fr.errorsafe.com et autre asiafriendfinder.com

Tags:
  • Windows
  • Security
Last reply: in Security and viruses
8 April 2007 21:40:08

Hello,

I've been infected for a few days (or longer without knowing it)... more specifically since a visit to a Russian underground site.

The visible part of the iceberg: redirects to fr.errorsafe.com and also asiafriendfinder.com.

I have Avast running resident.
I've run Spybot, AVG Anti-Spyware, CCleaner, Trojan Remover and Ad-Aware SE Personal...
AVG's last scan reports a Trojan.vundo.ah

Here is the HijackThis log, in case it can help you help me:

Logfile of HijackThis v1.99.1
Scan saved at 19:35:38, on 08.04.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avast4\ashServ.exe
C:\Program Files\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Avast4\ashDisp.exe
C:\Program Files\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis\HijackThis.exe

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\eogswfaa.dll",setvm
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office XP\Office10\OSA.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office XP\Office10\OSA.EXE
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.fr/scan_fr/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Cont...
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} -
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} -
O16 - DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} -
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} -
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.5.0_10) -
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} -
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

What can I do to get out of this???


a b 8 Security
8 Avril 2007 22:23:31

Hello,

Download VundoFix.exe (by Atribune) to your Desktop.
  • Double-click VundoFix.exe to launch it
  • Click the Scan for Vundo button
  • When the scan is complete, click the Remove Vundo button
  • A prompt will ask whether you want to delete the files; click YES
  • After clicking "Yes", the Desktop will disappear for a moment while the files are deleted
  • You will see a prompt telling you that your PC is going to reboot; click OK
  • Copy/paste the contents of the report located in C:\vundofix.txt, along with a new HijackThis log, in your next reply

    Note: VundoFix may run into a file it cannot delete. If so, the tool will launch again at the next reboot; simply follow the instructions above, starting from "click the Scan for Vundo button".
    9 Avril 2007 10:49:42

    Vundo is gone! Well done and thank you.
    I'll keep going down this path...

    Here is the VundoFix log for a start


    VundoFix V6.3.19

    Checking Java version...

    Java version is 1.5.0.6
    Old versions of java are exploitable and should be removed.

    Scan started at 23:14:11 08.04.2007

    Listing files found while scanning....

    C:\WINDOWS\system32\awtqq.dll
    C:\WINDOWS\system32\awttuuu.dll
    C:\WINDOWS\system32\byxvttu.dll
    C:\WINDOWS\system32\ehiypumf.dll
    C:\WINDOWS\system32\gpwrxoes.dll
    C:\WINDOWS\system32\lmlxmuhd.dll
    C:\WINDOWS\system32\qqtwa.bak2
    C:\WINDOWS\system32\qqtwa.ini
    C:\WINDOWS\system32\qqtwa.ini2
    C:\WINDOWS\system32\qqtwa.tmp
    C:\WINDOWS\system32\tkmyygxl.exe
    C:\WINDOWS\system32\ydbrlthu.exe
    C:\WINDOWS\system32\yremoxng.dll

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\awtqq.dll
    C:\WINDOWS\system32\awtqq.dll Could not be deleted.

    Attempting to delete C:\WINDOWS\system32\awttuuu.dll
    C:\WINDOWS\system32\awttuuu.dll Could not be deleted.

    Attempting to delete C:\WINDOWS\system32\byxvttu.dll
    C:\WINDOWS\system32\byxvttu.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\ehiypumf.dll
    C:\WINDOWS\system32\ehiypumf.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\lmlxmuhd.dll
    C:\WINDOWS\system32\lmlxmuhd.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\qqtwa.bak2
    C:\WINDOWS\system32\qqtwa.bak2 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\qqtwa.ini
    C:\WINDOWS\system32\qqtwa.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\qqtwa.ini2
    C:\WINDOWS\system32\qqtwa.ini2 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\qqtwa.tmp
    C:\WINDOWS\system32\qqtwa.tmp Has been deleted!

    Attempting to delete C:\WINDOWS\system32\tkmyygxl.exe
    C:\WINDOWS\system32\tkmyygxl.exe Has been deleted!

    Attempting to delete C:\WINDOWS\system32\ydbrlthu.exe
    C:\WINDOWS\system32\ydbrlthu.exe Has been deleted!

    Attempting to delete C:\WINDOWS\system32\yremoxng.dll
    C:\WINDOWS\system32\yremoxng.dll Has been deleted!

    Performing Repairs to the registry.
    Done!

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\awtqq.dll
    C:\WINDOWS\system32\awtqq.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\awttuuu.dll
    C:\WINDOWS\system32\awttuuu.dll Has been deleted!

    Performing Repairs to the registry.
    Done!

    VundoFix V6.3.19

    Checking Java version...

    Java version is 1.5.0.6
    Old versions of java are exploitable and should be removed.

    Scan started at 09:52:35 09.04.2007

    Listing files found while scanning....

    No infected files were found.

    a b 8 Security
    9 Avril 2007 12:32:06

    And the HijackThis log?
    10 Avril 2007 07:45:09

    Logfile of HijackThis v1.99.1
    Scan saved at 07:43:57, on 10.04.2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avast4\aswUpdSv.exe
    C:\Program Files\Avast4\ashServ.exe
    C:\Program Files\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\System32\cisvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Avast4\ashMaiSv.exe
    C:\Program Files\Avast4\ashWebSv.exe
    C:\PROGRA~1\Avast4\ashDisp.exe
    C:\Program Files\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\HijackThis\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {182B90A3-F372-438A-800C-6814B4DE417B} - (no file)
    O2 - BHO: (no name) - {41B8DF4A-0DCE-4650-B641-549B1902F36c} - (no file)
    O2 - BHO: (no name) - {4F0D0454-F232-4BF9-84C5-CC4795C9A400} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - (no file)
    O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll
    O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: (no name) - {D39389E2-CAB7-4847-949F-D9DCFBC1D282} - (no file)
    O2 - BHO: (no name) - {E4803AF5-859C-4F33-80AA-8289AEE3ED95} - (no file)
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\bqkirumu.dll",setvm
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office XP\Office10\OSA.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office XP\Office10\OSA.EXE
    O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.fr/scan_fr/scan8/oscan8.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Cont...
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} -
    O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} -
    O16 - DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} -
    O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} -
    O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.5.0_10) -
    O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} -
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -
    O20 - Winlogon Notify: awtqq - C:\WINDOWS\
    O20 - Winlogon Notify: awttuuu - C:\WINDOWS\
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

    10 Avril 2007 07:46:01

    I still have a Sound Service that tries to modify the registry at startup... is that normal?
    a b 8 Security
    10 Avril 2007 12:47:22

    Re,

    - Run HijackThis -> Do a system scan only
    -> Tick the lines below:

    O2 - BHO: (no name) - {182B90A3-F372-438A-800C-6814B4DE417B} - (no file)
    O2 - BHO: (no name) - {41B8DF4A-0DCE-4650-B641-549B1902F36c} - (no file)
    O2 - BHO: (no name) - {4F0D0454-F232-4BF9-84C5-CC4795C9A400} - (no file)
    O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - (no file)
    O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
    O2 - BHO: (no name) - {D39389E2-CAB7-4847-949F-D9DCFBC1D282} - (no file)
    O2 - BHO: (no name) - {E4803AF5-859C-4F33-80AA-8289AEE3ED95} - (no file)
    O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\bqkirumu.dll",setvm
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} -
    O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} -
    O16 - DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} -
    O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} -
    O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} -
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -
    O20 - Winlogon Notify: awtqq - C:\WINDOWS\
    O20 - Winlogon Notify: awttuuu - C:\WINDOWS\

    Click Fix checked (bottom left)

    Download OTMoveIt (by OldTimer). Save it to your Desktop.
    Select the location shown in bold below:

    C:\WINDOWS\system32\bqkirumu.dll

    ---> Right-click, then Copy

    Double-click OTMoveIt.exe to launch it.
    Right-click in the left-hand pane and choose Paste.
    Now click MoveIt!

    If a file or folder cannot be deleted immediately, the program will ask you to reboot.
    Accept by clicking YES.

    Post the report located in this folder: C:\_OTMoveIt\MovedFiles\
    The report's name is its creation date.
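As an added example (it is not part of this thread and not code from the HijackThis, VundoFix or OTMoveIt authors), here is a small Python triage script that applies the reasoning used in the reply above to HijackThis O2/O4/O20 lines, and that also spots the reversed-name file pairs (awtqq.dll / qqtwa.ini, jmllm.ini / mllmj.dll) visible in the VundoFix and ComboFix listings earlier in the thread. The sample lines are taken from the logs posted here; the "random-looking name" rule is a heuristic of my own and will produce false positives on some legitimate software.

```python
import re
from dataclasses import dataclass

# Constructed sample input, assembled from HijackThis v1.99.1 lines posted in
# this thread; a clean line is included for each category so the heuristics
# can be seen to leave legitimate entries alone.
SAMPLE_HJT = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {182B90A3-F372-438A-800C-6814B4DE417B} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\bqkirumu.dll",setvm
O20 - Winlogon Notify: awtqq - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# Constructed sample: a subset of the file names from the VundoFix listing above.
SAMPLE_VUNDOFIX_FILES = [
    r"C:\WINDOWS\system32\awtqq.dll",
    r"C:\WINDOWS\system32\byxvttu.dll",
    r"C:\WINDOWS\system32\qqtwa.ini",
    r"C:\WINDOWS\system32\qqtwa.bak2",
    r"C:\WINDOWS\system32\tkmyygxl.exe",
]

# Heuristic (assumption): Vundo components in these logs have 5-8 lowercase
# letters and no digits (bqkirumu, awtqq, eogswfaa). Legitimate DLLs can look
# like this too, so a hit is a lead for a human, not a verdict.
RANDOM_NAME = re.compile(r"^[a-z]{5,8}$")


@dataclass
class Finding:
    line: str
    reason: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def _looks_random(filename: str) -> bool:
    stem = filename.rsplit(".", 1)[0]
    return bool(RANDOM_NAME.match(stem))


def triage_hijackthis(log: str) -> list[Finding]:
    """Flag the three entry types the helper singled out in this thread."""
    findings: list[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("O2 - BHO:") and line.endswith("(no file)"):
            # CLSID still registered but the DLL is gone: leftover to clean up.
            findings.append(Finding(line, "orphan BHO"))
        elif line.startswith("O4 - ") and "rundll32" in line.lower():
            # Run key that makes rundll32 load a DLL: check the DLL's name.
            m = re.search(r'"?([A-Za-z]:\\[^",]+\.dll)"?', line)
            if m and _looks_random(_basename(m.group(1))):
                findings.append(Finding(line, "rundll32 loads random-named DLL"))
        elif line.startswith("O20 - Winlogon Notify:"):
            # Winlogon Notify entries run in winlogon's context; a random name
            # or a path with no DLL file name is the pattern seen in this log.
            name, _, path = line[len("O20 - Winlogon Notify:"):].partition(" - ")
            if path.strip().endswith("\\") or _looks_random(name.strip()):
                findings.append(Finding(line, "suspicious Winlogon Notify entry"))
    return findings


def reversed_name_pairs(paths: list[str]) -> list[tuple[str, str]]:
    """Pair files whose stems are mirror images of each other (awtqq <-> qqtwa),
    the naming scheme Vundo used for its DLL and its .ini/.bak helper files."""
    by_stem: dict[str, list[str]] = {}
    for p in paths:
        stem = _basename(p).rsplit(".", 1)[0].lower()
        by_stem.setdefault(stem, []).append(_basename(p))
    pairs = []
    for stem, names in sorted(by_stem.items()):
        mirror = stem[::-1]
        if mirror in by_stem and stem < mirror:  # report each pair once
            pairs.extend((a, b) for a in names for b in by_stem[mirror])
    return pairs


if __name__ == "__main__":
    for f in triage_hijackthis(SAMPLE_HJT):
        print(f"[{f.reason}] {f.line}")
    for a, b in reversed_name_pairs(SAMPLE_VUNDOFIX_FILES):
        print(f"[reversed-name pair] {a} <-> {b}")
```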
    8 Juin 2007 23:30:27

    DllUnregisterServer procedure not found in C:\WINDOWS\system32\wulcogyt.dll
    C:\WINDOWS\system32\wulcogyt.dll NOT unregistered.
    C:\WINDOWS\system32\wulcogyt.dll moved successfully.
    C:\Documents and Settings\All Users\Application Data\vajmfsjo.exe moved successfully.
    DllUnregisterServer procedure not found in C:\WINDOWS\system32\jkkiged.dll
    C:\WINDOWS\system32\jkkiged.dll NOT unregistered.
    File move failed. C:\WINDOWS\system32\jkkiged.dll scheduled to be moved on reboot.
    DllUnregisterServer procedure not found in C:\WINDOWS\system32\yytcftay.dll
    C:\WINDOWS\system32\yytcftay.dll NOT unregistered.
    C:\WINDOWS\system32\yytcftay.dll moved successfully.
    C:\WINDOWS\system32\windevx.exe moved successfully.
    DllUnregisterServer procedure not found in C:\WINDOWS\system32\windevx.dll
    C:\WINDOWS\system32\windevx.dll NOT unregistered.
    C:\WINDOWS\system32\windevx.dll moved successfully.
    DllUnregisterServer procedure not found in C:\WINDOWS\system32\heamqrrg.dll
    C:\WINDOWS\system32\heamqrrg.dll NOT unregistered.
    C:\WINDOWS\system32\heamqrrg.dll moved successfully.
    C:\WINDOWS\system32\gfgyyosp.exe moved successfully.
    C:\WINDOWS\system32\xsjbxboo.exe moved successfully.
    LoadLibrary failed for C:\WINDOWS\system32\j5241133.dll
    C:\WINDOWS\system32\j5241133.dll NOT unregistered.
    C:\WINDOWS\system32\j5241133.dll moved successfully.

    Created on 06-08-2007 23:21:32
    9 Juin 2007 23:20:53

    "Serge" - 2007-06-09 23:13:32 Service Pack 2 NTFS
    ComboFix 07-06-3B - Running from: "C:\Documents and Settings\Serge\Bureau\"
    Command switches used :: "/v jkkiged mllmj"


    (((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\system32\jmllm.bak1
    C:\WINDOWS\system32\jmllm.bak2
    C:\WINDOWS\system32\jmllm.ini
    C:\WINDOWS\system32\jmllm.tmp
    C:\WINDOWS\system32\jmllm.bak1
    C:\WINDOWS\system32\jmllm.bak2
    C:\WINDOWS\system32\jmllm.ini
    C:\WINDOWS\system32\jkkiged.dll
    C:\WINDOWS\system32\mllmj.dll


    * * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



    ((((((((((((((((((((((((( Files Created from 2007-05-09 to 2007-06-09 )))))))))))))))))))))))))))))))


    2007-06-09 17:07 <REP> d-------- C:\sj787
    2007-06-09 17:07 <REP> d-------- C:\sj786
    2007-06-09 17:07 <REP> d-------- C:\col1832
    2007-06-09 17:07 <REP> d-------- C:\COL10439
    2007-06-09 17:06 <REP> d-------- C:\sj668
    2007-06-09 17:06 <REP> d-------- C:\sj667
    2007-06-09 17:05 <REP> d-------- C:\sj620
    2007-06-09 17:04 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
    2007-06-09 08:59 131,124 --a------ C:\WINDOWS\system32\efitffhv.dll
    2007-06-09 08:09 <REP> d-------- C:\DOCUME~1\Serge\APPLIC~1\Dossier de t‚l‚chargement Share-to-Web
    2007-06-09 08:09 <REP> d-------- C:\DOCUME~1\Serge\APPLIC~1\Dossier de t‚l‚chargement Share-to-Web
    2007-06-09 08:08 <REP> d-------- C:\Program Files\Hewlett-Packard
    2007-06-09 08:08 <REP> d-------- C:\Program Files\Fichiers communs\Hewlett-Packard
    2007-06-09 00:05 <REP> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2007-06-08 20:21 49,152 --a------ C:\WINDOWS\nircmd.exe
    2007-06-08 19:33 <REP> d-------- C:\VundoFix Backups
    2007-06-06 21:23 757,760 --a------ C:\WINDOWS\system32\bcm1xsup.dll
    2007-06-06 21:23 69,632 --a------ C:\WINDOWS\system32\bcmwlpkt.dll
    2007-06-06 21:23 604,928 --a------ C:\WINDOWS\system32\drivers\BCMWL5.SYS
    2007-06-06 21:23 33,664 --a------ C:\WINDOWS\system32\drivers\BCMWLNPF.SYS
    2007-06-06 21:23 2,129,920 --a------ C:\WINDOWS\system32\WLBCGCBPRO731.DLL
    2007-06-06 21:21 53,248 --------- C:\WINDOWS\system32\preflb0.dll
    2007-06-06 21:21 36,864 --------- C:\WINDOWS\system32\MAXguninst.exe
    2007-06-06 21:21 327,680 --------- C:\WINDOWS\system32\Diogenes.dll
    2007-06-06 21:21 17,992 --------- C:\WINDOWS\system32\drivers\bcm42rly.sys
    2007-06-06 18:59 24,816 --a------ C:\WINDOWS\system32\mdimon.dll
    2007-06-06 18:51 <REP> d-------- C:\WINDOWS\SHELLNEW
    2007-06-06 18:51 <REP> d-------- C:\Program Files\Microsoft.NET
    2007-06-06 18:48 <REP> dr-h----- C:\MSOCache
    2007-06-06 17:50 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
    2007-06-05 22:01 <REP> d-------- C:\Program Files\MAMMUT_PRIVATE
    2007-06-05 21:21 <REP> d-------- C:\DOCUME~1\Serge\APPLIC~1\Google
    2007-06-05 21:21 <REP> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
    2007-06-05 21:20 <REP> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google Updater
    2007-06-05 20:59 <REP> d-------- C:\Program Files\Fichiers communs\C-CHANNEL
    2007-06-05 20:59 <REP> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\C-CHANNEL
    2007-06-05 20:57 <REP> d--h----- C:\Program Files\Zero G Registry
    2007-06-05 20:57 <REP> d--h----- C:\DOCUME~1\Serge\InstallAnywhere
    2007-06-05 20:57 <REP> d-------- C:\Program Files\yellownet
    2007-06-05 20:50 <REP> d-------- C:\Program Files\Microsoft Money
    2007-06-05 20:49 <REP> d-------- C:\Program Files\PowerArchiver
    2007-06-05 20:29 <REP> d-------- C:\DOCUME~1\Serge\APPLIC~1\Logitech
    2007-06-05 20:12 94,208 --a------ C:\WINDOWS\system32\Msstkprp.dll
    2007-06-05 20:12 90,112 --a------ C:\WINDOWS\system32\mam_ynet128.dll
    2007-06-05 20:12 89,360 --a------ C:\WINDOWS\system32\Vb5db.dll
    2007-06-05 20:12 8,192 --a------ C:\WINDOWS\system32\Msprpde.dll
    2007-06-05 20:12 72,704 --a------ C:\WINDOWS\system32\Odbctl32.dll
    2007-06-05 20:12 7,495,680 --a------ C:\WINDOWS\system32\MAM_EZ.dll
    2007-06-05 20:12 659,456 --a------ C:\WINDOWS\system32\SSLInterface.dll
    2007-06-05 20:12 64,512 --a------ C:\WINDOWS\system32\Mscc2de.dll
    2007-06-05 20:12 6,656 --a------ C:\WINDOWS\system32\Stdftde.dll
    2007-06-05 20:12 53,248 --a------ C:\WINDOWS\system32\mam_phoenix.dll
    2007-06-05 20:12 49,152 --a------ C:\WINDOWS\system32\vertrag_dll_private.dll
    2007-06-05 20:12 49,152 --a------ C:\WINDOWS\system32\Konto_dll_p.dll
    2007-06-05 20:12 45,056 --a------ C:\WINDOWS\system32\Vertrag_dll_com_sbs.dll
    2007-06-05 20:12 45,056 --a------ C:\WINDOWS\system32\network_dll.dll
    2007-06-05 20:12 45,056 --a------ C:\WINDOWS\system32\kurse_dll.dll
    2007-06-05 20:12 42,496 --a------ C:\WINDOWS\system32\Flxgdde.dll
    2007-06-05 20:12 40,960 --a------ C:\WINDOWS\system32\Vertrag_dll_frei_p.dll
    2007-06-05 20:12 385,024 --a------ C:\WINDOWS\system32\Sbc_private.dll
    2007-06-05 20:12 368,640 --a------ C:\WINDOWS\system32\Exportassistent.dll
    2007-06-05 20:12 36,864 --a------ C:\WINDOWS\system32\MAMMUT_CRYPT.DLL
    2007-06-05 20:12 36,864 --a------ C:\WINDOWS\system32\DEPOT_MODUL_P.dll
    2007-06-05 20:12 36,352 --a------ C:\WINDOWS\system32\Rchtxde.dll
    2007-06-05 20:12 33,792 --a------ C:\WINDOWS\system32\Cmdlgde.dll
    2007-06-05 20:12 32,768 --a------ C:\WINDOWS\system32\Vertrag_dll_wbe_p.dll
    2007-06-05 20:12 32,768 --a------ C:\WINDOWS\system32\vertrag_dll_sbs_p.dll
    2007-06-05 20:12 32,768 --a------ C:\WINDOWS\system32\mamprop.dll
    2007-06-05 20:12 32,768 --a------ C:\WINDOWS\system32\iban_modul.dll
    2007-06-05 20:12 3,870,720 --a------ C:\WINDOWS\system32\STAMMLISTE_P.dll
    2007-06-05 20:12 3,510,272 --a------ C:\WINDOWS\system32\MAM_EMAILS.dll
    2007-06-05 20:12 3,420,160 --a------ C:\WINDOWS\system32\mam_za_private.dll
    2007-06-05 20:12 3,112,960 --a------ C:\WINDOWS\system32\Kontobewegungen_p.dll
    2007-06-05 20:12 28,672 --a------ C:\WINDOWS\system32\vertrag_dll_com_frei_p.dll
    2007-06-05 20:12 28,672 --a------ C:\WINDOWS\system32\mam_ras_config.dll
    2007-06-05 20:12 28,672 --a------ C:\WINDOWS\system32\Cmct3de.dll
    2007-06-05 20:12 252,176 --a------ C:\WINDOWS\system32\Msrd2x35.dll
    2007-06-05 20:12 249,856 --a------ C:\WINDOWS\system32\DB_UTIL.DLL
    2007-06-05 20:12 24,848 --a------ C:\WINDOWS\system32\Msjter35.dll
    2007-06-05 20:12 24,576 --a------ C:\WINDOWS\system32\scrrnde.dll
    2007-06-05 20:12 233,472 --a------ C:\WINDOWS\system32\MAM_SHOW_GRAFIK.dll
    2007-06-05 20:12 22,528 --a------ C:\WINDOWS\system32\Tabctde.dll
    2007-06-05 20:12 192,512 --a------ C:\WINDOWS\system32\MAM_IMPORT_PLUGIN.DLL
    2007-06-05 20:12 16,896 --a------ C:\WINDOWS\system32\Winskde.dll
    2007-06-05 20:12 16,384 --a------ C:\WINDOWS\system32\Inetde.dll
    2007-06-05 20:12 158,208 --a------ C:\WINDOWS\system32\Mscmcde.dll
    2007-06-05 20:12 14,336 --a------ C:\WINDOWS\system32\Mscomde.dll
    2007-06-05 20:12 118,784 --a------ C:\WINDOWS\system32\Msstdfmt.dll
    2007-06-05 20:12 112,640 --a------ C:\WINDOWS\system32\Cmctlde.dll
    2007-06-05 20:12 1,949,696 --a------ C:\WINDOWS\system32\wizard_auftrag_dll.dll
    2007-06-05 20:12 1,458,176 --a------ C:\WINDOWS\system32\mam_wbe.dll
    2007-06-05 20:12 1,372,160 --a------ C:\WINDOWS\system32\ZV_DLL.DLL
    2007-06-05 20:12 1,040,384 --a------ C:\WINDOWS\system32\MAMMUT2000_transfer.dll
    2007-06-05 20:12 1,040,384 --a------ C:\WINDOWS\system32\maintain_p.dll
    2007-06-05 20:03 <REP> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
    2007-06-05 20:02 <REP> d-------- C:\Program Files\Migros Livre Photo
    2007-06-05 20:01 59,904 --a------ C:\WINDOWS\system32\MSCC2FR.DLL
    2007-06-05 20:01 23,552 --a------ C:\WINDOWS\system32\MSMPIDE.DLL
    2007-06-05 20:01 141,312 --a------ C:\WINDOWS\system32\MSCMCFR.DLL
    2007-06-05 20:01 119,568 --a------ C:\WINDOWS\system32\VB6FR.DLL


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-06-09 16:40:40 65,362 ----a-w C:\WINDOWS\system32\perfc00C.dat
    2007-06-09 16:40:40 449,322 ----a-w C:\WINDOWS\system32\perfh00C.dat
    2007-06-09 06:09:18 -------- d-----w C:\DOCUME~1\Serge\APPLIC~1\Dossier de téléchargement Share-to-Web
    2007-06-09 06:09:18 -------- d-----w C:\DOCUME~1\Serge\APPLIC~1\Dossier de téléchargement Share-to-Web
    2007-06-09 06:09:06 -------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-06-05 17:26:59 -------- d-----w C:\Program Files\Sonic
    2007-06-05 17:11:52 -------- d-----w C:\Program Files\Fichiers communs\Symantec Shared
    2007-06-05 17:11:51 -------- d-----w C:\Program Files\Symantec
    2007-06-05 16:52:51 -------- d-----w C:\Program Files\Fichiers communs\ODBC
    2007-06-05 16:35:42 -------- d-----w C:\Program Files\Fichiers communs\InstallShield
    2007-04-18 16:14:18 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
    2007-04-16 20:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
    2007-04-16 20:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2007-04-16 20:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
    2007-04-16 20:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
    2007-04-16 20:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
    2007-04-16 20:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
    2007-04-16 20:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2007-04-16 20:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
    2007-04-16 20:43:40 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
    2007-03-17 13:44:47 293,376 ----a-w C:\WINDOWS\system32\winsrv.dll
    2004-08-05 11:00:00 94,864 --sh--w C:\WINDOWS\twain.dll
    2004-08-05 11:00:00 50,688 --sh--w C:\WINDOWS\twain_32.dll
    2004-08-05 11:00:00 1,028,096 --sh--w C:\WINDOWS\system32\mfc42.dll
    2004-08-05 11:00:00 54,784 --sh--w C:\WINDOWS\system32\msvcirt.dll
    2004-08-05 11:00:00 413,696 --sh--w C:\WINDOWS\system32\msvcp60.dll
    2004-08-05 11:00:00 343,040 --sh--w C:\WINDOWS\system32\msvcrt.dll
    2004-08-05 11:00:00 553,472 --sh--w C:\WINDOWS\system32\oleaut32.dll
    2004-08-05 11:00:00 83,456 --sh--w C:\WINDOWS\system32\olepro32.dll
    2004-08-05 11:00:00 12,288 --sh--w C:\WINDOWS\system32\regsvr32.exe


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {2AEE4056-23F6-4F2D-9198-543C50E9C1F7}=C:\WINDOWS\system32\ddcyw.dll []
    {5CA3D70E-1895-11CF-8E15-001234567890}=C:\WINDOWS\System32\DLA\DLASHX_W.DLL [2005-11-07 05:20]
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
    {9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-08-31 20:33]
    {AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar1.dll [2007-06-05 21:21]
    {AF69DE43-7D58-4638-B6FA-CE66B5AD205D}=C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll [2007-06-05 21:20]
    {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}=C:\Program Files\Windows Live Toolbar\msntb.dll [2007-02-12 15:56]
    {E12BFF69-38A7-406e-A8EF-2738107A7831}=C:\WINDOWS\system32\yytcftay.dll []
    {FDD3B846-8D59-4ffb-8758-209B6AD74ACC}=C:\Program Files\Microsoft Money\System\mnyviewer.dll [2001-07-25 10:00]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
    "SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 00:20 C:\WINDOWS\STSYSTRA.EXE]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 13:52]
    "DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 17:19]
    "DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 02:02]
    "ISUSPM Startup"="C:\PROGRA~1\FICHIE~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 17:50]
    "ISUSScheduler"="C:\Program Files\Fichiers communs\InstallShield\UpdateService\issch.exe" [2004-07-27 17:50]
    "Easy-PrintToolBox"="C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe" [2004-01-14 03:10]
    "Logitech Hardware Abstraction Layer"="C:\Program Files\Fichiers communs\Logitech\khalshared\KHALMNPR.EXE" [2006-07-19 12:03]
    "@"="" []
    "Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-07-19 12:03 C:\WINDOWS\KHALMNPR.Exe]
    "C-Media Mixer"="Mixer.exe" [2002-10-15 18:00 C:\WINDOWS\mixer.exe]
    "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 17:42]
    "Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-05-02 08:08]
    "ADUserMon"="C:\Program Files\Iomega\AutoDisk\ADUserMon.exe" [2002-09-24 16:39]
    "Iomega Drive Icons"="C:\Program Files\Iomega\DriveIcons\ImgIcon.exe" [2002-08-13 14:30]
    "Deskup"="C:\Program Files\Iomega\DriveIcons\deskup.exe" [2002-07-16 10:55]
    "MoneyStartUp10.0"="C:\Program Files\Microsoft Money\System\Activation.exe" [2001-07-25 10:00]
    "zzzHPSETUP"="E:\Setup.exe" []
    "Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 09:11]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-05 13:00]
    "MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:55]

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


    Contents of the 'Scheduled Tasks' folder
    2007-06-09 21:16:01 C:\WINDOWS\tasks\Symantec NetDetect.job
    2007-06-09 20:28:02 C:\WINDOWS\tasks\Vérifier les mises à jour de Windows Live Toolbar.job

    **************************************************************************

    catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-06-09 23:18:28
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-06-09 23:19:43 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-06-09 23:19
    C:\ComboFix2.txt ... 2007-06-08 20:23

    --- E O F ---