Virus ou panne...
Forum Sécurité - Virus : Virus ou panne...
Bonjour,
Voila on vient de me confier un pc qui ne veut plus démarrer en mode normal, il ne démarre qu'en mode sans échec. Le problème est que lorsque l'on veut démarrer en mode normal, une fois que l'icône de chargement Windows est passé, un écran bleu apparaît très succinctement et il redémarre pour m'afficher la page sur laquelle est demandé en quel mode je veux démarrer.
J'ai donc essayé de voir (en mode sans échec) si des périphériques était défaillant mais rien.
Voici le rapport hijackThis :
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:42:23, on 30/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Safe mode
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wanadoo.fr/go/page_recherche/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.fr
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.fr/0SEFRFR/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Wanadoo
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\Wanadoo\SEARCH~1.DLL
O3 - Toolbar: Barre d'outils MSN Search - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\msntb.dll
O3 - Toolbar: GamesBar - {6F282B65-56BF-4BD1-A8B2-A4449A05863D} - C:\Program Files\GamesBar\oberontb.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [NVRotateSysTray] rundll32.exe C:\WINDOWS\system32\nvsysrot.dll,Enable
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\TOSHIBA\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\Utilitaire de zoom TOSHIBA\SmoothView.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\Wanadoo\GestMaj.exe TaskBarIcon.exe
O4 - HKLM\..\Run: [XP Antispyware 2009] "C:\Program Files\XP_AntiSpyware\XP_AntiSpyware.exe" /hide
O4 - HKLM\..\Run: [AntiSpywareXP 2009] "C:\Program Files\AntiSpywareXP2009\AntiSpywareXP2009.exe" /hide
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [WOOKIT] C:\PROGRA~1\Wanadoo\Shell.exe appLaunchClientZone.shl|DEFAULT=cnx|PARAM=
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Lancement rapide de Microsoft Office OneNote 2003.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\msntb.dll/search.htm
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {1A93C934-025B-4c3a-B38E-9654A7003239} - C:\Program Files\GamesBar\oberontb.dll
O9 - Extra 'Tools' menuitem: GamesBar - {1A93C934-025B-4c3a-B38E-9654A7003239} - C:\Program Files\GamesBar\oberontb.dll
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Wanadoo - {1462651F-F4BA-4C76-A001-C4284D0FE16E} - http://www.wanadoo.fr (file missing) (HKCU)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Fichiers communs\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: France Telecom Routing Table Service (FTRTSVC) - France Telecom - C:\WINDOWS\System32\FTRTSVC.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
--
End of file - 7747 bytes.
Merci de m'aider.
Bonjour,
Télécharge MalwareByte's Anti-Malware sur ton Bureau.
Installe-le en double-cliquant sur le fichier Download_mbam-setup.exe.
Une fois l'installation et la mise à jour effectuées, redémarre en mode sans échec.
AIDE : Redémarrer en mode sans échec
- Exécute maintenant MalwareByte's Anti-Malware. Si cela n'est pas déjà fait, sélectionne "Exécuter un examen complet".
- Afin de lancer la recherche, clic sur"Rechercher".
- Une fois le scan terminé, une fenêtre s'ouvre, clic sur OK. Deux possibilités s'offrent à toi :
-- si le programme n'a rien trouvé, appuie sur OK. Un rapport va apparaître, ferme-le.
-- si des infections sont présentes, clic sur "Afficher les résultats" puis sur "Supprimer la sélection". Enregistre le rapport sur ton Bureau afin de le poster dans ta prochaine réponse.
REMARQUE : Si MalwareByte's Anti-Malware a besoin de redémarrer pour terminer la suppression, accepte en cliquant sur Ok.
AIDE : Tuto en images sur MBAM
Répondre à Angeldark
Voici le rapport mais personnellement je pence que cela vient d'ailleurs car lorsque je démarre en mode sana échec et que je laisse l'écran de veille s'affichait, il est écrit : aucun périphérique compatible Direct3D n'a été détecté (pb carte graphique????)
