guitz

Members
  • Content count: 7

  1. Hello, I still have the same problem: I'm on a blacklist again. I scanned a laptop that regularly connects to our network.

ComboFix 10-07-07.02 - Jean-Pascal 09/07/2010 9:16.1.2 - x86
Microsoft Windows XP Professionnel 5.1.2600.3.1252.33.1036.18.1014.404 [GMT 2:00]
Lancé depuis: c:\documents and settings\Jean-Pascal\Bureau\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Jean-Pascal\Local Settings\Application Data\eaymw_nav.dat
c:\program files\webmediaplayer
c:\program files\webmediaplayer\Conditions générales.url
c:\program files\webmediaplayer\Confidentialité.url
c:\program files\webmediaplayer\resources\languages_v2.xml
c:\program files\webmediaplayer\resources\webmedias
c:\program files\webmediaplayer\skins\classic.skn
c:\program files\webmediaplayer\sqlite3.dll
c:\program files\webmediaplayer\Website.url
c:\windows\system32\nvs2.inf
c:\windows\xpsp1hfm.log
.
((((((((((((((((((((((((((((( Fichiers créés du 2010-06-09 au 2010-07-09 ))))))))))))))))))))))))))))))))))))
.
2010-06-10 12:49 . 2010-05-06 10:33 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-09 08:06 . 2010-06-09 08:06 976832 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\546\AdobeARM.exe
2010-06-09 08:06 . 2010-06-09 08:06 70584 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\546\AdobeExtractFiles.dll
2010-06-09 08:06 . 2010-06-09 08:06 331176 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\546\ReaderUpdater.exe
2010-06-09 08:06 . 2010-06-09 08:06 331176 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\546\AcrobatUpdater.exe
.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-08 11:56 . 2008-01-03 17:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-05-26 11:27 . 2010-05-26 11:27 503808 ----a-w- c:\documents and settings\Jean-Pascal\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-6fd91ccf-n\msvcp71.dll
2010-05-26 11:27 . 2010-05-26 11:27 499712 ----a-w- c:\documents and settings\Jean-Pascal\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-6fd91ccf-n\jmc.dll
2010-05-26 11:27 . 2010-05-26 11:27 348160 ----a-w- c:\documents and settings\Jean-Pascal\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-6fd91ccf-n\msvcr71.dll
2010-05-06 10:33 . 2004-08-19 12:03 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 08:08 . 2004-08-19 12:03 1851392 ----a-w- c:\windows\system32\win32k.sys
2010-04-22 14:51 . 2004-08-19 12:03 85426 ----a-w- c:\windows\system32\perfc00C.dat
2010-04-22 14:51 . 2004-08-19 12:03 519714 ----a-w- c:\windows\system32\perfh00C.dat
2010-04-20 05:30 . 2004-08-19 12:03 285696 ----a-w- c:\windows\system32\atmfd.dll
2007-07-24 18:03 . 2007-07-24 18:03 118784 ----a-w- c:\program files\internet explorer\plugins\LV85ActiveXControl.dll
.
((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 12:01 1230080 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]
"{3EA8D036-C9E7-4721-BCDF-C13D00C4CC39}"= "c:\program files\DevNet\Toolbar\DevNet.dll" [2010-04-23 487248]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CLASSES_ROOT\clsid\{3ea8d036-c9e7-4721-bcdf-c13d00c4cc39}]
[HKEY_CLASSES_ROOT\IadahToolbar.IEHook.1]
[HKEY_CLASSES_ROOT\TypeLib\{A26CCE4F-8765-482B-A9F5-7D0A1635C08C}]
[HKEY_CLASSES_ROOT\IadahToolbar.IEHook]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-03 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-06 176128]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-18 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 696320]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-02-20 1191936]
"ISUSPM Startup"="c:\progra~1\FICHIE~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Fichiers communs\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-12-01 30192]
"Client Access Service"="c:\program files\IBM\Client Access\cwbsvstr.exe" [2001-05-08 20530]
"Client Access Help Update"="c:\program files\IBM\Client Access\cwbinhlp.exe" [2001-05-08 24626]
"Client Access Check Version"="c:\program files\IBM\Client Access\cwbckver.exe" [2001-05-08 49152]
"Client Access Express Welcome"="c:\program files\IBM\Client Access\cwbwlwiz.exe" [2001-05-08 20530]
"SSBkgdUpdate"="c:\program files\Fichiers communs\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"WorkFlowTray"="c:\program files\ScanSoft\OmniPagePro14.0\WorkFlowTray.exe" [2004-04-13 155747]
"Opware14"="c:\program files\ScanSoft\OmniPagePro14.0\Opware14.exe" [2004-03-08 57344]
"OpScheduler"="c:\program files\ScanSoft\OmniPagePro14.0\OpScheduler.exe" [2004-03-08 114688]
"PDF Converter Registry Controller"="c:\program files\ScanSoft\OmniPagePro14.0\PdfCnv\\RegistryController.exe" [2004-01-14 102400]
"SSPrnAgent"="c:\program files\ScanSoft\OmniPagePro14.0\PdfPrn\SPrnAgent.exe" [2004-03-08 20480]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2007-08-03 63048]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-06-08 128560]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Edition Découverte\3.0\Apps\apdproxy.exe" [2005-06-23 57344]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-07-09 2048352]
"AppleSyncNotifier"="c:\program files\Fichiers communs\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"JobHisInit"="c:\program files\RDS\RMClient\JobHisInit.exe" [2007-08-30 229481]
"MplSetUp"="c:\program files\RDS\RMClient\MplSetUp.exe" [2007-08-30 49254]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Fichiers communs\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Jean-Pascal\Menu Démarrer\Programmes\Démarrage\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-9-12 384000]
Raccourci vers ADDROUTE.lnk - C:\ADDROUTE.bat [2007-8-28 326]

c:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [2005-6-16 49152]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-8-22 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-21 07:05 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
2003-04-08 15:45 24666 ----a-w- c:\windows\system32\ckpNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-05-19 13:23 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R0 nipbcfk;National Instruments Class Upper Filter Driver;c:\windows\system32\drivers\nipbcfk.sys [10/07/2007 21:08 15448]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [26/05/2008 16:53 335240]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [10/02/2009 09:30 297752]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [03/08/2007 16:09 12856]
R2 NiViPxiK;NI-VISA PXI Driver;c:\windows\system32\drivers\NiViPxiKl.sys [19/07/2007 12:56 11360]
R2 Scap;SecureClient Application Policy Module;c:\windows\system32\drivers\scap.sys [29/08/2007 10:18 17232]
R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [29/08/2007 10:18 628560]
R3 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [29/08/2007 10:18 1882800]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [22/08/2007 18:08 30192]
S3 K320bus;Sony Ericsson K320 driver (WDM);c:\windows\system32\drivers\K320bus.sys [22/05/2008 13:35 61504]
S3 K320mdfl;Sony Ericsson K320 USB WMC Modem Filter;c:\windows\system32\drivers\K320mdfl.sys [19/12/2008 12:46 9328]
S3 K320mdm;Sony Ericsson K320 USB WMC Modem Driver;c:\windows\system32\drivers\K320mdm.sys [19/12/2008 12:46 97056]
S3 K320obex;Sony Ericsson K320 USB WMC OBEX Interface;c:\windows\system32\drivers\K320obex.sys [19/12/2008 12:47 86368]
S3 nidimk;nidimk;c:\windows\system32\drivers\nidimkl.sys [12/07/2007 19:18 11360]
S3 nipalfwedl;nipalfwedl;c:\windows\system32\drivers\nipalfwedl.sys [18/07/2007 22:11 11904]
S3 nipalusbedl;nipalusbedl;c:\windows\system32\drivers\nipalusbedl.sys [18/07/2007 22:12 11896]
S3 NiViFWK;NI-VISA FireWire Driver;c:\windows\system32\drivers\NiViFWKl.sys [19/07/2007 12:48 11384]
S3 NiViPciK;NI-VISA PCI Driver;c:\windows\system32\drivers\NiViPciKl.sys [19/07/2007 12:56 11360]
S3 OMVA;VPN-1 SecureClient Adapter;c:\windows\system32\drivers\OMVA.sys [29/08/2007 10:18 14924]
.
Contenu du dossier 'Tâches planifiées'

