Infection multiple: win32.mutant.yf / trojan.pandex + malware
Forum Sécurité - Virus : Infection multiple: win32.mutant.yf / trojan.pandex + malware
Bonsoir à tous,
Je suis semble-t-il victime d'une infection multiple au trojan.mutant.yf et trojan pandex (identiques ?) ainsi que du malware winctrl32.dll
Malgréplusieurs tentatives je n'arrive pas à me défaire de ces 2 virus qui travaillent coinjointement apparement...
Merci beaucoup de m'aider car je désespère...!
JF
Bonjour,
Télécharge puis installe Hijackthis (Trend Micro)
Poste ensuite un rapport dans ta prochaine réponse.
AIDE : Comment utiliser Hijackthis v2.0.2
Répondre à Angeldark
Merci pour la réponse, voici le rapport (désolé un peu long) :-(
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19.17.16, on 07/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\Programmi\CoSine Communications\IPSec Dial Client\IPSecMon.exe
C:\Programmi\CoSine Communications\IPSec Dial Client\IreIKE.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\Programmi\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Equant\Dialer\EACSvrMngr.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\Programmi\Symantec AntiVirus\SavRoam.exe
C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Programmi\Symantec AntiVirus\Rtvscan.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Programmi\TomTom HOME\TomTomHOME.exe
C:\Programmi\QuickTime\qttask.exe
C:\Programmi\Java\jre1.6.0_07\bin\jusched.exe
C:\Programmi\HPQ\SHARED\HPQWMI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Microsoft ActiveSync\wcescomm.exe
C:\Programmi\Messenger\msmsgs.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\Programmi\WIDCOMM\Software Bluetooth\BTTray.exe
C:\Programmi\CoSine Communications\IPSec Dial Client\SafeCfg.exe
C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\Update0809191255.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://goldreloaded/default.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://goldreloaded/default.aspx
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by INTERBULK TRADING SA
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.int.itcgr.net:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.*;*.itcgr.net;*goldreloaded*;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {FAD9CF06-4086-41C2-A18D-3F41E3FDBF78} - C:\WINDOWS\system32\blackbo.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Cpqset] C:\Programmi\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Programmi\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Programmi\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [UpdateManager] "C:\Programmi\File comuni\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programmi\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Programmi\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [BEWDeactivateSafenet] C:\Programmi\CoSine Communications\IPSec Dial Client\vpn -deactivate
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Programmi\TomTom HOME\TomTomHOME.exe" -s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINDOWS\Cpqdiag\CpqDfwAg.exe
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Programmi\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA355] command /c del "C:\WINDOWS\system32\WinCtrl32.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1332] cmd /c del "C:\WINDOWS\system32\WinCtrl32.dll_old"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programmi\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunOnce: [SpybotDeletingB2811] command /c del "C:\WINDOWS\system32\WinCtrl32.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2517] cmd /c del "C:\WINDOWS\system32\WinCtrl32.dll_old"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: SoftRemote.lnk = C:\Programmi\CoSine Communications\IPSec Dial Client\SafeCfg.exe
O4 - Global Startup: Update0809191255.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://goldreloaded/default.aspx
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6 [...] vSniff.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/tec [...] gctlsr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wi [...] 3744461859
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6 [...] /cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = int.itcgr.net
O17 - HKLM\Software\..\Telephony: DomainName = int.itcgr.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = int.itcgr.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = int.itcgr.net
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = int.itcgr.net
O20 - Winlogon Notify: WinCtrl32 - WinCtrl32.dll (file missing)
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Programmi\Symantec AntiVirus\DefWatch.exe
O23 - Service: Remote Diagnostics Enabling Agent (DfwWebAgent) - Hewlett-Packard - C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
O23 - Service: (Equant Access Companion) Services Manager (EACSvrMngr) - Equant - C:\Programmi\Equant\Dialer\EACSvrMngr.exe
O23 - Service: (Equant Access Companion) Devices and Services Monitoring (EACSys) - Equant - C:\Programmi\Equant\Dialer\EACSys.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Programmi\HPQ\SHARED\HPQWMI.exe
O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - C:\Programmi\CoSine Communications\IPSec Dial Client\IPSecMon.exe
O23 - Service: SafeNet IKE Service (IreIKE) - SafeNet - C:\Programmi\CoSine Communications\IPSec Dial Client\IreIKE.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Programmi\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Programmi\Symantec AntiVirus\Rtvscan.exe
--
End of file - 10660 bytes
Re,
Télécharge MalwareByte's Anti-Malware sur ton Bureau.
Installe-le en double-cliquant sur le fichier Download_mbam-setup.exe.
Une fois l'installation et la mise à jour effectuées, redémarre en mode sans échec.
AIDE : Redémarrer en mode sans échec
- Exécute maintenant MalwareByte's Anti-Malware. Si cela n'est pas déjà fait, sélectionne "Exécuter un examen complet".
- Afin de lancer la recherche, clic sur"Rechercher".
- Une fois le scan terminé, une fenêtre s'ouvre, clic sur OK. Deux possibilités s'offrent à toi :
-- si le programme n'a rien trouvé, appuie sur OK. Un rapport va apparaître, ferme-le.
-- si des infections sont présentes, clic sur "Afficher les résultats" puis sur "Supprimer la sélection". Enregistre le rapport sur ton Bureau afin de le poster dans ta prochaine réponse.
REMARQUE : Si MalwareByte's Anti-Malware a besoin de redémarrer pour terminer la suppression, accepte en cliquant sur Ok.
AIDE : Tuto en images sur MBAM
Répondre à Angeldark
Voici le log de malwarebyte's:
Malwarebytes' Anti-Malware 1.30
Database version: 1373
Windows 5.1.2600 Service Pack 2
07/11/2008 23.38.27
mbam-log-2008-11-07 (23-38-13).txt
Scan type: Full Scan (C:\|)
Objects scanned: 104236
Time elapsed: 2 hour(s), 19 minute(s), 38 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinCtrl32 (Trojan.Agent) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{fad9cf06-4086-41c2-a18d-3f41e3fdbf78} (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fad9cf06-4086-41c2-a18d-3f41e3fdbf78} (Trojan.Agent) -> No action taken.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> No action taken.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\blackbo.dll (Trojan.Agent) -> No action taken.
Apparement, après redémarrage, les fichiers ont été nettoyés, et ce matin ni symantec, ni spybot ne détecte de fichiers corrompus...
Il semblerait que cela ait marché, à moins que tu n'aies un avis différent, un autre controle à faire ?
En tout cas merci et tiens-moi au courant !
Reposte un rapport Hijackthis.
Répondre à Angeldark
Voici le dernier rapport hijackthis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15.29.28, on 08/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\Programmi\CoSine Communications\IPSec Dial Client\IPSecMon.exe
C:\Programmi\CoSine Communications\IPSec Dial Client\IreIKE.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\Programmi\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
C:\Programmi\Equant\Dialer\EACSvrMngr.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Symantec AntiVirus\SavRoam.exe
C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Programmi\Symantec AntiVirus\Rtvscan.exe
C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\Programmi\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
C:\Programmi\HPQ\Quick Launch Buttons\EabServr.exe
C:\Programmi\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Programmi\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programmi\HPQ\SHARED\HPQWMI.exe
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Programmi\TomTom HOME\TomTomHOME.exe
C:\Programmi\QuickTime\qttask.exe
C:\Programmi\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Microsoft ActiveSync\wcescomm.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\WIDCOMM\Software Bluetooth\BTTray.exe
C:\Programmi\CoSine Communications\IPSec Dial Client\SafeCfg.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://goldreloaded/default.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://goldreloaded/default.aspx
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by INTERBULK TRADING SA
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.int.itcgr.net:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.*;*.itcgr.net;*goldreloaded*;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {FAD9CF06-4086-41C2-A18D-3F41E3FDBF78} - C:\WINDOWS\system32\blackbo.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Cpqset] C:\Programmi\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Programmi\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Programmi\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [UpdateManager] "C:\Programmi\File comuni\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programmi\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Programmi\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [BEWDeactivateSafenet] C:\Programmi\CoSine Communications\IPSec Dial Client\vpn -deactivate
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Programmi\TomTom HOME\TomTomHOME.exe" -s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINDOWS\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programmi\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: SoftRemote.lnk = C:\Programmi\CoSine Communications\IPSec Dial Client\SafeCfg.exe
O4 - Global Startup: Update0809191255.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://goldreloaded/default.aspx
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6 [...] vSniff.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/tec [...] gctlsr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wi [...] 3744461859
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6 [...] /cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = int.itcgr.net
O17 - HKLM\Software\..\Telephony: DomainName = int.itcgr.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = int.itcgr.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = int.itcgr.net
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = int.itcgr.net
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Programmi\Symantec AntiVirus\DefWatch.exe
O23 - Service: Remote Diagnostics Enabling Agent (DfwWebAgent) - Hewlett-Packard - C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
O23 - Service: (Equant Access Companion) Services Manager (EACSvrMngr) - Equant - C:\Programmi\Equant\Dialer\EACSvrMngr.exe
O23 - Service: (Equant Access Companion) Devices and Services Monitoring (EACSys) - Equant - C:\Programmi\Equant\Dialer\EACSys.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Programmi\HPQ\SHARED\HPQWMI.exe
O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - C:\Programmi\CoSine Communications\IPSec Dial Client\IPSecMon.exe
O23 - Service: SafeNet IKE Service (IreIKE) - SafeNet - C:\Programmi\CoSine Communications\IPSec Dial Client\IreIKE.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Programmi\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Programmi\Symantec AntiVirus\Rtvscan.exe
--
End of file - 10407 bytes
Y-a-t-il encore des trucs à faire, risques ?
