My ComboFix report

Closed
rezkiadsl Posts 1 Registration date Sunday 14 June 2009 Status Member Last seen 14 June 2009 - 14 June 2009 at 13:14
fix200 Posts 3243 Registration date Sunday 28 December 2008 Status Security contributor Last seen 7 February 2011 - 14 June 2009 at 13:41
Hello,
ComboFix 09-06-13.09 - crsic 14/06/2009 11:25.1 - NTFSx86
Microsoft Windows XP Professionnel 5.1.2600.2.1252.33.1036.18.191.78 [GMT 2:00]
Lancé depuis: c:\documents and settings\crsic\Bureau\ComboFix.exe
Commutateurs utilisés :: c:\documents and settings\crsic\Bureau\WindowsXP-KB310994-SP2-Pro-BootDisk-FRA.exe
AV: Kaspersky Internet Security *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\avcandac.exe
c:\documents and settings\crsic\reader_s.exe
c:\documents and settings\crsic\Application Data\addons.dat
c:\documents and settings\crsic\reader_s.exe
c:\windows\KBPK090531.log
c:\windows\KBPK090602.log
c:\windows\KBPK090603.log
c:\windows\KBPK090607.log
c:\windows\KBPK090610.log
c:\windows\KBPK090611.log
.
---- Exécution préalable -------
.

.
((((((((((((((((((((((((((((((((((((((( Pilotes/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6to4
-------\Legacy_dhcpsrv
-------\Legacy_msncache
-------\Legacy_ntalme
-------\Legacy_sopidkc
-------\Service_6to4
-------\Service_dhcpsrv
-------\Service_msncache
-------\Service_ntalme
-------\Service_sopidkc


((((((((((((((((((((((((((((( Fichiers créés du 2009-05-14 au 2009-06-14 ))))))))))))))))))))))))))))))))))))
.

2009-06-14 09:16 . 2009-06-14 09:16 -------- d-----w- C:\32788R22FWJFW.0.tmp
2009-06-14 08:48 . 2004-08-04 04:54 221184 ----a-w- c:\windows\system32\wmpns.dll
2009-06-14 07:10 . 2009-06-14 07:10 -------- d-----w- c:\documents and settings\Administrateur\Local Settings\Application Data\Adobe
2009-06-07 13:04 . 2009-06-07 13:04 75 ----a-w- C:\ACCM1GEN.DAT
2009-06-07 13:03 . 2009-06-07 13:03 -------- d-----w- c:\documents and settings\crsic\WINDOWS
2009-06-03 12:51 . 2009-06-03 12:51 -------- d-----w- c:\program files\Java
2009-06-03 12:51 . 2009-06-03 12:51 -------- d-----w- c:\program files\Fichiers communs\Java
2009-06-03 12:51 . 2009-06-03 12:51 -------- d-----w- c:\documents and settings\crsic\Local Settings\Application Data\{7148F0A6-6813-11D6-A77B-00B0D0142070}
2009-06-03 12:47 . 2009-06-03 12:55 -------- d-----w- c:\program files\Greenstone
2009-06-02 12:14 . 2009-06-02 12:14 -------- d-----w- c:\program files\Yahoo! Companion
2009-05-31 07:08 . 2009-06-14 09:14 -------- d-----w- c:\windows\dhcp
2009-05-31 07:05 . 2009-06-07 12:12 0 ----a-w- c:\windows\system32\drivers\cc05f061.sys
2009-05-31 06:59 . 2009-05-31 06:59 9216 ----a-w- C:\d34575e.exe
2009-05-25 10:20 . 2009-05-25 10:20 -------- d-----w- c:\documents and settings\crsic\Application Data\Greenstone
2009-05-25 10:16 . 2009-05-25 10:16 -------- d-----w- c:\documents and settings\crsic\.ov4n
2009-05-25 10:16 . 2009-06-03 12:44 -------- d-----w- c:\documents and settings\crsic\Greenstone2
2009-05-23 12:15 . 2007-06-18 08:38 14848 ----a-w- c:\windows\system32\tpfmxp.dll
2009-05-23 12:15 . 2009-05-23 12:15 -------- d-----w- c:\documents and settings\All Users\Application Data\tpfmon
2009-05-23 12:15 . 2009-05-23 12:15 -------- d-----w- c:\program files\Axmapresse
2009-05-23 12:15 . 2009-05-23 12:15 -------- d-----w- c:\documents and settings\All Users\Application Data\InternetFax

