Torjan en boucles au secours!

[Faby]

Bonjour!

Mon PC est infecté par des virus de type Torjan, que Antivir identifie à chaque demarrager, mais n' arrive pas à supprimer!

Hier j'ai lancé un scan avec combofix mais ce matin SURPISE: encore mise en grade de Antivir que les torjan là .

Que faire? Merci aux experts de m'aider.

Voici le rapport de combofix:

 

ComboFix 08-10-25.01 - GTZ 2008-10-27 14:07:11.1 - NTFSx86

Microsoft Windows XP Professionnel 5.1.2600.2.1252.1.1036.18.113 [GMT 1:00]

Lancé depuis: C:\Documents and Settings\GTZ\Bureau\ComboFix.exe

.

 

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\Program Files\instant access

C:\Program Files\instant access\Center\sexe69.lnk

C:\Program Files\instant access\DesktopIcons\sexe69.lnk

C:\Program Files\instant access\Multi\20061116151106\Common\module.php

C:\Program Files\instant access\Multi\20061116151106\dialerexe.ini

C:\Program Files\instant access\Multi\20061116151106\js\js_api_dialer.php

C:\Program Files\instant access\Multi\20061116151106\medias\button1.jpg

C:\Program Files\instant access\Multi\20061116151106\medias\button2.jpg

C:\Program Files\instant access\Multi\20061116151106\medias\button3.jpg

C:\Program Files\instant access\Multi\20061116151106\medias\button4.jpg

C:\Program Files\instant access\Multi\20061116151106\medias\dialer.ico

C:\WINDOWS\dialerexe.ini

 

.

((((((((((((((((((((((((((((((((((((((( Pilotes/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Legacy_CELINDRV

 

 

((((((((((((((((((((((((((((( Fichiers créés du 2008-09-27 au 2008-10-27 ))))))))))))))))))))))))))))))))))))

.

 

2008-10-24 16:55 . 2008-10-24 16:55 <REP> d-------- C:\Documents and Settings\GTZ\Application Data\zweitgeist

2008-10-23 07:35 . 2007-07-30 18:19 30,040 --a------ C:\WINDOWS\system32\wuapi.dll.mui

2008-10-15 08:50 . 2008-10-15 08:50 <REP> d-------- C:\Retrospect

2008-10-14 10:23 . 2004-08-03 22:08 25,600 --a------ C:\WINDOWS\system32\drivers\usbser.sys

2008-10-14 10:23 . 2004-08-03 22:08 25,600 --a--c--- C:\WINDOWS\system32\dllcache\usbser.sys

2008-10-14 10:23 . 2008-10-14 10:23 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf

2008-10-14 10:23 . 2008-10-14 10:23 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_ccdcmb_01005.Wdf

2008-10-14 07:35 . 2008-10-14 07:35 <REP> d-------- C:\Program Files\Common Files\PCSuite

2008-10-14 07:35 . 2008-10-14 07:35 <REP> d-------- C:\Program Files\Common Files\Nokia

2008-10-14 07:32 . 2008-10-14 07:32 <REP> d-------- C:\Program Files\PC Connectivity Solution

2008-10-14 07:32 . 2007-09-17 14:53 21,632 --a------ C:\WINDOWS\system32\drivers\pccsmcfd.sys

2008-10-14 07:30 . 2008-05-07 06:39 1,419,232 --a------ C:\WINDOWS\system32\wdfcoinstaller01005.dll

2008-10-14 07:30 . 2008-05-07 06:38 659,968 --a------ C:\WINDOWS\system32\nmwcdcocls.dll

2008-10-14 07:30 . 2008-05-07 06:38 20,864 --a------ C:\WINDOWS\system32\drivers\ccdcmbo.sys

2008-10-14 07:30 . 2008-05-07 06:38 17,536 --a------ C:\WINDOWS\system32\drivers\ccdcmb.sys

2008-10-14 07:30 . 2008-05-07 06:38 8,064 --a------ C:\WINDOWS\system32\drivers\usbser_lowerfltj.sys

