Rapport HJT

[Digger]

Ca a marché avec le second lien.

Voici le rapport "vert" OTM:

 

C:\WINNT\web\related.htm moved successfully.

File/Folder C:\Program Files\EoRezo not found.

[Custom Input]

< EmptyTemp >

Temp folders emptied.

IE temp folders emptied.

 

OTMoveIt2 v1.0.20 log created on 03102008_114602

[angelique]

fait pas 36.000 messages , postes tous les rapports d'un seul coup. merci

[Digger]

run this .bat ça marche aussi?

je n'ai pas run this .cmd...

[Digger]

Le rapport OTM:

 

C:\WINNT\web\related.htm moved successfully.

File/Folder C:\Program Files\EoRezo not found.

[Custom Input]

< EmptyTemp >

Temp folders emptied.

IE temp folders emptied.

 

OTMoveIt2 v1.0.20 log created on 03102008_114602

 

Le rapport Orphservices:

 

Services with missing ImagePath value

--------------------------------------

 

None found

 

 

Le rapport SDFIX:

 

SDFix: Version 1.155

 

Run by EKAdmin on lun. 10/03/2008 at 12:41

 

Microsoft Windows 2000 [Version 5.00.2195]

Running From: C:\SDFix

 

Checking Services :

 

Name:

DLLHOST32

usbpda

 

Path:

"C:\WINNT\system\dllhost.exe"

%SystemRoot%\System32\svchost.exe -k netsvcs

 

DLLHOST32 - Deleted

usbpda - Deleted

 

 

 

Restoring Windows Registry Values

Restoring Windows Default Hosts File

 

Rebooting

 

 

Checking Files :

 

Trojan Files Found:

 

C:\-79662~1 - Deleted

C:\Documents and Settings\Administrator\Application Data\Install.dat - Deleted

C:\WINNT\system32\kr_done1 - Deleted

 

 

 

 

 

Removing Temp Files

 

ADS Check :

 

 

 

Final Check :

 

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-03-10 12:47:51

Windows 5.0.2195 Service Pack 4 NTFS

 

scanning hidden processes ...

 

scanning hidden services & system hive ...

 

scanning hidden registry entries ...

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

@=""

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ActiveSync]

@=""

"Lock"="WLEventLock"

"Unlock"="WLEventUnlock"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

"DllName"="WcesWlgn.dll"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\byvwx]

"Asynchronous"=dword:00000001

"DllName"="C:\WINNT\system32\byvwx.dll"

"Impersonate"=dword:00000000

"Startup"="SysLogon"

"Logoff"="SysLogoff"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cbxwvvs]

"Asynchronous"=dword:00000001

"DllName"="cbxwvvs.dll"

"Impersonate"=dword:00000000

"Logon"="Logon"

"Logoff"="Logoff"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=str(2):"crypt32.dll"

"Logoff"="ChainWlxLogoffEvent"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=str(2):"cryptnet.dll"

"Logoff"="CryptnetWlxLogoffEvent"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]

"DLLName"="cscdll.dll"

"Logon"="WinlogonLogonEvent"

"Logoff"="WinlogonLogoffEvent"

"ScreenSaver"="WinlogonScreenSaverEvent"

"Startup"="WinlogonStartupEvent"

"Shutdown"="WinlogonShutdownEvent"

"StartShell"="WinlogonStartShellEvent"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\origami]

"a"="4992913023505517"

"b"=dword:0000000b

"DllName"="C:\WINNT\system32\cfgldr.dll"

"Startup"="DllName"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]

"Logoff"="WLEventLogoff"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

"DllName"=str(2):"sclgntfy.dll"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]

"DLLName"="WlNotify.dll"

"Lock"="SensLockEvent"

"Logon"="SensLogonEvent"

"Logoff"="SensLogoffEvent"

"Safe"=dword:00000001

"MaxWait"=dword:00000258

"StartScreenSaver"="SensStartScreenSaverEvent"

"StopScreenSaver"="SensStopScreenSaverEvent"

"Startup"="SensStartupEvent"

"Shutdown"="SensShutdownEvent"

"StartShell"="SensStartShellEvent"

"Unlock"="SensUnlockEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]

"DLLName"="wzcdlg.dll"

"Logon"="WZCEventLogon"

"Logoff"="WZCEventLogoff"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000000

 

scanning hidden files ...

