
Posted

Normally no, but if it is waiting on a network card timeout, that could explain the delay. Unplug the cable if it is connected to a local network, but don't restart it "the brutal way". :P

Posted

I have sometimes seen the thing start up again after an hour, but there is no guarantee it will.

The least bad option - though it is still risky - would be to close the blue window, see what happens, and if needed relaunch Task Manager to do a restart requested by Windows (not a reset, that is).

Afterwards, if it had not restarted the machine, it will end up restarting and producing the (long) report.

Posted

The situation:

No problem, restart OK, desktop OK

PC Antispyware 2010 is in the taskbar and throws up a WARNING window saying "you have blah blah blah"

I no longer have an antivirus on the machine (uninstalled last night)

Posted

LOG from the new ComboFix

 

ComboFix 09-08-10.06 - captain crosoft 17/08/2009 11:32.6.1 - NTFSx86

Microsoft Windows XP Professionnel 5.1.2600.3.1252.33.1036.18.2047.1628 [GMT 2:00]

Running from: c:\documents and settings\captain crosoft\Bureau\ComboFix.exe

Command switches used :: e:\reparvirus\Cfscript3.txt

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

 

FILE ::

"c:\documents and settings\All Users\Application Data\ezefo.bat"

"c:\documents and settings\All Users\Application Data\nudyhupod.reg"

"c:\documents and settings\captain crosoft\Application Data\xafif.exe"

"c:\documents and settings\NetworkService\Application Data\awur.com"

"c:\documents and settings\NetworkService\Application Data\qocam.com"

"c:\documents and settings\NetworkService\Application Data\tamilipin.pif"

"c:\documents and settings\NetworkService\Application Data\udoq.reg"

"c:\documents and settings\NetworkService\Local Settings\Application Data\qohiso.exe"

"c:\program files\Fichiers communs\alijowon.inf"

"c:\program files\Fichiers communs\axag._dl"

"c:\program files\Fichiers communs\kudehysyr.reg"

"c:\program files\Fichiers communs\ybisop.dl"

"c:\program files\Fichiers communs\yzozil.dl"

"c:\windows\exymuwikev.exe"

"c:\windows\garinu.scr"

"c:\windows\omuqyxun.bin"

"c:\windows\onafuq.scr"

"c:\windows\system32\_scui.cpl"

"c:\windows\system32\braviax.exe"

"c:\windows\system32\dllcache\figaro.sys"

"c:\windows\system32\elubybyn.com"

"c:\windows\system32\eqyse.reg"

"c:\windows\system32\figaro.sys"

"c:\windows\system32\upowyz.exe"

"c:\windows\system32\venijupuq.vbs"

"c:\windows\system32\vipevuqy.sys"

"c:\windows\system32\wisdstr.exe"

"c:\windows\system32\xisajy.vbs"

"c:\windows\system32\ykalyvig.scr"

"c:\windows\wegabawody.dll"

"c:\windows\ylenysax.reg"

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\documents and settings\All Users\Application Data\ezefo.bat

c:\documents and settings\All Users\Application Data\nudyhupod.reg

c:\documents and settings\captain crosoft\Application Data\xafif.exe

c:\documents and settings\NetworkService\Application Data\awur.com

c:\documents and settings\NetworkService\Application Data\qocam.com

c:\documents and settings\NetworkService\Application Data\tamilipin.pif

c:\documents and settings\NetworkService\Application Data\udoq.reg

c:\documents and settings\NetworkService\Local Settings\Application Data\qohiso.exe

C:\PC_Antispyware2010

c:\pc_antispyware2010\PC_Antispyware2010.lnk

c:\pc_antispyware2010\Uninstall.lnk

c:\program files\Fichiers communs\alijowon.inf

c:\program files\Fichiers communs\axag._dl

c:\program files\Fichiers communs\kudehysyr.reg

c:\program files\Fichiers communs\ybisop.dl

c:\program files\Fichiers communs\yzozil.dl

c:\program files\PC_Antispyware2010

c:\program files\PC_Antispyware2010\.cfg

c:\program files\PC_Antispyware2010\AVEngn.dll

c:\program files\PC_Antispyware2010\data\daily.cvd

c:\program files\PC_Antispyware2010\htmlayout.dll

c:\program files\PC_Antispyware2010\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest

c:\program files\PC_Antispyware2010\Microsoft.VC80.CRT\msvcm80.dll

c:\program files\PC_Antispyware2010\Microsoft.VC80.CRT\msvcp80.dll

c:\program files\PC_Antispyware2010\Microsoft.VC80.CRT\msvcr80.dll

c:\program files\PC_Antispyware2010\PC_Antispyware2010.cfg

c:\program files\PC_Antispyware2010\PC_Antispyware2010.exe

c:\program files\PC_Antispyware2010\pthreadVC2.dll

c:\program files\PC_Antispyware2010\Uninstall.exe

c:\program files\PC_Antispyware2010\wscui.cpl

c:\windows\exymuwikev.exe

c:\windows\garinu.scr

c:\windows\omuqyxun.bin

c:\windows\onafuq.scr

c:\windows\system32\elubybyn.com

c:\windows\system32\eqyse.reg

c:\windows\system32\upowyz.exe

c:\windows\system32\venijupuq.vbs

c:\windows\system32\vipevuqy.sys

c:\windows\system32\xisajy.vbs

c:\windows\system32\ykalyvig.scr

c:\windows\wegabawody.dll

c:\windows\ylenysax.reg

 

.

((((((((((((((((((((((((( Files Created from 2009-07-17 to 2009-08-17 )))))))))))))))))))))))))))))))

.

 

2009-08-17 07:53 . 2009-08-17 08:00 -------- d-s---w- C:\27350-CF

2009-08-17 07:29 . 2002-12-31 12:00 4224 ----a-w- c:\windows\system32\drivers\beep.sys

2009-08-16 22:36 . 2009-08-16 22:36 11236 ----a-w- c:\windows\putivevovy.com

2009-08-16 22:25 . 2009-08-16 22:25 -------- d-----w- C:\Remote Programs

2009-08-16 22:03 . 2009-08-16 22:03 19954 ----a-w- c:\program files\Fichiers communs\melufe.dat

2009-08-16 22:03 . 2009-08-16 22:03 19195 ----a-w- c:\windows\likivodevi.bat

2009-08-16 22:03 . 2009-08-16 22:03 18559 ----a-w- c:\documents and settings\captain crosoft\Local Settings\Application Data\izygodul.dat

2009-08-16 22:03 . 2009-08-16 22:03 17762 ----a-w- c:\program files\Fichiers communs\utypyji.vbs

2009-08-16 22:03 . 2009-08-16 22:03 16696 ----a-w- c:\documents and settings\captain crosoft\Local Settings\Application Data\ibisowusu.dll

2009-08-16 22:03 . 2009-08-16 22:03 15764 ----a-w- c:\windows\pavipaho.dat

2009-08-16 22:03 . 2009-08-16 22:03 15402 ----a-w- c:\windows\rywyrav.vbs

2009-08-16 22:03 . 2009-08-16 22:03 11180 ----a-w- c:\documents and settings\captain crosoft\Local Settings\Application Data\cimoduwozi.pif

2009-08-16 21:33 . 2009-08-16 22:29 29184 -c--a-w- c:\windows\system32\dllcache\beep.sys

2009-08-16 20:46 . 2009-03-24 14:07 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-08-16 15:17 . 2009-08-14 10:13 619584 ----a-w- c:\windows\system32\drivers\ntfs.sys

2009-08-15 18:54 . 2009-08-15 18:55 -------- d-----w- C:\615bc555c03f6bd56ce4

2009-08-15 17:45 . 2009-08-15 19:08 -------- d-----w- c:\program files\Lavasoft

2009-08-15 17:45 . 2009-08-15 19:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2009-08-15 17:33 . 2009-08-16 17:34 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-08-15 17:18 . 2009-08-15 17:18 -------- d-----w- c:\program files\Trend Micro

2009-08-14 20:07 . 2009-08-14 20:07 74083 ----a-r- c:\documents and settings\captain crosoft\Application Data\Microsoft\Installer\{304A07DC-4B92-49C6-BC06-DDB8044E91C1}\ARPPRODUCTICON.exe