2008-10-14 07:30 . 2008-06-06 08:24 8,064 --a------ C:\WINDOWS\system32\drivers\usbser_lowerflt.sys

2008-10-14 07:13 . 2008-10-14 07:13 <REP> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Installations

2008-10-13 10:34 . 2008-10-13 10:34 <REP> d-------- C:\Documents and Settings\Invité\C

2008-10-13 10:34 . 2008-10-13 10:34 <REP> d-------- C:\Documents and Settings\Invité\C

2008-10-08 10:38 . 2008-10-08 10:38 0 --a------ C:\WINDOWS\nsreg.dat

2008-10-04 12:54 . 2008-10-15 07:43 <REP> d-------- C:\Documents and Settings\GTZ\Application Data\Nokia

2008-10-04 12:41 . 2008-10-14 07:32 <REP> d-------- C:\Program Files\DIFX

2008-10-04 12:40 . 2008-10-15 07:43 <REP> d-------- C:\Documents and Settings\GTZ\Application Data\PC Suite

2008-10-04 12:40 . 2008-10-04 12:41 <REP> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\PC Suite

2008-10-04 12:39 . 2008-10-14 07:35 <REP> d-------- C:\Program Files\Nokia

2008-10-04 12:39 . 2008-05-07 06:38 90,624 --a------ C:\WINDOWS\system32\nmwcdcls.dll

2008-10-04 12:37 . 2008-10-14 07:34 <REP> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Downloaded Installations

2008-10-02 10:26 . 2008-10-22 07:28 7,680 --ahs---- C:\WINDOWS\system32\Thumbs.db

 

.

(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-10-27 13:24 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\RetroExp

2008-10-27 13:17 --------- d-----w C:\Program Files\Symantec AntiVirus

2008-10-21 06:18 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Yahoo!

2008-10-20 08:14 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-10-02 13:41 --------- d-----w C:\Documents and Settings\GTZ\Application Data\AdobeUM

2008-10-02 06:33 --------- d-----w C:\Program Files\Google

2008-09-16 06:38 --------- d-----w C:\Documents and Settings\LocalService.AUTORITE NT\Application Data\Softland

2008-09-15 08:26 --------- d-----w C:\Program Files\Softland

2008-09-08 14:06 --------- d-----w C:\Documents and Settings\GTZ\Application Data\vlc

2008-09-08 13:08 --------- d-----w C:\Program Files\VideoLAN

2008-08-28 11:10 21,656 ----a-w C:\WINDOWS\system32\dopdfmn6.dll

2008-08-28 11:10 18,072 ----a-w C:\WINDOWS\system32\dopdfmi6.dll

2008-08-28 10:09 --------- d-----w C:\Program Files\Retrospect

.

 

((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-05 15360]

"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]

"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 443968]

"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-08 68856]

"PC Suite Tray"="C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2008-08-11 1124352]

"Messenger (Yahoo!)"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2008-09-19 4347120]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-05 208952]

"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-05 455168]

"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-05 455168]

"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]

"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-20 729178]

"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-12-21 155648]

"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-12-21 126976]

"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2004-09-07 213054]

"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816]

"UpdateManager"="C:\Program Files\Fichiers communs\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]

"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-04-27 122941]

"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2004-12-09 790528]

"WatchDog"="C:\Program Files\InterVideo\DVD Check\DVDCheck.exe" [2004-12-08 184320]

"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-15 385024]

"RoxioDragToDisc"="C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe" [2005-02-04 1695744]

"StatusClient 2.6"="C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [2004-02-27 61440]

"TomcatStartup 2.5"="C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-05-11 188416]

"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-01-07 49152]

"ccApp"="C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe" [2005-04-18 48752]

"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-05-09 85088]

"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-21 266497]

"RetroExpress"="C:\PROGRA~1\RETROS~1\RETROS~1.0\RetroExpress.exe" [2007-01-22 9385504]

"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]

"AGRSMMSG"="AGRSMMSG.exe" [2004-08-24 C:\WINDOWS\AGRSMMSG.exe]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-05 C:\WINDOWS\system32\bthprops.cpl]

