
"ImagePath"=hex:73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,52,\
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\bdfsfltr]
"ImagePath"=hex:73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,52,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(884)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2008-11-26 12:08:41
ComboFix-quarantined-files.txt 2008-11-26 11:08:36
ComboFix2.txt 2008-11-26 11:01:25
Pre-Run: 76 632 449 024 bytes free
Post-Run: 76,622,606,336 bytes free
172
ComboFix 08-11-26.03 - ElLoKi 2008-11-26 12:07:19.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1429 [GMT 1:00]
Running from: c:\documents and settings\ElLoKi\Desktop\KillBagle.exe
.
((((((((((((((((((((((((( Files Created from 2008-10-26 to 2008-11-26 )))))))))))))))))))))))))))))))
.
2008-11-26 11:54 . 2008-11-26 12:01 <DIR> d-------- C:\ComboFix
2008-11-26 11:36 . 2008-11-26 11:36 <DIR> d-------- c:\program files\Trend Micro
2008-11-26 10:24 . 2008-11-26 10:24 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-26 10:24 . 2008-11-26 10:24 <DIR> d-------- c:\documents and settings\ElLoKi\Application Data\Malwarebytes
2008-11-26 10:24 . 2008-11-26 10:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-26 10:24 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-26 10:24 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-22 21:40 . 2008-11-22 21:40 27,904 --a------ c:\windows\system32\drivers\ndisprot.sys
2008-11-17 17:02 . 2008-11-17 17:02 <DIR> d-------- c:\program files\Custom-Strike
2008-11-17 17:02 . 1998-06-18 00:00 89,360 --a------ c:\windows\system32\VB5DB.DLL
2008-11-16 12:24 . 2008-11-16 12:24 <DIR> d-------- c:\program files\Ventrilo
2008-11-16 12:24 . 2008-11-16 12:24 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-16 12:24 . 2008-11-16 12:24 262 --a------ c:\windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
2008-11-11 01:50 . 2008-11-11 01:50 <DIR> d-------- C:\ProgramData
2008-11-11 01:50 . 2008-11-11 01:50 4,720 --a------ c:\windows\system32\ealregsnapshot1.reg
2008-11-09 15:52 . 2008-11-09 15:52 <DIR> dr-h----- c:\documents and settings\ElLoKi\Application Data\SecuROM
2008-10-31 18:37 . 2008-10-31 18:37 <DIR> d-------- c:\documents and settings\ElLoKi\Application Data\Red Alert 3
2008-10-31 18:11 . 2008-11-11 00:25 <DIR> d-------- C:\ra3
2008-10-31 15:31 . 2008-10-31 15:31 <DIR> d-------- c:\windows\Logs
2008-10-31 15:31 . 2008-05-30 14:11 3,850,760 --a------ c:\windows\system32\D3DX9_38.dll
2008-10-31 15:31 . 2007-07-19 18:14 3,727,720 --a------ c:\windows\system32\d3dx9_35.dll
2008-10-31 15:31 . 2008-05-30 14:11 1,491,992 --a------ c:\windows\system32\D3DCompiler_38.dll
2008-10-31 15:31 . 2007-07-19 18:14 1,358,192 --a------ c:\windows\system32\D3DCompiler_35.dll
2008-10-31 15:31 . 2008-05-30 14:11 467,984 --a------ c:\windows\system32\d3dx10_38.dll
2008-10-31 15:31 . 2007-07-19 18:14 444,776 --a------ c:\windows\system32\d3dx10_35.dll
2008-10-29 14:01 . 2008-10-29 14:03 <DIR> d-------- c:\program files\MessenPass
2008-10-29 14:01 . 2008-10-29 14:01 39,424 --a------ c:\windows\zipinst.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-26 11:07 --------- d-----w c:\documents and settings\ElLoKi\Application Data\Azureus
2008-11-26 11:00 81,984 ----a-w c:\windows\system32\bdod.bin
2008-11-26 00:08 --------- d-----w c:\program files\Steam
2008-11-25 21:57 --------- d-----w c:\documents and settings\ElLoKi\Application Data\teamspeak2
2008-11-25 20:03 --------- d-----w c:\documents and settings\ElLoKi\Application Data\Hamachi
2008-11-25 18:28 --------- d-----w c:\documents and settings\ElLoKi\Application Data\OpenOffice.org2
2008-11-22 01:32 --------- d-----w c:\documents and settings\ElLoKi\Application Data\foobar2000
2008-11-17 16:02 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-16 11:24 --------- d-----w c:\documents and settings\ElLoKi\Application Data\Ventrilo
2008-11-11 00:50 --------- d-----w c:\program files\Electronic Arts
2008-11-04 23:51 --------- d-----w c:\documents and settings\ElLoKi\Application Data\LimeWire
2008-11-04 16:01 --------- d-----w c:\program files\LimeWire
2008-10-20 06:38 --------- d-----w c:\program files\foobar2000
2008-10-08 14:30 --------- d-----w c:\program files\WinGrosMaigre
2008-10-01 13:27 --------- d-----w c:\program files\Safari
2008-10-01 13:27 --------- d-----w c:\documents and settings\ElLoKi\Application Data\Apple Computer
2008-10-01 13:26 --------- d-----w c:\program files\Bonjour
2008-10-01 13:26 --------- d-----w c:\program files\Apple Software Update
2008-10-01 13:26 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2008-07-07 07:44 357 ----a-w c:\documents and settings\ElLoKi\.cb_layout.bin
2007-12-22 15:59 16,384 --sha-w c:\windows\system32\config\systemprofile\Cookies\index.dat
2007-12-22 15:59 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
2007-12-22 15:59 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012007122220071223\index.dat
2007-12-22 15:59 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"Google Update"="c:\documents and settings\ElLoKi\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-11 133104]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2008-07-22 2772992]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HControl"="c:\windows\ATK0100\HControl.exe" [2006-10-14 110592]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2007-07-22 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"WheelMouse"="c:\advanc~1\wh_exec.exe" [2007-03-11 86016]
"BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2008\IEShow.exe" [2007-10-09 61440]
"BDAgent"="c:\program files\BitDefender\BitDefender 2008\bdagent.exe" [2008-09-16 368640]
"RTHDCPL"="RTHDCPL.EXE" [2007-10-16 c:\windows\RTHDCPL.EXE]
"SkyTel"="SkyTel.EXE" [2007-10-11 c:\windows\SkyTel.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=rkhvex.dll
[HKLM\~\startupfolder\C:^Documents and Settings^ElLoKi^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\ElLoKi\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^ElLoKi^Start Menu^Programs^Startup^OpenOffice.org 2.4.lnk]
path=c:\documents and settings\ElLoKi\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk
backup=c:\windows\pss\OpenOffice.org 2.4.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-01-03 14:54 486856 c:\program files\DAEMON Tools Lite\daemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 11:34 5724184 c:\program files\Windows Live\Messenger\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2006-11-10 12:35 90112 c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-10-08 08:49 1410296 c:\program files\Steam\Steam.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-12-14 03:42 144784 c:\program files\Java\jre1.6.0_04\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Steam\\steamapps\\9loki2\\counter-strike\\hl.exe"=
"c:\\Program Files\\AOE2 on home\\age2_x1\\age2_x1.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3y.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
R1 atitray;atitray;\??\c:\program files\Radeon Omega Drivers\v3.8.421\ATI Tray Tools\atitray.sys [2005-11-14 17824]
R3 whfltr2k;WheelMouse USB Lower Filter Driver;c:\windows\system32\DRIVERS\whfltr2k.sys [2007-01-25 6784]
R3 whmice2k;Advanced Wheel Mouse Upper Filter Driver;c:\windows\system32\DRIVERS\whmice2k.sys [2004-04-26 6885]
S3 Ndisprot;ArcNet NDIS Protocol Driver;\??\c:\windows\system32\drivers\Ndisprot.sys [2008-11-22 27904]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{44a6e1a2-b7c5-11dc-a862-0015af487e60}]
\Shell\AutoRun\command - E:\autorun.exe
\Shell\setup\command - E:\setup.exe
*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
2008-11-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]
2008-11-26 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\ElLoKi\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-11 23:19]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\ElLoKi\Application Data\Mozilla\Firefox\Profiles\hfpz8zn1.default\
FF -: plugin - c:\documents and settings\ElLoKi\Local Settings\Application Data\Google\Update\1.2.131.27\npGoogleOneClick6.dll
FF -: plugin - c:\program files\DivX\DivX Content Uploader\npUpload.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-26 12:08:04
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\bdfsfltr]
"ImagePath"=hex:73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,52,\
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\bdfsfltr]
"ImagePath"=hex:73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,52,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(884)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2008-11-26 12:08:41
ComboFix-quarantined-files.txt 2008-11-26 11:08:36
ComboFix2.txt 2008-11-26 11:01:25
Pre-Run: 76 632 449 024 bytes free
Post-Run: 76,622,606,336 bytes free
172
peut être que malwarebyte l'avais viré! ou alors avait écrit qu'il le virerai au prochain démarrage
tu avais gardé le rapport? colle le
_____________________
télécharge OTMoveIt
http://oldtimer.geekstogo.com/OTMoveIt3.exe
(de Old_Timer) sur ton Bureau.
double-clique sur OTMoveIt.exe pour le lancer.
copie la liste qui se trouve en citation ci-dessous,
et colle-la dans le cadre de gauche de OTMoveIt :Paste List of Files/Folders to be moved.
:files
C:\WINDOWS\system32\kdcns.exe
clique sur MoveIt! pour lancer la suppression.
le résultat apparaitra dans le cadre "Results".
clique sur Exit pour fermer.
poste le rapport situé dans C:\_OTMoveIt\MovedFiles.
il te sera peut-être demander de redémarrer le pc pour achever la suppression.si c'est le cas accepte par Yes.
tu avais gardé le rapport? colle le
_____________________
télécharge OTMoveIt
http://oldtimer.geekstogo.com/OTMoveIt3.exe
(de Old_Timer) sur ton Bureau.
double-clique sur OTMoveIt.exe pour le lancer.
copie la liste qui se trouve en citation ci-dessous,
et colle-la dans le cadre de gauche de OTMoveIt :Paste List of Files/Folders to be moved.
:files
C:\WINDOWS\system32\kdcns.exe
clique sur MoveIt! pour lancer la suppression.
le résultat apparaitra dans le cadre "Results".
clique sur Exit pour fermer.
poste le rapport situé dans C:\_OTMoveIt\MovedFiles.
il te sera peut-être demander de redémarrer le pc pour achever la suppression.si c'est le cas accepte par Yes.
Vous n’avez pas trouvé la réponse que vous recherchez ?
Posez votre question
slt garde malwarebyte en complément de bitdefender , vire le reste utilisé,
mets a jour adobe reader avec la version 9 et java avec la version 1.6.07 et windows avec le sp3
mets a jour adobe reader avec la version 9 et java avec la version 1.6.07 et windows avec le sp3
Fais un clic droit sur ce lien : (IL-MAFIOSO)
http://perso.orange.fr/il.mafioso/Navifix/Navilog1.exe
Enregistrer la cible (du lien) sous... et enregistre-le sur ton bureau.
Ensuite double clique sur navilog1.exe pour lancer l'installation.
Une fois l'installation terminée, le fix s'exécutera automatiquement.
(Si ce n'est pas le cas, double-clique sur le raccourci Navilog1 présent sur le bureau).
Laisse-toi guider. Au menu principal, choisis 1 et valides.
(ne fais pas le choix 2,3 ou 4 sans notre avis/accord)
Patiente jusqu'au message :
*** Analyse Termine le ..... ***
Appuie sur une touche comme demandé, le blocnote va s'ouvrir.
Copie-colle l'intégralité dans une réponse. Referme le blocnote.
Le rapport est en outre sauvegardé à la racine du disque (fixnavi.txt)
http://perso.orange.fr/il.mafioso/Navifix/Navilog1.exe
Enregistrer la cible (du lien) sous... et enregistre-le sur ton bureau.
Ensuite double clique sur navilog1.exe pour lancer l'installation.
Une fois l'installation terminée, le fix s'exécutera automatiquement.
(Si ce n'est pas le cas, double-clique sur le raccourci Navilog1 présent sur le bureau).
Laisse-toi guider. Au menu principal, choisis 1 et valides.
(ne fais pas le choix 2,3 ou 4 sans notre avis/accord)
Patiente jusqu'au message :
*** Analyse Termine le ..... ***
Appuie sur une touche comme demandé, le blocnote va s'ouvrir.
Copie-colle l'intégralité dans une réponse. Referme le blocnote.
Le rapport est en outre sauvegardé à la racine du disque (fixnavi.txt)
Voici le rapport:
Search Navipromo version 3.6.9 commencé le 29/11/2008 à 14:44:11,12
!!! Attention,ce rapport peut indiquer des fichiers/programmes légitimes!!!
!!! Postez ce rapport sur le forum pour le faire analyser !!!
!!! Ne lancez pas la partie désinfection sans l'avis d'un spécialiste !!!
