ANTINUL
Forum Sécurité - Virus : ANTINUL
Bonjour à tous,
depuis déjà un moment, y a un virus sur mon pc (antinul.vba), j'ai suivi un peu la demarche a suivre sur le net
- HijackThis --> :
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:25:39, on 17/04/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wscript.exe
C:\WINDOWS\Explorer.EXE
e:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Fichiers communs\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Fichiers communs\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\Fichiers communs\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\WINDOWS\vsnpstd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\zzz\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
E:\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Fichiers communs\Logishrd\LQCVFX\COCIManager.exe
E:\MSSQL.2\OLAP\bin\msmdsrv.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Fichiers communs\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Fichiers communs\Microsoft Shared\Source Engine\OSE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Travaillez plus.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=1036
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Au travail !Arrêtez de surfer!
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wscript.exe C:\WINDOWS\system32\antinul.vbe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {B499D34E-58EF-4927-AB9F-7AF52B2C4C82} - C:\Program Files\Video Add-on\isfmdl.dll (file missing)
O3 - Toolbar: IE Custom Tools - {6CA49FDD-4AEB-4F08-A394-C0A1F82CAA16} - C:\Program Files\Video Add-on\ictmdl.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Raccourci vers la page des propriétés de High Definition Audio] HDAShCut.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AVP] "e:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Fichiers communs\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\zzz\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\Video Add-on\icthis.exe
O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\Video Add-on\isfmntr.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - e:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/micros [...] 9640824281
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/micros [...] 9640757156
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\SKYPE4~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - e:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Fichiers communs\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Fichiers communs\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Fichiers communs\LogiShrd\SrvLnch\SrvLnch.exe
--
End of file - 8202 bytes
##############################################################"
puis :
j'ai lancé "ComboFix qui m'a généré ce rapport:
ComboFix 09-04-15.08 - zzz 17/04/2009 2:35.1 - NTFSx86
Microsoft Windows XP Professionnel 5.1.2600.3.1252.33.1036.18.511.170 [GMT 2:00]
Lancé depuis: c:\documents and settings\zzz\Bureau\ComboFix.exe
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated)
* Un nouveau point de restauration a été créé
.
(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Menu Démarrer\Online Security Guide.url
c:\documents and settings\All Users\Menu Démarrer\Security Troubleshooting.url
c:\program files\AntiVirGear 3.8
c:\program files\AntiVirGear 3.8\AntiVirGear 3.8.exe
c:\windows\system32\Cache
.
((((((((((((((((((((((((((((( Fichiers créés du 2009-03-17 au 2009-04-17 ))))))))))))))))))))))))))))))))))))
