Infection nnnonmjh.dll TR/cryptxpack.gen sous XP SP2
Dernière réponse : dans Le monde de Windows
Bonjour,
J'ai fais le ***.
J'ai activé une série de virus et trojans par l'ouverture d'un exe inconnu (je voulais savoir ce que c'était...![:pt1cable:]( ":pt1cable:")
Une bonne quizaine d'alerte Antivir auxquelles j'ai dit sans même réfléchir "DELETE" et pis voilà ...
Il en reste un...
Impossible de le trucider; ni même en mode sans échec.
Il est détecté sous un .dll et est nommé par antivir: TR/cryptxpack.gen
le .dll est dans le dossier système32 bien sûr.
J'ai tenté avec Hijackthis le Fix Cheched m&ais rien à faire, il est redondant. Aucune fenêtre ne m'indique qu'il est innéfaçable; je me demande s'il n'y a pas un module qui le recré, un rootkit.
alors voici deux rapports pour les experts...
Le premier avec Hijackthis:
Logfile of HijackThis v1.99.1
Scan saved at 20:56:15, on 14/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Neuf\Kit\WiFi\9wifi.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\themeGold55\CursorXP\CursorXP.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://recherche.neuf.fr/ie/default.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://recherche.neuf.fr/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.neuf.fr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://recherche.neuf.fr/ie/default.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: (no name) - {A8EEB996-62AA-4E48-995D-EADDCAC47476} - C:\WINDOWS\system32\nnnonmjH.dll
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Autoconfigurateur WiFi Neuf] "C:\Program Files\Neuf\Kit\WiFi\9wifi.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CursorXP] C:\themeGold55\CursorXP\CursorXP.exe -s
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.google.fr
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/fl...
O20 - Winlogon Notify: nnnonmjH - C:\WINDOWS\SYSTEM32\nnnonmjH.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
Le second avec Rootkit_detective de chez Mc Affee:
McAfee(R) Rootkit Detective 1.1 scan report
On 14-04-2008 at 20:36:33
OS-Version 5.1.2600
Service Pack 2.0
====================================
Object-Type: SSDT-hook
Object-Name: ZwCreateKey
Object-Path: \SystemRoot\System32\drivers\spzl.sys
Object-Type: SSDT-hook
Object-Name: ZwCreateThread
Object-Path: (NULL)
Object-Type: SSDT-hook
Object-Name: ZwEnumerateKey
Object-Path: \SystemRoot\System32\drivers\spzl.sys
Object-Type: SSDT-hook
Object-Name: ZwEnumerateValueKey
Object-Path: \SystemRoot\System32\drivers\spzl.sys
Object-Type: SSDT-hook
Object-Name: ZwOpenKey
Object-Path: \SystemRoot\System32\drivers\spzl.sys
Object-Type: SSDT-hook
Object-Name: ZwOpenProcess
Object-Path: (NULL)
Object-Type: SSDT-hook
Object-Name: ZwOpenThread
Object-Path: (NULL)
Object-Type: SSDT-hook
Object-Name: ZwQueryKey
Object-Path: \SystemRoot\System32\drivers\spzl.sys
Object-Type: SSDT-hook
Object-Name: ZwQueryValueKey
Object-Path: \SystemRoot\System32\drivers\spzl.sys
Object-Type: SSDT-hook
Object-Name: ZwSetValueKey
Object-Path: \SystemRoot\System32\drivers\spzl.sys
Object-Type: SSDT-hook
Object-Name: ZwTerminateProcess
Object-Path: (NULL)
Object-Type: SSDT-hook
Object-Name: ZwWriteVirtualMemory
Object-Path: (NULL)
Object-Type: IRP-hook
Object-Name: \Driver\Ftdisk->IRP_MJ_SYSTEM_CONTROL
Object-Path:
Object-Type: IRP-hook
Object-Name: \Driver\Ftdisk->IRP_MJ_POWER
Object-Path:
Object-Type: IRP-hook
Object-Name: \Driver\Ftdisk->IRP_MJ_CLEANUP
Object-Path:
Object-Type: IRP-hook
Object-Name: \Driver\Ftdisk->IRP_MJ_SHUTDOWN
Object-Path:
Object-Type: IRP-hook
Object-Name: \Driver\Ftdisk->IRP_MJ_INTERNAL_DEVICE_CONTROL
Object-Path:
Object-Type: IRP-hook
Object-Name: \Driver\Ftdisk->IRP_MJ_DEVICE_CONTROL
Object-Path:
Object-Type: IRP-hook
Object-Name: \Driver\Ftdisk->IRP_MJ_FLUSH_BUFFERS
Object-Path:
Object-Type: IRP-hook
Object-Name: \Driver\Ftdisk->IRP_MJ_WRITE
Object-Path:
Object-Type: IRP-hook
Object-Name: \Driver\Ftdisk->IRP_MJ_READ
Object-Path:
Object-Type: IRP-hook
Object-Name: \Driver\Ftdisk->IRP_MJ_CREATE
Object-Path:
Object-Type: Registry-value
Object-Name: (Default)
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg
Status: Unable to access registry key
Object-Type: Registry-key
Object-Name: 19659239224E364682FA4BAF72C53EA4td\Cfg
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Status: Hidden
Object-Type: Registry-value
Object-Name: (Default)
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Status: Unable to access registry key
Object-Type: Registry-key
Object-Name: 00000001ontrolSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Status: Hidden
Object-Type: Registry-value
Object-Name: (Default)
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Status: Unable to access registry key
Object-Type: Registry-key
Object-Name: 0Jf40M\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Status: Hidden
Object-Type: Registry-value
Object-Name: (Default)
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Status: Unable to access registry key
Object-Type: Registry-value
Object-Name: khjeh
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Status: Hidden
Object-Type: Registry-value
Object-Name: a0
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Status: Hidden
Object-Type: Registry-value
Object-Name: khjeh
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Status: Hidden
Object-Type: Registry-value
Object-Name: p0
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Status: Hidden
Object-Type: Registry-value
Object-Name: h0
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Status: Hidden
Object-Type: Registry-value
Object-Name: khjeh
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Status: Hidden
Object-Type: Registry-value
Object-Name: s1
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg
Status: Hidden
Object-Type: Registry-value
Object-Name: s2
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg
Status: Hidden
Object-Type: Registry-value
Object-Name: g0
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg
Status: Hidden
Object-Type: Registry-value
Object-Name: h0
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg
Status: Hidden
Object-Type: Registry-key
Object-Name: 19659239224E364682FA4BAF72C53EA4td\Cfg
