virus BOO/sinowal.C

[yop666]

bonjour a tous, mon pc est infecté par le virus sinowal, j'ai tenté de lui faire sa fête mais il est plus fort que moi ...

c'est avira qui détecte le virus sur l'amorce du dd

xp ultimate edition 7, service pack 3

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:59:32, on 17/07/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.21045)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Fichiers communs\Native Instruments\Hardware\NIHardwareService.exe

C:\Program Files\CDBurnerXP\NMSAccessU.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Emsisoft Anti-Malware\a2service.exe

C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2guard.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Documents and Settings\Administrateur\Bureau\HiJackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN : Hotmail, Messenger, Actualité, Sport et Vidéo

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN : Hotmail, Messenger, Actualité, Sport et Vidéo

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens

R3 - URLSearchHook: DeviceVM Url Search Hook - {0063BF63-BFFF-4B8F-9D26-4267DF7F17DD} - C:\WINDOWS\system32\dvmurl.dll

O2 - BHO: Aide à la navigation SFR - {0F6E720A-1A6B-40E1-A294-1D4D19F156C8} - C:\Program Files\Neuf\Kit\SFRNavErrorHelper.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll

O4 - HKLM\..\Run: [Habu] D:\pilotes\souris\razerhid.exe

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe"

O4 - HKLM\..\Run: [startCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

O4 - HKLM\..\Run: [a-squared] "C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2guard.exe" /d=60

O4 - HKCU\..\Run: [steam] "D:\Jeux\steam\Steam.exe" -silent

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.fr/scan_fr/scan8/oscan8.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1239828768046

O16 - DPF: {DFB5BCF1-06AE-4ABB-BFA8-1E228F41C50A} (CamfrogWEB Advanced Unicode Control) - http://bobtv.fr/download/cfweb_www.bobtv.fr-download_instmodule.exe

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\SKYPE4~1.DLL

O23 - Service: Emsisoft Anti-Malware 5.0 - Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\Emsisoft Anti-Malware\a2service.exe

O23 - Service: Avira AntiVir Planificateur (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: CiSvc - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)

O23 - Service: GEST Service for program management. (GEST Service) - Unknown owner - C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: NIHardwareService - Native Instruments GmbH - C:\Program Files\Fichiers communs\Native Instruments\Hardware\NIHardwareService.exe

O23 - Service: NMSAccess - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: TomTomHOMEService - TomTom - D:\programmes\TomTom HOME 2\TomTomHOMEService.exe

 

--

End of file - 6114 bytes

[pear]

Bonjour,

 

Télécharger antiboot de Kaspersky

Décompresser le fichier zip sur le bureau(Clic droit->Extraire vers..)

Lancez antiboot.exe

Si le pc n'est pas infecté vous aurez cette image

 

Si vous avez ce messageRootkit has been detected!Would you like to cure? y/n

Cliquez y pour désinfecter.

L'outil procède à la désinfection

Cliquez y puis validez pourRedémarrer[/b]

[yop666]

merci de ta réponse,

 

j'ai déjà essayé le logiciel dont tu parles, le problème est qu'il reste bloqué sur " starting up drivers " et que rien ne se passe ...

le log de combofix si ça peux aider ...?

 

 

 

 

 

ComboFix 10-07-16.01 - Administrateur 17/07/2010 19:03:09.3.2 - x86

Microsoft Windows XP Professionnel 5.1.2600.3.1252.1.1036.18.3070.2368 [GMT 2:00]

Lancé depuis: c:\documents and settings\Administrateur\Bureau\ComboFix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

AV: Emsisoft Anti-Malware *On-access scanning disabled* (Updated) {0F8591BB-342B-4493-91C3-4E948ED21255}

.

 

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\windows\system32\w32tm.exe . . . est infecté!!

 

.

((((((((((((((((((((((((((((( Fichiers créés du 2010-06-17 au 2010-07-17 ))))))))))))))))))))))))))))))))))))

.

 

2010-07-17 15:31 . 2010-07-17 15:35 5120 ----a-w- c:\windows\system32\drivers\fixmebroot.sys

2010-07-17 08:39 . 2010-07-17 08:54 -------- d-----w- c:\program files\Emsisoft Anti-Malware

2010-07-17 08:21 . 2010-07-17 08:21 -------- d-----r- c:\documents and settings\LocalService\Favoris

2010-07-16 23:34 . 2010-07-16 23:34 -------- d-----w- c:\documents and settings\Administrateur\Application Data\Malwarebytes

2010-07-16 18:19 . 2010-07-16 18:19 -------- d-----w- c:\windows\system32\xircom

2010-07-16 18:19 . 2010-07-16 18:19 -------- d-----w- c:\windows\system32\wbem\snmp

