malware "antivirus plus"

[locita]

bonjour, j'ai eu un souci avec un malware "antivirus plus"

j'ai fais un scan avec combofix et voici le rapport. Quelqu'un pourrait me dire si j'en ai fini avec ce virus??

merci!

 

 

ComboFix 10-01-26.01 - Utilisateur 26/01/2010 18:58:04.1.2 - x86

Microsoft Windows XP Édition familiale 5.1.2600.3.1252.33.1036.18.1015.651 [GMT 1:00]

Lancé depuis: c:\documents and settings\Utilisateur\Mes documents\Téléchargements\ComboFix.exe

AV: avast! antivirus 4.8.1368 [VPS 100121-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

 

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\documents and settings\Utilisateur\Application Data\AntiVirus Plus

c:\documents and settings\Utilisateur\Application Data\AntiVirus Plus\AntiVirus Plus.70700.dll

c:\documents and settings\Utilisateur\Application Data\avp.ico

c:\documents and settings\Utilisateur\Application Data\Microsoft\Internet Explorer\Quick Launch\AntiVirus Plus.lnk

c:\documents and settings\Utilisateur\Application Data\SystemProc

c:\documents and settings\Utilisateur\Application Data\SystemProc\lsass.exe

c:\program files\Fast Browser Search

c:\program files\Fast Browser Search\IE\1.bat

c:\program files\Fast Browser Search\IE\about.html

c:\program files\Fast Browser Search\IE\affid.dat

c:\program files\Fast Browser Search\IE\basis.xml

c:\program files\Fast Browser Search\IE\basis_br.xml

c:\program files\Fast Browser Search\IE\basis_de.xml

c:\program files\Fast Browser Search\IE\basis_en.xml

c:\program files\Fast Browser Search\IE\basis_es.xml

c:\program files\Fast Browser Search\IE\basis_fr.xml

c:\program files\Fast Browser Search\IE\basis_it.xml

c:\program files\Fast Browser Search\IE\basis_nr.xml

c:\program files\Fast Browser Search\IE\basis_pt.xml

c:\program files\Fast Browser Search\IE\basis_ru.xml

c:\program files\Fast Browser Search\IE\basis_tr.xml

c:\program files\Fast Browser Search\IE\ClearRecycleBin.exe

c:\program files\Fast Browser Search\IE\error.html

c:\program files\Fast Browser Search\IE\FBSPlugin.dll

c:\program files\Fast Browser Search\IE\fbsProtection.xml

c:\program files\Fast Browser Search\IE\FbsSearchProvider.xml

c:\program files\Fast Browser Search\IE\FbsSearchProviderIE8.exe

c:\program files\Fast Browser Search\IE\FBStoolbar.dll

c:\program files\Fast Browser Search\IE\fbstoolbar.jar

c:\program files\Fast Browser Search\IE\fbstoolbar.manifest

c:\program files\Fast Browser Search\IE\icons.bmp

c:\program files\Fast Browser Search\IE\info.txt

c:\program files\Fast Browser Search\IE\local.xml

c:\program files\Fast Browser Search\IE\logobg.bmp

c:\program files\Fast Browser Search\IE\MTWBtoolbar.html

c:\program files\Fast Browser Search\IE\search.bmp

c:\program files\Fast Browser Search\IE\search_br.bmp

c:\program files\Fast Browser Search\IE\search_de.bmp

c:\program files\Fast Browser Search\IE\search_es.bmp

c:\program files\Fast Browser Search\IE\search_fr.bmp

c:\program files\Fast Browser Search\IE\search_it.bmp

c:\program files\Fast Browser Search\IE\search_pt.bmp

c:\program files\Fast Browser Search\IE\search_ru.bmp

c:\program files\Fast Browser Search\IE\SearchGuardPlus.exe

c:\program files\Fast Browser Search\IE\SearchGuardPlus.ico

c:\program files\Fast Browser Search\IE\SGPU.ico

c:\program files\Fast Browser Search\IE\sgpUpdater.exe

c:\program files\Fast Browser Search\IE\sgpUpdater.xml

c:\program files\Fast Browser Search\IE\SGPUpdaterS.exe

c:\program files\Fast Browser Search\IE\tbhelper.dll

c:\program files\Fast Browser Search\IE\tbs_include_script_003175.js

c:\program files\Fast Browser Search\IE\tbs_include_script_005064.js

c:\program files\Fast Browser Search\IE\tbs_include_script_012817.js

c:\program files\Fast Browser Search\IE\Toolbar Help.htm

c:\program files\Fast Browser Search\IE\uninstall.exe

c:\program files\Fast Browser Search\IE\uninstalSGP.exe

c:\program files\Fast Browser Search\IE\uninstalSGPU.exe

c:\program files\Fast Browser Search\IE\update.exe

c:\program files\Fast Browser Search\IE\version.txt

c:\program files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}

c:\program files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest

c:\program files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul

c:\program files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf

c:\program files\Search Guard Plus

c:\program files\Search Guard Plus\fbsProtection.xml

c:\program files\Search Guard Plus\fbsSearchProvider.xml

c:\program files\Search Guard Plus\FbsSearchProviderIE8.exe

c:\program files\Search Guard Plus\SearchGuardPlus.exe

c:\program files\Search Guard Plus\SearchGuardPlus.ico

c:\program files\Search Guard Plus\uninstalSGP.exe

c:\program files\Search Guard PlusU

c:\program files\Search Guard PlusU\SGPU.ico

c:\program files\Search Guard PlusU\sgpUpdater.exe

c:\program files\Search Guard PlusU\sgpUpdater.xml

c:\program files\Search Guard PlusU\sgpUpdaters.exe

c:\program files\Search Guard PlusU\uninstalSGPU.exe