2009-08-14 20:07 . 2009-08-14 20:07 73728 ----a-r- c:\documents and settings\captain crosoft\Application Data\Microsoft\Installer\{304A07DC-4B92-49C6-BC06-DDB8044E91C1}\ndac.exe1_0D54DE165360499A9175C95A7F3C5401.exe

2009-08-14 20:07 . 2009-08-14 20:07 73728 ----a-r- c:\documents and settings\captain crosoft\Application Data\Microsoft\Installer\{304A07DC-4B92-49C6-BC06-DDB8044E91C1}\ndac.exe_0BD1ADA496834929AD856F9834E3E161.exe

2009-08-14 20:07 . 2009-08-14 20:07 -------- d-----w- c:\program files\Navigraph

2009-08-14 20:07 . 2009-08-14 20:07 -------- d-----w- c:\documents and settings\captain crosoft\Application Data\Navigraph

2009-08-14 18:08 . 2009-08-14 18:08 -------- d-----w- C:\!KillBox

2009-08-14 13:57 . 2009-08-14 13:57 -------- d-----w- c:\program files\FS Real Time

2009-08-14 13:56 . 2009-08-14 13:56 -------- d-----w- c:\program files\MSBuild

2009-08-14 13:53 . 2009-08-15 18:55 -------- d-----w- c:\windows\system32\XPSViewer

2009-08-14 13:53 . 2009-08-14 13:53 -------- d-----w- c:\program files\Reference Assemblies

2009-08-14 13:52 . 2006-06-29 11:07 14048 ------w- c:\windows\system32\spmsg2.dll

2009-08-14 12:26 . 2009-08-14 12:26 -------- d-----w- c:\documents and settings\captain crosoft\Application Data\Malwarebytes

2009-08-14 12:25 . 2009-08-03 11:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-14 12:25 . 2009-08-14 12:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-08-14 12:25 . 2009-08-03 11:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-08-14 12:25 . 2009-08-14 12:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-08-14 12:25 . 2009-08-14 12:25 3942048 ----a-w- C:\malwarebytes-anti-malware_malwarebytes_anti-malware_1.40_francais_215092.exe

2009-08-14 12:17 . 2009-08-14 12:17 3278552 ----a-w- C:\ccsetup222.exe

2009-08-13 09:54 . 2009-08-13 09:54 -------- d-----w- c:\program files\Ken Salter

2009-08-12 20:36 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll

2009-08-11 12:14 . 2009-08-11 12:15 -------- d-----w- c:\program files\ALMATY9 V2.0

2009-08-11 08:15 . 2009-08-11 08:15 149657 ----a-w- c:\windows\OCS PT-154 Uninstaller.exe

2009-08-11 08:14 . 2009-08-11 08:14 -------- d-----w- c:\program files\OCS PT-154

2009-08-11 08:12 . 2009-08-14 20:57 -------- d-----w- c:\program files\NCalc5

2009-08-11 07:35 . 2009-08-05 10:29 43008 ----a-w- c:\documents and settings\captain crosoft\Application Data\Mozilla\Firefox\Profiles\6gh4c5ef.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll

2009-08-11 07:35 . 2009-08-05 10:29 340480 ----a-w- c:\documents and settings\captain crosoft\Application Data\Mozilla\Firefox\Profiles\6gh4c5ef.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll

2009-08-11 07:35 . 2009-08-05 10:28 346112 ----a-w- c:\documents and settings\captain crosoft\Application Data\Mozilla\Firefox\Profiles\6gh4c5ef.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll

2009-08-05 09:00 . 2009-08-05 09:00 205312 -c----w- c:\windows\system32\dllcache\mswebdvd.dll

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-16 22:26 . 2009-04-14 17:19 -------- d-----w- c:\program files\EasyScan

2009-08-16 22:03 . 2009-08-16 22:03 15711 ----a-w- c:\program files\Fichiers communs\gecyvufiru._dl

2009-08-16 22:03 . 2009-08-16 22:03 12117 ----a-w- c:\program files\Fichiers communs\poqyveq.db

