
Posted

OK.

Send me the VirtumundoBeGone report, the VundoFix one and a new HijackThis log.

I won't hide it from you: you are badly infected, and getting rid of the Vundos alone unfortunately won't be enough...

Posted

Is it really that bad, doctor?

VundoFix says I still have an old version of Java, but I did update it as advised.

Thaaanks for your help!!!

Here are the reports:

HijackThis:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 19:31:13, on 13/02/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Safe mode

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Trend Micro\HijackThis\zebulon.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www1.euro.dell.com/content/default....;l=fr&s=gen

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.euro.dell.com/content/default....;l=fr&s=gen

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www1.euro.dell.com/content/default....;l=fr&s=gen

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: (no name) - {02F50A32-3119-4186-BD6E-CBF41F5E6390} - C:\WINDOWS\system32\mljge.dll (file missing)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {59C945D3-881D-481B-A347-3633DE13CB78} - C:\WINDOWS\system32\geedc.dll (file missing)

O2 - BHO: {59e9cbf6-30c7-786b-a194-478f34e1e167} - {761e1e43-f874-491a-b687-7c036fbc9e95} - C:\WINDOWS\system32\fjufvdmr.dll (file missing)

O2 - BHO: (no name) - {A051B1FF-8D7E-418B-AABE-4FF82F4280A2} - C:\WINDOWS\system32\khfdbya.dll (file missing)

O2 - BHO: (no name) - {A066A570-6FD6-4B1D-A65D-0AE61E5F8D46} - C:\Program Files\MSN Gaming Zone\horevocC:\WINDOWS\system32\uwcee9\renamd83122.exe.dll (file missing)

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: (no name) - {D422CDBE-2D38-45A7-B283-8FF3E278F87D} - C:\WINDOWS\system32\ssqpq.dll (file missing)

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\FICHIE~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Fichiers communs\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [AME_CSA] rundll32 csa.cpl,RUN_DLL

O4 - HKLM\..\Run: [AdobeVersionCue] C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe

O4 - HKLM\..\Run: [setIcon] C:\Program Files\Icons\SetIcon.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [DMX] C:\Program Files\Dell\Media Experience\DMX.exe -sys

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Fichiers communs\Ahead\Lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [Dot1XCfg] C:\Program Files\Dot1XCfg\Dot1XCfg.exe

O4 - HKCU\..\Run: [Router] C:\Program Files\Router\Router.exe

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe

O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Assistant d'Acrobat.lnk = C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe

O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE

O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\nmyjpfbp.exe (file missing)

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Service de l'iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

 

--

End of file - 6862 bytes

 

 

VirtumundoBeGone:

 

 

[02/13/2008, 16:45:13] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Marie-Laure Delaby\Bureau\VirtumundoBeGone.exe" )

[02/13/2008, 16:45:23] - Detected System Information:

[02/13/2008, 16:45:23] - Windows Version: 5.1.2600, Service Pack 2

[02/13/2008, 16:45:23] - Current Username: (Admin)

[02/13/2008, 16:45:23] - Windows is in SAFE mode with Networking.

[02/13/2008, 16:45:23] - Searching for Browser Helper Objects:

[02/13/2008, 16:45:23] - BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} (Yahoo! Toolbar Helper)

[02/13/2008, 16:45:23] - BHO 2: {02F50A32-3119-4186-BD6E-CBF41F5E6390} ()

[02/13/2008, 16:45:23] - WARNING: BHO has no default name. Checking for Winlogon reference.

[02/13/2008, 16:45:23] - Checking for HKLM\...\Winlogon\Notify\mljge

[02/13/2008, 16:45:23] - Key not found: HKLM\...\Winlogon\Notify\mljge, continuing.

[02/13/2008, 16:45:23] - BHO 3: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)

[02/13/2008, 16:45:23] - BHO 4: {59C945D3-881D-481B-A347-3633DE13CB78} ()

[02/13/2008, 16:45:23] - WARNING: BHO has no default name. Checking for Winlogon reference.

[02/13/2008, 16:45:23] - Checking for HKLM\...\Winlogon\Notify\geedc

[02/13/2008, 16:45:23] - Key not found: HKLM\...\Winlogon\Notify\geedc, continuing.

[02/13/2008, 16:45:23] - BHO 5: {761e1e43-f874-491a-b687-7c036fbc9e95} ()

[02/13/2008, 16:45:23] - WARNING: BHO has no default name. Checking for Winlogon reference.

[02/13/2008, 16:45:23] - Checking for HKLM\...\Winlogon\Notify\fjufvdmr

[02/13/2008, 16:45:23] - Key not found: HKLM\...\Winlogon\Notify\fjufvdmr, continuing.

[02/13/2008, 16:45:23] - BHO 6: {A051B1FF-8D7E-418B-AABE-4FF82F4280A2} ()

[02/13/2008, 16:45:23] - WARNING: BHO has no default name. Checking for Winlogon reference.

[02/13/2008, 16:45:23] - Checking for HKLM\...\Winlogon\Notify\khfdbya

[02/13/2008, 16:45:23] - Key not found: HKLM\...\Winlogon\Notify\khfdbya, continuing.

[02/13/2008, 16:45:23] - BHO 7: {A066A570-6FD6-4B1D-A65D-0AE61E5F8D46} ()

[02/13/2008, 16:45:23] - WARNING: BHO has no default name. Checking for Winlogon reference.

[02/13/2008, 16:45:23] - Checking for HKLM\...\Winlogon\Notify\renamd83122.exe

[02/13/2008, 16:45:23] - Key not found: HKLM\...\Winlogon\Notify\renamd83122.exe, continuing.

[02/13/2008, 16:45:23] - BHO 8: {AE7CD045-E861-484f-8273-0445EE161910} (AcroIEToolbarHelper Class)

[02/13/2008, 16:45:23] - BHO 9: {D422CDBE-2D38-45A7-B283-8FF3E278F87D} ()

[02/13/2008, 16:45:23] - WARNING: BHO has no default name. Checking for Winlogon reference.

[02/13/2008, 16:45:23] - Checking for HKLM\...\Winlogon\Notify\ssqpq

[02/13/2008, 16:45:23] - Key not found: HKLM\...\Winlogon\Notify\ssqpq, continuing.

[02/13/2008, 16:45:23] - Finished Searching Browser Helper Objects

[02/13/2008, 16:45:23] - Finishing up...

[02/13/2008, 16:45:23] - Nothing found! Exiting...

 

[02/13/2008, 16:49:33] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Marie-Laure Delaby\Bureau\VirtumundoBeGone.exe" )

[02/13/2008, 16:49:42] - Detected System Information:

[02/13/2008, 16:49:42] - Windows Version: 5.1.2600, Service Pack 2

[02/13/2008, 16:49:42] - Current Username: (Admin)

[02/13/2008, 16:49:42] - Windows is in SAFE mode with Networking.

[02/13/2008, 16:49:42] - Searching for Browser Helper Objects:

[02/13/2008, 16:49:42] - BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} (Yahoo! Toolbar Helper)

[02/13/2008, 16:49:42] - BHO 2: {02F50A32-3119-4186-BD6E-CBF41F5E6390} ()

[02/13/2008, 16:49:42] - WARNING: BHO has no default name. Checking for Winlogon reference.

[02/13/2008, 16:49:42] - Checking for HKLM\...\Winlogon\Notify\mljge

[02/13/2008, 16:49:42] - Key not found: HKLM\...\Winlogon\Notify\mljge, continuing.

[02/13/2008, 16:49:42] - BHO 3: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)

[02/13/2008, 16:49:42] - BHO 4: {59C945D3-881D-481B-A347-3633DE13CB78} ()

[02/13/2008, 16:49:42] - WARNING: BHO has no default name. Checking for Winlogon reference.

[02/13/2008, 16:49:42] - Checking for HKLM\...\Winlogon\Notify\geedc

[02/13/2008, 16:49:42] - Key not found: HKLM\...\Winlogon\Notify\geedc, continuing.

[02/13/2008, 16:49:42] - BHO 5: {761e1e43-f874-491a-b687-7c036fbc9e95} ()

[02/13/2008, 16:49:42] - WARNING: BHO has no default name. Checking for Winlogon reference.

[02/13/2008, 16:49:42] - Checking for HKLM\...\Winlogon\Notify\fjufvdmr

[02/13/2008, 16:49:42] - Key not found: HKLM\...\Winlogon\Notify\fjufvdmr, continuing.

[02/13/2008, 16:49:42] - BHO 6: {A051B1FF-8D7E-418B-AABE-4FF82F4280A2} ()

[02/13/2008, 16:49:42] - WARNING: BHO has no default name. Checking for Winlogon reference.

[02/13/2008, 16:49:42] - Checking for HKLM\...\Winlogon\Notify\khfdbya

[02/13/2008, 16:49:42] - Key not found: HKLM\...\Winlogon\Notify\khfdbya, continuing.

[02/13/2008, 16:49:42] - BHO 7: {A066A570-6FD6-4B1D-A65D-0AE61E5F8D46} ()

[02/13/2008, 16:49:42] - WARNING: BHO has no default name. Checking for Winlogon reference.

[02/13/2008, 16:49:42] - Checking for HKLM\...\Winlogon\Notify\renamd83122.exe

[02/13/2008, 16:49:42] - Key not found: HKLM\...\Winlogon\Notify\renamd83122.exe, continuing.

[02/13/2008, 16:49:42] - BHO 8: {AE7CD045-E861-484f-8273-0445EE161910} (AcroIEToolbarHelper Class)

[02/13/2008, 16:49:42] - BHO 9: {D422CDBE-2D38-45A7-B283-8FF3E278F87D} ()

[02/13/2008, 16:49:42] - WARNING: BHO has no default name. Checking for Winlogon reference.

[02/13/2008, 16:49:42] - Checking for HKLM\...\Winlogon\Notify\ssqpq

[02/13/2008, 16:49:42] - Key not found: HKLM\...\Winlogon\Notify\ssqpq, continuing.

[02/13/2008, 16:49:42] - Finished Searching Browser Helper Objects

[02/13/2008, 16:49:42] - Finishing up...

[02/13/2008, 16:49:42] - Nothing found! Exiting...

 

[02/13/2008, 17:20:21] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Marie-Laure Delaby\Bureau\VirtumundoBeGone.exe" )

[02/13/2008, 17:20:27] - Detected System Information:

[02/13/2008, 17:20:27] - Windows Version: 5.1.2600, Service Pack 2

[02/13/2008, 17:20:27] - Current Username: (Admin)

[02/13/2008, 17:20:27] - Windows is in SAFE mode with Networking.

[02/13/2008, 17:20:27] - Searching for Browser Helper Objects:

[02/13/2008, 17:20:27] - BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} (Yahoo! Toolbar Helper)

[02/13/2008, 17:20:27] - BHO 2: {02F50A32-3119-4186-BD6E-CBF41F5E6390} ()

[02/13/2008, 17:20:27] - WARNING: BHO has no default name. Checking for Winlogon reference.

[02/13/2008, 17:20:27] - Checking for HKLM\...\Winlogon\Notify\mljge

[02/13/2008, 17:20:27] - Key not found: HKLM\...\Winlogon\Notify\mljge, continuing.

[02/13/2008, 17:20:27] - BHO 3: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)

[02/13/2008, 17:20:27] - BHO 4: {59C945D3-881D-481B-A347-3633DE13CB78} ()

[02/13/2008, 17:20:27] - WARNING: BHO has no default name. Checking for Winlogon reference.

[02/13/2008, 17:20:27] - Checking for HKLM\...\Winlogon\Notify\geedc

[02/13/2008, 17:20:27] - Key not found: HKLM\...\Winlogon\Notify\geedc, continuing.

[02/13/2008, 17:20:27] - BHO 5: {761e1e43-f874-491a-b687-7c036fbc9e95} ()

[02/13/2008, 17:20:27] - WARNING: BHO has no default name. Checking for Winlogon reference.

[02/13/2008, 17:20:27] - Checking for HKLM\...\Winlogon\Notify\fjufvdmr

[02/13/2008, 17:20:27] - Key not found: HKLM\...\Winlogon\Notify\fjufvdmr, continuing.

[02/13/2008, 17:20:27] - BHO 6: {A051B1FF-8D7E-418B-AABE-4FF82F4280A2} ()

[02/13/2008, 17:20:27] - WARNING: BHO has no default name. Checking for Winlogon reference.

[02/13/2008, 17:20:27] - Checking for HKLM\...\Winlogon\Notify\khfdbya

[02/13/2008, 17:20:27] - Key not found: HKLM\...\Winlogon\Notify\khfdbya, continuing.

[02/13/2008, 17:20:27] - BHO 7: {A066A570-6FD6-4B1D-A65D-0AE61E5F8D46} ()

[02/13/2008, 17:20:27] - WARNING: BHO has no default name. Checking for Winlogon reference.

[02/13/2008, 17:20:27] - Checking for HKLM\...\Winlogon\Notify\renamd83122.exe

[02/13/2008, 17:20:27] - Key not found: HKLM\...\Winlogon\Notify\renamd83122.exe, continuing.

[02/13/2008, 17:20:27] - BHO 8: {AE7CD045-E861-484f-8273-0445EE161910} (AcroIEToolbarHelper Class)

[02/13/2008, 17:20:27] - BHO 9: {D422CDBE-2D38-45A7-B283-8FF3E278F87D} ()

[02/13/2008, 17:20:27] - WARNING: BHO has no default name. Checking for Winlogon reference.

[02/13/2008, 17:20:27] - Checking for HKLM\...\Winlogon\Notify\ssqpq

[02/13/2008, 17:20:27] - Key not found: HKLM\...\Winlogon\Notify\ssqpq, continuing.

[02/13/2008, 17:20:27] - Finished Searching Browser Helper Objects

[02/13/2008, 17:20:27] - Finishing up...

[02/13/2008, 17:20:27] - Nothing found! Exiting...

 

[02/13/2008, 17:51:04] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Marie-Laure Delaby\Bureau\VirtumundoBeGone.exe" )

[02/13/2008, 17:51:12] - Detected System Information:

[02/13/2008, 17:51:12] - Windows Version: 5.1.2600, Service Pack 2

[02/13/2008, 17:51:12] - Current Username: (Admin)

[02/13/2008, 17:51:12] - Windows is in NORMAL mode.

[02/13/2008, 17:51:12] - Searching for Browser Helper Objects:

[02/13/2008, 17:51:12] - BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} (Yahoo! Toolbar Helper)

[02/13/2008, 17:51:12] - BHO 2: {02F50A32-3119-4186-BD6E-CBF41F5E6390} ()

[02/13/2008, 17:51:12] - WARNING: BHO has no default name. Checking for Winlogon reference.

[02/13/2008, 17:51:12] - Checking for HKLM\...\Winlogon\Notify\mljge

[02/13/2008, 17:51:12] - Key not found: HKLM\...\Winlogon\Notify\mljge, continuing.

[02/13/2008, 17:51:12] - BHO 3: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)

[02/13/2008, 17:51:12] - BHO 4: {59C945D3-881D-481B-A347-3633DE13CB78} ()

[02/13/2008, 17:51:12] - WARNING: BHO has no default name. Checking for Winlogon reference.

[02/13/2008, 17:51:12] - Checking for HKLM\...\Winlogon\Notify\geedc

[02/13/2008, 17:51:12] - Key not found: HKLM\...\Winlogon\Notify\geedc, continuing.

[02/13/2008, 17:51:12] - BHO 5: {761e1e43-f874-491a-b687-7c036fbc9e95} ()

[02/13/2008, 17:51:12] - WARNING: BHO has no default name. Checking for Winlogon reference.

[02/13/2008, 17:51:12] - Checking for HKLM\...\Winlogon\Notify\fjufvdmr

[02/13/2008, 17:51:12] - Key not found: HKLM\...\Winlogon\Notify\fjufvdmr, continuing.

[02/13/2008, 17:51:12] - BHO 6: {A051B1FF-8D7E-418B-AABE-4FF82F4280A2} ()

[02/13/2008, 17:51:12] - WARNING: BHO has no default name. Checking for Winlogon reference.

[02/13/2008, 17:51:12] - Checking for HKLM\...\Winlogon\Notify\khfdbya

[02/13/2008, 17:51:12] - Key not found: HKLM\...\Winlogon\Notify\khfdbya, continuing.

[02/13/2008, 17:51:12] - BHO 7: {A066A570-6FD6-4B1D-A65D-0AE61E5F8D46} ()

[02/13/2008, 17:51:12] - WARNING: BHO has no default name. Checking for Winlogon reference.

[02/13/2008, 17:51:12] - Checking for HKLM\...\Winlogon\Notify\renamd83122.exe

[02/13/2008, 17:51:12] - Key not found: HKLM\...\Winlogon\Notify\renamd83122.exe, continuing.

[02/13/2008, 17:51:12] - BHO 8: {AE7CD045-E861-484f-8273-0445EE161910} (AcroIEToolbarHelper Class)

[02/13/2008, 17:51:12] - BHO 9: {D422CDBE-2D38-45A7-B283-8FF3E278F87D} ()

[02/13/2008, 17:51:12] - WARNING: BHO has no default name. Checking for Winlogon reference.

[02/13/2008, 17:51:12] - Checking for HKLM\...\Winlogon\Notify\ssqpq

[02/13/2008, 17:51:12] - Key not found: HKLM\...\Winlogon\Notify\ssqpq, continuing.

[02/13/2008, 17:51:12] - Finished Searching Browser Helper Objects

[02/13/2008, 17:51:12] - Finishing up...

[02/13/2008, 17:51:12] - Nothing found! Exiting...

 

VundoFix:

 

 

VundoFix V6.7.7

 

Checking Java version...

 

Java version is 1.4.2.3

Old versions of java are exploitable and should be removed.

 

Scan started at 11:26:48 31/01/2008

 

Listing files found while scanning....

 

C:\WINDOWS\system32\AudFile.dll

C:\WINDOWS\system32\khfdbya.dll

C:\WINDOWS\system32\miktokev.dll

C:\WINDOWS\system32\nmyjpfbp.exe

C:\WINDOWS\system32\qpqss.ini

C:\WINDOWS\system32\qpqss.ini2

C:\WINDOWS\system32\ssqpq.dll

C:\WINDOWS\system32\WMAFile.dll

 

Beginning removal...

 

Attempting to delete C:\WINDOWS\system32\AudFile.dll

C:\WINDOWS\system32\AudFile.dll Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\khfdbya.dll

C:\WINDOWS\system32\khfdbya.dll Could not be deleted.

 

Attempting to delete C:\WINDOWS\system32\miktokev.dll

C:\WINDOWS\system32\miktokev.dll Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\nmyjpfbp.exe

C:\WINDOWS\system32\nmyjpfbp.exe Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\qpqss.ini

C:\WINDOWS\system32\qpqss.ini Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\qpqss.ini2

C:\WINDOWS\system32\qpqss.ini2 Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\ssqpq.dll

C:\WINDOWS\system32\ssqpq.dll Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\WMAFile.dll

C:\WINDOWS\system32\WMAFile.dll Has been deleted!

 

Performing Repairs to the registry.

Done!

 

VundoFix V6.7.7

 

Checking Java version...

 

Java version is 1.4.2.3

Old versions of java are exploitable and should be removed.

 

Scan started at 12:02:58 31/01/2008

 

Listing files found while scanning....

 

 

VundoFix V6.7.7

 

Checking Java version...

 

Java version is 1.4.2.3

Old versions of java are exploitable and should be removed.

 

Scan started at 12:48:15 11/02/2008

 

Listing files found while scanning....

 

C:\WINDOWS\system32\cdeeg.ini

C:\WINDOWS\system32\cdeeg.ini2

C:\WINDOWS\system32\geedc.dll

C:\WINDOWS\system32\khfdbya.dll

 

Beginning removal...

 

Attempting to delete C:\WINDOWS\system32\cdeeg.ini

C:\WINDOWS\system32\cdeeg.ini Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\cdeeg.ini2

C:\WINDOWS\system32\cdeeg.ini2 Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\geedc.dll

C:\WINDOWS\system32\geedc.dll Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\khfdbya.dll

C:\WINDOWS\system32\khfdbya.dll Could not be deleted.

 

Performing Repairs to the registry.

Done!

 

Beginning removal...

 

Attempting to delete C:\WINDOWS\system32\khfdbya.dll

C:\WINDOWS\system32\khfdbya.dll Could not be deleted.

 

Performing Repairs to the registry.

Done!

 

Beginning removal...

 

VundoFix V6.7.7

 

Checking Java version...

 

Java version is 1.4.2.3

Old versions of java are exploitable and should be removed.

 

Scan started at 16:50:21 13/02/2008

 

Listing files found while scanning....

 

C:\WINDOWS\system32\egjlm.ini

C:\WINDOWS\system32\egjlm.ini2

C:\WINDOWS\system32\fjufvdmr.dll

C:\WINDOWS\system32\khfdbya.dll

C:\WINDOWS\system32\mljge.dll

C:\WINDOWS\system32\rcsvhfsx.dll

 

Beginning removal...

 

Attempting to delete C:\WINDOWS\system32\egjlm.ini

C:\WINDOWS\system32\egjlm.ini Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\egjlm.ini2

C:\WINDOWS\system32\egjlm.ini2 Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\fjufvdmr.dll

C:\WINDOWS\system32\fjufvdmr.dll Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\khfdbya.dll

C:\WINDOWS\system32\khfdbya.dll Could not be deleted.

 

Attempting to delete C:\WINDOWS\system32\mljge.dll

C:\WINDOWS\system32\mljge.dll Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\rcsvhfsx.dll

C:\WINDOWS\system32\rcsvhfsx.dll Has been deleted!

 

Performing Repairs to the registry.

Done!

 

Beginning removal...

 

Attempting to delete C:\WINDOWS\system32\khfdbya.dll

C:\WINDOWS\system32\khfdbya.dll Could not be deleted.

 

Performing Repairs to the registry.

Done!

 

VundoFix V6.7.7

 

Checking Java version...

 

Java version is 1.4.2.3

Old versions of java are exploitable and should be removed.

 

Scan started at 17:21:23 13/02/2008

 

Listing files found while scanning....

 

C:\WINDOWS\system32\khfdbya.dll

 

Beginning removal...

 

Performing Repairs to the registry.

Done!

 

VundoFix V6.7.7

 

Checking Java version...

 

Java version is 1.4.2.3

Old versions of java are exploitable and should be removed.

 

Scan started at 17:54:53 13/02/2008

 

Listing files found while scanning....

 

C:\WINDOWS\system32\merde.dll

 

Beginning removal...

 

Attempting to delete C:\WINDOWS\system32\merde.dll

C:\WINDOWS\system32\merde.dll Has been deleted!

 

Performing Repairs to the registry.

Done!
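
The logs above repeat a pattern a helper reads by eye: BHOs registered with no name whose DLL is already gone, a service with an unknown owner pointing at a deleted binary, a Run value launching an executable dropped straight into C:\WINDOWS with a long hex argument, and in the VundoFix lists a DLL (mljge.dll, geedc.dll, ssqpq.dll) accompanied by an .ini/.ini2 whose name is the DLL stem reversed (egjlm, cdeeg, qpqss). The following is an added example, not code from HijackThis, VundoFix or the helper in this thread: it applies those same observations to a constructed sample made of lines copied from the logs above. The scoring rules and the `Finding` structure are my own assumptions about what to flag, and the reversed-name pairing is taken only from what the VundoFix output here shows.

```python
r"""
Triage of HijackThis and VundoFix output.  Added example for this thread; it is
not code from HijackThis, VundoFix or the helper.  The sample lines are copied
from the logs posted above.  The flagging rules (no-name BHOs, missing files,
unknown-owner services, a binary dropped straight into C:\WINDOWS with a hex
blob argument) and the <name>.dll <-> reversed <eman>.ini / .ini2 pairing are
assumptions drawn from this thread's logs, not rules of the tools themselves.
"""
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Constructed sample: lines lifted from the HijackThis log in this thread.
SAMPLE_HJT = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {02F50A32-3119-4186-BD6E-CBF41F5E6390} - C:\WINDOWS\system32\mljge.dll (file missing)
O2 - BHO: (no name) - {59C945D3-881D-481B-A347-3633DE13CB78} - C:\WINDOWS\system32\geedc.dll (file missing)
O2 - BHO: (no name) - {D422CDBE-2D38-45A7-B283-8FF3E278F87D} - C:\WINDOWS\system32\ssqpq.dll (file missing)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\nmyjpfbp.exe (file missing)
"""

# Constructed sample: the file list from the 16:50 13/02/2008 VundoFix run above.
SAMPLE_VUNDOFIX_FILES = [
    r"C:\WINDOWS\system32\egjlm.ini",
    r"C:\WINDOWS\system32\egjlm.ini2",
    r"C:\WINDOWS\system32\mljge.dll",
    r"C:\WINDOWS\system32\khfdbya.dll",
]

_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - "
                 r"(?P<path>.*?)(?P<missing> \(file missing\))?$")
_O4 = re.compile(r"^O4 - (?P<where>.*?): \[(?P<name>.*?)\] (?P<cmd>.*)$")
_O23 = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<vendor>.*?) - "
                  r"(?P<path>.*?)(?P<missing> \(file missing\))?$")
_HEXBLOB = re.compile(r"\b[0-9A-Fa-f]{32,}\b")
_WINDIR = PureWindowsPath(r"C:\WINDOWS")


@dataclass
class Finding:
    kind: str                     # HijackThis section: O2, O4 or O23
    name: str                     # BHO name, Run value name or service name
    path: str                     # file the entry points at
    reasons: list = field(default_factory=list)


def vundo_companion(dll_path: str) -> str:
    """mljge.dll -> egjlm.ini: the reversed-stem .ini seen next to each Vundo DLL."""
    return PureWindowsPath(dll_path).stem[::-1] + ".ini"


def triage_hijackthis(log_text: str) -> list:
    """Return the O2/O4/O23 entries a helper would ask about, with the reason."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := _O2.match(line):
            reasons = ((["no name"] if m["name"] == "(no name)" else [])
                       + (["file missing"] if m["missing"] else []))
            if reasons:
                findings.append(Finding("O2", m["name"], m["path"], reasons))
        elif m := _O4.match(line):
            cmd = m["cmd"]
            # quoted path -> take what is between the first pair of quotes
            exe = cmd.split('"')[1] if cmd.startswith('"') else cmd.split(" ", 1)[0]
            reasons = []
            if PureWindowsPath(exe).parent == _WINDIR:
                reasons.append(r"dropped in C:\WINDOWS")
            if _HEXBLOB.search(cmd):
                reasons.append("hex blob argument")
            if reasons:
                findings.append(Finding("O4", m["name"], exe, reasons))
        elif m := _O23.match(line):
            reasons = ((["unknown owner"] if m["vendor"] == "Unknown owner" else [])
                       + (["file missing"] if m["missing"] else []))
            if reasons:
                findings.append(Finding("O23", m["name"], m["path"], reasons))
    return findings


def correlate_with_vundofix(findings: list, vundofix_files: list) -> dict:
    """For each flagged DLL, list the reversed-name .ini/.ini2 VundoFix saw."""
    by_name = {PureWindowsPath(p).name.lower(): p for p in vundofix_files}
    out = {}
    for f in findings:
        if f.kind != "O2" or not f.path.lower().endswith(".dll"):
            continue
        ini = vundo_companion(f.path).lower()
        out[PureWindowsPath(f.path).name] = [p for n, p in by_name.items()
                                             if n in (ini, ini + "2")]
    return out


if __name__ == "__main__":
    found = triage_hijackthis(SAMPLE_HJT)
    for f in found:
        print(f"{f.kind:<4}{f.name:<16}{f.path}  <- {', '.join(f.reasons)}")
    for dll, hits in correlate_with_vundofix(found, SAMPLE_VUNDOFIX_FILES).items():
        print(f"{dll}: reversed-name ini {'present' if hits else 'absent'} {hits}")
```

On the sample, the Yahoo BHO, the Avira Run value and the ATI service pass untouched, while the three no-name BHOs, `runner1` and `DomainService` are flagged. A "file missing" finding is worth keeping even after VundoFix reports a deletion: the CLSID registration under Browser Helper Objects is still there (ComboFix later lists exactly those keys), so the entry is an orphaned loader that still has to be removed from the registry.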

Posted

That's already much cleaner!

*** Is the stubborn DLL that you renamed this one:

C:\WINDOWS\system32\khfdbya.dll

??

# Download ComboFix by sUBs

  • Save it to your desktop.
  • Disconnect from the internet and disable your antivirus (just for the duration of the procedure).
  • Close all windows.
  • Double-click combofix.exe (do not click in the window that opens).
  • Press Y to start the scan.
  • When the scan finishes (it can take a while), a report will be created.
  • Post that report in your next message.
Posted (edited)

hello!

I'm back (after a week of non-stop work); I can finally take care of my machine and send you the ComboFix report!

I hope it's fixed for good!

and thanks again for your help!!!!

 

ComboFix 08-02-21 - 2008-02-21 11:37:41.1 - NTFSx86

Microsoft Windows XP Édition familiale 5.1.2600.2.1252.33.1036.18.1626 [GMT 1:00]

Running from: C:\Documents and Settings\...\Bureau\ComboFix.exe

* Created a new restore point

 

WARNING - THE RECOVERY CONSOLE IS NOT INSTALLED ON THIS MACHINE!!

.

 

(((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\Program Files\inetget2

C:\Program Files\Router

C:\Program Files\Temporary

C:\Temp\1cb

C:\Temp\1cb\syscheck.log

C:\WINDOWS\system32\nGpxx01

C:\WINDOWS\system32\pac.txt

 

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

 

.

-------\LEGACY_DOMAINSERVICE

-------\DomainService

 

 

((((((((((((((((((((((((((((( Files Created from 2008-01-21 to 2008-02-21 ))))))))))))))))))))))))))))))))))))

.

 

2008-01-31 11:26 . 2008-02-13 19:41 <REP> d-------- C:\VundoFix Backups

2008-01-27 23:29 . 2008-01-27 23:29 <REP> d-------- C:\Program Files\Avira

2008-01-27 23:29 . 2008-01-27 23:29 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Avira

2008-01-27 22:33 . 2008-01-27 22:33 <REP> d-------- C:\Program Files\Trend Micro

2008-01-26 23:20 . 2008-01-27 23:43 <REP> d-------- C:\Program Files\Dot1XCfg

2008-01-26 23:08 . 2008-01-26 23:08 <REP> d-------- C:\WINDOWS\system32\uwcee9

2008-01-26 23:08 . 2008-01-26 23:08 <REP> d-------- C:\Temp\gTiis19

2008-01-26 23:07 . 2008-01-26 23:08 <REP> d-------- C:\WINDOWS\system32\aee1

2008-01-26 23:07 . 2008-01-26 23:07 <REP> d-------- C:\Temp\cXzz9

2008-01-26 23:07 . 2008-02-21 11:37 <REP> d-------- C:\Temp

2008-01-24 13:31 . 2008-01-26 14:28 <REP> d-------- C:\Documents and Settings\...\Application Data\DivX

2008-01-23 23:31 . 2008-01-04 22:58 129,784 --------- C:\WINDOWS\system32\pxafs.dll

2008-01-23 23:31 . 2008-01-04 22:58 9,464 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys

2008-01-23 23:31 . 2008-01-04 22:58 9,336 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys

 

.

(((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-02-21 10:44 --------- d-----w C:\Documents and Settings\...\Application Data\OpenOffice.org2

2008-02-19 07:52 --------- d-----w C:\Documents and Settings\...\Application Data\AdobeUM

2008-02-11 12:56 --------- d-----w C:\Program Files\Free Easy Burner

2008-01-23 22:31 --------- d-----w C:\Program Files\DivX

2008-01-11 18:30 --------- d-----w C:\Program Files\Last.fm

2008-01-09 22:09 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP

2008-01-06 18:34 --------- d-----w C:\Program Files\iTunes

2008-01-06 18:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Last.fm

2008-01-04 21:58 43,528 ------w C:\WINDOWS\system32\drivers\pxhelp20.sys

2007-02-03 13:10 1,931 ----a-w C:\Program Files\README_WINPCAP.txt

2007-02-01 14:12 7,975,963 ----a-w C:\Program Files\packetgarden_1.0_setup.exe

2006-09-25 12:24 467,181 ----a-w C:\Program Files\winpcap_3.1.exe

2006-02-24 16:39 52,855,506 ----a-w C:\Program Files\openofficeorg3.cab

2006-02-24 16:39 2,352,893 ----a-w C:\Program Files\openofficeorg4.cab

2006-02-24 16:34 14,868,750 ----a-w C:\Program Files\openofficeorg2.cab

2006-02-24 16:33 18,306,767 ----a-w C:\Program Files\openofficeorg1.cab

2006-02-24 16:32 5,223,424 ----a-w C:\Program Files\openofficeorg20.msi

2006-02-24 16:32 217 ----a-w C:\Program Files\setup.ini

2006-02-08 11:01 266,240 ----a-w C:\Program Files\setup.exe

2002-03-11 09:06 1,822,520 ----a-w C:\Program Files\instmsiw.exe

2002-03-11 08:45 1,708,856 ----a-w C:\Program Files\instmsia.exe

.

 

((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

REGEDIT4

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02F50A32-3119-4186-BD6E-CBF41F5E6390}]

C:\WINDOWS\system32\mljge.dll

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{59C945D3-881D-481B-A347-3633DE13CB78}]

C:\WINDOWS\system32\geedc.dll

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761e1e43-f874-491a-b687-7c036fbc9e95}]

C:\WINDOWS\system32\fjufvdmr.dll

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A066A570-6FD6-4B1D-A65D-0AE61E5F8D46}]

C:\Program Files\MSN Gaming Zone\horevocC:\WINDOWS\system32\uwcee9\renamd83122.exe.dll

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D422CDBE-2D38-45A7-B283-8FF3E278F87D}]

C:\WINDOWS\system32\ssqpq.dll

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-05 12:00 15360]

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208]

"DMX"="C:\Program Files\Dell\Media Experience\DMX.exe" [ ]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Fichiers communs\Ahead\Lib\NMBgMonitor.exe" [ ]

"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2006-08-21 16:37 20053032]

"Dot1XCfg"="C:\Program Files\Dot1XCfg\Dot1XCfg.exe" [ ]

"Router"="C:\Program Files\Router\Router.exe" [ ]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 17:48 32881]

"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 00:20 339968 C:\WINDOWS\stsystra.exe]

"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 21:05 344064]

"ISUSPM Startup"="C:\PROGRA~1\FICHIE~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [ ]

"ISUSScheduler"="C:\Program Files\Fichiers communs\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50 81920]

"AME_CSA"="csa.cpl" [2003-06-12 11:42 757760 C:\WINDOWS\system32\CSA.cpl]

"AdobeVersionCue"="C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe" [2003-10-22 16:33 1732608]

"TkBellExe"="C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" [2005-11-05 20:07 180269]

"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-11-29 20:50 196608]

"SetIcon"="C:\Program Files\Icons\SetIcon.exe" [2002-12-16 10:02 39936]

"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 05:24 286720]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-10 08:18 270648]

"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-01-27 23:31 249896]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-05 12:00 15360]

 

S3 AmeAtmPc;AmeAtmPc;C:\WINDOWS\system32\DRIVERS\AmeAtmPc.sys [2003-04-04 18:13]

S3 AtmElan;Réseau émulant ATM;C:\WINDOWS\system32\DRIVERS\atmlane.sys [2004-08-05 12:00]

S3 AtmLane;Émulation réseau ATM;C:\WINDOWS\system32\DRIVERS\atmlane.sys [2004-08-05 12:00]

S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 22:10]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]

\Shell\Auto\command - AdobeR.exe e

\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL AdobeR.exe e

 

.

Contents of the 'Scheduled Tasks' folder

"2008-01-12 13:59:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"

- C:\Program Files\Apple Software Update\SoftwareUpdate.exe

.

**************************************************************************

 

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-02-21 11:45:33

Windows 5.1.2600 Service Pack 2 NTFS

 

Scanning hidden processes ...

 

Scanning hidden autostart entries ...

 

Scanning hidden files ...

 

Scan completed successfully

Hidden files: 0

 

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\system32\drivers\CDAC11BA.EXE

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\NotifyPhoneBook.exe

C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe

C:\Program Files\Last.fm\LastFMHelper.exe

C:\Program Files\OpenOffice.org 2.0\program\soffice.exe

C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avcenter.exe

.

**************************************************************************

.

Completion time: 2008-02-21 11:47:21 - machine was rebooted

ComboFix-quarantined-files.txt 2008-02-21 10:47:18

.

2008-02-21 09:56:47 --- E O F ---

Edited by machaaa
Posted

Thanks.

You didn't answer one question:

*** the stubborn DLL that you renamed and then deleted, is it this one:

C:\WINDOWS\system32\khfdbya.dll

Also send me a new HijackThis log.

Posted

Hello Ogu,

yes, that was the DLL.

thanks for the next steps!

here is the new HijackThis report:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 21:06:25, on 25/02/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Safe mode

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Trend Micro\HijackThis\zebulon.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www1.euro.dell.com/content/default....;l=fr&s=gen

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.euro.dell.com/content/default....;l=fr&s=gen

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www1.euro.dell.com/content/default....;l=fr&s=gen

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: (no name) - {02F50A32-3119-4186-BD6E-CBF41F5E6390} - C:\WINDOWS\system32\mljge.dll (file missing)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {59C945D3-881D-481B-A347-3633DE13CB78} - C:\WINDOWS\system32\geedc.dll (file missing)

O2 - BHO: {59e9cbf6-30c7-786b-a194-478f34e1e167} - {761e1e43-f874-491a-b687-7c036fbc9e95} - C:\WINDOWS\system32\fjufvdmr.dll (file missing)

O2 - BHO: (no name) - {A066A570-6FD6-4B1D-A65D-0AE61E5F8D46} - C:\Program Files\MSN Gaming Zone\horevocC:\WINDOWS\system32\uwcee9\renamd83122.exe.dll (file missing)

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: (no name) - {D422CDBE-2D38-45A7-B283-8FF3E278F87D} - C:\WINDOWS\system32\ssqpq.dll (file missing)

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\FICHIE~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Fichiers communs\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [AME_CSA] rundll32 csa.cpl,RUN_DLL

O4 - HKLM\..\Run: [AdobeVersionCue] C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe

O4 - HKLM\..\Run: [setIcon] C:\Program Files\Icons\SetIcon.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [DMX] C:\Program Files\Dell\Media Experience\DMX.exe -sys

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Fichiers communs\Ahead\Lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [Dot1XCfg] C:\Program Files\Dot1XCfg\Dot1XCfg.exe

O4 - HKCU\..\Run: [Router] C:\Program Files\Router\Router.exe

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe

O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Assistant d'Acrobat.lnk = C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe

O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Service de l'iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

 

--

End of file - 6579 bytes

Posted

Hi Machaa!

It seems to be coming along nicely.

Here is the next part of the procedure.


1-REMOVING THE TRACES OF VUNDO AND OF SD

  • Relaunch HijackThis
  • Select "Do a scan only"
  • Tick the following lines:

    O2 - BHO: (no name) - {02F50A32-3119-4186-BD6E-CBF41F5E6390} - C:\WINDOWS\system32\mljge.dll (file missing)
     
    O2 - BHO: (no name) - {59C945D3-881D-481B-A347-3633DE13CB78} - C:\WINDOWS\system32\geedc.dll (file missing)
     
    O2 - BHO: {59e9cbf6-30c7-786b-a194-478f34e1e167} - {761e1e43-f874-491a-b687-7c036fbc9e95} - C:\WINDOWS\system32\fjufvdmr.dll (file missing)
     
    O2 - BHO: (no name) - {A066A570-6FD6-4B1D-A65D-0AE61E5F8D46} - C:\Program Files\MSN Gaming Zone\horevocC:\WINDOWS\system32\uwcee9\renamd83122.exe.dll (file missing)
     
    O2 - BHO: (no name) - {D422CDBE-2D38-45A7-B283-8FF3E278F87D} - C:\WINDOWS\system32\ssqpq.dll (file missing)
     
  • Click "Fix checked" at the bottom


2-COMBOFIX

  • Disconnect from the internet and disable your antivirus (just for the duration of the procedure!)
  • Open Notepad and paste in the lines below (big up to Angélique!):
     
    File::
    C:\WINDOWS\system32\nGpxx01
    C:\WINDOWS\system32\pac.txt
     
    Folder::
    C:\Program Files\inetget2
    C:\Program Files\Temporary
    C:\Temp
    C:\WINDOWS\system32\aee1
    C:\WINDOWS\system32\uwcee9
    C:\VundoFix Backups
     
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02F50A32-3119-4186-BD6E-CBF41F5E6390}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{59C945D3-881D-481B-A347-3633DE13CB78}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761e1e43-f874-491a-b687-7c036fbc9e95}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A066A570-6FD6-4B1D-A65D-0AE61E5F8D46}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D422CDBE-2D38-45A7-B283-8FF3E278F87D}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
     
    * Warning: this script was written specifically for Machaa, please do not reuse it in other cases!
     
  • Go to the top of the page and click the "File" menu; a list appears =>
  • Choose "Save As" and choose "Desktop"
  • In the "File name" field at the bottom of the page, enter the following name: CFScript, as a .txt file
  • Click the "Save" button to the right of the "File name" field
  • Close Notepad
  • Drag and drop this CFScript.txt file onto the ComboFix.exe file, as in the screenshot
     
    (screenshot: CFScript.gif)
     
  • A blue window will appear: at the prompt that comes up (Type 1 to continue, or 2 to abort), type 1 and press Enter.
  • Wait while the scan runs. The desktop will disappear several times: that is normal!
    Don't touch anything until the scan has finished.
  • Once the scan is complete, a report will be displayed: post its contents.
  • If the file doesn't appear, it is here > C:\ComboFix.txt

3-SDFix

I advise you to print this procedure so you can follow it offline, once in Safe Mode.

  • Download SDFix (created by AndyManchesta) and save it to your Desktop.
     
    *** http://download.bleepingcomputer.com/andymanchesta/SDFix.exe ***
 
Double-click SDFix.exe and choose Install to extract it to a dedicated folder on the Desktop.
 
Then restart your computer in Safe Mode following this procedure:

  • Restart your computer
  • After hearing the computer beep at start-up, but before the Windows icon appears, tap the F8 key (one press per second).
  • Instead of the normal Windows loading, a menu with several options should appear.
  • Choose the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your account.
     
    Follow the list of instructions below:

  • Open the SDFix folder that has just been created in C:\ and double-click RunThis.bat to launch the script.
  • Press Y to start the cleaning process.
  • It will remove the services and registry entries of certain trojans it finds, then ask you to press a key to restart.
  • Press a key to restart the PC.
  • Your system will take longer than usual to restart, because the tool keeps running and deleting files.
  • After the Desktop loads, the tool will finish its work and display Finished.
  • Press a key to end the script and load your Desktop icons.
  • Once the Desktop icons are displayed, the SDFix report will open on screen and will also be saved in the SDFix folder as Report.txt.
  • Finally, copy/paste the contents of Report.txt into your next reply on the forum, along with a new HijackThis log

(Thanks to Wawaseb for the canned)


4-REPORTS:

Once these steps are done, post me:

- the ComboFix report
- the SDFix report
- a new HijackThis report so we can take stock.

See you!
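The Registry:: section of a script like the one above is built from two observations in the logs: the O2 lines that HijackThis marks "(file missing)" (a BHO whose DLL was deleted but whose CLSID registration survived), and the MountPoints2 key that ComboFix printed with a `\Shell\AutoRun\command` pointing at an executable on drive J. The following is an added example that derives that section mechanically; it is not code from the thread, from HijackThis or from ComboFix. The sample lines are copied from the logs posted above, and it assumes ComboFix accepts the full Browser Helper Objects key path in place of the `~` shorthand the helper used.

```python
"""Build the Registry:: section of a ComboFix CFScript from a HijackThis log
and a ComboFix log, automating what the helper in this thread did by hand.

Added example: not code from the thread, nor from HijackThis or ComboFix.
The sample log lines are copied from the thread. Assumption: ComboFix accepts
the full Browser Helper Objects key path here in place of the '~' shorthand
the thread's script uses.
"""
import re

BHO_KEY = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion"
           r"\Explorer\Browser Helper Objects")

# HijackThis: 'O2 - BHO: <name> - {CLSID} - <dll path>[ (file missing)]'
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\})"
                   r" - (?P<path>.*?)(?P<missing> \(file missing\))?$")
# ComboFix: '[HKEY_CURRENT_USER\...\mountpoints2\<drive>]' followed by one
# '\Shell\<verb>\command - <command line>' per cached autorun verb.
MP2_RE = re.compile(r"^\[(?P<key>HKEY_CURRENT_USER\\software\\microsoft\\windows"
                    r"\\currentversion\\explorer\\mountpoints2\\[^\]]+)\]$", re.I)
CMD_RE = re.compile(r"^\\Shell\\(?P<verb>\w+)\\command - (?P<cmd>.+)$")


def orphaned_bhos(hjt_log):
    """(clsid, dll_path) for every O2 BHO whose DLL no longer exists.

    The DLL was deleted (VundoFix, or by hand) but the CLSID is still listed
    under the BHO key, so Internet Explorer keeps trying to load it; deleting
    the key is what the thread's CFScript does for each of these."""
    found = []
    for line in hjt_log.splitlines():
        m = O2_RE.match(line.strip())
        if m and m.group("missing"):
            found.append((m.group("clsid"), m.group("path")))
    return found


def autorun_mountpoints(combofix_log):
    """(key, [(verb, command), ...]) for each MountPoints2 drive key carrying
    a Shell\\...\\command value: Explorer caches a drive's autorun actions
    there and can replay them when that drive is opened again, which is why
    the thread's script deletes the key rather than just the file."""
    results, key, cmds = [], None, []
    for raw in combofix_log.splitlines():
        line = raw.strip()
        m = MP2_RE.match(line)
        if m:
            if key and cmds:
                results.append((key, cmds))
            key, cmds = m.group("key"), []
            continue
        c = CMD_RE.match(line)
        if c and key is not None:
            cmds.append((c.group("verb"), c.group("cmd")))
    if key and cmds:
        results.append((key, cmds))
    return results


def build_cfscript(hjt_log, combofix_log):
    """Emit the Registry:: block; a leading '-' on a key means 'delete key'."""
    lines = ["Registry::"]
    for clsid, _ in orphaned_bhos(hjt_log):
        lines.append(f"[-{BHO_KEY}\\{clsid}]")
    for key, _ in autorun_mountpoints(combofix_log):
        lines.append(f"[-{key}]")
    return "\n".join(lines) + "\n"


# Constructed sample input: the O2 lines of the 25/02/2008 HijackThis log and
# the MountPoints2 block of the 21/02/2008 ComboFix log, as posted above.
SAMPLE_HJT = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {02F50A32-3119-4186-BD6E-CBF41F5E6390} - C:\WINDOWS\system32\mljge.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {59C945D3-881D-481B-A347-3633DE13CB78} - C:\WINDOWS\system32\geedc.dll (file missing)
O2 - BHO: {59e9cbf6-30c7-786b-a194-478f34e1e167} - {761e1e43-f874-491a-b687-7c036fbc9e95} - C:\WINDOWS\system32\fjufvdmr.dll (file missing)
O2 - BHO: (no name) - {A066A570-6FD6-4B1D-A65D-0AE61E5F8D46} - C:\Program Files\MSN Gaming Zone\horevocC:\WINDOWS\system32\uwcee9\renamd83122.exe.dll (file missing)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {D422CDBE-2D38-45A7-B283-8FF3E278F87D} - C:\WINDOWS\system32\ssqpq.dll (file missing)
"""
SAMPLE_COMBOFIX = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
\Shell\Auto\command - AdobeR.exe e
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL AdobeR.exe e
"""

if __name__ == "__main__":
    print(build_cfscript(SAMPLE_HJT, SAMPLE_COMBOFIX))
```

Only the Registry:: part lends itself to this; the File:: and Folder:: entries in the helper's script came from reading the earlier ComboFix output for dropped files and folders, which still takes a human eye. The generated block lists the same five CLSIDs and the same MountPoints2 key as the script above, so the two can be compared line by line before the script is dropped onto ComboFix.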

Posted

hi!

thanks for all this work! And to Angélique!

here are the latest scans:

ComboFix report:

 

ComboFix 08-02-21 - MD 2008-02-26 22:19:40.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.33.1036.18.1637 [GMT 1:00]

Location: C:\Documents and Settings\MD\Bureau\ComboFix.exe

Command switches used :: C:\Documents and Settings\MD\Bureau\CFScript.txt

* Creating a new restore point

 

WARNING - THE RECOVERY CONSOLE IS NOT INSTALLED ON THIS MACHINE!!

 

FILE ::

C:\WINDOWS\system32\nGpxx01

C:\WINDOWS\system32\pac.txt

.

 

(((((((((((((((((((((((((((((((((((( Other deletions ))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\Temp

C:\Temp\gTiis19\lTig.log

C:\VundoFix Backups

C:\VundoFix Backups\merde.dll.bad

C:\WINDOWS\system32\aee1

C:\WINDOWS\system32\uwcee9

C:\WINDOWS\system32\uwcee9\renamd83122.exe

 

.

((((((((((((((((((((((((((((( Files created 2008-01-26 to 2008-02-26 ))))))))))))))))))))))))))))))))))))

.

 

2008-02-26 22:12 . 2008-02-25 15:14 <REP> d-------- C:\SDFix

2008-01-27 23:29 . 2008-01-27 23:29 <REP> d-------- C:\Program Files\Avira

2008-01-27 23:29 . 2008-01-27 23:29 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Avira

2008-01-27 22:33 . 2008-01-27 22:33 <REP> d-------- C:\Program Files\Trend Micro

2008-01-26 23:20 . 2008-01-27 23:43 <REP> d-------- C:\Program Files\Dot1XCfg

 

.

(((((((((((((((((((((((((((((((((( Find3M report ))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-02-26 20:59 --------- d-----w C:\Documents and Settings\MD\Application Data\OpenOffice.org2

2008-02-19 07:52 --------- d-----w C:\Documents and Settings\MD\Application Data\AdobeUM

2008-02-11 12:56 --------- d-----w C:\Program Files\Free Easy Burner

2008-01-26 13:28 --------- d-----w C:\Documents and Settings\MD\Application Data\DivX

2008-01-23 22:31 --------- d-----w C:\Program Files\DivX

2008-01-11 18:30 --------- d-----w C:\Program Files\Last.fm

2008-01-09 22:09 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP

2008-01-06 18:34 --------- d-----w C:\Program Files\iTunes

2008-01-06 18:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Last.fm

2008-01-04 21:59 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe

2008-01-04 21:58 9,464 ------w C:\WINDOWS\system32\drivers\cdralw2k.sys

2008-01-04 21:58 9,336 ------w C:\WINDOWS\system32\drivers\cdr4_xp.sys

2008-01-04 21:58 43,528 ------w C:\WINDOWS\system32\drivers\pxhelp20.sys

2008-01-04 21:58 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll

2008-01-04 21:58 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll

2008-01-04 21:58 129,784 ------w C:\WINDOWS\system32\pxafs.dll

2008-01-04 21:58 120,056 ------w C:\WINDOWS\system32\pxcpyi64.exe

2008-01-04 21:58 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe

2008-01-04 21:58 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll

2008-01-04 21:57 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll

2008-01-04 21:57 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll

2008-01-04 21:57 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll

2008-01-04 21:57 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll

2008-01-04 21:57 682,496 ----a-w C:\WINDOWS\system32\DivX.dll

2008-01-04 21:57 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll

2008-01-04 21:57 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll

2008-01-04 21:57 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll

2008-01-04 21:57 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll

2008-01-04 21:57 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll

2008-01-04 21:57 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll

2008-01-04 21:57 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll

2008-01-04 21:56 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe

2008-01-04 21:56 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll

2007-12-18 09:51 179,584 ------w C:\WINDOWS\system32\dllcache\mrxdav.sys

2007-12-07 14:37 3,080,192 ------w C:\WINDOWS\system32\dllcache\mshtml.dll

2007-12-06 13:07 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe

2007-12-04 18:41 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll

2007-12-04 18:41 550,912 ------w C:\WINDOWS\system32\dllcache\oleaut32.dll

2007-02-03 13:10 1,931 ----a-w C:\Program Files\README_WINPCAP.txt

2007-02-01 14:12 7,975,963 ----a-w C:\Program Files\packetgarden_1.0_setup.exe

2006-09-25 12:24 467,181 ----a-w C:\Program Files\winpcap_3.1.exe

2006-02-24 16:39 52,855,506 ----a-w C:\Program Files\openofficeorg3.cab

2006-02-24 16:39 2,352,893 ----a-w C:\Program Files\openofficeorg4.cab

2006-02-24 16:34 14,868,750 ----a-w C:\Program Files\openofficeorg2.cab

2006-02-24 16:33 18,306,767 ----a-w C:\Program Files\openofficeorg1.cab

2006-02-24 16:32 5,223,424 ----a-w C:\Program Files\openofficeorg20.msi

2006-02-24 16:32 217 ----a-w C:\Program Files\setup.ini

2006-02-08 11:01 266,240 ----a-w C:\Program Files\setup.exe

2002-03-11 09:06 1,822,520 ----a-w C:\Program Files\instmsiw.exe

2002-03-11 08:45 1,708,856 ----a-w C:\Program Files\instmsia.exe

2001-03-28 10:02 122,880 ----a-w C:\WINDOWS\inf\Agfa\message.exe

.

 

((((((((((((((((((((((((((((((((( Reg loading points )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

REGEDIT4

*Note* empty entries & legitimate default entries are not listed

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-05 12:00 15360]

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208]

"DMX"="C:\Program Files\Dell\Media Experience\DMX.exe" [ ]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Fichiers communs\Ahead\Lib\NMBgMonitor.exe" [ ]

"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2006-08-21 16:37 20053032]

"Dot1XCfg"="C:\Program Files\Dot1XCfg\Dot1XCfg.exe" [ ]

"Router"="C:\Program Files\Router\Router.exe" [ ]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 17:48 32881]

"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 00:20 339968 C:\WINDOWS\stsystra.exe]

"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 21:05 344064]

"ISUSPM Startup"="C:\PROGRA~1\FICHIE~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [ ]

"ISUSScheduler"="C:\Program Files\Fichiers communs\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50 81920]

"AME_CSA"="csa.cpl" [2003-06-12 11:42 757760 C:\WINDOWS\system32\CSA.cpl]

"AdobeVersionCue"="C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe" [2003-10-22 16:33 1732608]

"TkBellExe"="C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" [2005-11-05 20:07 180269]

"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-11-29 20:50 196608]

"SetIcon"="C:\Program Files\Icons\SetIcon.exe" [2002-12-16 10:02 39936]

"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 05:24 286720]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-10 08:18 270648]

"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-01-27 23:31 249896]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-05 12:00 15360]

 

C:\Documents and Settings\MD\Menu Démarrer\Programmes\Démarrage\

Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2008-01-06 19:33:46 106496]

OpenOffice.org 2.0.lnk - C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe [2006-01-25 17:42:22 61440]

 

S3 AmeAtmPc;AmeAtmPc;C:\WINDOWS\system32\DRIVERS\AmeAtmPc.sys [2003-04-04 18:13]

S3 AtmElan;Réseau émulant ATM;C:\WINDOWS\system32\DRIVERS\atmlane.sys [2004-08-05 12:00]

S3 AtmLane;Émulation réseau ATM;C:\WINDOWS\system32\DRIVERS\atmlane.sys [2004-08-05 12:00]

S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 22:10]

 

.

Contents of the 'Scheduled Tasks' folder

"2008-01-12 13:59:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"

- C:\Program Files\Apple Software Update\SoftwareUpdate.exe

.

**************************************************************************

 

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-02-26 22:21:48

Windows 5.1.2600 Service Pack 2 NTFS

 

Scanning hidden processes ...

 

Scanning hidden autostart entries ...

 

Scanning hidden files ...

 

Scan completed successfully

Hidden files: 0

 

**************************************************************************

.

Completion time: 2008-02-26 22:22:12

ComboFix-quarantined-files.txt 2008-02-26 21:22:10

ComboFix2.txt 2008-02-21 10:47:21

.

2008-02-26 07:46:52 --- E O F ---

 

 

 

Rapport SDFix

 

 

SDFix: Version 1.147

 

Run by MD on Tue 26/02/2008 at 22:29

 

Microsoft Windows XP [version 5.1.2600]

Running From: C:\SDFix

 

Checking Services :

 

 

Restoring Windows Registry Values

Restoring Windows Default Hosts File

 

Rebooting

 

 

Checking Files :

 

Trojan Files Found:

 

C:\Program Files\Setup.exe - Deleted

 

 

 

Folder C:\Program Files\Dot1XCfg - Removed

 

 

Removing Temp Files

 

ADS Check :

 

 

 

Final Check :

 

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-02-26 22:33:25

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden services & system hive ...

 

scanning hidden registry entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden processes: 0

hidden services: 0

hidden files: 0

 

 

Remaining Services :

 

 

 

Authorized Application Key Export:

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

 

Remaining Files :

 

 

File Backups: - C:\SDFix\backups\backups.zip

 

Files with Hidden Attributes :

 

 

Finished!

 

 

 

And the latest HijackThis report!

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 22:39:12, on 26/02/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\system32\drivers\CDAC11BA.EXE

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Fichiers communs\InstallShield\UpdateService\issch.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe

C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe

C:\WINDOWS\system32\NotifyPhoneBook.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe

C:\Program Files\Icons\SetIcon.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe

C:\Program Files\Last.fm\LastFMHelper.exe

C:\Program Files\OpenOffice.org 2.0\program\soffice.exe

C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\zebulon.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www1.euro.dell.com/content/default....;l=fr&s=gen

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.euro.dell.com/content/default....;l=fr&s=gen

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www1.euro.dell.com/content/default....;l=fr&s=gen

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\FICHIE~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Fichiers communs\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [AME_CSA] rundll32 csa.cpl,RUN_DLL

O4 - HKLM\..\Run: [AdobeVersionCue] C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe

O4 - HKLM\..\Run: [setIcon] C:\Program Files\Icons\SetIcon.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [DMX] C:\Program Files\Dell\Media Experience\DMX.exe -sys

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Fichiers communs\Ahead\Lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe

O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Assistant d'Acrobat.lnk = C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe

O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Service de l'iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

 

--

End of file - 7160 bytes

Posted (edited)

Yo!

Your HijackThis log looks clean, good work :P !

We'll run another ComboFix scan to see whether anything is left to get rid of:

  • Disconnect from the internet and disable your antivirus (just for the duration of the procedure).
  • Close all windows.
  • Double-click combofix.exe (don't click in the window that opens).
  • Press Y to start the scan.
  • At the end of the scan (it can take a while), a report will be created.
  • Post that report in your next message.

Edited by oGu
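Reading a log as "clean" is a judgement made by eye; the more reliable check is to diff the log taken before the fix against the one taken after it, so that every removed entry is accounted for and anything new stands out. The following is an added example of that comparison; it is not code from the thread or from HijackThis. The two samples are the O2 lines and a subset of the O4 lines copied from the 25/02/2008 and 26/02/2008 logs posted above, with the other sections left out.

```python
"""Diff two HijackThis logs to show which entries a cleanup removed and which
appeared, so that 'looks clean' rests on more than a read-through.

Added example: not code from the thread or from HijackThis. The samples are
O2 and O4 lines copied verbatim from the 25/02/2008 (before) and 26/02/2008
(after) logs posted above; the remaining sections are omitted for brevity.
"""
import re

# Every HijackThis item line is '<section> - <entry>', e.g. 'O2 - BHO: ...'.
ENTRY_RE = re.compile(r"^(O\d+) - (.+)$")


def entries(log):
    """Map each item line to its section, skipping the header, the running
    process list and the trailer, which do not match the item pattern."""
    out = {}
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out[m.group(2)] = m.group(1)
    return out


def diff_logs(before, after):
    """Return (removed, added): items only in 'before' and only in 'after'."""
    b, a = entries(before), entries(after)
    removed = sorted(e for e in b if e not in a)
    added = sorted(e for e in a if e not in b)
    return removed, added


def missing_file_bhos(log):
    """O2 entries whose DLL is gone: the leftover the helper removed with
    HijackThis and the CFScript. A log that is really clean has none."""
    return [e for e, sec in entries(log).items()
            if sec == "O2" and e.endswith("(file missing)")]


# Constructed sample input, copied from the two logs above.
BEFORE = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {02F50A32-3119-4186-BD6E-CBF41F5E6390} - C:\WINDOWS\system32\mljge.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {59C945D3-881D-481B-A347-3633DE13CB78} - C:\WINDOWS\system32\geedc.dll (file missing)
O2 - BHO: {59e9cbf6-30c7-786b-a194-478f34e1e167} - {761e1e43-f874-491a-b687-7c036fbc9e95} - C:\WINDOWS\system32\fjufvdmr.dll (file missing)
O2 - BHO: (no name) - {A066A570-6FD6-4B1D-A65D-0AE61E5F8D46} - C:\Program Files\MSN Gaming Zone\horevocC:\WINDOWS\system32\uwcee9\renamd83122.exe.dll (file missing)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {D422CDBE-2D38-45A7-B283-8FF3E278F87D} - C:\WINDOWS\system32\ssqpq.dll (file missing)
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Dot1XCfg] C:\Program Files\Dot1XCfg\Dot1XCfg.exe
O4 - HKCU\..\Run: [Router] C:\Program Files\Router\Router.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
"""
AFTER = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
"""

if __name__ == "__main__":
    removed, added = diff_logs(BEFORE, AFTER)
    print("removed:", *removed, sep="\n  ")
    print("added:", *added, sep="\n  ")
    print("BHOs with a missing DLL still listed:", missing_file_bhos(AFTER))
```

On these samples the diff reports seven removed entries (the five orphaned BHOs plus the Dot1XCfg and Router Run entries, whose folders SDFix and ComboFix had dealt with) and a single added one, ctfmon.exe for the Local Service account, the same entry the other built-in accounts already carried, so not something new to chase. The remaining O4 and O23 lines of the full logs can be fed through the same functions unchanged.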