Outil exécuté depuis C:\Program Files\navilog1
Session actuelle : "ElLoKi"
Mise à jour le 05.11.2008 à 21h00 par IL-MAFIOSO
Microsoft Windows XP [Version 5.1.2600]
Internet Explorer : 7.0.5730.11
Système de fichiers : NTFS
Recherche executé en mode normal
*** Recherche Programmes installés ***
*** Recherche dossiers dans "C:\WINDOWS" ***
*** Recherche dossiers dans "C:\Program Files" ***
*** Recherche dossiers dans "C:\Documents and Settings\All Users\startm~1\programs" ***
*** Recherche dossiers dans "C:\Documents and Settings\All Users\startm~1" ***
*** Recherche dossiers dans "c:\docume~1\alluse~1\applic~1" ***
*** Recherche dossiers dans "C:\Documents and Settings\ElLoKi\applic~1" ***
*** Recherche dossiers dans "C:\Documents and Settings\ElLoKi\locals~1\applic~1" ***
*** Recherche dossiers dans "C:\Documents and Settings\ElLoKi\startm~1\programs" ***
*** Recherche avec Catchme-rootkit/stealth malware detector par gmer ***
pour + d'infos : http://www.gmer.net
*** Recherche avec GenericNaviSearch ***
!!! Tous ces résultats peuvent révéler des fichiers légitimes !!!
!!! A vérifier impérativement avant toute suppression manuelle !!!
* Recherche dans "C:\WINDOWS\system32" *
* Recherche dans "C:\Documents and Settings\ElLoKi\locals~1\applic~1" *
*** Recherche fichiers ***
*** Recherche clés spécifiques dans le Registre ***
*** Module de Recherche complémentaire ***
(Recherche fichiers spécifiques)
1)Recherche nouveaux fichiers Instant Access :
2)Recherche Heuristique :
* Dans "C:\WINDOWS\system32" :
* Dans "C:\Documents and Settings\ElLoKi\locals~1\applic~1" :
3)Recherche Certificats :
Certificat Egroup absent !
Certificat Electronic-Group absent !
Certificat Montorgueil absent !
Certificat OOO-Favorit absent !
Certificat Sunny-Day-Design-Ltd absent !
4)Recherche fichiers connus :
C:\WINDOWS\system32\wyFOonmp.ini2 trouvé ! infection Vundo possible non traitée par cet outil !
*** Analyse terminée le 29/11/2008 à 14:52:08,82 ***
Search Navipromo version 3.6.9 commencé le 29/11/2008 à 14:44:11,12
!!! Attention,ce rapport peut indiquer des fichiers/programmes légitimes!!!
!!! Postez ce rapport sur le forum pour le faire analyser !!!
!!! Ne lancez pas la partie désinfection sans l'avis d'un spécialiste !!!
Outil exécuté depuis C:\Program Files\navilog1
Session actuelle : "ElLoKi"
Mise à jour le 05.11.2008 à 21h00 par IL-MAFIOSO
Microsoft Windows XP [Version 5.1.2600]
Internet Explorer : 7.0.5730.11
Système de fichiers : NTFS
Recherche executé en mode normal
*** Recherche Programmes installés ***
*** Recherche dossiers dans "C:\WINDOWS" ***
*** Recherche dossiers dans "C:\Program Files" ***
*** Recherche dossiers dans "C:\Documents and Settings\All Users\startm~1\programs" ***
*** Recherche dossiers dans "C:\Documents and Settings\All Users\startm~1" ***
*** Recherche dossiers dans "c:\docume~1\alluse~1\applic~1" ***
*** Recherche dossiers dans "C:\Documents and Settings\ElLoKi\applic~1" ***
*** Recherche dossiers dans "C:\Documents and Settings\ElLoKi\locals~1\applic~1" ***
*** Recherche dossiers dans "C:\Documents and Settings\ElLoKi\startm~1\programs" ***
*** Recherche avec Catchme-rootkit/stealth malware detector par gmer ***
pour + d'infos : http://www.gmer.net
*** Recherche avec GenericNaviSearch ***
!!! Tous ces résultats peuvent révéler des fichiers légitimes !!!
!!! A vérifier impérativement avant toute suppression manuelle !!!
* Recherche dans "C:\WINDOWS\system32" *
* Recherche dans "C:\Documents and Settings\ElLoKi\locals~1\applic~1" *
*** Recherche fichiers ***
*** Recherche clés spécifiques dans le Registre ***
*** Module de Recherche complémentaire ***
(Recherche fichiers spécifiques)
1)Recherche nouveaux fichiers Instant Access :
2)Recherche Heuristique :
* Dans "C:\WINDOWS\system32" :
* Dans "C:\Documents and Settings\ElLoKi\locals~1\applic~1" :
3)Recherche Certificats :
Certificat Egroup absent !
Certificat Electronic-Group absent !
Certificat Montorgueil absent !
Certificat OOO-Favorit absent !
Certificat Sunny-Day-Design-Ltd absent !
4)Recherche fichiers connus :
C:\WINDOWS\system32\wyFOonmp.ini2 trouvé ! infection Vundo possible non traitée par cet outil !
*** Analyse terminée le 29/11/2008 à 14:52:08,82 ***
slt ok
une infection vundo
télécharge OTMoveIt
http://oldtimer.geekstogo.com/OTMoveIt3.exe (de Old_Timer) sur ton Bureau.
double-clique sur OTMoveIt.exe pour le lancer.
copie la liste qui se trouve en citation ci-dessous,
et colle-la dans le cadre de gauche de OTMoveIt :Paste instruction for items to be moved.
:files
C:\WINDOWS\system32\wyFOonmp.ini2
clique sur MoveIt! pour lancer la suppression.
le résultat apparaitra dans le cadre "Results".
clique sur Exit pour fermer.
poste le rapport situé dans C:\_OTMoveIt\MovedFiles.
il te sera peut-être demander de redémarrer le pc pour achever la suppression.si c'est le cas accepte par Yes.
____________
passe malwarebyte en mode normal
_____________
puis
retelecharge combofix pour avoir la dernière version et lance le et colle le rapport
une infection vundo
télécharge OTMoveIt
http://oldtimer.geekstogo.com/OTMoveIt3.exe (de Old_Timer) sur ton Bureau.
double-clique sur OTMoveIt.exe pour le lancer.
copie la liste qui se trouve en citation ci-dessous,
et colle-la dans le cadre de gauche de OTMoveIt :Paste instruction for items to be moved.
:files
C:\WINDOWS\system32\wyFOonmp.ini2
clique sur MoveIt! pour lancer la suppression.
le résultat apparaitra dans le cadre "Results".
clique sur Exit pour fermer.
poste le rapport situé dans C:\_OTMoveIt\MovedFiles.
il te sera peut-être demander de redémarrer le pc pour achever la suppression.si c'est le cas accepte par Yes.
____________
passe malwarebyte en mode normal
_____________
puis
retelecharge combofix pour avoir la dernière version et lance le et colle le rapport
Voici le rapport de OTMovit3:
========== FILES ==========
C:\WINDOWS\system32\wyFOonmp.ini2 moved successfully.
Et le rapport de Combofix
ComboFix 08-11-28.03 - ElLoKi 2008-11-29 15:25:31.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1474 [GMT 1:00]
Running from: c:\documents and settings\ElLoKi\Desktop\KillBagle.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\wyFOonmp.ini2
.