2009-08-16 22:03 . 2009-08-16 22:03 11132 ----a-w- c:\program files\Fichiers communs\iwar._sy

2009-08-16 22:03 . 2009-08-16 22:03 11039 ----a-w- c:\documents and settings\All Users\Application Data\ikagoja.dat

2009-08-15 21:21 . 2006-09-18 12:15 24488 ----a-w- c:\documents and settings\captain crosoft\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-15 18:59 . 2003-04-24 19:00 81718 ----a-w- c:\windows\system32\perfc00C.dat

2009-08-15 18:59 . 2003-04-24 19:00 503166 ----a-w- c:\windows\system32\perfh00C.dat

2009-08-14 13:29 . 2006-11-10 07:45 249856 ------w- c:\windows\Setup1.exe

2009-08-14 13:29 . 2006-09-18 12:01 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-08-14 13:25 . 2009-06-26 22:45 -------- d-----w- c:\program files\Real Environment Pro

2009-08-14 12:18 . 2006-09-26 06:52 -------- d-----w- c:\program files\CCleaner

2009-08-13 22:02 . 2006-11-19 07:55 -------- d-----w- c:\documents and settings\captain crosoft\Application Data\OpenOffice.org2

2009-08-13 20:45 . 2007-09-06 22:11 205061 ----a-w- c:\documents and settings\captain crosoft\Application Data\Thunderbird\Profiles\f0cc1wri.default\Mail\Nouvelles et Blogs\Linux news from LinuxWorld.com

2009-08-13 20:45 . 2006-09-18 11:10 -------- d-----w- c:\program files\Mozilla Thunderbird

2009-08-05 09:00 . 2003-04-24 19:00 205312 ----a-w- c:\windows\system32\mswebdvd.dll

2009-07-30 19:09 . 2006-10-25 18:01 -------- d-----w- c:\program files\Google

2009-07-17 19:03 . 2003-04-24 19:00 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-13 21:43 . 2004-08-19 23:09 286208 ------w- c:\windows\system32\wmpdxm.dll

2009-07-10 11:05 . 2009-07-10 11:05 -------- d-----w- c:\program files\Microsoft Games

2009-07-10 10:38 . 2009-01-22 18:03 -------- d-----w- c:\program files\Vim

2009-07-10 10:38 . 2006-09-19 18:40 -------- d-----w- c:\program files\PyGrenouille

2009-07-09 12:32 . 2006-09-18 10:44 86327 ----a-w- c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat

2009-06-29 15:57 . 2006-06-23 11:28 827392 ----a-w- c:\windows\system32\wininet.dll

2009-06-29 15:57 . 2004-08-19 23:09 78336 ----a-w- c:\windows\system32\ieencode.dll

2009-06-29 15:57 . 2003-04-24 19:00 17408 ----a-w- c:\windows\system32\corpol.dll

2009-06-26 22:09 . 2009-06-26 22:09 -------- d-----w- c:\program files\Boeing737FPL

2009-06-25 22:58 . 2009-06-25 22:58 90 --sh--w- c:\windows\cnerolf.dat

2009-06-25 08:26 . 2003-04-24 19:00 736768 ----a-w- c:\windows\system32\lsasrv.dll

2009-06-25 08:26 . 2003-04-24 19:00 56832 ----a-w- c:\windows\system32\secur32.dll

2009-06-25 08:26 . 2003-04-24 19:00 54272 ----a-w- c:\windows\system32\wdigest.dll

2009-06-25 08:26 . 2003-04-24 19:00 147456 ----a-w- c:\windows\system32\schannel.dll

2009-06-25 08:26 . 2003-04-24 19:00 136192 ----a-w- c:\windows\system32\msv1_0.dll

2009-06-25 08:26 . 2005-06-15 17:51 301568 ----a-w- c:\windows\system32\kerberos.dll

2009-06-24 22:47 . 2009-06-24 22:12 287746956 ----a-w- C:\LO_1.1b_Flaming_Cliffs_Setup.exe

2009-06-24 11:18 . 2003-04-24 19:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys

2009-06-23 18:24 . 2009-06-23 18:23 28081408 ----a-w- C:\flight_simulator_2004_un_siecle_d_aviation_patch_v9.1_francais_13134.exe