Re,
! Désactive tes protections résidentes (antivirus, Spybot-S&D, etc.) !
- Télécharge ComboFix (sUBs) sur ton Bureau.
- Double clique sur ComboFix.exe (le .exe n'est pas forcément visible) afin de le lancer.
- Lorsque la recherche sera terminée, un rapport apparaîtra. Poste ce rapport (C:\combofix.txt*) dans ta prochaine réponse.
AIDE : Un guide et un tutoriel sur l'utilisation de ComboFix
* le nom de la partition peut changer
Répondre à Angeldark
Bonjour,
En fait la lecture du tutoriel m'a un peu refroidi, etant donné qu'il s'agit d'un ordi de boulot et qu'il y a toute une série de programme et paramètres par défaut, je ne voudrais pas supprimer des fichiers ou autre qui sont censés etre installés sur mon ordi.
Y-a-t-il un risque à ne pas faire tourner combofix alors que tout à l'air d'etre rentré dans l'ordre ?
Merci!
Il y a des restes. On peut faire autrement si tu as peur.
Télécharge Random's System Information Tool (RSIT) par (random/random) et sauvegarde-le sur le Bureau.
- Double-clique sur RSIT.exe afin de lancer le programme.
- Clique Continue à l'écran Disclaimer.
- Si l'outil HijackThis (version à jour) n'est pas présent ou non détecté sur l'ordinateur, RSIT le téléchargera (autorise l'accès dans ton pare-feu, si demandé) et tu devras accepter la licence.
- Lorsque l'analyse sera terminée, deux fichiers texte s'ouvriront. Poste le contenu de log.txt (affiché)
ainsi que de info.txt (réduit dans la Barre des Tâches).
- Veille bien à poster l'intégralité des rapports. Vérifie qu'ils soient complets une fois que tu les as postés.
NB : Les rapports sont sauvegardés dans le dossier C:\rsit
Répondre à Angeldark
Ok, voici le log info.txt:
info.txt logfile of random's system information tool 1.04 2008-11-09 15:14:52
======Uninstall list======
-->C:\WINDOWS\System32\\MSIEXEC.EXE /I {09DA4F91-2A09-4232-AB8C-6BC740096DE3} REMOVE=UpdateMgrFeature
-->C:\WINDOWS\System32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}
-->MsiExec.exe /I{B5D8CCBF-08D8-46C0-8B04-3BC0CAEDA094}
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
7-Zip 4.56 beta-->"C:\Programmi\7-Zip\Uninstall.exe"
Access Companion-->C:\WINDOWS\System32\AcUninst.exe -dm
Adobe Flash Player 9 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Reader 9 - Italiano-->MsiExec.exe /I{AC76BA86-7AD7-1040-7B44-A90000000001}
Agere Systems AC'97 Modem-->agrsmdel
Aggiornamento per Windows XP (KB898461)-->"C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
All To MP3 Converter 2.15-->"C:\Programmi\LitexMedia\All To MP3 Converter\unins000.exe"
belote 1.2-->C:\WINDOWS\st6unst.exe -n "C:\Programmi\belote 1.2\ST6UNST.LOG"
Belote Bridgée-->C:\WINDOWS\system32\GKSUI16.EXE C:\Programmi\Belote Bridgée\UNINSTAL.DAT
Bluetooth by hp-->MsiExec.exe /X{90535871-81B9-4D99-8A13-A7EE97F2D7FE}
Broadcom Driver Installer-->C:\Programmi\File comuni\InstallShield\Driver\8\Intel 32\IDriver.exe /M{BE6890C7-31EF-478C-812E-1E2899ABFCA9} /l1040
Citrix Presentation Server Client-->MsiExec.exe /I{E89956F9-5B89-470E-818D-BD46102D0A01}
Compatibilità con le versioni precedenti a Microsoft SQL Server 2005-->MsiExec.exe /I{805A39C9-7B32-434A-A3EA-8BC37F861984}
Diagnostici per Windows-->RunDll32 C:\PROGRA~1\FILECO~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Programmi\InstallShield Installation Information\{1881AE03-2BD4-11D4-86BF-00508B10AA88}\setup.exe" UNINSTALL
Etisalat USB Modem E170-->C:\Programmi\Etisalat USB Modem E170\uninst.exe
File di supporto dell'installazione di Microsoft SQL Server (Italiano)-->MsiExec.exe /X{6379FD0A-8964-4A50-80A6-B20B65117905}
GTK+ Runtime 2.10.13 rev a (remove only)-->C:\Programmi\Dico\uninst.exe
HijackThis 2.0.2-->"C:\HijackThis.exe" /uninstall
Hotfix for Windows XP (KB909394)-->"C:\WINDOWS\$NtUninstallKB909394$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB926239)-->"C:\WINDOWS\$NtUninstallKB926239$\spuninst\spuninst.exe"
HP Integrated Wireless LAN W400-W500 Driver-->RunDll32 C:\PROGRA~1\FILECO~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Programmi\InstallShield Installation Information\{5C3DA2A1-03B2-44BD-B5AA-A44BD6E0C0C1}\setup.exe" -l0x10
HP Mobile Printing-->RunDll32 C:\PROGRA~1\FILECO~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Programmi\InstallShield Installation Information\{B668CB7B-A9DF-43B6-8876-A373A8E1D438}\setup.exe" -l0x9 AnyText
Intel(R) Graphics Media Accelerator Driver for Mobile-->RUNDLL32.EXE C:\WINDOWS\System32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_2792 PCI\VEN_8086&DEV_2592
Intel(R) PROSet for Wireless-->MsiExec.exe /I{5380063E-2909-4d72-BFA3-625881F2E78B}
InterVideo WinDVD-->"C:\Programmi\InstallShield Installation Information\{98E8A2EF-4EAE-43B8-A172-74842B764777}\setup.exe" REMOVEALL
Java 2 Runtime Environment, SE v1.4.2-->MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142000}
Java(TM) 6 Update 5-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java(TM) 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
LiveUpdate 3.1 (Symantec Corporation)-->"C:\Programmi\Symantec\LiveUpdate\LSETUP.EXE" /U
Malwarebytes' Anti-Malware-->"C:\Programmi\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 2.0 - Language Pack (italiano)-->C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0 Language Pack - ITA\install.exe
Microsoft .NET Framework 2.0-->C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe
Microsoft ActiveSync-->MsiExec.exe /I{99052DB7-9592-4522-A558-5417BBAD48EE}
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Dynamics NAV 5.0 CSIDE Client-->MsiExec.exe /I{00000000-0000-5000-7800-0000836BD2D2}
Microsoft Office 2003 - Componenti Web-->MsiExec.exe /I{90A40410-6000-11D3-8CFE-0150048383C9}
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110410-6000-11D3-8CFE-0150048383C9}
Microsoft SQL Server 2005-->"C:\Programmi\Microsoft SQL Server\90\Setup Bootstrap\ARPWrapper.exe" /Remove
Microsoft SQL Server Native Client-->MsiExec.exe /I{E7F4CA4E-0CC1-4FB7-B625-CF3D6C799AAD}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual Studio 2005 Premier Partner Edition - ITA-->MsiExec.exe /I{7E86D124-30EE-4082-B7FB-8E40B4D2333F}
Module de compatibilité pour Microsoft Office System 2007-->MsiExec.exe /X{90120000-0020-040C-0000-0000000FF1CE}
Non Driver CIO Components-->C:\WINDOWS\IsUninst.exe -f"C:\Programmi\HP\Non Driver CIO Components\Uninst.isu"
O2Micro MemoryCardBus Windows Driver-->C:\PROGRA~1\FILECO~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{4CBD31CE-51DF-43C4-B3EC-7CCBAB0CD083} /l1033
Parser MSXML 6.0-->MsiExec.exe /I{EDAED426-FE30-482A-8AA7-87AD7642107F}
Pdf995-->c:\pdf995\setup.exe uninstall
Quick Launch Buttons 5.00 C2-->RunDll32 C:\PROGRA~1\FILECO~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Programmi\InstallShield Installation Information\{CEB326EC-8F40-47B2-BA22-BB092565D66F}\setup.exe" -l0x10 -uninst
QuickTime-->C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
Remote Diagnostics Enabling Agent-->RunDll32 C:\PROGRA~1\FILECO~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Programmi\InstallShield Installation Information\{71A470E1-27E7-424E-803A-F9C0D41968D3}\SETUP.EXE" -l0x10
Remote Services Driver-->C:\WINDOWS\uninst.exe -fC:\WINDOWS\swsetup\cpqrs\DeIsL1.isu -c"C:\WINDOWS\swsetup\cpqrs\uninst32.dll
SafeNet SoftRemote-->RunDll32 C:\PROGRA~1\FILECO~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Programmi\CoSine Communications\IPSec Dial Client\Setup\Setup.exe" -l0x9
SAP Front End-->"C:\WINDOWS\SapWksta\setup\sapsetup.exe" /uninstall /noRestart
Sonic RecordNow!-->MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}
Sonic Update Manager-->MsiExec.exe /I{09DA4F91-2A09-4232-AB8C-6BC740096DE3}
SoundMAX-->RunDll32 C:\PROGRA~1\FILECO~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Programmi\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\setup.exe" -l0x10 -removeonly
SQLXML4-->MsiExec.exe /I{B0B34FF7-4288-4310-A742-40D20C6CC67F}
StarDict (remove only)-->C:\Programmi\StarDict\stardict-uninst.exe
Strumenti di Microsoft SQL Server 2005-->MsiExec.exe /I{B03FBBA3-CCE4-40CC-A0F1-01F952E7EB3E}
Symantec AntiVirus-->MsiExec.exe /I{33CFCF98-F8D6-4549-B469-6F4295676D83}
Synaptics Pointing Device Driver-->rundll32.exe "C:\Programmi\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
Texas Instruments PCIxx20 drivers.-->C:\PROGRA~1\FILECO~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{F16F258A-6300-4A1C-BC49-7929EFF455E2}