.
2009-04-16 23:19 . 2009-04-16 23:19 -------- d-----w c:\windows\LastGood
2009-04-13 21:54 . 2008-06-14 17:33 272768 -c----w c:\windows\system32\dllcache\bthport.sys
2009-04-13 21:48 . 2008-08-14 10:04 138496 -c----w c:\windows\system32\dllcache\afd.sys
2009-04-13 21:41 . 2008-10-16 01:01 670208 -c----w c:\windows\system32\dllcache\wininet.dll
2009-04-13 21:40 . 2008-10-16 01:01 1499648 -c----w c:\windows\system32\dllcache\shdocvw.dll
2009-04-13 21:40 . 2008-10-16 01:01 620544 -c----w c:\windows\system32\dllcache\urlmon.dll
2009-04-13 21:15 . 2008-08-14 13:23 2147328 -c----w c:\windows\system32\dllcache\ntkrnlmp.exe
2009-04-13 21:15 . 2008-08-14 13:23 2068096 -c----w c:\windows\system32\dllcache\ntkrnlpa.exe
2009-04-13 21:15 . 2008-08-14 13:23 2025984 -c----w c:\windows\system32\dllcache\ntkrpamp.exe
2009-04-13 21:15 . 2008-08-14 13:23 2191232 -c----w c:\windows\system32\dllcache\ntoskrnl.exe
2009-04-13 21:13 . 2008-12-12 17:02 3088896 -c----w c:\windows\system32\dllcache\mshtml.dll
2009-04-13 20:58 . 2008-05-08 14:02 203136 -c----w c:\windows\system32\dllcache\rmcast.sys
2009-04-13 20:58 . 2008-10-24 11:21 455296 -c----w c:\windows\system32\dllcache\mrxsmb.sys
2009-04-13 20:49 . 2008-12-11 10:57 333952 -c----w c:\windows\system32\dllcache\srv.sys
2009-04-13 20:48 . 2008-05-01 14:36 331776 -c----w c:\windows\system32\dllcache\msadce.dll
2009-04-13 20:47 . 2008-04-11 19:05 691712 -c----w c:\windows\system32\dllcache\inetcomm.dll
2009-04-13 20:46 . 2008-10-15 16:35 337408 -c----w c:\windows\system32\dllcache\netapi32.dll
2009-04-13 20:45 . 2008-09-04 17:16 1106944 -c----w c:\windows\system32\dllcache\msxml3.dll
2009-04-13 20:29 . 2008-10-16 12:06 27496 ----a-w c:\windows\system32\mucltui.dll.mui
2009-04-13 19:08 . 2009-04-13 19:08 -------- d-----w c:\windows\system32\fr-fr
2009-04-13 19:08 . 2009-04-13 19:08 -------- d-----w c:\windows\l2schemas
2009-04-13 19:08 . 2009-04-13 19:08 -------- d-----w c:\windows\system32\fr
2009-04-13 19:08 . 2009-04-13 19:08 -------- d-----w c:\windows\system32\bits
2009-04-13 19:02 . 2009-04-13 19:09 -------- d-----w c:\windows\ServicePackFiles
2009-04-13 17:15 . 2004-08-05 12:00 773 -c----w c:\windows\system32\dllcache\cnth.gif
2009-04-13 16:40 . 2008-10-16 12:09 35864 ----a-w c:\windows\system32\wucltui.dll.mui
2009-04-13 16:40 . 2008-10-16 12:08 27672 ----a-w c:\windows\system32\wuaucpl.cpl.mui
2009-04-13 16:40 . 2008-10-16 12:07 19992 ----a-w c:\windows\system32\wuaueng.dll.mui
2009-04-13 16:40 . 2008-10-16 12:08 27672 ----a-w c:\windows\system32\wuapi.dll.mui
.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-17 00:39 . 2007-06-05 10:07 98646048 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-04-17 00:39 . 2007-06-05 10:07 98646048 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-04-17 00:39 . 2007-12-25 22:37 -------- d-----w c:\documents and settings\zzz\Application Data\Skype
2009-04-17 00:39 . 2007-06-05 10:07 332064 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-04-17 00:39 . 2007-06-05 10:07 332064 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-04-16 23:57 . 2009-04-16 23:57 -------- d-----w c:\program files\Trend Micro
2009-04-16 23:31 . 2009-01-19 21:37 13036 --sha-w c:\windows\system32\antinul.vbe
2009-04-16 23:31 . 2009-01-19 21:37 13036 --sha-w c:\windows\system32\antinul.vbe
2009-04-16 23:15 . 2007-12-25 22:38 -------- d-----w c:\documents and settings\zzz\Application Data\skypePM