2010-05-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 10:34]

2010-07-09 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-09-03 06:44]

2010-07-09 c:\windows\Tasks\User_Feed_Synchronization-{57C14FD1-2627-48DA-9B9F-86AF80B87988}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 02:31]
.
.
------- Examen supplémentaire -------
.
uStart Page = hxxp://wwwgoogle.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: Ouvrir le fichier PDF dans Word - c:\program files\ScanSoft\OmniPagePro14.0\PdfCnv\IEShellExt.dll /300
TCP: {618BE36F-B472-40D5-89C2-2CC24FABC2C8} = 213.203.124.147,213.30.96.123
.
**************************************************************************
Recherche de processus cachés ...
Recherche d'éléments en démarrage automatique cachés ...
Recherche de fichiers cachés ...
Scan terminé avec succès
Fichiers cachés:
**************************************************************************
.
--------------------- CLES DE REGISTRE BLOQUEES ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs chargées dans les processus actifs ---------------------

- - - - - - - > 'winlogon.exe'(1448)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll

- - - - - - - > 'explorer.exe'(944)
c:\program files\ScanSoft\OmniPagePro14.0\OpHook14.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\windows\system32\CDRTC.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Autres processus actifs ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\program files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\lkcitdl.exe
c:\windows\system32\lkads.exe
c:\windows\system32\lktsrv.exe
c:\program files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\National Instruments\Shared\Security\nidmsrv.exe
c:\windows\system32\nisvcloc.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\program files\CheckPoint\SecuRemote\bin\SR_Service.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\program files\CheckPoint\SecuRemote\bin\SR_GUI.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\stsystra.exe
c:\program files\Apoint\HidFind.exe
c:\program files\Apoint\Apntex.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
.
**************************************************************************
.
Heure de fin: 2010-07-09 09:27:00 - La machine a redémarré
ComboFix-quarantined-files.txt 2010-07-09 07:26

Avant-CF: 61 605 953 536 octets libres
Après-CF: 61 966 102 528 octets libres

WindowsXP-KB310994-SP2-Pro-BootDisk-FRA.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professionnel" /noexecute=optin /fastdetect

- - End Of File - - 1C9A13EBE47168A6DB0194F06A774CCB

I'm still looking for a way to be sure that my Windows 2003 server is no longer infected. Thank you for your attention.
  2. Hello, I still have the same problem: http://forum.zebulon.fr/infecte-par-un-rootkit-spambot-t177506.html I regularly end up on anti-spam blacklists! I need help eradicating the source of the problem. Thanks.
  3. Hello, I'm bumping my post because just yesterday I ended up on the CBL blacklist again. Gmer let me "clean" the Windows 2003 server, but if anyone knows a way to be sure of it, I'm all ears. So I went ahead and scanned the other PCs on the network with ComboFix anyway; here is the ComboFix log from a PC that looked suspicious to me.