2010-07-16 18:19 . 2010-07-16 18:19 -------- d-----w- c:\windows\system32\oobe

2010-07-16 18:19 . 2010-07-16 18:19 -------- d-----w- c:\windows\system32\npp

2010-07-16 18:19 . 2010-07-16 18:19 -------- d-----w- c:\windows\msagent

2010-07-16 18:19 . 2010-07-16 18:19 -------- d-----w- c:\program files\microsoft frontpage

2010-07-16 17:29 . 2010-07-16 17:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Downloaded Installations

2010-07-16 17:26 . 2010-07-17 08:05 12552 ----a-w- c:\windows\system32\drivers\hddirect.sys

2010-07-16 17:23 . 2010-07-16 17:24 -------- d-----w- c:\program files\Ad-Remover

2010-07-16 10:15 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-07-16 10:14 . 2010-07-16 10:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-07-16 10:13 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-07-16 10:13 . 2010-07-16 10:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-07-15 20:13 . 2010-07-15 20:13 531 ----a-w- c:\windows\eReg.dat

2010-07-13 09:48 . 2009-05-20 10:26 4969808 ----a-w- c:\documents and settings\Administrateur\Application Data\TomTom\HOME\Profiles\g4cbiv7s.default\extensions\Navcore.8.351.9982@tomtom.com\8-351-9982-1.dll

 

.

(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-07-17 17:00 . 2009-04-15 20:55 16608 ----a-w- c:\windows\gdrv.sys

2010-07-17 15:36 . 2009-04-15 20:21 -------- d-----w- c:\program files\Mozilla Thunderbird

2010-07-16 23:29 . 2010-06-12 23:41 -------- d-----w- c:\documents and settings\Administrateur\Application Data\vlc

2010-07-15 22:05 . 2010-03-08 10:56 -------- d-----w- c:\program files\Nexilogic

2010-07-15 20:02 . 2009-04-15 20:43 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-07-10 10:36 . 2009-04-19 08:20 -------- d-----w- c:\documents and settings\Administrateur\Application Data\dvdcss

2010-06-14 18:48 . 2009-11-14 12:19 -------- d-----w- c:\documents and settings\Administrateur\Application Data\VSO

2010-06-12 10:40 . 2009-10-12 21:47 -------- d-----w- c:\documents and settings\All Users\Application Data\TrackMania

2010-06-10 22:10 . 2010-01-03 13:56 -------- d-----w- c:\program files\ATI

2010-06-04 16:36 . 2010-06-04 16:36 503808 ----a-w- c:\documents and settings\Administrateur\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4d86c4e4-n\msvcp71.dll

2010-06-04 16:36 . 2010-06-04 16:36 499712 ----a-w- c:\documents and settings\Administrateur\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4d86c4e4-n\jmc.dll

2010-06-04 16:36 . 2010-06-04 16:36 348160 ----a-w- c:\documents and settings\Administrateur\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4d86c4e4-n\msvcr71.dll

2010-06-04 16:36 . 2010-06-04 16:36 61440 ----a-w- c:\documents and settings\Administrateur\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-12b1e8da-n\decora-sse.dll

2010-06-04 16:36 . 2010-06-04 16:36 12800 ----a-w- c:\documents and settings\Administrateur\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-12b1e8da-n\decora-d3d.dll

2010-06-02 05:45 . 2009-04-16 22:42 -------- d-----w- c:\documents and settings\Administrateur\Application Data\uTorrent

2010-05-19 21:16 . 2010-05-19 21:16 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI

2010-05-19 20:22 . 2009-04-15 22:22 -------- d-----w- c:\program files\ATI Technologies

2010-05-19 20:02 . 2010-05-19 20:02 503808 ----a-w- c:\documents and settings\Administrateur\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1c6fd40f-n\msvcp71.dll

2010-05-19 20:02 . 2010-05-19 20:02 499712 ----a-w- c:\documents and settings\Administrateur\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1c6fd40f-n\jmc.dll

2010-05-19 20:02 . 2010-05-19 20:02 348160 ----a-w- c:\documents and settings\Administrateur\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-1c6fd40f-n\msvcr71.dll

2010-05-19 20:02 . 2010-05-19 20:02 61440 ----a-w- c:\documents and settings\Administrateur\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-19987497-n\decora-sse.dll

2010-05-19 20:02 . 2010-05-19 20:02 12800 ----a-w- c:\documents and settings\Administrateur\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-19987497-n\decora-d3d.dll

2010-05-19 20:02 . 2010-05-19 20:02 -------- d-----w- c:\program files\Fichiers communs\Java

2010-05-19 20:02 . 2009-05-20 18:53 -------- d-----w- c:\program files\Java

2010-05-19 15:36 . 2009-05-20 18:59 1 ----a-w- c:\documents and settings\Administrateur\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys

.

