ComboFix 07-08-30.3 - "Bureau" 2007-09-07 8:20:10.1 - NTFSx86
Microsoft Windows XP Professionnel 5.1.2600.2.1252.1.1036.18.1614 [GMT 2:00]
Rootkit driver xpdt is present. ... attempting disinfection xpdt ...... driver unloaded successfully.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\Program Files\Fichiers communs\Yazzle1162OinUninstaller.exe
C:\WINDOWS\system32\xpdt.sys
C:\WINDOWS\wr.txt
((((((((((((((((((((((((( Files Created from 2007-08-07 to 2007-09-07 )))))))))))))))))))))))))))))))
2007-09-07 08:17 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-09-06 15:35 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-09-06 15:35 <REP> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\MailFrontier
2007-09-06 15:33 <REP> d-------- C:\WINDOWS\Internet Logs
2007-09-04 17:41 <REP> d-------- C:\Program Files\Trend Micro
2007-09-03 18:51 <REP> d-------- C:\Program Files\CCleaner
2007-09-02 17:18 3,428 --a------ C:\WINDOWS\system32\tmp.reg
2007-08-22 13:01 10,290 --a------ C:\WINDOWS\system32\ealregsnapshot1.reg
2007-08-22 10:34 <REP> d-------- C:\Program Files\Realtek AC97
2007-08-22 10:33 454,656 --a------ C:\WINDOWS\system32\CapabilityTable.exe
2007-08-22 10:32 9,728 -ra------ C:\WINDOWS\system32\bdco1.dll
2007-08-22 10:32 33,536 -ra------ C:\WINDOWS\system32\drivers\NVENETFD.sys
2007-08-22 10:32 32,256 -ra------ C:\WINDOWS\system32\nvconrm.dll
2007-08-22 10:32 261,888 -ra------ C:\WINDOWS\system32\drivers\nvnrm.sys
2007-08-22 10:32 208,256 -ra------ C:\WINDOWS\system32\drivers\nvsnpu.sys
2007-08-22 10:32 201,728 -ra------ C:\WINDOWS\system32\fdco1.dll
2007-08-22 10:32 176,128 -ra------ C:\WINDOWS\system32\nvusmb.exe
2007-08-22 10:32 176,128 --a------ C:\WINDOWS\system32\nvunrm.exe
2007-08-22 10:32 12,928 -ra------ C:\WINDOWS\system32\drivers\nvnetbus.sys
2007-08-22 10:26 <REP> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\nView_Profiles
2007-08-22 10:22 208,896 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2007-08-22 10:22 208,896 --a------ C:\WINDOWS\system32\nvudisp.exe
2007-08-22 10:22 <REP> d-------- C:\WINDOWS\nview
2007-08-08 09:17 94,208 --a------ C:\WINDOWS\system32\DNIN50.dll
2007-08-08 09:17 843,776 -ra------ C:\WINDOWS\system32\AegisE5.dll
2007-08-08 09:17 20,480 --a--c--- C:\WINDOWS\system32\dllcache\usbuhci.sys
2007-08-08 09:17 20,480 --------- C:\WINDOWS\system32\drivers\usbuhci.sys
2007-08-08 09:17 17,149 --a------ C:\WINDOWS\system32\DNINDIS5.sys
2007-08-08 09:17 15,890 --a------ C:\WINDOWS\system32\drivers\mdc8021x.sys
2007-08-08 09:17 110,592 -ra------ C:\WINDOWS\system32\AegisI5.exe
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-09-06 20:25 5684 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-09-06 20:25 215072 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-09-06 17:17 --------- d-------- C:\DOCUME~1\Bureau\APPLIC~1\TribalWeb
2007-09-06 17:06 22328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-09-06 17:06 103736 --a------ C:\WINDOWS\system32\PnkBstrB.exe
2007-09-06 16:30 66872 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2007-09-06 15:34 75932 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-09-06 15:34 74396 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-09-04 18:39 --------- d-------- C:\Program Files\Microsoft ActiveSync
2007-09-03 18:53 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-22 16:42 --------- d-------- C:\Program Files\Fichiers communs\Wise Installation Wizard
2007-08-22 16:41 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-22 16:40 --------- d-------- C:\Program Files\Microsoft GIF Animator
2007-08-22 16:39 --------- d-------- C:\Program Files\LcdStudio
2007-08-22 16:39 --------- d-------- C:\Program Files\Hitman Pro
2007-08-22 10:26 62009 --a------ C:\WINDOWS\system32\wpfb_nv4_disp.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-27 15:35 --------- d-------- C:\Program Files\TribalWeb.net
2007-07-24 17:29 --------- d-------- C:\DOCUME~1\Bureau\APPLIC~1\Microsoft Games
2007-07-24 17:29 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft Games
2007-07-16 15:42 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2007-07-16 15:42 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2007-07-16 15:41 --------- d-------- C:\Program Files\Fichiers communs\Logitech
2007-07-16 15:41 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Logitech
2007-07-13 11:24 --------- d-------- C:\Program Files\Maxis
2007-06-26 08:09 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-21 21:55 54672 --a------ C:\WINDOWS\system32\vsutil_loc040c.dll
2007-06-21 21:55 42384 --a------ C:\WINDOWS\zllsputility_loc040c.dll
2007-06-21 21:55 21904 --a------ C:\WINDOWS\system32\imsinstall_loc040c.dll
2007-06-21 21:55 17808 --a------ C:\WINDOWS\system32\imslsp_install_loc040c.dll
2007-06-21 21:54 75248 --a------ C:\WINDOWS\zllsputility.exe
2007-06-21 21:54 1086952 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-06-19 15:32 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-13 15:22 1037312 --a------ C:\WINDOWS\explorer.exe
--------- C:\Program Files\Hijackthis Version Française
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-07-12 09:55 C:\WINDOWS\soundman.exe]
"PivotSoftware"="C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe" [2005-10-21 11:07]
"Easy-PrintToolBox"="C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe" [2004-01-14 03:10]
"Motive SmartBridge"="C:\PROGRA~1\CLUB-I~1\LECOMP~1\SMARTB~1\MotiveSB.exe" [2005-08-24 07:51]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 04:50]
"Launch LCDMon"="C:\Program Files\Fichiers communs\Logitech\LCD Manager\lcdmon.exe" [2006-11-09 13:45]
