Thanks for your help, destrio.
Sorry for the delay... I'm in the Caribbean and we have a 6-hour time difference.
I ran ComboFix on infected PC 2.
Here is the report:
ComboFix 08-07-23.5 - Frederico 2008-07-24 15:56:48.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.632 [GMT -4:00]
Running from: C:\Documents and Settings\Frederico\Desktop\ComboFix.exe
* Created a new restore point
[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\autorun.inf
C:\Documents and Settings\Frederico\ravmonlog
C:\WINDOWS\ravmone.exe
C:\WINDOWS\system32\ckvo.exe
C:\WINDOWS\system32\ckvo0.dll
C:\WINDOWS\system32\kavo.exe
C:\WINDOWS\system32\kavo0.dll
C:\WINDOWS\system32\kavo1.dll
C:\WINDOWS\system32\tavo.exe
C:\WINDOWS\system32\tavo0.dll
C:\WINDOWS\system32\tavo1.dll
.
((((((((((((((((((((((((( Files Created from 2008-06-24 to 2008-07-24 )))))))))))))))))))))))))))))))
.
2008-07-23 17:42 . 2008-07-23 17:42 <DIR> d-------- C:\Program Files\PrevxCSI
2008-07-23 17:42 . 2008-07-23 17:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-07-23 17:42 . 2008-07-23 17:42 17,408 --a------ C:\WINDOWS\system32\drivers\pxark.sys
2008-07-23 17:06 . 2008-07-23 17:07 <DIR> d-------- C:\WINDOWS\ERUNT
2008-07-23 16:57 . 2008-07-23 17:19 <DIR> d-------- C:\SDFix
2008-07-23 16:26 . 2008-07-23 16:45 <DIR> d-------- C:\VundoFix Backups
2008-07-23 16:25 . 2008-07-22 15:00 119,808 --a------ C:\VundoFix.exe
2008-07-23 15:14 . 2008-07-23 15:14 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-23 15:14 . 2008-07-23 15:14 812,344 --a------ C:\Program Files\HJTInstall.exe
2008-07-23 12:27 . 2008-07-23 17:20 117,946 -r-hs---- C:\g2pfnid.com
2008-07-23 11:59 . 2008-07-23 17:20 130,904 -r-hs---- C:\ceqfqp.bat
2008-07-21 00:40 . 2008-07-21 06:24 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-21 00:40 . 2008-07-21 00:40 <DIR> d-------- C:\Documents and Settings\Frederico\Application Data\Malwarebytes
2008-07-21 00:40 . 2008-07-21 00:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-21 00:40 . 2008-07-20 20:21 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-21 00:40 . 2008-07-20 20:21 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-21 00:39 . 2008-07-21 00:39 1,830,984 --a------ C:\Program Files\mbam-setup.exe
2008-07-20 18:52 . 2008-07-20 19:21 117,009 -r-hs---- C:\ybj8df.exe
2008-07-17 12:06 . 2008-07-17 14:14 131,870 -r-hs---- C:\e6.com
2008-07-16 19:42 . 2008-07-23 17:20 77,312 -r-hs---- C:\WINDOWS\system32\ckvo1.dll
2008-07-16 19:41 . 2008-07-16 19:42 115,233 -r-hs---- C:\p83gjy.exe
2008-07-16 19:10 . 2008-07-07 08:19 130,407 -r-hs---- C:\8uot.exe
2008-07-15 02:28 . 2008-07-15 02:29 <DIR> d-------- C:\Program Files\PacificPoker4
2008-07-07 11:53 . 2008-07-07 11:53 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR
2008-07-07 10:22 . 2008-07-07 11:39 35,124,856 --a------ C:\Program Files\AdbeRdr90_en_US.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-24 19:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-07-24 19:12 --------- d-----w C:\Program Files\AVPersonal
2008-07-14 03:31 --------- d-----w C:\Documents and Settings\Frederico\Application Data\PacificPoker4
2008-07-07 15:43 --------- d-----w C:\Program Files\Common Files\Adobe
2005-11-21 21:37 9,352,392 ----a-w C:\Program Files\Install_MSN_Messenger.exe
2005-03-27 00:05 2,481,207 -c--a-w C:\Program Files\SiteMapper2.exe
2005-03-26 23:51 3,755,091 -c--a-w C:\Program Files\httrack-3.33.exe
2005-03-26 06:30 4,739,854 -c--a-w C:\Program Files\20030828132149359_Ml1210_Common.exe
2005-03-25 12:59 320,000 -c--a-w C:\Program Files\ie-spyad.exe
2005-03-25 09:19 226,584 -c--a-w C:\Program Files\jre-1_5_0_02-windows-i586-p-iftw.exe
