Bonjour à tous, le pc de mes parents est infecté par un rootkit, il n'y a plus de conexion internet .
J'ai fais un scan avec combofix, mais sans la console de récuperation, voici le rapport
ComboFix 10-04-28.04 - maison 29/04/2010 15:02:10.1.1 - x86
Microsoft Windows XP Professionnel 5.1.2600.3.1252.33.1036.18.511.169 [GMT 2:00]
Lancé depuis: c:\documents and settings\maison\Bureau\libe.exe
AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Sunbelt Personal Firewall *enabled* {82B1150E-9B37-49FC-83EB-D52197D900D0}
AVERTISSEMENT - LA CONSOLE DE RÉCUPÉRATION N'EST PAS INSTALLÉE SUR CETTE MACHINE !!
.
(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\maison\Application Data\avdrn.dat
c:\documents and settings\maison\Local Settings\Application Data\av.exe
c:\documents and settings\maison\Local Settings\Application Data\ave.exe
c:\documents and settings\maison\Local Settings\Application Data\Microsoft\Windows Defender\ave.exe
c:\documents and settings\maison\Local Settings\Application Data\MSASCui.exe
c:\documents and settings\maison\Local Settings\Application Data\vma.exe
c:\windows\system32\config\systemprofile\oashdihasidhasuidhiasdhiashdiuasdhasd
c:\windows\system32\drivers\cdrom.sys était absent
Copie restaurée à partir de - c:\windows\ServicePackFiles\i386\cdrom.sys
.
((((((((((((((((((((((((((((( Fichiers créés du 2010-03-28 au 2010-04-29 ))))))))))))))))))))))))))))))))))))
.
2010-04-29 13:09 . 2008-04-13 18:40 62976 -c--a-w- c:\windows\system32\dllcache\cdrom.sys
2010-04-29 13:09 . 2008-04-13 18:40 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2010-04-29 12:47 . 2010-04-29 12:48 -------- d-----w- c:\documents and settings\maison\Application Data\GetRightToGo
2010-04-29 12:39 . 2010-04-29 12:45 -------- d-----w- c:\program files\ZHPDiag
2010-04-29 12:26 . 2010-04-29 12:26 -------- d-----w- c:\program files\Trend Micro
2010-04-22 14:00 . 2010-04-22 14:00 -------- d-----w- c:\documents and settings\maison\Local Settings\Application Data\avG
2010-04-22 14:00 . 2010-04-22 14:00 -------- d-----w- c:\documents and settings\All Users\Application Data\avG
2010-04-01 18:38 . 2010-03-21 07:35 237941 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\BACKUP\aehelp.dll
2010-04-01 18:38 . 2010-03-21 07:35 188789 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\BACKUP\aecore.dll
2010-04-01 18:37 . 2010-04-01 18:37 1282425 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\UPDATE\AVUPDATE_4bb4e7c6\ave2\aescript.dll
2010-04-01 18:37 . 2010-04-01 18:37 242039 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\UPDATE\AVUPDATE_4bb4e7c6\ave2\aehelp.dll
2010-04-01 18:37 . 2010-04-01 18:37 373108 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\UPDATE\AVUPDATE_4bb4e7c6\ave2\aegen.dll
2010-04-01 18:37 . 2010-04-01 18:37 188790 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\UPDATE\AVUPDATE_4bb4e7c6\ave2\aecore.dll
.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-26 12:33 . 2009-08-25 09:46 -------- d-----w- c:\documents and settings\maison\Application Data\HPAppData
2010-04-24 09:08 . 2008-11-18 16:23 1 ----a-w- c:\documents and settings\maison\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-04-22 13:59 . 2004-08-03 21:59 98240 ----a-w- c:\windows\system32\drivers\cdrom.VIR
2010-03-28 18:39 . 2001-08-24 12:00 80856 ----a-w- c:\windows\system32\perfc00C.dat
2010-03-28 18:39 . 2001-08-24 12:00 500814 ----a-w- c:\windows\system32\perfh00C.dat
2010-03-11 17:18 . 2009-11-08 09:14 79488 ----a-w- c:\documents and settings\maison\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-03-11 12:34 . 2006-04-12 18:13 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:34 . 2004-08-19 15:09 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:34 . 2004-08-19 15:09 17408 ------w- c:\windows\system32\corpol.dll
2010-03-09 11:10 . 2004-08-19 15:09 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-24 13:11 . 2006-03-09 08:24 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-19 23:47 . 2010-02-19 23:47 3604480 ----a-w- c:\windows\system32\GPhotos.scr
2010-02-17 12:07 . 2006-03-09 08:25 2192000 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 19:07 . 2005-03-02 16:07 2068864 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-15 12:11 . 2008-11-17 14:07 86576 ----a-w- c:\documents and settings\maison\Application Data\Microsoft\Services Windows Live\Raccourci Galerie de Photos Windows Live.exe
2010-02-15 12:11 . 2008-11-17 14:07 392728 ----a-w- c:\documents and settings\maison\Application Data\Microsoft\Services Windows Live\Services Windows Live.dll
2010-02-15 12:11 . 2008-11-17 14:07 132672 ----a-w- c:\documents and settings\maison\Application Data\Microsoft\Services Windows Live\Raccourci Windows Live Messenger.exe
2010-02-15 12:11 . 2010-02-15 12:11 135680 ----a-w- c:\documents and settings\maison\Application Data\Microsoft\Notification de cadeaux MSN\lsnfier.exe
2010-02-15 12:10 . 2010-02-15 12:10 0 ----a-r- c:\documents and settings\maison\Application Data\Microsoft\Live Search\Notification-LiveSearch.exe
2010-02-12 04:34 . 2004-08-19 15:09 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2004-08-03 22:07 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
.
