S'abonner :  Newsletters    Magazines
Avis sur les produits Avis sur les logiciels Avis sur les jeux Actualités A propos de 01net
132 utilisateurs connectés
Forum de 01net / Sécurité / virus inffectant le winlogon.exe

virus inffectant le winlogon.exe

thiem60 le 03 juin 2009 à 10h35
Bonjour

Je vous explique mon probleme. Il semble que j'ai été attaqué par un virus qui infecte le fichier winlogon.exe.

Résultat je ne peux plus arrêter mon PC. Lorsque je fais "démarrer-->arrêter", windows se ferme puis j'ai un ecran bleu puis le PC reboot.

Mon anti-virus (kaspersky) m'indique qu'il a découvert un fichier dangereux mais ne semble pas le nettoyer.

Merci de votre aide
répondre
dédétraqué le 03 juin 2009 à 12h41
Salut thiem60


On va vérifier cela, télécharge RSIT (de random/random) sur le bureau ici :
http://images.malwareremoval.com/random/RSIT.exe

- Double clique sur RSIT.exe qui est sur le bureau
- Clique sur Continue dans la fenêtre
- RSIT téléchargera HijackThis si il n’est pas présent où détecté, alors il faudra accepter la licence
- Poste le contenue des deux rapports, log.txt et info.txt(réduit dans la barre des tâches) à la fin de l’analyse

Les rapports sont dans le dossier ici C:\rsit


@++ :)
répondre
thiem60 le 04 juin 2009 à 09h18
info.txt :


info.txt logfile of random's system information tool 1.06 2009-06-04 09:09:20

======Uninstall list======

-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\System32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Advanced IP Scanner v1.1-->C:\Program Files\Advanced IP Scanner\uninstal.exe
AFPL Ghostscript 8.00-->C:\gs\uninstgs.exe "C:\gs\gs8.00\uninstal.txt"
AFPL Ghostscript Fonts-->C:\gs\uninstgs.exe "C:\gs\fonts\uninstal.txt"
Apple Mobile Device Support-->MsiExec.exe /I{162B71B8-8464-4680-A086-601D555B331D}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
Atmel TPM Driver Installer 3.0.3.15-->MsiExec.exe /X{BBD6BA59-4593-43CC-BBC8-8E53D354AEA4}
AutoIt v3.3.0.0-->C:\Program Files\AutoIt3\Uninstall.exe
AutoSizer-->C:\Program Files\AutoSizer\Uninst.exe C:\Program Files\AutoSizer\Uninst.ini
Bentley View (V 08.05.01.28) - 1-->"C:\Program Files\InstallShield Installation Information\GUID.exe" -uninstall -guid"{A281BF84-32B4-4A61-B253-7B7F24AD1313}_0"
Bonjour-->MsiExec.exe /I{07287123-B8AC-41CE-8346-3D777245C35B}
Check Point VPN-1 SecureClient NGX R60 HFA1-->RunDll32 C:\PROGRA~1\FICHIE~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9FCF2FC0-8268-11D4-A313-0006290D766E}\setup.exe" ADD_REMOVE
CmdHere Powertoy For Windows XP-->MsiExec.exe /I{6855CCDD-BDF9-48E4-B80A-80DFB96FE36C}
DameWare NT Utilities-->MsiExec.exe /I{4223D93D-B63F-4842-89DA-2180DCE9FD97}
Désinstallation du logiciel Lexmark-->C:\Program Files\Lexmark_HostCD\Install\Uninstall.exe
Dia (remove only)-->C:\Program Files\Dia\dia-uninst.exe
Football Manager 2009-->"C:\Program Files\Sports Interactive\Football Manager 2009\Uninstall_Football Manager 2009\Uninstall Football Manager 2009.exe"
Foxit Reader-->C:\Program Files\Foxit Software\Foxit Reader\Uninstall.exe
Free PDF to Word Doc Converter v1.1-->"C:\Program Files\Free PDF to Word Doc Converter\unins000.exe"
Gestionnaire d'alimentation ThinkPad-->RunDll32 C:\PROGRA~1\FICHIE~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A0E64EBA-8BF0-49FB-90C0-BB3D781A2016}\SETUP.EXE" -l0x40c -AddRemove
getPlus(R)_ocx-->rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\inf\GETPLUSo.INF, DefaultUninstall
GTK+ 1.3.0-20030717 runtime environment-->C:\WINDOWS\unins000.exe
GTK+ 2.6.9 runtime environment-->"C:\Program Files\Fichiers communs\GTK\2.0\unins000.exe"
HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall
Indeo® Software-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Ligos\Indeo\Uninst.isu" -c"C:\Program Files\Ligos\Indeo\Indeo System Files\indounin.dll"
Intel(R) Graphics Media Accelerator Driver-->C:\WINDOWS\System32\igxpun.exe -uninstall
Intel(R) PRO Network Connections Drivers-->Prounstl.exe
iTunes-->MsiExec.exe /I{C26B06A9-27BB-45B0-9873-9C623EC2BA38}
Java 2 Runtime Environment, SE v1.4.2-->MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142000}
Kaspersky Administration Kit-->C:\PROGRA~1\FICHIE~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{12C259B1-8E8C-498D-927D-60040190BF79}
Kaspersky Anti-Virus 5.0 for Windows File Servers Console Plugin-->MsiExec.exe /X{91607FF0-D28A-48CC-9E39-E0882716A88B}
Kaspersky Anti-Virus 6.0 Console Plugin-->MsiExec.exe /X{F80373B5-40DD-46E9-8D56-EEA1AE6DB63E}
Kaspersky Anti-Virus 6.0 for Windows Workstations-->MsiExec.exe /I{79B986AD-54D8-4498-AA06-89808829ACC0}
Kaspersky Anti-Virus 6.0 for Windows Workstations-->MsiExec.exe /I{79B986AD-54D8-4498-AA06-89808829ACC0}
Kaspersky Network Agent-->C:\PROGRA~1\FICHIE~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{7C72AAB5-8A7D-4882-950C-A1F26A949DA3}
Lotus Notes 6.0.3 fr-->MsiExec.exe /I{5FF59A5F-029E-4B7C-A485-69D2ABA1FD11}
Micromega Software System EasyScan-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\EasyScan\Uninst.isu"
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0-->C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office Excel 2003-->MsiExec.exe /I{9016040C-6000-11D3-8CFE-0150048383C9}
Microsoft Office PowerPoint 2003-->MsiExec.exe /I{9018040C-6000-11D3-8CFE-0150048383C9}
Microsoft Office Standard Edition 2003-->MsiExec.exe /I{9012040C-6000-11D3-8CFE-0150048383C9}
Microsoft Office Visio Viewer 2003 (English)-->MsiExec.exe /I{90520409-6000-11D3-8CFE-0150048383C9}
Microsoft Silverlight-->MsiExec.exe /X{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Mise à jour de sécurité pour Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Module de compatibilité pour Microsoft Office System 2007-->MsiExec.exe /X{90120000-0020-040C-0000-0000000FF1CE}
Mozilla Firefox (3.0.10)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 6.0 Parser-->MsiExec.exe /I{AEB9948B-4FF2-47C9-990E-47014492A0FE}
Nullsoft Install System-->"C:\Program Files\NSIS\uninst-nsis.exe"
Option GT Full-->C:\PROGRA~1\FICHIE~1\France Telecom\OGTFULL\1\uninstHardComponent.exe Uninstall.ini
PDFCreator-->C:\Program Files\PDFCreator\unins000.exe
Primavera 5.0-->C:\PROGRA~1\FICHIE~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{D9FF18B5-8EEF-405D-9D7E-F1AE07D230FE}
Pro Client-->C:\Program Files\w2hlegacy\CpHostProUninstall.exe
PS'Soft Service Desk - Thick Client-->MsiExec.exe /X{FC3AE812-2AD3-442C-B14D-1943F993FF9C}
PS'Soft Tools - Configuration Utility-->MsiExec.exe /X{70EFD80C-0222-46D9-B1A7-0FAB9EF3F494}
QP: Discovery Agent-->MsiExec.exe /I{F6F0C706-147F-4326-A6D7-9996C147C338}
QuickTime-->MsiExec.exe /I{216AB108-2AE1-4130-B3D5-20B2C4C80F8F}
RedMon - Redirection Port Monitor-->C:\WINDOWS\System32\unredmon.exe
RocketDock 1.3.5-->"C:\Program Files\RocketDock\unins000.exe"
Sametime Client v6.5.1-->C:\WINDOWS\IsUn040c.exe -f"C:\Program Files\lotus\Sametime Client\STCUnins.isu"
SametimeClient-->MsiExec.exe /X{7E8F2F30-46B6-4603-9A1E-99F825253D4B}
SAP Kerberos SSO Support-->MsiExec.exe /I{6EC3F304-AE5F-11D3-92BC-080009D23372}
SlowView-->"C:\Program Files\SlowView\Uninstall.exe"
Split File Shell Extension v3.1b-->rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultUninstall 4 C:\WINDOWS\System32\Shellext\split.inf
Symantec Ghost Console et Outils standard-->MsiExec.exe /I{05CEAB6E-FAD4-449E-0914-D593AC333080}
Système de protection active ThinkVantage-->MsiExec.exe /X{46A84694-59EC-48F0-964C-7E76E9F8A2ED}
ThinkPad Bluetooth with Enhanced Data Rate Software-->MsiExec.exe /X{84814E6B-2581-46EC-926A-823BD1C670F6}
ThinkPad FullScreen Magnifier-->RunDll32 setupapi.dll,InstallHinfSection DefaultUninstall.NT 132 C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.inf
ThinkPad Modem-->C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_10140588\UIU32m.exe -U -ITkp0588k.inf
ThinkPad Power Management Driver-->RunDll32.exe tpinspm.dll,Uninstall
Transcender Test Engine-->C:\PROGRA~1\TRANSC~1\UNWISE.EXE C:\PROGRA~1\TRANSC~1\INSTALL.LOG
Transcender: Exam Cert-70-270 -->C:\PROGRA~1\TRANSC~1\EXAMFI~1\EXAMID~1\UNWISE.EXE C:\PROGRA~1\TRANSC~1\EXAMFI~1\EXAMID~1\INSTALL.LOG
Tweakui Powertoy for Windows XP-->MsiExec.exe /I{C7793EE8-F666-4E6B-9827-76468679480E}
UltraEdit 14.20-->MsiExec.exe /I{D4948A0D-402F-4966-AE08-76574503E9A4}
UltraVNC v1.0.1-->"C:\Program Files\UltraVNC\unins000.exe"
VC_MergeModuleToMSI-->MsiExec.exe /I{900A92BA-19EF-4A34-86CF-7B6C85BDD971}
Visual Task Tips 2.1-->C:\Program Files\VisualTaskTips\uninst.exe
VLC media player 0.9.8a-->C:\Program Files\VideoLAN\VLC\uninstall.exe
VMware Infrastructure Update-->MsiExec.exe /X{D93B70D2-4DA4-4F6F-9DC8-72D08F74A386}
Windows Installer Clean Up-->MsiExec.exe /I{121634B0-2F4A-11D3-ADA3-00C04F52DD52}
Windows Server 2003 Administration Tools Pack-->MsiExec.exe /I{5E076CF2-EFED-43A2-A623-13E0D62EC7E0}
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinHTTrack Website Copier 3.30-->"C:\Program Files\WinHTTrack\unins000.exe"
WinPcap 4.0.2-->C:\Program Files\WinPcap\uninstall.exe
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
WinSCP 4.2.1 beta-->"C:\Program Files\WinSCP\unins000.exe"
Wireshark 1.0.7-->"C:\Program Files\Wireshark\uninstall.exe"