2009-06-22 13:23 . 2009-06-22 13:23 239088 ----a-w- c:\documents and settings\captain crosoft\Application Data\Mozilla\plugins\npgoogletalk.dll

2009-06-18 21:32 . 2009-06-18 13:51 -------- d-----w- c:\program files\Ubisoft

2009-06-18 15:33 . 2009-06-18 15:33 -------- d-----w- c:\program files\M-Audio

2009-06-18 13:41 . 2009-06-18 13:40 21579004 ----a-w- C:\silent_hunter_3_patch_1-4b_version_retail_europe.exe

2009-06-18 13:33 . 2009-06-12 17:32 -------- d-----w- c:\program files\GameShadow

2009-06-16 14:40 . 2003-04-24 19:00 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-06-16 14:40 . 2003-04-24 19:00 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-15 10:44 . 2003-04-24 19:00 78848 ----a-w- c:\windows\system32\telnet.exe

2009-06-15 10:44 . 2003-04-24 19:00 82944 ----a-w- c:\windows\system32\tlntsess.exe

2009-06-12 17:17 . 2009-06-12 17:16 21579004 ----a-w- C:\silent_hunter_3_patch_v1.4b_-_retail_europe_14744.exe

2009-06-10 14:14 . 2003-04-24 19:00 85504 ----a-w- c:\windows\system32\avifil32.dll

2009-06-10 07:21 . 2006-09-18 10:42 2066432 ----a-w- c:\windows\system32\mstscax.dll

2009-06-10 06:15 . 2003-04-24 19:00 132096 ----a-w- c:\windows\system32\wkssvc.dll

2009-06-03 19:10 . 2003-04-24 19:00 1297408 ----a-w- c:\windows\system32\quartz.dll

2006-09-16 07:55 . 2007-07-24 15:55 1512 ----a-w- c:\program files\2cv mod 1.0 - readme.txt

2006-05-29 14:40 . 2008-03-07 17:25 7296000 ----a-w- c:\program files\mozilla firefox\plugins\libvlc.dll

2004-08-04 12:00 . 2007-08-29 19:56 413696 ----a-w- c:\program files\mozilla firefox\plugins\msvcp60.dll

.

 

------- Sigcheck -------

 

[-] 2007-02-09 11:23 574976 05AB81909514BFD69CBB1F2C147CF6B9 c:\windows\$hf_mig$\KB930916\SP2QFE\ntfs.sys

[-] 2007-02-09 11:10 574464 19A811EF5F1ED5C926A028CE107FF1AF c:\windows\$NtServicePackUninstall$\ntfs.sys

[7] 2004-08-04 06:15 574592 B78BE402C3F63DD55521F73876951CDD c:\windows\$NtUninstallKB930916$\ntfs.sys

[7] 2008-04-13 19:15 574976 78A08DD6A8D65E697C18E1DB01C5CDCA c:\windows\ServicePackFiles\i386\ntfs.sys

[7] 2008-04-13 11:15 574976 78A08DD6A8D65E697C18E1DB01C5CDCA c:\windows\system32\dllcache\ntfs.sys

[7] 2008-04-13 19:15 574976 78A08DD6A8D65E697C18E1DB01C5CDCA c:\windows\system32\dllcache\cache\ntfs.sys

[-] 2009-08-14 10:13 619584 4DFB45D14330ACE7FD32EE8DBCF50C97 c:\windows\system32\drivers\ntfs.sys

.

((((((((((((((((((((((((((((( SnapShot@2009-08-15_20.49.33 )))))))))))))))))))))))))))))))))))))))))

.