 

------- Sigcheck -------

 

 

[-] 2008-05-02 . 22F702A6DCBDB4F7282C4B73B95EE4E4 . 2011136 . . [6.00.2900.5512] . . c:\windows\explorer.exe

 

[-] 2008-05-02 . A9658459BB4F4EE00FA117C9382C0D3A . 1571840 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll

 

 

c:\windows\System32\drivers\beep.sys ... manque !!

c:\windows\System32\regsvc.dll ... manque !!

.

((((((((((((((((((((((((((((( SnapShot@2010-07-16_18.19.25 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-07-17 17:00 . 2010-07-17 17:00 16384 c:\windows\Temp\Perflib_Perfdata_4a8.dat

+ 2010-07-17 17:00 . 2010-07-17 17:00 16384 c:\windows\Temp\Perflib_Perfdata_468.dat

.

((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés

REGEDIT4

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0F6E720A-1A6B-40E1-A294-1D4D19F156C8}]

2009-10-15 08:53 165184 ----a-w- c:\program files\Neuf\Kit\SFRNavErrorHelper.dll

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Steam"="d:\jeux\steam\Steam.exe" [2010-07-15 1238352]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Habu"="d:\pilotes\souris\razerhid.exe" [2007-05-11 176128]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]

"RTHDCPL"="RTHDCPL.EXE" [2008-06-27 16875008]

"AlcWzrd"="ALCWZRD.EXE" [2008-06-19 2808832]

"SunJavaUpdateSched"="c:\program files\Fichiers communs\Java\Java Update\jusched.exe" [2010-02-18 248040]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-04-06 102400]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"nltide_2"="shell32" [X]

"nltide_3"="advpack.dll" [2009-04-29 124928]

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSMHelp"= 1 (0x1)

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HDDirect.sys]

@="Driver"

 

[HKLM\~\startupfolder\C:^Documents and Settings^Administrateur^Menu Démarrer^Programmes^Démarrage^Kremlin Sentry.LNK]

path=c:\documents and settings\Administrateur\Menu Démarrer\Programmes\Démarrage\Kremlin Sentry.LNK

backup=c:\windows\pss\Kremlin Sentry.LNKStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GEST]

= [X]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2009-11-10 22:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

2009-10-09 12:11 25623336 ----a-r- c:\program files\Skype\Phone\Skype.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]

2010-06-24 14:41 247144 ----a-w- d:\programmes\TomTom HOME 2\TomTomHOMERunner.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"TomTomHOME.exe"="d:\programmes\TomTom HOME 2\TomTomHOMERunner.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

"a-squared"="c:\program files\EMSISOFT ANTI-MALWARE\a2guard.exe" /d=60

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"FirewallOverride"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"d:\\programmes\\utorrent\\uTorrent.exe"=

"d:\\Jeux\\Counter-Strike Source\\hl2.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

"d:\\iso\\Left 4 Dead\\left4dead.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"d:\\Jeux\\COD4\\iw3mp.exe"=

"g:\\JEUX\\TmNationsForever\\TmForever.exe"=

"d:\\Jeux\\TmNationsForever\\TmForever.exe"=

"d:\\Jeux\\FarCry2\\Far Cry 2\\bin\\FarCry2.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

"d:\\Jeux\\crisiss\\Bin32\\CrysisDedicatedServer.exe"=

"d:\\Jeux\\aarmy\\Binaries\\AA3Game.exe"=

"d:\\Jeux\\masseffect2\\Mass Effect 2\\Binaries\\MassEffect2.exe"=

"d:\\Jeux\\masseffect2\\Mass Effect 2\\MassEffect2Launcher.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"g:\\programmes\\eMule\\emule.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"d:\\Jeux\\steam\\Steam.exe"=

"d:\\Jeux\\steam\\SteamApps\\lovboost\\team fortress 2\\hl2.exe"=

 

R0 Si3124;Si3124;c:\windows\system32\drivers\si3124.sys [03/05/2008 00:57 76208]

R0 Si3531;Si3531;c:\windows\system32\drivers\Si3531.sys [03/05/2008 00:57 210224]

R1 a2injectiondriver;a2injectiondriver;c:\program files\Emsisoft Anti-Malware\a2dix86.sys [17/07/2010 10:39 39576]

R1 a2util;a-squared Malware-IDS utility driver;c:\program files\Emsisoft Anti-Malware\a2util32.sys [17/07/2010 10:39 11776]

R2 a2AntiMalware;Emsisoft Anti-Malware 5.0 - Service;c:\program files\Emsisoft Anti-Malware\a2service.exe [17/07/2010 10:39 1935120]

R2 AntiVirSchedulerService;Avira AntiVir Planificateur;c:\program files\Avira\AntiVir Desktop\sched.exe [16/01/2010 00:59 108289]

R2 GEST Service;GEST Service for program management.;c:\program files\GIGABYTE\EnergySaver\GSvr.exe [15/04/2009 23:51 80392]

R2 NIHardwareService;NIHardwareService;c:\program files\Fichiers communs\Native Instruments\Hardware\NIHardwareService.exe [17/07/2009 15:32 3576320]

R2 TomTomHOMEService;TomTomHOMEService;d:\programmes\TomTom HOME 2\TomTomHOMEService.exe [24/06/2010 16:41 92008]

R3 a2acc;a2acc;c:\program files\Emsisoft Anti-Malware\a2accx86.sys [17/07/2010 10:39 71008]

S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]

S3 HDDirect;Hard Disk Direct Control;c:\windows\system32\drivers\hddirect.sys [16/07/2010 19:26 12552]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [16/04/2009 20:58 721904]

.

