Analyse rapport Hijackthis [RESOLU]

[bullbizar]

Bonjour,

 

C'est le PC des enfants qui s'en servent essentiellement pour jouer, pas connecté au net (PIV, 2,6 GHz, 512 Mo RAM, DD80Go); qui se montre particulièrement lent. De plus en voulant jouer à Need for Speed 2 , Il y'a un fichier tmp dans les processus qui fait monter l'UC à 100 % !!!!!

 

De plus, à chaque démarrage du PC, Antivir me notifie la présence de " Trojan TR/Crypt.XPACK.Gen"!!!!!! sans y remedier!!!!!

 

Je vous joins le log pour une aide ou tout autre conseil serait le bienvenu.....MERCI

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 19:22:34, on 11/11/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\VIA\RAID\raid_tool.exe

C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe

C:\WINDOWS\wt\updater\wcmdmgr.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Fichiers communs\Ahead\lib\NMBgMonitor.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\Program Files\AntiVir PersonalEdition Classic\sched.exe

C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\Documents and Settings\user\Bureau\HiJackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens

R3 - URLSearchHook: Yahoo! Toolbar avec bloqueur de fenêtres pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {1C2DA439-4680-4E85-A22D-EB2385FABF80} - C:\WINDOWS\system32\xxyYoOFx.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [siSPower] Rundll32.exe SiSPower.dll,ModeAgent

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe

O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Fichiers communs\Ahead\lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RةSEAU')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O17 - HKLM\System\CCS\Services\Tcpip\..\{0D2E36BE-9B21-4DC5-84AD-FEDDF7FEF1EB}: NameServer = 192.168.1.1

O17 - HKLM\System\CS1\Services\Tcpip\..\{0D2E36BE-9B21-4DC5-84AD-FEDDF7FEF1EB}: NameServer = 192.168.1.1

O17 - HKLM\System\CS2\Services\Tcpip\..\{0D2E36BE-9B21-4DC5-84AD-FEDDF7FEF1EB}: NameServer = 192.168.1.1

O20 - Winlogon Notify: xxyYoOFx - C:\WINDOWS\SYSTEM32\xxyYoOFx.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Fichiers communs\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

 

--

End of file - 4621 bytes

 

Merci et à plus tard.

Modifié le 25 novembre 2008 par bullbizar

[bullbizar]

Bonjour à toutes et à tous,

 

Personne pour m'aider........

[angelique]

pas connecté au net , etonnant!! y'a du Vundo+infection support USB

 

•

»branche tous tes support usb sans les ouvrir!!!

 

» desactive temporairement le guard d'antivir , clic droit sur le parapluie dans le systray \decoche antivir guard enable

 

» Télécharge combofix.exe (par sUBs) et sauvegarde le sur ton bureau

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

 

* Double-clique combofix.exe, accepte le CluF qui s'affiche, afin de l'exécuter et suis les instructions.

* Lorsque l'analyse sera complétée, un rapport apparaîtra que tu me posteras.

* Si le fichier n'apparait pas, il se trouve ici > C:\ComboFix.txt

[bullbizar]

Bonjour Angélique,

 

Merci pour ton aide; Je ne pourrais exécuter la procédure conseillée que ce soir en rentrant à la maison (je suis au boulot).

 

Effectivement le PC est non connecté au net, mais je télécharge des jeux pour les enfants que je leur enmeène par clé usb......ceci explique cela, je crois.

 

Donc, dés demain je te poste le rapport.

 

Merci encore et à demain.

[angelique]

ok

[bullbizar]

Bonjour Angélique, Bonjour tout le monde,

 

Désolé pour ce retard.....long retard, du à un problème de réseau au sein de mon entreprise.

 

Voilà, je te joins le rapport demandé.

 

Merci et encore pardon du retard.

 

ComboFix 08-11-13.01 - user 2008-11-15 18:44:14.1 - NTFSx86

Microsoft Windows XP Professionnel 5.1.2600.2.1252.1.1036.18.273 [GMT 1:00]

Lancé depuis: c:\documents and settings\user\Bureau\ComboFix.exe

* Un nouveau point de restauration a été créé

 

AVERTISSEMENT - LA CONSOLE DE RةCUPةRATION N'EST PAS INSTALLةE SUR CETTE MACHINE !!

.

 

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\autorun.inf

C:\i.exe

c:\windows\system32\amvo.exe

c:\windows\system32\attfd42.dll

D:\Autorun.inf

 

.

((((((((((((((((((((((((((((((((((((((( Pilotes/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Legacy_POWERMANAGER

 

 

((((((((((((((((((((((((((((( Fichiers créés du 2008-10-15 au 2008-11-15 ))))))))))))))))))))))))))))))))))))

.

 

2008-11-11 18:21 . 2008-11-12 18:21 <REP> d-------- c:\documents and settings\All Users\Application Data\AntiVir PersonalEdition Classic

2008-11-11 17:51 . 2008-11-11 18:51 <REP> d-------- c:\program files\Spybot - Search & Destroy

2008-11-11 17:51 . 2008-11-11 18:51 <REP> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2008-11-11 17:51 . 2008-11-11 15:33 401,720 --a------ C:\HiJackThis.exe

2008-11-10 13:17 . 2008-11-10 13:17 <REP> d-------- c:\documents and settings\user\Application Data\Absolutist.com

2008-11-10 13:07 . 2004-08-04 05:54 7,027 --a------ c:\windows\system32\winsdateg5.vxk

2008-11-10 13:02 . 2008-11-10 17:26 <REP> d-------- c:\program files\Bomberman vs Digger

2008-11-09 16:52 . 2008-11-14 11:23 <REP> d-------- c:\program files\GrudgeMatchPool

2008-11-09 16:50 . 2008-11-09 18:58 <REP> d-------- c:\program files\Kyodai Mahjongg

2008-11-09 16:40 . 2008-11-09 16:40 <REP> d-------- c:\program files\Realore

2008-11-09 14:06 . 2008-11-10 08:32 <REP> d-------- c:\program files\Battleship Chess