c:\program files\SGPSA

c:\windows\msa.exe

c:\windows\system32\sshnas21.dll

c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job

c:\windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job

 

Une copie infectée de c:\windows\system32\DRIVERS\atapi.sys a été trouvée et désinfectée

Copie restaurée à partir de - Kitty ate it

.

((((((((((((((((((((((((((((((((((((((( Pilotes/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Legacy_SSHNAS

-------\Service_SSHNAS

 

 

((((((((((((((((((((((((((((( Fichiers créés du 2009-12-26 au 2010-01-26 ))))))))))))))))))))))))))))))))))))

.

 

2010-01-26 16:44 . 2010-01-26 16:44 -------- d-----w- c:\documents and settings\Utilisateur\Application Data\Malwarebytes

2010-01-26 16:44 . 2010-01-07 15:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-26 16:44 . 2010-01-26 16:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-01-26 16:44 . 2010-01-26 17:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-01-26 16:44 . 2010-01-07 15:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-01-26 16:10 . 2010-01-26 16:10 110592 ----a-w- C:\autoexec.exe

2010-01-21 20:36 . 2010-01-21 20:36 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2010-01-21 17:30 . 2010-01-21 17:30 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2010-01-21 17:28 . 2010-01-21 17:28 118256 ----a-w- c:\windows\system32\KE1WqC7a5_2.exe

2010-01-21 17:24 . 2010-01-21 17:24 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

 

.

(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-01-26 18:08 . 2009-04-09 03:48 -------- d-----w- c:\documents and settings\Utilisateur\Application Data\OpenOffice.org2

2010-01-02 08:25 . 2009-07-24 17:26 -------- d-----w- c:\documents and settings\Utilisateur\Application Data\U3

2009-12-26 12:03 . 2009-04-07 14:56 31672 ----a-w- c:\documents and settings\Utilisateur\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-12-26 05:41 . 2009-12-26 05:41 1187840 ----a-w- c:\windows\system32\eMaGn_5ba.dll

2009-12-13 09:20 . 2008-04-14 12:00 49054 ----a-w- c:\windows\system32\perfc00C.dat

2009-12-13 09:20 . 2008-04-14 12:00 368314 ----a-w- c:\windows\system32\perfh00C.dat

2009-11-28 15:33 . 2009-04-09 03:49 1 ----a-w- c:\documents and settings\Utilisateur\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys

2009-11-24 23:54 . 2009-04-07 14:53 1280480 ----a-w- c:\windows\system32\aswBoot.exe

2009-11-24 23:51 . 2009-04-07 14:54 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys

2009-11-24 23:50 . 2009-04-07 14:54 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2009-11-24 23:50 . 2009-04-07 14:54 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys

2009-11-24 23:50 . 2009-04-07 14:54 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2009-11-24 23:49 . 2009-04-07 14:54 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2009-11-24 23:48 . 2009-04-07 14:54 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2009-11-24 23:47 . 2009-04-07 14:54 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2009-11-24 23:47 . 2009-04-07 14:54 97480 ----a-w- c:\windows\system32\AvastSS.scr

2009-11-21 15:58 . 2008-04-14 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll

2009-10-29 07:42 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll

2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll

.

 

((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés

REGEDIT4

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]

2008-11-18 10:58 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{28ef3264-e096-bdac-a774-f997373bb81c}]

2009-12-26 05:41 1187840 ----a-w- c:\windows\system32\eMaGn_5ba.dll

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]

 

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]

[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

 

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]

 

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]

[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-08-08 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-08-08 166424]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-08-08 137752]

"RTHDCPL"="RTHDCPL.EXE" [2008-08-08 16875008]

"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2008-08-08 671744]

"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2007-09-28 75136]

"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 144784]

"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]

"{27E89A8E-9BAE-b852-9AA8-EF9A97BAB48E}"="c:\program files\Connection Manager\AvqAutoRun.exe" [2008-07-11 57344]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

 

c:\documents and settings\Invit‚\Menu D‚marrer\Programmes\D‚marrage\

OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-1-21 393216]

 

c:\documents and settings\Utilisateur\Menu D‚marrer\Programmes\D‚marrage\

AntiVirus Plus.lnk - c:\windows\system32\rundll32.exe [2008-4-14 33792]

OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-1-21 393216]