((((((((((((((((((((((((( Files Created from 2008-10-28 to 2008-11-29 )))))))))))))))))))))))))))))))
.
2008-11-29 14:42 . 2008-11-29 14:53 <DIR> d-------- c:\program files\Navilog1
2008-11-29 14:41 . 2008-11-29 14:41 <DIR> d-------- c:\program files\Apple Software Update
2008-11-29 14:39 . 2008-04-17 13:12 107,368 --a------ c:\windows\system32\GEARAspi.dll
2008-11-29 14:39 . 2008-04-17 13:12 15,464 --a------ c:\windows\system32\drivers\GEARAspiWDM.sys
2008-11-29 14:38 . 2008-11-29 14:39 <DIR> d-------- c:\program files\iTunes
2008-11-29 14:38 . 2008-11-29 14:38 <DIR> d-------- c:\program files\iPod
2008-11-29 14:38 . 2008-11-29 14:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-29 14:36 . 2008-11-29 14:37 <DIR> d-------- c:\program files\QuickTime
2008-11-29 14:20 . 2008-11-29 14:20 <DIR> d-------- C:\_OTMoveIt
2008-11-29 14:14 . 2008-11-29 14:14 <DIR> d-------- c:\program files\Bonjour
2008-11-29 14:11 . 2008-11-29 14:38 <DIR> d-------- c:\program files\Common Files\Apple
2008-11-29 14:11 . 2008-11-29 14:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2008-11-26 11:54 . 2008-11-26 12:01 <DIR> d-------- C:\ComboFix
2008-11-26 11:36 . 2008-11-26 11:36 <DIR> d-------- c:\program files\Trend Micro
2008-11-26 10:24 . 2008-11-26 10:24 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-26 10:24 . 2008-11-26 10:24 <DIR> d-------- c:\documents and settings\ElLoKi\Application Data\Malwarebytes
2008-11-26 10:24 . 2008-11-26 10:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-26 10:24 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-26 10:24 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-22 21:40 . 2008-11-22 21:40 27,904 --a------ c:\windows\system32\drivers\ndisprot.sys
2008-11-17 17:02 . 2008-11-17 17:02 <DIR> d-------- c:\program files\Custom-Strike
2008-11-17 17:02 . 1998-06-18 00:00 89,360 --a------ c:\windows\system32\VB5DB.DLL
2008-11-16 12:24 . 2008-11-16 12:24 <DIR> d-------- c:\program files\Ventrilo
2008-11-16 12:24 . 2008-11-16 12:24 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-16 12:24 . 2008-11-16 12:24 262 --a------ c:\windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
2008-11-11 01:50 . 2008-11-11 01:50 <DIR> d-------- C:\ProgramData
2008-11-11 01:50 . 2008-11-11 01:50 4,720 --a------ c:\windows\system32\ealregsnapshot1.reg
2008-11-09 15:52 . 2008-11-09 15:52 <DIR> dr-h----- c:\documents and settings\ElLoKi\Application Data\SecuROM
2008-11-04 10:30 . 2008-11-04 10:30 90,112 --a------ c:\windows\system32\QuickTimeVR.qtx
2008-11-04 10:30 . 2008-11-04 10:30 57,344 --a------ c:\windows\system32\QuickTime.qts
2008-10-31 18:37 . 2008-10-31 18:37 <DIR> d-------- c:\documents and settings\ElLoKi\Application Data\Red Alert 3
2008-10-31 18:11 . 2008-11-11 00:25 <DIR> d-------- C:\ra3
2008-10-31 15:31 . 2008-10-31 15:31 <DIR> d-------- c:\windows\Logs
2008-10-31 15:31 . 2008-05-30 14:11 3,850,760 --a------ c:\windows\system32\D3DX9_38.dll
2008-10-31 15:31 . 2007-07-19 18:14 3,727,720 --a------ c:\windows\system32\d3dx9_35.dll
2008-10-31 15:31 . 2008-05-30 14:11 1,491,992 --a------ c:\windows\system32\D3DCompiler_38.dll
2008-10-31 15:31 . 2007-07-19 18:14 1,358,192 --a------ c:\windows\system32\D3DCompiler_35.dll
2008-10-31 15:31 . 2008-05-30 14:11 467,984 --a------ c:\windows\system32\d3dx10_38.dll
2008-10-31 15:31 . 2007-07-19 18:14 444,776 --a------ c:\windows\system32\d3dx10_35.dll
2008-10-29 14:01 . 2008-10-29 14:03 <DIR> d-------- c:\program files\MessenPass
2008-10-29 14:01 . 2008-10-29 14:01 39,424 --a------ c:\windows\zipinst.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-29 14:28 81,984 ----a-w c:\windows\system32\bdod.bin
2008-11-29 14:20 --------- d-----w c:\program files\Steam
2008-11-29 13:40 --------- d-----w c:\documents and settings\ElLoKi\Application Data\Apple Computer
2008-11-29 13:23 --------- d-----w c:\program files\Safari
2008-11-28 19:17 --------- d-----w c:\documents and settings\ElLoKi\Application Data\teamspeak2
2008-11-26 11:23 --------- d-----w c:\program files\Azureus
2008-11-26 11:23 --------- d-----w c:\documents and settings\ElLoKi\Application Data\Azureus
2008-11-25 20:03 --------- d-----w c:\documents and settings\ElLoKi\Application Data\Hamachi
2008-11-25 18:28 --------- d-----w c:\documents and settings\ElLoKi\Application Data\OpenOffice.org2
2008-11-22 01:32 --------- d-----w c:\documents and settings\ElLoKi\Application Data\foobar2000
2008-11-17 16:02 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-16 11:24 --------- d-----w c:\documents and settings\ElLoKi\Application Data\Ventrilo
2008-11-11 00:50 --------- d-----w c:\program files\Electronic Arts
2008-11-04 23:51 --------- d-----w c:\documents and settings\ElLoKi\Application Data\LimeWire
2008-11-04 16:01 --------- d-----w c:\program files\LimeWire
2008-10-20 06:38 --------- d-----w c:\program files\foobar2000
2008-10-08 14:30 --------- d-----w c:\program files\WinGrosMaigre
2008-10-01 13:26 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2008-08-29 09:18 87,336 ----a-w c:\windows\system32\dns-sd.exe
2008-08-29 08:53 65,536 ----a-w c:\windows\system32\jdns_sd.dll
2008-08-29 08:53 61,440 ----a-w c:\windows\system32\dnssd.dll
2008-07-07 07:44 357 ----a-w c:\documents and settings\ElLoKi\.cb_layout.bin
2007-12-22 15:59 16,384 --sha-w c:\windows\system32\config\systemprofile\Cookies\index.dat
2007-12-22 15:59 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