======Security center information======

AV: Kaspersky Anti-Virus

======System event log======

Computer Name: thiem
Event Code: 7036
Message: Le service Multi-user Cleanup Service est entré dans l'état : en cours d'exécution.

Record Number: 1537047
Source Name: Service Control Manager
Time Written: 20090603012835.000000+120
Event Type: Informations
User:

Computer Name: thiem
Event Code: 7036
Message: Le service Multi-user Cleanup Service est entré dans l'état : en cours d'exécution.

Record Number: 1537046
Source Name: Service Control Manager
Time Written: 20090603012830.000000+120
Event Type: Informations
User:

Computer Name: thiem
Event Code: 7036
Message: Le service Multi-user Cleanup Service est entré dans l'état : en cours d'exécution.

Record Number: 1537045
Source Name: Service Control Manager
Time Written: 20090603012825.000000+120
Event Type: Informations
User:

Computer Name: thiem
Event Code: 7036
Message: Le service Multi-user Cleanup Service est entré dans l'état : en cours d'exécution.

Record Number: 1537044
Source Name: Service Control Manager
Time Written: 20090603012820.000000+120
Event Type: Informations
User:

Computer Name: thiem
Event Code: 7036
Message: Le service Multi-user Cleanup Service est entré dans l'état : en cours d'exécution.

Record Number: 1537043
Source Name: Service Control Manager
Time Written: 20090603012815.000000+120
Event Type: Informations
User:

=====Application event log=====

Computer Name: BE-59BXA7SCWUQ
Event Code: 0
Message:
Record Number: 5
Source Name: btwdins
Time Written: 20070921034417.000000+120
Event Type: Informations
User:

Computer Name: BE-59BXA7SCWUQ
Event Code: 0
Message:
Record Number: 4
Source Name: btwdins
Time Written: 20070921034417.000000+120
Event Type: Informations
User:

Computer Name: BE-59BXA7SCWUQ
Event Code: 1002
Message: L'environnement s'est arrêté de façon inattendue et Explorer.exe a redémarré.

Record Number: 3
Source Name: Winlogon
Time Written: 20070921034357.000000+120
Event Type: Informations
User:

Computer Name: BE-59BXA7SCWUQ
Event Code: 1000
Message: Les compteurs de performances pour le service WmiApRpl (WmiApRpl) ont été chargés.
Les données d'enregistrement contiennent les nouvelles valeurs d'index
assignées à ce service.

Record Number: 2
Source Name: LoadPerf
Time Written: 20070921033801.000000+120
Event Type: Informations
User:

Computer Name: BE-59BXA7SCWUQ
Event Code: 1001
Message: Les compteurs de performances pour le service WmiApRpl (WmiApRpl) ont été supprimés.
Les données d'enregistrement contiennent les nouvelles valeurs du dernier compteur système
et les dernières entrées du registre d'aide.