ComboFix 10-06-30.03 - Laurence 01/07/2010 9:32.1.1 - x86
Microsoft Windows XP Professionnel 5.1.2600.3.1252.33.1036.18.511.260 [GMT 2:00]
Lancé depuis: c:\documents and settings\Laurence\Bureau\ComboFix.exe
AV: Total Protection Service *On-access scanning disabled* (Updated) {8C354827-2F54-4E28-90DC-AD391E77808C}
.
(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Laurence\Application Data\Dossier de téléchargement Share-to-Web
c:\program files\Helper
c:\windows\system32\Cache
c:\windows\system32\dumphive.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe
c:\windows\xpsp1hfm.log
.
((((((((((((((((((((((((((((( Fichiers créés du 2010-06-01 au 2010-07-01 ))))))))))))))))))))))))))))))))))))
.
Pas de nouveau fichier créé dans ce laps de temps
.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-01 07:46 . 2003-07-22 16:07 576720 ----a-w- c:\windows\system32\perfh00C.dat
2010-07-01 07:46 . 2003-07-22 16:07 101824 ----a-w- c:\windows\system32\perfc00C.dat
2010-07-01 07:43 . 2010-07-01 07:43 -------- d-----w- c:\documents and settings\Laurence\Application Data\Dossier de téléchargement Share-to-Web
2010-07-01 07:43 . 2010-07-01 07:43 -------- d-----w- c:\documents and settings\Laurence\Application Data\Dossier de téléchargement Share-to-Web
2010-06-25 09:14 . 2010-06-25 09:14 501936 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb128.tmp.exe
2010-05-25 18:00 . 2010-05-25 18:00 503808 ----a-w- c:\documents and settings\Laurence\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-3e2937b7-n\msvcp71.dll
2010-05-25 18:00 . 2010-05-25 18:00 499712 ----a-w- c:\documents and settings\Laurence\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-3e2937b7-n\jmc.dll
2010-05-25 18:00 . 2010-05-25 18:00 348160 ----a-w- c:\documents and settings\Laurence\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-3e2937b7-n\msvcr71.dll
2010-05-05 08:10 . 2009-04-22 08:37 -------- d-----w- c:\program files\RegisterEx
2010-05-04 17:17 . 2006-02-24 13:21 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:17 . 2004-08-19 23:09 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:17 . 2003-07-22 15:50 17408 ----a-w- c:\windows\system32\corpol.dll
2010-05-04 07:57 . 2010-05-04 07:57 766 ----a-r- c:\documents and settings\Laurence\Application Data\Microsoft\Installer\{791CAF6C-90A3-11D4-8306-00D0B72E1DB9}\Rnbo.exe
2010-05-04 07:54 . 2009-04-21 09:30 0 ----a-w- c:\windows\system32\_r_a_p_.tmp
2010-05-04 07:26 . 2009-04-21 09:38 1897 ----a-w- c:\windows\W32RegistryState.dat
2010-05-04 07:13 . 2010-05-04 07:13 -------- d-----w- c:\program files\Fichiers communs\PC SOFT
2010-05-02 08:08 . 2003-07-22 16:18 1851392 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30 . 2003-07-22 15:49 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-14 17:44 . 2009-11-10 07:40 79488 ----a-w- c:\documents and settings\Laurence\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2008-09-29 10:29 . 2007-08-13 08:25 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2007-11-28 19:41 . 2006-12-06 09:36 67696 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2007-11-28 19:41 . 2006-12-06 09:36 54376 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2007-11-28 19:41 . 2007-02-02 11:05 34952 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2007-11-28 19:41 . 2007-02-02 11:05 46720 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2007-11-28 19:41 . 2006-12-06 09:36 172144 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.
((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-06 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2002-09-03 28672]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2002-08-14 290816]
"MVS Splash"="c:\program files\McAfee\Managed VirusScan\DesktopUI\XTray.exe" [2010-04-05 476480]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-11-22 188416]
"HPHmon04"="c:\windows\system32\hphmon04.exe" [2002-11-22 348160]
"HPHUPD04"="c:\program files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe" [2002-11-22 49152]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]
"LVCOMS"="c:\program files\Fichiers communs\Logitech\QCDriver2\LVCOMS.EXE" [2002-09-20 90112]
"LogitechGalleryRepair"="c:\program files\Logitech\ImageStudio\ISStart.exe" [2002-09-11 155648]
"LogitechImageStudioTray"="c:\program files\Logitech\ImageStudio\LogiTray.exe" [2002-09-11 45056]
"JobHisInit"="c:\program files\RMClient\JobHisInit.exe" [2005-11-01 151552]
"MplSetUp"="c:\program files\RMClient\MplSetUp.exe" [2005-05-31 40960]
"Omnipage"="c:\program files\ScanSoft\OmniPageSE\opware32.exe" [2002-02-20 49152]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-09-29 29744]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]
"TkBellExe"="c:\program files\Fichiers communs\Real\Update_OB\realsched.exe" [2007-09-13 185632]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Client Access Service"="c:\program files\IBM\Client Access\cwbsvstr.exe" [2001-05-08 20530]
"Client Access Help Update"="c:\program files\IBM\Client Access\cwbinhlp.exe" [2001-05-08 24626]
"Client Access Check Version"="c:\program files\IBM\Client Access\cwbckver.exe" [2001-05-08 49152]
"Client Access Express Welcome"="c:\program files\IBM\Client Access\cwbwlwiz.exe" [2001-05-08 20530]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Consille\Menu Démarrer\Programmes\Démarrage\
Raccourci vers ADDROUTE.lnk - C:\ADDROUTE.bat [2009-4-21 326]

