I hadn't seen the second malicious file.
I followed the procedure.
Here is the report:
ComboFix 08-01-02.1 - Administrateur 2008-01-04 18:10:15.3 - NTFSx86
Microsoft Windows XP Professionnel 5.1.2600.2.1252.1.1036.18.48 [GMT 1:00]
Running from: C:\Documents and Settings\Administrateur.72FE02D314F24D6\Bureau\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrateur.72FE02D314F24D6\Bureau\CFScript.txt
* Created a new restore point
FILE
C:\windows\system32\gebywxx.dll
C:\WINDOWS\system32\ndaTqsVqrX.dll
.
((((((((((((((((((((((((((((( Fichiers créés 2007-12-04 to 2008-01-04 ))))))))))))))))))))))))))))))))))))
.
2008-01-03 17:21 . 2008-01-03 17:21 <REP> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Yahoo! Companion
2008-01-03 17:18 . 2008-01-03 17:18 17,544,334 --a------ C:\upload_moi_72FE02D314F24D6.tar.gz
2008-01-03 16:14 . 2008-01-03 16:23 <REP> d-------- C:\Program Files\Navilog1
2008-01-02 18:20 . 2008-01-02 18:21 72,488 --a------ C:\cc_20080102_1820.reg
2008-01-02 17:37 . 2008-01-02 17:37 <REP> d-------- C:\VundoFix Backups
2008-01-02 17:03 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-02 10:29 . 2008-01-02 10:29 <REP> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft
2008-01-02 10:28 . 2008-01-02 10:28 <REP> d-------- C:\Program Files\Fichiers communs\Wise Installation Wizard
2008-01-01 11:39 . 2008-01-01 11:51 <REP> d-------- C:\Program Files\RegCleaner
2007-12-30 09:44 . 2007-12-30 09:44 23,040 --a------ C:\Rapport 29.doc
2007-12-21 12:43 . 2007-12-21 12:43 <REP> d-------- C:\Documents and Settings\Administrateur.72FE02D314F24D6\Application Data\Lavasoft
2007-12-20 17:26 . 2007-12-20 17:26 <REP> d-------- C:\Documents and Settings\Administrateur.72FE02D314F24D6\Application Data\Quark
2007-12-20 17:00 . 2007-12-20 17:00 <REP> d-------- C:\Program Files\Quark
2007-12-20 11:59 . 2007-12-20 11:59 <REP> d-------- C:\Program Files\Lavasoft
2007-12-12 15:20 . 2007-07-06 13:50 660,992 -----c--- C:\WINDOWS\system32\dllcache\mqqm.dll
2007-12-12 15:20 . 2007-07-06 13:50 527,360 -----c--- C:\WINDOWS\system32\dllcache\mqutil.dll
2007-12-12 15:20 . 2007-07-06 13:50 177,152 -----c--- C:\WINDOWS\system32\dllcache\mqrt.dll
2007-12-12 15:20 . 2007-07-06 13:50 138,240 -----c--- C:\WINDOWS\system32\dllcache\mqad.dll
2007-12-12 15:20 . 2007-07-06 13:50 95,744 -----c--- C:\WINDOWS\system32\dllcache\mqsec.dll
2007-12-12 15:20 . 2007-07-06 11:05 72,960 -----c--- C:\WINDOWS\system32\dllcache\mqac.sys
2007-12-12 15:20 . 2007-07-06 13:50 48,640 -----c--- C:\WINDOWS\system32\dllcache\mqupgrd.dll
2007-12-12 15:20 . 2007-07-06 13:50 47,104 -----c--- C:\WINDOWS\system32\dllcache\mqdscli.dll
2007-12-12 15:20 . 2007-07-06 13:50 16,896 -----c--- C:\WINDOWS\system32\dllcache\mqise.dll
2007-12-12 15:19 . 2007-10-29 23:43 1,293,824 -----c--- C:\WINDOWS\system32\dllcache\quartz.dll
2007-12-12 15:19 . 2007-11-14 08:28 450,560 -----c--- C:\WINDOWS\system32\dllcache\jscript.dll
.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-02 14:33 --------- d-----w C:\Documents and Settings\Administrateur.72FE02D314F24D6\Application Data\AdobeUM
2008-01-02 14:21 --------- d-----w C:\Documents and Settings\Administrateur.72FE02D314F24D6\Application Data\Canon
2008-01-02 10:07 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Google Updater
2008-01-01 13:08 --------- d-----w C:\Program Files\CartoNavPlus
2007-12-21 11:42 --------- d-----w C:\Program Files\Ad-Aware
2007-12-11 10:13 --------- d-----w C:\Program Files\Shareaza
2007-11-29 07:45 --------- d-----w C:\Program Files\Rar Repair Tool
2007-11-26 13:15 --------- d-----w C:\Program Files\FDRLab
2007-11-25 08:41 --------- d-----w C:\Program Files\Whisper Technology
2007-11-23 12:40 --------- d-----w C:\Program Files\ElcomSoft
2007-11-23 09:11 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-23 09:11 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\BVRP Software
2007-11-23 08:58 --------- d-----w C:\Program Files\Ontrack
2007-11-22 14:41 --------- d-----w C:\Program Files\TSL
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-29 22:43 1,293,824 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-25 08:28 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2006-10-08 23:18 145,920 ----a-w C:\WINDOWS\inf\hdaudio.sys
.