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Status: Hidden
Object-Type: Registry-key
Object-Name: 00000001ontrolSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Status: Hidden
Object-Type: Registry-key
Object-Name: 0Jf40M\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Status: Hidden
Object-Type: Registry-value
Object-Name: (Default)
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg
Status: Unable to access registry key
Object-Type: Registry-key
Object-Name: 19659239224E364682FA4BAF72C53EA4td\Cfg
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Status: Hidden
Object-Type: Registry-value
Object-Name: (Default)
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Status: Unable to access registry key
Object-Type: Registry-key
Object-Name: 00000001ontrolSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Status: Hidden
Object-Type: Registry-value
Object-Name: (Default)
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Status: Unable to access registry key
Object-Type: Registry-key
Object-Name: 0Jf40M\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Status: Hidden
Object-Type: Registry-value
Object-Name: (Default)
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Status: Unable to access registry key
Object-Type: Registry-value
Object-Name: khjeh
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Status: Hidden
Object-Type: Registry-value
Object-Name: a0
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Status: Hidden
Object-Type: Registry-value
Object-Name: khjeh
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Status: Hidden
Object-Type: Registry-value
Object-Name: p0
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Status: Hidden
Object-Type: Registry-value
Object-Name: h0
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Status: Hidden
Object-Type: Registry-value
Object-Name: khjeh
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Status: Hidden
Object-Type: Registry-value
Object-Name: s1
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg
Status: Hidden
Object-Type: Registry-value
Object-Name: s2
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg
Status: Hidden
Object-Type: Registry-value
Object-Name: g0
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg
Status: Hidden
Object-Type: Registry-value
Object-Name: h0
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg
Status: Hidden
Object-Type: Process
Object-Name: smss.exe
Pid: 464
Object-Path: C:\WINDOWS\System32\smss.exe
Status: Visible
Object-Type: Process
Object-Name: System Idle Process
Pid: 0
Object-Path:
Status: Visible
Object-Type: Process
Object-Name: iexplore.exe
Pid: 2728
Object-Path: C:\Program Files\Internet Explorer\iexplore.exe
Status: Visible
Object-Type: Process
Object-Name: services.exe
Pid: 592
Object-Path: C:\WINDOWS\system32\services.exe
Status: Visible
Object-Type: Process
Object-Name: spoolsv.exe
Pid: 1212
Object-Path: C:\WINDOWS\system32\spoolsv.exe
Status: Visible
Object-Type: Process
Object-Name: explorer.exe
Pid: 1460
Object-Path: C:\WINDOWS\Explorer.EXE
Status: Visible
Object-Type: Process
Object-Name: SOUNDMAN.EXE
Pid: 1832
Object-Path: C:\WINDOWS\SOUNDMAN.EXE
Status: Visible
Object-Type: Process
Object-Name: System
Pid: 4
Object-Path:
Status: Visible
Object-Type: Process
Object-Name: alg.exe
Pid: 1120
Object-Path: C:\WINDOWS\System32\alg.exe
Status: Visible
Object-Type: Process
Object-Name: wdfmgr.exe
Pid: 316
Object-Path: C:\WINDOWS\system32\wdfmgr.exe
Status: Visible
Object-Type: Process
Object-Name: svchost.exe
Pid: 816
Object-Path: C:\WINDOWS\system32\svchost.exe
Status: Visible
Object-Type: Process
Object-Name: svchost.exe
Pid: 940
Object-Path: C:\WINDOWS\System32\svchost.exe
Status: Visible
Object-Type: Process
Object-Name: wscntfy.exe
Pid: 2056
Object-Path: C:\WINDOWS\system32\wscntfy.exe
Status: Visible
Object-Type: Process
Object-Name: svchost.exe
Pid: 972
Object-Path: C:\WINDOWS\System32\svchost.exe
Status: Visible
Object-Type: Process
Object-Name: mdm.exe
Pid: 2028
Object-Path: C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe
Status: Visible
Object-Type: Process
Object-Name: rundll32.exe
Pid: 1812
Object-Path: C:\WINDOWS\system32\RUNDLL32.EXE
Status: Visible
Object-Type: Process
Object-Name: lsass.exe
Pid: 604
Object-Path: C:\WINDOWS\system32\lsass.exe
Status: Visible
Object-Type: Process
Object-Name: CursorXP.exe
Pid: 1968
Object-Path: C:\themeGold55\CursorXP\CursorXP.exe
Status: Visible
Object-Type: Process
Object-Name: svchost.exe
Pid: 760
Object-Path: C:\WINDOWS\system32\svchost.exe
Status: Visible
Object-Type: Process
Object-Name: svchost.exe
Pid: 856
Object-Path: C:\WINDOWS\System32\svchost.exe
Status: Visible
Object-Type: Process
Object-Name: avgnt.exe
Pid: 1880
Object-Path: C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
Status: Visible
Object-Type: Process
Object-Name: winlogon.exe
Pid: 548
Object-Path: C:\WINDOWS\system32\winlogon.exe
Status: Visible
Object-Type: Process
Object-Name: avguard.exe
Pid: 1324
Object-Path: C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
Status: Visible
Object-Type: Process
Object-Name: 9wifi.exe
Pid: 1728
Object-Path: C:\Program Files\Neuf\Kit\WiFi\9wifi.exe
Status: Visible
Object-Type: Process
Object-Name: nvsvc32.exe
Pid: 180
Object-Path: C:\WINDOWS\system32\nvsvc32.exe
Status: Visible
Object-Type: Process
Object-Name: ctfmon.exe
Pid: 1948
Object-Path: C:\WINDOWS\system32\ctfmon.exe
Status: Visible
Object-Type: Process
Object-Name: sched.exe
Pid: 1980
Object-Path: C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
Status: Visible
Object-Type: Process
Object-Name: csrss.exe
Pid: 524
Object-Path: C:\WINDOWS\system32\csrss.exe
Status: Visible
Object-Type: Process
Object-Name: Rootkit_Detecti
Pid: 3004
Object-Path: C:\Documents and Settings\Manu\Mes documents\Mes images\Rootkit_Detective.exe
Status: Visible
Scan complete. Hidden registry keys/values: 29
Alors merci si quelqu'un comprend mieux tout celà que moi.
Vous remarquerez que le .dll est relié à winlogon notify. Ce dll est il corrompu au coeur du WGA?
Merci pour vos réponses![:hello:]( ":hello:")
J'ai fais le ***.
J'ai activé une série de virus et trojans par l'ouverture d'un exe inconnu (je voulais savoir ce que c'était...
