bureau changé

Syjo · le 12 juin 2008

Bonjour,

J'ai donc lancé SDfix en mode sans échec mais il était tellement long que j'ai fini par fermer la fenêtre (quand on ne connaît pas un logiciel et qu'on voit tout bloqué, on appréhende) en pensant le relancer comme tu m'as dit avec "exécuter" mais en fait il a continué sur sa lancée jusqu'à la finition, donc je ne sais pas si tout s'est déroulé correctement, s'il a bien tout cherché, enfin voici le rapport et un nouvel hijack.

Merci à vous deux.

Rebooting

Checking Files :

No Trojan Files Found

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-06-12 17:34:05

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\0020ed08caf1]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0020ed08caf1]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]

"h0"=dword:00000000

"ujdew"=hex:f0,50,53,99,2f,7b,6b,c9,ee,77,71,92,e2,d4,61,45,50,70,50,e3,0a,..

"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0020ed08caf1]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]

"s1"=dword:9e359bcf

"s2"=dword:a732bbf0

"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]

"h0"=dword:00000000

"ujdew"=hex:f0,50,53,99,2f,7b,6b,c9,ee,77,71,92,e2,d4,61,45,50,70,50,e3,0a,..

"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully

hidden processes: 0

hidden services: 0

hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:*:Enabled:Connection Manager"

"C:\\Program Files\\BitTorrent\\btdownloadgui.exe"="C:\\Program Files\\BitTorrent\\btdownloadgui.exe:*:Enabled:btdownloadgui"

"F:\\OUTILS\\spyblocker.exe"="F:\\OUTILS\\spyblocker.exe:*:Enabled:SpyBlocker"

"C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"="C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe:*:Enabled:TrueVector Service"

"C:\\Program Files\\eDonkey2000\\edonkey2000.exe"="C:\\Program Files\\eDonkey2000\\edonkey2000.exe:*:Enabled:eDonkey2000 Application"

"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"

"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"

"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files :

Files with Hidden Attributes :

Wed 20 Apr 2005 0 ..SHR --- "C:\WINDOWS\system32\SCardClnt.exe"

Sat 1 Apr 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"

Mon 27 Mar 2006 180 A..H. --- "C:\Program Files\ATI Multimedia\RemCtrl\x10prod.sys"

Tue 10 Jun 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"

Finished!

Hijack :

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 17:46:11, on 12/06/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\WINDOWS\system32\CTSvcCDA.exe

C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\PCI Audio Applications\Bin\EchoCtrl.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

F:\OUTILS\Protection PC\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aliceadsl.fr/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: Aide pour le lien d'Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Fichiers communs\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: EoRezoBHO - {64F56FC1-1272-44CD-BA6E-39723696E350} - C:\Program Files\EoRezo\EoAdv\EoRezoBHO.dll (file missing)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll

O4 - HKLM\..\Run: [C-Media Echo Control] C:\Program Files\PCI Audio Applications\Bin\EchoCtrl.exe

O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE LOCAL')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICE RÉSEAU')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [CT Control Settings] CTSVCCD.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [MSN7 Startup] msn7.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [Media Software UPdater] sscs.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [Windows Compliant] tjjhmc.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [Gta San Andreas] gta.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunServices: [MSN Messenger] msnmsgr.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunServices: [MSN Messenger] msnmsgr.exe (User 'Default user')

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Créer un Favori de l'appareil mobile - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll

O9 - Extra 'Tools' menuitem: Créer un Favori de l'appareil mobile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: http://www.realtimeforex.fr

O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab

O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1124442186140

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab

O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su2...15035/CTPID.cab

O20 - AppInit_DLLs: ,

O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

--

End of file - 7644 bytes

Falkra · le 12 juin 2008

Il y a eu un os, mais ce n'est pas grave, on va procéder différemment, sans SDFix.

Télécharge combofix.exe de sUBs et sauvegarde le sur ton bureau (et pas ailleurs).