+ 2007-11-07 00:19 . 2007-11-07 00:19 54272 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_ecc42bd1\vcomp90.dll

+ 2007-01-10 15:56 . 2007-11-30 11:19 18296 c:\windows\system32\spmsg.dll

+ 2009-08-16 20:44 . 2009-08-16 20:44 228352 c:\windows\Installer\e03fbc.msi

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-19 68856]

"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

"Google Update"="c:\documents and settings\captain crosoft\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-11-12 133104]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Gainward"="c:\windows\TBPanel.exe" [2005-10-26 2052096]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-02-14 7700480]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-02-14 86016]

"RivaTuner"="c:\rivatuner v2.02\RivaTuner.exe" [2007-07-01 2596864]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-12-11 286720]

"iTunesHelper"="c:\itunes\iTunesHelper.exe" [2007-12-11 267048]

"RivaTunerStartupDaemon"="c:\rivatuner v2.02\RivaTuner.exe" [2007-07-01 2596864]

"M-Audio Taskbar Icon"="c:\windows\System32\MAFWTray.exe" [2008-03-03 252424]

"MAFWTaskbarApp"="c:\windows\system32\MAFWTray.exe" [2008-03-03 252424]

"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-02-14 1622016]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"= 1 (0x1)

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^Lancement rapide d'Adobe Reader.lnk]

path=c:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\Lancement rapide d'Adobe Reader.lnk

backup=c:\windows\pss\Lancement rapide d'Adobe Reader.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"Apache2.2"=2 (0x2)

"WZCSVC"=2 (0x2)

"SharedAccess"=2 (0x2)

"SCardSvr"=3 (0x3)

"mysql"=2 (0x2)

"RSVP"=3 (0x3)

"RemoteRegistry"=2 (0x2)

"RDSessMgr"=3 (0x3)

"RasMan"=3 (0x3)

"RasAuto"=3 (0x3)

"TapiSrv"=3 (0x3)

"UPS"=3 (0x3)

"VMware NAT Service"=2 (0x2)

"vmserverdWin32"=2 (0x2)

"vmount2"=2 (0x2)

"VMnetDHCP"=2 (0x2)

"VMAuthdService"=2 (0x2)

"mnmsrvc"=3 (0x3)

"Themes"=2 (0x2)

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=

"c:\\Program Files\\ABC\\abc.exe"=

"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\FileZilla\\FileZilla.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\ITUNES\\iTunes.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

"c:\\Documents and Settings\\captain crosoft\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=

"c:\\Documents and Settings\\captain crosoft\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

"c:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe"=

"c:\\Program Files\\THQ\\Company of Heroes\\RelicDownloader\\RelicDownloader.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"34447:TCP"= 34447:TCP:*:Disabled:Rfactor session chat

"34297:UDP"= 34297:UDP:*:Disabled:Rfactor Lan query

"34397:UDP"= 34397:UDP:*:Disabled:Rfactor Race event

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015

"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016

"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

 

R0 sfdrv01a;StarForce Protection Environment Driver (version 1.x.a);c:\windows\system32\drivers\sfdrv01a.sys [05/07/2006 14:46 63352]

R2 xdasd;Distributed Audit Service;c:\openxdas\xdasd.exe [28/05/2008 19:48 45056]

R3 MAFW;MAFW;c:\windows\system32\drivers\mafw.sys [18/06/2009 17:33 193032]

S0 NVStrap;NVStrap;c:\windows\system32\drivers\NVStrap.sys [21/11/2006 10:30 4224]

S2 gupdate1c9cdb39a729a0;Google Update Service (gupdate1c9cdb39a729a0);c:\program files\Google\Update\GoogleUpdate.exe [05/05/2009 20:55 133104]

S3 NSClientpp;NSClientpp (Nagios) 0.3.5.2 2008-09-24 w32;c:\program files\NSClient++\nsclient++.exe [24/09/2008 23:33 409600]

S3 PORTMON;PORTMON;\??\c:\outils_alstom\PORTMSYS.SYS --> c:\outils_alstom\PORTMSYS.SYS [?]

S3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [15/08/2008 00:17 517632]

S3 SynasUSB;SynasUSB;c:\windows\system32\drivers\synasUSB.sys [18/09/2006 14:55 16896]

S3 UfasoftSnifDriver4;Ufasoft Snif Driver v4;c:\ufasoft\Sniffer\usft_sn4.sys [11/11/2007 03:30 15744]

S3 vmserverdWin32;VMware Registration Service;c:\program files\VMware\VMware Server\vmserverdWin32.exe [30/10/2008 18:59 1650782]

.

