Services.exe utilise trop d'UC!
Forum Sécurité - Virus : Services.exe utilise trop d'UC!
Bonjour à tous ,
J'ai remarqué le problème avec services.exe lorsque soudainement mon fan du processeur s'est mis à tourner à fond continuellement, sans raison. J'ai vu que lorsque je suis branché sur internet, services.exe s'emballe et utilise mon UC. J'ai tenté le tout pour le tout en effectuant quelques scans de routine avec notamment AVG Anti-Spyware, Avira Antivir, Combofix, Vundofix et quelques autres, mais sans faire disparaître le problème entièrement.
Voici donc mon rapport hijackthis :
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:22:51, on 2008-02-16
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Fichiers communs\Acronis\Schedule2\schedul2.exe
C:\Program Files\Fichiers communs\Autodesk Shared\Service\AdskScSrv.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\MDC\AEGIS Client\mgr8021x.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
D:\Program Files\Genie-Soft\GBMPro7\GBMAgent.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Fichiers communs\Acronis\Schedule2\schedhlp.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
D:\Program Files\Le Robert\Le Petit Robert\prhyper.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
D:\Program Files\Genie-Soft\GBMPro7\GBM7.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Explorer.EXE
D:\Program Files\Microsoft Office\OFFICE11\POWERPNT.EXE
C:\Program Files\MSN Messenger\usnsvc.exe
D:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Pierre-Luc Grenier\Bureau\Hjt.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 62.65.159.182:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: (no name) - {5748461D-C86C-4202-B7A7-FFE9A083823A} - C:\WINDOWS\system32\sstqq.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: &Google Notebook - {CCCCCCD3-666F-4F81-8B69-745DE9F6D897} - C:\Program Files\Google\Google Notebook\gnotes1.0.2.19-1661562677.dll
O3 - Toolbar: Google Bloc-notes - {CCCCCCDB-4DDB-4703-95D4-DD2C526397BF} - C:\Program Files\Google\Google Notebook\gnotes1.0.2.19-1661562677.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [GBMPro7Agent] D:\Program Files\Genie-Soft\GBMPro7\GBMAgent.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Fichiers communs\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [Le Petit Robert Hyperappel] D:\Program Files\Le Robert\Le Petit Robert\prhyper.exe
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] (User 'Default user')
O8 - Extra context menu item: Convertir les liens sélectionnés en fichier Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Download with GetRight - D:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - D:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Page à noter (Google Bloc-notes) - res://C:\Program Files\Google\Google Notebook\gnotes1.0.2.19-1661562677.dll/gn_menu1.html
O8 - Extra context menu item: À noter (Google Bloc-notes) - res://C:\Program Files\Google\Google Notebook\gnotes1.0.2.19-1661562677.dll/gn_menu2.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - D:\Program Files\PartyGaming\PartyCasino\RunCasino.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - D:\Program Files\PartyGaming\PartyCasino\RunCasino.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: TruePass EPF 7,0,100,717 - https://blrscr3.egs-seg.gc.ca/apple [...] et-epf.cab
O16 - DPF: TruePass EPF 7,0,100,730 - https://blrscr3.egs-seg.gc.ca/apple [...] et-epf.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/control [...] loader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wi [...] 9785503234
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/bina [...] b56907.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (Contrôleur de DownloadManager) - http://dlm.tools.akamai.com/dlmana [...] .2.1.6.cab
O20 - Winlogon Notify: fjplbqrx - fjplbqrx.dll (file missing)
O20 - Winlogon Notify: mdc - C:\WINDOWS\SYSTEM32\notification.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Fichiers communs\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Fichiers communs\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apache2.2 - Unknown owner - D:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Fichiers communs\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - D:\Program Files\UnivLaval\cvpnd.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Fichiers communs\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\IcdSptSv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - D:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)
O23 - Service: MySQL - Unknown owner - D:\Program.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo.exe
--
End of file - 9231 bytes
Bonjour,
Désactive tes protections résidentes (antivirus, Spybot...) !
- Télécharge Combofix (sUBs) sur ton Bureau.
- Double clique sur combofix.exe afin de le lancer.
- Tape sur la touche 1 (Yes) pour démarrer le scan.
- Lorsque le scan sera complété, un rapport apparaîtra. Poste ce rapport dans ta prochaine réponse.
Répondre à Angeldark
Merci pour cette réponse rapide!!
Voici mon rapport Combofix :
ComboFix 08-02-17.2 - Pierre-Luc Grenier 2008-02-17 13:45:32.5 - NTFSx86
Microsoft Windows XP Professionnel 5.1.2600.2.1252.1.1036.18.505 [GMT -5:00]
Endroit: C:\Documents and Settings\Pierre-Luc Grenier\Bureau\ComboFix.exe
* Création d'un nouveau point de restauration
[color=red]AVERTISSEMENT - LA CONSOLE DE RÉCUPÉRATION N'EST PAS INSTALLÉE SUR CETTE MACHINE !![/color]
.
((((((((((((((((((((((((((((( Fichiers cr‚‚s 2008-01-17 to 2008-02-17 ))))))))))))))))))))))))))))))))))))
.