Assure toi que tous les programmes sont fermés avant de commencer.
Double-clique combofix.exe afin de l'exécuter.
Clique sur "Oui" au message de Limitation de Garantie qui s'affiche.
Il est possible que ton parefeu te demande si tu acceptes ou non l'accès de nircmd.cfexe à la zone sûre: accepte.
Ne ferme pas la fenêtre qui vient de s'ouvrir, tu te retrouverais avec un bureau vide.
Lorsque l'analyse sera terminée, un rapport apparaîtra.
Copie-colle ce rapport dans ta prochaine réponse.
Le rapport se trouve dans : C:\Combofix.txt (si jamais).
Pour plus d'information et un tuto illustré, voici le seul tuto officiel et autorisé : http://www.bleepingcomputer.com/combofix/f...iliser-combofix

Syjo · le 12 juin 2008

Re-bonjour Falkra

Voici le rapport de Combofix, il a l'air d'avoir nettoyé pas mal de choses, j'ai patienté cette fois ! Je vois des fichiers qui ne me semblent pas "catholiques", je me trompe ?

Là, on va se mettre à table, donc, je te dis à demain ou plus! Et je ne manquerai pas d'aller voir les tutos.

Bonne soirée et merci de ta patience et tes conseils.

ComboFix 08-06-10.5 - freddo 2008-06-12 20:12:34.1 - NTFSx86

Endroit: C:\Documents and Settings\freddo.FRED\Bureau\ComboFix.exe

AVERTISSEMENT - LA CONSOLE DE RÉCUPÉRATION N'EST PAS INSTALLÉE SUR CETTE MACHINE !!

.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\WINDOWS\system32\cmesys.exe

C:\WINDOWS\system32\regsvr32.dll

.

((((((((((((((((((((((((((((( Fichiers cr‚‚s 2008-05-12 to 2008-06-12 ))))))))))))))))))))))))))))))))))))

.

2008-06-12 17:19 . 2008-06-12 17:19 <REP> d-------- C:\WINDOWS\ERUNT

2008-06-12 17:06 . 2008-06-12 17:37 <REP> d-------- C:\SDFix

2008-06-11 06:49 . 2008-04-14 17:52 272,768 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys

2008-06-09 20:39 . 2008-06-09 20:39 <REP> d-------- C:\Program Files\Avira

2008-06-07 21:30 . 2008-06-07 21:53 <REP> d-------- C:\Program Files\PestPatrol

2008-06-07 21:30 . 2008-06-07 21:50 <REP> d-------- C:\Program Files\a2 Free

2008-06-06 17:47 . 2001-10-02 20:17 31,744 --a------ C:\WINDOWS\system32\fxsroute.dll

2008-06-06 17:47 . 2001-10-02 20:17 31,744 --a--c--- C:\WINDOWS\system32\dllcache\fxsroute.dll

2008-06-06 17:47 . 2001-10-02 20:17 11,776 --a------ C:\WINDOWS\system32\fxssend.exe

2008-06-06 17:47 . 2001-10-02 20:17 11,776 --a--c--- C:\WINDOWS\system32\dllcache\fxssend.exe

2008-06-06 17:47 . 2001-10-02 20:17 3,712 --a------ C:\WINDOWS\system32\fxsperf.ini

2008-06-06 17:47 . 2001-10-02 20:17 1,361 --a------ C:\WINDOWS\system32\fxscount.h

2008-06-06 17:46 . 2001-10-02 20:17 141,312 --a------ C:\WINDOWS\system32\fxsclntR.dll

2008-06-06 17:46 . 2001-10-02 20:17 141,312 --a--c--- C:\WINDOWS\system32\dllcache\fxsclntr.dll

2008-06-06 17:46 . 2001-10-02 20:17 113,664 --a------ C:\WINDOWS\system32\fxscfgwz.dll