 

c:\documents and settings\All Users\Menu D‚marrer\Programmes\D‚marrage\

AntiVirus Plus.lnk - c:\windows\system32\rundll32.exe [2008-4-14 33792]

Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2008-3-14 2938184]

OSD.lnk - c:\windows\Installer\{73289228-1853-4623-982A-EB17FF0270CA}\_2ACF3AE2549EAFB90DD4A8.exe [2008-8-27 21630]

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

 

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [07/04/2009 15:54 114768]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [07/04/2009 15:54 20560]

R2 OsdService;OSD Service;c:\program files\OEM\OSD_1.41\OsdService.exe [22/02/2008 08:24 94208]

R3 GpdDevDPort;GpdDevDPort;c:\windows\system32\directport.sys [17/06/2008 20:27 7168]

R3 GpdKbFilter;GpdKbFilter;c:\windows\system32\kbfiltr.sys [22/04/2008 18:06 8192]

R3 ReallusionVirtualAudio;Reallusion Virtual Audio;c:\windows\system32\drivers\RLVrtAuCbl.sys [27/08/2008 13:03 31616]

R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [27/08/2008 11:32 153088]

.

.

------- Examen supplémentaire -------

.

uStart Page = hxxp://www.tattoodle.com?tid={3B546E76-361C-4eab-99FB-519B3B1B8586}

uInternet Connection Wizard,ShellNext = hxxp://www.reallusion.com/templates/linkcount/linkcount.asp?lid=CTECg&param=lang=6

IE: E&xporter vers Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Utilisateur\Application Data\Mozilla\Firefox\Profiles\v2961p5e.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=DEF&v=19&q=

FF - prefs.js: browser.search.selectedEngine - Fast Browser Search

FF - prefs.js: browser.startup.homepage - hxxp://www.tattoodle.com?tid={B27D9E27-ABB8-261E-51B1-89A208F4BBD2}

FF - prefs.js: keyword.URL - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=NAUS&v=19&tid={B27D9E27-ABB8-261E-51B1-89A208F4BBD2}&q=

FF - component: c:\program files\Mozilla Firefox\extensions\{05966e99-7da5-0905-7ff1-79b607166af8}\components\KL4t9-Ic_IB-YL.dll

.

- - - - ORPHELINS SUPPRIMES - - - -

 

BHO-{C2B5AAB8-2183-4be7-81A6-F11493C45872} - c:\documents and settings\Utilisateur\Application Data\AntiVirus Plus\AntiVirus Plus.70700.dll

HKLM-Run-SGPUpdater - c:\program files\Search Guard PlusU\sgpUpdaters.exe

HKLM-Run-FBSearch - c:\program files\Search Guard Plus\SearchGuardPlus.exe

HKLM-Explorer_Run-RTHDBPL - c:\documents and settings\Utilisateur\Application Data\SystemProc\lsass.exe

 

 

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-01-26 19:08

Windows 5.1.2600 Service Pack 3 NTFS

 

Recherche de processus cachés ...

 

Recherche d'éléments en démarrage automatique cachés ...

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SGPUpdater = c:\program files\Search Guard PlusU\sgpUpdaters.exe??o?????????????????????????????????????????????

FBSearch = c:\program files\Search Guard Plus\SearchGuardPlus.exe?????????????????????????????????????????????

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

RTHDBPL = c:\documents and settings\Utilisateur\Application Data\SystemProc\lsass.exe?????????????????????????????????????????????????????

 

Recherche de fichiers cachés ...

 

Scan terminé avec succès

Fichiers cachés: 0

 

**************************************************************************

.

--------------------- DLLs chargées dans les processus actifs ---------------------

 

- - - - - - - > 'explorer.exe'(1564)

c:\windows\system32\eappprxy.dll

c:\windows\system32\webcheck.dll

.

------------------------ Autres processus actifs ------------------------

.

c:\program files\Alwil Software\Avast4\aswUpdSv.exe

c:\program files\Alwil Software\Avast4\ashServ.exe

c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

c:\program files\Alwil Software\Avast4\ashMaiSv.exe

c:\program files\Alwil Software\Avast4\ashWebSv.exe

c:\windows\system32\igfxsrvc.exe

c:\windows\RTHDCPL.EXE

c:\program files\OpenOffice.org 2.4\program\soffice.exe

c:\program files\OpenOffice.org 2.4\program\soffice.BIN

c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe

c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe

c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Heure de fin: 2010-01-26 19:11:11 - La machine a redémarré

ComboFix-quarantined-files.txt 2010-01-26 18:11

 

Avant-CF: 151 316 226 048 octets libres

Après-CF: 152 066 035 712 octets libres

 

WindowsXP-KB310994-SP2-Home-BootDisk-FRA.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP dition familiale" /noexecute=optin /fastdetect

 

- - End Of File - - A3383D0859A3AA54706DA9C44ACB2E70

[wifi2]

Bonsoir,

 

je te conseille d'abandonner Avast pour Avg ou Avira...

 

es-tu bien à jour avec Windows ? (windowsupdate)

 

Mets à jour tes logiciels (OpenOffice existe en 3.1)....

 

N'installe plus les toolsbars

 

a+