.

------- Examen supplémentaire -------

.

uStart Page = hxxp://google.fr/

DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://www.bitdefender.fr/scan_fr/scan8/oscan8.cab

DPF: {DFB5BCF1-06AE-4ABB-BFA8-1E228F41C50A} - hxxp://bobtv.fr/download/cfweb_www.bobtv.fr-download_instmodule.exe

FF - ProfilePath - c:\documents and settings\Administrateur\Application Data\Mozilla\Firefox\Profiles\nf4ylack.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2438543&SearchSource=3&q={searchTerms}

FF - prefs.js: browser.search.selectedEngine - vsosoftware Customized Web Search

FF - prefs.js: browser.startup.homepage - hxxp://www.google.fr/

FF - prefs.js: keyword.URL - hxxp://redirecterror.sfr.fr/?q=

FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll

FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

 

---- PARAMETRES FIREFOX ----

FF - user.js: keyword.URL - hxxp://redirecterror.sfr.fr/?q=

FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

- - - - ORPHELINS SUPPRIMES - - - -

 

Toolbar-ITBar7Layout - (no file)

Toolbar-ITBar7Position - (no file)

 

 

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover

Rootkit scan 2010-07-17 19:05

Windows 5.1.2600 Service Pack 3 NTFS

 

Recherche de processus cachés ...

 

Recherche d'éléments en démarrage automatique cachés ...

 

Recherche de fichiers cachés ...

 

Scan terminé avec succès

Fichiers cachés: 0

 

**************************************************************************

.

--------------------- CLES DE REGISTRE BLOQUEES ---------------------

 

[HKEY_USERS\S-1-5-21-507921405-1844823847-682003330-500\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{1B265B37-2985-C5D5-EECC-E311E9E2591D}*]

"nabmbafhhajmclgcdhpjnahillkl"=hex:6a,61,67,63,70,69,6a,64,6d,6d,6d,70,64,63,

67,64,6f,6a,6f,6f,00,21

"gbpfnafnehjmpblklahmalcnfmcglliaicmhjmejgjocco"=hex:61,61,00,00

"bbjfeehdhhlbeahlnaojhfimbnmkglidbjoh"=hex:61,61,00,00

"oahlfcpcldpnndjdeaobalfhahaccb"=hex:6a,61,67,63,70,69,6a,64,6d,6d,6d,70,64,63,

67,64,6f,6a,6f,6f,00,21

 

[HKEY_USERS\S-1-5-21-507921405-1844823847-682003330-500\Software\SecuROM\License information*]

"datasecu"=hex:b6,44,df,23,7e,73,dc,a8,4e,bb,82,fc,8e,f9,2b,b1,c1,37,85,fe,8a,

d8,05,16,7b,44,86,20,cb,da,26,e4,1d,0f,8a,fc,18,01,b6,04,4f,5a,b8,a3,4c,15,\

"rkeysecu"=hex:1d,a8,52,9e,4c,40,5c,4e,14,a1,4b,8e,74,61,ae,ba

.

--------------------- DLLs chargées dans les processus actifs ---------------------

 

- - - - - - - > 'winlogon.exe'(992)

c:\windows\system32\SETUPAPI.dll

c:\windows\system32\Ati2evxx.dll

c:\windows\system32\atiadlxx.dll

c:\windows\system32\COMRes.dll

 

- - - - - - - > 'lsass.exe'(1064)

c:\windows\system32\setupapi.dll

 

- - - - - - - > 'explorer.exe'(2824)

c:\windows\system32\SHDOCVW.dll

c:\program files\Emsisoft Anti-Malware\a2hooks32.dll

c:\windows\system32\COMRes.dll

c:\windows\system32\msi.dll

c:\windows\system32\wpdshserviceobj.dll

c:\windows\system32\portabledevicetypes.dll

c:\windows\system32\portabledeviceapi.dll

c:\windows\system32\SETUPAPI.dll

c:\windows\system32\NETSHELL.dll

c:\windows\system32\credui.dll

c:\windows\system32\eappprxy.dll

c:\windows\system32\WS2_32.dll

c:\windows\system32\WS2HELP.dll

.