2007-12-22 15:59 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012007122220071223\index.dat
2007-12-22 15:59 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((( snapshot@2008-11-26_12.00.58,54 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-11-29 13:40:37 102,400 ----a-r c:\windows\Installer\{318AB667-3230-41B5-A617-CB3BF748D371}\iTunesIco.exe
+ 2008-11-29 13:23:34 307,200 ----a-r c:\windows\Installer\{582D2A53-F426-4C5E-A2E6-43C1AB36B907}\SafariIco.exe
+ 2008-11-29 13:41:22 27,136 ----a-r c:\windows\Installer\{6956856F-B6B3-4BE0-BA0B-8F495BE32033}\AppleSoftwareUpdateIco.exe
+ 2008-11-29 13:14:11 86,016 ----a-r c:\windows\Installer\{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}\PrntWzrdIco.exe
+ 2008-04-17 12:12:54 107,368 -c--a-w c:\windows\system32\DRVSTORE\GEARAspiWD_D213663B6381F01E45A131159A9DEFE018321CB3\x86\GEARAspi.dll
+ 2008-04-17 12:12:54 15,464 -c--a-w c:\windows\system32\DRVSTORE\GEARAspiWD_D213663B6381F01E45A131159A9DEFE018321CB3\x86\GEARAspiWDM.sys
+ 2008-11-07 13:23:30 32,000 -c--a-w c:\windows\system32\DRVSTORE\usbaapl_246F92BBD6449C86FC3F3F28C40D59AC1F69C558\usbaapl.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"Google Update"="c:\documents and settings\ElLoKi\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-11 133104]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2008-07-22 2772992]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HControl"="c:\windows\ATK0100\HControl.exe" [2006-10-14 110592]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2007-07-22 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"WheelMouse"="c:\advanc~1\wh_exec.exe" [2007-03-11 86016]
"BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2008\IEShow.exe" [2007-10-09 61440]
"BDAgent"="c:\program files\BitDefender\BitDefender 2008\bdagent.exe" [2008-09-16 368640]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"RTHDCPL"="RTHDCPL.EXE" [2007-10-16 c:\windows\RTHDCPL.EXE]
"SkyTel"="SkyTel.EXE" [2007-10-11 c:\windows\SkyTel.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=rkhvex.dll ccxhqc.dll
[HKLM\~\startupfolder\C:^Documents and Settings^ElLoKi^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\ElLoKi\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^ElLoKi^Start Menu^Programs^Startup^OpenOffice.org 2.4.lnk]
path=c:\documents and settings\ElLoKi\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk
backup=c:\windows\pss\OpenOffice.org 2.4.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-01-03 14:54 486856 c:\program files\DAEMON Tools Lite\daemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 11:34 5724184 c:\program files\Windows Live\Messenger\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2006-11-10 12:35 90112 c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-10-08 08:49 1410296 c:\program files\Steam\Steam.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-12-14 03:42 144784 c:\program files\Java\jre1.6.0_04\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Steam\\steamapps\\9loki2\\counter-strike\\hl.exe"=
"c:\\Program Files\\AOE2 on home\\age2_x1\\age2_x1.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3y.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R1 atitray;atitray;\??\c:\program files\Radeon Omega Drivers\v3.8.421\ATI Tray Tools\atitray.sys [2005-11-14 17824]
R3 whfltr2k;WheelMouse USB Lower Filter Driver;c:\windows\system32\DRIVERS\whfltr2k.sys [2007-01-25 6784]
R3 whmice2k;Advanced Wheel Mouse Upper Filter Driver;c:\windows\system32\DRIVERS\whmice2k.sys [2004-04-26 6885]
S3 Ndisprot;ArcNet NDIS Protocol Driver;\??\c:\windows\system32\drivers\Ndisprot.sys [2008-11-22 27904]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{44a6e1a2-b7c5-11dc-a862-0015af487e60}]
\Shell\AutoRun\command - E:\autorun.exe
\Shell\setup\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder
2008-11-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
2008-11-29 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\ElLoKi\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-11 23:19]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\ElLoKi\Application Data\Mozilla\Firefox\Profiles\hfpz8zn1.default\
FF -: plugin - c:\documents and settings\ElLoKi\Local Settings\Application Data\Google\Update\1.2.131.27\npGoogleOneClick6.dll
FF -: plugin - c:\program files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-29 15:28:45
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\bdfsfltr]
"ImagePath"=hex:73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,52,\
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\bdfsfltr]
"ImagePath"=hex:73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,52,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(884)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2008-11-29 15:29:27
ComboFix-quarantined-files.txt 2008-11-29 14:29:21
ComboFix2.txt 2008-11-26 11:08:42
ComboFix3.txt 2008-11-26 11:01:25
Pre-Run: 57 878 687 744 bytes free
Post-Run: 57,921,904,640 bytes free
206
========== FILES ==========
C:\WINDOWS\system32\wyFOonmp.ini2 moved successfully.
Et le rapport de Combofix
ComboFix 08-11-28.03 - ElLoKi 2008-11-29 15:25:31.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1474 [GMT 1:00]
Running from: c:\documents and settings\ElLoKi\Desktop\KillBagle.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\wyFOonmp.ini2
.
((((((((((((((((((((((((( Files Created from 2008-10-28 to 2008-11-29 )))))))))))))))))))))))))))))))
.