Record Number: 1
Source Name: LoadPerf
Time Written: 20070921033801.000000+120
Event Type: Informations
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=D:\oracle\ora90\bin;C:\Program Files\Oracle\jre\1.3.1\bin;C:\Program Files\Oracle\jre\1.1.8\bin;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\Fichiers communs\GTK\2.0\bin;C:\Program Files\WallData\Shared\system;C:\Program Files\QuickTime\QTSystem\
"windir"=%SystemRoot%
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 15 Stepping 13, GenuineIntel
"PROCESSOR_REVISION"=0f0d
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"Typepst"=Portable
"Site"=DOI
"mesdocs"=D:\userdata
"LGSRV"=\\d0001doi
"LOGICI"=\\d0002doi
"FP_NO_HOST_CHECK"=NO
"WV_GATEWAY_CFG"=D:\oracle\ora90\Apache\modplsql\cfg\wdbsvr.app
"JSERV"=D:\oracle\ora90/Apache/Jserv/conf
"CLASSPATH"=.;C:\Program Files\Java\j2re1.4.2\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\j2re1.4.2\lib\ext\QTJava.zip

-----------------EOF-----------------






log.txt:


Logfile of random's system information tool 1.06 (written by random/random)
Run by thiem60 at 2009-06-04 09:08:57
Microsoft Windows XP Professionnel Service Pack 3
System drive C: has 2 GB (16%) free of 15 GB
Total RAM: 998 MB (5% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:09:15, on 04/06/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe
C:\Program Files\Kaspersky Lab\NetworkAgent\klnagent.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\lotus\notes\ntmulti.exe
C:\Program Files\Symantec\Ghost\ngserver.exe
D:\oracle\ora90\bin\omtsreco.exe
D:\oracle\ora90\bin\agntsrvc.exe
D:\oracle\ora90\Apache\Apache\apache.exe
C:\WINDOWS\system32\cmd.exe
D:\oracle\ora90\BIN\TNSLSNR.exe
D:\oracle\ora90\bin\dbsnmp.exe
d:\oracle\ora90\bin\ORACLE.EXE
C:\WINDOWS\System32\TPHDEXLG.exe
C:\Program Files\UltraVNC\WinVNC.exe
D:\oracle\ora90\Apache\Apache\apache.exe
D:\oracle\ora90\jdk\bin\java.exe
D:\oracle\ora90\jdk\bin\java.exe
d:\oracle\ora90\bin\isqlplus
C:\Program Files\Symantec\Ghost\bin\dbserv.exe
C:\Program Files\Symantec\Ghost\bin\rteng9.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\tp4mon.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\AutoSizer\AutoSizer.exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\System32\igfxsrvc.exe
C:\Program Files\Symantec\Ghost\ngtray.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\TpShocks.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\VisualTaskTips\VisualTaskTips.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\lotus\notes\NLNOTES.EXE
C:\Program Files\Lotus\Sametime Client\Connect.exe
C:\Program Files\lotus\notes\ntaskldr.EXE
C:\WINDOWS\system32\mstsc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\mlemer\Bureau\RSIT.exe
C:\Program Files\trend micro\MLEMER.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.fr
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by GROUPE BEL
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://s0031bel.fr.bel.com/proxy.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = n0004doi.fr.bel.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.*;intrabel;172.*;*.bel.com;sso.capgemini.com;empower.capgemini.com;www.cpgmarket.com;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [AutoSizer] "C:\Program Files
répondre
thiem60 le 04 juin 2009 à 09h24
info.txt :