2008-02-16 20:48 . 2008-02-16 20:48 <REP> d-------- C:\Rustbfix
2008-02-16 17:51 . 2008-02-16 17:51 <REP> d-------- C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic
2008-02-16 17:43 . 2008-02-16 17:43 <REP> d-------- C:\Program Files\Avira
2008-02-16 17:43 . 2008-02-16 17:43 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-02-16 17:31 . 2007-01-18 07:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2008-02-16 14:54 . 2004-08-19 18:09 160,768 --a------ C:\WINDOWS\msconfig.exe
2008-02-14 14:12 . 2008-02-14 14:12 1,158 --a------ C:\WINDOWS\mozver.dat
2008-02-14 14:08 . 2008-02-14 14:08 0 --a------ C:\WINDOWS\nsreg.dat
2008-02-13 23:37 . 2008-02-13 23:37 <REP> d-------- C:\Program Files\MDC
2008-02-13 23:37 . 2008-02-13 23:37 45,056 --a------ C:\WINDOWS\system32\bindctl.dll
2008-02-13 23:37 . 2008-02-13 23:37 19,915 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2008-02-12 15:49 . 2008-02-12 15:49 14 --a------ C:\WINDOWS\system32\tmpPrst.tgz
2008-02-10 10:38 . 2008-02-10 01:00 1,593,889 --a------ C:\ComboFix.exe
2008-02-10 01:43 . 2008-02-10 01:43 <REP> d-------- C:\Documents and Settings\Pierre-Luc Grenier\Application Data\Grisoft
2008-02-10 01:42 . 2008-02-10 01:42 149 --a------ C:\WINDOWS\wininit.ini
2008-02-10 01:26 . 2008-02-10 01:26 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-10 01:26 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-10 01:25 . 2008-02-10 01:24 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-10 01:25 . 2008-02-10 01:25 3,462 --a------ C:\WINDOWS\unins000.dat
2008-02-10 00:32 . 2008-02-10 00:34 <REP> d-------- C:\WINDOWS\DED53B0BB67C4244AE6AD6FD3C28D1EF.TMP
2008-02-10 00:04 . 2008-02-10 00:04 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-02-09 23:35 . 2008-02-16 18:22 <REP> d-------- C:\VundoFix Backups
2008-02-09 22:04 . 2008-02-09 22:04 54,764 --a------ C:\WINDOWS\system32\4fdw.dll
2008-02-09 22:04 . 2008-02-09 22:04 2 --a------ C:\1275973434
2008-02-09 21:59 . 2008-02-09 21:59 <REP> dr------- C:\Documents and Settings\NetworkService\Favoris
2008-02-09 21:59 . 2008-02-10 01:41 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-02-09 21:44 . 2008-02-09 21:58 <REP> d-------- C:\Documents and Settings\Pierre-Luc Grenier\Application Data\Download Manager
2008-02-09 20:59 . 2008-02-09 21:02 318 --ahs---- C:\WINDOWS\system32\bcbeg.ini
2008-02-09 20:58 . 2008-02-15 23:28 <REP> d-------- C:\Program Files\Drmupgds
2008-02-09 20:54 . 2008-02-10 02:08 <REP> d-------- C:\WINDOWS\system32\ver2
2008-02-09 20:54 . 2008-02-09 20:54 <REP> d-------- C:\WINDOWS\system32\jap8
2008-02-09 20:54 . 2008-02-16 18:02 <REP> d-------- C:\WINDOWS\system32\hlp6
2008-02-09 20:54 . 2008-02-10 14:04 <REP> d--hs---- C:\WINDOWS\R3Jlbmllcg
2008-02-09 20:54 . 2008-02-16 11:15 <REP> d-------- C:\Temp
2008-02-09 20:54 . 2008-02-09 20:57 <REP> d-------- C:\Program Files\RABCO
2008-02-09 16:39 . 2008-02-09 16:39 <REP> d-------- C:\Documents and Settings\Pierre-Luc Grenier\Application Data\Nitro PDF
2008-01-28 20:26 . 2008-01-28 20:27 <REP> d-------- C:\Program Files\SML
2008-01-17 15:52 . 2008-01-17 15:52 <REP> d-------- C:\Documents and Settings\Pierre-Luc Grenier\Application Data\vlc
.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-13 01:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-10 06:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-10 05:35 --------- d-----w C:\Program Files\Fichiers communs\Adobe
2008-02-10 05:31 --------- d-----w C:\Program Files\Fichiers communs\Wise Installation Wizard
2008-02-06 01:01 --------- d-----w C:\Documents and Settings\Pierre-Luc Grenier\Application Data\Azureus
2008-02-02 22:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-14 21:31 --------- d-----w C:\Documents and Settings\Pierre-Luc Grenier\Application Data\Elluminate
2008-01-08 09:48 --------- d-----w C:\Program Files\MSN Messenger
2007-12-24 03:49 --------- d-----w C:\Documents and Settings\Pierre-Luc Grenier\Application Data\CyberLink
2007-12-24 03:48 --------- d-----w C:\Program Files\Cyberlink
2007-12-24 03:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
2007-12-24 03:17 --------- d-----w C:\Program Files\Zoom Player
2005-09-09 23:55 35 ----a-w C:\Program Files\SCSSDist.ini
.