Heure de fin: 2010-07-17 19:07:02

ComboFix-quarantined-files.txt 2010-07-17 17:06

ComboFix2.txt 2010-07-17 08:17

ComboFix3.txt 2010-07-16 18:22

 

Avant-CF: 46 755 999 744 octets libres

Après-CF: 46 747 430 912 octets libres

 

- - End Of File - - 7094A16BC9A72C88608029C07D091699

[pear]

Bonsoir,

 

le log de combofix si ça peux aider ...?

 

Si vous recommencez de telles initatives, je vous souhaiterez "bonne chance", mais m'arrêterez là, parce qu'à partir du moment où vous demandez de l'aide, vous devez suivre les procédures que l'on vous propose , et sans interférences qui pourraient être nuisibles.

Ce n'est pas le cas ici, heureusement.

Avant de continuer, je souhaite votre accord sur cette façon de procéder.

[yop666]

Bonsoir,

Avant de continuer, je souhaite votre accord sur cette façon de procéder.

 

 

bonsoir pear,

 

oui bien sur, je viens ici pour trouver de l'aide !!!

 

2 choses, d'abord, a la vue du virus, je suis allé faire un tour sur le net, et donc j'ai tenté d'abord " par moi même " d'éradiquer le virus ...

d'où les deux log ...

 

deuxième chose, antiboot a "peut être " fonctionné : la fenêtre ne comporte pas autant de mots que sur tes captures, mais il m'a dit qu'il n'y avait pas de virus, appuyer sur une touche pour continuer

 

je fais un test avec antivir qui me confirme toujours l'infection .

 

cordialement.

[pear]

Bonsoir,

Ok!

 

On commence comme ainsi:

 

Téléchargez haxfix.exe.

Enregistrez-le sur votre bureau.

Fermez toutes les fenêtres et tous les programmes ouverts.

Doublez-cliquez sur haxfix.exe pour lancer le programme.

Une fenêtre dos rouge va alors s'ouvrir avec le menu suivant

1. Make logfile

E. Exit Haxfix

 

Option 1: Make logfile.

Choisissez l'option 1: Créez un log en appuyant sur 1/

Cela peut parfois durer longtemps.

Lors de l'utilisation de l'option 1 (création du log),

en cours de balayage, il y a ouverture puis fermeture d'une fenêtre à fond noir "catchme"

Ne fermez pas cette fenêtre.

lorsque le balayage sera terminé, utiliser l'option E (Exit) pour fermer HaxFix.

Un rapport s'ouvre (haxlog.txt)s'ouvrira qui montre tout ce qui peut révéler la présence d'une variante de Haxdoor.

[yop666]

voici le rapport :

 

HAXFIX logfile - by Marckie

 

version 5.094

18/07/2010 0:49:05,50

 

--- INFORMATION ---

 

Manufacturer: Gigabyte Technology Co., Ltd. - Model: EP45-DS4

Operating System: Microsoft Windows XP Professionnel -- 5.1.2600 -- Service Pack 3 --

Processor: Processeur Intel Pentium III Xeon

Number of Processors: 2

Work Station

Bootmode: Normal boot

Total RAM: 3070 MB (free 2194 MB - 71%)

 

Computername: D5A4D33EC15C499

Domain: WORKGROUP

User: Administrateur (Administrator account)

 

Bootdevice: \Device\HarddiskVolume3

Systemdrive: C:

Windowsdirectory: C:\WINDOWS

Systemdirectory: C:\WINDOWS\system32

 

Internet Explorer Version: 7.0.5730.13

 

Antivirus Program: AntiVir Desktop 9.0.1.32 [Not Enabled - Updated]

Antivirus Program: Emsisoft Anti-Malware 5 [Not Enabled - Updated]

 

 

--- Checking for Haxdoor ---

 

checking for a3d files

a3d files not found

 

checking for matching notify keys

matching notify keys found

AtiE

 

checking for matching services

matching services found

Si3132

Si3124

 

checking for matching safeboot services

no matching safeboot services found

 

 

--- Checking for Goldun - Spybanker ---

 

checking for SSODL keys

no ssodl keys found

 

checking for notify keys

no notify keys found

 

checking for services

no services found

 

checking for random used files and services

-- these files are not necessarily malicious

-- scanning all folders

C:\Documents and Settings\All Users\Application Data\Skype\Plugins\Plugins\F57B48ADF2224F088EDD1A2B9BAD84E8\Local Cache\164368FE9051439A8E8FB3FE5730FC7C_icon48.png

C:\Documents and Settings\All Users\Application Data\TrackMania\Cache\00879DF6B28A9273468529A834F86D3F_Skins%5cAvatars%5cimages.dds

C:\Documents and Settings\All Users\Application Data\TrackMania\Cache\22A5B93799022D20208EE86371CFEB95_Skins%5cAvatars%5cjb-kfz%5cFerrari.dds

C:\Documents and Settings\All Users\Application Data\TrackMania\Cache\320F19B5536C9D35830C55203F47C982_Skins%5cAvatars%5cmoi.dds