Malwarebytes' Anti-Malware 1.30
Version de la base de données: 1306
Windows 5.1.2600 Service Pack 3
31/10/2008 07:22:5
mbam-log-2008-10-31 (07-22-55).txt
Type de recherche: Examen complet (C:\|D:\|E:\|)
Eléments examinés: 116684
Temps écoulé: 29 minute(s), 57 second(s)
Processus mémoire infecté(s): 0
Module(s) mémoire infecté(s): 0
Clé(s) du Registre infectée(s): 11
Valeur(s) du Registre infectée(s): 3
Elément(s) de données du Registre infecté(s): 2
Dossier(s) infecté(s): 7
Fichier(s) infecté(s): 22
Processus mémoire infecté(s):
(Aucun élément nuisible détecté)
Module(s) mémoire infecté(s):
(Aucun élément nuisible détecté)
Clé(s) du Registre infectée(s):
HKEY_CLASSES_ROOT\oberontb.band (Adware.Gamesbar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{ad76633e-e50d-4844-9e7f-4dfbc7c18467} (Adware.Gamesbar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{ec1a2105-5621-440f-987d-27ef428131d9} (Adware.Gamesbar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6f282b65-56bf-4bd1-a8b2-a4449a05863d} (Adware.Gamesbar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\oberontb.band.1 (Adware.Gamesbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{1a93c934-025b-4c3a-b38e-9654a7003239} (Adware.Gamesbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\XP_Antispyware (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\antispywarexp2009 (Rogue.AntispywareXP) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Purchased Products (Rogue.Multiple) -> Quarantined and deleted successfully.
Valeur(s) du Registre infectée(s):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{6f282b65-56bf-4bd1-a8b2-a4449a05863d} (Adware.Gamesbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xp antispyware 2009 (Rogue.AntispywareXP) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\antispywarexp 2009 (Rogue.AntispywareXP) -> Quarantined and deleted successfully.
Elément(s) de données du Registre infecté(s):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\ -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\ -> Quarantined and deleted successfully.
Dossier(s) infecté(s):
C:\Program Files\AntiSpywareXP2009 (Rogue.AntispywareXP) -> Quarantined and deleted successfully.
C:\Program Files\XP_AntiSpyware (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
C:\Program Files\XP_AntiSpyware\data (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
C:\Program Files\XP_AntiSpyware\Microsoft.VC80.CRT (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Cedric Barallon\Local Settings\Temp\NI.UGA6PV_0001_N122M2910 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SalesMon (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SalesMon\Data (Rogue.Multiple) -> Quarantined and deleted successfully.
Fichier(s) infecté(s):
C:\Program Files\GamesBar\oberontb.dll (Adware.Gamesbar) -> Quarantined and deleted successfully.
C:\Program Files\ErreurChasseur\SysRep.exe (Rogue.SystemErrorFixer) -> Quarantined and deleted successfully.
C:\Program Files\AntiSpywareXP2009\Uninstall.exe (Rogue.AntispywareXP) -> Quarantined and deleted successfully.
C:\Program Files\XP_AntiSpyware\AVEngn.dll (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
C:\Program Files\XP_AntiSpyware\htmlayout.dll (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
C:\Program Files\XP_AntiSpyware\pthreadVC2.dll (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
C:\Program Files\XP_AntiSpyware\data\daily.cvd (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
C:\Program Files\XP_AntiSpyware\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
C:\Program Files\XP_AntiSpyware\Microsoft.VC80.CRT\msvcm80.dll (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
C:\Program Files\XP_AntiSpyware\Microsoft.VC80.CRT\msvcp80.dll (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
C:\Program Files\XP_AntiSpyware\Microsoft.VC80.CRT\msvcr80.dll (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Cedric Barallon\Local Settings\Temp\NI.UGA6PV_0001_N122M2910\settings.ini (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Cedric Barallon\Local Settings\Temp\NI.UGA6PV_0001_N122M2910\setup.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Cedric Barallon\Local Settings\Temp\NI.UGA6PV_0001_N122M2910\setup.len (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\delself.bat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\_scui.cpl (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wini10802.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Cedric Barallon\Application Data\Microsoft\Internet Explorer\Quick Launch\XP_AntiSpyware.lnk (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Cedric Barallon\Application Data\oxitukyf.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Cedric Barallon\Local Settings\Temporary Internet Files\ynogujaziw.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\xrg0.exe (Trojan.Zlob) -> Quarantined and deleted successfully.