((((((((((((((((((((((((((((( snapshot@2008-01-02_17.10.09,84 )))))))))))))))))))))))))))))))))))))))))
.
+ 2000-08-31 07:00:00 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
+ 2008-01-04 16:32:47 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_2b8.dat
.
((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UberIcon"="C:\Program Files\UberIcon\UberIcon Manager.exe" [2005-08-12 20:52 180224]
"VisualTaskTips"="C:\Windows\System32\VisualTaskTips.exe" [2006-07-05 03:23 36864]
"TweakRAM"="C:\Program Files\TweakRAM\TweakRAM.exe" [2006-04-15 18:07 907264]
"LClock"="C:\Program Files\LClock\lclock.exe" [2004-09-19 20:27 65536]
"Ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:54 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-11-02 21:33 7700480]
"nwiz"="nwiz.exe" []
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-11-02 21:33 86016]
"Vistadrv"="C:\WINDOWS\system32\Vistadrive\vsdrv.exe" [2006-07-30 03:37 121089]
"TopDesk"="C:\WINDOWS\system32\topdesk.exe" [2006-11-06 20:31 195584]
"DiskeeperSystray"="C:\Program Files\Executive Software\Diskeeper\DkIcon.exe" [2005-07-26 17:52 184408]
"nod32kui"="C:\Program Files\Nod32\nod32kui.exe" [2007-03-09 17:26 921600]
"Look 'n' Stop"="C:\Program Files\Soft4Ever\looknstop\looknstop.exe" [2007-04-10 07:07 364612]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"UberIcon"="C:\Program Files\UberIcon\UberIcon Manager.exe" [2005-08-12 20:52 180224]
"VisualTaskTips"="C:\Windows\System32\VisualTaskTips.exe" [2006-07-05 03:23 36864]
"TweakRAM"="C:\Program Files\TweakRAM\TweakRAM.exe" [2006-04-15 18:07 907264]
"LClock"="C:\Program Files\LClock\lclock.exe" [2004-09-19 20:27 65536]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide3"="cmd.exe" [2006-06-20 11:15 403968 C:\WINDOWS\system32\cmd.exe]
C:\Documents and Settings\All Users.WINDOWS\Menu Démarrer\Programmes\Démarrage\
Accélérateur de démarrage AutoCAD.lnk - C:\Program Files\Fichiers communs\Autodesk Shared\acstart17.exe [2006-03-05 13:43:54]
Assistant d'Acrobat.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 00:19:50]
Outil de mise à jour Google.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-03-22 08:51:45]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebywxx]
gebywxx.dll
R0 Si3112;Si3112;C:\WINDOWS\system32\drivers\Si3112.sys [2006-10-09 00:30]
R0 viamraid;viamraid;C:\WINDOWS\system32\DRIVERS\viamraid.sys [2006-10-09 00:30]
R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2006-10-09 00:30]
R1 GhPciScan;GhostPciScanner;C:\Program Files\Symantec\Norton Ghost 2003\ghpciscan.sys [2003-05-28 19:01]
R1 lnsfw1;lnsfw1;C:\WINDOWS\system32\drivers\lnsfw1.sys [2007-03-09 21:36]
S3 usbscan;Pilote de scanneur USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 21:58]
S3 USBSTOR;Pilote de stockage de masse USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-12-29 00:58]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService REG_MULTI_SZ WebClient LmHosts upnphost SSDPSRV
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{1B323974-9D09-774A-0507-020300020002}]
C:\WINDOWS\Nod32.exe
.
**************************************************************************
catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-01-04 18:14:56
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\WINDOWS\system32\topdesk.dll
-> C:\Program Files\UberIcon\UberIcon.dll
-> C:\Windows\System32\VttHooks.dll
-> C:\Program Files\LClock\LC.dll
.
Completion time: 2008-01-04 18:16:27
ComboFix-quarantined-files.txt 2008-01-04 17:16:22
ComboFix2.txt 2008-01-04 16:35:32
ComboFix3.txt 2008-01-02 16:10:41
.
2007-12-21 16:37:47 --- E O F ---