Tech Support Forum - View Single Post

broche · 06-17-2009, 08:40 AM

It does not apear anymore
ComboFix 09-05-31.06 - Pyves 02/06/2009 15:44.1 - NTFSx86
Microsoft Windows XP Professionnel 5.1.2600.3.1252.33.1036.18.247.56 [GMT 2:00]
Lancé depuis: c:\documents and settings\Pyves\Bureau\ComboFix.exe
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

AVERTISSEMENT - LA CONSOLE DE RÉCUPÉRATION N'EST PAS INSTALLÉE SUR CETTE MACHINE !!
.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\AntiSpyCheck
c:\program files\AntiSpyCheck\uninst.exe
c:\windows\cookies.ini
c:\windows\system32\mcrh.tmp

.
((((((((((((((((((((((((((((( Fichiers créés du 2009-05-02 au 2009-06-02 ))))))))))))))))))))))))))))))))))))
.

2009-06-02 13:03 . 2009-06-02 13:03 -------- d-----w- c:\documents and settings\Pyves\Application Data\Malwarebytes
2009-06-02 13:03 . 2009-05-26 11:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-02 13:03 . 2009-06-02 13:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-02 13:03 . 2009-05-26 11:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-02 13:02 . 2009-06-02 13:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-02 12:55 . 2009-06-02 12:55 -------- d-----w- c:\program files\ESET
2009-06-02 12:15 . 2009-06-02 12:16 -------- d-----w- c:\program files\CCleaner
2009-06-02 12:12 . 2009-06-02 12:12 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-02 12:10 . 2009-06-02 12:10 152576 ----a-w- c:\documents and settings\Pyves\Application Data\Sun\Java\jre1.6.0_11\lzma.dll
2009-05-14 13:49 . 2009-05-14 13:49 94360 ----a-w- c:\windows\system32\drivers\epfwtdir.sys
2009-05-14 13:47 . 2009-05-14 13:47 107256 ----a-w- c:\windows\system32\drivers\ehdrv.sys
2009-05-14 13:41 . 2009-05-14 13:41 114472 ----a-w- c:\windows\system32\drivers\eamon.sys

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-02 12:33 . 2008-05-27 12:02 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-02 12:12 . 2006-04-04 14:33 -------- d-----w- c:\program files\Java
2009-06-02 12:07 . 2008-05-27 12:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-19 16:51 . 2007-03-26 18:47 5642 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-05-19 16:51 . 2007-03-26 18:47 104 --sh--r- c:\windows\system32\86640A7754.sys
2009-04-17 09:40 . 2004-08-19 12:03 457562 ----a-w- c:\windows\system32\perfh00C.dat
2009-04-17 09:40 . 2004-08-19 12:03 70782 ----a-w- c:\windows\system32\perfc00C.dat
2009-04-15 10:27 . 2009-04-15 10:27 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2009-04-15 09:07 . 2008-07-26 20:35 -------- d-----w- c:\program files\Winamp
2009-03-06 14:20 . 2004-08-19 12:03 286720 ----a-w- c:\windows\system32\pdh.dll
.

((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-10 68856]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-06-26 1211176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-02 136600]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-05-14 2029640]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^Lancement rapide d'Adobe Reader.lnk]
path=c:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\Lancement rapide d'Adobe Reader.lnk
backup=c:\windows\pss\Lancement rapide d'Adobe Reader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Pyves^Menu Démarrer^Programmes^Démarrage^YesMessenger.lnk]
path=c:\documents and settings\Pyves\Menu Démarrer\Programmes\Démarrage\YesMessenger.lnk
backup=c:\windows\pss\YesMessenger.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\devolo\\dlanwlancfg\\dlanwlancfg.exe"=
"c:\\Program Files\\devolo\\informer\\devinf.exe"=
"c:\\Program Files\\devolo\\easyshare\\easyshare.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [14/05/2009 15:47 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [14/05/2009 15:49 94360]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [14/05/2009 15:47 731840]
R2 NPF_devolo;NetGroup Packet Filter Driver (devolo);c:\windows\system32\drivers\npf_devolo.sys [07/02/2007 17:57 35840]
.
Contenu du dossier 'Tâches planifiées'

2009-04-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 16:13]

