Your question

Stubborn trojan!!!!

Tags:
  • screensaver
  • Security
Last reply: in Security and viruses
27 September 2008 14:26:33

Hello,

I have a problem that is impossible to solve:
- a screensaver-type window saying THIS COMPUTER IS BEING ATTACKED that appears and moves around every 30 seconds.
- No more administrator rights, so no way to access the Control Panel
- At startup, it is impossible to boot into Safe Mode
- I have run several anti-spyware tools such as SUPERANTISPYWARE and MALWAREBYTES; the trojans are detected but cannot be removed
- I have tried COMBOFIX and SMITFRAUDFIX without success
- I have tried to stop the offending processes but they reappear
- I have tried to move the infected files to the recycle bin, without success

Could somebody help me?
Thanks in advance

SmitFraudFix v2.354

Scan done at 18:45:02.37, 2008-09-27
Run from C:\Documents and Settings\Juliette\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe
C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe
C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 5 SE\calcheck.exe
C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
C:\Program Files\DUALphone\DUALphone Suite\DUALphone Suite.exe
C:\WINDOWS\System32\svchost.exe
C:\DOCUME~1\Juliette\LOCALS~1\Temp\winstvn.exe
C:\DOCUME~1\Juliette\LOCALS~1\Temp\winlnls.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Documents and Settings\Juliette\Desktop\SmitfraudFix\Policies.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Juliette


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Juliette\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Juliette\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» AntiXPVSTFix
!!!Attention, following keys are not inevitably infected!!!

AntiXPVSTFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!



»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» RK



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Atheros AR5005G Wireless Network Adapter - Packet Scheduler Miniport
DNS Server Search Order: 172.21.128.1

Description: Atheros AR5005G Wireless Network Adapter - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{62148AF4-1911-4724-91DE-0232F51E8B02}: NameServer=172.21.128.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{9E5FBFEF-226F-4997-A729-A9B2E690584C}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{E2AB33A6-F583-4E19-A52E-D0185591E663}: DhcpNameServer=192.168.10.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{E2AB33A6-F583-4E19-A52E-D0185591E663}: NameServer=172.21.128.1,172.21.128.3
HKLM\SYSTEM\CS1\Services\Tcpip\..\{62148AF4-1911-4724-91DE-0232F51E8B02}: NameServer=172.21.128.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{9E5FBFEF-226F-4997-A729-A9B2E690584C}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{E2AB33A6-F583-4E19-A52E-D0185591E663}: DhcpNameServer=192.168.10.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{E2AB33A6-F583-4E19-A52E-D0185591E663}: NameServer=172.21.128.1,172.21.128.3
HKLM\SYSTEM\CS3\Services\Tcpip\..\{62148AF4-1911-4724-91DE-0232F51E8B02}: NameServer=172.21.128.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{9E5FBFEF-226F-4997-A729-A9B2E690584C}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{E2AB33A6-F583-4E19-A52E-D0185591E663}: DhcpNameServer=192.168.10.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{E2AB33A6-F583-4E19-A52E-D0185591E663}: NameServer=172.21.128.1,172.21.128.3
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

Here is the COMBOFIX report:

ComboFix 08-09-26.06 - Juliette 2008-09-27 19:37:01.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.85 [GMT 7:00]
Running from: C:\Documents and Settings\Juliette\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
C:\MS-DOS.com
C:\WINDOWS\Cursors\Boom.vbs
C:\WINDOWS\Fonts.\Fonts.exe
C:\WINDOWS\Fonts.\tskmgr.exe
C:\WINDOWS\Fonts.\wav.wav
C:\WINDOWS\Fonts\fonts.exe
C:\WINDOWS\Fonts\tskmgr.exe
C:\WINDOWS\Fonts\wav.wav
C:\WINDOWS\Help\microsoft.hlp
C:\WINDOWS\Media\rndll32.pif
C:\WINDOWS\pchealth\Global.exe
C:\WINDOWS\pchealth\helpctr\binaries\HelpHost.com
C:\WINDOWS\system\KEYBOARD.exe
C:\WINDOWS\system32.\dllcache\tskmgr.exe
C:\WINDOWS\system32\dllcache\autorun.inf
C:\WINDOWS\system32\dllcache\Default.exe
C:\WINDOWS\system32\dllcache\Global.exe
C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}
C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe
C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe
C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe
C:\WINDOWS\system32\dllcache\rndll32.exe
C:\WINDOWS\system32\drivers\drivers.cab.exe
C:\WINDOWS\system32\regedit.exe
.
---- Previous Run -------
.
C:\autorun.inf
C:\MS-DOS.com
C:\WINDOWS\Cursors\Boom.vbs
C:\WINDOWS\Fonts.\Fonts.exe
C:\WINDOWS\Fonts.\tskmgr.exe
C:\WINDOWS\Fonts.\wav.wav
C:\WINDOWS\Fonts\fonts.exe
C:\WINDOWS\Fonts\tskmgr.exe
C:\WINDOWS\Fonts\wav.wav
C:\WINDOWS\Help\microsoft.hlp
C:\WINDOWS\Media\rndll32.pif
C:\WINDOWS\pchealth\Global.exe
C:\WINDOWS\pchealth\helpctr\binaries\HelpHost.com
C:\WINDOWS\system\KEYBOARD.exe
C:\WINDOWS\system32.\dllcache\tskmgr.exe
C:\WINDOWS\system32\dllcache\autorun.inf
C:\WINDOWS\system32\dllcache\Default.exe
C:\WINDOWS\system32\dllcache\Global.exe
C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}
C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe
C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe
C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe
C:\WINDOWS\system32\dllcache\rndll32.exe
C:\WINDOWS\system32\drivers\drivers.cab.exe
C:\WINDOWS\system32\regedit.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ASC3360PR
-------\Service_asc3360pr
-------\Legacy_ASC3360PR
-------\Service_asc3360pr


((((((((((((((((((((((((( Files Created from 2008-08-27 to 2008-09-27 )))))))))))))))))))))))))))))))
.

2008-09-25 18:03 . 2008-09-25 18:03 <DIR> d-------- C:\Documents and Settings\Juliette\Application Data\Malwarebytes
2008-09-25 18:02 . 2008-09-25 18:02 <DIR> d-------- C:\Documents and Settings\Juliette\Application Data\SUPERAntiSpyware.com
2008-09-25 09:17 . 2008-09-25 09:17 <DIR> d-------- C:\Documents and Settings\Juliette\Application Data\Ulead Systems
2008-09-25 01:06 . 2008-09-27 16:07 <DIR> d-------- C:\Documents and Settings\Juliette\Application Data\skypePM
2008-09-25 01:04 . 2008-09-27 19:00 <DIR> d-------- C:\Documents and Settings\Juliette\Application Data\Skype
2008-09-25 00:58 . 2008-09-25 00:58 <DIR> d-------- C:\Documents and Settings\Juliette
2008-09-24 23:58 . 2008-09-24 23:58 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-09-24 23:58 . 2008-09-24 23:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-09-24 23:58 . 2008-09-24 23:58 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-09-24 23:05 . 2008-09-27 18:45 2,178 --a------ C:\WINDOWS\system32\tmp.reg
2008-09-24 22:44 . 2008-09-24 22:44 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-09-24 22:30 . 2008-09-24 22:30 <DIR> d-------- C:\Program Files\PrevxCSI
2008-09-24 22:30 . 2008-09-27 14:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-09-24 22:30 . 2008-09-24 22:30 17,408 --a------ C:\WINDOWS\system32\drivers\pxark.sys
2008-09-24 18:33 . 2008-09-24 18:33 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-24 18:33 . 2008-09-24 18:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-24 18:33 . 2008-09-24 18:33 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-09-24 18:33 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-24 18:33 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-19 20:11 . 2008-09-19 20:11 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-09-18 08:26 . 2008-08-27 14:50 405,504 -rahsc--- C:\WINDOWS\system32\dllcache\svchost.exe
2008-09-17 08:20 . 2008-09-17 08:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-09-17 08:16 . 2008-09-17 08:16 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-09-17 08:15 . 2008-09-17 08:17 <DIR> d-------- C:\Program Files\QuickTime
2008-09-17 08:15 . 2008-09-17 08:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-09-17 08:14 . 2008-09-17 08:14 <DIR> d-------- C:\Program Files\Apple Software Update
2008-09-17 08:14 . 2008-09-17 08:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-09-14 12:49 . 2008-09-22 13:58 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Ulead Systems
2008-09-06 15:09 . 2008-09-06 15:09 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-09-06 15:09 . 2008-09-06 15:09 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-09-06 10:57 . 2008-09-06 10:57 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2008-08-29 09:02 . 2008-09-27 18:57 664 --a------ C:\WINDOWS\system32\d3d9caps.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-24 17:51 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Skype
2008-09-24 17:05 --------- d-----w C:\Documents and Settings\Administrator\Application Data\skypePM
2004-04-10 10:56 25,496 -c--a-w C:\Program Files\ukfaq.htm
2004-04-10 10:13 56,789 -c--a-w C:\Program Files\ukmanual.htm
2004-04-08 03:33 61,440 -c--a-w C:\Program Files\UKHook35.dll
2004-04-07 22:34 126,464 -c--a-w C:\Program Files\UniKeyNT.exe
2001-02-16 05:41 403,456 -c--a-w C:\Program Files\tahomavn.exe
2001-02-16 05:10 250,880 -c--a-w C:\Program Files\microssvn.exe
2001-02-16 03:37 657,408 -c--a-w C:\Program Files\arialvn.exe
2001-02-16 03:25 757,760 -c--a-w C:\Program Files\timesvn.exe
2001-02-16 03:15 260,096 -c--a-w C:\Program Files\grgarevn.exe
.

((((((((((((((((((((((((((((( snapshot@2008-09-24_23.33.11.84 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-09-24 16:58:13 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2008-09-24 16:58:13 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-02-13 249272]
"DUALphone Suite"="C:\Program Files\DUALphone\DUALphone Suite\DUALphone Suite.exe" [2007-02-07 372736]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 290872]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-03-05 262189]
"Ulead Photo Express Calendar Checker"="C:\Program Files\Ulead Systems\Ulead Photo Express 5 SE\calcheck.exe" [2004-01-12 208896]
"Ulead AutoDetector"="C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe" [2003-11-18 122880]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-09-06 495616]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
D-Link AirPlus G Configuration Utility.lnk - C:\Program Files\D-Link AirPlus G\AirPlus.exe [2007-02-12 368640]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 152992]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableStatusMessages"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"RestrictCpl"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\disallowrun]
"12"= forge60.exe
"24"= Forge70.exe
"13"= keygen.exe
"15"= Forge80.exe
"16"= nero.exe
"17"= smartmovie.exe
"18"= wmplayer.exe
"19"= mPhonetools.exe
"20"= videoenc.exe
"21"= smartmovie_sp.exe
"22"= Dr.DivX.exe
"7"= vegas50.exe
"28"= vegas40.exe
"29"= vegas30.exe
"8"= vegas60.exe
"9"= Audition.exe
"23"= WinRAR.exe
"25"= MPBrowser.exe
"26"= BlueSoleil.exe
"27"= ENCARTA.exe
"30"= Photoshop.exe
"31"= Dreamweaver.exe
"32"= NeatImage.exe
"33"= AudioCommander.exe
"34"= NeroStartSmart.exe
"35"= msiexec.exe

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i263_32.drv
"vidc.3ivx"= 3ivxVfWCodec.dll
"vidc.3iv2"= 3ivxVfWCodec.dll
"msacm.divxa32"= divxa32.acm
"VIDC.HFYU"= huffyuv.dll
"VIDC.i263"= i263_32.drv
"msacm.imc"= imc32.acm
"VIDC.VP31"= vp31vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\EXCEL.exe]
"Debugger"=C:\WINDOWS\Fonts\Fonts.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\MSACCESS.exe]
"Debugger"=C:\WINDOWS\Fonts\Fonts.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\MSPUB.exe]
"Debugger"=C:\WINDOWS\Fonts\Fonts.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Photoshop.exe]
"Debugger"=C:\WINDOWS\system32\drivers\drivers.cab.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\POWERPNT.exe]
"Debugger"=C:\WINDOWS\Fonts\Fonts.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ProcessManager.exe]
"Debugger"=C:\WINDOWS\pchealth\helpctr\binaries\HelpHost.com

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\WINWORD.exe]
"Debugger"=C:\WINDOWS\Fonts\Fonts.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe"=
"C:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"C:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"=
"C:\\Program Files\\DUALphone\\DUALphone Suite\\DUALphone Suite.exe"=
"C:\\Program Files\\D-Link AirPlus G\\AirPlus.exe"=
"C:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"C:\\Program Files\\Ulead Systems\\Ulead Photo Express 5 SE\\calcheck.exe"=
"C:\\WINDOWS\\system32\\notepad.exe"=
"C:\\Program Files\\Network Associates\\Common Framework\\UpdaterUI.exe"=
"C:\\ComboFix\\NirCmd.cfexe"=
"C:\\Program Files\\QuickTime\\qttask.exe"=
"C:\\Program Files\\Ulead Systems\\Ulead Photo Explorer 8.0 SE Basic\\Monitor.exe"=
"C:\\WINDOWS\\system32\\wuauclt.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\WINDOWS\\system32\\CF8530.exe"=

R0 pxark;pxark;C:\WINDOWS\system32\drivers\pxark.sys [2008-09-24 17408]
R2 CSIScanner;CSIScanner;C:\Program Files\PrevxCSI\prevxcsi.exe [2008-09-24 618040]
R3 OBOE;Toshiba FIR Port Type-DO;C:\WINDOWS\system32\DRIVERS\tos4mo.sys [2001-08-17 28232]
S0 luvohq;luvohq;C:\WINDOWS\system32\drivers\gpmd.sys [ ]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;C:\WINDOWS\system32\DRIVERS\el575nd5.sys [2001-08-17 69692]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{354aa034-83bf-11dd-bbf0-00134661a864}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MS-DOS.com
\Shell\Explore\command - E:\MS-DOS.com
\Shell\Open\command - E:\MS-DOS.com

*Newly Created Service* - ASC3360PR
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://news.google.fr/nwshp?hl=fr&tab=wn
R0 -: HKCU-Main,Search Page = hxxp://www.google.com
R0 -: HKCU-Main,Search Bar = hxxp://www.google.com/ie
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
O17 -: HKLM\CCS\Interface\{62148AF4-1911-4724-91DE-0232F51E8B02}: NameServer = 172.21.128.1
O17 -: HKLM\CCS\Interface\{E2AB33A6-F583-4E19-A52E-D0185591E663}: NameServer = 172.21.128.1,172.21.128.3

O16 -: DirectAnimation Java Classes - file://C:\WINDOWS\Java\classes\dajava.cab
C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-27 19:44:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\ComboFix\NirCmd.cfexe
.
**************************************************************************
.
Completion time: 2008-09-27 19:46:52 - machine was rebooted [Juliette]
ComboFix-quarantined-files.txt 2008-09-27 12:46:46
ComboFix2.txt 2008-09-24 16:48:05
ComboFix3.txt 2008-09-24 16:35:07

Pre-Run: 15,793,881,088 bytes free
Post-Run: 15,922,601,984 bytes free

27 September 2008 15:11:59

and here is the HIJACKTHIS report

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:05:48, on 9/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 5 SE\calcheck.exe
C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\DUALphone\DUALphone Suite\DUALphone Suite.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\DOCUME~1\Juliette\LOCALS~1\Temp\fbdpq.exe
C:\DOCUME~1\Juliette\LOCALS~1\Temp\fail.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.fr/nwshp?hl=fr&tab=wn
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Ulead Photo Express Calendar Checker] C:\Program Files\Ulead Systems\Ulead Photo Express 5 SE\calcheck.exe
O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DUALphone Suite] C:\Program Files\DUALphone\DUALphone Suite\DUALphone Suite.exe
O4 - Global Startup: D-Link AirPlus G Configuration Utility.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{62148AF4-1911-4724-91DE-0232F51E8B02}: NameServer = 172.21.128.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{E2AB33A6-F583-4E19-A52E-D0185591E663}: NameServer = 172.21.128.1,172.21.128.3
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: CSIScanner - Prevx - C:\Program Files\PrevxCSI\prevxcsi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 4401 bytes
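The ComboFix and HijackThis reports above show the mechanisms behind the symptoms in the opening post: Image File Execution Options "Debugger" values redirect WINWORD.exe, EXCEL.exe and the other Office programs to C:\WINDOWS\Fonts\Fonts.exe and ProcessManager.exe to HelpHost.com, RestrictCpl=1 is the missing Control Panel, the DisallowRun list blocks msiexec.exe among others, EnableFirewall=0 turns the firewall off, the mountpoints2 AutoRun handler runs MS-DOS.com whenever the E: drive is opened, and processes run from Temp and from a fake Recycler.{...} folder under dllcache. The script below is an added example, not a tool from this thread or from the ComboFix or HijackThis authors: it walks report lines of that shape and flags those indicators. The debugger allow-list, the list of "odd" directories, the lock-down policy table and the notepad.exe/ntsd.exe sample entry are assumptions; the sample input is constructed from lines posted above.

```python
"""Triage of ComboFix / HijackThis style log lines for the persistence and lock-down
indicators in the reports above (added example, not a tool from the thread)."""
import re
from typing import Iterable, List, NamedTuple


class Finding(NamedTuple):
    severity: str   # "high": attacker-controlled setting; "review": needs a human
    kind: str
    detail: str


# Debuggers that legitimately sit in an IFEO "Debugger" value (assumption; extend to
# taste). Any other path means launching the target program runs that path instead.
KNOWN_DEBUGGERS = {"ntsd.exe", "cdb.exe", "windbg.exe", "vsjitdebugger.exe"}
# Directories a legitimate service or autostart never runs from. "Fonts." with a
# trailing dot is only reachable via \\?\ paths, so Explorer and cmd cannot remove it.
ODD_EXE_DIR = re.compile(r"\\(Temp|Fonts\.?|pchealth|dllcache\\Recycler\.\{[0-9A-F-]+\})"
                         r"\\[^\\]+\.(exe|com|pif|scr)\b", re.I)
IFEO_KEY = re.compile(r"image file execution options\\(?P<target>[^\]\\]+)\]", re.I)
DEBUGGER_VALUE = re.compile(r'^"Debugger"\s*=\s*"?(?P<path>[^"\r\n]+?)"?\s*$', re.I)
POLICY_VALUE = re.compile(r'^"(?P<name>[A-Za-z]+)"\s*=\s*(?P<val>\d+)')
DISALLOWRUN_VALUE = re.compile(r'^"\d+"\s*=\s*(?P<exe>\S+\.exe)$', re.I)
AUTORUN_CMD = re.compile(r"\\Shell\\(?P<verb>AutoRun|Open|Explore)\\command\s*-\s*(?P<cmd>.+)$", re.I)
# Policy values that take the machine away from its owner: (value name, data) -> meaning
LOCKDOWN = {("restrictcpl", "1"): "Control Panel disabled by policy (the 'no Control Panel' symptom)",
            ("disableregistrytools", "1"): "regedit disabled by policy",
            ("disabletaskmgr", "1"): "Task Manager disabled by policy",
            ("enablefirewall", "0"): "Windows Firewall switched off in the registry"}


def basename(path: str) -> str:
    # Last path component, lower-cased; copes with the doubled backslashes of .reg output.
    return re.split(r"[\\/]", path.strip().strip('"'))[-1].lower()


def triage(lines: Iterable[str]) -> List[Finding]:
    findings: List[Finding] = []
    seen = set()            # ComboFix repeats its 'Previous Run' list; report each once
    ifeo_target = None      # set while inside an IFEO\<program> key
    in_disallowrun = False
    disallowed: List[str] = []

    def add(severity: str, kind: str, detail: str) -> None:
        if (kind, detail) not in seen:
            seen.add((kind, detail))
            findings.append(Finding(severity, kind, detail))

    for raw in lines:
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):      # registry key header
            m = IFEO_KEY.search(line)
            ifeo_target = m.group("target") if m else None
            in_disallowrun = line.lower().endswith("\\disallowrun]")
            continue
        if (m := DEBUGGER_VALUE.match(line)) and ifeo_target:
            path = m["path"].strip()
            if basename(path) not in KNOWN_DEBUGGERS:
                add("high", "ifeo-hijack", f"{ifeo_target} is redirected to {path}")
            continue
        if (m := POLICY_VALUE.match(line)) and (m["name"].lower(), m["val"]) in LOCKDOWN:
            add("high", "lockdown", LOCKDOWN[(m["name"].lower(), m["val"])])
            continue
        if (m := DISALLOWRUN_VALUE.match(line)) and in_disallowrun:
            disallowed.append(m["exe"])
            continue
        if m := AUTORUN_CMD.search(line):   # per-volume handler: opening the drive runs it
            add("high", "removable-autorun", f"{m['verb']} handler runs {m['cmd'].strip()}")
            continue
        if ODD_EXE_DIR.search(line):
            add("high", "odd-location-exe", line)
    if disallowed:   # blocking msiexec.exe also blocks installing cleanup tools
        sev = "high" if "msiexec.exe" in (d.lower() for d in disallowed) else "review"
        add(sev, "disallowrun", f"{len(disallowed)} programs blocked by policy: " + ", ".join(disallowed))
    return findings


# Constructed sample: lines copied from the reports in this thread, plus one legitimate
# IFEO entry (notepad.exe -> ntsd.exe, an assumption) to show the allow-list working.
SAMPLE_LOG = [
    r"C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe",
    r"C:\DOCUME~1\Juliette\LOCALS~1\Temp\fail.exe",
    r"C:\WINDOWS\Fonts.\tskmgr.exe",
    r"[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]",
    r'"RestrictCpl"= 1 (0x1)',
    r"[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\disallowrun]",
    r'"13"= keygen.exe', r'"23"= WinRAR.exe', r'"35"= msiexec.exe',
    r"[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\WINWORD.exe]",
    r'"Debugger"=C:\WINDOWS\Fonts\Fonts.exe',
    r"[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ProcessManager.exe]",
    r'"Debugger"=C:\WINDOWS\pchealth\helpctr\binaries\HelpHost.com',
    r"[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\notepad.exe]",
    r'"Debugger"=C:\WINDOWS\system32\ntsd.exe',
    r"[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]",
    r'"EnableFirewall"= 0 (0x0)',
    r"[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{354aa034-83bf-11dd-bbf0-00134661a864}]",
    r"\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MS-DOS.com",
    r"\Shell\Open\command - E:\MS-DOS.com",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.kind:18} {f.detail}")
```

To use it on a saved report, call triage(open(path, errors="replace").read().splitlines()). The script only reads reports; it does not touch the registry. Note that ComboFix's "Other Deletions" list above includes C:\WINDOWS\system32\regedit.exe itself, so on this machine the keys the script flags would have to be repaired with another editor, and entries created by a process that keeps respawning from the Recycler.{...} folder will simply come back until that process is gone, which is the point of the helper's question below about whether the symptoms persist after ComboFix.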
27 September 2008 18:17:40

Hello,

Do you still have the same problem after ComboFix?
27 September 2008 20:37:48

Yes, some residual trojans remain after ComboFix.
28 September 2008 21:49:20

How can you be certain?