
Calexo


  1. Calexo

    Bagle NM

    Thank you SO MUCH for all of this!!!!!!
  2. Calexo

    Bagle NM

    The user-agent detected by Kaper is: "unknown"... Here it is: so nothing more at that level.
  3. Calexo

    Bagle NM

    Logfile of The Avenger Version 2.0, © by Swandog46
    http://swandog46.geekstogo.com

    Platform: Windows XP

    *******************

    Script file opened successfully.
    Script file read successfully.
    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    Rootkit scan active.
    No rootkits found!

    Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\hldrrr" not found!
    Deletion of driver "hldrrr" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist

    Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\srosa" not found!
    Deletion of driver "srosa" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist

    Error: file "C:\WINDOWS\system32\BAN_LIST.txt" not found!
    Deletion of file "C:\WINDOWS\system32\BAN_LIST.txt" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist

    Error: file "C:\WINDOWS\SYSTEM32\WINTEMS.EXE" not found!
    Deletion of file "C:\WINDOWS\SYSTEM32\WINTEMS.EXE" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist

    Error: "C:\WINDOWS\system32\drivers\down" is a folder, not a file!
    Deletion of file "C:\WINDOWS\system32\drivers\down" failed!
    Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
    --> use "Folders to delete:" instead of "Files to delete:" to delete a directory

    Error: file "C:\WINDOWS\system32\drivers\srosa.sys" not found!
    Deletion of file "C:\WINDOWS\system32\drivers\srosa.sys" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist

    Error: file "C:\Windows\System32\drivers\hldrrr.exe" not found!
    Deletion of file "C:\Windows\System32\drivers\hldrrr.exe" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist

    Completed script processing.

    *******************

    Finished! Terminate.

    So nothing left... Just this bogus "user-agent"...
  4. Calexo

    Bagle NM

    Here we go! For information, the procedure for the latest version of Avenger has changed:
    - paste the script into the box (CTRL+V)
    - run the script
    - click OK to reboot

    Regards,
  5. Calexo

    Bagle NM

    Strange... This webscan does not detect my version of Windows (XP) and therefore refuses to start!!
  6. Calexo

    Bagle NM

    I hope this is good!!

    Combo-Fix:

    ComboFix 08-03-04.5 - acatalif 2008-03-05 15:22:11.4 - NTFSx86
    Microsoft Windows XP Professionnel 5.1.2600.2.1252.1.1036.18.683 [GMT 1:00]
    Endroit: C:\Combo-Fix.exe
    Command switches used :: C:\CFScript
    * Création d'un nouveau point de restauration
    AVERTISSEMENT - LA CONSOLE DE RÉCUPÉRATION N'EST PAS INSTALLÉE SUR CETTE MACHINE !!

    FILE ::
    C:\WINDOWS\system32\BAN_LIST.txt
    C:\WINDOWS\system32\drivers\down
    C:\Windows\System32\drivers\hldrrr.exe
    C:\WINDOWS\system32\drivers\srosa.sys
    C:\WINDOWS\SYSTEM32\WINTEMS.EXE
    .
    (((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
    .
    C:\WINDOWS\system32\drivers\down
    C:\WINDOWS\system32\drivers\hldrrr.exe
    C:\WINDOWS\system32\drivers\srosa.sys
    .
    ---- Previous Run -------
    .
    C:\WINDOWS\system32\drivers\down
    C:\WINDOWS\system32\drivers\down\2251906.exe
    C:\WINDOWS\system32\drivers\down\2283656.exe
    C:\WINDOWS\system32\drivers\down\2312656.exe
    C:\WINDOWS\system32\drivers\down\2333265.exe
    C:\WINDOWS\system32\drivers\down\2385953.exe
    C:\WINDOWS\system32\drivers\down\2415406.exe
    C:\WINDOWS\system32\drivers\down\2443062.exe
    C:\WINDOWS\system32\drivers\down\2463015.exe
    C:\WINDOWS\system32\drivers\down\2497187.exe
    C:\WINDOWS\system32\drivers\down\2537546.exe
    C:\WINDOWS\system32\drivers\down\2604875.exe
    C:\WINDOWS\system32\drivers\down\2638250.exe
    C:\WINDOWS\system32\drivers\down\2671000.exe
    .
    --------------- FMove ---------------
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    -------\LEGACY_SROSA
    -------\srosa

    ((((((((((((((((((((((((((((( Fichiers créés 2008-02-05 to 2008-03-05 ))))))))))))))))))))))))))))))))))))
    .
    2008-03-05 14:49 . 2008-03-05 13:18 1,580,607 --a------ C:\Combo-Fix.exe
    2008-03-05 13:21 . 2008-03-05 13:14 396,288 --a------ C:\HijackThis - Copie.exe
    2008-03-05 13:20 . 2008-03-05 15:01 <REP> d-------- C:\ComboFix - Copie
    2008-03-05 13:20 . 2008-03-05 13:18 1,580,607 --a------ C:\ComboFix - Copie.exe
    2008-03-05 13:19 . 2008-03-05 13:19 1,580,607 --a------ C:\ComboFix.exe
    2008-03-05 12:14 . 2008-03-05 12:14 <REP> d-------- C:\Program Files\Emil Andersson
    2008-03-05 11:49 . 2008-03-05 11:49 1,312,941 --a------ C:\SDFix.exe
    2008-03-05 11:12 . 2008-03-05 11:12 <REP> d-------- C:\Program Files\Trend Micro
    2008-03-04 16:56 . 2008-03-04 16:56 <REP> d-------- C:\Program Files\Spb Software House
    2008-03-04 11:06 . 2008-03-04 11:06 <REP> d-------- C:\Muestras
    2008-03-04 10:39 . 2008-03-04 10:39 <REP> d-------- C:\Documents and Settings\acatalif\Application Data\Uniblue
    2008-03-04 10:15 . 2008-03-04 10:22 <REP> d-------- C:\WINDOWS\avxoscan
    2008-03-03 15:05 . 2005-09-22 04:12 27,136 --a------ C:\WINDOWS\system32\drivers\LADriver.sys
    2008-03-03 15:05 . 2005-09-22 03:17 24,064 --a------ C:\WINDOWS\system32\drivers\LDDriver.sys
    2008-03-03 15:05 . 2005-09-22 04:21 14,336 --a------ C:\WINDOWS\system32\drivers\LHDriver.sys
    2008-03-03 14:19 . 2008-03-03 14:20 <REP> d-------- C:\Program Files\Fichiers communs\Adobe
    2008-02-22 17:07 . 2008-02-22 17:07 <REP> d-------- C:\Program Files\Blue Point Studios
    2008-02-22 13:44 . 2008-02-22 13:44 <REP> d-------- C:\Program Files\Sprite Software
    2008-02-22 13:44 . 2008-02-22 13:44 <REP> d-------- C:\Documents and Settings\acatalif\Application Data\Sprite Software
    2008-02-21 15:11 . 2008-02-21 15:34 <REP> d-------- C:\Program Files\KeePass Password Safe
    2008-02-21 14:27 . 2008-02-21 14:27 <REP> d-------- C:\Program Files\Dnote Software
    2008-02-21 10:10 . 2008-02-21 10:10 <REP> d-------- C:\Program Files\PHM
    2008-02-19 17:43 . 2008-02-19 17:43 <REP> d-------- C:\Garmin
    2008-02-18 08:18 . 2007-12-18 10:51 179,584 -----c--- C:\WINDOWS\system32\dllcache\mrxdav.sys
    .
    (((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-03-05 14:31 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Application Data\VMware
    2008-03-05 14:31 --------- d-----w C:\Documents and Settings\LocalService\Application Data\VMware
    2008-03-05 14:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\VMware
    2008-03-04 16:00 --------- d-----w C:\Program Files\Microsoft ActiveSync
    2008-03-03 16:27 --------- d-----w C:\Documents and Settings\acatalif\Application Data\OpenOffice.org2
    2008-03-03 07:10 --------- d-----w C:\Program Files\Symantec AntiVirus
    2008-02-22 16:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-02-22 12:44 --------- d-----w C:\Program Files\Fichiers communs\InstallShield
    2008-02-21 15:08 --------- d-----w C:\Program Files\Formule Dé
    2008-02-19 13:01 --------- d-----w C:\Documents and Settings\acatalif\Application Data\VMware
    2008-01-31 14:34 --------- d-----w C:\Documents and Settings\acatalif\Application Data\gtk-2.0
    2008-01-31 09:48 --------- d-----w C:\Documents and Settings\acatalif\Application Data\Notepad++
    2008-01-30 15:47 --------- d-----w C:\Documents and Settings\acatalif\Application Data\FileZilla
    2008-01-23 08:41 --------- d-----w C:\Program Files\Notepad++
    2008-01-16 12:33 --------- d-----w C:\Program Files\PDFCreator
    2008-01-16 12:18 --------- d-----w C:\Program Files\qFreeFax
    2008-01-16 11:57 --------- d-----w C:\Program Files\OpenOffice.org 2.3
    2008-01-16 11:56 --------- d-----w C:\Program Files\Java
    2008-01-08 10:52 --------- d-----w C:\Program Files\RSS Xpress
    2008-01-08 10:51 --------- d-----w C:\Documents and Settings\acatalif\Application Data\Bull
    .
    ((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    REGEDIT4
    *Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseSVN]
    @={30351346-7B7D-4FCC-81B4-1E394CA267EB}
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseSVN]
    @={30351347-7B7D-4FCC-81B4-1E394CA267EB}
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseSVN]
    @={30351348-7B7D-4FCC-81B4-1E394CA267EB}
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseSVN]
    @={3035134B-7B7D-4FCC-81B4-1E394CA267EB}
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseSVN]
    @={3035134C-7B7D-4FCC-81B4-1E394CA267EB}
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseSVN]
    @={3035134D-7B7D-4FCC-81B4-1E394CA267EB}
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseSVN]
    @={3035134E-7B7D-4FCC-81B4-1E394CA267EB}

    [HKEY_CLASSES_ROOT\CLSID\{30351346-7B7D-4FCC-81B4-1E394CA267EB}]
    2007-08-26 11:40 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll
    [HKEY_CLASSES_ROOT\CLSID\{30351347-7B7D-4FCC-81B4-1E394CA267EB}]
    2007-08-26 11:40 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll
    [HKEY_CLASSES_ROOT\CLSID\{30351348-7B7D-4FCC-81B4-1E394CA267EB}]
    2007-08-26 11:40 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll
    [HKEY_CLASSES_ROOT\CLSID\{3035134B-7B7D-4FCC-81B4-1E394CA267EB}]
    2007-08-26 11:40 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll
    [HKEY_CLASSES_ROOT\CLSID\{3035134C-7B7D-4FCC-81B4-1E394CA267EB}]
    2007-08-26 11:40 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll
    [HKEY_CLASSES_ROOT\CLSID\{3035134D-7B7D-4FCC-81B4-1E394CA267EB}]
    2007-08-26 11:40 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll
    [HKEY_CLASSES_ROOT\CLSID\{3035134E-7B7D-4FCC-81B4-1E394CA267EB}]
    2007-08-26 11:40 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 14:07 1289000]
    "Copernic Desktop Search 2"="C:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe" [2007-08-01 19:26 1514016]
    "SuperCopier2.exe"="C:\Program Files\SuperCopier2\SuperCopier2.exe" [2005-02-19 06:09 643072]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 15:09 15360]
    "RSS Xpress"="C:\Program Files\RSS Xpress\RSS Xpress.exe" [2005-02-19 06:09 643072]
    "SpriteService"="" []

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-02-10 11:51 118784]
    "ccApp"="C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe" [2008-03-05 14:12 53408]
    "vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2008-03-05 12:00 643072]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-19 15:09 15360]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "DisallowRun"= 1 (0x1)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\disallowrun]
    "1"= Kazaa.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
    "Script"=\\sagefr.adinternal.com\SysVol\sagefr.adinternal.com\scripts\Annecy - admin ou.vbs

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1004336348-162531612-839522115-20740\Scripts\Logon\0\0]
    "Script"=OCS_Inventory.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1004336348-162531612-839522115-26666\Scripts\Logon\0\0]
    "Script"=OCS_Inventory.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
    "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
    "C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

    R1 LADriver;LADriver;C:\WINDOWS\system32\drivers\LADriver.sys [2005-09-22 04:12]
    R1 LDDriver;LDDriver;C:\WINDOWS\system32\drivers\LDDriver.sys [2005-09-22 03:17]
    R1 LHDriver;LHDriver;C:\WINDOWS\system32\drivers\LHDriver.sys [2005-09-22 04:21]
    R2 vmserverdWin32;VMware Registration Service;C:\Program Files\VMware\VMware Server\vmserverdWin32.exe [2007-09-06 14:40]
    S3 OracleOraHome92ClientCache;OracleOraHome92ClientCache;C:\oracle\ora92\BIN\ONRSD.EXE [2002-04-26 18:34]
    .
    **************************************************************************
    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-03-05 15:33:40
    Windows 5.1.2600 Service Pack 2 NTFS

    Balayage processus cachés ...
    Balayage caché autostart entries ...
    Balayage des fichiers cachés ...

    Scan terminé avec succès
    Les fichiers cachés: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\oracle\ora92\bin\omtsreco.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\Program Files\VMware\VMware Server\vmware-authd.exe
    C:\Program Files\Fichiers communs\VMware\VMware Virtual Image Editing\vmount2.exe
    C:\WINDOWS\system32\vmnat.exe
    C:\WINDOWS\system32\vmnetdhcp.exe
    C:\WINDOWS\system32\rdpclip.exe
    C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
    C:\PROGRA~1\MI3AA1~1\rapimgr.exe
    .
    **************************************************************************
    .
    Temps d'accomplissement: 2008-03-05 15:43:50 - machine was rebooted [acatalif]
    ComboFix-quarantined-files.txt 2008-03-05 14:43:47
    ComboFix2.txt 2008-03-05 09:55:15
    .
    2008-02-18 07:35:16 --- E O F ---

    Elibagla:

    Wed Mar 05 15:19:51 2008
    EliBagle v11.09 ©2008 S.G.H. / Satinfo S.L.
    ----------------------------------------------
    Lista de Acciones (por Acción Directa):

    and HijackThis, which I put to work a little:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 15:46:40, on 05/03/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\oracle\ora92\bin\omtsreco.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\Program Files\VMware\VMware Server\vmware-authd.exe
    C:\Program Files\Fichiers communs\VMware\VMware Virtual Image Editing\vmount2.exe
    C:\WINDOWS\system32\vmnat.exe
    C:\WINDOWS\system32\vmnetdhcp.exe
    C:\Program Files\VMware\VMware Server\vmserverdWin32.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\rdpclip.exe
    C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
    C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
    C:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe
    C:\PROGRA~1\MI3AA1~1\rapimgr.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://intranet.adx/abel/proxy.pac
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
    O2 - BHO: Aide pour le lien d'Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Copernic Desktop Search 2 - {968631B6-4729-440D-9BF4-251F5593EC9A} - C:\Program Files\Copernic Desktop Search 2\DesktopSearchBand201013011.dll
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
    O4 - HKCU\..\Run: [Copernic Desktop Search 2] "C:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe" /tray
    O4 - HKCU\..\Run: [superCopier2.exe] C:\Program Files\SuperCopier2\SuperCopier2.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [RSS Xpress] C:\Program Files\RSS Xpress\RSS Xpress.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE RÉSEAU')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Startup: EasyPHP.lnk = Applis\Dev\EP\EasyPHP.exe
    O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Créer un Favori de l'appareil mobile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
    O16 - DPF: {5E5AA5CA-2712-44CC-BD3D-A0AD8FB77E33} (WrapRichTxt.TestRichTxt) - http://aytrad.acy.adx:18880/adxweb/X3_CLIE...WrapRichTxt.cab
    O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.mypix.com/fr/fr/importer/ImageUploader4.cab
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.inoculer.com/antivirus/Msie/bitdefender.cab
    O16 - DPF: {B3C01F93-F06A-4792-AC24-F4B4489B0E93} (Acxfmt Control) - http://asdweb01:4031/adxweb/X3_CLIENT/CAB/acxfmt.cab
    O16 - DPF: {BB2A66DD-0738-40D9-BC7D-F08E6AB72ADF} (HookOcx Control) - http://aytrad.acy.adx:18880/adxweb/X3_CLIENT/CAB/hookocx.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sagefr.adinternal.com
    O17 - HKLM\Software\..\Telephony: DomainName = sagefr.adinternal.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sagefr.adinternal.com
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
    O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmware-authd.exe
    O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
    O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Fichiers communs\VMware\VMware Virtual Image Editing\vmount2.exe
    O23 - Service: VMware Registration Service (vmserverdWin32) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmserverdWin32.exe
    O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

    --
    End of file - 7794 bytes

    Then, after removing the BHOs, etc.:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 15:52:15, on 05/03/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\oracle\ora92\bin\omtsreco.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\Program Files\VMware\VMware Server\vmware-authd.exe
    C:\Program Files\Fichiers communs\VMware\VMware Virtual Image Editing\vmount2.exe
    C:\WINDOWS\system32\vmnat.exe
    C:\WINDOWS\system32\vmnetdhcp.exe
    C:\Program Files\VMware\VMware Server\vmserverdWin32.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\rdpclip.exe
    C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
    C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
    C:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe
    C:\PROGRA~1\MI3AA1~1\rapimgr.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\NOTEPAD.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://intranet.adx/abel/proxy.pac
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
    O2 - BHO: Aide pour le lien d'Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O3 - Toolbar: Copernic Desktop Search 2 - {968631B6-4729-440D-9BF4-251F5593EC9A} - C:\Program Files\Copernic Desktop Search 2\DesktopSearchBand201013011.dll
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
    O4 - HKCU\..\Run: [Copernic Desktop Search 2] "C:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe" /tray
    O4 - HKCU\..\Run: [superCopier2.exe] C:\Program Files\SuperCopier2\SuperCopier2.exe
    O4 - HKCU\..\Run: [RSS Xpress] C:\Program Files\RSS Xpress\RSS Xpress.exe
    O4 - Startup: EasyPHP.lnk = Applis\Dev\EP\EasyPHP.exe
    O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Créer un Favori de l'appareil mobile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O16 - DPF: {5E5AA5CA-2712-44CC-BD3D-A0AD8FB77E33} (WrapRichTxt.TestRichTxt) - http://aytrad.acy.adx:18880/adxweb/X3_CLIE...WrapRichTxt.cab
    O16 - DPF: {B3C01F93-F06A-4792-AC24-F4B4489B0E93} (Acxfmt Control) - http://asdweb01:4031/adxweb/X3_CLIENT/CAB/acxfmt.cab
    O16 - DPF: {BB2A66DD-0738-40D9-BC7D-F08E6AB72ADF} (HookOcx Control) - http://aytrad.acy.adx:18880/adxweb/X3_CLIENT/CAB/hookocx.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sagefr.adinternal.com
    O17 - HKLM\Software\..\Telephony: DomainName = sagefr.adinternal.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sagefr.adinternal.com
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
    O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmware-authd.exe
    O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
    O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Fichiers communs\VMware\VMware Virtual Image Editing\vmount2.exe
    O23 - Service: VMware Registration Service (vmserverdWin32) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmserverdWin32.exe
    O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

    --
    End of file - 6243 bytes

    What do you think?

    Regards,
  7. Calexo

    Bagle NM

    OK, here we go. For information, what is the point of the script, compared to running it without parameters? Otherwise, ComboFix has already run once, but the worm came back a few minutes later. I suspect the "GoogleBarNotifier" BHO reported by HijackThis... What do you think? Regards,
  8. Calexo

    Bagle NM

    Wed Mar 05 12:11:29 2008
    EliBagle v11.09 ©2008 S.G.H. / Satinfo S.L.
    ----------------------------------------------
    Lista de Acciones (por Acción Directa):
    Por favor, envienos una muestra del fichero C:\Muestras\SROSA.SYS.Muestra EliBagle v11.09 a "[email protected]". Gracias.
    C:\WINDOWS\SYSTEM32\DRIVERS\SROSA.SYS --> Bagle Acceso Denegado.
    Por favor, envienos una muestra del fichero C:\Muestras\HLDRRR.EXE.Muestra EliBagle v11.09 a "[email protected]". Gracias.
    C:\WINDOWS\SYSTEM32\DRIVERS\HLDRRR.EXE --> Bagle Acceso Denegado.
    Restaurada Clave: "SafeBoot\Minimal y Network"
    Reinicie para Completar la Limpieza.

    Wed Mar 05 12:11:38 2008
    EliBagle v11.09 ©2008 S.G.H. / Satinfo S.L.
    ----------------------------------------------
    Lista de Acciones (por Exploración):
    Explorando Unidad C:\
    Nº Total de Directorios: 13102
    Nº Total de Ficheros: 98057
    Nº de Ficheros Analizados: 9951
    Nº de Ficheros Infectados: 0
    Nº de Ficheros Limpiados: 0
    Exploración Detenida por el Usuario.
  9. Calexo

    Bagle NM

    I relaunched EliBagle anyway. It does detect the files, but does not delete them... Only ComboFix had deleted these files... Regards,
  10. Calexo

    Bagle NM

    "Success" appears, although these two files are still present... But they are not visible from the infected machine, only from another PC, by accessing \\pcinfecté\c$ ...
  11. Hello, yesterday I was infected by Bagle NM (detected by NOD32). So I ran Elibagle, followed by ComboFix and finally HijackThis. Here is the ComboFix report:

ComboFix 08-03-04.5 - acatalif 2008-03-05 9:17:40.2 - NTFSx86 Microsoft Windows XP Professionnel 5.1.2600.2.1252.1.1036.18.618 [GMT 1:00]

And the HijackThis one:

Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 11:12:57, on 05/03/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16608) Boot mode: Normal

I no longer see anything abnormal... But after a few minutes, the worm's files come back: hldrrr.exe and srosa.sys, in %system32%\drivers. I don't know what else to do... Many thanks for your help! Kind regards,
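A defender-side check that follows from what the two posts above describe (hldrrr.exe and srosa.sys reappearing in %system32%\drivers, and the files being invisible on the infected host but visible over \\host\c$ from another PC), written here as an added example that is not from the thread or from any of the tools it mentions. The target host name, the local_view.txt listing path and the script name are assumptions; the indicator names come from the thread's own logs.

```powershell
# Added example (not from the original thread).
# Cross-view check for the Bagle components named in the posts: a directory
# listing taken on the infected host itself can be filtered by the rootkit
# driver, while the same directory read over the admin share from a clean
# machine is not. Run this on the CLEAN machine with admin rights on the target.
#
# Assumed usage (placeholders, not from the thread):
#   on the infected host:  dir /a /b %SystemRoot%\system32\drivers > C:\local_view.txt
#   on the clean host:     .\Check-BagleView.ps1 -Target PCNAME -LocalView \\PCNAME\c$\local_view.txt
param(
    [Parameter(Mandatory)] [string]$Target,   # name of the infected host (placeholder)
    [string]$LocalView                          # optional listing produced on the host itself
)

$indicatorFiles    = 'hldrrr.exe', 'srosa.sys'  # file names from the ComboFix/Avenger logs
$indicatorServices = 'hldrrr', 'srosa'          # service/driver keys from the Avenger log
$remoteDrivers     = "\\$Target\c$\WINDOWS\system32\drivers"

# View 1: the drivers directory as seen over the admin share (-Force includes hidden/system items).
$remoteNames = Get-ChildItem -LiteralPath $remoteDrivers -Force -ErrorAction Stop |
               Select-Object -ExpandProperty Name

foreach ($name in $indicatorFiles) {
    if ($remoteNames -contains $name) {
        $item = Get-Item -LiteralPath (Join-Path $remoteDrivers $name) -Force
        Write-Output ("INDICATOR  {0}  {1,10} bytes  modified {2}" -f $name, $item.Length, $item.LastWriteTime)
    }
}
# The thread's ComboFix log shows the worm's downloads under drivers\down.
if ($remoteNames -contains 'down') {
    $count = @(Get-ChildItem -LiteralPath (Join-Path $remoteDrivers 'down') -Force -File).Count
    Write-Output "INDICATOR  drivers\down folder present with $count file(s)"
}

# View 2 (optional): names visible over the share but absent from the host's own listing
# are exactly the "present but not visible from the infected machine" case in post 10.
if ($LocalView) {
    $localNames = Get-Content -LiteralPath $LocalView | Where-Object { $_ -ne '' }
    foreach ($h in ($remoteNames | Where-Object { $localNames -notcontains $_ })) {
        Write-Output "HIDDEN     $h is visible over the share but missing from the host's own listing"
    }
}

# Persistence: the driver registers itself as a service (srosa/hldrrr in the logs).
# Read the keys through the remote registry so the target's own API is not trusted.
try {
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Target)
    foreach ($svc in $indicatorServices) {
        $key = $hklm.OpenSubKey("SYSTEM\CurrentControlSet\Services\$svc")
        if ($key) {
            Write-Output ("INDICATOR  service key {0} -> ImagePath={1}" -f $svc, $key.GetValue('ImagePath'))
            $key.Close()
        }
    }
    $hklm.Close()
} catch {
    Write-Warning "Remote registry not reachable on $Target (Remote Registry service may be stopped): $_"
}
```

Re-running the share-side view a few minutes after a cleanup reproduces the "files come back" observation from post 11 with timestamps, which is the evidence to keep if the machine is later reimaged.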