info.txt logfile of random's system information tool 1.06 2009-06-04 09:09:20

======Uninstall list======

-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\System32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Advanced IP Scanner v1.1-->C:\Program Files\Advanced IP Scanner\uninstal.exe
AFPL Ghostscript 8.00-->C:\gs\uninstgs.exe "C:\gs\gs8.00\uninstal.txt"
AFPL Ghostscript Fonts-->C:\gs\uninstgs.exe "C:\gs\fonts\uninstal.txt"
Apple Mobile Device Support-->MsiExec.exe /I{162B71B8-8464-4680-A086-601D555B331D}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
Atmel TPM Driver Installer 3.0.3.15-->MsiExec.exe /X{BBD6BA59-4593-43CC-BBC8-8E53D354AEA4}
AutoIt v3.3.0.0-->C:\Program Files\AutoIt3\Uninstall.exe
AutoSizer-->C:\Program Files\AutoSizer\Uninst.exe C:\Program Files\AutoSizer\Uninst.ini
Bentley View (V 08.05.01.28) - 1-->"C:\Program Files\InstallShield Installation Information\GUID.exe" -uninstall -guid"{A281BF84-32B4-4A61-B253-7B7F24AD1313}_0"
Bonjour-->MsiExec.exe /I{07287123-B8AC-41CE-8346-3D777245C35B}
Check Point VPN-1 SecureClient NGX R60 HFA1-->RunDll32 C:\PROGRA~1\FICHIE~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9FCF2FC0-8268-11D4-A313-0006290D766E}\setup.exe" ADD_REMOVE
CmdHere Powertoy For Windows XP-->MsiExec.exe /I{6855CCDD-BDF9-48E4-B80A-80DFB96FE36C}
DameWare NT Utilities-->MsiExec.exe /I{4223D93D-B63F-4842-89DA-2180DCE9FD97}
Désinstallation du logiciel Lexmark-->C:\Program Files\Lexmark_HostCD\Install\Uninstall.exe
Dia (remove only)-->C:\Program Files\Dia\dia-uninst.exe
Football Manager 2009-->"C:\Program Files\Sports Interactive\Football Manager 2009\Uninstall_Football Manager 2009\Uninstall Football Manager 2009.exe"
Foxit Reader-->C:\Program Files\Foxit Software\Foxit Reader\Uninstall.exe
Free PDF to Word Doc Converter v1.1-->"C:\Program Files\Free PDF to Word Doc Converter\unins000.exe"
Gestionnaire d'alimentation ThinkPad-->RunDll32 C:\PROGRA~1\FICHIE~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A0E64EBA-8BF0-49FB-90C0-BB3D781A2016}\SETUP.EXE" -l0x40c -AddRemove
getPlus(R)_ocx-->rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\inf\GETPLUSo.INF, DefaultUninstall
GTK+ 1.3.0-20030717 runtime environment-->C:\WINDOWS\unins000.exe
GTK+ 2.6.9 runtime environment-->"C:\Program Files\Fichiers communs\GTK\2.0\unins000.exe"
HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall
Indeo® Software-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Ligos\Indeo\Uninst.isu" -c"C:\Program Files\Ligos\Indeo\Indeo System Files\indounin.dll"
Intel(R) Graphics Media Accelerator Driver-->C:\WINDOWS\System32\igxpun.exe -uninstall
Intel(R) PRO Network Connections Drivers-->Prounstl.exe
iTunes-->MsiExec.exe /I{C26B06A9-27BB-45B0-9873-9C623EC2BA38}
Java 2 Runtime Environment, SE v1.4.2-->MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142000}
Kaspersky Administration Kit-->C:\PROGRA~1\FICHIE~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{12C259B1-8E8C-498D-927D-60040190BF79}
Kaspersky Anti-Virus 5.0 for Windows File Servers Console Plugin-->MsiExec.exe /X{91607FF0-D28A-48CC-9E39-E0882716A88B}
Kaspersky Anti-Virus 6.0 Console Plugin-->MsiExec.exe /X{F80373B5-40DD-46E9-8D56-EEA1AE6DB63E}
Kaspersky Anti-Virus 6.0 for Windows Workstations-->MsiExec.exe /I{79B986AD-54D8-4498-AA06-89808829ACC0}
Kaspersky Anti-Virus 6.0 for Windows Workstations-->MsiExec.exe /I{79B986AD-54D8-4498-AA06-89808829ACC0}
Kaspersky Network Agent-->C:\PROGRA~1\FICHIE~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{7C72AAB5-8A7D-4882-950C-A1F26A949DA3}
Lotus Notes 6.0.3 fr-->MsiExec.exe /I{5FF59A5F-029E-4B7C-A485-69D2ABA1FD11}
Micromega Software System EasyScan-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\EasyScan\Uninst.isu"
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0-->C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office Excel 2003-->MsiExec.exe /I{9016040C-6000-11D3-8CFE-0150048383C9}
Microsoft Office PowerPoint 2003-->MsiExec.exe /I{9018040C-6000-11D3-8CFE-0150048383C9}
Microsoft Office Standard Edition 2003-->MsiExec.exe /I{9012040C-6000-11D3-8CFE-0150048383C9}
Microsoft Office Visio Viewer 2003 (English)-->MsiExec.exe /I{90520409-6000-11D3-8CFE-0150048383C9}
Microsoft Silverlight-->MsiExec.exe /X{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Mise à jour de sécurité pour Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Module de compatibilité pour Microsoft Office System 2007-->MsiExec.exe /X{90120000-0020-040C-0000-0000000FF1CE}
Mozilla Firefox (3.0.10)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 6.0 Parser-->MsiExec.exe /I{AEB9948B-4FF2-47C9-990E-47014492A0FE}
Nullsoft Install System-->"C:\Program Files\NSIS\uninst-nsis.exe"
Option GT Full-->C:\PROGRA~1\FICHIE~1\France Telecom\OGTFULL\1\uninstHardComponent.exe Uninstall.ini
PDFCreator-->C:\Program Files\PDFCreator\unins000.exe
Primavera 5.0-->C:\PROGRA~1\FICHIE~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{D9FF18B5-8EEF-405D-9D7E-F1AE07D230FE}
Pro Client-->C:\Program Files\w2hlegacy\CpHostProUninstall.exe
PS'Soft Service Desk - Thick Client-->MsiExec.exe /X{FC3AE812-2AD3-442C-B14D-1943F993FF9C}
PS'Soft Tools - Configuration Utility-->MsiExec.exe /X{70EFD80C-0222-46D9-B1A7-0FAB9EF3F494}
QP: Discovery Agent-->MsiExec.exe /I{F6F0C706-147F-4326-A6D7-9996C147C338}
QuickTime-->MsiExec.exe /I{216AB108-2AE1-4130-B3D5-20B2C4C80F8F}
RedMon - Redirection Port Monitor-->C:\WINDOWS\System32\unredmon.exe
RocketDock 1.3.5-->"C:\Program Files\RocketDock\unins000.exe"
Sametime Client v6.5.1-->C:\WINDOWS\IsUn040c.exe -f"C:\Program Files\lotus\Sametime Client\STCUnins.isu"
SametimeClient-->MsiExec.exe /X{7E8F2F30-46B6-4603-9A1E-99F825253D4B}
SAP Kerberos SSO Support-->MsiExec.exe /I{6EC3F304-AE5F-11D3-92BC-080009D23372}
SlowView-->"C:\Program Files\SlowView\Uninstall.exe"
Split File Shell Extension v3.1b-->rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultUninstall 4 C:\WINDOWS\System32\Shellext\split.inf
Symantec Ghost Console et Outils standard-->MsiExec.exe /I{05CEAB6E-FAD4-449E-0914-D593AC333080}
Système de protection active ThinkVantage-->MsiExec.exe /X{46A84694-59EC-48F0-964C-7E76E9F8A2ED}
ThinkPad Bluetooth with Enhanced Data Rate Software-->MsiExec.exe /X{84814E6B-2581-46EC-926A-823BD1C670F6}
ThinkPad FullScreen Magnifier-->RunDll32 setupapi.dll,InstallHinfSection DefaultUninstall.NT 132 C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.inf
ThinkPad Modem-->C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_10140588\UIU32m.exe -U -ITkp0588k.inf
ThinkPad Power Management Driver-->RunDll32.exe tpinspm.dll,Uninstall
Transcender Test Engine-->C:\PROGRA~1\TRANSC~1\UNWISE.EXE C:\PROGRA~1\TRANSC~1\INSTALL.LOG
Transcender: Exam Cert-70-270 -->C:\PROGRA~1\TRANSC~1\EXAMFI~1\EXAMID~1\UNWISE.EXE C:\PROGRA~1\TRANSC~1\EXAMFI~1\EXAMID~1\INSTALL.LOG
Tweakui Powertoy for Windows XP-->MsiExec.exe /I{C7793EE8-F666-4E6B-9827-76468679480E}
UltraEdit 14.20-->MsiExec.exe /I{D4948A0D-402F-4966-AE08-76574503E9A4}
UltraVNC v1.0.1-->"C:\Program Files\UltraVNC\unins000.exe"
VC_MergeModuleToMSI-->MsiExec.exe /I{900A92BA-19EF-4A34-86CF-7B6C85BDD971}
Visual Task Tips 2.1-->C:\Program Files\VisualTaskTips\uninst.exe
VLC media player 0.9.8a-->C:\Program Files\VideoLAN\VLC\uninstall.exe
VMware Infrastructure Update-->MsiExec.exe /X{D93B70D2-4DA4-4F6F-9DC8-72D08F74A386}
Windows Installer Clean Up-->MsiExec.exe /I{121634B0-2F4A-11D3-ADA3-00C04F52DD52}
Windows Server 2003 Administration Tools Pack-->MsiExec.exe /I{5E076CF2-EFED-43A2-A623-13E0D62EC7E0}
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinHTTrack Website Copier 3.30-->"C:\Program Files\WinHTTrack\unins000.exe"
WinPcap 4.0.2-->C:\Program Files\WinPcap\uninstall.exe
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
WinSCP 4.2.1 beta-->"C:\Program Files\WinSCP\unins000.exe"
Wireshark 1.0.7-->"C:\Program Files\Wireshark\uninstall.exe"

======Security center information======

AV: Kaspersky Anti-Virus

======System event log======

Computer Name: thiem
Event Code: 7036
Message: Le service Multi-user Cleanup Service est entré dans l'état : en cours d'exécution.

Record Number: 1537047
Source Name: Service Control Manager
Time Written: 20090603012835.000000+120
Event Type: Informations
User:

Computer Name: thiem
Event Code: 7036
Message: Le service Multi-user Cleanup Service est entré dans l'état : en cours d'exécution.

Record Number: 1537046
Source Name: Service Control Manager
Time Written: 20090603012830.000000+120
Event Type: Informations
User:

Computer Name: thiem
Event Code: 7036
Message: Le service Multi-user Cleanup Service est entré dans l'état : en cours d'exécution.

Record Number: 1537045
Source Name: Service Control Manager
Time Written: 20090603012825.000000+120
Event Type: Informations
User:

Computer Name: thiem
Event Code: 7036
Message: Le service Multi-user Cleanup Service est entré dans l'état : en cours d'exécution.

Record Number: 1537044
Source Name: Service Control Manager
Time Written: 20090603012820.000000+120
Event Type: Informations
User:

Computer Name: thiem
Event Code: 7036
Message: Le service Multi-user Cleanup Service est entré dans l'état : en cours d'exécution.

Record Number: 1537043
Source Name: Service Control Manager
Time Written: 20090603012815.000000+120
Event Type: Informations
User:

=====Application event log=====

Computer Name: BE-59BXA7SCWUQ
Event Code: 0
Message:
Record Number: 5
Source Name: btwdins
Time Written: 20070921034417.000000+120
Event Type: Informations
User:

Computer Name: BE-59BXA7SCWUQ
Event Code: 0
Message:
Record Number: 4
Source Name: btwdins
Time Written: 20070921034417.000000+120
Event Type: Informations
User:

Computer Name: BE-59BXA7SCWUQ
Event Code: 1002
Message: L'environnement s'est arrêté de façon inattendue et Explorer.exe a redémarré.

Record Number: 3
Source Name: Winlogon
Time Written: 20070921034357.000000+120
Event Type: Informations
User:

Computer Name: BE-59BXA7SCWUQ
Event Code: 1000
Message: Les compteurs de performances pour le service WmiApRpl (WmiApRpl) ont été chargés.
Les données d'enregistrement contiennent les nouvelles valeurs d'index
assignées à ce service.

