
ComboFix 15-04-16.01 - Administrateur 16/04/2015 21:24:34.2.2 - x86
Microsoft Windows XP Professionnel 5.1.2600.3.1256.213.1036.18.958.484 [GMT 2:00]
Running from: d:\downloads\Programs\ComboFix_2.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: avast! Antivirus *Disabled* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Documents
D:\~WRL1230.tmp
D:\~WRL1717.tmp
D:\~WRL2003.tmp
D:\~WRL3810.tmp
D:\trz4.tmp . . . . Failed to delete
.
Infected copy of c:\windows\system32\drivers\ntfs.sys was found and disinfected
Restored copy from - c:\windows\erdnt\cache\ntfs.sys
.
.
((((((((((((((((((((((((( Files Created from 2015-03-16 to 2015-04-16 )))))))))))))))))))))))))))))))
.
.
2015-04-16 18:52 . 2001-08-23 15:47 7168 ----a-w- c:\windows\system32\dllcache\EXCH_snprfdll.dll
2015-04-16 18:52 . 2001-08-23 15:47 12800 ----a-w- c:\windows\system32\dllcache\EXCH_smtpctrs.dll
2015-04-16 18:51 . 2001-08-28 14:00 362496 ----a-w- c:\windows\system32\dllcache\home_ss.dll
2015-04-16 18:51 . 2001-08-28 14:00 361472 ----a-w- c:\windows\system32\dllcache\blue_ss.dll
2015-04-16 18:50 . 2001-08-23 15:47 26112 ----a-w- c:\windows\system32\dllcache\EXCH_seos.dll
2015-04-16 18:47 . 2001-08-23 15:47 38912 ----a-w- c:\windows\system32\dllcache\EXCH_ntfsdrv.dll
2015-04-16 18:44 . 2008-04-13 16:33 49152 ----a-w- c:\windows\system32\dllcache\kdsui.dll
2015-04-16 18:43 . 2001-08-28 14:00 10096640 ----a-w- c:\windows\system32\dllcache\hwxcht.dll
2015-04-16 18:42 . 2001-08-23 14:47 53760 ----a-w- c:\windows\system32\dllcache\eqndiag.exe
2015-04-16 18:41 . 2001-08-28 14:00 56832 ----a-w- c:\windows\system32\dllcache\convlog.exe
2015-04-16 18:40 . 2001-08-17 17:49 23552 ----a-w- c:\windows\system32\dllcache\atixbar.sys
2015-04-16 18:37 . 2002-09-07 00:00 7680 ----a-w- c:\windows\system32\dllcache\inetmgr.exe
2015-04-16 18:35 . 2008-04-13 19:33 47104 ----a-w- c:\windows\system32\dllcache\coadmin.dll
2015-04-16 18:35 . 2003-03-24 13:52 188480 ----a-w- c:\windows\system32\dllcache\cfgwiz.exe
2015-04-16 18:34 . 2003-03-24 13:52 16439 ----a-w- c:\windows\system32\dllcache\author.exe
2015-04-16 18:32 . 2008-04-13 19:33 290816 ----a-w- c:\windows\system32\dllcache\adsiis51.dll
2015-04-16 18:32 . 2008-04-13 19:33 43520 ----a-w- c:\windows\system32\dllcache\admwprox.dll
2015-04-16 18:32 . 2003-03-24 13:52 16439 ----a-w- c:\windows\system32\dllcache\admin.exe
2015-04-16 14:57 . 2015-04-16 14:57 -------- d-----w- c:\windows\jumpshot.com
2015-04-16 13:51 . 2015-04-16 13:49 26096 ----a-w- c:\windows\system32\drivers\aswKbd.sys
2015-04-16 13:51 . 2015-04-16 13:49 253728 ----a-w- c:\windows\system32\drivers\aswNdis2.sys
2015-04-16 13:51 . 2015-04-16 13:50 291312 ----a-w- c:\windows\system32\aswBoot.exe
2015-04-16 13:50 . 2015-04-16 13:50 43112 ----a-w- c:\windows\avastSS.scr
2015-04-16 13:49 . 2015-04-16 13:49 12112 ----a-w- c:\windows\system32\drivers\aswNdis.sys
2015-04-16 13:22 . 2015-04-16 13:22 637 ----a-w- c:\windows\trz49.tmp
2015-04-16 13:22 . 2015-04-16 13:22 655 ----a-w- c:\documents and settings\trz46.tmp
2015-04-16 11:37 . 2015-04-16 11:37 637 ----a-w- c:\windows\trz47.tmp
2015-04-16 11:37 . 2015-04-16 11:37 655 ----a-w- c:\documents and settings\trz44.tmp
2015-04-15 14:17 . 2015-04-15 14:17 637 ----a-w- c:\windows\trz45.tmp
2015-04-15 14:17 . 2015-04-15 14:17 655 ----a-w- c:\documents and settings\trz42.tmp