((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* les ‚l‚ments vides & les ‚l‚ments initiaux l‚gitimes ne sont pas list‚s
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5748461D-C86C-4202-B7A7-FFE9A083823A}]
C:\WINDOWS\system32\sstqq.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseSVN]
@={30351346-7B7D-4FCC-81B4-1E394CA267EB}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseSVN]
@={30351347-7B7D-4FCC-81B4-1E394CA267EB}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseSVN]
@={30351348-7B7D-4FCC-81B4-1E394CA267EB}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseSVN]
@={3035134B-7B7D-4FCC-81B4-1E394CA267EB}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseSVN]
@={3035134C-7B7D-4FCC-81B4-1E394CA267EB}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseSVN]
@={3035134D-7B7D-4FCC-81B4-1E394CA267EB}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseSVN]
@={3035134E-7B7D-4FCC-81B4-1E394CA267EB}
[HKEY_CLASSES_ROOT\CLSID\{30351346-7B7D-4FCC-81B4-1E394CA267EB}]
2007-08-26 10:40 536576 --a------ D:\Program Files\TortoiseSVN\bin\tortoisesvn.dll
[HKEY_CLASSES_ROOT\CLSID\{30351347-7B7D-4FCC-81B4-1E394CA267EB}]
2007-08-26 10:40 536576 --a------ D:\Program Files\TortoiseSVN\bin\tortoisesvn.dll
[HKEY_CLASSES_ROOT\CLSID\{30351348-7B7D-4FCC-81B4-1E394CA267EB}]
2007-08-26 10:40 536576 --a------ D:\Program Files\TortoiseSVN\bin\tortoisesvn.dll
[HKEY_CLASSES_ROOT\CLSID\{3035134B-7B7D-4FCC-81B4-1E394CA267EB}]
2007-08-26 10:40 536576 --a------ D:\Program Files\TortoiseSVN\bin\tortoisesvn.dll
[HKEY_CLASSES_ROOT\CLSID\{3035134C-7B7D-4FCC-81B4-1E394CA267EB}]
2007-08-26 10:40 536576 --a------ D:\Program Files\TortoiseSVN\bin\tortoisesvn.dll
[HKEY_CLASSES_ROOT\CLSID\{3035134D-7B7D-4FCC-81B4-1E394CA267EB}]
2007-08-26 10:40 536576 --a------ D:\Program Files\TortoiseSVN\bin\tortoisesvn.dll
[HKEY_CLASSES_ROOT\CLSID\{3035134E-7B7D-4FCC-81B4-1E394CA267EB}]
2007-08-26 10:40 536576 --a------ D:\Program Files\TortoiseSVN\bin\tortoisesvn.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Le Petit Robert Hyperappel"="D:\Program Files\Le Robert\Le Petit Robert\prhyper.exe" [2001-10-11 11:11 22560]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 18:09 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"GBMPro7Agent"="D:\Program Files\Genie-Soft\GBMPro7\GBMAgent.exe" [2007-02-27 08:09 204800]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 20:05 344064]
"Acronis Scheduler2 Service"="C:\Program Files\Fichiers communs\Acronis\Schedule2\schedhlp.exe" [2007-02-16 17:49 149024]
"!AVG Anti-Spyware"="D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-16 17:57 249896]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"="" []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fjplbqrx]
fjplbqrx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mdc]
notification.dll 2005-05-16 14:51 294912 C:\WINDOWS\system32\notification.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^C2CMonitor.lnk]
path=C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage\C2CMonitor.lnk
backup=C:\WINDOWS\pss\C2CMonitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^Client Push.LNK]
path=C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage\Client Push.LNK
backup=C:\WINDOWS\pss\Client Push.LNKCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^Lancement rapide d'Adobe Acrobat.lnk]
path=C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage\Lancement rapide d'Adobe Acrobat.lnk
backup=C:\WINDOWS\pss\Lancement rapide d'Adobe Acrobat.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^Universite Laval Client VPN ULaval.lnk]
path=C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage\Universite Laval Client VPN ULaval.lnk
backup=C:\WINDOWS\pss\Universite Laval Client VPN ULaval.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Pierre-Luc Grenier^Menu Démarrer^Programmes^Démarrage^Anapod Manager.lnk]
path=C:\Documents and Settings\Pierre-Luc Grenier\Menu Démarrer\Programmes\Démarrage\Anapod Manager.lnk
backup=C:\WINDOWS\pss\Anapod Manager.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Pierre-Luc Grenier^Menu Démarrer^Programmes^Démarrage^RABCO - Auto Update.lnk]
path=C:\Documents and Settings\Pierre-Luc Grenier\Menu Démarrer\Programmes\Démarrage\RABCO - Auto Update.lnk
backup=C:\WINDOWS\pss\RABCO - Auto Update.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
--a------ 2007-06-11 04:25 6731312 D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\4c0dcf95]
C:\WINDOWS\system32\hqyeyaaj.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
D:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
--a------ 2007-02-16 17:57 1945960 D:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CalendaMail]
--a------ 2006-02-13 15:38 685186 D:\Program Files\Emula Soft\CalendaMail\CalendaMail.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