Record Number: 2
Source Name: LoadPerf
Time Written: 20070921033801.000000+120
Event Type: Informations
User:

Computer Name: BE-59BXA7SCWUQ
Event Code: 1001
Message: Les compteurs de performances pour le service WmiApRpl (WmiApRpl) ont été supprimés.
Les données d'enregistrement contiennent les nouvelles valeurs du dernier compteur système
et les dernières entrées du registre d'aide.

Record Number: 1
Source Name: LoadPerf
Time Written: 20070921033801.000000+120
Event Type: Informations
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=D:\oracle\ora90\bin;C:\Program Files\Oracle\jre\1.3.1\bin;C:\Program Files\Oracle\jre\1.1.8\bin;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\Fichiers communs\GTK\2.0\bin;C:\Program Files\WallData\Shared\system;C:\Program Files\QuickTime\QTSystem\
"windir"=%SystemRoot%
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 15 Stepping 13, GenuineIntel
"PROCESSOR_REVISION"=0f0d
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"Typepst"=Portable
"Site"=DOI
"mesdocs"=D:\userdata
"LGSRV"=\\d0001doi
"LOGICI"=\\d0002doi
"FP_NO_HOST_CHECK"=NO
"WV_GATEWAY_CFG"=D:\oracle\ora90\Apache\modplsql\cfg\wdbsvr.app
"JSERV"=D:\oracle\ora90/Apache/Jserv/conf
"CLASSPATH"=.;C:\Program Files\Java\j2re1.4.2\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\j2re1.4.2\lib\ext\QTJava.zip

-----------------EOF-----------------






log.txt:


Logfile of random's system information tool 1.06 (written by random/random)
Run by thiem60 at 2009-06-04 09:08:57
Microsoft Windows XP Professionnel Service Pack 3
System drive C: has 2 GB (16%) free of 15 GB
Total RAM: 998 MB (5% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:09:15, on 04/06/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe
C:\Program Files\Kaspersky Lab\NetworkAgent\klnagent.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\lotus\notes\ntmulti.exe
C:\Program Files\Symantec\Ghost\ngserver.exe
D:\oracle\ora90\bin\omtsreco.exe
D:\oracle\ora90\bin\agntsrvc.exe
D:\oracle\ora90\Apache\Apache\apache.exe
C:\WINDOWS\system32\cmd.exe
D:\oracle\ora90\BIN\TNSLSNR.exe
D:\oracle\ora90\bin\dbsnmp.exe
d:\oracle\ora90\bin\ORACLE.EXE
C:\WINDOWS\System32\TPHDEXLG.exe
C:\Program Files\UltraVNC\WinVNC.exe
D:\oracle\ora90\Apache\Apache\apache.exe
D:\oracle\ora90\jdk\bin\java.exe
D:\oracle\ora90\jdk\bin\java.exe
d:\oracle\ora90\bin\isqlplus
C:\Program Files\Symantec\Ghost\bin\dbserv.exe
C:\Program Files\Symantec\Ghost\bin\rteng9.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\tp4mon.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\AutoSizer\AutoSizer.exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\System32\igfxsrvc.exe
C:\Program Files\Symantec\Ghost\ngtray.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\TpShocks.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\VisualTaskTips\VisualTaskTips.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\lotus\notes\NLNOTES.EXE
C:\Program Files\Lotus\Sametime Client\Connect.exe
C:\Program Files\lotus\notes\ntaskldr.EXE
C:\WINDOWS\system32\mstsc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\mlemer\Bureau\RSIT.exe
C:\Program Files\trend micro\MLEMER.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.fr
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by GROUPE BEL
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://s0031bel.fr.bel.com/proxy.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = n0004doi.fr.bel.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.*;intrabel;172.*;*.bel.com;sso.capgemini.com;empower.capgemini.com;www.cpgmarket.com;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [AutoSizer] "C:\Program Files
répondre
dédétraqué le 04 juin 2009 à 12h41
Salut thiem60


Télécharge combofix.exe (de sUBs) sur le bureau :

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Important Désactive ton Antivirus et antispyware avant le scan avec Combofix :
http://forum.pcastuces.com/desactiver_les_protections_residentes-f31s4.htm


==> Sauvegarde ton travail et ferme toutes les fenêtres actives, il peut y avoir un redémarrage du PC. Ne lance aucun programme tant que Combofix n’est pas fini. <==

Double clique sur combofix.exe, clique sur OUI et valide par Entrée

Il te sera demandé d’installer la console si elle n’est pas installer, clique sur NON

Lorsque le scan sera complété, un rapport apparaîtra. Copie/colle ce rapport dans ta prochaine réponse.

NOTE : Le rapport se trouve également ici : C:\ Combofix.txt

Combofix est détecté par certains antivirus comme une infection, ne pas en tenir compte, il s'agit d'un faux positif, continue la procédure


@++ :)
répondre
thiem60 le 05 juin 2009 à 09h37
ComboFix 09-06-04.06 - MLEMER 05/06/2009 9:15.1 - NTFSx86
Microsoft Windows XP Professionnel 5.1.2600.3.1252.33.1036.18.998.192 [GMT 2:00]
Lancé depuis: c:\documents and settings\mlemer\Bureau\ComboFix.exe
AV: Kaspersky Anti-Virus *On-access scanning enabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Anti-Virus *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
* Un antivirus résident est actif


AVERTISSEMENT - LA CONSOLE DE RÉCUPÉRATION N'EST PAS INSTALLÉE SUR CETTE MACHINE !!
.

(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\IE4 Error Log.txt
c:\windows\patch.exe
c:\windows\system32\drivers\etc\lmhosts
c:\windows\system32\drivers\IBM_7674_W9T_TP.MRK
c:\windows\system32\MabryObj.dll

.
((((((((((((((((((((((((((((( Fichiers créés du 2009-05-05 au 2009-06-05 ))))))))))))))))))))))))))))))))))))
.

2009-06-04 07:08 . 2009-06-04 07:09 -------- d-----w- C:\rsit
2009-06-04 06:56 . 2009-06-04 06:56 16896 ----a-r- c:\documents and settings\mlemer\Application Data\Microsoft\Installer\{7E8F2F30-46B6-4603-9A1E-99F825253D4B}\VSW569_7E8F2F30.exe
2009-06-02 16:04 . 2009-06-02 16:04 512000 ----a-w- c:\windows\system32\winlogon.exe
2009-06-02 10:26 . 2009-06-02 10:26 -------- d-----w- c:\documents and settings\oleapi95\Application Data\Grisoft
2009-06-02 10:16 . 2009-06-04 07:09 -------- d-----w- c:\program files\Trend Micro
2009-06-02 10:09 . 2009-06-02 10:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Grisoft
2009-06-02 09:12 . 2009-06-02 11:41 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-02 09:12 . 2009-06-02 11:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-02 09:05 . 2009-06-02 09:05 -------- d-----w- c:\documents and settings\mlemer\Application Data\AVG8
2009-06-02 08:55 . 2009-06-02 08:55 -------- d-----w- c:\windows\system32\bfubackups
2009-06-02 08:40 . 2009-06-02 08:40 -------- d-----w- c:\documents and settings\mlemer\Application Data\Xerox
2009-06-02 08:33 . 2009-06-02 08:34 -------- d-----w- C:\BFU
2009-05-29 09:26 . 2009-05-29 09:26 -------- d-----w- c:\program files\Microsoft Silverlight
2009-05-28 13:33 . 2009-05-28 13:33 -------- d-----w- c:\program files\MSECache
2009-05-28 13:17 . 2009-05-28 13:17 40448 ----a-w- c:\windows\system32\winpyq32.dll
2009-05-12 07:10 . 2007-10-23 07:27 110592 ----a-w- c:\documents and settings\mlemer\Application Data\U3\temp\cleanup.exe
2009-05-12 07:09 . 2008-05-02 08:41 3493888 ---ha-w- c:\documents and settings\mlemer\Application Data\U3\temp\Launchpad Removal.exe
2009-05-12 07:09 . 2009-05-12 07:10 -------- d-----w- c:\documents and settings\mlemer\Application Data\U3
2009-05-06 13:35 . 2009-05-06 13:35 -------- d-----w- c:\program files\Advanced IP Scanner