2015-04-15 12:41 . 2015-04-15 12:41 637 ----a-w- c:\windows\trz43.tmp
2015-04-15 12:41 . 2015-04-15 12:41 655 ----a-w- c:\documents and settings\trz40.tmp
2015-04-15 12:26 . 2015-04-15 12:26 637 ----a-w- c:\windows\trz41.tmp
2015-04-15 12:26 . 2015-04-15 12:26 655 ----a-w- c:\documents and settings\trz3E.tmp
2015-04-13 06:48 . 2015-04-13 06:48 -------- d-----w- c:\windows\system32\xircom
2015-04-13 06:48 . 2015-04-13 06:48 -------- d-----w- c:\windows\system32\wbem\snmp
2015-04-13 06:48 . 2015-04-13 06:48 -------- d-----w- c:\program files\microsoft frontpage
2015-04-12 08:20 . 2015-04-16 12:45 512 ----a-w- C:\PhysicalDisk0_MBR.bin
2015-04-12 08:16 . 2015-04-16 12:45 -------- d-----w- c:\program files\ZHPDiag
2015-04-12 08:16 . 2015-04-16 12:44 -------- d-----w- c:\documents and settings\Administrateur\Application Data\ZHP
2015-04-12 08:11 . 2015-04-16 12:01 -------- d-----w- c:\documents and settings\Administrateur\Application Data\IDM
2015-04-12 08:10 . 2015-04-12 08:11 -------- d-----w- c:\program files\Internet Download Manager
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-04-16 18:46 . 2008-08-17 22:11 35064 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2015-04-16 13:50 . 2008-08-17 22:05 57888 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2015-04-16 13:50 . 2008-08-17 22:05 208024 ----a-w- c:\windows\system32\drivers\aswVmm.sys
2015-04-16 13:50 . 2008-08-17 22:05 73440 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2015-04-16 13:50 . 2008-08-17 22:05 49904 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
2015-04-16 13:50 . 2008-08-17 22:05 427736 ----a-w- c:\windows\system32\drivers\aswSP.sys
2015-04-16 13:50 . 2008-08-17 22:05 55200 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2015-04-16 13:50 . 2008-08-17 22:05 24144 ----a-w- c:\windows\system32\drivers\aswHwid.sys
2015-04-16 13:49 . 2008-08-17 22:05 788272 ----a-w- c:\windows\system32\drivers\aswSnx.sys
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2011-01-09 . 618AC546F5158A3FF98614755C455278 . 2166272 . . [5.1.2600.5973] . . c:\windows\system32\ntkrnlpa.exe
.
[-] 2011-01-09 . 4BCACD08E169BCB8EF098F2EE237C6F4 . 2288128 . . [5.1.2600.5973] . . c:\windows\system32\ntoskrnl.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2015-04-16 13:50 644608 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IDM Shell Extension]
@="{CDC95B92-E27C-4745-A8C5-64A52A78855D}"
[HKEY_CLASSES_ROOT\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}]
2012-02-08 00:49 22376 ----a-w- c:\program files\Internet Download Manager\IDMShellExt.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AntiWormUpdate"="c:\google\AutoIt3.exe" [2012-01-29 750320]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2012-09-26 3528128]
"AntiUsbWorm"="start c:\google\AutoIt3.exe" [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2006-09-21 53248]
"S3Trayp"="S3trayp.exe" [2007-06-11 176128]
"VistaDrive"="c:\windows\VistaDrive\VistaDrive.exe" [2006-10-05 280779]
"USB Security"="c:\program files\USB Disk Security\USBGuard.exe" [2013-06-20 687336]
"AntiWormUpdate"="c:\google\AutoIt3.exe" [2012-01-29 750320]
"AvastUI.exe"="c:\program files\AVAST Software\Avast\AvastUI.exe" [2015-04-16 5512912]
"AntiUsbWorm"="start c:\google\AutoIt3.exe" [BU]
.
c:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\
AntiUsbWormUpdate.lnk - c:\google\AutoIt3.exe /AutoIt3ExecuteScript c:\google\googleupdate.a3x [2008-8-18 750320]
AntiWormUpdate.lnk - c:\windows\system32\cmd.exe /c start c:\google\AutoIt3.exe /AutoIt3ExecuteScript c:\google\googleupdate.a3x & exit [2010-12-2 401408]
trz1.tmp [2008-8-18 589]
trz10.tmp [2015-3-18 589]
trz11.tmp [2008-8-18 583]
trz12.tmp [2008-8-18 589]
trz13.tmp [2015-8-19 589]
trz14.tmp [2015-8-19 583]
trz15.tmp [2015-4-5 583]
trz16.tmp [2015-4-5 589]
trz17.tmp [2015-4-5 583]
trz18.tmp [2015-4-5 589]
trz19.tmp [2015-4-5 583]
trz1A.tmp [2015-4-5 589]
trz1B.tmp [2015-4-5 583]
trz1C.tmp [2015-4-5 589]
trz1D.tmp [2015-4-5 589]
trz1E.tmp [2008-8-18 589]
trz1F.tmp [2015-4-6 589]
trz2.tmp [2008-8-18 583]
trz20.tmp [2015-4-6 589]
trz21.tmp [2015-4-7 589]
trz22.tmp [2015-4-8 589]
trz23.tmp [2015-4-9 589]
trz24.tmp [2015-4-9 583]
trz25.tmp [2015-4-9 589]
trz26.tmp [2008-8-18 583]
trz27.tmp [2008-8-18 589]
trz28.tmp [2015-4-12 583]
trz29.tmp [2015-4-12 589]
trz2A.tmp [2015-4-12 583]
trz2B.tmp [2015-4-12 589]
trz2C.tmp [2015-4-12 583]
trz2D.tmp [2015-4-12 589]
trz2E.tmp [2015-4-13 583]
trz2F.tmp [2015-4-13 589]
trz3.tmp [2008-8-18 583]
trz30.tmp [2015-4-13 589]
trz31.tmp [2015-4-13 583]
trz32.tmp [2008-8-18 583]
trz33.tmp [2008-8-18 589]
trz34.tmp [2008-8-18 583]
trz35.tmp [2008-8-18 589]
trz36.tmp [2008-8-18 583]
trz37.tmp [2008-8-18 589]
trz38.tmp [2008-8-18 583]
trz39.tmp [2008-8-18 589]
trz3A.tmp [2008-8-18 583]
trz3B.tmp [2008-8-18 589]
trz3C.tmp [2015-4-15 583]
trz3D.tmp [2015-4-15 589]
trz3E.tmp [2015-4-15 583]
trz3F.tmp [2015-4-15 589]
trz4.tmp [2008-8-18 589]
trz40.tmp [2015-4-15 583]
trz41.tmp [2015-4-15 589]
trz42.tmp [2015-4-16 583]
trz43.tmp [2015-4-16 589]
trz44.tmp [2015-4-16 583]
trz45.tmp [2015-4-16 589]
trz4A.tmp [2015-4-5 583]
trz4C.tmp [2015-4-6 589]
trz4E.tmp [2015-4-7 589]
trz5.tmp [2015-3-16 583]
trz6.tmp [2015-3-16 589]
trz7.tmp [2008-8-18 583]
trz8.tmp [2008-8-18 589]
trz9.tmp [2008-8-18 583]
trzA.tmp [2008-8-18 589]
trzB.tmp [2008-8-18 583]
trzC.tmp [2008-8-18 589]
trzD.tmp [2015-3-18 583]
trzE.tmp [2015-3-18 589]
trzF.tmp [2015-3-18 583]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)
"SoftwareSASGeneration"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMBalloonTip"= 0 (0x0)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMBalloonTip"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DfLogon]
2010-05-20 15:01 65536 ----a-w- c:\windows\system32\LogonDll.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /k:C /k:D /k:E *
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\CNAB4RPK.EXE"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"=
.