2008-11-09 12:52 . 2008-11-09 12:52 <REP> d-------- c:\program files\AbsoluteLab

2008-11-09 12:10 . 2008-11-13 20:33 <REP> d-------- c:\program files\Alawar

2008-11-08 19:50 . 2008-11-09 18:58 <REP> d-------- c:\program files\Axium

2008-11-08 19:26 . 2008-11-08 19:26 <REP> d-------- c:\program files\Invadazoid

2008-11-06 13:31 . 2008-11-06 13:31 <REP> d-------- c:\program files\Neoact

2008-11-06 13:31 . 2002-07-22 16:11 139,264 --a------ c:\windows\NeoUninstall.exe

2008-11-06 13:31 . 2008-11-06 13:31 26 --a------ c:\windows\NeoSetup.INI

2008-11-06 13:31 . 2008-11-06 13:31 0 --a------ c:\windows\iPool.INI

2008-11-06 13:18 . 2008-11-06 13:18 <REP> d-------- c:\program files\ThePoolClub

2008-11-06 12:26 . 2008-11-06 12:26 0 --a------ c:\windows\LiveBilliards.INI

2008-11-06 10:09 . 1999-12-17 09:13 86,016 --a------ c:\windows\unvise32.exe

2008-11-06 10:08 . 2008-11-06 10:08 <REP> d-------- c:\program files\TerraGame

2008-11-06 09:04 . 2008-11-06 09:04 45,056 --a------ c:\windows\NCUNINST.EXE

2008-11-05 21:18 . 2008-11-15 18:49 <REP> d-------- c:\windows\wt

2008-11-05 21:18 . 2008-11-09 16:34 <REP> d-------- c:\program files\Zone.com Deluxe Games

2008-11-05 21:18 . 2002-09-27 14:47 45,056 --a------ c:\windows\system32\wtcpl.cpl

2008-11-05 21:03 . 2008-11-11 08:45 <REP> d-------- c:\program files\phelios

2008-11-05 20:54 . 2008-11-05 20:54 <REP> d-------- c:\program files\goldminerjoe_full

2008-11-05 20:51 . 2008-11-11 08:45 <REP> d-------- c:\program files\Gravity Gems

2008-11-05 20:51 . 2008-11-09 18:58 <REP> d-------- c:\program files\BFG

2008-11-05 20:34 . 2008-11-05 20:34 <REP> d-------- c:\program files\Dweep Gold

2008-11-05 20:22 . 2008-11-05 20:22 <REP> d-------- c:\program files\BrickShooter

2008-11-05 20:22 . 2000-05-16 10:40 83,968 --a------ c:\windows\UnGins.exe

2008-11-05 20:22 . 2008-11-05 20:23 270 --a------ c:\windows\BS15.INI

2008-11-05 19:00 . 2008-11-11 08:46 <REP> d-------- c:\program files\Zylom Games

2008-11-05 19:00 . 2008-11-09 18:58 <REP> d-------- c:\documents and settings\user\Application Data\Zylom

2008-11-05 18:59 . 2008-11-05 18:59 <REP> d-------- c:\program files\LTank

2008-11-05 18:59 . 1997-11-21 14:35 14,480 --a------ c:\windows\system32\Ctl3d.dll

2008-11-05 18:45 . 2008-11-05 18:45 <REP> d-------- c:\program files\MagicBall

2008-11-05 18:37 . 2008-11-06 08:54 37,473 --a------ c:\windows\system32\muzika.xm

2008-10-28 20:35 . 2008-11-14 21:08 <REP> d-------- c:\program files\Big Kahuna Reef

2008-10-27 18:04 . 2008-10-27 18:12 <REP> d-------- c:\program files\Bud Redhead

2008-10-26 21:25 . 2008-10-30 16:34 <REP> d-------- c:\program files\Luxor

2008-10-26 21:20 . 2008-11-09 12:54 <REP> d-------- c:\program files\GameHouse

 

.

(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-11-14 10:25 --------- d--h--w c:\program files\InstallShield Installation Information

2008-11-13 20:06 --------- d-----w c:\program files\TrackMania Nations ESWC

2008-11-12 17:39 --------- d-----w c:\program files\Panda Craze

2008-11-11 16:13 --------- d-----w c:\program files\Tropix

2008-11-11 07:45 --------- d-----w c:\program files\Insaniquarium Deluxe

2008-11-10 08:05 724,992 -c--a-w c:\windows\iun6002.exe

2008-11-09 17:30 --------- d-----w c:\program files\EA Games

2008-11-09 15:35 --------- d-----w c:\program files\PopCap Games

2008-11-06 09:08 --------- d-----w c:\program files\Common Files

2008-11-06 08:02 --------- d-----w c:\program files\Fichiers communs\SWF Studio

2008-11-05 17:09 --------- d-----w c:\program files\Sega

2008-11-05 17:09 --------- d-----w c:\program files\Atari

2008-11-05 17:04 --------- d-----w c:\program files\MotoGP2

2008-11-05 17:00 --------- d--h--w c:\program files\Zero G Registry

2008-10-31 18:15 1,682 -csha-w c:\windows\system32\KGyGaAvL.sys

2008-10-17 14:46 --------- d-----w c:\program files\My Worst Day WW2

2008-10-17 14:41 --------- d-----w c:\program files\Devastation Zone Troopers

2008-10-16 09:55 --------- d-----w c:\program files\Bid For Power

2008-10-16 09:33 --------- d-----w c:\program files\GameSpy Arcade

2008-10-12 18:27 --------- d-----w c:\program files\Jurassic Realm

2008-10-10 14:40 142 ----a-w C:\Delapp.bat

2008-09-29 12:00 --------- d-----w c:\program files\Star Defender 4

2008-09-23 20:01 --------- d-----w c:\documents and settings\All Users\Application Data\TrackMania

2008-09-23 19:57 --------- d-----w c:\program files\TmNationsForever

2008-09-18 07:49 --------- d-----w c:\program files\iWin.com

2008-09-17 19:54 325,632 ----a-w c:\windows\system32\EAREMOVE.EXE

2008-09-17 19:53 304,128 -c--a-w c:\windows\unin040c.exe

2008-09-17 19:53 299,520 -c--a-w c:\windows\uninst.exe

2008-09-17 19:53 294,912 -c----r c:\windows\alcupd.exe

2008-09-17 19:53 200,704 -c----r c:\windows\alcrmv.exe

2008-09-17 19:24 308,224 -c--a-w c:\windows\IsUn040c.exe

2008-09-12 13:09 753,664 -c--a-w c:\windows\system32\nvcplui.exe

2008-09-11 10:03 56,834,127 ----a-w C:\CookingAcademySetup.exe

2008-08-23 17:52 43,520 ----a-w c:\windows\system32\CmdLineExt03.dll

.