Texas Instruments PCIxx21/x515 drivers.-->C:\PROGRA~1\FILECO~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{FF6F491D-BC82-4DCC-A72F-1824957C6466} /l1040
Texas Instruments PCIxx21/x515/xx12 drivers.-->C:\Programmi\InstallShield Installation Information\{AD7914E1-6453-4440-AEC7-02C72AD6FE5F}\setup.exe -runfromtemp -l0x0410
TomTom HOME-->C:\Programmi\InstallShield Installation Information\{CE325D55-FCAF-4273-BB79-069BB8747270}\setup.exe -runfromtemp -l0x0010 -removeonly -removeonly
VideoLAN VLC media player 0.8.6d-->C:\Programmi\VideoLAN\VLC\uninstall.exe
Windows Installer 3.1 (KB893803)-->"C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"
Windows Media Format 11 runtime-->"C:\Programmi\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Programmi\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows XP Service Pack 2-->C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe
======Hosts File======
10.40.10.18 int657srv01
10.31.0.37 bwgdev01 bwgdev01.itcgr.net
10.31.0.38 bwgdev02 bwgdev02.itcgr.net
10.31.0.40 itcgr999bwg01 itcgr999bwg01.itcgr.net
10.31.0.41 itcgr999bwg02 itcgr999bwg02.itcgr.net
======Security center information======
AV: Symantec AntiVirus Corporate Edition (outdated)
======Environment variables======
"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Programmi\Microsoft SQL Server\80\Tools\Binn\;C:\Programmi\Microsoft SQL Server\90\Tools\binn\;C:\Programmi\Microsoft SQL Server\90\DTS\Binn\;C:\Programmi\Microsoft SQL Server\90\Tools\Binn\VSShell\Common7\IDE\;C:\Programmi\Microsoft Visual Studio 8\Common7\IDE\PrivateAssemblies\
"windir"=%SystemRoot%
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 13 Stepping 8, GenuineIntel
"PROCESSOR_REVISION"=0d08
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"FP_NO_HOST_CHECK"=NO
"lib"=C:\Programmi\SQLXML 4.0\bin\
-----------------EOF-----------------
et le log.txt:
Logfile of random's system information tool 1.04 (written by random/random)
Run by U800TORIELLIJ at 2008-11-09 15:14:29
Microsoft Windows XP Professional Service Pack 2
System drive C: has 36 GB (63%) free of 57 GB
Total RAM: 503 MB (52% free)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15.14.47, on 09/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\Programmi\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
C:\Programmi\Equant\Dialer\EACSvrMngr.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\Programmi\Symantec AntiVirus\SavRoam.exe
C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Programmi\Symantec AntiVirus\Rtvscan.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\Programmi\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
C:\Programmi\HPQ\Quick Launch Buttons\EabServr.exe
C:\WINDOWS\System32\1XConfig.exe
C:\Programmi\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Programmi\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Programmi\HPQ\SHARED\HPQWMI.exe
C:\Programmi\TomTom HOME\TomTomHOME.exe
C:\Programmi\QuickTime\qttask.exe
C:\Programmi\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Microsoft ActiveSync\wcescomm.exe
C:\Programmi\Messenger\msmsgs.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\Programmi\WIDCOMM\Software Bluetooth\BTTray.exe
C:\Programmi\CoSine Communications\IPSec Dial Client\SafeCfg.exe
C:\Programmi\Equant\Dialer\EACSys.exe
C:\Programmi\CoSine Communications\IPSec Dial Client\IreIKE.exe
C:\Programmi\CoSine Communications\IPSec Dial Client\IPSecMon.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Programmi\Internet Explorer\iexplore.exe
\int657vrt01\Private\u800toriellij\Desktop\RSIT.exe
C:\HijackThis\U800TORIELLIJ.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://goldreloaded/default.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://goldreloaded/default.aspx
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by INTERBULK TRADING SA
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.int.itcgr.net:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.*;*.itcgr.net;*goldreloaded*;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {FAD9CF06-4086-41C2-A18D-3F41E3FDBF78} - C:\WINDOWS\system32\blackbo.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Cpqset] C:\Programmi\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Programmi\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Programmi\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [UpdateManager] "C:\Programmi\File comuni\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programmi\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Programmi\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [BEWDeactivateSafenet] C:\Programmi\CoSine Communications\IPSec Dial Client\vpn -deactivate
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Programmi\TomTom HOME\TomTomHOME.exe" -s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINDOWS\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programmi\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9d.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: SoftRemote.lnk = C:\Programmi\CoSine Communications\IPSec Dial Client\SafeCfg.exe
O4 - Global Startup: Update0809191255.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://goldreloaded/default.aspx
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6 [...] vSniff.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/tec [...] gctlsr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wi [...] 3744461859
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6 [...] /cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = int.itcgr.net
O17 - HKLM\Software\..\Telephony: DomainName = int.itcgr.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = int.itcgr.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = int.itcgr.net
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = int.itcgr.net
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Programmi\Symantec AntiVirus\DefWatch.exe
O23 - Service: Remote Diagnostics Enabling Agent (DfwWebAgent) - Hewlett-Packard - C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
O23 - Service: (Equant Access Companion) Services Manager (EACSvrMngr) - Equant - C:\Programmi\Equant\Dialer\EACSvrMngr.exe
O23 - Service: (Equant Access Companion) Devices and Services Monitoring (EACSys) - Equant - C:\Programmi\Equant\Dialer\EACSys.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Programmi\HPQ\SHARED\HPQWMI.exe
O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - C:\Programmi\CoSine Communications\IPSec Dial Client\IPSecMon.exe
O23 - Service: SafeNet IKE Service (IreIKE) - SafeNet - C:\Programmi\CoSine Communications\IPSec Dial Client\IreIKE.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Programmi\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Programmi\Symantec AntiVirus\Rtvscan.exe
--
End of file - 10260 bytes
======Registry dump======
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2008-06-11 75128]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Programmi\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FAD9CF06-4086-41C2-A18D-3F41E3FDBF78}]
C:\WINDOWS\system32\blackbo.dll [2008-10-04 116992]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"=C:\Programmi\Synaptics\SynTP\SynTPLpr.exe [2004-11-04 98394]
"SynTPEnh"=C:\Programmi\Synaptics\SynTP\SynTPEnh.exe [2004-11-04 688218]
"Cpqset"=C:\Programmi\HPQ\Default Settings\cpqset.exe [2004-03-01 200766]
"PRONoMgr.exe"=c:\Programmi\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe [2003-12-10 86016]
"eabconfg.cpl"=C:\Programmi\HPQ\Quick Launch Buttons\EabServr.exe [2004-09-17 290816]
"UpdateManager"=C:\Programmi\File comuni\Sonic\Update Manager\sgtray.exe [2003-08-19 110592]
"SoundMAXPnP"=C:\Programmi\Analog Devices\SoundMAX\SMax4PNP.exe [2004-10-14 1388544]
"SoundMAX"=C:\Programmi\Analog Devices\SoundMAX\Smax4.exe [2004-09-23 860160]
"IgfxTray"=C:\WINDOWS\System32\igfxtray.exe [2004-12-21 155648]
"HotKeysCmds"=C:\WINDOWS\System32\hkcmd.exe [2004-12-21 126976]
"AGRSMMSG"=C:\WINDOWS\AGRSMMSG.exe [2004-08-24 88363]
"BEWDeactivateSafenet"=C:\Programmi\CoSine Communications\IPSec Dial Client\vpn -deactivate []
"ccApp"=C:\Programmi\File comuni\Symantec Shared\ccApp.exe [2006-07-19 52896]
"vptray"=C:\PROGRA~1\SYMANT~1\VPTray.exe [2006-09-27 125168]
"Synchronization Manager"=C:\WINDOWS\system32\mobsync.exe [2004-08-19 143872]