"Launch LGDCore"="C:\Program Files\Fichiers communs\Logitech\G-series Software\LGDCore.exe" [2006-11-09 14:10]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-08-16 20:10]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2007-04-02 10:35]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-23 15:44 C:\WINDOWS\KHALMNPR.Exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-19 13:26]
"nwiz"="nwiz.exe" [2007-04-19 13:26 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-04-19 13:26]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 12:48]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-06-21 21:54]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [2005-01-19 15:18]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:54]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJCFD]
C:\Program Files\BroadJump\Client Foundation\CFD.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"EA Core"="C:\Program Files\Electronic Arts\EA Link\Core.exe" -silent
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"WinampAgent"=C:\Program Files\Winamp\winampa.exe
"OpwareSE2"="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
R1 amdtools;AMD Special Tools Driver;C:\WINDOWS\system32\DRIVERS\amdtools.sys
R1 Machnm32;Machnm32 Driver;\??\C:\WINDOWS\system32\Machnm32.sys
R1 Pivot;Pivot;C:\WINDOWS\system32\drivers\pivot.sys
R2 LBeepKE;LBeepKE;C:\WINDOWS\system32\Drivers\LBeepKE.sys
S1 KS0108;KS0108;\??\C:\Program Files\LcdStudio\ks0108.sys
S1 LC7981;LC7981;\??\C:\Program Files\LcdStudio\LC7981.sys
S1 n3900;n3900;\??\C:\Program Files\LcdStudio\n3900.sys
S1 SED133x;SED133x;\??\C:\Program Files\LcdStudio\SED133x.sys
S1 T6963C;T6963C;\??\C:\Program Files\LcdStudio\T6963c.sys
S2 mple7docserver;Maya 7 PLE Documentation Server;E:\MayaPLE\docs\wrapper.exe -s E:\MayaPLE\docs\Wrapper.conf
S3 AR5523;NETGEAR WG111T USB2.0 Wireless Card Service;C:\WINDOWS\system32\DRIVERS\wg11tnd5.sys
S3 ATHFMWDL;NETGEAR WG111T bootloader driver;C:\WINDOWS\system32\Drivers\ATHFMWDL.sys
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;\??\C:\WINDOWS\system32\DNINDIS5.SYS
S3 pivotmou;Pivot Mouse/Pointers Filter Driver;\??\C:\WINDOWS\system32\drivers\pivotmou.sys
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3b542b9a-b218-11db-ac63-0015f24ff202}]
AutoRun\command- L:\wd_windows_tools\setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d13b168d-2733-11db-b18f-806d6172696f}]
AutoRun\command- J:\ASUSACPI.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e6fde9d4-a865-11db-ac5a-0015f24ff202}]
AutoRun\command- M:\PortableApps\PortableAppsMenu\PortableAppsMenu.exe
*Newly Created Service* - CATCHME
Contents of the 'Scheduled Tasks' folder
2007-08-31 15:15:00 C:\WINDOWS\Tasks\Maintenance en 1 clic.job
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2007-09-07 08:24:40
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-09-07 8:25:34
C:\ComboFix-quarantined-files.txt ... 2007-09-07 08:25
--- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:32:25, on 07/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe
C:\PROGRA~1\CLUB-I~1\LECOMP~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Fichiers communs\Logitech\LCD Manager\lcdmon.exe
C:\Program Files\Fichiers communs\Logitech\G-series Software\LGDCore.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Fichiers communs\Logitech\LCD Manager\Applets\LCDClock.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Fichiers communs\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\Portrait Displays\Pivot Software\floater.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\CLUB-I~1\LECOMP~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Fichiers communs\Logitech\LCD Manager\lcdmon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Fichiers communs\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 -noicon
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: TribalWeb.lnk = C:\Program Files\TribalWeb.net\tribalweb.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Envoyer à &Bluetooth - C:\Program Files\WIDCOMM\Logiciel Bluetooth\btsendto_ie_ctx.htm
O9 - Extra button: Créer un Favori de l'appareil mobile - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Créer un Favori de l'appareil mobile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.files-ftp.com/~unicorni/phpBB2/index.php
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 8124015125
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {867E13F2-7F31-44FB-AC97-CD38E0DC46EF} - http://www.touslesdrivers.com/fichiers/ ... b?version=
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {E6ACF817-0A85-4EBE-9F0A-096C6488CFEA} (NTR ActiveX 1.1. - https://www.ntrconnect.com/main/mod/set ... 118_24.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FE4515D9-7AAC-4818-945A-2672DAF39670}: NameServer = 194.117.200.10,194.117.200.15
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Maya 7 PLE Documentation Server (mple7docserver) - Unknown owner - E:\MayaPLE\docs\wrapper.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 6334 bytes
Just to let you know that ComboFix restarted the PC after detecting a rootkit. After the restart, it reported that it could no longer find the file in question. All of this happened without any intervention on my part; I didn't touch anything, as you had asked, of course... Otherwise, some good news: I haven't received any new e-mails from CI's abuse department since 05/09 at 21:00... Well, I may get one during the day, but I must admit that for now it reassures me... Zone Alarm really is much more effective than the Windows FW (well, I suspected as much, but still...)