 

((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés

REGEDIT4

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1C2DA439-4680-4E85-A22D-EB2385FABF80}]

2008-07-20 19:22 25088 --a------ c:\windows\system32\xxyYoOFx.dll

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Fichiers communs\Ahead\lib\NMBgMonitor.exe" [2005-09-25 94208]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-17 8491008]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-09-17 81920]

"RaidTool"="c:\program files\VIA\RAID\raid_tool.exe" [2005-06-20 1056768]

"wcmdmgr"="c:\windows\wt\updater\wcmdmgrl.exe" [2002-09-27 20480]

"avgnt"="c:\program files\AntiVir PersonalEdition Classic\avgnt.exe" [2007-04-02 327720]

"SiSPower"="SiSPower.dll" [2005-06-09 c:\windows\system32\SiSPower.dll]

"SoundMan"="SOUNDMAN.EXE" [2005-06-20 c:\windows\soundman.exe]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoResolveSearch"= 1 (0x1)

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{1C2DA439-4680-4E85-A22D-EB2385FABF80}"= "c:\windows\system32\xxyYoOFx.dll" [2008-07-20 25088]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyYoOFx]

2008-07-20 19:22 25088 c:\windows\system32\xxyYoOFx.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.VP31"= vp31vfw.dll

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^Adobe Gamma Loader.lnk]

path=c:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\Adobe Gamma Loader.lnk

backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^user^Menu Démarrer^Programmes^Démarrage^Product Registration.lnk]

path=c:\documents and settings\user\Menu Démarrer\Programmes\Démarrage\Product Registration.lnk

backup=c:\windows\pss\Product Registration.lnkStartup

 

[HKLM\~\startupfolder\C:^Documents and Settings^user^Menu Démarrer^Programmes^Démarrage^Reboot.exe]

path=c:\documents and settings\user\Menu Démarrer\Programmes\Démarrage\Reboot.exe

backup=c:\windows\pss\Reboot.exeStartup

 

[HKLM\~\startupfolder\C:^Documents and Settings^user^Menu Démarrer^Programmes^Démarrage^Sid Registration.lnk]

path=c:\documents and settings\user\Menu Démarrer\Programmes\Démarrage\Sid Registration.lnk

backup=c:\windows\pss\Sid Registration.lnkStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

c:\windows\system32\dumprep 0 -k [X]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

--------- 2004-08-04 01:07 1667584 c:\program files\Messenger\msmsgs.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a--c--- 2005-09-25 19:11 155648 c:\windows\system32\NeroCheck.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nokia.PCSync]

--a------ 2008-03-26 18:41 1232896 c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]

--a------ 2008-03-28 11:20 1079296 c:\program files\Nokia\Nokia PC Suite 6\PCSuite.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

--a--c--- 2007-09-17 01:07 1626112 c:\windows\system32\nwiz.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"RasMan"=3 (0x3)

"Netman"=3 (0x3)

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

"AntiVirusOverride"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"c:\\Program Files\\RY's GAMES\\Serious Sam\\Bin\\SeriousSam.exe"=

"c:\\Program Files\\EA Games\\MOHAA\\MOHAA.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"d:\\Pc Gamer\\Serious Sam 2\\Bin\\Sam2.exe"=

"c:\\Program Files\\Duke Nukem - Manhattan Project\\prism3d.exe"=

"c:\\Program Files\\TmNationsForever\\TmForever.exe"=

"c:\\Program Files\\Raven\\SOF GOLD\\SoF.exe"=

"c:\\Program Files\\TrackMania Nations ESWC\\TmNationsESWC.exe"=

"c:\\Program Files\\GameTop.com\\Extreme Racers\\Extreme Racers.exe"=

"d:\\Nexuiz\\nexuiz.exe"=

"c:\\Program Files\\www.SmallGames.ws\\Beach Head - Desert War\\BH2Game\\BH2.exe"=

"c:\\Program Files\\Sierra\\SWAT 4\\Content\\System\\Swat4.exe"=

"c:\\Program Files\\Microsoft Games\\Age of Empires II The Conquerors Expansion Trial\\age2_x1t.exe"=

 

S3 FXDRV;FXDRV;E:\Fxdrv.sys [ ]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{24bbf54c-f352-11dc-a846-f0e7d4063a67}]

\Shell\AutoRun\command - G:\i.exe

\Shell\explore\Command - G:\i.exe

\Shell\open\Command - G:\i.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{783faafc-9e51-11dc-bd43-0016ec5681ab}]

\Shell\AutoRun\command - G:\i.exe

\Shell\explore\Command - G:\i.exe

\Shell\open\Command - G:\i.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a95023e1-a777-11dd-a528-dfe4f7ba576b}]

\Shell\AutoRun\command - G:\i.exe

\Shell\explore\Command - G:\i.exe

\Shell\open\Command - G:\i.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d5261508-4453-11dd-921a-f9d97bc13465}]

\Shell\AutoRun\command - G:\i.exe

\Shell\explore\Command - G:\i.exe

\Shell\open\Command - G:\i.exe

.

.

------- Examen supplémentaire -------

.

R0 -: HKCU-Main,Start Page = hxxp://www.google.com/

O8 -: E&xporter vers Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O17 -: HKLM\CCS\Interface\{0D2E36BE-9B21-4DC5-84AD-FEDDF7FEF1EB}: NameServer = 192.168.1.1

.

 

**************************************************************************

 

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-11-15 18:49:26

Windows 5.1.2600 Service Pack 2 NTFS

 

Recherche de processus cachés ...

 

Recherche d'éléments en démarrage automatique cachés ...

 

Recherche de fichiers cachés ...