2005-03-20 21:06 1,392,611 -c--a-w C:\Program Files\absetup.exe
2001-11-23 04:08 712,704 -c--a-r C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-15 12:00 68856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVGCtrl"="C:\Program Files\AVPersonal\AVGNT.EXE" [2004-04-22 14:39 118824]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-02-27 05:31 69632]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-02-27 04:36 757760]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43 83608]
"RoxioAudioCentral"="C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-02-26 16:50 253952]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2003-07-01 12:56 1130546]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41 49152]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 02:38 34672]
"VTTimer"="VTTimer.exe" [2004-01-15 08:33 49152 C:\WINDOWS\system32\VTTimer.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 03:56 15360]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart16.exe [2004-02-24 21:35:22 10872]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-05-15 12:00:58 124400]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22 288472]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.fvfw"= ffvfw.dll
"vidc.xvid"= xvid.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"17948:TCP"= 17948:TCP:NortonAV
"17428:TCP"= 17428:TCP:NortonAV
"13761:TCP"= 13761:TCP:NortonAV
"18079:TCP"= 18079:TCP:NortonAV
"12196:TCP"= 12196:TCP:NortonAV
"18374:TCP"= 18374:TCP:NortonAV
"16468:TCP"= 16468:TCP:NortonAV
"13258:TCP"= 13258:TCP:NortonAV
"16047:TCP"= 16047:TCP:NortonAV
"18556:TCP"= 18556:TCP:NortonAV
"12525:TCP"= 12525:TCP:NortonAV
"12724:TCP"= 12724:TCP:NortonAV
"13966:TCP"= 13966:TCP:NortonAV
"18251:TCP"= 18251:TCP:NortonAV
"15620:TCP"= 15620:TCP:NortonAV
"16658:TCP"= 16658:TCP:NortonAV
"16629:TCP"= 16629:TCP:NortonAV
"17339:TCP"= 17339:TCP:NortonAV
"14577:TCP"= 14577:TCP:NortonAV
"14895:TCP"= 14895:TCP:NortonAV
"14521:TCP"= 14521:TCP:NortonAV
"13959:TCP"= 13959:TCP:NortonAV
"12254:TCP"= 12254:TCP:NortonAV
"13842:TCP"= 13842:TCP:NortonAV
"16621:TCP"= 16621:TCP:NortonAV
"13787:TCP"= 13787:TCP:NortonAV
"17252:TCP"= 17252:TCP:NortonAV
"15473:TCP"= 15473:TCP:NortonAV
"16611:TCP"= 16611:TCP:NortonAV
"13040:TCP"= 13040:TCP:NortonAV
"16850:TCP"= 16850:TCP:NortonAV
"15267:TCP"= 15267:TCP:NortonAV
"15896:TCP"= 15896:TCP:NortonAV
"13693:TCP"= 13693:TCP:NortonAV
"18188:TCP"= 18188:TCP:NortonAV
"16622:TCP"= 16622:TCP:NortonAV
"13080:TCP"= 13080:TCP:NortonAV
"14117:TCP"= 14117:TCP:NortonAV
"16820:TCP"= 16820:TCP:NortonAV
"14729:TCP"= 14729:TCP:NortonAV
"17471:TCP"= 17471:TCP:NortonAV
"18328:TCP"= 18328:TCP:NortonAV
"12211:TCP"= 12211:TCP:NortonAV
"16955:TCP"= 16955:TCP:NortonAV
"12247:TCP"= 12247:TCP:NortonAV
"13116:TCP"= 13116:TCP:NortonAV
"15012:TCP"= 15012:TCP:NortonAV
"18487:TCP"= 18487:TCP:NortonAV
"18317:TCP"= 18317:TCP:NortonAV
"13103:TCP"= 13103:TCP:NortonAV
"18701:TCP"= 18701:TCP:NortonAV
"18980:TCP"= 18980:TCP:NortonAV
"13572:TCP"= 13572:TCP:NortonAV
"12569:TCP"= 12569:TCP:NortonAV
"13528:TCP"= 13528:TCP:NortonAV
"12474:TCP"= 12474:TCP:NortonAV
"16244:TCP"= 16244:TCP:NortonAV
"15927:TCP"= 15927:TCP:NortonAV
"15299:TCP"= 15299:TCP:NortonAV
"16728:TCP"= 16728:TCP:NortonAV
"12493:TCP"= 12493:TCP:NortonAV
"17232:TCP"= 17232:TCP:NortonAV
R0 pxark;pxark;C:\WINDOWS\system32\drivers\pxark.sys [2008-07-23 17:42]
R2 AVWUpSrv;AntiVir Update;C:\Program Files\AVPersonal\AVWUPSRV.EXE [2003-09-12 09:12]
R2 CSIScanner;CSIScanner;C:\Program Files\PrevxCSI\prevxcsi.exe [2008-07-23 17:42]
R3 avgntdd;avgntdd;C:\Program Files\AVPersonal\AVGNTDD.SYS [2004-05-18 09:18]