2009-06-02 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-05-03 20:18]
.
- - - - ORPHELINS SUPPRIMES - - - -

BHO-{22A48612-5791-4721-941C-56AEA817B886} - c:\windows\system32\nnnoMExy.dll
BHO-{3DDDB950-6E8A-4AA0-9629-BDDD38A41188} - c:\windows\system32\khfFVNFW.dll
BHO-{6B6FD889-1D1D-4EDC-92B9-35BCC6B4A52D} - (no file)
BHO-{73EA7DD4-9DBD-4754-83C9-FECC2C89397C} - (no file)
BHO-{B63665E5-AB1D-4CB7-9B56-EBEA74535588} - (no file)
BHO-{FD7FFD6D-B804-4DE8-AE3D-261881FB4704} - c:\windows\system32\ddcDVooP.dll
HKCU-Run-ModemOnHold - c:\program files\NetWaiting\netWaiting.exe
HKLM-Run-5c921d1d - c:\windows\system32\kalkodpv.dll
Notify-qoMghFWM - qoMghFWM.dll
SafeBoot-procexp90.Sys

.
------- Examen supplémentaire -------
.
uStart Page = hxxp://fr.yahoo.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://fr.yahoo.com
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: E&xporter vers Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
DPF: {F92211F4-3913-4DC2-A275-756374D848B0} - hxxp://etter2t.dyndns.org/MP4DVR.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-02 15:52
Windows 5.1.2600 Service Pack 3 NTFS

Recherche de processus cachés ...

Recherche d'éléments en démarrage automatique cachés ...

Recherche de fichiers cachés ...

Scan terminé avec succès
Fichiers cachés: 0

**************************************************************************
.
--------------------- DLLs chargées dans les processus actifs ---------------------

- - - - - - - > 'explorer.exe'(1644)
c:\program files\iTunes\iTunesMiniPlayer.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\fr.lproj\iTunesMiniPlayerLocalized.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
c:\windows\system32\eappprxy.dll
.
------------------------ Autres processus actifs ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Dell\NicConfigSvc\NicConfigSvc.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
.
**************************************************************************
.
Heure de fin: 2009-06-02 15:59 - La machine a redémarré
ComboFix-quarantined-files.txt 2009-06-02 13:59

Avant-CF: 18*849*640*448 octets libres
Après-CF: 18*841*149*440 octets libres

158 --- E O F --- 2009-05-17 06:49

Malwarebytes' Anti-Malware 1.37
Version de la base de données: 2286
Windows 5.1.2600 Service Pack 3

16/06/2009 15:26:08
mbam-log-2009-06-16 (15-26-08).txt

Type de recherche: Examen rapide
Eléments examinés: 87403
Temps écoulé: 10 minute(s), 41 second(s)

Processus mémoire infecté(s): 0
Module(s) mémoire infecté(s): 0
Clé(s) du Registre infectée(s): 11
Valeur(s) du Registre infectée(s): 0
Elément(s) de données du Registre infecté(s): 2
Dossier(s) infecté(s): 0
Fichier(s) infecté(s): 2

Processus mémoire infecté(s):
(Aucun élément nuisible détecté)

Module(s) mémoire infecté(s):
(Aucun élément nuisible détecté)

Clé(s) du Registre infectée(s):
HKEY_CLASSES_ROOT\atfxqogp.blfx (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1ae22bce-b554-4803-bae3-2eff740aff44} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{56e90faa-6f19-44fd-8197-0c08388c2632} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{c1d0b9f7-f3c6-443a-af61-ad47771ace27} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{aaa0a546-2b51-4aed-b1e2-c14f38c73165} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{182fcc02-5b76-4fe2-90a5-ba88906cad3c} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3ba4271e-5c1e-48e2-b432-d8bf420dd31d} (Rogue.DeusCleaner) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\atfxqogp.bbtx (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\atfxqogp.bxpr (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Valeur(s) du Registre infectée(s):
(Aucun élément nuisible détecté)

Elément(s) de données du Registre infecté(s):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductId (Trojan.FakeAlert) -> Bad: (VIRUS ALERT!) Good: (76413-OEM-0011903-00102) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\International\sTimeFormat (Trojan.FakeAlert) -> Bad: (HH:mm: VIRUS ALERT!) Good: (HH:mm:ss) -> Quarantined and deleted successfully.