c:\documents and settings\Consille\Menu Démarrer\Programmes\Démarrage\
Raccourci vers ADDROUTE.lnk - C:\ADDROUTE.bat [2009-4-21 326]

c:\documents and settings\Laurence\Menu Démarrer\Programmes\Démarrage\
Raccourci vers ADDROUTE.lnk - C:\ADDROUTE.bat [2009-4-21 326]

c:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2006-5-6 169472]

c:\documents and settings\Consille\Menu Démarrer\Programmes\Démarrage\
Raccourci vers ADDROUTE.lnk - C:\ADDROUTE.bat [2009-4-21 326]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\McAfee\\Managed VirusScan\\Agent\\myAgtSvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\umi.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Sybase\\win32\\dbeng7.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [22/10/2008 10:33 28544]
R2 EngineServer;EngineServer;c:\program files\McAfee\Managed VirusScan\VScan\EngineServer.exe [26/05/2008 10:04 14144]
R2 myAgtSvc;Service McAfee de protection antivirus et antispyware;c:\program files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe [04/05/2006 19:52 282824]
S2 gupdate;Service Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [02/02/2010 12:40 135664]
S3 BzSpIDer;BzSpIDer;\??\n:\opiron\BzSpIDer.sys --> n:\opiron\BzSpIDer.sys [?]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\magix\Common\Database\bin\fbserver.exe [15/11/2006 12:54 1527900]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [06/12/2006 11:32 29744]
S3 OMVA;VPN-1 SecureClient Adapter;c:\windows\system32\drivers\OMVA.sys [13/05/2006 16:34 14924]
S3 UPnPService;UPnPService;c:\program files\Fichiers communs\MAGIX Shared\UPnPService\UPnPService.exe [15/11/2006 12:51 647242]
.
Contenu du dossier 'Tâches planifiées'

2010-07-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 10:40]

2010-06-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 10:40]

2010-07-01 c:\windows\Tasks\HP Usg Daily.job
- c:\program files\hp photosmart 11\printer\Hphusg04.exe [2002-11-22 19:50]

2010-07-01 c:\windows\Tasks\HP Usg Login.job
- c:\program files\hp photosmart 11\printer\Hphusg04.exe [2002-11-22 19:50]
.
.
------- Examen supplémentaire -------
.
uStart Page = hxxp://www.google.com/
IE: E&xporter vers Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: //about.htm/
Trusted Zone: //Exclude.htm/
Trusted Zone: //LanguageSelection.htm/
Trusted Zone: //Message.htm/
Trusted Zone: //MyAgttryCmd.htm/
Trusted Zone: //MyAgttryNag.htm/
Trusted Zone: //MyNotification.htm/
Trusted Zone: //NOCLessUpdate.htm/
Trusted Zone: //quarantine.htm/
Trusted Zone: //ScanNow.htm/
Trusted Zone: //strings.vbs/
Trusted Zone: //Template.htm/
Trusted Zone: //Update.htm/
Trusted Zone: //VirFound.htm/
Trusted Zone: mcafee.com\*
Trusted Zone: mcafeeasap.com\betavscan
Trusted Zone: mcafeeasap.com\vs
Trusted Zone: mcafeeasap.com\www
TCP: {DF52E5A7-72D5-4ADC-AA3F-4029BF2DF42D} = 172.25.59.2,172.25.59.1
DPF: {B79A53C0-1DAC-4636-BACE-FD086A7A79BF} - hxxps://static.impots.gouv.fr/tdir/static/adpform/AdSignerADP.cab
FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHELINS SUPPRIMES - - - -