2008-11-29 14:42 . 2008-11-29 14:53 <DIR> d-------- c:\program files\Navilog1
2008-11-29 14:41 . 2008-11-29 14:41 <DIR> d-------- c:\program files\Apple Software Update
2008-11-29 14:39 . 2008-04-17 13:12 107,368 --a------ c:\windows\system32\GEARAspi.dll
2008-11-29 14:39 . 2008-04-17 13:12 15,464 --a------ c:\windows\system32\drivers\GEARAspiWDM.sys
2008-11-29 14:38 . 2008-11-29 14:39 <DIR> d-------- c:\program files\iTunes
2008-11-29 14:38 . 2008-11-29 14:38 <DIR> d-------- c:\program files\iPod
2008-11-29 14:38 . 2008-11-29 14:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-29 14:36 . 2008-11-29 14:37 <DIR> d-------- c:\program files\QuickTime
2008-11-29 14:20 . 2008-11-29 14:20 <DIR> d-------- C:\_OTMoveIt
2008-11-29 14:14 . 2008-11-29 14:14 <DIR> d-------- c:\program files\Bonjour
2008-11-29 14:11 . 2008-11-29 14:38 <DIR> d-------- c:\program files\Common Files\Apple
2008-11-29 14:11 . 2008-11-29 14:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2008-11-26 11:54 . 2008-11-26 12:01 <DIR> d-------- C:\ComboFix
2008-11-26 11:36 . 2008-11-26 11:36 <DIR> d-------- c:\program files\Trend Micro
2008-11-26 10:24 . 2008-11-26 10:24 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-26 10:24 . 2008-11-26 10:24 <DIR> d-------- c:\documents and settings\ElLoKi\Application Data\Malwarebytes
2008-11-26 10:24 . 2008-11-26 10:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-26 10:24 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-26 10:24 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-22 21:40 . 2008-11-22 21:40 27,904 --a------ c:\windows\system32\drivers\ndisprot.sys
2008-11-17 17:02 . 2008-11-17 17:02 <DIR> d-------- c:\program files\Custom-Strike
2008-11-17 17:02 . 1998-06-18 00:00 89,360 --a------ c:\windows\system32\VB5DB.DLL
2008-11-16 12:24 . 2008-11-16 12:24 <DIR> d-------- c:\program files\Ventrilo
2008-11-16 12:24 . 2008-11-16 12:24 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-16 12:24 . 2008-11-16 12:24 262 --a------ c:\windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
2008-11-11 01:50 . 2008-11-11 01:50 <DIR> d-------- C:\ProgramData
2008-11-11 01:50 . 2008-11-11 01:50 4,720 --a------ c:\windows\system32\ealregsnapshot1.reg
2008-11-09 15:52 . 2008-11-09 15:52 <DIR> dr-h----- c:\documents and settings\ElLoKi\Application Data\SecuROM
2008-11-04 10:30 . 2008-11-04 10:30 90,112 --a------ c:\windows\system32\QuickTimeVR.qtx
2008-11-04 10:30 . 2008-11-04 10:30 57,344 --a------ c:\windows\system32\QuickTime.qts
2008-10-31 18:37 . 2008-10-31 18:37 <DIR> d-------- c:\documents and settings\ElLoKi\Application Data\Red Alert 3
2008-10-31 18:11 . 2008-11-11 00:25 <DIR> d-------- C:\ra3
2008-10-31 15:31 . 2008-10-31 15:31 <DIR> d-------- c:\windows\Logs
2008-10-31 15:31 . 2008-05-30 14:11 3,850,760 --a------ c:\windows\system32\D3DX9_38.dll
2008-10-31 15:31 . 2007-07-19 18:14 3,727,720 --a------ c:\windows\system32\d3dx9_35.dll
2008-10-31 15:31 . 2008-05-30 14:11 1,491,992 --a------ c:\windows\system32\D3DCompiler_38.dll
2008-10-31 15:31 . 2007-07-19 18:14 1,358,192 --a------ c:\windows\system32\D3DCompiler_35.dll
2008-10-31 15:31 . 2008-05-30 14:11 467,984 --a------ c:\windows\system32\d3dx10_38.dll
2008-10-31 15:31 . 2007-07-19 18:14 444,776 --a------ c:\windows\system32\d3dx10_35.dll
2008-10-29 14:01 . 2008-10-29 14:03 <DIR> d-------- c:\program files\MessenPass
2008-10-29 14:01 . 2008-10-29 14:01 39,424 --a------ c:\windows\zipinst.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-29 14:28 81,984 ----a-w c:\windows\system32\bdod.bin
2008-11-29 14:20 --------- d-----w c:\program files\Steam
2008-11-29 13:40 --------- d-----w c:\documents and settings\ElLoKi\Application Data\Apple Computer
2008-11-29 13:23 --------- d-----w c:\program files\Safari
2008-11-28 19:17 --------- d-----w c:\documents and settings\ElLoKi\Application Data\teamspeak2
2008-11-26 11:23 --------- d-----w c:\program files\Azureus
2008-11-26 11:23 --------- d-----w c:\documents and settings\ElLoKi\Application Data\Azureus
2008-11-25 20:03 --------- d-----w c:\documents and settings\ElLoKi\Application Data\Hamachi
2008-11-25 18:28 --------- d-----w c:\documents and settings\ElLoKi\Application Data\OpenOffice.org2
2008-11-22 01:32 --------- d-----w c:\documents and settings\ElLoKi\Application Data\foobar2000
2008-11-17 16:02 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-16 11:24 --------- d-----w c:\documents and settings\ElLoKi\Application Data\Ventrilo
2008-11-11 00:50 --------- d-----w c:\program files\Electronic Arts
2008-11-04 23:51 --------- d-----w c:\documents and settings\ElLoKi\Application Data\LimeWire
2008-11-04 16:01 --------- d-----w c:\program files\LimeWire
2008-10-20 06:38 --------- d-----w c:\program files\foobar2000
2008-10-08 14:30 --------- d-----w c:\program files\WinGrosMaigre
2008-10-01 13:26 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2008-08-29 09:18 87,336 ----a-w c:\windows\system32\dns-sd.exe
2008-08-29 08:53 65,536 ----a-w c:\windows\system32\jdns_sd.dll
2008-08-29 08:53 61,440 ----a-w c:\windows\system32\dnssd.dll
2008-07-07 07:44 357 ----a-w c:\documents and settings\ElLoKi\.cb_layout.bin
2007-12-22 15:59 16,384 --sha-w c:\windows\system32\config\systemprofile\Cookies\index.dat
2007-12-22 15:59 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
2007-12-22 15:59 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012007122220071223\index.dat
2007-12-22 15:59 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((( snapshot@2008-11-26_12.00.58,54 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-11-29 13:40:37 102,400 ----a-r c:\windows\Installer\{318AB667-3230-41B5-A617-CB3BF748D371}\iTunesIco.exe
+ 2008-11-29 13:23:34 307,200 ----a-r c:\windows\Installer\{582D2A53-F426-4C5E-A2E6-43C1AB36B907}\SafariIco.exe
+ 2008-11-29 13:41:22 27,136 ----a-r c:\windows\Installer\{6956856F-B6B3-4BE0-BA0B-8F495BE32033}\AppleSoftwareUpdateIco.exe
+ 2008-11-29 13:14:11 86,016 ----a-r c:\windows\Installer\{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}\PrntWzrdIco.exe
+ 2008-04-17 12:12:54 107,368 -c--a-w c:\windows\system32\DRVSTORE\GEARAspiWD_D213663B6381F01E45A131159A9DEFE018321CB3\x86\GEARAspi.dll
+ 2008-04-17 12:12:54 15,464 -c--a-w c:\windows\system32\DRVSTORE\GEARAspiWD_D213663B6381F01E45A131159A9DEFE018321CB3\x86\GEARAspiWDM.sys
+ 2008-11-07 13:23:30 32,000 -c--a-w c:\windows\system32\DRVSTORE\usbaapl_246F92BBD6449C86FC3F3F28C40D59AC1F69C558\usbaapl.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"Google Update"="c:\documents and settings\ElLoKi\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-11 133104]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2008-07-22 2772992]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HControl"="c:\windows\ATK0100\HControl.exe" [2006-10-14 110592]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2007-07-22 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"WheelMouse"="c:\advanc~1\wh_exec.exe" [2007-03-11 86016]
"BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2008\IEShow.exe" [2007-10-09 61440]
"BDAgent"="c:\program files\BitDefender\BitDefender 2008\bdagent.exe" [2008-09-16 368640]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"RTHDCPL"="RTHDCPL.EXE" [2007-10-16 c:\windows\RTHDCPL.EXE]
"SkyTel"="SkyTel.EXE" [2007-10-11 c:\windows\SkyTel.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=rkhvex.dll ccxhqc.dll
[HKLM\~\startupfolder\C:^Documents and Settings^ElLoKi^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\ElLoKi\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^ElLoKi^Start Menu^Programs^Startup^OpenOffice.org 2.4.lnk]
path=c:\documents and settings\ElLoKi\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk
backup=c:\windows\pss\OpenOffice.org 2.4.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-01-03 14:54 486856 c:\program files\DAEMON Tools Lite\daemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 11:34 5724184 c:\program files\Windows Live\Messenger\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2006-11-10 12:35 90112 c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-10-08 08:49 1410296 c:\program files\Steam\Steam.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-12-14 03:42 144784 c:\program files\Java\jre1.6.0_04\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Steam\\steamapps\\9loki2\\counter-strike\\hl.exe"=
"c:\\Program Files\\AOE2 on home\\age2_x1\\age2_x1.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3y.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R1 atitray;atitray;\??\c:\program files\Radeon Omega Drivers\v3.8.421\ATI Tray Tools\atitray.sys [2005-11-14 17824]
R3 whfltr2k;WheelMouse USB Lower Filter Driver;c:\windows\system32\DRIVERS\whfltr2k.sys [2007-01-25 6784]
R3 whmice2k;Advanced Wheel Mouse Upper Filter Driver;c:\windows\system32\DRIVERS\whmice2k.sys [2004-04-26 6885]
S3 Ndisprot;ArcNet NDIS Protocol Driver;\??\c:\windows\system32\drivers\Ndisprot.sys [2008-11-22 27904]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{44a6e1a2-b7c5-11dc-a862-0015af487e60}]
\Shell\AutoRun\command - E:\autorun.exe
\Shell\setup\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder
2008-11-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
2008-11-29 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\ElLoKi\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-11 23:19]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\ElLoKi\Application Data\Mozilla\Firefox\Profiles\hfpz8zn1.default\
FF -: plugin - c:\documents and settings\ElLoKi\Local Settings\Application Data\Google\Update\1.2.131.27\npGoogleOneClick6.dll
FF -: plugin - c:\program files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-29 15:28:45
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\bdfsfltr]
"ImagePath"=hex:73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,52,\
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\bdfsfltr]
"ImagePath"=hex:73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,52,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(884)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2008-11-29 15:29:27
ComboFix-quarantined-files.txt 2008-11-29 14:29:21
ComboFix2.txt 2008-11-26 11:08:42
ComboFix3.txt 2008-11-26 11:01:25
Pre-Run: 57 878 687 744 bytes free
Post-Run: 57,921,904,640 bytes free
206
ok fais malwarebyte
puis
Telecharge UsbFix sur ton bureau
http://sd-1.archive-host.com/membres/up/116615172019703188/UsbFix.exe
--> Lance l installation avec les parametres par default
Branche tes sources de données externes à ton PC, (clé USB, disque dur externe, etc...) suceptible d avoir été infectés sans les ouvrir
--> Double clic sur le raccourci UsbFix sur ton bureau
--> Le pc va redémarer
-->Apres redémarrage post le rapport UsbFix.txt
Note : le rapport UsbFix.txt est sauvegardé a la racine du disque
Note : Si le Bureau ne réapparait pas presse Ctrl + Alt + Suppr , Onglet "Fichier" , "Nouvelle tâche" , tapes explorer.exe et valides
______________
ensuite remet un hijakhcits et dis tes soucis
puis
Telecharge UsbFix sur ton bureau
http://sd-1.archive-host.com/membres/up/116615172019703188/UsbFix.exe
--> Lance l installation avec les parametres par default
Branche tes sources de données externes à ton PC, (clé USB, disque dur externe, etc...) suceptible d avoir été infectés sans les ouvrir
--> Double clic sur le raccourci UsbFix sur ton bureau
--> Le pc va redémarer
-->Apres redémarrage post le rapport UsbFix.txt
Note : le rapport UsbFix.txt est sauvegardé a la racine du disque
Note : Si le Bureau ne réapparait pas presse Ctrl + Alt + Suppr , Onglet "Fichier" , "Nouvelle tâche" , tapes explorer.exe et valides
______________
ensuite remet un hijakhcits et dis tes soucis
Voici le rapport :)
-------------- UsbFix V2.413.2 ---------------
* User : ElLoKi - LOKI
* Outils mis a jours le 29/11/2008 par Chiquitine29 et Chimay8
* Recherche effectuée à 16:02:18 le 29/11/2008
* Windows Xp - Internet Explorer 7.0.5730.11
--------------- [ Processus actifs ] ----------------
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\ElLoKi\LOCALS~1\Temp\1.tmp\b2e.exe
--------------- [ Informations lecteurs ] ----------------
C: - Fixed Drive
D: - CD-ROM Drive
+- Contenu de l'autorun : D:\autorun.inf
[autorun]
icon=data\cdicon.ico
open=autorun.exe
--------------- [ Lecteur C ] ----------------
C: - Fixed Drive
+- Listing des fichiers présents :
[22/12/2007 16:56][--a------] C:\AUTOEXEC.BAT
[03/08/2004 21:38][-rahs----] C:\NTDETECT.COM
[26/11/2008 11:59][-rahs----] C:\boot.ini
[29/11/2008 15:29][--a------] C:\ComboFix.txt
[29/11/2008 15:29][--a------] C:\fixnavi.txt
[29/11/2008 15:29][--a------] C:\UsbFix.txt
[29/11/2008 15:29][--a------] C:\YServer.txt
[22/12/2007 16:56][--a------] C:\CONFIG.SYS
[22/12/2007 16:56][--a------] C:\IO.SYS
[22/12/2007 16:56][--a------] C:\MSDOS.SYS
[22/12/2007 16:56][--a------] C:\pagefile.sys
--------------- [ Lecteur D ] ----------------
D: - CD-ROM Drive
+- Listing des fichiers présents :
[10/01/2001 15:48][-r-------] D:\AUTORUN.EXE
[09/11/2000 18:05][-r-------] D:\AUTORUN.INF
--------------- [ Registre / Startup ] ----------------
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Start Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
CTFMON.EXE=C:\WINDOWS\system32\ctfmon.exe
msnmsgr="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
Google Update="C:\Documents and Settings\ElLoKi\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
EA Core=C:\Program Files\Electronic Arts\EADM\Core.exe -silent
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
HControl=C:\WINDOWS\ATK0100\HControl.exe
RTHDCPL=RTHDCPL.EXE
SkyTel=SkyTel.EXE
IMJPMIG8.1="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
PHIME2002ASync=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
PHIME2002A=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
WheelMouse=C:\ADVANC~1\wh_exec.exe