"TomTomHOME.exe"=C:\Programmi\TomTom HOME\TomTomHOME.exe [2007-03-14 3770024]
"QuickTime Task"=C:\Programmi\QuickTime\qttask.exe [2007-11-08 98304]
"SunJavaUpdateSched"=C:\Programmi\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784]
"KernelFaultCheck"=C:\WINDOWS\system32\dumprep 0 -k []
"Adobe Reader Speed Launcher"=C:\Programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe [2008-06-12 34672]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe [2004-08-19 15360]
"H/PC Connection Agent"=C:\Programmi\Microsoft ActiveSync\wcescomm.exe [2006-11-13 1289000]
"MSMSGS"=C:\Programmi\Messenger\msmsgs.exe [2004-08-19 1667584]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"=C:\WINDOWS\system32\Macromed\Flash\FlashUtil9d.exe [2007-06-11 190696]
C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica
BTTray.lnk - C:\Programmi\WIDCOMM\Software Bluetooth\BTTray.exe
SoftRemote.lnk - C:\Programmi\CoSine Communications\IPSec Dial Client\SafeCfg.exe
Update0809191255.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxsrvc.dll [2004-12-21 348160]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
C:\WINDOWS\system32\NavLogon.dll [2006-09-27 43760]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Sebring]
c:\WINDOWS\System32\LgNotify.dll [2003-12-16 110592]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winls28.sys]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wintc18.sys]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Winls28.sys]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Wintc18.sys]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Programmi\Microsoft ActiveSync\rapimgr.exe"="C:\Programmi\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\Programmi\Microsoft ActiveSync\wcescomm.exe"="C:\Programmi\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\Programmi\Microsoft ActiveSync\WCESMgr.exe"="C:\Programmi\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"C:\Programmi\CoSine Communications\IPSec Dial Client\IreIKE.exe"="C:\Programmi\CoSine Communications\IPSec Dial Client\IreIKE.exe:*:Enabled:IreIke"
"C:\Programmi\CoSine Communications\IPSec Dial Client\ViewLog.exe"="C:\Programmi\CoSine Communications\IPSec Dial Client\ViewLog.exe:127.0.0.1/255.255.255.255:Enabled:ViewLog"
"C:\Programmi\CoSine Communications\IPSec Dial Client\CmonApp.exe"="C:\Programmi\CoSine Communications\IPSec Dial Client\CmonApp.exe:127.0.0.1/255.255.255.255:Enabled:CMonApp"
"C:\Programmi\CoSine Communications\IPSec Dial Client\vpn.exe"="C:\Programmi\CoSine Communications\IPSec Dial Client\vpn.exe:127.0.0.1/255.255.255.255:Enabled:VPN Connection Manager"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Programmi\Microsoft ActiveSync\rapimgr.exe"="C:\Programmi\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\Programmi\Microsoft ActiveSync\wcescomm.exe"="C:\Programmi\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\Programmi\Microsoft ActiveSync\WCESMgr.exe"="C:\Programmi\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"C:\Programmi\CoSine Communications\IPSec Dial Client\IreIKE.exe"="C:\Programmi\CoSine Communications\IPSec Dial Client\IreIKE.exe:*:Enabled:IreIke"
"C:\Programmi\CoSine Communications\IPSec Dial Client\ViewLog.exe"="C:\Programmi\CoSine Communications\IPSec Dial Client\ViewLog.exe:127.0.0.1/255.255.255.255:Enabled:ViewLog"
"C:\Programmi\CoSine Communications\IPSec Dial Client\CmonApp.exe"="C:\Programmi\CoSine Communications\IPSec Dial Client\CmonApp.exe:127.0.0.1/255.255.255.255:Enabled:CMonApp"
"C:\Programmi\CoSine Communications\IPSec Dial Client\vpn.exe"="C:\Programmi\CoSine Communications\IPSec Dial Client\vpn.exe:127.0.0.1/255.255.255.255:Enabled:VPN Connection Manager"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
shell\AutoRun\command - D:\AutoRun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{182b8614-be26-11dc-9518-000fb0bcd291}]
shell\AutoRun\command - E:\
shell\explore\command - RECYCLED\INFO.exe
shell\open\command - RECYCLED\INFO.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2f78e792-ec6f-11dc-9544-0015002fad7c}]
shell\AutoRun\command - E:\
shell\explore\command - E:\RECYCLED\INFO.exe
shell\open\command - E:\RECYCLED\INFO.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3bef395f-7804-11dd-95d5-0015002fad7c}]
shell\AutoRun\command - D:\AutoRun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3bef3961-7804-11dd-95d5-0015002fad7c}]
shell\AutoRun\command - D:\AutoRun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4ac1b6ee-a34e-11dd-9612-0015002fad7c}]
shell\AutoRun\command - D:\AutoRun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4ac1b6ef-a34e-11dd-9612-0015002fad7c}]
shell\AutoRun\command - D:\AutoRun.exe
======List of files/folders created in the last 1 months======
2008-11-09 15:14:29 ----D---- C:\rsit
2008-11-09 15:04:58 ----A---- C:\WINDOWS\IE4 Error Log.txt
2008-11-07 20:29:12 ----D---- C:\Documents and Settings\u800toriellij\Dati applicazioni\Malwarebytes
2008-11-07 20:28:46 ----D---- C:\Documents and Settings\All Users\Dati applicazioni\Malwarebytes
2008-11-07 20:28:45 ----D---- C:\Programmi\Malwarebytes' Anti-Malware
2008-11-07 19:16:35 ----D---- C:\HijackThis
2008-11-07 19:15:02 ----A---- C:\HiJackThis.exe
2008-11-05 19:56:27 ----D---- C:\WINDOWS\pss
2008-11-05 19:46:16 ----D---- C:\Programmi\Trend Micro
2008-11-05 19:43:00 ----A---- C:\HJTInstall.exe
2008-11-05 11:11:56 ----A---- C:\WINDOWS\wininit.ini
2008-11-05 10:49:42 ----A---- C:\WINDOWS\ntbtlog.txt
2008-11-05 09:21:08 ----D---- C:\Programmi\Spybot - Search & Destroy
2008-11-05 09:21:08 ----D---- C:\Documents and Settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2008-10-27 13:09:24 ----A---- C:\WINDOWS\ModemLog_GlobeTrotter 3G+ Modem Interface.txt
2008-10-26 12:08:31 ----A---- C:\WINDOWS\ModemLog_HUAWEI Mobile Connect - 3G Modem #2.txt
2008-10-21 13:34:00 ----D---- C:\Programmi\MSECache
======List of files/folders modified in the last 1 months======
2008-11-09 15:08:10 ----D---- C:\Programmi\Belote Bridgée
2008-11-09 15:08:10 ----A---- C:\WINDOWS\Bbt97.INI
2008-11-09 15:04:58 ----D---- C:\WINDOWS
2008-11-09 14:47:25 ----A---- C:\WINDOWS\TAPECALC.INI
2008-11-09 14:04:29 ----D---- C:\WINDOWS\Temp
2008-11-09 14:04:18 ----D---- C:\WINDOWS\security
2008-11-09 12:01:26 ----D---- C:\Programmi\Symantec AntiVirus
2008-11-08 21:17:27 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-11-08 07:25:44 ----D---- C:\WINDOWS\Prefetch
2008-11-07 23:40:23 ----RD---- C:\Programmi
2008-11-07 23:40:23 ----D---- C:\WINDOWS\system32\drivers
2008-11-07 20:37:42 ----D---- C:\WINDOWS\system32
2008-11-07 15:40:01 ----SHD---- C:\RECYCLER
2008-11-07 11:32:19 ----RASH---- C:\boot.ini
2008-11-07 11:32:19 ----A---- C:\WINDOWS\win.ini
2008-11-07 11:32:19 ----A---- C:\WINDOWS\system.ini
2008-11-07 10:39:46 ----D---- C:\Documents and Settings
2008-11-05 16:19:14 ----SHD---- C:\WINDOWS\CSC
2008-11-05 10:57:22 ----D---- C:\WINDOWS\system32\CatRoot2
2008-11-05 07:49:13 ----D---- C:\WINDOWS\system32\Restore
2008-11-04 11:40:48 ----SHD---- C:\System Volume Information
2008-11-04 08:30:33 ----D---- C:\Documents and Settings\u800toriellij\Dati applicazioni\U3
2008-11-04 05:27:58 ----SD---- C:\WINDOWS\Downloaded Program Files
2008-11-03 17:49:18 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2008-11-03 15:03:09 ----D---- C:\WINDOWS\system32\CatRoot
2008-11-03 15:02:13 ----HD---- C:\WINDOWS\inf
2008-11-02 10:37:43 ----A---- C:\WINDOWS\ModemLog_HUAWEI Mobile Connect - 3G Modem.txt
2008-10-30 07:10:26 ----D---- C:\Documents and Settings\All Users\Dati applicazioni\pdf995
2008-10-29 11:07:51 ----SD---- C:\Documents and Settings\u800toriellij\Dati applicazioni\Microsoft
2008-10-24 13:51:45 ----A---- C:\WINDOWS\harrapsf.ini
2008-10-21 13:34:50 ----SHD---- C:\WINDOWS\Installer
2008-10-21 13:34:36 ----RSD---- C:\WINDOWS\Fonts
2008-10-21 13:34:28 ----D---- C:\Programmi\Microsoft Office
2008-10-21 13:34:25 ----D---- C:\Programmi\File comuni\Microsoft Shared
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R1 ClntMgmt.sys;ClntMgmt.sys; C:\WINDOWS\System32\Drivers\ClntMgmt.sys [2002-03-22 54254]
R1 eabfiltr;EABFiltr; \??\C:\WINDOWS\System32\drivers\EABFiltr.sys []
R1 eeCtrl;Symantec Eraser Control driver; \??\C:\Programmi\File comuni\Symantec Shared\EENGINE\eeCtrl.sys []
R1 EQDRV5;EQUANT NDIS 5 Usermode I/O Protocol; C:\WINDOWS\System32\DRIVERS\eqdrv5.sys [2007-10-30 16000]