 

C:\Documents and Settings\All Users.WINDOWS\Menu D‚marrer\Programmes\D‚marrage\

Assistant d'Acrobat.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 217193]

DVD Check.lnk - C:\Program Files\InterVideo\DVD Check\DVDCheck.exe [2005-12-09 184320]

 

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]

"NoAutoUpdate"= 1 (0x1)

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]

2004-10-15 11:27 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=ztepri.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Program Files\\Messenger\\msmsgs.exe"=

"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"C:\\Program Files\\MSN Messenger\\livecall.exe"=

"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=

"C:\\Program Files\\Retrospect\\Retrospect Express HD 2.0\\Retrospect.exe"=

"C:\\Program Files\\Retrospect\\Retrospect Express HD 2.0\\retrorun.exe"=

"C:\\Program Files\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe"=

 

R3 EraserUtilDrvI7;EraserUtilDrvI7;C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI7.sys [2008-09-17 99376]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{012a40c4-11cb-11dd-942a-0012f0d3ad4d}]

\Shell\AutoRun\command - E:\rdsfk.com

\Shell\explore\Command - E:\rdsfk.com

\Shell\open\Command - E:\rdsfk.com

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0551a68b-2b28-11dd-944f-0012f0d3ad4d}]

\Shell\Autoexec\command - wscript "The_Cars.vbs"

\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript "The_Cars.vbs"

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2887c68a-1e80-11dc-92d0-0012f0d3ad4d}]

\Shell\Auto\command - wscript "esta ig.vbs"

\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript "esta ig.vbs"

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2d0385e2-0881-11dc-92ba-0012f0d3ad4d}]

\Shell\Auto\command - E:\Cn911.exe

\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Cn911.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4085ffe4-ffef-11dc-9410-0012f0d3ad4d}]

\Shell\AutoRun\command - E:\6l6w8.com

\Shell\explore\Command - E:\6l6w8.com

\Shell\open\Command - E:\6l6w8.com

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{408c6734-dc65-11db-9285-0012f0d3ad4d}]

\Shell\Auto\command - E:\bittorrent.exe e

\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL bittorrent.exe e

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4fb6e7dc-333e-11db-91c8-0012f0d3ad4d}]

\Shell\AutoRun\command - E:\setupSNK.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8c368e30-1c06-11dd-943b-0012f0d3ad4d}]

\Shell\Autoexec\command - wscript "The_Cars.vbs"

\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript "The_Cars.vbs"

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{96b75dd8-9355-11dc-9366-0012f0d3ad4d}]

\Shell\1\Command - RUNAUT~1\autorun.pif

\Shell\2\Command - RUNAUT~1\autorun.pif

\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RUNAUT~1\autorun.pif

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9a305f5a-ff85-11db-92b4-0012f0d3ad4d}]

\Shell\Auto\command - wscript "Sex City.jpg.wsf"

\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript "Sex City.jpg.wsf"

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a4631ac1-2d43-11dd-9456-0012f0d3ad4d}]

\Shell\Autoexec\command - wscript "The_Cars.vbs"

\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript "The_Cars.vbs"

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a986818c-de80-11db-928a-0012f0d3ad4d}]

\Shell\Auto\command - E:\Cn911.exe

\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Cn911.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c31f86cc-2cc8-11dd-9454-0012f0d3ad4d}]

\Shell\AutoRun\command - E:\2.bat

\Shell\explore\Command - E:\2.bat

\Shell\open\Command - E:\2.bat

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c31f86ce-2cc8-11dd-9454-0012f0d3ad4d}]

\Shell\AutoRun\command - cl.bat

\Shell\explore\Command - cl.bat

\Shell\open\Command - cl.bat

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c9ff9abf-3042-11dc-92e6-0012f0d3ad4d}]

\Shell\Auto\command - E:\Cn911.exe

\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Cn911.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d4703206-baa5-11da-9137-0012f0d3ad4d}]

