
Saoz

Members
  • Content count: 11

Saoz's Achievements

Junior Member (3/12)

Community reputation: 0

  1. Thank you once again for this invaluable help.
  2. Hello, unless I missed a step with ToolsCleaner, I still have all the recently installed programs on the desktop. (Maybe you have to click on Delete once the ToolsCleaner search has finished?) One small question: would it be possible to "clean up" by removing the O4 entries that I don't need? I read in Tips and Tricks that you can remove the O4 entries except for the antivirus; could I have some information about this and about which lines I could delete without damaging startup?
  3. So I was able to fix-check:
     O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
     O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'SERVICE LOCAL')
     O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe (file missing)
     O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
     O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
     But as for the others, I can't find them in HijackThis; they are only in the report... :oo Once all that is done, can I delete all the installed programs? Thanks again ;)
  4. Logfile of Trend Micro HijackThis v2.0.2
     Scan saved at 8:55:53 PM, on 5/17/2008
     Platform: Windows Vista (WinNT 6.00.1904)
     MSIE: Internet Explorer v7.00 (7.00.6000.16643)
     Boot mode: Normal

     Running processes:
     C:\Windows\system32\Dwm.exe
     C:\Windows\Explorer.EXE
     C:\Windows\system32\taskeng.exe
     C:\Program Files\Windows Defender\MSASCui.exe
     C:\Program Files\Apoint2K\Apoint.exe
     C:\Program Files\HP\QuickPlay\QPService.exe
     C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
     C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
     C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
     C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
     C:\Windows\System32\igfxtray.exe
     C:\Windows\System32\hkcmd.exe
     C:\Windows\System32\igfxpers.exe
     C:\Program Files\Alwil Software\Avast4\ashDisp.exe
     C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
     C:\Program Files\Windows Sidebar\sidebar.exe
     C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
     C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
     C:\Program Files\Windows Live\Messenger\msnmsgr.exe
     C:\Program Files\Windows Media Player\wmpnscfg.exe
     C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
     C:\Program Files\ENJOY Plus!\ENJOY Plus!.exe
     C:\Windows\system32\igfxsrvc.exe
     C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
     C:\Program Files\Apoint2K\ApMsgFwd.exe
     C:\Program Files\Apoint2K\Apntex.exe
     C:\Windows\system32\conime.exe
     C:\PROGRA~1\Mozilla Firefox\firefox.exe
     C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
     C:\Windows\system32\SearchFilterHost.exe

     R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...O&pf=laptop
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
     R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...O&pf=laptop
     R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
     R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
     O1 - Hosts: ::1 localhost
     O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
     O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
     O2 - BHO: Programme d'aide de l'Assistant de connexion Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
     O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
     O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
     O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
     O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
     O4 - HKLM\..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
     O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
     O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
     O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
     O4 - HKLM\..\Run: [igfxTray] C:\Windows\system32\igfxtray.exe
     O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
     O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
     O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
     O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
     O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
     O4 - HKCU\..\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
     O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
     O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
     O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
     O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
     O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVICE LOCAL')
     O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'SERVICE LOCAL')
     O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVICE RÉSEAU')
     O4 - Startup: ENJOY Plus!.lnk = C:\Program Files\ENJOY Plus!\ENJOY Plus!.exe
     O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
     O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
     O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
     O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
     O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
     O9 - Extra button: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Poker\Titan Poker\casino.exe
     O9 - Extra 'Tools' menuitem: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Poker\Titan Poker\casino.exe
     O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe (file missing)
     O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe (file missing)
     O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
     O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
     O13 - Gopher Prefix:
     O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
     O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
     O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
     O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
     O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
     O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
     O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
     O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
     O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
     O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
     O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
     O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
     O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
     O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
     O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
     O23 - Service: TeamViewer 3 (TeamViewer) - TeamViewer GmbH - C:\Program Files\TeamViewer3\TeamViewer_Host.exe
     O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

     --
     End of file - 8506 bytes

     There you go; in any case, I want to point out that my Windows taskbar no longer restarts every 5 minutes.
  5. -->- Recherche:
     C:\Qoobox: trouvé !
     C:\_OtMoveIt: trouvé !
     C:\Program Files\Trend Micro\HijackThis: trouvé !
     C:\Program Files\Trend Micro\HijackThis\HijackThis.exe: trouvé !
     C:\ProgramData\Microsoft\Windows\Start Menu\Programmes\HijackThis: trouvé !
     C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HijackThis: trouvé !
     C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HijackThis\HijackThis.lnk: trouvé !
     C:\Users\All Users\Microsoft\Windows\Start Menu\Programmes\HijackThis: trouvé !
     C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\HijackThis: trouvé !
     C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\HijackThis\HijackThis.lnk: trouvé !
     C:\Users\SAOZ\AppData\Local\VirtualStore\Program Files\Trend Micro\HijackThis: trouvé !
     C:\Users\SAOZ\Desktop\HijackThis.lnk: trouvé !
     C:\Users\SAOZ\Desktop\OtMoveIt2.exe: trouvé !
     C:\Users\SAOZ\Desktop\ComboFix.exe: trouvé !

     What should I do next? Deletion, restore point, recycle bin, temp files? For the rest, I have no choice but to do it this evening when I get home from work, as unfortunately I no longer have the time. Thanks again for this invaluable and well-detailed help.
  6. DllUnregisterServer procedure not found in C:\Windows\System32\ff_vfw.dll
     C:\Windows\System32\ff_vfw.dll NOT unregistered.
     C:\Windows\System32\ff_vfw.dll moved successfully.

     OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 05172008_115412

     Malwarebytes' Anti-Malware 1.12
     Version de la base de données: 756

     Type de recherche: Examen complet (C:\|D:\|E:\|)
     Eléments examinés: 142480
     Temps écoulé: 28 minute(s), 32 second(s)

     Processus mémoire infecté(s): 0
     Module(s) mémoire infecté(s): 0
     Clé(s) du Registre infectée(s): 1
     Valeur(s) du Registre infectée(s): 0
     Elément(s) de données du Registre infecté(s): 0
     Dossier(s) infecté(s): 0
     Fichier(s) infecté(s): 0

     Processus mémoire infecté(s):
     (Aucun élément nuisible détecté)

     Module(s) mémoire infecté(s):
     (Aucun élément nuisible détecté)

     Clé(s) du Registre infectée(s):
     HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.

     Valeur(s) du Registre infectée(s):
     (Aucun élément nuisible détecté)

     Elément(s) de données du Registre infecté(s):
     (Aucun élément nuisible détecté)

     Dossier(s) infecté(s):
     (Aucun élément nuisible détecté)

     Fichier(s) infecté(s):
     (Aucun élément nuisible détecté)

     Thanks again for your invaluable help. Awaiting your next recommendations.
  7. I also got a file created in /C called "bug"...

     pushd "C:\327882R2FWJFW\"
     =============================================
     ALLUSERSPROFILE=C:\ProgramData
     APPDATA=C:\Users\SAOZ\AppData\Roaming
     cfldr=327882R2FWJFW
     CommonProgramFiles=C:\Program Files\Common Files
     COMPUTERNAME=PC-DE-SAOZ
     ComSpec=C:\Windows\system32\cmd.exe
     FP_NO_HOST_CHECK=NO
     HOMEDRIVE=C:
     HOMEPATH=\Users\SAOZ
     kmd=CF30845.exe
     LOCALAPPDATA=C:\Users\SAOZ\AppData\Local
     LOGONSERVER=\\PC-DE-SAOZ
     NUMBER_OF_PROCESSORS=1
     OnlineServices=Services en ligne
     OS=Windows_NT
     Path=C:\327882R2FWJFW;C:\Windows\system32;C:\Windows;C:\Windows\system32\wbem;C:\Windows\system32;C:\Windows;C:\Windows\system32\wbem;C:\Program Files\Common Files\Roxio Shared\DLLShared;C:\Program Files\Common Files\Roxio Shared\DLLShared;C:\Program Files\Common Files\Roxio Shared\9.0\DLLShared
     PATHEXT=.cfexe;.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
     PCBRAND=PRESARIO
     PLATFORM=MCD
     PROCESSOR_ARCHITECTURE=x86
     PROCESSOR_IDENTIFIER=x86 Family 6 Model 22 Stepping 1, GenuineIntel
     PROCESSOR_LEVEL=6
     PROCESSOR_REVISION=1601
     ProgramData=C:\ProgramData
     ProgramFiles=C:\Program Files
     PROMPT=$
     PUBLIC=C:\Users\Public
     RoxioCentral=C:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\
     SAFEBOOT_OPTION=MINIMAL
     SESSIONNAME=Console
     sfxname=C:\Users\SAOZ\Desktop\ComboFix.exe
     system=C:\Windows\system32
     SystemDrive=C:
     SystemRoot=C:\Windows
     TEMP=C:\Users\SAOZ\AppData\Local\Temp
     TMP=C:\Users\SAOZ\AppData\Local\Temp
     USERDOMAIN=PC-de-SAOZ
     USERNAME=SAOZ
     USERPART=E:
     USERPROFILE=C:\Users\SAOZ
     windir=C:\Windows
     =============================================
     if not defined sfxname goto END
     Nircmd win close ititle "ComboFix"
     Access Denied.
     Administrator permissions are needed to use the selected options. Use an administrator command prompt to complete these tasks.
     If [] == [] Set "SfxCmd="
     if /I "C:\327882R2FWJFW" NEQ "C:\327882R2FWJFW" goto Abort
     if exist "C:\Users\SAOZ\AppData\Local\Temp\327882R2FWJFW327882R2FWJFW.log" del "C:\Users\SAOZ\AppData\Local\Temp\327882R2FWJFW327882R2FWJFW.log"
     SteelWerX Extended Configuration Access Control Lists
     Written by Bobbi Flekman 2006 ©
     Ownerchange for "C:\Windows\system32\cmd.exe" to Administrators group was successful
     copy /y "C:\Windows\system32\cmd.exe" "C:\Windows\system32\CF30845.exe"
     1 fichier(s) copi‚(s).
     if not exist "C:\Windows\system32\CF30845.exe" catchme -l nul -c "C:\Windows\system32\cmd.exe" "C:\Windows\system32\CF30845.exe"
     For /F "tokens=*" %g in ("C:\Users\SAOZ\Desktop\ComboFix.exe") do @( set "FileName=%~ng" set "FilePath=%~dpg" )
     Set FileName 2>nul | GREP -Gisqx "FileName=[-[:alnum:]@.]*" || ( nircmd infobox "You cannot rename ComboFix as ComboFix~n~nPlease use another name, preferbaly made up of alphanumeric characters" "" goto END )
     DIR /AD/B C:\* | FindStr.exe -IVX ComboFix 1>dirname00
     FindStr.exe -LIXC:"ComboFix" dirname00 1>nul && call :NameChk
     If exist dirname0? del /Q dirname0?
     If exist "\ComboFix" DIR /AD "\ComboFix" 1>nul && ( rd /s/q "\ComboFix" If exist "\ComboFix" ( PV -kf findstr.exe *.cfexe rd /s/q "\ComboFix" ) If exist "\ComboFix" ( handle "C:\ComboFix" | SED -r "/pid:/!d; s/.*: (.*): .*/\1/" 1>temp00 for /F "tokens=1,2" %g in (temp00) do @echo.y | Handle -p %g -c %h del /q temp00 rd /s/q "\ComboFix" ) )
     If exist "\ComboFix" rd /s/q "\ComboFix"
     If exist "\ComboFix" goto :eof
     VER | Findstr.exe -ic:"[Version 6.0" && (Call :Vista ) ||
     Microsoft Windows [version 6.0.6000]
     type nul 1>Vista.mac
     swxcacls "C:\Windows\system32\cmd.exe" /g SID#S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464:f /ga:x /gs:x /gp:x /gu:x /q
     swxcacls "C:\Windows\system32\cmd.exe" /o SID#S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464 /q
     swreg query "hkcu\control panel\international" /v localename | SED "/.*\t/!d;s///" 1>MUI00
     swreg query "hku\.default\control panel\international" /v localename | SED "/.*\t/!d;s///" 1>>MUI00
     SED -r "$!N; /^(.*)\n\1$/!P; D" MUI00 1>MUI01
     For /F "tokens=*" %g in (MUI01) do @if exist "C:\Windows\system32\%~g\cmd.exe.mui" ( swxcacls "C:\Windows\system32\%~g\cmd.exe.mui" /oa /q swxcacls "C:\Windows\system32\%~g\cmd.exe.mui" /p /ga:f /gs:f /gp:x /gu:x /q Copy /y "C:\Windows\system32\%~g\cmd.exe.mui" "C:\Windows\system32\en-us\CF30845.exe.mui" swxcacls "C:\Windows\system32\%~g\cmd.exe.mui" /g SID#S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464:f /ga:x /gs:x /gp:x /gu:x /q swxcacls "C:\Windows\system32\%~g\cmd.exe.mui" /o SID#S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464 /q )
     SteelWerX Extended Configuration Access Control Lists
     Written by Bobbi Flekman 2006 ©
     Ownerchange for "C:\Windows\system32\fr-FR\cmd.exe.mui" to Administrators group was successful
     1 fichier(s) copi‚(s).
     GREP -sq . MUI01 && ( del /q MUI0? 2>nul goto :eof )
     CD ..
     Set "comspec=C:\Windows\system32\CF30845.exe"
     ( echo.md "\ComboFix" echo.Move /y "\327882R2FWJFW\*" "\ComboFix" echo.RD /S/Q "\327882R2FWJFW" echo.Start "." /d"C:\ComboFix" "C:\Windows\system32\CF30845.exe" /k c.bat echo.pv -kf cmd.exe ) 1>Start_.cmd
     NirCmd exec hide "C:\Windows\system32\CF30845.exe" /f:off /d /c call Start_.cmd
     NirCmd execmd del "\327882R2FWJFW\prep.cmd"
     EXIT
  8. Right, I redid the procedure; here is the scan:

     ComboFix 08-05-15.3 - SAOZ 05/16/2008 21:29:07.3 - NTFSx86 MINIMAL
     Microsoft® Windows Vista™ Édition Familiale Basique 6.0.6000.0.1252.33.1036.18.720 [GMT 2:00]
     Endroit: C:\Users\SAOZ\Desktop\ComboFix.exe
     .
     ((((((((((((((((((((((((((((( Fichiers créés 2008-04-16 to 2008-05-16 ))))))))))))))))))))))))))))))))))))
     .
     Pas de nouveau fichier créé dans cet espace de temps
     .
     (((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2008-05-16 10:41 --------- d-----w C:\Program Files\Trend Micro
     2008-05-14 23:17 --------- d-----w C:\Program Files\Windows Mail
     2008-05-14 22:31 --------- d-----w C:\Program Files\PokerStars
     2008-05-14 21:45 --------- d-----w C:\Program Files\Bonjour
     2008-05-14 18:58 --------- d-----w C:\Users\SAOZ\AppData\Roaming\ENJOY Plus!
     2008-05-14 18:58 --------- d-----w C:\PROGRA~2\Spybot - Search & Destroy
     2008-05-14 18:57 --------- d-----w C:\Program Files\Full Tilt Poker
     2008-05-14 18:57 --------- d-----w C:\Program Files\DivX
     2008-05-14 18:57 --------- d-----w C:\Program Files\Common Files\Real
     2008-05-14 18:47 --------- d-----w C:\Program Files\HP
     2008-05-13 10:56 --------- d-----w C:\Program Files\K-Lite Codec Pack
     2008-05-10 15:59 --------- d-----w C:\Program Files\SopCast
     2008-05-10 11:41 --------- d-----w C:\Users\SAOZ\AppData\Roaming\Apple Computer
     2008-05-10 11:28 --------- d-----w C:\Program Files\Common Files\Apple
     2008-05-10 11:28 --------- d-----w C:\PROGRA~2\Apple
     2008-04-27 12:42 --------- d-----w C:\PROGRA~2\Sonic
     2008-04-27 12:09 --------- d-----w C:\Users\SAOZ\AppData\Roaming\Hewlett-Packard
     2008-04-22 21:03 --------- d-----w C:\Program Files\GameTimePlus
     2008-04-22 19:51 --------- d---a-w C:\PROGRA~2\TEMP
     2008-04-22 19:38 --------- d-----w C:\Program Files\poker tracker v2
     2008-04-22 09:46 --------- d-----w C:\Users\SAOZ\AppData\Roaming\TeamViewer
     2008-04-22 09:46 --------- d-----w C:\Program Files\TeamViewer3
     2008-04-16 21:05 --------- d-----w C:\Users\SAOZ\AppData\Roaming\teamspeak2
     2008-04-16 12:25 29,952 ----a-w C:\Windows\Help\OEM\scripts\HPScript.exe
     2008-04-06 16:37 --------- d-----w C:\Program Files\PKR
     2008-04-03 19:40 --------- d-----w C:\Program Files\Messenger Plus! Live
     2008-03-31 21:25 682,496 ----a-w C:\Windows\System32\divx.dll
     2008-03-31 21:25 161,096 ----a-w C:\Windows\System32\DivXCodecVersionChecker.exe
     2008-03-29 17:32 50,768 ----a-w C:\Windows\system32\drivers\aswMonFlt.sys
     2008-03-28 17:41 7,680 ----a-w C:\Windows\System32\ff_vfw.dll
     2008-03-25 16:35 --------- d-----w C:\Users\SAOZ\AppData\Roaming\X-Chat 2
     2008-03-22 04:16 --------- d-----w C:\Program Files\Java
     2008-03-21 20:30 3,596,288 ----a-w C:\Windows\System32\qt-dx331.dll
     2008-03-21 20:30 200,704 ----a-w C:\Windows\System32\ssldivx.dll
     2008-03-21 20:30 1,044,480 ----a-w C:\Windows\System32\libdivx.dll
     2008-03-21 20:28 81,920 ----a-w C:\Windows\System32\dpl100.dll
     2008-03-21 20:28 593,920 ----a-w C:\Windows\System32\dpuGUI11.dll
     2008-03-21 20:28 57,344 ----a-w C:\Windows\System32\dpv11.dll
     2008-03-21 20:28 53,248 ----a-w C:\Windows\System32\dpuGUI10.dll
     2008-03-21 20:28 344,064 ----a-w C:\Windows\System32\dpus11.dll
     2008-03-21 20:28 294,912 ----a-w C:\Windows\System32\dpu11.dll
     2008-03-21 20:28 294,912 ----a-w C:\Windows\System32\dpu10.dll
     2008-03-21 20:28 196,608 ----a-w C:\Windows\System32\dtu100.dll
     2008-03-18 14:43 --------- d-----w C:\Program Files\OrangeHSS
     2008-03-18 14:31 --------- d-----w C:\Program Files\Securitoo
     2008-03-18 14:31 --------- d-----w C:\Program Files\Inventel
     2008-03-08 18:19 691,545 ----a-w C:\Windows\unins000.exe
     2008-02-29 06:51 19,000 ----a-w C:\Windows\System32\kd1394.dll
     2008-02-29 06:39 40,960 ----a-w C:\Windows\System32\srclient.dll
     2008-02-29 06:39 371,712 ----a-w C:\Windows\System32\srcore.dll
     2008-02-29 06:38 313,856 ----a-w C:\Windows\System32\rstrui.exe
     2008-02-29 06:38 16,384 ----a-w C:\Windows\System32\srdelayed.exe
     2008-02-29 06:35 6,656 ----a-w C:\Windows\System32\kbd106n.dll
     2008-02-29 06:34 7,168 ----a-w C:\Windows\System32\f3ahvoas.dll
     2008-02-29 04:16 2,027,008 ----a-w C:\Windows\System32\win32k.sys
     2008-02-28 19:44 15,872 ------w C:\Windows\System32\winskfr.dll
     2008-02-28 19:44 119,568 ------w C:\Windows\System32\vb6fr.dll
     2008-02-21 04:43 826,368 ----a-w C:\Windows\System32\wininet.dll
     2008-02-21 04:43 56,320 ----a-w C:\Windows\System32\iesetup.dll
     2008-02-21 04:43 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
     2008-02-21 04:43 296,448 ----a-w C:\Windows\System32\gdi32.dll
     2008-02-21 04:43 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
     2008-02-19 05:10 620,088 ----a-w C:\Windows\System32\ci.dll
     2007-12-27 19:43 174 --sha-w C:\Program Files\desktop.ini
     .
     ------- Sigcheck -------
     .
     ((((((((((((((((((((((((((((( snapshot@Fri 05-16-2008_14.47.00.82 )))))))))))))))))))))))))))))))))))))))))
     .
     - 2008-05-16 10:28:51 67,584 --s-a-w C:\Windows\bootstat.dat
     + 2008-05-16 19:28:06 67,584 --s-a-w C:\Windows\bootstat.dat
     - 2008-05-16 10:32:01 1,572,864 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
     + 2008-05-16 19:26:47 1,572,864 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
     - 2008-05-16 12:45:10 1,572,864 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
     + 2008-05-16 19:26:47 1,572,864 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
     - 2008-05-16 10:33:40 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
     + 2008-05-16 19:22:48 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
     - 2008-05-16 10:33:40 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
     + 2008-05-16 19:22:48 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
     - 2008-05-16 10:33:40 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
     + 2008-05-16 19:22:48 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
     - 2008-05-16 10:33:59 7,688 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-65691010-4235296002-871970959-1000_UserData.bin
     + 2008-05-16 19:23:28 7,688 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-65691010-4235296002-871970959-1000_UserData.bin
     - 2008-05-16 10:33:58 56,266 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
     + 2008-05-16 19:23:27 56,368 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
     - 2008-05-16 10:32:28 44,080 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
     + 2008-05-16 19:22:50 44,238 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
     .
     ((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     REGEDIT4
     *Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés

     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [01/09/2008 11:13 AM 1232896]
     "LightScribe Control Panel"="C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe" [04/19/2007 01:26 PM 484904]
     "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 12:43 PM 2097488]
     "msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 12:34 PM 5724184]
     "WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [11/02/2006 02:34 PM 201728]

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [07/06/2007 06:14 AM 1006264]
     "Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [10/25/2007 05:44 AM 212992]
     "QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [03/28/2007 05:45 PM 176128]
     "QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [06/11/2007 08:57 AM 184320]
     "HP Health Check Scheduler"="C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [03/12/2007 11:54 AM 50696]
     "hpWirelessAssistant"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [03/01/2007 01:18 PM 472776]
     "WAWifiMessage"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [01/10/2007 04:12 PM 317128]
     "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 05:25 AM 144784]
     "IgfxTray"="C:\Windows\system32\igfxtray.exe" [01/02/2008 06:07 PM 141848]
     "HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [01/02/2008 06:06 PM 166424]
     "Persistence"="C:\Windows\system32\igfxpers.exe" [01/02/2008 06:07 PM 133656]
     "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [03/29/2008 07:37 PM 79224]
     "HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [05/08/2007 04:24 PM 54840]

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
     "Launcher"="%WINDIR%\SMINST\launcher.exe" [ ]
     "GrpConv"="grpconv -o" []

     C:\Users\SAOZ\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
     ENJOY Plus!.lnk - C:\Program Files\ENJOY Plus!\ENJOY Plus!.exe [12/28/2007 2:42:43 AM 1263616]

     C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
     Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [10/23/2006 12:01:50 AM 734872]
     Lancement rapide d'Adobe Reader.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [10/23/2006 1:48:20 AM 40048]

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
     "VIDC.YV12"= yv12vfw.dll

     [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
     "DisableMonitoring"=dword:00000001

     [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
     "DisableMonitoring"=dword:00000001

     [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
     "DisableMonitoring"=dword:00000001

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
     "{D8D6B963-6A57-484A-A1BF-A36E84E12582}"= C:\Program Files\HP\QuickPlay\QP.exe:Quick Play
     "{CAAA23D5-CF96-4B77-A368-F13B61A891F4}"= C:\Program Files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
     "TCP Query User{112421DF-EDD6-4A7C-A733-1D449E682F4F}C:\\program files\\veoh networks\\veoh\\veohclient.exe"= UDP:C:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
     "UDP Query User{BFC92C14-E5AB-46AB-9771-6C7CFDEA5114}C:\\program files\\veoh networks\\veoh\\veohclient.exe"= TCP:C:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
     "TCP Query User{BB94469C-3495-4FCC-9422-ADC84C764705}C:\\program files\\mozilla firefox\\firefox.exe"= UDP:C:\program files\mozilla firefox\firefox.exe:Firefox
     "UDP Query User{30388CC2-80E9-4892-A6AA-31231261332F}C:\\program files\\mozilla firefox\\firefox.exe"= TCP:C:\program files\mozilla firefox\firefox.exe:Firefox
     "TCP Query User{EC3C1792-EF24-4D0B-AF20-DE14F108CAC9}C:\\program files\\hp\\hp software update\\hpwucli.exe"= UDP:C:\program files\hp\hp software update\hpwucli.exe:HP Software Update Client
     "UDP Query User{BBEE2972-4D0A-43DA-A804-A378D389BFE7}C:\\program files\\hp\\hp software update\\hpwucli.exe"= TCP:C:\program files\hp\hp software update\hpwucli.exe:HP Software Update Client
     "TCP Query User{E9BF427E-679C-419F-88BE-1EBFE68B33C7}C:\\program files\\real\\realplayer\\realplay.exe"= UDP:C:\program files\real\realplayer\realplay.exe:RealPlayer
     "UDP Query User{BD7396CF-F090-4D81-885E-6151198C4079}C:\\program files\\real\\realplayer\\realplay.exe"= TCP:C:\program files\real\realplayer\realplay.exe:RealPlayer
     "TCP Query User{5B44E9B9-4835-4790-8503-6555955BBCDA}C:\\program files\\sopcast\\adv\\sopadver.exe"= UDP:C:\program files\sopcast\adv\sopadver.exe:SopCast Adver
     "UDP Query User{00F366E9-CCE0-41D4-9526-A8294C7C125C}C:\\program files\\sopcast\\adv\\sopadver.exe"= TCP:C:\program files\sopcast\adv\sopadver.exe:SopCast Adver
     "TCP Query User{83CAB489-647F-4BE5-86C5-9F72C85C5F72}C:\\program files\\sopcast\\sopcast.exe"= UDP:C:\program files\sopcast\sopcast.exe:SopCast Main Application
     "UDP Query User{BFDAAB10-5680-4DA7-8ABC-14B7CD983C4D}C:\\program files\\sopcast\\sopcast.exe"= TCP:C:\program files\sopcast\sopcast.exe:SopCast Main Application
     "TCP Query User{90B1DAA9-EFB2-4BCD-A72A-0888E7B59674}C:\\program files\\sopcast\\sopvod.exe"= UDP:C:\program files\sopcast\sopvod.exe:sopvod
     "UDP Query User{52EB84EA-BC43-4F42-AC71-4AFE1EB8F596}C:\\program files\\sopcast\\sopvod.exe"= TCP:C:\program files\sopcast\sopvod.exe:sopvod
     "{537FBDC5-5F7A-4926-89CF-D7E820CE7D1C}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
     "TCP Query User{F219A8D5-5212-4C4B-989C-63165E6116B5}C:\\program files\\tvants\\tvants.exe"= UDP:C:\program files\tvants\tvants.exe:TVAnts
     "UDP Query User{FBC02C29-EBAA-493B-9C29-10F6499CEE23}C:\\program files\\tvants\\tvants.exe"= TCP:C:\program files\tvants\tvants.exe:TVAnts
     "TCP Query User{ABA1FD35-BB58-4530-A80F-6C9126E3CDA7}C:\\program files\\emule\\emule.exe"= Disabled:UDP:C:\program files\emule\emule.exe:eMule
     "UDP Query User{1C775823-8E25-44B6-AD31-A03135FC0187}C:\\program files\\emule\\emule.exe"= Disabled:TCP:C:\program files\emule\emule.exe:eMule
     "TCP Query User{73B2EE18-DD4D-40F4-8CD7-DDC9CED81C1F}C:\\program files\\xchat\\xchat.exe"= UDP:C:\program files\xchat\xchat.exe:XChat IRC Client
     "UDP Query User{BE5AC407-E514-4B71-ACE6-A32D7952F4A9}C:\\program files\\xchat\\xchat.exe"= TCP:C:\program files\xchat\xchat.exe:XChat IRC Client
     "TCP Query User{94F2F340-AACD-4738-8FD4-6B28451CD58A}C:\\program files\\mozilla firefox\\firefox.exe"= UDP:C:\program files\mozilla firefox\firefox.exe:Firefox
     "UDP Query User{50E85BAC-D2E5-4161-80D4-CB5365AB62E0}C:\\program files\\mozilla firefox\\firefox.exe"= TCP:C:\program files\mozilla firefox\firefox.exe:Firefox
     "TCP Query User{84A32ADA-F531-4987-BB23-A24FFBBDFDB8}C:\\program files\\utorrent\\utorrent.exe"= UDP:C:\program files\utorrent\utorrent.exe:uTorrent
     "UDP Query User{586A550D-5FBE-4920-A121-002365E9AE61}C:\\program files\\utorrent\\utorrent.exe"= TCP:C:\program files\utorrent\utorrent.exe:uTorrent
     "TCP Query User{2F98DE04-FC62-4EF4-952D-2C876F458DBA}C:\\program files\\veoh networks\\veoh\\veohclient.exe"= UDP:C:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
     "UDP Query User{5E939B47-AD56-4537-B494-89677662F8AE}C:\\program files\\veoh networks\\veoh\\veohclient.exe"= TCP:C:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
     "{D1D4FFF5-969B-465B-BCDC-0D175591F19D}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
     "{AC5488CE-B4F6-4F12-8170-92FB42FC5E02}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
     "DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
     "EnableFirewall"= 0 (0x0)

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
     "C:\\Program Files\\OrangeHSS\\Connectivity\\ConnectivityManager.exe"= C:\Program Files\OrangeHSS\Connectivity\ConnectivityManager.exe:*:enabled:CSS
     "C:\\Program Files\\xchat\\xchat.exe"= C:\Program Files\xchat\xchat.exe:*:Enabled:XChat IRC Client

     S1 aswSP;avast! Self Protection;C:\Windows\system32\drivers\aswSP.sys [03/29/2008 07:31 PM]
     S2 aswFsBlk;aswFsBlk;C:\Windows\system32\DRIVERS\aswFsBlk.sys [03/29/2008 07:35 PM]
     S2 aswMonFlt;aswMonFlt;C:\Windows\system32\DRIVERS\aswMonFlt.sys [03/29/2008 07:32 PM]
     S2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [08/31/2007 05:46 PM]
     S2 TeamViewer;TeamViewer 3;"C:\Program Files\TeamViewer3\TeamViewer_Host.exe" -service []
     S2 XAudio;XAudio;C:\Windows\system32\DRIVERS\xaudio.sys [07/10/2007 07:27 AM]
     S3 BCM43XV;Pilote de la carte réseau extensible Broadcom 802.11;C:\Windows\system32\DRIVERS\bcmwl6.sys [01/03/2007 05:43 PM]
     S3 igfx;igfx;C:\Windows\system32\DRIVERS\igdkmd32.sys [01/02/2008 05:48 PM]
     S3 RTSTOR;USB Mass Storage Device;C:\Windows\system32\drivers\RTSTOR.SYS [05/11/2007 08:09 PM]

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
     LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc

     *Newly Created Service* - ECACHE

     [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
     "C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
     .
     **************************************************************************
     catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2008-05-16 21:31:54
     Windows 6.0.6000 NTFS
     Balayage processus cachés ...
     Balayage caché autostart entries ...
     Balayage des fichiers cachés ...
     Scan terminé avec succès
     Les fichiers cachés: 0
     **************************************************************************
     .
     Temps d'accomplissement: 05/16/2008 21:32:45
     ComboFix-quarantined-files.txt 2008-05-16 19:32:40
     ComboFix2.txt 2008-05-16 19:11:29
     ComboFix3.txt 2008-05-16 12:47:40
     Le texte du message associé au numéro 0x2379 est introuvable dans le fichier de messages pour Application.
     Le texte du message associé au numéro 0x2379 est introuvable dans le fichier de messages pour Application.
     210 --- E O F --- 2008-05-16 10:27:27

     What is the procedure to follow next? Thank you.
  9. ComboFix 08-05-15.3 - SAOZ 05/16/2008 14:39:30.1 - NTFSx86
Microsoft® Windows Vista™ Édition Familiale Basique 6.0.6000.0.1252.33.1036.18.171 [GMT 2:00]
Running from: C:\Users\SAOZ\Desktop\ComboFix.exe
 * Created a new restore point
.
(((((((((((((((((((((((((((((((((((( Other deletions ))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Users\SAOZ\AppData\Local\vixkpmajc.dat
C:\Users\SAOZ\AppData\Local\vixkpmajc_nav.dat
C:\Users\SAOZ\AppData\Local\vixkpmajc_navps.dat
C:\Windows\system32\x64
.
((((((((((((((((((((((((((((( Files created 2008-04-16 to 2008-05-16 ))))))))))))))))))))))))))))))))))))
.
No new files created in this timespan
.
(((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-16 10:41 --------- d-----w C:\Program Files\Trend Micro
2008-05-14 23:17 --------- d-----w C:\Program Files\Windows Mail
2008-05-14 22:31 --------- d-----w C:\Program Files\PokerStars
2008-05-14 21:45 --------- d-----w C:\Program Files\Bonjour
2008-05-14 18:58 --------- d-----w C:\Users\SAOZ\AppData\Roaming\ENJOY Plus!
2008-05-14 18:58 --------- d-----w C:\PROGRA~2\Spybot - Search & Destroy
2008-05-14 18:57 --------- d-----w C:\Program Files\Full Tilt Poker
2008-05-14 18:57 --------- d-----w C:\Program Files\DivX
2008-05-14 18:57 --------- d-----w C:\Program Files\Common Files\Real
2008-05-14 18:47 --------- d-----w C:\Program Files\HP
2008-05-13 10:56 --------- d-----w C:\Program Files\K-Lite Codec Pack
2008-05-10 15:59 --------- d-----w C:\Program Files\SopCast
2008-05-10 11:41 --------- d-----w C:\Users\SAOZ\AppData\Roaming\Apple Computer
2008-05-10 11:28 --------- d-----w C:\Program Files\Common Files\Apple
2008-05-10 11:28 --------- d-----w C:\PROGRA~2\Apple
2008-04-27 12:42 --------- d-----w C:\PROGRA~2\Sonic
2008-04-27 12:09 --------- d-----w C:\Users\SAOZ\AppData\Roaming\Hewlett-Packard
2008-04-22 21:03 --------- d-----w C:\Program Files\GameTimePlus
2008-04-22 19:51 --------- d---a-w C:\PROGRA~2\TEMP
2008-04-22 19:38 --------- d-----w C:\Program Files\poker tracker v2
2008-04-22 09:46 --------- d-----w C:\Users\SAOZ\AppData\Roaming\TeamViewer
2008-04-22 09:46 --------- d-----w C:\Program Files\TeamViewer3
2008-04-16 21:05 --------- d-----w C:\Users\SAOZ\AppData\Roaming\teamspeak2
2008-04-16 12:25 29,952 ----a-w C:\Windows\Help\OEM\scripts\HPScript.exe
2008-04-06 16:37 --------- d-----w C:\Program Files\PKR
2008-04-03 19:40 --------- d-----w C:\Program Files\Messenger Plus! Live
2008-03-31 21:25 682,496 ----a-w C:\Windows\System32\divx.dll
2008-03-31 21:25 161,096 ----a-w C:\Windows\System32\DivXCodecVersionChecker.exe
2008-03-29 17:32 50,768 ----a-w C:\Windows\system32\drivers\aswMonFlt.sys
2008-03-28 17:41 7,680 ----a-w C:\Windows\System32\ff_vfw.dll
2008-03-25 16:35 --------- d-----w C:\Users\SAOZ\AppData\Roaming\X-Chat 2
2008-03-22 04:16 --------- d-----w C:\Program Files\Java
2008-03-21 20:30 3,596,288 ----a-w C:\Windows\System32\qt-dx331.dll
2008-03-21 20:30 200,704 ----a-w C:\Windows\System32\ssldivx.dll
2008-03-21 20:30 1,044,480 ----a-w C:\Windows\System32\libdivx.dll
2008-03-21 20:28 81,920 ----a-w C:\Windows\System32\dpl100.dll
2008-03-21 20:28 593,920 ----a-w C:\Windows\System32\dpuGUI11.dll
2008-03-21 20:28 57,344 ----a-w C:\Windows\System32\dpv11.dll
2008-03-21 20:28 53,248 ----a-w C:\Windows\System32\dpuGUI10.dll
2008-03-21 20:28 344,064 ----a-w C:\Windows\System32\dpus11.dll
2008-03-21 20:28 294,912 ----a-w C:\Windows\System32\dpu11.dll
2008-03-21 20:28 294,912 ----a-w C:\Windows\System32\dpu10.dll
2008-03-21 20:28 196,608 ----a-w C:\Windows\System32\dtu100.dll
2008-03-18 14:43 --------- d-----w C:\Program Files\OrangeHSS
2008-03-18 14:31 --------- d-----w C:\Program Files\Securitoo
2008-03-18 14:31 --------- d-----w C:\Program Files\Inventel
2008-03-08 18:19 691,545 ----a-w C:\Windows\unins000.exe
2008-02-29 06:51 19,000 ----a-w C:\Windows\System32\kd1394.dll
2008-02-29 06:39 40,960 ----a-w C:\Windows\System32\srclient.dll
2008-02-29 06:39 371,712 ----a-w C:\Windows\System32\srcore.dll
2008-02-29 06:38 313,856 ----a-w C:\Windows\System32\rstrui.exe
2008-02-29 06:38 16,384 ----a-w C:\Windows\System32\srdelayed.exe
2008-02-29 06:35 6,656 ----a-w C:\Windows\System32\kbd106n.dll
2008-02-29 06:34 7,168 ----a-w C:\Windows\System32\f3ahvoas.dll
2008-02-29 04:16 2,027,008 ----a-w C:\Windows\System32\win32k.sys
2008-02-28 19:44 15,872 ------w C:\Windows\System32\winskfr.dll
2008-02-28 19:44 119,568 ------w C:\Windows\System32\vb6fr.dll
2008-02-21 04:43 826,368 ----a-w C:\Windows\System32\wininet.dll
2008-02-21 04:43 56,320 ----a-w C:\Windows\System32\iesetup.dll
2008-02-21 04:43 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-02-21 04:43 296,448 ----a-w C:\Windows\System32\gdi32.dll
2008-02-21 04:43 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2008-02-19 05:10 620,088 ----a-w C:\Windows\System32\ci.dll
2007-12-27 19:43 174 --sha-w C:\Program Files\desktop.ini
.
------- Sigcheck -------
.
((((((((((((((((((((((((((((((((( Reg loading points )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [01/09/2008 11:13 AM 1232896]
"LightScribe Control Panel"="C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe" [04/19/2007 01:26 PM 484904]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 12:43 PM 2097488]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 12:34 PM 5724184]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [11/02/2006 02:34 PM 201728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [07/06/2007 06:14 AM 1006264]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [10/25/2007 05:44 AM 212992]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [03/28/2007 05:45 PM 176128]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [06/11/2007 08:57 AM 184320]
"HP Health Check Scheduler"="C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [03/12/2007 11:54 AM 50696]
"hpWirelessAssistant"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [03/01/2007 01:18 PM 472776]
"WAWifiMessage"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [01/10/2007 04:12 PM 317128]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 05:25 AM 144784]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [01/02/2008 06:07 PM 141848]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [01/02/2008 06:06 PM 166424]
"Persistence"="C:\Windows\system32\igfxpers.exe" [01/02/2008 06:07 PM 133656]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [03/29/2008 07:37 PM 79224]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [05/08/2007 04:24 PM 54840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="%WINDIR%\SMINST\launcher.exe" [ ]

C:\Users\SAOZ\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ENJOY Plus!.lnk - C:\Program Files\ENJOY Plus!\ENJOY Plus!.exe [12/28/2007 2:42:43 AM 1263616]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [10/23/2006 12:01:50 AM 734872]
Lancement rapide d'Adobe Reader.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [10/23/2006 1:48:20 AM 40048]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{D8D6B963-6A57-484A-A1BF-A36E84E12582}"= C:\Program Files\HP\QuickPlay\QP.exe:Quick Play
"{CAAA23D5-CF96-4B77-A368-F13B61A891F4}"= C:\Program Files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"TCP Query User{112421DF-EDD6-4A7C-A733-1D449E682F4F}C:\\program files\\veoh networks\\veoh\\veohclient.exe"= UDP:C:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"UDP Query User{BFC92C14-E5AB-46AB-9771-6C7CFDEA5114}C:\\program files\\veoh networks\\veoh\\veohclient.exe"= TCP:C:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"TCP Query User{BB94469C-3495-4FCC-9422-ADC84C764705}C:\\program files\\mozilla firefox\\firefox.exe"= UDP:C:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{30388CC2-80E9-4892-A6AA-31231261332F}C:\\program files\\mozilla firefox\\firefox.exe"= TCP:C:\program files\mozilla firefox\firefox.exe:Firefox
"TCP Query User{EC3C1792-EF24-4D0B-AF20-DE14F108CAC9}C:\\program files\\hp\\hp software update\\hpwucli.exe"= UDP:C:\program files\hp\hp software update\hpwucli.exe:HP Software Update Client
"UDP Query User{BBEE2972-4D0A-43DA-A804-A378D389BFE7}C:\\program files\\hp\\hp software update\\hpwucli.exe"= TCP:C:\program files\hp\hp software update\hpwucli.exe:HP Software Update Client
"TCP Query User{E9BF427E-679C-419F-88BE-1EBFE68B33C7}C:\\program files\\real\\realplayer\\realplay.exe"= UDP:C:\program files\real\realplayer\realplay.exe:RealPlayer
"UDP Query User{BD7396CF-F090-4D81-885E-6151198C4079}C:\\program files\\real\\realplayer\\realplay.exe"= TCP:C:\program files\real\realplayer\realplay.exe:RealPlayer
"TCP Query User{5B44E9B9-4835-4790-8503-6555955BBCDA}C:\\program files\\sopcast\\adv\\sopadver.exe"= UDP:C:\program files\sopcast\adv\sopadver.exe:SopCast Adver
"UDP Query User{00F366E9-CCE0-41D4-9526-A8294C7C125C}C:\\program files\\sopcast\\adv\\sopadver.exe"= TCP:C:\program files\sopcast\adv\sopadver.exe:SopCast Adver
"TCP Query User{83CAB489-647F-4BE5-86C5-9F72C85C5F72}C:\\program files\\sopcast\\sopcast.exe"= UDP:C:\program files\sopcast\sopcast.exe:SopCast Main Application
"UDP Query User{BFDAAB10-5680-4DA7-8ABC-14B7CD983C4D}C:\\program files\\sopcast\\sopcast.exe"= TCP:C:\program files\sopcast\sopcast.exe:SopCast Main Application
"TCP Query User{90B1DAA9-EFB2-4BCD-A72A-0888E7B59674}C:\\program files\\sopcast\\sopvod.exe"= UDP:C:\program files\sopcast\sopvod.exe:sopvod
"UDP Query User{52EB84EA-BC43-4F42-AC71-4AFE1EB8F596}C:\\program files\\sopcast\\sopvod.exe"= TCP:C:\program files\sopcast\sopvod.exe:sopvod
"{537FBDC5-5F7A-4926-89CF-D7E820CE7D1C}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{F219A8D5-5212-4C4B-989C-63165E6116B5}C:\\program files\\tvants\\tvants.exe"= UDP:C:\program files\tvants\tvants.exe:TVAnts
"UDP Query User{FBC02C29-EBAA-493B-9C29-10F6499CEE23}C:\\program files\\tvants\\tvants.exe"= TCP:C:\program files\tvants\tvants.exe:TVAnts
"TCP Query User{ABA1FD35-BB58-4530-A80F-6C9126E3CDA7}C:\\program files\\emule\\emule.exe"= Disabled:UDP:C:\program files\emule\emule.exe:eMule
"UDP Query User{1C775823-8E25-44B6-AD31-A03135FC0187}C:\\program files\\emule\\emule.exe"= Disabled:TCP:C:\program files\emule\emule.exe:eMule
"TCP Query User{73B2EE18-DD4D-40F4-8CD7-DDC9CED81C1F}C:\\program files\\xchat\\xchat.exe"= UDP:C:\program files\xchat\xchat.exe:XChat IRC Client
"UDP Query User{BE5AC407-E514-4B71-ACE6-A32D7952F4A9}C:\\program files\\xchat\\xchat.exe"= TCP:C:\program files\xchat\xchat.exe:XChat IRC Client
"TCP Query User{94F2F340-AACD-4738-8FD4-6B28451CD58A}C:\\program files\\mozilla firefox\\firefox.exe"= UDP:C:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{50E85BAC-D2E5-4161-80D4-CB5365AB62E0}C:\\program files\\mozilla firefox\\firefox.exe"= TCP:C:\program files\mozilla firefox\firefox.exe:Firefox
"TCP Query User{84A32ADA-F531-4987-BB23-A24FFBBDFDB8}C:\\program files\\utorrent\\utorrent.exe"= UDP:C:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{586A550D-5FBE-4920-A121-002365E9AE61}C:\\program files\\utorrent\\utorrent.exe"= TCP:C:\program files\utorrent\utorrent.exe:uTorrent
"TCP Query User{2F98DE04-FC62-4EF4-952D-2C876F458DBA}C:\\program files\\veoh networks\\veoh\\veohclient.exe"= UDP:C:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"UDP Query User{5E939B47-AD56-4537-B494-89677662F8AE}C:\\program files\\veoh networks\\veoh\\veohclient.exe"= TCP:C:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"{D1D4FFF5-969B-465B-BCDC-0D175591F19D}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{AC5488CE-B4F6-4F12-8170-92FB42FC5E02}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\OrangeHSS\\Connectivity\\ConnectivityManager.exe"= C:\Program Files\OrangeHSS\Connectivity\ConnectivityManager.exe:*:enabled:CSS
"C:\\Program Files\\xchat\\xchat.exe"= C:\Program Files\xchat\xchat.exe:*:Enabled:XChat IRC Client

R1 aswSP;avast! Self Protection;C:\Windows\system32\drivers\aswSP.sys [03/29/2008 07:31 PM]
R2 aswFsBlk;aswFsBlk;C:\Windows\system32\DRIVERS\aswFsBlk.sys [03/29/2008 07:35 PM]
R2 aswMonFlt;aswMonFlt;C:\Windows\system32\DRIVERS\aswMonFlt.sys [03/29/2008 07:32 PM]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [08/31/2007 05:46 PM]
R2 TeamViewer;TeamViewer 3;"C:\Program Files\TeamViewer3\TeamViewer_Host.exe" -service []
R2 XAudio;XAudio;C:\Windows\system32\DRIVERS\xaudio.sys [07/10/2007 07:27 AM]
R3 igfx;igfx;C:\Windows\system32\DRIVERS\igdkmd32.sys [01/02/2008 05:48 PM]
S3 BCM43XV;Pilote de la carte réseau extensible Broadcom 802.11;C:\Windows\system32\DRIVERS\bcmwl6.sys [01/03/2007 05:43 PM]
S3 RTSTOR;USB Mass Storage Device;C:\Windows\system32\drivers\RTSTOR.SYS [05/11/2007 08:09 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc

*Newly Created Service* - CATCHME

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-16 14:45:17
Windows 6.0.6000 NTFS

Scanning hidden processes ...
Scanning hidden autostart entries ...
Scanning hidden files ...

C:\Users\SAOZ\AppData\Local\Microsoft\Messenger\neitsabes38@hotmail.fr\SharingMetadata\Working\database_3FE8_19A2_6AB7_6173\$db_clean$ 0 bytes

Scan completed successfully
Hidden files: 1

**************************************************************************
.

I've got to this point, but after that I'm stuck... :oo
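The firewall and Security Center lines in a ComboFix log like the one above are the first thing a responder reads, because they say whether the host is still defending itself at all. The script below is an added example written for this page; it is not part of the poster's log, of ComboFix, or of any reply in the thread. It parses the registry-style lines ComboFix prints under the firewallpolicy and Security Center keys and reports what matters: whether Windows Firewall is on in the Standard profile, whether Security Center alerting is suppressed, and which executables hold firewall exceptions. The sample input is constructed from lines excerpted verbatim from the log in this post; the value formats it assumes are the ones visible there ([Disabled:][TCP|UDP:]path:label for Vista FirewallRules, path:scope:state:label for the XP-style AuthorizedApplications list).

```python
"""Triage the firewall / Security Center section of a ComboFix log (added example)."""
import re
from collections import defaultdict

# Constructed sample: lines excerpted verbatim from the ComboFix log posted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{D8D6B963-6A57-484A-A1BF-A36E84E12582}"= C:\Program Files\HP\QuickPlay\QP.exe:Quick Play
"TCP Query User{ABA1FD35-BB58-4530-A80F-6C9126E3CDA7}C:\\program files\\emule\\emule.exe"= Disabled:UDP:C:\program files\emule\emule.exe:eMule
"UDP Query User{1C775823-8E25-44B6-AD31-A03135FC0187}C:\\program files\\emule\\emule.exe"= Disabled:TCP:C:\program files\emule\emule.exe:eMule
"TCP Query User{84A32ADA-F531-4987-BB23-A24FFBBDFDB8}C:\\program files\\utorrent\\utorrent.exe"= UDP:C:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{586A550D-5FBE-4920-A121-002365E9AE61}C:\\program files\\utorrent\\utorrent.exe"= TCP:C:\program files\utorrent\utorrent.exe:uTorrent
"{D1D4FFF5-969B-465B-BCDC-0D175591F19D}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{AC5488CE-B4F6-4F12-8170-92FB42FC5E02}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\OrangeHSS\\Connectivity\\ConnectivityManager.exe"= C:\Program Files\OrangeHSS\Connectivity\ConnectivityManager.exe:*:enabled:CSS
"C:\\Program Files\\xchat\\xchat.exe"= C:\Program Files\xchat\xchat.exe:*:Enabled:XChat IRC Client
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=\s*(?P<value>.*)$')
# Vista FirewallRules as ComboFix prints them (assumed from the log): [Disabled:][TCP|UDP:]<path>:<label>
RULE_RE = re.compile(
    r"^(?P<disabled>Disabled:)?(?P<proto>(?:TCP|UDP):)?(?P<path>[A-Za-z]:\\[^:]+):(?P<label>.*)$"
)
# XP-style AuthorizedApplications entries (assumed from the log): <path>:<scope>:<state>:<label>
AUTHAPP_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\[^:]+):(?P<scope>[^:]+):(?P<state>[^:]+):(?P<label>.*)$"
)


def parse_sections(text):
    """Group '"name"= value' lines under the most recent [key] header (keys lower-cased)."""
    sections = defaultdict(list)
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group("key").lower()
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            sections[current].append((m.group("name"), m.group("value").strip()))
    return sections


def triage(text):
    """Return the firewall-relevant findings from a ComboFix log excerpt."""
    sections = parse_sections(text)
    report = {
        "firewall_enabled": None,  # None means the StandardProfile key was not in the excerpt
        "security_center_monitoring_disabled": False,
        "allowed_rules": [],       # (exe path, rule label), deduplicated across TCP/UDP pairs
        "disabled_rules": [],
        "authorized_apps": [],     # (exe path, state, label)
    }
    for key, entries in sections.items():
        if key.endswith("\\firewallpolicy\\standardprofile"):
            for name, value in entries:
                if name == "EnableFirewall":
                    report["firewall_enabled"] = value.split()[0] != "0"
        elif key.endswith("security center\\monitoring"):
            for name, value in entries:
                if name == "DisableMonitoring" and value.lower() == "dword:00000001":
                    report["security_center_monitoring_disabled"] = True
        elif key.endswith("\\firewallrules"):
            for _name, value in entries:
                m = RULE_RE.match(value)
                if not m:
                    continue  # values in another format (e.g. RestrictedServices) are skipped
                entry = (m.group("path").lower(), m.group("label"))
                bucket = "disabled_rules" if m.group("disabled") else "allowed_rules"
                if entry not in report[bucket]:
                    report[bucket].append(entry)
        elif key.endswith("\\authorizedapplications\\list"):
            for _name, value in entries:
                m = AUTHAPP_RE.match(value)
                if m:
                    report["authorized_apps"].append(
                        (m.group("path"), m.group("state").lower(), m.group("label")))
    return report


def findings(text):
    """Human-readable triage lines, host-wide settings first, then per-program exceptions."""
    r = triage(text)
    out = []
    if r["firewall_enabled"] is False:
        out.append("Windows Firewall is OFF in the Standard profile (EnableFirewall=0)")
    if r["security_center_monitoring_disabled"]:
        out.append("Security Center monitoring is disabled (DisableMonitoring=1); "
                   "firewall/antivirus state alerts are suppressed")
    for path, label in r["allowed_rules"]:
        out.append(f"firewall exception: {label} -> {path}")
    for path, state, label in r["authorized_apps"]:
        out.append(f"authorized application ({state}): {label} -> {path}")
    for path, label in r["disabled_rules"]:
        out.append(f"disabled rule (no exception in force): {label} -> {path}")
    return out


if __name__ == "__main__":
    for line in findings(SAMPLE_LOG):
        print(line)
```

Run it against a full ComboFix log by passing the file contents to findings(); the section headers it keys on are the ones ComboFix prints, so the excerpt boundaries do not matter. Note that a rule's presence in FirewallRules only says an exception exists while the profile is enabled; with EnableFirewall=0 every rule in the list is moot, which is why the script reports that setting before anything else.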
  10. Thank you for your reply, which looks very thorough; I will follow your advice to the letter when I get home from work tonight. Thanks again. Hoping I won't have too much trouble getting through your tasks :oo
  11. Hello everyone, after asking for help elsewhere I was advised to come to this site to submit my problem. So here it is: for some time now my PC has been lagging quite badly, then restarting my Windows taskbar every 5-10 minutes... And today my antivirus tells me it has found a virus:
File name: C:\Users\SAOZ\AppData\Local\Temp\pdttmrba.dll
Malware name: Win32:Rootkit-gen [Rtk]
Malware type: Rootkit
I was advised to install HijackThis so I could submit a scan to you, which I am doing right away.

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\ENJOY Plus!\ENJOY Plus!.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Windows\system32\conime.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Windows\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\WerCon.exe

I hope I did the right steps with this scan, as I was not familiar with this log... One small detail: I am on Vista, on an Intel Celeron Compaq laptop. There you go, I hope I have been clear, and thank you for any help you may be able to give me.