--a------ 2005-05-19 08:47 57344 D:\Program Files\CloneCD\CloneCDTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-19 18:09 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2005-12-10 09:57 133016 D:\Program Files\DAEMON Tools\daemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Drmupgds]
C:\Program Files\Drmupgds\Drmupgds.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
--a------ 2005-06-10 04:21 217088 C:\Program Files\Microsoft IntelliPoint\point32.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-10-30 09:36 256576 D:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
--------- 2007-01-08 22:17 52256 D:\Program Files\CyberLink\PowerDVD\Language\Language.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-02-16 10:54 282624 D:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Regscan]
C:\WINDOWS\system32\regscan.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--------- 2007-03-14 21:01 71216 D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
--a------ 2007-02-16 17:45 1169776 D:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\type32]
--a------ 2005-06-10 04:24 196608 C:\Program Files\Microsoft IntelliType Pro\type32.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VC6Player]
C:\Program Files\HHVcdV6Sys\VC6Play.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WintelUpdate]
c:\exujd.exe
R2 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2005-10-14 02:53]
R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2004-12-15 14:18]
S2 Apache2.2;Apache2.2;"D:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe" []
S3 ICDUSB2;Sony IC Recorder (P);C:\WINDOWS\system32\Drivers\ICDUSB2.sys [2002-11-28 20:23]
S3 msftesql$GRENIER;SQL Server FullText Search (GRENIER);"D:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\msftesql.exe" -s:MSSQL.2 []
S3 MSSQL$GRENIER;SQL Server (GRENIER);"D:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe" [2005-10-14 03:51]
S3 SNPP106;PC Camera (6029 CIF);C:\WINDOWS\system32\DRIVERS\snpp106.sys [2003-04-09 10:44]
S3 SQLAgent$GRENIER;SQL Server Agent (GRENIER);"D:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\SQLAGENT90.EXE" [2005-10-14 03:51]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"D:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" [2005-09-23 06:01]
S4 OracleOraDb10g_home1TNSListener;OracleOraDb10g_home1TNSListener;D:\oracle\product\10.1.0\Db_1\BIN\TNSLSNR []
S4 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\System32\inetsrv\inetinfo.exe [2004-08-19 18:09]
.
Contenu du dossier 'Scheduled Tasks/Tƒches planifi‚es'
"2008-02-17 18:25:08 C:\WINDOWS\Tasks\GBMPro7 Task - Data.job"
- D:\Program Files\Genie-Soft\GBMPro7\GBM7.exe
"2008-02-17 18:52:11 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- D:\Program Files\XoftSpySE\XoftSpy.exe
"2008-01-26 08:56:52 C:\WINDOWS\Tasks\XoftSpySE.job"
- D:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-17 13:53:11
Windows 5.1.2600 Service Pack 2 NTFS
Balayage processus cach‚s ...
Balayage cach‚ autostart entries ...
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Le Petit Robert Hyperappel = D:\Program Files\Le Robert\Le Petit Robert\prhyper.exe??????????????????????????????????????????????????????????????????????????????????????????????????????????\??? /??\??????????????????????|? ??\???Q??|x???m??|????????\??????|Z????????????,K????????????
Balayage des fichiers cach‚s ...
Scan termin‚ avec succŠs
Les fichiers cach‚s: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\msftesql$GRENIER]
"ImagePath"="\"D:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\msftesql.exe\" -s:MSSQL.2 -f:GRENIER"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Fichiers communs\Acronis\Schedule2\schedul2.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Fichiers communs\Autodesk Shared\Service\AdskScSrv.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
D:\Program Files\TortoiseSVN\bin\TSVNCache.exe
.
**************************************************************************
.
Temps d'accomplissement: 2008-02-17 13:57:02 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-17 18:56:59
ComboFix2.txt 2008-02-16 17:48:41
ComboFix3.txt 2008-02-16 16:40:12
ComboFix4.txt 2008-02-10 15:56:02
ComboFix5.txt 2008-02-10 06:16:57
Re,
Télécharge Gmer.
Dézippe le dans un dossier ou sur ton bureau.
Déconnecte toi d'Internet puis et ferme tous les programmes.
Double-clique sur Gmer.exe.
IMPORTANT: Si une alerte de ton antivirus apparaît pour le fichier gmer.sys ou gmer.exe, laisse le s'executer.
Clique sur l'onglet rootkit.
A droite, coche Files et Services.
Clique maintenant sur Scan.
Lorsque le scan est terminé, clique sur Copy.
Ouvre le Bloc-notes puis clique sur le Menu Edition / Coller.
Le rapport doit alors apparaître.
Enregistre le fichier sur ton bureau et copie/colle le contenu ici.
Répondre à Angeldark
Re,
Voici le rapport Gmer :
GMER 1.0.14.14116 - http://www.gmer.net
Rootkit scan 2008-02-17 14:30:14
Windows 5.1.2600 Service Pack 2
---- Services - GMER 1.0.14 ----
Service C:\WINDOWS\system32\4fdw.dll (*** hidden *** ) [SYSTEM] 4fdw <-- ROOTKIT !!!
