Virus problem (hacktool.rootkit?)

Tom's Guide forum, Security - Virus section
 

Hello,
I am desperately trying to save what is left of my PC...
I believe I had hacktool.rootkit (thanks, NAV...), so I ran Ad-Aware, a2, AVG and Spybot scans, and now my PC crawls, error messages pop up at every action... and an XPsecuser tries to install itself every second...
Mayday Mayday....

I am attaching the HijackThis log; if someone can help me I would be grateful.

Thanks in advance

Logfile of HijackThis v1.99.1
Scan saved at 16:43:23, on 20/06/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Panicware\Pop-Up Stopper\dpps2.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\braviax.exe
D:\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
D:\a-squared Anti-Malware\a2service.exe
D:\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Patator\Bureau\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O3 - Toolbar: (no name) - {B245B1AD-F282-4928-A4E5-0A9DBE0671DD} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Windows Messenger] msmsgs.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\Program Files\Panicware\Pop-Up Stopper\dpps2.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NWEReboot] C:\WINDOWS\UNWmaNMix.exe /REMOVE="C:\DOCUME~1\Patator\LOCALS~1\Temp\RarSFX0"
O4 - HKLM\..\Run: [braviax] braviax.exe
O4 - HKLM\..\Run: [a-squared] "D:\a-squared Anti-Malware\a2guard.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\RunServices: [Windows Messenger] msmsgs.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Windows Messenger] msmsgs.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\RunServices: [microsoft-software] vvib.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Logiciels\Office\Office10\OSA.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://E:\LOGICI~1\Office\Office10\EXCEL.EXE/3000
O9 - Extra button: NoPopup - {09F0E7C2-01B0-4672-B81C-6471CFAD213E} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft. [...] 5951224124
O16 - DPF: {B79A53C0-1DAC-4636-BACE-FD086A7A79BF} (AdSignerLCContrl Class) - https://static.impots.gouv.fr/tdir/ [...] DP-1.1.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\cru629.dat
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - D:\a-squared Anti-Malware\a2service.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Microsoft ASPI Manager (aspimgr) - Unknown owner - C:\WINDOWS\System32\aspimgr.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: FireDaemon Service: eventsec (eventsec) - Unknown owner - C:\winnt\system32\dllcache\FireDaemon.EXE (file missing)
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: FireDaemon Service: ntsysvers (ntsysvers) - Unknown owner - C:\winnt\system32\dllcache\FireDaemon.EXE (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe


Hello,

Download ComboFix (by sUBs) to your Desktop.

  • Temporarily disable all resident protection! (antivirus, antispyware...)
  • Double-click ComboFix.exe.
  • Accept the licence by clicking Yes.
  • When the operation is finished, a report will appear. Post that report in your next reply.


The report is located here: %systemdrive%\ComboFix.txt (%systemdrive% being the partition where Windows is installed; usually C:\)

Help: How to use ComboFix.


Anyway, thanks for your help, because I am a real dunce with computers...

I just ran the ComboFix scan.
Here is the report:

ComboFix 08-06-20.4 - Patator 2008-06-21 12:27:25.1 - FAT32x86
Microsoft Windows XP Professionnel 5.1.2600.1.1252.1.1036.18.62 [GMT 2:00]
Endroit: C:\Documents and Settings\Patator\Bureau\ComboFix.exe
* Création d'un nouveau point de restauration

AVERTISSEMENT - LA CONSOLE DE RÉCUPÉRATION N'EST PAS INSTALLÉE SUR CETTE MACHINE !!
.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Starware354
C:\Documents and Settings\All Users\Application Data\Starware354\buttons\FindIt.bmp
C:\Documents and Settings\All Users\Application Data\Starware354\buttons\FindItHot.bmp
C:\Documents and Settings\All Users\Application Data\Starware354\buttons\findithotxp.png
C:\Documents and Settings\All Users\Application Data\Starware354\buttons\finditxp.png
C:\Documents and Settings\All Users\Application Data\Starware354\buttons\Highlight.bmp
C:\Documents and Settings\All Users\Application Data\Starware354\buttons\HighlightHot.bmp
C:\Documents and Settings\All Users\Application Data\Starware354\buttons\highlighthotxp.png
C:\Documents and Settings\All Users\Application Data\Starware354\buttons\highlightxp.png
C:\Documents and Settings\All Users\Application Data\Starware354\buttons\recipes.bmp
C:\Documents and Settings\All Users\Application Data\Starware354\buttons\recipes.png
C:\Documents and Settings\All Users\Application Data\Starware354\buttons\recipes_foreign_feed.bmp
C:\Documents and Settings\All Users\Application Data\Starware354\buttons\recipes_foreign_feed.png
C:\Documents and Settings\All Users\Application Data\Starware354\buttons\starware_toolbar_icon.bmp
C:\Documents and Settings\All Users\Application Data\Starware354\contexts\error.xml
C:\Documents and Settings\All Users\Application Data\Starware354\contexts\related.xml
C:\Documents and Settings\All Users\Application Data\Starware354\contexts\Travel.xml
C:\Documents and Settings\All Users\Application Data\Starware354\SimpleUpdate\ProductMessagingConfig.xml
C:\Documents and Settings\All Users\Application Data\Starware354\SimpleUpdate\ProductMessagingConfig.xml.backup
C:\Documents and Settings\All Users\Application Data\Starware354\SimpleUpdate\SimpleUpdateConfig.xml
C:\Documents and Settings\All Users\Application Data\Starware354\SimpleUpdate\SimpleUpdateConfig.xml.backup
C:\Documents and Settings\All Users\Application Data\Starware354\SimpleUpdate\TimerManagerConfig.xml
C:\Documents and Settings\All Users\Application Data\Starware354\SimpleUpdate\TimerManagerConfig.xml.backup
C:\Documents and Settings\Patator\Local Settings\Temporary Internet Files\enyxoz.bat
C:\Documents and Settings\Patator\Local Settings\Temporary Internet Files\kojo.ban
C:\Documents and Settings\Patator\Local Settings\Temporary Internet Files\yvufuwo.vbs
C:\WINDOWS\braviax.exe
C:\WINDOWS\g32.txt
C:\WINDOWS\s32.txt
C:\WINDOWS\system32\braviax.exe
C:\WINDOWS\system32\cru629.dat
C:\WINDOWS\system32\DelSelf.bat
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\uninstall.exe
C:\WINDOWS\system32\winivstr.exe
C:\WINDOWS\ws386.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ASPIMGR
-------\Legacy_ROFL
-------\Service_aspimgr


((((((((((((((((((((((((((((( Fichiers créés 2008-05-21 to 2008-06-21 ))))))))))))))))))))))))))))))))))))
.

2008-06-19 21:49 . 2008-06-19 21:49 <REP> d--hs---- C:\FOUND.000
2008-06-19 21:32 . 2008-06-19 21:32 <REP> d-------- C:\Documents and Settings\Patator\Application Data\Grisoft
2008-06-19 21:32 . 2007-05-30 14:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-06-19 21:31 . 2008-06-19 21:31 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-06-19 21:26 . 2008-06-19 21:26 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-19 21:24 . 2008-06-19 21:24 <REP> d-------- C:\Program Files\Fichiers communs\Wise Installation Wizard
2008-06-19 20:31 . 2008-06-19 20:31 <REP> d-------- C:\fsaua.data
2008-06-17 19:42 . 2008-06-17 19:42 19,299 --a------ C:\WINDOWS\perorun.dll
2008-06-17 19:42 . 2008-06-17 19:42 17,769 --a------ C:\WINDOWS\kigymyry.sys
2008-06-17 19:42 . 2008-06-17 19:42 17,578 --a------ C:\WINDOWS\system32\gybyxas.bat
2008-06-17 19:42 . 2008-06-17 19:42 17,472 --a------ C:\WINDOWS\system32\ykylag.scr
2008-06-17 19:42 . 2008-06-17 19:42 16,258 --a------ C:\WINDOWS\igemi.exe
2008-06-17 19:42 . 2008-06-17 19:42 15,883 --a------ C:\WINDOWS\uzaq.bin
2008-06-17 19:42 . 2008-06-17 19:42 14,001 --a------ C:\WINDOWS\system32\yqaxidex.vbs
2008-06-17 19:42 . 2008-06-17 19:42 12,285 --a------ C:\Documents and Settings\All Users\Application Data\uwex.pif
2008-06-17 19:42 . 2008-06-17 19:42 11,545 --a------ C:\WINDOWS\tyna.com
2008-06-17 19:42 . 2008-06-17 19:42 11,082 --a------ C:\WINDOWS\suqyzofiqa.exe

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-16 09:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-12 17:41 --------- d-----w C:\Program Files\Samsung
2008-04-29 09:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 09:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 09:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2006-12-28 20:05 17,232 ----a-w C:\Documents and Settings\Patator\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 11:45 13312]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2004-05-12 01:03 1038336]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 12:55 5674352]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"microsoft-software"="vvib.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Messenger"="msmsgs.exe" []
"vptray"="C:\Program Files\NavNT\vptray.exe" [2001-09-26 18:06 73728]
"Pop-Up Stopper"="C:\Program Files\Panicware\Pop-Up Stopper\dpps2.exe" [2003-01-14 01:43 868352]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"WINDVDPatch"="CTHELPER.EXE" [2002-07-02 17:56 24576 C:\WINDOWS\system32\CTHELPER.EXE]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"Jet Detection"="C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 01:00 28672]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2006-03-16 11:34 755480]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41 49152]
"a-squared"="D:\a-squared Anti-Malware\a2guard.exe" [2008-06-03 12:37 2131600]
"!AVG Anti-Spyware"="D:\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 11:25 6731312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Windows Messenger"="msmsgs.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 11:45 13312]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2003-04-14 19:30 1491216]
"Windows Messenger"="msmsgs.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Windows Messenger"="msmsgs.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunServices]
"microsoft-software"="qtzs.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.DIVF"= DivX412.dll
"vidc.ffds"= C:\WINDOWS\system32\ffdshow.ax

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

S3 ATIVRVXX;ATI Rage Theatre Video (ATIRTCAP);C:\WINDOWS\System32\DRIVERS\atirtcap.sys [2001-08-17 20:49]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-21 12:32:40
Windows 5.1.2600 Service Pack 1 FAT NTAPI

Balayage processus cachés ...

Balayage caché autostart entries ...

Balayage des fichiers cachés ...

Scan terminé avec succès
Les fichiers cachés: 0

**************************************************************************
.
--------------------- DLLs a chargé sous des processus courants ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
-> C:\WINDOWS\System32\NavLogon.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\Panicware\Pop-Up Stopper\DPHOOK32.DLL
-> C:\WINDOWS\PANICNT.dll
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRAM FILES\LAVASOFT\AD-AWARE\AAWSERVICE.EXE
D:\a-squared Anti-Malware\a2service.exe
D:\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\Program Files\NavNT\VPC32.EXE
C:\Program Files\NavNT\vpdn_lu.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\PROGRA~1\Symantec\LIVEUP~1\LUALL.EXE
.
**************************************************************************
.
Temps d'accomplissement: 2008-06-21 12:39:02 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-21 10:38:52

Pre-Run: 460,029,952 octets libres
Post-Run: 666,681,344 octets libres


Needless to say, I don't understand much of it.

Thanks again for your help!


Re,

Select the whole frame below:

Collect::
C:\WINDOWS\suqyzofiqa.exe
C:\WINDOWS\perorun.dll
C:\WINDOWS\kigymyry.sys
C:\WINDOWS\system32\gybyxas.bat
C:\WINDOWS\system32\ykylag.scr
C:\WINDOWS\igemi.exe
C:\WINDOWS\uzaq.bin
C:\WINDOWS\system32\yqaxidex.vbs
C:\Documents and Settings\All Users\Application Data\uwex.pif
C:\WINDOWS\tyna.com

Folder::
C:\FOUND.000

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"microsoft-software"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Messenger"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Windows Messenger"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Messenger"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Windows Messenger"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunServices]
"microsoft-software"=-



  • Copy/paste it into Notepad (Start\All Programs\Accessories\Notepad.)
  • Save it to your desktop under the name CFScript.txt
  • Now drag the CFScript.txt file onto ComboFix.exe as shown below:

http://i266.photobucket.com/albums/ii277/sUBs_/CFScript.gif

  • This will relaunch ComboFix. Post the contents of the ComboFix.txt report after the reboot, if there is one.

This will relaunch ComboFix. After the reboot, post the contents of the ComboFix.txt report.
If there is no reboot, post the report anyway.

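As an added example (my own code, not something from this thread or from the HijackThis/ComboFix authors), the Python below applies the same triage the helper did by eye to a few lines copied from the HijackThis log above: it flags autostart entries whose target is a bare file name, anything under the Win9x-only RunServices key, an AppInit_DLLs value that is not a .dll, and a service whose binary is missing, then emits the Registry:: block of a ComboFix CFScript for the flagged Run values. The heuristics and the Finding type are assumptions of mine; the hive expansions are the standard paths HijackThis abbreviates.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Full registry paths behind the hive abbreviations HijackThis prints in O4 lines.
HIVES = {
    "HKLM": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion",
    "HKCU": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion",
}
# O4 - HKLM\..\Run: [ValueName] target
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]+)\] (.*)$")

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [braviax] braviax.exe
O4 - HKLM\..\RunServices: [Windows Messenger] msmsgs.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\RunServices: [microsoft-software] vvib.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\cru629.dat
O23 - Service: Microsoft ASPI Manager (aspimgr) - Unknown owner - C:\WINDOWS\System32\aspimgr.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
"""


@dataclass
class Finding:  # hypothetical type for one flagged log line
    line: str
    reason: str
    reg_key: str = ""   # full registry key, only for O4 entries
    value: str = ""     # value name under that key, only for O4 entries


def _has_path(target: str) -> bool:
    # A legitimate autostart target normally carries a drive path (possibly quoted)
    # or an environment variable; a bare file name is looked up at load time.
    return re.match(r'^"?(?:[A-Za-z]:\\|%)', target) is not None


def triage_hjt(log_text: str) -> List[Finding]:
    """Return the log lines a reviewer should look at first, with the reason."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        line = line.rstrip()
        m = O4_RE.match(line)
        if m:
            hive, subkey, name, target = m.groups()
            key = HIVES[hive] + "\\" + subkey
            if subkey.startswith("RunServices"):
                # RunServices is only processed by Windows 9x/Me; on XP a populated
                # entry there is a leftover that something wrote deliberately.
                findings.append(Finding(line, "RunServices key is not used by Windows XP", key, name))
            elif not _has_path(target):
                findings.append(Finding(line, "autostart target is a bare file name with no path", key, name))
        elif line.startswith("O20 - AppInit_DLLs:"):
            dll = line.split(":", 1)[1].strip()
            if not dll.lower().endswith(".dll"):
                findings.append(Finding(line, "AppInit_DLLs loads a file without a .dll extension"))
        elif line.startswith("O23 - Service:") and "(file missing)" in line:
            findings.append(Finding(line, "service points to a missing binary"))
    return findings


def cfscript_registry(findings: List[Finding]) -> str:
    """Emit the Registry:: section of a CFScript deleting the flagged Run values."""
    by_key: Dict[str, List[str]] = {}
    for f in findings:
        if f.reg_key:
            by_key.setdefault(f.reg_key, []).append(f.value)
    if not by_key:
        return ""
    out = ["Registry::"]
    for key, names in by_key.items():
        out.append(f"[{key}]")
        out.extend(f'"{n}"=-' for n in names)   # "name"=- deletes the value
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    found = triage_hjt(SAMPLE_LOG)
    for f in found:
        print(f"{f.reason}: {f.line}")
    print(cfscript_registry(found))
```

The flagged list is a starting point for a reviewer, not a verdict: a legitimate bare-name entry such as CTHELPER.EXE would be flagged too and has to be checked against the resolved path ComboFix prints.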

There was no reboot, but here is the contents of ComboFix.txt:

ComboFix 08-06-20.4 - Patator 2008-06-21 13:40:59.2 - FAT32x86
Microsoft Windows XP Professionnel 5.1.2600.1.1252.1.1036.18.51 [GMT 2:00]
Endroit: C:\Documents and Settings\Patator\Bureau\ComboFix.exe
Command switches used :: C:\Documents and Settings\Patator\Bureau\CFScript.txt
* Création d'un nouveau point de restauration

AVERTISSEMENT - LA CONSOLE DE RÉCUPÉRATION N'EST PAS INSTALLÉE SUR CETTE MACHINE !!
.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\uwex.pif
C:\FOUND.000
C:\FOUND.000\FILE0000.CHK
C:\FOUND.000\FILE0001.CHK
C:\WINDOWS\igemi.exe
C:\WINDOWS\kigymyry.sys
C:\WINDOWS\perorun.dll
C:\WINDOWS\suqyzofiqa.exe
C:\WINDOWS\system32\gybyxas.bat
C:\WINDOWS\system32\ykylag.scr
C:\WINDOWS\system32\yqaxidex.vbs
C:\WINDOWS\tyna.com
C:\WINDOWS\uzaq.bin

.
((((((((((((((((((((((((((((( Fichiers créés 2008-05-21 to 2008-06-21 ))))))))))))))))))))))))))))))))))))
.

2008-06-19 21:32 . 2008-06-19 21:32 <REP> d-------- C:\Documents and Settings\Patator\Application Data\Grisoft
2008-06-19 21:32 . 2007-05-30 14:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-06-19 21:31 . 2008-06-19 21:31 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-06-19 21:26 . 2008-06-19 21:26 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-19 21:24 . 2008-06-19 21:24 <REP> d-------- C:\Program Files\Fichiers communs\Wise Installation Wizard
2008-06-19 20:31 . 2008-06-19 20:31 <REP> d-------- C:\fsaua.data

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-16 18:12 13,270,549 ------w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-05-16 09:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-12 17:41 --------- d-----w C:\Program Files\Samsung
2008-04-29 09:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 09:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 09:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2006-12-28 20:05 17,232 ----a-w C:\Documents and Settings\Patator\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot@2008-06-21_12.36.41.26 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-21 10:18:34 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-06-21 10:31:46 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-06-21 10:18:34 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Historique\History.IE5\index.dat
+ 2008-06-21 10:31:46 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Historique\History.IE5\index.dat
- 2008-06-21 10:18:34 360,448 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-06-21 10:39:18 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 11:45 13312]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2004-05-12 01:03 1038336]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 12:55 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="C:\Program Files\NavNT\vptray.exe" [2001-09-26 18:06 73728]
"Pop-Up Stopper"="C:\Program Files\Panicware\Pop-Up Stopper\dpps2.exe" [2003-01-14 01:43 868352]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"WINDVDPatch"="CTHELPER.EXE" [2002-07-02 17:56 24576 C:\WINDOWS\system32\CTHELPER.EXE]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"Jet Detection"="C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 01:00 28672]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2006-03-16 11:34 755480]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41 49152]
"a-squared"="D:\a-squared Anti-Malware\a2guard.exe" [2008-06-03 12:37 2131600]
"!AVG Anti-Spyware"="D:\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 11:25 6731312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 11:45 13312]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2003-04-14 19:30 1491216]

C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage\
Microsoft Office.lnk - E:\Logiciels\Office\Office10\OSA.EXE [2001-02-13 09:01:04 83360]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22 288472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.DIVF"= DivX412.dll
"vidc.ffds"= C:\WINDOWS\system32\ffdshow.ax

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

S2 eventsec;FireDaemon Service: eventsec;C:\winnt\system32\dllcache\FireDaemon.EXE []
S2 ntsysvers;FireDaemon Service: ntsysvers;C:\winnt\system32\dllcache\FireDaemon.EXE []
S3 ATIVRVXX;ATI Rage Theatre Video (ATIRTCAP);C:\WINDOWS\System32\DRIVERS\atirtcap.sys [2001-08-17 20:49]

*Newly Created Service* - MCHINJDRV
*Newly Created Service* - NAVAP
*Newly Created Service* - NAVENG
*Newly Created Service* - NAVEX15
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-21 13:44:42
Windows 5.1.2600 Service Pack 1 FAT NTAPI

Balayage processus cachés ...

Balayage caché autostart entries ...

Balayage des fichiers cachés ...

Scan terminé avec succès
Les fichiers cachés: 0

**************************************************************************
.
--------------------- DLLs a chargé sous des processus courants ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
-> C:\WINDOWS\System32\NavLogon.dll
.
Temps d'accomplissement: 2008-06-21 13:46:01
ComboFix-quarantined-files.txt 2008-06-21 11:45:54
ComboFix2.txt 2008-06-21 10:39:08

Pre-Run: 621,961,216 octets libres
Post-Run: 622,243,840 octets libres



Re,

Select the whole frame below:

Driver::
eventsec
ntsysvers
NAVAP
NAVENG
NAVEX15

Folder::
C:\Program Files\NavNT



  • Copy/paste it into Notepad (Start\All Programs\Accessories\Notepad.)
  • Save it to your desktop under the name CFScript.txt
  • Now drag the CFScript.txt file onto ComboFix.exe as shown below:

http://i266.photobucket.com/albums/ii277/sUBs_/CFScript.gif

  • This will relaunch ComboFix. Post the contents of the ComboFix.txt report after the reboot, if there is one.

This will relaunch ComboFix. After the reboot, post the contents of the ComboFix.txt report.
If there is no reboot, post the report anyway.


Done!
Thanks for your patience!

Attached is the ComboFix report:

ComboFix 08-06-20.4 - Patator 2008-06-21 15:31:23.3 - FAT32x86
Microsoft Windows XP Professionnel 5.1.2600.1.1252.1.1036.18.58 [GMT 2:00]
Endroit: C:\Documents and Settings\Patator\Bureau\ComboFix.exe
Command switches used :: C:\Documents and Settings\Patator\Bureau\CFScript.txt
* Création d'un nouveau point de restauration

AVERTISSEMENT - LA CONSOLE DE RÉCUPÉRATION N'EST PAS INSTALLÉE SUR CETTE MACHINE !!
.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\NavNT
C:\Program Files\NavNT\NavInsNT.dll
C:\Program Files\NavNT\navlu.dll
C:\Program Files\NavNT\navntutl.dll
C:\Program Files\NavNT\NAVRoam.exe
C:\Program Files\NavNT\navustub.exe
C:\Program Files\NavNT\nnewdefs.dll
C:\Program Files\NavNT\patch32i.dll
C:\Program Files\NavNT\platform.dat
C:\Program Files\NavNT\qscomm32.dll
C:\Program Files\NavNT\qsinfo.dll
C:\Program Files\NavNT\qspak32.dll
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\NavNT\s32luhl1.dll
C:\Program Files\NavNT\S32NAVQ.DLL
C:\Program Files\NavNT\scancfg.dat
C:\Program Files\NavNT\SCANDLVR.DLL
C:\Program Files\NavNT\scandres.dll
C:\Program Files\NavNT\sdflt32i.dll
C:\Program Files\NavNT\sdpck32i.dll
C:\Program Files\NavNT\sdsnd32i.dll
C:\Program Files\NavNT\sdsok32i.dll
C:\Program Files\NavNT\sdstp32i.dll
C:\Program Files\NavNT\Smstr32i.dll
C:\Program Files\NavNT\symamg32.dll
C:\Program Files\NavNT\SymClnUp.exe
C:\Program Files\NavNT\symlha.dll
C:\Program Files\NavNT\vpc32.exe
C:\Program Files\NavNT\vpdebug.log
C:\Program Files\NavNT\vpdn_lu.exe
C:\Program Files\NavNT\vpmsece.dll
C:\Program Files\NavNT\vptray.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_EVENTSEC
-------\Legacy_NAVAP
-------\Legacy_NAVENG
-------\Legacy_NAVEX15
-------\Legacy_NTSYSVERS
-------\Service_eventsec
-------\Service_NAVAP
-------\Service_NAVENG
-------\Service_NAVEX15
-------\Service_ntsysvers
-------\Legacy_DefWatch
-------\Service_DefWatch


((((((((((((((((((((((((((((( Files Created From 2008-05-21 to 2008-06-21 ))))))))))))))))))))))))))))))))))))
.

2008-06-19 21:32 . 2008-06-19 21:32 <DIR> d-------- C:\Documents and Settings\Patator\Application Data\Grisoft
2008-06-19 21:32 . 2007-05-30 14:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-06-19 21:31 . 2008-06-19 21:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-06-19 21:26 . 2008-06-19 21:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-19 21:24 . 2008-06-19 21:24 <DIR> d-------- C:\Program Files\Fichiers communs\Wise Installation Wizard
2008-06-19 20:31 . 2008-06-19 20:31 <DIR> d-------- C:\fsaua.data

.
(((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-16 09:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-12 17:41 --------- d-----w C:\Program Files\Samsung
2008-04-29 09:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 09:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 09:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2006-12-28 20:05 17,232 ----a-w C:\Documents and Settings\Patator\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot@2008-06-21_12.36.41.26 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-21 10:31:46 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-21 13:38:02 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-06-21 10:18:34 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-06-21 10:31:46 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-06-21 10:18:34 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Historique\History.IE5\index.dat
+ 2008-06-21 10:31:46 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Historique\History.IE5\index.dat
- 2008-06-21 10:18:34 360,448 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-06-21 10:39:18 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 11:45 13312]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2004-05-12 01:03 1038336]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 12:55 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="C:\Program Files\NavNT\vptray.exe" [ ]
"Pop-Up Stopper"="C:\Program Files\Panicware\Pop-Up Stopper\dpps2.exe" [2003-01-14 01:43 868352]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"WINDVDPatch"="CTHELPER.EXE" [2002-07-02 17:56 24576 C:\WINDOWS\system32\CTHELPER.EXE]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"Jet Detection"="C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 01:00 28672]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2006-03-16 11:34 755480]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41 49152]
"a-squared"="D:\a-squared Anti-Malware\a2guard.exe" [2008-06-03 12:37 2131600]
"!AVG Anti-Spyware"="D:\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 11:25 6731312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 11:45 13312]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2003-04-14 19:30 1491216]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.DIVF"= DivX412.dll
"vidc.ffds"= C:\WINDOWS\system32\ffdshow.ax

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

S3 ATIVRVXX;ATI Rage Theatre Video (ATIRTCAP);C:\WINDOWS\System32\DRIVERS\atirtcap.sys [2001-08-17 20:49]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-21 15:38:57
Windows 5.1.2600 Service Pack 1 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
-> C:\WINDOWS\System32\NavLogon.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\Panicware\Pop-Up Stopper\DPHOOK32.DLL
-> C:\WINDOWS\PANICNT.dll
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRAM FILES\LAVASOFT\AD-AWARE\AAWSERVICE.EXE
D:\a-squared Anti-Malware\a2service.exe
D:\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
.
**************************************************************************
.
Completion time: 2008-06-21 15:45:21 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-21 13:45:02
ComboFix3.txt 2008-06-21 10:39:08
ComboFix2.txt 2008-06-21 11:46:04

Pre-Run: 587,309,056 bytes free
Post-Run: 505,491,456 bytes free


Reply to Pouet_46

Re,

Post a new HijackThis report.

------------------------------ >> Centre de Formation Helpers <<
Reply to XmichouX

Attached is the new HijackThis report:

Logfile of HijackThis v1.99.1
Scan saved at 18:09:00, on 22/06/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Panicware\Pop-Up Stopper\dpps2.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
D:\a-squared Anti-Malware\a2guard.exe
D:\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
D:\a-squared Anti-Malware\a2service.exe
C:\WINDOWS\System32\alg.exe
D:\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Patator\Bureau\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O3 - Toolbar: (no name) - {B245B1AD-F282-4928-A4E5-0A9DBE0671DD} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\Program Files\Panicware\Pop-Up Stopper\dpps2.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [a-squared] "D:\a-squared Anti-Malware\a2guard.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = E:\Logiciels\Office\Office10\OSA.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://E:\LOGICI~1\Office\Office10\EXCEL.EXE/3000
O9 - Extra button: NoPopup - {09F0E7C2-01B0-4672-B81C-6471CFAD213E} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft. [...] 5951224124
O16 - DPF: {B79A53C0-1DAC-4636-BACE-FD086A7A79BF} (AdSignerLCContrl Class) - https://static.impots.gouv.fr/tdir/ [...] DP-1.1.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - D:\a-squared Anti-Malware\a2service.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Unknown owner - C:\Program Files\NavNT\rtvscan.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

Reply to Pouet_46

Re,

Open Spybot, click the Mode tab and choose Advanced Mode
Ignore the warning
At the bottom left, click Tools
Still in the left-hand column, click Resident (not in the central window)
And untick the Resident "TeaTimer" option (you can tick it again once we are done)

***********

Relaunch HijackThis (right-click -> run as administrator on Vista), do a system scan only, tick these lines (if still present):

O3 - Toolbar: (no name) - {B245B1AD-F282-4928-A4E5-0A9DBE0671DD} - (no file)
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Logiciels\Office\Office10\OSA.EXE


Close all running applications (especially your web browser).
Then Fix Checked!

************

Download and run: http://service1.symantec.com/SUPPO [...] 4110429924

------------------------------ >> Centre de Formation Helpers <<
Reply to XmichouX
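As an added example (not part of this thread, and not code from HijackThis, ComboFix or Symantec), here is a small Python triage script that encodes the first things a helper looks at in a report like the one Pouet_46 posted above, and that XmichouX's fix list acts on: entries whose file is gone (HijackThis marks these "(no file)" or "(file missing)"), Run values that name a bare executable with no directory (the loader finds it through the PATH search order at logon, so you must confirm which file actually runs), unquoted paths containing spaces, and Winlogon Notify DLLs, which load into winlogon.exe as SYSTEM. The sample lines are copied from the posted report; the finding names and the heuristics are the example's own. Only orphaned entries are returned as automatic "Fix checked" candidates; the other lines in the helper's list are judgement calls this script does not make.

```python
"""Triage a HijackThis v1.99 report: flag the startup entries a helper checks first.

Added example for the forum thread, not HijackThis or ComboFix code.
SAMPLE_LOG is a subset of the posted report (copied verbatim, raw string so
backslashes are literal); the finding tags and heuristics are this example's own.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
O3 - Toolbar: (no name) - {B245B1AD-F282-4928-A4E5-0A9DBE0671DD} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\Program Files\Panicware\Pop-Up Stopper\dpps2.exe"
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Logiciels\Office\Office10\OSA.EXE
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Unknown owner - C:\Program Files\NavNT\rtvscan.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
"""


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section code ("O4", "O23", ...)
    reason: str   # short tag assigned by triage()
    line: str     # the report line, unchanged


_ENTRY_RE = re.compile(r"^(O\d+|R\d|F\d)\s+-\s+(.*)$")
# First executable-looking token of a command line, quoted or not.
_EXE_RE = re.compile(r'^"?(.*?\.(?:exe|com|bat|cmd|scr|ocx|dll))"?(?=\s|$)', re.IGNORECASE)


def target_of(section: str, body: str) -> str:
    """Return the file/command part of one entry body."""
    if section == "O4":
        m = re.match(r".*?:\s*\[[^\]]*\]\s*(.*)$", body)  # HKLM\..\Run: [name] command
        if m is None:
            m = re.match(r".*?=\s*(.*)$", body)           # Global Startup: x.lnk = path
        return m.group(1).strip() if m else body
    return body.rsplit(" - ", 1)[-1].strip()              # O3/O9/O20/O23: last " - " field


def exe_path(command: str) -> str:
    """Strip quotes and arguments from a Run command; '' if nothing executable."""
    m = _EXE_RE.match(command.strip())
    return m.group(1) if m else ""


def triage(report: str) -> list[Finding]:
    out: list[Finding] = []
    for raw in report.splitlines():
        line = raw.strip()
        m = _ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.groups()
        target = target_of(section, body)
        if target == "(no file)" or target.endswith("(file missing)"):
            # HijackThis's own markers: still registered, but the file is gone.
            out.append(Finding(section, "orphan", line))
        elif section == "O20":
            # Winlogon Notify DLLs are loaded into winlogon.exe as SYSTEM: confirm the vendor.
            out.append(Finding(section, "winlogon-notify", line))
        elif section == "O4":
            path = exe_path(target)
            if path and "\\" not in path:
                # No directory at all: resolved through the PATH search order at logon.
                out.append(Finding(section, "bare-name", line))
            elif " " in path and not target.startswith('"'):
                # CreateProcess tries C:\Program.exe before C:\Program Files\...\x.exe;
                # low severity unless an attacker can create a file earlier in that sequence.
                out.append(Finding(section, "unquoted", line))
    return out


def summary(findings: list[Finding]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.reason] = counts.get(f.reason, 0) + 1
    return counts


def fix_candidates(findings: list[Finding]) -> list[str]:
    """Lines safe to 'Fix checked': the file they point at no longer exists."""
    return [f.line for f in findings if f.reason == "orphan"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason:16} {f.line}")
```

Run it on a full report by reading the file into `triage()`. On the sample it returns the orphaned "(no name)" O3 toolbar from the helper's fix list and the missing rtvscan.exe service binary as fix candidates, and separately flags `CTHELPER.EXE` (no path at all) and the three unquoted Run values; the quoted AVG entry with its `/minimized` argument is parsed correctly and not flagged.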