C:\Documents and Settings\All Users\Application Data\TrackMania\Cache\5E3657C5FDE2C2739562606576F30006_Skins%5cAvatars%5c8134.dds

C:\Documents and Settings\All Users\Application Data\TrackMania\Cache\6B0733413C070C6068CB6D81BA20664A_Skins%5cAvatars%5cSmileys%5cSmiley12.dds

C:\Documents and Settings\All Users\Application Data\TrackMania\Cache\78F644C1F8FF66F174B12E83AD85C118_Skins%5cAvatars%5cFlags%5cROM.dds

C:\Documents and Settings\All Users\Application Data\TrackMania\Cache\B8F059323A3289C9A8148E7A345A99F9_Skins%5cAvatars%5cSmileys%5cSmiley07.dds

C:\Documents and Settings\All Users\Application Data\TrackMania\Cache\CB88463A323B9EF48A3E2AB89830B153_Skins%5cAvatars%5cSmileys%5cSmiley09.dds

C:\Documents and Settings\All Users\Application Data\TrackMania\Cache\D67CB09BC0064450FD1153090D1D0B05_Skins%5cAvatars%5cSmileys%5cSmiley04.dds

C:\Documents and Settings\All Users\Application Data\TrackMania\Cache\F289AAAD484FA1D49B0F147ECAE10296_Skins%5cAvatars%5csl-ava.dds

C:\Program Files\Paint.NET\UpdateMonitor.exe

C:\Program Files\Windows Media Connect 2\wmccds.exe

C:\Program Files\Windows Media Connect 2\wmccfg.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Implementation\CLI.Caste.Graphics.Runtime.Shared.Private.dll

C:\Program Files\ATI Technologies\ATI.ACE\HydraVision-Full\CLI.Caste.HydraVision.Shared.dll

C:\Program Files\DAEMON Tools Toolbar\Resources\Weather_m43.bmp

C:\Program Files\Defraggler\Lang\lang-1028.dll

C:\Program Files\Malwarebytes' Anti-Malware\Languages\polish.lng

C:\Program Files\Occtpt\Plugins\SysTool.dll

C:\Program Files\OpenOffice.org 3\program\crashrep.com

C:\Program Files\OpenOffice.org 3\program\unopkg.com

C:\Program Files\OpenOffice.org 3\Basis\program\onlinecheck.dll

C:\Program Files\OpenOffice.org 3\Basis\program\python-core-2.6.1\lib\popen2.py

C:\Program Files\OpenOffice.org 3\Basis\share\template\fr\wizard\report\cnt-05.ott

C:\Program Files\QuickTime\QTSystem\QuickTime3GPP.Resources\da.lproj\QuickTime3GPPLocalized.qtr

C:\Program Files\QuickTime\QTSystem\QuickTime3GPP.Resources\de.lproj\QuickTime3GPPLocalized.qtr

C:\Program Files\QuickTime\QTSystem\QuickTime3GPP.Resources\en.lproj\QuickTime3GPPLocalized.qtr

C:\Program Files\QuickTime\QTSystem\QuickTime3GPP.Resources\fi.lproj\QuickTime3GPPLocalized.qtr

C:\Program Files\QuickTime\QTSystem\QuickTime3GPP.Resources\ko.lproj\QuickTime3GPPLocalized.qtr

C:\Program Files\QuickTime\QTSystem\QuickTime3GPP.Resources\nb.lproj\QuickTime3GPPLocalized.qtr

C:\Program Files\QuickTime\QTSystem\QuickTime3GPP.Resources\pl.lproj\QuickTime3GPPLocalized.qtr

C:\Program Files\QuickTime\QTSystem\QuickTime3GPP.Resources\ru.lproj\QuickTime3GPPLocalized.qtr

C:\Program Files\QuickTime\QTSystem\QuickTime3GPP.Resources\sv.lproj\QuickTime3GPPLocalized.qtr

C:\Program Files\QuickTime\QTSystem\QuickTime3GPP.Resources\zh_CN.lproj\QuickTime3GPPLocalized.qtr

C:\Program Files\QuickTime\QTSystem\QuickTime3GPP.Resources\zh_TW.lproj\QuickTime3GPPLocalized.qtr

C:\Program Files\Real\RealPlayer\rpchromebrowserrecordhelper.dll

C:\WINDOWS\Fonts\modern.fon

C:\WINDOWS\inf\netepvcm.PNF

C:\WINDOWS\system32\tsbyuv.dll

C:\WINDOWS\$hf_mig$\KB977914\SP3QFE\tsbyuv.dll

C:\WINDOWS\assembly\GAC_MSIL\CLI.Caste.Graphics.Runtime.Shared.Private\2.0.3748.36849__90ba9c70f846762e\CLI.Caste.Graphics.Runtime.Shared.Private.DLL