\Shell\Autoexec\command - wscript "The_Cars.vbs"

\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript "The_Cars.vbs"

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d78be294-e28f-11db-928e-0012f0d3ad4d}]

\Shell\Auto\command - E:\Cn911.exe

\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Cn911.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{df2e49de-ee84-11dc-93fc-0012f0d3ad4d}]

\Shell\AutoRun\command - E:\v.com

\Shell\explore\Command - E:\v.com

\Shell\open\Command - E:\v.com

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e2fb75bd-7587-11dc-933f-0012f0d3ad4d}]

\Shell\AutoRun\command - E:\LaunchU3.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e2fb75be-7587-11dc-933f-0012f0d3ad4d}]

\Shell\AutoOpen\command - F:\.\MSOCache\90000804-6000-11D3-8CFE-0150048383C9\KB915865.exe

\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\MSOCache\90000804-6000-11D3-8CFE-0150048383C9\KB915865.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e61534d2-336c-11dc-92eb-0012f0d3ad4d}]

\Shell\Auto\command - E:\Cn911.exe

\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Cn911.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e768be56-bce2-11db-925a-0012f0d3ad4d}]

\Shell\Auto\command - bittorrent.exe e

\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL bittorrent.exe e

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ebc7926d-ac85-11dc-9385-0012f0d3ad4d}]

\Shell\1\Command - E:\RUNAUT~1\autorun.pif

\Shell\2\Command - E:\RUNAUT~1\autorun.pif

\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RUNAUT~1\autorun.pif

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fe1fcfb0-0160-11dd-9414-0012f0d3ad4d}]

\Shell\AutoRun\command - E:\uqhqx1.cmd

\Shell\explore\Command - E:\uqhqx1.cmd

\Shell\open\Command - E:\uqhqx1.cmd

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fee35660-2896-11dd-944a-0012f0d3ad4d}]

\Shell\AutoRun\command - E:\2.bat

\Shell\explore\Command - E:\2.bat

\Shell\open\Command - E:\2.bat

.

- - - - ORPHELINS SUPPRIMES - - - -

 

HKLM-Run-Cn911 - C:\WINDOWS\system32\ODBCJET.exe

HKLM-Explorer_Run-scrnsave - C:\WINDOWS\system32\scrnsave.exe

ShellExecuteHooks-{51351752-5628-1547-FFAB-BADC13512AF5} - C:\WINDOWS\system32\ztepri.dll

ShellExecuteHooks-{252D2432-37A2-324F-2A54-21BF5CF2F1A2} - C:\WINDOWS\system32\jhapri.dll

Notify-WgaLogon - (no file)

 

 

.

------- Examen supplémentaire -------

.

FireFox -: Profile - C:\Documents and Settings\GTZ\Application Data\Mozilla\Firefox\Profiles\biyiboxx.default\

FF -: plugin - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\browser\nppdf32.dll

FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll

.

 

**************************************************************************

 

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-10-27 14:19:16

Windows 5.1.2600 Service Pack 2 NTFS

 

Recherche de processus cachés ...

 

Recherche d'éléments en démarrage automatique cachés ...

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????4?3?6?6??????? ???B???????????????B? ??????

 

Recherche de fichiers cachés ...

 

Scan terminé avec succès

Fichiers cachés: 0

 

**************************************************************************

.

------------------------ Autres processus actifs ------------------------

.

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe

C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Fichiers communs\LightScribe\LSSrvc.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe

C:\Program Files\Retrospect\Retrospect Express HD 2.0\retrorun.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe

C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe

C:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrv.exe

C:\Program Files\Retrospect\Retrospect Express HD 2.0\Retrospect.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avwsc.exe

.

**************************************************************************

.

