Your question

Virus problem (hacktool.rootkit?)

Tags:
  • Internet Explorer
  • Security
Last reply: in Security and viruses
20 June 2008 17:06:14

Hello,
I am desperately trying to save what is left of my PC...
Indeed, I believe I had hacktool.rootkit (thanks NAV...), so I ran Ad-Aware, a2, AVG and Spybot scans, and now my PC crawls and error messages pop up on every action... and an XPsecuser keeps trying to install itself every second...
Mayday Mayday....

I'm attaching the HijackThis log; if anyone can help me I would be grateful.

Thanks in advance

Logfile of HijackThis v1.99.1
Scan saved at 16:43:23, on 20/06/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Panicware\Pop-Up Stopper\dpps2.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\braviax.exe
D:\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
D:\a-squared Anti-Malware\a2service.exe
D:\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Patator\Bureau\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O3 - Toolbar: (no name) - {B245B1AD-F282-4928-A4E5-0A9DBE0671DD} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Windows Messenger] msmsgs.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\Program Files\Panicware\Pop-Up Stopper\dpps2.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NWEReboot] C:\WINDOWS\UNWmaNMix.exe /REMOVE="C:\DOCUME~1\Patator\LOCALS~1\Temp\RarSFX0"
O4 - HKLM\..\Run: [braviax] braviax.exe
O4 - HKLM\..\Run: [a-squared] "D:\a-squared Anti-Malware\a2guard.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\RunServices: [Windows Messenger] msmsgs.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Windows Messenger] msmsgs.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\RunServices: [microsoft-software] vvib.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Logiciels\Office\Office10\OSA.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://E:\LOGICI~1\Office\Office10\EXCEL.EXE/3000
O9 - Extra button: NoPopup - {09F0E7C2-01B0-4672-B81C-6471CFAD213E} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Cont...
O16 - DPF: {B79A53C0-1DAC-4636-BACE-FD086A7A79BF} (AdSignerLCContrl Class) - https://static.impots.gouv.fr/tdir/static/adpform/AdSig...
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\cru629.dat
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - D:\a-squared Anti-Malware\a2service.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Microsoft ASPI Manager (aspimgr) - Unknown owner - C:\WINDOWS\System32\aspimgr.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: FireDaemon Service: eventsec (eventsec) - Unknown owner - C:\winnt\system32\dllcache\FireDaemon.EXE (file missing)
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: FireDaemon Service: ntsysvers (ntsysvers) - Unknown owner - C:\winnt\system32\dllcache\FireDaemon.EXE (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

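The checks below are an added example, not part of this thread and not HijackThis or ComboFix code: they encode the patterns that the log above and the helper's later CFScript single out (a bare filename in a Run key, any RunServices entry, a non-DLL in AppInit_DLLs, a service whose file is missing) and run them over a constructed sample made of lines copied from that log. The names `triage`, `flagged_lines` and `executable_of` are the example's own.

```python
"""Triage rules for HijackThis autostart lines (O4, O20 and O23)."""
import re
from typing import Dict, List

Finding = Dict[str, object]

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (.*)$")
O23_RE = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*)$")
# Shortest leading token that ends in a program-like extension, so an unquoted
# path containing spaces is kept whole instead of being cut at the first blank.
EXE_RE = re.compile(
    r"^(.*?\.(?:exe|com|bat|cmd|scr|pif|vbs|dll|dat))(?:\s|$)", re.IGNORECASE)

# Constructed sample: lines copied from the HijackThis log posted above, plus
# known-good lines (vptray, TeaTimer, DefWatch) that the rules must not flag.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [braviax] braviax.exe
O4 - HKLM\..\RunServices: [Windows Messenger] msmsgs.exe
O4 - HKCU\..\RunServices: [microsoft-software] vvib.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\cru629.dat
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Microsoft ASPI Manager (aspimgr) - Unknown owner - C:\WINDOWS\System32\aspimgr.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
""".strip("\n")


def executable_of(cmd: str) -> str:
    """Return the program part of an O4 command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.match(cmd)
    return m.group(1) if m else (cmd.split()[0] if cmd else "")


def _finding(line: int, item: str, severity: str, detail: str) -> Finding:
    return {"line": line, "item": item, "severity": severity, "detail": detail}


def triage(log_text: str) -> List[Finding]:
    """Apply the rules to each line; one finding per rule that fires."""
    findings: List[Finding] = []
    for lineno, raw in enumerate(log_text.splitlines(), start=1):
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            hive, key, name, cmd = m.groups()
            exe = executable_of(cmd)
            if key == "RunServices":
                # Windows 9x/Me read RunServices; Windows XP ignores it, so no
                # working program needs it. Every RunServices entry in the log
                # above was deleted by the helper's CFScript.
                findings.append(_finding(lineno, "O4", "high",
                    f"{hive}\\..\\RunServices [{name}] = {exe}: key unused by XP"))
            if "\\" not in exe:
                # No directory: the name is resolved through the search path.
                # Legitimate (CTHELPER.EXE) and hostile (braviax.exe) entries
                # both look like this, so this rule only asks for a look.
                findings.append(_finding(lineno, "O4", "review",
                    f"{hive}\\..\\{key} [{name}] = {exe}: bare filename"))
            continue
        m = O20_RE.match(line)
        if m:
            dll = m.group(1).strip()
            if dll:
                # AppInit_DLLs is loaded into every process that maps user32;
                # whatever its extension the file is a DLL, so a .dat name
                # (cru629.dat above) is a disguise.
                sev = "medium" if dll.lower().endswith(".dll") else "high"
                findings.append(_finding(lineno, "O20", sev, f"AppInit_DLLs = {dll}"))
            continue
        m = O23_RE.match(line)
        if m:
            svc, owner, path = m.groups()
            if path.endswith("(file missing)"):
                findings.append(_finding(lineno, "O23", "medium",
                    f"service '{svc}' ({owner}) points at a missing file: {path}"))
            elif owner == "Unknown owner":
                findings.append(_finding(lineno, "O23", "review",
                    f"service '{svc}' has no publisher: {path}"))
    return findings


def flagged_lines(log_text: str) -> List[int]:
    """Sorted line numbers of every line that produced at least one finding."""
    return sorted({int(f["line"]) for f in triage(log_text)})


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f['line']:>2}  {f['item']:<4}{f['severity']:<7} {f['detail']}")
```

The "review" findings are deliberately weak: a bare filename or an unknown publisher is a prompt to look, not a verdict.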

21 June 2008 11:00:54

Hello,

Download ComboFix (by sUBs) to your Desktop.

  • Temporarily disable all resident protection! (antivirus, antispyware...)
  • Double-click ComboFix.exe.
  • Accept the licence by clicking Yes.
  • When the operation is finished, a report will appear. Post that report in your next reply.

    The report is located here: %systemdrive%\ComboFix.txt (%systemdrive% being the partition where Windows is installed; usually C:\)

    Help: How to use ComboFix.
    21 June 2008 12:44:57

    In any case, thanks for your help, because I'm a real dunce with computers...

    I've just run the ComboFix scan.
    Here is the report:

    ComboFix 08-06-20.4 - Patator 2008-06-21 12:27:25.1 - FAT32x86
    Microsoft Windows XP Professionnel 5.1.2600.1.1252.1.1036.18.62 [GMT 2:00]
    Endroit: C:\Documents and Settings\Patator\Bureau\ComboFix.exe
    * Création d'un nouveau point de restauration

    AVERTISSEMENT - LA CONSOLE DE RÉCUPÉRATION N'EST PAS INSTALLÉE SUR CETTE MACHINE !!
    .

    (((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\All Users\Application Data\Starware354
    C:\Documents and Settings\All Users\Application Data\Starware354\buttons\FindIt.bmp
    C:\Documents and Settings\All Users\Application Data\Starware354\buttons\FindItHot.bmp
    C:\Documents and Settings\All Users\Application Data\Starware354\buttons\findithotxp.png
    C:\Documents and Settings\All Users\Application Data\Starware354\buttons\finditxp.png
    C:\Documents and Settings\All Users\Application Data\Starware354\buttons\Highlight.bmp
    C:\Documents and Settings\All Users\Application Data\Starware354\buttons\HighlightHot.bmp
    C:\Documents and Settings\All Users\Application Data\Starware354\buttons\highlighthotxp.png
    C:\Documents and Settings\All Users\Application Data\Starware354\buttons\highlightxp.png
    C:\Documents and Settings\All Users\Application Data\Starware354\buttons\recipes.bmp
    C:\Documents and Settings\All Users\Application Data\Starware354\buttons\recipes.png
    C:\Documents and Settings\All Users\Application Data\Starware354\buttons\recipes_foreign_feed.bmp
    C:\Documents and Settings\All Users\Application Data\Starware354\buttons\recipes_foreign_feed.png
    C:\Documents and Settings\All Users\Application Data\Starware354\buttons\starware_toolbar_icon.bmp
    C:\Documents and Settings\All Users\Application Data\Starware354\contexts\error.xml
    C:\Documents and Settings\All Users\Application Data\Starware354\contexts\related.xml
    C:\Documents and Settings\All Users\Application Data\Starware354\contexts\Travel.xml
    C:\Documents and Settings\All Users\Application Data\Starware354\SimpleUpdate\ProductMessagingConfig.xml
    C:\Documents and Settings\All Users\Application Data\Starware354\SimpleUpdate\ProductMessagingConfig.xml.backup
    C:\Documents and Settings\All Users\Application Data\Starware354\SimpleUpdate\SimpleUpdateConfig.xml
    C:\Documents and Settings\All Users\Application Data\Starware354\SimpleUpdate\SimpleUpdateConfig.xml.backup
    C:\Documents and Settings\All Users\Application Data\Starware354\SimpleUpdate\TimerManagerConfig.xml
    C:\Documents and Settings\All Users\Application Data\Starware354\SimpleUpdate\TimerManagerConfig.xml.backup
    C:\Documents and Settings\Patator\Local Settings\Temporary Internet Files\enyxoz.bat
    C:\Documents and Settings\Patator\Local Settings\Temporary Internet Files\kojo.ban
    C:\Documents and Settings\Patator\Local Settings\Temporary Internet Files\yvufuwo.vbs
    C:\WINDOWS\braviax.exe
    C:\WINDOWS\g32.txt
    C:\WINDOWS\s32.txt
    C:\WINDOWS\system32\braviax.exe
    C:\WINDOWS\system32\cru629.dat
    C:\WINDOWS\system32\DelSelf.bat
    C:\WINDOWS\system32\MSINET.oca
    C:\WINDOWS\system32\uninstall.exe
    C:\WINDOWS\system32\winivstr.exe
    C:\WINDOWS\ws386.ini

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_ASPIMGR
    -------\Legacy_ROFL
    -------\Service_aspimgr


    ((((((((((((((((((((((((((((( Fichiers créés 2008-05-21 to 2008-06-21 ))))))))))))))))))))))))))))))))))))
    .

    2008-06-19 21:49 . 2008-06-19 21:49 <REP> d--hs---- C:\FOUND.000
    2008-06-19 21:32 . 2008-06-19 21:32 <REP> d-------- C:\Documents and Settings\Patator\Application Data\Grisoft
    2008-06-19 21:32 . 2007-05-30 14:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
    2008-06-19 21:31 . 2008-06-19 21:31 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
    2008-06-19 21:26 . 2008-06-19 21:26 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-06-19 21:24 . 2008-06-19 21:24 <REP> d-------- C:\Program Files\Fichiers communs\Wise Installation Wizard
    2008-06-19 20:31 . 2008-06-19 20:31 <REP> d-------- C:\fsaua.data
    2008-06-17 19:42 . 2008-06-17 19:42 19,299 --a------ C:\WINDOWS\perorun.dll
    2008-06-17 19:42 . 2008-06-17 19:42 17,769 --a------ C:\WINDOWS\kigymyry.sys
    2008-06-17 19:42 . 2008-06-17 19:42 17,578 --a------ C:\WINDOWS\system32\gybyxas.bat
    2008-06-17 19:42 . 2008-06-17 19:42 17,472 --a------ C:\WINDOWS\system32\ykylag.scr
    2008-06-17 19:42 . 2008-06-17 19:42 16,258 --a------ C:\WINDOWS\igemi.exe
    2008-06-17 19:42 . 2008-06-17 19:42 15,883 --a------ C:\WINDOWS\uzaq.bin
    2008-06-17 19:42 . 2008-06-17 19:42 14,001 --a------ C:\WINDOWS\system32\yqaxidex.vbs
    2008-06-17 19:42 . 2008-06-17 19:42 12,285 --a------ C:\Documents and Settings\All Users\Application Data\uwex.pif
    2008-06-17 19:42 . 2008-06-17 19:42 11,545 --a------ C:\WINDOWS\tyna.com
    2008-06-17 19:42 . 2008-06-17 19:42 11,082 --a------ C:\WINDOWS\suqyzofiqa.exe

    .
    (((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-05-16 09:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
    2008-05-12 17:41 --------- d-----w C:\Program Files\Samsung
    2008-04-29 09:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
    2008-04-29 09:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
    2008-04-29 09:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
    2006-12-28 20:05 17,232 ----a-w C:\Documents and Settings\Patator\Application Data\GDIPFONTCACHEV1.DAT
    .

    ((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    REGEDIT4
    *Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 11:45 13312]
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2004-05-12 01:03 1038336]
    "MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 12:55 5674352]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
    "microsoft-software"="vvib.exe" []

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Messenger"="msmsgs.exe" []
    "vptray"="C:\Program Files\NavNT\vptray.exe" [2001-09-26 18:06 73728]
    "Pop-Up Stopper"="C:\Program Files\Panicware\Pop-Up Stopper\dpps2.exe" [2003-01-14 01:43 868352]
    "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
    "WINDVDPatch"="CTHELPER.EXE" [2002-07-02 17:56 24576 C:\WINDOWS\system32\CTHELPER.EXE]
    "UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
    "Jet Detection"="C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 01:00 28672]
    "Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2006-03-16 11:34 755480]
    "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41 49152]
    "a-squared"="D:\a-squared Anti-Malware\a2guard.exe" [2008-06-03 12:37 2131600]
    "!AVG Anti-Spyware"="D:\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 11:25 6731312]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
    "Windows Messenger"="msmsgs.exe" []

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 11:45 13312]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2003-04-14 19:30 1491216]
    "Windows Messenger"="msmsgs.exe" []

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "Windows Messenger"="msmsgs.exe" []

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunServices]
    "microsoft-software"="qtzs.exe" []

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "vidc.DIVF"= DivX412.dll
    "vidc.ffds"= C:\WINDOWS\system32\ffdshow.ax

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    S3 ATIVRVXX;ATI Rage Theatre Video (ATIRTCAP);C:\WINDOWS\System32\DRIVERS\atirtcap.sys [2001-08-17 20:49]

    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-06-21 12:32:40
    Windows 5.1.2600 Service Pack 1 FAT NTAPI

    Balayage processus cachés ...

    Balayage caché autostart entries ...

    Balayage des fichiers cachés ...

    Scan terminé avec succès
    Les fichiers cachés: 0

    **************************************************************************
    .
    --------------------- DLLs a chargé sous des processus courants ---------------------

    PROCESS: C:\WINDOWS\system32\winlogon.exe
    -> C:\WINDOWS\system32\Ati2evxx.dll
    -> C:\WINDOWS\System32\NavLogon.dll

    PROCESS: C:\WINDOWS\explorer.exe
    -> C:\Program Files\Panicware\Pop-Up Stopper\DPHOOK32.DLL
    -> C:\WINDOWS\PANICNT.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\PROGRAM FILES\LAVASOFT\AD-AWARE\AAWSERVICE.EXE
    D:\a-squared Anti-Malware\a2service.exe
    D:\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINDOWS\system32\ZONELABS\vsmon.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\WINDOWS\System32\MsgSys.EXE
    C:\Program Files\NavNT\VPC32.EXE
    C:\Program Files\NavNT\vpdn_lu.exe
    C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    C:\PROGRA~1\Symantec\LIVEUP~1\LUALL.EXE
    .
    **************************************************************************
    .
    Temps d'accomplissement: 2008-06-21 12:39:02 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-06-21 10:38:52

    Pre-Run: 460,029,952 octets libres
    Post-Run: 666,681,344 octets libres

    161

    Needless to say, I don't understand much of it

    Thanks again for your help!

    21 June 2008 13:23:51

    Re,

    Select the whole of the box below:

    Collect::
    C:\WINDOWS\suqyzofiqa.exe
    C:\WINDOWS\perorun.dll
    C:\WINDOWS\kigymyry.sys
    C:\WINDOWS\system32\gybyxas.bat
    C:\WINDOWS\system32\ykylag.scr
    C:\WINDOWS\igemi.exe
    C:\WINDOWS\uzaq.bin
    C:\WINDOWS\system32\yqaxidex.vbs
    C:\Documents and Settings\All Users\Application Data\uwex.pif
    C:\WINDOWS\tyna.com

    Folder::
    C:\FOUND.000

    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
    "microsoft-software"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Messenger"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
    "Windows Messenger"=-
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Windows Messenger"=-
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "Windows Messenger"=-
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunServices]
    "microsoft-software"=-


    This will relaunch ComboFix. After the reboot, post the contents of the ComboFix.txt report.
    If there is no reboot, post the report anyway.

  • Copy/paste it into Notepad (Start\All Programs\Accessories\Notepad)
  • Save it to your desktop under the name CFScript.txt
  • Now drag the CFScript.txt file onto ComboFix.exe as shown below:

  • This will relaunch ComboFix. Post the contents of the ComboFix.txt report after the reboot, if there is one.
    21 June 2008 13:52:54

    There was no reboot, but here is the contents of ComboFix.txt:

    ComboFix 08-06-20.4 - Patator 2008-06-21 13:40:59.2 - FAT32x86
    Microsoft Windows XP Professionnel 5.1.2600.1.1252.1.1036.18.51 [GMT 2:00]
    Endroit: C:\Documents and Settings\Patator\Bureau\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Patator\Bureau\CFScript.txt
    * Création d'un nouveau point de restauration

    AVERTISSEMENT - LA CONSOLE DE RÉCUPÉRATION N'EST PAS INSTALLÉE SUR CETTE MACHINE !!
    .

    (((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\All Users\Application Data\uwex.pif
    C:\FOUND.000
    C:\FOUND.000\FILE0000.CHK
    C:\FOUND.000\FILE0001.CHK
    C:\WINDOWS\igemi.exe
    C:\WINDOWS\kigymyry.sys
    C:\WINDOWS\perorun.dll
    C:\WINDOWS\suqyzofiqa.exe
    C:\WINDOWS\system32\gybyxas.bat
    C:\WINDOWS\system32\ykylag.scr
    C:\WINDOWS\system32\yqaxidex.vbs
    C:\WINDOWS\tyna.com
    C:\WINDOWS\uzaq.bin

    .
    ((((((((((((((((((((((((((((( Fichiers créés 2008-05-21 to 2008-06-21 ))))))))))))))))))))))))))))))))))))
    .

    2008-06-19 21:32 . 2008-06-19 21:32 <REP> d-------- C:\Documents and Settings\Patator\Application Data\Grisoft
    2008-06-19 21:32 . 2007-05-30 14:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
    2008-06-19 21:31 . 2008-06-19 21:31 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
    2008-06-19 21:26 . 2008-06-19 21:26 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-06-19 21:24 . 2008-06-19 21:24 <REP> d-------- C:\Program Files\Fichiers communs\Wise Installation Wizard
    2008-06-19 20:31 . 2008-06-19 20:31 <REP> d-------- C:\fsaua.data

    .
    (((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-06-16 18:12 13,270,549 ------w C:\WINDOWS\Internet Logs\tvDebug.zip
    2008-05-16 09:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
    2008-05-12 17:41 --------- d-----w C:\Program Files\Samsung
    2008-04-29 09:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
    2008-04-29 09:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
    2008-04-29 09:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
    2006-12-28 20:05 17,232 ----a-w C:\Documents and Settings\Patator\Application Data\GDIPFONTCACHEV1.DAT
    .

    ((((((((((((((((((((((((((((( snapshot@2008-06-21_12.36.41.26 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-06-21 10:18:34 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    + 2008-06-21 10:31:46 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    - 2008-06-21 10:18:34 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Historique\History.IE5\index.dat
    + 2008-06-21 10:31:46 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Historique\History.IE5\index.dat
    - 2008-06-21 10:18:34 360,448 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2008-06-21 10:39:18 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    .
    ((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    REGEDIT4
    *Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 11:45 13312]
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2004-05-12 01:03 1038336]
    "MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 12:55 5674352]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "vptray"="C:\Program Files\NavNT\vptray.exe" [2001-09-26 18:06 73728]
    "Pop-Up Stopper"="C:\Program Files\Panicware\Pop-Up Stopper\dpps2.exe" [2003-01-14 01:43 868352]
    "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
    "WINDVDPatch"="CTHELPER.EXE" [2002-07-02 17:56 24576 C:\WINDOWS\system32\CTHELPER.EXE]
    "UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
    "Jet Detection"="C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 01:00 28672]
    "Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2006-03-16 11:34 755480]
    "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41 49152]
    "a-squared"="D:\a-squared Anti-Malware\a2guard.exe" [2008-06-03 12:37 2131600]
    "!AVG Anti-Spyware"="D:\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 11:25 6731312]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 11:45 13312]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2003-04-14 19:30 1491216]

    C:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage\
    Microsoft Office.lnk - E:\Logiciels\Office\Office10\OSA.EXE [2001-02-13 09:01:04 83360]
    HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22 288472]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "vidc.DIVF"= DivX412.dll
    "vidc.ffds"= C:\WINDOWS\system32\ffdshow.ax

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    S2 eventsec;FireDaemon Service: eventsec;C:\winnt\system32\dllcache\FireDaemon.EXE []
    S2 ntsysvers;FireDaemon Service: ntsysvers;C:\winnt\system32\dllcache\FireDaemon.EXE []
    S3 ATIVRVXX;ATI Rage Theatre Video (ATIRTCAP);C:\WINDOWS\System32\DRIVERS\atirtcap.sys [2001-08-17 20:49]

    *Newly Created Service* - MCHINJDRV
    *Newly Created Service* - NAVAP
    *Newly Created Service* - NAVENG
    *Newly Created Service* - NAVEX15
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-06-21 13:44:42
    Windows 5.1.2600 Service Pack 1 FAT NTAPI

    Balayage processus cachés ...

    Balayage caché autostart entries ...

    Balayage des fichiers cachés ...

    Scan terminé avec succès
    Les fichiers cachés: 0

    **************************************************************************
    .
    --------------------- DLLs a chargé sous des processus courants ---------------------

    PROCESS: C:\WINDOWS\system32\winlogon.exe
    -> C:\WINDOWS\system32\Ati2evxx.dll
    -> C:\WINDOWS\System32\NavLogon.dll
    .
    Temps d'accomplissement: 2008-06-21 13:46:01
    ComboFix-quarantined-files.txt 2008-06-21 11:45:54
    ComboFix2.txt 2008-06-21 10:39:08

    Pre-Run: 621,961,216 octets libres
    Post-Run: 622,243,840 octets libres

    111
    21 June 2008 14:07:56

    Re,

    Select the whole of the box below:

    Driver::
    eventsec
    ntsysvers
    NAVAP
    NAVENG
    NAVEX15

    Folder::
    C:\Program Files\NavNT


    This will relaunch ComboFix. After the reboot, post the contents of the ComboFix.txt report.
    If there is no reboot, post the report anyway.

  • Copy/paste it into Notepad (Start\All Programs\Accessories\Notepad)
  • Save it to your desktop under the name CFScript.txt
  • Now drag the CFScript.txt file onto ComboFix.exe as shown below:

  • This will relaunch ComboFix. Post the contents of the ComboFix.txt report after the reboot, if there is one.
    21 June 2008 15:51:09

    Done!
    Thanks for your patience!

    Attached is the ComboFix report:

    ComboFix 08-06-20.4 - Patator 2008-06-21 15:31:23.3 - FAT32x86
    Microsoft Windows XP Professionnel 5.1.2600.1.1252.1.1036.18.58 [GMT 2:00]
    Endroit: C:\Documents and Settings\Patator\Bureau\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Patator\Bureau\CFScript.txt
    * Création d'un nouveau point de restauration

    AVERTISSEMENT - LA CONSOLE DE RÉCUPÉRATION N'EST PAS INSTALLÉE SUR CETTE MACHINE !!
    .

    (((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Program Files\NavNT
    C:\Program Files\NavNT\_ISNAVNT.ULG
    C:\Program Files\NavNT\AMS2\_INST32I.EX_
    C:\Program Files\NavNT\AMS2\12520437.CP_
    C:\Program Files\NavNT\AMS2\12520850.CP_
    C:\Program Files\NavNT\AMS2\AMS.DL_
    C:\Program Files\NavNT\AMS2\AMS2.CA_
    C:\Program Files\NavNT\AMS2\AMS2.CFG
    C:\Program Files\NavNT\AMS2\AMS2INST.DLL
    C:\Program Files\NavNT\AMS2\AMSDB.DL_
    C:\Program Files\NavNT\AMS2\AMSDB.MD_
    C:\Program Files\NavNT\AMS2\AMSLIB.DL_
    C:\Program Files\NavNT\AMS2\AMSTRANS.DL_
    C:\Program Files\NavNT\AMS2\AMSUI.DL_
    C:\Program Files\NavNT\AMS2\BCSTHNDL.DL_
    C:\Program Files\NavNT\AMS2\CACONFIG.EX_
    C:\Program Files\NavNT\AMS2\CADB.DL_
    C:\Program Files\NavNT\AMS2\CASVC.EX_
    C:\Program Files\NavNT\AMS2\CASVC.MD_
    C:\Program Files\NavNT\AMS2\CAUNINST.DLL
    C:\Program Files\NavNT\AMS2\CBA.CA_
    C:\Program Files\NavNT\AMS2\CBA.DL_
    C:\Program Files\NavNT\AMS2\CBADB.MD_
    C:\Program Files\NavNT\AMS2\CBATL.MD_
    C:\Program Files\NavNT\AMS2\CBAXFR.DL_
    C:\Program Files\NavNT\AMS2\CLUTIL_S.DL_
    C:\Program Files\NavNT\AMS2\CMNRC.DL_
    C:\Program Files\NavNT\AMS2\CSL.DL_
    C:\Program Files\NavNT\AMS2\CSSM32S.DL_
    C:\Program Files\NavNT\AMS2\CSSM32S.SI_
    C:\Program Files\NavNT\AMS2\CSSMS_IN.DL_
    C:\Program Files\NavNT\AMS2\CTINST.EXE
    C:\Program Files\NavNT\AMS2\CTL3D32.DL_
    C:\Program Files\NavNT\AMS2\DS16GT.DL_
    C:\Program Files\NavNT\AMS2\DS32GT.DL_
    C:\Program Files\NavNT\AMS2\ENUAMS.LR_
    C:\Program Files\NavNT\AMS2\ENUAMS2.CN_
    C:\Program Files\NavNT\AMS2\ENUAMS2.HL_
    C:\Program Files\NavNT\AMS2\ENUAMSUI.LR_
    C:\Program Files\NavNT\AMS2\ENUCACRC.LR_
    C:\Program Files\NavNT\AMS2\ENUCAIN.DL_
    C:\Program Files\NavNT\AMS2\ENUCAMGR.CN_
    C:\Program Files\NavNT\AMS2\ENUCAMGR.CNT
    C:\Program Files\NavNT\AMS2\ENUCAMGR.HL_
    C:\Program Files\NavNT\AMS2\ENUCAMGR.HLP
    C:\Program Files\NavNT\AMS2\ENUCASRC.LR_
    C:\Program Files\NavNT\AMS2\ENUCMNRC.LR_
    C:\Program Files\NavNT\AMS2\ENUINST.DLL
    C:\Program Files\NavNT\AMS2\ENUPDSRC.LR_
    C:\Program Files\NavNT\AMS2\ENUSAT.CN_
    C:\Program Files\NavNT\AMS2\ENUSAT.HL_
    C:\Program Files\NavNT\AMS2\ENUSAT.LR_
    C:\Program Files\NavNT\AMS2\ENUXFRRC.LR_
    C:\Program Files\NavNT\AMS2\FRAAMS.LR_
    C:\Program Files\NavNT\AMS2\FRAAMS2.CN_
    C:\Program Files\NavNT\AMS2\FRAAMS2.HL_
    C:\Program Files\NavNT\AMS2\FRAAMSUI.LR_
    C:\Program Files\NavNT\AMS2\FRACACRC.LR_
    C:\Program Files\NavNT\AMS2\FRACAIN.DL_
    C:\Program Files\NavNT\AMS2\FRACAMGR.CN_
    C:\Program Files\NavNT\AMS2\FRACAMGR.HL_
    C:\Program Files\NavNT\AMS2\FRACASRC.LR_
    C:\Program Files\NavNT\AMS2\frainst.dll
    C:\Program Files\NavNT\AMS2\FRAPDSRC.LR_
    C:\Program Files\NavNT\AMS2\FRASAT.CN_
    C:\Program Files\NavNT\AMS2\FRASAT.HL_
    C:\Program Files\NavNT\AMS2\FRASAT.LR_
    C:\Program Files\NavNT\AMS2\FRAXFRRC.LR_
    C:\Program Files\NavNT\AMS2\HARDWARE.CD_
    C:\Program Files\NavNT\AMS2\HARDWARE.DB_
    C:\Program Files\NavNT\AMS2\HNDLRSVC.EX_
    C:\Program Files\NavNT\AMS2\IAO.EX_
    C:\Program Files\NavNT\AMS2\INDSM_S.DL_
    C:\Program Files\NavNT\AMS2\InstallAMS.dll
    C:\Program Files\NavNT\AMS2\ITMLHNDL.DL_
    C:\Program Files\NavNT\AMS2\IX509CLS.DL_
    C:\Program Files\NavNT\AMS2\JPNAMS2.CN_
    C:\Program Files\NavNT\AMS2\JPNAMS2.HL_
    C:\Program Files\NavNT\AMS2\JPNCAMGR.CNT
    C:\Program Files\NavNT\AMS2\JPNCAMGR.HLP
    C:\Program Files\NavNT\AMS2\LCFINST.EX_
    C:\Program Files\NavNT\AMS2\LCFINST.PK_
    C:\Program Files\NavNT\AMS2\LOC32VC0.DL_
    C:\Program Files\NavNT\AMS2\LOC32VC0.DLL
    C:\Program Files\NavNT\AMS2\MFC42.DL_
    C:\Program Files\NavNT\AMS2\MFC42ENU.DL_
    C:\Program Files\NavNT\AMS2\MFC42FRA.DL_
    C:\Program Files\NavNT\AMS2\MODEMCFG.EX_
    C:\Program Files\NavNT\AMS2\MODEMS.CD_
    C:\Program Files\NavNT\AMS2\MODEMS.DB_
    C:\Program Files\NavNT\AMS2\MSBXHNDL.DL_
    C:\Program Files\NavNT\AMS2\MSCPXL32.DL_
    C:\Program Files\NavNT\AMS2\MSGSYS.DL_
    C:\Program Files\NavNT\AMS2\MSGSYS.EX_
    C:\Program Files\NavNT\AMS2\MSJET35.DL_
    C:\Program Files\NavNT\AMS2\MSJINT35.DL_
    C:\Program Files\NavNT\AMS2\MSJTER35.DL_
    C:\Program Files\NavNT\AMS2\MSLTUS35.DL_
    C:\Program Files\NavNT\AMS2\MSRD2X35.DL_
    C:\Program Files\NavNT\AMS2\MSVCIRT.DL_
    C:\Program Files\NavNT\AMS2\MSVCRT.DL_
    C:\Program Files\NavNT\AMS2\MSVCRT20.DL_
    C:\Program Files\NavNT\AMS2\MSVCRT40.DL_
    C:\Program Files\NavNT\AMS2\MSVCRT40.DLL
    C:\Program Files\NavNT\AMS2\MTXDM.DL_
    C:\Program Files\NavNT\AMS2\NTELHNDL.DL_
    C:\Program Files\NavNT\AMS2\NTS.DL_
    C:\Program Files\NavNT\AMS2\ODBC16GT.DL_
    C:\Program Files\NavNT\AMS2\ODBC32.DL_
    C:\Program Files\NavNT\AMS2\ODBC32GT.DL_
    C:\Program Files\NavNT\AMS2\ODBCAD32.EX_
    C:\Program Files\NavNT\AMS2\ODBCCP32.CP_
    C:\Program Files\NavNT\AMS2\ODBCCP32.DL_
    C:\Program Files\NavNT\AMS2\ODBCCR32.DL_
    C:\Program Files\NavNT\AMS2\ODBCINST.CN_
    C:\Program Files\NavNT\AMS2\ODBCINST.HL_
    C:\Program Files\NavNT\AMS2\ODBCINT.DL_
    C:\Program Files\NavNT\AMS2\ODBCJET.CN_
    C:\Program Files\NavNT\AMS2\ODBCJET.HL_
    C:\Program Files\NavNT\AMS2\ODBCJI32.DL_
    C:\Program Files\NavNT\AMS2\ODBCJT32.DL_
    C:\Program Files\NavNT\AMS2\ODBCTL32.DL_
    C:\Program Files\NavNT\AMS2\ODBCTRAC.DL_
    C:\Program Files\NavNT\AMS2\ORIGREG.DL_
    C:\Program Files\NavNT\AMS2\ORIGREG.IL_
    C:\Program Files\NavNT\AMS2\OSSAPI.DL_
    C:\Program Files\NavNT\AMS2\OSSMEM.DL_
    C:\Program Files\NavNT\AMS2\PAGEHNDL.DL_
    C:\Program Files\NavNT\AMS2\PAGESVC.IN_
    C:\Program Files\NavNT\AMS2\PDS.DL_
    C:\Program Files\NavNT\AMS2\PDS.EX_
    C:\Program Files\NavNT\AMS2\PRGXHNDL.DL_
    C:\Program Files\NavNT\AMS2\SERVICES.CD_
    C:\Program Files\NavNT\AMS2\SERVICES.DB_
    C:\Program Files\NavNT\AMS2\SNMPAT.EX_
    C:\Program Files\NavNT\AMS2\SNMPAT.LD_
    C:\Program Files\NavNT\AMS2\SNMPHNDL.DL_
    C:\Program Files\NavNT\AMS2\SOEDPER.DL_
    C:\Program Files\NavNT\AMS2\VBAJET32.DL_
    C:\Program Files\NavNT\AMS2\VBAR332.DL_
    C:\Program Files\NavNT\AMS2\vssver.scc
    C:\Program Files\NavNT\AMS2\WSDLL32.DL_
    C:\Program Files\NavNT\AMS2\XFR.EX_
    C:\Program Files\NavNT\chan32i.dll
    C:\Program Files\NavNT\Cliproxy.dll
    C:\Program Files\NavNT\Cliscan.dll
    C:\Program Files\NavNT\clninst.bat
    C:\Program Files\NavNT\country.dat
    C:\Program Files\NavNT\Ctl3d.dll
    C:\Program Files\NavNT\dec2.dll
    C:\Program Files\NavNT\dec2amg.dll
    C:\Program Files\NavNT\dec2arj.dll
    C:\Program Files\NavNT\dec2id.dll
    C:\Program Files\NavNT\dec2lha.dll
    C:\Program Files\NavNT\dec2lz.dll
    C:\Program Files\NavNT\dec2mime.dll
    C:\Program Files\NavNT\Dec2RTF.dll
    C:\Program Files\NavNT\Dec2SS.dll
    C:\Program Files\NavNT\Dec2UUE.dll
    C:\Program Files\NavNT\dec2zip.dll
    C:\Program Files\NavNT\Defannty.dll
    C:\Program Files\NavNT\default.hst
    C:\Program Files\NavNT\DEFLOC.DAT
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\NavNT\dwhwizrd.exe
    C:\Program Files\NavNT\enuact.cnt
    C:\Program Files\NavNT\enucore.hlp
    C:\Program Files\NavNT\enuctls.hlp
    C:\Program Files\NavNT\enudlgs.hlp
    C:\Program Files\NavNT\enugloss.hlp
    C:\Program Files\NavNT\enulotus.hlp
    C:\Program Files\NavNT\enuopt.cnt
    C:\Program Files\NavNT\enutask.hlp
    C:\Program Files\NavNT\enuview.hlp
    C:\Program Files\NavNT\enuvpc32.cnt
    C:\Program Files\NavNT\enuvpc32.GID
    C:\Program Files\NavNT\enuvpui.hlp
    C:\Program Files\NavNT\enuxchng.hlp
    C:\Program Files\NavNT\filter.dat
    C:\Program Files\NavNT\i2ldvp3.dll
    C:\Program Files\NavNT\ldvpreg.exe
    C:\Program Files\NavNT\luawrap.exe
    C:\Program Files\NavNT\luhstedt.dll
    C:\Program Files\NavNT\N32call.dll
    C:\Program Files\NavNT\N32vlist.dll
    C:\Program Files\NavNT\navap.sys
    C:\Program Files\NavNT\navap32.dll
    C:\Program Files\NavNT\Navapel.sys
    C:\Program Files\NavNT\navapi32.dll
    C:\Program Files\NavNT\navcust2.dll
    C:\Program Files\NavNT\NavInsNT.dll
    C:\Program Files\NavNT\navlu.dll
    C:\Program Files\NavNT\navntutl.dll
    C:\Program Files\NavNT\NAVRoam.exe
    C:\Program Files\NavNT\navustub.exe
    C:\Program Files\NavNT\nnewdefs.dll
    C:\Program Files\NavNT\patch32i.dll
    C:\Program Files\NavNT\platform.dat
    C:\Program Files\NavNT\qscomm32.dll
    C:\Program Files\NavNT\qsinfo.dll
    C:\Program Files\NavNT\qspak32.dll
    C:\Program Files\NavNT\rtvscan.exe
    C:\Program Files\NavNT\s32luhl1.dll
    C:\Program Files\NavNT\S32NAVQ.DLL
    C:\Program Files\NavNT\scancfg.dat
    C:\Program Files\NavNT\SCANDLVR.DLL
    C:\Program Files\NavNT\scandres.dll
    C:\Program Files\NavNT\sdflt32i.dll
    C:\Program Files\NavNT\sdpck32i.dll
    C:\Program Files\NavNT\sdsnd32i.dll
    C:\Program Files\NavNT\sdsok32i.dll
    C:\Program Files\NavNT\sdstp32i.dll
    C:\Program Files\NavNT\Smstr32i.dll
    C:\Program Files\NavNT\symamg32.dll
    C:\Program Files\NavNT\SymClnUp.exe
    C:\Program Files\NavNT\symlha.dll
    C:\Program Files\NavNT\vpc32.exe
    C:\Program Files\NavNT\vpdebug.log
    C:\Program Files\NavNT\vpdn_lu.exe
    C:\Program Files\NavNT\vpmsece.dll
    C:\Program Files\NavNT\vptray.exe

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_EVENTSEC
    -------\Legacy_NAVAP
    -------\Legacy_NAVENG
    -------\Legacy_NAVEX15
    -------\Legacy_NTSYSVERS
    -------\Service_eventsec
    -------\Service_NAVAP
    -------\Service_NAVENG
    -------\Service_NAVEX15
    -------\Service_ntsysvers
    -------\Legacy_DefWatch
    -------\Service_DefWatch


    ((((((((((((((((((((((((((((( Fichiers créés 2008-05-21 to 2008-06-21 ))))))))))))))))))))))))))))))))))))
    .

    2008-06-19 21:32 . 2008-06-19 21:32 <REP> d-------- C:\Documents and Settings\Patator\Application Data\Grisoft
    2008-06-19 21:32 . 2007-05-30 14:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
    2008-06-19 21:31 . 2008-06-19 21:31 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
    2008-06-19 21:26 . 2008-06-19 21:26 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-06-19 21:24 . 2008-06-19 21:24 <REP> d-------- C:\Program Files\Fichiers communs\Wise Installation Wizard
    2008-06-19 20:31 . 2008-06-19 20:31 <REP> d-------- C:\fsaua.data

    .
    (((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-05-16 09:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
    2008-05-12 17:41 --------- d-----w C:\Program Files\Samsung
    2008-04-29 09:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
    2008-04-29 09:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
    2008-04-29 09:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
    2006-12-28 20:05 17,232 ----a-w C:\Documents and Settings\Patator\Application Data\GDIPFONTCACHEV1.DAT
    .

    ((((((((((((((((((((((((((((( snapshot@2008-06-21_12.36.41.26 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-06-21 10:31:46 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-06-21 13:38:02 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    - 2008-06-21 10:18:34 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    + 2008-06-21 10:31:46 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    - 2008-06-21 10:18:34 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Historique\History.IE5\index.dat
    + 2008-06-21 10:31:46 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Historique\History.IE5\index.dat
    - 2008-06-21 10:18:34 360,448 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2008-06-21 10:39:18 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    .
    ((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    REGEDIT4
    *Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 11:45 13312]
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2004-05-12 01:03 1038336]
    "MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 12:55 5674352]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "vptray"="C:\Program Files\NavNT\vptray.exe" [ ]
    "Pop-Up Stopper"="C:\Program Files\Panicware\Pop-Up Stopper\dpps2.exe" [2003-01-14 01:43 868352]
    "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
    "WINDVDPatch"="CTHELPER.EXE" [2002-07-02 17:56 24576 C:\WINDOWS\system32\CTHELPER.EXE]
    "UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
    "Jet Detection"="C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 01:00 28672]
    "Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2006-03-16 11:34 755480]
    "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41 49152]
    "a-squared"="D:\a-squared Anti-Malware\a2guard.exe" [2008-06-03 12:37 2131600]
    "!AVG Anti-Spyware"="D:\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 11:25 6731312]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 11:45 13312]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2003-04-14 19:30 1491216]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "vidc.DIVF"= DivX412.dll
    "vidc.ffds"= C:\WINDOWS\system32\ffdshow.ax

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    S3 ATIVRVXX;ATI Rage Theatre Video (ATIRTCAP);C:\WINDOWS\System32\DRIVERS\atirtcap.sys [2001-08-17 20:49]

    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-06-21 15:38:57
    Windows 5.1.2600 Service Pack 1 FAT NTAPI

    Balayage processus cachés ...

    Balayage caché autostart entries ...

    Balayage des fichiers cachés ...

    Scan terminé avec succès
    Les fichiers cachés: 0

    **************************************************************************
    .
    --------------------- DLLs a chargé sous des processus courants ---------------------

    PROCESS: C:\WINDOWS\system32\winlogon.exe
    -> C:\WINDOWS\system32\Ati2evxx.dll
    -> C:\WINDOWS\System32\NavLogon.dll

    PROCESS: C:\WINDOWS\explorer.exe
    -> C:\Program Files\Panicware\Pop-Up Stopper\DPHOOK32.DLL
    -> C:\WINDOWS\PANICNT.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\PROGRAM FILES\LAVASOFT\AD-AWARE\AAWSERVICE.EXE
    D:\a-squared Anti-Malware\a2service.exe
    D:\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\system32\ZONELABS\vsmon.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    .
    **************************************************************************
    .
    Temps d'accomplissement: 2008-06-21 15:45:21 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-06-21 13:45:02
    ComboFix3.txt 2008-06-21 10:39:08
    ComboFix2.txt 2008-06-21 11:46:04

    Pre-Run: 587,309,056 octets libres
    Post-Run: 505,491,456 octets libres

    22 June 2008 14:10:19

    Re,

    Post a new HijackThis report.
    22 June 2008 18:06:15

    Attached is the new HijackThis report:

    Logfile of HijackThis v1.99.1
    Scan saved at 18:09:00, on 22/06/2008
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\Program Files\Panicware\Pop-Up Stopper\dpps2.exe
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    D:\a-squared Anti-Malware\a2guard.exe
    D:\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    D:\a-squared Anti-Malware\a2service.exe
    C:\WINDOWS\System32\alg.exe
    D:\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZONELABS\vsmon.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Patator\Bureau\hijackthis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
    O3 - Toolbar: (no name) - {B245B1AD-F282-4928-A4E5-0A9DBE0671DD} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\Program Files\Panicware\Pop-Up Stopper\dpps2.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [a-squared] "D:\a-squared Anti-Malware\a2guard.exe"
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Global Startup: Microsoft Office.lnk = E:\Logiciels\Office\Office10\OSA.EXE
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://E:\LOGICI~1\Office\Office10\EXCEL.EXE/3000
    O9 - Extra button: NoPopup - {09F0E7C2-01B0-4672-B81C-6471CFAD213E} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Cont...
    O16 - DPF: {B79A53C0-1DAC-4636-BACE-FD086A7A79BF} (AdSignerLCContrl Class) - https://static.impots.gouv.fr/tdir/static/adpform/AdSig...
    O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - D:\a-squared Anti-Malware\a2service.exe
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Unknown owner - C:\Program Files\NavNT\rtvscan.exe (file missing)
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
    22 June 2008 21:27:43

    Re,

    Open Spybot, click on the Mode tab and choose Advanced Mode
    Ignore the warning
    At the bottom left, click on Tools
    Still in the left-hand column, click on Resident (not in the central pane)
    And uncheck the Resident "TeaTimer" option (you can re-check it once we are done)

    ***********

    Relaunch HijackThis (right-click -> run as administrator under Vista), do a system scan only, check these lines (if still present):
    O3 - Toolbar: (no name) - {B245B1AD-F282-4928-A4E5-0A9DBE0671DD} - (no file)
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - Global Startup: Microsoft Office.lnk = E:\Logiciels\Office\Office10\OSA.EXE

    Close all running applications (especially your Internet browser).
    Then Fix Checked!

    ************

    Download and run: http://service1.symantec.com/SUPPORT/INTER/tsgeninfoint...
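A small triage helper, added here as an example and not part of the thread or of HijackThis itself, that reads lines in the HijackThis format shown in the reports above and flags the kind of entries the helper picked for Fix Checked: entries HijackThis itself marks as (no file) or (file missing), and autostart entries that point into the same directory as a service binary reported missing (an assumed heuristic for uninstall leftovers, which is why the NavNT vptray entry is flagged). The sample lines are copied from the report posted above.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: lines copied from the HijackThis report posted above.
SAMPLE_LOG = r"""
O3 - Toolbar: (no name) - {B245B1AD-F282-4928-A4E5-0A9DBE0671DD} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Logiciels\Office\Office10\OSA.EXE
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Unknown owner - C:\Program Files\NavNT\rtvscan.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
"""

# "O3 - rest", "O23 - rest", ...: the section code and the entry text.
LINE_RE = re.compile(r"^(O\d+) - (.*)$")
# First Windows path in the entry, up to a known binary/shortcut extension.
PATH_RE = re.compile(r'[A-Za-z]:\\[^\[\]"]*?\.(?:exe|dll|ocx|sys|lnk)', re.IGNORECASE)
# Markers HijackThis itself prints when the referenced file does not exist.
ORPHAN_MARKERS = ("(no file)", "(file missing)")


def parse_entry(line):
    """Return a dict for one O-line, or None for anything else (headers, process list)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, text = m.groups()
    pm = PATH_RE.search(text)
    return {
        "section": section,
        "text": text,
        "path": PureWindowsPath(pm.group(0)) if pm else None,
        "orphan": any(marker in text for marker in ORPHAN_MARKERS),
    }


def triage(log_text):
    """Flag entries worth reviewing; returns (section, text, reason) tuples in log order."""
    entries = [e for e in map(parse_entry, log_text.splitlines()) if e]
    # Heuristic (an assumption, not a HijackThis rule): when an O23 service binary is
    # reported missing, other autostart entries in that directory are usually leftovers.
    dead_dirs = {e["path"].parent for e in entries
                 if e["section"] == "O23" and e["orphan"] and e["path"]}
    findings = []
    for e in entries:
        if e["orphan"]:
            findings.append((e["section"], e["text"], "target file missing"))
        elif e["path"] and e["path"].parent in dead_dirs:
            findings.append((e["section"], e["text"],
                             "shares a directory with a missing service binary"))
    return findings


if __name__ == "__main__":
    for section, text, reason in triage(SAMPLE_LOG):
        print(f"{section}: {text}\n    -> {reason}")
```

Entries that merely look unneeded (NeroFilterCheck, the Office OSA shortcut) are not flagged by this logic; those still need a human looking at the whole log, as the helper did.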