R1 intelppm;Driver processore Intel; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2004-08-19 40192]
R1 IPSECDRV;SafeNet IPSec Plugin; \??\C:\WINDOWS\System32\Drivers\IPSECDRV.sys []
R1 SAVRT;SAVRT; \??\C:\Programmi\Symantec AntiVirus\savrt.sys []
R1 SAVRTPEL;SAVRTPEL; \??\C:\Programmi\Symantec AntiVirus\Savrtpel.sys []
R1 SPBBCDrv;SPBBCDrv; \??\C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCDrv.sys []
R1 SYMTDI;SYMTDI; C:\WINDOWS\System32\Drivers\SYMTDI.SYS [2006-08-07 195776]
R1 WmiAcpi;Strumentazione gestione Microsoft Windows per ACPI; C:\WINDOWS\System32\DRIVERS\wmiacpi.sys [2004-08-03 8832]
R2 cpqdfw;Diagnostics Driver; \??\C:\WINDOWS\System32\drivers\cpqdfw.sys []
R2 cq_mem;Diagnostics Memory Driver; \??\C:\WINDOWS\System32\drivers\cq_mem.sys []
R2 cqcpu;Diagnostics CPU Driver; \??\C:\WINDOWS\System32\drivers\cqcpu.sys []
R2 Crypto;Crypto; C:\WINDOWS\system32\drivers\Crypto.sys [2004-11-10 521786]
R2 irda;Protocollo IrDA; C:\WINDOWS\System32\DRIVERS\irda.sys [2004-08-03 87424]
R2 MDC8021X;AEGIS Protocol (IEEE 802.1x) v2.2.1.0; C:\WINDOWS\System32\DRIVERS\mdc8021x.sys [2007-10-30 14037]
R2 s24trans;WLAN Transport; C:\WINDOWS\System32\DRIVERS\s24trans.sys [2003-09-15 11258]
R3 aeaudio;aeaudio; C:\WINDOWS\system32\drivers\aeaudio.sys [2004-11-08 127744]
R3 AgereSoftModem;Agere Systems Soft Modem; C:\WINDOWS\System32\DRIVERS\AGRSM.sys [2004-08-24 1268204]
R3 b57w2k;Broadcom NetXtreme Gigabit Ethernet; C:\WINDOWS\System32\DRIVERS\b57xp32.sys [2004-11-16 190592]
R3 CmBatt;Driver scheda AC Microsoft; C:\WINDOWS\System32\DRIVERS\CmBatt.sys [2004-08-03 14080]
R3 DNE;Deterministic Network Enhancer Miniport; C:\WINDOWS\System32\DRIVERS\dne2000.sys [2003-09-05 139604]
R3 DniVap;SafeNet WAN Miniport (VA); C:\WINDOWS\System32\DRIVERS\vap.sys [2001-12-14 36188]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv; \??\C:\Programmi\File comuni\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys []
R3 GTIPCI21;GTIPCI21; C:\WINDOWS\System32\DRIVERS\gtipci21.sys [2005-05-31 87936]
R3 HidUsb;Driver di classe HID Microsoft; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
R3 ialm;ialm; C:\WINDOWS\System32\DRIVERS\ialmnt5.sys [2004-12-21 776349]
R3 mouhid;Driver di mouse HID; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-30 12160]
R3 NAVENG;NAVENG; \??\C:\PROGRA~1\FILECO~1\SYMANT~1\VIRUSD~1\20080409.009\naveng.sys []
R3 NAVEX15;NAVEX15; \??\C:\PROGRA~1\FILECO~1\SYMANT~1\VIRUSD~1\20080409.009\navex15.sys []
R3 Rasirda;WAN Miniport (IrDA); C:\WINDOWS\System32\DRIVERS\rasirda.sys [2001-08-17 19584]
R3 sdbus;sdbus; C:\WINDOWS\System32\DRIVERS\sdbus.sys [2004-08-03 67584]
R3 SMCIRDA;Driver periferica Miniport SMC IrCC; C:\WINDOWS\System32\DRIVERS\smcirda.sys [2001-08-30 36937]
R3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2004-10-13 259840]
R3 SymEvent;SymEvent; \??\C:\Programmi\Symantec\SYMEVENT.SYS []
R3 SYMREDRV;SYMREDRV; C:\WINDOWS\System32\Drivers\SYMREDRV.SYS [2006-08-07 24768]
R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\System32\DRIVERS\SynTP.sys [2004-11-04 186016]
R3 tifm21;tifm21; C:\WINDOWS\system32\drivers\tifm21.sys [2005-06-23 162176]
R3 usbehci;Driver Miniport controller enhanced host USB 2.0 Microsoft; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2004-08-03 26624]
R3 usbhub;Driver hub USB standard Microsoft; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2004-08-03 57600]
R3 usbuhci;Driver Miniport Controller Universal Host USB Microsoft; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2004-08-03 20480]
R3 w29n51;Driver di Intel(R) PRO/Wireless 2200BG Network Connection Driver per Windows XP; C:\WINDOWS\System32\DRIVERS\w29n51.sys [2008-01-07 2216064]
S1 ASPI32;ASPI32; C:\WINDOWS\system32\drivers\ASPI32.sys []
S1 kbdhid;Driver di tastiera HID; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2004-08-19 14848]
S3 BTWUSB;WIDCOMM USB Bluetooth Driver; C:\WINDOWS\System32\Drivers\btwusb.sys [2004-06-02 53816]
S3 dot4;Driver MS IEEE-1284.4; C:\WINDOWS\System32\DRIVERS\Dot4.sys [2004-08-03 207360]
S3 Dot4Print;Driver classe Print per IEEE-1284.4; C:\WINDOWS\System32\DRIVERS\Dot4Prt.sys [2001-08-17 12928]
S3 dot4usb;Filtro Dot4USB Dot4USB Filter; C:\WINDOWS\System32\DRIVERS\dot4usb.sys [2001-08-30 23936]
S3 eabusb;eabusb; \??\C:\WINDOWS\system32\drivers\eabusb.sys []
S3 GTF32BUS;GT F32 BUS; C:\WINDOWS\System32\DRIVERS\gtf32bus.sys [2007-10-30 32640]
S3 GTPTSER;GT PT SER; C:\WINDOWS\System32\DRIVERS\gtptser.sys [2007-10-30 8064]
S3 GTSCSER;GT SC SER; C:\WINDOWS\System32\DRIVERS\gtscser.sys [2007-10-30 19328]
S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2005-10-21 49920]
S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2005-10-21 16496]
S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2005-10-21 21568]
S3 hwdatacard;Huawei DataCard USB Modem and USB Serial; C:\WINDOWS\system32\DRIVERS\ewusbmdm.sys [2008-03-17 101376]
S3 usb_rndisx;USB RNDIS Adapter; C:\WINDOWS\system32\DRIVERS\usb8023x.sys [2005-10-21 12800]
S3 usbccgp;Driver principale generico USB Microsoft; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 31616]
S3 usbstor;Driver archiviazione di massa USB; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
S3 w22n51;Driver per Intel(R) PRO/Wireless 2200 Adapter; C:\WINDOWS\System32\DRIVERS\w22n51.sys [2004-03-22 1657344]
S3 W8335XP;Marvell Libertas 802.11b/g Driver for Windows XP (8335); C:\WINDOWS\System32\DRIVERS\Mrvw125.sys [2007-10-30 282752]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
S4 sr;Driver filtro Ripristino configurazione di sistema; C:\WINDOWS\System32\DRIVERS\sr.sys [2004-08-19 73472]
======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R2 btwdins;Bluetooth Service; C:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe [2004-06-03 163840]
R2 ccEvtMgr;Symantec Event Manager; C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe [2006-07-19 192160]
R2 ccSetMgr;Symantec Settings Manager; C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe [2006-07-19 169632]
R2 DefWatch;Symantec AntiVirus Definition Watcher; C:\Programmi\Symantec AntiVirus\DefWatch.exe [2006-09-27 31472]
R2 DfwWebAgent;Remote Diagnostics Enabling Agent; C:\WINDOWS\Cpqdiag\Cpqdfwag.exe [2003-03-13 212992]
R2 EACSvrMngr;(Equant Access Companion) Services Manager; C:\Programmi\Equant\Dialer\EACSvrMngr.exe [2007-02-08 151552]
R2 IPSECMON;SafeNet Monitor Service; C:\Programmi\CoSine Communications\IPSec Dial Client\IPSecMon.exe [2005-02-24 65590]
R2 IreIKE;SafeNet IKE Service; C:\Programmi\CoSine Communications\IPSec Dial Client\IreIKE.exe [2005-02-24 360498]
R2 Irmon;Monitor infrarossi; C:\WINDOWS\System32\svchost.exe [2004-08-19 14336]
R2 MDM;Machine Debug Manager; C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
R2 RegSrvc;RegSrvc; C:\WINDOWS\System32\RegSrvc.exe [2003-12-16 122880]
R2 S24EventMonitor;Spectrum24 Event Monitor; C:\WINDOWS\System32\S24EvMon.exe [2003-12-16 311363]
R2 SavRoam;SAVRoam; C:\Programmi\Symantec AntiVirus\SavRoam.exe [2006-09-27 116464]
R2 SoundMAX Agent Service (default);SoundMAX Agent Service; C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe [2002-09-20 45056]
R2 SPBBCSvc;Symantec SPBBCSvc; C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe [2006-04-11 1160848]
R2 Symantec AntiVirus;Symantec AntiVirus; C:\Programmi\Symantec AntiVirus\Rtvscan.exe [2006-09-27 1813232]
R3 EACSys;(Equant Access Companion) Devices and Services Monitoring; C:\Programmi\Equant\Dialer\EACSys.exe [2007-02-08 229376]
R3 hpqwmi;HP WMI Interface; C:\Programmi\HPQ\SHARED\HPQWMI.exe [2004-07-27 98304]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 LiveUpdate;LiveUpdate; C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE [2006-09-02 2528960]
S3 ose;Office Source Engine; C:\Programmi\File comuni\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 SNDSrvc;Symantec Network Drivers Service; C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe [2006-08-07 214720]
S3 WMPNetworkSvc;Servizio di condivisione in rete Windows Media Player; C:\Programmi\Windows Media Player\WMPNetwk.exe [2006-11-02 918528]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2004-08-19 14336]
S4 msvsmon80;Visual Studio 2005 Remote Debugger; C:\Programmi\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2005-12-09 2799808]
-----------------EOF-----------------
Re,
Tu as touché au fichiers Hosts ?