 

scan completed successfully

hidden processes: 0

hidden services: 0

hidden files: 0

 

 

Remaining Services :

 

 

 

Remaining Files :

 

 

File Backups: - C:\SDFix\backups\backups.zip

 

Files with Hidden Attributes :

 

Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"

Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"

Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"

Fri 9 Feb 2007 501,605 ..SH. --- "C:\WINNT\system32\xwvyb.bak1"

Sun 11 Feb 2007 502,836 ..SH. --- "C:\WINNT\system32\xwvyb.bak2"

Sun 26 Nov 2006 24,576 ...H. --- "C:\DATA\USERS\EKADMIN\~WRL0999.tmp"

Sun 26 Nov 2006 25,088 ...H. --- "C:\DATA\USERS\EKADMIN\~WRL1105.tmp"

Sun 26 Nov 2006 25,600 ...H. --- "C:\DATA\USERS\EKADMIN\~WRL2102.tmp"

Tue 16 Jan 2007 23,552 ...H. --- "C:\DATA\USERS\EKADMIN\~WRL2882.tmp"

Sun 26 Nov 2006 25,088 ...H. --- "C:\DATA\USERS\EKADMIN\~WRL3640.tmp"

Sun 26 Nov 2006 25,600 ...H. --- "C:\DATA\USERS\EKADMIN\~WRL3894.tmp"

Tue 6 May 2003 20,480 ...H. --- "C:\DATA\USERS\P15750\~WRL0003.tmp"

Thu 15 May 2003 43,008 ...H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"

 

Finished!

 

 

Merci

[angelique]

Un peu de presence de vundo:

 

• supprime c:\SDFix

 

• Télécharge VundoFix.exe (par Atribune) sur ton Bureau.

 

http://www.atribune.org/ccount/click.php?id=4

 

Double-clique VundoFix.exe afin de le lancer.

.

Clique sur le bouton Scan for Vundo.

Lorsque le scan est complété, clique sur le bouton

Fix Vundo.

Une invite te demandera si tu veux supprimer les fichiers, clique YES

Après avoir cliqué "Yes", le Bureau disparaîtra un moment lors de la suppression des fichiers.

Tu verras une invite qui t'annonce que ton PC va s'éteindre ("shutdown"); clique OK

Redémarre le pc et Copie/colle le contenu du rapport situé dans C:\vundofix.txt

[Digger]

le rapport est vierge.

les dernières invites ne sont pas "sorties"...

[angelique]

Bon y'a pourtant des traces de Downloader.ConHook

 

• tu desactives temporairement antivir pour executer ComboFix

 

Télécharge combofix.exe (par sUBs) et sauvegarde le sur ton bureau.

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

 

* Double-clique combofix.exe afin de l'exécuter et suis les instructions.

* Lorsque l'analyse sera complétée, un rapport apparaîtra que tu me posteras.

[Digger]

ComboFix 08-03-09.4 - EKAdmin 10/03/2008 14:41:19.1 - NTFSx86

Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

C:\Program Files\vsadd-in

C:\WINNT\Web\default.htt

 

----- BITS: Possible infected sites -----

 

hxxp://patssus01.ekc2.ekc.kodak.com

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\LEGACY_MMUPDATE

-------\LEGACY_WINCOM32

-------\mmupdate

 

 

((((((((((((((((((((((((( Files Created from 2008-02-10 to 2008-03-10 )))))))))))))))))))))))))))))))

.

