Hi, everything went well. ComboFix was done within 13 minutes.
ComboFix 08-06-20.4 - Hassib 2008-06-23 16:17:27.2 - NTFSx86
Microsoft Windows XP Professionnel 5.1.2600.2.1256.216.1036.18.409 [GMT 2:00]
Location: C:\Documents and Settings\Hassib\Bureau\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((( Files Created from 2008-05-23 to 2008-06-23 ))))))))))))))))))))))))))))))))))))
.
2008-06-16 15:45 . 2008-06-16 15:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-06-16 05:12 . 2008-02-15 23:39 138,384 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-06-16 05:12 . 2008-02-15 23:39 52,496 --a------ C:\WINDOWS\system32\drivers\tmactmon.sys
2008-06-16 05:12 . 2008-02-15 23:39 52,240 --a------ C:\WINDOWS\system32\drivers\tmevtmgr.sys
2008-06-16 05:10 . 2008-06-23 11:32 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-15 00:51 . 2008-06-15 00:53 10,752 --a------ C:\WINDOWS\DCEBoot.exe
2008-06-15 00:31 . 2008-06-17 02:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-06-12 16:59 . 2008-06-15 11:25 <DIR> d-------- C:\Documents and Settings\Hassib\.housecall6.6
2008-06-12 16:58 . 2008-06-12 16:58 <DIR> d-------- C:\WINDOWS\Sun
2008-06-12 16:58 . 2005-04-13 03:48 49,265 --a------ C:\WINDOWS\system32\jpicpl32.cpl
2008-06-12 16:57 . 2008-06-12 16:58 <DIR> d-------- C:\Program Files\Java
2008-06-12 16:55 . 2008-06-12 16:55 <DIR> d-------- C:\Program Files\Fichiers communs\Java
2008-06-12 15:30 . 2008-06-14 22:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-06-12 14:39 . 2008-06-12 14:45 <DIR> d-------- C:\Program Files\Google
2008-06-12 14:39 . 2008-06-12 14:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-06-12 14:22 . 2008-06-12 14:22 0 --a------ C:\LOG75.tmp
2008-06-01 11:19 . 2008-06-01 11:19 0 --a------ C:\LOG1EA.tmp
2008-06-01 10:23 . 2008-06-12 15:35 <DIR> d-------- C:\Ad-Aware SE Professional
2008-06-01 10:21 . 2008-06-01 10:21 <DIR> d-------- C:\Inetpub
2008-06-01 10:02 . 2008-06-01 10:02 0 --a------ C:\LOG45.tmp
.
(((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-12 14:32 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-06-12 14:32 --------- d-----w C:\Program Files\Fichiers communs\Symantec Shared
2008-06-01 09:18 --------- d-----w C:\Documents and Settings\Hassib\Application Data\U3
2008-05-22 14:13 --------- d-----w C:\Program Files\Fichiers communs\ReparateurDeSysteme
2008-05-21 10:45 --------- d-----w C:\Documents and Settings\Hassib\Application Data\Lavasoft
2008-05-20 17:27 --------- d-----w C:\Program Files\Winamp
2008-05-20 17:26 --------- d-----w C:\Program Files\MSN Messenger
2008-05-20 17:20 --------- d-----w C:\Program Files\IMsecure
2008-05-20 16:24 --------- d-----w C:\Documents and Settings\Hassib\Application Data\Skype
2008-05-20 16:24 --------- d-----w C:\Documents and Settings\Hassib\Application Data\ITEDO
2008-05-20 16:23 --------- d-----w C:\Documents and Settings\Hassib\Application Data\DassaultSystemes
2008-05-20 16:23 --------- d-----w C:\Documents and Settings\Hassib\Application Data\AdobeUM
2008-05-20 16:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-05-20 16:21 --------- d-----r C:\Documents and Settings\All Users\Application Data\SalesMon
2008-05-20 16:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\DassaultSystemes
2008-05-20 16:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
2008-05-20 16:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic
2008-05-20 15:44 160,256 ----a-w C:\WINDOWS\system32\blackster.scr
2008-05-19 13:10 0 ----a-w C:\winxplogon.sys
2008-05-10 16:17 0 ----a-w C:\Documents and Settings\MyDocuments\readthis.doc.exe
2008-05-10 16:17 0 ----a-w C:\Documents and Settings\MyDocuments\Readme.doc .exe
2008-05-02 14:22 205,328 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys
2008-05-02 14:21 36,368 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys
2008-05-02 14:17 1,169,240 ----a-w C:\WINDOWS\system32\drivers\vsapint.sys
.
----a-w 0 2008-05-10 16:17:05 C:\Documents and Settings\MyDocuments\Readme.doc .exe
------- Sigcheck -------
2006-03-09 10:25 578048 0df75fb73f705b011630159a43d7c354 C:\WINDOWS\system32\user32.dll
2006-04-12 20:13 667648 241dbc4c2714b2f39afded49459ed420 C:\WINDOWS\system32\wininet.dll
2006-02-14 21:56 359808 667192a11db19f36624119c0dd4de4f2 C:\WINDOWS\system32\drivers\tcpip.sys
2006-05-09 10:11 2017280 50b3a210b6fa8d3089a36a32e7d8b21f C:\WINDOWS\system32\ntkrnlpa.exe
2006-03-09 10:25 2137600 e75f7aa5a33479f29c636fd0890f5762 C:\WINDOWS\system32\ntoskrnl.exe
.
((((((((((((((((((((((((((((( snapshot@2008-06-17_ 6.15.44.98 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-17 04:08:40 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-17 11:52:05 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2000-08-31 06:00:00 28,160 ----a-w C:\WINDOWS\Nircmd.exe
+ 2000-08-31 06:00:00 28,672 ----a-w C:\WINDOWS\Nircmd.exe
.
((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{132F969E-2442-47BE-8CC8-955483AF951B}]
C:\WINDOWS\fvowketqfgq.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SuperCopier2.exe"="C:\Program Files\SuperCopier2\SuperCopier2.exe" [2006-07-07 18:45 1052672]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 17:09 15360]
"FrameWorkService"="" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-12 14:39 68856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe" [ ]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 21:33 125168]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 21:24 32768]
"RTHDCPL"="RTHDCPL.EXE" [2007-11-06 11:50 16855552 C:\WINDOWS\RTHDCPL.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-12-11 22:05 344064]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY" [ ]
"FrameWorkService"="" []
"UADCcw"="C:\Program Files\AdvancedCleaner Free\UADCcw.exe" [ ]
"BMN"="C:\Program Files\Fichiers communs\AntivirusOrdi\bm.exe dm=http://antivirusordi.com ad=http://antivirusordi.com" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 03:48 36975]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-02-16 00:56 1398024]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 17:09 15360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Config"="C:\WINDOWS\system32\run.cmd" [2006-02-14 12:24 248]
"nlsf"="move" []
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-19 16:52 44544]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MemCheckBoxInRunDlg"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)
"NoDesktopCleanupWizard"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
"NoStrCmpLogical"= 0 (0x0)
"NoInstrumentation"= 0 (0x0)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"MemCheckBoxInRunDlg"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)
"NoDesktopCleanupWizard"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\disallowrun]
"1"= cmd.exe
"2"= mmc.exe
"3"= rstrui.exe
"4"= regedit.exe
"5"= regedt32.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"mpfanvqg"= {0332C26B-A151-4352-A2D3-4A76A5490BC4} - C:\WINDOWS\mpfanvqg.dll [ ]
"vbksrofa"= {B05FDAF4-A03F-4F67-A74B-6A45A8428BB3} - C:\WINDOWS\vbksrofa.dll [ ]
"AvpPrx"= {a7afcc91-b39d-4cc0-bbf2-d4712a39d03a} - C:\WINDOWS\Resources\AvpPrx.dll [ ]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccdcDus]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"DisablePagingExecutive"=dword:00000001
"SecondLevelDataCache"=dword:00000200
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
R1 LUMDriver;LUMDriver;C:\WINDOWS\system32\drivers\LUMDriver.sys [2003-07-11 15:22]
R2 BBDemon;Backbone Service;"C:\Program Files\Dassault Systemes\B16\intel_a\code\bin\CATSysDemon.exe" -service []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{623506b4-a33b-11dc-a6d2-001b24510921}]
\Shell\AutoRun\command - E:\zPharaoh.exe
\Shell\explore\command - E:\zPharaoh.exe
\Shell\open\command - E:\zPharaoh.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{623506b9-a33b-11dc-a6d2-001b24510921}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL antihost.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{84918836-cb54-11dc-a711-001b24510921}]
\Shell\AutoRun\command - qd.cmd
\Shell\explore\Command - qd.cmd
\Shell\open\Command - qd.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8f24ea9e-ccbd-11dc-a714-001b24510921}]
\Shell\AutoRun\command - zPharaoh.exe
\Shell\explore\command - zPharaoh.exe
\Shell\open\command - zPharaoh.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8f24eaa1-ccbd-11dc-a714-001b24510921}]
\Shell\AutoRun\command - E:\m1t8ta.com
\Shell\explore\Command - E:\m1t8ta.com
\Shell\open\Command - E:\m1t8ta.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{98a899ce-1a7b-11dd-a769-001b24510921}]
\Shell\AutoRun\command - E:\u2.cmd
\Shell\explore\Command - E:\u2.cmd
\Shell\open\Command - E:\u2.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cbc59340-cb69-11dc-a712-001b24510921}]
\Shell\AutoRun\command - E:\ntde1ect.com
\Shell\explore\Command - E:\ntde1ect.com
\Shell\open\Command - E:\ntde1ect.com
*Newly Created Service* - CATCHME
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-06-23 16:25:31
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\mchInjDrv]
"ImagePath"="\??\C:\DOCUME~1\Hassib\LOCALS~1\Temp\mc25.tmp"
.
Completion time: 2008-06-23 16:29:46
ComboFix-quarantined-files.txt 2008-06-23 14:29:23
ComboFix2.txt 2008-06-17 04:17:07
Pre-Run: 40,638,337,024 bytes free
Post-Run: 40,629,817,344 bytes free
191 --- E O F --- 2008-05-20 12:44:35
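An added triage example, not part of the original post and not ComboFix's own code: a small parser for the "Reg Loading Points" layout ComboFix prints, run over lines constructed from the log above. It flags the indicators this log actually contains: per-volume MountPoints2 shell handlers pointing at files on a removable drive, DisallowRun policies that block cmd.exe/regedit.exe, Security Center monitoring switched off, the Windows Firewall disabled for the standard profile, a Run entry that passes a URL on its command line, and auto-loaded DLLs (BHO, ShellServiceObjectDelayLoad) that ComboFix could not verify (its "[ ]" marker). ADMIN_TOOLS, SC_SUPPRESS and the severity labels are assumptions of this example, and SAMPLE_LOG is constructed, not a verbatim copy of the log.

```python
"""Triage the [KEY] / value sections of a ComboFix 'Reg Loading Points' dump.
Added example (not ComboFix code, not from the original post). ADMIN_TOOLS,
SC_SUPPRESS and the severities are assumptions; SAMPLE_LOG is constructed."""
import re
from dataclasses import dataclass

# Tools a user reaches for to clean an infection; blocking them by policy is
# malware self-defence, not a normal admin setting (assumption of this example).
ADMIN_TOOLS = {"cmd.exe", "mmc.exe", "rstrui.exe", "regedit.exe",
               "regedt32.exe", "taskmgr.exe", "msconfig.exe"}
# Security Center values that silence "AV/firewall is off" alerts when set to 1.
SC_SUPPRESS = {"DisableMonitoring", "FirewallOverride", "UpdatesDisableNotify",
               "AntiVirusDisableNotify", "FirewallDisableNotify"}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')
AUTORUN_RE = re.compile(r"^\\Shell\\(?P<verb>AutoRun|explore|open)\\command\s*-\s*(?P<cmd>.+)$", re.I)
DLL_RE = re.compile(r"[A-Z]:\\[^\[\]]+?\.dll", re.I)


@dataclass
class Finding:
    severity: str
    key: str
    detail: str


def reg_int(data):
    """Read 'dword:00000001' or '0 (0x0)' style data as an int (None if neither)."""
    m = re.match(r"\s*(?:dword:)?([0-9a-f]+)", data, re.I)
    return int(m.group(1), 16) if m else None


def parse_sections(lines):
    """Yield (key, body_lines) per [KEY] block; text before the first key is ignored."""
    key, body = None, []
    for raw in lines:
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            if key is not None:
                yield key, body
            key, body = m.group("key"), []
        elif key is not None and line:
            body.append(line)
    if key is not None:
        yield key, body


def triage(lines):
    """Return the Findings for one Reg Loading Points dump, in log order."""
    findings = []
    for key, body in parse_sections(lines):
        k = key.lower()
        values = [m for m in map(VALUE_RE.match, body) if m]
        if "mountpoints2" in k:
            # AutoRun/open/explore all redirected to a file on the volume: USB-worm pattern.
            cmds = {m.group("verb").lower(): m.group("cmd") for m in map(AUTORUN_RE.match, body) if m}
            if cmds:
                findings.append(Finding("high", key, "removable-drive autorun hijack: " +
                                        "; ".join(f"{v}->{c}" for v, c in sorted(cmds.items()))))
        elif k.endswith("policies\\explorer\\disallowrun"):
            blocked = sorted(v.group("data").strip() for v in values
                             if v.group("data").strip().lower() in ADMIN_TOOLS)
            if blocked:
                findings.append(Finding("high", key, "admin tools blocked via DisallowRun: " + ", ".join(blocked)))
        elif k.endswith("currentversion\\run"):
            for v in values:
                if "http://" in v.group("data").lower():
                    findings.append(Finding("high", key, f"Run entry {v.group('name')} passes a URL on its command line"))
        elif "security center" in k:
            for v in values:
                if v.group("name") in SC_SUPPRESS and reg_int(v.group("data")) == 1:
                    findings.append(Finding("medium", key, f"{v.group('name')}=1 (Security Center alert suppressed)"))
        elif "firewallpolicy" in k and "authorizedapplications" not in k:
            for v in values:
                if v.group("name") == "EnableFirewall" and reg_int(v.group("data")) == 0:
                    findings.append(Finding("medium", key, "Windows Firewall disabled for this profile"))
        elif "browser helper objects" in k or k.endswith("shellserviceobjectdelayload"):
            for b in body:
                m = DLL_RE.search(b)
                # ComboFix prints "[ ]" when it could not stat or verify the referenced file.
                if m and ("browser helper objects" in k or b.endswith("[ ]")):
                    findings.append(Finding("high", key, f"auto-loaded DLL {m.group(0)}"))
    return findings


# Constructed from the posted log for this example (not a verbatim copy).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{132F969E-2442-47BE-8CC8-955483AF951B}]
C:\WINDOWS\fvowketqfgq.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 21:33 125168]
"BMN"="C:\Program Files\Fichiers communs\AntivirusOrdi\bm.exe dm=http://antivirusordi.com" [ ]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\disallowrun]
"1"= cmd.exe
"4"= regedit.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"mpfanvqg"= {0332C26B-A151-4352-A2D3-4A76A5490BC4} - C:\WINDOWS\mpfanvqg.dll [ ]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{623506b4-a33b-11dc-a6d2-001b24510921}]
\Shell\AutoRun\command - E:\zPharaoh.exe
\Shell\open\command - E:\zPharaoh.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"[{f.severity:6}] {f.key}\n         {f.detail}")
```

Feed it a full log with `triage(open("ComboFix.txt", encoding="cp1252").splitlines())`; the parser only reacts to bracketed keys, so the file-listing and catchme sections above pass through harmlessly. The MountPoints2 rule alone would have caught every E:\ volume in this log, which is the practical point: the per-volume handlers survive after the worm binary itself is deleted, so they have to be removed too.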