Une bonne quizaine d'alerte Antivir auxquelles j'ai dit sans même réfléchir "DELETE" et pis voilà ...
Il en reste un...
Impossible de le trucider; ni même en mode sans échec.
Il est détecté sous un .dll et est nommé par antivir: TR/cryptxpack.gen
le .dll est dans le dossier système32 bien sûr.
J'ai tenté avec Hijackthis le Fix Cheched m&ais rien à faire, il est redondant. Aucune fenêtre ne m'indique qu'il est innéfaçable; je me demande s'il n'y a pas un module qui le recré, un rootkit.
alors voici deux rapports pour les experts...
Le premier avec Hijackthis:
Logfile of HijackThis v1.99.1
Scan saved at 20:56:15, on 14/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Neuf\Kit\WiFi\9wifi.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\themeGold55\CursorXP\CursorXP.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://recherche.neuf.fr/ie/default.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://recherche.neuf.fr/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.neuf.fr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://recherche.neuf.fr/ie/default.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: (no name) - {A8EEB996-62AA-4E48-995D-EADDCAC47476} - C:\WINDOWS\system32\nnnonmjH.dll
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Autoconfigurateur WiFi Neuf] "C:\Program Files\Neuf\Kit\WiFi\9wifi.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CursorXP] C:\themeGold55\CursorXP\CursorXP.exe -s
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.google.fr
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/fl...
O20 - Winlogon Notify: nnnonmjH - C:\WINDOWS\SYSTEM32\nnnonmjH.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
Le second avec Rootkit_detective de chez Mc Affee:
McAfee(R) Rootkit Detective 1.1 scan report
On 14-04-2008 at 20:36:33
OS-Version 5.1.2600
Service Pack 2.0
====================================
Object-Type: SSDT-hook
Object-Name: ZwCreateKey
Object-Path: \SystemRoot\System32\drivers\spzl.sys
Object-Type: SSDT-hook
Object-Name: ZwCreateThread
Object-Path: (NULL)
Object-Type: SSDT-hook
Object-Name: ZwEnumerateKey
Object-Path: \SystemRoot\System32\drivers\spzl.sys
Object-Type: SSDT-hook
Object-Name: ZwEnumerateValueKey
Object-Path: \SystemRoot\System32\drivers\spzl.sys
Object-Type: SSDT-hook
Object-Name: ZwOpenKey
Object-Path: \SystemRoot\System32\drivers\spzl.sys
Object-Type: SSDT-hook
Object-Name: ZwOpenProcess
Object-Path: (NULL)
Object-Type: SSDT-hook
Object-Name: ZwOpenThread
Object-Path: (NULL)
Object-Type: SSDT-hook
Object-Name: ZwQueryKey
Object-Path: \SystemRoot\System32\drivers\spzl.sys
Object-Type: SSDT-hook
Object-Name: ZwQueryValueKey
Object-Path: \SystemRoot\System32\drivers\spzl.sys
Object-Type: SSDT-hook
Object-Name: ZwSetValueKey
Object-Path: \SystemRoot\System32\drivers\spzl.sys
Object-Type: SSDT-hook
Object-Name: ZwTerminateProcess
Object-Path: (NULL)
Object-Type: SSDT-hook
Object-Name: ZwWriteVirtualMemory
Object-Path: (NULL)
Object-Type: IRP-hook
Object-Name: \Driver\Ftdisk->IRP_MJ_SYSTEM_CONTROL
Object-Path:
Object-Type: IRP-hook
Object-Name: \Driver\Ftdisk->IRP_MJ_POWER
Object-Path:
Object-Type: IRP-hook
Object-Name: \Driver\Ftdisk->IRP_MJ_CLEANUP
Object-Path:
Object-Type: IRP-hook
Object-Name: \Driver\Ftdisk->IRP_MJ_SHUTDOWN
Object-Path:
Object-Type: IRP-hook
Object-Name: \Driver\Ftdisk->IRP_MJ_INTERNAL_DEVICE_CONTROL
Object-Path:
Object-Type: IRP-hook
Object-Name: \Driver\Ftdisk->IRP_MJ_DEVICE_CONTROL
Object-Path:
Object-Type: IRP-hook
Object-Name: \Driver\Ftdisk->IRP_MJ_FLUSH_BUFFERS
Object-Path:
Object-Type: IRP-hook
Object-Name: \Driver\Ftdisk->IRP_MJ_WRITE
Object-Path:
Object-Type: IRP-hook
Object-Name: \Driver\Ftdisk->IRP_MJ_READ
Object-Path:
Object-Type: IRP-hook
Object-Name: \Driver\Ftdisk->IRP_MJ_CREATE
Object-Path:
Object-Type: Registry-value
Object-Name: (Default)
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg
Status: Unable to access registry key
Object-Type: Registry-key
Object-Name: 19659239224E364682FA4BAF72C53EA4td\Cfg
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Status: Hidden
Object-Type: Registry-value
Object-Name: (Default)
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Status: Unable to access registry key
Object-Type: Registry-key
Object-Name: 00000001ontrolSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Status: Hidden
Object-Type: Registry-value
Object-Name: (Default)
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Status: Unable to access registry key
Object-Type: Registry-key
Object-Name: 0Jf40M\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Status: Hidden
Object-Type: Registry-value
Object-Name: (Default)
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Status: Unable to access registry key
Object-Type: Registry-value
Object-Name: khjeh
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Status: Hidden
Object-Type: Registry-value
Object-Name: a0
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Status: Hidden
Object-Type: Registry-value
Object-Name: khjeh
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Status: Hidden
Object-Type: Registry-value
Object-Name: p0
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Status: Hidden
Object-Type: Registry-value
Object-Name: h0
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Status: Hidden
Object-Type: Registry-value
Object-Name: khjeh
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Status: Hidden
Object-Type: Registry-value
Object-Name: s1
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg
Status: Hidden
Object-Type: Registry-value
Object-Name: s2
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg
Status: Hidden
Object-Type: Registry-value
Object-Name: g0
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg
Status: Hidden
Object-Type: Registry-value
Object-Name: h0
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg
Status: Hidden
Object-Type: Registry-key
Object-Name: 19659239224E364682FA4BAF72C53EA4td\Cfg
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Status: Hidden
Object-Type: Registry-key
Object-Name: 00000001ontrolSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Status: Hidden
Object-Type: Registry-key
