infection avec xp security center et antivirus 2008

[cebecebe]

Bonjour,

Je viens auprès de vour pour m'aider à eradiquer un PC d'un amis qui est infecté par xp security center et antivirus 2008. j'ia essayer d'installer spyware terminator, mais rien ne se passe. J'ai ensuite j'ai essayer n'analyser avec combofix et après avec hijack. Je voie que combofix trouve les virus et le problème semble éradiquer, mais je voulais que vous m'aidiez à analyser s'il faut faire autres chose pour en finir .

Voici les deux rapport

 

Le rapport avec combofix

 

ComboFix 08-08-04.09 - Administrator 2008-08-06 2:46:23.1 - NTFSx86

Microsoft Windows XP Professionnel 5.1.2600.2.1252.1.1033.18.317 [GMT -7:00]

* Created a new restore point

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\WINDOWS\system32\dllcache\beep.sys

C:\1rfw8hjr.com

C:\Autorun.inf

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp1.tmp

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp2.tmp

C:\Documents and Settings\Administrator\Application Data\rhc7j2j0er6q

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\kanok.vbs

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\ypahavul.lib

C:\Documents and Settings\All Users\Desktop\Antivirus XP 2008.lnk

C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008

C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk

C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk

C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk

C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk

C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk

C:\Documents and Settings\All Users\Start Menu\Programs\XPSecurityCenter

C:\Documents and Settings\All Users\Start Menu\Programs\XPSecurityCenter\XPSecurityCenter.lnk

C:\Program Files\XPSecurityCenter

C:\Program Files\XPSecurityCenter\data\daily.cvd

C:\Program Files\XPSecurityCenter\htmlayout.dll

C:\Program Files\XPSecurityCenter\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest

C:\Program Files\XPSecurityCenter\Microsoft.VC80.CRT\msvcm80.dll

C:\Program Files\XPSecurityCenter\Microsoft.VC80.CRT\msvcp80.dll

C:\Program Files\XPSecurityCenter\Microsoft.VC80.CRT\msvcr80.dll

C:\Program Files\XPSecurityCenter\pthreadVC2.dll

C:\Program Files\XPSecurityCenter\un.ico

C:\Program Files\XPSecurityCenter\unzip32.dll

C:\Program Files\XPSecurityCenter\wscui.cpl

C:\Program Files\XPSecurityCenter\XP_SecurityCenter.cfg

C:\Program Files\XPSecurityCenter\XPSecurityCenter.dll

C:\Program Files\XPSecurityCenter\XPSecurityCenter.exe

C:\WINDOWS\braviax.exe

C:\WINDOWS\buritos.exe

C:\WINDOWS\cru629.dat

C:\WINDOWS\dialerexe.ini

C:\WINDOWS\karina.dat

C:\WINDOWS\svchost.ini

C:\WINDOWS\system32\axrfoiy.dat

C:\WINDOWS\system32\axrfoiy_nav.dat

C:\WINDOWS\system32\axrfoiy_navps.dat

C:\WINDOWS\system32\blphc3j2j0er6q.scr

C:\WINDOWS\system32\buritos.exe

C:\WINDOWS\system32\ckvo.exe

C:\WINDOWS\system32\ckvo0.dll

C:\WINDOWS\system32\cru629.dat

C:\WINDOWS\system32\DelSelf.bat

C:\WINDOWS\system32\drivers\beep.sys

C:\WINDOWS\system32\drivers\Paf27.sys

C:\WINDOWS\system32\euslrpp.dat

C:\WINDOWS\system32\euslrpp_nav.dat

C:\WINDOWS\system32\euslrpp_navps.dat

C:\WINDOWS\system32\karina.dat

C:\WINDOWS\system32\lphc3j2j0er6q.exe

C:\WINDOWS\system32\ntos.exe

C:\WINDOWS\system32\nvs2.inf

C:\WINDOWS\system32\phc3j2j0er6q.bmp

c:\WINDOWS\system32\qaamg.dat

c:\windows\system32\qaamg.exe

c:\WINDOWS\system32\qaamg_nav.dat

C:\WINDOWS\system32\qaamg_navps.dat

C:\WINDOWS\system32\qfuqheay.dat

C:\WINDOWS\system32\qfuqheay_nav.dat

C:\WINDOWS\system32\qfuqheay_navps.dat

C:\WINDOWS\system32\ssezdmw.dat

C:\WINDOWS\system32\ssezdmw_nav.dat

C:\WINDOWS\system32\ssezdmw_navps.dat

C:\WINDOWS\system32\vgutwnlhm.dat

C:\WINDOWS\system32\vgutwnlhm_nav.dat

C:\WINDOWS\system32\vgutwnlhm_navps.dat

C:\WINDOWS\system32\wsnpoem

C:\WINDOWS\system32\wsnpoem\audio.dll

C:\WINDOWS\system32\wsnpoem\video.dll

C:\WINDOWS\tmlpcert2007

 

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Legacy_IPRIP

-------\Legacy_PAF27

-------\Legacy_TCPSR

-------\Service_Paf27

-------\Service_tcpsr

 

 

((((((((((((((((((((((((( Files Created from 2008-07-06 to 2008-08-06 )))))))))))))))))))))))))))))))

.

 

2008-08-06 02:48 . 2004-08-04 06:00 4,224 --a------ C:\WINDOWS\system32\dllcache\beep.sys

2008-08-05 19:37 . 2008-08-05 19:36 60,928 --a------ C:\WINDOWS\system32\70.tmp

2008-08-05 19:37 . 2008-08-05 19:37 19,959 --a------ C:\Documents and Settings\All Users\Application Data\enydyvym.pif

2008-08-05 19:37 . 2008-08-05 19:37 18,520 --a------ C:\WINDOWS\system32\zotypuv.vbs

2008-08-05 19:37 . 2008-08-05 19:37 18,367 --a------ C:\WINDOWS\system32\ogik.com

2008-08-05 19:37 . 2008-08-05 19:37 18,360 --a------ C:\WINDOWS\system32\yhor.lib

2008-08-05 19:37 . 2008-08-05 19:37 17,873 --a------ C:\WINDOWS\ocorid.dll

2008-08-05 19:37 . 2008-08-05 19:37 17,718 --a------ C:\Program Files\Common Files\ubiqicorew.exe

2008-08-05 19:37 . 2008-08-05 19:37 15,348 --a------ C:\WINDOWS\itily.bin

2008-08-05 19:37 . 2008-08-05 19:37 13,267 --a------ C:\WINDOWS\jodysynow.db

2008-08-05 19:37 . 2008-08-05 19:37 12,878 --a------ C:\WINDOWS\ohih.vbs

2008-08-05 19:37 . 2008-08-05 19:37 12,864 --a------ C:\Documents and Settings\Administrator\Application Data\obilyn.sys

2008-08-05 19:37 . 2008-08-05 19:37 11,435 --a------ C:\WINDOWS\qiwez.scr

2008-08-05 19:35 . 2008-08-06 02:39 89,494 -r-hs---- C:\svdioajm.cmd

2008-08-03 19:37 . 2008-08-03 19:36 89,885 -r-hs---- C:\xqf.com

2008-07-31 19:44 . 2008-07-31 19:44 89,037 -r-hs---- C:\e.com

2008-07-30 20:03 . 2008-07-30 19:45 60,928 --a------ C:\WINDOWS\system32\23B.tmp

2008-07-30 19:48 . 2008-07-30 23:41 88,890 -r-hs---- C:\kn6jhgc.cmd

2008-07-29 23:47 . 2008-07-29 23:57 <DIR> d-------- C:\Program Files\Lyad Messenger

2008-07-28 02:42 . 2008-08-05 20:22 <DIR> d-------- C:\Program Files\WinClamAVShield

2008-07-27 19:33 . 2008-07-27 19:33 <DIR> d-------- C:\22a14a3451532899cb0e69

2008-07-25 00:25 . 2008-08-05 20:10 <DIR> d-------- C:\Program Files\Spyware Terminator