Service system32\DRIVERS\obvious.sys (*** hidden *** ) [SYSTEM] obvious <-- ROOTKIT !!!
---- EOF - GMER 1.0.14 ----
Re,
Désactive tes protections résidentes (antivirus...) !
Copie (Ctrl+C) le texte se situant dans le cadre ci-dessous :
File::
|
Ouvre le Bloc-Notes puis colle (Ctrl+V) le texte précedemment copié.
Sauvegarde ce fichier sous le nom de CFScript.txt.
Glisse maintenant le fichier CFScript.txt dans Combofix.exe comme ci-dessous :
Cela va relancer Combofix, tape sur 1 puis valide. Après redémarrage, poste le contenu du rapport Combofix.txt accompagné d'un rapport Hijackthis.
NOTE : S'il n'y a pas de rédémarrage, poste quand même les rapports demandés.
Répondre à Angeldark
Re,
Voici le rapport Combofix :
ComboFix 08-02-17.2 - Pierre-Luc Grenier 2008-02-17 15:37:16.6 - NTFSx86
Microsoft Windows XP Professionnel 5.1.2600.2.1252.1.1036.18.496 [GMT -5:00]
Endroit: C:\Documents and Settings\Pierre-Luc Grenier\Bureau\ComboFix.exe
Command switches used :: C:\Documents and Settings\Pierre-Luc Grenier\Bureau\CFScript.txt
* Création d'un nouveau point de restauration
[color=red]AVERTISSEMENT - LA CONSOLE DE RÉCUPÉRATION N'EST PAS INSTALLÉE SUR CETTE MACHINE !![/color]
FILE ::
C:\WINDOWS\system32\hqyeyaaj.dll
.
(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\4fdw.dll
C:\WINDOWS\system32\DRIVERS\obvious.sys
.
((((((((((((((((((((((((((((( Fichiers cr‚‚s 2008-01-17 to 2008-02-17 ))))))))))))))))))))))))))))))))))))
.
2008-02-17 15:42 . 2008-02-17 15:42 73 --a------ C:\WINDOWS\system32\ssprs.dll
2008-02-17 15:42 . 2008-02-17 15:42 0 --a------ C:\WINDOWS\system32\tmpPrst.dll
2008-02-17 15:42 . 2008-02-17 15:42 0 --a------ C:\WINDOWS\system32\lsprst7.dll
2008-02-17 14:23 . 2008-02-17 14:24 250 --a------ C:\WINDOWS\gmer.ini
2008-02-16 20:48 . 2008-02-16 20:48 <REP> d-------- C:\Rustbfix
2008-02-16 17:51 . 2008-02-16 17:51 <REP> d-------- C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic
2008-02-16 17:43 . 2008-02-16 17:43 <REP> d-------- C:\Program Files\Avira
2008-02-16 17:43 . 2008-02-16 17:43 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-02-16 17:31 . 2007-01-18 07:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2008-02-16 14:54 . 2004-08-19 18:09 160,768 --a------ C:\WINDOWS\msconfig.exe
2008-02-14 14:12 . 2008-02-14 14:12 1,158 --a------ C:\WINDOWS\mozver.dat
2008-02-14 14:08 . 2008-02-14 14:08 0 --a------ C:\WINDOWS\nsreg.dat
2008-02-13 23:37 . 2008-02-13 23:37 <REP> d-------- C:\Program Files\MDC
2008-02-13 23:37 . 2008-02-13 23:37 45,056 --a------ C:\WINDOWS\system32\bindctl.dll
2008-02-13 23:37 . 2008-02-13 23:37 19,915 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2008-02-12 15:49 . 2008-02-12 15:49 14 --a------ C:\WINDOWS\system32\tmpPrst.tgz
2008-02-10 10:38 . 2008-02-10 01:00 1,593,889 --a------ C:\ComboFix.exe
2008-02-10 01:43 . 2008-02-10 01:43 <REP> d-------- C:\Documents and Settings\Pierre-Luc Grenier\Application Data\Grisoft
2008-02-10 01:42 . 2008-02-10 01:42 149 --a------ C:\WINDOWS\wininit.ini
2008-02-10 01:26 . 2008-02-10 01:26 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-10 01:26 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-10 01:25 . 2008-02-10 01:24 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-10 01:25 . 2008-02-10 01:25 3,462 --a------ C:\WINDOWS\unins000.dat
2008-02-10 00:32 . 2008-02-10 00:34 <REP> d-------- C:\WINDOWS\DED53B0BB67C4244AE6AD6FD3C28D1EF.TMP
2008-02-10 00:04 . 2008-02-10 00:04 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-02-09 23:35 . 2008-02-16 18:22 <REP> d-------- C:\VundoFix Backups
2008-02-09 22:04 . 2008-02-09 22:04 2 --a------ C:\1275973434
2008-02-09 21:59 . 2008-02-09 21:59 <REP> dr------- C:\Documents and Settings\NetworkService\Favoris
2008-02-09 21:59 . 2008-02-10 01:41 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-02-09 21:44 . 2008-02-09 21:58 <REP> d-------- C:\Documents and Settings\Pierre-Luc Grenier\Application Data\Download Manager
2008-02-09 20:59 . 2008-02-09 21:02 318 --ahs---- C:\WINDOWS\system32\bcbeg.ini
2008-02-09 20:58 . 2008-02-15 23:28 <REP> d-------- C:\Program Files\Drmupgds
2008-02-09 20:54 . 2008-02-10 02:08 <REP> d-------- C:\WINDOWS\system32\ver2
2008-02-09 20:54 . 2008-02-09 20:54 <REP> d-------- C:\WINDOWS\system32\jap8
2008-02-09 20:54 . 2008-02-16 18:02 <REP> d-------- C:\WINDOWS\system32\hlp6
2008-02-09 20:54 . 2008-02-10 14:04 <REP> d--hs---- C:\WINDOWS\R3Jlbmllcg
2008-02-09 20:54 . 2008-02-16 11:15 <REP> d-------- C:\Temp
2008-02-09 20:54 . 2008-02-09 20:57 <REP> d-------- C:\Program Files\RABCO