Object-Name: 0Jf40M\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Status: Hidden
Object-Type: Registry-value
Object-Name: (Default)
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg
Status: Unable to access registry key
Object-Type: Registry-key
Object-Name: 19659239224E364682FA4BAF72C53EA4td\Cfg
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Status: Hidden
Object-Type: Registry-value
Object-Name: (Default)
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Status: Unable to access registry key
Object-Type: Registry-key
Object-Name: 00000001ontrolSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Status: Hidden
Object-Type: Registry-value
Object-Name: (Default)
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Status: Unable to access registry key
Object-Type: Registry-key
Object-Name: 0Jf40M\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Status: Hidden
Object-Type: Registry-value
Object-Name: (Default)
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Status: Unable to access registry key
Object-Type: Registry-value
Object-Name: khjeh
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Status: Hidden
Object-Type: Registry-value
Object-Name: a0
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Status: Hidden
Object-Type: Registry-value
Object-Name: khjeh
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Status: Hidden
Object-Type: Registry-value
Object-Name: p0
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Status: Hidden
Object-Type: Registry-value
Object-Name: h0
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Status: Hidden
Object-Type: Registry-value
Object-Name: khjeh
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Status: Hidden
Object-Type: Registry-value
Object-Name: s1
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg
Status: Hidden
Object-Type: Registry-value
Object-Name: s2
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg
Status: Hidden
Object-Type: Registry-value
Object-Name: g0
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg
Status: Hidden
Object-Type: Registry-value
Object-Name: h0
Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg
Status: Hidden
Object-Type: Process
Object-Name: smss.exe
Pid: 464
Object-Path: C:\WINDOWS\System32\smss.exe
Status: Visible
Object-Type: Process
Object-Name: System Idle Process
Pid: 0
Object-Path:
Status: Visible
Object-Type: Process
Object-Name: iexplore.exe
Pid: 2728
Object-Path: C:\Program Files\Internet Explorer\iexplore.exe
Status: Visible
Object-Type: Process
Object-Name: services.exe
Pid: 592
Object-Path: C:\WINDOWS\system32\services.exe
Status: Visible
Object-Type: Process
Object-Name: spoolsv.exe
Pid: 1212
Object-Path: C:\WINDOWS\system32\spoolsv.exe
Status: Visible
Object-Type: Process
Object-Name: explorer.exe
Pid: 1460
Object-Path: C:\WINDOWS\Explorer.EXE
Status: Visible
Object-Type: Process
Object-Name: SOUNDMAN.EXE
Pid: 1832
Object-Path: C:\WINDOWS\SOUNDMAN.EXE
Status: Visible
Object-Type: Process
Object-Name: System
Pid: 4
Object-Path:
Status: Visible
Object-Type: Process
Object-Name: alg.exe
Pid: 1120
Object-Path: C:\WINDOWS\System32\alg.exe
Status: Visible
Object-Type: Process
Object-Name: wdfmgr.exe
Pid: 316
Object-Path: C:\WINDOWS\system32\wdfmgr.exe
Status: Visible
Object-Type: Process
Object-Name: svchost.exe
Pid: 816
Object-Path: C:\WINDOWS\system32\svchost.exe
Status: Visible
Object-Type: Process
Object-Name: svchost.exe
Pid: 940
Object-Path: C:\WINDOWS\System32\svchost.exe
Status: Visible
Object-Type: Process
Object-Name: wscntfy.exe
Pid: 2056
Object-Path: C:\WINDOWS\system32\wscntfy.exe
Status: Visible
Object-Type: Process
Object-Name: svchost.exe
Pid: 972
Object-Path: C:\WINDOWS\System32\svchost.exe
Status: Visible
Object-Type: Process
Object-Name: mdm.exe
Pid: 2028
Object-Path: C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe
Status: Visible
Object-Type: Process
Object-Name: rundll32.exe
Pid: 1812
Object-Path: C:\WINDOWS\system32\RUNDLL32.EXE
Status: Visible
Object-Type: Process
Object-Name: lsass.exe
Pid: 604
Object-Path: C:\WINDOWS\system32\lsass.exe
Status: Visible
Object-Type: Process
Object-Name: CursorXP.exe
Pid: 1968
Object-Path: C:\themeGold55\CursorXP\CursorXP.exe
Status: Visible
Object-Type: Process
Object-Name: svchost.exe
Pid: 760
Object-Path: C:\WINDOWS\system32\svchost.exe
Status: Visible
Object-Type: Process
Object-Name: svchost.exe
Pid: 856
Object-Path: C:\WINDOWS\System32\svchost.exe
Status: Visible
Object-Type: Process
Object-Name: avgnt.exe
Pid: 1880
Object-Path: C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
Status: Visible
Object-Type: Process
Object-Name: winlogon.exe
Pid: 548
Object-Path: C:\WINDOWS\system32\winlogon.exe
Status: Visible
Object-Type: Process
Object-Name: avguard.exe
Pid: 1324
Object-Path: C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
Status: Visible
Object-Type: Process
Object-Name: 9wifi.exe
Pid: 1728
Object-Path: C:\Program Files\Neuf\Kit\WiFi\9wifi.exe
Status: Visible
Object-Type: Process
Object-Name: nvsvc32.exe
Pid: 180
Object-Path: C:\WINDOWS\system32\nvsvc32.exe
Status: Visible
Object-Type: Process
Object-Name: ctfmon.exe
Pid: 1948
Object-Path: C:\WINDOWS\system32\ctfmon.exe
Status: Visible
Object-Type: Process
Object-Name: sched.exe
Pid: 1980
Object-Path: C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
Status: Visible
Object-Type: Process
Object-Name: csrss.exe
Pid: 524
Object-Path: C:\WINDOWS\system32\csrss.exe
Status: Visible
Object-Type: Process
Object-Name: Rootkit_Detecti
Pid: 3004
Object-Path: C:\Documents and Settings\Manu\Mes documents\Mes images\Rootkit_Detective.exe
Status: Visible
Scan complete. Hidden registry keys/values: 29
Alors merci si quelqu'un comprend mieux tout celà que moi.
Vous remarquerez que le .dll est relié à winlogon notify. Ce dll est il corrompu au coeur du WGA?
Merci pour vos réponses
Autres pages sur : infection nnnonmjh dll cryptxpack gen sp2
Lassé par la pub ? Créez un compte
Bonjour,
[#ff0000]Désactive tes protections résidentes (antivirus, Spybot...) ![/#f]
Télécharge Combofix ([#ff0000]sUBs[/#f]) sur ton Bureau.
Double clique sur combofix.exe afin de le lancer.
Lorsque le scan sera complété, un rapport apparaîtra. Poste ce rapport dans ta prochaine réponse.