 

2008-03-10 14:21 . 08-03-10 14:21 <DIR> d-------- C:\VundoFix Backups

2008-03-10 12:17 . 08-03-10 12:17 <DIR> d-------- C:\WINNT\ERUNT

2008-03-10 11:48 . 08-03-10 12:52 <DIR> d-------- C:\SDFix

2008-03-10 11:46 . 08-03-10 11:46 <DIR> d-------- C:\_OTMoveIt

2008-03-09 17:57 . 08-03-09 17:57 <DIR> d-------- C:\Program Files\Avira

2008-03-09 17:57 . 08-03-09 17:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira

2008-03-08 13:52 . 08-03-08 13:51 691,545 --a------ C:\WINNT\unins000.exe

2008-03-08 13:52 . 08-03-08 13:52 2,547 --a------ C:\WINNT\unins000.dat

2008-03-05 07:59 . 08-03-10 11:25 <DIR> d-------- C:\Hijackthis

2008-03-04 20:00 . 08-03-05 07:30 <DIR> d-------- C:\Program Files\a-squared Anti-Malware

2008-03-04 19:47 . 08-03-04 19:47 <DIR> d-------- C:\Program Files\ToniArts

2008-03-03 14:07 . 08-03-03 14:07 0 --a------ C:\WINNT\3

2008-03-01 14:21 . 08-03-03 12:33 <DIR> d-------- C:\Program Files\Defenza

2008-03-01 14:21 . 96-08-20 20:37 15,840 --a------ C:\WINNT\system32\Machnm1.exe

2008-03-01 14:21 . 05-09-25 16:37 5,632 --a------ C:\WINNT\system32\Machnm64.sys

2008-03-01 14:21 . 08-03-01 14:21 3,120 --a------ C:\WINNT\system32\118290.54

2008-03-01 14:21 . 08-03-01 14:21 3,120 --a------ C:\WINNT\118294.78

2008-03-01 14:21 . 03-08-13 00:27 2,304 --a------ C:\WINNT\system32\Machnm32.sys

2008-03-01 14:08 . 08-03-01 14:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Uniblue

2008-03-01 13:50 . 08-03-01 14:08 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Uniblue

2008-03-01 13:42 . 08-03-01 13:42 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\ItsLabel

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-03-08 12:55 --------- d---a-w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

2008-03-08 12:54 --------- d-----w C:\Program Files\Spybot - Search & Destroy

2008-03-07 19:14 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AdobeUM

2008-03-04 18:47 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-03-04 18:47 --------- d---a-w C:\Program Files\Common Files\InstallShield

2008-01-21 09:59 --------- d-----w C:\Program Files\Trend Micro

2008-01-21 09:51 102,664 ----a-w C:\WINNT\system32\drivers\tmcomm.sys

2003-09-01 08:38 832 ----a-w C:\Program Files\INSTALL.LOG

2002-01-08 19:10 271 ---ha-w C:\Program Files\desktop.ini

2002-01-08 19:10 21,952 ---ha-w C:\Program Files\folder.htt

1999-12-07 12:00 32,528 -c--a-w C:\WINNT\inf\wbfirdma.sys

2007-02-09 07:54 501,605 -csh--w C:\WINNT\system32\xwvyb.bak1

2007-02-11 18:02 502,836 --sh--w C:\WINNT\system32\xwvyb.bak2

2007-02-11 08:06 508,108 -csh--w C:\WINNT\system32\xwvyb.ini2

.

 

------- Sigcheck -------

 

01-05-08 01:00 7952 1206706a25c5b32652b4f465ede330e9 C:\WINNT\system32\svchost.exe

99-12-07 13:00 7952 9e64ad53cfd9da2d22e8a924f8c6e62c C:\WINNT\system32\dllcache\svchost.exe

 

03-06-19 11:05 181008 3980c28d116d438bbb36fb38526fde1a C:\WINNT\ServicePackFiles\i386\winlogon.exe

05-06-03 11:25 191248 5b5c3a13997c536c1ea1956ac7a41db8 C:\WINNT\system32\WINLOGON.EXE

03-06-19 17:05 181008 3980c28d116d438bbb36fb38526fde1a C:\WINNT\system32\dllcache\WINLOGON.EXE