2008-02-09 16:39 . 2008-02-09 16:39 <REP> d-------- C:\Documents and Settings\Pierre-Luc Grenier\Application Data\Nitro PDF
2008-01-28 20:26 . 2008-01-28 20:27 <REP> d-------- C:\Program Files\SML
2008-01-17 15:52 . 2008-01-17 15:52 <REP> d-------- C:\Documents and Settings\Pierre-Luc Grenier\Application Data\vlc
.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-13 01:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-10 06:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-10 05:35 --------- d-----w C:\Program Files\Fichiers communs\Adobe
2008-02-10 05:31 --------- d-----w C:\Program Files\Fichiers communs\Wise Installation Wizard
2008-02-06 01:01 --------- d-----w C:\Documents and Settings\Pierre-Luc Grenier\Application Data\Azureus
2008-02-02 22:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-14 21:31 --------- d-----w C:\Documents and Settings\Pierre-Luc Grenier\Application Data\Elluminate
2008-01-08 09:48 --------- d-----w C:\Program Files\MSN Messenger
2007-12-24 03:49 --------- d-----w C:\Documents and Settings\Pierre-Luc Grenier\Application Data\CyberLink
2007-12-24 03:48 --------- d-----w C:\Program Files\Cyberlink
2007-12-24 03:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
2007-12-24 03:17 --------- d-----w C:\Program Files\Zoom Player
2005-09-09 23:55 35 ----a-w C:\Program Files\SCSSDist.ini
.
((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* les ‚l‚ments vides & les ‚l‚ments initiaux l‚gitimes ne sont pas list‚s
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseSVN]
@={30351346-7B7D-4FCC-81B4-1E394CA267EB}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseSVN]
@={30351347-7B7D-4FCC-81B4-1E394CA267EB}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseSVN]
@={30351348-7B7D-4FCC-81B4-1E394CA267EB}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseSVN]
@={3035134B-7B7D-4FCC-81B4-1E394CA267EB}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseSVN]
@={3035134C-7B7D-4FCC-81B4-1E394CA267EB}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseSVN]
@={3035134D-7B7D-4FCC-81B4-1E394CA267EB}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseSVN]
@={3035134E-7B7D-4FCC-81B4-1E394CA267EB}
[HKEY_CLASSES_ROOT\CLSID\{30351346-7B7D-4FCC-81B4-1E394CA267EB}]
2007-08-26 10:40 536576 --a------ D:\Program Files\TortoiseSVN\bin\tortoisesvn.dll
[HKEY_CLASSES_ROOT\CLSID\{30351347-7B7D-4FCC-81B4-1E394CA267EB}]
2007-08-26 10:40 536576 --a------ D:\Program Files\TortoiseSVN\bin\tortoisesvn.dll
[HKEY_CLASSES_ROOT\CLSID\{30351348-7B7D-4FCC-81B4-1E394CA267EB}]
2007-08-26 10:40 536576 --a------ D:\Program Files\TortoiseSVN\bin\tortoisesvn.dll
[HKEY_CLASSES_ROOT\CLSID\{3035134B-7B7D-4FCC-81B4-1E394CA267EB}]
2007-08-26 10:40 536576 --a------ D:\Program Files\TortoiseSVN\bin\tortoisesvn.dll
[HKEY_CLASSES_ROOT\CLSID\{3035134C-7B7D-4FCC-81B4-1E394CA267EB}]
2007-08-26 10:40 536576 --a------ D:\Program Files\TortoiseSVN\bin\tortoisesvn.dll
[HKEY_CLASSES_ROOT\CLSID\{3035134D-7B7D-4FCC-81B4-1E394CA267EB}]
2007-08-26 10:40 536576 --a------ D:\Program Files\TortoiseSVN\bin\tortoisesvn.dll
[HKEY_CLASSES_ROOT\CLSID\{3035134E-7B7D-4FCC-81B4-1E394CA267EB}]
2007-08-26 10:40 536576 --a------ D:\Program Files\TortoiseSVN\bin\tortoisesvn.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Le Petit Robert Hyperappel"="D:\Program Files\Le Robert\Le Petit Robert\prhyper.exe" [2001-10-11 11:11 22560]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 18:09 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"GBMPro7Agent"="D:\Program Files\Genie-Soft\GBMPro7\GBMAgent.exe" [2007-02-27 08:09 204800]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 20:05 344064]
"Acronis Scheduler2 Service"="C:\Program Files\Fichiers communs\Acronis\Schedule2\schedhlp.exe" [2007-02-16 17:49 149024]
"!AVG Anti-Spyware"="D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-16 17:57 249896]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"="" []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fjplbqrx]
fjplbqrx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mdc]
notification.dll 2005-05-16 14:51 294912 C:\WINDOWS\system32\notification.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^C2CMonitor.lnk]
path=C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage\C2CMonitor.lnk
backup=C:\WINDOWS\pss\C2CMonitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^Client Push.LNK]
path=C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage\Client Push.LNK
backup=C:\WINDOWS\pss\Client Push.LNKCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^Lancement rapide d'Adobe Acrobat.lnk]
