
actus (Regular)
Joined: 04 Jan 2008  Posts: 55
Posted: 05 Jan 2008 22:31
I found the Combofix3 log in the QooBox folder (but the file's time is earlier than that of the Combofix2 log; I suppose I must have named last night's one "2").
I'm putting it below, along with the one from the run I've just done since:
combofix3
ComboFix 08-01-04.1 - Pascal Morin 2008-01-04 18:22:39.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1515 [GMT 1:00]
Running from: C:\Documents and Settings\Pascal Morin\Desktop\ComboFix(2).exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\WINDOWS\Downloaded Program Files\Temp
C:\WINDOWS\OPTIONS\CABS\_desktop.ini
C:\WINDOWS\system32\Cfx32.lic
C:\WINDOWS\system32\cfx32.ocx
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_DRIVER
-------\Driver
((((((((((((((((((((((((( Files Created from 2007-12-04 to 2008-01-04 )))))))))))))))))))))))))))))))
.
2008-01-04 17:28 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-04 12:33 . 2008-01-04 12:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-04 02:41 . 2008-01-04 18:12 <DIR> d-------- C:\Hijackthis
2008-01-04 02:24 . 2008-01-04 02:23 505,382 --a------ C:\HijackThis.exe
2008-01-03 14:05 . 2008-01-04 00:30 3,882 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-03 14:04 . 2008-01-04 00:49 <DIR> d-------- C:\SmitfraudFix
2008-01-03 14:00 . 2008-01-03 14:00 1,129,580 --a------ C:\SmitfraudFix.exe
2008-01-03 13:46 . 2008-01-03 13:46 <DIR> d-------- C:\Program Files\CCleaner
2007-12-28 00:44 . 2006-11-12 11:39 483,328 --a------ C:\WINDOWS\system32\actskn45.ocx
2007-12-17 09:07 . 2007-12-17 09:07 70,656 --a------ C:\Documents and Settings\Pascal Morin\kolenkor.dll
2007-12-12 08:04 . 2007-12-12 08:04 287,232 --a------ C:\Documents and Settings\Pascal Morin\libcurl.dll
2007-12-11 10:48 . 2007-12-11 10:48 <DIR> d-------- C:\Program Files\Sygate
2007-12-11 10:48 . 2004-10-15 18:32 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2007-12-11 10:48 . 2004-10-15 18:17 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2007-12-11 10:48 . 2004-10-15 18:18 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2007-12-11 10:48 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2007-12-11 10:48 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2007-12-11 10:48 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2007-12-11 10:48 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2007-12-10 08:01 . 2007-12-10 08:01 59,392 --a------ C:\WINDOWS\derc32xz.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-04 17:14 --------- d-----w C:\Documents and Settings\Pascal Morin\Application Data\Skype
2008-01-04 17:01 --------- d-----w C:\Program Files\Plaxo
2008-01-04 00:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-03 12:05 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-01-03 09:49 --------- d-----w C:\Documents and Settings\Pascal Morin\Application Data\OrgPlus5
2008-01-01 22:25 --------- d-----w C:\Documents and Settings\Pascal Morin\Application Data\Move Networks
2007-12-17 20:16 --------- d-----w C:\Program Files\GeoGebra
2007-12-12 11:19 --------- d-----w C:\Documents and Settings\Pascal Morin\Application Data\OpenOffice.org2
2007-11-24 19:19 --------- d-----w C:\Program Files\OGSConverter
2007-11-12 14:44 --------- d-----w C:\Documents and Settings\Pascal Morin\Application Data\ATI
2007-11-12 14:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI
2007-11-12 14:42 --------- d-----w C:\Program Files\ATI Technologies
2007-11-12 14:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-12 14:01 --------- d-----w C:\Program Files\Realtek
2007-11-12 14:00 315,392 ----a-w C:\WINDOWS\HideWin.exe
2007-11-12 14:00 --------- d-----w C:\Documents and Settings\Pascal Morin\Application Data\InstallShield
2007-11-12 13:59 15,600 ----a-w C:\WINDOWS\gdrv.sys
2007-11-12 12:49 --------- d-----w C:\Program Files\Messenger Plus! Live
2007-10-29 16:12 103,736 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2006-11-26 20:33 495,616 ----a-w C:\Program Files\whosin.mdb
2006-11-26 20:32 23 ----a-w C:\Program Files\whosin.ini
2006-09-26 19:18 2,625,265 ----a-w C:\Program Files\openofficeorg4.cab
2006-09-26 19:17 56,053,978 ----a-w C:\Program Files\openofficeorg3.cab
2006-09-26 19:11 17,831,342 ----a-w C:\Program Files\openofficeorg1.cab
2006-09-26 19:11 15,305,884 ----a-w C:\Program Files\openofficeorg2.cab
2006-09-26 19:09 5,289,984 ----a-w C:\Program Files\openofficeorg20.msi
2006-09-26 19:09 217 ----a-w C:\Program Files\setup.ini
2006-09-01 18:05 299,008 ----a-w C:\Program Files\setup.exe
2006-05-23 08:34 41 ----a-w C:\Program Files\sample-import-file.csv
2006-03-03 11:04 266,714 ----a-w C:\Program Files\setuplog.txt
2004-08-04 17:56 151,552 ----a-w C:\Program Files\scrrun.dll
2004-03-08 23:00 260,880 ----a-w C:\Program Files\msflxgrd.ocx
2004-03-08 23:00 152,848 ----a-w C:\Program Files\comdlg32.ocx
2004-03-08 23:00 132,880 ----a-w C:\Program Files\msinet.ocx
2002-03-11 08:06 1,822,520 ----a-w C:\Program Files\instmsiw.exe
2002-03-11 07:45 1,708,856 ----a-w C:\Program Files\instmsia.exe
2001-08-23 23:00 557,128 ----a-w C:\Program Files\DAO360.DLL
1999-03-25 23:00 101,888 ----a-w C:\Program Files\vb6stkit.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{6CE062EA-B8FB-47C0-BCD7-1470A1063D7E}
{EF99BD32-C1FB-11D2-892F-0090271D4F88}
[HKEY_CLASSES_ROOT\clsid\{6ce062ea-b8fb-47c0-bcd7-1470a1063d7e}]
[HKEY_CLASSES_ROOT\XBTB01793.XBTB01793.1]
[HKEY_CLASSES_ROOT\TypeLib\{A67AEBCA-11FC-49df-85BA-4E8CE0BFD67A}]
[HKEY_CLASSES_ROOT\XBTB01793.XBTB01793]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{6CE062EA-B8FB-47C0-BCD7-1470A1063D7E}"= C:\PROGRA~1\ADVFNT~1\tbu46\advfn.dll [ ]
[HKEY_CLASSES_ROOT\clsid\{6ce062ea-b8fb-47c0-bcd7-1470a1063d7e}]
[HKEY_CLASSES_ROOT\XBTB01793.XBTB01793.1]
[HKEY_CLASSES_ROOT\TypeLib\{A67AEBCA-11FC-49df-85BA-4E8CE0BFD67A}]
[HKEY_CLASSES_ROOT\XBTB01793.XBTB01793]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" [2005-03-23 14:34 1630303]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2007-07-27 13:00 15360]
"KITCO"="C:\Program Files\Kitco\Kcast\Kcast" [ ]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-11-30 21:49 4662776]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 11:54 5674352]
"PlaxoUpdate"="C:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe" [2007-12-11 17:21 227914]
"ProxyWay"="C:\Program Files\ProxyWay\proxyway.exe" [ ]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-09-13 12:31 22880040]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"FFTI"="C:\Documents and Settings\Pascal Morin\Application Data\Mozilla\Firefox\Profiles\6jh3qy59.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"FlashIcon"="C:\Program Files\\USB 2.0 Card Reader Driver v2.2\FlashIcon.EXE" [ ]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-11 21:10 344064]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06.exe" [2002-06-04 18:57 188416]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2007-10-10 16:41 249896]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-02-15 01:58 180269]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-01-15 19:39 155648]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [2002-07-22 01:10 577602]
"EM_EXEC"="C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2002-07-09 08:50 28672]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2006-01-07 01:36 81920]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-09 00:18 57344]
"Adobe Reader Speed Launcher"="D:\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-12 10:33 16132608 C:\WINDOWS\RTHDCPL.exe]
"JMB36X IDE Setup"="C:\WINDOWS\JM\JMInsIDE.exe" [2006-10-30 13:44 36864]
"36X Raid Configurer"="C:\WINDOWS\system32\JMRaidSetup.exe" [2007-02-06 13:08 1953792]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40 2577632]
"frun"="C:\WINDOWS\derc32xz.exe" [2007-12-10 08:01 59392]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2007-07-27 13:00 15360]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-12 01:29 443968]
C:\Documents and Settings\Pascal Morin\Start Menu\Programs\Startup\
Yahoo! Widgets.lnk - C:\Program Files\Yahoo!\WidgetEngine\YahooWidgets.exe [2007-12-11 23:34:48]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2006-04-14 16:15:08]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 0 (0x0)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= C:\PROGRA~1\DVDREG~1\DVDShell.dll [2003-08-26 10:58 49152]
R0 avgntmgr;avgntmgr;C:\WINDOWS\system32\drivers\avgntmgr.sys [2007-09-10 16:45]
R1 avgntdd;avgntdd;C:\WINDOWS\system32\DRIVERS\avgntdd.sys [2007-09-10 16:45]
R3 KeyScrambler;KeyScrambler;C:\WINDOWS\system32\drivers\keyscrambler.sys [2007-03-13 05:24]
S3 atidgllk;atidgllk;C:\Program Files\ASUS\SmartDoctor\atidgllk.sys []
S3 gdrv;gdrv;C:\WINDOWS\gdrv.sys [2007-11-12 14:59]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-01-25 18:31]
S3 tj2knd5;Terayon Cable Modem (NDIS);C:\WINDOWS\system32\DRIVERS\tj2knd5.sys [2001-11-09 04:13]
S3 tj2kunic;Terayon Cable Modem (WDM);C:\WINDOWS\system32\DRIVERS\tj2kunic.sys [2001-11-09 04:13]
S3 Video3D;ASUS Video3D Service;C:\WINDOWS\system32\Drivers\Video3D.sys []
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-04 18:25:39
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-01-04 18:26:05
ComboFix-quarantined-files.txt 2008-01-04 17:26:03
.
2008-01-04 02:00:58 --- E O F ---
Combofix 05-01-2008-21h21
ComboFix 08-01-04.1 - Pascal Morin 2008-01-05 21:17:27.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1382 [GMT 1:00]
Running from: C:\Documents and Settings\Pascal Morin\Desktop\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2007-12-05 to 2008-01-05 )))))))))))))))))))))))))))))))
.
2008-01-05 08:31 . 2008-01-05 08:31 <DIR> d-------- C:\WINDOWS\LastGood
2008-01-04 22:01 . 2008-01-04 22:01 <DIR> d-------- C:\Deckard
2008-01-04 17:28 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-04 12:33 . 2008-01-04 12:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-04 02:41 . 2008-01-04 22:03 <DIR> d-------- C:\Hijackthis
2008-01-04 02:24 . 2008-01-04 02:23 505,382 --a------ C:\HijackThis.exe
2008-01-03 14:05 . 2008-01-04 00:30 3,882 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-03 14:04 . 2008-01-04 00:49 <DIR> d-------- C:\SmitfraudFix
2008-01-03 14:00 . 2008-01-03 14:00 1,129,580 --a------ C:\SmitfraudFix.exe
2008-01-03 13:46 . 2008-01-03 13:46 <DIR> d-------- C:\Program Files\CCleaner
2007-12-28 00:44 . 2006-11-12 11:39 483,328 --a------ C:\WINDOWS\system32\actskn45.ocx
2007-12-17 09:07 . 2007-12-17 09:07 70,656 --a------ C:\Documents and Settings\Pascal Morin\kolenkor.dll
2007-12-12 08:04 . 2007-12-12 08:04 287,232 --a------ C:\Documents and Settings\Pascal Morin\libcurl.dll
2007-12-11 10:48 . 2007-12-11 10:48 <DIR> d-------- C:\Program Files\Sygate
2007-12-11 10:48 . 2004-10-15 18:32 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2007-12-11 10:48 . 2004-10-15 18:17 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2007-12-11 10:48 . 2004-10-15 18:18 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2007-12-11 10:48 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2007-12-11 10:48 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2007-12-11 10:48 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2007-12-11 10:48 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2007-12-10 08:01 . 2007-12-10 08:01 59,392 --a------ C:\WINDOWS\derc32xz.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-05 20:08 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-01-05 19:50 --------- d-----w C:\Documents and Settings\Pascal Morin\Application Data\Skype
2008-01-05 09:22 --------- d-----w C:\Documents and Settings\Pascal Morin\Application Data\OrgPlus5
2008-01-05 07:29 --------- d-----w C:\Program Files\Plaxo
2008-01-04 00:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-01 22:25 --------- d-----w C:\Documents and Settings\Pascal Morin\Application Data\Move Networks
2007-12-17 20:16 --------- d-----w C:\Program Files\GeoGebra
2007-12-12 11:19 --------- d-----w C:\Documents and Settings\Pascal Morin\Application Data\OpenOffice.org2
2007-11-24 19:19 --------- d-----w C:\Program Files\OGSConverter
2007-11-12 14:44 --------- d-----w C:\Documents and Settings\Pascal Morin\Application Data\ATI
2007-11-12 14:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI
2007-11-12 14:42 --------- d-----w C:\Program Files\ATI Technologies
2007-11-12 14:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-12 14:01 --------- d-----w C:\Program Files\Realtek
2007-11-12 14:00 315,392 ----a-w C:\WINDOWS\HideWin.exe
2007-11-12 14:00 --------- d-----w C:\Documents and Settings\Pascal Morin\Application Data\InstallShield
2007-11-12 13:59 15,600 ----a-w C:\WINDOWS\gdrv.sys
2007-11-12 12:49 --------- d-----w C:\Program Files\Messenger Plus! Live
2007-10-29 16:12 103,736 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2006-11-26 20:33 495,616 ----a-w C:\Program Files\whosin.mdb
2006-11-26 20:32 23 ----a-w C:\Program Files\whosin.ini
2006-09-26 19:18 2,625,265 ----a-w C:\Program Files\openofficeorg4.cab
2006-09-26 19:17 56,053,978 ----a-w C:\Program Files\openofficeorg3.cab
2006-09-26 19:11 17,831,342 ----a-w C:\Program Files\openofficeorg1.cab
2006-09-26 19:11 15,305,884 ----a-w C:\Program Files\openofficeorg2.cab
2006-09-26 19:09 5,289,984 ----a-w C:\Program Files\openofficeorg20.msi
2006-09-26 19:09 217 ----a-w C:\Program Files\setup.ini
2006-09-01 18:05 299,008 ----a-w C:\Program Files\setup.exe
2006-05-23 08:34 41 ----a-w C:\Program Files\sample-import-file.csv
2006-03-03 11:04 266,714 ----a-w C:\Program Files\setuplog.txt
2004-08-04 17:56 151,552 ----a-w C:\Program Files\scrrun.dll
2004-03-08 23:00 260,880 ----a-w C:\Program Files\msflxgrd.ocx
2004-03-08 23:00 152,848 ----a-w C:\Program Files\comdlg32.ocx
2004-03-08 23:00 132,880 ----a-w C:\Program Files\msinet.ocx
2002-03-11 08:06 1,822,520 ----a-w C:\Program Files\instmsiw.exe
2002-03-11 07:45 1,708,856 ----a-w C:\Program Files\instmsia.exe
2001-08-23 23:00 557,128 ----a-w C:\Program Files\DAO360.DLL
1999-03-25 23:00 101,888 ----a-w C:\Program Files\vb6stkit.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{6CE062EA-B8FB-47C0-BCD7-1470A1063D7E}
{EF99BD32-C1FB-11D2-892F-0090271D4F88}
[HKEY_CLASSES_ROOT\clsid\{6ce062ea-b8fb-47c0-bcd7-1470a1063d7e}]
[HKEY_CLASSES_ROOT\XBTB01793.XBTB01793.1]
[HKEY_CLASSES_ROOT\TypeLib\{A67AEBCA-11FC-49df-85BA-4E8CE0BFD67A}]
[HKEY_CLASSES_ROOT\XBTB01793.XBTB01793]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{6CE062EA-B8FB-47C0-BCD7-1470A1063D7E}"= C:\PROGRA~1\ADVFNT~1\tbu46\advfn.dll [ ]
[HKEY_CLASSES_ROOT\clsid\{6ce062ea-b8fb-47c0-bcd7-1470a1063d7e}]
[HKEY_CLASSES_ROOT\XBTB01793.XBTB01793.1]
[HKEY_CLASSES_ROOT\TypeLib\{A67AEBCA-11FC-49df-85BA-4E8CE0BFD67A}]
[HKEY_CLASSES_ROOT\XBTB01793.XBTB01793]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" [2005-03-23 14:34 1630303]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2007-07-27 13:00 15360]
"KITCO"="C:\Program Files\Kitco\Kcast\Kcast" [ ]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-11-30 21:49 4662776]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 11:54 5674352]
"PlaxoUpdate"="C:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe" [2007-12-11 17:21 227914]
"ProxyWay"="C:\Program Files\ProxyWay\proxyway.exe" [ ]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-09-13 12:31 22880040]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"FFTI"="C:\Documents and Settings\Pascal Morin\Application Data\Mozilla\Firefox\Profiles\6jh3qy59.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"FlashIcon"="C:\Program Files\\USB 2.0 Card Reader Driver v2.2\FlashIcon.EXE" [ ]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-11 21:10 344064]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06.exe" [2002-06-04 18:57 188416]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2007-10-10 16:41 249896]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-02-15 01:58 180269]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-01-15 19:39 155648]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [2002-07-22 01:10 577602]
"EM_EXEC"="C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2002-07-09 08:50 28672]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2006-01-07 01:36 81920]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-09 00:18 57344]
"Adobe Reader Speed Launcher"="D:\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-12 10:33 16132608 C:\WINDOWS\RTHDCPL.exe]
"JMB36X IDE Setup"="C:\WINDOWS\JM\JMInsIDE.exe" [2006-10-30 13:44 36864]
"36X Raid Configurer"="C:\WINDOWS\system32\JMRaidSetup.exe" [2007-02-06 13:08 1953792]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40 2577632]
"frun"="C:\WINDOWS\derc32xz.exe" [2007-12-10 08:01 59392]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2007-07-27 13:00 15360]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-12 01:29 443968]
C:\Documents and Settings\Pascal Morin\Start Menu\Programs\Startup\
Yahoo! Widgets.lnk - C:\Program Files\Yahoo!\WidgetEngine\YahooWidgets.exe [2007-12-11 23:34:48]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2006-04-14 16:15:08]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 0 (0x0)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= C:\PROGRA~1\DVDREG~1\DVDShell.dll [2003-08-26 10:58 49152]
R0 avgntmgr;avgntmgr;C:\WINDOWS\system32\drivers\avgntmgr.sys [2007-09-10 16:45]
R1 avgntdd;avgntdd;C:\WINDOWS\system32\DRIVERS\avgntdd.sys [2007-09-10 16:45]
R3 KeyScrambler;KeyScrambler;C:\WINDOWS\system32\drivers\keyscrambler.sys [2007-03-13 05:24]
S3 atidgllk;atidgllk;C:\Program Files\ASUS\SmartDoctor\atidgllk.sys []
S3 gdrv;gdrv;C:\WINDOWS\gdrv.sys [2007-11-12 14:59]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-01-25 18:31]
S3 tj2knd5;Terayon Cable Modem (NDIS);C:\WINDOWS\system32\DRIVERS\tj2knd5.sys [2001-11-09 04:13]
S3 tj2kunic;Terayon Cable Modem (WDM);C:\WINDOWS\system32\DRIVERS\tj2kunic.sys [2001-11-09 04:13]
S3 Video3D;ASUS Video3D Service;C:\WINDOWS\system32\Drivers\Video3D.sys []
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-05 21:20:36
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-01-05 21:21:00
ComboFix-quarantined-files.txt 2008-01-05 20:20:58
ComboFix2.txt 2008-01-04 20:59:18
ComboFix3.txt 2008-01-04 17:26:06
.
2008-01-05 07:31:24 --- E O F ---
I hope everything is OK now
See you

APC (Guest)
Posted: 06 Jan 2008 16:43
Hello,
actus wrote: I hope everything is OK now
No, it's far from OK: the files that should have been deleted with CF are still there.
- Download SDFix by AndyManchesta and save it to your desktop.
- Double-click SDFix.exe and choose Install to extract it to the desktop.
- Restart in Safe Mode.
- Open the SDFix folder that has just been created in C:\ and double-click RunThis.cmd to launch the script,
- Press Y to start the cleaning process,
- It will delete the services and registry entries of certain trojans it finds, then ask you to press a key to restart.
- Press a key to restart the PC.
Your system will take longer than usual to restart because the tool keeps running and deleting files.
- Once the Desktop has loaded, the tool will finish its work and display Finished. Press a key to end the script and load your Desktop icons.
- With the Desktop icons displayed, the SDFix report will open on screen and will also be saved in the SDFix folder as Report.txt.
Disable your antivirus and your other protections (Sygate) so that Combofix can run normally.
- Open Notepad and save the whole of the text below in it:
File::
C:\WINDOWS\system32\actskn45.ocx
C:\Documents and Settings\Pascal Morin\libcurl.dll
C:\Documents and Settings\Pascal Morin\kolenkor.dll
C:\WINDOWS\derc32xz.exe
C:\WINDOWS\system32\sol718.txt
Save the file as CFScript.txt and drag and drop it onto Combofix, as in the image below:
Double-click Combofix.exe and let it run (don't touch anything for the whole duration of the scan).
Once the scan is finished a Combofix.log report will appear; save it to your Desktop so you can find it again more easily.
Post the SDFix report and the latest Combofix report in your next reply.
@+
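
The CFScript step above hands ComboFix a list of paths; whether each one actually went has to be read back out of the report ComboFix writes afterwards. The script below is an added example for this thread, not ComboFix's own code and not posted by anyone in it. It parses the `File::` block of the CFScript exactly as posted, splits a ComboFix report on its `(((( ... ))))` banners, and reports which requested paths appear under `Other Deletions`, which the report never mentions, which still turn up in the `Files Created` / `Find3M` listings, and which autostart entries under `Reg Loading Points` now point at a deleted file or carry an empty `[ ]` (read here as ComboFix having found no file at that path; that reading of the log format is an assumption). The log excerpt is constructed: the deletions and the file listing are taken from the report posted after the CFScript run, and the two `Run` entries are copied from the earlier report so the dangling-autostart check has something to flag.

```python
"""Check a ComboFix CFScript against the report ComboFix wrote after running it."""
import re

# Banner line such as "((((( Other Deletions )))))".
SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+\s*$")
# Autostart line: "name"="target" [meta].  An empty "[ ]" is read here as
# "ComboFix found no file at that path" (an assumption about the log format).
RUN_ENTRY_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s*\[(.*?)\]\s*$')
# Drive-letter path at the end of a file-listing line (paths contain spaces).
PATH_RE = re.compile(r"[A-Za-z]:\\.*$")

# The CFScript exactly as posted in the thread.
CFSCRIPT = r"""
File::
C:\WINDOWS\system32\actskn45.ocx
C:\Documents and Settings\Pascal Morin\libcurl.dll
C:\Documents and Settings\Pascal Morin\kolenkor.dll
C:\WINDOWS\derc32xz.exe
C:\WINDOWS\system32\sol718.txt
"""
# Constructed excerpt: deletions and file listing from the post-CFScript
# report, plus two Run entries copied from the earlier report so that the
# dangling-autostart check has something to flag.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Pascal Morin\kolenkor.dll
C:\Documents and Settings\Pascal Morin\libcurl.dll
C:\WINDOWS\derc32xz.exe
C:\WINDOWS\system32\actskn45.ocx
.
((((((((((((((((((((((((( Files Created from 2007-12-06 to 2008-01-06 )))))))))))))))))))))))))))))))
.
2008-01-06 18:56 . 2008-01-06 18:56 <DIR> d-------- C:\WINDOWS\ERUNT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ProxyWay"="C:\Program Files\ProxyWay\proxyway.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"frun"="C:\WINDOWS\derc32xz.exe" [2007-12-10 08:01 59392]
"""

def parse_cfscript(text):
    """Return {directive: [lines]}; a directive is a line ending in '::'."""
    sections, current = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def parse_log_sections(text):
    """Split a ComboFix report into {banner title: [body lines]}."""
    sections, current = {"header": []}, "header"
    for line in (ln.rstrip() for ln in text.splitlines()):
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif line and line != ".":
            sections[current].append(line)
    return sections

def section(sections, prefix):
    """Body of the first section whose title starts with prefix."""
    for title, lines in sections.items():
        if title.lower().startswith(prefix.lower()):
            return lines
    return []

def listed_paths(lines):
    # Lower-cased paths from 'Files Created' / 'Find3M' style lines.
    return {m.group(0).lower() for m in map(PATH_RE.search, lines) if m}

def check_fix(cfscript_text, log_text):
    """Compare what the CFScript asked for with what the report says happened."""
    script = parse_cfscript(cfscript_text)
    log = parse_log_sections(log_text)
    requested = script.get("File", []) + script.get("Folder", [])
    deleted = {p.strip().lower() for p in section(log, "Other Deletions")}
    present = listed_paths(section(log, "Files Created")) | listed_paths(section(log, "Find3M"))
    dangling = []
    for line in section(log, "Reg Loading Points"):
        m = RUN_ENTRY_RE.match(line)
        if m and (m.group(2).lower() in deleted or not m.group(3).strip()):
            dangling.append((m.group(1), m.group(2)))
    return {
        "deleted": [p for p in requested if p.lower() in deleted],
        "not_deleted": [p for p in requested if p.lower() not in deleted],
        "still_present": [p for p in requested if p.lower() in present],
        "dangling_autostart": dangling,
    }

if __name__ == "__main__":
    for key, items in check_fix(CFSCRIPT, SAMPLE_LOG).items():
        print(f"{key}: {items}")
```

To use it on a real run, replace SAMPLE_LOG with the full text of the report ComboFix produced. A path that lands in `not_deleted` (here `sol718.txt`, which the CFScript names but the report's `Other Deletions` does not) may simply have been absent already, but it is exactly the entry to confirm by hand before declaring the machine clean, and anything in `dangling_autostart` is a Run value that still needs to be removed even though its target is gone.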

actus (Regular)
Joined: 04 Jan 2008  Posts: 55
Posted: 06 Jan 2008 20:42
I noticed (I had never spotted it before) that the Windows firewall was on; maybe that is what prevented Combofix from deleting the files you mentioned. Here are the reports:
SDFix
SDFix: Version 1.124
Run by Pascal Morin on 06/01/2008 at 18:57
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Safe Mode:
Checking Services:
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting...
Normal Mode:
Checking Files:
Trojan Files Found:
C:\Program Files\Setup.exe - Deleted
Removing Temp Files...
ADS Check:
C:\WINDOWS
No streams found.
C:\WINDOWS\system32
No streams found.
C:\WINDOWS\system32\svchost.exe
No streams found.
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.
Final Check:
catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-06 19:12:57
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 2
Remaining Services:
------------------
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"D:\\BitComet\\BitComet.exe"="D:\\BitComet\\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype. Take a deep breath "
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Messenger"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
Remaining Files:
---------------
File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes:
Sun 16 Sep 2007 5,903,928 A..H. --- "C:\Program Files\Picasa2\setup.exe"
Sat 21 Jan 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 3 Sep 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Wed 17 Oct 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0089cd1ec7c03d0a52caa6b6ea801507\BIT1.tmp"
Wed 19 Sep 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\cf7ced0e70c80a1e476f1abf49afecb1\BIT1.tmp"
Sun 21 May 2006 11,899,904 A..H. --- "C:\Documents and Settings\Pascal Morin\Application Data\Microsoft\Word\~WRL0458.tmp"
Sun 21 May 2006 11,899,904 A..H. --- "C:\Documents and Settings\Pascal Morin\Application Data\Microsoft\Word\~WRL0592.tmp"
Finished!
Combofix
ComboFix 08-01-04.1 - Pascal Morin 2008-01-06 19:23:09.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1428 [GMT 1:00]
Running from: C:\Documents and Settings\Pascal Morin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Pascal Morin\Desktop\CFScript.txt
* Created a new restore point
FILE
C:\Documents and Settings\Pascal Morin\kolenkor.dll
C:\Documents and Settings\Pascal Morin\libcurl.dll
C:\WINDOWS\derc32xz.exe
C:\WINDOWS\system32\actskn45.ocx
C:\WINDOWS\system32\sol718.txt
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Pascal Morin\kolenkor.dll
C:\Documents and Settings\Pascal Morin\libcurl.dll
C:\WINDOWS\derc32xz.exe
C:\WINDOWS\system32\actskn45.ocx
.
((((((((((((((((((((((((( Files Created from 2007-12-06 to 2008-01-06 )))))))))))))))))))))))))))))))
.
2008-01-06 18:56 . 2008-01-06 18:56 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-04 22:01 . 2008-01-04 22:01 <DIR> d-------- C:\Deckard
2008-01-04 17:28 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-04 12:33 . 2008-01-04 12:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-04 02:41 . 2008-01-04 22:03 <DIR> d-------- C:\Hijackthis
2008-01-04 02:24 . 2008-01-04 02:23 505,382 --a------ C:\HijackThis.exe
2008-01-03 14:05 . 2008-01-04 00:30 3,882 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-03 14:04 . 2008-01-04 00:49 <DIR> d-------- C:\SmitfraudFix
2008-01-03 14:00 . 2008-01-03 14:00 1,129,580 --a------ C:\SmitfraudFix.exe
2008-01-03 13:46 . 2008-01-03 13:46 <DIR> d-------- C:\Program Files\CCleaner
2007-12-11 10:48 . 2007-12-11 10:48 <DIR> d-------- C:\Program Files\Sygate
2007-12-11 10:48 . 2004-10-15 18:32 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2007-12-11 10:48 . 2004-10-15 18:17 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2007-12-11 10:48 . 2004-10-15 18:18 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2007-12-11 10:48 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2007-12-11 10:48 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2007-12-11 10:48 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2007-12-11 10:48 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-06 18:18 --------- d-----w C:\Documents and Settings\Pascal Morin\Application Data\Skype
2008-01-06 18:16 --------- d-----w C:\Program Files\Plaxo
2008-01-06 11:10 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-01-05 09:22 --------- d-----w C:\Documents and Settings\Pascal Morin\Application Data\OrgPlus5
2008-01-04 00:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-01 22:25 --------- d-----w C:\Documents and Settings\Pascal Morin\Application Data\Move Networks
2007-12-17 20:16 --------- d-----w C:\Program Files\GeoGebra
2007-12-12 11:19 --------- d-----w C:\Documents and Settings\Pascal Morin\Application Data\OpenOffice.org2
2007-11-24 19:19 --------- d-----w C:\Program Files\OGSConverter
2007-11-12 14:44 --------- d-----w C:\Documents and Settings\Pascal Morin\Application Data\ATI
2007-11-12 14:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI
2007-11-12 14:42 --------- d-----w C:\Program Files\ATI Technologies
2007-11-12 14:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-12 14:01 --------- d-----w C:\Program Files\Realtek
2007-11-12 14:00 315,392 ----a-w C:\WINDOWS\HideWin.exe
2007-11-12 14:00 --------- d-----w C:\Documents and Settings\Pascal Morin\Application Data\InstallShield
2007-11-12 13:59 15,600 ----a-w C:\WINDOWS\gdrv.sys
2007-11-12 12:49 --------- d-----w C:\Program Files\Messenger Plus! Live
2007-10-29 16:12 103,736 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2006-11-26 20:33 495,616 ----a-w C:\Program Files\whosin.mdb
2006-11-26 20:32 23 ----a-w C:\Program Files\whosin.ini
2006-09-26 19:18 2,625,265 ----a-w C:\Program Files\openofficeorg4.cab
2006-09-26 19:17 56,053,978 ----a-w C:\Program Files\openofficeorg3.cab
2006-09-26 19:11 17,831,342 ----a-w C:\Program Files\openofficeorg1.cab
2006-09-26 19:11 15,305,884 ----a-w C:\Program Files\openofficeorg2.cab
2006-09-26 19:09 5,289,984 ----a-w C:\Program Files\openofficeorg20.msi
2006-09-26 19:09 217 ----a-w C:\Program Files\setup.ini
2006-05-23 08:34 41 ----a-w C:\Program Files\sample-import-file.csv
2006-03-03 11:04 266,714 ----a-w C:\Program Files\setuplog.txt
2004-08-04 17:56 151,552 ----a-w C:\Program Files\scrrun.dll
2004-03-08 23:00 260,880 ----a-w C:\Program Files\msflxgrd.ocx
2004-03-08 23:00 152,848 ----a-w C:\Program Files\comdlg32.ocx
2004-03-08 23:00 132,880 ----a-w C:\Program Files\msinet.ocx
2002-03-11 08:06 1,822,520 ----a-w C:\Program Files\instmsiw.exe
2002-03-11 07:45 1,708,856 ----a-w C:\Program Files\instmsia.exe
2001-08-23 23:00 557,128 ----a-w C:\Program Files\DAO360.DLL
1999-03-25 23:00 101,888 ----a-w C:\Program Files\vb6stkit.dll
.
((((((((((((((((((((((((((((( snapshot@2008-01-04_18.25.45.81 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-05 05:57:26 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-01-06 17:56:50 11,603,968 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-01-06 17:56:50 409,600 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-01-05 05:57:26 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-01-06 17:56:30 11,603,968 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-01-06 17:56:31 409,600 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{6CE062EA-B8FB-47C0-BCD7-1470A1063D7E}
{EF99BD32-C1FB-11D2-892F-0090271D4F88}
[HKEY_CLASSES_ROOT\clsid\{6ce062ea-b8fb-47c0-bcd7-1470a1063d7e}]
[HKEY_CLASSES_ROOT\XBTB01793.XBTB01793.1]
[HKEY_CLASSES_ROOT\TypeLib\{A67AEBCA-11FC-49df-85BA-4E8CE0BFD67A}]
[HKEY_CLASSES_ROOT\XBTB01793.XBTB01793]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{6CE062EA-B8FB-47C0-BCD7-1470A1063D7E}"= C:\PROGRA~1\ADVFNT~1\tbu46\advfn.dll [ ]
[HKEY_CLASSES_ROOT\clsid\{6ce062ea-b8fb-47c0-bcd7-1470a1063d7e}]
[HKEY_CLASSES_ROOT\XBTB01793.XBTB01793.1]
[HKEY_CLASSES_ROOT\TypeLib\{A67AEBCA-11FC-49df-85BA-4E8CE0BFD67A}]
[HKEY_CLASSES_ROOT\XBTB01793.XBTB01793]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" [2005-03-23 14:34 1630303]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2007-07-27 13:00 15360]
"KITCO"="C:\Program Files\Kitco\Kcast\Kcast" [ ]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-11-30 21:49 4662776]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 11:54 5674352]
"PlaxoUpdate"="C:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe" [2007-12-11 17:21 227914]
"ProxyWay"="C:\Program Files\ProxyWay\proxyway.exe" [ ]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-09-13 12:31 22880040]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"FFTI"="C:\Documents and Settings\Pascal Morin\Application Data\Mozilla\Firefox\Profiles\6jh3qy59.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"FlashIcon"="C:\Program Files\\USB 2.0 Card Reader Driver v2.2\FlashIcon.EXE" [ ]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-11 21:10 344064]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06.exe" [2002-06-04 18:57 188416]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2007-10-10 16:41 249896]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-02-15 01:58 180269]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-01-15 19:39 155648]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [2002-07-22 01:10 577602]
"EM_EXEC"="C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2002-07-09 08:50 28672]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2006-01-07 01:36 81920]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-09 00:18 57344]
"Adobe Reader Speed Launcher"="D:\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-12 10:33 16132608 C:\WINDOWS\RTHDCPL.exe]
"JMB36X IDE Setup"="C:\WINDOWS\JM\JMInsIDE.exe" [2006-10-30 13:44 36864]
"36X Raid Configurer"="C:\WINDOWS\system32\JMRaidSetup.exe" [2007-02-06 13:08 1953792]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40 2577632]
"frun"="C:\WINDOWS\derc32xz.exe" [ ]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2007-07-27 13:00 15360]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-12 01:29 443968]
C:\Documents and Settings\Pascal Morin\Start Menu\Programs\Startup\
Yahoo! Widgets.lnk - C:\Program Files\Yahoo!\WidgetEngine\YahooWidgets.exe [2007-12-11 23:34:48]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2006-04-14 16:15:08]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 0 (0x0)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= C:\PROGRA~1\DVDREG~1\DVDShell.dll [2003-08-26 10:58 49152]
R0 avgntmgr;avgntmgr;C:\WINDOWS\system32\drivers\avgntmgr.sys [2007-09-10 16:45]
R1 avgntdd;avgntdd;C:\WINDOWS\system32\DRIVERS\avgntdd.sys [2007-09-10 16:45]
R3 KeyScrambler;KeyScrambler;C:\WINDOWS\system32\drivers\keyscrambler.sys [2007-03-13 05:24]
S3 atidgllk;atidgllk;C:\Program Files\ASUS\SmartDoctor\atidgllk.sys []
S3 gdrv;gdrv;C:\WINDOWS\gdrv.sys [2007-11-12 14:59]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-01-25 18:31]
S3 tj2knd5;Terayon Cable Modem (NDIS);C:\WINDOWS\system32\DRIVERS\tj2knd5.sys [2001-11-09 04:13]
S3 tj2kunic;Terayon Cable Modem (WDM);C:\WINDOWS\system32\DRIVERS\tj2kunic.sys [2001-11-09 04:13]
S3 Video3D;ASUS Video3D Service;C:\WINDOWS\system32\Drivers\Video3D.sys []
.
Contents of the 'Scheduled Tasks' folder
"2008-01-06 10:37:20 C:\WINDOWS\Tasks\TB.job"
- C:\Documents and Settings\Pascal Morin\Desktop\TB.txt
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-06 19:24:08
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-01-06 19:24:34
ComboFix-quarantined-files.txt 2008-01-06 18:24:32
ComboFix2.txt 2008-01-05 20:21:01
ComboFix3.txt 2008-01-04 20:59:18
ComboFix4.txt 2008-01-04 17:26:06
.
2008-01-06 08:09:13 --- E O F ---
There you go; I hope everything will be OK now.
Thanks.
See you.
P.S. I read the tutorial on how to browse the internet without being an administrator. Is it possible to set a non-admin user X as the default when the PC starts up?
APC Guest
Posted on: 06 Jan 2008 22:04 Subject:
Good evening,
It already looks better; just one more thing to remove with ComboFix:
Disable your protections again.
- Copy this text into Notepad:
Quote:
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"frun"=-
Save the file under the name CFScript.txt and drag and drop it onto ComboFix, as before; this will overwrite the first script.
Once the scan is finished a ComboFix.log report will appear; save it to your Desktop so you can find it more easily.
Post the result along with a new log from the renamed HijackThis.
« actus » wrote: P.S. I read the tutorial on how to browse the internet without being an administrator. Is it possible to set a non-admin user X as the default when the PC starts up?
By default, no, unless you have a single account on your machine (yours) and you don't use a password at logon.
How many users are there on the machine? How many limited accounts and how many admin accounts?
++
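Added example (not part of this thread, and not ComboFix's own code): the `"frun"` entry the helper asks to delete is the one HKLM Run value in the log whose bracket is empty, `[ ]`, which is how ComboFix marks an entry whose target file it could not find (compare HijackThis's "(file missing)" on the ADVFN toolbar line). The script below parses the "Reg Loading Points" block of a ComboFix log, lists the Run/RunOnce values with an empty bracket for review, and then builds a CFScript `Registry::` block in the same `"name"=-` syntax the helper used, for the names the analyst has actually chosen. The sample input is a handful of lines copied from the log posted above; the function names are mine.

```python
import re
from typing import Dict, List, Optional, Set

# One value line of a ComboFix "Reg Loading Points" block:
#   "name"="C:\path\file.exe" [2007-07-27 13:00 15360]   target found (date, time, size)
#   "name"="C:\path\file.exe" [ ]                        target not found
# Some entries (e.g. ShellExecuteHooks) print the path without quotes.
ENTRY_RE = re.compile(
    r'^"(?P<name>[^"]+)"=\s*"?(?P<path>[^"\[]*?)"?\s*\[(?P<info>[^\]]*)\]\s*$')
KEY_RE = re.compile(r'^\[(?P<key>HKEY_[^\]]+)\]$', re.IGNORECASE)

# Constructed sample: lines copied from the ComboFix log posted above.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" [2005-03-23 14:34 1630303]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2007-07-27 13:00 15360]
"KITCO"="C:\Program Files\Kitco\Kcast\Kcast" [ ]
"ProxyWay"="C:\Program Files\ProxyWay\proxyway.exe" [ ]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-09-13 12:31 22880040]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"FlashIcon"="C:\Program Files\\USB 2.0 Card Reader Driver v2.2\FlashIcon.EXE" [ ]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2007-10-10 16:41 249896]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40 2577632]
"frun"="C:\WINDOWS\derc32xz.exe" [ ]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= C:\PROGRA~1\DVDREG~1\DVDShell.dll [2003-08-26 10:58 49152]
"""


def parse_loading_points(text: str) -> List[Dict[str, Optional[str]]]:
    """Parse the 'Reg Loading Points' block into {key, name, path, file_info}.
    file_info is None when ComboFix printed an empty bracket, i.e. it could
    not stat the target file."""
    entries: List[Dict[str, Optional[str]]] = []
    key: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group("key")
            continue
        em = ENTRY_RE.match(line)
        if em and key:
            info = em.group("info").strip()
            entries.append({"key": key, "name": em.group("name"),
                            "path": em.group("path"), "file_info": info or None})
    return entries


def suspicious_entries(entries: List[Dict[str, Optional[str]]]) -> List[Dict[str, Optional[str]]]:
    """Triage list: Run/RunOnce values whose target file was not found.
    This is a signal for analyst review, not a verdict: a legitimate entry
    whose path omits the extension (KITCO above; Kcast.exe is running) or
    whose program was uninstalled also prints '[ ]'."""
    return [e for e in entries
            if e["file_info"] is None
            and "\\currentversion\\run" in str(e["key"]).lower()]


def cfscript_delete_values(entries: List[Dict[str, Optional[str]]], names: Set[str]) -> str:
    """Build a ComboFix CFScript 'Registry::' block that deletes the chosen
    values; '"name"=-' is the REGEDIT4 syntax for deleting a value, exactly
    as in the helper's script. Only names the analyst passed in are used."""
    chosen = [e for e in entries if e["name"] in names]
    lines = ["Registry::"]
    for key in sorted({str(e["key"]) for e in chosen}):
        lines.append(f"[{key}]")
        lines.extend(f'"{e["name"]}"=-' for e in chosen if e["key"] == key)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = parse_loading_points(SAMPLE_LOG)
    for e in suspicious_entries(found):
        print(f"REVIEW  {e['key']}  {e['name']} -> {e['path']}")
    # Only after the analyst has decided which names are malicious:
    print(cfscript_delete_values(found, {"frun"}))
```

On the sample the review list is KITCO, ProxyWay, FlashIcon and frun; three of those are legitimate software with odd paths, which is why the script generator takes an explicit set of names rather than everything the triage flagged. A random eight-character executable sitting directly in C:\WINDOWS with no file information, like derc32xz.exe, is the one that deserves the `=-`.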
actus Regular
Joined: 04 Jan 2008 Posts: 55
Posted on: 06 Jan 2008 22:54 Subject:
Good evening,
Here are the latest logs (I noticed that BitTorrent was running at the same time as ComboFix: I hope that isn't a problem).
Combofix
ComboFix 08-01-04.1 - Pascal Morin 2008-01-06 21:43:47.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1241 [GMT 1:00]
Running from: C:\Documents and Settings\Pascal Morin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Pascal Morin\Desktop\CFScript.txt
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2007-12-06 to 2008-01-06 )))))))))))))))))))))))))))))))
.
2008-01-06 20:05 . 2008-01-06 20:05 <DIR> d-------- C:\FxTrading
2008-01-06 18:56 . 2008-01-06 18:56 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-04 22:01 . 2008-01-04 22:01 <DIR> d-------- C:\Deckard
2008-01-04 17:28 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-04 12:33 . 2008-01-04 12:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-04 02:41 . 2008-01-04 22:03 <DIR> d-------- C:\Hijackthis
2008-01-04 02:24 . 2008-01-04 02:23 505,382 --a------ C:\HijackThis.exe
2008-01-03 14:05 . 2008-01-04 00:30 3,882 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-03 14:04 . 2008-01-04 00:49 <DIR> d-------- C:\SmitfraudFix
2008-01-03 14:00 . 2008-01-03 14:00 1,129,580 --a------ C:\SmitfraudFix.exe
2008-01-03 13:46 . 2008-01-03 13:46 <DIR> d-------- C:\Program Files\CCleaner
2007-12-11 10:48 . 2007-12-11 10:48 <DIR> d-------- C:\Program Files\Sygate
2007-12-11 10:48 . 2004-10-15 18:32 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2007-12-11 10:48 . 2004-10-15 18:17 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2007-12-11 10:48 . 2004-10-15 18:18 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2007-12-11 10:48 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2007-12-11 10:48 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2007-12-11 10:48 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2007-12-11 10:48 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-06 20:21 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-01-06 20:21 --------- d-----w C:\Documents and Settings\Pascal Morin\Application Data\Skype
2008-01-06 18:16 --------- d-----w C:\Program Files\Plaxo
2008-01-05 09:22 --------- d-----w C:\Documents and Settings\Pascal Morin\Application Data\OrgPlus5
2008-01-04 00:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-01 22:25 --------- d-----w C:\Documents and Settings\Pascal Morin\Application Data\Move Networks
2007-12-17 20:16 --------- d-----w C:\Program Files\GeoGebra
2007-12-12 11:19 --------- d-----w C:\Documents and Settings\Pascal Morin\Application Data\OpenOffice.org2
2007-11-24 19:19 --------- d-----w C:\Program Files\OGSConverter
2007-11-12 14:44 --------- d-----w C:\Documents and Settings\Pascal Morin\Application Data\ATI
2007-11-12 14:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI
2007-11-12 14:42 --------- d-----w C:\Program Files\ATI Technologies
2007-11-12 14:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-12 14:01 --------- d-----w C:\Program Files\Realtek
2007-11-12 14:00 315,392 ----a-w C:\WINDOWS\HideWin.exe
2007-11-12 14:00 --------- d-----w C:\Documents and Settings\Pascal Morin\Application Data\InstallShield
2007-11-12 13:59 15,600 ----a-w C:\WINDOWS\gdrv.sys
2007-11-12 12:49 --------- d-----w C:\Program Files\Messenger Plus! Live
2007-10-29 16:12 103,736 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2006-11-26 20:33 495,616 ----a-w C:\Program Files\whosin.mdb
2006-11-26 20:32 23 ----a-w C:\Program Files\whosin.ini
2006-09-26 19:18 2,625,265 ----a-w C:\Program Files\openofficeorg4.cab
2006-09-26 19:17 56,053,978 ----a-w C:\Program Files\openofficeorg3.cab
2006-09-26 19:11 17,831,342 ----a-w C:\Program Files\openofficeorg1.cab
2006-09-26 19:11 15,305,884 ----a-w C:\Program Files\openofficeorg2.cab
2006-09-26 19:09 5,289,984 ----a-w C:\Program Files\openofficeorg20.msi
2006-09-26 19:09 217 ----a-w C:\Program Files\setup.ini
2006-05-23 08:34 41 ----a-w C:\Program Files\sample-import-file.csv
2006-03-03 11:04 266,714 ----a-w C:\Program Files\setuplog.txt
2004-08-04 17:56 151,552 ----a-w C:\Program Files\scrrun.dll
2004-03-08 23:00 260,880 ----a-w C:\Program Files\msflxgrd.ocx
2004-03-08 23:00 152,848 ----a-w C:\Program Files\comdlg32.ocx
2004-03-08 23:00 132,880 ----a-w C:\Program Files\msinet.ocx
2002-03-11 08:06 1,822,520 ----a-w C:\Program Files\instmsiw.exe
2002-03-11 07:45 1,708,856 ----a-w C:\Program Files\instmsia.exe
2001-08-23 23:00 557,128 ----a-w C:\Program Files\DAO360.DLL
1999-03-25 23:00 101,888 ----a-w C:\Program Files\vb6stkit.dll
.
((((((((((((((((((((((((((((( snapshot@2008-01-04_18.25.45.81 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-05 05:57:26 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-01-06 17:56:50 11,603,968 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-01-06 17:56:50 409,600 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-01-05 05:57:26 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-01-06 17:56:30 11,603,968 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-01-06 17:56:31 409,600 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{6CE062EA-B8FB-47C0-BCD7-1470A1063D7E}
{EF99BD32-C1FB-11D2-892F-0090271D4F88}
[HKEY_CLASSES_ROOT\clsid\{6ce062ea-b8fb-47c0-bcd7-1470a1063d7e}]
[HKEY_CLASSES_ROOT\XBTB01793.XBTB01793.1]
[HKEY_CLASSES_ROOT\TypeLib\{A67AEBCA-11FC-49df-85BA-4E8CE0BFD67A}]
[HKEY_CLASSES_ROOT\XBTB01793.XBTB01793]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{6CE062EA-B8FB-47C0-BCD7-1470A1063D7E}"= C:\PROGRA~1\ADVFNT~1\tbu46\advfn.dll [ ]
[HKEY_CLASSES_ROOT\clsid\{6ce062ea-b8fb-47c0-bcd7-1470a1063d7e}]
[HKEY_CLASSES_ROOT\XBTB01793.XBTB01793.1]
[HKEY_CLASSES_ROOT\TypeLib\{A67AEBCA-11FC-49df-85BA-4E8CE0BFD67A}]
[HKEY_CLASSES_ROOT\XBTB01793.XBTB01793]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" [2005-03-23 14:34 1630303]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2007-07-27 13:00 15360]
"KITCO"="C:\Program Files\Kitco\Kcast\Kcast" [ ]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-11-30 21:49 4662776]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 11:54 5674352]
"PlaxoUpdate"="C:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe" [2007-12-11 17:21 227914]
"ProxyWay"="C:\Program Files\ProxyWay\proxyway.exe" [ ]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-09-13 12:31 22880040]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"FFTI"="C:\Documents and Settings\Pascal Morin\Application Data\Mozilla\Firefox\Profiles\6jh3qy59.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"FlashIcon"="C:\Program Files\\USB 2.0 Card Reader Driver v2.2\FlashIcon.EXE" [ ]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-11 21:10 344064]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06.exe" [2002-06-04 18:57 188416]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2007-10-10 16:41 249896]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-02-15 01:58 180269]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-01-15 19:39 155648]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [2002-07-22 01:10 577602]
"EM_EXEC"="C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2002-07-09 08:50 28672]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2006-01-07 01:36 81920]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-09 00:18 57344]
"Adobe Reader Speed Launcher"="D:\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-12 10:33 16132608 C:\WINDOWS\RTHDCPL.exe]
"JMB36X IDE Setup"="C:\WINDOWS\JM\JMInsIDE.exe" [2006-10-30 13:44 36864]
"36X Raid Configurer"="C:\WINDOWS\system32\JMRaidSetup.exe" [2007-02-06 13:08 1953792]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40 2577632]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2007-07-27 13:00 15360]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-12 01:29 443968]
C:\Documents and Settings\Pascal Morin\Start Menu\Programs\Startup\
Yahoo! Widgets.lnk - C:\Program Files\Yahoo!\WidgetEngine\YahooWidgets.exe [2007-12-11 23:34:48]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2006-04-14 16:15:08]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 0 (0x0)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= C:\PROGRA~1\DVDREG~1\DVDShell.dll [2003-08-26 10:58 49152]
R0 avgntmgr;avgntmgr;C:\WINDOWS\system32\drivers\avgntmgr.sys [2007-09-10 16:45]
R1 avgntdd;avgntdd;C:\WINDOWS\system32\DRIVERS\avgntdd.sys [2007-09-10 16:45]
R3 KeyScrambler;KeyScrambler;C:\WINDOWS\system32\drivers\keyscrambler.sys [2007-03-13 05:24]
S3 atidgllk;atidgllk;C:\Program Files\ASUS\SmartDoctor\atidgllk.sys []
S3 gdrv;gdrv;C:\WINDOWS\gdrv.sys [2007-11-12 14:59]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-01-25 18:31]
S3 tj2knd5;Terayon Cable Modem (NDIS);C:\WINDOWS\system32\DRIVERS\tj2knd5.sys [2001-11-09 04:13]
S3 tj2kunic;Terayon Cable Modem (WDM);C:\WINDOWS\system32\DRIVERS\tj2kunic.sys [2001-11-09 04:13]
S3 Video3D;ASUS Video3D Service;C:\WINDOWS\system32\Drivers\Video3D.sys []
.
Contents of the 'Scheduled Tasks' folder
"2008-01-06 10:37:20 C:\WINDOWS\Tasks\TB.job"
- C:\Documents and Settings\Pascal Morin\Desktop\TB.txt
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-06 21:44:33
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-01-06 21:45:01
ComboFix-quarantined-files.txt 2008-01-06 20:44:59
ComboFix2.txt 2008-01-06 18:24:35
ComboFix3.txt 2008-01-05 20:21:01
ComboFix4.txt 2008-01-04 20:59:18
ComboFix5.txt 2008-01-04 17:26:06
.
2008-01-06 08:09:13 --- E O F ---
Hijackthis
Logfile of HijackThis v1.99.1
Scan saved at 21:46:35, on 06/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kitco\Kcast\Kcast.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Yahoo!\WidgetEngine\YahooWidgets.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\WidgetEngine\YahooWidgets.exe
C:\Program Files\Yahoo!\WidgetEngine\YahooWidgets.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Hijackthis\actus.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:81
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - d:\BitComet\tools\BitCometBHO_1.1.9.24.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: ADVFN Toolbar - {6CE062EA-B8FB-47C0-BCD7-1470A1063D7E} - C:\PROGRA~1\ADVFNT~1\tbu46\advfn.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [FlashIcon] C:\Program Files\\USB 2.0 Card Reader Driver v2.2\FlashIcon.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [Power2GoExpress] "C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" /Startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [KITCO] C:\Program Files\Kitco\Kcast\Kcast
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.13.1.3\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [ProxyWay] C:\Program Files\ProxyWay\proxyway.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\RunOnce: [FFTI] C:\Documents and Settings\Pascal Morin\Application Data\Mozilla\Firefox\Profiles\6jh3qy59.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /DestPath="C:\Documents and Settings\Pascal Morin\Application Data\Mozilla\Firefox\Profiles/6jh3qy59.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}"
O4 - Startup: Yahoo! Widgets.lnk = C:\Program Files\Yahoo!\WidgetEngine\YahooWidgets.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://d:\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://d:\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://d:\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - d:\BitComet\tools\BitCometBHO_1.1.9.24.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} (MSN Money Charting) - http://ca.moneycentral.msn.com/cabs/pmupd806.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by13fd.bay13.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1162983257093
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1170807373890
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
Usually I am the only one using the PC, but my wife uses it from time to time, since she has a printing problem with hers, which is on the network (I opened a topic in the appropriate section, not having managed to solve the problem on my own).
My son rarely uses it, except when he has trouble accessing the network through the WiFi router (he has a laptop), which has been the case for about 3 weeks (network connection problems; sometimes it works, but often it doesn't), whereas everything was fine before (but that may become the subject of a new topic if I don't manage to solve it next week).
Good evening.
++
APC Guest
Posted on: 07 Jan 2008 18:00 Subject:
Hello,
The reports are clean this time.
A few security holes remain to be fixed, and then it will be OK.
Before that, I'm going to ask you to run an online scan with KAV and post the report you get.
There was a worm on the machine; it's better to make sure all the infectious files are really gone.
Quote: Usually I am the only one using the PC, but my wife uses it from time to time, since she has a printing problem with hers, which is on the network (I opened a topic in the appropriate section, not having managed to solve the problem on my own).
My son rarely uses it, except when he has trouble accessing the network through the WiFi router (he has a laptop), which has been the case for about 3 weeks (network connection problems; sometimes it works, but often it doesn't), whereas everything was fine before (but that may become the subject of a new topic if I don't manage to solve it next week).
That only partially answers my question. I wasn't asking who uses this PC, but how many user accounts there are on it (number of sessions).
And regarding P2P and its dangers, I advise you to read this; it would no doubt have spared you a worm infection on top of the Smitfraud infection.
++
actus Regular

Joined: 04 Jan 2008 Posts: 55
Posted on: 08 Jan 2008 1:56 Subject:
Good evening, er... good night!
Here is the KAV log; I noticed there were still a few viruses and trojans left:
-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Tuesday, January 08, 2008 12:42:32 AM
Système d'exploitation : Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version : 5.0.83.0
Dernière mise à jour de la base antivirus Kaspersky : 7/01/2008
Enregistrements dans la base antivirus Kaspersky : 470671
-------------------------------------------------------------------------------
Paramètres d'analyse:
Analyser avec la base antivirus suivante: standard
Analyser les archives: vrai
Analyser les bases de messagerie: vrai
Cible de l'analyse - Dossiers:
C:\
D:\
Statistiques de l'analyse:
Total d'objets analysés: 148752
Nombre de virus trouvés: 3
Nombre d'objets infectés: 4 / 0
Nombre d'objets suspects: 0
Durée de l'analyse: 02:48:00
Nom de l'objet infecté / Nom du virus / Dernière action
C:\Documents and Settings\Administrator\Application Data\Thunderbird\Profiles\d8r6maez.default\Mail\pop.gmail-1.com\Inbox.msf L'objet est verrouillé ignoré
C:\Documents and Settings\Administrator\Application Data\Thunderbird\Profiles\d8r6maez.default\Mail\pop.gmail-1.com\Trash.msf L'objet est verrouillé ignoré
C:\Documents and Settings\Administrator\Application Data\Thunderbird\Profiles\d8r6ma