S3 crtaud;Conexant Riptide WDM Audio Driver;C:\WINDOWS\system32\drivers\crtaud.sys [2001-08-17 12:19]
S3 GT680xNT;ColorPage-Vivid 1200XE;C:\WINDOWS\system32\drivers\gt680x.sys []
S3 rpfun;Conexant Riptide Dummy Driver;C:\WINDOWS\system32\drivers\rpfun.sys [2001-08-17 12:19]
S3 rthwcls;Conexant Riptide Bus / Firmware Downloader;C:\WINDOWS\system32\drivers\rthwcls.sys [2001-08-17 12:19]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
\Shell\AutoRun\command - C:\g2pfnid.com
\Shell\explore\Command - C:\g2pfnid.com
\Shell\open\Command - C:\g2pfnid.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\g2pfnid.com
\Shell\explore\Command - D:\g2pfnid.com
\Shell\open\Command - D:\g2pfnid.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\g2pfnid.com
\Shell\explore\Command - F:\g2pfnid.com
\Shell\open\Command - F:\g2pfnid.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\g2pfnid.com
\Shell\explore\Command - G:\g2pfnid.com
\Shell\open\Command - G:\g2pfnid.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\g2pfnid.com
\Shell\explore\Command - H:\g2pfnid.com
\Shell\open\Command - H:\g2pfnid.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\K]
\Shell\AutoRun\command - K:\g2pfnid.com
\Shell\explore\Command - K:\g2pfnid.com
\Shell\open\Command - K:\g2pfnid.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\L]
\Shell\AutoRun\command - L:\g2pfnid.com
\Shell\explore\Command - L:\g2pfnid.com
\Shell\open\Command - L:\g2pfnid.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\M]
\Shell\AutoRun\command - M:\g2pfnid.com
\Shell\explore\Command - M:\g2pfnid.com
\Shell\open\Command - M:\g2pfnid.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ecf9b0fc-5381-11dd-961a-00e04ccb40db}]
\Shell\AutoRun\command - E:\e6.com
\Shell\explore\Command - E:\e6.com
\Shell\open\Command - E:\e6.com
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-ares - C:\Program Files\Ares\Ares.exe
HKCU-Run-updateMgr - C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKCU-Run-kamsoft - C:\WINDOWS\system32\ckvo.exe
HKLM-Run-Cmaudio - cmicnfg.cpl
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com.do/
R0 -: HKCU-Main,Search Page = hxxp://www.google.com
R0 -: HKCU-Main,Search Bar = hxxp://www.google.com/ie
R0 -: HKLM-Main,Default_Search_URL = hxxp://www.google.com/ie
R0 -: HKLM-Main,Start Page = hxxp://es.yahoo.com
R0 -: HKLM-Main,Search Bar = C:\Program Files\Copernic 2001 Pro\Search Bar.htm
R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore
R0 -: HKCU-Search,SearchAssistant = hxxp://www.google.com/ie
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
R0 -: HKLM-Search,SearchAssistant = hxxp://www.google.com/ie
O8 -: Buscar utilizando Copernic - C:\Program Files\Copernic 2001 Pro\Search Extension.htm
O8 -: E&xportar a Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 -: {2A465936-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2001 Pro\Copernic.exe
O9 -: {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - C:\PROGRA~1\PACIFI~1\pacificpoker.exe
O17 -: HKLM\CCS\Interface\{10EC5254-1AD2-4CE5-96BE-B1A25F04577C}: NameServer = 196.3.81.5,196.3.81.132
O17 -: HKLM\CCS\Interface\{A58A721C-8AE8-42ED-BD4C-786500CF89B4}: NameServer = 200.42.213.11,196.3.81.5
O16 -: DirectAnimation Java Classes - file://C:\WINDOWS\Java\classes\dajava.cab
C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd
O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-24 16:00:13
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Ahead\InCD\incdsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2008-07-24 16:09:28 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-24 20:08:33
Pre-Run: 12,926,615,552 bytes free
Post-Run: 12,944,224,256 bytes free