 

Scan terminé avec succès

Fichiers cachés: 0

 

**************************************************************************

.

--------------------- DLLs chargées dans les processus actifs ---------------------

 

PROCESSUS: c:\windows\system32\winlogon.exe

-> c:\windows\system32\xxyYoOFx.dll

.

------------------------ Autres processus actifs ------------------------

.

c:\program files\AntiVir PersonalEdition Classic\avguard.exe

c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe

c:\program files\AntiVir PersonalEdition Classic\sched.exe

c:\program files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\windows\system32\nvsvc32.exe

c:\windows\system32\wdfmgr.exe

c:\windows\system32\rundll32.exe

c:\windows\wt\updater\wcmdmgr.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Heure de fin: 2008-11-15 18:53:48 - La machine a redémarré

ComboFix-quarantined-files.txt 2008-11-15 17:53:41

 

Avant-CF: 10 720 506 368 octets libres

Après-CF: 10,665,769,984 octets libres

 

235

[angelique]

• ouvre ton bloc note[executer--notepad] et copies/colles le contenu du cadre ci dessous:

 

File::
c:\windows\system32\xxyYoOFx.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1C2DA439-4680-4E85-A22D-EB2385FABF80}]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{1C2DA439-4680-4E85-A22D-EB2385FABF80}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyYoOFx]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{24bbf54c-f352-11dc-a846-f0e7d4063a67}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{783faafc-9e51-11dc-bd43-0016ec5681ab}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a95023e1-a777-11dd-a528-dfe4f7ba576b}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d5261508-4453-11dd-921a-f9d97bc13465}]

 

[*]Va en haut de la page et clique sur le menu"Fichier" , une liste apparait=>

[*]Choisis "Enregistrer sous" et choisis "Bureau"

[*]Dans le champs "Nom du fichier" en bas de page donne le nom suivant:CFScript

[*]Clique sur le bouton "Enregistrer" à droite du champs "nom du fichier"

[*]Quitte le Bloc Notes.

[*]Fait un glisser/déposer de ce fichier CFScript sur le fichier ComboFix.exe comme sur la capture

 

 

 

 

* suis les instructions

* Patiente le temps du scan.Le bureau va disparaitre à plusieurs reprises: c'est normal!

Ne touche à rien tant que le scan n'est pas terminé.

* Une fois le scan achevé, un rapport va s'afficher: poste son contenu.

* Si le fichier n'apparait pas, il se trouve ici > C:\ComboFix.txt

 

• Il te faut maintenant nettoyer tes clefs USB/disques dur externes, pour cela :

 

SURTOUT ne pas double-cliquer sur le disque dans le poste de travail

 

Ouvre le poste de travail

Clic sur le menu outils en haut à droite puis options des dossiers

Dans la nouvelle fenêtre, clic sur l'onglet Affichage en haut

Coche dans la liste "Afficher les fichiers cachés"

Décoche "masquer les fichier proteger du systeme d exploitation (recommandée)"\appliquer

Tu vas recevoir un message qui te dit que cela peut endommager le système, n'en tiens pas compte.

Ouvrez le poste de travail

Pour chaque disque dans le poste de travail : Fais un clic droit sur le disque dur - surtout ne double-clic pas dessus!!!

Choisis ouvrir dans le menu déroulant.

Cherche un fichier autorun.inf et des fichiers : i.exe , Adober.exe ou RavMonE.exe ou MS32DLL.DLL.VBS ou autorun.vbs ou UFO.exe ......

Si présents, supprimez le en faisant un clic droit puis supprimer.

Répétez l'opération sur tous les disques se trouvant dans le poste de travail.

Tu remasques fichiers et dossiers cachés si tu le souhaites.

 

• fait un scan avec antivir , s'il couine sur c:\qoobox , c'est normal c'est la quarantaine de ComboFix , donc quarantaine et poste le rapport.

 

met le à jour manuellement quand meme en telechargeant IVDF (unicode)

tuto:: http://www.libellules.ch/dotclear/index.ph...re-les-serveurs

[bullbizar]

Merci Angélique,

 

Je le ferais ce soir, aussitôt entré à la maison.

Je te posterais les nouveaux rapports demain...........je l'espère .

 

Bonne journée et merci encore.

[angelique]

ok

[bullbizar]

Bonjour Angélique, Bonjour à toutes et à tous,

 

Comme convenu, je te poste les deux rapports demandés.

 

Merci pour ton aide et à plus.......

 

ComboFix 08-11-13.01 - user 2008-11-22 17:58:17.2 - NTFSx86

Microsoft Windows XP Professionnel 5.1.2600.2.1252.1.1036.18.249 [GMT 1:00]

Lancé depuis: H:\ComboFix.exe

Commutateurs utilisés :: c:\documents and settings\user\Bureau\CFScript.txt

* Un nouveau point de restauration a été créé

 

AVERTISSEMENT - LA CONSOLE DE RةCUPةRATION N'EST PAS INSTALLةE SUR CETTE MACHINE !!

 

FILE ::

c:\windows\system32\xxyYoOFx.dll

.

 

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\windows\system32\xxyYoOFx.dll

 

.

((((((((((((((((((((((((((((( Fichiers créés du 2008-10-22 au 2008-11-22 ))))))))))))))))))))))))))))))))))))

.