2008-06-06 17:46 . 2001-10-02 20:17 113,664 --a--c--- C:\WINDOWS\system32\dllcache\fxscfgwz.dll

2008-06-03 16:18 . 2008-06-09 20:39 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Avira

2008-06-03 14:10 . 2008-06-03 14:10 <REP> d-------- C:\WINDOWS\system32\AVGUARD_492e1194

2008-06-03 11:35 . 2008-06-08 13:04 <REP> d-------- C:\Program Files\Panda Security

2008-05-31 20:38 . 2008-05-31 20:38 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft

2008-05-26 20:33 . 2008-05-26 20:34 <REP> d-------- C:\Documents and Settings\All Users\Application Data\tpfmon

.

(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-06-10 06:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater

2008-06-06 07:56 --------- d-----w C:\Program Files\Audible

2008-06-01 11:12 --------- d-----w C:\Program Files\adslTV

2008-05-30 18:40 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP

2008-05-30 18:40 --------- d-----w C:\Program Files\SpywareBlaster

2008-05-27 15:34 --------- d-----w C:\Program Files\Security Task Manager

2008-05-08 14:13 --------- d-----w C:\Program Files\Uniblue

2008-05-08 14:13 --------- d-----w C:\Documents and Settings\freddo.FRED\Application Data\Uniblue

2008-05-08 13:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\SecTaskMan

2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys

2008-05-07 18:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7

2008-05-07 05:15 1,293,824 ----a-w C:\WINDOWS\system32\quartz.dll

2008-04-27 07:03 --------- d-----w C:\Documents and Settings\freddo.FRED\Application Data\albumart

2008-04-21 07:02 663,552 ----a-w C:\WINDOWS\system32\wininet.dll

2008-04-20 08:31 --------- d-----w C:\Program Files\Album Cover Art Downloader

2008-04-20 07:44 --------- d-----w C:\Documents and Settings\freddo.FRED\Application Data\Creative

2008-04-20 06:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Creative

2008-04-17 15:03 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-04-17 05:56 --------- d-----w C:\Program Files\Creative

2008-04-17 05:53 --------- d--h--w C:\Program Files\Creative Installation Information

2008-04-17 05:51 --------- d-----w C:\Program Files\Fichiers communs\Creative

2008-04-14 15:52 272,768 ------w C:\WINDOWS\system32\drivers\bthport.sys

2008-03-25 04:51 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll

2008-03-25 04:51 194,144 ----a-w C:\WINDOWS\system32\msjint40.dll

2008-03-20 08:09 1,845,376 ----a-w C:\WINDOWS\system32\win32k.sys

2003-05-07 01:00 45,056 ----a-r C:\Documents and Settings\CtDriverInstTemp\P1160Hwx.dll

2003-05-05 01:04 65,536 ----a-r C:\Documents and Settings\CtDriverInstTemp\CtCamMgr.dll

2003-05-02 01:00 40,960 ----a-r C:\Documents and Settings\CtDriverInstTemp\P1160Pin.dll

2003-04-15 01:00 36,864 ----a-r C:\Documents and Settings\CtDriverInstTemp\P1160Foa.dll

2003-04-10 02:01 73,728 ----a-r C:\Documents and Settings\CtDriverInstTemp\CtDrvIns.exe

2003-04-10 01:00 45,056 ----a-r C:\Documents and Settings\CtDriverInstTemp\P1160Hw2.dll

2003-03-31 04:47 6,656 ----a-r C:\Documents and Settings\CtDriverInstTemp\P1160Wrp.dll

2003-03-31 04:47 5,632 ----a-r C:\Documents and Settings\CtDriverInstTemp\P1160Sti.dll

2003-03-31 04:47 46,048 ----a-r C:\Documents and Settings\CtDriverInstTemp\P1160Vid.sys

2003-03-31 04:47 42,784 ----a-r C:\Documents and Settings\CtDriverInstTemp\P1160Buk.sys