Dossier(s) infecté(s):
(Aucun élément nuisible détecté)

Fichier(s) infecté(s):
c:\documents and settings\Pyves\menu démarrer\AntiSpyCheck 2.1.0.lnk (Rogue.AntiSpyCheck) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Wednesday, June 17, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Wednesday, June 17, 2009 10:31:15
Records in database: 2356200
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 51902
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 01:55:07

File name / Threat name / Threats count
C:\Program Files\RealVNC\VNC4\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1

The selected area was scanned.

06-17-2009, 08:40 AM	#5 (permalink)
broche Registered User Join Date: Apr 2009 Posts: 12 OS: XP SP3	Re: VIRUS ALERT! next to System Time. It does not apear anymore ComboFix 09-05-31.06 - Pyves 02/06/2009 15:44.1 - NTFSx86 Microsoft Windows XP Professionnel 5.1.2600.3.1252.33.1036.18.247.56 [GMT 2:00] Lancé depuis: c:\documents and settings\Pyves\Bureau\ComboFix.exe AV: ESET NOD32 Antivirus 4.0 On-access scanning disabled (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0} AVERTISSEMENT - LA CONSOLE DE RÉCUPÉRATION N'EST PAS INSTALLÉE SUR CETTE MACHINE !! . (((((((((((((((((((((((((((((((((((( Autres suppressions )))))))))))))))))))))))))))))))))))))))))))))))) . c:\program files\AntiSpyCheck c:\program files\AntiSpyCheck\uninst.exe c:\windows\cookies.ini c:\windows\system32\mcrh.tmp . ((((((((((((((((((((((((((((( Fichiers créés du 2009-05-02 au 2009-06-02 )))))))))))))))))))))))))))))))))))) . 2009-06-02 13:03 . 2009-06-02 13:03 -------- d-----w- c:\documents and settings\Pyves\Application Data\Malwarebytes 2009-06-02 13:03 . 2009-05-26 11:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2009-06-02 13:03 . 2009-06-02 13:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2009-06-02 13:03 . 2009-05-26 11:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-06-02 13:02 . 2009-06-02 13:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2009-06-02 12:55 . 2009-06-02 12:55 -------- d-----w- c:\program files\ESET 2009-06-02 12:15 . 2009-06-02 12:16 -------- d-----w- c:\program files\CCleaner 2009-06-02 12:12 . 2009-06-02 12:12 410984 ----a-w- c:\windows\system32\deploytk.dll 2009-06-02 12:10 . 2009-06-02 12:10 152576 ----a-w- c:\documents and settings\Pyves\Application Data\Sun\Java\jre1.6.0_11\lzma.dll 2009-05-14 13:49 . 2009-05-14 13:49 94360 ----a-w- c:\windows\system32\drivers\epfwtdir.sys 2009-05-14 13:47 . 2009-05-14 13:47 107256 ----a-w- c:\windows\system32\drivers\ehdrv.sys 2009-05-14 13:41 . 2009-05-14 13:41 114472 ----a-w- c:\windows\system32\drivers\eamon.sys . (((((((((((((((((((((((((((((((((( Compte-rendu de Find3M )))))))))))))))))))))))))))))))))))))))))))))))) . 2009-06-02 12:33 . 2008-05-27 12:02 -------- d-----w- c:\program files\Spybot - Search & Destroy 2009-06-02 12:12 . 2006-04-04 14:33 -------- d-----w- c:\program files\Java 2009-06-02 12:07 . 2008-05-27 12:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2009-05-19 16:51 . 2007-03-26 18:47 5642 --sha-w- c:\windows\system32\KGyGaAvL.sys 2009-05-19 16:51 . 2007-03-26 18:47 104 --sh--r- c:\windows\system32\86640A7754.sys 2009-04-17 09:40 . 2004-08-19 12:03 457562 ----a-w- c:\windows\system32\perfh00C.dat 2009-04-17 09:40 . 2004-08-19 12:03 70782 ----a-w- c:\windows\system32\perfc00C.dat 2009-04-15 10:27 . 2009-04-15 10:27 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET 2009-04-15 09:07 . 2008-07-26 20:35 -------- d-----w- c:\program files\Winamp 2009-03-06 14:20 . 