
generic.botget Hijackthis


tackent

Recommended posts

Hello,

 

In the middle of all these operations, I got a message box telling me "system shutdown".

With the error indication c:\winnt\system32\lsass.exe failed ..etc.. and the system shut down.

 

OK, here are the reports:

 

1) blbeta.exe

10/28/06 12:27:25 [info]: BlackLight Engine 1.0.47 initialized

10/28/06 12:27:25 [info]: OS: 5.0 build 2195 (Service Pack 4)

10/28/06 12:27:25 [Note]: 7019 4

10/28/06 12:27:25 [Note]: 7005 0

10/28/06 12:27:27 [Note]: 7006 0

10/28/06 12:27:27 [Note]: 7011 940

10/28/06 12:27:27 [Note]: 7026 0

10/28/06 12:27:27 [Note]: 7026 0

10/28/06 12:29:03 [Note]: FSRAW library version 1.7.1020

10/28/06 12:30:38 [Note]: 7007 0

 

 

2) Silent_runners

 

"Silent Runners.vbs", revision 49, http://www.silentrunners.org/

Operating System: Windows 2000

Output limited to non-default values, except where indicated by "{++}"

 

 

Startup items buried in registry:

---------------------------------

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"SiS Tray" = "C:\WINNT\system32\sistray.EXE" ["Silicon Integrated Systems Corporation"]

"Share-to-Web Namespace Daemon" = "C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" ["Hewlett-Packard"]

"BDMCon" = ""C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg" ["SOFTWIN S.R.L."]

"BDAgent" = ""C:\Program Files\Softwin\BitDefender10\bdagent.exe"" ["SOFTWIN S.R.L."]

"!AVG Anti-Spyware" = ""C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized" ["Anti-Malware Development a.s."]

"Synchronization Manager" = "mobsync.exe /logon" [MS]

"msvcc25" = "salvage.exe" [file not found]

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)

-> {HKLM...CLSID} = "AcroIEHlprObj Class"

\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string]

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"

-> {HKLM...CLSID} = "Display Panning CPL Extension"

\InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"

-> {HKLM...CLSID} = "HyperTerminal Icon Ext"

\InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]

"{950FF917-7A57-46BC-8017-59D9BF474000}" = "Shell Extension for CDRW"

-> {HKLM...CLSID} = "Shell Extension for CDRW"

\InProcServer32\(Default) = "C:\Program Files\Ahead\InCD\incdshx.dll" ["Nero AG"]

"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"

-> {HKLM...CLSID} = "NeroDigitalIconHandler Class"

\InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]

"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"

-> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"

\InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"

-> {HKLM...CLSID} = "Outlook File Icon Extension"

\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~1\Office\OLKFSTUB.DLL" [MS]

"{A4DF5659-0801-4A60-9607-1C48695EFDA9}" = "Dossier de téléchargement Share-to-Web "

-> {HKLM...CLSID} = "Dossier de téléchargement Share-to-Web "

\InProcServer32\(Default) = "C:\Program Files\Hewlett-Packard\HP Share-to-Web\HPGS2WNS.DLL" ["Hewlett-Packard"]

"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"

-> {HKLM...CLSID} = "WinZip"

\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"

-> {HKLM...CLSID} = "WinZip"

\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"

-> {HKLM...CLSID} = "WinZip"

\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"

-> {HKLM...CLSID} = "WinZip"

\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

<<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"

-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"

\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["Anti-Malware Development a.s."]

 

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\

<<!>> "AppInit_DLLs" = "sockspy.dll" [null data]

 

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"

-> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"

\InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]

 

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"

-> {HKLM...CLSID} = "CContextScan Object"

\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]

WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"

-> {HKLM...CLSID} = "WinZip"

\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

 

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"

-> {HKLM...CLSID} = "CContextScan Object"

\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]

WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"

-> {HKLM...CLSID} = "WinZip"

\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

 

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"

-> {HKLM...CLSID} = "WinZip"

\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

 

 

Group Policies {GPedit.msc branch and setting}:

-----------------------------------------------

 

Note: detected settings may not have any effect.

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

 

"DisableRegistryTools" = (REG_DWORD) hex:0x00000000

{User Configuration|Administrative Templates|System|

Disable registry editing tools}

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

 

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}

 

 

Active Desktop and Wallpaper:

-----------------------------

 

Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

 

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "F:\2004_06_25\IMG_0785.JPG"

 

 

Startup items in "Dorella" & "All Users" startup folders:

---------------------------------------------------------

 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup

"hp psc 2000 Series" -> shortcut to: "C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe" ["Hewlett-Packard Co."]

"officejet 6100" -> shortcut to: "C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe" ["Hewlett-Packard Co."]

 

 

Winsock2 Service Provider DLLs:

-------------------------------

 

Namespace Service Providers

 

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

 

Transport Service Providers

 

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\msafd.dll [MS], 01 - 03, 06 - 27

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

 

 

Toolbars, Explorer Bars, Extensions:

------------------------------------

 

Toolbars

 

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"

-> {HKLM...CLSID} = "Yahoo! Toolbar"

\InProcServer32\(Default) = "blank" [file not found]

 

HKLM\Software\Microsoft\Internet Explorer\Toolbar\

"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)

-> {HKLM...CLSID} = "Yahoo! Toolbar"

\InProcServer32\(Default) = "blank" [file not found]

 

Extensions (Tools menu items, main toolbar menu buttons)

 

HKLM\Software\Microsoft\Internet Explorer\Extensions\

{2D663D1A-8670-49D9-A1A5-4C56B4E14E84}\

"ButtonText" = "Spyware Doctor"

"CLSIDExtension" = "{A1EDC4A1-940F-48E0-8DFD-E38F1D501021}"

-> {HKLM...CLSID} = "PCTools Browser Monitor"

\InProcServer32\(Default) = "blank" [file not found]

 

{85D1F590-48F4-11D9-9669-0800200C9A66}\

"MenuText" = "Uninstall BitDefender Online Scanner v8"

"Exec" = "%windir%\bdoscandel.exe" [null data]

 

 

Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------

 

AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe" ["Anti-Malware Development a.s."]

BitDefender Communicator, XCOMM, ""C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service" ["Softwin"]

BitDefender Desktop Update Service, LIVESRV, ""C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service" ["SOFTWIN S.R.L."]

BitDefender Scan Server, bdss, ""C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service" [null data]

BitDefender Virus Shield, VSSERV, ""C:\Program Files\Softwin\BitDefender10\vsserv.exe" /service" ["SOFTWIN S.R.L."]

InCD Helper, InCDsrv, "C:\Program Files\Ahead\InCD\InCDsrv.exe" ["Nero AG"]

PC Tools Spyware Doctor, SDhelper, "C:\Program Files\Spyware Doctor\sdhelp.exe" ["PC Tools Research Pty Ltd"]

WZCBDL Service, WZCBDLService, ""C:\Program Files\WZCBDL Service\WZCBDLS.exe"" ["D-Link"]

 

 

Print Monitors:

---------------

 

HKLM\System\CurrentControlSet\Control\Print\Monitors\

hpzlnt05\Driver = "hpzlnt05.dll" ["HP"]

 

 

----------

<<!>>: Suspicious data at a malware launch point.

 

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.

+ To search all directories of local fixed drives for DESKTOP.INI

DLL launch points, use the -supp parameter or answer "No" at the

first message box and "Yes" at the second message box.

---------- (total run time: 52 seconds, including 4 seconds for message boxes)

 

 

And I again got several messages from BitDefender and AVG saying they were blocking

generic.botget.xxxxx (c.bat and \.pif).

Running dir 3.pif from the command line, I found this file "6 .pif".

So I deleted it, but that wasn't enough!!

 

See you.


In the meantime, I ran BitDefender and AVG again. BitDefender found nothing and AVG found this:

 

---------------------------------------------------------

AVG Anti-Spyware - Scan Report

---------------------------------------------------------

 

+ Created at: 17:31:41 28.10.2006

 

+ Scan result:

 

 

 

C:\WINNT\system32\__delete_on_reboot__r_e_c_s_l_._e_x_e_ -> Backdoor.Rbot.aeu : Cleaned with backup (quarantined).

 

 

::Report end

 

 

These little beasts are really persistent!!

 

Later.


hi :P

 

The Silent Runners report highlights a registry entry that is linked to the famous salvage.exe file you were talking about. The file seems to be absent, but we're going to get rid of the value in the registry.

 

Step 1:

 

* Create a Notepad file with the text in the "code" area below (copy/paste, without the word "Code" => Careful, no blank line before REGEDIT4):

 

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msvcc25"=-

-Go to the top of the page and click the "File" menu; a list appears =>

-Choose "Save as" and pick "Desktop"

-In the "File name" field at the bottom of the page, enter the following name: remove.reg

-In the "Type" field at the bottom of the page, choose: "All files"

-then click the "Save" button to the right of the "File name" field

-exit Notepad. Don't click on the file now!

 

=>Here is what the icon of the reg file you just created should look like: fichierreg7bs.gif

if that's not the case, go back over the information above and start again!

 

Step 2:

 

*Restart the PC, making sure it is in Safe Mode (at startup, immediately tap the F8 key; a screen with boot options will then appear: choose "Safe Mode" with the keyboard arrows, then confirm with "Enter").

Choose the usual account (not Administrator).

 

if you have trouble selecting Safe Mode, follow Symantec's procedure "How to start the computer in Safe Mode" http://service1.symantec.com/support/inter...020905112131924

 

Step 3:

 

*Double-click the remove.reg file to run it. A message will ask you to merge; accept. Delete the reg file.

 

*Look for the following file; if it is present, delete it:

 

C:\WINNT\system32\salvage.exe

 

run ATF-Cleaner

 

Step 4:

 

Restart normally and please post a new DiagHelp report.

also post a report like this =>

 

Download SmitfraudFix by S!Ri to your desktop

  • Do not double-click it!! Right-click the file and choose "Extract all"
  • A new folder named Smitfraudfix will be created.
  • Open it and double-click Smitfraudfix.cmd
  • A window will open; choose option 1
  • Copy/paste the contents of the Notepad file that opens into your next post.

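Added example (my own code, not from the thread and not part of Silent Runners or DiagHelp): it parses a constructed excerpt modelled on the Silent Runners report posted earlier in the thread, flags the launch points a helper would look at first (the orphaned "msvcc25" = "salvage.exe" value and the <<!>> AppInit_DLLs entry), and generates the REGEDIT4 removal stanza that step 1 above writes by hand. It assumes Python 3 and a report in Silent Runners' own line format; the flagging rules are mine, not the tool's.

```python
"""Triage of a Silent Runners report, plus the REGEDIT4 removal stanza.

Hypothetical helper written for this thread; not part of Silent Runners.
"""
import re

# Constructed excerpt modelled on the Silent Runners output posted in the thread.
SAMPLE_REPORT = r'''
Startup items buried in registry:
---------------------------------

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"SiS Tray" = "C:\WINNT\system32\sistray.EXE" ["Silicon Integrated Systems Corporation"]
"BDMCon" = ""C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg" ["SOFTWIN S.R.L."]
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"msvcc25" = "salvage.exe" [file not found]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\
<<!>> "AppInit_DLLs" = "sockspy.dll" [null data]
'''

HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
# A key line: hive, path, optional trailing backslash and optional " {++}" marker.
KEY_RE = re.compile(r'^(HKLM|HKCU)\\(.*?)\\?(?:\s*\{\+\+\})?\s*$')
# A value line: optional <<!>> flag, "name" = "value" [tag]; the value may itself
# contain quotes (quoted path followed by arguments), so the middle group is greedy.
ENTRY_RE = re.compile(r'^(<<!>>\s*)?"([^"]+)"\s*=\s*"(.*)"\s*\[(.*)\]\s*$')


def parse_report(text):
    """Return one dict per value line, tagged with the registry key it sits under."""
    key, entries = None, []
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = HIVES[m.group(1)] + "\\" + m.group(2)
            continue
        m = ENTRY_RE.match(line)
        if m and key:
            marked, name, value, tag = m.groups()
            entries.append({"key": key, "name": name, "value": value,
                            "tag": tag, "marked": bool(marked)})
    return entries


def triage(entries):
    """Return (entry, reasons) pairs for launch points that deserve a closer look."""
    findings = []
    for e in entries:
        reasons = []
        if e["marked"]:
            reasons.append("flagged <<!>> by Silent Runners")
        if e["tag"] == "file not found":
            reasons.append("orphaned launch point: target file is missing")
        if e["tag"] == "null data":
            reasons.append("target carries no version/company information")
        # Legitimate Run values almost always carry a full path or are Microsoft
        # binaries tagged [MS]; a bare filename is resolved through the search path.
        value = e["value"].strip().strip('"')
        exe = value.split()[0] if value else ""
        if exe and "\\" not in exe and e["tag"] != "MS":
            reasons.append("bare filename without a path")
        if e["name"].lower() == "appinit_dlls" and value:
            reasons.append("AppInit_DLLs is loaded into every process that uses user32")
        if reasons:
            findings.append((e, reasons))
    return findings


def removal_reg(findings):
    """REGEDIT4 text deleting each flagged value under a Run/RunOnce key.

    Deliberately limited to Run-type keys, as the thread's remove.reg is;
    AppInit_DLLs is reported by triage() but left for manual handling.
    Returns "" when there is nothing to remove. No blank line precedes REGEDIT4.
    """
    lines = ["REGEDIT4", ""]
    for e, _ in findings:
        if e["key"].endswith(("\\Run", "\\RunOnce")):
            lines += ["[%s]" % e["key"], '"%s"=-' % e["name"], ""]
    return "\n".join(lines) if len(lines) > 2 else ""


if __name__ == "__main__":
    found = triage(parse_report(SAMPLE_REPORT))
    for e, reasons in found:
        print("%s\\%s = \"%s\"\n    %s" % (e["key"], e["name"], e["value"],
                                            "; ".join(reasons)))
    print(removal_reg(found))
```

Running it prints the two flagged entries with their reasons, then the remove.reg text for the Run value only.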

Hi,

 

I'm in the middle of generating the reports. On restart, BitDefender blocked Generic.Botget.xxxxx

with the file c:\winnt\system32\i .

And before the first restart, it had found the file recsl.exe infected with the same virus,

which was trying to make an internet connection!!

And I didn't find the salvage.exe file ...

 

 

Diag help :

 


24.02.2006 22:18 <DIR> Microsoft.NET

24.02.2006 22:18 <DIR> CE Remote Tools

24.02.2006 22:30 <DIR> MSBuild

24.02.2006 22:39 <DIR> Microsoft SQL Server 2005 Mobile Edition

24.02.2006 22:39 <DIR> Microsoft Device Emulator

24.02.2006 22:40 <DIR> Microsoft SQL Server

25.02.2006 13:27 <DIR> MSDN

26.04.2006 21:08 <DIR> Curl Corporation

01.05.2006 21:16 <DIR> Skype

03.05.2006 21:10 <DIR> Java

03.05.2006 21:12 <DIR> BSW

03.07.2006 23:11 <DIR> Lavasoft

04.07.2006 21:52 <DIR> DoctorCleaner

04.07.2006 21:56 <DIR> Registry Mechanic

04.07.2006 22:01 <DIR> BeClean

12.07.2006 18:28 <DIR> Agnitum

12.07.2006 21:30 <DIR> CCleaner

23.07.2006 14:44 <DIR> Google

25.07.2006 22:07 <DIR> Softwin

03.08.2006 19:02 457 INSTALL.LOG

26.07.2006 20:19 <DIR> VoipCheapCom

31.07.2006 23:05 <DIR> PKWARE

01.08.2006 17:16 <DIR> ESET

01.08.2006 20:16 <DIR> unzip

08.10.2006 11:59 <DIR> Yahoo!

08.10.2006 12:11 <DIR> Mozilla Firefox

08.10.2006 12:13 <DIR> Spyware Doctor

18.10.2006 18:10 <DIR> DivX

18.10.2006 18:15 <DIR> Grisoft

1 File(s) 457 bytes

74 Dir(s) 38'114'000'896 bytes free

Volume in drive C is LOCAL DISK

Volume Serial Number is 2A68-12E5

 

Directory of C:\Program Files\fichiers communs

 

24.12.2002 11:23 <DIR> .

24.12.2002 11:23 <DIR> ..

24.12.2002 14:29 <DIR> ODBC

24.12.2002 11:23 <DIR> SYSTEM

24.12.2002 11:25 <DIR> SERVICES

24.12.2002 11:37 <DIR> InstallShield

24.12.2002 11:23 <DIR> Microsoft Shared

24.12.2002 14:30 <DIR> Designer

29.12.2002 16:15 <DIR> MSSoap

29.12.2002 16:16 <DIR> Hewlett-Packard

13.06.2005 18:25 <DIR> Ahead

12.01.2003 22:56 <DIR> Adaptec Shared

29.06.2005 20:55 <DIR> Adobe

0 File(s) 0 bytes

13 Dir(s) 38'114'000'896 bytes free

Volume in drive C is LOCAL DISK

Volume Serial Number is 2A68-12E5

 

Directory of C:\Program Files\fichiers communs\Microsoft Shared\Web Folders

 

24.12.2002 11:25 <DIR> .

24.12.2002 11:25 <DIR> ..

05.05.1999 22:22 532'537 MSONSEXT.DLL

18.03.1999 05:37 593'977 RAGENT.DLL

08.04.1999 20:49 127'032 MSOWS40C.dll

17.03.1999 21:22 122'936 MSOWS409.DLL

4 File(s) 1'376'482 bytes

2 Dir(s) 38'114'000'896 bytes free

Volume in drive C is LOCAL DISK

Volume Serial Number is 2A68-12E5

 

Directory of C:\Program Files\common files

 

08.10.2005 10:19 <DIR> .

08.10.2005 10:19 <DIR> ..

08.10.2005 10:19 <DIR> Microsoft Shared

08.10.2005 10:19 <DIR> ODBC

08.10.2005 10:29 <DIR> System

08.10.2005 10:29 <DIR> Services

08.10.2005 10:48 <DIR> InstallShield

10.10.2005 21:57 <DIR> Adobe

10.10.2005 22:29 <DIR> Ahead

11.10.2005 19:14 <DIR> Designer

20.10.2005 10:44 <DIR> MSSoap

20.10.2005 10:46 <DIR> Hewlett-Packard

20.09.1995 16:16 456'976 dao3032.dll

29.01.2006 11:41 <DIR> Logitech

24.02.2006 22:18 <DIR> Merge Modules

03.05.2006 21:10 <DIR> Java

25.07.2006 22:07 <DIR> Softwin

1 File(s) 456'976 bytes

16 Dir(s) 38'114'000'896 bytes free

Volume in drive C is LOCAL DISK

Volume Serial Number is 2A68-12E5

 

Directory of C:\

 

24.05.2001 12:59 162'304 UNWISE.EXE

1 File(s) 162'304 bytes

0 Dir(s) 38'114'000'896 bytes free

c:\Documents and Settings\Dorella\Desktop\ATF-Cleaner.exe

c:\Documents and Settings\Dorella\Desktop\avgas-setup-7.5.0.50.exe

c:\Documents and Settings\Dorella\Desktop\blbeta.exe

c:\Documents and Settings\Dorella\Desktop\DivXPlay.exe

c:\Documents and Settings\Dorella\Desktop\dxwebsetup.exe

c:\Documents and Settings\Dorella\Desktop\f-bot.exe

c:\Documents and Settings\Dorella\Desktop\FixSbr.exe

c:\Documents and Settings\Dorella\Desktop\HijackThis.exe

c:\Documents and Settings\Dorella\Desktop\KillBox.exe

c:\Documents and Settings\Dorella\Desktop\mwav.exe

c:\Documents and Settings\Dorella\Desktop\nod32.exe

c:\Documents and Settings\Dorella\Desktop\stng260.exe

 

 

 

Smitfraudfix

 

SmitFraudFix v2.115

 

Scan done at 21:29:10.54, sam. 28.10.2006

Run from C:\SmitfraudFix

OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT

Fix run in normal mode

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\Web

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system32

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Dorella

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Dorella\Application Data

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\DORELLA\FAVORI~1

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

 

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]

"Source"="About:Home"

"SubscribedURL"="About:Home"

"FriendlyName"="My Current Home Page"

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

 

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs

!!!Attention, following keys are not inevitably infected!!!

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"="sockspy.dll"

 

 

»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

 

 

»»»»»»»»»»»»»»»»»»»»»»»» End

 

 

 

Good night .. :P


Hi :P

 

This malware is resistant!!

 

-1) Update AVG Anti-Spyware and exit the program.

 

-2) Reboot into Safe Mode and make sure you have access to all files; some files/folders are hidden!! =>

Start, My Computer or any other folder, Tools menu, Folder Options, View tab:

Check the box: Show hidden files and folders

Uncheck the box: Hide file extensions for known file types

Uncheck the box: Hide protected operating system files

Click "Apply"

Click the "Apply to All Folders" button / OK

 

-3) Delete the following files =>

 

C:\WINNT\System32\i

C:\WINNT\System32\scontrol.inf

 

-4) Double-click ATF-Cleaner.exe to launch the program.

  • Under the Main tab, choose: Select All
    Click the Empty Selected button
    Click Exit in the main menu to close the program.

-5) Relaunch AVG AS, then choose the "Scan" tab

Then the "Settings" tab

Under the question "How to act?", click "Recommended actions" and choose "Quarantine"

Click the "Scan" tab again, then run a "Complete system scan"

 

/!\ If an infected file is detected at the end of the scan /!\

Click "Apply all actions"

 

Click "Save report", then "Save report as"

Save this text file to your desktop.

 

 

-6) Reboot normally and post the following reports, please:

 

*Rename hijackthis.exe to tackent.exe, then make a report like this =>

  • Open HijackThis.
  • Click Open Misc Tools Section
  • Make sure the two boxes on the right are checked:
    * List all minor sections(Full)
    * List Empty Sections(Complete)
  • Click Generate StartupList Log
  • Click "yes" when asked.
  • This will generate a report; copy it and post it here.

  • Open the DiagHelp folder and double-click go.cmd (the .cmd may not be displayed)
  • A window will open; choose option 2
  • The scan will start; this may take a few minutes, let it run and press a key when asked
  • Copy/paste the contents of the Notepad window that opens into your next post.

Come on, hang in there! We'll get to the bottom of it :P


Hi,

 

-just before sending the report, I got another alert with

Generic.botget.xxxx with the file

c:\winnt\system32\\ii

(that's brand new !!)

 

 

Here is the first report:

 

--------------------------------------------------

 

 

Enumerating Browser Helper Objects:

 

(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

 

--------------------------------------------------

 

Enumerating Download Program Files:

 

[CKAVWebScan Object]

InProcServer32 = C:\WINNT\system32\Kaspersky Lab\Kaspersky On-line Scanner\kavwebscan.dll

CODEBASE = http://webscanner.kaspersky.fr/kavwebscan_unicode.cab

 

[Windows Genuine Advantage Validation Tool]

InProcServer32 = C:\WINNT\system32\LegitCheckControl.DLL

CODEBASE = http://go.microsoft.com/fwlink/?linkid=39204

 

[bDSCANONLINE Control]

InProcServer32 = C:\WINNT\DOWNLO~1\oscan8.ocx

CODEBASE = http://www.bitdefender.fr/scan8/oscan8.cab

 

[MUWebControl Class]

InProcServer32 = C:\WINNT\system32\muweb.dll

CODEBASE = http://update.microsoft.com/microsoftupdat...b?1154378515194

 

[HouseCall Control]

InProcServer32 = C:\WINNT\DOWNLO~1\xscan53.ocx

CODEBASE = http://a840.g.akamai.net/7/840/537/2005111...all/xscan53.cab

 

[iCSScanner Class]

InProcServer32 = C:\WINNT\Downloaded Program Files\ICSScan.dll

CODEBASE = http://download.zonelabs.com/bin/promotion...canner37900.cab

 

[ActiveScan Installer Class]

InProcServer32 = C:\WINNT\Downloaded Program Files\asinst.dll

CODEBASE = http://acs.pandasoftware.com/activescan/as5free/asinst.cab

 

[MsnMessengerSetupDownloadControl Class]

InProcServer32 = blank

CODEBASE = http://messenger.msn.com/download/msnmesse...pdownloader.cab

 

[Lycos File Upload Component]

InProcServer32 = blank

CODEBASE = http://f010.mail.caramail.lycos.fr/app/upl...ileUploader.cab

 

[shockwave Flash Object]

InProcServer32 = C:\WINNT\system32\Macromed\Flash\Flash8.ocx

CODEBASE = http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

 

--------------------------------------------------

 

Enumerating ShellServiceObjectDelayLoad items:

 

Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll

WebCheck: C:\WINNT\system32\webcheck.dll

SysTray: stobject.dll

 

--------------------------------------------------

End of report, 7'272 bytes

Report generated in 0.291 seconds

 

Command line options:

/verbose - to add additional info on each section

/complete - to include empty sections and unsuspicious data

/full - to include several rarely-important sections

/force9x - to include Win9x-only startups even if running on WinNT

/forcent - to include WinNT-only startups even if running on Win9x

/forceall - to include all Win9x and WinNT startups, regardless of platform

/history - to list version history only

 

 

And the second:

 

FPort v2.0 - TCP/IP Process to Port Mapper

Copyright 2000 by Foundstone, Inc.

http://www.foundstone.com

 

Pid Process Port Proto Path

568 MSTask -> 1025 TCP C:\WINNT\system32\MSTask.exe

8 System -> 139 TCP

8 System -> 445 TCP

416 svchost -> 135 TCP C:\WINNT\system32\svchost.exe

1044 vsserv -> 10025 TCP C:\Program Files\Softwin\BitDefender10\vsserv.exe

1044 vsserv -> 10080 TCP C:\Program Files\Softwin\BitDefender10\vsserv.exe

1044 vsserv -> 10110 TCP C:\Program Files\Softwin\BitDefender10\vsserv.exe

1044 vsserv -> 1028 TCP C:\Program Files\Softwin\BitDefender10\vsserv.exe

 

8 System -> 137 UDP

8 System -> 138 UDP

8 System -> 445 UDP

236 lsass -> 4500 UDP C:\WINNT\system32\lsass.exe

236 lsass -> 500 UDP C:\WINNT\system32\lsass.exe

224 services -> 68 UDP C:\WINNT\system32\services.exe

 

 

 

PsList 1.26 - Process Information Lister

Copyright © 1999-2004 Mark Russinovich

Sysinternals - www.sysinternals.com

 

Process information for PC1:

 

Name Pid Pri Thd Hnd VM WS Priv

Idle 0 0 1 0 0 16 0

System 8 8 37 128 1672 220 32

smss 148 11 6 36 5252 584 1076

winlogon 172 13 17 365 37868 4892 5808

services 224 9 32 476 33340 5532 2740

svchost 416 8 8 218 25532 4368 1612

hpgs2wnf 1128 8 4 88 28444 3660 1056

spoolsv 440 8 12 146 28372 4664 2704

guard 468 8 8 84 44484 10392 17772

svchost 484 8 15 230 36392 6296 1952

InCDsrv 504 8 10 143 23420 3656 1304

MSTask 568 8 7 122 26248 3500 1188

sdhelp 616 8 6 88 29136 4336 1500

stisvc 660 8 5 79 23596 3548 1044

WinMgmt 716 8 5 122 24760 352 1084

WZCBDLS 740 8 3 57 26100 3060 1136

xcommsvr 752 8 2 142 18596 256 548

bdss 764 8 7 250 113912 12768 29848

livesrv 868 8 3 158 28456 784 1304

vsserv 1044 8 15 353 71380 1700 16196

lsass 236 9 16 255 29436 1192 2664

csrss 176 13 10 386 24760 2980 1612

notepad 580 8 3 53 26112 260 1572

Explorer 980 8 16 319 58216 1644 6948

sistray 1092 8 1 42 24752 2776 824

hpgs2wnd 1096 8 3 89 27416 3656 1048

bdmcon 1132 8 14 314 75704 2312 10700

bdagent 1156 8 2 160 31700 140 1756

avgas 1268 8 18 165 84764 8236 27060

hpobnz08 1296 8 5 108 35944 6340 2860

hposol08 1360 8 5 106 35772 6084 2796

cmd 1596 8 1 40 18956 2288 804

pslist 808 13 2 105 23140 2444 1176

 

ListDLLs v2.25 - DLL lister for Win9x/NT

Copyright © 1997-2004 Mark Russinovich

Sysinternals - www.sysinternals.com

 

------------------------------------------------------------------------------

Explorer.EXE pid: 980

Command line: C:\WINNT\Explorer.EXE

 

Base Size Version Path

0x00400000 0x3e000 5.00.3700.6690 C:\WINNT\Explorer.EXE

0x77f80000 0x7b000 5.00.2195.6685 C:\WINNT\system32\ntdll.dll

0x7c2d0000 0x62000 5.00.2195.6710 C:\WINNT\system32\ADVAPI32.DLL

0x7c4e0000 0xb9000 5.00.2195.6688 C:\WINNT\system32\KERNEL32.DLL

0x77d30000 0x6f000 5.00.2195.7085 C:\WINNT\system32\RPCRT4.DLL

0x77f40000 0x3c000 5.00.2195.7073 C:\WINNT\system32\GDI32.DLL

0x77e10000 0x65000 5.00.2195.6688 C:\WINNT\system32\USER32.dll

0x70a70000 0x66000 6.00.2800.1740 C:\WINNT\system32\SHLWAPI.DLL

0x78000000 0x45000 6.01.9844.0000 C:\WINNT\system32\msvcrt.dll

0x71710000 0x84000 5.81.4916.0400 C:\WINNT\system32\COMCTL32.DLL

0x732e0000 0x25000 5.00.2195.6717 C:\WINNT\system32\shim.dll

0x23000000 0x56000 5.00.2195.6717 C:\WINNT\AppPatch\AcLayers.DLL

0x5a000000 0x1f000 3.06.0000.2079 C:\Program Files\Spyware Doctor\tools\swpg.dat

0x779b0000 0x9b000 2.40.4522.0000 C:\WINNT\system32\oleaut32.dll

0x7ce20000 0xef000 5.00.2195.7059 C:\WINNT\system32\ole32.dll

0x690a0000 0xb000 5.00.2134.0001 C:\WINNT\system32\PSAPI.DLL

0x7cf30000 0x246000 5.00.3900.7080 C:\WINNT\system32\SHELL32.dll

0x7c950000 0x8f000 2000.02.3529.0000 C:\WINNT\system32\CLBCATQ.DLL

0x77840000 0x3e000 5.00.2195.6705 C:\WINNT\system32\cscui.dll

0x770c0000 0x23000 5.00.2195.6713 C:\WINNT\system32\CSCDLL.DLL

0x00eb0000 0x14a000 6.00.2800.1849 C:\WINNT\system32\SHDOCVW.DLL

0x71500000 0xfc000 6.00.2800.1692 C:\WINNT\system32\browseui.dll

0x76710000 0x9000 5.00.2195.7069 C:\WINNT\system32\LINKINFO.DLL

0x76fa0000 0xf000 5.00.2134.0001 C:\WINNT\system32\ntshrui.dll

0x773e0000 0x15000 3.00.9435.0000 C:\WINNT\system32\ATL.DLL

0x7cdc0000 0x50000 5.00.2195.7105 C:\WINNT\system32\NETAPI32.DLL

0x7c340000 0xf000 5.00.2195.6695 C:\WINNT\system32\Secur32.dll

0x77bf0000 0x11000 5.00.2195.6666 C:\WINNT\system32\NTDSAPI.dll

0x77980000 0x24000 5.00.2195.6680 C:\WINNT\system32\DNSAPI.DLL

0x75050000 0x8000 5.00.2195.6603 C:\WINNT\system32\WSOCK32.DLL

0x75030000 0x14000 5.00.2195.6601 C:\WINNT\system32\WS2_32.DLL

0x75020000 0x8000 5.00.2134.0001 C:\WINNT\system32\WS2HELP.DLL

0x77950000 0x2a000 5.00.2195.6666 C:\WINNT\system32\WLDAP32.DLL

0x751c0000 0x6000 5.00.2134.0001 C:\WINNT\system32\NETRAP.dll

0x75150000 0xf000 5.00.2195.6666 C:\WINNT\system32\SAMLIB.dll

0x76620000 0x11000 5.00.2195.6611 C:\WINNT\system32\MPR.DLL

0x7c0f0000 0x62000 5.00.2195.6711 C:\WINNT\system32\USERENV.DLL

0x75160000 0xc000 5.00.2195.6601 C:\WINNT\System32\ntlanman.dll

0x75210000 0x15000 5.00.2195.6601 C:\WINNT\System32\NETUI0.DLL

0x751d0000 0x38000 5.00.2134.0001 C:\WINNT\System32\NETUI1.DLL

0x76f20000 0x77000 5.00.2195.6604 C:\WINNT\system32\NETSHELL.dll

0x70340000 0x41000 6.00.2800.1106 C:\WINNT\system32\webcheck.dll

0x766d0000 0x18000 5.00.2195.6601 C:\WINNT\system32\stobject.dll

0x76740000 0x8000 5.00.3502.6601 C:\WINNT\system32\BATMETER.DLL

0x77880000 0x8e000 5.00.2195.6622 C:\WINNT\system32\SETUPAPI.DLL

0x766f0000 0x7000 5.00.3502.6601 C:\WINNT\system32\POWRPROF.DLL

0x77570000 0x30000 5.00.2161.0001 C:\WINNT\system32\WINMM.DLL

0x77560000 0x8000 5.00.2195.6673 C:\WINNT\system32\wdmaud.drv

0x77400000 0x8000 5.00.2134.0001 C:\WINNT\system32\msacm32.drv

0x77410000 0x13000 5.00.2134.0001 C:\WINNT\system32\MSACM32.dll

0x745e0000 0x2c6000 3.01.4000.2435 C:\WINNT\system32\MSI.DLL

0x76290000 0x3e000 2000.02.3529.0000 C:\WINNT\System32\es.dll

0x6de80000 0x64000 2000.02.3529.0000 C:\WINNT\System32\TxfAux.Dll

0x01ed0000 0x22000 10.00.0000.0000 C:\Program Files\Softwin\BitDefender10\bdoe.dll

0x01f00000 0x15000 1.08.0011.0000 C:\WINNT\system32\XCOMM.dll

0x77820000 0x7000 5.00.2195.6623 C:\WINNT\system32\VERSION.dll

0x759b0000 0x6000 5.00.2195.6611 C:\WINNT\system32\LZ32.DLL

0x01f20000 0xb000 10.00.0000.0004 C:\Program Files\Softwin\BitDefender10\BDUtils.dll

0x01f30000 0x103000 7.10.3077.0000 C:\WINNT\system32\MFC71.DLL

0x02040000 0x56000 7.10.3052.0004 C:\WINNT\system32\MSVCR71.dll

0x7c3a0000 0x7b000 7.10.3077.0000 C:\WINNT\system32\MSVCP71.dll

0x5d360000 0xe000 7.10.3077.0000 C:\WINNT\system32\MFC71ENU.DLL

0x63000000 0x95000 6.00.2800.1548 C:\WINNT\system32\WININET.dll

0x77440000 0x78000 5.131.2195.6661 C:\WINNT\system32\CRYPT32.dll

0x77430000 0x10000 5.00.2195.6666 C:\WINNT\system32\MSASN1.DLL

0x71f00000 0x4d000 5.00.2178.0001 C:\WINNT\System32\docprop2.dll

0x6a8f0000 0x20000 5.00.2195.6612 C:\WINNT\System32\MSVFW32.DLL

0x02330000 0x16000 5.00.2195.6612 C:\WINNT\System32\AVIFIL32.DLL

0x10000000 0x174000 1.01.0001.0001 C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll

0x70020000 0x5000 5.00.2134.0001 C:\WINNT\system32\faxshell.dll

0x02c60000 0x13000 7.05.0000.0047 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll

0x02d60000 0x12000 1.00.0000.0002 C:\Program Files\Softwin\BitDefender10\bdshelxt.dll

0x16200000 0x6000 4.01.0000.0000 C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

0x379b0000 0x8c000 9.00.0000.3503 C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL

0x03110000 0x20000 7.05.0000.0049 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll

0x71960000 0x12000 6.00.2800.1106 C:\WINNT\system32\browselc.dll

0x03320000 0x8000 1.00.0000.0001 C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

0x1a400000 0x7d000 6.00.2800.1550 C:\WINNT\system32\urlmon.dll

0x718c0000 0x84000 6.00.2800.1106 C:\WINNT\system32\shdoclc.dll

0x03420000 0x25000 2.06.0000.0161 C:\Program Files\Hewlett-Packard\HP Share-to-Web\HPGS2WNS.DLL

0x03460000 0x5000 2.06.0000.0161 C:\Program Files\Hewlett-Packard\HP Share-to-Web\S2WNSRES.DLL

0x034b0000 0x6000 C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnfps.dll

0x75d40000 0x6000 5.00.2134.0001 C:\WINNT\system32\msadp32.acm

 

ListDLLs v2.25 - DLL lister for Win9x/NT

Copyright © 1997-2004 Mark Russinovich

Sysinternals - www.sysinternals.com

 

No matching processes were found.

 

ListDLLs v2.25 - DLL lister for Win9x/NT

Copyright © 1997-2004 Mark Russinovich

Sysinternals - www.sysinternals.com

 

------------------------------------------------------------------------------

winlogon.exe pid: 172

Command line: winlogon.exe

 

Base Size Version Path

0x01000000 0x2e000 \??\C:\WINNT\system32\winlogon.exe

0x77f80000 0x7b000 5.00.2195.6685 C:\WINNT\system32\ntdll.dll

0x78000000 0x45000 6.01.9844.0000 C:\WINNT\system32\MSVCRT.DLL

0x7c4e0000 0xb9000 5.00.2195.6688 C:\WINNT\system32\KERNEL32.dll

0x7c2d0000 0x62000 5.00.2195.6710 C:\WINNT\system32\ADVAPI32.DLL

0x77d30000 0x6f000 5.00.2195.7085 C:\WINNT\system32\RPCRT4.DLL

0x77f40000 0x3c000 5.00.2195.7073 C:\WINNT\system32\GDI32.DLL

0x77e10000 0x65000 5.00.2195.6688 C:\WINNT\system32\USER32.dll

0x7c0f0000 0x62000 5.00.2195.6711 C:\WINNT\system32\USERENV.DLL

0x769a0000 0x7000 5.00.2195.6661 C:\WINNT\system32\NDDEAPI.DLL

0x76980000 0x1b000 5.00.2195.6673 C:\WINNT\system32\SFC.DLL

0x68010000 0xf0000 5.00.2195.6717 C:\WINNT\system32\sfcfiles.dll

0x7c340000 0xf000 5.00.2195.6695 C:\WINNT\system32\SECUR32.DLL

0x690f0000 0xb000 5.00.2195.6610 C:\WINNT\system32\PROFMAP.DLL

0x7cdc0000 0x50000 5.00.2195.7105 C:\WINNT\system32\NETAPI32.dll

0x77bf0000 0x11000 5.00.2195.6666 C:\WINNT\system32\NTDSAPI.dll

0x77980000 0x24000 5.00.2195.6680 C:\WINNT\system32\DNSAPI.DLL

0x75050000 0x8000 5.00.2195.6603 C:\WINNT\system32\WSOCK32.DLL

0x75030000 0x14000 5.00.2195.6601 C:\WINNT\system32\WS2_32.DLL

0x75020000 0x8000 5.00.2134.0001 C:\WINNT\system32\WS2HELP.DLL

0x77950000 0x2a000 5.00.2195.6666 C:\WINNT\system32\WLDAP32.DLL

0x751c0000 0x6000 5.00.2134.0001 C:\WINNT\system32\NETRAP.dll

0x75150000 0xf000 5.00.2195.6666 C:\WINNT\system32\SAMLIB.dll

0x76b90000 0x55000 5.00.2195.6669 C:\WINNT\system32\msgina.dll

0x7cf30000 0x246000 5.00.3900.7080 C:\WINNT\system32\SHELL32.DLL

0x70a70000 0x66000 6.00.2800.1740 C:\WINNT\system32\SHLWAPI.dll

0x71710000 0x84000 5.81.4916.0400 C:\WINNT\system32\COMCTL32.dll

0x65780000 0xd000 5.00.2195.6701 C:\WINNT\system32\WINSTA.DLL

0x77570000 0x30000 5.00.2161.0001 C:\WINNT\system32\WINMM.dll

0x77880000 0x8e000 5.00.2195.6622 C:\WINNT\system32\setupapi.dll

0x5a000000 0x1f000 3.06.0000.2079 C:\Program Files\Spyware Doctor\tools\swpg.dat

0x779b0000 0x9b000 2.40.4522.0000 C:\WINNT\system32\oleaut32.dll

0x7ce20000 0xef000 5.00.2195.7059 C:\WINNT\system32\ole32.dll

0x690a0000 0xb000 5.00.2134.0001 C:\WINNT\system32\PSAPI.DLL

0x77560000 0x8000 5.00.2195.6673 C:\WINNT\system32\wdmaud.drv

0x76930000 0x2b000 5.131.2195.6624 C:\WINNT\system32\wintrust.dll

0x77440000 0x78000 5.131.2195.6661 C:\WINNT\system32\CRYPT32.dll

0x77430000 0x10000 5.00.2195.6666 C:\WINNT\system32\MSASN1.DLL

0x77920000 0x23000 5.00.2195.6613 C:\WINNT\system32\IMAGEHLP.dll

0x76a00000 0x5000 5.131.2134.0001 C:\WINNT\system32\mscat32.dll

0x7ca00000 0x23000 5.00.2195.6611 C:\WINNT\system32\rsaenh.dll

0x770c0000 0x23000 5.00.2195.6713 C:\WINNT\system32\cscdll.dll

0x76920000 0x10000 5.00.2195.6706 C:\WINNT\system32\WlNotify.dll

0x75570000 0x24000 5.00.2195.6619 C:\WINNT\system32\CERTCLI.DLL

0x773e0000 0x15000 3.00.9435.0000 C:\WINNT\system32\ATL.DLL

0x76960000 0x17000 5.00.2195.6609 C:\WINNT\system32\WINSCARD.DLL

0x77800000 0x1e000 5.00.2195.6659 C:\WINNT\system32\WINSPOOL.DRV

0x76620000 0x11000 5.00.2195.6611 C:\WINNT\system32\MPR.DLL

0x77840000 0x3e000 5.00.2195.6705 C:\WINNT\system32\cscui.dll

0x01b20000 0x11000 5.00.2195.6604 C:\WINNT\system32\wzcdlg.dll

0x01b40000 0xa000 5.00.2195.6604 C:\WINNT\system32\WZCSAPI.DLL

0x7c950000 0x8f000 2000.02.3529.0000 C:\WINNT\system32\CLBCATQ.DLL

0x77400000 0x8000 5.00.2134.0001 C:\WINNT\system32\msacm32.drv

0x77410000 0x13000 5.00.2134.0001 C:\WINNT\system32\MSACM32.dll

0x77820000 0x7000 5.00.2195.6623 C:\WINNT\system32\VERSION.dll

0x759b0000 0x6000 5.00.2195.6611 C:\WINNT\system32\LZ32.DLL

0x782d0000 0x1f000 5.00.2195.6680 C:\WINNT\system32\msv1_0.dll

 

ListDLLs v2.25 - DLL lister for Win9x/NT

Copyright © 1997-2004 Mark Russinovich

Sysinternals - www.sysinternals.com

 

------------------------------------------------------------------------------

services.exe pid: 224

Command line: C:\WINNT\system32\services.exe

 

Base Size Version Path

0x01000000 0x18000 5.00.2195.6700 C:\WINNT\system32\services.exe

0x77f80000 0x7b000 5.00.2195.6685 C:\WINNT\system32\ntdll.dll

0x77d30000 0x6f000 5.00.2195.7085 C:\WINNT\system32\RPCRT4.DLL

0x7c4e0000 0xb9000 5.00.2195.6688 C:\WINNT\system32\KERNEL32.dll

0x7c2d0000 0x62000 5.00.2195.6710 C:\WINNT\system32\ADVAPI32.dll

0x7cdc0000 0x50000 5.00.2195.7105 C:\WINNT\system32\NETAPI32.DLL

0x78000000 0x45000 6.01.9844.0000 C:\WINNT\system32\MSVCRT.dll

0x7c340000 0xf000 5.00.2195.6695 C:\WINNT\system32\Secur32.dll

0x77bf0000 0x11000 5.00.2195.6666 C:\WINNT\system32\NTDSAPI.dll

0x77980000 0x24000 5.00.2195.6680 C:\WINNT\system32\DNSAPI.DLL

0x75050000 0x8000 5.00.2195.6603 C:\WINNT\system32\WSOCK32.DLL

0x75030000 0x14000 5.00.2195.6601 C:\WINNT\system32\WS2_32.DLL

0x75020000 0x8000 5.00.2134.0001 C:\WINNT\system32\WS2HELP.DLL

0x77950000 0x2a000 5.00.2195.6666 C:\WINNT\system32\WLDAP32.DLL

0x751c0000 0x6000 5.00.2134.0001 C:\WINNT\system32\NETRAP.dll

0x75150000 0xf000 5.00.2195.6666 C:\WINNT\system32\SAMLIB.dll

0x77e10000 0x65000 5.00.2195.6688 C:\WINNT\system32\USER32.DLL

0x77f40000 0x3c000 5.00.2195.7073 C:\WINNT\system32\GDI32.DLL

0x767a0000 0x19000 5.00.2195.7069 C:\WINNT\system32\UMPNPMGR.DLL

0x7c0f0000 0x62000 5.00.2195.6711 C:\WINNT\system32\USERENV.DLL

0x76460000 0x42000 5.00.2195.6704 C:\WINNT\system32\SCESRV.DLL

0x76890000 0xf000 5.00.2195.6716 C:\WINNT\system32\eventlog.dll

0x77360000 0x19000 5.00.2195.6685 C:\WINNT\system32\dhcpcsvc.dll

0x77520000 0x5000 5.00.2134.0001 C:\WINNT\system32\ICMP.DLL

0x77340000 0x13000 5.00.2195.6602 C:\WINNT\system32\IPHLPAPI.DLL

0x77320000 0x17000 5.00.2181.0001 C:\WINNT\system32\MPRAPI.DLL

0x7ce20000 0xef000 5.00.2195.7059 C:\WINNT\system32\OLE32.DLL

0x779b0000 0x9b000 2.40.4522.0000 C:\WINNT\system32\OLEAUT32.DLL

0x773b0000 0x2f000 5.00.2195.6601 C:\WINNT\system32\ACTIVEDS.DLL

0x77380000 0x23000 5.00.2195.6701 C:\WINNT\system32\ADSLDPC.DLL

0x77830000 0xe000 5.00.2168.0001 C:\WINNT\system32\RTUTILS.DLL

0x77880000 0x8e000 5.00.2195.6622 C:\WINNT\system32\SETUPAPI.DLL

0x774e0000 0x33000 5.00.2195.6625 C:\WINNT\system32\RASAPI32.DLL

0x774c0000 0x11000 5.00.2195.6604 C:\WINNT\system32\RASMAN.DLL

0x77530000 0x22000 5.00.2195.6664 C:\WINNT\system32\TAPI32.DLL

0x71710000 0x84000 5.81.4916.0400 C:\WINNT\system32\COMCTL32.DLL

0x70a70000 0x66000 6.00.2800.1740 C:\WINNT\system32\SHLWAPI.DLL

0x768a0000 0x19000 5.00.2195.6663 C:\WINNT\system32\dnsrslvr.dll

0x76880000 0x6000 5.00.2195.6601 C:\WINNT\system32\lmhsvc.dll

0x74fd0000 0x1e000 5.00.2195.6602 C:\WINNT\system32\msafd.dll

0x75010000 0x7000 5.00.2195.6601 C:\WINNT\System32\wshtcpip.dll

0x65780000 0xd000 5.00.2195.6701 C:\WINNT\system32\WINSTA.DLL

0x768c0000 0x6000 2195.6605.0297.0003 C:\WINNT\system32\dmserver.dll

0x770b0000 0x7000 5.00.2134.0001 C:\WINNT\system32\CFGMGR32.DLL

0x767e0000 0x16000 5.00.2195.6697 C:\WINNT\system32\Srvsvc.dll

0x77800000 0x1e000 5.00.2195.6659 C:\WINNT\system32\WINSPOOL.DRV

0x76620000 0x11000 5.00.2195.6611 C:\WINNT\system32\MPR.DLL

0x76770000 0x1a000 5.00.2195.6692 C:\WINNT\system32\wkssvc.dll

0x76670000 0xe000 5.00.2195.6607 C:\WINNT\system32\CRYPTDLL.DLL

0x768d0000 0x14000 5.00.2195.6661 C:\WINNT\system32\cryptsvc.dll

0x765f0000 0x1f000 5.00.2195.6661 C:\WINNT\system32\psbase.dll

0x7ca00000 0x23000 5.00.2195.6611 C:\WINNT\system32\rsaenh.dll

0x77440000 0x78000 5.131.2195.6661 C:\WINNT\system32\CRYPT32.dll

0x77430000 0x10000 5.00.2195.6666 C:\WINNT\system32\MSASN1.DLL

0x76800000 0x7000 5.00.2195.6707 C:\WINNT\system32\seclogon.dll

0x5a000000 0x1f000 3.06.0000.2079 C:\Program Files\Spyware Doctor\tools\swpg.dat

0x690a0000 0xb000 5.00.2134.0001 C:\WINNT\system32\PSAPI.DLL

0x76750000 0x15000 5.00.2195.6611 C:\WINNT\system32\wmicore.dll

0x782c0000 0xc000 5.00.2195.6603 C:\WINNT\System32\rnr20.dll

Volume in drive C is LOCAL DISK

Volume Serial Number is 2A68-12E5

 

Directory of C:\Program Files

 

24.12.2002 11:23 <DIR> .

24.12.2002 11:23 <DIR> ..

24.12.2002 11:23 <DIR> Plus!

13.06.2004 19:05 <DIR> CASIO

24.12.2002 11:23 <DIR> CHAT

24.12.2002 11:27 <DIR> Publication Web

24.12.2002 11:23 <DIR> NetMeeting

24.12.2002 11:23 <DIR> Accessoires

24.12.2002 11:23 <DIR> Fichiers communs

24.12.2002 11:23 <DIR> Internet Explorer

24.12.2002 11:23 <DIR> Outlook Express

24.12.2002 11:23 <DIR> Windows Media Player

24.12.2002 11:26 <DIR> Services en ligne

24.12.2002 11:33 <DIR> DirectX

24.12.2002 11:46 <DIR> SiS_Compatible_VGA_V2.07k

24.12.2002 11:54 <DIR> C-Media Audio

24.12.2002 14:18 <DIR> Ahead

24.12.2002 14:38 <DIR> CyberLink

24.12.2002 14:29 <DIR> Microsoft Office

29.12.2002 16:17 <DIR> ReadIris

31.12.2002 15:11 <DIR> vanBasco's Karaoke Player

29.12.2002 16:15 <DIR> Hewlett-Packard

30.12.2002 15:08 <DIR> WinZip

11.01.2003 22:38 <DIR> freesurf

23.05.2005 19:02 <DIR> SSMM 3.7

21.04.2005 19:48 <DIR> Microsoft FrontPage

21.04.2005 19:49 <DIR> Microsoft Visual Studio

13.06.2005 19:59 <DIR> CDRIPMP3

29.06.2005 20:55 <DIR> Adobe

20.09.2005 19:48 <DIR> D-Link

20.09.2005 19:48 <DIR> NIOC Service

29.06.2005 21:08 <DIR> WZCBDL Service

08.10.2005 10:19 <DIR> Common Files

08.10.2005 10:28 <DIR> Windows NT

08.10.2005 10:28 <DIR> Accessories

08.10.2005 10:29 <DIR> ComPlus Applications

10.10.2005 20:52 <DIR> SiS Compatible VGA V2.07k

10.10.2005 21:00 <DIR> SiSLan

16.10.2005 11:14 <DIR> Canon

29.10.2005 17:36 <DIR> Bluewin

30.10.2005 08:10 <DIR> Anuman Interactive

29.01.2006 11:41 <DIR> Logitech

29.01.2006 11:47 <DIR> Messenger

29.01.2006 11:47 <DIR> MSN Messenger

24.02.2006 22:13 <DIR> Microsoft Visual Studio 8

24.02.2006 22:18 <DIR> HTML Help Workshop

24.02.2006 22:18 <DIR> Microsoft.NET

24.02.2006 22:18 <DIR> CE Remote Tools

24.02.2006 22:30 <DIR> MSBuild

24.02.2006 22:39 <DIR> Microsoft SQL Server 2005 Mobile Edition

24.02.2006 22:39 <DIR> Microsoft Device Emulator

24.02.2006 22:40 <DIR> Microsoft SQL Server

25.02.2006 13:27 <DIR> MSDN

26.04.2006 21:08 <DIR> Curl Corporation

01.05.2006 21:16 <DIR> Skype

03.05.2006 21:10 <DIR> Java

03.05.2006 21:12 <DIR> BSW

03.07.2006 23:11 <DIR> Lavasoft

04.07.2006 21:52 <DIR> DoctorCleaner

04.07.2006 21:56 <DIR> Registry Mechanic

04.07.2006 22:01 <DIR> BeClean

12.07.2006 18:28 <DIR> Agnitum

12.07.2006 21:30 <DIR> CCleaner

23.07.2006 14:44 <DIR> Google

25.07.2006 22:07 <DIR> Softwin

03.08.2006 19:02 457 INSTALL.LOG

26.07.2006 20:19 <DIR> VoipCheapCom

31.07.2006 23:05 <DIR> PKWARE

01.08.2006 17:16 <DIR> ESET

01.08.2006 20:16 <DIR> unzip

08.10.2006 11:59 <DIR> Yahoo!

08.10.2006 12:11 <DIR> Mozilla Firefox

08.10.2006 12:13 <DIR> Spyware Doctor

18.10.2006 18:10 <DIR> DivX

18.10.2006 18:15 <DIR> Grisoft

1 File(s) 457 bytes

74 Dir(s) 38'119'702'528 bytes free

Volume in drive C is LOCAL DISK

Volume Serial Number is 2A68-12E5

 

Directory of C:\

 

24.05.2001 12:59 162'304 UNWISE.EXE

 

Directory of C:\

 

24.05.2001 12:59 162'304 UNWISE.EXE

2 File(s) 324'608 bytes

0 Dir(s) 38'119'702'528 bytes free

C:\Documents and Settings\Dorella\Desktop\ATF-Cleaner.exe

C:\Documents and Settings\Dorella\Desktop\avgas-setup-7.5.0.50.exe

C:\Documents and Settings\Dorella\Desktop\blbeta.exe

C:\Documents and Settings\Dorella\Desktop\DivXPlay.exe

C:\Documents and Settings\Dorella\Desktop\dxwebsetup.exe

C:\Documents and Settings\Dorella\Desktop\f-bot.exe

C:\Documents and Settings\Dorella\Desktop\FixSbr.exe

C:\Documents and Settings\Dorella\Desktop\KillBox.exe

C:\Documents and Settings\Dorella\Desktop\mwav.exe

C:\Documents and Settings\Dorella\Desktop\nod32.exe

C:\Documents and Settings\Dorella\Desktop\stng260.exe

C:\Documents and Settings\Dorella\Desktop\Tackent.exe

 

 

Have a good evening, and thanks again for so much patience. I'm losing mine!! :P


Hi :P

 

The HijackThis log you posted looks incomplete: please post it in full in your next message :P

 

Now we're going to use this fix =>

 

Download SDFix (created by AndyManchesta) and save it to your Desktop.

Double-click SDFix.exe and choose Install to extract it into a dedicated folder on the Desktop. Restart your computer in Safe Mode by following this procedure:

  • Restart your computer
  • After hearing the computer beep during startup, but before the Windows icon appears, tap the F8 key (one press per second).
  • Instead of the normal Windows loading, a menu with different options should appear.
  • Choose the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your account.

Go through the list of instructions below:

  • Open the SDFix folder that was just created on the Desktop and double-click RunThis.bat to launch the script.
  • Press Y to start the cleaning process.
  • It will remove the services and Registry entries of certain trojans it finds, then ask you to press a key to restart.
  • Press any key to restart the PC.
  • Your system will take longer than usual to restart because the tool will keep running and deleting files.
  • Once the Desktop has loaded, the tool will finish its work and display Finished.
  • Press any key to end the script and load your Desktop icons.
  • Once the Desktop icons are displayed, the SDFix report will open on screen and will also be saved in the SDFix folder as Report.txt.
  • Finally, copy/paste the contents of Report.txt into your next reply on the forum, along with a new HijackThis log!

Don't forget to run this tool in Safe Mode please, it's important!


Re,

 

SDFix report:

 

 

SDFix: Version 1.34
-------------------

Scan run on:
dim. 29.10.2006

Time:
22:35

Microsoft Windows 2000 [Version 5.00.2195]

Running from: C:\antivirus\SDFix

Stage One...

Checking Services...

Name:
-----

Path:
----

Repairing Registry...

Restoring Default Hosts File...

Stage One Complete

Rebooting...

Stage Two...

Checking For Malware:
--------------------

Backing Up and Removing any Files Found...

Final Check:

Services:
---------

Files:
------

Any files removed are saved to the SDFix\backups Folder

FINISHED

 

 

startuplist.txt report:

 

StartupList report, 29.10.2006, 22:43:24

StartupList version: 1.52.2

Started from : C:\Documents and Settings\Dorella\Desktop\Tackent.EXE

Detected: Windows 2000 SP4 (WinNT 5.00.2195)

Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)

* Using default options

==================================================

 

Running processes:

 

C:\WINNT\System32\smss.exe

C:\WINNT\system32\csrss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\Ahead\InCD\InCDsrv.exe

C:\WINNT\system32\MSTask.exe

C:\Program Files\Spyware Doctor\sdhelp.exe

C:\WINNT\system32\stisvc.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\svchost.exe

C:\Program Files\WZCBDL Service\WZCBDLS.exe

C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe

C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Softwin\BitDefender10\vsserv.exe

C:\WINNT\system32\notepad.exe

C:\WINNT\system32\sistray.EXE

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\Program Files\Softwin\BitDefender10\bdmcon.exe

C:\Program Files\Softwin\BitDefender10\bdagent.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe

C:\WINNT\system32\NOTEPAD.EXE

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe

C:\Documents and Settings\Dorella\Desktop\Tackent.exe

 

--------------------------------------------------

 

Listing of startup folders:

 

Shell folders Common Startup:

[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]

hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe

officejet 6100.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe

 

--------------------------------------------------

 

Checking Windows NT UserInit:

 

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

UserInit = C:\WINNT\system32\userinit.exe,

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

 

SiS Tray = C:\WINNT\system32\sistray.EXE

Share-to-Web Namespace Daemon = C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

BDMCon = "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg

BDAgent = "C:\Program Files\Softwin\BitDefender10\bdagent.exe"

!AVG Anti-Spyware = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

Synchronization Manager = mobsync.exe /logon

 

--------------------------------------------------

 

Load/Run keys from C:\WINNT\WIN.INI:

 

load=*INI section not found*

run=*INI section not found*

 

Load/Run keys from Registry:

 

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*

HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*

HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*

HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*

HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*

HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*

HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*

HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*

HKCU\..\Windows NT\CurrentVersion\Windows: load=

HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*

HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*

HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*

HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=sockspy.dll

 

--------------------------------------------------

 

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

 

Shell=*INI section not found*

SCRNSAVE.EXE=*INI section not found*

drivers=*INI section not found*

 

Shell & screensaver key from Registry:

 

Shell=Explorer.exe

SCRNSAVE.EXE=*Registry value not found*

drivers=*Registry value not found*

 

Policies Shell key:

 

HKCU\..\Policies: Shell=*Registry value not found*

HKLM\..\Policies: Shell=*Registry value not found*

 

--------------------------------------------------

 

 

Enumerating Browser Helper Objects:

 

(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

 

--------------------------------------------------

 

Enumerating Download Program Files:

 

[CKAVWebScan Object]

InProcServer32 = C:\WINNT\system32\Kaspersky Lab\Kaspersky On-line Scanner\kavwebscan.dll

CODEBASE = http://webscanner.kaspersky.fr/kavwebscan_unicode.cab

 

[Windows Genuine Advantage Validation Tool]

InProcServer32 = C:\WINNT\system32\LegitCheckControl.DLL

CODEBASE = http://go.microsoft.com/fwlink/?linkid=39204

 

[BDSCANONLINE Control]

InProcServer32 = C:\WINNT\DOWNLO~1\oscan8.ocx

CODEBASE = http://www.bitdefender.fr/scan8/oscan8.cab

 

[MUWebControl Class]

InProcServer32 = C:\WINNT\system32\muweb.dll

CODEBASE = http://update.microsoft.com/microsoftupdat...b?1154378515194

 

[HouseCall Control]

InProcServer32 = C:\WINNT\DOWNLO~1\xscan53.ocx

CODEBASE = http://a840.g.akamai.net/7/840/537/2005111...all/xscan53.cab

 

[ICSScanner Class]

InProcServer32 = C:\WINNT\Downloaded Program Files\ICSScan.dll

CODEBASE = http://download.zonelabs.com/bin/promotion...canner37900.cab

 

[ActiveScan Installer Class]

InProcServer32 = C:\WINNT\Downloaded Program Files\asinst.dll

CODEBASE = http://acs.pandasoftware.com/activescan/as5free/asinst.cab

 

[MsnMessengerSetupDownloadControl Class]

InProcServer32 = blank

CODEBASE = http://messenger.msn.com/download/msnmesse...pdownloader.cab

 

[Lycos File Upload Component]

InProcServer32 = blank

CODEBASE = http://f010.mail.caramail.lycos.fr/app/upl...ileUploader.cab

 

[Shockwave Flash Object]

InProcServer32 = C:\WINNT\system32\Macromed\Flash\Flash8.ocx

CODEBASE = http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

 

--------------------------------------------------

 

Enumerating ShellServiceObjectDelayLoad items:

 

Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll

WebCheck: C:\WINNT\system32\webcheck.dll

SysTray: stobject.dll

 

--------------------------------------------------

End of report, 7'365 bytes

Report generated in 0.471 seconds

 

Command line options:

/verbose - to add additional info on each section

/complete - to include empty sections and unsuspicious data

/full - to include several rarely-important sections

/force9x - to include Win9x-only startups even if running on WinNT

/forcent - to include WinNT-only startups even if running on Win9x

/forceall - to include all Win9x and WinNT startups, regardless of platform

/history - to list version history only

 

 

HijackThis report:

 

Logfile of HijackThis v1.99.1
Scan saved at 22:45:56, on 29.10.2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\WZCBDL Service\WZCBDLS.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\WINNT\system32\notepad.exe
C:\WINNT\system32\sistray.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Softwin\BitDefender10\bdmcon.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\WINNT\system32\notepad.exe
C:\WINNT\system32\taskmgr.exe
C:\Documents and Settings\Dorella\Desktop\Tackent.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ch/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - blank (file missing)
O4 - HKLM\..\Run: [SiS Tray] C:\WINNT\system32\sistray.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: officejet 6100.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - blank (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://webscanner.kaspersky.fr/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.fr/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1154378515194
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111...all/xscan53.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37900.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {C36112BF-2FA3-4694-8603-3B510EA3B465} (Lycos File Upload Component) - http://f010.mail.caramail.lycos.fr/app/upl...ileUploader.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender10\vsserv.exe" /service (file missing)
O23 - Service: WZCBDL Service (WZCBDLService) - D-Link - C:\Program Files\WZCBDL Service\WZCBDLS.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

 

 

There you go, is that better??
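Triage of a HijackThis/StartupList report, as an added example that is not part of this thread or of HijackThis, SDFix or any other tool named above. It parses the line formats seen in the two reports posted (O4 Run entries, O16 DPF ActiveX downloads, O23 services, the R1 ProxyOverride line, and an AppInit_DLLs line in either the StartupList `AppInit_DLLs=` form or the HijackThis `O20 - AppInit_DLLs:` form) and flags what a helper reads first: a non-empty AppInit_DLLs value, Run entries whose executable is given without a full path, services whose image the scanner could not find or whose ImagePath carries an unbalanced quote, services with no company name in their version info, and the host each downloaded ActiveX control came from. The sample report is constructed to mirror the formats above; the severities are this example's own choices, not a verdict on any entry in the thread.

```python
"""Triage a HijackThis / StartupList-style report.

Added example for this thread; not code from HijackThis, SDFix or any other
tool named on the page. SAMPLE_REPORT is constructed to mirror the line
formats of the reports posted above (illustrative names, CLSIDs and hosts).
"""
import re
from urllib.parse import urlsplit

# Constructed sample in HijackThis 1.99.1 and StartupList 1.52 line formats.
SAMPLE_REPORT = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://webscanner.kaspersky.fr/kavwebscan_unicode.cab
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender10\vsserv.exe" /service (file missing)
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=sockspy.dll
"""

O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<name>[^)]*)\) - (?P<url>\S+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
R1_RE = re.compile(r"^R1 - .*ProxyOverride = (?P<value>.+)$")
# Matches "AppInit_DLLs=x" (StartupList) and "O20 - AppInit_DLLs: x" (HijackThis).
APPINIT_RE = re.compile(r"AppInit_DLLs\s*[:=]\s*(?P<dlls>.*)$")


def executable_of(cmd):
    """Return the program part of a Run-key command line (quoted path or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def is_fully_qualified(path):
    """True for a drive-letter, UNC or %VAR%-rooted path; False for a bare file name."""
    return re.match(r"^(?:[A-Za-z]:\\|\\\\|%[^%]+%)", path) is not None


def triage(report):
    """Return a list of {'severity', 'reason', 'line'} findings for one report."""
    findings = []

    def flag(severity, reason, line):
        findings.append({"severity": severity, "reason": reason, "line": line})

    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = APPINIT_RE.search(line)
        if m and m.group("dlls").strip():
            # Every process that loads user32.dll maps these DLLs: read this first.
            flag("high", f"AppInit_DLLs set to {m.group('dlls').strip()!r}; every user32 process loads it", line)
            continue
        m = O4_RE.match(line)
        if m:
            exe = executable_of(m.group("cmd"))
            if not is_fully_qualified(exe):
                # A bare name is resolved by search order, so the file actually run is not pinned down.
                flag("medium", f"Run entry '{m.group('name')}' names {exe!r} without a full path", line)
            continue
        m = O23_RE.match(line)
        if m:
            name, owner, path = m.group("name"), m.group("owner"), m.group("path")
            if "(file missing)" in path:
                flag("medium", f"service '{name}': image not found on disk", line)
            if path.count('"') % 2:
                flag("low", f"service '{name}': ImagePath has an unbalanced quote", line)
            if owner == "Unknown owner":
                flag("low", f"service '{name}': no company name in version info", line)
            continue
        m = O16_RE.match(line)
        if m:
            host = urlsplit(m.group("url")).hostname
            flag("info", f"ActiveX control '{m.group('name')}' downloaded from {host}", line)
            continue
        m = R1_RE.match(line)
        if m:
            flag("info", f"ProxyOverride = {m.group('value').strip()}", line)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"[{f['severity']:6}] {f['reason']}")
```

Run it as a script to print the findings for the constructed sample, or import it and call `triage()` on the text of a saved log. A flag is a reason to look, not a verdict: a "file missing" on a service whose path ends in `" /service` can simply be how the scanner prints a quoted ImagePath, and security products do legitimately set AppInit_DLLs, so each flagged item still needs the file itself checked (vendor, signature, hash, date).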