Télécharge OTMoveIt3 (OldTimer). Sauvegarde-le sur ton Bureau.
Copie (Ctrl+C) le texte se situant dans le cadre ci-dessous :
:files
|
Double clique sur OTMoveIt3.exe afin de le lancer.
Colle (ou Ctrl+V) le texte précédemment copié dans le cadre Paste Instructions for Items to be Moved.
Clique maintenant sur le bouton MoveIt! puis ferme OTMoveIt3.
Si un fichier ou dossier ne peut pas être supprimé immédiatement, le logiciel te demandera de redémarrer.
Accepte en cliquant sur YES.
Poste le rapport situé dans ce dossier : C:\_OTMoveIt\MovedFiles\
Le nom du rapport correspond au moment de sa création : date_heure.log
Répondre à Angeldark
Je ne sais pas ce que sont les fichiers Hosts, mais le fichier:
C:\WINDOWS\system32\blackbo.dll
a été supprimé par malwarebytes' en temps que Trojan (cf log de malwarebytes.
Si je le remets,ca va me recoller un virus non ? (désolé pour mon ignorance, mais je ne comprends pas grand chose à tout ce que je fais !) :-)
En tout cas, j'ai tenté à maintes reprises (sans succès jusqu'à l'utilisation de malwarebyte) de supprimer une clé du regedit (sur instruction du service informatique de ma boite).
Message édité par jftorielli le 09-11-2008 à 19:26:01
Fais ce que j'ai dit. Le fichier est apparemment là (voir log Hijackthis de RSTI)
Répondre à Angeldark
Voici le log the OTMoveit:
========== FILES ==========
C:\WINDOWS\system32\blackbo.dll unregistered successfully.
File move failed. C:\WINDOWS\system32\blackbo.dll scheduled to be moved on reboot.
========== REGISTRY ==========
Unable to delete registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FAD9CF06-4086-41C2-A18D-3F41E3FDBF78}\\ .
OTMoveIt3 by OldTimer - Version 1.0.7.0 log created on 11102008_060913
Apparement ca n'a pas marché, le fichier blackbo.dll est encore présent sur mon C:\ en suivant le parcours indiqué... Tout comme la clé de registre. Je vais réessayer en mode safeboot.
Pas de succès non plus en safe mode.... Décidemment ce virus est coriace... Peut-on essayer de supprimer la clé manuellement peut-etre ?
Reposte un rapport Hijackthis pour voir.
Répondre à Angeldark
Malheureusement, il y est encore... Manifestement les 2 sont liés:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19.26.07, on 10/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\Programmi\CoSine Communications\IPSec Dial Client\IPSecMon.exe
C:\Programmi\CoSine Communications\IPSec Dial Client\IreIKE.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\Programmi\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
C:\Programmi\Equant\Dialer\EACSvrMngr.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\Programmi\Symantec AntiVirus\SavRoam.exe
C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Programmi\Symantec AntiVirus\Rtvscan.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\1XConfig.exe
C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\Programmi\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
C:\Programmi\HPQ\Quick Launch Buttons\EabServr.exe
C:\Programmi\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Programmi\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Programmi\HPQ\SHARED\HPQWMI.exe
C:\Programmi\TomTom HOME\TomTomHOME.exe
C:\Programmi\QuickTime\qttask.exe
C:\Programmi\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Microsoft ActiveSync\wcescomm.exe
C:\Programmi\Messenger\msmsgs.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\Programmi\WIDCOMM\Software Bluetooth\BTTray.exe
C:\Programmi\CoSine Communications\IPSec Dial Client\SafeCfg.exe
C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\Update0809191255.exe
C:\Programmi\StarDict\stardict.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Programmi\Windows Media Player\wmplayer.exe
C:\Programmi\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Programmi\Internet Explorer\iexplore.exe
C:\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://goldreloaded/default.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://goldreloaded/default.aspx
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by INTERBULK TRADING SA
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.int.itcgr.net:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.*;*.itcgr.net;*goldreloaded*;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {FAD9CF06-4086-41C2-A18D-3F41E3FDBF78} - C:\WINDOWS\system32\blackbo.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Cpqset] C:\Programmi\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Programmi\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Programmi\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [UpdateManager] "C:\Programmi\File comuni\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programmi\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Programmi\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [BEWDeactivateSafenet] C:\Programmi\CoSine Communications\IPSec Dial Client\vpn -deactivate
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Programmi\TomTom HOME\TomTomHOME.exe" -s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINDOWS\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programmi\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: SoftRemote.lnk = C:\Programmi\CoSine Communications\IPSec Dial Client\SafeCfg.exe
O4 - Global Startup: Update0809191255.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://goldreloaded/default.aspx
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6 [...] vSniff.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/tec [...] gctlsr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wi [...] 3744461859
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6 [...] /cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = int.itcgr.net
O17 - HKLM\Software\..\Telephony: DomainName = int.itcgr.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = int.itcgr.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = int.itcgr.net
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = int.itcgr.net
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Programmi\Symantec AntiVirus\DefWatch.exe
O23 - Service: Remote Diagnostics Enabling Agent (DfwWebAgent) - Hewlett-Packard - C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
O23 - Service: (Equant Access Companion) Services Manager (EACSvrMngr) - Equant - C:\Programmi\Equant\Dialer\EACSvrMngr.exe
O23 - Service: (Equant Access Companion) Devices and Services Monitoring (EACSys) - Equant - C:\Programmi\Equant\Dialer\EACSys.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Programmi\HPQ\SHARED\HPQWMI.exe
O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - C:\Programmi\CoSine Communications\IPSec Dial Client\IPSecMon.exe
O23 - Service: SafeNet IKE Service (IreIKE) - SafeNet - C:\Programmi\CoSine Communications\IPSec Dial Client\IreIKE.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Programmi\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Programmi\Symantec AntiVirus\Rtvscan.exe
--
End of file - 10308 bytes
Re,
! Désactive tes protections résidentes (antivirus, Spybot-S&D, etc.) !
- Télécharge ComboFix (sUBs) sur ton Bureau.
- Double clique sur ComboFix.exe (le .exe n'est pas forcément visible) afin de le lancer.
- Lorsque la recherche sera terminée, un rapport apparaîtra. Poste ce rapport (C:\combofix.txt*) dans ta prochaine réponse.
AIDE : Un guide et un tutoriel sur l'utilisation de ComboFix
* le nom de la partition peut changer
Répondre à Angeldark
J'ai désinstallé spybot, mais je n'arrive pas à désactiver symantec qui est fourni, comme mon ordi par ma boite... Comment faire avant de lancer combofix ?
Bon c'est bon j'ai réussi, voici le log combo fix + le dernier hijack (message suivant):
ComboFix 08-11-10.01 - interbulk 2008-11-11 10.36.51.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1040.18.99 [GMT 1:00]
Eseguito da: c:\documents and settings\interbulk\Desktop\ComboFix.exe
Interruttori di comando utilizzati :: c:\documents and settings\interbulk\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ITA.exe
* Creato nuovo punto di ripristino
.
((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\IE4 Error Log.txt
.
((((((((((((((((((((((((( Files Creati Da 2008-10-11 al 2008-11-11 )))))))))))))))))))))))))))))))))))
.