2003-03-31 04:47 2,560 ----a-r C:\Documents and Settings\CtDriverInstTemp\P1160Twn.dll

2003-03-31 04:47 114,688 ----a-r C:\Documents and Settings\CtDriverInstTemp\P1160Jpg.dll

2003-03-26 12:47 39,424 ----a-r C:\Documents and Settings\CtDriverInstTemp\P1160Wia.dll

2003-03-21 01:00 24,576 ----a-r C:\Documents and Settings\CtDriverInstTemp\P1160Swa.dll

2003-03-10 01:00 126,976 ----a-r C:\Documents and Settings\CtDriverInstTemp\P1160Vfw.dll

2001-11-23 12:08 712,704 ----a-w C:\WINDOWS\inf\OTHER\audio3d.dll

2001-10-04 02:26 200,968 ----a-r C:\Documents and Settings\CtDriverInstTemp\Vfwupd.exe

2001-08-18 06:00 1,700,352 ----a-r C:\Documents and Settings\CtDriverInstTemp\GdiPlus.dll

2005-04-20 11:09 0 -csh--r C:\WINDOWS\system32\SCardClnt.exe

.

((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))

.

REGEDIT4

*Note* les ‚l‚ments vides & les ‚l‚ments initiaux l‚gitimes ne sont pas list‚s

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [2002-01-12 03:47 401496]

"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" [2007-12-22 09:20 222080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"C-Media Echo Control"="C:\Program Files\PCI Audio Applications\Bin\EchoCtrl.exe" [2001-12-05 16:47 147456]

"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2003-12-27 20:43 81920]

"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-20 01:09 15360]

"MSN Messenger"="msnmsgr.exe" []

"Y0xmRiM8Q"="wpnpy.exe" []

"CT Control Settings"="CTSVCCD.EXE" []

"NvMediaCenter"="C:\WINDOWS\System32\NVMCTRAY.DLL" [2003-09-23 09:51 49152]

"MSN7 Startup"="msn7.exe" []

"Media Software UPdater"="sscs.exe" []

"Windows Compliant"="tjjhmc.exe" []

"Gta San Andreas"="gta.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunServices]

"MSN Messenger"="msnmsgr.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoFavoritesMenu"= 0 (0x0)

"NoSMMyPictures"= 0 (0x0)

"NoStartMenuMyMusic"= 0 (0x0)

"NoRecentDocsNetHood"= 0 (0x0)

"NoInstrumentation"= 0 (0x0)

"NoSimpleStartMenu"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoFavoritesMenu"= 0 (0x0)

"NoSMMyPictures"= 0 (0x0)

"NoStartMenuMyMusic"= 0 (0x0)

"NoRecentDocsNetHood"= 0 (0x0)

"NoUserNameInStartMenu"= 0 (0x0)

"NoInstrumentation"= 0 (0x0)

"NoStartMenuPinnedList"= 0 (0x0)

"ForceStartMenuLogoff"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.PIM1"= PCLEPIM1.dll

"MSVIDEO"= pctvcap.dll

"MSACM.CEGSM"= mobilev.acm

"VIDC.JPEG"= P1160Jpg.dll

"VIDC.MJPG"= P1160Jpg.dll

"VIDC.YV12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Notification Packages REG_MULTI_SZ scecli scecli scecli scecli scecli

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Keyboard Service]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SCardClnt]

@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"Ostu"=C:\Documents and Settings\freddo.FRED\Application Data\hwoa.exe

"Eceu"=C:\Documents and Settings\freddo.FRED\Application Data\suhs.exe

"NvMediaCenter"=RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

"FreeBrowser"=C:\Program Files\FreeBrowser\FreeBrowser\FreeBrowser.exe

"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

"Aood"=C:\Documents and Settings\freddo.FRED\Application Data\aoai.exe

"iPlusAgent"="C:\Program Files\iriver\iriver plus\iAgent.exe"