 

03-06-19 11:05 1694080 541daef38c9c82541690aa7e6f52f654 C:\WINNT\ServicePackFiles\i386\ntkrnlpa.exe

07-03-06 05:03 1717056 12e5366b7d7eac583309cdada766b2e9 C:\WINNT\system32\NTKRNLPA.EXE

 

03-06-19 11:05 1719056 61a2dcfce1abf5340d2128e45b5f52b7 C:\WINNT\ServicePackFiles\i386\ntoskrnl.exe

07-03-06 05:03 1694400 a7ac10f8cea3d5d48e8a38f09462c448 C:\WINNT\system32\NTOSKRNL.EXE

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]

"E:\"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [08-01-28 11:43 2097488]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [08-03-10 07:06 249896]

"Synchronization Manager"="mobsync.exe" [03-06-19 11:05 111376 C:\WINNT\system32\mobsync.exe]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"internat.exe"="internat.exe" [01-05-08 01:00 20752 C:\WINNT\system32\internat.exe]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 17:05 186640]

 

C:\Documents and Settings\Default User\Start Menu\Programs\Startup\

ieproxychk.bat [2003-11-17 15:47:06 214]

userdata.bat [2001-09-04 21:41:19 251]

 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Collect Most Frequent Userid.lnk.disabled [2004-04-16 17:13:38 496]

McAfee Desktop Firewall Tray.lnk.disabled [2004-04-16 17:13:38 745]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"disablecad"= 0 (0x0)

"RunLogonScriptSync"= 0 (0x0)

"RunStartupScriptSync"= 1 (0x1)

"SynchronousMachineGroupPolicy"= 1 (0x1)

"SynchronousUserGroupPolicy"= 1 (0x1)

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoToolbarCustomize"= 0 (0x0)

"NoBandCustomize"= 0 (0x0)

"NoMSAppLogo5ChannelNotify"= 1 (0x1)

"NoWelcomeScreen"= 1 (0x1)

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"Btn_Back"= 0 (0x0)

"Btn_Forward"= 0 (0x0)

"Btn_Stop"= 0 (0x0)

"Btn_Refresh"= 0 (0x0)

"Btn_Home"= 0 (0x0)

"Btn_Search"= 0 (0x0)

"Btn_History"= 0 (0x0)

"Btn_Favorites"= 0 (0x0)

"Btn_Folders"= 0 (0x0)

"Btn_Fullscreen"= 0 (0x0)

"Btn_Tools"= 0 (0x0)

"Btn_MailNews"= 0 (0x0)

"Btn_Size"= 0 (0x0)

"Btn_Print"= 0 (0x0)

"Btn_Edit"= 0 (0x0)

"Btn_Discussions"= 0 (0x0)

"Btn_Cut"= 0 (0x0)

"Btn_Copy"= 0 (0x0)

"Btn_Paste"= 0 (0x0)

"Btn_Encoding"= 0 (0x0)

"Btn_PrintPreview"= 0 (0x0)

"NoFavoritesMenu"= 0 (0x0)

"NoLogoff"= 0 (0x0)

"EnforceShellExtensionSecurity"= 0 (0x0)

"NoDeletePrinter"= 0 (0x0)

"NoAddPrinter"= 0 (0x0)

"NoPrinterTabs"= 0 (0x0)

"Btn_Media"= 0 (0x0)

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ActiveSync]

WcesWlgn.dll 05-11-15 19:44 7168 C:\WINNT\system32\WcesWlgn.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byvwx]

C:\WINNT\system32\byvwx.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxwvvs]

cbxwvvs.dll

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Authentication Packages REG_MULTI_SZ msv1_0 TivoliAP