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-05 07:26 . 2009-02-13 13:17 11689248 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-06-05 07:26 . 2009-02-13 13:17 283936 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-06-05 07:22 . 2009-02-13 13:17 159380 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-06-05 07:22 . 2009-02-13 13:17 33908 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-06-05 07:02 . 2009-02-13 13:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-06-03 07:37 . 2008-03-05 11:42 -------- d-----w- c:\documents and settings\mlemer\Application Data\FileZilla
2009-05-28 09:17 . 2007-09-21 07:23 -------- d-----w- c:\program files\CheckPoint
2009-05-25 07:35 . 2009-02-13 13:17 94643 ----a-w- c:\windows\system32\drivers\klick.dat
2009-05-25 07:35 . 2009-02-13 13:17 105395 ----a-w- c:\windows\system32\drivers\klin.dat
2009-04-30 08:50 . 2009-04-30 08:50 -------- d-----w- c:\documents and settings\mlemer\Application Data\Wireshark
2009-04-30 08:48 . 2009-04-30 08:34 -------- d-----w- c:\program files\Wireshark
2009-04-30 08:48 . 2009-04-30 08:34 -------- d-----w- c:\program files\WinPcap
2009-04-24 10:26 . 2009-04-24 10:26 139264 ----a-w- c:\documents and settings\mlemer\remotedrive_1_BPET26H_14.dll
2009-04-21 15:04 . 2003-11-16 04:35 -------- d-----w- c:\program files\EasyScan
2009-04-14 13:21 . 2009-04-14 10:55 -------- d-----w- c:\documents and settings\mlemer\Application Data\dvdcss
2009-04-08 15:22 . 2009-02-13 13:28 201504 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP6\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav6\6.0.3.830\klif.sys
2009-03-30 20:20 . 2002-09-10 18:27 75704 ----a-w- c:\windows\system32\perfc00C.dat
2009-03-30 20:20 . 2002-09-10 18:27 468728 ----a-w- c:\windows\system32\perfh00C.dat
2009-03-12 20:18 . 2009-03-12 20:18 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.0.52\SetupAdmin.exe
.

((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-12-29 687560]
"VisualTaskTips"="c:\program files\VisualTaskTips\VisualTaskTips.exe" [2006-07-31 36864]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2007-05-16 138008]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2007-05-16 162584]
"Persistence"="c:\windows\System32\igfxpers.exe" [2007-05-16 138008]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-01-28 925696]
"AutoSizer"="c:\program files\AutoSizer\AutoSizer.exe" [2003-11-16 57344]
"TPHOTKEY"="c:\progra~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-10-02 94208]
"NGTray"="c:\program files\Symantec\Ghost\ngtray.exe" [2007-05-02 181896]
"WinVNC"="c:\program files\UltraVNC\winvnc.exe" [2005-08-06 974848]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-13 143872]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2008-01-10 294912]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2008-01-10 208896]
"PSQLLauncher"="c:\program files\ThinkVantage Fingerprint Software\launcher.exe" [2007-03-14 49168]
"TrackPointSrv"="tp4mon.exe" - c:\windows\system32\tp4mon.exe [2008-04-13 82944]
"TpShocks"="TpShocks.exe" - c:\windows\system32\TpShocks.exe [2007-11-22 181536]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\ctfmon.exe" [2008-04-13 15360]

[HKEY_CURRENT_USER\software\microsoft\windows\Currentversion\policies\explorer\Run]
"1"="c:\utilities\Lanceur.vbs" [2003-12-10 304]

c:\documents and settings\All Users\Menu D‚marrer\Programmes\D‚marrage\
Bginfo.lnk - c:\utilities\Bginfo.exe [2005-11-18 512045]
BTTray.lnk - c:\program files\ThinkPad\Bluetooth Software\BTTray.exe [2007-2-27 561213]
MAJ Applications eBel.lnk - c:\utilities\Log\Appinst.vbs [2008-2-18 12778]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
"NoMSAppLogo5ChannelNotify"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"RecycleBinSize"= 10 (0xa)
"NoTaskGrouping"= 1 (0x1)
"NoSMBalloonTip"= 0 (0x0)
"MemCheckBoxInRunDlg"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-03-14 21:17 89600 ----a-w- c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
2006-04-09 18:59 24674 ----a-w- c:\windows\system32\ckpNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-05 22:45 28672 ----a-w- c:\windows\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-11-30 19:16 24576 ----a-w- c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winpyq32]
2009-05-28 13:17 40448 ----a-w- c:\windows\system32\winpyq32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2187590103-147294922-1584409417-13925\Scripts\Logoff\0\0]
"Script"=logoff.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2187590103-147294922-1584409417-13925\Scripts\Logon\0\0]
"Script"=logon.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2187590103-147294922-1584409417-20143\Scripts\Logoff\0\0]
"Script"=Logoff.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2187590103-147294922-1584409417-20143\Scripts\Logon\0\0]
"Script"=Logon.vbs

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Démarrer^Programmes^Démarrage^Intrabel at startup.lnk]
path=c:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\Intrabel at startup.lnk
backup=c:\windows\pss\Intrabel at startup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.exe"=
"c:\\Program Files\\Symantec\\Ghost\\GhostSrv.exe"=
"d:\\oracle\\ora90\\Apache\\Apache\\Apache.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Sports Interactive\\Football Manager 2009\\fm.exe"=
"c:\\WINDOWS\\system32\\winver.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"15000:UDP"= 15000:UDP:Kaspersky Administration Kit