Heure de fin: 2008-10-27 14:32:17 - La machine a redémarré [GTZ]

ComboFix-quarantined-files.txt 2008-10-27 13:31:59

 

Avant-CF: 15,169,593,344 octets libres

Après-CF: 15,335,399,424 octets libres

 

275 --- E O F --- 2007-07-24 16:06:00

[pear]

erreur, désolé

Modifié le 28 octobre 2008 par pear

[pear]

Bonjour,

 

2)Combo, Nettoyage

# Déconnectez-vous du net et désactivez l'antivirus (juste le temps de la procédure !)

Dans certaines circonstances , le Mode sans échec peut être nécessaire

Connecter tous les disques amovibles (disque dur externe, clé USB…).

Ouvrez Combofix

# Dans le bloc-note ,copiez-collez ces lignes :

Killall::

file::

C:\WINDOWS\nsreg.dat

C:\WINDOWS\system32\Thumbs.db

E:\rdsfk.com

E:\Cn911.exe

E:\6l6w8.com

E:\bittorrent.exe e

E:\setupSNK.exe

C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript "The_Cars.vbs"

C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript "Sex City.jpg.wsf"

E:\2.bat

cl.bat

E:\v.com

E:\RUNAUT~1\autorun.pif

E:\uqhqx1.cmd

 

 

registry::

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=""

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{012a40c4-11cb-11dd-942a-0012f0d3ad4d}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0551a68b-2b28-11dd-944f-0012f0d3ad4d}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2887c68a-1e80-11dc-92d0-0012f0d3ad4d}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2d0385e2-0881-11dc-92ba-0012f0d3ad4d}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4085ffe4-ffef-11dc-9410-0012f0d3ad4d}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{408c6734-dc65-11db-9285-0012f0d3ad4d}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4fb6e7dc-333e-11db-91c8-0012f0d3ad4d}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8c368e30-1c06-11dd-943b-0012f0d3ad4d}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{96b75dd8-9355-11dc-9366-0012f0d3ad4d}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9a305f5a-ff85-11db-92b4-0012f0d3ad4d}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a4631ac1-2d43-11dd-9456-0012f0d3ad4d}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a986818c-de80-11db-928a-0012f0d3ad4d}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c31f86cc-2cc8-11dd-9454-0012f0d3ad4d}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c31f86ce-2cc8-11dd-9454-0012f0d3ad4d}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c9ff9abf-3042-11dc-92e6-0012f0d3ad4d}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d4703206-baa5-11da-9137-0012f0d3ad4d}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d78be294-e28f-11db-928e-0012f0d3ad4d}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{df2e49de-ee84-11dc-93fc-0012f0d3ad4d}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e2fb75be-7587-11dc-933f-0012f0d3ad4d}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e61534d2-336c-11dc-92eb-0012f0d3ad4d}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e768be56-bce2-11db-925a-0012f0d3ad4d}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ebc7926d-ac85-11dc-9385-0012f0d3ad4d}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fe1fcfb0-0160-11dd-9414-0012f0d3ad4d}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fee35660-2896-11dd-944a-0012f0d3ad4d}]

 

* Attention, ce code a été rédigé spécialement pour cet utilisateur, il serait dangereux de le réutiliser dans d'autres cas !

Enregistrez-le en lui donnant le nom CFScript.txt

* Faire un glisser/déposer de ce fichier CFScript sur le fichier ComboFix.exe

* Au message qui apparait dans une fenêtre bleue ( Type 1 to continue, or 2 to abort) , taper 1 puis valider.

* Patienter le temps du scan.Le bureau va disparaitre à plusieurs reprises: c'est normal!

Ne toucher à rien tant que le scan n'est pas terminé.

* Une fois le scan achevé, un rapport va s'afficher: poster son contenu.

* Si le fichier n'apparait pas, il se trouve ici > C:\ComboFix.txt

[Faby]

Merci beaucoup.

Pour le moment je n'ai pas vu les trojans comme d'habitude

Porvu que ça dure!

Merci

[pear]

Bonsoir,

 

our le moment je n'ai pas vu les trojans comme d'habitude

 

Tant mieux.

Cependant,j'aurais souhaité avoir le rapport Combofix.

C'est un outil trop puissant pour qu'il soit utilisé en aveugle .

Modifié le 29 octobre 2008 par pear