06-16-2009, 03:40 AM   #3
broche
Registered User
Join Date: Apr 2009
Posts: 12
OS: XP SP3


Re: VIRUS ALERT! next to System Time.

Ok, I ran ComboFix.
The virus alert message is still there.

Here is the ComboFix log:

ComboFix 09-06-15.06 - Pyves 16/06/2009 11:23.2 - NTFSx86
Microsoft Windows XP Professionnel 5.1.2600.3.1252.33.1036.18.247.58 [GMT 2:00]
Lancé depuis: \\10.1.10.24\docu\a\ComboFix.exe
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.

((((((((((((((((((((((((((((( Fichiers créés du 2009-05-16 au 2009-06-16 ))))))))))))))))))))))))))))))))))))
.

2009-06-02 14:16 . 2009-06-02 14:16 -------- d-----w- c:\program files\Trend Micro
2009-06-02 13:03 . 2009-06-02 13:03 -------- d-----w- c:\documents and settings\Pyves\Application Data\Malwarebytes
2009-06-02 13:03 . 2009-05-26 11:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-02 13:03 . 2009-06-02 13:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-02 13:03 . 2009-05-26 11:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-02 13:02 . 2009-06-02 13:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-02 12:55 . 2009-06-02 12:55 -------- d-----w- c:\program files\ESET
2009-06-02 12:15 . 2009-06-02 12:16 -------- d-----w- c:\program files\CCleaner
2009-06-02 12:12 . 2009-06-02 12:12 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-02 12:10 . 2009-06-02 12:10 152576 ----a-w- c:\documents and settings\Pyves\Application Data\Sun\Java\jre1.6.0_11\lzma.dll

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-02 12:33 . 2008-05-27 12:02 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-02 12:12 . 2006-04-04 14:33 -------- d-----w- c:\program files\Java
2009-06-02 12:07 . 2008-05-27 12:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-19 16:51 . 2007-03-26 18:47 5642 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-05-19 16:51 . 2007-03-26 18:47 104 --sh--r- c:\windows\system32\86640A7754.sys
2009-05-14 13:49 . 2009-05-14 13:49 94360 ----a-w- c:\windows\system32\drivers\epfwtdir.sys
2009-05-14 13:47 . 2009-05-14 13:47 107256 ----a-w- c:\windows\system32\drivers\ehdrv.sys
2009-05-14 13:41 . 2009-05-14 13:41 114472 ----a-w- c:\windows\system32\drivers\eamon.sys
2009-05-07 15:33 . 2004-08-19 12:03 348672 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:34 . 2004-08-19 12:03 670720 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:34 . 2004-08-19 12:03 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-04-19 19:50 . 2004-08-19 12:03 1847296 ----a-w- c:\windows\system32\win32k.sys
2009-04-17 09:40 . 2004-08-19 12:03 457562 ----a-w- c:\windows\system32\perfh00C.dat
2009-04-17 09:40 . 2004-08-19 12:03 70782 ----a-w- c:\windows\system32\perfc00C.dat
2009-04-15 14:53 . 2004-08-19 12:03 585216 ----a-w- c:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-10 68856]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-06-26 1211176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-02 136600]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-05-14 2029640]
"ISUSPM Startup"="c:\program files\Fichiers communs\InstallShield\UpdateService\ISUSPM.exe" [2005-06-10 249856]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^Lancement rapide d'Adobe Reader.lnk]
path=c:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\Lancement rapide d'Adobe Reader.lnk
backup=c:\windows\pss\Lancement rapide d'Adobe Reader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Pyves^Menu Démarrer^Programmes^Démarrage^YesMessenger.lnk]
path=c:\documents and settings\Pyves\Menu Démarrer\Programmes\Démarrage\YesMessenger.lnk
backup=c:\windows\pss\YesMessenger.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\devolo\\dlanwlancfg\\dlanwlancfg.exe"=
"c:\\Program Files\\devolo\\informer\\devinf.exe"=
"c:\\Program Files\\devolo\\easyshare\\easyshare.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [14/05/2009 15:47 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [14/05/2009 15:49 94360]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [14/05/2009 15:47 731840]
R2 NPF_devolo;NetGroup Packet Filter Driver (devolo);c:\windows\system32\drivers\npf_devolo.sys [07/02/2007 17:57 35840]
.
Contenu du dossier 'Tâches planifiées'

2009-04-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 16:13]

2009-06-15 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-05-03 20:18]
.
.
------- Examen supplémentaire -------
.
uStart Page = hxxp://fr.yahoo.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://fr.yahoo.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xporter vers Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
TCP: {76C297DE-AE76-4B08-A1AA-FD140D1D7E6C} = 195.238.2.21,195.238.2.22
DPF: {F92211F4-3913-4DC2-A275-756374D848B0} - hxxp://etter2t.dyndns.org/MP4DVR.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-16 11:29
Windows 5.1.2600 Service Pack 3 NTFS

Recherche de processus cachés ...

Recherche d'éléments en démarrage automatique cachés ...

Recherche de fichiers cachés ...

Scan terminé avec succès
Fichiers cachés: 0

**************************************************************************
.
--------------------- DLLs chargées dans les processus actifs ---------------------

- - - - - - - > 'winlogon.exe'(828)
c:\windows\system32\igfxdev.dll

- - - - - - - > 'explorer.exe'(3176)
c:\program files\iTunes\iTunesMiniPlayer.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\fr.lproj\iTunesMiniPlayerLocalized.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
c:\windows\system32\eappprxy.dll
.
Heure de fin: 2009-06-16 11:32
ComboFix-quarantined-files.txt 2009-06-16 09:32

Avant-CF: 20*871*499*776 octets libres
Après-CF: 20*903*153*664 octets libres

WindowsXP-KB310994-SP2-Pro-BootDisk-FRA.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professionnel" /noexecute=optin /fastdetect

138 --- E O F --- 2009-06-11 10:50