R0 aswNdis;avast! Firewall NDIS Filter Service;c:\windows\system32\drivers\aswNdis.sys [16/04/2015 15:49 12112]
R0 aswNdis2;avast! Firewall NDIS Driver;c:\windows\system32\drivers\aswNdis2.sys [16/04/2015 15:51 253728]
R0 aswRvrt;avast! Revert;c:\windows\system32\drivers\aswRvrt.sys [18/08/2008 00:05 49904]
R0 aswVmm;avast! VM Monitor;c:\windows\system32\drivers\aswVmm.sys [18/08/2008 00:05 208024]
R0 DeepFrz;DeepFrz;c:\windows\system32\drivers\DeepFrz.sys [20/05/2010 17:04 153240]
R0 mv61xxmm;mv61xxmm;c:\windows\system32\drivers\mv61xxmm.sys [10/01/2011 20:09 5632]
R0 mv64xxmm;mv64xxmm;c:\windows\system32\drivers\mv64xxmm.sys [10/01/2011 20:09 5632]
R0 mvxxmm;mvxxmm;c:\windows\system32\drivers\mvxxmm.sys [10/01/2011 20:09 5632]
R1 aswKbd;aswKbd;c:\windows\system32\drivers\aswKbd.sys [16/04/2015 15:51 26096]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [18/08/2008 00:05 788272]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [18/08/2008 00:05 427736]
R1 IDMTDI;IDMTDI;c:\windows\system32\drivers\idmtdi.sys [10/10/2012 11:36 111200]
R2 aswHwid;avast! HardwareID;c:\windows\system32\drivers\aswHwid.sys [18/08/2008 00:05 24144]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [18/08/2008 00:05 73440]
R2 avast! Firewall;Avast Firewall;c:\program files\AVAST Software\Avast\afwServ.exe [16/04/2015 15:49 107448]
R2 DFServ;DFServ;c:\program files\Faronics\Deep Freeze\Install C-0\DFServ.exe [20/05/2010 16:55 1073664]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2015-04-16 13:51 988488 ----a-w- c:\program files\Google\Chrome\Application\42.0.2311.90\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2015-04-16 c:\windows\Tasks\avast! Emergency Update.job
- c:\program files\AVAST Software\Avast\AvastEmUpdate.exe [2015-04-16 13:50]
.
2015-04-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2015-04-16 13:47]
.
.
------- Supplementary Scan -------
.
uStart Page = https://www.google.fr/
mStart Page = hxxp://www.google.com/
ucustomizesearch = hxxp://www.google.com/ie
usearchassistant = hxxp://www.google.com/ie
IE: E&xporter vers Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
IE: Télécharger avec IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: Télécharger tous les liens avec IDM - c:\program files\Internet Download Manager\IEGetAll.htm
FF - ProfilePath - c:\documents and settings\Administrateur\Application Data\Mozilla\Firefox\Profiles\9w5wsstv.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.fr
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2015-04-16 21:32
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{0b5380dc-6585-45d2-b423-43fc6e2dda33}]
@Denied: (Full) (Everyone)
"Model"=dword:000000e5
"Therad"=dword:0000002e
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
38,95,44,88,79,0d,22,8e,33,17,75,9e,60,01,c1,91,6a,3b,4e,ea,9b,c0,70,21,d0,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):64,72,33,c4,f6,56,c6,14,c0,af,46,50,66,9e,44,e4,81,23,6d,f2,07,
41,17,5e,60,b0,8e,76,0f,4b,f4,d1,da,b0,f5,94,c6,ac,2a,1c,00,00,00,00,00,00,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):83,24,4e,82,69,35,b0,7f,f1,5e,68,32,13,10,77,b8,ac,54,37,59,83,
34,dc,fe,b4,f4,3b,1a,78,36,04,30,89,56,fa,5d,8e,83,71,3e,00,00,00,00,00,00,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{b1d3dfc9-ff7f-42b3-94b1-2fbae38d7303}]
@Denied: (Full) (Everyone)
"Model"=dword:00000068
"Therad"=dword:00000002
"MData"=hex(0):73,d5,cf,b8,a4,07,89,80,31,e4,35,6b,2a,ca,fe,43,b6,1f,81,1f,5a,
1b,4d,36,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(684)
c:\windows\system32\LogonDll.dll
.
- - - - - - - > 'explorer.exe'(3792)
c:\program files\Internet Download Manager\IDMShellExt.dll
c:\program files\Internet Download Manager\IDMNetMon.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\eappprxy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Google\Update\1.3.26.9\GoogleCrashHandler.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\CNAB4RPK.EXE
c:\program files\Faronics\Deep Freeze\Install C-0\_$Df\FrzState2k.exe
c:\windows\system32\VTTimer.exe
c:\windows\system32\S3trayp.exe
c:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2015-04-16 21:35:44 - machine was rebooted
ComboFix-quarantined-files.txt 2015-04-16 19:35
ComboFix2.txt 2015-04-13 06:52
.
Pre-Run: 31 885 324 288 octets libres
Post-Run: 31 929 532 416 octets libres
.
- - End Of File - - 40CFCC9F5227DE13C1DB11AA7744269F
C99C3199CFAA4CBDCD91493F6D113A50