On s'occupe de l'infection et après on pourra en conclure.
! Désactive tes protections résidentes (antivirus, Spybot-S&D, etc.) !
- Télécharge ComboFix (sUBs) sur ton Bureau.
- Double clique sur ComboFix.exe (le .exe n'est pas forcément visible) afin de le lancer.
- Lorsque la recherche sera terminée, un rapport apparaîtra. Poste ce rapport (C:\combofix.txt*) dans ta prochaine réponse.
AIDE : Un guide et un tutoriel sur l'utilisation de ComboFix
* le nom de la partition peut changer
Répondre à Angeldark
Excuse moi d'avoir pris de ton temps mais la personne a repris son portable.
Donc je ne peux pas continuer.
Merci et encore désolé.
Pas grave.
Répondre à Angeldark
J'ai tout de même pu récupérer le PC et donc voici le rapport :
ComboFix 08-10-31.02 - Cedric Barallon 2008-11-04 8:19:32.1 - NTFSx86
Microsoft Windows XP Professionnel 5.1.2600.3.1252.1.1036.18.662 [GMT 1:00]
.
(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Administrateur\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Documents and Settings\Cedric Barallon\Local Settings\Temporary Internet Files\bysito.dl
C:\Documents and Settings\Cedric Barallon\Local Settings\Temporary Internet Files\itenyqor.vbs
C:\Documents and Settings\Cedric Barallon\Local Settings\Temporary Internet Files\ravehu.db
C:\Documents and Settings\Cedric Barallon\Local Settings\Temporary Internet Files\wodorukido.scr
C:\Documents and Settings\Cedric Barallon\Local Settings\Temporary Internet Files\xifuxafib.lib
C:\WINDOWS\system32\drivers\TDSSpqlt.sys
C:\WINDOWS\system32\drivers\TDSSpqxt.sys
C:\WINDOWS\system32\TDSSarxx.dll
C:\WINDOWS\system32\TDSScfmm.dll
C:\WINDOWS\system32\TDSScfum.dll
C:\WINDOWS\system32\TDSSfxwp.dll
C:\WINDOWS\system32\TDSSlxcp.dll
C:\WINDOWS\system32\TDSSmqxt.dll
C:\WINDOWS\system32\TDSSmtve.dat
C:\WINDOWS\system32\TDSSnmxh.log
C:\WINDOWS\system32\TDSSnmxq.dll
C:\WINDOWS\system32\TDSSnrsr.dat
C:\WINDOWS\system32\TDSSoeqh.log
C:\WINDOWS\system32\TDSSoiqh.dll
C:\WINDOWS\system32\TDSSosvn.dll
C:\WINDOWS\system32\TDSSrdym.dll
C:\WINDOWS\system32\TDSSriqp.dll
C:\WINDOWS\system32\TDSSsahc.dll
C:\WINDOWS\system32\TDSSsihc.log
C:\WINDOWS\system32\TDSStkdv.log
C:\WINDOWS\system32\TDSSvoql.dll
C:\WINDOWS\system32\TDSSxhyf.dll
C:\WINDOWS\temp\perflib_perfdata_1cc.dat
.
((((((((((((((((((((((((((((((((((((((( Pilotes/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_TDSSserv
-------\Legacy_TDSSserv
-------\Legacy_TDSSSERV.SYS
-------\Service_TDSSserv.sys
((((((((((((((((((((((((((((( Fichiers créés du 2008-10-04 au 2008-11-04 ))))))))))))))))))))))))))))))))))))
.