2009-04-16 21:42 . 2007-06-05 10:07 1324508 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-04-16 21:42 . 2007-06-05 10:07 116120 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-04-15 19:48 . 2007-05-11 14:16 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-04-15 19:31 . 2004-08-05 12:00 630260 ----a-w c:\windows\system32\perfh00C.dat
2009-04-15 19:31 . 2004-08-05 12:00 135170 ----a-w c:\windows\system32\perfc00C.dat
2009-04-14 10:17 . 2007-05-11 14:30 -------- d-----w c:\program files\Microsoft SQL Server
2009-04-13 23:35 . 2009-04-13 23:35 -------- d-----w c:\program files\MSXML 4.0
2009-04-13 20:31 . 2007-05-11 18:38 -------- d-----w c:\program files\MSN Messenger
2009-04-13 19:12 . 2007-05-10 10:18 86331 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-04-13 18:57 . 2004-08-05 12:00 252240 --sha-r C:\ntldr
2009-03-31 22:06 . 2007-06-09 01:35 268 ---ha-w C:\sqmdata19.sqm
2009-03-31 22:06 . 2007-06-09 01:35 244 ---ha-w C:\sqmnoopt19.sqm
2009-03-31 21:48 . 2007-06-08 14:46 268 ---ha-w C:\sqmdata18.sqm
2009-03-31 21:48 . 2007-06-08 14:46 244 ---ha-w C:\sqmnoopt18.sqm
2009-03-16 23:04 . 2007-05-24 15:03 268 ---ha-w C:\sqmdata17.sqm
2009-03-16 23:04 . 2007-05-24 15:03 244 ---ha-w C:\sqmnoopt17.sqm
2009-03-01 12:11 . 2007-05-24 13:30 268 ---ha-w C:\sqmdata16.sqm
2009-03-01 12:11 . 2007-05-24 13:30 244 ---ha-w C:\sqmnoopt16.sqm
2009-03-01 07:39 . 2007-05-19 12:28 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-01 06:43 . 2009-03-01 06:43 -------- d-----w c:\documents and settings\zzz\Application Data\Samsung
2009-02-28 23:42 . 2009-02-28 23:15 5632 ----a-w c:\windows\system32\drivers\StarOpen.sys
2009-02-28 23:14 . 2009-02-28 23:14 -------- d-----w c:\program files\Samsung
2009-02-13 07:44 . 2007-05-24 13:29 268 ---ha-w C:\sqmdata15.sqm
2009-02-13 07:44 . 2007-05-24 13:29 244 ---ha-w C:\sqmnoopt15.sqm
2009-02-12 17:28 . 2007-05-24 10:19 268 ---ha-w C:\sqmdata14.sqm
2009-02-12 17:28 . 2007-05-24 10:19 244 ---ha-w C:\sqmnoopt14.sqm
2009-02-10 20:58 . 2007-05-24 08:51 268 ---ha-w C:\sqmdata13.sqm
2009-02-10 20:58 . 2007-05-24 08:51 244 ---ha-w C:\sqmnoopt13.sqm
2009-02-09 16:52 . 2007-05-23 08:12 268 ---ha-w C:\sqmdata12.sqm
2009-02-09 16:52 . 2007-05-23 08:12 244 ---ha-w C:\sqmnoopt12.sqm
2009-02-09 14:05 . 2004-08-05 12:00 1846912 ----a-w c:\windows\system32\win32k.sys
2009-02-08 21:19 . 2007-05-22 08:26 268 ---ha-w C:\sqmdata11.sqm
2009-02-08 21:19 . 2007-05-22 08:26 244 ---ha-w C:\sqmnoopt11.sqm
2009-02-08 06:12 . 2007-05-21 01:06 268 ---ha-w C:\sqmdata10.sqm
2009-02-08 06:12 . 2007-05-21 01:06 244 ---ha-w C:\sqmnoopt10.sqm
2009-02-07 20:43 . 2007-05-19 23:37 268 ---ha-w C:\sqmdata09.sqm
2009-02-07 20:43 . 2007-05-19 23:37 244 ---ha-w C:\sqmnoopt09.sqm
2007-12-21 21:12 . 2007-12-21 21:12 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2007-11-04 22:43 . 2007-10-16 23:07 84624 -c--a-w c:\documents and settings\zzz\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-05-29 08:32 . 2007-05-11 14:27 84624 -c--a-w c:\documents and settings\Administrateur\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-12-21 09:2007-05-11 09:20 46:08 . c:\program files\mozilla firefox\components\jar50.dll
2008-12-21 09:2007-05-11 09:20 46:09 . c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-21 09:2008-08-02 10:52 46:10 . c:\program files\mozilla firefox\components\myspell.dll
2008-12-21 09:2008-08-02 10:52 46:14 . c:\program files\mozilla firefox\components\spellchk.dll
2008-12-21 09:2007-05-11 09:20 46:15 . c:\program files\mozilla firefox\components\xpinstal.dll
.