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-14 09:29 . 2009-04-27 08:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-06-14 09:28 . 2009-04-27 08:19 327712 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-06-14 09:28 . 2009-04-27 08:19 3248 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-06-14 09:28 . 2009-04-27 08:19 1430048 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-06-14 09:28 . 2009-04-27 08:19 13300 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-06-03 13:13 . 2009-04-30 09:13 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-05-09 12:06 . 2009-04-28 07:42 -------- d-----w- c:\documents and settings\crsic\Application Data\Skype
2009-05-09 10:57 . 2002-09-07 00:00 49494 ----a-w- c:\windows\system32\perfc00C.dat
2009-05-09 10:57 . 2002-09-07 00:00 370414 ----a-w- c:\windows\system32\perfh00C.dat
2009-05-03 07:14 . 2009-04-26 09:44 73872 ----a-w- c:\documents and settings\crsic\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-02 08:08 . 2009-05-02 07:58 -------- d-----w- c:\program files\Pinnacle
2009-05-02 08:02 . 2009-04-26 11:24 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-02 07:59 . 2009-05-02 07:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Pinnacle
2009-05-02 07:57 . 2009-04-26 11:24 -------- d-----w- c:\program files\Fichiers communs\InstallShield
2009-04-29 09:31 . 2009-04-26 09:19 86331 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-04-28 07:42 . 2009-04-28 07:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-04-28 07:42 . 2009-04-28 07:42 -------- d-----w- c:\program files\Skype
2009-04-27 10:43 . 2008-01-29 16:29 33808 ----a-w- c:\windows\system32\drivers\klbg.sys
2009-04-27 10:43 . 2009-04-27 08:20 101287 ----a-w- c:\windows\system32\drivers\klin.dat
2009-04-27 10:43 . 2009-04-27 08:20 89601 ----a-w- c:\windows\system32\drivers\klick.dat
2009-04-27 10:43 . 2009-04-27 10:43 33808 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav8exec\8.0.0.357\klbg.sys
2009-04-27 10:43 . 2009-04-27 10:43 213520 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav8exec\8.0.0.357\XP\klif.sys
2009-04-27 10:43 . 2009-04-27 10:43 21256 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav8exec\8.0.0.357\vkbd.dll
2009-04-27 10:43 . 2009-04-27 10:42 861448 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav8exec\8.0.0.357\updater.dll
2009-04-27 10:42 . 2009-04-27 10:42 83208 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav8exec\8.0.0.357\mzvkbd.dll
2009-04-27 10:42 . 2009-04-27 10:42 62728 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav8exec\8.0.0.357\ievkbd.dll
2009-04-27 10:42 . 2009-04-27 10:42 43784 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav8exec\8.0.0.357\fssync.dll
2009-04-27 10:42 . 2009-04-27 10:42 365832 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav8exec\8.0.0.357\ckahum.dll
2009-04-27 10:42 . 2009-04-27 10:42 201992 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav8exec\8.0.0.357\avp.exe
2009-04-27 09:38 . 2009-04-26 09:18 -------- d-----w- c:\program files\Services en ligne
2009-04-27 08:41 . 2009-04-27 08:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-04-27 08:36 . 2009-04-27 08:35 -------- d-----w- c:\program files\CCleaner
2009-04-27 08:36 . 2009-04-27 08:35 -------- d-----w- c:\program files\Yahoo!
2009-04-27 08:35 . 2009-04-27 08:35 -------- d-----w- c:\documents and settings\crsic\Application Data\Yahoo!
2009-04-27 08:32 . 2009-04-27 08:32 -------- d-----w- c:\program files\Fichiers communs\Adobe
2009-04-27 08:19 . 2009-04-27 08:19 -------- d-----w- c:\program files\Kaspersky Lab
2009-04-27 08:18 . 2009-04-27 08:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-04-27 08:11 . 2009-04-27 08:11 -------- d-----w- c:\program files\epson
2009-04-26 11:26 . 2009-04-26 11:26 -------- d-----w- c:\documents and settings\crsic\Application Data\SmarThru4
2009-04-26 11:26 . 2009-04-26 11:25 -------- d-----w- c:\program files\SmarThru 4
2009-04-26 11:26 . 2009-04-26 11:25 -------- d-----w- c:\program files\Readiris
2009-04-26 11:22 . 2009-04-26 11:22 -------- d-----w- c:\program files\Samsung
2009-04-26 09:20 . 2009-04-26 09:20 -------- d-----w- c:\program files\microsoft frontpage
2009-04-26 09:17 . 2009-04-26 09:17 21892 ----a-w- c:\windows\system32\emptyregdb.dat
1990-01-01 01:01 . 1990-01-01 01:01 53248 --sh--r- c:\windows\system32\lpg32.dll
2004-08-04 04:54 . 2004-08-04 04:54 168509 --sha-r- c:\windows\system32\vfmfedsr.dll
.