Contents of the 'Scheduled Tasks' folder

 

2009-08-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-05 18:55]

 

2009-08-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-05 18:55]

 

2009-08-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-839522115-1993962763-725345543-1003Core.job

- c:\documents and settings\captain crosoft\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-12 22:04]

 

2009-08-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-839522115-1993962763-725345543-1003UA.job

- c:\documents and settings\captain crosoft\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-12 22:04]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mStart Page = hxxp://www.google.com

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Télécharger avec &BitSpirit - c:\program files\BitSpirit\bsurl.htm

TCP: {040CBFAE-B17B-4D4C-83D7-3A631463AC03} = 192.168.1.1,212.27.48.10

TCP: {58E5BC09-7242-4633-99BB-94E7ECA95338} = 80.10.246.2,80.10.246.129

TCP: {6F14E2EC-E3A9-429B-9160-FA199D284144} = 212.27.54.252,212.27.32.177

TCP: {7C2205B0-3CBC-4189-82B7-063F543AD864} = 160.92.121.4,160.92.121.6,80.10.246.2,80.10.246.129

FF - ProfilePath - c:\documents and settings\captain crosoft\Application Data\Mozilla\Firefox\Profiles\6gh4c5ef.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff30\gears.dll

FF - plugin: c:\documents and settings\captain crosoft\Application Data\Mozilla\plugins\npgoogletalk.dll

FF - plugin: c:\documents and settings\captain crosoft\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll

FF - plugin: c:\itunes\Mozilla Plugins\npitunes.dll

FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npExentCtl.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npUMediaPlayer5.dll

.

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-17 11:43

Windows 5.1.2600 Service Pack 3 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

 

[HKEY_USERS\S-1-5-21-839522115-1993962763-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

 

[HKEY_USERS\S-1-5-21-839522115-1993962763-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:7d,0b,ed,c9,72,ef,f3,96,64,23,a2,a9,54,c9,8a,a2,9e,d2,5b,e3,95,70,19,

8e,21,da,1c,1b,86,df,51,7c,ef,2d,81,c9,b8,00,97,7f,ce,8c,e0,5e,6b,0e,3e,8b,\

"??"=hex:e2,06,90,c3,a9,ab,f7,ca,1c,f7,63,d7,3e,f2,89,5d

 

[HKEY_USERS\S-1-5-21-839522115-1993962763-725345543-1003\Software\SecuROM\License information*]

"datasecu"=hex:b3,aa,9a,8d,c3,2c,7e,ac,82,cf,85,26,7c,c5,bb,de,88,91,c2,fb,08,

0c,5d,c3,e3,21,e1,46,6a,e2,80,9a,71,85,0f,58,3d,bd,a7,9e,0f,f6,97,15,e5,0f,\

"rkeysecu"=hex:0a,8a,03,96,13,6d,9e,41,e6,bb,99,da,b9,a6,f6,b0

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

- - - - - - - > 'explorer.exe'(788)

c:\windows\system32\WPDShServiceObj.dll

c:\program files\WinSCP\DragExt.dll

c:\windows\system32\eappprxy.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\scardsvr.exe

c:\windows\system32\nvsvc32.exe

c:\windows\system32\sessmgr.exe

c:\program files\Google\Update\1.2.183.7\GoogleCrashHandler.exe

c:\windows\system32\tlntsvr.exe

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2009-08-17 11:49 - machine was rebooted

ComboFix-quarantined-files.txt 2009-08-17 09:49

ComboFix2.txt 2009-08-17 07:39

ComboFix3.txt 2009-08-16 22:07

ComboFix4.txt 2009-08-16 16:48

ComboFix5.txt 2009-08-17 07:48

 

Pre-Run: 22 012 514 304 octets libres

Post-Run: 21 958 529 024 octets libres

 

380 --- E O F --- 2009-08-16 21:16

Posted

It is partly regenerating, since we missed a restart.

I did not know the machine was not connected to the internet.

Annoying for updating the tools.

Download and install the MBAM signature update here:

http://www.malwarebytes.org/mbam/database/mbam-rules.exe

Otherwise update normally, if that works.

Scan with MBAM and remove everything (quick scan), then post the MBAM report.