2008-10-31 08:37 . 2008-03-05 15:56 3,786,760 --a------ C:\WINDOWS\system32\D3DX9_37.dll
2008-10-31 08:36 . 2008-10-31 08:36 <REP> d-------- C:\Program Files\Direct3D
2008-10-31 08:11 . 2008-10-31 08:11 <REP> d-------- C:\NVIDIA
2008-10-31 06:49 . 2008-10-31 06:49 <REP> d-------- C:\Documents and Settings\Cedric Barallon\Application Data\Malwarebytes
2008-10-31 06:49 . 2008-10-31 06:49 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-29 11:52 . 2008-10-29 11:52 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-10-29 11:17 . 2008-10-29 11:17 19,724 --a------ C:\Documents and Settings\All Users\Application Data\acygabesup.bat
2008-10-29 11:17 . 2008-10-29 11:17 18,782 --a------ C:\WINDOWS\ylar.reg
2008-10-29 11:17 . 2008-10-29 11:17 17,476 --a------ C:\WINDOWS\system32\yvujefi.dll
2008-10-29 11:17 . 2008-10-29 11:17 17,016 --a------ C:\WINDOWS\ixyhyqyc.pif
2008-10-29 11:17 . 2008-10-29 11:17 13,873 --a------ C:\WINDOWS\system32\cytiwas.lib
2008-10-29 11:17 . 2008-10-29 11:17 13,631 --a------ C:\Documents and Settings\All Users\Application Data\rycutiba.com
2008-10-29 11:17 . 2008-10-29 11:17 12,987 --a------ C:\Documents and Settings\All Users\Application Data\wenogykit.dat
2008-10-29 11:17 . 2008-10-29 11:17 12,769 --a------ C:\Documents and Settings\Cedric Barallon\Application Data\efamoly.exe
2008-10-29 11:17 . 2008-10-29 11:17 11,985 --a------ C:\Documents and Settings\Cedric Barallon\Application Data\odum.sys
2008-10-29 11:17 . 2008-10-29 11:17 10,684 --a------ C:\Program Files\Fichiers communs\ijuheq.sys
2008-10-29 11:17 . 2008-10-29 11:17 10,485 --a------ C:\WINDOWS\system32\wudetut.bin
2008-10-29 11:17 . 2008-10-29 11:17 10,249 --a------ C:\WINDOWS\system32\efiku.dl
2008-10-24 11:16 . 2008-10-15 17:35 337,408 -----c--- C:\WINDOWS\system32\dllcache\netapi32.dll
2008-10-20 20:42 . 2008-10-20 20:42 19,132 --a------ C:\WINDOWS\enovimez.inf
2008-10-20 20:42 . 2008-10-20 20:42 18,306 --a------ C:\Documents and Settings\Cedric Barallon\Application Data\soluziw.dll
2008-10-20 20:42 . 2008-10-20 20:42 18,191 --a------ C:\WINDOWS\yhum.bin
2008-10-20 20:42 . 2008-10-20 20:42 17,457 --a------ C:\WINDOWS\ywasaly.sys
2008-10-20 20:42 . 2008-10-20 20:42 16,995 --a------ C:\WINDOWS\system32\ehefesuh.db
2008-10-20 20:42 . 2008-10-20 20:42 16,575 --a------ C:\WINDOWS\izixizo.bat
2008-10-20 20:42 . 2008-10-20 20:42 16,516 --a------ C:\WINDOWS\system32\ygyqyju._sy
2008-10-20 20:42 . 2008-10-20 20:42 16,476 --a------ C:\WINDOWS\popoc.reg
2008-10-20 20:42 . 2008-10-20 20:42 14,599 --a------ C:\WINDOWS\ugugiju.reg
2008-10-20 20:42 . 2008-10-20 20:42 14,141 --a------ C:\Documents and Settings\All Users\Application Data\cynin.scr
2008-10-20 20:42 . 2008-10-20 20:42 11,521 --a------ C:\WINDOWS\epuwy.lib
2008-10-20 20:42 . 2008-10-20 20:42 11,511 --a------ C:\Program Files\Fichiers communs\ahimej.dat
2008-10-20 20:42 . 2008-10-20 20:42 10,436 --a------ C:\Documents and Settings\All Users\Application Data\akagine.com
2008-10-17 12:08 . 2008-10-20 16:50 <REP> d-------- C:\Program Files\NOS
2008-10-17 12:08 . 2008-10-20 16:50 <REP> d-------- C:\Documents and Settings\All Users\Application Data\NOS
2008-10-15 10:39 . 2008-09-08 11:41 333,824 -----c--- C:\WINDOWS\system32\dllcache\srv.sys
2008-10-15 10:38 . 2008-09-15 16:26 1,846,528 -----c--- C:\WINDOWS\system32\dllcache\win32k.sys
2008-10-15 10:37 . 2008-08-14 14:23 2,191,232 -----c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-10-15 10:37 . 2008-08-14 14:23 2,147,328 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-10-15 10:37 . 2008-08-14 14:23 2,068,096 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-10-15 10:37 . 2008-08-14 14:23 2,025,984 -----c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-10-10 18:52 . 2008-10-11 11:59 <REP> d-------- C:\Documents and Settings\Cedric Barallon\Application Data\JewelMatch2