2008-07-25 00:25 . 2008-07-31 02:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spyware Terminator

2008-07-25 00:25 . 2008-08-05 20:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Spyware Terminator

2008-07-25 00:25 . 2008-07-25 00:25 138,752 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys

2008-07-24 22:32 . 2008-08-06 02:39 84,992 -r-hs---- C:\WINDOWS\system32\ckvo1.dll

2008-07-24 22:29 . 2008-07-24 22:30 <DIR> d-------- C:\Program Files\Crawler

2008-07-24 22:29 . 2008-07-24 22:32 87,297 -r-hs---- C:\g2pfnid.com

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-07-28 09:33 --------- d-----w C:\Program Files\Common Files\Symantec Shared

2008-07-28 09:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec

2008-07-28 09:31 --------- d-----w C:\Program Files\Symantec

2008-07-25 05:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab

2008-07-23 09:25 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Roxio

2008-07-04 06:17 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AdobeUM

2008-06-30 03:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\ZoomBrowser

2008-06-30 03:07 --------- d-----w C:\Documents and Settings\Administrator\Application Data\ZoomBrowser EX

2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll

2008-06-20 17:41 245,248 ------w C:\WINDOWS\system32\dllcache\mswsock.dll

2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll

2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys

2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys

2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys

2008-06-20 10:44 138,368 ------w C:\WINDOWS\system32\dllcache\afd.sys

2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys

2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys

2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys

2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\dllcache\bthport.sys

2008-06-09 05:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files

2008-05-08 12:28 202,752 ------w C:\WINDOWS\system32\dllcache\rmcast.sys

2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll

2008-05-07 05:18 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{55c1486a-9ecc-4729-88d4-55dd6aa5bc24}"= "C:\Program Files\Barre_Algerie_Chat\tbBar1.dll" [2007-11-28 08:21 1502232]

 

[HKEY_CLASSES_ROOT\clsid\{55c1486a-9ecc-4729-88d4-55dd6aa5bc24}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{55c1486a-9ecc-4729-88d4-55dd6aa5bc24}"= "C:\Program Files\Barre_Algerie_Chat\tbBar1.dll" [2007-11-28 08:21 1502232]

 

[HKEY_CLASSES_ROOT\clsid\{55c1486a-9ecc-4729-88d4-55dd6aa5bc24}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{55C1486A-9ECC-4729-88D4-55DD6AA5BC24}"= "C:\Program Files\Barre_Algerie_Chat\tbBar1.dll" [2007-11-28 08:21 1502232]

 

[HKEY_CLASSES_ROOT\clsid\{55c1486a-9ecc-4729-88d4-55dd6aa5bc24}]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:00 15360]

"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-27 16:19 4670704]

"Lyad"="C:\Program Files\Lyad Messenger\lyad_messenger.exe" [2007-02-06 07:07 774144]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-09-30 09:41 155648]

"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-09-30 09:37 126976]

"PDF Complete"="C:\Program Files\PDF Complete\pdfsty.exe" [2006-01-03 23:30 219648]

"SetRefresh"="C:\Program Files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 11:01 525824]

"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 19:44 65536]

"RoxioDragToDisc"="C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-12-09 19:24 868352]

"RoxioAudioCentral"="C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-07-15 13:38 319488]

"SpywareTerminator"="C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe" [2008-07-25 00:25 2957824]

"MAKTray"="MAKTray.exe" [2005-01-17 16:12 287232 C:\WINDOWS\MAKTray.exe]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 01:00 15360]

 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 11:59:36 806912]

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]

"NoDispBackgroundPage"= 1 (0x1)

"NoDispScrSavPage"= 1 (0x1)

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\disallowrun]

"1"= Regedit.exe

"2"= MSConfig.exe

"3"= taskmgr.exe

"4"= MMC.exe

"5"= gpedit.msc

"6"= Cmd.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 7.0.1.325\\French\\setup.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3587:TCP"= 3587:TCP:Groupement homologue Windows