[#ff0000]Désactive tes protections résidentes (antivirus, Spybot...) ![/#f]
Merci pour ta réponse et ton aide, voici le rapport combofix
ComboFix 08-04-13.3 - Manu 2008-04-14 22:10:50.1 - NTFSx86
Microsoft Windows XP Professionnel 5.1.2600.2.1252.1.1036.18.735 [GMT 2:00]
Endroit: C:\ComboFix.exe
* Création d'un nouveau point de restauration
AVERTISSEMENT - LA CONSOLE DE RÉCUPÉRATION N'EST PAS INSTALLÉE SUR CETTE MACHINE !!
.
(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\install.exe
C:\WINDOWS\system32\nnnonmjH.dll
.
((((((((((((((((((((((((((((( Fichiers cr‚‚s 2008-03-14 to 2008-04-14 ))))))))))))))))))))))))))))))))))))
.
2008-04-14 22:08 . 2008-04-14 22:09 1,700,404 --a------ C:\ComboFix.exe
2008-04-14 20:45 . 2008-03-01 14:58 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-04-14 20:45 . 2007-04-17 11:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-04-14 20:45 . 2007-03-08 07:10 1,048,576 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-04-14 20:45 . 2008-03-01 14:58 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-04-14 20:45 . 2008-03-01 14:58 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-04-14 20:45 . 2008-03-01 14:58 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-04-14 20:45 . 2008-03-01 14:58 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-04-14 20:45 . 2008-03-01 14:58 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-04-14 20:45 . 2008-02-22 12:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-04-14 20:04 . 2008-04-14 20:04 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-04-14 18:24 . 2008-04-14 18:24 <REP> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-14 18:24 . 2008-04-14 18:57 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-14 18:13 . 2005-02-16 11:06 218,112 --a------ C:\HijackThis.exe
2008-04-14 13:13 . 2008-04-14 13:13 <REP> d-------- C:\Program Files\Fichiers communs\Adobe
2008-04-14 13:05 . 2008-04-14 13:05 <REP> d-------- C:\Documents and Settings\Manu\Application Data\Nero
2008-04-14 13:02 . 2008-04-14 13:02 <REP> d-------- C:\Program Files\Nero
2008-04-14 13:02 . 2008-04-14 13:26 <REP> d-------- C:\Program Files\Fichiers communs\Nero
2008-04-14 13:02 . 2008-04-14 13:26 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-04-13 18:35 . 2008-04-13 18:35 20,336 --a------ C:\Documents and Settings\Manu\Application Data\GDIPFONTCACHEV1.DAT
2008-04-06 00:06 . 2008-04-06 00:06 <REP> d-------- C:\Documents and Settings\Manu\Application Data\vlc
2008-04-06 00:05 . 2008-04-06 00:05 <REP> d-------- C:\Program Files\VideoLAN
2008-04-05 23:35 . 2008-04-05 23:37 <REP> d-------- C:\Program Files\uTorrent
2008-04-05 23:35 . 2008-04-14 18:39 <REP> d-------- C:\Documents and Settings\Manu\Application Data\uTorrent
2008-04-05 22:49 . 2008-04-06 13:38 <REP> d-------- C:\Program Files\eMule
2008-04-05 21:58 . 2008-04-05 21:58 <REP> d-------- C:\Program Files\MC2
2008-04-05 21:30 . 2008-04-05 21:30 <REP> d-------- C:\Program Files\Smart Projects
2008-04-05 17:49 . 2008-04-05 17:49 385 --a------ C:\WINDOWS\ODBC.INI
2008-04-05 17:46 . 2008-04-05 17:48 <REP> d-------- C:\WINDOWS\ShellNew
2008-04-05 17:40 . 2008-04-05 17:40 <REP> d-------- C:\Program Files\DAEMON Tools Lite
2008-04-05 17:38 . 2008-04-05 17:38 <REP> d-------- C:\Documents and Settings\Manu\Application Data\DAEMON Tools
2008-04-05 17:38 . 2008-04-05 17:38 717,296 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-04-05 17:29 . 2008-04-05 17:29 <REP> d-------- C:\Documents and Settings\Manu\Application Data\Media Player Classic
2008-04-05 17:17 . 2008-04-05 17:17 <REP> d-------- C:\Program Files\Avira
2008-04-05 17:17 . 2008-04-05 17:17 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-04-05 17:12 . 2008-04-05 17:12 <REP> d-------- C:\Program Files\K-Lite Codec Pack
2008-04-05 16:29 . 2004-07-17 11:40 19,528 --a------ C:\WINDOWS\000001_.tmp
2008-04-05 13:28 . 2008-04-05 21:58 <REP> d--h----- C:\Program Files\InstallShield Installation Information
2008-04-05 13:28 . 2006-10-18 11:39 17,920 -ra------ C:\WINDOWS\system32\drivers\xfilt.sys
2008-04-05 13:28 . 2006-10-17 14:22 9,216 -ra------ C:\WINDOWS\system32\drivers\videX32.sys
2008-04-05 13:27 . 2008-04-05 13:27 <REP> d-------- C:\Program Files\VIA
2008-04-05 13:27 . 2005-04-14 01:54 331,184 --------- C:\WINDOWS\system32\difxapi.dll
2008-04-05 13:25 . 2001-08-17 22:59 3,072 --a------ C:\WINDOWS\system32\drivers\audstub.sys
2008-04-05 13:24 . 2008-04-05 13:24 <REP> d--hs---- C:\Documents and Settings\Manu\UserData
2008-04-05 13:24 . 2004-08-19 16:09 77,312 --a------ C:\WINDOWS\system32\usbui.dll
2008-04-05 13:24 . 2004-08-19 15:54 58,496 --a------ C:\WINDOWS\system32\drivers\redbook.sys
2008-04-05 13:24 . 2001-08-17 21:13 27,165 --a------ C:\WINDOWS\system32\drivers\fetnd5.sys
2008-04-05 13:23 . 2008-04-14 18:24 <REP> dr------- C:\Program Files
2008-04-05 13:23 . 2008-04-05 14:34 756,934 --a------ C:\WINDOWS\system32\PerfStringBackup.INI
2008-04-05 13:23 . 2008-04-05 12:29 4,207 --a------ C:\WINDOWS\ODBCINST.INI
2008-04-05 13:23 . 2008-04-14 20:49 584 --a------ C:\WINDOWS\imsins.BAK
2008-04-05 13:22 . 2008-04-05 13:22 <REP> d--h----- C:\Documents and Settings\Default User\Voisinage r‚seau
2008-04-05 13:22 . 2008-04-05 13:22 <REP> d--h----- C:\Documents and Settings\Default User\Voisinage d'impression