2008-10-07 09:29 . 2008-10-07 09:29 <REP> d-------- C:\Documents and Settings\Cedric Barallon\Application Data\Icone
.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-04 07:26 --------- d-----w C:\Program Files\Wanadoo
2008-10-31 06:22 --------- d-----w C:\Program Files\GamesBar
2008-10-31 06:22 --------- d-----w C:\Program Files\ErreurChasseur
2008-10-22 19:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\GamesBar
2008-10-20 19:42 14,596 ----a-w C:\Program Files\Fichiers communs\ebiq.ban
2008-10-11 11:01 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-10 17:51 --------- d-----w C:\Program Files\Oberon Media
2008-10-05 17:37 --------- d-----w C:\Documents and Settings\Cedric Barallon\Application Data\Flood Light Games
2008-10-05 17:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Flood Light Games
2008-10-02 18:17 --------- d-----w C:\Program Files\Gamenext
2008-09-29 15:59 --------- d-----w C:\Program Files\Applications
2008-09-15 14:31 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-08 10:41 333,824 ----a-w C:\WINDOWS\system32\drivers\srv.sys
.
((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2005-04-11 65536]
"WOOKIT"="C:\PROGRA~1\Wanadoo\Shell.exe" [2004-08-23 122880]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 64512]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-05-01 7557120]
"NVRotateSysTray"="C:\WINDOWS\system32\nvsysrot.dll" [2006-05-01 49152]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 761948]
"LtMoh"="C:\Program Files\ltmoh\Ltmoh.exe" [2004-08-18 184320]
"THotkey"="C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe" [2006-08-25 356352]
"Tvs"="C:\Program Files\TOSHIBA\Tvs\TvsTray.exe" [2006-02-02 73728]
"SmoothView"="C:\Program Files\TOSHIBA\Utilitaire de zoom TOSHIBA\SmoothView.exe" [2005-05-17 118784]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-10-06 122940]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-02 802816]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-02 696320]
"WOOWATCH"="C:\PROGRA~1\Wanadoo\Watch.exe" [2004-08-23 20480]
"WOOTASKBARICON"="C:\PROGRA~1\Wanadoo\GestMaj.exe" [2004-10-14 32768]
"nwiz"="nwiz.exe" [2006-05-01 C:\WINDOWS\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-05-05 C:\WINDOWS\RTHDCPL.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-12-13 C:\WINDOWS\agrsmmsg.exe]
"TPSMain"="TPSMain.exe" [2005-08-03 C:\WINDOWS\system32\TPSMain.exe]
"NDSTray.exe"="NDSTray.exe" [BU]
"TFncKy"="TFncKy.exe" [BU]
"CFSServ.exe"="CFSServ.exe" [BU]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 15360]
C:\Documents and Settings\Cedric Barallon\Menu D‚marrer\Programmes\D‚marrage\
Lancement rapide de Microsoft Office OneNote 2003.lnk - C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-04-19 64864]
C:\Documents and Settings\All Users\Menu D‚marrer\Programmes\D‚marrage\
Adobe Gamma Loader.lnk - C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe [2007-02-28 113664]
dlbcserv.lnk - C:\Program Files\Dell Photo Printer 720\dlbcserv.exe [2008-01-15 315392]
Lancement rapide d'Adobe Reader.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2006-03-26 257752]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2006-03-13 233472]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Toshiba\\ConfigFree\\CFXFER.exe"=
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]
R3 USBSTOR;Pilote de stockage de masse USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 X10Hid;X10 Hid Device;C:\WINDOWS\system32\Drivers\x10hid.sys [2005-11-28 7040]
S3 SG760_XP;SAGEM 802.11g XG760 1211 Driver;C:\WINDOWS\system32\DRIVERS\WlanUZXP.sys [2005-07-13 260608]
.