 

2008-11-11 18:21 . 2008-11-12 18:21 <REP> d-------- c:\documents and settings\All Users\Application Data\AntiVir PersonalEdition Classic

2008-11-11 17:51 . 2008-11-11 18:51 <REP> d-------- c:\program files\Spybot - Search & Destroy

2008-11-11 17:51 . 2008-11-11 18:51 <REP> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2008-11-11 17:51 . 2008-11-11 15:33 401,720 --a------ C:\HiJackThis.exe

2008-11-10 13:17 . 2008-11-10 13:17 <REP> d-------- c:\documents and settings\user\Application Data\Absolutist.com

2008-11-10 13:07 . 2004-08-04 05:54 7,027 --a------ c:\windows\system32\winsdateg5.vxk

2008-11-10 13:02 . 2008-11-10 17:26 <REP> d-------- c:\program files\Bomberman vs Digger

2008-11-09 16:52 . 2008-11-14 11:23 <REP> d-------- c:\program files\GrudgeMatchPool

2008-11-09 16:50 . 2008-11-09 18:58 <REP> d-------- c:\program files\Kyodai Mahjongg

2008-11-09 16:40 . 2008-11-09 16:40 <REP> d-------- c:\program files\Realore

2008-11-09 14:06 . 2008-11-10 08:32 <REP> d-------- c:\program files\Battleship Chess

2008-11-09 12:52 . 2008-11-09 12:52 <REP> d-------- c:\program files\AbsoluteLab

2008-11-09 12:10 . 2008-11-13 20:33 <REP> d-------- c:\program files\Alawar

2008-11-08 19:50 . 2008-11-09 18:58 <REP> d-------- c:\program files\Axium

2008-11-08 19:26 . 2008-11-08 19:26 <REP> d-------- c:\program files\Invadazoid

2008-11-06 13:31 . 2008-11-06 13:31 <REP> d-------- c:\program files\Neoact

2008-11-06 13:31 . 2002-07-22 16:11 139,264 --a------ c:\windows\NeoUninstall.exe

2008-11-06 13:31 . 2008-11-06 13:31 26 --a------ c:\windows\NeoSetup.INI

2008-11-06 13:31 . 2008-11-06 13:31 0 --a------ c:\windows\iPool.INI

2008-11-06 13:18 . 2008-11-06 13:18 <REP> d-------- c:\program files\ThePoolClub

2008-11-06 12:26 . 2008-11-06 12:26 0 --a------ c:\windows\LiveBilliards.INI

2008-11-06 10:09 . 1999-12-17 09:13 86,016 --a------ c:\windows\unvise32.exe

2008-11-06 10:08 . 2008-11-06 10:08 <REP> d-------- c:\program files\TerraGame

2008-11-06 09:04 . 2008-11-06 09:04 45,056 --a------ c:\windows\NCUNINST.EXE

2008-11-05 21:18 . 2008-11-22 18:02 <REP> d-------- c:\windows\wt

2008-11-05 21:18 . 2008-11-09 16:34 <REP> d-------- c:\program files\Zone.com Deluxe Games

2008-11-05 21:18 . 2002-09-27 14:47 45,056 --a------ c:\windows\system32\wtcpl.cpl

2008-11-05 21:03 . 2008-11-11 08:45 <REP> d-------- c:\program files\phelios

2008-11-05 20:54 . 2008-11-05 20:54 <REP> d-------- c:\program files\goldminerjoe_full

2008-11-05 20:51 . 2008-11-11 08:45 <REP> d-------- c:\program files\Gravity Gems

2008-11-05 20:51 . 2008-11-09 18:58 <REP> d-------- c:\program files\BFG

2008-11-05 20:34 . 2008-11-05 20:34 <REP> d-------- c:\program files\Dweep Gold

2008-11-05 20:22 . 2008-11-05 20:22 <REP> d-------- c:\program files\BrickShooter

2008-11-05 20:22 . 2000-05-16 10:40 83,968 --a------ c:\windows\UnGins.exe

2008-11-05 20:22 . 2008-11-05 20:23 270 --a------ c:\windows\BS15.INI

2008-11-05 19:00 . 2008-11-11 08:46 <REP> d-------- c:\program files\Zylom Games

2008-11-05 19:00 . 2008-11-09 18:58 <REP> d-------- c:\documents and settings\user\Application Data\Zylom

2008-11-05 18:59 . 2008-11-05 18:59 <REP> d-------- c:\program files\LTank

2008-11-05 18:59 . 1997-11-21 14:35 14,480 --a------ c:\windows\system32\Ctl3d.dll

2008-11-05 18:45 . 2008-11-05 18:45 <REP> d-------- c:\program files\MagicBall

2008-11-05 18:37 . 2008-11-06 08:54 37,473 --a------ c:\windows\system32\muzika.xm

2008-10-28 20:35 . 2008-11-20 19:12 <REP> d-------- c:\program files\Big Kahuna Reef

2008-10-27 18:04 . 2008-10-27 18:12 <REP> d-------- c:\program files\Bud Redhead

2008-10-26 21:25 . 2008-10-30 16:34 <REP> d-------- c:\program files\Luxor

2008-10-26 21:20 . 2008-11-09 12:54 <REP> d-------- c:\program files\GameHouse

 

.

(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-11-14 10:25 --------- d--h--w c:\program files\InstallShield Installation Information

2008-11-13 20:06 --------- d-----w c:\program files\TrackMania Nations ESWC

2008-11-12 17:39 --------- d-----w c:\program files\Panda Craze

2008-11-11 16:13 --------- d-----w c:\program files\Tropix

2008-11-11 07:45 --------- d-----w c:\program files\Insaniquarium Deluxe

2008-11-10 08:05 724,992 -c--a-w c:\windows\iun6002.exe

2008-11-09 17:30 --------- d-----w c:\program files\EA Games

2008-11-09 15:35 --------- d-----w c:\program files\PopCap Games

2008-11-06 09:08 --------- d-----w c:\program files\Common Files

2008-11-06 08:02 --------- d-----w c:\program files\Fichiers communs\SWF Studio

2008-11-05 17:09 --------- d-----w c:\program files\Sega

2008-11-05 17:09 --------- d-----w c:\program files\Atari

2008-11-05 17:04 --------- d-----w c:\program files\MotoGP2

2008-11-05 17:00 --------- d--h--w c:\program files\Zero G Registry

2008-10-31 18:15 1,682 -csha-w c:\windows\system32\KGyGaAvL.sys

2008-10-17 14:46 --------- d-----w c:\program files\My Worst Day WW2

2008-10-17 14:41 --------- d-----w c:\program files\Devastation Zone Troopers

2008-10-16 09:55 --------- d-----w c:\program files\Bid For Power

2008-10-16 09:33 --------- d-----w c:\program files\GameSpy Arcade

2008-10-12 18:27 --------- d-----w c:\program files\Jurassic Realm

2008-10-10 14:40 142 ----a-w C:\Delapp.bat

2008-09-29 12:00 --------- d-----w c:\program files\Star Defender 4

2008-09-23 20:01 --------- d-----w c:\documents and settings\All Users\Application Data\TrackMania