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"AGRSMMSG"=AGRSMMSG.exe

"dla"=C:\WINNT\system32\dla\tfswctrl.exe

"lcfep"="C:\apps\Tivoli\lcf\bin\w32-ix86\mrt\lcfep.exe" -x

"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

"pdfFactory Dispatcher v1"=C:\WINNT\System32\spool\DRIVERS\W32X86\2\fppdis1.exe

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime

"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

"SunJavaUpdateSched"=C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

"SwdisUsrPCN.patwlc5528"="C:\apps\Tivoli\lcf\dat\1\cache\lib\w32-ix86\wdusrpcn.exe" "C:\apps\Tivoli\swdis\1\wdusrpcn.env"

"Synchronization Manager"=mobsync.exe /logon

 

R0 avgntmgr;avgntmgr;C:\WINNT\system32\DRIVERS\avgntmgr.sys [07-07-18 14:21 ]

R1 avgntdd;avgntdd;C:\WINNT\system32\DRIVERS\avgntdd.sys [07-08-09 13:03 ]

R1 TGrab;Tivoli Remote Control Text Grabber;C:\WINNT\system32\drivers\TGrab.sys [03-04-11 09:05 ]

R1 TPPWR;TPPWR;C:\WINNT\system32\drivers\Tppwr.sys [03-01-17 01:32 ]

R2 MouEx2;Tivoli Remote Control Pointer Filter;C:\WINNT\system32\drivers\MouEx2.sys [03-04-11 09:05 ]

R2 TME10RC;Tivoli Remote Control Service;C:\WINNT\RCSERV.EXE [03-04-11 09:05 ]

R3 Eqnmirdd;Eqnmirdd;C:\WINNT\system32\DRIVERS\Eqnmirdd.sys [03-04-11 09:05 ]

R3 fhlppppoe;PPPOE/ADSL miniport;C:\WINNT\system32\DRIVERS\fhlpppoe.sys [02-11-21 16:35 ]

R3 KeyEx2;Tivoli Remote Control Keyboard Filter;C:\WINNT\system32\drivers\KeyEx2.sys [03-04-11 09:05 ]

R3 Tp4Track;IBM PS/2 TrackPoint Driver;C:\WINNT\system32\DRIVERS\tp4track.sys [02-07-16 09:07 ]

S2 aswMon;avast! Standard Shield Support;C:\WINNT\system32\drivers\aswMon.sys [07-04-18 17:12 ]

S2 EKInst;EKInstaller;C:\WINNT\SYSTEM32\srvany.exe []

S2 IPSECEXT;Nortel Extranet Access Protocol;C:\WINNT\system32\DRIVERS\ipsecw2k.sys []

S2 lcfd;Tivoli Endpoint;"C:\apps\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE" []

S2 MsaSvc;Microsoft authenticate service;C:\WINNT\system32\msasvc.exe []

S2 mside;Microsoft Sata emulation;"C:\WINNT\system\mside.exe" []

S2 Ndiskio;Ndiskio;C:\VIRUSfighter\Nse\bin\NDISKIO.SYS []

S2 wsmv;wsmv(wsmv);"C:\WINNT\system32\wmsv.exe" []

S3 Eacfilt;Eacfilt Miniport;C:\WINNT\system32\DRIVERS\eacfilt.sys []

S3 FireProx;%pgpnetMP_Desc%;C:\WINNT\system32\DRIVERS\fireprox.sys []

S3 IPSECSHM;Nortel IPSECSHM Adapter;C:\WINNT\system32\DRIVERS\ipsecw2k.sys []

S3 nvcfsr;nvcfsr;C:\VIRUSfighter\Nvc\bin\nvcfsr.sys []

S3 nvcoafl5;nvcoafl5;C:\VIRUSfighter\Nvc\bin\nvcoafl5.sys []

S3 nvcoaft5;nvcoaft5;C:\VIRUSfighter\Nvc\bin\nvcoaft5.sys []

S3 nvcoarc5;nvcoarc5;C:\VIRUSfighter\Nvc\bin\nvcoarc5.sys []

S3 nvcoas;Norman Virus Control on-access component;C:\VIRUSfighter\Nvc\bin\nvcoas.exe []

S3 NVCScheduler;Norman Virus Control Scheduler;C:\VIRUSfighter\Nvc\BIN\NVCSCHED.EXE []

S3 usb_rndisy;USB RNDIS Adapter;C:\WINNT\system32\DRIVERS\usb8023y.sys [05-10-25 09:02 ]

 

*Newly Created Service* - IPNAT

*Newly Created Service* - RASAUTO

*Newly Created Service* - SHAREDACCESS

.