C:\WINDOWS\assembly\GAC_MSIL\CLI.Caste.HydraVision.Shared\2.0.3748.36943__90ba9c70f846762e\CLI.Caste.HydraVision.Shared.DLL

C:\WINDOWS\Driver Cache\i386\tsbyuv.dll

C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\fr\aspnet_compiler.resources.dll

C:\WINDOWS\system32\dllcache\tsbyuv.dll

C:\WINDOWS\system32\fr-fr\icardie.dll.mui

no matching random used services found

 

checking for browser helper objects

no known browser helper objects found

 

checking for appinit files

no files found

 

checking for possible infected files

please submit these file here: Bleeping Computer - Computer Help and Discussion

no files found

 

checking for Active Setup Installed Components

no known Active Setup Installed Components found

 

checking iexplore.exe

iexplore.exe is not infected

 

 

--- Checking for other Goldun, Spybanker and Haxdoor files ---

no other Haxdoor or Goldun files found

 

 

--- Catchme logfile - thank you Gmer ---

 

catchme 0.3.1398.3 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover

Rootkit scan 2010-07-18 02:01:28

Windows 5.1.2600 Service Pack 3 NTFS

 

scanning hidden processes ...

 

scanning hidden services & system hive ...

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC]

"p0"="C:\Program Files\DAEMON Tools Lite\"

"h0"=dword:00000001

"hdf12"=hex:ed,9e,ef,93,cf,c4,d0,8b,66,e9,7b,82,62,5b,58,99,46,a3,e2,03,52,..

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001]

"a0"=hex:20,01,00,00,42,db,4a,d0,3d,ca,f0,48,5e,44,ce,c0,62,35,c3,3d,f4,..

"hdf12"=hex:7a,ef,6f,84,da,0f,72,2a,82,14,06,18,74,2d,95,72,52,51,72,a2,64,..

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0]

"hdf12"=hex:f9,7c,78,c7,8e,0f,0b,a3,85,c6,48,3b,e6,76,30,d9,03,e8,34,e0,e0,..

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1]

"hdf12"=hex:32,5a,3c,99,26,db,75,ee,1e,76,a8,e7,86,5d,24,d7,e5,c0,9d,ca,f5,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]

"h0"=dword:00000000

"khjeh"=hex:39,5a,d7,a2,bf,3b,a6,69,7f,be,ec,62,72,bc,e6,ed,cc,9d,20,08,40,..

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]

"khjeh"=hex:5e,09,7a,3e,20,af,16,dd,b9,63,c9,bd,58,4b,56,0b,2d,df,db,85,1c,..

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]

"khjeh"=hex:58,f0,43,ca,6d,2a,b3,07,f3,f0,07,3f,95,5f,70,27,bc,a7,65,6a,d7,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC]

"p0"="C:\Program Files\DAEMON Tools Lite\"

"h0"=dword:00000001

"hdf12"=hex:ed,9e,ef,93,cf,c4,d0,8b,66,e9,7b,82,62,5b,58,99,46,a3,e2,03,52,..

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001]

"a0"=hex:20,01,00,00,42,db,4a,d0,3d,ca,f0,48,5e,44,ce,c0,62,35,c3,3d,f4,..

"hdf12"=hex:7a,ef,6f,84,da,0f,72,2a,82,14,06,18,74,2d,95,72,52,51,72,a2,64,..

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0]

"hdf12"=hex:f9,7c,78,c7,8e,0f,0b,a3,85,c6,48,3b,e6,76,30,d9,03,e8,34,e0,e0,..

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1]

"hdf12"=hex:32,5a,3c,99,26,db,75,ee,1e,76,a8,e7,86,5d,24,d7,e5,c0,9d,ca,f5,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]

"h0"=dword:00000000

"khjeh"=hex:39,5a,d7,a2,bf,3b,a6,69,7f,be,ec,62,72,bc,e6,ed,cc,9d,20,08,40,..

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]

"khjeh"=hex:5e,09,7a,3e,20,af,16,dd,b9,63,c9,bd,58,4b,56,0b,2d,df,db,85,1c,..

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]

"khjeh"=hex:58,f0,43,ca,6d,2a,b3,07,f3,f0,07,3f,95,5f,70,27,bc,a7,65,6a,d7,..

 

scanning hidden registry entries ...

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{1B265B37-2985-C5D5-EECC-E311E9E2591D}]

"nabmbafhhajmclgcdhpjnahillkl"=hex:6a,61,67,63,70,69,6a,64,6d,6d,6d,70,64,63,67,64,6f,6a,6f,6f,00,..

"gbpfnafnehjmpblklahmalcnfmcglliaicmhjmejgjocco"=hex:61,61,00,00

"bbjfeehdhhlbeahlnaojhfimbnmkglidbjoh"=hex:61,61,00,00

"oahlfcpcldpnndjdeaobalfhahaccb"=hex:6a,61,67,63,70,69,6a,64,6d,6d,6d,70,64,63,67,64,6f,6a,6f,6f,00,..