((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2004-02-12 188416]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2004-02-12 77824]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"="move" [X]
"Config"="c:\windows\system32\run.cmd" [2006-02-14 248]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-19 44544]
c:\documents and settings\maison\Menu D‚marrer\Programmes\D‚marrage\
monxga32.exe [2008-4-14 32768]
Notification de cadeaux MSN.lnk - c:\documents and settings\maison\Application Data\Microsoft\Notification de cadeaux MSN\lsnfier.exe [2010-2-15 135680]
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-9-12 384000]
c:\documents and settings\All Users\Menu D‚marrer\Programmes\D‚marrage\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MemCheckBoxInRunDlg"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
"NoStrCmpLogical"= 0 (0x0)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"MemCheckBoxInRunDlg"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"DisablePagingExecutive"=dword:00000001
"SecondLevelDataCache"=dword:00000200
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
R1 SbFw;SbFw;c:\windows\system32\drivers\SbFw.sys [17/11/2008 14:56 270888]
R1 sbhips;Sunbelt HIPS Driver;c:\windows\system32\drivers\sbhips.sys [21/06/2008 05:54 66600]
R2 SbPF.Launcher;SbPF.Launcher;c:\program files\Sunbelt Software\Personal Firewall\SbPFLnch.exe [31/10/2008 08:24 95528]
R2 SPF4;Sunbelt Personal Firewall 4;c:\program files\Sunbelt Software\Personal Firewall\SbPFSvc.exe [31/10/2008 08:24 1365288]
R3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Miniport;c:\windows\system32\drivers\SbFwIm.sys [17/11/2008 14:56 65576]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
------- Examen supplémentaire -------
.
uDefault_Search_URL =
hxxp://www.google.com/ieuSearchAssistant =
hxxp://www.google.com/ieuSearchURL,(Default) =
hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
FF - ProfilePath - c:\documents and settings\maison\Application Data\Mozilla\Firefox\Profiles\ubmz1xl8.default\
FF - prefs.js: browser.search.defaulturl -
hxxp://www.bing.com/search?FORM=IEFM1&q=FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage -
hxxp://www.doneo.org/2_index.php?id_assoc=FF - prefs.js: keyword.URL -
hxxp://www.bing.com/search?mkt=fr-FR&form=MIMWA5&q=FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\documents and settings\maison\Local Settings\Application Data\Yahoo!\BrowserPlus\2.4.21\Plugins\npybrowserplus_2.4.21.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHELINS SUPPRIMES - - - -
HKLM-Run-syncman - c:\windows\system32\wuaucldt.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.netRootkit scan 2010-04-29 15:11
Windows 5.1.2600 Service Pack 3 NTFS
Recherche de processus cachés ...
Recherche d'éléments en démarrage automatique cachés ...
Recherche de fichiers cachés ...
Scan terminé avec succès
Fichiers cachés: 0
**************************************************************************
.
--------------------- CLES DE REGISTRE BLOQUEES ---------------------
[HKEY_USERS\S-1-5-21-1614895754-823518204-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{4969EC46-2261-0C1D-49DF-08891B03A636}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"ablhbebdbckmnokdegfenklfeobdfdhkgm"=hex:61,61,00,00
"bblhbebdbckmnokdegoempojoncdgkellffk"=hex:61,61,00,00
.
Heure de fin: 2010-04-29 15:14:57
ComboFix-quarantined-files.txt 2010-04-29 13:14
Avant-CF: 21 165 432 832 octets libres
Après-CF: 21 656 530 944 octets libres
- - End Of File - - 1D0A963E8E73F83EEE2D2C9120D339D8
Merci pour votre aide