"3540:UDP"= 3540:UDP:Protocole PNRP (Peer Name Resolution Protocol)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

"AllowInboundEchoRequest"= 1 (0x1)

 

R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\system32\drivers\sp_rsdrv2.sys [2008-07-25 00:25]

S3 EraserUtilDrv10741;EraserUtilDrv10741;C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10741.sys []

S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe [2004-08-04 01:00]

S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe [2004-08-04 01:00]

S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe [2004-08-04 01:00]

S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe [2004-08-04 01:00]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2bee0224-b208-11db-b1ed-000ffe3a68a1}]

\Shell\AutoRun\command - F:\g83816.com

\Shell\explore\Command - F:\g83816.com

\Shell\open\Command - F:\g83816.com

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{35b7b874-2173-11db-b0e7-d8cb9e598ee5}]

\Shell\Auto\command - bittorrent.exe e

\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL bittorrent.exe e

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3aa8c106-587a-11dd-b4fb-000ffe3a68a1}]

\Shell\AutoRun\command - F:\e9ehn1m8.com

\Shell\explore\Command - F:\e9ehn1m8.com

\Shell\open\Command - F:\e9ehn1m8.com

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{46f9fd58-2f43-11dc-b312-000ffe3a68a1}]

\Shell\Auto\command - E:\bittorrent.exe e

\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL bittorrent.exe e

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4920e84c-84c2-11dc-b3ac-000ffe3a68a1}]

\Shell\AutoRun\command - E:\e.com

\Shell\explore\Command - E:\e.com

\Shell\open\Command - E:\e.com

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4a59161f-a900-11dc-b3e4-000ffe3a68a1}]

\Shell\auto\command - E:\SVCH0ST.EXE e

\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL SVCH0ST.EXE e

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{63458672-1553-11db-b0d3-000ffe3a68a1}]

\Shell\AutoRun\command - E:\svdioajm.cmd

\Shell\explore\Command - E:\svdioajm.cmd

\Shell\open\Command - E:\svdioajm.cmd

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6385485a-2e3c-11db-b104-96dab64bdcb6}]

\Shell\AutoRun\command - E:\g2pfnid.com

\Shell\explore\Command - E:\g2pfnid.com

\Shell\open\Command - E:\g2pfnid.com

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{807d9739-4046-11dc-b32e-000ffe3a68a1}]

\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RECYCIER/system.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9c71d8fe-facd-11dc-b47e-000ffe3a68a1}]

\Shell\AutoRun\command - E:\RavMon.exe

\Shell\explore\Command - E:\RavMon.exe -e

\Shell\open\Command - E:\RavMon.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aa9deec9-5e32-11dc-b364-000ffe3a68a1}]

\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RECYCIER/system.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ab8075ea-3c23-11db-b11b-000ffe3a68a1}]

\Shell\AutoRun\command - F:\LaunchU3.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c582d163-d827-11dc-b43a-000ffe3a68a1}]

\Shell\Auto\command - wscript "Sex City.jpg.wsf"

\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript "Sex City.jpg.wsf"

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d7286cea-b079-11db-b1e8-000ffe3a68a1}]

\Shell\Auto\command - wscript "Sex City.jpg.wsf"

\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript "Sex City.jpg.wsf"

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e3c7322c-9eb0-11dc-b3d2-000ffe3a68a1}]

\Shell\Auto\command - wscript "Sex City.jpg.wsf"

\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript "Sex City.jpg.wsf"

.

Contents of the 'Scheduled Tasks' folder

 

2008-08-06 C:\WINDOWS\Tasks\Symantec NetDetect.job

- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE [2005-03-31 18:32]

.

- - - - ORPHANS REMOVED - - - -

 

HKCU-Run-kamsoft - C:\WINDOWS\system32\ckvo.exe

HKLM-Run-lphc3j2j0er6q - C:\WINDOWS\system32\lphc3j2j0er6q.exe

HKLM-Run-XP SecurityCenter - C:\Program Files\XPSecurityCenter\xpsecuritycenter.exe

HKLM-Run-buritos - buritos.exe

Notify-NavLogon - (no file)

MSConfigStartUp-System12 - C:\WINDOWS\system32\ne0kS.exe

MSConfigStartUp-System64 - C:\WINDOWS\system32\ne0kS.dll.wsf

 

 

.