2008-04-05 13:22 . 2008-04-05 13:22 <REP> d--h----- C:\Documents and Settings\Default User\ModÅ les
2008-04-05 13:22 . 2008-04-05 13:22 <REP> d-------- C:\Documents and Settings\Default User\Mes documents
2008-04-05 13:22 . 2008-04-05 13:22 <REP> dr------- C:\Documents and Settings\Default User\Menu D‚marrer
2008-04-05 13:22 . 2008-04-05 12:29 <REP> d-------- C:\Documents and Settings\Default User\Favoris
2008-04-05 13:22 . 2008-04-05 13:22 <REP> d-------- C:\Documents and Settings\Default User\Bureau
2008-04-05 13:22 . 2008-04-05 13:22 <REP> d--h----- C:\Documents and Settings\All Users\ModÅ les
2008-04-05 13:22 . 2008-04-05 17:48 <REP> dr------- C:\Documents and Settings\All Users\Menu D‚marrer
2008-04-05 13:22 . 2008-04-05 13:22 <REP> d-------- C:\Documents and Settings\All Users\Favoris
2008-04-05 13:22 . 2008-04-05 12:26 <REP> dr------- C:\Documents and Settings\All Users\Documents
2008-04-05 13:22 . 2008-04-14 13:13 <REP> d-------- C:\Documents and Settings\All Users\Bureau
2008-04-05 13:21 . 2008-04-05 13:21 <REP> d-------- C:\WINDOWS\nview
2008-04-05 13:21 . 2008-04-05 12:29 <REP> d--h----- C:\Documents and Settings\Default User
2008-04-05 13:21 . 2008-04-05 12:28 <REP> d-------- C:\Documents and Settings\All Users
2008-04-05 13:21 . 2008-04-05 12:33 <REP> d-------- C:\Documents and Settings
2008-04-05 13:21 . 2007-12-05 02:53 356,352 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2008-04-05 13:21 . 2007-12-05 01:41 356,352 --a------ C:\WINDOWS\system32\nvudisp.exe
2008-04-05 13:21 . 2008-04-05 21:12 163,353 --a------ C:\WINDOWS\system32\nvapps.xml
2008-04-05 13:21 . 2007-12-05 01:41 17,737 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-04-05 13:20 . 2008-04-05 21:57 <REP> d-------- C:\Program Files\Fichiers communs\InstallShield
2008-04-05 13:20 . 2008-04-05 13:20 <REP> d-------- C:\NVIDIA
2008-04-05 13:07 . 2007-07-09 15:11 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-04-05 13:01 . 2008-04-14 20:49 <REP> d--h----- C:\WINDOWS\$hf_mig$
.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-05 10:56 --------- d-----w C:\Program Files\Neuf
2008-04-05 10:35 155,995 ----a-w C:\WINDOWS\java\Packages\QFDNZNJ1.ZIP
2008-04-05 10:34 --------- d-----w C:\Program Files\D-Tools
2008-04-05 10:29 --------- d-----w C:\Program Files\microsoft frontpage
2008-04-05 10:28 --------- d-----w C:\Program Files\Services en ligne
2008-03-20 08:09 1,845,376 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-04 10:33 7,680 ----a-w C:\WINDOWS\system32\ff_vfw.dll
2008-03-01 12:58 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:35 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
.
((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* les ‚l‚ments vides & les ‚l‚ments initiaux l‚gitimes ne sont pas list‚s
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 16:09 15360]
"CursorXP"="C:\themeGold55\CursorXP\CursorXP.exe" [2001-12-13 20:00 100864]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-04-01 11:39 486856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2003-12-15 18:56 81920]
"Autoconfigurateur WiFi Neuf"="C:\Program Files\Neuf\Kit\WiFi\9wifi.exe" [2007-02-14 13:06 181752]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"SoundMan"="SOUNDMAN.EXE" [2006-11-16 23:42 577536 C:\WINDOWS\SOUNDMAN.EXE]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-04-05 17:18 249896]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-19 16:09 15360]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoLowDiskSpaceCheck"= 1 (0x1)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoLowDiskSpaceCheck"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnonmjH]
nnnonmjH.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\eMule\\emule.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
R0 d343bus;d343bus;C:\WINDOWS\system32\DRIVERS\d343bus.sys [2003-12-15 18:46]
R0 d343port;d343port;C:\WINDOWS\system32\DRIVERS\d343port.sys [2003-12-15 17:29]
R0 viasraid;viasraid;C:\WINDOWS\system32\DRIVERS\viasraid.sys [2003-10-31 13:22]
R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2006-10-17 14:22]
R0 xfilt;VIA SATA IDE Hot-plug Driver;C:\WINDOWS\system32\DRIVERS\xfilt.sys [2006-10-18 11:39]
R3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys [2005-11-19 03:13]
R3 usbstor;Pilote de stockage de masse USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 23:08]
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-14 22:13:51
Windows 5.1.2600 Service Pack 2 NTFS
Balayage processus cach‚s ...
Balayage cach‚ autostart entries ...
Balayage des fichiers cach‚s ...
Scan termin‚ avec succŠs
Les fichiers cach‚s: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Temps d'accomplissement: 2008-04-14 22:14:49 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-14 20:14:47
Pre-Run: 213,543,440,384 octets libres
Post-Run: 213,540,761,600 octets libres
.
2008-04-05 15:42:46 --- E O F ---
ComboFix 08-04-13.3 - Manu 2008-04-14 22:10:50.1 - NTFSx86
Microsoft Windows XP Professionnel 5.1.2600.2.1252.1.1036.18.735 [GMT 2:00]
Endroit: C:\ComboFix.exe
* Création d'un nouveau point de restauration
AVERTISSEMENT - LA CONSOLE DE RÉCUPÉRATION N'EST PAS INSTALLÉE SUR CETTE MACHINE !!
.
(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\install.exe
C:\WINDOWS\system32\nnnonmjH.dll
.
((((((((((((((((((((((((((((( Fichiers cr‚‚s 2008-03-14 to 2008-04-14 ))))))))))))))))))))))))))))))))))))
.