 

scanning hidden files ...

 

scan completed successfully

hidden processes: 0

hidden services: 0

hidden files: 0

 

 

--- Analysing Catchme logfile ---

 

no matching regkeys found

 

 

Finished!

[pear]

Bonjour,

 

2)Haxfix_Nettoyage

Relancer Haxfix à nouveau en cliquant sur son icône.

Vous obtenez un menu avec les options suivantes:

1. Make logfile

2. Run auto fix

3. Run manual fix

4. Run unknown fix

E. Exit Haxfix

 

Choisissez l'option 2

 

Option 2: effectue un fix en mode automatique.

Fermez toutes les fenêtres et toutes les programmes ouverts, l'ordinateur va redémarrer durant la suppression.

Appuyez sur "2" puis sur "Entrée" pour démarrer le "Run auto fix".

Suivez les instructions à l' écran.

L'ordinateur va alors redémarrer

Lorsque Haxfix aura fini, un rapport va s'ouvrir (c:\haxfix.txt)

[yop666]

bonjour pear,

 

quand je lande l'option 2 , il cherche mais ne redémarre pas l'ordinateur

avira détecte toujours le virus

 

 

voila le log :

 

HAXFIX logfile - by Marckie

 

version 5.094

18/07/2010 15:15:36,60

 

--- Auto Haxdoorfix ---

 

 

Haxdoorfix Part 1

 

matching notifykey found: AtiExt

 

searching for matching services

services not found, haxdoorkey AtiE not added to delete

 

no infections found

 

 

Haxdoorfix Part 2

 

searching for notifykeys

no notifykeys found

 

searching for services

no services found

 

searching for safeboot services

no safeboot services found

 

 

--- Goldun- and SpyBankerfix ---

 

 

searching for other goldun- spybanker- and haxdoorfiles:

no other Haxdoor or Goldun files found

 

checking iexplore.exe

iexplore.exe is not infected

 

searching for SSODLkeys

no SSODLkeys found

 

searching for browser helper objects

no known browser helper objects found

 

searching for appinit files

 

checking for Active Setup Installed Components

no known Active Setup Installed Components found

 

searching for notifykeys

no notify keys found

 

searching for services

no services found

 

 

Finished

[pear]

Alors Antiboot et Haxfix ne voient rien!

 

Certains émulateurs de CD/DVD peuvent hooker le pilote atapi de façon légitime comme Alcohol xx%,CDSpace,Circle Virtual CD,CloneCD,Daemon Tools,Virtual CloneDrive,Virtual CD,VirtualDrive,

WinCDEmu,et empêchent cet affichage.

Télécharger DeFogger de Jpshortstuff sur le bureau.

 

Double cliquer sur DeFogger pour démarrer l'outil.

 

La fenêtre de DeFogger apparaît

Cliquer sur le bouton Disable pour désactiver les drivers d'émulateurs CD.

Cliquer sur Yes pour continuer

Un message 'Finished!' apparaîtra

Cliquer sur OK

DeFogger demandera de redémarrer la machine, OK

 

Ne réactivez PAS ces drivers avant la fin de la désinfection

 

Téléchargez sur le bureau

MBR Rootkit Detector 0.2.4 by gmer

Désactiver provisoirement les programmes de protection (antivirus, firewall,anti-spyware...)

Vous les réactiverez après la désinfection terminée.

Clic sur l'onglet "rootkit"

Clic sur Scan

- Un rapport sera généré -> mbr.log.

En Copier/coller le résultat dans la réponse .

En cas d'infection,vous devriez voir un rapport de ce genre:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, GMER - Rootkit Detector and Remover

device: opened successfully

user: MBR read successfully

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\ACPI -> 0x858e41c0

\Driver\atapi -> 0x89bf0410

NDIS: GlobeTrotter HSxPA - Network Interface #2 -> SendCompleteHandler -> 0x8591de70

Warning: possible MBR rootkit infection !

copy of MBR has been found in sector 0x01749DDC1

malicious code @ sector 0x01749DDC4 !

PE file found in sector at 0x01749DDDA !

MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

Dans Démarrer-> Exécuter

Copiez/Collez :

"%userprofile%\Bureau\mbr" -f

Guillemets indispensables

Dans le mbr.log cette ligne apparaitra "original MBR restored successfully !"

 

si votre machine est saine,

Mbr.log vous dit:

Stealth MBR rootkit detector 0.2.4 by Gmer, GMER - Rootkit Detector and Remover

device: opened successfully

user: MBR read successfully

kernel: MBR read successfully

user & kernel MBR OK

 

 

 

Question subsidiare, en cas de nouvel échec:

Avez vous le cd de Windows afin de démarrer en Console de Récupération?