2008-11-11 07:23 . 2004-08-03 23:01 25,856 --a------ c:\windows\system32\drivers\usbprint.sys
2008-11-11 07:23 . 2004-08-03 23:01 25,856 --a--c--- c:\windows\system32\dllcache\usbprint.sys
2008-11-11 06:41 . 2008-11-11 06:41 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-10 06:09 . 2008-11-10 06:09 <DIR> d-------- C:\_OTMoveIt
2008-11-10 06:08 . 2008-11-09 19:16 334,848 --a------ C:\OTMoveIt3.exe
2008-11-10 06:05 . 2008-11-10 06:08 <DIR> d-------- C:\i_OTMoveIt
2008-11-09 15:14 . 2008-11-09 15:14 <DIR> d-------- C:\rsit
2008-11-07 20:39 . 2008-11-07 20:39 <DIR> d-------- c:\documents and settings\interbulk\Dati applicazioni\Malwarebytes
2008-11-07 20:29 . 2008-11-07 20:29 <DIR> d-------- c:\documents and settings\u800toriellij\Dati applicazioni\Malwarebytes
2008-11-07 20:28 . 2008-11-07 20:28 <DIR> d-------- c:\documents and settings\All Users\Dati applicazioni\Malwarebytes
2008-11-07 19:16 . 2008-11-11 06:55 <DIR> d-------- C:\HijackThis
2008-11-07 19:15 . 2008-11-07 19:15 401,720 --a------ C:\HiJackThis.exe
2008-11-07 15:46 . 2008-11-07 15:51 16,896 --------- c:\windows\system32\dwzxqzmp.muq
2008-11-07 13:39 . 2008-11-07 13:39 16,896 --------- c:\windows\system32\onvepeoo.gqz
2008-11-07 10:39 . 2007-10-30 11:21 <DIR> d--h----- c:\documents and settings\Administrator\Risorse di stampa
2008-11-07 10:39 . 2007-10-30 11:21 <DIR> d--h----- c:\documents and settings\Administrator\Risorse di rete
2008-11-07 10:39 . 2007-10-30 11:21 <DIR> d-------- c:\documents and settings\Administrator\Preferiti
2008-11-07 10:39 . 2007-10-30 11:29 <DIR> d--h----- c:\documents and settings\Administrator\Modelli
2008-11-07 10:39 . 2007-10-30 11:21 <DIR> dr------- c:\documents and settings\Administrator\Menu Avvio
2008-11-07 10:39 . 2008-11-11 10:40 <DIR> d--h----- c:\documents and settings\Administrator\Impostazioni locali
2008-11-07 10:39 . 2007-10-30 11:21 <DIR> d-------- c:\documents and settings\Administrator\Documenti
2008-11-07 10:39 . 2007-10-30 11:21 <DIR> dr-h----- c:\documents and settings\Administrator\Dati applicazioni
2008-11-07 10:39 . 2008-11-07 10:39 <DIR> d-------- c:\documents and settings\Administrator
2008-11-05 19:58 . 2008-11-07 13:13 16,896 --------- c:\windows\system32\oiyqwwno.kwc
2008-11-05 19:46 . 2008-11-05 19:46 <DIR> d-------- c:\programmi\Trend Micro
2008-11-05 19:43 . 2008-11-05 19:43 812,344 --a------ C:\HJTInstall.exe
2008-11-05 11:11 . 2008-11-07 19:10 505 --a------ c:\windows\wininit.ini
2008-11-05 09:21 . 2008-11-08 20:57 <DIR> d-------- c:\programmi\Spybot - Search & Destroy
2008-11-05 09:21 . 2008-11-08 20:55 <DIR> d-------- c:\documents and settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2008-11-04 05:28 . 2008-11-04 05:29 101,999,934 --a------ C:\SYM_REGISTRY_BACKUP.reg
2008-11-03 13:23 . 2008-11-07 18:33 <DIR> dr------- c:\documents and settings\LocalService\Preferiti
2008-10-21 13:34 . 2008-10-21 13:34 <DIR> d-------- c:\programmi\MSECache
2008-10-14 09:46 . 2008-11-11 08:31 16,517 --a------ c:\windows\system32\FAX_410.HLP
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-11 09:37 --------- d-----w c:\programmi\Symantec AntiVirus
2008-11-11 05:41 --------- d-----w c:\programmi\Java
2008-11-10 12:34 --------- d-----w c:\programmi\Belote Bridgée
2008-11-04 07:30 --------- d-----w c:\documents and settings\u800toriellij\Dati applicazioni\U3
2008-10-30 06:10 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\pdf995
2008-10-04 14:53 116,992 ----a-w c:\windows\system32\blackbo.dll
2008-09-23 11:15 --------- d-----w c:\programmi\NOS
2008-09-23 11:15 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\NOS
2008-09-23 09:13 --------- d-----w c:\programmi\File comuni\Adobe
2008-09-19 13:26 --------- d-----w c:\documents and settings\u800toriellij\Dati applicazioni\StarDict
2008-09-18 14:02 7,291,184 ----a-w C:\12.0.4.0_X_Drivers[1].zip
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FAD9CF06-4086-41C2-A18D-3F41E3FDBF78}]
2008-10-04 15:53 116992 --a------ c:\windows\system32\blackbo.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-19 15360]
"HP Mobile Printing"="c:\programmi\Hewlett-Packard\HP Mobile Printing\HPBMOBIL.EXE" [2003-05-23 630784]
"H/PC Connection Agent"="c:\programmi\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BEWDeactivateSafenet"="c:\programmi\CoSine Communications\IPSec Dial Client\vpn -deactivate" [X]
"SynTPLpr"="c:\programmi\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 98394]
"SynTPEnh"="c:\programmi\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 688218]
"Cpqset"="c:\programmi\HPQ\Default Settings\cpqset.exe" [2004-03-01 200766]
"PRONoMgr.exe"="c:\programmi\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe" [2003-12-10 86016]
"eabconfg.cpl"="c:\programmi\HPQ\Quick Launch Buttons\EabServr.exe" [2004-09-17 290816]
"UpdateManager"="c:\programmi\File comuni\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"SoundMAXPnP"="c:\programmi\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2004-12-21 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2004-12-21 126976]
"ccApp"="c:\programmi\File comuni\Symantec Shared\ccApp.exe" [2006-07-19 52896]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-27 125168]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-19 143872]
"TomTomHOME.exe"="c:\programmi\TomTom HOME\TomTomHOME.exe" [2007-03-14 3770024]
"QuickTime Task"="c:\programmi\QuickTime\qttask.exe" [2007-11-08 98304]
"SunJavaUpdateSched"="c:\programmi\Java\jre6\bin\jusched.exe" [2008-11-11 136600]
"Adobe Reader Speed Launcher"="c:\programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"AGRSMMSG"="AGRSMMSG.exe" [2004-08-24 c:\windows\AGRSMMSG.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"CPQDFWAG"="c:\windows\Cpqdiag\CpqDfwAg.exe" [2003-03-13 212992]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-19 15360]
c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
BTTray.lnk - c:\programmi\WIDCOMM\Software Bluetooth\BTTray.exe [2004-06-02 565309]
SoftRemote.lnk - c:\programmi\CoSine Communications\IPSec Dial Client\SafeCfg.exe [2007-10-30 69684]
Update0809191255.exe [2008-09-19 24064]
[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
2003-12-16 16:49 110592 c:\windows\system32\LgNotify.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\programmi\Microsoft ActiveSync\rapimgr.exe"= c:\programmi\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\programmi\Microsoft ActiveSync\wcescomm.exe"= c:\programmi\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\programmi\Microsoft ActiveSync\WCESMgr.exe"= c:\programmi\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Programmi\\CoSine Communications\\IPSec Dial Client\\IreIKE.exe"=
"c:\programmi\CoSine Communications\IPSec Dial Client\ViewLog.exe"= c:\programmi\CoSine Communications\IPSec Dial Client\ViewLog.exe:127.0.0.1/255.255.255.255:Enabled:ViewLog
"c:\programmi\CoSine Communications\IPSec Dial Client\CmonApp.exe"= c:\programmi\CoSine Communications\IPSec Dial Client\CmonApp.exe:127.0.0.1/255.255.255.255:Enabled:CMonApp
"c:\programmi\CoSine Communications\IPSec Dial Client\vpn.exe"= c:\programmi\CoSine Communications\IPSec Dial Client\vpn.exe:127.0.0.1/255.255.255.255:Enabled:VPN Connection Manager
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R0 gplvgzip;gplvgzip;c:\windows\system32\drivers\fopnhjpe.dat [ ]
R1 IPSECDRV;SafeNet IPSec Plugin;c:\windows\System32\Drivers\IPSECDRV.sys [2005-02-24 129592]
R2 Crypto;Crypto;c:\windows\system32\drivers\Crypto.sys [2004-11-10 521786]
R3 DniVap;SafeNet WAN Miniport (VA);c:\windows\system32\DRIVERS\vap.sys [2001-12-14 36188]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\DRIVERS\gtipci21.sys [2005-05-31 87936]
S3 GTF32BUS;GT F32 BUS;c:\windows\system32\DRIVERS\gtf32bus.sys [2007-10-30 32640]
S3 GTPTSER;GT PT SER;c:\windows\system32\DRIVERS\gtptser.sys [2007-10-30 8064]
S3 GTSCSER;GT SC SER;c:\windows\system32\DRIVERS\gtscser.sys [2007-10-30 19328]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\programmi\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2005-12-09 2799808]
*Newly Created Service* - PROCEXP90
.
- - - - ORFÃOS REMOVIDOS - - - -
SafeBoot-Winls28.sys
SafeBoot-Wintc18.sys
.
------- Supplementare di scansione -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.hp.com/
R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://www.hp.com/
R1 -: HKCU-Internet Settings,ProxyServer = proxy.int.itcgr.net:8080
O8 -: E&sporta in Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 -: Invia a &Bluetooth - c:\programmi\WIDCOMM\Software Bluetooth\btsendto_ie_ctx.htm
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-11 10:40:44
Windows 5.1.2600 Service Pack 2 NTFS
scansione processi nascosti ...
scansione entrate autostart nascoste ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\programmi\HPQ\Default Settings\cpqset.exe???????????????????|?@???? ???B???????????????B????????
Scansione files nascosti ...