Contents of the 'Scheduled Tasks' folder

"2007-06-15 18:02:40 C:\WINNT\Tasks\AppleSoftwareUpdate.job"

- C:\Program Files\Apple Software Update\SoftwareUpdate.exe

"2006-09-11 06:40:49 C:\WINNT\Tasks\BMMTask.job"

- C:\PROGRA~1\ThinkPad\UTILIT~1\BMMTASK.EXE

"2008-03-03 11:29:38 C:\WINNT\Tasks\Uniblue SpyEraser Nag.job"

- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe

"2008-03-01 13:09:32 C:\WINNT\Tasks\Uniblue SpyEraser.job"

- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe

.

**************************************************************************

 

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-03-10 14:46:39

Windows 5.0.2195 Service Pack 4 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\run]

"E:\\"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"

 

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\EKInst]

"ImagePath"=multi:"C:\WINNT\SYSTEM32\srvany.exe\00\00"

 

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\EKInst]

"ImagePath"=multi:"C:\WINNT\SYSTEM32\srvany.exe\00\00"

.

------------------------ Other Running Processes ------------------------

.

C:\WINNT\System32\ibmpmsvc.exe

C:\Program Files\a-squared Anti-Malware\a2service.exe

C:\WINNT\System32\Ati2evxx.exe

C:\WINNT\system32\hidserv.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\System32\mspmspsv.exe

.

**************************************************************************

.

Completion time: 2008-03-10 14:48:44 - machine was rebooted

ComboFix-quarantined-files.txt 2008-03-10 13:48:40

[angelique]

• clic droit sur http://www.mvps.org/winhelp2002/DelDomains.inf

 

et fait installer

 

• ouvre ton bloc note[executer--notepad] et copies/colles le contenu du cadre ci dessous:

 

Driver::
Ndiskio
wsmv
nvcfsr
nvcoafl5
nvcoas
nvcoarc5
NVCScheduler
MsaSvc
aswMon
mside
EKInst
mmupdate

File::
C:\WINNT\system32\xwvyb.bak1
C:\WINNT\system32\xwvyb.bak2
C:\WINNT\system32\xwvyb.ini2
C:\WINNT\system32\wmsv.exe
C:\WINNT\system32\msasvc.exe
C:\WINNT\system32\drivers\aswMon.sys
C:\WINNT\system\mside.exe
C:\WINNT\SYSTEM32\srvany.exe

Folder::
C:\VundoFix Backups
C:\SDFix
C:\_OTMoveIt
C:\VIRUSfighter

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byvwx]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxwvvs]

 

[*]Va en haut de la page et clique sur le menu"Fichier" , une liste apparait=>

[*]Choisis "Enregistrer sous" et choisis "Bureau"

[*]Dans le champs "Nom du fichier" en bas de page donne le nom suivant:CFScript en fichier .txt

[*]Clique sur le bouton "Enregistrer" à droite du champs "nom du fichier"

[*]Quitte le Bloc Notes.

[*]Fait un glisser/déposer de ce fichier CFScript.txt sur le fichier ComboFix.exe comme sur la capture

 

 

 

 

* suis les instructions

* Patiente le temps du scan.Le bureau va disparaitre à plusieurs reprises: c'est normal!

Ne touche à rien tant que le scan n'est pas terminé.

* Une fois le scan achevé, un rapport va s'afficher: poste son contenu.

* Si le fichier n'apparait pas, il se trouve ici > C:\ComboFix.txt

 

• reposte avec un nouveau rapport HJT

[Digger]

Je dois m'absenter.

Je ne pourrai faire cela que ce soir.

 

A tout à l'heure.

merci de ton attention et de ton temps.

 

On progresse, on progresse...