HKLM-Run-McAfee Managed Services Tray - c:\program files\McAfee\Managed VirusScan\Agent\StartMyagtTry.exe
AddRemove-kswiooq - c:\documents and settings\consille\local settings\application data\kswiooq.exe
AddRemove-MultiMedia Software - c:\program files\Video Add-on\uninst.exe
AddRemove-MVS - c:\progra~1\McAfee\MANAGE~1\Agent\myinx

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-01 09:43
Windows 5.1.2600 Service Pack 3 NTFS

Recherche de processus cachés ...
Recherche d'éléments en démarrage automatique cachés ...
Recherche de fichiers cachés ...

Scan terminé avec succès
Fichiers cachés: 0

**************************************************************************
.
--------------------- CLES DE REGISTRE BLOQUEES ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\:ôwjY*]
"DisplayName"="\09"
"DeviceDesc"="\09"
"ProviderName"=""
"MFG"="?"
"ReinstallString"="2002, 6.13.10.6143"
"DeviceInstanceIds"=multi:"\00"
.
--------------------- DLLs chargées dans les processus actifs ---------------------

- - - - - - - > 'explorer.exe'(2156)
c:\program files\ScanSoft\OmniPageSE\ophook32.dll
c:\windows\system32\eappprxy.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Microsoft Office\OFFICE11\msohev.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Autres processus actifs ------------------------
.
c:\windows\System32\inetsrv\inetinfo.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Fichiers communs\LightScribe\LSSrvc.exe
c:\progra~1\McAfee\MANAGE~1\VScan\McShield.exe
c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
c:\program files\Java\jre6\bin\jucheck.exe
.
**************************************************************************
.
Heure de fin: 2010-07-01 09:51:34 - La machine a redémarré
ComboFix-quarantined-files.txt 2010-07-01 07:51

Avant-CF: 115 571 666 944 octets libres
Après-CF: 117 567 344 640 octets libres

WindowsXP-KB310994-SP2-Pro-BootDisk-FRA.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professionnel" /fastdetect

- - End Of File - - 95566A7F5A4341E8D2D6DF9B5DB88B5D

There you go; thanks in advance to whoever takes the time to have a look at it.
  4. Hello! I'm bumping my post http://forum.zebulon.fr/infecte-par-un-rootkit-spambot-t177506.html I'm looking for a way to get rid of a rootkit on a Windows SBS 2003 server. Thanks.
  5. Hello, my post still has no new reply either. http://forum.zebulon.fr/infecte-par-un-rootkit-spambot-t177506.html Thanks.
  6. Thank you very much for replying so quickly, but there is a problem! ComboFix is not compatible with Windows Server SBS 2003, and Gmer, the program that let me find the infected PC, does a small scan when I launch it and everything is fine, but if I start a "real" scan the server crashes: either it freezes and stops responding, or it blue-screens.
  7. Hello. After my IP address got blacklisted, I investigated to find out where the problem could be coming from. On one of those blacklist sites I'm told I'm infected with the Rustock spambot. My network consists of 15 workstations, which I scanned without finding anything, and an SBS 2003 server, where I found a spambot thanks to the Gmer tool. I deleted the line the tool showed in red and then rebooted, but the blacklisting problem continues. I've come here for help cleaning my server as thoroughly as possible without making it crash! Here is the HijackThis report