Scansione completata con successo
Files nascosti: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\gplvgzip]
"ImagePath"="system32\drivers\fopnhjpe.dat"
.
Ora fine scansione: 2008-11-11 10.42.08
ComboFix-quarantined-files.txt 2008-11-11 09:42:00
Pre-Run: 37.256.990.720 byte disponibili
Post-Run: 37,566,025,728 byte disponibili
WindowsXP-KB310994-SP2-Pro-BootDisk-ITA.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
167
Le log hijack:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10.47.18, on 11/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\Programmi\CoSine Communications\IPSec Dial Client\IPSecMon.exe
C:\Programmi\CoSine Communications\IPSec Dial Client\IreIKE.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\Programmi\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
C:\Programmi\Equant\Dialer\EACSvrMngr.exe
C:\Programmi\Java\jre6\bin\jqs.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\Programmi\Symantec AntiVirus\SavRoam.exe
C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Programmi\Symantec AntiVirus\Rtvscan.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\System32\1XConfig.exe
C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\Programmi\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
C:\Programmi\HPQ\Quick Launch Buttons\EabServr.exe
C:\Programmi\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Programmi\TomTom HOME\TomTomHOME.exe
C:\Programmi\HPQ\SHARED\HPQWMI.exe
C:\Programmi\QuickTime\qttask.exe
C:\Programmi\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Hewlett-Packard\HP Mobile Printing\HPBMOBIL.EXE
C:\Programmi\Microsoft ActiveSync\Wcescomm.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\Programmi\WIDCOMM\Software Bluetooth\BTTray.exe
C:\Programmi\CoSine Communications\IPSec Dial Client\SafeCfg.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Programmi\internet explorer\iexplore.exe
C:\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hp.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.int.itcgr.net:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programmi\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programmi\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {FAD9CF06-4086-41C2-A18D-3F41E3FDBF78} - C:\WINDOWS\system32\blackbo.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Cpqset] C:\Programmi\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Programmi\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Programmi\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [UpdateManager] "C:\Programmi\File comuni\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programmi\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [BEWDeactivateSafenet] C:\Programmi\CoSine Communications\IPSec Dial Client\vpn -deactivate
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Programmi\TomTom HOME\TomTomHOME.exe" -s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINDOWS\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [HP Mobile Printing] C:\Programmi\Hewlett-Packard\HP Mobile Printing\HPBMOBIL.EXE
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programmi\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: SoftRemote.lnk = C:\Programmi\CoSine Communications\IPSec Dial Client\SafeCfg.exe
O4 - Global Startup: Update0809191255.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Invia a &Bluetooth - C:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie_ctx.htm
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://goldreloaded/default.aspx
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6 [...] vSniff.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/tec [...] gctlsr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wi [...] 3744461859
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6 [...] /cabsa.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/down [...] leId=24931
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = int.itcgr.net
O17 - HKLM\Software\..\Telephony: DomainName = int.itcgr.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = int.itcgr.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = int.itcgr.net
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = int.itcgr.net
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Programmi\Symantec AntiVirus\DefWatch.exe
O23 - Service: Remote Diagnostics Enabling Agent (DfwWebAgent) - Hewlett-Packard - C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
O23 - Service: (Equant Access Companion) Services Manager (EACSvrMngr) - Equant - C:\Programmi\Equant\Dialer\EACSvrMngr.exe
O23 - Service: (Equant Access Companion) Devices and Services Monitoring (EACSys) - Equant - C:\Programmi\Equant\Dialer\EACSys.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Programmi\HPQ\SHARED\HPQWMI.exe
O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - C:\Programmi\CoSine Communications\IPSec Dial Client\IPSecMon.exe
O23 - Service: SafeNet IKE Service (IreIKE) - SafeNet - C:\Programmi\CoSine Communications\IPSec Dial Client\IreIKE.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programmi\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Programmi\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Programmi\Symantec AntiVirus\Rtvscan.exe
--
End of file - 10436 bytes
Je voulais juste signaler que le problème est réglé, je me suis fais aidé pour créer une commande combofix de destruction et le problème est réglé. Je tenais à te remercier très sincèrement pour le soutien et les solutions apportées pour ce(s) coriace(s) virus.
Merci encore, amitiés.
PS: voici le dernier log hijack:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12.26.23, on 11/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\Programmi\CoSine Communications\IPSec Dial Client\IPSecMon.exe
C:\Programmi\CoSine Communications\IPSec Dial Client\IreIKE.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\Programmi\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
C:\Programmi\HPQ\Quick Launch Buttons\EabServr.exe
C:\Programmi\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Programmi\TomTom HOME\TomTomHOME.exe
C:\Programmi\QuickTime\qttask.exe
C:\Programmi\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\Programmi\Hewlett-Packard\HP Mobile Printing\HPBMOBIL.EXE
C:\Programmi\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
C:\Programmi\Microsoft ActiveSync\Wcescomm.exe
C:\Programmi\Equant\Dialer\EACSvrMngr.exe
C:\Programmi\Java\jre6\bin\jqs.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\Programmi\Symantec AntiVirus\SavRoam.exe
C:\Programmi\WIDCOMM\Software Bluetooth\BTTray.exe
C:\Programmi\CoSine Communications\IPSec Dial Client\SafeCfg.exe
C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\Programmi\Symantec AntiVirus\Rtvscan.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\Programmi\HPQ\SHARED\HPQWMI.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\explorer.exe
C:\Programmi\internet explorer\iexplore.exe
C:\Programmi\internet explorer\iexplore.exe
C:\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hp.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.int.itcgr.net:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programmi\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programmi\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Cpqset] C:\Programmi\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Programmi\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Programmi\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [UpdateManager] "C:\Programmi\File comuni\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programmi\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [BEWDeactivateSafenet] C:\Programmi\CoSine Communications\IPSec Dial Client\vpn -deactivate
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Programmi\TomTom HOME\TomTomHOME.exe" -s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINDOWS\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [HP Mobile Printing] C:\Programmi\Hewlett-Packard\HP Mobile Printing\HPBMOBIL.EXE
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programmi\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: SoftRemote.lnk = C:\Programmi\CoSine Communications\IPSec Dial Client\SafeCfg.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Invia a &Bluetooth - C:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie_ctx.htm
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6 [...] vSniff.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/tec [...] gctlsr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wi [...] 3744461859
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6 [...] /cabsa.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/down [...] leId=24931
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = int.itcgr.net
O17 - HKLM\Software\..\Telephony: DomainName = int.itcgr.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = int.itcgr.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = int.itcgr.net
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = int.itcgr.net
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Programmi\Symantec AntiVirus\DefWatch.exe
O23 - Service: Remote Diagnostics Enabling Agent (DfwWebAgent) - Hewlett-Packard - C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
O23 - Service: (Equant Access Companion) Services Manager (EACSvrMngr) - Equant - C:\Programmi\Equant\Dialer\EACSvrMngr.exe
O23 - Service: (Equant Access Companion) Devices and Services Monitoring (EACSys) - Equant - C:\Programmi\Equant\Dialer\EACSys.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Programmi\HPQ\SHARED\HPQWMI.exe
O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - C:\Programmi\CoSine Communications\IPSec Dial Client\IPSecMon.exe
O23 - Service: SafeNet IKE Service (IreIKE) - SafeNet - C:\Programmi\CoSine Communications\IPSec Dial Client\IreIKE.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programmi\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Programmi\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Programmi\Symantec AntiVirus\Rtvscan.exe
--
End of file - 10294 bytes
L'infection est coriace. J'ai demandé de désactiver les protections, pas de désinstaller 
! Désactive tes protections résidentes (antivirus, Spybot-S&D, etc.) !
Copie (Ctrl+C) le texte se situant dans le cadre ci-dessous :
Rootkit::
|
Ouvre le Bloc-Notes puis colle (Ctrl+V) le texte précédemment copié.
Sauvegarde ce fichier sous le nom de "CFScript.txt" (les guillemets sont importantes).
Glisse maintenant le fichier CFScript.txt dans ComboFix.exe comme dans l'image ci-dessous :
Cela va relancer ComboFix. Après redémarrage, poste le contenu du rapport (C:\combofix.txt*) accompagné d'un rapport HijackThis.
NOTE : S'il n'y a pas de redémarrage, poste quand même les rapports demandés.
* le nom de la partition peut changer
Répondre à Angeldark
Bonsoir,
Comme expliqué dans mon post précédent le problème a été réglé (d'ailleurs par la meme méthode que la tienne) et mon dernier rapport hijack le montre. ;-)
Merci beaucoup pour l'aide efficace, car il a été particulièrement coriace... Infection multiple et résistante, il fallait des antibiotiques puissants !
Juste une petite question d'éventuelles informations sur la nature des virus et de leurs conséquences?
Encore merci!
| Citation : Juste une petite question d'éventuelles informations sur la nature des virus et de leurs conséquences? |
Bah tout dépend desquels.
Répondre à Angeldark
Eh bien en l'occurence, ceux qui m'avaient infectés: blackbo.dll et winctrl32.dll (si tant est que ce sont les virus, ou du moins les fichiers de fonctionnement).
A la lecture des logs (entre le 1er et le dernier) combien y-a-t-il de trojans, virus supprimés ?
C'est MBAM qui a supprimé le gros de l'infection, suffit de voir le rapport 
Répondre à Angeldark
Il y a 2061 utilisateurs connus et inconnus. Pour voir la liste des connectés connus, cliquez ici.