2008-09-23 19:57 --------- d-----w c:\program files\TmNationsForever

2008-09-17 19:54 325,632 ----a-w c:\windows\system32\EAREMOVE.EXE

2008-09-17 19:53 304,128 -c--a-w c:\windows\unin040c.exe

2008-09-17 19:53 299,520 -c--a-w c:\windows\uninst.exe

2008-09-17 19:53 294,912 -c----r c:\windows\alcupd.exe

2008-09-17 19:53 200,704 -c----r c:\windows\alcrmv.exe

2008-09-17 19:24 308,224 -c--a-w c:\windows\IsUn040c.exe

2008-09-12 13:09 753,664 -c--a-w c:\windows\system32\nvcplui.exe

2008-09-11 10:03 56,834,127 ----a-w C:\CookingAcademySetup.exe

2008-08-23 17:52 43,520 ----a-w c:\windows\system32\CmdLineExt03.dll

.

 

((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Fichiers communs\Ahead\lib\NMBgMonitor.exe" [2005-09-25 94208]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-17 8491008]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-09-17 81920]

"RaidTool"="c:\program files\VIA\RAID\raid_tool.exe" [2005-06-20 1056768]

"wcmdmgr"="c:\windows\wt\updater\wcmdmgrl.exe" [2002-09-27 20480]

"avgnt"="c:\program files\AntiVir PersonalEdition Classic\avgnt.exe" [2007-04-02 327720]

"SiSPower"="SiSPower.dll" [2005-06-09 c:\windows\system32\SiSPower.dll]

"SoundMan"="SOUNDMAN.EXE" [2005-06-20 c:\windows\soundman.exe]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoResolveSearch"= 1 (0x1)

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.VP31"= vp31vfw.dll

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^Adobe Gamma Loader.lnk]

path=c:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\Adobe Gamma Loader.lnk

backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^user^Menu Démarrer^Programmes^Démarrage^Product Registration.lnk]

path=c:\documents and settings\user\Menu Démarrer\Programmes\Démarrage\Product Registration.lnk

backup=c:\windows\pss\Product Registration.lnkStartup

 

[HKLM\~\startupfolder\C:^Documents and Settings^user^Menu Démarrer^Programmes^Démarrage^Reboot.exe]

path=c:\documents and settings\user\Menu Démarrer\Programmes\Démarrage\Reboot.exe

backup=c:\windows\pss\Reboot.exeStartup

 

[HKLM\~\startupfolder\C:^Documents and Settings^user^Menu Démarrer^Programmes^Démarrage^Sid Registration.lnk]

path=c:\documents and settings\user\Menu Démarrer\Programmes\Démarrage\Sid Registration.lnk

backup=c:\windows\pss\Sid Registration.lnkStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

c:\windows\system32\dumprep 0 -k [X]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

--------- 2004-08-04 01:07 1667584 c:\program files\Messenger\msmsgs.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a--c--- 2005-09-25 19:11 155648 c:\windows\system32\NeroCheck.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nokia.PCSync]

--a------ 2008-03-26 18:41 1232896 c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]

--a------ 2008-03-28 11:20 1079296 c:\program files\Nokia\Nokia PC Suite 6\PCSuite.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

--a--c--- 2007-09-17 01:07 1626112 c:\windows\system32\nwiz.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"RasMan"=3 (0x3)

"Netman"=3 (0x3)

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

"AntiVirusOverride"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"c:\\Program Files\\RY's GAMES\\Serious Sam\\Bin\\SeriousSam.exe"=

"c:\\Program Files\\EA Games\\MOHAA\\MOHAA.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"d:\\Pc Gamer\\Serious Sam 2\\Bin\\Sam2.exe"=

"c:\\Program Files\\Duke Nukem - Manhattan Project\\prism3d.exe"=

"c:\\Program Files\\TmNationsForever\\TmForever.exe"=

"c:\\Program Files\\Raven\\SOF GOLD\\SoF.exe"=

"c:\\Program Files\\TrackMania Nations ESWC\\TmNationsESWC.exe"=

"c:\\Program Files\\GameTop.com\\Extreme Racers\\Extreme Racers.exe"=

"d:\\Nexuiz\\nexuiz.exe"=

"c:\\Program Files\\www.SmallGames.ws\\Beach Head - Desert War\\BH2Game\\BH2.exe"=

"c:\\Program Files\\Sierra\\SWAT 4\\Content\\System\\Swat4.exe"=

"c:\\Program Files\\Microsoft Games\\Age of Empires II The Conquerors Expansion Trial\\age2_x1t.exe"=

 

S3 FXDRV;FXDRV;E:\Fxdrv.sys [ ]

.

 

**************************************************************************

 

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-11-22 18:03:15

Windows 5.1.2600 Service Pack 2 NTFS

 

Recherche de processus cachés ...

 

Recherche d'éléments en démarrage automatique cachés ...

 

Recherche de fichiers cachés ...

 

Scan terminé avec succès

Fichiers cachés: 0

 

**************************************************************************

.

------------------------ Autres processus actifs ------------------------

.

c:\program files\AntiVir PersonalEdition Classic\avguard.exe

c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe

c:\program files\AntiVir PersonalEdition Classic\sched.exe

c:\program files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\windows\system32\nvsvc32.exe

c:\windows\system32\wdfmgr.exe

c:\windows\system32\rundll32.exe

c:\windows\wt\updater\wcmdmgr.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Heure de fin: 2008-11-22 18:07:28 - La machine a redémarré

ComboFix-quarantined-files.txt 2008-11-22 17:07:23

ComboFix2.txt 2008-11-15 17:53:49

 

Avant-CF: 10 657 024 000 octets libres

Après-CF: 10,647,233,536 octets libres

 

198

 

 

 

 

 

AntiVir PersonalEdition Classic

Report file date: samedi 22 novembre 2008 18:21

 

Scanning for 740715 virus strains and unwanted programs.