------- Supplementary Scan -------

.

R0 -: HKCU-Main,Start Page = hxxp://www.google.com

R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

R0 -: HKLM-Main,Start Page = hxxp://www.google.com

R1 -: HKCU-SearchURL,(Default) = hxxp://fr.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://fr.search.yahoo.com

O8 -: Crawler Search - tbr:iemenu

O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O18 -: Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} -

 

 

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-08-06 02:50:41

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

C:\WINDOWS\system32\tcpsvcs.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\Program Files\Spyware Terminator\sp_rsser.exe

C:\WINDOWS\MAKHkey.exe

C:\Program Files\PDF Complete\pdfsaver.exe

C:\Program Files\Spyware Terminator\SpywareTerminatorShield.Exe

C:\WINDOWS\system32\MsPMSPSv.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\imapi.exe

.

**************************************************************************

.

Completion time: 2008-08-06 2:52:27 - machine was rebooted

ComboFix-quarantined-files.txt 2008-08-06 09:52:22

 

Pre-Run: 63,192,334,336 bytes free

Post-Run: 63,682,383,872 bytes free

 

312 --- E O F --- 2008-07-28 10:00:18

 

 

Le rapport avec hijack

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 2:56:56 AM, on 8/6/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Boot mode: Safe mode

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://fr.rd.yahoo.com/customize/ie/defaul...earch.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

R3 - URLSearchHook: Com Algerie Toolbar - {55c1486a-9ecc-4729-88d4-55dd6aa5bc24} - C:\Program Files\Barre_Algerie_Chat\tbBar1.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: Com Algerie Toolbar - {55c1486a-9ecc-4729-88d4-55dd6aa5bc24} - C:\Program Files\Barre_Algerie_Chat\tbBar1.dll

O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll (file missing)

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [MAKTray] MAKTray.exe

O4 - HKLM\..\Run: [PDF Complete] "C:\Program Files\PDF Complete\pdfsty.exe"

O4 - HKLM\..\Run: [setRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe

O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"

O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"

O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"

O4 - HKLM\..\Run: [spywareTerminator] "C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

O4 - HKCU\..\Run: [Lyad] C:\Program Files\Lyad Messenger\lyad_messenger.exe autostart

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

O8 - Extra context menu item: Crawler Search - tbr:iemenu

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll (file missing)

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

O24 - Desktop Component 0: (no name) - file:///C:/Documents%20and%20Settings/Administrator/My%20Documents/Jul%2004%202006%20(D)/photos/ipc-military-congo.jpg

O24 - Desktop Component 1: (no name) - http://fr.f279.mail.yahoo.com/y5/s/viewpho...Wo&partid=2

 

--

End of file - 5076 bytes

 

si quelqu'un peut m'aider je le remercie d'avance.

[morron2]

bonjour

 

pour antivirus2008 j'ai trouvé ça

 

 

désolé pour le lien que j'avais mis j'ai cru trop vite qu'il était fait pour supprimer ce faux antivirus

aprés la modif d'angélique j'ai cherché et trouvé ceci

http://assiste.com.free.fr/p/craptheque/spyhunter.html

Modifié le 7 août 2008 par morron2
si c'est pour coller un lien vers spyhunter!! faut pas abuser quand meme.