"MessengerPlus3"="C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart

"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" /background

"ATI Remote Control"=C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe

"AXVenore"="C:\Program Files\AXVenore\AXVenore.exe"

"PECarlin"="C:\Program Files\PECarlin\PECarlin.exe"

"McAfee.InstantUpdate.Monitor"="C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR

"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

"C-Media Mixer"=Mixer.exe /startup

"AVG7_CC"=C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" -lang 1033

"Disc Detector"=C:\Program Files\Creative\ShareDLL\CtNotify.exe

"BDOESRV"=C:\Program Files\Softwin\BitDefender8\\bdoesrv.exe

"BDNewsAgent"=C:\Program Files\Softwin\BitDefender8\\bdnagent.exe

"BDSwitchAgent"=C:\Program Files\Softwin\BitDefender8\\bdswitch.exe

"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe

"K!IR.exe"=D:\K!tv 2.3\K!IR.exe

"eDonkey2000"=D:\Edonkey\eDonkey2000\eDonkey2000.exe -t

"MessengerPlus3"="C:\Program Files\MessengerPlus! 3\MsgPlus.exe"

"nwiz"=nwiz.exe /install

"SunJavaUpdateSched"=C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

"Device Detector"="C:\Program Files\Fichiers communs\ACD Systems\FR\DevDetect.exe" -autorun

"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min

"BDMCon"=C:\Program Files\Softwin\BitDefender8\\bdmcon.exe

"EPSON Stylus DX3800 Series"=C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACE.EXE /P26 "EPSON Stylus DX3800 Series" /O6 "USB001" /M "Stylus DX3800"

"EoTraduction"=

"EoEngine"=

"Disk Monitor"=C:\Program Files\Generic\USB Card Reader Driver v2.2\Disk_Monitor.exe

"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k

"TomTomHOME.exe"="C:\Program Files\TomTom HOME 2\HOMERunner.exe" -s

"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"=

"C:\\Program Files\\BitTorrent\\btdownloadgui.exe"=

"C:\\WINDOWS\\system32\\sessmgr.exe"=

"%windir%\\system32\\sessmgr.exe"=

"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"C:\\Program Files\\MSN Messenger\\livecall.exe"=

R0 d344bus;d344bus;C:\WINDOWS\system32\DRIVERS\d344bus.sys [2003-12-27 20:42]

R0 d344prt;d344prt;C:\WINDOWS\system32\Drivers\d344prt.sys [2003-12-27 02:38]

R3 pctvvbi;PCTVVBI;C:\WINDOWS\system32\DRIVERS\pctvvbi.sys [2002-11-11 20:52]

S1 pctvNT;Studio PCTV;C:\WINDOWS\system32\DRIVERS\pctvW2k.sys []

S3 P1160COM;Creative PC-CAM 880 (Camera);C:\WINDOWS\system32\DRIVERS\P1160Buk.sys []

S3 PortlUSB;PortlUSB;C:\WINDOWS\system32\DRIVERS\H10USB.sys [2004-06-24 06:52]

S3 TESTCAP;Studio PCTV (Audio);C:\WINDOWS\system32\DRIVERS\PCTVAud.sys []

S4 Dnscache;Client DNS;C:\WINDOWS\System32\svchost.exe [2004-08-20 01:10]

S4 SCardClnt;Smart Card Client;C:\WINDOWS\System32\notepaad.exe []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{016bb320-2235-11dc-adae-004005859f09}]

\Shell\AutoRun\command - K:\RavMon.exe

\Shell\explore\Command - K:\RavMon.exe -e

\Shell\open\Command - K:\RavMon.exe

.

Contenu du dossier 'Scheduled Tasks/Tƒches planifi‚es'

"2008-05-08 12:57:26 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"

- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe

"2008-05-08 12:57:26 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"

- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe

.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-06-12 20:17:46

Windows 5.1.2600 Service Pack 2 NTFS

Balayage processus cach‚s ...