((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-11-05 4347120]
"Google Update"="c:\documents and settings\zzz\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-11-19 133104]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-28 344064]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-04-15 708697]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"TkBellExe"="c:\program files\Fichiers communs\Real\Update_OB\realsched.exe" [2008-08-26 185896]
"LogitechCommunicationsManager"="c:\program files\Fichiers communs\LogiShrd\LComMgr\Communications_Helper.exe" [2008-02-13 564496]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-02-13 2196240]
"snpstd"="c:\windows\vsnpstd.exe" [2004-06-10 286720]
"Raccourci vers la page des propriétés de High Definition Audio"="HDAShCut.exe" - c:\windows\system32\HdAShCut.exe [2005-01-07 61952]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2005-06-21 90112]
"AlcWzrd"="ALCWZRD.EXE" - c:\windows\ALCWZRD.EXE [2005-07-13 2806272]
"SMSERIAL"="sm56hlpr.exe" - c:\windows\sm56hlpr.exe [2004-12-29 544768]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"e:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 6.0\\avp.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\adslTV\\adsltv.exe"=
"c:\\Documents and Settings\\zzz\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\zzz\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R2 ReportServer;SQL Server Reporting Services (MSSQLSERVER);e:\mssql.3\Reporting Services\ReportServer\bin\ReportingServicesService.exe [2005-10-14 14552]
R3 fbxusb;Carte réseau virtuelle FreeBox USB;c:\windows\system32\DRIVERS\fbxusb32.sys [2004-10-20 21344]
R4 msvsmon80;Débogueur distant Visual Studio 2005;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2005-09-23 2799808]
S2 MsDtsServer;SQL Server Integration Services;c:\program files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe [2005-10-14 199384]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{068f8826-330a-11dc-a8c5-0013cef31ea0}]
\Shell\AutoRun\command - wscript.exe antinul.vbe
\Shell\open\Command - wscript.exe antinul.vbe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4340f82f-e345-11dd-a1af-0013cef31ea0}]
\Shell\AutoRun\command - wscript.exe antinul.vbe
\Shell\open\Command - wscript.exe antinul.vbe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5eb0a305-d376-11dd-a18d-0013cef31ea0}]
\Shell\AutoRun\command - WD_Windows_Tools\Setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8e8e917c-6863-11dc-a91b-0013cef31ea0}]
\Shell\Auto\command - setup.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe
.
Contenu du dossier 'Tâches planifiées'
2009-04-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-842925246-1563985344-682003330-1030.job
- c:\documents and settings\zzz\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-19 20:56]
.
.
------- Examen supplémentaire -------
.
uStart Page = Travaillez plus.com
uInternet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=1036
IE: E&xporter vers Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\zzz\Application Data\Mozilla\Firefox\Profiles\1olyyfzw.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
.
**************************************************************************
catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-17 02:39
Windows 5.1.2600 Service Pack 3 NTFS
Recherche de processus cachés ...
Recherche d'éléments en démarrage automatique cachés ...
Recherche de fichiers cachés ...
Scan terminé avec succès
Fichiers cachés: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msftesql]
"ImagePath"="e:\mssql.1\MSSQL\Binn\msftesql.exe -s:MSSQL.1 -f:MSSQLSERVER"
.
--------------------- DLLs chargées dans les processus actifs ---------------------
- - - - - - - > 'winlogon.exe'(824)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\klogon.dll
.
Heure de fin: 2009-04-17 2:41
ComboFix-quarantined-files.txt 2009-04-17 00:41
Avant-CF: 489 275 392 octets libres
Après-CF: 2 198 700 032 octets libres
WindowsXP-KB310994-SP2-Pro-BootDisk-FRA.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professionnel" /noexecute=optin /fastdetect
208 --- E O F --- 2009-04-15 19:49
##################################################
Pouvez vous me dire qu'est ce que je dois faire a present?
merci d'avance pour votre aide et bonne soirée
Aigle
Bonjour,
Télécharge ComboFix (de sUBs) sur ton Bureau.
- Désactive temporairement toute protection résidente ! (Antivirus, antispywares..)
- Double clique sur ComboFix.exe.
- Accepte la licence en cliquant sur Oui.
- Le programme va te demander si tu souhaites installer la Console de Récupération. C'est une précaution, au cas où l'ordinateur tomberait en panne. Je te conseille donc de l'installer, ça ne coûte rien, et ça pourrait potentiellement servir !
- Lorsque l'opération sera terminée, un rapport apparaîtra. Poste ce rapport dans ta prochaine réponse.
Le rapport se trouve ici : %SystemDrive%\ComboFix.txt (%systemdrive% étant la partition où est installée Windows; C:\ en général)
Aide : Comment utiliser ComboFix.
Répondre à Angeldark
Il y a 924 utilisateurs connus et inconnus. Pour voir la liste des connectés connus, cliquez ici.