2008-04-14 22:08 . 2008-04-14 22:09 1,700,404 --a------ C:\ComboFix.exe
2008-04-14 20:45 . 2008-03-01 14:58 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-04-14 20:45 . 2007-04-17 11:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-04-14 20:45 . 2007-03-08 07:10 1,048,576 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-04-14 20:45 . 2008-03-01 14:58 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-04-14 20:45 . 2008-03-01 14:58 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-04-14 20:45 . 2008-03-01 14:58 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-04-14 20:45 . 2008-03-01 14:58 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-04-14 20:45 . 2008-03-01 14:58 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-04-14 20:45 . 2008-02-22 12:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-04-14 20:04 . 2008-04-14 20:04 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-04-14 18:24 . 2008-04-14 18:24 <REP> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-14 18:24 . 2008-04-14 18:57 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-14 18:13 . 2005-02-16 11:06 218,112 --a------ C:\HijackThis.exe
2008-04-14 13:13 . 2008-04-14 13:13 <REP> d-------- C:\Program Files\Fichiers communs\Adobe
2008-04-14 13:05 . 2008-04-14 13:05 <REP> d-------- C:\Documents and Settings\Manu\Application Data\Nero
2008-04-14 13:02 . 2008-04-14 13:02 <REP> d-------- C:\Program Files\Nero
2008-04-14 13:02 . 2008-04-14 13:26 <REP> d-------- C:\Program Files\Fichiers communs\Nero
2008-04-14 13:02 . 2008-04-14 13:26 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-04-13 18:35 . 2008-04-13 18:35 20,336 --a------ C:\Documents and Settings\Manu\Application Data\GDIPFONTCACHEV1.DAT
2008-04-06 00:06 . 2008-04-06 00:06 <REP> d-------- C:\Documents and Settings\Manu\Application Data\vlc
2008-04-06 00:05 . 2008-04-06 00:05 <REP> d-------- C:\Program Files\VideoLAN
2008-04-05 23:35 . 2008-04-05 23:37 <REP> d-------- C:\Program Files\uTorrent
2008-04-05 23:35 . 2008-04-14 18:39 <REP> d-------- C:\Documents and Settings\Manu\Application Data\uTorrent
2008-04-05 22:49 . 2008-04-06 13:38 <REP> d-------- C:\Program Files\eMule
2008-04-05 21:58 . 2008-04-05 21:58 <REP> d-------- C:\Program Files\MC2
2008-04-05 21:30 . 2008-04-05 21:30 <REP> d-------- C:\Program Files\Smart Projects
2008-04-05 17:49 . 2008-04-05 17:49 385 --a------ C:\WINDOWS\ODBC.INI
2008-04-05 17:46 . 2008-04-05 17:48 <REP> d-------- C:\WINDOWS\ShellNew
2008-04-05 17:40 . 2008-04-05 17:40 <REP> d-------- C:\Program Files\DAEMON Tools Lite
2008-04-05 17:38 . 2008-04-05 17:38 <REP> d-------- C:\Documents and Settings\Manu\Application Data\DAEMON Tools
2008-04-05 17:38 . 2008-04-05 17:38 717,296 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-04-05 17:29 . 2008-04-05 17:29 <REP> d-------- C:\Documents and Settings\Manu\Application Data\Media Player Classic
2008-04-05 17:17 . 2008-04-05 17:17 <REP> d-------- C:\Program Files\Avira
2008-04-05 17:17 . 2008-04-05 17:17 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-04-05 17:12 . 2008-04-05 17:12 <REP> d-------- C:\Program Files\K-Lite Codec Pack
2008-04-05 16:29 . 2004-07-17 11:40 19,528 --a------ C:\WINDOWS\000001_.tmp
2008-04-05 13:28 . 2008-04-05 21:58 <REP> d--h----- C:\Program Files\InstallShield Installation Information
2008-04-05 13:28 . 2006-10-18 11:39 17,920 -ra------ C:\WINDOWS\system32\drivers\xfilt.sys
2008-04-05 13:28 . 2006-10-17 14:22 9,216 -ra------ C:\WINDOWS\system32\drivers\videX32.sys
2008-04-05 13:27 . 2008-04-05 13:27 <REP> d-------- C:\Program Files\VIA
2008-04-05 13:27 . 2005-04-14 01:54 331,184 --------- C:\WINDOWS\system32\difxapi.dll
2008-04-05 13:25 . 2001-08-17 22:59 3,072 --a------ C:\WINDOWS\system32\drivers\audstub.sys
2008-04-05 13:24 . 2008-04-05 13:24 <REP> d--hs---- C:\Documents and Settings\Manu\UserData
2008-04-05 13:24 . 2004-08-19 16:09 77,312 --a------ C:\WINDOWS\system32\usbui.dll
2008-04-05 13:24 . 2004-08-19 15:54 58,496 --a------ C:\WINDOWS\system32\drivers\redbook.sys
2008-04-05 13:24 . 2001-08-17 21:13 27,165 --a------ C:\WINDOWS\system32\drivers\fetnd5.sys
2008-04-05 13:23 . 2008-04-14 18:24 <REP> dr------- C:\Program Files
2008-04-05 13:23 . 2008-04-05 14:34 756,934 --a------ C:\WINDOWS\system32\PerfStringBackup.INI
2008-04-05 13:23 . 2008-04-05 12:29 4,207 --a------ C:\WINDOWS\ODBCINST.INI
2008-04-05 13:23 . 2008-04-14 20:49 584 --a------ C:\WINDOWS\imsins.BAK
2008-04-05 13:22 . 2008-04-05 13:22 <REP> d--h----- C:\Documents and Settings\Default User\Voisinage r‚seau
2008-04-05 13:22 . 2008-04-05 13:22 <REP> d--h----- C:\Documents and Settings\Default User\Voisinage d'impression
2008-04-05 13:22 . 2008-04-05 13:22 <REP> d--h----- C:\Documents and Settings\Default User\ModÅ les
2008-04-05 13:22 . 2008-04-05 13:22 <REP> d-------- C:\Documents and Settings\Default User\Mes documents
2008-04-05 13:22 . 2008-04-05 13:22 <REP> dr------- C:\Documents and Settings\Default User\Menu D‚marrer
2008-04-05 13:22 . 2008-04-05 12:29 <REP> d-------- C:\Documents and Settings\Default User\Favoris
2008-04-05 13:22 . 2008-04-05 13:22 <REP> d-------- C:\Documents and Settings\Default User\Bureau
2008-04-05 13:22 . 2008-04-05 13:22 <REP> d--h----- C:\Documents and Settings\All Users\ModÅ les
2008-04-05 13:22 . 2008-04-05 17:48 <REP> dr------- C:\Documents and Settings\All Users\Menu D‚marrer
2008-04-05 13:22 . 2008-04-05 13:22 <REP> d-------- C:\Documents and Settings\All Users\Favoris
2008-04-05 13:22 . 2008-04-05 12:26 <REP> dr------- C:\Documents and Settings\All Users\Documents
2008-04-05 13:22 . 2008-04-14 13:13 <REP> d-------- C:\Documents and Settings\All Users\Bureau
2008-04-05 13:21 . 2008-04-05 13:21 <REP> d-------- C:\WINDOWS\nview
2008-04-05 13:21 . 2008-04-05 12:29 <REP> d--h----- C:\Documents and Settings\Default User