Balayage cach‚ autostart entries ...

Balayage des fichiers cach‚s ...

Scan termin‚ avec succŠs

Les fichiers cach‚s: 0

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\WINDOWS\system32\Ctsvccda.exe

C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

.

**************************************************************************

.

Temps d'accomplissement: 2008-06-12 20:23:47 - machine was rebooted

ComboFix-quarantined-files.txt 2008-06-12 18:23:40

Pre-Run: 668,196,864 octets libres

Post-Run: 579,235,840 octets libres

229 --- E O F --- 2008-06-11 05:38:40

Falkra · le 12 juin 2008

Tu as sans doute une clé USB ou un disque dur amovible infecté (K:\) ne t'en sers pas tout de suite.

Suite du programme, et là ça se complique un peu.

** -- Désactive temporairement ton antivirus. -- **

Ouvre le bloc notes. Copie colle ceci dedans :

File::
C:\WINDOWS\system32\CTSVCCD.EXE

C:\WINDOWS\system32\MSN7.EXE

C:\WINDOWS\system32\msnmsgr.exe

C:\WINDOWS\system32\sscs.exe

C:\WINDOWS\system32\tjjhmc.exe

C:\WINDOWS\system32\gta.exe

Registry::

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"MSN Messenger"=-

"Y0xmRiM8Q"=-

"CT Control Settings"=-

"MSN7 Startup"=-

"Media Software UPdater"=-

"Windows Compliant"=-

"Gta San Andreas"=-

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunServices]

"MSN Messenger"=-

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"Ostu"=-

"Eceu"=-

"Aood"=-

"AXVenore"=-

"PECarlin"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"EoTraduction"=-

"EoEngine"=-

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{016bb320-2235-11dc-adae-004005859f09}]

Folder::

C:\Program Files\AXVenore

C:\Program Files\PECarlin

Dirlook::

C:\Documents and Settings\All Users\Application Data\SecTaskMan

Sauvegarde cela comme fichier texte nommé CFScript, sur le bureau.
Fais un glisser/déposer de ce fichier CFScript sur le fichier ComboFix.exe comme sur la capture

Une fenêtre bleue va apparaître: au message qui apparaît (Type 1 to continue, or 2 to abort) , tape 1 puis valide.
Patiente le temps du scan. Le bureau va disparaître à plusieurs reprises: c'est normal ! Ne touche à rien tant que le scan n'est pas terminé.
Une fois le scan achevé, un rapport va s'afficher: poste son contenu.
Si le fichier ne s'ouvre pas, il se trouve ici > C:\ComboFix.txt

@ toute

Syjo · le 13 juin 2008

Bonsoir,

Voici le rapport fait avec tes indications.

A plus

ComboFix 08-06-10.5 - freddo 2008-06-13 19:36:37.2 - NTFSx86

Microsoft Windows XP Professionnel 5.1.2600.2.1252.1.1036.18.1093 [GMT 2:00]

Endroit: C:\Documents and Settings\freddo.FRED\Bureau\ComboFix.exe

Command switches used :: C:\Documents and Settings\freddo.FRED\Bureau\CFScript.txt

* Création d'un nouveau point de restauration

AVERTISSEMENT - LA CONSOLE DE RÉCUPÉRATION N'EST PAS INSTALLÉE SUR CETTE MACHINE !!

FILE ::

C:\WINDOWS\system32\CTSVCCD.EXE

C:\WINDOWS\system32\gta.exe

C:\WINDOWS\system32\MSN7.EXE

C:\WINDOWS\system32\msnmsgr.exe

C:\WINDOWS\system32\sscs.exe

C:\WINDOWS\system32\tjjhmc.exe

.

((((((((((((((((((((((((((((( Fichiers cr‚‚s 2008-05-13 to 2008-06-13 ))))))))))))))))))))))))))))))))))))