path=C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage\Lancement rapide d'Adobe Acrobat.lnk
backup=C:\WINDOWS\pss\Lancement rapide d'Adobe Acrobat.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^Universite Laval Client VPN ULaval.lnk]
path=C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage\Universite Laval Client VPN ULaval.lnk
backup=C:\WINDOWS\pss\Universite Laval Client VPN ULaval.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Pierre-Luc Grenier^Menu Démarrer^Programmes^Démarrage^Anapod Manager.lnk]
path=C:\Documents and Settings\Pierre-Luc Grenier\Menu Démarrer\Programmes\Démarrage\Anapod Manager.lnk
backup=C:\WINDOWS\pss\Anapod Manager.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Pierre-Luc Grenier^Menu Démarrer^Programmes^Démarrage^RABCO - Auto Update.lnk]
path=C:\Documents and Settings\Pierre-Luc Grenier\Menu Démarrer\Programmes\Démarrage\RABCO - Auto Update.lnk
backup=C:\WINDOWS\pss\RABCO - Auto Update.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
--a------ 2007-06-11 04:25 6731312 D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
D:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
--a------ 2007-02-16 17:57 1945960 D:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CalendaMail]
--a------ 2006-02-13 15:38 685186 D:\Program Files\Emula Soft\CalendaMail\CalendaMail.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
--a------ 2005-05-19 08:47 57344 D:\Program Files\CloneCD\CloneCDTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-19 18:09 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2005-12-10 09:57 133016 D:\Program Files\DAEMON Tools\daemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Drmupgds]
C:\Program Files\Drmupgds\Drmupgds.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
--a------ 2005-06-10 04:21 217088 C:\Program Files\Microsoft IntelliPoint\point32.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-10-30 09:36 256576 D:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
--------- 2007-01-08 22:17 52256 D:\Program Files\CyberLink\PowerDVD\Language\Language.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-02-16 10:54 282624 D:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Regscan]
C:\WINDOWS\system32\regscan.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--------- 2007-03-14 21:01 71216 D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
--a------ 2007-02-16 17:45 1169776 D:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\type32]
--a------ 2005-06-10 04:24 196608 C:\Program Files\Microsoft IntelliType Pro\type32.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VC6Player]
C:\Program Files\HHVcdV6Sys\VC6Play.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WintelUpdate]
c:\exujd.exe
R2 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2005-10-14 02:53]
R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2004-12-15 14:18]
S1 4fdw;4fdw;C:\WINDOWS\system32\4fdw.dll []
S2 Apache2.2;Apache2.2;"D:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe" []
S3 ICDUSB2;Sony IC Recorder (P);C:\WINDOWS\system32\Drivers\ICDUSB2.sys [2002-11-28 20:23]
S3 msftesql$GRENIER;SQL Server FullText Search (GRENIER);"D:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\msftesql.exe" -s:MSSQL.2 []
S3 MSSQL$GRENIER;SQL Server (GRENIER);"D:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe" [2005-10-14 03:51]
S3 SNPP106;PC Camera (6029 CIF);C:\WINDOWS\system32\DRIVERS\snpp106.sys [2003-04-09 10:44]
S3 SQLAgent$GRENIER;SQL Server Agent (GRENIER);"D:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\SQLAGENT90.EXE" [2005-10-14 03:51]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"D:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" [2005-09-23 06:01]
S4 OracleOraDb10g_home1TNSListener;OracleOraDb10g_home1TNSListener;D:\oracle\product\10.1.0\Db_1\BIN\TNSLSNR []
S4 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\System32\inetsrv\inetinfo.exe [2004-08-19 18:09]
.
Contenu du dossier 'Scheduled Tasks/Tƒches planifi‚es'
"2008-02-17 18:25:08 C:\WINDOWS\Tasks\GBMPro7 Task - Data.job"
- D:\Program Files\Genie-Soft\GBMPro7\GBM7.exe
"2008-02-17 20:42:03 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- D:\Program Files\XoftSpySE\XoftSpy.exe
"2008-01-26 08:56:52 C:\WINDOWS\Tasks\XoftSpySE.job"
- D:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-17 15:42:51
Windows 5.1.2600 Service Pack 2 NTFS
Balayage processus cach‚s ...
Balayage cach‚ autostart entries ...