R0 Shockprf;Shockprf;c:\windows\system32\drivers\ApsX86.sys [16/10/2007 18:33 103472]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [16/10/2007 18:32 19504]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [23/06/2008 09:33 4442]
R2 CP_OMDRV;Check Point Office Mode Module;c:\windows\system32\drivers\omdrv.sys [03/10/2007 15:42 36400]
R2 klnagent;Kaspersky Network Agent;c:\program files\Kaspersky Lab\NetworkAgent\klnagent.exe [17/03/2008 17:19 94608]
R2 OracleOraHome90HTTPServer;OracleOraHome90HTTPServer;d:\oracle\ora90\Apache\Apache\Apache.exe [18/04/2002 23:02 4096]
R2 OracleOraHome90TNSListener;OracleOraHome90TNSListener;d:\oracle\ora90\BIN\TNSLSNR --> d:\oracle\ora90\BIN\TNSLSNR [?]
R2 OracleServiceHOTEL;OracleServiceHOTEL;d:\oracle\ora90\bin\ORACLE.EXE HOTEL --> d:\oracle\ora90\bin\ORACLE.EXE HOTEL [?]
R2 QP: Discovery Agent;QP: Discovery Agent;c:\program files\PSSOFT\QPDiscovery\agent\QPDISCOVERY.EXE [16/01/2006 09:42 339968]
R2 smihlp;SMI Helper Driver (smihlp);c:\program files\Fichiers communs\ThinkVantage Fingerprint Software\Drivers\smihlp.sys [14/03/2007 23:10 11152]
R2 VNASC;Check Point Virtual Network Adapter - SecureClient;c:\windows\system32\drivers\vnasc.sys [03/10/2007 15:42 109072]
R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [03/10/2007 15:42 671472]
R3 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [03/10/2007 15:42 2234320]
S3 GTFFBUS;GT FF BUS;c:\windows\system32\drivers\gtffbus.sys [17/03/2008 11:11 17152]
S3 GTMNDISIRPXP;GT M 3G+ IRP NDIS;c:\windows\system32\drivers\Gtm51Irp.sys [17/03/2008 11:11 122240]
S3 GTPTSER;GT PT SER;c:\windows\system32\drivers\gtptser.sys [17/03/2008 11:01 8064]
S3 GTUQBUS;GT UQ BUS;c:\windows\system32\drivers\gtuqbus.sys [17/03/2008 11:11 36992]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [06/11/2007 22:22 34064]
S3 OracleOraHome90ClientCache;OracleOraHome90ClientCache;d:\oracle\ora90\bin\ONRSD.EXE [26/04/2002 20:34 242328]
S3 OracleOraHome90PagingServer;OracleOraHome90PagingServer;d:\oracle\ora90\bin\pagntsrv.exe [20/08/2002 22:47 49152]
S3 OracleOraHome90SNMPPeerEncapsulator;OracleOraHome90SNMPPeerEncapsulator;d:\oracle\ora90\bin\encsvc.exe [13/02/2002 09:23 187392]
S3 OracleOraHome90SNMPPeerMasterAgent;OracleOraHome90SNMPPeerMasterAgent;d:\oracle\ora90\bin\agntsvc.exe [13/02/2002 09:23 254464]
S3 QP: Discovery Software Usage Agent;QP: Discovery Software Usage Agent;c:\program files\PSSOFT\QPDiscovery\agent\QPSOFTWAREUSAGE.EXE [14/12/2005 18:06 172032]
S3 QP: Discovery Update Agent;QP: Discovery Update Agent;c:\program files\PSSOFT\QPDiscovery\agent\QPDUpdateService.exe [17/01/2006 17:29 192512]
.
Contenu du dossier 'Tâches planifiées'

2009-06-05 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2008-06-23 23:30]
.
- - - - ORPHELINS SUPPRIMES - - - -

HKCU-Run-TomTomHOME.exe - c:\program files\TomTom HOME 2\HOMERunner.exe
HKLM-Run-S3Hotkey - (no file)
HKLM-Run-S3TRAY2 - (no file)
HKLM-Run-TkBellExe - (no file)
HKLM-Run-QuickTime Task - (no file)
SafeBoot-procexp90.Sys


.
------- Examen supplémentaire -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = 192.*;intrabel;172.*;*.bel.com;sso.capgemini.com;empower.capgemini.com;www.cpgmarket.com;<local>
uInternet Settings,ProxyServer = n0004doi.fr.bel.com:8080
Trusted Zone: bel-insight.com
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {5BDBA960-6534-11D3-97C7-00500422B550} - hxxp://bssdoi37/download/dolcontrol.cab
DPF: {952F9A71-131A-11D5-8404-00500445A7D0} - hxxp://minitel/mplugax.cab
DPF: {ABB81A12-05DF-11D1-A007-02608CDD90E8} - hxxp://s0031bel/w2hlegacy/pro/cphostproclient.cab
FF - ProfilePath - c:\documents and settings\mlemer\Application Data\Mozilla\Firefox\Profiles\d4v96pg2.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.fr/
FF - prefs.js: network.proxy.ftp - n0004doi.fr.bel.com
FF - prefs.js: network.proxy.ftp_port - 8080
FF - prefs.js: network.proxy.gopher - n0004doi.fr.bel.com
FF - prefs.js: network.proxy.gopher_port - 8080
FF - prefs.js: network.proxy.http - n0004doi.fr.bel.com
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.socks - n0004doi.fr.bel.com
FF - prefs.js: network.proxy.socks_port - 8080
FF - prefs.js: network.proxy.ssl - n0004doi.fr.bel.com
FF - prefs.js: network.proxy.ssl_port - 8080
FF - prefs.js: network.proxy.type - 2
FF - component: c:\documents and settings\mlemer\Application Data\Mozilla\Firefox\Profiles\d4v96pg2.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - plugin: c:\documents and settings\mlemer\Application Data\Mozilla\Firefox\Profiles\d4v96pg2.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava14.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJPI142.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-05 09:26
Windows 5.1.2600 Service Pack 3 NTFS

Recherche de processus cachés ...

Recherche d'éléments en démarrage automatique cachés ...

Recherche de fichiers cachés ...

Scan terminé avec succès
Fichiers cachés: 0

**************************************************************************
"ImagePath"="System32\DRIVERS\ql1280.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\QP: Discovery Agent]
"ImagePath"="c:\program files\PSSOFT\QPDiscovery\agent\QPDiscovery.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\QP: Discovery Software Usage Agent]
"ImagePath"="c:\program files\PSSOFT\QPDiscovery\agent\QPSoftwareUsage.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\QP: Discovery Update Agent]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OracleOraHome90PagingServer]
"ImagePath"="d:\oracle\ora90/bin/pagntsrv.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OracleOraHome90TNSListener]
"ImagePath"="d:\oracle\ora90\BIN\TNSLSNR "
.
--------------------- DLLs chargées dans les processus actifs ---------------------

- - - - - - - > 'winlogon.exe'(1188)
c:\windows\system32\vrlogon.dll
c:\windows\system32\klogon.dll
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
c:\program files\ThinkVantage Fingerprint Software\homepass.dll
c:\program files\ThinkVantage Fingerprint Software\bio.dll
c:\program files\ThinkVantage Fingerprint Software\ps2css.dll
c:\program files\ThinkVantage Fingerprint Software\crypto.dll
c:\program files\ThinkVantage Fingerprint Software\remote.dll
c:\windows\system32\tphklock.dll
c:\windows\system32\winpyq32.dll
c:\program files\ThinkVantage Fingerprint Software\pscssint.dll
c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\adialhk.dll

- - - - - - - > 'lsass.exe'(1244)
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
c:\program files\Bonjour\mdnsNSP.dll

- - - - - - - > 'explorer.exe'(556)
c:\program files\RocketDock\RocketDock.dll
c:\program files\VisualTaskTips\VttHooks.dll
c:\windows\system32\btmmhook.dll
c:\program files\AutoSizer\AutoSizer.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\eappprxy.dll
.
------------------------ Autres processus actifs ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\ThinkPad\Bluetooth Software\bin\btwdins.exe
c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe
c:\program files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\lotus\notes\ntmulti.exe
c:\program files\Symantec\Ghost\ngserver.exe
d:\oracle\ora90\bin\omtsreco.exe
d:\oracle\ora90\bin\agntsrvc.exe
d:\oracle\ora90\bin\TNSLSNR.EXE
d:\oracle\ora90\bin\dbsnmp.exe
d:\oracle\ora90\bin\oracle.exe
c:\windows\system32\TPHDEXLG.exe
d:\oracle\ora90\jdk\bin\java.exe
d:\oracle\ora90\jdk\bin\java.exe
d:\oracle\ora90\bin\isqlplus
c:\program files\Symantec\Ghost\bin\dbserv.exe
c:\program files\Symantec\Ghost\bin\rteng9.exe
c:\windows\system32\msiexec.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\rundll32.exe
c:\program files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
c:\program files\Internet Explorer\iexplore.exe
.
**************************************************************************
.
Heure de fin: 2009-06-05 9:30 - La machine a redémarré
ComboFix-quarantined-files.txt 2009-06-05 07:30

Avant-CF: 2 504 658 944 octets libres
Après-CF: 2 514 849 792 octets libres

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
298
répondre
dédétraqué le 05 juin 2009 à 13h00
Salut thiem60


Faire un scan de ce fichier winpyq32.dll ici :

http://www.virustotal.com/fr/


Clique sur Parcourir et copie/colle ceci :
c:\windows\system32\winpyq32.dll
Après tu clique sur Envoyer le fichier et attendre le résultat de l’analyse.