 

Licensed to: Avira AntiVir PersonalEdition Classic

Serial number: 0000149996-ADJIE-0001

Platform: Windows XP

Windows version: (Service Pack 2) [5.1.2600]

Username: user

Computer name: HOMR-09BB4389E7

 

Version information:

BUILD.DAT : 248 14437 Bytes 31/05/2007 16:59:00

AVSCAN.EXE : 7.0.4.15 282664 Bytes 20/04/2007 12:37:14

AVSCAN.DLL : 7.0.4.4 33832 Bytes 27/03/2007 12:31:54

LUKE.DLL : 7.0.4.11 143400 Bytes 27/03/2007 12:26:04

LUKERES.DLL : 7.0.4.0 10280 Bytes 19/03/2007 12:18:59

ANTIVIR0.VDF : 6.35.0.1 7371264 Bytes 31/05/2006 14:08:58

ANTIVIR1.VDF : 6.37.1.151 4303360 Bytes 23/02/2007 14:09:01

ANTIVIR2.VDF : 6.38.0.214 729600 Bytes 12/04/2007 14:09:02

ANTIVIR3.VDF : 6.38.0.225 50688 Bytes 16/04/2007 14:09:02

AVEWIN32.DLL : 7.4.0.12 2404864 Bytes 13/04/2007 14:04:24

AVWINLL.DLL : 1.0.0.7 14376 Bytes 26/02/2007 10:36:26

AVPREF.DLL : 7.0.2.1 24616 Bytes 27/03/2007 12:31:50

AVREP.DLL : 7.0.0.1 155688 Bytes 16/04/2007 13:16:24

AVPACK32.DLL : 7.3.0.8 360488 Bytes 27/03/2007 08:48:28

AVREG.DLL : 7.0.1.2 31784 Bytes 15/03/2007 09:05:08

AVEVTLOG.DLL : 7.0.0.18 86056 Bytes 27/03/2007 12:16:05

AVARKT.DLL : 1.0.0.17 278568 Bytes 02/05/2007 11:32:26

NETNT.DLL : 7.0.0.0 7720 Bytes 08/03/2007 11:09:42

RCIMAGE.DLL : 7.0.1.15 2228264 Bytes 13/03/2007 10:46:18

RCTEXT.DLL : 7.0.45.0 86056 Bytes 19/03/2007 12:42:42

 

Configuration settings for the scan:

Jobname..........................: Local Drives

Configuration file...............: C:\Program Files\AntiVir PersonalEdition Classic\alldrives.avp

Logging..........................: low

Primary action...................: interactive

Secondary action.................: ignore

Scan master boot sector..........: off

Scan boot sector.................: on

Boot sectors.....................: F:,

Scan memory......................: on

Process scan.....................: on

Scan registry....................: on

Search for rootkits..............: off

Scan all files...................: Intelligent file selection

Scan archives....................: on

Recursion depth..................: 20

Smart extensions.................: on

Macro heuristic..................: on

File heuristic...................: medium

 

Start of the scan: samedi 22 novembre 2008 18:21

 

The scan of running processes will be started

Scan process 'avscan.exe' - '1' Module(s) have been scanned

Scan process 'avguard.exe' - '1' Module(s) have been scanned

Scan process 'avcenter.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'NclRSSrv.exe' - '1' Module(s) have been scanned

Scan process 'NclUSBSrv.exe' - '1' Module(s) have been scanned

Scan process 'ServiceLayer.exe' - '1' Module(s) have been scanned

Scan process 'explorer.exe' - '1' Module(s) have been scanned

Scan process 'wscntfy.exe' - '1' Module(s) have been scanned

Scan process 'NMBgMonitor.exe' - '1' Module(s) have been scanned

Scan process 'ctfmon.exe' - '1' Module(s) have been scanned

Scan process 'wcmdmgr.exe' - '1' Module(s) have been scanned

Scan process 'avgnt.exe' - '1' Module(s) have been scanned

Scan process 'raid_tool.exe' - '1' Module(s) have been scanned

Scan process 'rundll32.exe' - '1' Module(s) have been scanned

Scan process 'soundman.exe' - '1' Module(s) have been scanned

Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned

Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned

Scan process 'MDM.EXE' - '1' Module(s) have been scanned

Scan process 'sched.exe' - '1' Module(s) have been scanned

Scan process 'aawservice.exe' - '1' Module(s) have been scanned

Scan process 'spoolsv.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'lsass.exe' - '1' Module(s) have been scanned

Scan process 'services.exe' - '1' Module(s) have been scanned

Scan process 'winlogon.exe' - '1' Module(s) have been scanned

Scan process 'csrss.exe' - '1' Module(s) have been scanned

Scan process 'smss.exe' - '1' Module(s) have been scanned

32 processes with 32 modules were scanned

 

Start scanning boot sectors:

Boot sector 'C:\'

[NOTE] No virus was found!

Boot sector 'D:\'

[NOTE] No virus was found!

Boot sector 'A:\'

[NOTE] In the drive 'A:\' no data medium is inserted!

Boot sector 'H:\'

[NOTE] No virus was found!

 

Starting to scan the registry.

The registry was scanned ( '12' files ).

 

 

Starting the file scan:

 

Begin scan in 'C:\'

C:\hiberfil.sys

[WARNING] The file could not be opened!

C:\pagefile.sys

[WARNING] The file could not be opened!

Begin scan in 'D:\'

D:\System Volume Information\_restore{D94A209A-92B7-4305-A1DD-2D9F1F42301A}\RP252\A0364012.exe

[DETECTION] Contains signature of the Windows virus W32/Hidrag.a

[iNFO] The file was deleted!

D:\System Volume Information\_restore{D94A209A-92B7-4305-A1DD-2D9F1F42301A}\RP252\A0364013.exe

[DETECTION] Contains signature of the Windows virus W32/Hidrag.a

[iNFO] The file was deleted!

D:\System Volume Information\_restore{D94A209A-92B7-4305-A1DD-2D9F1F42301A}\RP252\A0364014.exe

[DETECTION] Contains signature of the Windows virus W32/Hidrag.a

[iNFO] The file was deleted!