2008-04-05 13:21 . 2008-04-05 12:28 <REP> d-------- C:\Documents and Settings\All Users
2008-04-05 13:21 . 2008-04-05 12:33 <REP> d-------- C:\Documents and Settings
2008-04-05 13:21 . 2007-12-05 02:53 356,352 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2008-04-05 13:21 . 2007-12-05 01:41 356,352 --a------ C:\WINDOWS\system32\nvudisp.exe
2008-04-05 13:21 . 2008-04-05 21:12 163,353 --a------ C:\WINDOWS\system32\nvapps.xml
2008-04-05 13:21 . 2007-12-05 01:41 17,737 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-04-05 13:20 . 2008-04-05 21:57 <REP> d-------- C:\Program Files\Fichiers communs\InstallShield
2008-04-05 13:20 . 2008-04-05 13:20 <REP> d-------- C:\NVIDIA
2008-04-05 13:07 . 2007-07-09 15:11 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-04-05 13:01 . 2008-04-14 20:49 <REP> d--h----- C:\WINDOWS\$hf_mig$
.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-05 10:56 --------- d-----w C:\Program Files\Neuf
2008-04-05 10:35 155,995 ----a-w C:\WINDOWS\java\Packages\QFDNZNJ1.ZIP
2008-04-05 10:34 --------- d-----w C:\Program Files\D-Tools
2008-04-05 10:29 --------- d-----w C:\Program Files\microsoft frontpage
2008-04-05 10:28 --------- d-----w C:\Program Files\Services en ligne
2008-03-20 08:09 1,845,376 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-04 10:33 7,680 ----a-w C:\WINDOWS\system32\ff_vfw.dll
2008-03-01 12:58 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:35 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
.
((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* les ‚l‚ments vides & les ‚l‚ments initiaux l‚gitimes ne sont pas list‚s
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 16:09 15360]
"CursorXP"="C:\themeGold55\CursorXP\CursorXP.exe" [2001-12-13 20:00 100864]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-04-01 11:39 486856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2003-12-15 18:56 81920]
"Autoconfigurateur WiFi Neuf"="C:\Program Files\Neuf\Kit\WiFi\9wifi.exe" [2007-02-14 13:06 181752]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"SoundMan"="SOUNDMAN.EXE" [2006-11-16 23:42 577536 C:\WINDOWS\SOUNDMAN.EXE]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-04-05 17:18 249896]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-19 16:09 15360]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoLowDiskSpaceCheck"= 1 (0x1)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoLowDiskSpaceCheck"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnonmjH]
nnnonmjH.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\eMule\\emule.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
R0 d343bus;d343bus;C:\WINDOWS\system32\DRIVERS\d343bus.sys [2003-12-15 18:46]
R0 d343port;d343port;C:\WINDOWS\system32\DRIVERS\d343port.sys [2003-12-15 17:29]
R0 viasraid;viasraid;C:\WINDOWS\system32\DRIVERS\viasraid.sys [2003-10-31 13:22]
R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2006-10-17 14:22]
R0 xfilt;VIA SATA IDE Hot-plug Driver;C:\WINDOWS\system32\DRIVERS\xfilt.sys [2006-10-18 11:39]
R3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys [2005-11-19 03:13]
R3 usbstor;Pilote de stockage de masse USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 23:08]
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-14 22:13:51
Windows 5.1.2600 Service Pack 2 NTFS
Balayage processus cach‚s ...
Balayage cach‚ autostart entries ...
Balayage des fichiers cach‚s ...
Scan termin‚ avec succŠs
Les fichiers cach‚s: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Temps d'accomplissement: 2008-04-14 22:14:49 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-14 20:14:47
Pre-Run: 213,543,440,384 octets libres
Post-Run: 213,540,761,600 octets libres
.
2008-04-05 15:42:46 --- E O F ---
Après un nouveau scan Antivir, aucune infection n'est détectée. (Au cours de l'execution Combofix, le dll à été détruit; il n'apparait plus dans l'arborescence système32)
Je ne sais pas ce qu'est ce dll mais une belle saloperie.
En espérant que c'est bien fini mais d'ici là ; un grand MERCI!![:)]( ":)")
Je ne sais pas ce qu'est ce dll mais une belle saloperie.
En espérant que c'est bien fini mais d'ici là ; un grand MERCI!
Pas terminé ![:)]( ":)")
Télécharge MalwareByte's Anti-Malware sur ton Bureau.
Installe-le en double-cliquant sur le fichier Download_mbam-setup.exe.
Une fois l'installation et la mise à jour effectuées, redémarre en mode sans échec.
AIDE : Redémarrer en mode sans échec
Exécute maintenant MalwareByte's Anti-Malware. Si cela n'est pas déjà fait, sélectionne "Exécuter un examen complet".
Afin de lancer la recherche, clic sur"Rechercher".
Une fois le scan terminé, une fenêtre s'ouvre, clic sur OK. Deux possibilités s'offrent à toi :
-- si le programme n'a rien trouvé, appuie sur OK. Un rapport va apparaître, ferme-le.
-- si des infections sont présentes, clic sur "Afficher les résultats" puis sur "Supprimer la sélection". Enregistre le rapport sur ton Bureau afin de le poster dans ta prochaine réponse.
[#ff0000]REMARQUE : Si MalwareByte's Anti-Malware a besoin de redémarrer pour terminer la suppression, accepte en cliquant sur Ok.[/#f]
AIDE : Tuto en images sur MBAM
Télécharge MalwareByte's Anti-Malware sur ton Bureau.
Installe-le en double-cliquant sur le fichier Download_mbam-setup.exe.
Une fois l'installation et la mise à jour effectuées, redémarre en mode sans échec.
AIDE : Redémarrer en mode sans échec
-- si le programme n'a rien trouvé, appuie sur OK. Un rapport va apparaître, ferme-le.
-- si des infections sont présentes, clic sur "Afficher les résultats" puis sur "Supprimer la sélection". Enregistre le rapport sur ton Bureau afin de le poster dans ta prochaine réponse.
[#ff0000]REMARQUE : Si MalwareByte's Anti-Malware a besoin de redémarrer pour terminer la suppression, accepte en cliquant sur Ok.[/#f]
AIDE : Tuto en images sur MBAM
Lassé par la pub ? Créez un compte
