mrofinu2000351.exe

Tags:
  • Internet Explorer
  • Security
6 May 2008 09:08:24

A moment's inattention, and I have apparently installed a little piece of junk, mrofinu2000351.exe. To be on the safe side, I'm sending this HijackThis log to find out whether there are any other malicious processes on my machine.

Thanks in advance.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:59:06, on 06/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20733)
Boot mode: Normal

Running processes:
C:\WINDOWS.0\System32\smss.exe
C:\WINDOWS.0\system32\winlogon.exe
C:\WINDOWS.0\system32\services.exe
C:\WINDOWS.0\system32\lsass.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\System32\svchost.exe
F:\Avast\aswUpdSv.exe
F:\Avast\ashServ.exe
C:\WINDOWS.0\Explorer.EXE
C:\WINDOWS.0\system32\spoolsv.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\ASUS\AI Booster\OverClk.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\WINDOWS.0\system32\RUNDLL32.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS.0\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\mrofinu2000351.exe
F:\Avast\ashDisp.exe
C:\WINDOWS.0\system32\ctfmon.exe
C:\program files\steam\steam.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Svconr\Svconr.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
F:\Avast\ashMaiSv.exe
F:\Avast\ashWebSv.exe
C:\WINDOWS.0\System32\svchost.exe
C:\WINDOWS.0\system32\wuauclt.exe
C:\WINDOWS.0\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: testCPV6 - {15421B84-3488-49A7-AD18-CBF84A3EFAF6} - C:\Program Files\Spcron\Spcron.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {9848DBB7-A9B3-4655-A712-462A177B95B2} - C:\WINDOWS.0\system32\khfCVOIy.dll (file missing)
O2 - BHO: (no name) - {FCBABDA2-801E-4F51-B6E8-0122032FB16B} - C:\WINDOWS.0\system32\pmnkKeEw.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Launch Ai Booster] "C:\Program Files\ASUS\AI Booster\OverClk.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [DeskMateAutoUpdate] C:\PROGRA~1\DESKMA~1\DeskMateAutoUpdate.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS.0\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS.0\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS.0\mrofinu2000351.exe 61A847B5BBF72810329B385577F801F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [avast!] F:\Avast\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS.0\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Svconr] C:\Program Files\Svconr\Svconr.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS.0\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS.0\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS.0\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS.0\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS.0\system32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Eric\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.0\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.0\Network Diagnostic\xpnetdiag.exe (file missing)
O20 - Winlogon Notify: pmnkKeEw - pmnkKeEw.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - F:\Avast\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - F:\Avast\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - F:\Avast\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - F:\Avast\ashWebSv.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS.0\system32\nvsvc32.exe

--
End of file - 7188 bytes
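As an added example (not code from this thread or from HijackThis), a small Python triage pass over lines taken from the log above. The heuristics are assumptions a reviewer might apply by hand: entries whose target file is missing, unnamed BHOs, Winlogon Notify hooks, random-looking 8-letter DLL names, and Run entries that launch from the Windows directory root or pass an opaque hex token as their only argument.

```python
import re

# Constructed sample: lines copied from the HijackThis 2.0.2 log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {9848DBB7-A9B3-4655-A712-462A177B95B2} - C:\WINDOWS.0\system32\khfCVOIy.dll (file missing)
O4 - HKLM\..\Run: [avast!] F:\Avast\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS.0\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [runner1] C:\WINDOWS.0\mrofinu2000351.exe 61A847B5BBF72810329B385577F801F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O20 - Winlogon Notify: pmnkKeEw - pmnkKeEw.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS.0\system32\nvsvc32.exe
"""

# Executable sitting directly in <drive>:\WINDOWS*\ rather than in a subfolder.
WIN_ROOT_EXE = re.compile(r"(?i)^[a-z]:\\windows[^\\]*\\[^\\]+\.exe$")
HEX_TOKEN = re.compile(r"^[0-9a-f]{32,}$", re.I)
O4_LINE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O2_LINE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-F-]+)\} - (?P<target>.+)$", re.I)
O20_LINE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<target>.+)$")


def split_command(cmd):
    """Split an O4 command into (executable, arguments); handles quoted paths."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    m = re.match(r"(?i)(\S.*?\.exe)(?:\s+(.*))?$", cmd)
    if m:
        return m.group(1), (m.group(2) or "").strip()
    head, _, tail = cmd.partition(" ")
    return head, tail.strip()


def looks_random(filename):
    """Heuristic (assumption): an 8-letter stem with mixed case, like khfCVOIy.dll."""
    stem = filename.rsplit("\\", 1)[-1].split(".")[0]
    if not re.fullmatch(r"[A-Za-z]{8}", stem):
        return False
    flips = sum(1 for a, b in zip(stem, stem[1:]) if a.isupper() != b.isupper())
    return flips >= 2


def triage(log_text):
    """Return {log line: [reasons]} for entries worth a second look."""
    findings = {}
    for line in log_text.splitlines():
        line = line.strip()
        reasons = []
        if "(file missing)" in line or "(no file)" in line:
            reasons.append("orphaned entry: target file missing")
        if (m := O2_LINE.match(line)):
            if m.group("name") == "(no name)":
                reasons.append("BHO without a name")
            if looks_random(m.group("target")):
                reasons.append("random-looking DLL name")
        elif (m := O4_LINE.match(line)):
            exe, args = split_command(m.group("cmd"))
            if WIN_ROOT_EXE.match(exe):
                reasons.append("autorun launched from the Windows directory root")
            if HEX_TOKEN.match(args):
                reasons.append("opaque hex token as sole argument")
        elif (m := O20_LINE.match(line)):
            reasons.append("Winlogon Notify hook")  # loaded at every logon; always review
            if looks_random(m.group("target")):
                reasons.append("random-looking DLL name")
        if reasons:
            findings[line] = reasons
    return findings


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG).items():
        print(entry, "\n   ->", "; ".join(why))
```

The legitimate avast!, Steam, NVIDIA and Java entries in the sample produce no finding; the four lines the helper later removes with ComboFix do.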


7 May 2008 07:14:59

Hello,

Download ComboFix (by sUBs) to your Desktop.

  • Temporarily disable all resident protection! (antivirus, antispyware, etc.)
  • Double-click ComboFix.exe.
  • Accept the licence by clicking Yes.
  • When the operation has finished, a report will appear. Post that report in your next reply.

The report is located here: %systemdrive%\ComboFix.txt (%systemdrive% being the partition where Windows is installed; usually C:\)

Help: How to use ComboFix.
7 May 2008 09:00:26

Thanks, here is the scan.



    ComboFix 08-05-01.3 - Eric 2008-05-07 8:46:54.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2591 [GMT 2:00]
    Running from: C:\Documents and Settings\Eric\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Eric\Application Data\inst.exe
    C:\Documents and Settings\Eric\Local Settings\Temporary Internet Files\bestwiner.stt
    C:\Documents and Settings\Eric\Local Settings\Temporary Internet Files\CPV.stt
    C:\Program Files\Temporary
    C:\WINDOWS.0\mrofinu2000351.exe
    C:\WINDOWS.0\mrofinu2000351.exe.tmp
    C:\WINDOWS.0\system32\yIOVCfhk.ini
    C:\WINDOWS.0\system32\yIOVCfhk.ini2

    .
    ((((((((((((((((((((((((( Files Created from 2008-04-07 to 2008-05-07 )))))))))))))))))))))))))))))))
    .

    2008-05-07 08:53 . 2008-05-07 08:53 <DIR> d-------- C:\WINDOWS.0\system32\xircom
    2008-05-07 08:53 . 2008-05-07 08:53 <DIR> d-------- C:\WINDOWS.0\srchasst
    2008-05-07 08:53 . 2008-05-07 08:53 <DIR> d-------- C:\Program Files\microsoft frontpage
    2008-05-06 08:58 . 2008-05-06 08:58 <DIR> d-------- C:\Program Files\Trend Micro
    2008-05-05 21:36 . 2008-05-05 21:36 <DIR> d-------- C:\Program Files\Spcron
    2008-05-05 21:31 . 2008-05-05 21:31 <DIR> d-------- C:\Program Files\Svconr
    2008-05-04 22:51 . 2008-05-04 22:51 435,712 --a------ C:\WINDOWS.0\system32\shellstyle.dll
    2008-05-04 22:01 . 2007-09-19 18:20 102,664 --a------ C:\WINDOWS.0\system32\drivers\tmcomm.sys
    2008-05-04 21:24 . 2008-03-15 17:57 199,445 --a------ C:\Documents and Settings\Eric\Application Data\toolbar.dll
    2008-05-03 20:20 . 2008-05-03 20:20 278,984 --a------ C:\WINDOWS.0\system32\drivers\atksgt.sys
    2008-05-03 20:20 . 2008-05-03 20:20 25,416 --a------ C:\WINDOWS.0\system32\drivers\lirsgt.sys
    2008-04-30 16:43 . 2008-04-30 16:43 <DIR> d-------- C:\Program Files\Lavasoft
    2008-04-30 16:43 . 2008-04-30 17:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-05-07 06:54 --------- d-----w C:\Program Files\Steam
    2008-05-07 06:36 --------- d-----w C:\Program Files\eMule
    2008-05-06 19:37 --------- d-----w C:\Documents and Settings\Eric\Application Data\Bioshock
    2008-05-06 10:08 --------- d-----w C:\Documents and Settings\Eric\Application Data\IMVU
    2008-05-06 07:35 --------- d-----w C:\Program Files\IMVU
    2008-05-05 19:58 --------- d-----w C:\Documents and Settings\Eric\Application Data\DNA
    2008-05-04 21:06 --------- d-----w C:\Program Files\InterVideo
    2008-05-04 21:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
    2008-05-04 21:03 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-05-04 21:03 --------- d-----w C:\Program Files\Logitech
    2008-05-04 21:03 --------- d-----w C:\Program Files\ASUS
    2008-05-04 21:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
    2008-05-04 20:57 --------- d-----w C:\Program Files\Paint.NET
    2008-05-04 20:56 --------- d-----w C:\Program Files\CyberLink
    2008-05-02 22:44 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
    2008-05-02 22:41 98,304 ----a-w C:\WINDOWS.0\DUMP4e7d.tmp
    2008-05-01 19:11 108,144 ----a-w C:\WINDOWS.0\system32\CmdLineExt.dll
    2008-04-30 15:58 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2008-04-29 17:51 98,304 ----a-w C:\WINDOWS.0\DUMP51c9.tmp
    2008-04-28 00:23 --------- d-----w C:\Documents and Settings\Eric\Application Data\OpenOffice.org2
    2008-03-29 19:57 98,304 ----a-w C:\WINDOWS.0\DUMP4e5e.tmp
    2008-03-26 20:09 --------- d-----w C:\Program Files\WowCartographe
    2008-03-25 20:03 98,304 ----a-w C:\WINDOWS.0\DUMP5236.tmp
    2008-03-23 02:48 98,304 ----a-w C:\WINDOWS.0\DUMP5c77.tmp
    2008-03-19 09:40 1,845,888 ----a-w C:\WINDOWS.0\system32\win32k.sys
    2008-03-19 09:40 1,845,888 ----a-w C:\WINDOWS.0\system32\dllcache\win32k.sys
    2008-03-13 06:31 --------- d-----w C:\Program Files\BitTorrent_DNA
    2008-03-13 06:31 --------- d-----w C:\Documents and Settings\Eric\Application Data\BitTorrent DNA
    2008-03-10 16:59 98,304 ----a-w C:\WINDOWS.0\DUMP4d83.tmp
    2008-03-08 03:42 --------- d-----w C:\Documents and Settings\Eric\Application Data\ImgBurn
    2008-03-08 02:43 --------- d-----w C:\Program Files\ImgBurn
    2008-03-07 10:24 409,600 ----a-w C:\WINDOWS.0\system32\wrap_oal.dll
    2008-03-07 10:24 114,688 ----a-w C:\WINDOWS.0\system32\OpenAL32.dll
    2008-03-07 10:24 --------- d-----w C:\Program Files\OpenAL
    2008-03-07 10:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\BigFishGamesCache
    2008-03-07 10:12 0 ----a-w C:\Program Files\temp01
    2008-03-07 10:12 --------- d-----w C:\Program Files\bfgclient
    2008-03-07 08:11 --------- d-----w C:\Program Files\Ubisoft
    2008-02-20 18:49 45,568 ----a-w C:\WINDOWS.0\system32\dnsrslvr.dll
    2008-02-20 18:49 45,568 ----a-w C:\WINDOWS.0\system32\dllcache\dnsrslvr.dll
    2008-02-20 06:52 282,624 ----a-w C:\WINDOWS.0\system32\gdi32.dll
    2008-02-20 06:52 282,624 ----a-w C:\WINDOWS.0\system32\dllcache\gdi32.dll
    2008-02-20 05:19 147,968 ----a-w C:\WINDOWS.0\system32\dllcache\dnsapi.dll
    2007-12-30 22:55 47,360 ----a-w C:\Documents and Settings\Eric\Application Data\pcouffin.sys
    2007-09-04 11:25 1,056 --sha-w C:\WINDOWS.0\system32\KGyGaAvL.sys
    2007-10-01 22:02 608 --sha-w C:\WINDOWS.0\system32\winzvprt5.sys
    2007-09-04 10:53 16,384 --sha-w C:\WINDOWS.0\system32\config\systemprofile\Cookies\index.dat
    2007-09-04 10:53 32,768 --sha-w C:\WINDOWS.0\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    2007-09-04 10:53 32,768 --sha-w C:\WINDOWS.0\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012007090420070905\index.dat
    2007-09-04 10:53 32,768 --sha-w C:\WINDOWS.0\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9848DBB7-A9B3-4655-A712-462A177B95B2}]
    C:\WINDOWS.0\system32\khfCVOIy.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS.0\system32\ctfmon.exe" [2004-08-04 03:56 15360]
    "Steam"="c:\program files\steam\steam.exe" [2008-03-29 21:58 1271032]
    "DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-08-16 13:24 167368]
    "WebCamRT.exe"="" []
    "BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [ ]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [ ]
    "Svconr"="C:\Program Files\Svconr\Svconr.exe" [2008-05-05 21:31 57344]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-11-15 00:43 286720]
    "Launch Ai Booster"="C:\Program Files\ASUS\AI Booster\OverClk.exe" [2006-07-24 15:32 3712512]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
    "DeskMateAutoUpdate"="C:\PROGRA~1\DESKMA~1\DeskMateAutoUpdate.exe" [2007-09-18 23:44 26160]
    "LVCOMS"="C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE" [2002-06-10 15:21 102400]
    "NvCplDaemon"="C:\WINDOWS.0\system32\NvCpl.dll" [2007-10-04 18:14 8491008]
    "nwiz"="nwiz.exe" [2007-10-04 18:14 1626112 C:\WINDOWS.0\system32\nwiz.exe]
    "NvMediaCenter"="C:\WINDOWS.0\system32\NvMcTray.dll" [2007-10-04 18:14 81920]
    "SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 15:34 868352]
    "SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2006-07-13 08:12 729088]
    "NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [ ]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS.0\system32\CTFMON.EXE" [2004-08-04 03:56 15360]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "nltide_3"="advpack.dll" [2007-12-07 04:01 124928 C:\WINDOWS.0\system32\advpack.dll]
    "ShowDeskFix"="regsvr32 /s /n /i:u shell32" []

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoDesktopCleanupWizard"= 1 (0x1)
    "HideRunAsVerb"= 1 (0x1)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoSMHelp"= 1 (0x1)
    "NoResolveTrack"= 1 (0x1)
    "NoResolveSearch"= 1 (0x1)
    "NoSMConfigurePrograms"= 1 (0x1)

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoSMHelp"= 1 (0x1)
    "NoResolveTrack"= 1 (0x1)
    "NoResolveSearch"= 1 (0x1)
    "NoSMConfigurePrograms"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnkKeEw]
    pmnkKeEw.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll
    "vidc.wmv3"= C:\PROGRA~1\COMBIN~1\Filters\wmv9vcm.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    "DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\THQ\\Gas Powered Games\\Supreme Commander\\bin\\SupremeCommander.exe"=
    "C:\\Program Files\\THQ\\Gas Powered Games\\GPGNet\\GPG.Multiplayer.Client.exe"=
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\MSN Messenger\\livecall.exe"=
    "C:\\Program Files\\BitTorrent_DNA\\dna.exe"=
    "C:\\Program Files\\BitTorrent\\bittorrent.exe"=

    R1 aswSP;avast! Self Protection;C:\WINDOWS.0\system32\drivers\aswSP.sys [2008-03-29 19:31]
    R2 aswFsBlk;aswFsBlk;C:\WINDOWS.0\system32\DRIVERS\aswFsBlk.sys [2008-03-29 19:35]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
    \Shell\AutoRun\command - D:\Setup.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8b996c4f-5ae2-11dc-bc0d-806d6172696f}]
    \Shell\AutoRun\command - D:\Setup.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ca0ed53f-79a1-11dc-a212-001a92e7dee6}]
    \Shell\AutoRun\command - C:\WINDOWS.0\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
    \Shell\Open(0)\command - Recycled\ctfmon.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dc684844-5ad7-11dc-a1d8-806d6172696f}]
    \Shell\AutoRun\command - D:\Autorun.exe

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-05-04 19:24:34 C:\WINDOWS.0\Tasks\At1.job"
    - C:\Documents and Settings\Eric\Application Data\wunauclt.exe
    "2008-05-04 19:24:34 C:\WINDOWS.0\Tasks\At2.job"
    - C:\Documents and Settings\Eric\Application Data\wunauclt.exe
    "2008-05-04 19:24:34 C:\WINDOWS.0\Tasks\At3.job"
    - C:\Documents and Settings\Eric\Application Data\wunauclt.exe
    "2008-05-04 19:25:36 C:\WINDOWS.0\Tasks\At4.job"
    - C:\Documents and Settings\Eric\Application Data\wunauclt.exe
    "2008-05-04 19:25:36 C:\WINDOWS.0\Tasks\At5.job"
    - C:\Documents and Settings\Eric\Application Data\wunauclt.exe
    "2008-05-04 19:25:36 C:\WINDOWS.0\Tasks\At6.job"
    - C:\Documents and Settings\Eric\Application Data\wunauclt.exe
    .
    **************************************************************************

    catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-05-07 08:54:09
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 171

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    F:\Avast\aswUpdSv.exe
    F:\Avast\ashServ.exe
    C:\WINDOWS.0\system32\nvsvc32.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
    C:\WINDOWS.0\system32\rundll32.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    F:\Avast\ashMaiSv.exe
    F:\Avast\ashWebSv.exe
    .
    **************************************************************************
    .
    Completion time: 2008-05-07 8:58:58 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-05-07 06:58:41

    Pre-Run: 219,067,838,464 bytes free
    Post-Run: 221,245,890,560 bytes free

    203 --- E O F --- 2008-05-06 23:08:28
7 May 2008 17:03:54

Re,

Download ZebRestore

Unzip it. Open the folder and launch it by double-clicking the exe.

Check:
- Policies

********

Select the whole of the box below:

    File::
    C:\Documents and Settings\Eric\Application Data\wunauclt.exe
    C:\WINDOWS.0\Tasks\At1.job
    C:\WINDOWS.0\Tasks\At2.job
    C:\WINDOWS.0\Tasks\At3.job
    C:\WINDOWS.0\Tasks\At4.job
    C:\WINDOWS.0\Tasks\At5.job
    C:\WINDOWS.0\Tasks\At6.job
    C:\WINDOWS.0\system32\pmnkKeEw.dll
    C:\WINDOWS.0\system32\khfCVOIy.dll
    C:\WINDOWS.0\DUMP4d83.tmp
    C:\WINDOWS.0\DUMP5236.tmp
    C:\WINDOWS.0\DUMP5c77.tmp
    C:\WINDOWS.0\DUMP4e7d.tmp
    C:\WINDOWS.0\DUMP51c9.tmp
    C:\WINDOWS.0\DUMP4e5e.tmp

    Folder::
    C:\Program Files\Svconr
    C:\Program Files\temp01
    C:\Program Files\Spcron

    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9848DBB7-A9B3-4655-A712-462A177B95B2}]
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WebCamRT.exe"=-
    "BitTorrent DNA"=-
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"=-
    "Svconr"=-
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "ShowDeskFix"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnkKeEw]


This will restart ComboFix. After the reboot, post the contents of the ComboFix.txt report.
If there is no reboot, post the report anyway.

  • Copy/paste it into Notepad (Start\All Programs\Accessories\Notepad).
  • Save it to your desktop under the name CFScript.txt
  • Now drag the CFScript.txt file onto ComboFix.exe as shown below:

  • This will restart ComboFix. Post the contents of the ComboFix.txt report after the reboot, if there is one.

********

- My Computer/Tools/Folder Options/View/Show hidden files and folders/Apply - - > OK
- My Computer/Tools/Folder Options/View/uncheck Hide protected operating system files/Apply - - > OK

Re-check these options afterwards!

Have this file scanned on this site >> VirusTotal <<

  • Click Browse at the top, choose My Computer and look for this file: C:\Documents and Settings\Eric\Application Data\toolbar.dll
  • Now click Send file.
  • Post the report (from File *** received on *** up to SHA1: ***)