2004-08-19 12:03 286720 ----a-w- c:\windows\system32\pdh.dll . ((((((((((((((((((((((((((((((((( Points de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))) . . Note les éléments vides & les éléments initiaux légitimes ne sont pas listés REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-10 68856] "H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-06-26 1211176] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-02 136600] "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940] "egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-05-14 2029640] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360] [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Authentication Packages REG_MULTI_SZ msv1_0 nwprovau [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^Digital Line Detect.lnk] path=c:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\Digital Line Detect.lnk backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^Lancement rapide d'Adobe Reader.lnk] path=c:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\Lancement rapide d'Adobe Reader.lnk backup=c:\windows\pss\Lancement rapide d'Adobe Reader.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^Pyves^Menu Démarrer^Programmes^Démarrage^YesMessenger.lnk] path=c:\documents and settings\Pyves\Menu Démarrer\Programmes\Démarrage\YesMessenger.lnk backup=c:\windows\pss\YesMessenger.lnkStartup [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"= "c:\\Program Files\\MSN Messenger\\livecall.exe"= "c:\\Program Files\\devolo\\dlanwlancfg\\dlanwlancfg.exe"= "c:\\Program Files\\devolo\\informer\\devinf.exe"= "c:\\Program Files\\devolo\\easyshare\\easyshare.exe"= "c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager "c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager "c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"= "c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"= "c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"= "c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009 R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [14/05/2009 15:47 107256] R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [14/05/2009 15:49 94360] R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [14/05/2009 15:47 731840] R2 NPF_devolo;NetGroup Packet Filter Driver (devolo);c:\windows\system32\drivers\npf_devolo.sys [07/02/2007 17:57 35840] . Contenu du dossier 'Tâches planifiées' 2009-04-29 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 16:13] 2009-06-02 c:\windows\Tasks\WGASetup.job - c:\windows\system32\KB905474\wgasetup.exe [2009-05-03 20:18] . - - - - ORPHELINS SUPPRIMES - - - - BHO-{22A48612-5791-4721-941C-56AEA817B886} - c:\windows\system32\nnnoMExy.dll BHO-{3DDDB950-6E8A-4AA0-9629-BDDD38A41188} - c:\windows\system32\khfFVNFW.dll BHO-{6B6FD889-1D1D-4EDC-92B9-35BCC6B4A52D} - (no file) BHO-{73EA7DD4-9DBD-4754-83C9-FECC2C89397C} - (no file) BHO-{B63665E5-AB1D-4CB7-9B56-EBEA74535588} - (no file) BHO-{FD7FFD6D-B804-4DE8-AE3D-261881FB4704} - c:\windows\system32\ddcDVooP.dll HKCU-Run-ModemOnHold - c:\program files\NetWaiting\netWaiting.exe HKLM-Run-5c921d1d - c:\windows\system32\kalkodpv.dll Notify-qoMghFWM - qoMghFWM.dll SafeBoot-procexp90.Sys . ------- Examen supplémentaire ------- . uStart Page = hxxp://fr.yahoo.com/ uSearch Page = hxxp://www.google.com uSearch Bar = hxxp://www.google.com/ie mDefault_Search_URL = hxxp://www.google.com/ie mStart Page = hxxp://fr.yahoo.com uSearchAssistant = hxxp://www.google.com/ie uSearchURL,(Default) = hxxp://www.google.com/search?q=%s mSearchAssistant = hxxp://www.google.com/ie IE: E&xporter vers Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll DPF: {F92211F4-3913-4DC2-A275-756374D848B0} - hxxp://etter2t.dyndns.org/MP4DVR.cab . ************************************************************************ catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-06-02 15:52 Windows 5.1.2600 Service Pack 3 NTFS Recherche de processus cachés ... Recherche d'éléments en démarrage automatique cachés ... Recherche de fichiers cachés ... Scan terminé avec succès Fichiers cachés: 0 ********************************************************************** . --------------------- DLLs chargées dans les processus actifs --------------------- - - - - - - - > 'explorer.exe'(1644) c:\program files\iTunes\iTunesMiniPlayer.dll c:\program files\iTunes\iTunesMiniPlayer.Resources\fr.lproj\iTunesMiniPlayerLocalized.dll