Here is the ComboFix report:
Can I delete catchme?
ComboFix 09-05-02.4 - Grégoire Havekes 03/05/2009 10:09.1 - FAT32x86
Microsoft Windows XP Édition familiale 5.1.2600.3.1252.33.1036.18.1023.626 [GMT 2:00]
Run from: c:\documents and settings\Grégoire Havekes\Bureau\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* A new restore point was created
.
(((((((((((((((((((((((((((((((((((( Other deletions ))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\start.exe
c:\windows\Web\default.htt
.
((((((((((((((((((((((((((((( Files created from 2009-04-03 to 2009-05-03 ))))))))))))))))))))))))))))))))))))
.
2009-04-25 08:17 . 2009-04-25 08:17 -------- d-----w c:\program files\CCleaner
2009-04-22 12:38 . 2009-04-22 12:38 -------- d-----w c:\program files\Microsoft Visual Studio 8
2009-04-22 12:36 . 2009-04-22 12:36 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-04-22 12:34 . 2007-05-02 02:21 92976 ----a-w c:\windows\system32\hgfs1.dll
2009-04-22 10:14 . 2008-04-14 01:33 221184 ----a-w c:\windows\system32\wmpns.dll
2009-04-22 10:04 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-22 10:04 . 2009-03-06 14:20 286720 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-22 10:04 . 2009-02-09 11:23 111104 ------w c:\windows\system32\dllcache\services.exe
2009-04-22 10:04 . 2009-02-09 10:53 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-22 10:04 . 2009-02-09 10:53 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-22 10:04 . 2009-02-09 10:53 685568 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-22 10:04 . 2009-02-09 10:53 735744 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-22 10:04 . 2009-02-09 10:53 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-22 10:04 . 2009-02-09 10:53 739840 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-22 10:03 . 2008-12-16 12:31 354304 ------w c:\windows\system32\dllcache\winhttp.dll
2009-04-22 10:03 . 2008-04-21 21:15 219136 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-22 08:58 . 2009-04-22 08:58 -------- d-----w c:\windows\system32\DRVSTORE
2009-04-22 08:54 . 2009-04-22 08:54 -------- d-----w c:\program files\Lavasoft
2009-04-22 08:54 . 2009-04-22 08:54 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-04-21 11:30 . 2009-04-21 11:30 -------- d-----w c:\windows\Sun
2009-04-20 16:46 . 2009-04-20 16:45 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-20 16:45 . 2009-04-20 16:45 -------- d-----w c:\program files\Java
2009-04-20 12:11 . 2009-04-20 12:11 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-20 11:47 . 2009-04-20 11:47 -------- d-----w c:\program files\Windows Defender
2009-04-20 10:58 . 2009-04-06 13:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-20 10:58 . 2009-04-06 13:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-20 10:58 . 2009-04-20 10:58 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-20 10:58 . 2009-04-20 10:58 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
.
(((((((((((((((((((((((((((((((((( Find3M report ))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-03 08:08 . 2009-01-12 07:50 6 ---ha-w c:\windows\TASKS\SA.DAT
2009-05-03 07:58 . 2009-04-20 11:50 330 ---ha-w c:\windows\TASKS\MP Scheduled Scan.job
2009-04-22 09:20 . 2009-01-29 10:29 1324 ----a-w c:\windows\system32\d3d9caps.dat
2009-04-22 09:04 . 2009-04-22 08:59 512 ----a-w c:\windows\TASKS\Ad-Aware Update (Weekly).job
2009-04-20 08:01 . 2009-01-29 15:35 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-20 08:01 . 2009-01-29 15:35 325640 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-20 08:01 . 2009-01-29 15:35 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-03-24 14:46 . 2009-03-24 14:46 -------- d-----w c:\program files\WYSE Technology
2009-03-06 14:20 . 2009-01-29 09:01 286720 ----a-w c:\windows\system32\pdh.dll
2009-03-04 14:45 . 2009-03-04 14:45 616 ----a-w c:\windows\eReg.dat
2009-03-03 00:13 . 2009-01-29 09:02 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-22 18:01 . 2009-01-29 09:03 91776 ----a-w c:\windows\system32\perfc00C.dat
2009-02-22 18:01 . 2009-01-29 09:03 529484 ----a-w c:\windows\system32\perfh00C.dat
2009-02-20 17:10 . 2009-01-29 09:45 78336 ------w c:\windows\system32\ieencode.dll
2009-02-12 16:23 . 2009-02-12 16:23 0 ----a-w c:\windows\nsreg.dat
2009-02-10 17:03 . 2009-02-10 17:03 552 ----a-w c:\windows\system32\d3d8caps.dat
2009-02-09 14:05 . 2009-01-29 09:02 1846912 ----a-w c:\windows\system32\win32k.sys
2009-02-09 11:23 . 2002-08-29 09:42 2025984 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-09 11:23 . 2009-01-29 09:01 2147328 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-09 11:23 . 2009-01-29 09:01 111104 ----a-w c:\windows\system32\services.exe
2009-02-09 10:53 . 2009-01-29 09:01 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 10:53 . 2009-01-29 09:01 739840 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 10:53 . 2009-01-29 09:00 735744 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:53 . 2009-01-29 08:58 685568 ----a-w c:\windows\system32\advapi32.dll
2009-02-06 16:34 . 2009-01-29 09:19 76487 ----a-w c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat
2009-02-06 16:11 . 2009-02-06 16:11 2678 ----a-w c:\windows\JAVA\Packages\Data\TRJFHZ7L.DAT
2009-02-06 16:11 . 2009-02-06 16:11 2678 ----a-w c:\windows\JAVA\Packages\Data\13RLNNPB.DAT
2009-02-06 16:11 . 2009-02-06 16:11 2678 ----a-w c:\windows\JAVA\Packages\Data\XND7PZ9B.DAT
2009-02-06 16:11 . 2009-02-06 16:11 2678 ----a-w c:\windows\JAVA\Packages\Data\WZZ5RHBR.DAT
2009-02-06 16:11 . 2009-02-06 16:11 2678 ----a-w c:\windows\JAVA\Packages\Data\9VT3NXNP.DAT
2009-02-06 10:39 . 2009-01-29 09:01 35328 ----a-w c:\windows\system32\sc.exe
2009-02-04 17:00 . 1979-12-31 22:00 502 ----a-w c:\windows\TASKS\Démarrage du programme de réglages.job
2009-02-03 19:58 . 2009-01-29 09:01 56832 ----a-w c:\windows\system32\secur32.dll
2009-01-12 07:07 . 2009-01-12 07:07 266 --sh--w c:\program files\desktop.ini
2009-01-12 07:07 . 2009-01-12 07:07 11208 ---h--w c:\program files\folder.htt
.
((((((((((((((((((((((((((((((((( Registry load points ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate default entries are not listed
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
@="{7D688A77-C613-11D0-999B-00C04FD655E1}"
[HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}]
2008-06-17 18:02 8517632 ----a-w c:\windows\SYSTEM32\shell32.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-20 1932568]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-20 08:01 10520 ----a-w c:\windows\SYSTEM32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TPSvc]
2007-05-02 02:21 364544 ----a-r c:\windows\SYSTEM32\TPSvc.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"PinnacleDriverCheck"=c:\windows\SYSTEM32\PSDrvCheck.exe -CheckReg
"PCLEPCI"=c:\progra~1\PINNACLE\PPE\ppe.exe
"VMware Tools"=c:\program files\VMware\VMware Tools\VMwareTray.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Corel\\Graphics10\\Register\\NAVBrowser.exe"=
"c:\\WINDOWS\\System32\\dxdiag.exe"=
"c:\\WINDOWS\\System32\\dpnsvr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
R3 TPAutoConnSvc;TP AutoConnect Service;c:\program files\VMware\VMware Tools\TPAutoConnSvc.exe [2007-05-02 294912]
R3 vmdesched;VMware Descheduled Time Accounting Service;c:\program files\VMware\VMware Tools\vmdesched.exe [2007-05-02 52016]
S0 vmscsi;vmscsi;c:\windows\system32\DRIVERS\vmscsi.sys [2007-05-02 17968]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-04-20 325640]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-04-20 108552]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-04-20 908056]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-20 298264]
S2 hgfs;hgfs;c:\windows\system32\DRIVERS\hgfs.sys [2007-05-02 101552]
S2 LGTO_Sync;Sync Driver;c:\windows\system32\Drivers\lgtosync.sys [2007-05-02 36656]
S2 vmdesched-driver;vmdesched Descheduled Time Accounting Service [Driver];c:\windows\system32\Drivers\vmdesched.sys [2007-05-02 02:21 26928]
S2 VMMEMCTL;VMware server memory controller;c:\program files\VMware\VMware Tools\Drivers\memctl\vmmemctl.sys [2007-05-02 15664]
S2 VMTools;VMware Tools Service;c:\program files\VMware\VMware Tools\VMwareService.exe [2007-05-02 252720]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 vmmouse;VMware Pointing Device;c:\windows\system32\DRIVERS\vmmouse.sys [2007-05-02 11696]
S3 vmx_svga;vmx_svga;c:\windows\system32\DRIVERS\vmx_svga.sys [2007-05-02 63024]
S3 vmxnet;VMware Ethernet Adapter Driver;c:\windows\system32\DRIVERS\vmxnet.sys [2007-05-02 34992]
.
Contents of the 'Scheduled Tasks' folder
2009-05-03 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 17:20]
.
.
------- Supplementary scan -------
.
uStart Page = hxxp://www.google.fr/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&s ... f8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xporter vers Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Internet Explorer Classes for Java - file://c:\windows\SYSTEM\iejava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Grégoire Havekes\Application Data\Mozilla\Firefox\Profiles\0b12ys8d.default\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-03 10:12
Windows 5.1.2600 Service Pack 3 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•9~*]
"C040710900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
"C040110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\€–€|ÿÿÿÿÀ•€|ù•9~*]
"C040110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
Completion time: 2009-05-03 10:14
ComboFix-quarantined-files.txt 2009-05-03 08:14
Pre-Run: 35 946 299 392 bytes free
Post-Run: 36 577 771 520 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-FRA.exe
[boot loader]
timeout = 30
default = multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS = "Microsoft Windows XP dition familiale" /fastdetect /NoExecute=OptIn
178 --- E O F --- 2009-04-30 17:08
And after updating Office (SP3) it seems to be working normally.
Thanks in advance and
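A parser and first-pass triage for the report format posted above, added here as an example; it is not ComboFix's own code and not part of the original post. The excerpt embedded in SAMPLE_LOG is copied from the report (section headers as the French ComboFix build prints them). The column semantics (the first timestamp is the one the section was selected on: creation time under "Files created", last-write time under Find3M), the user-writable path hints and the "fresh binary" rule are assumptions made for illustration, not ComboFix documentation.

```python
# Added example (not ComboFix's own code): parse ComboFix-style report lines into
# records and pull out what a responder reads first. Column semantics and the
# triage rules are assumptions drawn from the log in the post.
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional

# Excerpt copied from the report in the post (section headers kept as printed).
SAMPLE_LOG = r"""
(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
c:\windows\start.exe
c:\windows\Web\default.htt
.
((((((((((((((((((((((((((((( Fichiers créés du 2009-04-03 au 2009-05-03 ))))))))))))))))))))))))))))))))))))
2009-04-22 12:34 . 2007-05-02 02:21 92976 ----a-w c:\windows\system32\hgfs1.dll
2009-04-20 10:58 . 2009-04-06 13:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-20 10:58 . 2009-04-20 10:58 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
2009-05-03 08:08 . 2009-01-12 07:50 6 ---ha-w c:\windows\TASKS\SA.DAT
2009-01-12 07:07 . 2009-01-12 07:07 266 --sh--w c:\program files\desktop.ini
.
((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-20 1932568]
S2 vmdesched-driver;vmdesched Descheduled Time Accounting Service [Driver];c:\windows\system32\Drivers\vmdesched.sys [2007-05-02 02:21 26928]
R3 TPAutoConnSvc;TP AutoConnect Service;c:\program files\VMware\VMware Tools\TPAutoConnSvc.exe [2007-05-02 294912]
"""

TS = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}"
SECTION_RE = re.compile(r"^\({3,}\s*(.+?)\s*\){3,}$")
FILE_RE = re.compile(rf"^({TS}) \. ({TS}) (-{{8}}|\d+) ([-a-z]{{7}}) (.+)$")
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+?) \[([^\]]+)\]$")
RUN_RE = re.compile(r'^"([^"]+)"="([^"]+)" \[(\d{4}-\d{2}-\d{2}) (\d+)\]$')
BARE_PATH_RE = re.compile(r"^[a-z]:\\", re.IGNORECASE)

@dataclass
class FileEntry:
    section: str
    first_ts: datetime   # "Files created": creation time; Find3M: last-write time (assumed)
    second_ts: datetime  # the other timestamp of the pair
    size: Optional[int]  # None for directories, which ComboFix prints as "--------"
    attrs: str           # flag string as printed, e.g. "--sh--w" (s = system, h = hidden)
    path: str

@dataclass
class Autorun:
    kind: str   # "run" (registry Run value) or "service"
    key: str    # registry key for "run"; start code such as S2 / R3 for "service"
    name: str
    path: str
    size: int   # size ComboFix printed for the binary

@dataclass
class Report:
    bare_paths: Dict[str, List[str]] = field(default_factory=dict)  # section -> paths
    files: List[FileEntry] = field(default_factory=list)
    autoruns: List[Autorun] = field(default_factory=list)

def parse_combofix(text: str) -> Report:
    report, section, reg_key = Report(), "", ""
    ts = lambda s: datetime.strptime(s, "%Y-%m-%d %H:%M")
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line == ".":
            continue
        if m := SECTION_RE.match(line):
            section = m.group(1)
        elif line.startswith("[") and line.endswith("]"):
            reg_key = line[1:-1]
        elif m := FILE_RE.match(line):
            a, b, size, attrs, path = m.groups()
            report.files.append(FileEntry(section, ts(a), ts(b),
                                          None if size.startswith("-") else int(size), attrs, path))
        elif m := SERVICE_RE.match(line):
            start, name, _display, path, meta = m.groups()  # meta: "date size" or "date time size"
            report.autoruns.append(Autorun("service", start, name, path, int(meta.split()[-1])))
        elif m := RUN_RE.match(line):
            name, path, _date, size = m.groups()
            report.autoruns.append(Autorun("run", reg_key, name, path, int(size)))
        elif BARE_PATH_RE.match(line):
            report.bare_paths.setdefault(section, []).append(line)
    return report

# Locations where a persistent autorun binary is unusual on a desktop (assumption).
USER_WRITABLE_HINTS = ("\\temp\\", "\\local settings\\", "\\application data\\", "\\recycler\\")

def triage(report: Report, window_start: str) -> Dict[str, List[str]]:
    """Rank entries for a first read. A hit is a prompt to look, not a verdict."""
    start = datetime.strptime(window_start, "%Y-%m-%d")
    out: Dict[str, List[str]] = {"hidden_files": [], "fresh_system32_binaries": [],
                                 "autoruns_in_user_paths": []}
    for f in report.files:
        if f.attrs.startswith("d"):
            continue
        if "h" in f.attrs or "s" in f.attrs:
            out["hidden_files"].append(f.path)
        low = f.path.lower()
        # Both timestamps inside the scan window: written on this box recently,
        # not carried over from an older installer package (hgfs1.dll is the latter).
        if ("\\system32\\" in low and low.endswith((".exe", ".dll", ".sys"))
                and f.first_ts >= start and f.second_ts >= start):
            out["fresh_system32_binaries"].append(f.path)
    for a in report.autoruns:
        if any(hint in a.path.lower() for hint in USER_WRITABLE_HINTS):
            out["autoruns_in_user_paths"].append(f"{a.kind}:{a.name} -> {a.path}")
    return out
```

On the excerpt, `triage(parse_combofix(SAMPLE_LOG), "2009-04-03")` reports mbam.sys as a fresh system32 binary (both timestamps fall inside the window) while hgfs1.dll is left alone because its last-write time is the 2007 VMware Tools build; mbam.sys is the Malwarebytes driver installed on 2009-04-20, which is exactly why a hit is something to read, not something to delete. SA.DAT and desktop.ini surface under hidden_files, and none of the autoruns in the excerpt lives under a user-writable path.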