The discussion « Christmas presents: Smitfraud-C RESOLVED !!!!!!!!!! » is in the forum « Viruses, trojans, etc... » (status: resolved)

Christmas presents: Smitfraud-C RESOLVED !!!!!!!!!!


On 3-01-2007 at 21:50

Re,

  • Download combofix.exe (by sUBs) to your Desktop
  • Double-click combofix.exe.
  • Press the Y (Yes) key to start the scan.
  • When the scan is complete, a report will appear. Copy/paste that report in your next reply.


NOTE: The report can also be found here: C:\Combofix.txt

On 3-01-2007 at 22:18

And here's the result:

ComboFix 06.11.27 - Running from: "C:\Documents and Settings\Nicola\Bureau"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\wintsvsu.exe
C:\Program Files\Deskbar
C:\Program Files\Fichiers communs\{30610385-0576-1036-0522-030416200021}
C:\Program Files\Fichiers communs\{80610385-0257-1036-0522-030416200021}
C:\Program Files\Fichiers communs\{80610385-0576-1036-0522-030416200021}

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\Nicola\Mes documents\CURITY~1


((((((((((((((((((((((((((((((( Files Created from 2006-12-03 to 2007-01-03 ))))))))))))))))))))))))))))))))))


2007-01-03 20:47 <REP> d-------- C:\VundoFix Backups
2007-01-03 19:36 36,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-01-03 19:36 24,560 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-01-03 19:36 16,352 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-01-03 19:35 90,112 --a------ C:\WINDOWS\system32\AVASTSS.scr
2007-01-03 19:35 87,424 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-01-03 19:35 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-01-03 19:35 666,240 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-01-03 19:35 <REP> d-------- C:\Program Files\Alwil Software
2007-01-03 19:30 88,340 --a------ C:\WINDOWS\system32\fnnxitwo.exe
2007-01-03 19:30 81,684 --a------ C:\WINDOWS\system32\vysrepyw.dll
2007-01-03 19:30 44,060 --a------ C:\WINDOWS\system32\qxdbyoyd.dll
2007-01-03 19:30 118,804 --a------ C:\WINDOWS\system32\eibpanee.dll
2007-01-03 19:11 <REP> d-------- C:\SMITFRAUD
2007-01-03 18:15 <REP> d-------- C:\Program Files\Ipwindows
2007-01-03 18:07 <REP> d-------- C:\Program Files\Outerinfo
2007-01-03 18:06 72,704 --a------ C:\WINDOWS\system32\drvcot.dll
2007-01-03 18:06 22,541 ---hs---- C:\WINDOWS\system32\byxvvww.dll
2007-01-03 13:48 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe
2007-01-03 13:48 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-01-03 13:48 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-01-03 13:48 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2007-01-03 13:48 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-01-03 13:48 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2007-01-03 11:33 72,704 --a------ C:\WINDOWS\system32\drvcuv.dll
2007-01-03 11:33 54,423 --a------ C:\WINDOWS\system32\game0.exe.exe
2007-01-03 11:33 274,432 --a------ C:\WINDOWS\system32\avfglqjdo.exe
2007-01-03 11:33 22,541 --------- C:\WINDOWS\system32\rqrsqoo.dll
2007-01-03 11:33 <REP> d-------- C:\Program Files\PSDream
2007-01-02 21:41 <REP> d-------- C:\AboutBuster
2007-01-02 21:38 2,728 --a------ C:\WINDOWS\system32\tmp.reg
2007-01-02 17:32 13,356,136 --a------ C:\Documents and Settings\Nicola\antivir-personal-edition-7_antivir_personal_edition_classic_7_7.00.00.47_anglais_10821.exe
2006-12-31 01:13 54,423 --a------ C:\WINDOWS\system32\messenger.lib.exe
2006-12-31 01:12 5,120 --a------ C:\WINDOWSsystem32alg.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

Rootkit driver pe386 is present. A rootkit scan is required

2007-01-03 22:09 -------- d-------- C:\Program Files\Fichiers communs
2007-01-03 11:32 12800 --a------ C:\WINDOWS\system32\svchost.exe
2007-01-01 21:31 -------- d-------- C:\Program Files\HardwareDetection
2006-12-08 13:24 -------- d-------- C:\Program Files\Mozilla Firefox
2006-11-30 14:40 -------- d-------- C:\Program Files\Fichiers communs\Deterministic Networks
2006-11-30 14:39 16000 --a------ C:\WINDOWS\system32\drivers\eqdrv5.sys
2006-11-30 14:39 -------- d-------- C:\Program Files\CoSine Communications
2006-11-30 14:38 -------- d-------- C:\Program Files\Equant
2006-11-12 16:38 -------- d-------- C:\Program Files\Call of Duty
2006-11-10 16:51 -------- d-------- C:\Program Files\EPSON
2006-11-06 11:02 722 --a------ C:\Documents and Settings\Nicola\Application Data\C3-About.log


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Oerl"="\"C:\\DOCUME~1\\Nicola\\MESDOC~1\\DOBE~1\\wucrtupd.exe\" -vt yazb"
"Snqro"="C:\\Documents and Settings\\Nicola\\Mes documents\\??curity\\r?ndll.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"\\\\NICOLAS\\EPSON Stylus Photo RX420 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATI9CE.EXE /P41 \"\\\\NICOLAS\\EPSON Stylus Photo RX420 Series\" /O6 \"USB001\" /M \"Stylus Photo RX420\""
"NECMFK"="C:\\Program Files\\necmfk\\necmfk.exe"
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"{80610385-0576-1036-0522-030416200021}"="\"C:\\Program Files\\Fichiers communs\\{80610385-0576-1036-0522-030416200021}\\Update.exe\" mc-110-12-0000272"
"DllRunning"="rundll32.exe \"C:\\WINDOWS\\System32\\eibpanee.dll\",setvm"
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"WelcomePad"="C:\\Program Files\\Apoint2K\\ApWelcom.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"WelcomePad"="C:\\Program Files\\Apoint2K\\ApWelcom.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Pré-chargeur Browseui"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Démon de cache des catégories de composant"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"Internet Explorer"="{F28A40D7-AD0E-034A-C651-5F0ED76232E6}"
"NrMIKrgXf"="{80610386-2ACB-A92C-581F-EFEC89C68495}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^Lancement rapide d'Adobe Reader.lnk]
"path"="C:\\Documents and Settings\\All Users\\Menu Démarrer\\Programmes\\Démarrage\\Lancement rapide d'Adobe Reader.lnk"
"backup"="C:\\WINDOWS\\pss\\Lancement rapide d'Adobe Reader.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE "
"item"="Lancement rapide d'Adobe Reader"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^Microsoft Office.lnk]
"path"="C:\\Documents and Settings\\All Users\\Menu Démarrer\\Programmes\\Démarrage\\Microsoft Office.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~2\\Office\\OSA9.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^SoftRemote.lnk]
"path"="C:\\Documents and Settings\\All Users\\Menu Démarrer\\Programmes\\Démarrage\\SoftRemote.lnk"
"backup"="C:\\WINDOWS\\pss\\SoftRemote.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COSINE~1\\IPSECD~1\\SafeCfg.exe "
"item"="SoftRemote"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^Utilitaire réseau pour SAGEM Wi-Fi 11g USB adapter.lnk]
"path"="C:\\Documents and Settings\\All Users\\Menu Démarrer\\Programmes\\Démarrage\\Utilitaire réseau pour SAGEM Wi-Fi 11g USB adapter.lnk"
"backup"="C:\\WINDOWS\\pss\\Utilitaire réseau pour SAGEM Wi-Fi 11g USB adapter.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\SAGEMW~1\\WLANUTL.exe "
"item"="Utilitaire réseau pour SAGEM Wi-Fi 11g USB adapter"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Apoint"
"hkey"="HKLM"
"command"="C:\\Program Files\\Apoint2K\\Apoint.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="avgnt"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\AntiVir PersonalEdition Classic\\avgnt.exe\" /min"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CTFMON"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dumprep 0 -k"
"hkey"="HKLM"
"command"="%systemroot%\\system32\\dumprep 0 -k"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\Program Files\\Fichiers communs\\Ahead\\Lib\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRONoMgr.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PRONoMgr"
"hkey"="HKLM"
"command"="C:\\Program Files\\Intel\\NCS\\PROSet\\PRONoMgr.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSDream]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PSDream"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\PSDream\\PSDream.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedTouch USB Diagnostics]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Dragdiag"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Thomson\\SpeedTouch USB\\Dragdiag.exe\" /icon"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Systems]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="sysmon"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\sysmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZCfgSvc.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ZCfgSvc"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\ZCfgSvc.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zone Labs Client]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="zlclient"
"hkey"="HKLM"
"command"="C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{80610385-0257-1036-0522-030416200021}]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Update"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Fichiers communs\\{80610385-0257-1036-0522-030416200021}\\Update.exe\" te-110-12-0000273"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{80610385-0576-1036-0522-030416200021}]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Update"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Fichiers communs\\{80610385-0576-1036-0522-030416200021}\\Update.exe\" te-110-12-0000273"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\TEST.job

Completion time: 07-01-03 22:10:03.34
C:\ComboFix.txt ... 07-01-03 22:10




On 3-01-2007 at 22:21


But what is it, is it serious???

On 3-01-2007 at 23:04

Several infections, including a rootkit.

Download Rustbfix (by ejvindh)
**If the link does not work, click here**
Save it to your Desktop.

Double-click rustbfix.exe to launch the tool.
If a Rustock.b infection is detected, a prompt will tell you that the PC needs to be restarted. This restart may take longer than usual, and two restarts may be required. All of this happens automatically.
After the restart(s), two reports will open: (C:\avenger.txt & C:\Rustbfix\pelog.txt).
Post (copy/paste) the contents of these two reports, along with a new HijackThis log, in your next reply.

On 3-01-2007 at 23:50

And here's the rest:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\knrfbydu

*******************

Script file located at: \??\C:\Program Files\ucflfkkb.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Driver PE386 unloaded successfully.
Program C:\Rustbfix\2run.bat successfully set up to run once on reboot.

Completed script processing.

*******************

Finished! Terminate.

==================================================

************************* Rustock.b-fix -- By ejvindh *************************
03/01/2007 23:42:36,75

******************* Pre-run Status of system *******************

Rootkit driver PE386 is found. Starting the unload-procedure....

Rustock.b-ADS attached to the System32-folder:
:lzx32.sys 65568
Total size: 65568 bytes.
Attempting to remove ADS...
system32: deleted 65568 bytes in 1 streams.

Looking for Rustock.b-files in the System32-folder:
No Rustock.b-files found in system32


******************* Post-run Status of system *******************

Rustock.b-driver on the system: NONE!

Rustock.b-ADS attached to the System32-folder:
No System32-ADS found.

Looking for Rustock.b-files in the System32-folder:
No Rustock.b-files found in system32


******************************* End of Logfile ********************************


==================================================

Logfile of HijackThis v1.99.1
Scan saved at 23:47:53, on 03/01/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\Program Files\CoSine Communications\IPSec Dial Client\IPSecMon.exe
C:\Program Files\CoSine Communications\IPSec Dial Client\IreIKE.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE
C:\Program Files\necmfk\necmfk.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\Equant\Dialer\EACSvrMngr.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Nicola\Mes documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {51A71BFE-8918-87C5-6F8D-F6AD090EB0B3} - C:\WINDOWS\System32\imerf.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {50EF89C9-58AD-4BB7-BDEB-F9B318503757} - C:\WINDOWS\System32\awtqr.dll (file missing)
O2 - BHO: (no name) - {51A71BFE-8918-87C5-6F8D-F6AD090EB0B3} - C:\WINDOWS\System32\imerf.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\WINDOWS\System32\qxdbyoyd.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [\\NICOLAS\EPSON Stylus Photo RX420 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE /P41 "\\NICOLAS\EPSON Stylus Photo RX420 Series" /O6 "USB001" /M "Stylus Photo RX420"
O4 - HKLM\..\Run: [NECMFK] C:\Program Files\necmfk\necmfk.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [{80610385-0576-1036-0522-030416200021}] "C:\Program Files\Fichiers communs\{80610385-0576-1036-0522-030416200021}\Update.exe" mc-110-12-0000272
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\System32\eibpanee.dll",setvm
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Oerl] "C:\DOCUME~1\Nicola\MESDOC~1\DOBE~1\wucrtupd.exe" -vt yazb
O4 - HKCU\..\Run: [Snqro] C:\Documents and Settings\Nicola\Mes documents\??curity\r?ndll.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: XM2002® - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\Program Files\IPPS\XM2002®\XM2002.exe
O9 - Extra 'Tools' menuitem: &XM2002® - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\Program Files\IPPS\XM2002®\XM2002.exe
O16 - DPF: {CE69F98F-2AF3-4306-BAC6-A79070EDA1B4} (Zylom Loader Object) - http://eu.download.games.yahoo.com/zylom/activex/zylomloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FE883BAD-F783-4F7B-AE46-D2383BBE8021}: NameServer = 192.168.0.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: Internet Explorer - {F28A40D7-AD0E-034A-C651-5F0ED76232E6} - C:\WINDOWS\System32\Fbacljmm.dll (file missing)
O21 - SSODL: NrMIKrgXf - {80610386-2ACB-A92C-581F-EFEC89C68495} - C:\WINDOWS\System32\tlcfy.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Fichiers communs\BOONTY Shared\Service\Boonty.exe
O23 - Service: (Equant Access Companion) Services Manager (EACSvrMngr) - Equant - C:\Program Files\Equant\Dialer\EACSvrMngr.exe
O23 - Service: (Equant Access Companion) Devices and Services Monitoring (EACSys) - Equant - C:\Program Files\Equant\Dialer\EACSys.exe
O23 - Service: MS Internet Countermeasures Framework (ICF) - Unknown owner - C:\WINDOWS\System32\svchost.exe:exe.exe (file missing)
O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - C:\Program Files\CoSine Communications\IPSec Dial Client\IPSecMon.exe
O23 - Service: SafeNet IKE Service (IreIKE) - SafeNet - C:\Program Files\CoSine Communications\IPSec Dial Client\IreIKE.exe
O23 - Service: MSCSPTISRV - Unknown owner - C:\Program Files\Fichiers communs\Sony Shared\AVLib\MSCSPTISRV.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Fichiers communs\Sony Shared\AVLib\PACSPTISVR.exe (file missing)
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Unknown owner - C:\Program Files\Fichiers communs\Sony Shared\AVLib\SPTISRV.exe (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)


On 3-01-2007 at 23:51


Well, I really hope you manage to fix it; I don't understand any of it anymore.

On 4-01-2007 at 13:56

Run a ComboFix scan again now.

On 4-01-2007 at 20:28

Here it is, but I should point out that I had to work on this computer today and had to connect to the internet for 15 min; Avast didn't say anything!!!

ComboFix 06.11.27 - Running from: "C:\Documents and Settings\Nicola\Bureau"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\Nicola\Mes documents\CURITY~1


((((((((((((((((((((((((((((((( Files Created from 2006-12-04 to 2007-01-04 ))))))))))))))))))))))))))))))))))


2007-01-03 23:45 <REP> d-------- C:\avenger
2007-01-03 23:42 <REP> d-------- C:\Rustbfix
2007-01-03 20:47 <REP> d-------- C:\VundoFix Backups
2007-01-03 19:36 36,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-01-03 19:36 24,560 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-01-03 19:36 16,352 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-01-03 19:35 90,112 --a------ C:\WINDOWS\system32\AVASTSS.scr
2007-01-03 19:35 87,424 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-01-03 19:35 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-01-03 19:35 666,240 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-01-03 19:35 <REP> d-------- C:\Program Files\Alwil Software
2007-01-03 19:30 88,340 --a------ C:\WINDOWS\system32\fnnxitwo.exe
2007-01-03 19:30 81,684 --a------ C:\WINDOWS\system32\vysrepyw.dll
2007-01-03 19:30 44,060 --a------ C:\WINDOWS\system32\qxdbyoyd.dll
2007-01-03 19:30 118,804 --a------ C:\WINDOWS\system32\eibpanee.dll
2007-01-03 19:11 <REP> d-------- C:\SMITFRAUD
2007-01-03 18:15 <REP> d-------- C:\Program Files\Ipwindows
2007-01-03 18:07 <REP> d-------- C:\Program Files\Outerinfo
2007-01-03 18:06 72,704 --a------ C:\WINDOWS\system32\drvcot.dll
2007-01-03 18:06 22,541 ---hs---- C:\WINDOWS\system32\byxvvww.dll
2007-01-03 13:48 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe
2007-01-03 13:48 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-01-03 13:48 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-01-03 13:48 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2007-01-03 13:48 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-01-03 13:48 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2007-01-03 11:33 72,704 --a------ C:\WINDOWS\system32\drvcuv.dll
2007-01-03 11:33 54,423 --a------ C:\WINDOWS\system32\game0.exe.exe
2007-01-03 11:33 274,432 --a------ C:\WINDOWS\system32\avfglqjdo.exe
2007-01-03 11:33 22,541 --------- C:\WINDOWS\system32\rqrsqoo.dll
2007-01-03 11:33 <REP> d-------- C:\Program Files\PSDream
2007-01-02 21:41 <REP> d-------- C:\AboutBuster
2007-01-02 21:38 2,728 --a------ C:\WINDOWS\system32\tmp.reg
2007-01-02 17:32 13,356,136 --a------ C:\Documents and Settings\Nicola\antivir-personal-edition-7_antivir_personal_edition_classic_7_7.00.00.47_anglais_10821.exe
2006-12-31 01:13 54,423 --a------ C:\WINDOWS\system32\messenger.lib.exe
2006-12-31 01:12 5,120 --a------ C:\WINDOWSsystem32alg.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-03 22:09 -------- d-------- C:\Program Files\Fichiers communs
2007-01-03 11:32 12800 --a------ C:\WINDOWS\system32\svchost.exe
2007-01-01 21:31 -------- d-------- C:\Program Files\HardwareDetection
2006-12-08 13:24 -------- d-------- C:\Program Files\Mozilla Firefox
2006-11-30 14:40 -------- d-------- C:\Program Files\Fichiers communs\Deterministic Networks
2006-11-30 14:39 16000 --a------ C:\WINDOWS\system32\drivers\eqdrv5.sys
2006-11-30 14:39 -------- d-------- C:\Program Files\CoSine Communications
2006-11-30 14:38 -------- d-------- C:\Program Files\Equant
2006-11-12 16:38 -------- d-------- C:\Program Files\Call of Duty
2006-11-10 16:51 -------- d-------- C:\Program Files\EPSON
2006-11-06 11:02 722 --a------ C:\Documents and Settings\Nicola\Application Data\C3-About.log


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Oerl"="\"C:\\DOCUME~1\\Nicola\\MESDOC~1\\DOBE~1\\wucrtupd.exe\" -vt yazb"
"Snqro"="C:\\Documents and Settings\\Nicola\\Mes documents\\??curity\\r?ndll.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"\\\\NICOLAS\\EPSON Stylus Photo RX420 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATI9CE.EXE /P41 \"\\\\NICOLAS\\EPSON Stylus Photo RX420 Series\" /O6 \"USB001\" /M \"Stylus Photo RX420\""
"NECMFK"="C:\\Program Files\\necmfk\\necmfk.exe"
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"{80610385-0576-1036-0522-030416200021}"="\"C:\\Program Files\\Fichiers communs\\{80610385-0576-1036-0522-030416200021}\\Update.exe\" mc-110-12-0000272"
"DllRunning"="rundll32.exe \"C:\\WINDOWS\\System32\\eibpanee.dll\",setvm"
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"WelcomePad"="C:\\Program Files\\Apoint2K\\ApWelcom.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"WelcomePad"="C:\\Program Files\\Apoint2K\\ApWelcom.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Pré-chargeur Browseui"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Démon de cache des catégories de composant"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"Internet Explorer"="{F28A40D7-AD0E-034A-C651-5F0ED76232E6}"
"NrMIKrgXf"="{80610386-2ACB-A92C-581F-EFEC89C68495}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^Lancement rapide d'Adobe Reader.lnk]
"path"="C:\\Documents and Settings\\All Users\\Menu Démarrer\\Programmes\\Démarrage\\Lancement rapide d'Adobe Reader.lnk"
"backup"="C:\\WINDOWS\\pss\\Lancement rapide d'Adobe Reader.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE "
"item"="Lancement rapide d'Adobe Reader"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^Microsoft Office.lnk]
"path"="C:\\Documents and Settings\\All Users\\Menu Démarrer\\Programmes\\Démarrage\\Microsoft Office.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~2\\Office\\OSA9.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^SoftRemote.lnk]
"path"="C:\\Documents and Settings\\All Users\\Menu Démarrer\\Programmes\\Démarrage\\SoftRemote.lnk"
"backup"="C:\\WINDOWS\\pss\\SoftRemote.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COSINE~1\\IPSECD~1\\SafeCfg.exe "
"item"="SoftRemote"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^Utilitaire réseau pour SAGEM Wi-Fi 11g USB adapter.lnk]
"path"="C:\\Documents and Settings\\All Users\\Menu Démarrer\\Programmes\\Démarrage\\Utilitaire réseau pour SAGEM Wi-Fi 11g USB adapter.lnk"
"backup"="C:\\WINDOWS\\pss\\Utilitaire réseau pour SAGEM Wi-Fi 11g USB adapter.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\SAGEMW~1\\WLANUTL.exe "
"item"="Utilitaire réseau pour SAGEM Wi-Fi 11g USB adapter"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Apoint"
"hkey"="HKLM"
"command"="C:\\Program Files\\Apoint2K\\Apoint.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="avgnt"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\AntiVir PersonalEdition Classic\\avgnt.exe\" /min"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CTFMON"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dumprep 0 -k"
"hkey"="HKLM"
"command"="%systemroot%\\system32\\dumprep 0 -k"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\Program Files\\Fichiers communs\\Ahead\\Lib\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRONoMgr.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PRONoMgr"
"hkey"="HKLM"
"command"="C:\\Program Files\\Intel\\NCS\\PROSet\\PRONoMgr.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSDream]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PSDream"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\PSDream\\PSDream.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedTouch USB Diagnostics]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Dragdiag"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Thomson\\SpeedTouch USB\\Dragdiag.exe\" /icon"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Systems]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="sysmon"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\sysmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZCfgSvc.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ZCfgSvc"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\ZCfgSvc.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zone Labs Client]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="zlclient"
"hkey"="HKLM"
"command"="C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{80610385-0257-1036-0522-030416200021}]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Update"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Fichiers communs\\{80610385-0257-1036-0522-030416200021}\\Update.exe\" te-110-12-0000273"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{80610385-0576-1036-0522-030416200021}]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Update"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Fichiers communs\\{80610385-0576-1036-0522-030416200021}\\Update.exe\" te-110-12-0000273"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\TEST.job

Completion time: 07-01-04 20:24:54.40
C:\ComboFix.txt ... 07-01-04 20:24
C:\ComboFix2.txt ... 07-01-03 22:10

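A worked triage of the autostart section of the ComboFix dump above, as an added example (Python; it is not part of the original thread, of ComboFix, or of any of the tools named here). It parses the [key] headers and "name"="value" lines, flags ShellServiceObjectDelayLoad values that are not among the four a stock Windows XP install carries (PostBootReminder, CDBurn, WebCheck, SysTray; that allow-list is an assumption of this example), and flags any autostart command that runs from a folder named after a GUID, the pattern the two Update.exe entries above show. The sample input is an excerpt of the log posted above. One caveat when reading such a dump: entries under Shared Tools\MSConfig\startupreg are Run values that msconfig has disabled, so they are not active until re-enabled, but they still name the dropped files and still need cleaning.

```python
"""Triage of the autostart part of a ComboFix-style registry dump."""
import re
from typing import Dict, List, Tuple

# Constructed sample input: an excerpt of the ComboFix report posted above,
# with backslashes doubled exactly as ComboFix prints them.
SAMPLE_DUMP = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"Internet Explorer"="{F28A40D7-AD0E-034A-C651-5F0ED76232E6}"
"NrMIKrgXf"="{80610386-2ACB-A92C-581F-EFEC89C68495}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="avgnt"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\AntiVir PersonalEdition Classic\\avgnt.exe\" /min"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{80610385-0257-1036-0522-030416200021}]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Update"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Fichiers communs\\{80610385-0257-1036-0522-030416200021}\\Update.exe\" te-110-12-0000273"
"inimapping"="0"
'''

SSODL_KEY = r'hkey_local_machine\software\microsoft\windows\currentversion\shellserviceobjectdelayload'
# Value names present in ShellServiceObjectDelayLoad on a stock Windows XP
# install (assumption used as the allow-list for this example).
SSODL_DEFAULTS = {'postbootreminder', 'cdburn', 'webcheck', 'systray'}
# A path component that is a {GUID}, as used by the Update.exe entries above.
GUID_DIR = re.compile(r'\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\\', re.I)
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def unescape(s: str) -> str:
    """Undo .reg-style escaping: \\\\ -> \\ and \\" -> " (one pass, left to right)."""
    out, i = [], 0
    while i < len(s):
        if s[i] == '\\' and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return ''.join(out)


def parse_dump(text: str) -> Dict[str, Dict[str, str]]:
    """Map each [key] (lower-cased) to its {name: value} pairs."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1].lower()
            sections[current] = {}
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            name, val = m.group(1), m.group(2)
            if len(val) >= 2 and val.startswith('"') and val.endswith('"'):
                val = unescape(val[1:-1])   # quoted string; dword: values stay raw
            sections[current][name] = val
    return sections


def triage(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, entry name, reason) for every suspicious autostart entry."""
    findings: List[Tuple[str, str, str]] = []
    for key, values in parse_dump(text).items():
        if key == SSODL_KEY:
            for name, clsid in values.items():
                if name.lower() not in SSODL_DEFAULTS:
                    findings.append((key, name, f'non-default ShellServiceObjectDelayLoad entry {clsid}'))
        cmd = values.get('command')
        if cmd and GUID_DIR.search(cmd):
            findings.append((key, values.get('item', '?'), f'autostart runs from a GUID-named folder: {cmd}'))
    return findings


if __name__ == '__main__':
    for key, name, reason in triage(SAMPLE_DUMP):
        print(f'{name}: {reason}\n    in {key}')
```

Run against the full dump instead of the excerpt by reading the ComboFix.txt text into triage(); the two rules above are deliberately narrow so that the Apoint, avgnt, CTFMON and similar entries stay unflagged.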
On 4-01-2007 at 20:43 #

Re,

Download KillBox by Option^Explicit.
[u]Unzip[/u] it into a folder or onto your desktop (right-click, then Extract All).

Select the text in the box:

C:\WINDOWS\system32\fnnxitwo.exe
C:\WINDOWS\system32\vysrepyw.dll
C:\WINDOWS\system32\qxdbyoyd.dll
C:\WINDOWS\system32\eibpanee.dll
C:\WINDOWS\system32\byxvvww.dll
C:\WINDOWS\system32\drvcot.dll
C:\WINDOWS\system32\drvcuv.dll
C:\WINDOWS\system32\game0.exe.exe
C:\WINDOWS\system32\avfglqjdo.exe
C:\WINDOWS\system32\rqrsqoo.dll


---> Right-click, then Copy.
----------

-- Open Killbox.exe
-- Choose "Delete on reboot"
-- Click on:
- " File " -> " Paste from Clipboard "
- " All Files "

To finish, click on [:angeldark:3]

You will then be asked a question:
" File will be Removed on Reboot, Do you want to reboot now ? "

-- Answer YES; a countdown starts and your PC will restart.
-- After the restart, relaunch Killbox and click the menu: Files -> Logs -> Actions History Log, and post that report here.

NOTE: If you get the message "PendingFileRenameOperations Registry Data has been removed by external process!",
restart your PC manually.

HELP: KillBox tutorial (Jesses)
----------
Download Clean.zip (by Malekal),
Unzip it onto your desktop (right-click / Extract All); you should get a folder named Clean.
Open the clean folder and double-click clean.cmd.
Choose option 1 and wait. Then post the contents of the report.

Restart in Safe Mode

Open the clean folder and double-click clean.cmd.
Choose option 2 and wait.

Restart normally

- The clean report: My Computer / double-click drive C / double-click rapport_clean.txt and copy/paste its contents here: C:\rapport_clean.txt

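What Killbox's "Delete on reboot" does under the hood, as an added example (Python; not Killbox's own code and not part of the original thread): files that are locked while the malware runs are queued in the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, which the Session Manager processes early in the next boot, before the Run entries fire. Each queued file is a pair of strings: the source in NT form (\??\ prefixed to the Win32 path) followed by an empty destination, which means delete rather than rename. The code builds that value for the ten paths in the post above and renders it as a .reg fragment. Two caveats for anyone doing this by hand: merge with whatever the value already holds (installers queue their own renames there), and the "removed by external process" message in the post's NOTE is exactly the symptom of another program, or the malware, rewriting the value before the reboot.

```python
"""Build the PendingFileRenameOperations value behind a 'delete on reboot'."""
from typing import List

# Constructed input: the Killbox list from the post above.
KILLBOX_LIST = [
    r'C:\WINDOWS\system32\fnnxitwo.exe',
    r'C:\WINDOWS\system32\vysrepyw.dll',
    r'C:\WINDOWS\system32\qxdbyoyd.dll',
    r'C:\WINDOWS\system32\eibpanee.dll',
    r'C:\WINDOWS\system32\byxvvww.dll',
    r'C:\WINDOWS\system32\drvcot.dll',
    r'C:\WINDOWS\system32\drvcuv.dll',
    r'C:\WINDOWS\system32\game0.exe.exe',
    r'C:\WINDOWS\system32\avfglqjdo.exe',
    r'C:\WINDOWS\system32\rqrsqoo.dll',
]

NT_PREFIX = '\\??\\'   # turns a Win32 path into the NT object-namespace form the kernel expects
SESSION_MANAGER = 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager'


def pending_delete_entries(paths: List[str]) -> List[str]:
    """One (source, destination) pair per file; an empty destination means delete."""
    entries: List[str] = []
    for p in paths:
        entries.append(NT_PREFIX + p)
        entries.append('')
    return entries


def encode_multi_sz(entries: List[str]) -> bytes:
    """REG_MULTI_SZ: UTF-16LE, each string NUL-terminated, then one more NUL."""
    return b''.join(s.encode('utf-16-le') + b'\x00\x00' for s in entries) + b'\x00\x00'


def decode_multi_sz(data: bytes) -> List[str]:
    """Inverse of encode_multi_sz, kept so the encoding can be checked round-trip."""
    text = data.decode('utf-16-le')
    if not text.endswith('\x00'):
        raise ValueError('REG_MULTI_SZ is missing its final terminator')
    # Drop the list terminator, split on the per-string NULs, drop the empty tail.
    return text[:-1].split('\x00')[:-1]


def reg_fragment(paths: List[str]) -> str:
    """Render the value as regedit's hex(7) syntax, wrapped the way regedit exports it."""
    data = encode_multi_sz(pending_delete_entries(paths))
    parts = [f'{b:02x}' for b in data]
    lines = [','.join(parts[i:i + 25]) for i in range(0, len(parts), 25)]
    hexed = ',\\\n  '.join(lines)
    return ('Windows Registry Editor Version 5.00\n\n'
            f'[{SESSION_MANAGER}]\n'
            f'"PendingFileRenameOperations"=hex(7):{hexed}\n')


if __name__ == '__main__':
    print(reg_fragment(KILLBOX_LIST))
```

Programs such as Killbox do not write the value themselves: they call MoveFileEx with the MOVEFILE_DELAY_UNTIL_REBOOT flag and a NULL destination, and Windows appends the same pair to this value. The .reg rendering above is only useful for reading an export or queuing a deletion by hand on a machine where no such tool will run.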
On 4-01-2007 at 21:47 #

Here are the 3 reports, in order:

Pocket Killbox version 2.0.0.648
Running on Windows XP as Nicola(Administrator)
was started @ jeudi, janvier 04, 2007, 9:24 PM

Killbox Closed(Exit) @ 9:25:50 PM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as Nicola(Administrator)
was started @ jeudi, janvier 04, 2007, 9:25 PM

# 1 [Delete on Reboot]
Path = C:\WINDOWS\system32\fnnxitwo.exe


# 2 [Delete on Reboot]
Path = C:\WINDOWS\system32\vysrepyw.dll


# 3 [Delete on Reboot]
Path = C:\WINDOWS\system32\qxdbyoyd.dll


# 4 [Delete on Reboot]
Path = C:\WINDOWS\system32\eibpanee.dll


# 5 [Delete on Reboot]
Path = C:\WINDOWS\system32\byxvvww.dll


# 6 [Delete on Reboot]
Path = C:\WINDOWS\system32\drvcot.dll


# 7 [Delete on Reboot]
Path = C:\WINDOWS\system32\drvcuv.dll


# 8 [Delete on Reboot]
Path = C:\WINDOWS\system32\game0.exe.exe


# 9 [Delete on Reboot]
Path = C:\WINDOWS\system32\avfglqjdo.exe


# 10 [Delete on Reboot]
Path = C:\WINDOWS\system32\rqrsqoo.dll


I Rebooted @ 9:27:50 PM
Killbox Closed(Exit) @ 9:27:51 PM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as Nicola(Administrator)
was started @ jeudi, janvier 04, 2007, 9:29 PM

=================================================

Rapport clean par Malekal_morte - http://www.malekal.com
Option 1, executee le 04/01/2007 a 21:32:43,78

*** Recherche de fichiers sur C:

*** Recherche des fichiers dans C:\WINDOWS\
C:\WINDOWS\uniq FOUND

*** Recherche des fichiers dans C:\WINDOWS\system32
C:\WINDOWS\system32\eraseme_?????.exe FOUND
C:\WINDOWS\system32\i FOUND
C:\WINDOWS\system32\kr_done1 FOUND
C:\WINDOWS\system32\messenger.lib.exe FOUND
C:\WINDOWS\system32\x FOUND

"C:\Program Files\Ipwindows\" FOUND
*** Fin du rapport !


=================================================

Script execute en mode sans echec
Rapport clean par Malekal_morte - http://www.malekal.com
Option 2, executee le 04/01/2007 a 21:38:14,81

Microsoft Windows XP [version 5.1.2600]

*** Suppression de fichiers sur C:

*** Suppression des fichiers dans C:\WINDOWS\
tentative de suppression de C:\WINDOWS\uniq

*** Suppression des fichiers dans C:\WINDOWS\system32
tentative de suppression de C:\WINDOWS\system32\eraseme_?????.exe
tentative de suppression de C:\WINDOWS\system32\i
tentative de suppression de C:\WINDOWS\system32\kr_done1
tentative de suppression de C:\WINDOWS\system32\messenger.lib.exe
tentative de suppression de C:\WINDOWS\system32\x

tentative de suppression de "C:\Program Files\Ipwindows\"

*** Suppression des clefs du registre effectuee..
*** Fin du rapport !





On restart I get a message telling me that eibpanee was not found!!!