- - - - ORPHELINS SUPPRIMES - - - -
SafeBoot-TDSSpqlt.sys
.
------- Examen supplémentaire -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.wanadoo.fr/
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
R0 -: HKCU-Main,Search Bar = hxxp://g.msn.fr/0SEFRFR/SAOS01?FORM=TOOLBR
R0 -: HKLM-Main,Start Page = hxxp://www.google.com
R1 -: HKCU-SearchURL,(Default) = hxxp://g.msn.fr/0SEFRFR/SAOS01?FORM=TOOLBR
O8 -: &MSN Search - C:\Program Files\MSN Toolbar Suite\msntb.dll/search.htm
O8 -: E&xporter vers Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-04 08:24:17
Windows 5.1.2600 Service Pack 3 NTFS
Recherche de processus cachés ...
Recherche d'éléments en démarrage automatique cachés ...
Recherche de fichiers cachés ...
Scan terminé avec succès
Fichiers cachés: 0
**************************************************************************
.
--------------------- DLLs chargées dans les processus actifs ---------------------
PROCESSUS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\nview.dll
.
------------------------ Autres processus actifs ------------------------
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\system32\FTRTSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe
C:\PROGRA~1\COMMON~1\X10\Common\X10nets.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Program Files\Toshiba\Commandes TOSHIBA\TFncKy.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Toshiba\ConfigFree\CFSServ.exe
C:\PROGRA~1\Wanadoo\TaskBarIcon.exe
C:\Program Files\Toshiba\ConfigFree\CFXFER.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
.
**************************************************************************
.
Heure de fin: 2008-11-04 8:29:24 - La machine a redémarré
ComboFix-quarantined-files.txt 2008-11-04 07:29:20
Avant-CF: 83,087,728,640 octets libres
Après-CF: 83,515,490,304 octets libres
WindowsXP-KB310994-SP2-Pro-BootDisk-FRA.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
238 --- E O F --- 2008-10-24 10:30:50
Merci
Re,
! Désactive tes protections résidentes (antivirus, Spybot-S&D, etc.) !
Copie (Ctrl+C) le texte se situant dans le cadre ci-dessous :
File::
|
Ouvre le Bloc-Notes puis colle (Ctrl+V) le texte précédemment copié.
Sauvegarde ce fichier sous le nom de "CFScript.txt" (les guillemets sont importantes).
Glisse maintenant le fichier CFScript.txt dans ComboFix.exe comme dans l'image ci-dessous :
Cela va relancer ComboFix. Après redémarrage, poste le contenu du rapport (C:\combofix.txt*) accompagné d'un rapport HijackThis.
NOTE : S'il n'y a pas de redémarrage, poste quand même les rapports demandés.
* le nom de la partition peut changer
Répondre à Angeldark
Il y a 770 utilisateurs connus et inconnus. Pour voir la liste des connectés connus, cliquez ici.