Poste le résultat au complet

Aide : http://bibou0007.com/scans-en-ligne-f75/tutorial-sur-virustotal-t190.htm


Faire de même avec ce fichier :
c:\documents and settings\mlemer\Application Data\Microsoft\Installer\{7E8F2F30-46B6-4603-9A1E-99F825253D4B}\VSW569_7E8F2F30.exe


@++ :)
répondre
thiem60 le 05 juin 2009 à 14h19
Fichier winpyq32.dll :

Résultat: 9/40 (22.5%)

Information additionnelle
File size: 40448 bytes
MD5...: 2feec160eb3be67a4fdf8189a6501f62
SHA1..: 1cf2d6f8bfff0c5db5fa17887056fe04f0dcd6c6
SHA256: 65f3973329686746e177ddff401e82db03832962ecdf43480e02b88fe05ee88b
ssdeep: -
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1050
timedatestamp.....: 0x4a1e7ce3 (Thu May 28 12:00:35 2009)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x79b6 0x7a00 6.27 43b5049e313f0e3b7c9029fedc019de2
.rdata 0x9000 0xe4e 0x1000 4.89 a0ce16c1798a3e6e78a8918e33c3c044
.data 0xa000 0x3554 0x600 5.49 758be50d7a2d576b68c0598f535d238f
.reloc 0xe000 0x8f6 0xa00 5.90 02e148e1a4df5637fe5d5e27961ac5aa

( 4 imports )
> KERNEL32.dll: GetProcAddress, GetLocalTime, FindAtomA, GetModuleFileNameA, GetModuleHandleA, CreateMutexA, CloseHandle, GetVersion, GetTempPathA, GetSystemTime, GetFileSize, lstrcmpA, GetLocaleInfoA, MoveFileExA, FreeLibrary, SystemTimeToFileTime, SetEvent, VirtualFree, GetWindowsDirectoryA, OpenProcess, GetVolumeInformationA, CreateEventA, GetSystemDirectoryA, lstrcmpiA, VirtualAlloc, GetLastError, WritePrivateProfileStringA, MoveFileA, GetCurrentThreadId, GetVersionExA, lstrcpyA, HeapAlloc, HeapFree, GetProcessHeap, ReadFile, VirtualProtectEx, GetTempFileNameA, WriteProcessMemory, DeleteFileA, GetThreadContext, VirtualQueryEx, GlobalAlloc, TerminateProcess, GlobalFree, ResumeThread, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, VirtualQuery, RtlUnwind, lstrcatA, CreateProcessA, Sleep, WriteFile, GetTickCount, WaitForSingleObject, lstrcpynA, lstrlenA, CreateFileA, LoadLibraryA, ExitProcess, IsDebuggerPresent
> USER32.dll: SetThreadDesktop, CloseDesktop, OpenInputDesktop, GetThreadDesktop, FindWindowExA, CallNextHookEx, ClientToScreen, TranslateMessage, InflateRect, CreateWindowExA, DefWindowProcA, SetWindowsHookExA, GetCursorPos, GetCaretPos, PostMessageA, DispatchMessageA, GetMessageA, GetWindowRect, RegisterClassExA, GetFocus, wsprintfA, EqualRect, IsWindowVisible, FindWindowA, LoadCursorA, GetWindowThreadProcessId, LoadIconA
> ADVAPI32.dll: CreateProcessAsUserA, RegQueryValueExA, RegDeleteKeyA, RegEnumKeyExA, RegCreateKeyExA, RegOpenKeyExA, RegDeleteValueA, RegEnumValueA, RegCloseKey, OpenProcessToken
> SHLWAPI.dll: SHDeleteKeyA, SHDeleteValueA, SHSetValueA, SHGetValueA

( 5 exports )
AUyzPMPDlZ, GBBEaJLnA, VlNvsOGH, kurYW, lptTs
PDFiD.: -
RDS...: NSRL Reference Data Set
-
Prevx info: <a href='http://info.prevx.com/aboutprogramtext.asp?PX5=A3E8A3AF002630469E28002F3444EA0081F9238F' target='_blank'>http://info.prevx.com/aboutprogramtext.asp?PX5=A3E8A3AF002630469E28002F3444EA0081F9238F</a>
répondre
thiem60 le 05 juin 2009 à 14h21
Fichier VSW569_7E8F2F30.exe

Résultat: 1/38 (2.64%)

File size: 16896 bytes
MD5...: b2d6db6c6f732a91ae11bf8f045834ab
SHA1..: e0d3925d4e4988f34c9cc4747d21c14733d59ef9
SHA256: f8ab236629fdeb2721a279ff26a78d70ac8f268d8cd5249115c7bbe315936708
ssdeep: -
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x400
timedatestamp.....: 0x3e70e8c6 (Thu Mar 13 20:23:34 2003)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x400 0x26 0x200 0.41 ea3fab44a0faa96a491ce18b31b2bcc8
.rdata 0x600 0x92 0x200 1.17 f8e326dc0246025bf1f28f0af4f6567c
.data 0x800 0x37 0x200 0.96 e8e206760eca50db563d5191cf9a7726
.rsrc 0xa00 0x377c 0x3800 3.99 b3a6e38fe1e01d4f0223d88ea976467c

( 2 imports )
> KERNEL32.dll: ExitProcess
> USER32.dll: MessageBoxA

( 0 exports )
PDFiD.: -
RDS...: NSRL Reference Data Set
répondre
dédétraqué le 06 juin 2009 à 00h14
Salut thiem60


Les rapports ne sont pas complet, as-tu bien regardé le tuto, il me manque le nom de l'infection que chaque Antivirus trouve.

Refais de nouveau.


@++ :)
répondre
thiem60 le 07 juin 2009 à 23h18
Merci dédétraqué !

Virus total m'a trouvé le virus. C'était une dll qui etait associé au process de winlogon. Je l'ai supprimé et ca remarche.



répondre
dédétraqué le 07 juin 2009 à 23h23
Salut thiem60


Supprime ce dossier C:\rsit

Refais un scan avec RSIT et poste les rapports log.txt et info.txt(réduit dans la barre des tâches) à la fin de l’analyse

Les rapports sont dans le dossier ici C:\rsit


@++ :)
répondre


PRODUITS

TÉLÉCHARGER - LOGICIELS

JEUX VIDÉOS

LOISIRS

01NET PRO

AVIS ET COMMENTAIRES

A PROPOS DE 01NET

Forum de 01net / Sécurité / virus inffectant le winlogon.exe
publicité
> 01netPro :
Rubrique Emplois
Consultez les actualités et les dernières offres.

Service 01net
Newsletters 01net
abonnez vous gratuitement !
Actus
Voir le dernier numéro
Entreprise
Voir le dernier numéro
  
01Informatique
01 INFORMATIQUE
L'hebdo de référence des décideurs informatiques.
Micro Hebdo
MICRO HEBDO
L'hebdo qui vous simplifie la micro
et Internet.
L'Ordinateur Individuel
L'ORDINATEUR INDIVIDUEL
Le mensuel informatique qui vous informe et vous conseille.
Nous contacter  |  Charte de confiance  |  Voir notice légale

01net.  -  01men  -  RMC  -  BFM Radio  -  BFM TV  -  TousLesPodcasts  -  01informatique.fr  -  Association RMC-BFM
Tous droits réservés © 1999 - 2009 Internext - 01net.