c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll c:\windows\system32\eappprxy.dll . ------------------------ Autres processus actifs ------------------------ . c:\windows\system32\WLTRYSVC.EXE c:\windows\system32\BCMWLTRY.EXE c:\program files\Java\jre6\bin\jqs.exe c:\program files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE c:\program files\Dell\NicConfigSvc\NicConfigSvc.exe c:\windows\system32\wdfmgr.exe c:\windows\system32\wbem\wmiapsrv.exe c:\progra~1\MI3AA1~1\rapimgr.exe . ************************************************************************ . Heure de fin: 2009-06-02 15:59 - La machine a redémarré ComboFix-quarantined-files.txt 2009-06-02 13:59 Avant-CF: 18849640448 octets libres Après-CF: 18841149440 octets libres 158 --- E O F --- 2009-05-17 06:49 Malwarebytes' Anti-Malware 1.37 Version de la base de données: 2286 Windows 5.1.2600 Service Pack 3 16/06/2009 15:26:08 mbam-log-2009-06-16 (15-26-08).txt Type de recherche: Examen rapide Eléments examinés: 87403 Temps écoulé: 10 minute(s), 41 second(s) Processus mémoire infecté(s): 0 Module(s) mémoire infecté(s): 0 Clé(s) du Registre infectée(s): 11 Valeur(s) du Registre infectée(s): 0 Elément(s) de données du Registre infecté(s): 2 Dossier(s) infecté(s): 0 Fichier(s) infecté(s): 2 Processus mémoire infecté(s): (Aucun élément nuisible détecté) Module(s) mémoire infecté(s): (Aucun élément nuisible détecté) Clé(s) du Registre infectée(s): HKEY_CLASSES_ROOT\atfxqogp.blfx (Trojan.FakeAlert) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{1ae22bce-b554-4803-bae3-2eff740aff44} (Trojan.FakeAlert) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{56e90faa-6f19-44fd-8197-0c08388c2632} (Trojan.FakeAlert) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{c1d0b9f7-f3c6-443a-af61-ad47771ace27} (Trojan.FakeAlert) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Typelib\{aaa0a546-2b51-4aed-b1e2-c14f38c73165} (Trojan.FakeAlert) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Typelib\{182fcc02-5b76-4fe2-90a5-ba88906cad3c} (Trojan.FakeAlert) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3ba4271e-5c1e-48e2-b432-d8bf420dd31d} (Rogue.DeusCleaner) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\atfxqogp.bbtx (Trojan.FakeAlert) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\atfxqogp.bxpr (Trojan.FakeAlert) -> Quarantined and deleted successfully. Valeur(s) du Registre infectée(s): (Aucun élément nuisible détecté) Elément(s) de données du Registre infecté(s): HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductId (Trojan.FakeAlert) -> Bad: (VIRUS ALERT!) Good: (76413-OEM-0011903-00102) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\Control Panel\International\sTimeFormat (Trojan.FakeAlert) -> Bad: (HH:mm: VIRUS ALERT!) Good: (HH:mm:ss) -> Quarantined and deleted successfully. Dossier(s) infecté(s): (Aucun élément nuisible détecté) Fichier(s) infecté(s): c:\documents and settings\Pyves\menu démarrer\AntiSpyCheck 2.1.0.lnk (Rogue.AntiSpyCheck) -> Quarantined and deleted successfully. c:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully. -------------------------------------------------------------------------------- KASPERSKY ONLINE SCANNER 7.0 REPORT Wednesday, June 17, 2009 Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600) Kaspersky Online Scanner version: 7.0.26.13 Program database last update: Wednesday, June 17, 2009 10:31:15 Records in database: 2356200 -------------------------------------------------------------------------------- Scan settings: Scan using the following database: extended Scan archives: yes Scan mail databases: yes Scan area - My Computer: C:\ D:\ Scan statistics: Files scanned: 51902 Threat name: 1 Infected objects: 1 Suspicious objects: 0 Duration of the scan: 01:55:07 File name / Threat name / Threats count C:\Program Files\RealVNC\VNC4\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1 The selected area was scanned.