[pear]

Bonjour,

 

Combo, Nettoyage

# Déconnectez-vous du net et désactivez l'antivirus (juste le temps de la procédure !)

Dans certaines circonstances , le Mode sans échec peut être nécessaire

Ouvrez Combofix

# Dans le bloc-note ,copiez-collez ces lignes :

KillAll::

file::

C:\Documents and Settings\All Users\Application Data\enydyvym.pif

C:\WINDOWS\system32\zotypuv.vbs

C:\WINDOWS\system32\ogik.com

C:\WINDOWS\system32\yhor.lib

C:\WINDOWS\ocorid.dll

C:\Program Files\Common Files\ubiqicorew.exe

C:\WINDOWS\itily.bin

C:\WINDOWS\jodysynow.db

C:\WINDOWS\ohih.vbs

C:\Documents and Settings\Administrator\Application Data\obilyn.sys

C:\WINDOWS\qiwez.scr

C:\svdioajm.cmd

C:\xqf.com

C:\WINDOWS\system32\23B.tmp

C:\kn6jhgc.cmd

C:\g2pfnid.com

 

 

 

 

registry::

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2bee0224-b208-11db-b1ed-000ffe3a68a1}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3aa8c106-587a-11dd-b4fb-000ffe3a68a1}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4a59161f-a900-11dc-b3e4-000ffe3a68a1}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{63458672-1553-11db-b0d3-000ffe3a68a1}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6385485a-2e3c-11db-b104-96dab64bdcb6}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{807d9739-4046-11dc-b32e-000ffe3a68a1}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9c71d8fe-facd-11dc-b47e-000ffe3a68a1}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aa9deec9-5e32-11dc-b364-000ffe3a68a1}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c582d163-d827-11dc-b43a-000ffe3a68a1}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d7286cea-b079-11db-b1e8-000ffe3a68a1}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e3c7322c-9eb0-11dc-b3d2-000ffe3a68a1}]

[-HKEY_CLASSES_ROOT\CLSID\{4B3803EA-5230-4DC3-A7FC-33638F3D3542}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4B3803EA-5230-4DC3-A7FC-33638F3D3542}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{4B3803EA-5230-4DC3-A7FC-33638F3D3542}"=-

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]

"NoDispBackgroundPage"= 1 (0x1)

"NoDispScrSavPage"= 1 (0x1)

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\disallowrun]

"1"=-

"2"=-

"3"=-

"4"=-

"5"=-

"6"=-

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000000

"UpdatesDisableNotify"=dword:00000000

 

 

 

 

 

* Attention, ce code a été rédigé spécialement pour cet utilisateur, il serait dangereux de le réutiliser dans d'autres cas !

Enregistrez-le en lui donnant le nom CFScript.txt

* Faire un glisser/déposer de ce fichier CFScript sur le fichier ComboFix.exe

http://i261.photobucket.com/albums/ii49/Ma...te/CFScript.gif

 

*

* Au message qui apparait dans une fenêtre bleue ( Type 1 to continue, or 2 to abort) , taper 1 puis valider.

* Patienter le temps du scan.Le bureau va disparaitre à plusieurs reprises: c'est normal!

Ne toucher à rien tant que le scan n'est pas terminé.

* Une fois le scan achevé, un rapport va s'afficher: poster son contenu.

* Si le fichier n'apparait pas, il se trouve ici > C:\ComboFix.txt

 

et un nouvel hijackthis, svp.

Modifié le 7 août 2008 par pear

[cebecebe]

Bonjour Pear,

je m'excuse mais je n'ai pas compris cette procedure. Je ne sais pas si c'est pour moi (cebecebe) sur le poste que j'ai fait le matin. Je voulais avoir de confirmation avant de faire que que ce soit.

Merci

[pear]

Bonjour,

 

Vous avez posté un rapport Combofix avec un appel à l'aide.

je voulais que vous m'aidiez à analyser s'il faut faire autres chose pour en finir .

C'est une réponse .

[ipl_001]

Bonjour moron2, cebecebe, pear,

bonjour

 

pour antivirus2008 j'ai trouvé ça

 

 

désolé pour le lien que j'avais mis j'ai cru trop vite qu'il était fait pour supprimer ce faux antivirus

aprés la modif d'angélique j'ai cherché et trouvé ceci

http://assiste.com.free.fr/p/craptheque/spyhunter.html

 

Cebecebe, pear, veuillez m'excuser d'intervenir et de perturber ce sujet ...

 

Moron2, j'ai posté un message à ton intention -> Message à morron2