((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-03 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2009-04-27 201992]
"PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2003-12-04 406016]
"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_07\bin\jusched.exe" [2005-01-15 32881]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\windows\system32\config\systemprofile\Menu D‚marrer\Programmes\D‚marrage\
kasp6.0_ak_refguidefr.pdf [2008-10-9 3524288]
kav6.0fr.pdf [2009-3-4 1699654]
kav6.0_winwksen.pdf [2008-8-11 3057457]
kav6.0_winwksfr.pdf [2007-10-9 4559220]
kav6.0_wseeappschemes_fr.pdf [2009-3-4 491351]
kav6.0_wseeinstallguide_fr.pdf [2009-3-4 2725040]

c:\windows\system32\config\systemprofile\Menu D‚marrer\Programmes\D‚marrage\
kasp6.0_ak_refguidefr.pdf [2008-10-9 3524288]
kav6.0fr.pdf [2009-3-4 1699654]
kav6.0_winwksen.pdf [2008-8-11 3057457]
kav6.0_winwksfr.pdf [2007-10-9 4559220]
kav6.0_wseeappschemes_fr.pdf [2009-3-4 491351]
kav6.0_wseeinstallguide_fr.pdf [2009-3-4 2725040]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{9DCB0AE8-633C-B1D2-29E1-3A8A1A15D25A}"= "c:\windows\system32\lpg32.dll" [1990-01-01 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\drwtsn32.exe]
"Debugger"=c:\windows\system32\wscript.exe /E:vbs c:\windows\system32\winjpg.jpg

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Fichiers communs\\Adobe\\Updater6\\Adobe_Updater.exe"=
"c:\\Program Files\\Yahoo!\\Companion\\Installs\\cpn\\ytbb.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"=
"c:\\WINDOWS\\system32\\logon.scr"=
"c:\\WINDOWS\\system32\\drwtsn32.exe"=
"c:\\WINDOWS\\system32\\netsh.exe"=
"c:\\Program Files\\SmarThru 4\\ControlPanel.exe"=
"c:\\Program Files\\Kaspersky Lab\\Kaspersky Internet Security 2009\\avp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6760:TCP"= 6760:TCP:njqzvyni

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [29/01/2008 18:29 33808]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [13/03/2008 19:02 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [25/03/2008 20:07 24592]
S1 cc05f061;cc05f061;c:\windows\system32\drivers\cc05f061.sys [31/05/2009 09:05 0]
S2 cwwcvy;Driver Time;c:\windows\system32\svchost.exe -k netsvcs [04/08/2004 06:55 14336]
S2 uhhmopz;Helper Shell;c:\windows\system32\svchost.exe -k netsvcs [04/08/2004 06:55 14336]
S3 etugvndvr;etugvndvr;\??\c:\windows\system32\[u]0/u1.tmp --> c:\windows\system32\[u]0/u1.tmp [?]
S3 kodkfghwo;kodkfghwo;\??\c:\windows\system32\[u]0/u2.tmp --> c:\windows\system32\[u]0/u2.tmp [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
uhhmopz
cwwcvy
.
- - - - ORPHELINS SUPPRIMES - - - -

HKCU-Run-crsic - c:\documents and settings\crsic\crsic.exe


.
------- Examen supplémentaire -------
.
uStart Page = hxxp://www.google.dz/
IE: E&xporter vers Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {3E87828C-26CF-4C8E-A809-FEFC5963A18A} = 193.194.80.116,193.194.64.11
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-14 11:30
Windows 5.1.2600 Service Pack 2 NTFS

Recherche de processus cachés ...

Recherche d'éléments en démarrage automatique cachés ...

Recherche de fichiers cachés ...

Scan terminé avec succès
Fichiers cachés: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\etugvndvr]
"ImagePath"="\??\c:\windows\system32\[u]0/u1.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kodkfghwo]
"ImagePath"="\??\c:\windows\system32\[u]0/u2.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\cwwcvy]
"ServiceDll"="c:\windows\system32\vfmfedsr.dll"

1 reply

fix200 Posts 3243 Registration date Sunday 28 December 2008 Status Security contributor Last seen 7 February 2011 158
14 June 2009 at 13:41
Hi,

You are heavily infected (Virut, rootkits, trojan, via removable media) etc
*****************************************************************

Driver::
cc05f061
cwwcvy
uhhmopz
etugvndvr
kodkfghwo
Registry::
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{9DCB0AE8-633C-B1D2-29E1-3A8A1A15D25A}"=-
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\etugvndvr]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kodkfghwo]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\cwwcvy]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\uhhmopz]
FILE::
C:\32788R22FWJFW.0.tmp
C:\ACCM1GEN.DAT
C:\d34575e.exe
c:\windows\system32\drivers\cc05f061.sys
c:\windows\system32\drivers\klick.dat
c:\windows\system32\drivers\klin.dat
c:\windows\system32\lpg32.dll
c:\windows\system32\02.tmp
c:\windows\system32\01.tmp
c:\windows\system32\vfmfedsr.dll



- Open Notepad then paste the copied text.
(Start\All Programs\Accessories\Notepad.)

- Save this file under the name CFScript.txt

- Now drag the CFScript.txt file onto Combofix.exe like this

This will relaunch Combofix,

A blue window will appear: at the message that appears (Type 1 to continue, or 2 to abort), type 1 then confirm.

Wait for the scan to finish. The desktop will disappear several times: that's normal!

Don't touch anything until the scan is finished.

After the restart, post the contents of the Combofix.txt report


++