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Le Petit Robert Hyperappel = D:\Program Files\Le Robert\Le Petit Robert\prhyper.exe??????????????????????????????????????????????????????????????????????????????????????????????????????????\??? /??\??????????????????????|? ??\???Q??|x???m??|????????\??????|Z????????????,K????????????
Balayage des fichiers cach‚s ...
Scan termin‚ avec succŠs
Les fichiers cach‚s: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\msftesql$GRENIER]
"ImagePath"="\"D:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\msftesql.exe\" -s:MSSQL.2 -f:GRENIER"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Fichiers communs\Acronis\Schedule2\schedul2.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Fichiers communs\Autodesk Shared\Service\AdskScSrv.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
D:\Program Files\TortoiseSVN\bin\TSVNCache.exe
.
**************************************************************************
.
Temps d'accomplissement: 2008-02-17 15:46:57 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-17 20:46:55
ComboFix2.txt 2008-02-17 18:57:03
ComboFix3.txt 2008-02-16 17:48:41
ComboFix4.txt 2008-02-16 16:40:12
ComboFix5.txt 2008-02-10 15:56:02
Et le rapport Hijackthis :
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:58:24, on 2008-02-17
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Fichiers communs\Acronis\Schedule2\schedul2.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Fichiers communs\Autodesk Shared\Service\AdskScSrv.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
D:\Program Files\TortoiseSVN\bin\TSVNCache.exe
D:\Program Files\Genie-Soft\GBMPro7\GBMAgent.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Fichiers communs\Acronis\Schedule2\schedhlp.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
D:\Program Files\Le Robert\Le Petit Robert\prhyper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Pierre-Luc Grenier\Bureau\Hjt.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: &Google Notebook - {CCCCCCD3-666F-4F81-8B69-745DE9F6D897} - C:\Program Files\Google\Google Notebook\gnotes1.0.2.19-1661562677.dll
O3 - Toolbar: Google Bloc-notes - {CCCCCCDB-4DDB-4703-95D4-DD2C526397BF} - C:\Program Files\Google\Google Notebook\gnotes1.0.2.19-1661562677.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [GBMPro7Agent] D:\Program Files\Genie-Soft\GBMPro7\GBMAgent.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Fichiers communs\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [Le Petit Robert Hyperappel] D:\Program Files\Le Robert\Le Petit Robert\prhyper.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] (User 'Default user')
O8 - Extra context menu item: Convertir les liens sélectionnés en fichier Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Download with GetRight - D:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - D:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Page à noter (Google Bloc-notes) - res://C:\Program Files\Google\Google Notebook\gnotes1.0.2.19-1661562677.dll/gn_menu1.html
O8 - Extra context menu item: À noter (Google Bloc-notes) - res://C:\Program Files\Google\Google Notebook\gnotes1.0.2.19-1661562677.dll/gn_menu2.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - D:\Program Files\PartyGaming\PartyCasino\RunCasino.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - D:\Program Files\PartyGaming\PartyCasino\RunCasino.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: TruePass EPF 7,0,100,717 - https://blrscr3.egs-seg.gc.ca/apple [...] et-epf.cab
O16 - DPF: TruePass EPF 7,0,100,730 - https://blrscr3.egs-seg.gc.ca/apple [...] et-epf.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/control [...] loader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wi [...] 9785503234
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/bina [...] b56907.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (Contrôleur de DownloadManager) - http://dlm.tools.akamai.com/dlmana [...] .2.1.6.cab
O20 - Winlogon Notify: fjplbqrx - fjplbqrx.dll (file missing)
O20 - Winlogon Notify: mdc - C:\WINDOWS\SYSTEM32\notification.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Fichiers communs\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Fichiers communs\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apache2.2 - Unknown owner - D:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Fichiers communs\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - D:\Program Files\UnivLaval\cvpnd.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Fichiers communs\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\IcdSptSv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - D:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: MySQL - Unknown owner - D:\Program.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo.exe
--
End of file - 8771 bytes
Mieux ?
Répondre à Angeldark
Oui vraiment, services.exe utilise beaucoup moins d'espace mémoire et son UC est à 0!
Je vais continuer d'observer si je ne vois pas d'autres comportements bizzares.
Question, c'est quelle genre d'attaque au juste? Est-ce que je peux m'être fait voler des informations ou autres? De ce que j'ai constaté, c'est comme si des données était transféré par internet via services.exe, puisque lorsque celui-ci s'emballait, mon down/up augmentait aussi.
Dans tous les cas, je te remercie vraiment pour ton aide efficace!
A+
Tu étais victime de deux rootkits. Tiens moi au courant.
Répondre à Angeldark
Re,
J'ai refait un scan avec GMER et un des deux rootkit semble toujours présent :
GMER 1.0.14.14116 - http://www.gmer.net
Rootkit scan 2008-02-18 13:00:21
Windows 5.1.2600 Service Pack 2
---- Services - GMER 1.0.14 ----
Service system32\DRIVERS\obvious.sys (*** hidden *** ) [SYSTEM] obvious <-- ROOTKIT !!!
---- EOF - GMER 1.0.14 ----
Refais un scan Combofix.
Répondre à Angeldark
Il y a 1082 utilisateurs connus et inconnus. Pour voir la liste des connectés connus, cliquez ici.