BitDefender Antiphishing Helper="C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
BDAgent="C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
QuickTime Task="C:\Program Files\QuickTime\QTTask.exe" -atboottime
iTunesHelper="C:\Program Files\iTunes\iTunesHelper.exe"
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents=
<NO NAME>=
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL=
Installed=1
<NO NAME>=
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI=
NoChange=1
Installed=1
<NO NAME>=
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS=
Installed=1
<NO NAME>=
--------------- [ Registre / Mountpoint2 ] ----------------
Supprimé ! - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{44a6e1a2-b7c5-11dc-a862-0015af487e60}\Shell\AutoRun\command
--------------- [ Nettoyage des disques ] ----------------
Echec de la supression !! - [09/11/2000 18:05] D:\autorun.inf
Echec de la supression !! - [10/01/2001 15:48] D:\autorun.exe
Echec de la supression !! - [09/11/2000 18:05] D:\autorun.inf
Echec de la supression !! - [09/11/2000 18:05] D:\autorun.inf
--------------- [ Resumé ] ----------------
-> /!\ Le resultat doit etre interprété par un spécialiste /!\
[22/12/2007 16:56][--a------] C:\AUTOEXEC.BAT
[03/08/2004 21:38][-rahs----] C:\NTDETECT.COM
[26/11/2008 11:59][-rahs----] C:\boot.ini
[10/01/2001 15:48][-r-------] D:\AUTORUN.EXE
[09/11/2000 18:05][-r-------] D:\AUTORUN.INF
--------------- ! Fin du rapport ! ----------------
-------------- UsbFix V2.413.2 ---------------
* User : ElLoKi - LOKI
* Outils mis a jours le 29/11/2008 par Chiquitine29 et Chimay8
* Recherche effectuée à 16:02:18 le 29/11/2008
* Windows Xp - Internet Explorer 7.0.5730.11
--------------- [ Processus actifs ] ----------------
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\ElLoKi\LOCALS~1\Temp\1.tmp\b2e.exe
--------------- [ Informations lecteurs ] ----------------
C: - Fixed Drive
D: - CD-ROM Drive
+- Contenu de l'autorun : D:\autorun.inf
[autorun]
icon=data\cdicon.ico
open=autorun.exe
--------------- [ Lecteur C ] ----------------
C: - Fixed Drive
+- Listing des fichiers présents :
[22/12/2007 16:56][--a------] C:\AUTOEXEC.BAT
[03/08/2004 21:38][-rahs----] C:\NTDETECT.COM
[26/11/2008 11:59][-rahs----] C:\boot.ini
[29/11/2008 15:29][--a------] C:\ComboFix.txt
[29/11/2008 15:29][--a------] C:\fixnavi.txt
[29/11/2008 15:29][--a------] C:\UsbFix.txt
[29/11/2008 15:29][--a------] C:\YServer.txt
[22/12/2007 16:56][--a------] C:\CONFIG.SYS
[22/12/2007 16:56][--a------] C:\IO.SYS
[22/12/2007 16:56][--a------] C:\MSDOS.SYS
[22/12/2007 16:56][--a------] C:\pagefile.sys
--------------- [ Lecteur D ] ----------------
D: - CD-ROM Drive
+- Listing des fichiers présents :
[10/01/2001 15:48][-r-------] D:\AUTORUN.EXE
[09/11/2000 18:05][-r-------] D:\AUTORUN.INF
--------------- [ Registre / Startup ] ----------------
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Start Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
CTFMON.EXE=C:\WINDOWS\system32\ctfmon.exe
msnmsgr="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
Google Update="C:\Documents and Settings\ElLoKi\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
EA Core=C:\Program Files\Electronic Arts\EADM\Core.exe -silent
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
HControl=C:\WINDOWS\ATK0100\HControl.exe
RTHDCPL=RTHDCPL.EXE
SkyTel=SkyTel.EXE
IMJPMIG8.1="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
PHIME2002ASync=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
PHIME2002A=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
WheelMouse=C:\ADVANC~1\wh_exec.exe
BitDefender Antiphishing Helper="C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
BDAgent="C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
QuickTime Task="C:\Program Files\QuickTime\QTTask.exe" -atboottime
iTunesHelper="C:\Program Files\iTunes\iTunesHelper.exe"
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents=
<NO NAME>=
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL=
Installed=1
<NO NAME>=
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI=
NoChange=1
Installed=1
<NO NAME>=
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS=
Installed=1
<NO NAME>=
--------------- [ Registre / Mountpoint2 ] ----------------
Supprimé ! - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{44a6e1a2-b7c5-11dc-a862-0015af487e60}\Shell\AutoRun\command
--------------- [ Nettoyage des disques ] ----------------
Echec de la supression !! - [09/11/2000 18:05] D:\autorun.inf
Echec de la supression !! - [10/01/2001 15:48] D:\autorun.exe
Echec de la supression !! - [09/11/2000 18:05] D:\autorun.inf
Echec de la supression !! - [09/11/2000 18:05] D:\autorun.inf
--------------- [ Resumé ] ----------------
-> /!\ Le resultat doit etre interprété par un spécialiste /!\
[22/12/2007 16:56][--a------] C:\AUTOEXEC.BAT
[03/08/2004 21:38][-rahs----] C:\NTDETECT.COM
[26/11/2008 11:59][-rahs----] C:\boot.ini
[10/01/2001 15:48][-r-------] D:\AUTORUN.EXE
[09/11/2000 18:05][-r-------] D:\AUTORUN.INF
--------------- ! Fin du rapport ! ----------------
Voici le rapport hijackthis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:33:03, on 29/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20583)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Ventrilo\Ventrilo.exe
c:\program files\steam\steamapps\9loki2\counter-strike\hl.exe
C:\Program Files\Steam\GameOverlayUI.exe
C:\Program Files\Hamachi\hamachi.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://runonce.msn.com/runonce3.aspx
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [WheelMouse] C:\ADVANC~1\wh_exec.exe
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\ElLoKi\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [EA Core] C:\Program Files\Electronic Arts\EADM\Core.exe -silent
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O20 - AppInit_DLLs: rkhvex.dll ccxhqc.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Service Bonjour (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Service de l’iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:33:03, on 29/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20583)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Ventrilo\Ventrilo.exe
c:\program files\steam\steamapps\9loki2\counter-strike\hl.exe
C:\Program Files\Steam\GameOverlayUI.exe
C:\Program Files\Hamachi\hamachi.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://runonce.msn.com/runonce3.aspx
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [WheelMouse] C:\ADVANC~1\wh_exec.exe
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\ElLoKi\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [EA Core] C:\Program Files\Electronic Arts\EADM\Core.exe -silent
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O20 - AppInit_DLLs: rkhvex.dll ccxhqc.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Service Bonjour (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Service de l’iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