D:\System Volume Information\_restore{D94A209A-92B7-4305-A1DD-2D9F1F42301A}\RP252\A0364015.exe

[DETECTION] Contains signature of the Windows virus W32/Hidrag.a

[iNFO] The file was deleted!

D:\System Volume Information\_restore{D94A209A-92B7-4305-A1DD-2D9F1F42301A}\RP252\A0364016.exe

[DETECTION] Contains signature of the Windows virus W32/Hidrag.a

[iNFO] The file was moved to '495b4914.qua'!

D:\System Volume Information\_restore{D94A209A-92B7-4305-A1DD-2D9F1F42301A}\RP252\A0364017.exe

[DETECTION] Contains signature of the Windows virus W32/Hidrag.a

[iNFO] The file was moved to '495b4919.qua'!

D:\System Volume Information\_restore{D94A209A-92B7-4305-A1DD-2D9F1F42301A}\RP252\A0364018.EXE

[DETECTION] Contains signature of the Windows virus W32/Hidrag.a

[iNFO] The file was moved to '495b491a.qua'!

D:\System Volume Information\_restore{D94A209A-92B7-4305-A1DD-2D9F1F42301A}\RP252\A0364019.exe

[DETECTION] Contains signature of the Windows virus W32/Hidrag.a

[iNFO] The file was moved to '495b491c.qua'!

D:\System Volume Information\_restore{D94A209A-92B7-4305-A1DD-2D9F1F42301A}\RP252\A0364020.exe

[DETECTION] Contains signature of the Windows virus W32/Hidrag.a

[iNFO] The file was moved to '495b4921.qua'!

D:\System Volume Information\_restore{D94A209A-92B7-4305-A1DD-2D9F1F42301A}\RP252\A0364021.exe

[DETECTION] Contains signature of the Windows virus W32/Hidrag.a

[iNFO] The file was moved to '495b4922.qua'!

D:\System Volume Information\_restore{D94A209A-92B7-4305-A1DD-2D9F1F42301A}\RP252\A0364022.exe

[DETECTION] Contains signature of the Windows virus W32/Hidrag.a

[iNFO] The file was moved to '495b4923.qua'!

D:\System Volume Information\_restore{D94A209A-92B7-4305-A1DD-2D9F1F42301A}\RP252\A0364023.exe

[DETECTION] Contains signature of the Windows virus W32/Hidrag.a

[iNFO] The file was moved to '495b4935.qua'!

D:\System Volume Information\_restore{D94A209A-92B7-4305-A1DD-2D9F1F42301A}\RP252\A0364024.exe

[DETECTION] Contains signature of the Windows virus W32/Hidrag.a

[iNFO] The file was moved to '495b4941.qua'!

D:\System Volume Information\_restore{D94A209A-92B7-4305-A1DD-2D9F1F42301A}\RP252\A0364025.exe

[DETECTION] Contains signature of the Windows virus W32/Hidrag.a

[iNFO] The file was moved to '495b4945.qua'!

D:\System Volume Information\_restore{D94A209A-92B7-4305-A1DD-2D9F1F42301A}\RP252\A0364026.exe

[DETECTION] Contains signature of the Windows virus W32/Hidrag.a

[iNFO] The file was moved to '495b4946.qua'!

D:\System Volume Information\_restore{D94A209A-92B7-4305-A1DD-2D9F1F42301A}\RP252\A0364027.exe

[DETECTION] Contains signature of the Windows virus W32/Hidrag.a

[iNFO] The file was moved to '48ff3fd3.qua'!

D:\System Volume Information\_restore{D94A209A-92B7-4305-A1DD-2D9F1F42301A}\RP252\A0364028.exe

[DETECTION] Contains signature of the Windows virus W32/Hidrag.a

[iNFO] The file was moved to '495b4940.qua'!

D:\System Volume Information\_restore{D94A209A-92B7-4305-A1DD-2D9F1F42301A}\RP252\A0364029.exe

[DETECTION] Contains signature of the Windows virus W32/Hidrag.a

[iNFO] The file was moved to '48ff3fd5.qua'!

D:\System Volume Information\_restore{D94A209A-92B7-4305-A1DD-2D9F1F42301A}\RP252\A0364030.exe

[DETECTION] Contains signature of the Windows virus W32/Hidrag.a

[iNFO] The file was moved to '495b4947.qua'!

D:\120games\120games.zip

[0] Archive type: ZIP

--> 120 jogos crackeados.rar

[1] Archive type: RAR

--> 120 jogos crackeados\Alchemy DeLuxe 1.6 ENG\Alchemy Keygen\alchemy.deluxe.1.2.keygen-tsrh.exe

[DETECTION] Contains suspicious code HEUR/Crypted

--> 120 jogos crackeados\Atomica deLuxe 2.52\kEYGEN.exe

[DETECTION] Contains suspicious code HEUR/Crypted

[WARNING] An error has occurred and the file was not deleted. ErrorID: 16001

[WARNING] Failed!

D:\120games\120 jogos crackeados\Alchemy DeLuxe 1.6 ENG\Alchemy Keygen\alchemy.deluxe.1.2.keygen-tsrh.exe

[DETECTION] Contains suspicious code HEUR/Crypted

[iNFO] The file was moved to '498b4cb5.qua'!

D:\120games\120 jogos crackeados\Atomica deLuxe 2.52\kEYGEN.exe

[DETECTION] Contains suspicious code HEUR/Crypted

[iNFO] The file was moved to '49814c92.qua'!

Begin scan in 'A:\'

Search path A:\ could not be opened!

Le périphérique n'est pas prêt.

 

Begin scan in 'H:\'

Begin scan in 'E:\' <MYCD_VOL>

Begin scan in 'F:\'

Search path F:\ could not be opened!

Le périphérique n'est pas prêt.

 

 

 

End of the scan: samedi 22 novembre 2008 19:24

Used time: 1:03:06 min

 

The scan has been done completely.

 

10505 Scanning directories

353792 Files were scanned

23 viruses and/or unwanted programs were found

4 classified as suspicious:

4 files were deleted

0 files were repaired

17 files were moved to quarantine

0 files were renamed

2 Files cannot be scanned

353765 Files not concerned

2432 Archives were scanned

3 Warnings

6 Notes

0 Hidden objects were found